Peculiar Cloud · Sample deliverable
Edge-firewall security review
The client asked a simple question: “does our firewall actually do what our compliance framework says it must?” The answer is a requirement-by-requirement review of the running configuration — pass, fail, or advisory, each backed by evidence from the device itself.
A Canadian enterprise manufacturer · Under NDA
At a glance
Denial-of-service protection
Client GRC requirement · 4 critical findings
FIPS 140 compliance
Cryptographic standards · 2 critical findings
Security-policy best practices
Vendor hardening guidance · 4 advisories
The device and what it inspects
- HA cluster: edge-fw-ha (active / standby)
- Primary: edge-fw-01 — 10.20.30.11
- Secondary: edge-fw-02 — 10.20.30.12
- Hardware: Cisco Secure Firewall 3140
- Software: FTD 7.6 · Snort 3
- Deployment: Routed · 14 interfaces · managed by FMC
- Security zones: 8 — outside, DMZ, internal, plant OT, guest, partner, mgmt, sync
- Access-control policy: corp-edge (287 access rules · 61 NAT rules)
- Site-to-site VPN: 9 peers — plants, DR site, partners
- Uptime at assessment: 43 days
Denial-of-service protection
“The information system must protect against denial-of-service attacks including, at a minimum: ICMP floods, SYN floods, connection-exhaustion attacks, buffer-overflow exploits, and volumetric attacks.”
The client’s GRC framework states the requirement above. Each clause is assessed against the running configuration, not the intended one.
- DOS-1 · SYN-flood protection · Fail
  TCP Intercept is explicitly disabled and no embryonic-connection limits are configured in the service policy. The firewall cannot detect or mitigate SYN floods in its current configuration.
  > show run all | include tcp-intercept
  no threat-detection statistics tcp-intercept
- DOS-2 · ICMP-flood protection · Fail
  No ICMP rate limiting exists in the service policy or access-control rules. ICMP inspection is active but performs protocol validation only — floods pass through unconstrained.
- DOS-3 · Connection-exhaustion protection · Fail
  The Threat Defense Service Policy contains zero rules: no per-client connection maximums, no embryonic limits, no timeout tuning. Attacks that hold connections open would not be mitigated.
- DOS-4 · Buffer-overflow exploit protection · Pass
  Snort 3 IPS with the “Balanced Security and Connectivity” base policy is applied on every Allow rule and the default action, with a decryption policy linked for encrypted-traffic inspection.
- DOS-5 · Volumetric-attack protection · Fail
  Threat detection runs in alerting mode only; no rate-limiting or enforcement acts on volumetric traffic. The requirement asks for protection, not detection.
- DOS-6 · Port-scan handling · Advisory
  Port-scan detection is enabled in Detection mode. Not required by the GRC statement, but converting to Prevention would automatically shun scanning hosts.
FIPS 140 compliance
- FIPS-1 · FIPS mode · Fail
  FIPS mode is disabled on the appliance. Without it, management and data-plane operations may negotiate non-validated cryptographic modules and algorithms.
  > show fips
  FIPS is currently disabled.
- FIPS-2 · Common Criteria compliance mode · Fail
  CC/UCAPL compliance is set to “None” in platform settings. Enabling it is a prerequisite for FIPS-compliant operation and enforces self-tests and algorithm restrictions.
- FIPS-3 · Management TLS configuration · Advisory
  Management access enforces TLS 1.2 minimum with FIPS-compatible key-exchange groups — but until FIPS mode is enabled, cipher negotiation is not restricted to approved algorithms.
- FIPS-4 · Management certificate · Advisory
  The management interface presents a default self-signed certificate. The signature algorithm is approved, but operational practice calls for a CA-signed certificate with real identity validation.
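As an added illustration (not part of the deliverable or the client's configuration), the checker below scores the DoS clauses DOS-1, DOS-3 and DOS-5 and the FIPS-1 clause above against running-config text, the same "running, not intended" test the review applies. Both config excerpts are constructed; treating a QoS `police` action as the DOS-5 enforcing control and the exact `show fips` wording are assumptions.

```python
import re

# Constructed running-config excerpt reflecting the findings above (not the client's device).
CURRENT_CONFIG = """\
no threat-detection statistics tcp-intercept
policy-map global_policy
 class inspection_default
  inspect icmp
"""

# Constructed excerpt of the remediated state, in standard ASA/FTD service-policy syntax.
REMEDIATED_CONFIG = """\
threat-detection statistics tcp-intercept
class-map inbound-tcp
 match port tcp eq 443
policy-map global_policy
 class inbound-tcp
  set connection conn-max 20000 embryonic-conn-max 2000 per-client-max 200 per-client-embryonic-max 20
policy-map outside-policy
 class inbound-tcp
  police input 50000000 1500000
service-policy outside-policy interface outside
"""

def _has(pattern, config):
    return re.search(pattern, config, re.M) is not None

def check_syn_flood(config):
    """DOS-1: TCP Intercept statistics enabled and an embryonic-connection ceiling set."""
    ok = (_has(r"^threat-detection statistics tcp-intercept", config)
          and _has(r"^\s+set connection .*embryonic-conn-max \d+", config))
    return "Pass" if ok else "Fail"

def check_conn_exhaustion(config):
    """DOS-3: per-client connection maximum present in the service policy."""
    return "Pass" if _has(r"^\s+set connection .*per-client-max \d+", config) else "Fail"

def check_volumetric(config):
    """DOS-5: assumption: a QoS 'police' action applied on an interface counts as enforcement."""
    return "Pass" if _has(r"^\s+police (input|output) \d+", config) else "Fail"

def check_fips(show_fips_output):
    """FIPS-1: 'show fips' must report enabled (wording assumed from the finding's evidence)."""
    return "Pass" if re.search(r"\benabled\b", show_fips_output, re.I) else "Fail"

def assess(config, show_fips_output):
    """Clause -> Pass/Fail map, in the same shape as the review's findings."""
    return {"DOS-1": check_syn_flood(config), "DOS-3": check_conn_exhaustion(config),
            "DOS-5": check_volumetric(config), "FIPS-1": check_fips(show_fips_output)}
```

Run `assess(CURRENT_CONFIG, "FIPS is currently disabled.")` to reproduce the four Fail verdicts, and the same call with `REMEDIATED_CONFIG` and an enabled `show fips` line to see them flip to Pass.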
Security-policy best practices
Beyond the stated requirements: where the configuration diverges from vendor hardening guidance, and where it is already right.
- BP-1 · IPS and malware event forwarding · Advisory
  IPS and file/malware events are not forwarded to the SIEM — detections exist only in the management console, invisible to centralized monitoring and incident response.
- BP-2 · Identity policy · Advisory
  No identity policy is attached, so access-control rules cannot be user-aware. Per-user and per-group enforcement is unavailable until this is wired to the directory.
- BP-3 · Encrypted visibility · Advisory
  The encrypted-visibility engine is disabled. It fingerprints threats inside TLS without decryption and costs no measurable performance — enabling it is pure gain.
- BP-4 · Prefilter policy · Advisory
  The default prefilter policy is in use. Fastpathing trusted high-volume flows (backups, replication) through a custom policy would cut inspection-engine load and improve throughput.
- BP-5 · Intelligent Application Bypass · Pass
  Disabled — which is correct here: IAB skips inspection under load, the opposite of what a security-focused edge should do.
- BP-6 · Threat-intelligence feeds · Pass
  Threat Intelligence Director is enabled, integrating external feeds into detection.
What happens after the review
Every fail above became a line in a fixed remediation plan: the exact configuration change, the maintenance window it lands in, how it is validated, and how it rolls back. The full deliverable also includes that plan — findings without a path to green are just bad news, and that is not what we ship.
See the other sample: a cloud security review with the fixes as Terraform →