Security Basics mailing list archives
RE: Firewall rulebase audit
From: "Chinnery, Paul" <PaulC () mmcwm com>
Date: Fri, 21 Sep 2007 16:18:35 -0400
I also have a PIX firewall. If you want to get more detailed, I suggest you subscribe to the Cisco Forums for Firewall and VPN (http://forum.cisco.com/eforum/servlet/NetProf?page=main). Great resource.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Brian Laing
Sent: Friday, September 21, 2007 1:20 PM
To: jctx09 () yahoo com
Cc: security-basics () securityfocus com
Subject: Re: Firewall rulebase audit
1) What is the best/easiest way to document a current policy? Spreadsheet?? I would like to know what ports (services) are open and to where? Also duplicates, etc.? Would it be best just to put it in a spreadsheet? Is there a tool for this?
While you have asked this as one question, it is really several questions. There are a variety of tools out there that will help you with this, depending on which part of this question you are looking at.

Q1 What is the best/easiest way to document a current policy? Spreadsheet?
- Documenting a policy can run the gamut from human readable (e.g. no internal webservers should be exposed to the internet unless they are in the DMZ) to documenting each ACL with comments as to the purpose of the ACL. Depending on the level of documentation needed, different formats would be appropriate.

Q2 I would like to know what ports (services) are open and to where?
- Documenting this can be difficult on multiple levels. The first hurdle is simply determining all the traffic that is allowed; with 100s, 1,000s or even 10,000s of rules this can be difficult to impossible for an individual to do. The second hurdle is that, while this review of a single device is difficult, to actually document what is allowed it should really be done in an end-to-end fashion. So if there are 3 filtering devices between the Internet and the DMZ, all 3 sets of filter rules must be examined to determine what is actually allowed. The 3rd hurdle is to come up with a format that can easily be digested and kept updated for it to be useful beyond a single audit. To really meet these requirements you should use an automated system that collects the configurations, executes the analysis and delivers results on a scheduled, recurring basis. You can take a look at our product; there is information and a software download on our main page. I would be happy to give you a demo as well. Our product can take many configs, draw a topology, analyze the topology for misconfigurations and determine what traffic is allowed. It can also use that information to do threat map generation.

Q3 Would it be best to just put it in a spreadsheet? Is there a tool for this?
- As I said earlier, depending on the content and your audience, a spreadsheet may make the most sense. See our products and the others mentioned for the various tools that are out there.
2) Is there a standard analysis checklist to go by when reviewing a (PIX) firewall policy?
There are numerous standards out there from NIST, Cisco and SANS; these all cover very similar aspects of the configuration file. They tend to take a tack that is more of best-practices policy checking. Our product calls these NCCs (Network Configuration Checks). There are also checks you should do based on the traffic that is allowed. For example: is the management interface of the filter exposed to an untrusted network such as the internet? This type of check is not really covered in the standard policy / check lists.

I hope this helps.

Cheers,
Brian
--------------------------------------------------------------------
Brian Laing
Chief Security Officer
Cellphone: +1 650.280.2389
Office: +1 (888) 845-8169 Ext. 805
Email: brian () redseal net
Redseal Systems – http://www.redseal.net
Instant Visibility. Threats Averted.
-------------------------------------------------------------------

On Sep 19, 2007, at 1:59 PM, jctx09 () yahoo com wrote:
I have a pair of PIX firewalls that I need to audit. I was hoping to get some guidelines for doing this. Anything specific to PIX would be even better.

1) What is the best/easiest way to document a current policy? Spreadsheet?? I would like to know what ports (services) are open and to where? Also duplicates, etc.? Would it be best just to put it in a spreadsheet? Is there a tool for this?

2) Is there a standard analysis checklist to go by when reviewing a (PIX) firewall policy?

Any help is highly appreciated. Thank you,
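As an added example for this thread (not a tool posted by anyone on the list, and not RedSeal's product), the script below does the single-device part of what Brian describes against a PIX-style config: it parses access-list lines into normalized rules, lists the permitted services per destination (the "what ports are open and to where" question), flags exact duplicates (including 'eq 80' versus 'eq www'), flags rules that an earlier rule shadows under first-match evaluation, and flags ssh/http/telnet management access granted on an untrusted interface (the check Brian says the standard checklists miss). The config, ACL name and addresses are constructed for the example, and the interface named 'outside' is assumed to be the untrusted one; the end-to-end analysis across several filtering devices is not attempted here.

```python
"""PIX rulebase audit helpers: what is permitted and to where, exact duplicate
rules, rules shadowed by an earlier rule, and management access reachable from
an untrusted interface. Added example, not a tool from the thread or RedSeal.
Assumes 'access-list NAME [extended] permit|deny PROTO SRC [op] DST [op]' syntax,
first-match evaluation, and that the interface named 'outside' is untrusted."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53}  # PIX port keywords (subset)

# Constructed sample config; ACL name and addresses are invented for the example.
SAMPLE_CONFIG = """
access-list outside_in remark web servers in the DMZ
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in extended permit tcp any 192.0.2.0 255.255.255.0 eq 443
access-list outside_in extended permit udp any host 192.0.2.53 eq domain
access-list outside_in extended permit ip any 192.0.2.0 255.255.255.0
access-list outside_in extended deny tcp any host 192.0.2.10 eq 23
access-group outside_in in interface outside
ssh 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
"""

@dataclass(frozen=True)
class Rule:
    action: str                  # permit / deny
    proto: str                   # ip / tcp / udp / icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple                 # destination port range; (0, 65535) = any port

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(t, i):
    """Consume one address spec ('any', 'host A', or 'A MASK') at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _ports(t, i):
    """Consume an optional port operator at t[i]; only 'eq' and 'range' are handled."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]), _port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return (0, 65535), i

def parse_pix(config):
    """Return ({acl: [Rule]}, {acl: (direction, interface)}, [(service, net, interface)])."""
    acls, bindings, mgmt = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] in ("extended", "permit", "deny"):
            i = 3 if t[2] == "extended" else 2
            action, proto = t[i], t[i + 1]
            src, i = _addr(t, i + 2)
            _, i = _ports(t, i)             # source-port operator: skipped, not audited
            dst, i = _addr(t, i)
            ports, _ = _ports(t, i)
            acls.setdefault(t[1], []).append(Rule(action, proto, src, dst, ports))
        elif t[0] == "access-group":        # access-group NAME in interface IFACE
            bindings[t[1]] = (t[2], t[4])
        elif t[0] in ("ssh", "http", "telnet") and len(t) == 4:   # SERVICE ADDR MASK IFACE
            mgmt.append((t[0], ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False), t[3]))
    return acls, bindings, mgmt

def open_services(rules):
    """'What ports are open and to where': permitted (proto, destination, port range)."""
    return [(r.proto, str(r.dst), r.ports) for r in rules if r.action == "permit"]

def _covers(a, b):
    """True when rule a matches every packet rule b matches."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and a.ports[0] <= b.ports[0] and a.ports[1] >= b.ports[1]
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))

def find_duplicates(rules):
    """(i, j) pairs where rule j repeats rule i exactly; 'eq 80' and 'eq www' collide."""
    seen, dups = {}, []
    for j, r in enumerate(rules):
        key = (r.action, r.proto, r.src, r.dst, r.ports)
        if key in seen:
            dups.append((seen[key], j))
        else:
            seen[key] = j
    return dups

def find_shadowed(rules):
    """Rules an earlier rule fully covers; under first-match they never fire.
    A shadowed deny is the dangerous case: traffic believed blocked is not."""
    return [j for j, r in enumerate(rules) if any(_covers(rules[i], r) for i in range(j))]

def exposed_management(mgmt, untrusted=("outside",)):
    """ssh/http/telnet management access granted on an interface deemed untrusted."""
    return [(svc, str(net), iface) for svc, net, iface in mgmt if iface in untrusted]
```

On the sample, find_duplicates reports the 'eq 80' / 'eq www' pair, find_shadowed reports that duplicate plus the trailing deny, which the preceding 'permit ip any 192.0.2.0 255.255.255.0' makes unreachable, and exposed_management reports the ssh access open from any address on 'outside'. Feed it a real 'show running-config' and walk each ACL bound by an access-group; anything in the shadowed list is either dead weight or, for a deny, a false sense of security.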