Security Basics mailing list archives

RE: Firewall rulebase audit


From: "Chinnery, Paul" <PaulC () mmcwm com>
Date: Fri, 21 Sep 2007 16:18:35 -0400

I also have a PIX firewall.  If you want to get more detailed, I suggest you subscribe to the Cisco Forums for Firewall
and VPN (http://forum.cisco.com/eforum/servlet/NetProf?page=main).
Great resource.
-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of Brian Laing
Sent: Friday, September 21, 2007 1:20 PM
To: jctx09 () yahoo com
Cc: security-basics () securityfocus com
Subject: Re: Firewall rulebase audit
1) What is the best/easiest way to document a current policy?  
Spreadsheet?? I would like to know what ports (services) are open  
and to where? Also duplicates, etc.? Would it be best just to put  
it in a spreadsheet? Is there a tool for this?

  While you have asked this as one question, it is really several
questions.  There are a variety of tools out there that will help you
with this, depending on which part of this question you are looking at.

Q1 What is the best/easiest way to document a current policy?
Spreadsheet? - Documenting a policy can run the gamut from human
readable (e.g. no internal web servers should be exposed to the
Internet unless they are in the DMZ) to documenting each ACL with
comments as to the purpose of the ACL.  Depending on the level of
documentation needed, different formats would be appropriate.

Q2 I would like to know what ports (services) are open and to where?
- Documenting this can be difficult on multiple levels.  The first
hurdle is simply determining all the traffic that is allowed; with
100s, 1,000s or even 10,000s of rules this can be difficult to impossible
for an individual to do.  The second hurdle is that, while this review of a
single device is difficult, actually documenting what is allowed
should really be done in an end-to-end fashion.  So if there are 3
filtering devices between the Internet and the DMZ, all 3 filter rule sets
must be examined to determine what is actually allowed.  The 3rd
hurdle is to come up with a format that can easily be digested and
kept updated for it to be useful beyond a single audit.  To really
meet these requirements you should use an automated system that
collects the configurations, executes the analysis, and delivers results
on a scheduled recurring basis.  You can take a look at our product;
there is information and a software download on our main page.  I
would be happy to give you a demo as well.  Our product can take many
configs, draw a topology, analyze the topology for misconfigurations
and determine what traffic is allowed.  It can also use that
information to do threat map generation.

Q3 Would it be best to just put it in a spreadsheet? Is there a tool
for this? - As I said earlier, depending on the content and your
audience, a spreadsheet may make the best sense.  See our products and
the others mentioned for the various tools that are out there.

2) Is there a standard analysis checklist to go by when reviewing a
(PIX) firewall policy?

There are numerous standards out there from NIST, Cisco, SANS; these
all cover very similar aspects of the configuration file.  They tend
to take a tack that is more of a best-practices policy check.  Our
product calls these NCCs (Network Configuration Checks).  There are
also checks you should do based on the traffic that is allowed.  For
example, is the management interface of the filter exposed to an
untrusted network such as the Internet?  This type of check is not
really covered in the standard policy / checklists.

I hope this helps.

Cheers,
Brian

--------------------------------------------------------------------
Brian Laing
Chief Security Officer
Cellphone:  +1 650.280.2389
Office:     +1 (888) 845-8169 Ext. 805
Email: brian () redseal net

Redseal Systems – http://www.redseal.net

Instant Visibility.  Threats Averted.
-------------------------------------------------------------------
On Sep 19, 2007, at 1:59 PM, jctx09 () yahoo com wrote:

I have a pair of PIX firewalls that I need to audit. I was hoping
to get some guidelines for doing this. Anything specific to PIX
would be even better.

1) What is the best/easiest way to document a current policy?  
Spreadsheet?? I would like to know what ports (services) are open  
and to where? Also duplicates, etc.? Would it be best just to put  
it in a spreadsheet? Is there a tool for this?

2) Is there a standard analysis checklist to go by when reviewing a
(PIX) firewall policy?

Any help is highly appreciated.

Thank you,
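
The rulebase review Brian describes above (what is open to where, duplicate entries, and whether a management service on the firewall itself is reachable from an untrusted source) as a small added example that is not part of this thread or of any vendor's product. It assumes a subset of the PIX 7.x "extended" ACL syntax (any / host X / net mask, "eq" destination port), a constructed sample ACL, and an assumed list of management ports.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rulebase, not taken from any real device.
SAMPLE_ACL = """
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.20 eq 22
access-list outside_in extended permit tcp any host 192.0.2.1 eq 22
access-list outside_in extended deny ip any any
"""

# Assumed set of services that count as "management" of the filter itself.
MGMT_PORTS = {"22": "ssh", "23": "telnet", "443": "https"}

def _addr(tokens):
    """Consume one address spec (any | host A | A MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_rule(line):
    """Parse one 'access-list NAME extended ...' line; None for other lines."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
    return {"acl": t[1], "action": t[3], "proto": t[4],
            "src": src, "dst": dst, "dport": port}

def audit(config_text, firewall_addrs):
    """Return (rules, open services per destination, duplicate indices, findings)."""
    rules = [r for r in map(parse_rule, config_text.splitlines()) if r]
    exposed, dups, findings, seen = defaultdict(set), [], [], set()
    for i, r in enumerate(rules):
        key = (r["acl"], r["action"], r["proto"], r["src"], r["dst"], r["dport"])
        if key in seen:          # exact duplicate of an earlier entry: dead rule
            dups.append(i)
        seen.add(key)
        if r["action"] != "permit":
            continue
        exposed[str(r["dst"])].add(f"{r['proto']}/{r['dport']}")
        # management service on a firewall address permitted from 0.0.0.0/0
        if (r["dport"] in MGMT_PORTS and r["src"].prefixlen == 0
                and any(a in r["dst"] for a in firewall_addrs)):
            findings.append(f"rule {i}: {MGMT_PORTS[r['dport']]} to firewall "
                            f"{r['dst']} permitted from any")
    return rules, dict(exposed), dups, findings
```

Run against a real PIX `show running-config` the same way, passing the firewall's own interface addresses; entries using object-groups or port ranges are not handled by this subset and would need the parser extended.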

