Firewall Wizards mailing list archives
Re: Verifying your Firewall Setup -> help?
From: Lance Spitzner <lance () stan ksni net>
Date: Sun, 12 Sep 1999 18:54:05 -0500 (CDT)
On Mon, 13 Sep 1999, Pauline van Winsen wrote:
here's my todo list for a firewall:
Pauline,

Great information, this is extremely useful! Unfortunately, I've already identified my first critical error, the title. The paper does not focus on how to build a proper firewall, but how to audit your firewall and your firewall rulebase. So, I've changed the title to better reflect the focus of the paper: "Auditing your Firewall Setup".

Once again, thanks for the great info! If you have any additional comments for the paper, I would greatly appreciate it. Thanks!
- harden the OS & FW-1 - i.e. strip unnecessary network services & kernel modules, remove unnecessary binaries & files, modify permissions to a least privilege stance. the tiger utility or the AUSCERT unix security checklist can help out here for unix systems.
- install vendor & OS patches
- take a baseline of the firewall using a tool like tripwire
- take a backup - making sure to verify the integrity of the backup.
- take a hardcopy printout of important configs like disk-layouts, fw putlic strings etc etc
- put a warning banner/site info into the passwd/registry - if your machine does get hacked & someone "nice" is watching this may help you be notified of the event more quickly, particularly if you don't notice.
- make sure all the logs from your firewall (including fw-1) are being echoed to another log device, usually a machine on your internal network.
- make sure the backup log device shows the same time as your firewall.
- install a utility like SSH for remote admin access. i.e. strong auth & encrypted session.
- configure fw-1 rulebase to permit required traffic only, deny/reject everything else. make sure you understand the implications of the traffic you are permitting. for incoming traffic, check the security of the destination servers.
- put procedures in place to keep the config up to date, regularly update patches, rebuild tripwire database, backup the firewall, read/process the logs.
- organise to have someone sanity check your config on a frequent, but non-periodic basis. i.e. unannounced checks.
- document your config.
- test your firewall, particularly any failover mechanisms.
- when you're happy with all the above, then connect the firewall to the internet.

hope this helps,
pauline
Lance Spitzner http://www.enteract.com/~lspitz/papers.html