Firewall Wizards mailing list archives

Re: Verifying your Firewall Setup -> help?


From: Lance Spitzner <lance () stan ksni net>
Date: Sun, 12 Sep 1999 18:54:05 -0500 (CDT)

On Mon, 13 Sep 1999, Pauline van Winsen wrote:

> here's my todo list for a firewall:

Pauline,

Great information, this is extremely useful!  Unfortunately, I've
already identified my first critical error, the title.  The paper
does not focus on how to build a proper firewall, but how to
audit your firewall and your firewall rulebase.  So, I've changed
the title to better reflect the focus of the paper.

"Auditing your Firewall Setup"

Once again, thanks for the great info!  If you have any additional
comments for the paper, I would greatly appreciate it.

Thanks!


> harden the OS & FW-1 - i.e. strip unnecessary network services & kernel modules,
> remove unnecessary binaries & files, modify permissions to a least
> privilege stance. the tiger utility or the AUSCERT unix security checklist
> can help out here for unix systems.
>
> install vendor & OS patches
>
> take a baseline of the firewall using a tool like tripwire
>
> take a backup - making sure to verify the integrity of the
> backup. take a hardcopy printout of important configs like disk-layouts,
> fw public strings etc etc
>
> put a warning banner/site info into the passwd/registry - if your machine
> does get hacked & someone "nice" is watching this may help you be notified
> of the event more quickly, particularly if you don't notice.
>
> make sure all the logs from your firewall (including fw-1) are being echoed to
> another log device, usually a machine on your internal network. make sure
> the backup log device shows the same time as your firewall.
>
> install a utility like SSH for remote admin access. i.e. strong auth &
> encrypted session.
>
> configure fw-1 rulebase to permit required traffic only, deny/reject everything
> else. make sure you understand the implications of the traffic you are
> permitting. for incoming traffic, check the security of the destination
> servers.
>
> put procedures in place to keep the config up to date, regularly update
> patches, rebuild tripwire database, backup the firewall, read/process
> the logs.
>
> organise to have someone sanity check your config on a frequent,
> but non-periodic basis. i.e. unannounced checks.
>
> document your config.
>
> test your firewall, particularly any failover mechanisms.
>
> when you're happy with all the above, then connect the firewall to the internet.
>
> hope this helps,
> pauline


Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
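An added example, not part of Lance's or Pauline's message, showing how the rulebase item of the checklist ("permit required traffic only, deny/reject everything else", and "for incoming traffic, check the security of the destination servers") can be turned into an automated audit. The rule representation below is a constructed, simplified one and is not Check Point FW-1's own rulebase format; the sample rulebase, its object names and the finding texts are all constructed for the example.

```python
"""Audit a simplified firewall rulebase for the checklist properties:
an explicit any/any/any deny at the end, no overly broad permits,
logging on every permit, and a list of which servers inbound permits
expose.  Rule format is a constructed, simplified representation
(not Check Point FW-1's rulebase format)."""

from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    number: int
    source: str
    destination: str
    service: str
    action: str  # "accept", "drop" or "reject"
    log: bool


# Constructed sample rulebase, deliberately containing a few audit findings.
SAMPLE_RULEBASE = [
    Rule(1, "mgmt-host", "firewall", "ssh", "accept", True),
    Rule(2, ANY, "firewall", ANY, "drop", True),        # stealth rule
    Rule(3, ANY, "dmz-www", "http", "accept", False),   # permit without logging
    Rule(4, "internal-net", ANY, ANY, "accept", True),  # overly broad permit
    Rule(5, ANY, "dmz-mail", "smtp", "accept", True),
    Rule(6, ANY, ANY, ANY, "drop", True),               # cleanup rule
]


def is_cleanup(rule):
    """An any/any/any rule that drops or rejects: the explicit 'deny everything else'."""
    return (rule.source == ANY and rule.destination == ANY
            and rule.service == ANY and rule.action in ("drop", "reject"))


def audit_rulebase(rules):
    """Return a list of (rule_number, finding) tuples for a first-match rulebase."""
    findings = []
    if not rules or not is_cleanup(rules[-1]):
        last = rules[-1].number if rules else 0
        findings.append((last, "last rule is not an any/any/any drop or reject cleanup rule"))
    shadowed_by = None
    for rule in rules:
        # Anything after an any/any/any rule can never match in first-match order.
        if shadowed_by is not None:
            findings.append((rule.number, f"unreachable: shadowed by any/any/any rule {shadowed_by}"))
            continue
        if rule.action == "accept":
            if rule.destination == ANY:
                findings.append((rule.number, "accept rule with destination any"))
            if rule.service == ANY:
                findings.append((rule.number, "accept rule with service any"))
            if not rule.log:
                findings.append((rule.number, "accept rule does not log"))
        if rule.source == ANY and rule.destination == ANY and rule.service == ANY:
            shadowed_by = rule.number
    return findings


def exposed_destinations(rules):
    """Map each server reachable from 'any' source to the services permitted to it,
    i.e. the hosts whose own security must be checked before going live."""
    exposed = {}
    for rule in rules:
        if rule.action == "accept" and rule.source == ANY and rule.destination != ANY:
            exposed.setdefault(rule.destination, []).append(rule.service)
    return exposed


if __name__ == "__main__":
    for number, finding in audit_rulebase(SAMPLE_RULEBASE):
        print(f"rule {number}: {finding}")
    for host, services in exposed_destinations(SAMPLE_RULEBASE).items():
        print(f"exposed: {host} via {', '.join(services)}")
```

Run against the sample, the audit flags rule 3 (unlogged permit) and rule 4 (destination and service both "any"), and reports that dmz-www and dmz-mail are the hosts reachable from anywhere. The same checks apply to any first-match rulebase once its rules are loaded into this shape.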


