Firewall Wizards mailing list archives
Re: Verifying your Firewall Setup -> help?
From: Pauline van Winsen <Pauline.van.Winsen () eserv com au>
Date: Mon, 13 Sep 1999 09:41:12 +1000 (EST)
> I'm finishing up a whitepaper on "Verifying Your Firewall Setup". I'm writing this paper for the FW-1 community, but it should apply to most of the firewall community. I would greatly appreciate it if you gurus could review the final draft before I post it to the public. The paper goes into how to audit a firewall setup and verify its configuration. I would greatly appreciate any comments / recommendations / corrections you may have.
here's my todo list for a firewall:

- harden the OS & FW-1 - i.e. strip unnecessary network services & kernel modules, remove unnecessary binaries & files, modify permissions to a least privilege stance. the tiger utility or the AUSCERT unix security checklist can help out here for unix systems.
- install vendor & OS patches
- take a baseline of the firewall using a tool like tripwire
- take a backup - making sure to verify the integrity of the backup.
- take a hardcopy printout of important configs like disk-layouts, fw public strings etc etc
- put a warning banner/site info into the passwd/registry - if your machine does get hacked & someone "nice" is watching this may help you be notified of the event more quickly, particularly if you don't notice.
- make sure all the logs from your firewall (including fw-1) are being echoed to another log device, usually a machine on your internal network.
- make sure the backup log device shows the same time as your firewall.
- install a utility like SSH for remote admin access. i.e. strong auth & encrypted session.
- configure fw-1 rulebase to permit required traffic only, deny/reject everything else. make sure you understand the implications of the traffic you are permitting.
- for incoming traffic, check the security of the destination servers.
- put procedures in place to keep the config up to date, regularly update patches, rebuild tripwire database, backup the firewall, read/process the logs.
- organise to have someone sanity check your config on a frequent, but non-periodic basis. i.e. unannounced checks.
- document your config.
- test your firewall, particularly any failover mechanisms.
- when you're happy with all the above, then connect the firewall to the internet.

hope this helps,
pauline
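The following is an added example, not code from the original post or from any tool it names. It shows, in POSIX shell, a minimal version of two items from the checklist above: a tripwire-style file baseline that can be rebuilt and re-verified (the "take a baseline" and "rebuild tripwire database" steps), and an allowlist check over a netstat-style listing to spot network services that should have been stripped. The directory paths, the sample listing and the allowed ports (22 for SSH plus 256/257, assumed here to be the FW-1 control and log ports) are assumptions for illustration, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): a tripwire-style baseline/verify
# pair and a listening-port allowlist check. All paths and ports are assumed.

# Pick a SHA-256 tool present on this host (assumption: one of these exists).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# baseline_dir DIR OUTFILE: write "hash path" for every regular file under DIR.
# Sorted so the baseline is deterministic and can be diffed or archived.
# (Paths containing spaces are not handled, to keep the awk below simple.)
baseline_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# verify_baseline DIR BASELINE: recompute the baseline and report every
# ADDED / CHANGED / REMOVED path. Returns 0 only when nothing differs, so it
# can be run from cron and alert on a non-zero exit.
verify_baseline() {
    now=$(mktemp)
    baseline_dir "$1" "$now"
    report=$(awk 'NR==FNR { old[$2]=$1; next }
                  { seen[$2]=1
                    if (!($2 in old))     print "ADDED   " $2
                    else if (old[$2]!=$1) print "CHANGED " $2 }
                  END { for (p in old) if (!(p in seen)) print "REMOVED " p }' \
             "$2" "$now")
    rm -f "$now"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# unexpected_listeners "PORT PORT ...": read netstat-style lines on stdin and
# print each LISTEN port that is not in the space-separated allowlist.
unexpected_listeners() {
    allowed=" $1 "
    grep LISTEN | awk '{print $4}' | sed 's/.*[:.]//' | sort -un |
    while read -r port; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Constructed sample resembling `netstat -an` output on a firewall host.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:256             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:22             10.0.0.5:40000          ESTABLISHED'

# Demo, run with FWAUDIT_DEMO=1 ./fwaudit.sh (hypothetical script name).
if [ "${FWAUDIT_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d); b=$(mktemp)
    printf 'x' > "$d/a"; printf 'y' > "$d/b"
    baseline_dir "$d" "$b"
    verify_baseline "$d" "$b" && echo "baseline ok"
    printf 'z' > "$d/a"
    verify_baseline "$d" "$b" || echo "integrity check FAILED"
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 256 257"
    rm -rf "$d" "$b"
fi
```

The baseline file is only as trustworthy as where it is kept; the post's advice to take a verified backup and a hardcopy of important configs applies to it too, since an attacker who can alter the firewall can alter a baseline stored on it. The listener check is deliberately a plain allowlist: anything not explicitly expected is reported, mirroring the "permit required traffic only" stance of the rulebase.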
Current thread:
- Verifying your Firewall Setup -> help? Lance Spitzner (Sep 12)
- <Possible follow-ups>
- Re: Verifying your Firewall Setup -> help? Pauline van Winsen (Sep 14)
- Re: Verifying your Firewall Setup -> help? Lance Spitzner (Sep 14)