Firewall Wizards mailing list archives

Re: Verifying your Firewall Setup -> help?


From: Pauline van Winsen <Pauline.van.Winsen () eserv com au>
Date: Mon, 13 Sep 1999 09:41:12 +1000 (EST)

I'm finishing up a whitepaper on "Verifying 
Your Firewall Setup". I'm writing this paper 
for the FW-1 community, but it should apply
to most of the firewall community.

I would greatly appreciate if you gurus could
review the final draft before I post it to the
public. The paper goes into how to audit
a firewall setup and verify its configuration.
I would greatly appreciate any comments /
recommendations / corrections you may have.

here's my todo list for a firewall:

harden the OS & FW-1 - i.e. strip unnecessary network services & kernel modules,
remove unnecessary binaries & files, modify permissions to a least
privilege stance. the tiger utility or the AUSCERT unix security checklist 
can help out here for unix systems.

install vendor & OS patches

take a baseline of the firewall using a tool like tripwire

take a backup - making sure to verify the integrity of the
backup. take a hardcopy printout of important configs like disk-layouts,
fw putlic strings etc etc

put a warning banner/site info into the passwd/registry - if your machine
does get hacked & someone "nice" is watching this may help you be notified
of the event more quickly, particularly if you don't notice.

make sure all the logs from your firewall (including fw-1) are being echoed to
another log device, usually a machine on your internal network. make sure
the backup log device shows the same time as your firewall.

install a utility like SSH for remote admin access. i.e. strong auth &
encrypted session.

configure fw-1 rulebase to permit required traffic only, deny/reject everything
else. make sure you understand the implications of the traffic you are
permitting. for incoming traffic, check the security of the destination
servers.

put procedures in place to keep the config up to date, regularly update
patches, rebuild tripwire database, backup the firewall, read/process
the logs.

organise to have someone sanity check your config on a frequent,
but non-periodic basis. i.e. unannounced checks.

document your config.

test your firewall, particularly any failover mechanisms.

when you're happy with all the above, then connect the firewall to the internet.

hope this helps,
pauline
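The rulebase item above ("permit required traffic only, deny/reject everything else") and the later "sanity check your config" item can be partly mechanised. The script below is an added example, not part of the original post or of FW-1; it assumes a simplified rule model (named objects or "any" for source, destination and service) rather than FW-1's own rulebase format, and flags three audit findings: accept rules that are overly broad, rules that can never match because an earlier rule already covers them, and a missing final cleanup rule.

```python
"""Rulebase sanity checks for a default-deny firewall audit (added example)."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    num: int       # position in the rulebase (evaluated top to bottom)
    src: str       # network object name or "any"
    dst: str
    service: str   # e.g. "http", "ssh", or "any"
    action: str    # "accept", "drop" or "reject"


def _covers(broad: str, narrow: str) -> bool:
    """A field covers another if it is 'any' or the same named object."""
    return broad == ANY or broad == narrow


def shadowed_rules(rules):
    """Return (shadowed_rule, earlier_rule) pairs: a rule is shadowed when a
    single earlier rule covers its src, dst and service, so it never matches.
    Partial overlaps are not reported; this is a first-pass check only."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src, r.src) and _covers(earlier.dst, r.dst)
                    and _covers(earlier.service, r.service)):
                out.append((r.num, earlier.num))
                break
    return out


def overly_broad_accepts(rules):
    """Accept rules where at least two of src/dst/service are 'any'."""
    return [r.num for r in rules if r.action == "accept"
            and sum(f == ANY for f in (r.src, r.dst, r.service)) >= 2]


def missing_cleanup_rule(rules):
    """True unless the last rule explicitly drops/rejects any/any/any."""
    last = rules[-1]
    return not (last.src == ANY and last.dst == ANY and last.service == ANY
                and last.action in ("drop", "reject"))


# Constructed sample rulebase; object names are made up for the example.
SAMPLE = [
    Rule(1, "internal", "dmz-www", "http", "accept"),
    Rule(2, "any", "dmz-www", "http", "accept"),
    Rule(3, "admin-net", "firewall", "ssh", "accept"),
    Rule(4, "internal", "any", "any", "accept"),      # too broad
    Rule(5, "internal", "dmz-www", "http", "accept"),  # shadowed by rule 1
    Rule(6, "any", "any", "any", "drop"),              # cleanup rule
]
```

Running `shadowed_rules(SAMPLE)`, `overly_broad_accepts(SAMPLE)` and `missing_cleanup_rule(SAMPLE)` on the sample reports rule 5 as shadowed by rule 1, rule 4 as overly broad, and the cleanup rule as present.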
