Firewall Audit

[patrick.yager at mac.com (Patrick Yager)]

I have seen several references to this, but thought I would emphasize this point.  You will also want to review the 
internal controls regarding the firewall.  Who has access to read/write/change config files (check to see if the 
passwords/configs are stored for recovery somewhere and evaluate who has access), change management procedures and 
segregation (creation, testing, approval), physical security of the device, log review policy and procedures, etc.  
Even if this is a "small shop" there should still be controls over the above processes (documentation of changes and 
events).




 
On Wednesday, June 10, 2009, at 08:48AM, "Chris Bentley" <chris.bentley at sky.com> wrote:
> Thanks for all the suggestion guys,
>
> 2009/6/10 Albert R. Campa <abcampa at gmail.com>
>
> > As far as rules, back in the day we used to have a script that would tell
> > us what hosts/ACLs in the firewalls havent been used for last 30/60 or 90
> > days, then you could proceed to remove them.
> >
> > Some firewall admins add rules in firewalls because customers request them,
> > but the customers dont really know what they need, like when they say they
> > need bidirectional rules, when they might not.
> >
> > Also this script would find out what rules get hit most and those rules
> > could be moved up to the top of the list, to help performance.
> >
> >
> > - deny-all
> >
> > __________________________________
> > Albert R. Campa
> >
> >
> > On Wed, Jun 10, 2009 at 7:21 AM, Paul Asadoorian <paul at pauldotcom.com>wrote:
> >
> > > Chris Bentley wrote:
> > > > Paul/Ron any idea what type of scans I could run using nmap or nessus.
> > > > Also this would make a good technical segment for the show.
> > >
> > > Great question!  See below for answers that are just off the top of my
> > > head:
> > >
> > > 1) nmap -sT -n -T4 -p1-65535 <targets behind the firewall>
> > >
> > > That will take some time, but the connect() scan works better for
> > > firewalls and causes them not to crash/fill up state table.  Always scan
> > > all ports, and you can also mess around with different source ports too.
> > >
> > > 2) nmap -sU -n -T4 -p1-65535 <targets behind the firewall>
> > >
> > > Don't forget UDP!
> > >
> > > 3) Nessus is a vulnerability scanner, but does contain a really sweet
> > > TCP and UDP port scanner.  I'd recommend running it against all ports
> > > using select plugin families.  This way you can also find any
> > > vulnerabilities in your firewall (making certain that the actual IP
> > > address of your firewall is included in the targets) and the systems
> > > behind it.  Also, there are several plugins that test "firewall stuff",
> > > 515 to be exact:
> > >
> > > # find . -name '*.nasl' -print0 | xargs -0 grep -i firewall | wc -l
> > >     515
> > >
> > > :)
> > >
> > > Cheers,
> > > Paul
> > >
> > >
> > > --
> > >  Paul Asadoorian
> > > PaulDotCom Enterprises
> > > Web: http://pauldotcom.com
> > > Phone: 401.829.9552
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com