Security Basics mailing list archives

RE: Evaluating the security level of a firewall


From: "Roger Bou-Aoun" <roger.bouaoun () ndu edu lb>
Date: Wed, 28 May 2003 07:57:23 +0200

Dear Yannick,

Both ways are valid, depending on each party's point of view. However, in
order to configure a firewall, you should attend training and follow
the security policy of the organization where the Internetwork
connection is involved, and the same applies for procedures. Another
suggestion is to subscribe to the vendor mailing list and keep
yourself up to date, in case a vulnerability is found, or new
releases/patches.

However, a firewall alone is not enough in order to protect your servers
or the organization; everything is related to layers, and this approach
is the best one. Not to mention the support of the upper management and
information security auditing: what most of the firms would do is either
hire an auditing company (usually big five) to come and audit the
system; a good approach for security could be either the BS7799-2:2002,
COBIT, NIST... The other thing to do is trying to run a risk assessment
either from the inside (LAN) or the WAN; there are companies specialized
in doing this.

You should take into consideration the type of firewall that is being
used, because you cannot expect a packet filtering firewall to protect
the application layer, nor stateful packet inspection.

In case of the installation of an Intrusion Detection System, depending on
the configuration it might write rules on the firewall, and in some
cases you won't like the result (depending on the configuration and the
brand name of the IDS): it might block all the incoming and outgoing
traffic through the firewall.

Kind Regards
__________________________________________________
Division of Computing Services

Roger Bou-Aoun, Head
Information Security & Internetworking Department
Notre Dame University
Tel: 961-9-218-950 ext 2266
e-mail: roger.bouaoun () ndu edu lb 
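The self-blocking risk Roger describes above (an IDS that writes rules into the firewall and ends up cutting all traffic) is usually avoided by putting guardrails between the alert stream and the rule table. The following is an added example, not code from the thread or from any IDS product; the alert format, the priority scale (Snort-style, 1 = most severe), the protected ranges and the thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List

# Constructed sample IDS alerts: (timestamp, source address, signature, priority).
# Priority follows the Snort convention in which 1 is the most severe.
SAMPLE_ALERTS = [
    ("2003-05-28T07:00:00", "203.0.113.9", "SCAN nmap TCP", 2),
    ("2003-05-28T07:00:05", "203.0.113.9", "SCAN nmap TCP", 2),
    ("2003-05-28T07:00:07", "203.0.113.9", "SCAN nmap TCP", 2),
    ("2003-05-28T07:01:00", "192.168.1.20", "WEB-MISC /etc/passwd access", 1),
    ("2003-05-28T07:01:01", "192.168.1.20", "WEB-MISC /etc/passwd access", 1),
    ("2003-05-28T07:01:02", "192.168.1.20", "WEB-MISC /etc/passwd access", 1),
    ("2003-05-28T07:02:00", "198.51.100.4", "ICMP PING", 3),
    ("2003-05-28T07:02:01", "198.51.100.4", "ICMP PING", 3),
    ("2003-05-28T07:02:02", "198.51.100.4", "ICMP PING", 3),
]

# Ranges the automation must never block: internal networks, management
# hosts, VPN peers. Blocking these is how an IDS "blocks everything".
PROTECTED = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class BlockRule:
    source: str
    reason: str
    expires_at: datetime  # every automatic rule carries an expiry


def is_protected(addr: str, protected=PROTECTED) -> bool:
    """True if the address falls inside a range that must never be auto-blocked."""
    ip = ip_address(addr)
    return any(ip in net for net in protected)


def propose_blocks(alerts, protected=PROTECTED, max_priority=2, threshold=3,
                   window=timedelta(minutes=5), ttl=timedelta(hours=1)) -> List[BlockRule]:
    """Turn raw IDS alerts into short-lived block proposals with three guardrails:
    only signatures at or above `max_priority` count, a source must trip
    `threshold` alerts inside `window`, and protected ranges are never blocked.
    The caller (or an operator) decides whether to push the rules to the firewall."""
    by_source = {}
    for ts, src, sig, prio in alerts:
        if prio > max_priority:
            continue  # low-priority noise (pings, etc.) never drives a block
        by_source.setdefault(src, []).append((datetime.fromisoformat(ts), sig))

    rules = []
    for src, events in by_source.items():
        if is_protected(src, protected):
            continue  # internal/management sources are handled by a human, not a rule
        events.sort()
        times = [t for t, _ in events]
        # Sliding window: does any span of length `window` hold `threshold` alerts?
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                rules.append(BlockRule(src, events[j][1], times[j] + ttl))
                break
    return rules


def blocked_sources(rules: List[BlockRule]) -> List[str]:
    return sorted(r.source for r in rules)


if __name__ == "__main__":
    for rule in propose_blocks(SAMPLE_ALERTS):
        print(f"block {rule.source} until {rule.expires_at} ({rule.reason})")
```

Run against the sample, only the external scanner is proposed for a one-hour block; the internal host is skipped because it sits in a protected range, and the pings never reach the threshold logic because of their priority. Keeping the proposal step separate from the step that actually edits the firewall is what lets an operator review the list before it takes effect.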

-----Original Message-----
From: yannick'san [mailto:yannicksan () free fr] 
Sent: Saturday, May 24, 2003 5:25 PM
To: security-basics () securityfocus com
Subject: Evaluating the security level of a firewall


Hello folks,

Well, a couple of days ago, I had a strong discussion with friends about
how to regularly evaluate the security level of a firewall.

First of all, everybody agreed that we can't install/configure a
firewall and then sleep and consider that everything behind it is in a
secure area. In any security approach we have to think about the "life
cycle" of the firewall. Thus, security managers have to plan for a
recursive process for regularly looking for its state and the
vulnerabilities which could have come out on it. In fact, our discussion
became very strong when we started to talk about the methods we were
using. They told me that they were only evaluating the security
level by regularly launching tools (like nessus) against their firewall.
So, somewhere in a procedure it was clearly written a sentence like this
one:

"We consider (today) that the firewall and its configuration is secure
according to the results given by nessus."... and that's all.

It seems that I was the only one to consider that we could not only
evaluate a security level regarding the results given by this tool
but we also had to look for vulnerabilities in CERTs or CVE. In case of
a 0-vulnerability result, the tools will let us think that the security
level is good while in fact it is completely wrong. I considered that it
was a wrong way of thinking and told them that my sentence would have
been:

"We consider (today) that the firewall and its configuration is secure
according to the results given both by a search on CVE or CERTs
databases and the actual configuration and last update. Nessus (or other
tools) are used to improve our view but are not considered as
sufficient."

I've been told that looking for CVE or CERTs vulnerabilities takes too
long for a lonely security manager who has to deal with a lot
of equipment and other security stuff. They said nessus gives them a
good security view and, without any security organisation to help them,
the task is too hard.

I answered that if a security manager can't take the time to check for
vulnerabilities in specific databases, he must write down somewhere the
reasons and the security consequences of his choice: the reasons and
security consequences of just using tools like nessus. Our discussion
about this subject has covered subjects like process, procedures,
methods, risk analysis (especially identification of the threats),
security management, ..., but finally I was told that most companies do
like them and my approach was not used.

I would like to know your point of view, your experiences, for example: do
you only use nessus (or anything else) and consider the results as
valuable?? Any comments (flame or not) are welcome :)

Thanks in advance.

-Yannick
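Yannick's proposed wording rests on three inputs: an advisory lookup (CVE/CERT), the device's actual version and last update, and the scanner output, with "secure" only when all three are clean. The following is an added example of that review logic, not code from the thread; the product name "ExampleFW", the versions, the dates, and the advisory identifiers of the form ADV-EXAMPLE-nnnn are constructed placeholders standing in for real CVE/CERT entries, and the advisory feed is an inline list rather than a live database query.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    product: str        # firewall product family
    version: str        # installed software version, e.g. "3.4.1"
    last_patched: date  # date of the last applied update


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder for a CVE or CERT identifier
    product: str
    fixed_in: str       # first version that contains the fix
    published: date
    summary: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "3.4.1" into (3, 4, 1) so versions compare numerically, not lexically
    ("3.10.0" must sort after "3.9.9")."""
    return tuple(int(part) for part in v.split("."))


def applicable_advisories(asset: Asset, advisories: List[Advisory]) -> List[str]:
    """Ids of advisories for this product whose fix the asset has not yet received."""
    return [
        adv.advisory_id
        for adv in advisories
        if adv.product == asset.product
        and parse_version(asset.version) < parse_version(adv.fixed_in)
    ]


def review(assets: List[Asset], advisories: List[Advisory],
           scan_findings: Dict[str, List[str]], review_date: date,
           max_patch_age: timedelta = timedelta(days=90)) -> Dict[str, dict]:
    """Combine the three sources: advisory lookup, update state, scanner output.
    A clean scan alone never yields "secure"; open advisories or a stale
    update both force a "needs review" verdict."""
    report = {}
    for asset in assets:
        open_advisories = applicable_advisories(asset, advisories)
        stale = review_date - asset.last_patched > max_patch_age
        findings = scan_findings.get(asset.name, [])
        verdict = "secure" if not (open_advisories or stale or findings) else "needs review"
        report[asset.name] = {
            "open_advisories": open_advisories,
            "stale_update": stale,
            "scan_findings": findings,
            "verdict": verdict,
        }
    return report


# Constructed inventory and advisory feed (not real products or advisories).
ASSETS = [
    Asset("fw-edge-1", "ExampleFW", "3.4.1", date(2003, 5, 1)),
    Asset("fw-lab-1", "ExampleFW", "3.4.2", date(2002, 10, 1)),
    Asset("fw-dmz-1", "ExampleFW", "3.4.2", date(2003, 5, 10)),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "ExampleFW", "3.4.2", date(2003, 5, 20),
             "constructed: management interface flaw, fixed in 3.4.2"),
]
# A scanner that found nothing on any box, i.e. the "0-vulnerability result".
SCAN_FINDINGS = {"fw-edge-1": [], "fw-lab-1": [], "fw-dmz-1": []}
REVIEW_DATE = date(2003, 5, 24)

if __name__ == "__main__":
    for name, row in review(ASSETS, ADVISORIES, SCAN_FINDINGS, REVIEW_DATE).items():
        print(f"{name}: {row['verdict']}  advisories={row['open_advisories']} stale={row['stale_update']}")
```

With the constructed data, every scan is empty, yet only fw-dmz-1 comes out as "secure": fw-edge-1 runs a version older than the advisory's fix, and fw-lab-1 has not been updated in more than 90 days. Writing the verdict rule down in code makes the point of the thread concrete: the scanner's silence is one input, not the conclusion.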

