Security Basics mailing list archives
Re: Firewall rulebase audit
From: c0unter14 <c0unter14 () gmail com>
Date: Thu, 20 Sep 2007 14:48:42 -0500
I've been doing quite a few firewall reviews myself for my clients and believe that tools can be useful only to some extent. Usually tools check for a set of design criteria which do not necessarily hold true for all rule bases. For example, some tools check for the presence of a "clean-up rule", which is the ip deny any any at the end of each rule base. The presence of the clean-up rule is not a necessity, and in a case where the traffic flow has been defined as restricted to a few strict no-no sites and allowed to everything else, this rule won't apply. This was just an example; there are a lot of other aspects wherein tools are not the best option for evaluating the security posture of a firewall.

In my opinion, the firewall rulebase should be inspected on what traffic is allowed to where, with the aim of finding any unwanted exemptions in the rule base. The tools mentioned earlier would be an excellent source for strictly "documenting" what you have in the firewall; however, I would leave the audit to manual checking of the rule base. Having said that, some good tools will surely give you an idea of missing security baselines (if any) in the firewall rulebases. My favourites are nipper and firemon.

Personally I would check for the following:
- disable telnet, allow only SSH
- check for IPs being allowed administrative access to the firewall
- check for any unwanted local accounts (username/pwd)
- ip deny any any at the end of each rulebase (again depends on the logical flow of traffic)
- disable any unwanted incoming traffic "allows" (depends on what applications you have running behind the firewall)
- do not use "allow any any" for outgoing traffic. There should always be some control on outgoing traffic
- any protocol access to an internal destination is usually not recommended
- typically a DMZ should not be allowed to talk to internal hosts unless it is a necessity

These are my 2 cents!
On 9/20/07, Palmer, Mark <mpalmer () hoovers com> wrote:

Take a look at Nipper:
http://sourceforge.net/project/showfiles.php?group_id=191582&package_id=226095

Mark Palmer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Hamm
Sent: Thursday, September 20, 2007 9:22 AM
To: security-basics () securityfocus com
Subject: Re: Firewall rulebase audit

You might want to look at this Excel template; it can be helpful for keeping track of PIX configs.
http://downloads.techrepublic.com.com/download.aspx?&scname=Firewalls&docid=277863
There is an article to go along with it, and several other PIX related checklists etc. on the site.

Murda Mcloud wrote:

Hey, this is a good start point, from Lance Spitzner no less...
http://www.rootprompt.org/article.php3?article=323

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jctx09 () yahoo com
Sent: Thursday, September 20, 2007 7:00 AM
To: security-basics () securityfocus com
Subject: Firewall rulebase audit

I have a pair of PIX firewalls that I need to audit. I was hoping to get some guidelines for doing this. Anything specific to PIX would be even better.

1) What is the best/easiest way to document a current policy? Spreadsheet?? I would like to know what ports (services) are open and to where? Also duplicates, etc.? Would it be best just to put it in a spreadsheet? Is there a tool for this?

2) Is there a standard analysis checklist to go by when reviewing a (PIX) firewall policy?

Any help is highly appreciated. Thank you,
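The two things the thread asks for, an inventory of what is open to where (including duplicates) and a checklist review of the rulebase, can be scripted against an exported config. The following is an added example, not code from the thread or from nipper/firemon: it parses a constructed, simplified PIX-style config (documentation addresses, placeholder password hashes) and applies the checks listed in the post above. Assumptions: only the plain `access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]` form is handled (no object-groups, ranges or ICMP types), `10.0.0.0/8` stands for the internal LAN, and the "missing clean-up rule" result is reported as a review item rather than a failure, for the reason the post gives.

```python
"""Rulebase audit helper (added example): parse a PIX-style config and apply
the audit checklist from the post above. Real PIX syntax has many more forms
(object-groups, port ranges, ICMP types) than this simplified parser accepts."""
from collections import Counter

# Constructed sample config, not a real device. Addresses are documentation
# ranges; password hashes are placeholders.
SAMPLE_CONFIG = """\
hostname pix-example
telnet 192.0.2.0 255.255.255.0 inside
ssh 192.0.2.10 255.255.255.255 inside
username admin password PLACEHOLDER_HASH encrypted
username oldvendor password PLACEHOLDER_HASH encrypted
access-list outside_in permit tcp any host 203.0.113.5 eq 80
access-list outside_in permit tcp any host 203.0.113.5 eq 443
access-list outside_in permit tcp any host 203.0.113.5 eq 80
access-list outside_in permit tcp any host 203.0.113.9 eq 23
access-list dmz_in permit ip host 203.0.113.5 10.10.0.0 255.255.0.0
access-list dmz_in deny ip any any
access-list inside_out permit ip any any
access-group outside_in in interface outside
access-group dmz_in in interface dmz
access-group inside_out in interface inside
"""

INTERNAL_PREFIXES = ("10.",)  # assumption: 10/8 is the internal LAN


def _addr(tokens, i):
    """Consume one address spec (any | host X | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_config(text):
    """Return (rules, acl->interface bindings, management-plane settings)."""
    rules, bindings, mgmt = [], {}, {"telnet": [], "ssh": [], "users": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            i = 2 if t[2] != "extended" else 3
            action, proto = t[i], t[i + 1]
            src, i = _addr(t, i + 2)
            dst, i = _addr(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else "any"
            rules.append({"acl": t[1], "action": action, "proto": proto,
                          "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group":          # access-group NAME in interface IF
            bindings[t[1]] = t[4]
        elif t[0] in ("telnet", "ssh") and len(t) == 4:   # mgmt access: IP MASK IF
            mgmt[t[0]].append(f"{t[1]}/{t[2]} via {t[3]}")
        elif t[0] == "username":
            mgmt["users"].append(t[1])
    return rules, bindings, mgmt


def open_services(rules, bindings):
    """Inventory of permitted (interface, proto, port, destination): the
    'what is open, to where' list the original question asks for."""
    return sorted({(bindings.get(r["acl"], "?"), r["proto"], r["port"], r["dst"])
                   for r in rules if r["action"] == "permit"})


def audit(rules, bindings, mgmt):
    """Apply the checklist; each finding is a tagged one-line string."""
    findings = []
    for key, n in Counter(tuple(r.values()) for r in rules).items():
        if n > 1:                                      # exact duplicate entries
            findings.append(f"DUPLICATE x{n}: {' '.join(key)}")
    by_acl = {}
    for r in rules:
        by_acl.setdefault(r["acl"], []).append(r)
    for acl, rs in by_acl.items():
        iface = bindings.get(acl, "?")
        last = rs[-1]
        if (last["action"], last["proto"], last["src"], last["dst"]) != ("deny", "ip", "any", "any"):
            findings.append(f"REVIEW {acl}: no explicit deny ip any any clean-up rule "
                            "(may be intentional if the flow is deny-few/allow-rest)")
        for r in (x for x in rs if x["action"] == "permit"):
            if (r["proto"], r["src"], r["dst"]) == ("ip", "any", "any"):
                findings.append(f"ALLOW-ANY-ANY {acl} ({iface}): no control on this traffic")
            if r["proto"] == "tcp" and r["port"] in ("23", "telnet"):
                findings.append(f"TELNET {acl}: cleartext telnet permitted to {r['dst']}")
            if r["proto"] == "ip" and r["dst"] != "any":
                findings.append(f"ANY-PROTOCOL {acl}: all protocols allowed to {r['dst']}")
            if iface == "dmz" and r["dst"].startswith(INTERNAL_PREFIXES):
                findings.append(f"DMZ-TO-INTERNAL {acl}: {r['src']} -> {r['dst']}")
    for m in mgmt["telnet"]:
        findings.append(f"MGMT-TELNET: telnet admin access from {m}; prefer SSH")
    for m in mgmt["ssh"]:
        findings.append(f"MGMT-SSH-SOURCE: confirm {m} should have admin access")
    for u in mgmt["users"]:
        findings.append(f"LOCAL-ACCOUNT: confirm '{u}' is still required")
    return findings


if __name__ == "__main__":
    rules, bindings, mgmt = parse_config(SAMPLE_CONFIG)
    for row in open_services(rules, bindings):
        print("OPEN  ", *row)
    for f in audit(rules, bindings, mgmt):
        print("FIND  ", f)
```

The `open_services` table is what you would paste into the spreadsheet; the `audit` output is the list of items to justify or remove by hand, which is where the post above says the real work lies. Running it on the constructed config flags the duplicate port-80 entry, the `permit ip any any` outbound rule, inbound telnet, the DMZ-to-internal any-protocol rule, telnet management access and the two local accounts.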