Security Basics mailing list archives

Re: Firewall rulebase audit


From: c0unter14 <c0unter14 () gmail com>
Date: Thu, 20 Sep 2007 14:48:42 -0500

I've been doing quite a few firewall reviews myself for my clients and believe that tools can be useful only to some 
extent. Usually tools check for a set of design criteria which do not necessarily hold true for all rule bases. For example, 
some tools check for the presence of a "clean-up rule", which is the ip deny any any at the end of each rule base. The 
presence of the clean-up rule is not a necessity, and in a case where the traffic flow has been defined as restricted from a 
few strict no-no sites and allowed to everything else, this rule won't apply. This was just an example; there are a lot of 
other aspects wherein tools are not the best option for evaluating the security posture of a firewall. In my opinion, 
the firewall rulebase should be inspected on what traffic is allowed to where, with the aim of finding any unwanted 
exemptions in the rule base. The tools mentioned earlier would be an excellent source for strictly "documenting" what 
you have in the firewall; however, I would leave the audit to manual checking of the rule base. Having said that, some 
good tools will surely give you an idea of missing security baselines (if any) in the firewall rulebases. My favourites 
are nipper and firemon. 
  
 Personally I would check for the following:
 - disable telnet, allow only SSH
 - check for IPs being allowed administrative access to the firewall
 - check for any unwanted local accounts (username/pwd)
 - ip deny any any at the end of each rulebase (again depends on the logical flow of traffic)
 - disable any unwanted incoming traffic "allows" (depends on what applications you have running behind the firewall)
 - do not use "allow any any" for outgoing traffic. There should always be some control on outgoing traffic
 - any protocol access to an internal destination is usually not recommended
 - typically a DMZ should not be allowed to talk to internal hosts unless it is a necessity
  
 These are my 2 cents!
  
 

 
 On 9/20/07, Palmer, Mark <mpalmer () hoovers com> wrote: 
Take a look at Nipper:
 http://sourceforge.net/project/showfiles.php?group_id=191582&package_id=226095

Mark Palmer


-----Original Message-----
From: listbounce () securityfocus com  [mailto:listbounce () securityfocus com]
On Behalf Of David Hamm
Sent: Thursday, September 20, 2007 9:22 AM
To:  security-basics () securityfocus com
Subject: Re: Firewall rulebase audit

You might want to look at this Excel template, it can be helpful for
keeping track of PIX configs.
 http://downloads.techrepublic.com.com/download.aspx?&scname=Firewalls&docid=277863

There is an article to go along with it, and several other PIX related
checklists etc. on the site.


Murda Mcloud wrote: 
Hey this is a good start point-from Lance Spitzner no less...
http://www.rootprompt.org/article.php3?article=323

-----Original Message----- 
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On
Behalf Of  jctx09 () yahoo com
Sent: Thursday, September 20, 2007 7:00 AM
To: security-basics () securityfocus com
Subject: Firewall rulebase audit

I have a pair of PIX firewalls that I need to audit. I was hoping to get
some guidelines for doing this. Anything specific to PIX would be even
better.


1) What is the best/easiest way to document a current policy? Spreadsheet??
I would like to know what ports (services) are open and to where? Also
duplicates, etc.? Would it be best just to put it in a spreadsheet? Is there
a tool for this?


2) Is there a standard analysis checklist to go by when reviewing a (PIX)
firewall policy?


Any help is highly appreciated.


Thank you,



  
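As an added example, not code from the thread or from any of its posters, the script below applies the manual checks listed in c0unter14's post (telnet vs. SSH, scope of administrative access, local accounts, the clean-up rule, "permit ip any any", any-protocol access to internal destinations, and DMZ-to-internal traffic) to a constructed PIX 6-style configuration fragment. The sample configuration, the assumption that 10.0.0.0/8 is the internal address space, and the check names are all the example's own; a real audit would feed it the output of `show running-config` and adjust `INTERNAL_NETS` to the site's addressing.

```python
import ipaddress

# Constructed PIX 6.x-style configuration fragment for the example (not from any real device).
# It deliberately contains one instance of each condition the post lists.
SAMPLE_CONFIG = """\
username admin password Abc123 encrypted privilege 15
username backupop password Xyz789 encrypted privilege 2
telnet 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.5 255.255.255.255 inside
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-list outside_in deny ip any any
access-list dmz_in permit tcp host 192.0.2.10 host 10.1.2.20 eq 1521
access-list dmz_in permit ip host 192.0.2.11 any
access-list inside_out permit ip any any
access-group outside_in in interface outside
access-group dmz_in in interface dmz
access-group inside_out in interface inside
"""

# Assumption for the example: the internal network is 10.0.0.0/8. Adjust for the real site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Pull local users, telnet/ssh management sources, access-lists and access-groups out of a config."""
    cfg = {"users": [], "telnet": [], "ssh": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "username":
            cfg["users"].append(t[1])
        elif t[0] in ("telnet", "ssh") and len(t) == 4:  # "<svc> ADDR MASK IFACE" (skips "telnet timeout N")
            cfg[t[0]].append((ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False), t[3]))
        elif t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, rest = _parse_addr(t[4:])
            dst, rest = _parse_addr(rest)
            cfg["acls"].setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "line": line})
        elif t[0] == "access-group":  # "access-group NAME in interface IFACE"
            cfg["groups"][t[4]] = t[1]
    return cfg


def _touches_internal(net):
    return any(net.overlaps(n) for n in INTERNAL_NETS)


def audit(text):
    """Return (check_id, message) findings for the checks listed in the post."""
    cfg = parse_config(text)
    findings = []
    if cfg["telnet"]:
        findings.append(("telnet", "telnet management is enabled; allow SSH only"))
    for svc in ("telnet", "ssh"):
        for net, iface in cfg[svc]:
            if net.prefixlen < 32:
                findings.append(("admin-scope", f"{svc} admin access from {net} via {iface} is wider than one host"))
    for user in cfg["users"]:
        findings.append(("local-account", f"local account '{user}' present; confirm it is still needed"))
    iface_of = {acl: iface for iface, acl in cfg["groups"].items()}
    for name, aces in cfg["acls"].items():
        where = f"{name} (interface {iface_of.get(name, 'unapplied')})"
        last = aces[-1]
        if not (last["action"] == "deny" and last["proto"] == "ip" and last["src"] == ANY and last["dst"] == ANY):
            findings.append(("no-cleanup", f"{where}: no explicit 'deny ip any any' at the end; verify intended flow"))
        for ace in aces:
            if ace["action"] != "permit":
                continue
            if ace["proto"] == "ip" and ace["src"] == ANY and ace["dst"] == ANY:
                findings.append(("any-any", f"{where}: 'permit ip any any' -> {ace['line']}"))
            elif ace["proto"] == "ip" and _touches_internal(ace["dst"]):
                findings.append(("ip-to-internal", f"{where}: any-protocol access to internal {ace['dst']}"))
    # DMZ -> internal: permits on the ACL applied to the dmz interface whose destination reaches inside.
    for ace in cfg["acls"].get(cfg["groups"].get("dmz"), []):
        if ace["action"] == "permit" and _touches_internal(ace["dst"]):
            findings.append(("dmz-to-internal", f"dmz_in: DMZ host {ace['src']} may reach internal {ace['dst']}"))
    return findings


if __name__ == "__main__":
    for check, msg in audit(SAMPLE_CONFIG):
        print(f"[{check}] {msg}")
```

The "no-cleanup" result is reported as something to verify rather than as a defect, matching the post's caveat that the clean-up rule depends on the logical flow of traffic; the other checks are straightforward rule-by-rule findings that still need a human to decide whether each allow is justified by an application behind the firewall.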
