Security Basics mailing list archives

Re: Firewall rulebase audit


From: Brian Laing <brian () redseal net>
Date: Fri, 21 Sep 2007 10:19:37 -0700



1) What is the best/easiest way to document a current policy? Spreadsheet? I would like to know what ports (services) are open and to where, also duplicates, etc. Would it be best just to put it in a spreadsheet? Is there a tool for this?

While you have asked this as one question, it is really several questions. There are a variety of tools out there that will help you with this, depending on which part of the question you are looking at.

Q1 What is the best/easiest way to document a current policy? Spreadsheet? - Documenting a policy can run the gamut from human readable (e.g. no internal web servers should be exposed to the Internet unless they are in the DMZ) to documenting each ACL with comments as to the purpose of the ACL. Depending on the level of documentation needed, different formats would be appropriate.

Q2 I would like to know what ports (services) are open and to where? - Documenting this can be difficult on multiple levels. The first hurdle is simply determining all the traffic that is allowed; with 100s, 1,000s or even 10,000s this can be difficult to impossible for an individual to do. The second hurdle is that, while this review of a single device is difficult, actually documenting what is allowed should really be done in an end-to-end fashion. So if there are 3 filtering devices between the Internet and the DMZ, all 3 sets of filter rules must be examined to determine what is actually allowed. The 3rd hurdle is to come up with a format that can easily be digested and kept updated, so that it is useful beyond a single audit. To really meet these requirements you should use an automated system that collects the configurations, executes the analysis and delivers results on a scheduled, recurring basis. You can take a look at our product; there is information and a software download on our main page. I would be happy to give you a demo as well. Our product can take many configs, draw a topology, analyze the topology for misconfigurations and determine what traffic is allowed. It can also use that information to do threat map generation.

Q3 Would it be best to just put it in a spreadsheet? Is there a tool for this? - As I said earlier, depending on the content and your audience a spreadsheet may make the best sense. See our products and the others mentioned for the various tools that are out there.

2) Is there a standard analysis checklist to go by when reviewing a (PIX) firewall policy?

There are numerous standards out there from NIST, Cisco and SANS; these all cover very similar aspects of the configuration file. They tend to take a tack that is more of best-practices policy checking. Our product calls these NCC (Network Configuration Checks). There are also checks you should do based on the traffic that is allowed, for example: is the management interface of the filter exposed to an untrusted network such as the Internet? This type of check is not really covered in the standard policy checklists.

I hope this helps.

Cheers,
Brian

--------------------------------------------------------------------
Brian Laing
Chief Security Officer
Cellphone:  +1 650.280.2389
Office:     +1 (888) 845-8169 Ext. 805
Email: brian () redseal net

Redseal Systems – http://www.redseal.net

Instant Visibility.  Threats Averted.
-------------------------------------------------------------------
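The tabulation and duplicate checks discussed in the reply above, worked through as an added example that is not code from this thread or from RedSeal: a small Python script that parses PIX/ASA-style access-list entries, prints the "what is open, to where" table, flags exact duplicates (the same entry written with `eq www` and `eq 80`), flags entries shadowed by an earlier, broader entry (first match wins, so the later one is dead), and flags to-the-box management access (`ssh`/`telnet`/`http IP MASK IFACE` lines) granted on the untrusted interface. The configuration lines are constructed for the example, only the plain `any`/`host`/`NET MASK` address forms with an optional `eq PORT` are handled (no object-groups or port ranges), and the interface named `outside` is assumed to be the untrusted one.

```python
"""Added example: tabulate what a PIX/ASA-style access-list permits and flag
duplicate, shadowed and exposed-management entries.

CONFIG is constructed for this example. The grammar handled is
'access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT]' with
'any', 'host A.B.C.D' and 'NET MASK' address tokens (PIX 6.x omits the
'extended' keyword). Object-groups and port ranges are out of scope, and
'outside' is assumed to be the untrusted interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CONFIG = """\
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-list outside_in extended permit tcp any host 192.0.2.11 eq https
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
access-list outside_in extended permit tcp any 192.0.2.0 255.255.255.0 eq 22
access-list outside_in extended permit tcp 203.0.113.0 255.255.255.0 host 192.0.2.12 eq ssh
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
telnet 10.1.1.5 255.255.255.255 inside
"""

# Service names PIX accepts in place of port numbers (subset).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23,
                 "smtp": 25, "domain": 53, "ftp": 21}


@dataclass(frozen=True)
class Rule:
    line_no: int
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None: any port, or a protocol without ports (ip, icmp)


def _addr(t, i):
    """Consume one address token group starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(config_text):
    """Return the access-list entries in config order (first match wins on a PIX)."""
    rules = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        i = 3 if t[2] == "extended" else 2
        action, proto = t[i], t[i + 1]
        src, i = _addr(t, i + 2)
        dst, i = _addr(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = int(t[i + 1]) if t[i + 1].isdigit() else SERVICE_PORTS[t[i + 1]]
        rules.append(Rule(n, t[1], action, proto, src, dst, port))
    return rules


def permitted_services(rules):
    """The 'what is open, to where' table: (acl, dst, proto, port, src) per permit entry."""
    return [(r.acl, str(r.dst), r.proto, r.port if r.port is not None else "any", str(r.src))
            for r in rules if r.action == "permit"]


def _key(r):
    return (r.acl, r.action, r.proto, r.src, r.dst, r.port)


def find_duplicates(rules):
    """Line pairs whose entries are identical once service names resolve (eq www == eq 80)."""
    first, dups = {}, []
    for r in rules:
        if _key(r) in first:
            dups.append((first[_key(r)], r.line_no))
        else:
            first[_key(r)] = r.line_no
    return dups


def _covers(a, b):
    """True if every packet matched by b is already matched by the earlier entry a."""
    return (a.acl == b.acl
            and (a.proto == "ip" or a.proto == b.proto)
            and (a.port is None or a.port == b.port)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))


def find_shadowed(rules):
    """(earlier, later) line pairs where the later entry can never match; exact duplicates excluded."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if _covers(earlier, later) and _key(earlier) != _key(later):
                out.append((earlier.line_no, later.line_no))
                break
    return out


def find_mgmt_exposure(config_text, untrusted_ifaces=("outside",)):
    """To-the-box management access on a PIX is granted by 'ssh|telnet|http IP MASK IFACE',
    not by interface ACLs; flag grants on an untrusted interface or open to 0.0.0.0/0."""
    hits = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        t = raw.split()
        if len(t) == 4 and t[0] in ("ssh", "telnet", "http"):
            net = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            if t[3] in untrusted_ifaces or net.prefixlen == 0:
                hits.append((n, t[0], str(net), t[3]))
    return hits


if __name__ == "__main__":
    rules = parse_acl(CONFIG)
    for row in permitted_services(rules):
        print("%-12s %-18s %-4s %-5s from %s" % row)
    print("duplicates:   ", find_duplicates(rules))
    print("shadowed:     ", find_shadowed(rules))
    print("mgmt exposure:", find_mgmt_exposure(CONFIG))
```

On the constructed config this reports line 3 as a duplicate of line 1, line 5 as shadowed by the broader line 4 (SSH to the whole 192.0.2.0/24 from anywhere already covers SSH to .12 from 203.0.113.0/24), and the `ssh 0.0.0.0 0.0.0.0 outside` grant as management exposure. The table rows are what would go into the spreadsheet; for the end-to-end view the reply describes, the same parse would have to be run on every filter in the path and the results intersected, which this single-device script does not attempt.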
On Sep 19, 2007, at 1:59 PM, jctx09 () yahoo com wrote:

I have a pair of PIX firewalls that I need to audit. I was hoping to get some guidelines for doing this. Anything specific to PIX would be even better.

1) What is the best/easiest way to document a current policy? Spreadsheet? I would like to know what ports (services) are open and to where, also duplicates, etc. Would it be best just to put it in a spreadsheet? Is there a tool for this?

2) Is there a standard analysis checklist to go by when reviewing a (PIX) firewall policy?

Any help is highly appreciated.

Thank you,