Educause Security Discussion mailing list archives
Re: Firewall Rule Audit Software/Service
From: Ronald King <ronald.king () MORGAN EDU>
Date: Thu, 16 Aug 2018 11:39:30 -0400
We are in the process of a major revamp of our rules. We recently changed vendors, so some old rules no longer "fit" with the new firewall. We have recently started using spreadsheets for tracking. We have two SOPs for firewall changes. One is used for internal requests for internal communications from our ERP, Server and Network teams. They enter the applicable info into the spreadsheet and notify the security team that a change has been requested. This covers 90% of our requests. For internal communications requests from non-IT personnel or any request for external/Internet-based clients to communicate to internal resources, we use a form that requires approval from department heads. We are a two-man security team with automatic notifications of changes generated by our firewalls sent to both security team members for review and confirmation. This works for us but can be improved. We have a change management process, but firewall changes that are minor are considered routine and do not require review. Major changes and code updates go through the change procedure.

Ron

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
Office: (443) 885-3372
1700 E. Cold Spring Ln., Baltimore, MD 21251
Email: ronald.king () morgan edu
URL: http://www.morgan.edu
Growing the future ... Leading the world
http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf

On Mon, Aug 13, 2018 at 1:52 PM, Frank Barton <bartonf () husson edu> wrote:

Roman, we have something similar... RANCID checks our configs hourly, and emails the entire itsec team of any changes.

Frank

On Mon, Aug 13, 2018 at 1:41 PM, Simanovich, Roman <rsimanovich () usj edu> wrote:

A formal change control policy/process is the best security control for managing authorized administrator changes. I also have a script that runs daily and notifies me of any changes to the firewall config; this can easily be modified to notify the entire team whenever any configuration item is changed.

Thanks,
Roman

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Mandi Witkovsky
Sent: Monday, August 13, 2018 11:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Rule Audit Software/Service

Do you have a formal process that must be followed for an exception to be made? Our problem is that several people have legitimate access to make updates, but getting everyone to follow the same process is a challenge.

Thanks,
mandi

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Simanovich, Roman
Sent: Monday, August 13, 2018 11:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Rule Audit Software/Service

An Excel spreadsheet works great for this; here are the columns I have in mine.

Sequence #
ID
From
To
Source
Destination
Service
Action
NAT/AV/WebFilter/AppControl/IPS/SSL Inspection
Department
Description
Expiration

Thanks,
Roman

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Mandi Witkovsky
Sent: Monday, August 13, 2018 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall Rule Audit Software/Service

I'd love to hear the answer to this one. Even just learning how people tackle documenting and reviewing their rules would be beneficial.

Thanks,
mandi

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Telfer, Will
Sent: Monday, August 13, 2018 11:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Rule Audit Software/Service

We are looking at updating our Firewall Rule Audit structure so that we check over all of our rules at least once a year to verify whether they still need to be in place. Since we have multiple groups & multiple firewalls, each with their own specific set of rules, the goal is to have some central structure where the audit can be recorded. Are any of you using a software or service that provides the ability for multiple users to log in & check off firewall rules? Please feel free to contact me off list if that is better for you.

Thank You,

Will Telfer, M.S.
Information Security Analyst
Information Technology Services
Twitter: @BearAware
Facebook: www.facebook.com/BearAware

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
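As an added example, not code from anyone in this thread: a small Python script that does the two things the replies describe, an annual review pass over a rule register kept in the spreadsheet layout Roman listed (flagging expired rules, rules with no expiration or owning department, and any-source allows that should have gone through the approval form), and a diff of two firewall config snapshots of the kind a daily change-notification job would e-mail to the team. The CSV rows, the rule syntax in the snapshots and the dates are constructed sample data.

```python
# Added example, not from the thread. Audits a rule register in the
# spreadsheet layout Roman listed and diffs two config snapshots the way a
# daily change-notification job would. All data below is constructed.
import csv
import difflib
import io
from datetime import date

# Constructed rule register using the thread's columns (NAT/AV/... column omitted).
REGISTER_CSV = """Sequence #,ID,From,To,Source,Destination,Service,Action,Department,Description,Expiration
1,R-001,inside,dmz,10.1.0.0/16,10.9.0.5,tcp/443,allow,ERP,ERP web front end,2019-06-30
2,R-002,outside,dmz,any,10.9.0.10,tcp/22,allow,,legacy sftp drop,2018-01-31
3,R-003,inside,outside,10.1.5.0/24,any,tcp/80,allow,Network,web egress,
"""

# Constructed "yesterday" and "today" snapshots in a generic rule syntax.
OLD_CONFIG = """rule 1 allow tcp 10.1.0.0/16 -> 10.9.0.5 port 443
rule 2 allow tcp any -> 10.9.0.10 port 22
"""
NEW_CONFIG = OLD_CONFIG + "rule 3 allow tcp any -> 10.9.0.10 port 3389\n"


def audit_register(csv_text, today_iso):
    """Return (rule ID, finding) pairs for rules an annual review should question."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid, exp = row["ID"], row["Expiration"].strip()
        if not exp:
            findings.append((rid, "no expiration date"))
        elif date.fromisoformat(exp) < today:
            findings.append((rid, "expired"))
        if not row["Department"].strip():
            findings.append((rid, "no owning department"))
        if row["Source"].strip().lower() == "any" and row["Action"] == "allow":
            findings.append((rid, "any-source allow; check approval form"))
    return findings


def config_changes(old, new):
    """Return (added, removed) rule lines between two config snapshots."""
    added, removed = [], []
    # n=0 suppresses context lines, so only headers and +/- lines remain.
    for line in difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed
```

Run the two functions from a cron job against the exported register and the nightly config backup, and mail the non-empty results to the whole team rather than one person, as Roman suggests.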