Firewall Wizards mailing list archives
Re: Firewall Audit Programme/checklist
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 16 Mar 1998 12:51:39 -0500
> Has anyone found or got an Audit Program for firewalls? or an audit checklist for firewalls?

I do a lot of training for a "big six" firm and an audit checklist is a fairly common request. I haven't ever given one to anyone, because I don't have one. If you know what you're doing when you audit a firewall, you don't need a checklist. If you don't know what you're doing, you do -- but then you shouldn't be taking someone's money to audit their firewall.

There's one book out called "Practical IT Security Auditing" or "Systems IT Auditing" by Barton Neal. It includes checklists that are semi-useful, BUT the problem, once again, is that it doesn't include what the checklists *MEAN*, which is the information that the auditor really needs. Also, like many audit checklists, it is too hidebound and regulated. The firewall auditing section, for example, appears to assume that you're auditing a firewall-toolkit-based firewall (!) i.e.:

-----
...Ensure that the application gateway firewalls' host operating system (usually UNIX) has been properly modified to disable services that could be used to subvert the security of the firewall software program:
1) Review the /etc/inetd.conf file and the /etc/rc start-up files to ensure that all standard network services have been disabled by commenting out (#) their entries
...
-----

Now, obviously, that's not going to make a lot of sense on a Checkpoint, or a Firewall/Plus, etc. Someone who was using this checklist would either look stupid or would have to know enough about what they're doing to not need it in the first place. :)

It's a tough problem, because there's a methodology but it's really pure systems analysis. You need to start at zero and build facts about the firewall, then understand the significance of those facts in the installed context. It takes a lot of expertise -- more than can be comfortably fit in a book or taught. Even if you did fit it on a checklist or in a book, by the time you had it written down the rules would have changed. :(

The big problem is that IT audit comes from a mainframe background. Mainframes are *simple* to audit. You just have to make sure that RACF is configured right and that the SNADS are connected to the DASD by a JCL or whatever. Out on the Internet, the products mutate overnight, there are dedicated single-process systems that break a lot of rules, and there are lots of applications that are basically undocumented. :(

What you really want isn't a checklist, it's a flow-chart. A really BIG flow-chart that goes kind of like:

if you're looking at a firewall
    look at the policy for incoming traffic
        does it allow http in?
            to what machine?
                what OS is it running?
                are the CGI scripts audited?
                is the httpd up to date?
        does it allow smtp in?
            to what machine?
                what OS is it running?
                if UNIX is sendmail up to date?
                else WTF?
        does it allow other services in?
            what service?
                WTF?

The problem is that the *INTERESTING* stuff is the "WTF" entries and those are also the danger points. :(

I'm not trying to attack you for answering a simple and straightforward question. But, I beg you, if you find a checklist, please don't think it's something you can apply in a simple and straightforward manner.

mjr.
-- 
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
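A worked version of the flow-chart in the post above, added here as an example and not code from the post or the list: it walks a constructed inbound rule list against a constructed host inventory and asks the post's questions of each allowed service, labelling anything without an expected answer with the post's own "WTF". The rule format, the addresses, the inventory fields and the service-to-port map are all assumptions for this example.

```python
from dataclasses import dataclass

# Constructed inventory, rule format and addresses: assumptions made for this example.
INVENTORY = {
    "10.0.0.5": {"os": "unix", "http": {"sw": "apache", "current": True, "cgi_audited": False}},
    "10.0.0.6": {"os": "unix", "smtp": {"sw": "sendmail", "current": False}},
    "10.0.0.7": {"os": "unix", "smtp": {"sw": "sendmail", "current": True}},
}
RULES = [  # "<allow|deny> <proto> <src> -> <host>:<port>"
    "allow tcp any -> 10.0.0.5:80",
    "allow tcp any -> 10.0.0.6:25",
    "allow tcp any -> 10.0.0.7:25",
    "allow tcp any -> 10.0.0.9:1433",
    "deny tcp any -> 10.0.0.6:23",
]
SERVICE_PORTS = {80: "http", 25: "smtp"}  # the services the flow-chart has branches for

@dataclass
class Finding:
    rule: str
    note: str
    severity: str  # "ok", "review", or the post's own "WTF"

def triage_inbound(rules, inventory=INVENTORY):
    # Ask the flow-chart's questions of every inbound 'allow' rule; denies need no audit here.
    findings = []
    for line in rules:
        action, _proto, _src, _arrow, dst = line.split()
        host, port = dst.rsplit(":", 1)
        if action != "allow":
            continue
        service = SERVICE_PORTS.get(int(port))
        target = inventory.get(host)
        svc = target.get(service) if target else None
        if service is None:  # "does it allow other services in? what service? WTF?"
            findings.append(Finding(line, f"port {port} allowed in: what service, and why?", "WTF"))
        elif svc is None:  # a known service, but no inventoried server behind it
            findings.append(Finding(line, f"{service} to {host}: no known {service} server there", "WTF"))
        else:
            before = len(findings)
            if not svc["current"]:  # "is the httpd / sendmail up to date?"
                findings.append(Finding(line, f"{svc['sw']} on {host} is not up to date", "review"))
            if service == "http" and not svc.get("cgi_audited"):  # "are the CGI scripts audited?"
                findings.append(Finding(line, f"CGI scripts on {host} not audited", "review"))
            if service == "smtp" and target["os"] != "unix":  # "if UNIX ... else WTF?"
                findings.append(Finding(line, f"smtp to non-UNIX host {host}: which MTA?", "WTF"))
            if len(findings) == before:
                findings.append(Finding(line, f"{service} to {host} ({target['os']}): no open questions", "ok"))
    return findings
```

Every "WTF" finding is a rule the auditor has to go and understand before signing off; the "review" ones are the dated-daemon and unaudited-CGI questions the post lists under http and smtp.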