Re: Auditing a firewall rulebase

["kevin horvath" <kevin.horvath () gmail com>]

If its an external firewall then you can check to make sure that bogon
lists are being filtered.  In addition check to make sure that
internal ip space is being denied as the source coming from anywhere
else.  Make sure denied rule hits are being logged.  Also check for
ports and protocols that should be denied such as telnet, 1433,
finger, etc inbound.

On Wed, May 14, 2008 at 11:19 AM, arvind doraiswamy
<arvind.doraiswamy () gmail com> wrote:
> Hey Guys,
> What parameters would you look for if you audited a large rulebase for
> an enterprise firewall? These are a few I could think of. Anything
> else that you guys consistently look at when managing/auditing your
> firewalls? Do take note that I'm talking just singularly about the
> rule-base and not other configuration information i.e: I'm not looking
> at things like -- Low console session timeout OR Telnet admin
> interface open etc. I'm looking at just the rulebase this time around.
> Here are my parameters:
>
> Rules which have "any" or an equivalent keyword in them
> Rules where an entire subnet has been granted access to a resource
> Rules where a range of IP addresses has been granted access to a resource
> Rules where a large range of ports has been opened to an IP Address / Addresses
> Rules where there are design issues in the protocol itself
>                eg. Unencrypted traffic
> Rules which are redundant and can be removed from the rulebase
>
> Thanks
> Arvind
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards