Re: Auditing a firewall rulebase

["Lord Sporkton" <lordsporkton () gmail com>]

2008/5/14 arvind doraiswamy <arvind.doraiswamy () gmail com>:
> Hey Guys,
> What parameters would you look for if you audited a large rulebase for
> an enterprise firewall? These are a few I could think of. Anything
> else that you guys consistently look at when managing/auditing your
> firewalls? Do take note that I'm talking just singularly about the
> rule-base and not other configuration information i.e: I'm not looking
> at things like -- Low console session timeout OR Telnet admin
> interface open etc. I'm looking at just the rulebase this time around.
> Here are my parameters:
>
> Rules which have "any" or an equivalent keyword in them
> Rules where an entire subnet has been granted access to a resource
> Rules where a range of IP addresses has been granted access to a resource
> Rules where a large range of ports has been opened to an IP Address / Addresses
> Rules where there are design issues in the protocol itself
>                eg. Unencrypted traffic
> Rules which are redundant and can be removed from the rulebase
>
> Thanks
> Arvind
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

I always spend a decent amount of time making sure that rules are in
the correct order, so a more general deny rule doesnt end up blocking
access to a specific resource just because it was higher on the list,
or vice versa

also comments, any rule with out a comment gets deleted, if it wasnt
important enough to have a comment, its not important enough to still
be here.

high use rules at the top of the list

other than that just what you already said

hope that helps

Lawrence


-- 
-Lawrence
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards