Firewall Wizards mailing list archives
Re: Auditing a firewall rulebase
From: Chuck Benson <chuck () ironponies com>
Date: Tue, 20 May 2008 21:51:39 -0700
Darden, Patrick S. wrote:
If you can tell from logs or otherwise, look for rules that are no longer in use. Look for rules that you do not have a written justification for; if a rule is for a single application or user group, ask if it is still justified.Here's my two cents: -Look for a default deny. -Make sure all rules are performance-based, e.g. most hit rule first in line, etc. to cut down on cpu and bandwidth. --Patrick Darden -----Original Message----- From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of arvind doraiswamy Sent: Wednesday, May 14, 2008 11:19 AM To: firewall-wizards () listserv icsalabs com Subject: [fw-wiz] Auditing a firewall rulebase Hey Guys, What parameters would you look for if you audited a large rulebase for an enterprise firewall? These are a few I could think of. Anything else that you guys consistently look at when managing/auditing your firewalls? Do take note that I'm talking just singularly about the rule-base and not other configuration information i.e: I'm not looking at things like -- Low console session timeout OR Telnet admin interface open etc. I'm looking at just the rulebase this time around. Here are my parameters: Rules which have "any" or an equivalent keyword in them Rules where an entire subnet has been granted access to a resource Rules where a range of IP addresses has been granted access to a resource Rules where a large range of ports has been opened to an IP Address / Addresses Rules where there are design issues in the protocol itself eg. Unencrypted traffic Rules which are redundant and can be removed from the rulebase Thanks Arvind _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
I have eliminated a lot of deadwood with these checks over the years, cruft accumulates.
Chuck Benson _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Auditing a firewall rulebase arvind doraiswamy (May 19)
- Re: Auditing a firewall rulebase Darden, Patrick S. (May 20)
- Re: Auditing a firewall rulebase Chuck Benson (May 27)
- Re: Auditing a firewall rulebase kevin horvath (May 20)
- null routes and VPN's Kerry Milestone (May 20)
- Re: null routes and VPN's Lord Sporkton (May 27)
- Re: Auditing a firewall rulebase Lord Sporkton (May 20)
- Re: Auditing a firewall rulebase R. DuFresne (May 27)
- Re: Auditing a firewall rulebase Paul Melson (May 20)
- Re: Auditing a firewall rulebase Darden, Patrick S. (May 20)