Penetration Testing mailing list archives

Re: Auditing Firewalls


From: Javier Fernández-Sanguino <jfernandez () germinus com>
Date: Wed, 12 Dec 2007 11:27:54 +0100

ahgaber_rehan () yahoo com wrote:

> Hi,
> I just shifted to IT Audit field.
> I was wondering if there is any audit program that can help me audit my 2 Firewalls: Fortigate NGX-R60 and Sidewinder.

Ok. First of all I would suggest you read two documents: the OSSTMM methodology (available at http://www.isecom.org/osstmm/, which has a specific section on firewall testing) as well as NIST's DRAFT Technical Guide to Information Security Testing (http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-115), its Guidelines on Firewalls and Firewall Policy (http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf, which has a specific section on firewall testing) and the Guidelines on Network Security Testing (http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf, which is, however, slightly dated). These will provide some foundation on how you should test a firewall ruleset and even some of the basic tools.

Here are the steps I've used in the past when doing audits:

1.- First of all: know the policy (controls) that should be implemented in the firewall. Do not ask for the actual firewall ruleset but get to know the network diagram and ask (maybe to others): what should be allowed and what not? If you don't do this step you will not be able to understand the firewall ruleset and make recommendations if you see the ruleset deviate from the policy.

2.- Ask for the firewall ruleset, review both the rules and global configuration (some global parameters might change the firewall behaviour) manually (for some technologies, however, see below). Note any differences with what was expected in 1). Ask and learn about the exceptions or strange things in the firewall ruleset. You can use http://csrc.nist.gov/groups/SMA/fasp/documents/network_security/HCW_Firewall_Worksheet.doc, for example, as a documentation template.

You don't need access to the console itself to review the ruleset, although in some cases this is the only alternative because the people managing the firewall don't know how to "export" the ruleset and can only provide (at best) screen shots. Also notice that in many firewalls there are global parameters that might be defined which impact the behaviour of the firewall ruleset. This is the case, for example, of Check Point Firewall-1's "implied" rules and the way zones are defined and assigned to interfaces in Juniper's NetScreens. If you only get the firewall ruleset (who is allowed to talk to whom and using which protocol) you might not be "seeing" the whole picture.

And this is when the last step comes.

3.- Test the firewall ruleset itself. The fact that there is a ruleset defined in a console is not a guarantee that the device is actually using it! (or, what's more common, there might be predefined rules which are not seen in the ruleset).

Test with one (always the same) system through the different networks the firewall is connected to and determine the visibility of other systems in other networks. Once this is done, test with *two* systems (in different networks) and test the visibility between all networks. There is some software you can use for this (besides network scanning tools such as nmap) such as ftester (http://dev.inversepath.com/trac/ftester). IIRC there has been discussion in this same list (in the past) about such tools.

As you said, if the firewall is in production there might be IPS out there blocking your network reconnaissance attempts. You might need to ask the people managing them to whitelist the IPs you are using for testing. Notice, however, that you do not need to do a full network scan (visibility+vulnerability testing) as many tools will do if not properly configured. You just need to do visibility scans to test the firewall ruleset. Unless, of course, the firewall itself implements an IPS (like Check Point's Firewall-1 NG AI and later and many other firewalls) and you want to test that too.

4.- Review the firewall software version. Is it current? Is it supported by the vendor?

5.- If the firewall is running on a standard operating system, review the OS itself. Use the hardening configuration guidelines from NSA (http://www.nsa.gov/snac/downloads_all.cfm?MenuID=scg10.3.1). You can use the tools developed by the Center for Internet Security (http://www.cisecurity.com) to automatically review the OS configuration or the audit scripts from Tiger (http://cvs.savannah.nongnu.org/viewvc/tiger/audit/?root=tiger) to recover the configuration and analyse it offline.

6.- If the firewall is running on a non-standard OS (such as IPSO or SecurePlatform in the Check Point case, or a vendor's OS for appliances) then you will have to read through the vendor's documentation in order to find the hardening guidelines. In some cases you might find some automatic tools; for example, the CIS has a benchmark for Check Point on Secure Platform (http://www.cisecurity.com/bench_checkpoint.html).


In order to review the firewall ruleset you can use some tools to assist you. I know of two I've used in the past: Algosec's Firewall Analyser (http://www.algosec.com/, covers Check Point Firewall-1, Juniper NetScreen, and Cisco PIX) and Yixue (http://yixue.sourceforge.net/, only covers Firewall-1). These tools will provide some guidelines on how the firewall should be configured and might pinpoint specific problems which are common to all firewall configurations. They will not, however, be able to tell you if the ruleset defined in the firewall conforms to the access control policy the organisation wants.


Hopefully these guidelines are useful for you (and maybe to others in the list too!)

Regards

Javier
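The visibility test in step 3 of the message, checked against the policy written down in step 1, as an added example that is not part of Javier's message nor code from any of the tools he mentions. It assumes the policy for the test host's network has been written down as a set of (destination host, TCP port) pairs that should be reachable, and that the scan was run with nmap's grepable output (-oG). The addresses, ports and scan output below are constructed for the example. It goes slightly beyond the message in one respect: a port nmap reports as "closed" is treated as reached, since the firewall passed the probe and the host answered, which is a rule-permitted flow even though nothing listens there.

```python
"""Compare a firewall visibility scan against the expected access policy.

Added example, not part of the original message. It assumes:
- the expected policy (what step 1 of the message produces) is a set of
  (destination host, TCP port) pairs the test host's network may reach;
  the hosts and ports below are hypothetical,
- the observed visibility is nmap grepable output (-oG) from a scan run on
  the test host; SAMPLE_NMAP_GREPABLE is constructed, not a real capture.
"""
import re
from typing import Dict, List, Set, Tuple

# Hypothetical policy for the network the test host sits in: only these
# (host, port) pairs should be reachable through the firewall.
DMZ_POLICY: Set[Tuple[str, int]] = {
    ("10.1.1.10", 80), ("10.1.1.10", 443),   # web server
    ("10.1.1.20", 25), ("10.1.1.20", 443),   # mail relay, webmail
    ("10.1.1.30", 22),                       # jump host (not in the scan below)
}

# Constructed -oG output for: nmap -sS -p 22,25,80,443,3389 -oG - 10.1.1.10 10.1.1.20
SAMPLE_NMAP_GREPABLE = """\
# Nmap 4.20 scan initiated as: nmap -sS -p 22,25,80,443,3389 -oG - 10.1.1.10 10.1.1.20
Host: 10.1.1.10 ()\tStatus: Up
Host: 10.1.1.10 ()\tPorts: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/filtered/tcp//ms-term-serv///
Host: 10.1.1.20 ()\tStatus: Up
Host: 10.1.1.20 ()\tPorts: 22/filtered/tcp//ssh///, 25/open/tcp//smtp///, 80/filtered/tcp//http///, 443/filtered/tcp//https///, 3389/open/tcp//ms-term-serv///
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# States in which the probe reached the target host. "closed" counts: the
# firewall let the SYN through and the host answered with a RST, so the
# ruleset permits the flow even though nothing is listening right now.
REACHED = {"open", "closed", "unfiltered"}


def parse_grepable(text: str) -> Dict[Tuple[str, int], str]:
    """Return {(host, tcp_port): state} from nmap -oG output (TCP only)."""
    seen: Dict[Tuple[str, int], str] = {}
    for line in text.splitlines():
        # Only the "Ports:" line per host carries states; "Status:" lines are skipped.
        m = re.match(r"Host: (\S+) .*?Ports: ([^\t]+)", line)
        if not m:
            continue
        host, ports = m.group(1), m.group(2)
        for entry in ports.split(", "):
            # field layout: port/state/protocol/owner/service/rpc/version
            fields = entry.split("/")
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if proto == "tcp":
                seen[(host, port)] = state
    return seen


def compare_with_policy(policy: Set[Tuple[str, int]],
                        observed: Dict[Tuple[str, int], str]) -> List[Tuple[str, str, int, str]]:
    """Report where the observed visibility deviates from the policy.

    PERMITTED_NOT_IN_POLICY: the probe reached a host/port the policy denies.
    BLOCKED_BUT_EXPECTED:    a flow the policy allows is filtered.
    NOT_TESTED:              an allowed flow the scan never probed; it is
                             unverified, not verified.
    """
    findings: List[Tuple[str, str, int, str]] = []
    for (host, port), state in sorted(observed.items()):
        allowed = (host, port) in policy
        reached = state in REACHED
        if reached and not allowed:
            findings.append(("PERMITTED_NOT_IN_POLICY", host, port, state))
        elif not reached and allowed:
            findings.append(("BLOCKED_BUT_EXPECTED", host, port, state))
    for host, port in sorted(policy):
        if (host, port) not in observed:
            findings.append(("NOT_TESTED", host, port, "-"))
    return findings


if __name__ == "__main__":
    observed = parse_grepable(SAMPLE_NMAP_GREPABLE)
    for kind, host, port, state in compare_with_policy(DMZ_POLICY, observed):
        print(f"{kind:24} {host}:{port} ({state})")
```

Run it once per source network with the same test host, feeding it that network's policy set and the -oG file from that run; the NOT_TESTED entries tell you which allowed flows still need a probe, which matters when the scan is restricted to the policy's ports rather than a full sweep (as the message recommends to avoid tripping an IPS).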






