Re: Firewall Audit program
comp.security.firewalls archive


From: DigitalVinyl <DigitalVinyl@internet.com>
Date: Sun Nov 27 2005 - 15:41:04 CET

"Amit Gupta" <guptaamitu@gmail.com> wrote:

>I have to do a thorough review of the PIX and Checkpoint firewall and can
>anyone send me the detailed audit program for the same.
>
>Thanks a lot.. in advance
>
>Regards
>
>Amit

Doing a review of a firewall policy, especially one of any size, is a
useless attempt by mis-management to fix what they've broken and
screwed up in the past, repeatedly.

Every entry to a firewall must be scrutinized when it is being made,
and only open that which you need and nothing more. I have never
worked in any organization that was willing to take measures to review
policy. ONE--it is dangerous to review policy cause it means
documenting out to many parties what the firewall rules are. TWO--you
are documenting screwups which managers will seek to hide. THREE--most
app developers and operations people DON'T know what ports they use so
they will never tell you to shut things down out of fear of causing an
outage. FOUR--it can be a huge task.

If you've got few enough servers you can make some scans from
specific networks, but every source network can have different
accessibility, so the larger the network the more implausible it
becomes. Especially with various hosts.

An alternative is to focus on specific hosts and use extensive
syslogging and reporting to examine what the servers actually do.

Review best practices and check if you follow them. Do you permit
NetBIOS calls to traverse an internet firewall? Do you allow ALL
outbound ports? This encourages worms, trojans, p2p, and more. Do you
stop all inbound traffic? Do you filter out all bogon sources? Do you
block all private IP addresses in and out?

When a server is retired, mark the retiring rules for deletion and
craft new rules fresh. Lock things down appropriately. Organize a
change in rules for a specific app by using traffic in syslog to
define a tighter set of rules. Monitor DENY and NO TRANSLATION errors
for hosts that you've changed rules for to detect missed traffic and
be prepared to create rules on the fly to amend permission.

I've inherited several misconfigured firewalls and this is the only
way I can see to clean things up. One has over 4,000 lines in the
config. Getting people to redefine the port needs for a hundred+
different servers is just not gonna happen.

Received on Sat Dec 3 04:18:29 2005
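The best-practice questions in the post above (NetBIOS across the internet firewall, all outbound ports open, inbound default, bogon and private source addresses), turned into a small first-match rule audit. This is an added example, not code from the poster or from PIX/Checkpoint; the rule dictionary format, the sample policy and the bogon list are constructed assumptions for illustration.

```python
# Constructed audit helper for the checklist in the post above; the rule
# dict format is an assumption for illustration, not PIX or Checkpoint syntax.
import ipaddress

NETBIOS_PORTS = {137, 138, 139, 445}
# RFC 1918 space plus a few well-known bogon ranges (deliberately not exhaustive)
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def is_bogon(cidr):
    """True if the whole prefix lies inside a private or bogon range."""
    if cidr == "any":
        return False
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(b) for b in BOGONS)


def audit(rules):
    """Walk rules in order (first match wins) and return (index, finding) pairs.
    Each rule: action permit|deny, direction in|out, src, dst (CIDR or 'any'),
    proto, dport (int or 'any')."""
    findings = []
    private_denied = {"in": False, "out": False}   # explicit bogon deny seen yet?
    for i, r in enumerate(rules):
        d = r["direction"]
        if r["action"] == "deny":
            if is_bogon(r["src"]):
                private_denied[d] = True
            continue
        if r["dport"] == "any":
            findings.append((i, f"permits all {d}bound ports"))
        elif r["dport"] in NETBIOS_PORTS:
            findings.append((i, f"permits NetBIOS/SMB port {r['dport']} {d}bound"))
        if d == "in" and is_bogon(r["src"]):
            findings.append((i, "permits a private/bogon source address inbound"))
        if r["src"] == "any" and not private_denied[d]:
            findings.append((i, f"permits 'any' source {d}bound with no earlier deny of private/bogon addresses"))
    return findings


# Constructed sample policy (RFC 5737 documentation addresses), not a real config
SAMPLE_RULES = [
    {"action": "deny", "direction": "in", "src": "10.0.0.0/8", "dst": "any", "proto": "ip", "dport": "any"},
    {"action": "permit", "direction": "in", "src": "any", "dst": "203.0.113.10/32", "proto": "tcp", "dport": 445},
    {"action": "permit", "direction": "out", "src": "any", "dst": "any", "proto": "ip", "dport": "any"},
    {"action": "permit", "direction": "in", "src": "any", "dst": "203.0.113.20/32", "proto": "tcp", "dport": 80},
]

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
```

The sample policy yields three findings: the SMB permit inbound, the any-port outbound rule, and the outbound rule lacking an earlier private-address deny.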