Transcription

1

2

3 Acknowledgements HRD Division Department of Electronics and Information Technology Ministry of Communications and Information Technology Government of India

4

5

6

7 AUDITING FIREWALL Page 1

8 Security Audit Checklist # Audit Check Current Setting. 1. Audit Check: Record Critical Parameters of Device S. No. Parameter Current Value 1. Device Make & Model 2. License Validity 3. CPU Utilization 4. Memory Utilization 5. Disk Utilization Page 2

9 # Audit Check Current Setting. 2. Audit Check: Check the hostname configured on device. How to Check: For checking Hostname Go to terminal of the device and Login as User/Admin and type the command as Show hostname Using GUI: Login as admin/user Go to Network Management Host and DNS Recommended Setting: Hostname should be configured as per the Policy of the organization 3. Audit Check: Check for MOTD Banner message? Check Pre-Login or Post-Login Banner with legal warning is configured. How to Check: Login as Admin/user Go to System Management Messages Page 3

10 # Audit Check Current Setting. Checking After providing the wrong credentials whether we are getting the MOTD message or not: Page 4

11 # Audit Check Current Setting. Recommended Solution: Proper banner should be configured as per the Policies. Pre-Login and Post-Login with a legal warning should be configured as a due care. Page 5

12 # Audit Check Current Setting. 4. Audit Check: Check for Encrypted Password for user/admin. How to Check: For checking Encrypted Password for user/admin Go to terminal of the device Login as User/Admin and type the command as Show configuration Recommended Setting: Password should be encrypted for admin and users as per Security Policies. Page 6

13 5. Audit Check: Check for the status of network interfaces. How to Check: Go to Login as monitor (Gaia) view mode advanced network management Network Interfaces Recommended Setting: To minimize the possibility of any unauthorized access to the device or network resources, all unused interfaces should be administratively shutdown as per the Policies. Page 7

14 6. Audit Check: Check for user/admin roles. How to Check: Login as admin/user go to User Management Users Login as admin/user Go to User Management Roles Recommended Setting: There are 7 accounts which have admin Role for security considerations at least two admin accounts should be created with IP address to MAC binding. 7. Audit Check: Check for the account lock account policy How to Check: Log in as admin using the web interface: Go to view mode advanced user management Password Policy Page 8

15 Go to Checkpoint Smart Dashboard Global Properties Log and Alert Security Management Access Page 9

16 Recommended Setting: Account lockout policy as per Cyber Security Policies for Government of India (Ref. Annexure1). 8. Audit Check: Check for the session idle Timeout configuration Settings. Page 10

17 How to Check: Login as admin/user go to Advance System Management Session Recommended Setting: As per the Password Management Guidelines Active sessions of a User shall be terminated after pre-defined duration of inactivity, say 15 minutes. Page 11

18 9. Audit Check: Check for System Logging option How to Check: Login as admin/user go to Advance System Management System Logging Recommended Setting: As per the Cyber Security Policies for Govt. of India the logging should be enabled. Page 12

19 10. Audit Check: Check the Backup plan for Checkpoint Firewall (Gaia) configuration How to Check: Login as admin/user (Terminal) Type command show backups, show backup last-successful, show backup logs, show backup status. Recommended Setting: As per the Security Policies the device shall be backed up at least once in a three months. 11. Audit Check: Check the Auto/Manual update settings. How to Check: Login as admin/user Go to Advance Software Updates Software Updates policy Page 13

20 Recommended Setting: Ensure that the latest patches and updates are applied to the firewall components manually are thoroughly tested and then applied to the security device as per the Security Policies of the Organization. Page 14

21 12. Audit Check: Check Support for SNMP version and Default community string. How to check: Login as admin/user go to Advance System Management SNMP Recommended Setting: SNMPv3 should be used and default community string (for example, public ) shall not be used as per the Cyber Security Policies of the Organization, 13. Audit Check: Check for Primary and Secondary DNS Servers. How to Check: Login as admin/user Go to Advance Network Management Host and DNS Recommended Setting: Configure DNS Servers to make sure the availability of Updates from checkpoint Cloud as per Cyber Security Policies for Government of India. 14. Audit Check: Check Data leak prevention Configuration (If Supported) How to Check: Go to Checkpoint Smart Dashboard Data Loss Prevention Overview Page 15

22 Recommended Setting: Threat prevention cyber security appliances and specialized Software Blades enable you to protect your network with multi-layered defense against cyber-attacks. For best security practice it should be enable. Page 16

23 15. Audit Check: Check for any unsecure services (http, FTP and telnet) are enabled. How to Check: Login as admin/user Go to Checkpoint Smart Dashboard Firewall Policy Recommended Setting: The unsecure services like (http, FTP and telnet) should be disabling as per the Cyber Security Policies of the organization. 16. Audit Check: Check for the AAA authentication. How to Check: For checking AAA authentication Go to terminal of the device login as user or admin type command Show aaa tacacs-servers list. Recommended Setting: Implement AAA authentication mechanism as AAA server is meant to make user configuration and other administration tasks centralized and convenient for the large network. Create separate username and password for each user of network team. Sharing of username and password should be strongly discouraged. 17. Audit Check: Check NTP Settings for device time synchronization. How to Check: Login as admin/user go to Advance System Management Time Page 17

24 Login as admin/user go to Advance System Management Display Format Page 18

25 Recommended Setting: As per the Cyber Security Policies of the Organization, Time and Date synchronization should be happen with the centrally managed NTP server. 18. Audit Check: Check for Password Policy settings. How to Check: Login as admin/user go to Advance User Management Password Policy Page 19

26 Page 20

27 Page 21

28 For checking Password Policy go to terminal of the device login as user or admin type command show configuration passwordcontrols all Recommended Setting: Implement Password policy and account lockout policy as per Cyber Security Policies of the Organization. 19. Audit Check: Use of Any in permit statements in the rule base should be avoided How to Check: Go to Checkpoint Smart Dashboard Firewall Policy Recommended Setting: Use of Any in permit statements in the rule base should be avoided as per Cyber Security Policies of the Organization. 20. Audit Check: Check for Deny all unless explicitly allowed policy or last rule to drop and log all packets shall be defined. How to Check: Go to Checkpoint Smart Dashboard Firewall Policy Recommended Setting: Explicit deny or cleanup rule should be configured as a last rule of the policy, logging should also be enabled for the same as per Cyber Security Policies of the Organization. Page 22

29 21. Audit Check: All objects names, object groups and the Policy rules should be properly commented with the following details: Creation date, validity, authorized by and the purpose of creation. How to Check: Go to Checkpoint Smart Dashboard Firewall Policy Recommended Setting: All object, Object Groups and policy rules should be configured with the details like Creation date, validity, authorized by and the purpose of creation in the comments field. It is also suggested that a proper change management process should be followed for any changes made in the configuration. 22. Audit Check: Firewall should be deployed in High-Availability mode. How to Check: Go to Checkpoint Smart Dashboard Network object Checkpoint Select hostname ClusterXL and VRRP Recommended Setting: Firewall should be deployed in High-Availability mode as per Cyber Security Policies for Government of India. Audit Check: Following global properties should be checked as per best practices. 23. a) Drop out of state TCP packets" profile must be enabled. How to Check: Go to Checkpoint Smart Dashboard Global Properties Stateful Inspection Recommended Setting: Drop out of state TCP packets" should be enabled for best security practice. Page 23

30 23. b.) Accept ICMP request must be unchecked. How to Check: Go to Checkpoint Smart Dashboard Global Properties Firewall Page 24

31 Recommendation: Accept ICMP request should be enable for best security practice so that no unauthorized user can t ping firewall/cluster. c.) Drop Out of state ICMP packets must be enabled. How to Check: Go to Checkpoint Smart Dashboard Global Properties Stateful Inspection Page 25

32 Recommended Setting: Drop Out of state ICMP packets should be enable for best security practice. d) Enable Delayed Authentication for Brute Force password guessing protection. Page 26

33 How to Check: Go to Checkpoint Smart Dashboard Global Properties Firewall Authentication Recommendations: Delayed authentication should be enabled as it will protect the device against Brute Force attack. e) Hit count should be enabled for at least last 3 months. How to Check: Go to Checkpoint Smart Dashboard Global Properties Hit Count Page 27

34 Recommendations: Hit count should be enabled for at least last 3 months so that we can analysis the data traffic and unused interface for the past three months and update the policy/rules accordingly. Page 28

35 24. Audit Check: Available security features/ blades like (IPS, Anti-Bot, Anti-Virus, Identity Awareness etc ) should be checked as per policy. How to Check: Go to Checkpoint Smart Dashboard Network object checkpoint select hostname General properties Recommendations: Enable (Blades) like IPS, URL Filtering, Application Control, Anti-Virus, Anti-BOT, Anti-Spam and Mail, DLP etc., to make the optimal use of available device features as per the Cyber Security Policy of the Organization. 25. Audit Check: Check for Account Inactivity time-out. How to Check: Go to Login as monitor (Gaia) view mode Advanced System Management Session Page 29

36 Recommendation: Active sessions of a user shall be terminated after pre-defined duration of inactivity, say 15 minutes as per the Cyber Security Policy of the Organization India. 26. Audit Check: Check for Log for implied rules. How to Check: Go to Checkpoint Smart Dashboard Global Properties Firewall Page 30

37 Recommendation: Implied rules allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections option allows packets that control these services: Installing the security policy on a Security Gateway Sending logs from a Security Gateway to the Security Management server Connecting to third party applications, such as RADIUS and TACACS authentication servers So the Log for implied rules should be enabled as per the Cyber Security Policies of the Organization. Page 31

38 27. Audit Check: DNS Service is configured with both TCP and UDP and check the DNS server configured for name resolution. How to Check: Check the DNS service object inside the firewall objects. Recommended Solution: As per Cyber Security Policies for Government of India, it is recommended to restrict the DNS Service to UDP port 53 Page 32

39 28. Audit Check: Check for the Unused objects and policy rules should be removed from the configuration. How to Check: Go to Checkpoint Smart Dashboard Firewall Overview Recommended Solution: Unused and disabled policies should be removed from configuration to optimize the device performance. Page 33

40 ANNEXURE 1 Password Policy: It is recommended to enforce Password Policy settings as shown below Password Policy for User: Policy Secure Setting Password Policy 1. Enforce Password History 24 Passwords 2. Maximum Password Age 120 Days 3. Minimum Password Age 1 Days 4. Minimum Password Length 10 Characters 5. Passwords Must Meet Complexity requirements Enabled 6. Store Password Using Reversible Encryption Disabled Account Lockout Policy 7. Account Lockout Duration 30 Minutes 8. Account Lockout Threshold 5 Invalid Login Attempts 9. Reset Account Lockout Threshold After 30 Minutes Password Policy for Administrator: Policy Secure Setting Password Policy 1. Enforce Password History 24 Passwords 2. Maximum Password Age 120 Days 3. Minimum Password Age 1 Days 4. Minimum Password Length 15 Characters 5. Passwords Must Meet Complexity requirements Enabled 6. Store Password Using Reversible Encryption Disabled Account Lockout Policy 7. Account Lockout Duration 30 Minutes 8. Account Lockout Threshold 3 Invalid Login Attempts 9. Reset Account Lockout Threshold After 30 Minutes Page 34

41 CONTRIBUTED BY: 1. Mr Ch A.S Murty 2. Mr Tyeb Naushad 3. Mr Devi Satish 4. Mr Shrinath Rusia 5. Ms Vertika Singh 6. Mr Vinay Kumar C-DAC, Hyderabad Page 35

42

43

44