Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited

Size: px

Start display at page:

Download "Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited"

Meredith Davidson
8 years ago
Views:

1 Firewall Audit Techniques K.S.Narayanan HCL Technologies Limited

2 Firewall Management Technology Network Security Architecture Firewall Placement Firewall Appliance Rule base compliance with security policy Application Layer Controls Port Restrictions Anti-Spoofing / Topology controls Remote Access / VPN Firewall Availability Penetration Testing Process Risk Assessment Change Management Configuration Management Access control / Privileges ID Management Backup Monitoring Review Process Audit 2

controls Remote Access / VPN Firewall Availability Penetration Testing Process Risk Assessment Change

3 Agenda Understanding the Firewall architecture / Zone classification Organization s Network Security Policy Basic concepts of a Firewall Rule base Mapping rule base to security policy Firewall Management Process Best practices Audit checklist 3

concepts of a Firewall Rule base Mapping rule base to

4 Sample Firewall Diagram Internet Border Router LAN 4

5 Sample Firewall Diagram OWA Mail Relay ContentDMZ Filter Proxy NIDS Internet Border Router LAN 5

6 Sample Firewall Diagram OWA ContentDMZ Filter Corp Network-A Mail Relay Proxy NIDS LAN-Insurance NIDS Internet Border Router NIDS Proxy Mail File/Print Intranet NIDS LAN- Retail CSN-DMZ Retail Network 6

Internet Border Router NIDS Proxy Mail File/Print

7 Firewall Zones Zones establish the security borders of the network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of the network. 7

8 Sample Firewall Diagram OWA ContentDMZ Filter Corp Network-A Mail Relay Proxy NIDS LAN-Insurance NIDS Internet Border Router NIDS Proxy Mail File/Print Intranet NIDS LAN- Retail CSN-DMZ Retail Network 8

9 Zone Policy - Example DMZ- INBOUND Action Source Destination Port Protocol Controls Further options Allow Any DMZ-OWA 443 TCP HIDS Hardening Allow Any DMZ-SMTP Relay 25 TCP HIDS Virus Control SPAM Control Anti-Relay Allow CSN-Proxy DMZ-Proxy 3128 TCP URL Control ActiveX,Java Script Control Virus Control NAT Authentica tion NAT Comment Allow HTTPS Webmail access Allow SMTP relay access Allow Internet resource access DMZ- OUTBOUND Action Source Destination Port Protocol Controls Further options Comment Allow SMTP Relay Any 25 TCP HIDS Virus Control SPAM Control Anti-Relay NAT (Should not allow traffic to other zones except External) Allow out Allow DMZ-Proxy Any 80/443 TCP URL Control ActiveX,Java Script Control Virus Control NAT (Should not allow traffic to other zones except External) Allow Internet resource access 9

Internet resource access DMZ- OUTBOUND Action Source Destination Port Protocol Controls Further options Comment Allow SMTP Relay Any 25 TCP HIDS Virus Control SPAM Control Anti-Relay NAT (Should not

10 Firewall Rules - Example Source Destination Port Action Log Comment / Allow Log Htttps access to cropweb. CR-FW Updated by Ramesh 10/Jan/2005 Any Allow None Allow SMTP relay access CR-FW Rule implemented by Madhu 23/03/2004 any@us-sales ,80,21 Auth-Encrypt Log Allow US Sales to access Sales Report Web/ftp CR-FW

CR-FW-00201 Updated by Ramesh 10/Jan/2005 Any 202.192.12.

11 Mandatory Firewall Rules Mandatory Rules Action Source Destination Port Protocol Controls Further options Comment Drop Any Firewall Any Any LOG Stealth Rule Drop Any Any Any Any LOG Cleanup Rule 11

options Comment Drop Any Firewall Any Any LOG

12 Firewall Rule Base order (FW-1) User Authentication Rules VPN Access Rules Stealth Rule Zone ACL Rules Cleanup Rule 12

13 Principles Firewall Policies to be configured for minimum requirement. Need to Know Access to firewall devices is to be in strict accordance with the principle of least privilege. Access based on business requirements only 13

14 Change Management Documented and verifiable change management Change Request Form Detailed Conversation Map ( Source / Destination / Port / Protocol ) Purpose of the change Expiry Date Business Approval Exception Process Process to approve rules which violates Network Security Policy Coverage Rule creation / Modification / deletion NAT rule changes Routing changes Firewall Appliance configuration changes 14

Approval Exception Process Process to approve rules which violates Network Security Policy Coverage

15 Operating Procedures Backup Configuration and Policies Best practices recommended by the vendor should be followed ID Management Firewall Administrator ID VPN users Firewall Users Access Control Access to firewall device 15

followed ID Management Firewall Administrator ID VPN

16 Operating Procedures Monitoring & Logging Policy on Firewall Logging Compliance Requirements Retention Period Log Monitoring Roles and Responsibilities Review Firewall rule review process Audit Internal Audit Penetration Test 16

Period Log Monitoring Roles and Responsibilities Review

17 Best Practices Defined Firewall Zone ( Green, Red, Blue zone etc.,) Network Security Policy What is allowed? What is denied? Policy on dangerous protocols like remote desktop, Tunneling protocols etc., Change Management Process Explicit exception process Firewall Rule Review process No Single point of failure architecture NIDS integration Periodic Penetration testing 17

Policy on dangerous protocols like remote desktop, Tunneling protocols etc.

18 Recommended Approach Where to start? Understand the Firewall/ Security Zones Understand the protection objective What to verify? Firewall rules in compliance with the protection objective Excessive permissions Change control Firewall rule reviews VPN Users Remote Management Backup / Patch management 18

19 Audit Checklist 1. Develop background information about the firewall zones 2. Determine the objectives and protection requirements Security Policy 3. Is firewall rule base match the organization security policy? 4. Look for excessive permissions 5. Is firewall configured for minimum requirements? 6. Check the Change control process 7. Who all have access to firewall box? 8. Is there a Firewall rule review process? 9. Approval process for VPN / Remote access users 10. Is there a Remote Management of firewall? Is controls adequate? 11. Verify Backup / Patch management 12. Physical Security of the firewall device 13. What is the recovery strategy? Is there a test to confirm? 14. Log review and monitoring 15. Review latest Penetration testing report 19

Who all have access to firewall box? 8. Is there a Firewall rule review process? 9. Approval process for VPN / Remote access users 10. Is there a Remote Management of firewall?

20 Reference NIST Guidelines on Firewalls and Firewall Policy ISACA IS AUDITING PROCEDURE - FIREWALLS - DOCUMENT P6 20

pdf ISACA IS AUDITING PROCEDURE - FIREWALLS - DOCUMENT P6

21 Thank You K.S.Narayanan

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams