Firewall Audit Techniques
K.S.Narayanan
HCL Technologies Limited
Firewall Management

Technology
- Network Security Architecture
- Firewall Placement
- Firewall Appliance
- Rule base compliance with security policy
- Application Layer Controls
- Port Restrictions
- Anti-Spoofing / Topology controls
- Remote Access / VPN
- Firewall Availability
- Penetration Testing

Process
- Risk Assessment
- Change Management
- Configuration Management
- Access control / Privileges
- ID Management
- Backup
- Monitoring
- Review Process
- Audit
Agenda
- Understanding the firewall architecture / zone classification
- Organization's Network Security Policy
- Basic concepts of a firewall rule base
- Mapping the rule base to the security policy
- Firewall management process
- Best practices
- Audit checklist
Sample Firewall Diagram (figure; components shown): Internet, Border Router, LAN

Sample Firewall Diagram (figure; components shown): Internet, Border Router, Content Filter, DMZ (OWA, Mail Relay, Proxy), NIDS, LAN

Sample Firewall Diagram (figure; components shown): Internet, Border Router, NIDS, Content Filter, DMZ (OWA, Mail Relay, Proxy), Corp Network-A (Proxy, Mail, File/Print, Intranet, NIDS), LAN-Insurance (NIDS), LAN-Retail, CSN-DMZ, Retail Network (NIDS)
Firewall Zones
Zones establish the security borders of the network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of the network.
Zone Policy - Example

DMZ-INBOUND
Action | Source | Destination | Port | Protocol | Controls | Further options | Comment
Allow | Any | DMZ-OWA | 443 | TCP | HIDS, Hardening | NAT | Allow HTTPS Webmail access
Allow | Any | DMZ-SMTP Relay | 25 | TCP | HIDS, Virus Control, SPAM Control, Anti-Relay | Authentication | Allow SMTP relay access
Allow | CSN-Proxy | DMZ-Proxy | 3128 | TCP | URL Control, ActiveX/Java Script Control, Virus Control | NAT | Allow Internet resource access

DMZ-OUTBOUND
Action | Source | Destination | Port | Protocol | Controls | Further options | Comment
Allow | SMTP Relay | Any | 25 | TCP | HIDS, Virus Control, SPAM Control, Anti-Relay | NAT (should not allow traffic to other zones except External) | Allow e-mail out
Allow | DMZ-Proxy | Any | 80/443 | TCP | URL Control, ActiveX/Java Script Control, Virus Control | NAT (should not allow traffic to other zones except External) | Allow Internet resource access
Firewall Rules - Example

Source | Destination | Port | Action | Log | Comment
10.5.0.0/24 | 192.168.10.11 | 443 | Allow | Log | HTTPS access to corpweb. CR-FW-00201 Updated by Ramesh 10/Jan/2005
Any | 202.192.12.21 | 25 | Allow | None | Allow SMTP relay access. CR-FW-00005 Rule implemented by Madhu 23/03/2004
any@us-sales | 192.168.10.2, 192.168.10.3, 192.168.10.24 | 443, 80, 21 | Auth-Encrypt | Log | Allow US Sales to access Sales Report Web/ftp. CR-FW-00123
Mandatory Firewall Rules

Action | Source | Destination | Port | Protocol | Controls / Further options | Comment
Drop | Any | Firewall | Any | Any | LOG | Stealth Rule
Drop | Any | Any | Any | Any | LOG | Cleanup Rule
Firewall Rule Base order (FW-1)
1. User Authentication Rules
2. VPN Access Rules
3. Stealth Rule
4. Zone ACL Rules
5. Cleanup Rule
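The zone policy, rule base, mandatory rules and rule order above are what an auditor compares against each other. The following script is an added example, not part of the deck, showing how that comparison can be automated: it resolves each rule's source and destination to a zone, checks for the stealth and cleanup rules and their placement, flags wildcard (excessive) permissions and unlogged "Any"-source rules, and reports every Allow rule whose conversation the zone policy does not cover. The zone address ranges, the policy tuples and the sample rule base are constructed for the example (modelled on the slides' DMZ tables), not taken from a real firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    src: str        # address, network, "Any" or a named object such as "Firewall"
    dst: str
    port: str       # "443", "80,443" or "Any"
    action: str     # "Allow" or "Drop"
    log: bool
    comment: str = ""


# Constructed zone map (hypothetical addresses): which networks belong to
# which zone. Anything not listed is treated as External.
ZONE_NETS = {
    "CSN": [ip_network("10.5.0.0/24")],
    "DMZ": [ip_network("192.168.10.0/24")],
}

# Constructed zone policy, modelled on the DMZ-INBOUND / DMZ-OUTBOUND tables:
# (source zone, destination zone, port). A source of "Any" matches any zone.
ZONE_POLICY = {
    ("Any", "DMZ", "443"), ("Any", "DMZ", "25"), ("CSN", "DMZ", "3128"),
    ("DMZ", "External", "25"), ("DMZ", "External", "80"), ("DMZ", "External", "443"),
}


def zone_of(obj: str) -> str:
    """Resolve an address, network or object name to its zone."""
    if obj in ("Any", "Firewall"):
        return obj
    net = ip_network(obj, strict=False)
    for zone, nets in ZONE_NETS.items():
        if any(net.subnet_of(n) for n in nets):
            return zone
    return "External"


def permitted(src_zone: str, dst_zone: str, port: str) -> bool:
    """True if the zone policy allows this conversation."""
    return any(ps in ("Any", src_zone) and pd == dst_zone and pp == port
               for ps, pd, pp in ZONE_POLICY)


def audit(rules):
    """Return (rule index, finding) pairs for a rule base, top to bottom."""
    findings = []
    stealth_idx = next((i for i, r in enumerate(rules)
                        if r.dst == "Firewall" and r.action == "Drop" and r.log), None)
    if stealth_idx is None:
        findings.append(("-", "missing-stealth-rule"))
    last = rules[-1]
    if not (last.src == last.dst == last.port == "Any" and last.action == "Drop" and last.log):
        findings.append(("-", "missing-cleanup-rule"))
    for i, r in enumerate(rules):
        if r.action != "Allow":
            continue
        # FW-1 order: only authentication / VPN rules belong above the stealth rule
        if stealth_idx is not None and i < stealth_idx:
            findings.append((i, "allow-rule-above-stealth-rule"))
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if src_zone == "Any" and not r.log:
            findings.append((i, "unlogged-any-source"))
        # Wildcards are excessive permissions; a DMZ rule with destination Any
        # also breaks "no traffic to other zones except External".
        if r.port == "Any":
            findings.append((i, "excessive-permission:port"))
            continue
        if dst_zone == "Any":
            findings.append((i, "excessive-permission:destination"))
            continue
        for port in r.port.split(","):
            if not permitted(src_zone, dst_zone, port.strip()):
                findings.append((i, f"not-in-zone-policy:{port.strip()}"))
    return findings


# Constructed sample rule base, modelled on the deck's examples plus the two
# mandatory rules (addresses and comments are hypothetical).
SAMPLE_RULES = [
    Rule("Any", "Firewall", "Any", "Drop", True, "Stealth rule"),
    Rule("10.5.0.0/24", "192.168.10.11", "443", "Allow", True, "HTTPS to corpweb CR-FW-00201"),
    Rule("Any", "192.168.10.21", "25", "Allow", False, "SMTP relay access CR-FW-00005"),
    Rule("10.5.0.0/24", "192.168.10.11", "3389", "Allow", True, "Remote desktop for admins"),
    Rule("192.168.10.5", "Any", "80,443", "Allow", True, "DMZ proxy to Internet"),
    Rule("10.5.0.0/24", "192.168.10.0/24", "Any", "Allow", True, "Temporary troubleshooting"),
    Rule("Any", "Any", "Any", "Drop", True, "Cleanup rule"),
]

if __name__ == "__main__":
    for idx, finding in audit(SAMPLE_RULES):
        print(f"rule {idx}: {finding}")
```

Run against the sample, the script reports the unlogged SMTP rule, the remote-desktop rule that no zone policy entry covers, the proxy rule whose destination is Any rather than External, and the any-port troubleshooting rule; the HTTPS rule passes because the policy's "Any -> DMZ 443" entry covers it. Each finding maps back to a checklist item (excessive permissions, minimum requirement, rule base matching policy).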
Principles
- Firewall policies are to be configured for the minimum requirement (need to know).
- Access to firewall devices is to be in strict accordance with the principle of least privilege.
- Access is granted on the basis of business requirements only.
Change Management
- Documented and verifiable change management
- Change Request Form
  - Detailed conversation map (Source / Destination / Port / Protocol)
  - Purpose of the change
  - Expiry date
  - Business approval
- Exception process: a process to approve rules which violate the Network Security Policy
- Coverage
  - Rule creation / modification / deletion
  - NAT rule changes
  - Routing changes
  - Firewall appliance configuration changes
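A change-management audit asks, for every rule in the rule base, whether a change request backs it, whether that request carried business approval, and whether the rule's expiry date has passed. This added example (not part of the deck) checks rule comments of the form shown on the "Firewall Rules - Example" slide against a change register. The register, the `CR-FW-nnnnn` reference format and the sample comments are constructed for the example; a real audit would read the register from the organisation's change tracking system.

```python
import re
from datetime import date

# Change-request references in the form used by the slides' rule comments
CR_PATTERN = re.compile(r"\bCR-FW-\d{5}\b")

# Constructed change register (hypothetical): what the Change Request Form
# recorded for each CR, with business approval and expiry date.
CHANGE_REGISTER = {
    "CR-FW-00201": {"approved": True, "expiry": date(2005, 7, 31)},
    "CR-FW-00005": {"approved": True, "expiry": None},        # permanent rule
    "CR-FW-00123": {"approved": False, "expiry": None},       # never approved
}


def review_rule_comment(comment: str, register: dict, today: date) -> list:
    """Check one rule's comment against the change register."""
    match = CR_PATTERN.search(comment)
    if match is None:
        return ["no-change-reference"]
    cr = match.group()
    record = register.get(cr)
    if record is None:
        return [f"unknown-change-reference:{cr}"]
    issues = []
    if not record["approved"]:
        issues.append(f"change-not-approved:{cr}")
    if record["expiry"] is not None and record["expiry"] < today:
        issues.append(f"rule-expired:{cr}")
    return issues


def review_rule_base(comments: list, register: dict, today: date) -> dict:
    """Map rule index -> issues for every rule that has at least one."""
    result = {}
    for i, comment in enumerate(comments):
        issues = review_rule_comment(comment, register, today)
        if issues:
            result[i] = issues
    return result


# Constructed sample comments, modelled on the deck's rule examples
SAMPLE_COMMENTS = [
    "HTTPS access to corpweb. CR-FW-00201 Updated by Ramesh 10/Jan/2005",
    "Allow SMTP relay access CR-FW-00005 Rule implemented by Madhu 23/03/2004",
    "Allow US Sales to access Sales Report Web/ftp CR-FW-00123",
    "Temporary rule for troubleshooting",
    "Vendor support access CR-FW-00777",
]

if __name__ == "__main__":
    for idx, issues in review_rule_base(SAMPLE_COMMENTS, CHANGE_REGISTER, date(2025, 1, 1)).items():
        print(idx, issues)
```

The review date is passed in rather than read from the clock so that the check is repeatable in an audit workpaper. Rules with no reference, an unknown reference, a request that was never approved, or an expired request are the ones to take to the exception process.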
Operating Procedures
- Backup: configuration and policies; the best practices recommended by the vendor should be followed
- ID Management: Firewall Administrator IDs, VPN users, firewall users
- Access Control: access to the firewall device
Operating Procedures
- Monitoring & Logging: policy on firewall logging, compliance requirements, retention period, log monitoring, roles and responsibilities
- Review: firewall rule review process
- Audit: internal audit, penetration test
Best Practices
- Defined firewall zones (Green, Red, Blue zone, etc.)
- Network Security Policy: what is allowed? what is denied? policy on dangerous protocols such as remote desktop, tunneling protocols, etc.
- Change management process with an explicit exception process
- Firewall rule review process
- No single point of failure in the architecture
- NIDS integration
- Periodic penetration testing
Recommended Approach
Where to start?
- Understand the firewall / security zones
- Understand the protection objective
What to verify?
- Firewall rules in compliance with the protection objective
- Excessive permissions
- Change control
- Firewall rule reviews
- VPN users
- Remote management
- Backup / patch management
Audit Checklist
1. Develop background information about the firewall zones
2. Determine the objectives and protection requirements (security policy)
3. Does the firewall rule base match the organization's security policy?
4. Look for excessive permissions
5. Is the firewall configured for minimum requirements?
6. Check the change control process
7. Who has access to the firewall box?
8. Is there a firewall rule review process?
9. Approval process for VPN / remote access users
10. Is there remote management of the firewall? Are the controls adequate?
11. Verify backup / patch management
12. Physical security of the firewall device
13. What is the recovery strategy? Is there a test to confirm it?
14. Log review and monitoring
15. Review the latest penetration testing report
References
- NIST, Guidelines on Firewalls and Firewall Policy (SP 800-41): http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
- ISACA, IS Auditing Procedure - Firewalls - Document P6: http://www.isaca.org/contentmanagement/contentdisplay.cfm?contentid=18748
Thank You
K.S.Narayanan
ksnmails@yahoo.co.in