Auditing Firewalls-ISACA · PDF fileTufin, Firewall, Audit Created Date: 12/27/2011 11:29:32 PM

ISACA New York Metropolitan December 2011

Audi=ng Firewalls Michael Hamelin Chief Security Architect, Tufin

whoami

2

tufin.com/blog

/hackerjoe

•  Michael Hamelin [email protected]

•  Chief Security Architect, Tufin Technologies

•  16 Years in Security, Hacking, Networking

/in/Hamelin

/TufinTech

3

Survey Says …

One in 10 IT professionals cheat on firewall audits

Audi=ng Firewalls

•  We have all done it the hard way …

4

Why are Audits so difficult we need to cheat?

•  Firewall Audits tradiGonally have been very difficult to

complete •  Firewall Audits are oKen poorly defined

•  Auditors tradiGonally are not technical individuals

•  We are pressured to pass audits over building security

•  We do what ever we need to get rid of the auditor

5

Engineering vs Audi=ng

•  We build firewall policies for access •  Rules •  Users •  Servers •  Services

•  Auditors try and protect businesses •  Assets •  Risks •  People •  Processes

•  Access rules and assets don't usually match up

6

Auditors Don’t Trust Technology

•  Truth is … Auditors don’t all want to learn technology…

•  Auditors want to compare implementa=on to standards or to policy

•  Technology minu=a can waste everyone’s =me

•  Tools should understand technology

•  Tools should allow ques=ons about policy

•  Tools should allow ques=ons about business risk

7

Audi=ng by hand

•  How long to Audit a firewall? •  How long to Audit a Cisco router config?

Just READING over a large configuraGon •  65,000 lines is 1083 pages •  1083 pages is about 3249 mins •  3249 mins is roughly 54 hours. •  … basically 8 days of work

How many mistakes will you miss in 54 hours?

8

Lifecycle of a firewall RuleBase

•  We must make sure Audit is part of the rule lifecycle

•  We also need to think about Risk Assessment and Compliance as part of the Design / Approval stages

9

Lets look at how firewall audits mature

•  Level 1 •  AudiGng like an engineer, rule by rule •  Following fixed audit standards

•  Level 2 •  Looking at risks based on basic direcGons

•  (Inbound vs Outbound) •  Level 3

•  Looking at the device configuraGons •  Looking at people and processes

•  Level 4 •  Zone based risk assessment

•  Level 5 •  Compliance (asset) based assessments

10

11

Firewall Maintenance

We can start with the basic firewall maintenance

Engineers Look at Firewall Audits like Engineers

•  Level 1 -‐ We look for for rules with flaws

•  Rules with ‘ANY’ •  Rules with 3 ‘ANY’ fields •  Rules with 2 ‘ANY’ fields •  Rules with 1 ‘ANY’ field

•  Rules with no comments •  Rules with too many hosts/objects/services •  Rules with services we don’t like, risky protocols

•  Rules that are shadowed •  Rules that are unused

12

Bad things we have learned to do

•  Auditors look for ANY in a rule base.

•  We have learned to place in negated objects

•  We have learned to place in ‘IP Protocol’ instead of ANY

13

Lets look harder at that ‘ANY’ check

•  Firewalls can Hide ANY

•  What about almost ANY

14

Automate Level 1

•  Everything in the Level 1 Audi=ng can be automated today with tools on the market •  Good (My minimum recommendaGon)

• Run the tests at least once a quarter •  Beher

• Run the test once a month •  Best

• Run the test on every change event in real Gme with triggers …

•  Check Point gives us a safety net “Save Policy” •  … we should use it to trigger our new analysis a_er a

Save and before an Install

15








16

Level 2

•  Looking at rules with more intelligence •  Are there any rules that violate our corporate security policy?

•  Are there any rules that allow risky services inbound from the Internet? …while you may have a different list of what is considered “risky” for your company, most start with protocols that pass login creden?als in the clear like telnet, @p, pop, imap, hAp, netbios, etc…

•  Are there any rules that allow risky services outbound to the Internet?

•  Are there any rules that allow direct traffic from the Internet to the internal network (not the DMZ)?

17

Automate Level 2

•  Everything in the Level 2 Audi=ng can be automated today with tools on the market

18








19

Level 3

•  Looking at people and processes •  Who made the changes •  Why did they make them •  Were they authorized to make them

•  Looking at the device configura=ons •  Physical configuraGons •  OS configuraGons •  Default firewall configuraGons

20

People and Processes

•  Is the requester documented, and is s/he authorized to make firewall change requests?

•  Is the business reason for the change documented? •  Are there proper reviewer and approval signatures

(electronic or physical)? •  Were the approvals recorded before the change was

implemented? •  Are the approvers all authorized to approve firewall

changes (you will need to ask for a list of authorized individuals)?

•  Are the changes well documented in the change =cket? •  Is there documenta=on of risk analysis for each change? •  Is there documenta=on of the change window and/or install

date for each change? •  Is there an expira=on date for the change?

21

Device Audit vs Policy Audit

Devices Audits

•  Checking services •  Checking user accounts

•  Checking soKware versions

•  Checking SSH banners •  Checking NTP servers •  Checking …

any configuraGon

Policy Audits

• Dangerous protocols

• Unused policies •  Risky flows • Unauthorized connecGons

•  Checking … • Traffic vs Policy

22

Automate Level 3

•  Much of Level 3 Audi=ng can be automated today with tools on the market

•  Mastering Level 3 involves pudng in pace a solid workflow

23








24

Level 4

•  Zone based risk assessment •  Security tesGng based on your zones • …maybe it’s 3 zones • …maybe its more like 100 zones

•  Traffic paeerns are defined by zones •  Zones typically are defined by separate trust levels

25

Policies that allow risky services

•  NIST and others standards have tried to define risks by protocol

•  Truth is protocols alone are not a good indica=on of

the Risk

•  Risk should include Data, network loca=on and direc=on of traffic

26

27

28

Internet

AT&T

Chase

SeaLand

B2B Router

DMZ Router

AT&T Hosted

Sealand Hosted

Chase Hosted

Internal Servers

172.30.8.16255.255.255.240

172.30.8.32255.255.255.240

172.30.8.48255.255.255.240

10.42.0.0255.255.252.0

10.40.42.8255.255.255.248

10.40.42.16255.255.255.248

10.42.40.16255.255.255.252

29

Lets look at some examples

•  Connec=ons allowed from DMZ back to Internal

Networks

•  Groups with ‘extra’ networks

•  Mistyped netmask compromising confiden=ality

•  Mul=ple firewalls passing the same risky flows

30








31

Level 5

Audi=ng by Policy Zones

•  Take the zones concept up to the business level

•  It is about protec=ng assets and data

•  ConfidenGal Systems with Internet Accesses

•  SPI databases with access from Internet or DMZ

•  CriGcal Systems with risky protocol access

32

33

Internet

AT&T

Chase

SeaLand

B2B Router

DMZ Router

AT&T Hosted

Sealand Hosted

Chase Hosted

Internal Servers

172.30.8.16255.255.255.240

172.30.8.32255.255.255.240

172.30.8.48255.255.255.240

10.42.0.0255.255.252.0

10.40.42.8255.255.255.248

10.40.42.16255.255.255.248

10.42.40.16255.255.255.252

Thank You www.tufin.com

Michael Hamelin [email protected]

Documents

Auditing Firewalls-ISACA · PDF fileTufin, Firewall, Audit Created Date: 12/27/2011 11:29:32 PM