Firewall Audit Techniques
K.S.Narayanan
HCL Technologies Limited
Firewall Management
Technology
Network Security Architecture
Firewall Placement
Firewall Appliance
Rule base compliance with security policy
Application Layer Controls
Port Restrictions
Anti-Spoofing / Topology controls
Remote Access / VPN
Firewall Availability
Penetration Testing
Process
Risk Assessment
Change Management
Configuration Management
Access control / Privileges
ID Management
Backup
Monitoring
Review Process
Audit
Agenda
Understanding the Firewall architecture / Zone classification
Organization’s Network Security Policy
Basic concepts of a Firewall Rule base
Mapping rule base to security policy
Firewall Management Process
Best practices
Audit checklist
Sample – Firewall Diagram 1 (figure). Labels: Internet, Border Router, LAN; a single firewall with no DMZ.
Sample – Firewall Diagram 2 (figure). Labels: Internet, Border Router, DMZ (Mail Relay, Proxy Server, OWA Content Filter), NIDS, LAN.
Sample – Firewall Diagram 3 (figure). Labels: Internet, Border Router, DMZ (Mail Relay, Proxy Server, OWA Content Filter), CSN-DMZ (Mail Server, Proxy Server, Intranet Server, File/Print Server), Corp Network-A, Retail Network, LAN-Retail, LAN-Insurance, NIDS sensors at four points.
Firewall Zones
Zones establish the security borders of the network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of the network.
Zone Policy - Example
DMZ - INBOUND
Action | Source | Destination | Port | Protocol | Controls | Further options | Comment
Allow | Any | DMZ-OWA | 443 | TCP | HIDS, server hardening | NAT, authentication | Allow HTTPS webmail access
Allow | Any | DMZ-SMTP Relay | 25 | TCP | HIDS, virus control, SPAM control, anti-relay | NAT | Allow SMTP relay access
Allow | CSN-Proxy | DMZ-Proxy | 3128 | TCP | URL control, ActiveX/JavaScript control, virus control | | Allow Internet resource access
DMZ - OUTBOUND
Action | Source | Destination | Port | Protocol | Controls | Further options | Comment
Allow | DMZ-Proxy | Any | 80/443 | TCP | URL control, ActiveX/JavaScript control, virus control | NAT (should not allow traffic to other zones except External) | Allow Internet resource access
Allow | SMTP Relay | Any | 25 | TCP | HIDS, virus control, SPAM control, anti-relay | NAT (should not allow traffic to other zones except External) | Allow e-mail out
Note that both outbound rows name a destination of Any while the further-options column restricts them to External. The audit has to confirm that the restriction exists in the rule base itself (an explicit External destination, or a preceding drop from the DMZ to the internal zones), not only in the policy document.
Firewall Rules - Example
Source | Destination | Port | Action | Log | Comment
10.5.0.0/24 | 192.168.10.11 | 443 | Allow | Log | HTTPS access to cropweb. CR-FW-00201. Updated by Ramesh, 10/Jan/2005
Any | 202.192.12.21 | 25 | Allow | None | Allow SMTP relay access. CR-FW-00005. Rule implemented by Madhu, 23/03/2004
any@us-sales | 192.168.10.2, 192.168.10.3, 192.168.10.24 | 443, 80, 21 | Auth-Encrypt | Log | Allow US Sales to access Sales Report web/ftp. CR-FW-00123
Each comment carries the change-request number and who implemented the rule and when; that is what lets the audit trace a rule back to its change record. Note that the Internet-facing SMTP rule is not logged, which leaves nothing in the log for incident investigation.
Mandatory Firewall Rules
Action | Source | Destination | Port | Protocol | Controls | Further options | Comment
Drop | Any | Firewall | Any | Any | LOG | | Stealth Rule
Drop | Any | Any | Any | Any | LOG | | Cleanup Rule
Firewall Rule Base order (FW-1)
User Authentication Rules
VPN Access Rules
Stealth Rule
Zone ACL Rules
Cleanup Rule
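The zone policy tables, the rule examples, the two mandatory rules and the rule-base order above are what an auditor verifies in practice. The Python below is an added example (it is not code from the original slides, nor any vendor's tooling) of automating those checks against a rule base modelled as a list: first-match evaluation, static checks for the stealth and cleanup rules, excessive permissions, shadowed or redundant rules, missing change-request references and expired rules, and a mapping of the written zone policy onto expected decisions. The object and group names, the sample rule base, the CR numbers and the dates are constructed to mirror the slide examples.

```python
"""Rule-base audit: first-match evaluation, static compliance checks and a
policy-to-rule-base mapping. Added example, not from the original slides;
object names, groups, CR numbers and dates are constructed to mirror them."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

GROUPS = {  # assumed object model: a group matches each member; "Any" matches everything
    "External": {"Internet"},
    "DMZ": {"DMZ-OWA", "DMZ-SMTP-Relay", "DMZ-Proxy"},
    "Internal": {"LAN-Retail", "LAN-Insurance", "Corp-Network-A", "CSN-DMZ"},
}
CR_REF = re.compile(r"\bCR-FW-\d{5}\b")   # change-request format used in the slide comments
AUDIT_DATE = date(2005, 3, 1)             # assumed date of the review

@dataclass
class Rule:
    src: str
    dst: str
    service: str            # "tcp/443" or "Any"
    action: str             # "Allow" or "Drop"
    log: bool = True
    comment: str = ""
    expires: Optional[date] = None

def covers(obj, other):
    """True if object `obj` matches at least everything `other` matches."""
    return obj == "Any" or obj == other or other in GROUPS.get(obj, ())

def evaluate(rules, src, dst, service):
    """First-match semantics: (1-based rule number, action) of the first hit."""
    for n, r in enumerate(rules, 1):
        if covers(r.src, src) and covers(r.dst, dst) and covers(r.service, service):
            return n, r.action
    return None, "Drop"     # nothing matched: implicit deny

def audit(rules, today=AUDIT_DATE):
    """Static checks on the rule base; returns (rule number, finding) pairs."""
    f = []
    last = rules[-1]
    if not (last.src == last.dst == last.service == "Any" and last.action == "Drop" and last.log):
        f.append((len(rules), "cleanup rule (Any Any Any Drop, logged) is not last"))
    stealth = next((n for n, r in enumerate(rules, 1) if r.dst == "Firewall" and r.action == "Drop"), None)
    first_allow = next((n for n, r in enumerate(rules, 1) if r.action == "Allow"), None)
    if stealth is None:
        f.append((0, "no stealth rule protecting the firewall itself"))
    elif first_allow is not None and first_allow < stealth:
        f.append((stealth, "stealth rule must precede the zone ACL rules"))
    for n, r in enumerate(rules, 1):
        if r.action == "Allow":
            wild = [x for x in ("src", "dst", "service") if getattr(r, x) == "Any"]
            if len(wild) >= 2:
                f.append((n, "excessive permission: Any in " + ", ".join(wild)))
            if not CR_REF.search(r.comment):
                f.append((n, "no change-request reference in comment"))
        if r.expires and r.expires < today:
            f.append((n, "rule expired on " + r.expires.isoformat()))
        for m, e in enumerate(rules[:n - 1], 1):   # an earlier rule matching everything this one does
            if all(covers(getattr(e, x), getattr(r, x)) for x in ("src", "dst", "service")):
                kind = "redundant with" if e.action == r.action else "shadowed by"
                f.append((n, "%s rule %d; it can never match" % (kind, m)))
                break
    return f

def policy_violations(rules, policy):
    """Expectations are (src, dst, service, expected action) from the written
    policy; returns those the rule base decides differently, with the rule hit."""
    return [(src, dst, svc, want) + evaluate(rules, src, dst, svc)
            for src, dst, svc, want in policy if evaluate(rules, src, dst, svc)[1] != want]

# Constructed rule base in the style of the slides, defects included.
RULES_AS_FOUND = [
    Rule("Any", "Firewall", "Any", "Drop", comment="Stealth rule"),
    Rule("Any", "DMZ-OWA", "tcp/443", "Allow", comment="HTTPS webmail CR-FW-00201"),
    Rule("Any", "DMZ-SMTP-Relay", "tcp/25", "Allow", log=False, comment="SMTP relay CR-FW-00005"),
    Rule("DMZ-Proxy", "Any", "tcp/80", "Allow", comment="Proxy out, External only CR-FW-00123"),
    Rule("DMZ-Proxy", "Any", "tcp/443", "Allow", comment="Proxy out"),
    Rule("Any", "Any", "tcp/443", "Allow", comment="Temporary CR-FW-00310", expires=date(2005, 1, 31)),
    Rule("LAN-Retail", "DMZ-OWA", "tcp/443", "Allow", comment="Retail webmail CR-FW-00150"),
    Rule("Any", "Any", "Any", "Drop", comment="Cleanup rule"),
]
# Same intent, corrected: explicit External destination plus a DMZ-to-internal drop.
RULES_FIXED = RULES_AS_FOUND[:3] + [
    Rule("DMZ", "Internal", "Any", "Drop", comment="DMZ must not reach internal zones CR-FW-00124"),
    Rule("DMZ-Proxy", "External", "tcp/80", "Allow", comment="Proxy out CR-FW-00123"),
    Rule("DMZ-Proxy", "External", "tcp/443", "Allow", comment="Proxy out CR-FW-00123"),
    Rule("Any", "Any", "Any", "Drop", comment="Cleanup rule"),
]
# Protection objectives from the zone policy table, written as expected decisions.
POLICY = [
    ("Internet", "DMZ-OWA", "tcp/443", "Allow"),
    ("Internet", "DMZ-SMTP-Relay", "tcp/25", "Allow"),
    ("DMZ-Proxy", "Internet", "tcp/443", "Allow"),
    ("DMZ-Proxy", "LAN-Retail", "tcp/80", "Drop"),     # DMZ may reach External only
    ("Internet", "LAN-Retail", "tcp/443", "Drop"),
    ("Internet", "Firewall", "tcp/22", "Drop"),
]
```

Note what the policy mapping catches that the static checks do not: the outbound proxy rule with an Any destination passes the excessive-permission test (only one field is Any) yet still lets DMZ-Proxy reach LAN-Retail, which the zone policy forbids. The corrected rule base names External explicitly and places a logged DMZ-to-internal drop ahead of the proxy rules, so the same flow is denied by rule 4.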
Principles
Firewall policies are to be configured for the minimum requirement.
Need to know
Access to firewall devices is to be in strict accordance with the principle of "least privilege".
Access is granted on business requirements only.
Change Management
Documented and verifiable change management
Change Request Form
Detailed conversation map (source / destination / port / protocol)
Purpose of the change
Expiry date
Business approval
Exception Process
Process to approve rules that violate the Network Security Policy
Coverage
Rule creation / modification / deletion
NAT rule changes
Routing changes
Firewall appliance configuration changes
Operating Procedures
Backup
Configuration and Policies
Best practices recommended by the vendor should be followed
ID Management
Firewall Administrator ID
VPN users
Firewall Users
Access Control
Access to firewall device
Operating Procedures
Monitoring & Logging
Policy on Firewall Logging
Compliance Requirements
Retention Period
Log Monitoring
Roles and Responsibilities
Review
Firewall rule review process
Audit
Internal Audit
Penetration Test
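A firewall logging policy only pays off if the log is actually turned into findings. As an added example (not from the slides), the Python below parses a constructed key=value firewall log and raises the three alerts a log review against the mandatory rules should produce: sources hitting the stealth rule (probing the firewall itself), non-management hosts accepted to the firewall's own address (a remote-management control failure), and a single source dropped by the cleanup rule on many distinct ports (a scan). The log format, the rule numbers, the addresses and the sample lines are all assumptions.

```python
"""Firewall log monitoring: derive the alerts a log review should raise from
stealth-rule and cleanup-rule hits. Added example, not from the original
slides; the key=value log format, rule numbers, addresses and sample lines are
constructed assumptions."""
from collections import Counter, defaultdict
import re

STEALTH_RULE, CLEANUP_RULE = 2, 9   # assumed rule numbers in the audited rule base
FIREWALL_ADDRS = {"192.168.10.1"}   # assumed firewall interface addresses
MGMT_HOSTS = {"10.5.0.10"}          # assumed authorised management station
SCAN_PORTS = 5                      # distinct ports dropped by cleanup from one source
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """One constructed log line -> dict with integer rule/dport fields."""
    ts, fw, rest = line.split(" ", 2)
    rec = dict(KV.findall(rest), ts=ts, fw=fw)
    rec["rule"], rec["dport"] = int(rec["rule"]), int(rec["dport"])
    return rec

def analyse(lines):
    """Return sorted (alert type, source address, count) triples."""
    probes, mgmt = Counter(), Counter()
    cleanup_ports = defaultdict(set)
    for rec in map(parse, lines):
        if rec["rule"] == STEALTH_RULE:       # anything reaching the stealth rule is a probe of the firewall
            probes[rec["src"]] += 1
        elif rec["rule"] == CLEANUP_RULE:     # cleanup hits: one source touching many ports is a scan
            cleanup_ports[rec["src"]].add(rec["dport"])
        if rec["action"] == "accept" and rec["dst"] in FIREWALL_ADDRS and rec["src"] not in MGMT_HOSTS:
            mgmt[rec["src"]] += 1             # firewall itself reached from a non-management host
    alerts = [("firewall-probe", s, n) for s, n in probes.items()]
    alerts += [("unauthorised-mgmt-access", s, n) for s, n in mgmt.items()]
    alerts += [("port-scan", s, len(p)) for s, p in cleanup_ports.items() if len(p) >= SCAN_PORTS]
    return sorted(alerts)

# Constructed sample log (not real traffic). Rule 1 is the management rule that
# precedes the stealth rule, as in the FW-1 rule-base order.
SAMPLE_LOG = """\
2005-03-01T10:00:01 fw1 rule=3 action=accept src=203.0.113.7 dst=192.168.10.11 dport=443 proto=tcp
2005-03-01T10:00:02 fw1 rule=2 action=drop src=203.0.113.7 dst=192.168.10.1 dport=22 proto=tcp
2005-03-01T10:00:03 fw1 rule=2 action=drop src=203.0.113.7 dst=192.168.10.1 dport=23 proto=tcp
2005-03-01T10:00:05 fw1 rule=1 action=accept src=10.5.0.10 dst=192.168.10.1 dport=22 proto=tcp
2005-03-01T10:00:06 fw1 rule=1 action=accept src=10.5.0.99 dst=192.168.10.1 dport=22 proto=tcp
2005-03-01T10:00:10 fw1 rule=9 action=drop src=198.51.100.9 dst=192.168.10.11 dport=21 proto=tcp
2005-03-01T10:00:10 fw1 rule=9 action=drop src=198.51.100.9 dst=192.168.10.11 dport=22 proto=tcp
2005-03-01T10:00:11 fw1 rule=9 action=drop src=198.51.100.9 dst=192.168.10.11 dport=23 proto=tcp
2005-03-01T10:00:11 fw1 rule=9 action=drop src=198.51.100.9 dst=192.168.10.11 dport=25 proto=tcp
2005-03-01T10:00:12 fw1 rule=9 action=drop src=198.51.100.9 dst=192.168.10.11 dport=80 proto=tcp
2005-03-01T10:00:20 fw1 rule=9 action=drop src=198.51.100.3 dst=192.168.10.11 dport=445 proto=tcp
""".splitlines()
```

The second alert is only possible because management access is matched by an explicit rule ahead of the stealth rule; if the stealth rule were first, management sessions would be dropped and show up as probes instead, which is itself a useful check on rule-base order.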
Best Practices
Defined firewall zones (green, red, blue zone, etc.)
Network Security Policy
What is allowed? What is denied?
Policy on dangerous protocols such as remote desktop and tunneling protocols
Change Management Process
Explicit exception process
Firewall Rule Review process
No single-point-of-failure architecture
NIDS integration
Periodic penetration testing
Recommended Approach
Where to start?
Understand the firewall / security zones
Understand the protection objective
What to verify?
Firewall rules in compliance with the protection objective
Excessive permissions
Change control
Firewall rule reviews
VPN users
Remote management
Backup / patch management
Audit Checklist
1. Develop background information about the firewall zones
2. Determine the objectives and protection requirements (security policy)
3. Does the firewall rule base match the organization's security policy?
4. Look for excessive permissions
5. Is the firewall configured for the minimum requirements?
6. Check the change control process
7. Who has access to the firewall box?
8. Is there a firewall rule review process?
9. Approval process for VPN / remote access users
10. Is the firewall managed remotely? Are the controls adequate?
11. Verify backup / patch management
12. Physical security of the firewall device
13. What is the recovery strategy? Has it been tested?
14. Log review and monitoring
15. Review the latest penetration testing report
Reference
NIST, Guidelines on Firewalls and Firewall Policy (SP 800-41): http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
ISACA, IS Auditing Procedure P6: Firewalls: http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=18748