Firewall audit

Firewall Auditing

Page 1: Firewall audit

Firewall Auditing

Page 2: Firewall audit

What is a firewall?

A firewall is a device or collection of components placed between two networks that collectively have the following properties:

- All traffic from inside to outside, and vice-versa, must pass through the firewall.
- Only authorized traffic, as defined by the local security policy, will be allowed to pass.

Page 3: Firewall audit

Firewall Types

- First Generation
  - Packet Filtering Firewalls
- Second Generation
  - Stateful Inspection Firewalls
- Third Generation
  - Application (Proxy) Firewalls
- Fourth Generation
  - Kernel Proxy technology
  - “Deep packet” inspection
  - IDS / IPS capabilities

Page 4: Firewall audit

Defining Audit Scope

- Firewall Documentation
- Approval Procedures and Process
- Firewall Rule Base
- VPN
- Layer Seven Switching
- Internal Testing
- External Testing

Page 5: Firewall audit

Firewall Auditing Methodology

Phases

I. Gather Documentation
II. The Firewall
III. The Rule Base
IV. Testing and Scanning
V. Maintenance and Monitoring

Page 6: Firewall audit

Phase I - Gather Documentation

- Security Policy
- Change Control Procedures
- Administrative Controls
- Network Diagrams
- IP Address Scheme
- Firewall Locations
- IPS Capable?

Page 7: Firewall audit

Phase I - Gather Documentation

- Firewall Vendor
- Software Version and Patch Level
- Hardware Platform
- Operating System Version and Patch Level
- Administrator training and knowledge

Page 8: Firewall audit

Phase II – The Firewall

- Three “A’s”
  - Authentication: Local / Remote
  - Access: Logical / Physical
  - Auditing (logs): Local / Remote
- OS Hardening

Page 9: Firewall audit

Phase III – The Rule Base

- Based on the Organization’s Security Policy
- Review each rule
  - Business reason
  - Owner
  - Host devices
  - Service Ports
- Simplicity is the key
- Most restrictive and least access

Page 10: Firewall audit

Phase III – The Rule Base

- Rule order (first out)
  - Administration Rule
  - ICMP Rule
  - Stealth Rule
  - Cleanup Rule
  - Egress Rules
- Logging
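
Added example (not part of the original slides): one way to automate the Phase III rule review in Python, flagging rules with no owner or business reason, accept rules that allow any service, unlogged rules, rules shadowed by an earlier rule, and a missing stealth or cleanup rule. The rule format, addresses and sample rule base are constructed for illustration, and first-match-wins evaluation is assumed.

```python
from ipaddress import ip_network

ANY = "any"
FW = "192.0.2.1/32"  # constructed: the firewall's own address
FIELDS = ("id", "src", "dst", "svc", "action", "log", "owner", "reason")

# Constructed sample rule base, evaluated top-down (assumed: first match wins).
RULES = [dict(zip(FIELDS, r)) for r in [
    (1, "10.0.9.0/24", FW, "tcp/22", "accept", True, "netops", "firewall administration"),
    (2, ANY, FW, ANY, "drop", True, "netops", "stealth rule"),
    (3, ANY, "192.0.2.10/32", "tcp/443", "accept", True, "webteam", "public web site"),
    (4, "10.0.0.0/8", ANY, ANY, "accept", False, "", ""),
    (5, "10.0.5.0/24", ANY, "tcp/25", "accept", True, "mail", "outbound mail"),
    (6, ANY, ANY, ANY, "drop", True, "netops", "cleanup rule"),
]]

def covers(a, b, is_net):
    """True if the earlier rule's field a matches everything field b matches."""
    if a == ANY or a == b:
        return True
    if b == ANY or not is_net:
        return False
    return ip_network(b).subnet_of(ip_network(a))

def is_drop_all(r, dst):
    return (r["src"], r["dst"], r["svc"], r["action"]) == (ANY, dst, ANY, "drop")

def audit(rules):
    """Return (rule id or None, finding) pairs for the rule base checks."""
    out = []
    for i, r in enumerate(rules):
        if not (r["owner"] and r["reason"]):
            out.append((r["id"], "no owner or business reason"))
        if r["action"] == "accept" and r["svc"] == ANY:
            out.append((r["id"], "accept rule allows any service"))
        if not r["log"]:
            out.append((r["id"], "not logged"))
        for e in rules[:i]:  # an earlier, broader rule makes this one unreachable
            if all(covers(e[k], r[k], k != "svc") for k in ("src", "dst", "svc")):
                out.append((r["id"], f"shadowed by rule {e['id']}"))
                break
    if not any(is_drop_all(r, FW) for r in rules):
        out.append((None, "no stealth rule protecting the firewall"))
    if not (rules and is_drop_all(rules[-1], ANY) and rules[-1]["log"]):
        out.append((None, "last rule is not a logged drop-all cleanup rule"))
    return out

if __name__ == "__main__":
    for rule_id, finding in audit(RULES):
        print(rule_id, finding)
```

An administration rule placed below the stealth rule is reported by the same shadowing check, since the stealth rule already matches all traffic to the firewall.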

Page 11: Firewall audit

Phase IV – Testing & Scanning

- Determine & Set Expectations
- Scan the firewall
  - Nmap
  - Firewalk
- Scan host behind the firewall
  - Nessus
  - ISS
- Ensure results match expectations

Page 12: Firewall audit

Phase V – Maintenance & Monitoring

- Change Management and Approval
  - Is the process documented?
  - Is the process being followed?
  - Is there evidence of process?
- Disaster Recovery Plan
  - Formal?
  - Backup and Recovery Procedures
- Firewall Logs
  - Reviews
  - Storage and archival

Page 13: Firewall audit

Demo

Page 14: Firewall audit

Questions???

Page 15: Firewall audit

References and Additional Resources

- The CISSP Prep Guide, Ronald L. Krutz & Russell Dean Vines, Wiley Publishers, ISBN 0-471-41356-9
- Firewalls and Internet Security, William R. Cheswick and Steven M. Bellovin, Addison-Wesley Publishing Company, ISBN 0-201-63357-4
- Lance Spitzner, www.spitzner.net
  - White Paper - Auditing your Firewall Setup
  - White Paper - Building your Firewall Rule base
- VicomSoft, www.firewall-software.com
  - White Paper – Firewall