How to Audit Firewall, what are the standard Practices for Firewall Audit


Description

Firewalls continue to secure a countless number of organizations across the world and remain the first line of defense against known cyber attacks and network risks. An avalanche of IT-led forces and the evolution of the threat landscape have placed increased onus on firewalls. At the same time, as enterprises extend their business through internet-driven business models and increasingly collaborative networks, embracing cloud and virtual environments, there is a need to understand how this ties in with the changing role of security technologies such as the firewall. This webinar explains how a tectonic shift in enterprise networking requires rethinking firewall deployment and management for effective security management.

Transcript of How to Audit Firewall, what are the standard Practices for Firewall Audit

Page 1: How to Audit Firewall, what are the standard Practices for Firewall Audit

www.cyberoam.com


Our Products

© Copyright 2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved.

Network Security Appliances - UTM, NGFW (Hardware & Virtual)

Modem Router Integrated Security appliance

Implemented, Secured – Now Let’s Audit the Firewall

Presenter: Keyur Shah, Manager - Presales

Page 2: Agenda

Need of Firewall Audit

Firewall Audit Procedures

Evaluation Parameters and Best Practices

Page 3: What necessitates firewall security audit?

Firewalls are solely responsible for any good or bad traffic

Exponential growth in networks, networking speed & devices, apps, web / cloud / virtualization infrastructure has increased firewall complexity in terms of placement, rules and settings

As many as 80% of firewalls examined in a recent data breach investigation were found poorly configured!

A quarter of UK and US businesses have had to re-do more than 60% of all firewall changes since they were not implemented correctly the first time

Page 4: Firewall Audit Procedure

Baselines and Procedures

Identification & Authentication

Configuration

Auditing and Administration

Configuration Change Management

Management & Monitoring

Failover / Redundancy

Findings and Recommendations

Page 5: Baselines and Procedures

Evaluation Parameter:

Checking for proper documentation of the firewall baseline and key firewall procedures

Standards & Best Practices:

Having a baseline for the firewall helps implement a security level that is consistent across the organization

Documented procedures relating to backup, monitoring and incident response reduce dependency on individual staff

Page 6: Identification & Authentication

Evaluation Parameter:

Is the firewall being managed by third party personnel or by the organization itself? If managed by a third party, is it protected by an NDA?

Are all administrators authenticated using individual accounts before being granted access to the firewall's administration interface?

What is the procedure for creating users/administrators?

Are all administrator accounts assigned the lowest privilege level that allows them to perform their duties?

How often is the firewall configuration reviewed for the presence of unauthorized accounts?

Page 7: Identification & Authentication

Standards & Best Practices:

Third party personnel managing the firewall of an organization need to sign an NDA with the latter

Maintaining individual accounts for each administrator helps implement accountability for any malicious activity, whether intentional or unintentional

Procedures should address both creation and deletion of user accounts for the firewall

Administrators should be assigned the lowest privilege level that allows them to perform their job

Unauthorized accounts pose a serious threat to the overall security posture of the organization

Page 8: Configuration

Evaluation Parameters:

Is the firewall configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc.?

Is any sort of Ingress/Egress Filtering configured?

Does the firewall use the latest version of the firewall software with all security-related patches applied?

How often are the firewall configuration rule sets tested in the form of a PT/VA?

Are the firewall administrators registered with the vendor’s vulnerability mailing list to keep themselves updated with the latest security patches?

Does the firewall perform anti-virus scanning and content security checking of all inbound packets for HTTP, FTP and SMTP?

How is the performance of the firewall monitored? (memory, CPU)

Are any VPNs configured on the firewall?

Page 9: Configuration

Standards & Best Practices:

Rule sets should be tested every 6 months to a year, depending on the number of changes made to the configuration file

Firewall administrators should subscribe to the vulnerability mailing list pertaining to their firewall in order to be aware of the latest vulnerabilities affecting their product

As part of the capacity management procedure, key parameters such as memory and CPU should be reviewed periodically to address current and future needs

Page 10: Auditing and Administration

Evaluation Parameters:

Are log recipient hosts identified and configured?

Is the security of the logs on the host maintained through local OS settings?

How often are the logs reviewed? Does senior management receive status reports?

Are log timestamps enabled?

Is the time synchronized with an NTP Server?

Are logs reviewed/monitored regularly?

Page 11: Auditing and Administration

Evaluation Parameters:

Are the logs backed up? How often is the backup taken? What is the retention period of the logs?

Is the firewall configuration data backed up weekly and/or whenever configuration changes occur?

Where is the configuration data backup stored?

Is the firewall configuration well documented?

Is a login banner defined when accessing the firewall?

Is the firewall configured to alarm the administrator for a potential attack or system failure?

Page 12: Auditing and Administration

Evaluation Parameters:

What is the procedure followed upon detection of a particular incident?

Is in-band management restricted to a limited number of IP addresses?

Is a local password assigned to the telnet or SSH process?

Is SNMP used to manage the firewall? If not, is the service disabled?

Is a time-out defined for idle sessions?

Page 13: Auditing and Administration

Standards & Best Practices:

Logging helps track incidents

The review of logs should be documented and sent for the manager’s review

Including timestamps in messages allows network attacks to be traced more credibly

Firewall configuration should be backed up according to the firewall policy (whenever a configuration change takes place)

The configuration files should be stored either on tapes or on a file server

Page 14: Auditing and Administration

Standards & Best Practices:

Well documented firewall configuration

A login banner should be defined on the firewall

A documented Incident Management Procedure

All management communication between the management hosts and the firewall should be encrypted

The password should be stored in a manner consistent with the site's security policy

The SNMP service, if not used, should be explicitly disabled
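As an added example, not code from the webinar or the vendor, this Python script evaluates the identification, logging and administration questions from the preceding slides against a constructed management-plane snapshot and reports the failing items with a priority, in the spirit of the Findings and Recommendations table. The configuration keys, the sample values, the five-address threshold for "limited" management access and the priorities of items the Findings slide does not list are assumptions.

```python
from datetime import date

# Constructed management-plane snapshot of one firewall (illustrative values, not a real export).
CONFIG = {
    "admins": [
        {"name": "admin", "role": "full", "shared": True},       # generic login used by several people
        {"name": "k.shah", "role": "full", "shared": False},
        {"name": "helpdesk1", "role": "read-only", "shared": False},
    ],
    "mgmt_allowed_from": ["0.0.0.0/0"],        # networks allowed to reach the admin interface
    "mgmt_protocols": {"ssh": True, "https": True, "telnet": True, "http": False},
    "snmp": {"enabled": True, "used": False},
    "idle_timeout_min": 0,                      # 0 means admin sessions never time out
    "ntp_server": "ntp.example.net",
    "log_timestamps": True,
    "syslog_hosts": [],                         # no remote logging host configured
    "login_banner": "Authorised access only.",
    "last_config_backup": "2014-01-05",         # ISO date of the last saved configuration
    "ha_peer_in_sync": False,
}
SAMPLE_DATE = date(2014, 1, 20)   # assumed audit date for the sample run
MAX_MGMT_SOURCES = 5              # assumed threshold for "a limited number of IP addresses"


def audit_management(cfg, today):
    """Run the management-plane checks from the checklist against cfg.

    Returns [(priority, check)] for every check that fails, highest priority first.
    """
    backup_age_days = (today - date.fromisoformat(cfg["last_config_backup"])).days
    p = cfg["mgmt_protocols"]
    checks = [  # (priority, check name, True when the control is in place)
        ("High", "individual accounts for every administrator", not any(a["shared"] for a in cfg["admins"])),
        ("High", "in-band management limited to a few source addresses",
         "0.0.0.0/0" not in cfg["mgmt_allowed_from"] and 0 < len(cfg["mgmt_allowed_from"]) <= MAX_MGMT_SOURCES),
        ("High", "only encrypted management protocols enabled", not (p["telnet"] or p["http"])),
        ("High", "logs forwarded to a logging host", bool(cfg["syslog_hosts"])),
        ("High", "hot standby in sync with the active firewall", cfg["ha_peer_in_sync"]),
        ("Medium", "SNMP disabled when not used", cfg["snmp"]["used"] or not cfg["snmp"]["enabled"]),
        ("Medium", "idle session time-out defined", cfg["idle_timeout_min"] > 0),
        ("Medium", "clock synchronised with an NTP server", bool(cfg["ntp_server"])),
        ("Medium", "timestamps enabled in log messages", cfg["log_timestamps"]),
        ("Medium", "login banner defined", bool(cfg["login_banner"].strip())),
        ("Medium", "configuration backed up within the last week", backup_age_days <= 7),
    ]
    rank = {"High": 0, "Medium": 1, "Low": 2}
    failed = [(prio, name) for prio, name, ok in checks if not ok]
    return sorted(failed, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for prio, name in audit_management(CONFIG, SAMPLE_DATE):
        print(f"[{prio}] FAIL: {name}")
```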

Page 15: Configuration Change Management

Evaluation Parameters:

Is there a documented change management procedure for changes applied on the firewall?

Standards & Best Practices:

The application software change management document, which addresses software change management procedures, should be expanded to cover networking devices such as the firewall as well.

Page 16: Management & Monitoring

Evaluation Parameters:

Checking for periodic review of the firewall configuration

Is the firewall configuration (hard copy) stored in a secured location?

Checking whether the firewall administrator details (matrix) document gets updated

Page 17: Failover / Redundancy

Evaluation Parameters:

Is the firewall configured for proper recovery from failure or interruption?

What is the procedure to be followed if the firewall fails?

Is the hot standby firewall in sync with the active firewall's configuration and software updates?

Are the hot standby/recovery procedures of the firewall periodically tested?

Standards & Best Practices:

HA should be configured, since the firewall is a critical device

An immediate backup firewall should be available for uninterrupted business continuity

Page 18: Findings and Recommendations

Sr. No | Findings / Recommendations | Implementation Priority

1 | The configuration file should be reviewed periodically to check for its accuracy. | High

2 | Logs should be stored on a logging host which is hardened enough. | High

3 | Firewall is accessible from the whole network. A dedicated machine can be placed inside the data center to which Admin can login and manage the Cyberoam and Layer-3 switches etc. | High

4 | The review of logs should be documented and sent to the manager for review. | High

5 | Logs of the firewall should be backed up and retained. Log retention time period should be defined. | Medium

6 | As part of the capacity management procedure, key parameters such as memory and CPU should be reviewed periodically on the firewall to address current and future needs. | Medium

7 | Login banner should be defined on the firewall. | Medium

8 | A documented Incident Management Procedure should be available for alerts detected by the firewall. | Medium

9 | Firewall baseline and the procedures related to the firewall should be documented. | Medium

10 | Procedures should address the creation as well as the deletion of the user accounts created on the firewall. | Low

11 | Firewall configuration should be well documented. | Low

Page 19: Thank you

Contact: [email protected]