Skybox Firewall Assurancedownloads.skyboxsecurity.com/files/Installers/...Firewall Assurance covers...

Skybox Firewall Assurance Getting Started Guide 9.0.800 Revision: 11


Skybox Firewall Assurance

Getting Started Guide

9.0.800

Revision: 11


Proprietary and Confidential to Skybox Security. © 2019 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000/8050, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox Support portal


Skybox version 9.0.800 3

Contents

Intended audience ........................................................ 5
How this manual is organized ............................................. 5
Related documentation .................................................... 6
Technical support ........................................................ 6

Overview ................................................................. 7
Skybox Firewall Assurance ................................................ 7
How Firewall Assurance works ............................................. 9
Highlights of Skybox Firewall Assurance .................................. 9
Firewall change request workflow ........................................ 10
Basic architecture ...................................................... 10

Before you begin ........................................................ 11
Prerequisites ........................................................... 11
Starting Skybox Firewall Assurance ...................................... 12
Summary page ............................................................ 12

Importing firewalls ..................................................... 14
Add Firewall Wizard ..................................................... 14
Adding firewalls ........................................................ 14
Viewing firewalls ....................................................... 17
Searching access rules .................................................. 19

Rule Compliance ......................................................... 21
Overview of Rule Compliance ............................................. 21
Working with Rule Compliance ............................................ 22

Access Compliance ....................................................... 24
Access Compliance and Rule Compliance ................................... 24
What is an Access Policy? ............................................... 24
Mapping firewall network interfaces to Access Policy zones .............. 26
Analyzing the Access Policy ............................................. 28
Understanding compliance metrics ........................................ 29
Understanding what caused a violation ................................... 31
Creating and editing Access Policy exceptions ........................... 32
PCI DSS ................................................................. 34


Exceptions .............................................................. 37

Configuration Compliance ................................................ 38
Configuration Compliance overview ....................................... 38
Viewing Configuration Compliance for a single firewall .................. 38
  Viewing vulnerabilities on a firewall ................................. 39
Viewing Configuration Compliance for all analyzed firewalls ............. 41
Viewing an overview of Configuration Compliance ......................... 42

Optimization and cleanup ................................................ 44
Shadowed and redundant rules ............................................ 44
Rule usage analysis ..................................................... 47
  Viewing object usage .................................................. 49
  Generating Rule Usage Analysis reports ................................ 50
Exporting data to CSV files ............................................. 50

Change tracking ......................................................... 51
Using change tracking ................................................... 51
Viewing the changes ..................................................... 52
Change Tracking reports ................................................. 53

Rule review ............................................................. 54
Reviewing rules ......................................................... 54
Recertifying rules ...................................................... 56

Firewalls with intrusion prevention systems ............................. 58
Viewing IPS coverage in Skybox .......................................... 58

Access analysis ......................................................... 61
Using the Access Analyzer ............................................... 61

What If and Forensics models ............................................ 65

Using Skybox reports .................................................... 66
Reports tree ............................................................ 66
Report types ............................................................ 66
Firewall Assurance reports .............................................. 67


Preface

Intended audience

The Skybox Firewall Assurance Getting Started Guide provides background information about what Skybox Firewall Assurance does and how it works, and explains how to get started using the product. This Getting Started Guide is intended for use with the demo model only. To model firewalls from your organization’s network and work with those firewalls, see the Skybox Firewall Assurance User Guide.

The intended audience is anyone who wants to learn how to use Skybox Firewall Assurance.

How this manual is organized

This manual includes:

› Overview (on page 7) of Skybox Firewall Assurance
› Before you begin (on page 11), which includes:

• Instructions for starting and logging in to Skybox

• An overview of Skybox Manager

• Instructions for loading the demo model

If you are familiar with Skybox, you can skip most of this section. However, make sure to load the Live demo model file (on page 12).

› Tutorials on:

• Importing firewalls (on page 14)

• Rule Compliance (on page 21): Understanding how much protection is offered by a firewall’s access rules

• Access Compliance (on page 24): Testing the firewall traffic in the demo model for compliance with predefined Access Policies that correspond to industry standards

• Configuration Compliance (on page 38): Viewing weaknesses in firewall configurations

• Optimization and cleanup (on page 44): Optimizing access rules on a firewall

• Change tracking (on page 51): Viewing and managing changes in access rules and checking the results of these changes on the network

• Access analysis (on page 61): Understanding and troubleshooting connections between a source and a destination

• Using Skybox reports (on page 66): Understanding the built-in reports, making changes to the properties of reports, and generating reports


Each tutorial builds on the knowledge gathered in the previous tutorial; they are intended to be used in sequence.

Note: Screen captures in this document are from a Skybox installation with a license for Skybox Firewall Assurance and Skybox Network Assurance. If you have a license for a single Skybox product, screens might look slightly different.

Related documentation

The following documentation is available for Skybox Firewall Assurance:

› Skybox Firewall Assurance User Guide

Other Skybox documentation includes:

› Skybox Installation and Administration Guide
› Skybox Reference Guide
› Skybox Developer Guide
› Skybox Release Notes
› Skybox Change Manager User Guide

The entire documentation set (in PDF format) is available here

You can access a comprehensive Help file from any location in Skybox Manager by using the Help menu or by pressing F1.

Technical support

You can contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox Support portal

When you open a case, you need:

› Your contact information (telephone number and email address)
› Skybox version and build numbers
› Platform (Windows or Linux)
› Problem description
› Any documentation or relevant logs

You can compress logs before attaching them by using the Pack Logs tool (see Packing log files for technical support, in the Skybox Installation and Administration Guide).


Chapter 1: Overview

This chapter contains introductory information about Skybox Firewall Assurance.

In this chapter

Skybox Firewall Assurance ..................................................... 7

How Firewall Assurance works ................................................ 9

Highlights of Skybox Firewall Assurance .................................. 9

Firewall change request workflow.......................................... 10

Basic architecture ............................................................... 10

Skybox Firewall Assurance

Skybox® Security arms security professionals with the broadest platform of solutions for security operations, analytics, and reporting. By integrating with more than 100 networking and security technologies, the Skybox Security Suite merges data silos into a dynamic network model of your organization’s attack surface, giving comprehensive visibility of public, private, and hybrid IT environments. Skybox provides the context needed for informed action, combining attack vector analytics and threat-centric vulnerability intelligence to continuously assess vulnerabilities in your environment and correlate them with exploits in the wild. This makes the accurate prioritization and mitigation of imminent threats a systematic process, decreasing the attack surface and enabling swift response to exposures that truly put your organization at risk.



Skybox arms security leaders with a comprehensive cybersecurity management platform to address the security challenges of large, complex networks. The Skybox Security Suite breaks down data silos to build a dynamic network model that gives complete visibility of an organization’s attack surface and the context needed for informed action across physical, multi-cloud, and industrial networks. We leverage data by integrating with 120 security technologies, using analytics, automation, and advanced threat intelligence from the Skybox Research Lab to continuously analyze vulnerabilities in your environment and correlate them with exploits in the wild. This makes the prioritization and mitigation of imminent threats an efficient and systematic process, decreasing the attack surface and enabling swift response to exposures that truly put your organization at risk. Our award-winning solutions automate as much as 90 percent of manual processes and are used by the world’s most security-conscious enterprises and government agencies, including Forbes Global 2000 companies. For additional information visit the Skybox website

Firewall Assurance covers the most comprehensive list of firewall vendors, complex rulesets and virtual- and cloud-based firewalls, bringing your entire firewall estate into a single view. With continuous monitoring of firewalls and network devices, Firewall Assurance verifies that firewalls are clean, optimized and working effectively. It extends beyond firewall rule checks, analyzing possible traffic between network zones to find hidden attack vectors, flagging unauthorized changes and finding vulnerabilities on firewalls.


› Identify security policy violations and platform vulnerabilities to reduce your attack surface

› Visualize how network traffic can flow through your firewalls to troubleshoot access issues

› Clean and optimize firewall rulesets to maintain top performance

› Manage traditional, next-generation, virtual- and cloud-based firewalls with a single consistent and efficient process

Skybox Firewall Assurance is most often used to automate firewall audits and, in addition, to test policy compliance on other types of forwarding devices.

How Firewall Assurance works

The following figure shows the process of working with Firewall Assurance.

Highlights of Skybox Firewall Assurance

Skybox Firewall Assurance is most often used to automate firewall audits, but you can also use it to test policy compliance on other forwarding devices.

Highlights

› Comprehensive detection of security threats and compliance risks

• Imports, combines, and normalizes firewall data automatically from multiple vendors

• Highlights access policy violations and provides root cause analysis

• Identifies rule conflicts and misconfigurations

• Reveals vulnerabilities on firewalls

› Next-generation firewall management

• Supports next-generation access and rule compliance at the user and application level

• Provides configuration analysis and reporting on intrusion prevention system (IPS) blades

• Provides comprehensive visibility and real-time reporting

• Highlights the impact of firewall risks on your attack surface

• Shows the relation between firewalls and zones on an interactive map

• Reports on firewall ruleset audits and automates change tracking

• Incorporates compliance metrics and configuration analysis


› Firewall optimization and cleanup

• Automates rule recertification to streamline rulesets and ensure compliance

• Monitors firewalls continuously to eliminate security gaps

• Targets redundant, hidden and obsolete rules for cleanup and optimization

Firewall change request workflow

Skybox Firewall Assurance supports firewall change management using either of 2 approaches:

› Using a workflow application: Skybox offers Skybox Change Manager, a web interface for use with Skybox Firewall Assurance that supports a change request workflow. You can submit change requests to permit new connectivity in the network. Network administrators can quickly find the relevant firewalls and check whether the firewalls grant this access. Moreover, Firewall Assurance can check whether this request complies with your network guidelines and help to plan the details of the access rule change. For additional information, see the Skybox Change Manager User Guide.

› Using the Skybox API: To build a workflow application with BMC Remedy, ServiceNow, or another ticketing system, you can use the Skybox web service API and utilize Skybox Access and Policy analysis, as well as extracting firewall policy information. For additional information, see the Firewall Changes API chapter in the Skybox Developer Guide.

Basic architecture

The Skybox platform consists of a 3-tiered architecture with a centralized server (Skybox Server), data collectors (Skybox Collectors), and a user interface (Skybox Manager). Skybox can be scaled easily to suit the complexity and size of any infrastructure.

For additional information, see the Skybox architecture topic in the Skybox Installation and Administration Guide.


Chapter 2: Before you begin

This chapter contains introductory information about working with Skybox.

In this chapter

Prerequisites ...................................................................... 11

Starting Skybox Firewall Assurance ....................................... 12

Summary page ................................................................... 12

Prerequisites

› Skybox must be installed on your system before you can begin to work with the tutorials in this guide.

› The Skybox Server must be running before you can start Skybox Manager. If it is not running on your local machine, you need its name or IP address to connect to it.



Starting Skybox Firewall Assurance

To start Skybox Firewall Assurance

1 In the Windows system tray, right-click the Skybox icon and select Open Skybox.

2 Note that you can log in to any Skybox product at this point by clicking its icon above the User Name field. Make sure that Skybox Firewall Assurance is selected.

3 Type your user name and password.

If you were not assigned a user name and password by your Skybox administrator, use the user name skyboxview with the password skyboxview. This is the documented default account for working with the demo model; on any installation reachable by other users or networks, change the default password before use.

4 If the Server was not specified during installation or you do not want to connect to the default Server, select the desired Server or type its IP address.

5 Click Login.

6 The 1st time that you work with Skybox, click the Load demo model link in the workspace to load the demo model file.

The display refreshes after the model is loaded.

Note: The demo model file includes a small model for which data has been collected and some configuration tasks have been run.

Summary page

After the demo model loads, the All Firewalls Summary page is displayed in the workspace. This is the main page for Skybox Firewall Assurance, which displays summaries about the information that Skybox provides about your firewalls.

The page contains summary information about:


› Policy Compliance: The policy compliance level for both Access Compliance and Rule Compliance, and a link to the list of violations of the firewall ACLs

› Configuration Compliance: The security level of the firewall configurations, based on platform security checks

› Optimization and Cleanup: The number of firewalls with access rules that are candidates for cleanup, based on analysis of shadowing and redundancy, and on hit counts (from the firewall logs)

› Change tracking: The changes made in firewall access rules; how many firewalls were changed recently, and how many rules and objects were changed

From the Summary page, you can drill down to the firewall level in the area that interests you. Alternatively, you can view a similar summary for each firewall by selecting the firewall in the Tree pane.


Chapter 3: Importing firewalls

This chapter explains how to add firewalls and their configuration data to Skybox.

In this chapter

Add Firewall Wizard ............................................................. 14

Adding firewalls .................................................................. 14

Viewing firewalls ................................................................. 17

Searching access rules ........................................................ 19

Add Firewall Wizard

Skybox can import configurations from many firewall types (and from some other devices).

You import firewalls using the Add Firewalls Wizard. Use the wizard to:

› Connect directly to the firewall and collect its configuration data

For this method, you must know the firewall details.

› Import saved configuration files of the firewall

For this method, you must save copies of the necessary configuration files on your file system.

Adding firewalls

Configuration data for a number of devices is included in the demo model that you loaded, so there is no need to add more firewalls. However, steps of the Add Firewalls Wizard are included in this tutorial to familiarize you with the process. The Add Firewalls Wizard adds firewalls and their configuration data to Skybox. If there are firewalls in the Skybox model that are not listed under All Firewalls in the Firewall Assurance tree, use the wizard to add these firewalls to the tree.



To add a firewall to Skybox

1 Open the Firewall Assurance workspace.

2 On the toolbar, click the Add Firewalls Wizard button.

3 In the Start page, in the Select firewall type field, select Cisco PIX/ASA/FWSM firewall.

4 In the Select method for importing configuration field, select Import configuration files.

The selected method specifies whether to import saved configuration files (files generated from firewall configuration data retrieved from the firewall) or retrieve configuration information directly from the firewalls.


5 Click Next.

In the Properties page for importing firewalls, you specify the location of the saved configuration files.

6 Click Back.

7 In the Select method for importing configuration field, select Import from Firewall and then select Default Collector as the Skybox Collector to use to collect information from the firewall.


8 Click Next.

In the Properties page for collecting firewalls, you specify the information that the Collector needs to access the firewall and find the correct data.

Note: Each firewall type has different properties.

9 As the necessary firewalls are already included in the model, click Cancel at this point.

Viewing firewalls

To view the summary of a firewall

› In the tree, select All Firewalls > main_FW.

In the workspace, you see summary information about the firewall.

You can click a link to focus on that aspect of the firewall.

Note: If a firewall is part of a firewall management system, the firewall is visible in the tree under the name of the management system. For example, All Firewalls > MgmtServer1 > Firewall1.


To view firewall connections in a graphical (map) format

1 At the top of the workspace (underneath the name of the firewall), click the Firewall Map link, or click the Firewall Map button on the toolbar.

The Firewall Map window, displaying a map of the firewall connections, opens. You can see all the network interfaces of the firewall and the networks or clouds to which they are connected. This is useful for checking that new firewalls were imported correctly.

2 Right-click the firewall icon. You can see that there are various possible actions.

3 Right-click an interface icon. You can use this method to mark or change the zone of a network interface.

4 Close the Firewall Map when you are finished.


To view the access rules of a firewall

1 At the top of the workspace, click the Access Rules link.

2 Click the 3rd rule (Source = Partners Network, Destination = DMZ).

The Object tree (right-hand pane) displays the firewall objects for this rule.

You can expand the firewall objects to see the hierarchies of objects or double-click a firewall object to view its properties. You can double-click an access rule to see its properties.

3 By default, Skybox displays the source and destination using the original names in the firewall object. Click Show Resolved Addresses to view them as IP address ranges.

4 Click Cancel.

Searching access rules

In addition to viewing all the access rules of a firewall, you can use Skybox search capability to view a list of access rules that meet specified criteria.

For example, you can search for access rules that:

› Contain a specific object
› Contain a specific IP address or IP address range in the source or destination, or a specific port in the services field
› Contain a specific string in the original rule text or a specific original rule ID


To search for access rules

1 In the tree, select All Firewalls.

The context of the search depends on the element selected in the Tree pane; this search is across all firewalls.

2 In the Search area of the toolbar (on the right), make sure that Access Rule is selected in the drop-down list.

3 In the Search box, you can type an IP address or IP address range, a service port, or all or part of an object name. For this tutorial, type app1. This searches for the asset app1 in the Source, Destination, and Service fields of all firewalls.

4 Click the search button.

All access rules containing app1 are listed in the search results.

Note: Skybox determines the fields to be checked by examining the format of the search string. Only relevant fields are checked for matches.

5 In the Search box, click the clear button to clear the previous search results.

6 Click the expand button to expand the search definition area.

There are various ways to refine the search, including searching only in specific fields or changing the scope.

7 In the Search By area, select Advanced Search.

8 In the Source box, type app1.

9 Click the search button.

This time, the search results list only access rules that contain app1 in their Source field, not in the Destination.
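The search behaviour described in this tutorial (fields chosen from the format of the search string, matching on resolved addresses rather than only on object names, Advanced Search restricted to one field, and the scope set by the tree selection) is shown here as an added example. It is not Skybox code and does not use the Skybox API; the object table, the dmz_FW firewall, the rule contents and the port-matching convention are assumptions made for this example. Partners Network, DMZ, app1 and main_FW are the names this guide uses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"

# Constructed object table: firewall object name -> resolved networks.
# Partners Network, DMZ and app1 are names the tutorial uses; their
# addresses and the Corp LAN object are assumptions for this example.
OBJECTS = {
    "Partners Network": ["203.0.113.0/24"],
    "DMZ": ["192.0.2.0/24"],
    "app1": ["192.0.2.10/32"],
    "Corp LAN": ["10.0.0.0/8"],
}


@dataclass(frozen=True)
class Rule:
    firewall: str
    rule_id: str
    source: str       # object name or ANY
    destination: str
    service: str      # "proto/port" or ANY


# Constructed access rules across two firewalls (main_FW is the demo
# firewall name used in this guide; dmz_FW and the rules are made up).
RULES = [
    Rule("main_FW", "1", "Corp LAN", "DMZ", "tcp/443"),
    Rule("main_FW", "2", "app1", "Partners Network", "tcp/22"),
    Rule("main_FW", "3", "Partners Network", "DMZ", "tcp/443"),
    Rule("dmz_FW", "1", "Partners Network", "app1", "tcp/80"),
    Rule("dmz_FW", "2", ANY, ANY, "udp/53"),
]

# Which fields a query of each shape is checked against.
FIELDS_BY_KIND = {
    "address": ("source", "destination"),
    "port": ("service",),
    "name": ("source", "destination", "service"),
}


def classify(query: str) -> Tuple[str, object]:
    """Infer the search kind from the string's format: an IP range
    ("a-b"), a single address or CIDR, a port ("443" or "tcp/443"),
    or otherwise an object-name substring."""
    q = query.strip()
    if "-" in q:
        lo, hi = (p.strip() for p in q.split("-", 1))
        try:
            return "address", (ip_address(lo), ip_address(hi))
        except ValueError:
            pass
    try:
        net = ip_network(q, strict=False)
        return "address", (net[0], net[-1])
    except ValueError:
        pass
    port = q.lower().rsplit("/", 1)[-1]
    if port.isdigit() and 0 < int(port) < 65536:
        return "port", int(port)
    return "name", q.lower()


def object_matches(obj: str, kind: str, value) -> bool:
    """Match a source/destination object by name or, for address searches,
    by overlap with its resolved address ranges (ANY covers every address)."""
    if kind == "name":
        return value in obj.lower()
    if kind == "address":
        if obj == ANY:
            return True
        lo, hi = value
        return any(ip_network(n)[0] <= hi and ip_network(n)[-1] >= lo
                   for n in OBJECTS[obj])
    return False


def service_matches(service: str, kind: str, value) -> bool:
    """Match the service field by name substring or by port number."""
    if kind == "name":
        return value in service.lower()
    if kind == "port":
        return service == ANY or int(service.rsplit("/", 1)[-1]) == value
    return False


def search_rules(query: str, rules: List[Rule] = RULES,
                 scope: Optional[str] = None,
                 field: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (firewall, rule_id) for rules matching the query. `scope`
    limits the search to one firewall (the tree selection); `field`
    mimics Advanced Search by restricting the check to a single field."""
    kind, value = classify(query)
    fields = (field,) if field else FIELDS_BY_KIND[kind]
    hits = []
    for r in rules:
        if scope is not None and r.firewall != scope:
            continue
        for f in fields:
            matched = (service_matches(r.service, kind, value) if f == "service"
                       else object_matches(getattr(r, f), kind, value))
            if matched:
                hits.append((r.firewall, r.rule_id))
                break
    return hits


if __name__ == "__main__":
    for q in ("app1", "10.1.2.3", "443", "tcp/22"):
        print(f"{q!r:>12}: {search_rules(q)}")
    print("app1 in Source only:", search_rules("app1", field="source"))
```

Searching for app1 returns rules that carry the object in either Source or Destination; passing field="source" reproduces the Advanced Search step and drops the rule where app1 is only the destination. An address search matches the resolved ranges, so 10.1.2.3 hits both the Corp LAN rule and the Any/Any rule even though neither object name contains that string.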


Chapter 4: Rule Compliance

This chapter explains working with Rule Compliance in Skybox.

In this chapter

Overview of Rule Compliance ............................................... 21

Working with Rule Compliance .............................................. 22

Overview of Rule Compliance

Skybox analyzes Rule Compliance—checking firewall access rules against a Rule Policy—a set of best practice guidelines.

Skybox checks the access rules of each firewall for compliance with the Rule Policy and shows the access rules that violate the policy.

Rule Compliance analysis provides a starting point for understanding how much protection is offered by a firewall’s access rules. More accurate information is provided by Skybox Access Policy analysis, which checks traffic in the firewall against an Access Policy, but this requires additional configuration on your part, including the selection of an Access Policy (NIST, PCI DSS, or custom) and mapping firewall interfaces to zones. For this reason, we recommend Rule Compliance analysis as a 1st step.

Skybox includes a predefined Rule Policy. The predefined Rule Policy includes standard best practice Rule Checks. For example:

› Rules must not have “Any” in the destination, source, or service

› Rules must not have too many IP addresses in the destination or source

Some Rule Checks relate to missing access rules or to the interaction between access rules. For example:

› The ACL is missing an explicit Any-Any Deny rule

› There are bidirectional rules (that is, 2 rules with opposite source and destination but with the same service) in the ACL

You can:

› Control the set of Rule Checks to be applied to the firewalls by enabling and disabling checks, changing their severity, and modifying their properties

› Create custom Rule Checks


Working with Rule Compliance

Rule Compliance is analyzed automatically after firewalls are imported via the wizard.

To view Rule Compliance

1 In the tree, select a firewall.

2 Look at the Rule Compliance pane.

You can see whether the firewall is compliant with the Rule Policy and how many access rules violated the Rule Policy.

3 Click Rule Compliance.

You can see the Rule Checks applied to the firewall and their pass/fail status.

The Violating Rules column shows how many access rules violated each check.

4 Click the Violating Rules tab at the top of the table.

You can see all the violating access rules for this firewall, including those that violated the Access Policy.


Exporting Rule Compliance information

To export Rule Compliance information for a firewall

› Right-click the firewall Policy Compliance node and select Export to CSV – Rule Compliance.

Irrelevant Rule Checks

Some Rule Checks might not be relevant for all firewalls. You can disable any Rule Check for a specific firewall by right-clicking it and selecting Disable Rule Check in this Firewall.

Analyzing Rule Compliance after firewall updates

If you import a firewall using the wizard (as explained in Firewall import (on page 14)), Rule Compliance is automatically analyzed. If firewalls are updated using Skybox tasks, use an Analysis – Policy Compliance task to analyze Rule Compliance.

Note: If a firewall was not analyzed or if you accidentally cleared the compliance results, reanalyze compliance (right-click the Policy Compliance node of the firewall and select Analyze Compliance).


Chapter 5 Access Compliance

Skybox offers the most advanced and effective Access Compliance to verify that your firewall ACLs are well configured.

This chapter explains how to test firewall traffic for compliance with predefined Access Policies that correspond to industry standards. The result is compliance metrics for each firewall, a list of violations of the selected Access Policy, and a list of access rules that should be fixed.

In this chapter

Access Compliance and Rule Compliance ............................... 24

What is an Access Policy? .................................................... 24

Mapping firewall network interfaces to Access Policy zones ...... 26

Analyzing the Access Policy .................................................. 28

Understanding compliance metrics ........................................ 29

Understanding what caused a violation .................................. 31

Creating and editing Access Policy exceptions ......................... 32

PCI DSS ............................................................................ 34

Access Compliance and Rule Compliance

When Skybox analyzes Rule Compliance, it uses syntactic checks (string comparison) to check whether a firewall’s access rules obey simple best practice guidelines (for example, “No Risky Ports” and “‘Any’ in 2 fields”). In the Rule Compliance chapter (on page 21), you saw how Skybox displays Rule Compliance.

When Skybox analyzes Access Compliance, it checks whether traffic can pass through the firewall, taking all the firewall’s access rules into consideration. In this chapter, you learn how Skybox displays Access Compliance.

What is an Access Policy?

An Access Policy is a set of rules (Access Checks) defining the constraints on the traffic permitted by a firewall protecting the network. These rules verify that access permitted by the firewall does not violate the best practice, regulatory, or customized organizational policies established by your organization. Skybox includes a predefined Access Policy for NIST 800-41 guidelines and another for PCI DSS guidelines (Requirement 1 of PCI DSS).


To view the Access Policies

1 In the tree, expand the Access Policies node.

There are separate Access Policies for NIST and PCI.

2 Expand the NIST 800-41 Policy > NIST External Access folder.

This folder is divided into policy sections: NIST-External to External, NIST-External to Partner, NIST-External to DMZ, and NIST-External to Internal. Each policy section specifies the desired access relationship between 2 specific zones.

3 Expand these policy sections to see the Access Checks in each section.


Some Access Checks in different policy sections have similar names because they test the same type of access but between different areas or zones in the network. For example, in the External to DMZ policy section, the Block Trojan and Worm Ports Access Check tests that there is no access to Trojan and worm ports in the DMZ from external servers; in the External to Internal policy section, the Access Check with the same name tests that there is no access to Trojan and worm ports in the internal servers from the external servers.

4 Expand the PCI DSS Access Policy.

Each subfolder defines how to test compliance for a section of the PCI DSS policy.

Customizing the Access Policies

The predefined Access Policies include a policy for NIST 800-41 and other industry-wide best practice guidelines and another policy for PCI DSS. However, most organizations have additional best practice guidelines of their own. You can add these guidelines to the appropriate Access Policy in the form of custom Access Checks and custom zones, or create a separate Access Policy. You can modify or disable individual Access Checks as needed.

Mapping firewall network interfaces to Access Policy zones

You can apply an Access Policy to a firewall by selecting the Access Policy and then mapping the firewall network interfaces to the zones used in that policy. A zone is a way of grouping network interfaces that have the same trust level. For example, map the network interface of a firewall that leads to the DMZ network to the DMZ zone and map network interfaces leading to the internet and other external networks to the External zone. You can then check compliance of the firewall with the selected Access Policy.


To check whether your firewall is compliant with the NIST or PCI DSS Access Policy, select the Access Policy to use and then map each network interface of the firewall to the relevant zone. The firewall map shows the network to which each interface is mapped, which can help you to understand the network interfaces that map to each zone.


To select an Access Policy and map zones for a firewall

1 In the Firewall Assurance tree, right-click the All Firewalls > main_FW > Policy Compliance node and select Manage Access Policy.

2 In the Manage Access Policy dialog box, select the Access Policy named NIST 800-41 & Application.

3 To change the zone of a network interface, select int18 and click Mark as Zone.

The Mark as zone dialog box is where you change or add the zone type. (The zone name is optional.)

4 Click Cancel.

5 To check traffic to or from a network interface, click Access from Interface or Access to Interface.

• For information about these results, see Access analysis (on page 61).

6 Click OK.

Note: After you select the Access Policy for a firewall, you can map the network interfaces to zones either in the Mark as zone dialog box or by using the firewall map.

Analyzing the Access Policy

After all network interfaces are classified into zones, analyzing the Access Policies applies the best practice rules to existing firewalls, to analyze access and check for compliance with the rules.


You can analyze all or part of the Access Policy. For example:

› A specific firewall (that is, analyze only Access Checks that apply to the selected firewall)

› A specific folder or policy section (for example, only Access Checks that check for access between the External and DMZ zones), for all firewalls in the scope

› A specific Access Check

Analyzing compliance

To analyze compliance (for all firewalls)

1 In the Tree pane, select All Firewalls.

2 On the toolbar, click .

Note: This action analyzes the firewalls for all types of compliance (Access Compliance, Configuration Compliance, and Rule Compliance), change tracking, and shadowed and redundant rules.

Understanding compliance metrics

After the Access Policy is analyzed for a firewall, there is a short summary of the results in the Summary page of the firewall, including how much the firewall complies with the Access Policy and its sections.

1 With main_FW selected in the tree, look at the workspace.

The summary of policy compliance lists the compliance metrics for this firewall.


2 Click the Violating Rules link to view the firewall access rules that caused the violations.

Look in the Access Policy Violations column to view the number of Access Policy violations per access rule.

The Details pane lists data about the access rule selected in the Table pane.

3 Click a specific access rule in the Table pane.

The view switches to show the violations caused by the selected access rule, including the violated policy section and Access Check.

These violations are failed tests of the NIST 800-41 policy on main_FW; each lists what was tested (and failed).

4 The Rule Details tab displays detailed information about the selected access rule, including firewall objects.

After you understand why an access rule is causing violations, you can decide how to fix it. For example, you could change a rule that permits access on all services to permit access on specific services only.


Access Compliance by policy sections

Sometimes it is useful to view the violations according to the policy sections that they violate. In this way, you get an overall idea of the connections in this firewall that are causing the most problems.

1 In the tree, reselect main_FW > Policy Compliance.

2 In the Table pane, click the Access Compliance tab.

You can see a list of the policy sections with their source, destination, and the number of violations of each criticality level.

3 Select an Access Policy section and click the All Tests tab of the Details pane to see a list of tests that checked compliance.

Skybox verifies compliance of the firewall to the Access Policy by running access tests. Access tests are tests that analyze access between the network interfaces (zones) of the firewall according to the rules specified in the Access Policy. Each test analyzes a specific Access Check between 2 interfaces.

For example, an Access Check that analyzes to make sure that NetBIOS access is blocked from External zones to DMZ zones has separate tests for each External interface to each DMZ interface. If there are 2 interfaces marked External Zone and 2 interfaces marked DMZ Zone, there are a total of 4 access tests.

If all the tests passed successfully, the firewall is considered 100% compliant. Tests that fail are violations. The compliance level is the percentage of successful tests relative to the total number of tests.

Understanding what caused a violation

This section explains how to view access information for violations. After you understand what caused the violation, you can try to work out an appropriate solution.

To view access information for a violation

1 On the toolbar, click to view the list of policy sections.

2 Click NIST-External to Internal.

For this policy section, there is 1 violating access rule. In the Details pane, you see that this access rule has 3 violations.


3 Click the violating rule’s link in the Table pane.

The Table pane lists the violations for this policy section. The Details pane contains information about the 1st violation, with the Details tab displayed.

The name of the rule is Block Login Services, and this is a critical violation.

The access test failed because access exists between the External interface (int19) and the Internal interface (int15), but the Access Check specifies that login services between network zones of different security levels must not be permitted.

4 Click to display all the tabs in the Details pane.

5 Click the Access Results tab to view the access between the source and the destination.

6 In the tree, expand the int15 network interface and select the lowest-level node.

The access to the IP address range 192.170.17.0-192.170.19.255 is via the service (port) 22-23/TCP.

Creating and editing Access Policy exceptions Exceptions are a way to fine-tune the Access Policy according to actual practices or requirements of your organization. Sometimes, specific entities in a location or zone that you are testing have different access permissions from the other entities in that location or zone. You can mark these entities as exceptions to the Access Check so that they are not tested, or you can create exceptions for specific access rules.

In our example, suppose it turns out that access over 22-23/TCP between the internet and the internal networks does not violate your organization’s Access Policy; you therefore mark it as an exception.


To mark exceptions

1 In the Access Results tree, select the 22-23/TCP node and click .

2 Click OK.

As this is the only service that violated the Access Check in this access test, the test no longer violates the Access Policy and a green compliance indicator ( ) is displayed next to the ID of the test.
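The compliance metric described above (one access test per source/destination interface pair, compliance level = passed tests / total tests) and the effect of marking 22-23/TCP as an exception, worked through in an added Python example that is not part of the guide or of Skybox's own code. The zone mapping, the two Access Checks, their blocked services and the per-interface access results are constructed sample data; an exception here is modelled simply as (Access Check name, service range).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ServiceRange = Tuple[str, int, int]        # (protocol, first port, last port)

def parse_service(text: str) -> ServiceRange:
    """'22-23/TCP' -> ('TCP', 22, 23); '80/TCP' -> ('TCP', 80, 80)."""
    ports, proto = text.split("/")
    lo, _, hi = ports.partition("-")
    return (proto.upper(), int(lo), int(hi or lo))

def fmt_service(s: ServiceRange) -> str:
    proto, lo, hi = s
    return f"{lo}/{proto}" if lo == hi else f"{lo}-{hi}/{proto}"

def overlap(a: ServiceRange, b: ServiceRange) -> Optional[ServiceRange]:
    """Ports common to both ranges (same protocol), or None."""
    if a[0] != b[0]:
        return None
    lo, hi = max(a[1], b[1]), min(a[2], b[2])
    return (a[0], lo, hi) if lo <= hi else None

def contains(outer: ServiceRange, inner: ServiceRange) -> bool:
    return outer[0] == inner[0] and outer[1] <= inner[1] and inner[2] <= outer[2]

@dataclass(frozen=True)
class AccessCheck:
    name: str
    src_zone: str
    dst_zone: str
    blocked: Tuple[str, ...]       # services that must NOT be reachable src_zone -> dst_zone

@dataclass
class AccessTest:
    """One Access Check evaluated between one source and one destination interface."""
    check: AccessCheck
    src_if: str
    dst_if: str
    violations: List[str] = field(default_factory=list)   # e.g. ["22-23/TCP"]

    @property
    def passed(self) -> bool:
        return not self.violations

def expand_tests(policy: List[AccessCheck], zone_of: Dict[str, str]) -> List[AccessTest]:
    """2 External interfaces x 2 Internal interfaces -> 4 tests per External-to-Internal check."""
    return [AccessTest(c, s, d)
            for c in policy
            for s, sz in zone_of.items() if sz == c.src_zone
            for d, dz in zone_of.items() if dz == c.dst_zone]

def evaluate(tests: List[AccessTest],
             access_results: Dict[Tuple[str, str], List[str]],
             exceptions: List[Tuple[str, str]]) -> List[AccessTest]:
    """A test's violations are the blocked services that the access results show as reachable,
    minus any service covered by an exception for that Access Check."""
    for t in tests:
        reachable = [parse_service(s) for s in access_results.get((t.src_if, t.dst_if), ())]
        exempt = [parse_service(s) for name, s in exceptions if name == t.check.name]
        t.violations = []
        for blocked in map(parse_service, t.check.blocked):
            for open_svc in reachable:
                hit = overlap(blocked, open_svc)
                if hit and not any(contains(e, hit) for e in exempt):
                    t.violations.append(fmt_service(hit))
    return tests

def compliance_level(tests: List[AccessTest]) -> float:
    """Percentage of access tests that passed; 100.0 means fully compliant."""
    return 100.0 * sum(t.passed for t in tests) / len(tests)

# Constructed interface-to-zone mapping (assumption, loosely following the guide's int15/int19).
ZONE_OF = {"int19": "External", "int20": "External",
           "int17": "DMZ", "int18": "DMZ",
           "int15": "Internal", "int16": "Internal"}

# Constructed Access Checks (the service lists are assumptions, not Skybox's NIST policy content).
NIST_EXTERNAL_ACCESS = [
    AccessCheck("Block NetBIOS", "External", "DMZ", ("137-139/TCP", "137-139/UDP")),
    AccessCheck("Block Login Services", "External", "Internal", ("22-23/TCP", "513/TCP")),
]

# Constructed access results: services the firewall lets through between interface pairs.
ACCESS_RESULTS = {
    ("int19", "int17"): ["80/TCP", "139/TCP"],
    ("int19", "int18"): ["443/TCP"],
    ("int19", "int15"): ["22-23/TCP", "80/TCP"],
    ("int20", "int16"): ["443/TCP"],
}

if __name__ == "__main__":
    before = evaluate(expand_tests(NIST_EXTERNAL_ACCESS, ZONE_OF), ACCESS_RESULTS, [])
    print(len(before), "tests, compliance", compliance_level(before), "%")      # 8 tests, 75.0 %
    after = evaluate(expand_tests(NIST_EXTERNAL_ACCESS, ZONE_OF), ACCESS_RESULTS,
                     [("Block Login Services", "22-23/TCP")])
    print("with exception:", compliance_level(after), "%")                       # 87.5 %
```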

You can view and edit exceptions.


To edit an exception

1 In the tree, right-click main_FW > Policy Compliance and select Exceptions.

In the Exceptions dialog box, the Firewall Exceptions tab lists exceptions created for the firewall, and the Access Policy Exceptions tab lists exceptions to specific Access Checks that are relevant for this firewall.

2 Click the Access Policy Exceptions tab.

Access Policy exceptions that affect the selected firewall are listed.

3 Select an exception and click Modify.

Policy exceptions might affect multiple firewalls. Keep this in mind when you change a policy exception from a specific firewall.

4 As it is not necessary to change the exception’s properties, click Cancel in the Access Policy Exception Properties dialog box.

PCI DSS

Skybox Firewall Assurance supports Requirement 1 of PCI DSS: “Install and maintain a firewall configuration to protect cardholder data, a sensitive area within the trusted network of a company.” Requirement 1 is preconfigured in Skybox using an Access Policy and specific zone types, so that you can use Skybox Firewall Assurance to check whether your firewalls are compliant. Public Access Policies > PCI DSS V3.x Policy is organized using a similar structure to the hierarchy of sections in Requirement 1.

In the demo model, prod FW was prepared for a PCI DSS firewall audit.


To view compliance with PCI DSS Requirement 1

1 In the Firewall Assurance tree, select All Firewalls > prod FW.

You can see information about this firewall, including Access Compliance.

2 In the tree, select Access Policies > Public Access Policies > PCI DSS V3.x Policy and expand this node.

Each policy folder and policy section in the hierarchy represents a subsection of PCI DSS Requirement 1.

3 In the tree, navigate to the All Firewalls > prod FW > Policy Compliance node.

4 Right-click the node and select PCI Firewall Compliance Report.


5 In the Report Properties dialog box, click Generate Now.

The 2nd section of the report contains a summary of the compliance of the prod FW firewall with each subsection of the requirement.

6 When you are finished, close the report window.


Chapter 6 Exceptions

Exceptions are a way to fine-tune the Access Policy according to actual practices or requirements of your organization. Sometimes, specific entities in a location or zone that you are testing have different access permissions from the other entities in that location or zone. You can mark these entities as exceptions to the Access Check so that they are not tested or you can create exceptions for specific access rules.


Chapter 7 Configuration Compliance

This chapter explains working with Configuration Compliance in Skybox.

In this chapter

Configuration Compliance overview ....................................... 38

Viewing Configuration Compliance for a single firewall ............. 38

Viewing Configuration Compliance for all analyzed firewalls ...... 41

Viewing an overview of Configuration Compliance ................... 42

Configuration Compliance overview

Configuration Compliance enables you to audit the platform security of your firewalls and understand weaknesses in a firewall configuration (for example, whether the firewall can be accessed using the default password, whether logging is enabled, and whether the management protocol is encrypted).

Configuration Compliance is analyzed by comparing firewall configuration data with a Configuration Policy—a predefined policy included with Skybox or a customized policy created by your organization. Skybox displays where the configuration does not comply with the policy.

A Configuration Policy is a set of Configuration Checks for a specific firewall type. Each Configuration Check contains a regular expression. When firewall configuration data is analyzed, the Configuration Check passes only if the regular expression is found in the configuration file.

The predefined set of Configuration Policies (Standard) checks your device files against known best practice guidelines for various platforms, including Check Point firewalls, Cisco devices, Juniper NetScreen and Junos firewalls, Palo Alto Networks firewalls, and Fortinet FortiGate firewalls. There is one Configuration Policy for each firewall type. You can customize the Standard Configuration Policies to suit your requirements and you can create additional policies. When a Configuration Policy is analyzed, all firewalls that match the policy scope are tested against all the Configuration Checks in that policy.

There is an additional set of Configuration Policies for those whose companies must comply with STIG standards.
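The regular-expression model of a Configuration Check described above, shown as an added Python example that is not part of the guide or of Skybox's own policy content: each check passes only if its pattern is found in the device configuration, and a failing check reports the expected result next to the actual configuration lines. The check names, patterns and the Cisco-ASA-style sample configuration are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class ConfigurationCheck:
    """One Configuration Check: passes only if `pattern` is found in the configuration file."""
    name: str
    pattern: str      # regular expression a compliant configuration must contain
    expected: str     # human-readable expected result, shown beside a violation
    context: str      # regex selecting the configuration lines reported as the actual result

# Constructed checks in the spirit of a "Cisco FW Standard Policy" (assumption: these are
# illustrative patterns, not the checks shipped in Skybox's Standard policy).
CISCO_FW_STANDARD_POLICY: List[ConfigurationCheck] = [
    ConfigurationCheck("Logging enabled", r"^logging enable$",
                       "logging enable", r"^logging\b"),
    ConfigurationCheck("Management protocol encrypted (SSHv2)", r"^ssh version 2$",
                       "ssh version 2", r"^(ssh|telnet)\b"),
    ConfigurationCheck("Console session timeout set", r"^console timeout [1-9]\d*$",
                       "console timeout <non-zero minutes>", r"^console timeout\b"),
    ConfigurationCheck("Password encryption enabled", r"^password encryption aes$",
                       "password encryption aes", r"^password\b"),
]

def analyze_configuration(config_text: str,
                          policy: List[ConfigurationCheck]) -> List[Dict[str, object]]:
    """Run every Configuration Check of a policy against one device's configuration file."""
    results = []
    for check in policy:
        # MULTILINE so that ^ and $ anchor each configuration line, as a per-line check needs
        passed = re.search(check.pattern, config_text, re.MULTILINE) is not None
        actual = [line for line in config_text.splitlines() if re.search(check.context, line)]
        results.append({
            "check": check.name,
            "passed": passed,
            "expected": check.expected,
            "actual": actual or ["<no matching configuration line>"],
        })
    return results

def compliance_summary(results: List[Dict[str, object]]) -> Dict[str, object]:
    """The firewall is compliant with the policy only if every check passed."""
    failed = [r["check"] for r in results if not r["passed"]]
    return {"compliant": not failed, "violations": len(failed), "failed_checks": failed}

# Constructed configuration excerpt for a hypothetical device (not the demo model's vlab-cisco).
SAMPLE_CONFIG = """\
: Saved
hostname vlab-cisco
logging enable
logging buffered informational
ssh version 1
telnet 10.0.0.0 255.0.0.0 inside
console timeout 0
"""

if __name__ == "__main__":
    results = analyze_configuration(SAMPLE_CONFIG, CISCO_FW_STANDARD_POLICY)
    for r in results:
        status = "PASS" if r["passed"] else "FAIL"
        print(f"{status}  {r['check']}: expected {r['expected']!r}, actual {r['actual']}")
    print(compliance_summary(results))     # 3 violations: SSHv2, console timeout, password encryption
```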

Viewing Configuration Compliance for a single firewall

There are 2 ways to view Configuration Compliance data:

› Per firewall


› For all analyzed firewalls

To view Configuration Compliance for a single firewall

1 In the Firewall Assurance tree, select All Firewalls > vlab-cisco > Configuration Compliance.

You can see all the Configuration Checks analyzed for this firewall, and whether the firewall is compliant with them.

2 Select a failed Configuration Check in the list.

The Details pane displays general information about the check. Click the Result Details tab to view information about the violation, including the expected results of the Configuration Check and the actual results of comparing the Configuration Check with the firewall configuration data.

VIEWING VULNERABILITIES ON A FIREWALL

You can view vulnerability occurrences on a firewall based on the firewall configuration. This shows if there are vulnerability occurrences on these devices that might expose them to attacks.


To view vulnerability occurrences on a firewall

1 In the Firewall Assurance tree, make sure that All Firewalls > vlab-cisco > Configuration Compliance is selected.

2 Click the Vulnerability Occurrences tab.

There are multiple vulnerability occurrences on this firewall, although most of them are marked as inaccessible (they cannot be used by an attacker). These vulnerability occurrences were detected by the Analysis – Vulnerability Detector for Devices task, based on information in the firewall configuration files.


Viewing Configuration Compliance for all analyzed firewalls

To view Configuration Compliance for all analyzed firewalls

1 In the tree, expand the main Configuration Policies node.

There is a policy folder named Standard v9. This is the folder that contains all the standard predefined Configuration Policies. When you expand it, you can see all its Configuration Policies.

Each Configuration Policy applies to a specific type of firewall.

2 Select Cisco FW Standard Policy.

The workspace displays a list of all the Configuration Checks in this policy, and whether there are violations.


3 Right-click Cisco FW Standard Policy and select Properties.

This policy applies to all Cisco firewalls.

4 Close the Properties dialog box.

5 Click a Configuration Check in the Table pane to see its details in the workspace.

6 Click the Analyzed Firewalls tab.

You can see a list of all the firewalls analyzed for this Configuration Check and the firewalls that violated the Configuration Check. In the demo model, only the vlab-cisco firewall was analyzed.

The Details pane displays the expected and actual results.

Exporting Configuration Compliance information

To export Configuration Compliance information for a firewall

› Right-click vlab-cisco’s Configuration Compliance node and select Export to CSV – Configuration Compliance. You can select where to save the file.

Viewing an overview of Configuration Compliance

Skybox includes an overview (dashboard) of Configuration Compliance for all analyzed devices and all Configuration Policies.


To view the overview

› In the tree, select Configuration Policies.

The workspace displays a dashboard of compliance, which displays overall configuration results grouped by Configuration Policy/Configuration Check and by device.

Use the links to drill down to detailed information.


Chapter 8 Optimization and cleanup

The Optimization and Cleanup feature can help you to clean up and optimize access rules on a network device.

› Shadowing and redundancy is based on a logical analysis of the device ACL to find access rules that can never be reached and other access rules that you can delete without changing the behavior of the device.

› Rule usage analysis is based on activity logs. It groups rules in the device according to usage frequency.

In this chapter

Shadowed and redundant rules ............................................ 44

Rule usage analysis ............................................................. 47

Exporting data to CSV files ................................................... 50

Shadowed and redundant rules

Skybox can analyze the ACLs of firewalls to find unused access rules that might be unnecessary.

A shadowed rule is an access rule that is never reached because its scope is completely covered by rules that are above it in the rule chain.

For example, if you have the following access rules in a rule chain, the 1st rule grants more access than the 2nd rule, so the 2nd rule is never reached by any packets:

› Rule 56: Network A to Network B on any port (any service)

› Rule 121: Network A to locations in Network B on port 21

For shadowed rules, it does not matter whether the action of the 2 rules is the same or different. In the preceding example, the 1st rule’s action could be Deny and the 2nd rule’s action could be Allow; the 2nd rule is never reached.

A redundant rule is an access rule whose scope is completely covered by rules with the same action that are below it in the rule chain. Deletion of a redundant rule does not change the access behavior of the firewall, as a packet that matches the redundant rule also matches a rule below it with the same action.

For example, if you have the following access rules in a rule chain:

› Rule 31: Development Network to All Production Application Servers on FTP port, action = Allow

› Rule 53: Development Network to Entire Organization Network on all ports, action = Allow


Rule 31 is redundant because its scope is completely covered by rule 53 and both rules have the same action (Allow).
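The shadowing and redundancy definitions above, carried out on the guide's two example chains (rules 56/121 and 31/53) in an added Python example that is not part of the guide or of Skybox's own analysis. Each rule's match set is a box of four intervals (source, destination, port, protocol); a rule is shadowed when the union of the rules above it leaves nothing of that box, which also detects shadowing by several rules together. The redundancy check additionally stops at an intervening rule with a different action, a case the guide's wording leaves implicit. The network addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Interval = Tuple[int, int]
Box = Tuple[Interval, Interval, Interval, Interval]   # (source, destination, port, protocol)

ANY_NET: Interval = (0, 2**32 - 1)
ANY_PORT: Interval = (0, 65535)
PROTO = {"any": (0, 255), "tcp": (6, 6), "udp": (17, 17)}   # IP protocol numbers

def net(spec: str) -> Interval:
    """'any' or a CIDR block as an inclusive interval of integer IPv4 addresses."""
    if spec.lower() == "any":
        return ANY_NET
    n = ipaddress.ip_network(spec, strict=False)
    return (int(n.network_address), int(n.broadcast_address))

@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str
    dst: str
    ports: Interval
    proto: str
    action: str          # "allow" or "deny"

    def box(self) -> Box:
        """The set of packets this rule matches, as a product of four intervals."""
        return (net(self.src), net(self.dst), self.ports, PROTO[self.proto])

def subtract(b: Box, a: Box) -> List[Box]:
    """The packets of b that a does not match, as disjoint boxes ([] when a contains b)."""
    if any(b[i][0] > a[i][1] or b[i][1] < a[i][0] for i in range(4)):
        return [b]                                   # disjoint: nothing is removed
    pieces, cur = [], list(b)
    for i in range(4):
        (lo_b, hi_b), (lo_a, hi_a) = cur[i], a[i]
        if lo_b < lo_a:                              # slab of b below a in dimension i
            pieces.append(tuple(cur[:i] + [(lo_b, lo_a - 1)] + cur[i + 1:]))
        if hi_b > hi_a:                              # slab of b above a in dimension i
            pieces.append(tuple(cur[:i] + [(hi_a + 1, hi_b)] + cur[i + 1:]))
        cur[i] = (max(lo_b, lo_a), min(hi_b, hi_a))  # keep only the overlap for later dimensions
    return pieces                                    # `cur` is now b ∩ a, which is dropped

def shadow_analysis(chain: List[Rule], index: int) -> Tuple[bool, List[int]]:
    """Is chain[index] shadowed (never reached)? Returns the verdict and the IDs of the rules
    above it that cover parts of it. Their actions are irrelevant, as the guide notes."""
    remaining, shadowers = [chain[index].box()], []
    for above in chain[:index]:
        new = [p for r in remaining for p in subtract(r, above.box())]
        if new != remaining:
            shadowers.append(above.rule_id)
        remaining = new
        if not remaining:
            return True, shadowers
    return False, shadowers

def redundancy_analysis(chain: List[Rule], index: int) -> Tuple[bool, List[int]]:
    """Is chain[index] redundant (deletable without changing behaviour)? Same-action rules
    below it must cover it before any differently-acting rule below catches one of its packets."""
    rule = chain[index]
    remaining, covering = [rule.box()], []
    for below in chain[index + 1:]:
        if below.action != rule.action:
            if any(subtract(r, below.box()) != [r] for r in remaining):
                return False, covering           # a packet would now get a different verdict
            continue
        new = [p for r in remaining for p in subtract(r, below.box())]
        if new != remaining:
            covering.append(below.rule_id)
        remaining = new
        if not remaining:
            return True, covering
    return False, covering

# Constructed rule chains mirroring the guide's two examples (the networks are assumptions).
SHADOW_CHAIN = [
    Rule(56, "10.1.0.0/16", "10.2.0.0/16", ANY_PORT, "any", "deny"),     # Network A -> Network B, any service
    Rule(121, "10.1.0.0/16", "10.2.5.0/24", (21, 21), "tcp", "allow"),   # A -> locations in B, port 21
]
REDUNDANT_CHAIN = [
    Rule(31, "10.10.0.0/16", "10.20.1.0/24", (21, 21), "tcp", "allow"),  # Dev -> prod app servers, FTP
    Rule(53, "10.10.0.0/16", "10.0.0.0/8", ANY_PORT, "any", "allow"),    # Dev -> entire organization
]

if __name__ == "__main__":
    print("rule 121 shadowed:", shadow_analysis(SHADOW_CHAIN, 1))        # (True, [56])
    print("rule 31 redundant:", redundancy_analysis(REDUNDANT_CHAIN, 0)) # (True, [53])
```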

Working with shadowed and redundant rules

Usually, you run an Analysis – Rule Optimization Status task to obtain information about shadowed and redundant rules; the Analyze Firewall Shadowed Rules task has been run for the demo model.

To view shadowed rules

1 In the Firewall Assurance tree, select All Firewalls and click the Firewalls tab.

2 Look at the Shadowed Rules column to identify the firewalls that have shadowed rules.

3 Click the Shadowed Rules link for main_FW.

The Table pane lists the rules in main_FW that are shadowed (that is, not reached).

4 Select rule 14.

The bottom table lists the rules that shadow (that is, contain) this rule followed by the shadowed rule.


5 Click Explain to open the Explanation View dialog box that shows the shadowed rule next to the shadowing rules in separate panes, to help you to understand how the scope of the shadowed rule is covered by the shadowing rules.

6 Click the Source node in the Shadowed Rule pane.

The Causes Shadowing pane shows how the source in the shadowing rule covers (shadows) the source in the Shadowed Rule pane. The icon next to the Source in the Causes Shadowing pane means that this source (Any) completely contains the source in the shadowed rule (192.170.18.0-192.170.18.255).

Viewing redundant rules

Viewing redundant rules is similar to viewing shadowed rules. Click the Redundant Rules tab at the top of the table pane to get started.


Rule usage analysis

In Skybox Firewall Assurance, you can use a process named rule usage analysis to streamline the optimization of access rules and to help you to identify unused rules and objects.

The 1st step in this process is to collect the activity log from the device policy; this data is included in the demo model for the firewall main_FW.

To view rule usage analysis data

1 In the tree, select All Firewalls > main_FW.

The summary includes rule usage information for this firewall.

2 Next to the title of the Optimization and Cleanup pane, click the arrow to expand the pane.

• Rule Usage: Usage information about the access rules used by this device, in table and chart formats.

• Object Usage: Usage information about the device objects used in the device access rules.

3 Click the Unused Rules link.

The Rule Usage tab is displayed. The access rules are grouped by usage types (during the analysis period):

• Unloggable: Rules that cannot be logged. These are implicit rules and rules entered manually in Skybox.

• Contains Unused Objects: Rules that had hits, but some objects referenced in the rule had no hits.

• Used: Rules that had hits and all objects referenced in the rule had hits.

• Not Logged: Rules for which logging is disabled on the device.

• Unused: Rules that had no hits.

The value in the Hit Count column of the unused rules is 0. Rules in the Usage: Used and Usage: Contains Unused Objects groups have hit counts greater than zero.

4 Open the list of Usage: Used rules.

Note that 2 rules have (Critical) in the Actual Rule Usage column and that the actual rule usage for each of these rules is under 1%. The Actual Rule Usage column shows the lowest usage level of the Source, Destination, and Service fields. You can see if any of the fields are very ‘permissive’ by their poor usage.

5 Select the Critical rule with 0.39% usage.

The Details pane displays the actual usage for the rule, split according to its ‘dimensions’ (source, destination, and service).

6 Select the last entry in the table.

7 Hover your mouse over the Used Addresses/Ports field.

The field itself shows that, although the definition of this rule contains Any in the Service field, only a limited number of ports are used. The tooltip shows the actual hit count for each port and the most recent date that the port was used; consider narrowing the scope of the Service field of this access rule to prevent unnecessary exposure.

VIEWING OBJECT USAGE

To view object usage for an access rule

1 Click the Object Usage tab.

The firewall objects are grouped by usage types and then by object types. The usage types are (for hits during the analysis period):

• Unused: The object had no hits.

• Unused in Some Rules: The object is used in at least 1 rule and unused in at least 1 rule.

• Used: The object is used in all rules that reference it.

• Not Logged: No hit count is available for the object. This usually refers to objects that are only referenced by implicit rules and rules for which logging is disabled.

2 In the Table pane, expand Usage: Unused in Some Rules and then expand Type: FireWall-1 Group.

3 Select an object. You can see information about the object in the Details pane, including how many rules reference the object and in how many rules the object is unused.

4 To display all access rules that reference the object, right-click the object and select Show Referencing Rules.

All the access rules for the firewall are listed; the rule that references the object is in bold type.

5 Close the display of access rules.

6 To display the rules in which the object is referenced but not used (that is, the object’s hit count in that rule is zero), right-click the object and select Show Unused Rules.

The access rules for the firewall are listed; the rules that reference the object but have a hit count of zero are in bold type (rule 9).

7 Close the list of access rules.
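Rule usage analysis and object usage, as added example code (not Skybox code) working from a constructed activity log: it assigns each rule one of the usage categories listed above, computes the per-field actual usage whose minimum the Actual Rule Usage column shows (the guide flags values under 1% as Critical), lists the objects unused within each rule, and derives the object usage categories from those per-rule results.

```python
"""Rule usage analysis from firewall activity logs (added example, not Skybox code).

Rule fields reference named objects; an object is Any or a set of addresses or
ports. Categories follow the guide; a field's "actual usage" is the share of its
scope seen in the log (objects within a field assumed disjoint). All data is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

DIMS = ("src", "dst", "svc")
ip = lambda dotted: int(ip_address(dotted))   # dotted quad -> int, for the constructed data

@dataclass(frozen=True)
class Obj:
    name: str
    kind: str                            # "ip" or "port"
    members: Optional[frozenset] = None  # None means Any

    def contains(self, value: int) -> bool:
        return self.members is None or value in self.members

    def size(self) -> int:               # size of the scope this object stands for
        return len(self.members) if self.members is not None else (2 ** 32 if self.kind == "ip" else 65536)

@dataclass(frozen=True)
class Rule:
    number: int
    src: Tuple[Obj, ...]
    dst: Tuple[Obj, ...]
    svc: Tuple[Obj, ...]
    logged: bool = True      # False -> "Not Logged"
    implicit: bool = False   # True -> "Unloggable"

def rule_usage(rules: List[Rule], rows: List[Tuple[int, int, int, int]]) -> Dict[int, dict]:
    """Per rule: category, hit count, objects unused in it, lowest field usage (percent)."""
    report = {}
    for r in rules:
        hits = [e for e in rows if e[0] == r.number]
        info = {"hits": len(hits), "unused_objects": [], "actual_usage": None}
        if r.implicit or not r.logged:
            info["category"] = "Unloggable" if r.implicit else "Not Logged"
        else:
            usage = []
            for i, dim in enumerate(DIMS, start=1):   # column i of a log row
                seen = {e[i] for e in hits}
                for obj in getattr(r, dim):           # object hit count within this rule
                    if not any(obj.contains(v) for v in seen):
                        info["unused_objects"].append(obj.name)
                usage.append(100.0 * len(seen) / sum(o.size() for o in getattr(r, dim)))
            info["category"] = ("Unused" if not hits else
                                "Contains Unused Objects" if info["unused_objects"] else "Used")
            info["actual_usage"] = min(usage) if hits else None   # the permissive field drags it down
        report[r.number] = info
    return report

def object_usage(rules: List[Rule], report: Dict[int, dict]) -> Dict[str, str]:
    """Per named object: Unused / Unused in Some Rules / Used / Not Logged."""
    refs: Dict[str, List[int]] = {}   # name -> [references from loggable rules, of which unused]
    for r in rules:
        loggable = report[r.number]["category"] not in ("Unloggable", "Not Logged")
        for obj in (o for o in r.src + r.dst + r.svc if o.members is not None):  # Any is no object
            count = refs.setdefault(obj.name, [0, 0])
            if loggable:
                count[0] += 1
                count[1] += obj.name in report[r.number]["unused_objects"]
    return {name: "Not Logged" if total == 0 else "Used" if unused == 0
            else "Unused" if unused == total else "Unused in Some Rules"
            for name, (total, unused) in refs.items()}

# Constructed objects, rule base and activity log rows (rule, src, dst, dport).
ANY_IP, ANY_SVC = Obj("Any", "ip"), Obj("Any", "port")
DMZ_WEB = Obj("DMZ_Web", "ip", frozenset({ip("10.1.1.10"), ip("10.1.1.11")}))
DMZ_DB, BACKUP = Obj("DMZ_DB", "ip", frozenset({ip("10.1.1.20")})), Obj("Backup_Srv", "ip", frozenset({ip("10.1.1.30")}))
CORP = Obj("Corp_Net", "ip", frozenset(range(ip("10.2.0.0"), ip("10.2.1.0"))))  # a /24
HTTP, HTTPS = Obj("http", "port", frozenset({80})), Obj("https", "port", frozenset({443}))
SSH, RDP = Obj("ssh", "port", frozenset({22})), Obj("rdp", "port", frozenset({3389}))
DEMO_RULES = [
    Rule(1, (ANY_IP,), (DMZ_WEB,), (HTTP, HTTPS)),
    Rule(2, (CORP,), (DMZ_DB,), (ANY_SVC,)),         # Any service, but one port in use
    Rule(3, (CORP,), (DMZ_WEB, DMZ_DB), (SSH,)),
    Rule(4, (CORP,), (BACKUP,), (HTTPS,)),
    Rule(5, (ANY_IP,), (ANY_IP,), (SSH, RDP), logged=False),
    Rule(6, (ANY_IP,), (ANY_IP,), (ANY_SVC,), implicit=True),  # implicit cleanup rule
]
LOG = [(1, ip("203.0.113.5"), ip("10.1.1.10"), 80), (1, ip("203.0.113.9"), ip("10.1.1.11"), 443),
       (1, ip("198.51.100.7"), ip("10.1.1.10"), 443), (2, ip("10.2.0.15"), ip("10.1.1.20"), 1433),
       (2, ip("10.2.0.16"), ip("10.1.1.20"), 1433), (3, ip("10.2.0.15"), ip("10.1.1.10"), 22)]
```

Rule 2 reproduces the Any-service case from the walkthrough: one port out of 65536 is ever used, so its actual usage is far below 1% even though the rule is "Used".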

GENERATING RULE USAGE ANALYSIS REPORTS

To generate a Rule Usage Analysis report

1 In the tree, expand the main_FW node.

2 Right-click Optimization and Cleanup and select Rule Usage Analysis Report.

You can change properties of the report in the Report Properties dialog box.

3 Set Analysis Period (by selecting Custom) so that the start date is January 1, 2017 and the end date is May 23, 2017.

4 Click Generate Now.

The report is generated and displayed in a separate window. The information in the report is a summary of the rule usage analysis information, focusing on unused rules and objects.

Exporting data to CSV files

You can export shadowed and redundant rules, and rule usage data from Skybox to CSV files for additional analysis or processing.

To export information to a CSV file

› Right-click the firewall or firewall folder for which you want to export data and select Reports > Export to CSV – Shadowed Rules (or Export to CSV – Rule Usage Data).

Chapter 9 Change tracking

Change tracking in Skybox helps you to keep track of changes made to access rules and objects for all firewalls, including the time of change and who made the change (when available). Change tracking provides a side-by-side view of the previous and current values of all changed entities.

If you use change tracking, Skybox maintains a repository of changes so that you can review the history of access rules.

In this chapter

Using change tracking ......................................................... 51

Viewing the changes ........................................................... 52

Change Tracking reports ...................................................... 53

Using change tracking

The change tracking feature analyzes changes that occur in firewall access rules and objects over time.

To use change tracking, you must import firewall data on a regular basis and analyze the data for changes (using the Analyze Firewall Changes task) after each import. You can import syslog changes (even several times per hour) to provide updated change tracking information, including the user who made each change and its timestamp.

By selecting a specific tracking period, you can view all changes in the access rules and firewall objects that occurred during the selected period.

Note: For tutorial purposes, some of the firewalls in the demo model include data that you can use for change tracking.

Viewing the changes

To view changes to the firewalls

1 In the tree, select All Firewalls and look at the Summary page.

There are several changes on some firewalls.

2 Display a graph of the changes:

• Next to the title of the Change Tracking pane, click the arrow to expand the pane.

You can choose to view daily, weekly, or monthly changes in the chart.

3 Click the link in the Total Changes field to see a list of all the changes.

Select a change (click in the row, but not on the link to the firewall within the row) to view additional information in the Details pane.

If the change involves an object, the Affected Access Rules tab lists all access rules affected by the changes in this object.

To view changes to a single firewall

1 In the Table pane, click the Changes by Firewall tab.

You can see a sorted list of firewalls in which changes were made.

2 Click the firewall that you want to examine.
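Change tracking over two consecutive imports, as an added example (not Skybox code): it diffs constructed snapshots of objects and rules into side-by-side changes, attaches the affected access rules to each object change, and fills in user and time from constructed audit syslog lines in an assumed key=value format.

```python
"""Change tracking between two imports of one firewall (added example, not Skybox code).

A snapshot holds the firewall's objects (name -> members) and access rules
(number -> fields, whose source/destination/service name objects). Comparing
consecutive snapshots gives side-by-side changes; an object change lists the
rules that reference it, and audit syslog lines supply user and time when they
match a change. Snapshots, users, times and the syslog format are constructed.
"""
from dataclasses import dataclass
from typing import Any, List, Optional

FIELDS = ("src", "dst", "svc", "action")

@dataclass
class Change:
    entity: str                  # "object" or "rule"
    name: str                    # object name, or rule number as text
    field: str                   # changed field; "*" when added or deleted
    previous: Any                # value before (None when added)
    current: Any                 # value after (None when deleted)
    affected_rules: tuple = ()   # rules referencing a changed object
    user: Optional[str] = None   # from syslog, when available
    time: Optional[str] = None

def rules_referencing(rules: dict, obj_name: str) -> set:
    """Rule numbers whose source, destination or service names the object."""
    return {n for n, r in rules.items() if any(obj_name in r[f] for f in FIELDS[:3])}

def track_changes(previous: dict, current: dict, syslog: List[str] = ()) -> List[Change]:
    """Side-by-side changes from `previous` to `current`: objects first, then rules."""
    changes = []
    for name in sorted(previous["objects"].keys() | current["objects"].keys()):
        old, new = previous["objects"].get(name), current["objects"].get(name)
        if old != new:
            affected = rules_referencing(previous["rules"], name) | rules_referencing(current["rules"], name)
            field = "members" if old is not None and new is not None else "*"
            changes.append(Change("object", name, field, old, new, tuple(sorted(affected))))
    for number in sorted(previous["rules"].keys() | current["rules"].keys()):
        old, new = previous["rules"].get(number), current["rules"].get(number)
        if old is None or new is None:          # rule added or deleted
            changes.append(Change("rule", str(number), "*", old, new))
            continue
        for field in FIELDS:                    # one row per changed field
            if old[field] != new[field]:
                changes.append(Change("rule", str(number), field, old[field], new[field]))
    for change in changes:                      # attribution from device audit syslog
        for line in syslog:
            stamp, *tokens = line.split()
            kv = dict(token.split("=", 1) for token in tokens)
            if kv.get("entity") == change.entity and kv.get("name") == change.name:
                change.time, change.user = stamp, kv.get("user")
    return changes

# Constructed snapshots: after the previous import and after the current one.
PREVIOUS = {
    "objects": {"DMZ_Web": ("10.1.1.10",), "Corp_Net": ("10.2.0.0/24",), "http": ("tcp/80",)},
    "rules": {
        12: {"src": ("Any",), "dst": ("DMZ_Web",), "svc": ("http",), "action": "Allow"},
        31: {"src": ("Corp_Net",), "dst": ("DMZ_Web",), "svc": ("http",), "action": "Allow"},
        40: {"src": ("Any",), "dst": ("Any",), "svc": ("rdp",), "action": "Deny"},
    },
}
CURRENT = {
    "objects": {"DMZ_Web": ("10.1.1.10", "10.1.1.11"), "Corp_Net": ("10.2.0.0/24",),
                "http": ("tcp/80",), "Backup_Srv": ("10.1.1.30",)},
    "rules": {
        12: {"src": ("Any",), "dst": ("DMZ_Web",), "svc": ("http",), "action": "Allow"},
        31: {"src": ("Corp_Net",), "dst": ("DMZ_Web",), "svc": ("http",), "action": "Deny"},
        41: {"src": ("Corp_Net",), "dst": ("Backup_Srv",), "svc": ("https",), "action": "Allow"},
    },
}
SYSLOG = [  # constructed audit lines: <time> user=<who> entity=<object|rule> name=<id>
    "2017-05-21T10:12:01 user=alice entity=object name=DMZ_Web",
    "2017-05-21T10:15:40 user=bob entity=rule name=31",
]
```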

Change Tracking reports

You can generate a report of the firewall changes or export the changes to a CSV file.

To generate a Change Tracking report for a firewall

1 Right-click the Change Tracking node of the main_FW firewall and select Change Tracking Report.

2 Click Generate Now.

The report is displayed in PDF format in a separate window.

To export the firewall changes to a CSV file

1 Right-click the Change Tracking node of the main_FW firewall and select Export to CSV – Change Tracking Data.

2 Select a location for the file and click OK.

Chapter 10 Rule review

Rule review in Skybox enables you to view access rules in the context of all compliance categories, and to view and set business attributes for each rule. You can search for specific groups of rules (for example, those that include a specific object or a specific IP address range) across multiple firewalls.

Rule review:

› Provides an overall view of firewall access rules in the context of all compliance categories

› Enables you to document business attributes of the rules, including owner, business function, comment, and next review date, and to search on these attributes. (If your organization requires additional, custom attributes, you can add them using custom fields.)

In this chapter

Reviewing rules .................................................................. 54

Recertifying rules ................................................................ 56

Reviewing rules

To review access rules for a firewall

1 In the tree, select main_FW > Rule Review.

You can see all the access rules for this firewall. The table includes business information that is not visible in other displays of access rules (for example, Owner and Next Review Date).

Note: Business attributes are not imported from firewall configuration files; you must add them manually to individual rules or groups of rules.

2 Select the 1st rule in the table that has a value in the Actual Rule Usage column.

3 Look at the Highlights tab in the Details pane.

4 The Compliance Category area displays a linked summary for each category in the table that has data. Click the link in the 1st row.

The properties of the access rule are displayed with the Access Compliance violations.

5 To view information about a different compliance category, click the relevant tab in the Access Rule Properties dialog box.

Note that within the Properties dialog box, the entries in the Highlights tab do not have links.

6 Close the dialog box.

7 In the Highlights tab, expand the Business Attributes area to see the rule’s business information.

The available business attributes are: Owner, Email, Business Function, Next Review Date, Rule Comments, and Ticket ID. Administrators can define additional (custom) fields to suit your requirements.

8 To change the value of a business attribute, right-click the rule in the Table pane and select Set Business Attributes.

Note: You can select multiple access rules in the Table pane and change the business attributes of all of them.

Recertifying rules

After reviewing an access rule, you can request that the rule be recertified. Recertification requests are created in Skybox as tickets; you track and handle them in Skybox Change Manager.

To recertify an access rule

1 Select an access rule to recertify. Usually, this is a rule that you own, whose next review date is approaching.

2 Right-click the access rule and select Recertify Rule.

3 In the Workflow field, notice that Recertification is selected. This is a special workflow that is for recertification tickets.

4 (Optional) Specify a different owner for the ticket and make any other necessary changes.

5 Click OK.

A ticket is created for the access rule. The pop-up message about the ticket includes a link to the ticket in Skybox Change Manager.

The recertification status of the access rule is shown in the table.

You can request recertification for multiple access rules at the same time.

Chapter 11 Firewalls with intrusion prevention systems

Skybox Firewall Assurance includes the following information about IPS coverage of your organization:

› Information about signatures in prevention mode vs. detection mode so that you can understand the actual coverage provided by the IPS device in the context of the network architecture

› Signatures (in prevention mode or detection mode) correlated against critical vulnerability occurrences that exist in your organization using Skybox Vulnerability Control

This information, which is provided per IPS-enabled device, allows you to make informed decisions about the signatures to change from detection mode to prevention mode, and the signatures to deactivate.

Skybox Firewall Assurance also includes overall signature coverage from Palo Alto Networks devices per new threats reported over a specified period and threat level.

Viewing IPS coverage in Skybox

IPS coverage is displayed as part of the summary for each IPS-enabled firewall.

To view IPS coverage for an IPS-enabled firewall

1 In the tree, select PA-2020:vsys1 and look at the IPS pane at the bottom of the summary page.

Note: If you use a Firewall Assurance-only license, you can see information about vulnerability occurrences only if they are enabled.

At the top of the IPS pane, there is a link specifying how many active IPS signatures exist for this type of IPS device. The link opens the IPS Signatures dialog box, which lists all the signatures.

2 Look at the left-hand side of the pane. Active Signatures Relative to Vulnerability Occurrences displays the total number of active signatures (in both Prevention and Detection modes) that are relevant to vulnerability occurrences in your organization. The pie chart and table classify the active signatures as prevention, detection, or disabled. Disabled signatures are signatures of the firewall’s vendor that have a matching vulnerability occurrence in the model but that are not activated on this device.

Click the link to Prevention in either the pie chart or the table to display a list of all the signatures active in Prevention mode on this device that are relevant to vulnerability occurrences in your organization.

For each signature, you can see its ID, status, CVE and SBV IDs, and other information.

3 The right-hand side of the IPS pane displays this device’s coverage of new threats (Vulnerability Definitions) by signature. You can change the time frame and the CVSS threshold.

Note: The IPS pane shows the coverage that the selected device provides for new threats in general. It is not specific to vulnerability occurrences that exist in your organization.

4 Click the link to Threats with Prevent Signatures in either the pie chart or the table to display a list of all the signatures in Prevention mode that are relevant to new threats.

For each threat, you can see its SBV ID, title, CVE and Bugtraq IDs, severity, and other information, as well as the IPS signature in the device that covers the threat and the coverage (in this case, Prevent).
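The two halves of the IPS pane, as an added example (not Skybox code) over constructed data with placeholder CVE-style IDs: signatures correlated with vulnerability occurrences are grouped as prevention, detection or disabled, and new threats within a time frame and CVSS threshold are checked for the strongest covering signature mode.

```python
"""IPS signature coverage: active signatures relative to vulnerability occurrences,
and coverage of new threats (added example, not Skybox code).

The vendor catalog, the device's signature modes, the vulnerability occurrences
and the new-threat feed are constructed; the CVE-style IDs are placeholders.
"""
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

def signatures_vs_occurrences(catalog: Dict[str, Set[str]], modes: Dict[str, str],
                              occurrences: List[Tuple[str, str]]):
    """Left side of the IPS pane: catalog signatures matching a vulnerability
    occurrence in the model, grouped as prevention / detection / disabled, plus
    the occurrences that no signature of this vendor covers at all."""
    present = {cve for _, cve in occurrences}
    groups = {"prevention": [], "detection": [], "disabled": []}
    for sig, cves in sorted(catalog.items()):
        if not cves & present:
            continue                      # nothing in the model is affected
        mode = modes.get(sig)             # absent on the device -> disabled
        key = {"prevent": "prevention", "detect": "detection"}.get(mode, "disabled")
        groups[key].append(sig)
    uncovered = sorted(present - set().union(*catalog.values()))
    return groups, uncovered

def new_threat_coverage(catalog, modes, threats: Dict[str, Tuple[date, float]],
                        since: date, min_cvss: float) -> Dict[str, Optional[str]]:
    """Right side of the pane: for each threat published on or after `since`
    with CVSS >= min_cvss, the strongest mode any active device signature gives
    it ("prevent" beats "detect"), or None when nothing active covers it."""
    best: Dict[str, str] = {}
    for sig, cves in catalog.items():
        mode = modes.get(sig)
        for cve in cves:
            if mode == "prevent" or (mode == "detect" and cve not in best):
                best[cve] = mode
    return {cve: best.get(cve) for cve, (published, cvss) in threats.items()
            if published >= since and cvss >= min_cvss}

def summarize(coverage: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Counts for the pie chart: threats with a prevent, detect, or no signature."""
    return {key: sum(1 for mode in coverage.values() if mode == want)
            for key, want in (("prevent", "prevent"), ("detect", "detect"), ("none", None))}

# Constructed data. Vendor catalog: signature -> CVEs it addresses (placeholders).
CATALOG = {"sig-1001": {"CVE-0000-0001"}, "sig-1002": {"CVE-0000-0002", "CVE-0000-0003"},
           "sig-1003": {"CVE-0000-0004"}, "sig-1004": {"CVE-0000-0005"}, "sig-1005": {"CVE-0000-0006"}}
# Signatures active on this device and their mode; sig-1004 is not activated.
DEVICE_MODES = {"sig-1001": "prevent", "sig-1002": "detect", "sig-1003": "prevent", "sig-1005": "prevent"}
# Vulnerability occurrences in the model: (host, CVE).
OCCURRENCES = [("10.1.1.10", "CVE-0000-0001"), ("10.1.1.11", "CVE-0000-0002"),
               ("10.1.1.20", "CVE-0000-0005"), ("10.1.1.20", "CVE-0000-0007")]
# New threats (Vulnerability Definitions): CVE -> (published, CVSS).
THREATS = {"CVE-0000-0001": (date(2017, 5, 2), 9.8), "CVE-0000-0003": (date(2017, 5, 10), 7.5),
           "CVE-0000-0004": (date(2017, 4, 1), 9.1), "CVE-0000-0006": (date(2017, 5, 15), 5.3),
           "CVE-0000-0008": (date(2017, 5, 20), 8.8)}
```

A signature that lands in the "detection" group while its CVE has an occurrence in the model is the candidate to move from detection to prevention mode; an "uncovered" occurrence has to be handled by other means.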

Chapter 12 Access analysis

The Access Analyzer runs on a firewall and finds all routes between selected sources and destinations over selected services.

The Access Analyzer can help you to:

› Troubleshoot connection problems quickly

› Get an overview of what is accessible from each of the network interfaces of the selected firewall

Using the Access Analyzer

You can use the Access Analyzer to check access:

› Between 2 network interfaces of a firewall

› For specific source or destination IP addresses

For each destination interface, the Access Analyzer displays:

› The ports that are exposed

› The access rules that grant permission for connectivity between the source and the destination

To check access between 2 network interfaces

1 Select a firewall.

2 Open the Access Analyzer.

3 Click the Browse button next to the Source field.

4 Select the int19 interface for the source and move it to the Selected Source field.

5 Select the int15 interface for the destination and move it in the same way.

6 Click OK to close the Scope dialog box.

7 Click the Browse button next to the Services field.

You select the services to use for checking access in the Services dialog box.

8 For this tutorial, you do not need to select any services; click Cancel.

Note: If you do not select any services, Skybox analyzes access using all services.

9 Run the analysis.

In the Analysis Results pane, you can see the network interfaces that are accessible from the selected interface.

10 Expand each network interface to see the accessible IP addresses (and their ports and services).

11 Select the ports.

In the Details pane, you can see the route for access between the network interface that you selected in the table and the selected ports of the network interface selected in the results tree.

12 On the Analysis Results toolbar, select Group by Service (instead of Group by Interface).

When you expand the results, the same information is grouped by services (ports).

13 Close the Access Analyzer.

Checking access between specific IP addresses

Checking access between specific IP addresses is similar to checking access between 2 network interfaces.

To check access between specific IP addresses

1 Select a firewall.

2 Open the Access Analyzer.

3 Click the Browse button next to the Source field.

4 In the Source and Destination Scope dialog box, in the Use IP Ranges field of either the source or the destination, type an IP address or IP address range.

5 To check access to or from the network interface that is associated with that IP address:

a. Click Find Interfaces.

b. In the Select a Matching Network Interface dialog box, select the interface and click Select.

6 Select an interface for the other side of the analysis (source or destination) and move it to the Selected Sources field.

7 Follow the previous procedure from step 7 to the end to understand the access results.
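Both procedures above, as added example code (not Skybox code) over a constructed three-interface firewall: sources come either from an interface's network or from a typed IP range, each destination interface is checked for its exposed ports and the rules granting them, and the results can be regrouped by service.

```python
"""Access analysis between firewall interfaces (added example, not Skybox code).

A packet is decided by the first rule whose source, destination and service
contain it; unmatched packets are dropped. The firewall below, its interfaces
and its rule base are constructed; the interface names only echo the guide.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

OTHER_PORT = -1   # stands in for every port that no rule names explicitly

@dataclass(frozen=True)
class Rule:
    number: int
    src: Optional[Tuple[IPv4Network, ...]]   # None = Any
    dst: Optional[Tuple[IPv4Network, ...]]
    ports: Optional[frozenset]               # None = Any service
    action: str

    def matches(self, s: IPv4Address, d: IPv4Address, port: int) -> bool:
        return ((self.src is None or any(s in n for n in self.src))
                and (self.dst is None or any(d in n for n in self.dst))
                and (self.ports is None or port in self.ports))

def find_interface(interfaces: Dict[str, IPv4Network], address: str) -> Optional[str]:
    """The interface whose network contains the address (the Find Interfaces step)."""
    return next((name for name, net in interfaces.items() if ip_address(address) in net), None)

def parse_range(text: str) -> List[IPv4Address]:
    """'a.b.c.d-a.b.c.e' or a single address, as typed in the Use IP Ranges field."""
    first, _, last = text.partition("-")
    lo, hi = ip_address(first), ip_address(last or first)
    return [ip_address(i) for i in range(int(lo), int(hi) + 1)]

def access_from(sources: List[IPv4Address], interfaces: Dict[str, IPv4Network],
                rules: List[Rule], services: Optional[Set[int]] = None) -> Dict[str, Dict[int, List[int]]]:
    """{destination interface: {exposed port: [rules granting it]}} for traffic from
    the sources. With no services selected, every service is analyzed."""
    ports = services or ({p for r in rules if r.ports for p in r.ports} | {OTHER_PORT})
    results: Dict[str, Dict[int, List[int]]] = {}
    for name, net in interfaces.items():
        for d in net.hosts():
            for port in sorted(ports):
                for s in sources:
                    hit = next((r for r in rules if r.matches(s, d, port)), None)
                    if hit is not None and hit.action == "Allow":
                        granted = results.setdefault(name, {}).setdefault(port, [])
                        if hit.number not in granted:
                            granted.append(hit.number)
    return results

def group_by_service(by_interface: Dict[str, Dict[int, List[int]]]) -> Dict[int, Dict[str, List[int]]]:
    """The same results regrouped by service: {port: {interface: [rules]}}."""
    out: Dict[int, Dict[str, List[int]]] = {}
    for name, ports in by_interface.items():
        for port, granted in ports.items():
            out.setdefault(port, {})[name] = granted
    return out

# Constructed firewall: three interfaces and a five-rule base.
INTERFACES = {"int19": ip_network("10.19.0.0/29"), "int15": ip_network("10.15.0.0/29"),
              "int7": ip_network("10.7.0.0/29")}
RULES = [
    Rule(1, (ip_network("10.19.0.0/29"),), (ip_network("10.15.0.0/29"),), frozenset({80, 443}), "Allow"),
    Rule(2, (ip_network("10.19.0.2/32"),), None, frozenset({22}), "Deny"),   # one host kept off SSH
    Rule(3, None, (ip_network("10.15.0.0/29"),), frozenset({22}), "Allow"),
    Rule(4, (ip_network("10.19.0.0/29"),), (ip_network("10.7.0.0/29"),), frozenset({3306}), "Allow"),
    Rule(5, None, None, None, "Deny"),                                       # explicit cleanup rule
]
```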

Chapter 13 What If and Forensics models

Skybox enables advanced users to work with other models (data sets) in addition to the Live model.

› What If model: Work with the same set of firewalls for what-if purposes, making changes and checking the impact.

› Forensics model: Load a backup model to see the firewalls as they were at a previous time; compare the firewalls in the Forensics model with the versions in the Live model.

All Skybox features are available on these models, including the Access Analyzer.

Example

Copy the current model to What If, make changes (in the What If model) to the access rules of firewalls, and run the Access Analyzer to check the impact of the access rule changes. An example of the summary of changes for a firewall is shown in the following screen capture.

Chapter 14 Using Skybox reports

Reports in Skybox are detailed accounts of specific data in the model (for example, Access Policy violations, firewall changes, or overdue tickets). As you saw in previous chapters, you can generate reports manually on a per-firewall basis. You can also generate reports for multiple firewalls, schedule report generation, and send reports to specified Skybox users.

In this chapter

Reports tree ....................................................................... 66

Report types ...................................................................... 66

Firewall Assurance reports ................................................... 67

Reports tree

The Reports tree is divided into a public folder and a private folder; predefined reports are in the public folder and report definitions that you create are stored in your private folder. You can add subfolders for additional grouping. For example, you can have one folder for all reports relating to Access Compliance of individual firewalls and another for change tracking or Rule Usage Analysis reports.

Report types

Skybox Firewall Assurance provides the following report types:

› Firewall Assurance reports: Show the overall status of the specified firewalls, including Access Policy and Rule Policy compliance, Configuration Compliance, Optimization & Cleanup, and Change Tracking. Detailed reports provide detailed information about aspects of the firewall status.

› Access Compliance reports: Show the status of the Access Policy and provide policy-related information about specific firewalls. You can use detailed Access Policy reports to understand Access Policy violations.

› PCI Firewall Compliance reports: Demonstrate compliance of firewalls with PCI DSS Requirement 1, as you saw in PCI DSS – Firewall Compliance (on page 34).

› Rule Usage Analysis reports: Provide information about unused Access Checks and objects in the Access Policy, as you saw in Rule usage analysis (on page 47).

› Access Checks reports: List the Access Checks in all or part of the Access Policy.

› Firewall Changes reports: Provide a clear summary of the differences between firewalls in different models, with details about each modification and an explanation of how to bring the firewall in your baseline model to the same configuration as the firewall in your current model. Use Firewall Changes reports for change management.

Firewall Assurance reports

Firewall Assurance reports provide a complete overview of the state of firewalls in the network that you can distribute to others who do not have access to Skybox.

To generate a Firewall Assurance report

1 Open the Reports workspace.

2 Select Public Report Definitions > Firewall Compliance > Firewall Assurance Assessment.

The workspace displays the properties of the report. The Firewall Scope field is empty—the report includes all firewalls in the network.

3 Right-click the report name and select Properties.

4 Look at the Firewall Scope field. The default firewall scope includes all firewalls in the All Firewalls list. For this tutorial, you narrow the scope to specific firewalls.

5 Click the Browse button next to the Firewall Scope field.

6 Select main_FW and vlab-cisco in the Available Items field and move them to the Selected Items field.

7 Click OK.

8 Note that, by default, the report includes summary information for all aspects of firewall assurance: Access and Rule Compliance, Configuration Compliance, Optimization & Cleanup, and Change Tracking, and summary information about vulnerability occurrences on the firewalls. You can select the aspects that interest you. For this tutorial, keep the default so that you can see how the information is presented.

9 Expand Optimization & Cleanup. In the Rule Usage Analysis Period field, change the value to All Available from Last 7 Days, as the data in the demo model is older than that of a real model.

10 Expand Change Tracking. In the Analysis Period field, change the value to All Available from Last 7 Days.

11 Click Generate.

You are asked whether to generate the report in the background or in the foreground. It can take time to generate large reports, so it is often useful to generate in the background and keep working; this is not necessary in this tutorial.

12 Select Generate in the foreground and click OK.

13 After the report is ready, click the Summary: main_FW link.

The section that appears contains summary information for main_FW about the aspects that are tested in Firewall Assurance; it is similar to what you see when you select the firewall in the All Firewalls tree.

Another way to generate this report

You can generate Firewall Assurance reports for single folders or firewalls without switching to the Reports workspace.

› In the All Firewalls section of the Firewall Assurance tree, right-click the main node of the firewall or folder and select Reports > Firewall Assurance Report.