Firewall Wizards: Re: Auditing a firewall rulebase

Re: Auditing a firewall rulebase

From: Chuck Benson <chuck_at_ironponies.com>
Date: Tue, 20 May 2008 21:51:39 -0700

Darden, Patrick S. wrote:
> Here's my two cents:
>
> -Look for a default deny.
> -Make sure all rules are performance-based, e.g. most hit rule first in line, etc. to cut down on cpu and bandwidth.
>
> --Patrick Darden
>
>
> -----Original Message-----
> From: firewall-wizards-bounces_at_listserv.icsalabs.com
> [mailto:firewall-wizards-bounces_at_listserv.icsalabs.com]On Behalf Of
> arvind doraiswamy
> Sent: Wednesday, May 14, 2008 11:19 AM
> To: firewall-wizards_at_listserv.icsalabs.com
> Subject: [fw-wiz] Auditing a firewall rulebase
>
>
> Hey Guys,
> What parameters would you look for if you audited a large rulebase for
> an enterprise firewall? These are a few I could think of. Anything
> else that you guys consistently look at when managing/auditing your
> firewalls? Do take note that I'm talking just singularly about the
> rule-base and not other configuration information, i.e., I'm not looking
> at things like -- Low console session timeout OR Telnet admin
> interface open etc. I'm looking at just the rulebase this time around.
> Here are my parameters:
>
> Rules which have "any" or an equivalent keyword in them
> Rules where an entire subnet has been granted access to a resource
> Rules where a range of IP addresses has been granted access to a resource
> Rules where a large range of ports has been opened to an IP Address / Addresses
> Rules where there are design issues in the protocol itself
> eg. Unencrypted traffic
> Rules which are redundant and can be removed from the rulebase
>
> Thanks
> Arvind
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards_at_listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
If you can tell from logs or otherwise, look for rules that are no
longer in use.
Look for rules that you do not have a written justification for; if a
rule is for a single application or user group, ask if it is still
justified.

I have eliminated a lot of deadwood with these checks over the years;
cruft accumulates.

Chuck Benson

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on May 27 2008
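A small rulebase audit in Python, added here as an example and not taken from the thread: it runs the checks Arvind, Patrick and Chuck describe (any or whole-subnet sources and destinations, wide port ranges, cleartext services, unused rules judged by hit counts, rules shadowed by an earlier rule, and a missing default deny) over a constructed sample rulebase. The rule format, the thresholds and the finding tag names are assumptions, not any vendor's format.

```python
import ipaddress
# Constructed sample rulebase (not from the thread): src/dst are CIDRs or "any",
# ports is (lo, hi) or "any", hits is the counter the firewall's logs would supply.
RULES = [
    {"id": 1, "src": "10.0.0.0/8", "dst": "10.20.1.5/32", "proto": "tcp",
     "ports": (22, 22), "action": "allow", "hits": 1530},
    {"id": 2, "src": "any", "dst": "10.20.1.9/32", "proto": "tcp",
     "ports": (23, 23), "action": "allow", "hits": 4},
    {"id": 3, "src": "192.168.5.0/24", "dst": "10.20.2.0/24", "proto": "tcp",
     "ports": (1024, 65535), "action": "allow", "hits": 0},
    {"id": 4, "src": "10.1.0.0/16", "dst": "10.20.1.5/32", "proto": "tcp",
     "ports": (22, 22), "action": "allow", "hits": 0},
]
ANY_RULE = {"src": "any", "dst": "any", "proto": "any", "ports": "any"}  # what a default deny must cover
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}  # "design issues in the protocol itself"
WIDE_PORTS = 100    # wider than this counts as "a large range of ports" (assumed threshold)
BROAD_PREFIX = 24   # this short or shorter counts as "an entire subnet" (assumed threshold)
def covers(a, b):
    """True if address field a (CIDR or "any") includes all of field b."""
    if a == "any" or b == "any":
        return a == "any"
    return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))
def port_covers(a, b):
    return a == "any" or (b != "any" and a[0] <= b[0] and b[1] <= a[1])
def shadows(earlier, later):
    """True if 'earlier' matches every packet 'later' would, so 'later' never fires."""
    return (covers(earlier["src"], later["src"]) and covers(earlier["dst"], later["dst"])
            and earlier["proto"] in ("any", later["proto"])
            and port_covers(earlier["ports"], later["ports"]))
def audit(rules):
    """Return ({rule id: [finding tags]}, [rulebase-level findings])."""
    per_rule = {}
    for i, r in enumerate(rules):
        tags = []
        for side in ("src", "dst"):
            if r[side] == "any":
                tags.append("any_" + side)
            elif ipaddress.ip_network(r[side]).prefixlen <= BROAD_PREFIX:
                tags.append("broad_" + side)
        lo, hi = (0, 65535) if r["ports"] == "any" else r["ports"]
        if hi - lo + 1 > WIDE_PORTS:
            tags.append("any_ports" if r["ports"] == "any" else "wide_ports")
        tags += ["cleartext_" + n for p, n in CLEARTEXT.items() if lo <= p <= hi]
        if r["hits"] == 0:
            tags.append("unused")  # candidate for removal, as in the reply above
        tags += ["shadowed_by_%d" % e["id"] for e in rules[:i] if shadows(e, r)]
        per_rule[r["id"]] = tags
    # the rulebase should end in an explicit deny that covers everything
    glob = [] if rules[-1]["action"] == "deny" and shadows(rules[-1], ANY_RULE) else ["no_default_deny"]
    return per_rule, glob
```

Feeding real counters in for `hits` turns the "unused" tag into Chuck's log-based check; a shadowed rule is one the sorted-by-hits ordering Patrick suggests would never move, because it can never match.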
