Please review and comment the audit checklist for a firewall
A friend asked me to audit his firewall at work.
Honestly, I have no clue even though I googled for many days.

In this context, I am planning to audit the firewall as follows. Any comments/suggestions are welcome.

1) The placement or location of the firewall
2) Vulnerability scanning the firewall from outside, e.g., Internet
3) The rulebase or security policy according to its vendor recommendation
4) I will also check the access control (ID, password and privileges) to the system.
5) Physical security of the system
6) Monitoring of the firewall log, to find out if any port scanning or hacking activities
7) Rulebase Change Control
8) Documentation
9) Back Up
10) Please generously point out the missing pieces as you see it.

Any input/comments are greatly appreciated.

Thanks,

Doug

Re: Please review and comment the audit checklist for a firewall
Hi Doug - You might find a little help here - from my Blog, Defending Your Machine, addy below in my Signature:

There's a useful comparative review of firewalls here:
http://www.informationweek.com/story...3402915&pgno=1

You can minimally test your firewall here:
https://www.grc.com/x/ne.dll?bh0bkyd2
and here:
http://www.auditmypc.com/freescan/scanoptions.asp

--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/

"Doug Fox" <dfox168@hotmail.com> wrote in message news:CqydnUAk_s2FghfeRVn-og@rogers.com
> A friend asked me to audit his firewall at work.
> Honestly, I have no clue even though googled for many days.
>
> In this context, I am planning to audit the firewall as follows: Any
> comments/suggestions are welcome.
>
> 1) The placement or location of the firewall
> 2) Vulnerability scanning the firewall from outside, e.g., Internet
> 3) The rulebase or security policy according to its vendor recommendation
> 4) I will also check the access control (ID, password and privileges) to
> the system.
> 5) physical security of the system
> 6) Monitoring of the firewall log, to find out if any port scanning or
> hacking activities
> 7) Rulebase Change Control
> 8) documentation
> 9) Back Up
> 10) Please generously point out the missing pieces as you see it.
>
> Any input/comments are greatly appreciated.
>
> Thanks,
>
> Doug

Re: Please review and comment the audit checklist for a firewall
thunderbird wrote:
> Yep, www.grc.com has a good test at shields up, just say no when you get
> probed and set the rules.

www.grcsucks.com

Gibson is a scammer. ShieldsUp is FUD. Of course Privacy.LIE sock puppets LOVE scammers and FUD spreaders, don't they? Birds of a feather and all that stuff.

Re: Please review and comment the audit checklist for a firewall
Doug Fox wrote:
> A friend asked me to audit his firewall at work.
> Honestly, I have no clue even though googled for many days.
>
> In this context, I am planning to audit the firewall as follows: Any
> comments/suggestions are welcome.
>
> 1) The placement or location of the firewall
> 2) Vulnerability scanning the firewall from outside, e.g., Internet
> 3) The rulebase or security policy according to its vendor recommendation
> 4) I will also check the access control (ID, password and privileges) to
> the system.
> 5) physical security of the system
> 6) Monitoring of the firewall log, to find out if any port scanning or
> hacking activities
> 7) Rulebase Change Control
> 8) documentation
> 9) Back Up
> 10) Please generously point out the missing pieces as you see it.
>
> Any input/comments are greatly appreciated.
>
> Thanks,
>
> Doug

I don't see anything assigning/checking to ensure the firewall hardware has current mfg patches. They must be maintained like any other network device.

Winged

Re: Please review and comment the audit checklist for a firewall
On Sun, 27 Nov 2005, in the Usenet newsgroup alt.computer.security, in article <CqydnUAk_s2FghfeRVn-og@rogers.com>, Doug Fox wrote:

>A friend asked me to audit his firewall at work.
>Honestly, I have no clue even though googled for many days.

I always have concerns when I see something like this. "A friend asked me to remove a brain tumor, but I have no experience with sharp implements. Please advise."

>In this context, I am planning to audit the firewall as follows: Any
>comments/suggestions are welcome.
>
>1) The placement or location of the firewall

Company policy - they should be written, reviewed (and possibly signed off) by a labor relations lawyer, signed by officials of the company, and published so the users are aware of them, and what is expected/allowed.

>2) Vulnerability scanning the firewall from outside, e.g., Internet

A lot depends on the interface to the world. Serial port or Ethernet - I prefer to substitute a system (laptop, usually) to act as the world, so that I can flog the crap out of the firewall without kicking off the warning sirens at the upstream. This means testing during non-business hours. This also avoids exposing discovered vulnerabilities to the world before there is time to correct the problem. Most security scanning services (another poster mentions grc.com - nearly useless for home users, and a total waste of electrons for a business operation) are going to look for problems normally associated with home users.

>3) The rulebase or security policy according to its vendor recommendation

I'd expand that to include this newly discovered artifact called "common sense". Determine what access is needed inbound AND out. Does the rule set _allow_ that access, and _default_ to blocking? Or is it blocking a few things, and hoping that the rest isn't noticed? Watch out for Self Denial Of Service configurations ("I've been attacked from there - quick, put in a rule blocking that address"), especially while you are scanning the firewall.

>4) I will also check the access control (ID, password and privileges) to
>the system.

What is running on the firewall? A proper firewall is running firewall code only, and isn't a DHCP, DNS, mail, web, pr0n, or anything else server. What access is there to the firewall (meaning serial console only, SSH from specified internal hosts only - or at most a very few specific hosts outside)?

>5) physical security of the system
>6) Monitoring of the firewall log, to find out if any port scanning or
>hacking activities

6 is nearly useless. What are you going to do if you discover that the firewall is being scanned every ten minutes by hosts from Ascension Island to Fiji to Zimbabwe, and every two letter domain in between? Call the Internet Police? Firewall logs ("I blocked this", or "I rejected that") are usually a waste of disk space and CPU cycles. I have yet to see a real firewall that logged something like "I shoulda blocked this, but...". The place to look for firewall problems (firewall manufacturers so love to call them "attacks") is on the hosts the firewall is protecting.

>7) Rulebase Change Control

Hardware and software update issues. Makes no sense to be using a firewall that has obsolete software (example) with known holes. Is the firewall currently supported by the manufacturer? Is everything up to date? How often is the firewall administrator looking (where) for updates?

>8) documentation
>9) Back Up

Backups kept where? How protected? How often are backups made?

Old guy

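Added example, not part of any post in this thread: a small rulebase check for the questions raised in the reply above under items 3 and 4 (does each chain default to blocking, inbound and outbound; is there an accept-everything rule; is SSH limited to specified hosts). It assumes the rules can be exported in Linux iptables-save format; the sample ruleset, the `parse_rule` and `audit` names and the management-port list are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format (not taken from any real firewall).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""

# Matches that narrow a rule; an ACCEPT with none of them matches all traffic.
NARROWING = {"-s", "-d", "-i", "-o", "-p", "--dport", "--sport", "--state", "--ctstate"}
MGMT_PORTS = {"22"}  # assumption: SSH is the only remote management service


def parse_rule(line):
    """Map each option of an '-A CHAIN ...' line to its argument."""
    tok = shlex.split(line)
    return {t: tok[i + 1] for i, t in enumerate(tok[:-1])
            if t.startswith("-") and not tok[i + 1].startswith("-")}


def audit(ruleset):
    """Return (check, detail) findings for an iptables-save dump."""
    findings = []
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith(":"):  # chain header, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            if policy == "ACCEPT":
                findings.append(("default-allow", f"{chain} policy is ACCEPT"))
        elif line.startswith("-A "):
            opts = parse_rule(line)
            if opts.get("-j") != "ACCEPT":
                continue
            if not NARROWING.intersection(opts):
                findings.append(("allow-all", line))
            elif opts.get("--dport") in MGMT_PORTS and "-s" not in opts:
                findings.append(("open-mgmt", line))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check:14} {detail}")
```

Negated matches (`!`) are treated as narrowing here, so a rule such as "everything except one address" still needs a manual look.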