Please review and comment on the audit checklist for a firewall

Discussion in 'Computer Security' started by Doug Fox, Nov 27, 2005.

  1. Doug Fox

    Doug Fox Guest

    A friend asked me to audit his firewall at work.
    Honestly, I have no clue even though I googled for many days.

    In this context, I am planning to audit the firewall as follows: Any
    comments/suggestions are welcome.

    1) The placement or location of the firewall
    2) Vulnerability scanning the firewall from outside, e.g., Internet
    3) The rulebase or security policy according to its vendor recommendation
    4) I will also check the access control (ID, password and privileges) to
    the system.
    5) physical security of the system
    6) Monitoring of the firewall log, to find out if any port scanning or
    hacking activities
    7) Rulebase Change Control
    8) documentation
    9) Back Up
    10) Please generously point out the missing pieces as you see it.

    Any input/comments are greatly appreciated.

    Thanks,

    Doug
    Doug Fox, Nov 27, 2005
    #1

  2. Doug Fox

    Jim Byrd Guest

    Hi Doug - You might find a little help here - from my Blog, Defending Your
    Machine, addy below in my Signature:



    There's a useful comparative review of firewalls here:
    http://www.informationweek.com/story/showArticle.jhtml?articleID=173402915&pgno=1

    You can minimally test your firewall here:
    https://www.grc.com/x/ne.dll?bh0bkyd2 and here:
    http://www.auditmypc.com/freescan/scanoptions.asp


    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/

    "Doug Fox" <> wrote in message
    news:
    > A friend asked me to audit his firewall at work.
    > Honestly, I have no clue even though I googled for many days.
    >
    > In this context, I am planning to audit the firewall as follows: Any
    > comments/suggestions are welcome.
    >
    > 1) The placement or location of the firewall
    > 2) Vulnerability scanning the firewall from outside, e.g., Internet
    > 3) The rulebase or security policy according to its vendor recommendation
    > 4) I will also check the access control (ID, password and privileges) to
    > the system.
    > 5) physical security of the system
    > 6) Monitoring of the firewall log, to find out if any port scanning or
    > hacking activities
    > 7) Rulebase Change Control
    > 8) documentation
    > 9) Back Up
    > 10) Please generously point out the missing pieces as you see it.
    >
    > Any input/comments are greatly appreciated.
    >
    > Thanks,
    >
    > Doug
    Jim Byrd, Nov 27, 2005
    #2

  3. Doug Fox

    thunderbird Guest

    Yep, www.grc.com has a good test at shields up, just say no when you
    get probed and set the rules.
    thunderbird, Nov 28, 2005
    #3
  4. Doug Fox

    Nomen Nescio Guest

    thunderbird wrote:

    > Yep, www.grc.com has a good test at shields up, just say no when you get
    > probed and set the rules.


    www.grcsucks.com

    Gibson is a scammer. ShieldsUp is FUD. Of course Privacy.LIE sock puppets
    LOVE scammers and FUD spreaders, don't they? Birds of a feather and all
    that stuff.
    Nomen Nescio, Nov 28, 2005
    #4
  5. Doug Fox

    Winged Guest

    Doug Fox wrote:
    > A friend asked me to audit his firewall at work.
    > Honestly, I have no clue even though I googled for many days.
    >
    > In this context, I am planning to audit the firewall as follows: Any
    > comments/suggestions are welcome.
    >
    > 1) The placement or location of the firewall
    > 2) Vulnerability scanning the firewall from outside, e.g., Internet
    > 3) The rulebase or security policy according to its vendor recommendation
    > 4) I will also check the access control (ID, password and privileges) to
    > the system.
    > 5) physical security of the system
    > 6) Monitoring of the firewall log, to find out if any port scanning or
    > hacking activities
    > 7) Rulebase Change Control
    > 8) documentation
    > 9) Back Up
    > 10) Please generously point out the missing pieces as you see it.
    >
    > Any input/comments are greatly appreciated.
    >
    > Thanks,
    >
    > Doug
    >
    >

    I don't see anything assigning/checking to ensure the firewall hardware
    has current mfg patches. They must be maintained like any other network
    device.

    Winged
    Winged, Nov 28, 2005
    #5
  6. Doug Fox

    Moe Trin Guest

    On Sun, 27 Nov 2005, in the Usenet newsgroup alt.computer.security, in article
    <>, Doug Fox wrote:

    >A friend asked me to audit his firewall at work.
    >Honestly, I have no clue even though I googled for many days.


    I always have concerns when I see something like this. "A friend asked
    me to remove a brain tumor, but I have no experience with sharp implements.
    Please advise."

    >In this context, I am planning to audit the firewall as follows: Any
    >comments/suggestions are welcome.
    >
    >1) The placement or location of the firewall


    Company policy - they should be written, reviewed (and possibly signed off)
    by a labor relations lawyer, signed by officials of the company, and
    published so the users are aware of them, and what is expected/allowed.

    >2) Vulnerability scanning the firewall from outside, e.g., Internet


    A lot depends on the interface to the world. Serial port or Ethernet - I
    prefer to substitute a system (laptop, usually) to act as the world, so
    that I can flog the crap out of the firewall without kicking off the
    warning sirens at the upstream. This means testing during non-business
    hours. This also avoids exposing discovered vulnerabilities to the world
    before there is time to correct the problem. Most security scanning services
    (another poster mentions grc.com - nearly useless for home users, and a
    total waste of electrons for a business operation) are going to look for
    problems normally associated with home users.

    >3) The rulebase or security policy according to its vendor recommendation


    I'd expand that to include this newly discovered artifact called "common
    sense". Determine what access is needed inbound AND out. Does the rule
    set _allow_ that access, and _default_ to blocking? Or is it blocking a
    few things, and hoping that the rest isn't noticed? Watch out for Self
    Denial Of Service configurations ("I've been attacked from there - quick,
    put in a rule blocking that address"), especially while you are scanning
    the firewall.

    >4) I will also check the access control (ID, password and privileges) to
    >the system.


    What is running on the firewall? A proper firewall is running firewall code
    only, and isn't a DHCP, DNS, mail, web, pr0n, or anything else server. What
    access is there to the firewall (meaning serial console only, SSH from
    specified internal hosts only - or at most a very few specific hosts outside)?

    >5) physical security of the system
    >6) Monitoring of the firewall log, to find out if any port scanning or
    >hacking activities


    6 is nearly useless. What are you going to do if you discover that the
    firewall is being scanned every ten minutes by hosts from Ascension Island
    to Fiji to Zimbabwe, and every two letter domain in between? Call the
    Internet Police? Firewall logs ("I blocked this", or "I rejected that")
    are usually a waste of disk space and CPU cycles. I have yet to see a real
    firewall that logged something like "I shoulda blocked this, but...". The
    place to look for firewall problems (firewall manufacturers so love to call
    them "attacks") is on the hosts the firewall is protecting.

    >7) Rulebase Change Control


    Hardware and software update issues. Makes no sense to be using a firewall
    that has obsolete software (example) with known holes. Is the firewall
    currently supported by the manufacturer? Is everything up to date? How often
    is the firewall administrator looking (where) for updates?

    >8) documentation
    >9) Back Up


    Backups kept where? How protected? How often are backups made?

    Old guy
    Moe Trin, Nov 28, 2005
    #6
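
The rulebase questions raised in post #6 (does the rule set default to blocking, is access to the firewall itself limited to specified hosts, are there reactive single-address blocks) can be checked mechanically. The following is an added example, not code from any poster in this thread; the rule format, every address, and the use of port 22 for SSH administration are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rulebase (first match wins); the field names and all
# addresses are assumptions for this example, not from any vendor format.
RULES = [
    {"id": 1, "action": "allow", "src": "any", "dst": "10.0.1.10/32", "port": "25"},
    {"id": 2, "action": "allow", "src": "10.0.0.0/24", "dst": "192.0.2.1/32", "port": "22"},
    {"id": 3, "action": "deny", "src": "203.0.113.7/32", "dst": "any", "port": "any"},
    {"id": 4, "action": "allow", "src": "10.0.0.0/8", "dst": "any", "port": "any"},
]

def net(spec):
    """Parse 'any' or CIDR text into an ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

def audit(rules, default_action, firewall_ip, mgmt_hosts):
    """Return (rule_id, finding) pairs; rule_id is None for rulebase-wide findings."""
    findings = []
    fw = ipaddress.ip_address(firewall_ip)
    mgmt = [net(h) for h in mgmt_hosts]
    last = rules[-1] if rules else None
    # Default deny: either the fall-through action or a final deny any/any/any.
    explicit_deny = bool(last) and last["action"] == "deny" and (
        last["src"], last["dst"], last["port"]) == ("any", "any", "any")
    if default_action != "deny" and not explicit_deny:
        findings.append((None, "no default deny"))
    for r in rules:
        src, dst = net(r["src"]), net(r["dst"])
        if r["action"] == "allow":
            if dst.prefixlen == 0 and r["port"] == "any":
                findings.append((r["id"], "allow to any destination and port"))
            # Admin access (SSH assumed on port 22) should come only from listed hosts.
            if fw in dst and r["port"] in ("22", "any") and not any(
                    src.subnet_of(m) for m in mgmt):
                findings.append((r["id"], "firewall admin access wider than approved hosts"))
        elif src.prefixlen == 32:
            # Heuristic: a block on one address may be a reactive rule to review.
            findings.append((r["id"], "single-address block, review for self-DoS"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in audit(RULES, "allow", "192.0.2.1", ["10.0.0.5/32"]):
        print(rule_id, finding)
```

The single-address check is only a prompt for review: it cannot tell a deliberate block from one added in a hurry, which is what change-control records are for.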