Checklists are a good way to verify Information Technology security environments. Many people including [url=http://www.tompeters.com/entries.php?note=010132.php]Tom Peters[/url] have been praising the usefulness and simplicity of checklists. I had previously created a [url=http://thinkingproblemmanagement.blogspot.com/2007/10/ultimate-test-pilots.html]networking troubleshooting checklist[/url]. Reading a post about Router/Firewalls at [url=http://www.guerilla-ciso.com/]Guerilla CISO[/url], reminded me of a checklist about firewall rules I created in 2003. I dusted it off and updated it. So, here is a checklist for firewall rules: 1. External routers health check. You can use [url=http://www.titania.co.uk/nipper.php]Nipper[/url] to check wether your router configuration is acceptable. 2. Document current firewall/router, OS, rule-base, object-base, and NAT tables. You can look at using [url=http://www.wyae.de/software/fwdoc/]FWdoc[/url]. 3. Document current performance - page load, file transfer, CPU utilization. If you firewall platform supports that standard HostMIB you can point something like [url=http://sins.com.au/nmis/]NMIS[/url] at it and obtain these stats. 4. Document current usage of security systems and recommend improvements. A good tool to recognize improvements is [url=http://www.sensepost.com/research/wikto/]Wikto[/url]. 5. Research traffic needs. You can span the router port and check out traffic flows using [url=http://www.openxtra.co.uk/freestuff/ntop-xtra.php]OpenXtra's NTOP[/url], or alternatively use Netflow and a tool like [url=http://www.crannog-software.com/index.php?go=Product.ShowDetail&ProductID=1]Netflow Tracker[/url]. 6. Review firewall/router logs to determine current service usage. Collect syslogs for review using a product like [url=http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/]Kiwi[/url]. 7. Interview business units for service requirements and document findings. 8. Backup existing configuration, rule-base, object-base, and NAT tables. 9. Create rule-base migration plan. 10. Migrate rule-base in controlled sections. 11. Arrange rules in order of rule hit rate. 12. Monitor changes for issues. 13. Document final configuration. 14. Document performance differential performance gains. 15. Only allow RFC1918 IP addresses on the internal network. Drop all RFC1918 addresses on the external Internet Access router. 16. Drop the following incoming traffic on the external Internet router:telnet, snmp, icmp, dns, pop3, SQL: Oracle SQL*NET(66), sqlserv(118), SQL-NET(150), sqlsrv(156), mini-SQL(1114), Microsoft SQL Server(1433), Microsoft SQL Monitor(1434), Sybase SQL AnyWhere(1498), Oracle SQL*Net v2(1521), Oracle(1522), Oracle SQL*Net v1(1525), Oracle SQL*Net(1529), UniSQL (1978), UniSQL Java(1979), mySQL(3306), SSQL(3352), mSQL(4333), Remote access: Dameware (6129), PC Anywhere (5631). 17. Firewall default properties: Eliminate anything that is allowed generically. Firewall software is installed by default with services wide open. The first step is to turn off these default properties. 18. Firewall outbound: Allow the following traffic originating from the firewall to any destination: Time services, SSH, Ping, Ident, FW-1, Traceroute, SNMP trap 19. Internal outbound: Allow the following traffic originating internal to any outbound destination: HTTP (80), HTTPS (443), FTP (21), SSH (22), MSN Messenger (1863) Voice (UDP:2001-2120, 6801, 6901), file transfers (6891-6900). 20. Lockdown: Blocking any access to the firewall. No one should have access to the firewall but the firewall administrators and workstations operating on the FW-1 ports. 21. Drop All AND Log rule and add it to the end of the rule base. 22. No Logging: A rule that drops/rejects broadcast traffic, but does NOT log it. 23. DNS access: All the internal DNS servers’ access to the service provider’s named DNS server. All servers in the DMZ, DNS access to the internal DNS servers. 24. Mail access: Allow the bridgehead servers bi-directional SMTP access to the relay server in the DMZ. Allow all bidirectional SMTP traffic from the relay server to external hosts. As an alternative investigate the use of a service like [url=www.mimecast.co.za]Mimecast[/url]. 25. Web access: Allow incoming HTTP and HTTPS access to the DMZ from external. 26. DMZ access: Allow only bidirectional-encrypted access from the internal network to the DMZ from named sources and destinations. 27. Performance: Move the most commonly used rules towards the top of the rule base. 28. Web content: Block access to sites that do not comply with the company computer usage policy. Consider using [url=www.opendns.com]OpenDNS[/url], which has blocking abilities. 29. Vulnerability scanning: Allow the internal vulnerability-scanning server to scan all ports and addresses in the DMZ. Allow the rule only to be active from 19h00 to 23h30. Wikto is a good tool to accomplish this. 30. Time services: Allow named addresses access to the time service on the firewall from the internal network. 31. Allow the network management servers access to the DMZ (e.g. HP SIM uses port 2381). Allow the network management servers SNMP read access to the DMZ. Allow all DMZ servers to transmit SNMP traps to the network management servers.