
Checklists are a good way to verify Information Technology security
environments. Many people, including
[url=http://www.tompeters.com/entries.php?note=010132.php]Tom
Peters[/url], have been praising the usefulness and simplicity of
checklists. I had previously created a
[url=http://thinkingproblemmanagement.blogspot.com/2007/10/ultimate-test-pilots.html]networking
troubleshooting checklist[/url]. Reading a post about Router/Firewalls
at [url=http://www.guerilla-ciso.com/]Guerilla CISO[/url] reminded me
of a checklist about firewall rules I created in 2003. I dusted it off
and updated it. So, here is a checklist for firewall rules:
1. External routers health check. You can use
[url=http://www.titania.co.uk/nipper.php]Nipper[/url] to check whether
your router configuration is acceptable.
2. Document current firewall/router, OS, rule-base, object-base, and
NAT tables. You can look at using
[url=http://www.wyae.de/software/fwdoc/]FWdoc[/url].
3. Document current performance - page load, file transfer, CPU
utilization. If your firewall platform supports the standard HostMIB you
can point something like [url=http://sins.com.au/nmis/]NMIS[/url] at it
and obtain these stats.
4. Document current usage of security systems and recommend
improvements. A good tool to recognize improvements is
[url=http://www.sensepost.com/research/wikto/]Wikto[/url].
5. Research traffic needs. You can span the router port and check out
traffic flows using
[url=http://www.openxtra.co.uk/freestuff/ntop-xtra.php]OpenXtra's
NTOP[/url], or alternatively use Netflow and a tool like
[url=http://www.crannog-software.com/index.php?go=Product.ShowDetail&ProductID=1]Netflow
Tracker[/url].
6. Review firewall/router logs to determine current service usage.
Collect syslogs for review using a product like
[url=http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/]Kiwi[/url].
7. Interview business units for service requirements and document
findings.
8. Backup existing configuration, rule-base, object-base, and NAT
tables.
9. Create rule-base migration plan.
10. Migrate rule-base in controlled sections.
11. Arrange rules in order of rule hit rate.
12. Monitor changes for issues.
13. Document final configuration.
14. Document the performance differential and performance gains.
15. Only allow RFC1918 IP addresses on the internal network. Drop all
RFC1918 addresses on the external Internet Access router.
16. Drop the following incoming traffic on the external Internet
router: telnet, snmp, icmp, dns, pop3; SQL: Oracle SQL*NET (66),
sqlserv (118), SQL-NET (150), sqlsrv (156), mini-SQL (1114), Microsoft SQL
Server (1433), Microsoft SQL Monitor (1434), Sybase SQL AnyWhere (1498),
Oracle SQL*Net v2 (1521), Oracle (1522), Oracle SQL*Net v1 (1525), Oracle
SQL*Net (1529), UniSQL (1978), UniSQL Java (1979), mySQL (3306),
SSQL (3352), mSQL (4333); Remote access: Dameware (6129), PC Anywhere
(5631).
17. Firewall default properties: Eliminate anything that is allowed
generically. Firewall software is installed by default with services
wide open. The first step is to turn off these default properties.
18. Firewall outbound: Allow the following traffic originating from
the firewall to any destination: Time services, SSH, Ping, Ident, FW-1,
Traceroute, SNMP trap.
19. Internal outbound: Allow the following traffic originating
internally to any outbound destination: HTTP (80), HTTPS (443), FTP (21),
SSH (22), MSN Messenger (1863), Voice (UDP: 2001-2120, 6801, 6901), file
transfers (6891-6900).
20. Lockdown: Block any access to the firewall. No one should have
access to the firewall but the firewall administrators and workstations
operating on the FW-1 ports.
21. Create a Drop All AND Log rule and add it to the end of the rule base.
22. No Logging: A rule that drops/rejects broadcast traffic, but does
NOT log it.
23. DNS access: Allow the internal DNS servers access to the service
provider’s named DNS server. Allow all servers in the DMZ DNS access to
the internal DNS servers.
24. Mail access: Allow the bridgehead servers bi-directional SMTP
access to the relay server in the DMZ. Allow all bidirectional SMTP
traffic from the relay server to external hosts. As an alternative,
investigate the use of a service like
[url=www.mimecast.co.za]Mimecast[/url].
25. Web access: Allow incoming HTTP and HTTPS access to the DMZ from
external.
26. DMZ access: Allow only bidirectional-encrypted access from the
internal network to the DMZ from named sources and destinations.
27. Performance: Move the most commonly used rules towards the top of
the rule base.
28. Web content: Block access to sites that do not comply with the
company computer usage policy. Consider using
[url=www.opendns.com]OpenDNS[/url], which has blocking abilities.
29. Vulnerability scanning: Allow the internal vulnerability-scanning
server to scan all ports and addresses in the DMZ. Allow the rule only
to be active from 19h00 to 23h30. Wikto is a good tool to accomplish
this.
30. Time services: Allow named addresses access to the time service on
the firewall from the internal network.
31. Allow the network management servers access to the DMZ (e.g. HP
SIM uses port 2381). Allow the network management servers SNMP read
access to the DMZ. Allow all DMZ servers to transmit SNMP traps to the
network management servers.
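
Items 11 and 27 put the busiest rules first, but in a first-match rule base a plain sort by hit count can change what is allowed. The Python below is an added example, not part of the original checklist: it moves a rule up only when the swap cannot change the verdict for any packet. The Rule fields, function names, addresses and hit counts are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: int    # destination port, 0 = any
    action: str  # "accept" or "drop"
    hits: int    # hit count taken from the firewall logs

def overlaps(a, b):
    """True if at least one packet could match both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (a.port == 0 or b.port == 0 or a.port == b.port))

def reorder_by_hits(rules):
    """Bubble busier rules upward, but never swap two overlapping rules
    with different actions: that would change the first-match verdict."""
    out, changed = list(rules), True
    while changed:
        changed = False
        for i in range(len(out) - 1):
            a, b = out[i], out[i + 1]
            safe = a.action == b.action or not overlaps(a, b)
            if b.hits > a.hits and safe:
                out[i], out[i + 1] = b, a
                changed = True
    return out

def verdict(rules, src, dst, port):
    """First-match evaluation, used to confirm a reorder changed nothing."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.port in (0, port)):
            return r.action
    return "drop"

# Constructed rule base: 192.0.2.0/24 stands in for the DMZ, 10.0.5.10 for the scanner.
RULES = [
    Rule("block-sql-in", "0.0.0.0/0", "192.0.2.0/24", 1433, "drop", 40),
    Rule("web-in", "0.0.0.0/0", "192.0.2.0/24", 443, "accept", 9000),
    Rule("scanner", "10.0.5.10/32", "192.0.2.0/24", 0, "accept", 300),
    Rule("drop-all-and-log", "0.0.0.0/0", "0.0.0.0/0", 0, "drop", 1200),
]
```

With this rule base only web-in moves to the top; the scanner rule stays below the SQL drop and the Drop All AND Log rule stays last even though it has the second-highest hit count.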
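
Items 15 and 16 can be verified from the logs collected in item 6. The Python below is an added example, not part of the original checklist: it flags packets the external router accepted even though they carried an RFC1918 source address or targeted one of the ports listed in item 16. The key=value log format, the interface name eth0 and the sample lines are assumptions constructed for the illustration.

```python
import re
from ipaddress import ip_address, ip_network

# The three RFC 1918 blocks. ip_address.is_private is broader (loopback,
# link-local, ...), so the ranges are listed explicitly.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Numbered ports from checklist item 16 (SQL services and remote access).
BLOCKED_PORTS = {66, 118, 150, 156, 1114, 1433, 1434, 1498, 1521, 1522, 1525,
                 1529, 1978, 1979, 3306, 3352, 4333, 6129, 5631}

FIELD = re.compile(r"(\w+)=(\S+)")

def audit(lines, external_if="eth0"):
    """Return (line_no, reason) for every packet accepted on the external
    interface that items 15 or 16 say should have been dropped."""
    findings = []
    for no, line in enumerate(lines, 1):
        f = dict(FIELD.findall(line))
        if f.get("in") != external_if or f.get("action") != "accept":
            continue
        try:
            src, dport = ip_address(f["src"]), int(f["dport"])
        except (KeyError, ValueError):
            findings.append((no, "unparseable"))
            continue
        if any(src in net for net in RFC1918):
            findings.append((no, "rfc1918-source"))
        if dport in BLOCKED_PORTS:
            findings.append((no, "blocked-port"))
    return findings

# Constructed log lines in a hypothetical key=value format.
SAMPLE = [
    "in=eth0 action=accept src=198.51.100.7 dst=192.0.2.10 dport=443",
    "in=eth0 action=accept src=172.20.1.5 dst=192.0.2.10 dport=80",
    "in=eth0 action=drop src=10.1.1.1 dst=192.0.2.10 dport=1433",
    "in=eth0 action=accept src=203.0.113.9 dst=192.0.2.20 dport=1433",
    "in=eth1 action=accept src=192.168.1.20 dst=198.51.100.7 dport=443",
    "in=eth0 action=accept src=172.32.0.1 dst=192.0.2.10 dport=443",
]
```

The last sample line is not flagged because 172.32.0.1 lies just outside 172.16.0.0/12, a boundary that hand-written router filters often get wrong.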