CISA Made Easy

- easy CISA preparation

Friday, August 8, 2008

10 Things to consider when auditing a firewall

A firewall can be software, hardware, or a combination of both. This article briefly describes the minimum things an IS Auditor / Information Security Professional should consider when auditing a firewall.

1. Platform

The operating system and the underlying hardware platform are the first things an IS Auditor / Penetration Tester should look at. Different architectures need different configurations and hence a different way of auditing.

2. Services & Application

Which services are allowed and disallowed depends upon the requirements, architecture and topology of the setup. However, the following common services need to be carefully analyzed and allowed on a need-only basis:

HTTP, FTP, SMTP, Ping, SNMP, IMAP, TFTP, X-Windows, POP, Telnet, SSH, NetBIOS etc.

Although most of the above services are very useful, they may be exploited if not properly configured. So an IS Auditor needs to evaluate the need for each allowed service and its related configuration.

3. Ports

There can be 0 to 65535 ports (a total of 65536), of which 0 to 999 are called well-known ports and the rest are registered and private ports. These ports are associated with default services, or in other words, some services are associated with default ports. For example:
21 - FTP, 23 - Telnet, 110 - POP3, etc.

Wherever possible it is advisable not to use the default port number for the default application. This makes a hacker's job a little more difficult. An IS Auditor must check the port allocation and its feasibility.


4. Rule sets - Restrictions and Access control

Rule sets include the ports and services configuration. There could be many rule sets; some of the critical rules an auditor must check are:

i. Packet state checking
ii. Stop IP spoofing
iii. Connection state
iv. Allow/disallow inner/local traffic
v. Allow/disallow ICMP packets
vi. Logging of events
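The checks in sections 2, 3 and 4 can be applied to an exported rule set mechanically. The script below is an added example written for this article, not code from the original post: it reads an iptables-save style dump and reports the points an auditor would follow up (default policy, connection-state rule, anti-spoofing drops, explicit ICMP handling, a LOG rule, and listed services open to any source on their default port). The rule format, the external interface name eth0, the service-to-port table and the sample rule set are all constructed assumptions.

```python
"""Rule-set review helper for sections 2-4 of the post: reads an
iptables-save style dump and reports the points an auditor would follow up.
Added example, not code from the original post; the rule format, the
external interface name, the service table and the sample rules are all
constructed for illustration."""
import ipaddress

# Services the post lists as needing case-by-case justification, keyed by
# the default port each is normally found on (constructed table).
RISKY_SERVICES = {
    21: "FTP", 23: "Telnet", 69: "TFTP", 110: "POP3", 137: "NetBIOS-NS",
    139: "NetBIOS-SSN", 143: "IMAP", 161: "SNMP", 6000: "X11",
}

# Address space that must never arrive from the outside (anti-spoofing).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample dump; it deliberately leaves several audit points open.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-DROP: "
COMMIT
"""


def parse_rule(line):
    """Collect the options of one '-A CHAIN ... -j TARGET' line by name,
    so the order in which the dump prints them does not matter."""
    rule = {"chain": None, "target": None, "iface": None, "src": None,
            "proto": None, "dport": None, "state": None}
    tokens = line.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-A":
            rule["chain"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
        elif tok == "-i":
            rule["iface"] = nxt
        elif tok == "-s":
            rule["src"] = nxt
        elif tok == "-p":
            rule["proto"] = nxt
        elif tok == "--dport":
            rule["dport"] = int(nxt)
        elif tok == "--state":
            rule["state"] = set(nxt.split(","))
        else:
            i += 1          # '-m tcp', log prefixes etc. carry nothing we check
            continue
        i += 2
    return rule


def review_ruleset(text, external_iface="eth0"):
    """Return a list of findings; an empty list means every check passed."""
    policies, rules, findings = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line.split()[:2]
            policies[chain[1:]] = policy
        elif line.startswith("-A"):
            rules.append(parse_rule(line))

    # 4.i / 4.iii: default-deny on the inbound chains, replies admitted by state
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} default policy is "
                            f"{policies.get(chain, 'unset')}, expected DROP")
    if not any(r["target"] == "ACCEPT" and r["state"]
               and {"ESTABLISHED", "RELATED"} <= r["state"] for r in rules):
        findings.append("no connection-state rule accepting ESTABLISHED,RELATED")

    # 4.ii: every private/loopback range must be dropped on the external side
    blocked = set()
    for r in rules:
        if r["iface"] == external_iface and r["src"] and r["target"] == "DROP":
            net = ipaddress.ip_network(r["src"], strict=False)
            blocked.update(p for p in PRIVATE_NETS
                           if p.version == net.version and p.subnet_of(net))
    missing = [str(p) for p in PRIVATE_NETS if p not in blocked]
    if missing:
        findings.append(f"no anti-spoof drop on {external_iface} for: "
                        + ", ".join(missing))

    # 4.v: ICMP should be an explicit decision, not left to the default policy
    if not any(r["proto"] == "icmp" for r in rules):
        findings.append("ICMP is neither explicitly allowed nor explicitly denied")

    # 4.vi: without a LOG rule the chain's drops are never recorded
    for chain in ("INPUT", "FORWARD"):
        if not any(r["chain"] == chain and r["target"] == "LOG" for r in rules):
            findings.append(f"{chain} has no LOG rule; dropped packets will not be recorded")

    # 2 and 3: a listed service, on its default port, open to any source
    for r in rules:
        if (r["target"] == "ACCEPT" and r["dport"] in RISKY_SERVICES
                and r["src"] in (None, "0.0.0.0/0")):
            findings.append(f"{RISKY_SERVICES[r['dport']]} (port {r['dport']}) "
                            "accepted from any source on its default port")
    return findings


if __name__ == "__main__":
    for finding in review_ruleset(SAMPLE_RULESET):
        print("-", finding)
```

Run against the constructed sample it reports five findings: the FORWARD chain defaults to ACCEPT, two private ranges are not dropped on eth0, ICMP is left to the default policy, FORWARD has no LOG rule, and Telnet on port 23 is open to any source. Each finding maps back to one of the numbered rule-set items above, which is the list an auditor would carry into the review.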



5. Patches & Updates

The Auditor should check whether the OS updates and application patches necessary for the firewall have been properly applied and configured.

6. Position of Firewall

The Auditor should verify the position/location of the firewall based on the network topology and the requirements of the organization. It also depends upon the firewall implementation, such as DMZ, application-level firewall, screened subnet arrangement, dual-homed firewall, etc.

7. Periodicity of Penetration Testing/Vulnerability Assessment

The Auditor should review and analyze the reports of periodic penetration testing and should also check whether the recommendations of the Penetration Testing / Vulnerability Assessment have been complied with in the best possible way.

Many times penetration testing forms part of the firewall audit.


8. Log Generation and Audit of Logs

Generally firewalls are configured for logging and monitoring. All network logs, application logs and operating system logs should be carefully studied. An IS Auditor should ensure:

i. Log sufficiency
ii. Log relevancy
iii. Periodic analysis of logs
iv. Log backup
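The four points above can be partly checked by machine before the auditor reads the logs by hand. The script below is an added example for this article, not code from the original post: it parses a batch of firewall log lines and reports on sufficiency (does every record carry the fields needed as evidence), relevancy (which sources and destination ports the denies concentrate on) and continuity (a long silence in a log that otherwise records something every few seconds suggests logging stopped or lines were lost, which bears on both periodic analysis and backup). The record format is modelled on an iptables LOG line behind a syslog header, and the required-field list and sample lines are constructed assumptions.

```python
"""Log review helper for section 8: checks a batch of firewall log lines for
sufficiency (each record carries the fields an auditor needs), relevancy
(where the denies concentrate) and continuity (a long gap with no entries).
Added example, not code from the original post; the format is modelled on an
iptables LOG line behind a syslog header, and the sample lines are
constructed, not taken from any real device."""
from collections import Counter
from datetime import datetime, timedelta

# Fields a record must carry to be usable as audit evidence (constructed list).
REQUIRED_FIELDS = ("prefix", "IN", "SRC", "DST", "PROTO")

# Constructed sample: the fifth record lacks its source address, and there is
# a two-and-a-half-hour silence before the last line.
SAMPLE_LOG = """\
2008-08-08T09:00:01 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=23
2008-08-08T09:00:04 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40113 DPT=22
2008-08-08T09:00:09 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40114 DPT=139
2008-08-08T09:00:12 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=UDP SPT=5353 DPT=161
2008-08-08T09:00:15 fw1 kernel: FW-DROP: IN=eth0 OUT= DST=198.51.100.10 PROTO=ICMP
2008-08-08T11:30:02 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40115 DPT=445
"""


def parse_line(line):
    """Split one syslog-framed LOG line into its KEY=VALUE fields.
    Returns None when the line is not a firewall record at all."""
    head, sep, body = line.partition(" kernel: ")
    if not sep:
        return None
    parts = head.split()
    try:
        rec = {"timestamp": datetime.fromisoformat(parts[0])}
    except (IndexError, ValueError):
        return None
    prefix, sep, fields = body.partition(" IN=")
    rec["prefix"] = prefix.strip()
    if sep:
        for tok in ("IN=" + fields).split():
            key, eq, value = tok.partition("=")
            if eq:
                rec[key] = value
    return rec


def review_log(text, max_gap=timedelta(minutes=30)):
    """Return findings plus the sources and ports the denies concentrate on."""
    records, findings = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            findings.append(f"line {n}: not a parseable firewall record")
            continue
        # Sufficiency: a record without these fields cannot support a finding.
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append(f"line {n}: missing field(s) " + ", ".join(missing))
        records.append(rec)

    # Continuity: a silence longer than max_gap is itself worth a question.
    for prev, cur in zip(records, records[1:]):
        gap = cur["timestamp"] - prev["timestamp"]
        if gap > max_gap:
            findings.append(f"{gap} with no log entries between "
                            f"{prev['timestamp']} and {cur['timestamp']}")

    # Relevancy: where the denies concentrate guides what to read by hand.
    return {
        "findings": findings,
        "top_sources": Counter(r["SRC"] for r in records if "SRC" in r).most_common(3),
        "top_ports": Counter(r["DPT"] for r in records if "DPT" in r).most_common(3),
    }


if __name__ == "__main__":
    result = review_log(SAMPLE_LOG)
    for finding in result["findings"]:
        print("-", finding)
    print("top sources:", result["top_sources"])
    print("top ports:", result["top_ports"])
```

On the constructed sample it flags the record that lacks SRC and the 2:29:47 silence, and shows 203.0.113.5 as the source behind four of the five attributable denies. The gap threshold is a parameter because what counts as suspicious silence depends on how busy the firewall normally is.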

9. Backup of Configuration Files and Provision of a Standby Firewall

Backup of all necessary configuration files and the presence of a secondary/standby firewall should also be audited by the IS Auditor, based on the scope of the audit.

10. Physical Access Control

This is one of the most important things an auditor should check while auditing a firewall.


Summary:

An ideal firewall audit should include checking most of the following:

i. Noise drops
ii. Deny & Allow
iii. Logging & backup
iv. Routing tables
v. IP tables
vi. Remote access
vii. Masquerading
viii. User IDs
ix. ActiveX
x. Java Applets
xi. MIME
xii. Backups
