The document discusses how to conduct a firewall audit. It recommends reviewing the firewall change process and rule base. For the change process, randomly select recent change requests to check for proper documentation and approvals. For the rule base, evaluate it for maintenance, risk compliance, and adherence to security policy by examining rules, services, and traffic allowed. The document emphasizes automating this process when possible to improve efficiency and reduce errors.
How to Conduct a Firewall Audit _ Security Matters Magazine
How to Conduct a Firewall Audit
Best practice for a very good reason
By Michael Hamelin

Firewall audits are getting a lot of coverage these days thanks to standards like SOX, PCI-DSS, and HIPAA. Even if you don't need to comply with any of those standards yet, business relationships with partners or customers may require you to show that your network is secure.
However, beyond compliance requirements, firewall audits are best practice for a very good reason. They increase your chances of catching weaknesses in your network security posture and finding places where your policies need to be adapted. They also help prove you have been doing your due diligence in reviewing your security controls and policy controls, should you ever need to respond to a lawsuit, breach or regulatory issue that calls your security standards into question.
Two of the most important aspects of conducting a firewall audit are to review the change process and the rule base. If you are tasked with pre-auditing your firewall before the audit team arrives, or if it is your job to audit the firewall, here are some of the main technical details you'll need to check.
1) Auditing the Change Process
The first technical step in a firewall audit is normally an examination of the firewall change process. The goal of this step is to make sure that requested changes were properly approved, implemented and documented. You can accomplish this in a few different ways depending on whether you have a tool to assist you or you are doing it manually.
You will need to pull, at random, around 10 change requests since the last audit. The basic questions you should be asking when you audit a firewall change are:
- Is the requester documented, and is s/he authorized to make firewall change requests?
- Is the business reason for the change documented?
- Are there proper reviewer and approval signatures (electronic or physical)?
- Were the approvals recorded before the change was implemented?
- Are the approvers all authorized to approve firewall changes (you will need to ask for a list of authorized individuals)?
- Are the changes well documented in the change ticket?
- Is there documentation of risk analysis for each change?
- Is there documentation of the change window and/or install date for each change?
- Is there an expiration date for the change?
If you are doing this manually, the first thing you need to do is match each of the changes up with a firewall device and with a policy. Now match the change requests up with the firewall rule(s) that implemented the requested traffic. Already stumped? Then you know where you need to improve. The comment on each rule should have at least two pieces of data: the change ID of the request and the initials of the engineer who implemented the change.
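An added example (not from the article) of checking a sampled change ticket against the questions above and parsing each rule comment for the change ID and engineer initials; the ticket fields, the CHG- ticket-number format and the authorized-user lists are assumptions:

```python
import re
from datetime import datetime
# Constructed change tickets and the rules that implemented them (example data, not from the article).
TICKETS = [
    {"id": "CHG-1001", "requester": "alice", "reason": "Allow app tier to DB", "approvers": ["bob"],
     "approved": "2013-01-10T09:00", "implemented": "2013-01-11T20:00",
     "risk_analysis": True, "window": "2013-01-11 20:00-22:00", "expires": "2014-01-11"},
    {"id": "CHG-1002", "requester": "carol", "reason": "", "approvers": ["dave"],
     "approved": "2013-02-03T15:00", "implemented": "2013-02-02T18:00",
     "risk_analysis": False, "window": "", "expires": ""},
]
RULES = [{"num": 12, "comment": "CHG-1001 ah"}, {"num": 13, "comment": "temporary"}]
AUTHORIZED_REQUESTERS = {"alice", "carol"}   # assumed lists obtained from the change board
AUTHORIZED_APPROVERS = {"bob"}
# Assumed comment convention: a CHG- ticket number followed by the implementing engineer's initials.
COMMENT_RE = re.compile(r"\b(CHG-\d+)\b.*\b([A-Za-z]{2,3})\b")

def audit_ticket(t):
    """Return the audit questions this ticket fails (an empty list means it passes)."""
    findings = []
    if t["requester"] not in AUTHORIZED_REQUESTERS:
        findings.append("requester not authorized")
    if not t["reason"]:
        findings.append("no business reason")
    if not t["approvers"] or any(a not in AUTHORIZED_APPROVERS for a in t["approvers"]):
        findings.append("approval missing or approver not authorized")
    if datetime.fromisoformat(t["approved"]) > datetime.fromisoformat(t["implemented"]):
        findings.append("implemented before approval")
    for key, msg in (("risk_analysis", "no risk analysis"), ("window", "no change window"),
                     ("expires", "no expiration date")):
        if not t[key]:
            findings.append(msg)
    return findings

def rule_change_id(rule):
    """Return (change_id, initials) from the rule comment, or None if the convention is not followed."""
    m = COMMENT_RE.search(rule["comment"])
    return (m.group(1), m.group(2)) if m else None

def unmatched_rules(rules, tickets):
    """Rule numbers whose comment has no change ID, or one that matches no sampled ticket."""
    ids = {t["id"] for t in tickets}
    out = []
    for r in rules:
        parsed = rule_change_id(r)
        if parsed is None or parsed[0] not in ids:
            out.append(r["num"])
    return out
```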
Automation tools are widely available and, because of the sheer number of rules that most modern firewalls tend to manage, are highly recommended to aid you in the audit process; they offer significantly more visibility into and control over your rule base.
For example, they show you who added the rule and when, as well as if s/he added anything else to the policy at the same time. They also enable you to put the change ticket number in the comment field, so that the rule will have a hyperlink back to the change ticket to simplify looking up the audit trail. You can even run a rule history report over time to see how this rule has changed with other change tickets since it was implemented. Solutions with more mature change management capabilities will show the rule request along with audit signoff, risk analysis, and implementation into the rule-base, so that the whole lifecycle from request to implementation is documented and auditable.
2) Auditing the Firewall Rule Base
Source: How to Conduct a Firewall Audit | Security Matters Magazine, http://www.securitymattersmag.com/security-matters-magazine-article-detail.php?id=765 [14/03/2013 03:15:05 PM]

The second technical step in an audit is usually a review of the firewall rule base (also called a policy). The methodology for this step varies widely among auditors because it has traditionally been difficult to do and heavily technology-dependent.
For each of these questions you should have a ranking based on the type of firewall and its placement in your infrastructure. For example, a firewall not connected to the Internet does not have the same risk as one that is connected to the Internet; internal firewalls tend to be more permissive than external firewalls.
The first questions that should be asked about the rule base are related to basic policy maintenance and good design practices that grant minimal access for each device. To answer these questions, you need to look at each rule in your rule base as well as a year's worth of logs, which will tell you which rules are being used. This has always been a lengthy manual process until recently, with the arrival of tools that can be used to answer these questions programmatically and automatically.
- How many rules does the policy have? How many did it have at last audit? Last year?
- Are there any uncommented rules?
- Are there any redundant rules that should be removed?
- Are there any rules that are no longer used?
- Are there any services in the rules that are no longer used?
- Are there any groups or networks in the rules that are no longer used?
- Are there any firewall rules with ANY in three fields (source, destination, service/protocol) and a permissive action?
- Are there any rules with ANY in two fields and a permissive action?
- Are there any rules with ANY in one field and a permissive action?
- Are there any overly permissive rules: rules with more than 1000 IP addresses allowed in the source or destination? (You might want a number other than 1000, like 10,000 or 500.)
The second list of questions that should be asked about a rule base is related to risk and compliance. These questions are more technically challenging to answer. You must understand the technology of your firewall to understand what traffic is actually passed by each rule, and if there is a group of services called "allowed services", which ports and protocols actually pass through that rule.
- Are there any rules that violate our corporate security policy?
- Are there any rules that allow risky services inbound from the Internet? While you may have a different list of what is considered risky for your company, most start with protocols that pass login credentials in the clear like telnet, ftp, pop, imap, http, netbios, etc.
- Are there any rules that allow risky services outbound to the Internet?
- Are there any rules that allow direct traffic from the Internet to the internal network (not the DMZ)?
- Are there any rules that allow traffic from the Internet to sensitive servers, networks, devices or databases?
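An added example (not from the article) that runs the maintenance and risk questions from both lists above over a small constructed rule base; the rule fields, the internal address range, the treatment of an ANY source as Internet traffic, and hit counts standing in for a year of logs are assumptions:

```python
import ipaddress

# Constructed rule base for an Internet-facing firewall (example data, not from the article).
# src/dst are lists of CIDRs or ["ANY"]; svc is a list of service names or ["ANY"]; hits stand in for log analysis.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal (non-DMZ) ranges
RISKY_SERVICES = {"telnet", "ftp", "pop3", "imap", "http", "netbios"}  # clear-text login protocols
MAX_ADDRESSES = 1000  # the article's suggested threshold; tune to 500 or 10,000 as needed
RULES = [
    {"num": 1, "src": ["ANY"], "dst": ["192.0.2.10/32"], "svc": ["https"], "action": "accept", "comment": "CHG-1001 ah", "hits": 5000},
    {"num": 2, "src": ["ANY"], "dst": ["10.1.5.0/24"], "svc": ["telnet", "ssh"], "action": "accept", "comment": "", "hits": 0},
    {"num": 3, "src": ["ANY"], "dst": ["ANY"], "svc": ["ANY"], "action": "accept", "comment": "temp", "hits": 12},
    {"num": 4, "src": ["10.0.0.0/8"], "dst": ["ANY"], "svc": ["ANY"], "action": "drop", "comment": "CHG-0990 mh", "hits": 3},
    {"num": 5, "src": ["172.16.0.0/12"], "dst": ["192.0.2.0/24"], "svc": ["https"], "action": "accept", "comment": "CHG-1002 ah", "hits": 40},
]

def address_count(field):
    """Number of IP addresses an explicit CIDR list covers (ANY fields are handled separately)."""
    return sum(ipaddress.ip_network(c).num_addresses for c in field)

def overlaps(field, zones):
    """True if the field (or ANY) can reach any of the given zone networks."""
    return field == ["ANY"] or any(ipaddress.ip_network(c).overlaps(z) for c in field for z in zones)

def audit_rule(r):
    """Return the maintenance and risk findings for one rule, in the order the article asks them."""
    findings = []
    permissive = r["action"] == "accept"
    if not r["comment"]:
        findings.append("uncommented")
    if r["hits"] == 0:
        findings.append("unused in log period")
    anys = sum(1 for f in ("src", "dst", "svc") if r[f] == ["ANY"])
    if permissive and anys:
        findings.append(f"ANY in {anys} field(s)")
    if permissive and any(r[f] != ["ANY"] and address_count(r[f]) > MAX_ADDRESSES for f in ("src", "dst")):
        findings.append(f"more than {MAX_ADDRESSES} addresses in source/destination")
    # Assumption: on this external firewall an ANY source means traffic arriving from the Internet.
    if permissive and r["src"] == ["ANY"]:
        if r["svc"] == ["ANY"] or RISKY_SERVICES & set(r["svc"]):
            findings.append("risky service inbound from Internet")
        if overlaps(r["dst"], INTERNAL):
            findings.append("Internet direct to internal network (not DMZ)")
    return findings

def audit_rule_base(rules):
    """Map rule number -> findings for every rule that has at least one finding."""
    return {r["num"]: f for r in rules if (f := audit_rule(r))}
```

Rank each finding by the firewall's placement, as the article notes: the same ANY-source rule is a much smaller risk on a purely internal firewall than on one facing the Internet.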
If you take the time to master these two processes you will find that it is much easier to pass firewall audits. Having responded to hundreds of firewall audits, I'm a huge fan of automating this process as much and as deeply as possible. Not only does it provide the information administrators need to answer difficult audit questions, but if you are tasked with auditing a large set of firewalls on an ongoing basis, or even a couple of firewalls with large and unwieldy rule bases, the time and money saved, combined with eliminating the margin for error that exists when attacking any granular, data-intensive audit manually, makes it worth the cost and effort. If automation is not an option, then addressing these two areas is absolutely essential to maintaining the health and effectiveness of your firewall policies.

Michael Hamelin is the Chief Security Architect at Tufin Technologies. In this role, Hamelin identifies and champions the security standards and processes for Tufin. Bringing more than 16 years of security domain expertise to Tufin, Hamelin has deep hands-on technical knowledge in security architecture, penetration testing, intrusion detection, and anomalous detection of rogue traffic. He has authored numerous courses in information security and worked as a consultant, security analyst, forensics lead, and security practice manager. He is also a featured security speaker around the world, widely regarded as a leading technical thinker in information security. Hamelin previously held technical leadership positions at VeriSign, Cox Communications, and Resilience. Prior to joining Tufin he was the Principal Network and Security Architect for ChoicePoint, a LexisNexis Company. Hamelin received Bachelor of Science degrees in Chemistry and Physics from Norwich University, and did his graduate work at Texas A&M University.