Re: [fw-wiz] Auditing a firewall rulebase



Rules which have "any" or an equivalent keyword in them
Rules where an entire subnet has been granted access to a resource
Rules where a range of IP addresses has been granted access to a resource
Rules where a large range of ports has been opened to an IP Address /
Addresses
Rules where there are design issues in the protocol itself eg. Unencrypted
traffic
Rules which are redundant and can be removed from the rulebase

That's a pretty good list, actually. I would add; rules that allow access
to the firewall. You will also want to audit for what kind of logging is
turned on/off and whether or not that poses a risk. Also think in terms of
implied rules (like interface security levels in a PIX or Global Policy in
Check Point) and whether or not those create any of the situations you
mention above.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards