Re: [fw-wiz] Auditing a firewall rulebase



Darden, Patrick S. wrote:
Here's my two cents:

-Look for a default deny.
-Make sure all rules are performance-based, e.g. most hit rule first in line, etc. to cut down on cpu and bandwidth.

--Patrick Darden


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of
arvind doraiswamy
Sent: Wednesday, May 14, 2008 11:19 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Auditing a firewall rulebase


Hey Guys,
What parameters would you look for if you audited a large rulebase for
an enterprise firewall? These are a few I could think of. Anything
else that you guys consistently look at when managing/auditing your
firewalls? Do take note that I'm talking just singularly about the
rule-base and not other configuration information, i.e., I'm not looking
at things like -- Low console session timeout OR Telnet admin
interface open etc. I'm looking at just the rulebase this time around.
Here are my parameters:

Rules which have "any" or an equivalent keyword in them
Rules where an entire subnet has been granted access to a resource
Rules where a range of IP addresses has been granted access to a resource
Rules where a large range of ports has been opened to an IP Address / Addresses
Rules where there are design issues in the protocol itself
eg. Unencrypted traffic
Rules which are redundant and can be removed from the rulebase

Thanks
Arvind
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

If you can tell from logs or otherwise, look for rules that are no longer in use.
Look for rules that you do not have a written justification for; if a rule is for a single application or user group, ask if it is still justified.

I have eliminated a lot of deadwood with these checks over the years; cruft accumulates.

Chuck Benson

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
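A small rulebase auditor that runs the checks from Arvind's list (any-keyword, whole-subnet access, wide port ranges, cleartext protocols, redundant or shadowed rules, default deny) together with Chuck's unused-rule check. This is an added example, not code from the thread; the dict rule format, the hit counters, the cleartext-port table and the 100-port threshold are assumptions.

```python
import ipaddress

# Constructed sample rulebase (not from the thread), in evaluation order.
# "hits" is assumed to come from firewall logs or a rule hit counter.
RULES = [
    {"id": 1, "src": "10.1.0.0/16", "dst": "10.2.0.10/32", "ports": (443, 443), "action": "allow", "hits": 9120},
    {"id": 2, "src": "10.1.5.0/24", "dst": "10.2.0.10/32", "ports": (443, 443), "action": "allow", "hits": 0},
    {"id": 3, "src": "0.0.0.0/0", "dst": "10.2.0.20/32", "ports": (23, 23), "action": "allow", "hits": 14},
    {"id": 4, "src": "10.3.0.7/32", "dst": "10.2.0.0/24", "ports": (1024, 65535), "action": "allow", "hits": 0},
    {"id": 5, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "ports": (0, 65535), "action": "deny", "hits": 77012},
]

CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}  # assumed table
WIDE_PORT_RANGE = 100  # assumed threshold for "large range of ports"
ANY_RULE = {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "ports": (0, 65535)}

def net(s):
    return ipaddress.ip_network(s)

def covers(a, b):
    """True if rule a matches every packet that rule b would match."""
    return (net(b["src"]).subnet_of(net(a["src"]))
            and net(b["dst"]).subnet_of(net(a["dst"]))
            and a["ports"][0] <= b["ports"][0] and b["ports"][1] <= a["ports"][1])

def audit(rules):
    """Return (rule id, finding) tuples; id None means a rulebase-wide finding."""
    findings = []
    if not (rules and rules[-1]["action"] == "deny" and covers(rules[-1], ANY_RULE)):
        findings.append((None, "no default deny at end of rulebase"))
    for i, r in enumerate(rules):
        lo, hi = r["ports"]
        if r["action"] == "allow":
            if net(r["src"]).prefixlen == 0 or net(r["dst"]).prefixlen == 0:
                findings.append((r["id"], "uses 'any' address"))
            elif net(r["src"]).prefixlen < 32:
                findings.append((r["id"], "whole subnet granted access"))
            if hi - lo + 1 > WIDE_PORT_RANGE:
                findings.append((r["id"], "wide port range"))
            if lo == hi and lo in CLEARTEXT_PORTS:
                findings.append((r["id"], f"cleartext protocol ({CLEARTEXT_PORTS[lo]})"))
        if r["hits"] == 0:
            findings.append((r["id"], "no hits: candidate for removal"))
        # A rule fully covered by an earlier one never fires: redundant if the
        # actions agree, shadowed (a likely policy error) if they differ.
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = "redundant" if earlier["action"] == r["action"] else "shadowed"
                findings.append((r["id"], f"{kind} by rule {earlier['id']}"))
                break
    return findings
```

Running `audit(RULES)` flags rule 2 as redundant with rule 1 and unused, rule 3 for the any-source telnet allow, and rule 4 for its wide port range.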


