Re: [fw-wiz] How to keep firewall rules clean and up-to-date

Fair warning: I make software to work on problems like this, and their
associated risks. That said, I will try to keep my comments properly

Ilias asked:

What do you do to keep your firewall rules clean and up-to-date?
Procedures, for which?

Keep in mind:

- Servers that change IP
- Servers that have been discarded

Others have already brought up organization discipline, and this is
definitely key. However, errors still happen, and accumulate over time.

There are technologies that can look at the firewall alone, and identify
things like rules that cannot be hit. You can also look for rules that
aren't seeing any traffic, by looking in the logs. However, this faces
serious problems in reality. (Scanners and other tests can "tickle" lots
of rules that aren't otherwise used, making it unclear what "unused"
really means. And on the other side, exactly how long do you have to wait
to be truly confident a rule "isn't used"?)

Worse, as you point out, Ilias, you cannot do everything by just looking
at the firewall. You really need to COMPARE your firewall to your
infrastructure - are there rules allowing access to IPs where there
simply is no host any more? Are there hosts that are exposed that are not
being scanned regularly? Are there exposed hosts that are "forgotten" by
the process, and are thus not being patched?

All of these can be answered, but they take a "multi-silo" approach - you
need to compare your firewall data to your scan data. The scan data may
just be nmap, or something richer that maps out known vulnerabilities (and
can thus detect things like unpatched, overlooked hosts). This may sound
daunting, but my experience is that it IS possible, and it's EXTREMELY
productive. I've seen real cases of a security team getting their first
insight into comparing firewalls to scan data, and immediately proceeding
to pull power cords out of a couple of machines that should have been
decommissioned, but were simply forgotten.

Hope that helps - am happy to discuss technical approaches off-list if
need be.

Mike Lloyd
Chief Scientist
RedSeal Systems, Inc.

firewall-wizards mailing list
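The "multi-silo" comparison Mike describes, as an added example that is not part of the original post and not RedSeal's code: a small script that parses a rule set in a constructed, vendor-neutral syntax (action, protocol, source, destination, destination port; first match wins), parses constructed nmap greppable output (-oG), and reports three things from the thread: rules that can never be hit because an earlier rule already covers them, accept rules whose destination has no live host or no listener on the allowed port, and addresses the rules expose that the scan never touched. The rule syntax, the sample rules and the sample scan are all assumptions made up for this example.

```python
"""Cross-check a firewall rule set against nmap scan results (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed rule set in a made-up syntax: action proto src dst dport.
FIREWALL_RULES = """\
accept tcp 0.0.0.0/0   10.0.1.10/32 443   # public web server
accept tcp 0.0.0.0/0   10.0.1.0/24  22    # ssh to the whole segment
accept tcp 10.0.0.0/8  10.0.1.20/32 22    # shadowed: rule 2 already allows this
accept tcp 0.0.0.0/0   10.0.1.20/32 3306  # db moved away, nothing listens now
accept tcp 0.0.0.0/0   10.0.1.30/32 8080  # host was decommissioned
accept udp 0.0.0.0/0   10.0.1.40/32 53    # dns, still live
drop   any 0.0.0.0/0   0.0.0.0/0    any
"""

# Constructed nmap -oG output for the same segment (tab-separated fields).
NMAP_GREPPABLE = """\
# Nmap scan (constructed sample, not real output)
Host: 10.0.1.10 ()\tStatus: Up
Host: 10.0.1.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.0.1.20 ()\tStatus: Up
Host: 10.0.1.20 ()\tPorts: 22/open/tcp//ssh///
Host: 10.0.1.30 ()\tStatus: Down
Host: 10.0.1.40 ()\tStatus: Up
Host: 10.0.1.40 ()\tPorts: 53/open/udp//domain///
"""


@dataclass(frozen=True)
class Rule:
    line: int
    action: str
    proto: str                 # tcp, udp or any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None means any port


def parse_rules(text):
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        raw = raw.split("#", 1)[0].strip()          # drop comments
        if not raw:
            continue
        action, proto, src, dst, dport = raw.split()
        rules.append(Rule(n, action.lower(), proto.lower(),
                          ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if dport == "any" else int(dport)))
    return rules


def parse_nmap_greppable(text):
    """Return ({ip: 'Up'|'Down'}, {ip: {(port, proto), ...}}) from -oG lines."""
    status, open_ports = {}, {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            key, _, value = field.partition(":")
            if key == "Status":
                status[ip] = value.strip()
            elif key == "Ports":
                for entry in value.split(","):
                    # port/state/proto/owner/service/rpc/version
                    parts = entry.strip().split("/")
                    if parts[1] == "open":
                        open_ports.setdefault(ip, set()).add((int(parts[0]), parts[2]))
    return status, open_ports


def covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.dport is None or outer.dport == inner.dport))


def find_shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule makes the later one unreachable.
    Pairwise only: a rule shadowed by the union of several earlier rules is missed."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((later, earlier))
                break
    return found


def audit_accepts(rules, status, open_ports):
    """Compare accept rules with the scan: dead (no Up host in dst), closed (Up host
    but nothing listening on the allowed port), unscanned (exposed addresses the scan
    never visited; only expanded for dst networks of /24 or smaller)."""
    up = {ipaddress.ip_address(ip) for ip, s in status.items() if s == "Up"}
    scanned = {ipaddress.ip_address(ip) for ip in status}
    dead, closed, unscanned = [], [], set()
    for r in rules:
        if r.action != "accept":
            continue
        live = [ip for ip in up if ip in r.dst]
        if not live:
            dead.append(r)
        elif r.dport is not None and not any(
                (r.dport, r.proto) in open_ports.get(str(ip), set()) for ip in live):
            closed.append(r)
        if r.dst.prefixlen >= 24:
            addrs = r.dst.hosts() if r.dst.prefixlen < 31 else iter(r.dst)
            unscanned.update(ip for ip in addrs if ip not in scanned)
    return dead, closed, unscanned


if __name__ == "__main__":
    rules = parse_rules(FIREWALL_RULES)
    status, open_ports = parse_nmap_greppable(NMAP_GREPPABLE)
    for later, earlier in find_shadowed(rules):
        print(f"rule {later.line} can never match: covered by rule {earlier.line}")
    dead, closed, unscanned = audit_accepts(rules, status, open_ports)
    for r in dead:
        print(f"rule {r.line}: no live host in {r.dst}")
    for r in closed:
        print(f"rule {r.line}: nothing listening on {r.proto}/{r.dport} in {r.dst}")
    print(f"{len(unscanned)} exposed addresses were never scanned")
```

The unscanned count is the point Mike makes about hosts "forgotten by the process": a /24 accept rule exposes 254 addresses, and a scan that only visited four of them says nothing about the other 250.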
