Re: Auditing Firewalls

From: Javier Fernández-Sanguino (jfernandez@germinus.com)
Date: Wed Dec 12 2007 - 05:27:54 EST


ahgaber_rehan@yahoo.com ha escrito:

> Hi,
> I just shifted to IT Audit field.
> I was wondering If there is any audit program can help me auditing
> my 2 Firewalls: Fortigate NGX-R60 and Sidewinder.

Ok. First of all I would suggest you read two documents: the OSSTMM
methodology (available at http://www.isecom.org/osstmm/, which has a
specific section firewall testing) as well as NIST's DRAFT Technical
Guide to Information Security Testing
(http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-115), its
Guidelines on Firewalls and Firewall Policy
(http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf, which
has a specific section on firewall testing) and the Guidelines on
Network Security Testing
(http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf,
which is however, slightly dated). These will provide some foundation
on how you should test a firewall ruleset and even some of the basic
tools.

Here are teh steps I've used in the past when doing audits:

1.- First of all: know the policy (controls) that should be
implemented in the firewall. Do not ask for the actual firewall
ruleset but get to know the network diagram and ask (maybe to others):
what should be allowed and what not? If you don't do this step you
will not be able to understand the firewall ruleset and make
recommendations if you see the ruleset deviate from the policy.

2.- Ask for the firewall ruleset, review both the rules and global
configuration (some global parameters might change the firewall
behaviour) manually (for some technologies, however, see below). Note
any differences with what was expected in 1). Ask and learn about the
exceptions or strange things in the firewall ruleset. You can use
http://csrc.nist.gov/groups/SMA/fasp/documents/network_security/HCW_Firewall_Worksheet.doc, for example, as a documentation
template.

You don't need access to the console itself to review the ruleset
although in some cases this is the only alternative because the people
managing the firewall don't know how to "export" the ruleset and can
only provide (at best) screen shots. Also notice that in many
firewalls there are global parameters that might be defined which
impact the behaviour of the firewall ruleset. This is the case, for
example of Check Point Firewall-1's "implied" rules and the way zones
are defined and assigned to interfaces in Juniper's NetScreens. If you
only get the firewall ruleset (who is allowed to talk to who and using
which protocol) you might not be "seeing" the whole picture.

And this is when the last step comes.

3.- Test the firewall ruleset itself. The fact that there is a ruleset
defined in a console is not a guarantee that the device is actually
using it! (or, what's more commmon, there might be predefined rules
which are not seen in the ruleset).

Test with one (always the same) system through the different networks
the firewall is connected and determine the visibility of other
systems in other networks. Once this is done, test with *two* systems
(in different networks) and test the visibility between all networks.
There is some software you can use for this (besides network scanning
tools such as nmap) such as ftester
(http://dev.inversepath.com/trac/ftester). IIRC there has been
discussion in this same list (in the past) about such tools.

As you said, if the firewall is in production there might be IPS out
there blocking your network reconnaissance attempts. You might need to
ask the people managing them to whitelist the IPs you are using for
testing. Notice, however, that you do not need to do a full network
scan (visibility+vulnerability testing) as many tools will do if not
properly configured. You just need to do visibility scans to test the
firewall ruleset. Unless, of course, the firewall itself implements an
IPS (like Check Point's Firewall-1 NG AI and later and many other
firewalls) and you want to test that too.

4.- Review the firewall software version. Is it current? Is it
supported by the vendor?

5.- If the firewall is running on a standard operating system, review
the OS itself. Use the hardening configuration guidelines from NSA
(http://www.nsa.gov/snac/downloads_all.cfm?MenuID=scg10.3.1). You can
use the tools developed by the Center of Internet Security
(http://www.cisecurity.com) to automatically review the OS
configuration or the Audit scripts from Tiger
(http://cvs.savannah.nongnu.org/viewvc/tiger/audit/?root=tiger) to
recover the configuration and analyse it offline.

6.- If the firewall is running in a non-standard OS (such as IPSO or
SecurePlatform in the Check Point case or a vendor's OS for
appliances) then you will have to read through the vendor's
documentation in order to find the hardening guidelines. In some cases
you might find some automatic tools, for example, the CIS has a
benchmark for Check Point on Secure Platform
(http://www.cisecurity.com/bench_checkpoint.html)

In order to review the firewall ruleset you can use some tools to
assist you. I know of two I've used in the past: Algosec's Firewall
Analyser (http://www.algosec.com/, covers Check Point Firewall-1,
Juniper NetScreen, and Cisco PIX) and Yixue
(http://yixue.sourceforge.net/, only covers Firewall-1). These tools
will provide some guidelines on how the firewall should be configured
and might pinpoint specific problems which are common to all firewall
configurations. They will not, however, be able to tell you if the
ruleset defined in the firewall adjusts to the access control policy
the organisation wants.

Hopefully these guidelines are useful for you (and maybe to others in
the list too!)

Regards

Javier

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:15 EDT