Re: Auditing Firewalls

From: Gleb Paharenko (gpaharenko@gmail.com)
Date: Fri Dec 14 2007 - 08:31:47 EST


Hi.

I've found audit scripts are very useful not only for security checks,
but for gathering info from the audited system. It is also easier to
make baselines. Can somebody provide more links to good audit
scripts, especially for Windows? Did somebody compare Solaris scripts
with JASS, and Windows stuff with MBSA? Did someone give a shot to
cscript instead of batch files?

2007/12/12, Javier Fernández-Sanguino <jfernandez@germinus.com>:
> ahgaber_rehan@yahoo.com wrote:
>
> > Hi,
> > I just shifted to IT Audit field.
> > I was wondering If there is any audit program can help me auditing
> > my 2 Firewalls: Fortigate NGX-R60 and Sidewinder.
>
> Ok. First of all I would suggest you read two documents: the OSSTMM
> methodology (available at http://www.isecom.org/osstmm/, which has a
> specific section firewall testing) as well as NIST's DRAFT Technical
> Guide to Information Security Testing
> (http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-115), its
> Guidelines on Firewalls and Firewall Policy
> (http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf, which
> has a specific section on firewall testing) and the Guidelines on
> Network Security Testing
> (http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf,
> which is however, slightly dated). These will provide some foundation
> on how you should test a firewall ruleset and even some of the basic
> tools.
>
> Here are the steps I've used in the past when doing audits:
>
> 1.- First of all: know the policy (controls) that should be
> implemented in the firewall. Do not ask for the actual firewall
> ruleset but get to know the network diagram and ask (maybe to others):
> what should be allowed and what not? If you don't do this step you
> will not be able to understand the firewall ruleset and make
> recommendations if you see the ruleset deviate from the policy.
>
> 2.- Ask for the firewall ruleset, review both the rules and global
> configuration (some global parameters might change the firewall
> behaviour) manually (for some technologies, however, see below). Note
> any differences with what was expected in 1). Ask and learn about the
> exceptions or strange things in the firewall ruleset. You can use
> http://csrc.nist.gov/groups/SMA/fasp/documents/network_security/HCW_Firewall_Worksheet.doc, for example, as a documentation
> template.
>
> You don't need access to the console itself to review the ruleset
> although in some cases this is the only alternative because the people
> managing the firewall don't know how to "export" the ruleset and can
> only provide (at best) screen shots. Also notice that in many
> firewalls there are global parameters that might be defined which
> impact the behaviour of the firewall ruleset. This is the case, for
> example of Check Point Firewall-1's "implied" rules and the way zones
> are defined and assigned to interfaces in Juniper's NetScreens. If you
> only get the firewall ruleset (who is allowed to talk to who and using
> which protocol) you might not be "seeing" the whole picture.
>
> And this is when the last step comes.
>
> 3.- Test the firewall ruleset itself. The fact that there is a ruleset
> defined in a console is not a guarantee that the device is actually
> using it! (or, what's more common, there might be predefined rules
> which are not seen in the ruleset).
>
> Test with one (always the same) system through the different networks
> the firewall is connected and determine the visibility of other
> systems in other networks. Once this is done, test with *two* systems
> (in different networks) and test the visibility between all networks.
> There is some software you can use for this (besides network scanning
> tools such as nmap) such as ftester
> (http://dev.inversepath.com/trac/ftester). IIRC there has been
> discussion in this same list (in the past) about such tools.
>
> As you said, if the firewall is in production there might be IPS out
> there blocking your network reconnaissance attempts. You might need to
> ask the people managing them to whitelist the IPs you are using for
> testing. Notice, however, that you do not need to do a full network
> scan (visibility+vulnerability testing) as many tools will do if not
> properly configured. You just need to do visibility scans to test the
> firewall ruleset. Unless, of course, the firewall itself implements an
> IPS (like Check Point's Firewall-1 NG AI and later and many other
> firewalls) and you want to test that too.
>
> 4.- Review the firewall software version. Is it current? Is it
> supported by the vendor?
>
> 5.- If the firewall is running on a standard operating system, review
> the OS itself. Use the hardening configuration guidelines from NSA
> (http://www.nsa.gov/snac/downloads_all.cfm?MenuID=scg10.3.1). You can
> use the tools developed by the Center of Internet Security
> (http://www.cisecurity.com) to automatically review the OS
> configuration or the Audit scripts from Tiger
> (http://cvs.savannah.nongnu.org/viewvc/tiger/audit/?root=tiger) to
> recover the configuration and analyse it offline.
>
> 6.- If the firewall is running in a non-standard OS (such as IPSO or
> SecurePlatform in the Check Point case or a vendor's OS for
> appliances) then you will have to read through the vendor's
> documentation in order to find the hardening guidelines. In some cases
> you might find some automatic tools, for example, the CIS has a
> benchmark for Check Point on Secure Platform
> (http://www.cisecurity.com/bench_checkpoint.html)
>
>
> In order to review the firewall ruleset you can use some tools to
> assist you. I know of two I've used in the past: Algosec's Firewall
> Analyser (http://www.algosec.com/, covers Check Point Firewall-1,
> Juniper NetScreen, and Cisco PIX) and Yixue
> (http://yixue.sourceforge.net/, only covers Firewall-1). These tools
> will provide some guidelines on how the firewall should be configured
> and might pinpoint specific problems which are common to all firewall
> configurations. They will not, however, be able to tell you if the
> ruleset defined in the firewall adjusts to the access control policy
> the organisation wants.
>
>
> Hopefully these guidelines are useful for you (and maybe to others in
> the list too!)
>
> Regards
>
> Javier
>
>
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

-- 
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
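Steps 1 and 2 of the quoted procedure boil down to one check: does every permissive rule in the ruleset correspond to a flow the documented policy allows, and is every allowed flow actually backed by a rule? The script below is an added example for this thread, not code from either poster or from any firewall vendor; the zone map, rule format, policy set and "implied" rule are constructed for illustration, and a rule that spans several zones is attributed to the single zone containing it.

```python
"""Compare a firewall ruleset against the documented access policy (audit steps 1 and 2)."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: the network each audit zone corresponds to (step 1: the diagram).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("10.0.0.0/8"),
}

# Step 1 output: flows the policy says SHOULD be allowed, as (src zone, dst zone, TCP port).
POLICY = {("internet", "dmz", 443), ("lan", "dmz", 443), ("lan", "internet", 80)}

@dataclass(frozen=True)
class Rule:
    action: str  # "accept" or "drop"
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: int    # destination TCP port, 0 meaning "any"

# Constructed ruleset as exported from the console (step 2).
RULES = [
    Rule("accept", "0.0.0.0/0", "192.0.2.10/32", 443),  # web server in the DMZ, matches policy
    Rule("accept", "10.0.0.0/8", "192.0.2.0/24", 22),   # SSH from LAN to DMZ, not in policy
    Rule("drop", "0.0.0.0/0", "0.0.0.0/0", 0),          # cleanup rule
]
# Constructed stand-in for a global "implied" rule that does not appear in the exported ruleset.
IMPLIED_RULES = [Rule("accept", "0.0.0.0/0", "192.0.2.0/24", 0)]

def zone_of(cidr):
    """Most specific zone whose network contains the given prefix."""
    net = ipaddress.ip_network(cidr)
    containing = [name for name, znet in ZONES.items() if net.subnet_of(znet)]
    return max(containing, key=lambda name: ZONES[name].prefixlen)

def audit(rules, policy):
    """Return (deviations, gaps).

    deviations: accept rules permitting a flow the policy does not list (an "any"
                port is always a deviation because the policy names specific ports).
    gaps:       policy flows that no accept rule actually permits.
    """
    deviations, permitted = [], set()
    for rule in rules:
        if rule.action != "accept":
            continue
        flow = (zone_of(rule.src), zone_of(rule.dst), rule.port)
        if rule.port == 0 or flow not in policy:
            deviations.append(rule)
        else:
            permitted.add(flow)
    return deviations, sorted(policy - permitted)
```

Running `audit(RULES + IMPLIED_RULES, POLICY)` flags the SSH rule and the implied any-port rule as deviations and reports the two LAN flows the policy allows but no rule grants; feeding the implied rules in separately is what surfaces the "whole picture" problem the post describes.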


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:16 EDT