Review Your Change Management Process
A good change management process is essential to ensure proper execution and traceability of firewall changes, as well as sustainability over time to ensure continuous compliance vs. point-in-time compliance. Poor documentation of changes, including why the change is needed, who authorized the change, etc. and poor validation of the impact on the network are two of the most common issues when it comes to change control. a. Review the procedures for rule-base maintenance. Just a few key questions to review include:
-- Are requested changes going through proper approvals?
-- Are changes being implemented by authorized personnel? And are they being tested?
-- Are the changes being documented per regulatory or internal policy requirements?
-- Each rule should have a comment that includes the change ID of the request and the name/initials of the person who implemented the change.
-- Is there an expiration date for the change?
The second technical step in an audit is usually a review of the firewall rule base (also called a policy). The methodology for this step varies widely among auditors because it has traditionally been difficult to do and heavily technology-dependent.
For each of these questions you should have a ranking based on the type of firewall and its placement in your infrastructure. For example, a firewall not connected to the Internet does not have the same risk as one that is connected to the Internet; internal firewalls tend to be more permissive than external firewalls.
The first questions that should be asked about the rule base are related to basic policy maintenance and good design practices that grant minimal access for each device. To answer these questions, you need to look at each rule in your rule base and as well as a year"s worth of logs, which will tell you which rules are being used. This has always been a lengthy manual process until recently, with the arrival of tools that can be used to answer these questions programmatically and automatically.
--- How many rules does the policy have? How many did it have at last audit? Last year?
--- Are there any uncommented rules?
--- Are there any redundant rules that should be removed?
--- Are there any rules that are no longer used?
--- Are there any services in the rules that are no longer used?
--- Are there any groups or networks in the rules that are no longer used?
--- Are there any firewall rules with ANY in three fields (source, destination, service/protocol) and a permissive action?
--- Are there any rules with ANY in two fields and a permissive action?
--- Are there any rules with ANY in one field and a permissive action?
--- Are there any overly permissive rules: rules with more than 1000 IP addresses allowed in the source or destination? (You might want a number other than 1000, like 10,000, or 500)
The second list of questions that should be asked about a rule base are related to risk and compliance. These rules are more technically challenging to answer. You must understand the technology of your firewall to understand what traffic is actually passed by each rule, and if there is a group of services called "allowed services," then which ports and protocols actually pass though that rule.
--- Are there any rules that violate our corporate security policy?
--- Are there any rules that allow risky services inbound from the Internet?
While you may have a different list of what is considered "risky" for your company, most start with protocols that pass login credentials in the clear like telnet, ftp, pop, imap, http, netbios, etc.
--- Are there any rules that allow risky services outbound to the Internet?
--- Are there any rules that allow direct traffic from the Internet to the internal network (not the DMZ)?
--- Are there any rules that allow traffic from the Internet to sensitive servers, networks, devices or databases?
If you take the time to master those two processes you will find that it is much easier to pass firewall audits. Having responded to hundreds of firewall audits, I"m a huge fan of automating this process as much and as deeply as possible. That provides the information administrators need to answer difficult audit questions. However, if you are tasked with auditing a large set of firewalls on an ongoing basis or even a couple of firewalls with large and unwieldy rule bases - the time and money saved combined with eliminating the margin for error that exists with any attacking any granular, data-intensive, audit manually makes it worth the cost and effort. If automation is not an option, then addressing these two areas are absolutely essential to maintaining the health and effectiveness of your firewall policies
A typical website penetration testing service comprises of simulation of real life hacking methodologies. It encompasees various security attack vectors and exploitation of potential vulnerabilitiesRead More
We follow a systematic and yet agile approach to test website security. This helps our customers gain an extremly accurate and elaborate results along with a knowledge base and years of experience on the subject matterRead More
Security testing is a continuous improvement process to get benefited in terms of increasing ROI (Returns On Investment). Benefits of a pen-test are short term as well as long termRead More
Here is a list of typical questions which are in the minds of those who wish to leverage our services. If you see more information, feel free to contact usRead More
Please see a list of key vulnerabilities which must be tested while performing a website or webportal penetration testing.Read More
Valency Networks is a very agile, friendly and fun loving atmosphere and yet we maintain a cutting edge technical vibrant work environment.