Although Unified Threat Management and other integrated security devices have emerged in recent years, the firewall is still one of the basic security devices in many organizations. Are your firewalls solid? This article introduces the concept of auditing or testing a firewall.
First, we need to define the firewall. A firewall is an application, device, or system that controls the flow of communication between two networks according to a set of rules. It may also be a group of systems with such functions. It can protect systems from external and internal threats, separate the sensitive part of a private network from less sensitive areas, encrypt sensitive data transmitted between the internal and external networks (when used as a VPN endpoint), or hide internal network addresses from the external network (network address translation). The firewall takes the traffic permitted by the router and filters it thoroughly. Firewalls come in different types, including static packet filters (for example, Nortel's Accelar router), stateful firewalls (for example, Cisco's PIX), and proxy firewalls.
Like routers, firewalls use several filtering techniques or methods to enforce security. These include packet filtering, stateful inspection, proxy or application gateways, and deep packet inspection. A firewall may use one of these methods, or combine several of them to form an appropriately robust configuration.
A good way to begin testing a firewall is to collect information from the firewall's owners. These people may include members of the audit team, system administrators, network administrators, the policy team, and information security personnel. The main point is to collect and compare everyone's understanding of what the firewall should do and how it should be configured to meet the requirements of the network and systems. Obtain any existing firewall documentation and network diagrams to verify the information obtained from the interviewees. Ideally, a firewall is a control mechanism configured to reflect policy. This means that the related policies must be established before the firewall is configured. Sadly, few organizations do this.
After the above information is collected, the auditor can further understand the firewall architecture and determine whether the firewall is configured to segment the network correctly and protect information. The next step is to evaluate the operating system configuration, which underlies the firewall configuration. All firewalls have an operating system. Some vendors claim that the firewall is only an appliance; in fact, an appliance is typically just a hardened operating system. Such a device may run on a stripped-down Unix system or on a vendor-customized operating system, such as Cisco's ASA. Firewalls and routers are both software-driven; packaging them as appliances only makes the code harder to see.
Next, ensure that the system administrator follows best practices: user management, patch updates, change control, and configuration backups. If the firewall is not patched, it will eventually be compromised. Being a security device does not automatically make it secure.
Finally, verify that the firewall's rulebase matches the rules and policies of the organization.
Firewall testing should be coordinated with the other components of the organization's defense-in-depth approach, and the organization should not rely solely on a single defense. The firewall is not a panacea for all security ills. Its main purpose is to delay attacks and record activity.
The overall results of testing or auditing the firewall include confirmation of any security vulnerabilities and whether the firewall performs its functions according to the company's security policy. The audit also needs to assess whether the firewall's installation, configuration, and operation are secure enough to protect the information or services the firewall is meant to protect. The identified risks and their likelihood should be considered.
Operating System Configuration
When auditing a firewall, auditors must look at the platform or operating system on which the firewall runs.
Auditors need to check whether the operating system supporting the firewall contains only the minimum functions or services that the firewall needs in order to operate. A firewall should be an isolated system dedicated to one purpose: filtering communications based on defined rules. The simpler the installation, the simpler the management. The fewer features there are, the fewer patches are required and the fewer vulnerabilities exist.
Many operating systems have tools to determine which ports are open on the system. Here is an example for Windows:
netstat -a
On Unix-like operating systems, you can run the following commands:
lsof -i, netstat -a, or ps -aef
When determining open ports and services, the firewall function should be disabled (either disabled outright, or running a policy that permits all communication). The purpose is to test the ports and services of the operating system itself. It is important to perform this on a secure network and not to connect the firewall to the Internet while it is in this state. Remember, in this mode the firewall is just a router.
In addition, security settings and operating system vulnerabilities should be analyzed. Each operating system includes its own set of security features and vulnerabilities, and different vendors offer different security features. For example, the default security settings of the operating system may not have been modified during installation, and those defaults may not meet the security level required by the security policy. The most common security settings to evaluate include access rules, password rules, and logon rules. Other operating system settings and parameters should also be confirmed.
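The following script, added here as an illustration and not part of the original article, automates the comparison the previous paragraphs describe: it parses `netstat -an` style output taken from the firewall host (the sample is constructed, Linux format) and reports every listening service that the assumed platform allowlist does not cover.

```python
"""Audit the services listening on a firewall host against an allowlist.

Added example, not code from the article. It assumes Linux-style
`netstat -an` output; the sample below is constructed for the demo.
"""

# Constructed sample of `netstat -an` output captured on a firewall host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:22             10.0.0.50:51234         ESTABLISHED
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:514             0.0.0.0:*
"""

# Services the (assumed) policy allows on the firewall platform itself:
# SSH for management and syslog for log collection.
ALLOWED = {("tcp", 22), ("udp", 514)}


def listening_sockets(netstat_output):
    """Return the set of (proto, local_addr, port) sockets that accept traffic."""
    found = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header line, unix sockets, blank lines
        proto = fields[0].rstrip("6")
        addr, port = fields[3].rsplit(":", 1)  # rsplit copes with IPv6 ':::22'
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue  # established or closing sessions are not services
        found.add((proto, addr, int(port)))
    return found


def unexpected_services(netstat_output, allowed=ALLOWED, loopback_ok=True):
    """List listeners the allowlist does not cover, sorted for the report."""
    flagged = []
    for proto, addr, port in listening_sockets(netstat_output):
        if (proto, port) in allowed:
            continue
        if loopback_ok and addr.startswith("127."):
            continue  # bound to loopback only: unreachable from either network
        flagged.append((proto, addr, port))
    return sorted(flagged)


if __name__ == "__main__":
    for proto, addr, port in unexpected_services(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

On the sample, the DNS listener on tcp/53 and the SNMP agent on udp/161 are flagged; both are services the later configuration checklist says do not belong on the firewall platform.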
Firewall Configuration
Having discussed the operating system of the firewall platform, the next step is to verify the firewall configuration. All firewalls have both a configuration and a policy, and the two should not be confused. The configuration is the set of basic settings related to the firewall software and its installation. Changing the firewall configuration changes the firewall's behavior.
Auditors must check that the firewall is located on a dedicated, isolated system that filters packets and logs them. For example, DNS, email, and load balancing must not be installed on the same host or handled by the firewall platform. The only exception is load balancing of the firewall itself, which is a feature of high-availability firewalls and should be permitted.
Because the basic purpose of the firewall is to manage the flow of information between two networks, auditors must review the firewall configuration to observe how it implements this function. We need to verify that the communications permitted by the firewall are consistent with the security policy. This article discusses testing the rulebase, but the following key points need to be considered:
The firewall's access rules (authentication, authorization, and so on) are consistent with the security policy and best practices.
An encrypted channel is used to access the firewall system for management and maintenance.
Physical access to the device is restricted.
The firewall is configured to hide internal, restricted DNS information from the external network.
SNMP requests from the external network are restricted by the firewall.
The firewall hides internal information from external sources.
The firewall is configured to deny all services unless they are explicitly permitted.
Security patches are applied to the firewall system.
Configuration settings are backed up correctly, and only authorized persons can access the backups.
Figure 1 shows an example of a standard firewall rulebase. In this example, the standard policy describes the default settings in detail.
Figure 1
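As an added example (not the article's own code or Firewall Builder output), the script below encodes three of the checklist points above, default deny, encrypted management access, and restriction of SNMP from outside, as checks over a simple first-match rulebase; the rule format and the sample rulebase are constructed for this demonstration.

```python
"""Check a firewall rulebase against the policy points listed above.

Added example, not the article's own code or Firewall Builder output;
the rule format and the sample rulebase are constructed for this demo.
"""

# Each rule is (source, destination, service, action), evaluated first match
# wins. "external"/"internal" name the networks behind those interfaces and
# "firewall" the device itself. This sample deliberately contains defects.
SAMPLE_RULES = [
    ("mgmt-net", "firewall", "ssh", "accept"),
    ("mgmt-net", "firewall", "telnet", "accept"),  # unencrypted management
    ("external", "firewall", "snmp", "accept"),    # SNMP reachable from outside
    ("internal", "external", "http", "accept"),
    ("internal", "external", "https", "accept"),
    ("external", "internal", "any", "accept"),     # blanket inbound allow
    ("any", "any", "any", "deny"),                 # cleanup rule
]

DENY_ALL = ("any", "any", "any", "deny")
PLAINTEXT_MGMT = {"telnet", "http"}  # management must use an encrypted channel


def audit_rulebase(rules):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not rules or rules[-1] != DENY_ALL:
        findings.append("no final deny-all rule: traffic is not denied by default")
    for idx, (src, dst, svc, action) in enumerate(rules, start=1):
        if action != "accept":
            continue
        if dst == "firewall" and svc in PLAINTEXT_MGMT:
            findings.append(f"rule {idx}: firewall managed over unencrypted {svc}")
        if src == "external" and svc == "snmp":
            findings.append(f"rule {idx}: SNMP permitted from the external network")
        if src == "external" and svc == "any":
            findings.append(f"rule {idx}: every service permitted from external to {dst}")
        if (src, dst, svc) == ("any", "any", "any"):
            findings.append(f"rule {idx}: permit-all rule defeats default deny")
    return findings


if __name__ == "__main__":
    for finding in audit_rulebase(SAMPLE_RULES):
        print(finding)
```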
Working with Firewall Builder
Firewall Builder is a GPL-licensed software package designed to help administrators configure firewalls. The current version supports many firewall platforms, such as Firewall Services Module (FWSM), ipfilter, ipfw, iptables, PF, and Cisco Private Internet Exchange (PIX), and many host platforms, such as FreeBSD, Cisco FWSM, Linksys/Sveasoft, GNU/Linux (kernels 2.4 and 2.6), Mac OS X, OpenBSD, and Solaris.
After setting the standard policy, the administrator's next decision is to define the firewall interfaces and then configure each one. A firewall usually has external (untrusted) and internal (trusted) interfaces. Therefore, testing the firewall includes testing the configuration of each interface to verify its consistency with the organization's firewall policy.
Build Test
There are many configuration guides on the Firewall Builder website, as shown in Figure 2:
Figure 2
Most vendors have their own configuration and installation guides. One of the main advantages of using a tool such as Firewall Builder is the ability to manage several systems, as shown in Figure 3:
Figure 3
This interface allows auditors to quickly verify configuration information against policies. In addition, the tool can save rule sets, which strengthens change management. By looking back at previous rule sets, the auditor can see patterns of change and find the reason a rule was added.
After the final compilation and installation of the policy, the policy installer adds a feature for quickly viewing dates, as shown in Figure 4: