A hardware firewall is an important barrier protecting the security of the internal network. Its security and stability directly affect the security of the entire internal network, so routine checks are important to keeping a hardware firewall secure.
Many hidden troubles and faults show one sign or another before they break out. The task of routine inspection is to find these security risks and to localize the problem as far as possible, so that it can be resolved.
In general, routine inspection of a hardware firewall covers the following:
1. Configuration files for hardware firewalls
No matter how comprehensively and rigorously you plan when installing a hardware firewall, conditions change continually once it is put into real use. The firewall's rules are constantly changed and adjusted, and its configuration parameters change frequently. As a network security manager, it is best to write a security policy governing changes to the firewall configuration and rules, and to enforce it strictly. For the hardware firewall configuration it covers, the policy should spell out in detail which traffic is allowed and which services go through a proxy.
The security policy should specify the steps for modifying the hardware firewall configuration: which authorizations are needed, who may make such changes, when changes may be made, how changes are recorded, and so on. It should also specify the division of responsibilities, for example one person makes the change, another records it, and a third checks and tests that the settings are correct after the change. A detailed security policy ensures that hardware firewall configuration changes follow a set procedure and can avoid errors and security vulnerabilities caused by configuration changes.
2. Disk usage of hardware firewalls
If logs are kept on the hardware firewall, it is important to check its disk usage. If logs are not kept, checking disk usage becomes even more important. When logs are kept, an unusual increase in disk consumption most likely indicates a problem with the log cleanup process, which is relatively benign. When logs are not kept, abnormal growth in disk usage may mean that a rootkit has been installed on the hardware firewall and that it has been breached.
Therefore, the network security manager first needs to understand the firewall's disk usage under normal conditions and set a check baseline from it. Once the disk usage of the hardware firewall exceeds this baseline, the system has a security or other problem that requires further examination.
3. CPU load of hardware firewall
As with disk usage, CPU load is an important indicator of whether the hardware firewall system is functioning properly. As a security manager, you must know the normal CPU load of the hardware firewall system. A low load does not necessarily mean that all is well, but a high load indicates that the firewall system must have a problem. Excessive CPU load is most likely the result of a DoS attack on the hardware firewall or of its external network connection being disconnected.
4. Daemon programs of the hardware firewall system
Each firewall runs a set of daemon programs in normal operation, such as a name service program, a system log program, a network distribution program, or an authentication program. A routine check must verify that these programs are running. If some daemon programs are found not to be running, check further to find out what is stopping them and which daemon programs are still running.
5. System files
Key system files change in three different ways: purposeful, planned changes by administrators, such as those made for a planned system upgrade; occasional changes to system files by administrators; and modification of the files by an attacker.
Regularly inspecting system files and checking their modification records makes it possible to detect attacks on the firewall in time. In addition, it should be emphasized that the policy for modifying the hardware firewall configuration should preferably include keeping a record of modifications to system files.
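One way to carry out this check, shown as an added example that is not part of the original article: hash the system files, compare them with a stored baseline, and reconcile every difference against the change record. The file names, the sample tree and the `recorded` set are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(baseline: dict, current: dict, recorded: set) -> dict:
    """Classify every difference between two snapshots.

    recorded: paths listed in the change record the security policy requires.
    """
    findings = {"recorded": [], "unrecorded": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        findings["recorded" if path in recorded else "unrecorded"].append((path, kind))
    return findings

def demo() -> dict:
    """Constructed file tree standing in for a firewall's system files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc/fw.conf").write_text("allow tcp 443\n")
        (root / "etc/syslog.conf").write_text("*.info /var/log/fw\n")
        (root / "bin/authd").write_bytes(b"original daemon image")
        baseline = snapshot(root)
        # Planned change, entered in the change record.
        (root / "etc/fw.conf").write_text("allow tcp 443\nallow tcp 22\n")
        # Changes nobody recorded: a replaced daemon and a new hidden file.
        (root / "bin/authd").write_bytes(b"replaced daemon image")
        (root / "bin/.cache").write_bytes(b"unexpected")
        return audit(baseline, snapshot(root), recorded={"etc/fw.conf"})

if __name__ == "__main__":
    for bucket, items in demo().items():
        for path, kind in items:
            print(f"{bucket:<10} {kind:<8} {path}")
```

Anything that lands in the `unrecorded` bucket is either an occasional change that skipped the procedure or an attacker's modification, and both need follow-up.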
6. Exception Log
The hardware firewall log records all traffic that is allowed or denied and is the main source of information about the running state of the hardware firewall. Because the log holds a large amount of data, checking it for exceptions should usually be an automated process. What counts as an exception event must be determined by the administrator: only when the administrator has defined the exception events to record will the hardware firewall keep the corresponding log for reference.
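A sketch of such an automated check, added here as an example and not taken from the original article: administrator-defined exception rules are applied to each log line, and lines that cannot be parsed are reported instead of being skipped. The log format, the management ports, the deny threshold and the sample lines (documentation address ranges) are all constructed assumptions.

```python
import re
from collections import Counter

# Assumed log format: "<timestamp> <ALLOW|DENY> <proto> <src>:<port> -> <dst>:<port>"
LINE = re.compile(
    r"(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ALLOW TCP 198.51.100.20:40112 -> 10.0.0.10:443
2024-05-01T10:00:02 DENY TCP 203.0.113.7:51000 -> 10.0.0.5:22
2024-05-01T10:00:02 DENY TCP 203.0.113.7:51001 -> 10.0.0.5:23
2024-05-01T10:00:03 DENY TCP 203.0.113.7:51002 -> 10.0.0.5:3389
2024-05-01T10:00:04 ALLOW TCP 198.51.100.99:40200 -> 10.0.0.1:22
2024-05-01T10:00:05 DENY UDP 198.51.100.20:5353 -> 10.0.0.10:53
garbled line the parser cannot read
"""

# Administrator-defined exception criteria (assumed values).
MGMT_PORTS = {"22", "8443"}   # ports that should never be allowed through
DENY_THRESHOLD = 3            # denies from one source before it is reported

def find_exceptions(log_text: str) -> list:
    """Return (rule, detail) tuples for every exception event in the log."""
    events, denies = [], Counter()
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:
            # A line the parser cannot read is itself worth a look.
            events.append(("unparsed-line", f"line {n}"))
            continue
        e = m.groupdict()
        if e["action"] == "ALLOW" and e["dport"] in MGMT_PORTS:
            events.append(("mgmt-port-allowed", f"{e['src']} -> {e['dst']}:{e['dport']}"))
        if e["action"] == "DENY":
            denies[e["src"]] += 1
            if denies[e["src"]] == DENY_THRESHOLD:  # report each source once
                events.append(("repeated-deny", e["src"]))
    return events

if __name__ == "__main__":
    for rule, detail in find_exceptions(SAMPLE_LOG):
        print(f"{rule:<18} {detail}")
```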
Routine checks of these 6 aspects may not immediately uncover every problem and hidden danger a hardware firewall may encounter, but checking consistently is important for keeping the hardware firewall running stably and reliably. If necessary, the administrator can also use a packet scanner to verify that the hardware firewall is configured correctly, or go further and use a vulnerability scanning program to simulate attacks and assess the capabilities of the hardware firewall.