Routine inspection of hardware firewalls

Source: Internet
Author: User

Source: Computer newspaper

The hardware firewall is an important barrier to ensure internal network security. Its security and stability are directly related to the security of the entire internal network. Therefore, routine inspection is very important to ensure the security of the hardware firewall.
Many of the hidden risks and faults in a system show signs in one way or another before they break out. The task of routine inspection is to discover these security risks and locate the problems as precisely as possible, which makes them easier to solve.
Generally, the routine inspection of the hardware firewall mainly targets the following:
1. Hardware firewall configuration file
No matter how comprehensive and rigorous you are when installing the hardware firewall, once it is put into actual use, conditions can change at any time. The rules of the hardware firewall are constantly changed and adjusted, and the configuration parameters also change from time to time. As a network security manager, it is best to write a security policy for modifying firewall configurations and rules, and to enforce it strictly. The hardware firewall configuration involves details such as which traffic is allowed and which services require a proxy.
The security policy must specify the steps for modifying the configuration of the hardware firewall, such as which authorizations need to be modified, who can perform such modifications, when the modifications can be made, and how to record the changes. The security policy should also specify the division of responsibilities. For example, one person makes a specific change, a second person is responsible for recording it, and a third person checks and tests whether the modified settings are correct. A detailed security policy ensures that configuration changes to the hardware firewall follow a procedure, and avoids errors and security vulnerabilities caused by configuration changes.
2. Disk usage of the hardware firewall
If logs are retained on the hardware firewall, it is very important to check the disk usage of the hardware firewall. If you do not keep log records, it is even more important to check it. When logs are retained, an abnormal increase in disk usage may indicate a problem in the log clearing process. This is the better of the two cases. If the disk usage increases abnormally when no logs are retained, it indicates that a rootkit may have been installed on the hardware firewall and that it has been compromised.
Therefore, the network security administrator must first understand the disk usage of the firewall under normal circumstances and set a baseline for inspection. Once the disk usage of the hardware firewall exceeds this baseline, it means that the system has encountered security or other problems and requires further checks.
3. CPU load of the hardware firewall
Similar to disk usage, CPU load is also an important indicator for determining whether the hardware firewall system is running normally. As a security manager, you must know the normal value of the CPU load of the hardware firewall system. A low load value does not necessarily indicate that everything is normal. However, if the load value is too high, the firewall system must be faulty. High CPU load may be caused by DoS attacks on the hardware firewall or the disconnection of external network connections.
4. Hardware firewall system daemons
When it is running normally, each firewall has a set of daemon programs running, such as name service programs, system log programs, network distribution programs, and authentication programs. In the routine check, you must check whether these programs are running. If you find that some daemons are not running, you need to check further why they are not running and which other daemons are still running.
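The baseline checks from sections 2 to 4, as an added example that is not part of the original article. The readings, the daemon names and the rule that derives the baseline as mean plus three standard deviations are assumptions made for this sketch.

```python
from statistics import mean, stdev

# Constructed history of healthy readings in percent; not from a real device.
HISTORY = {"disk_pct": [41, 42, 40, 43, 42, 41],
           "cpu_pct": [18, 22, 20, 25, 19, 21]}
# Daemons the administrator expects to see; the names are illustrative.
EXPECTED_DAEMONS = {"named", "syslogd", "authd"}


def baseline(samples, k=3.0):
    """Upper bound of 'normal': mean + k standard deviations (assumed rule)."""
    return mean(samples) + k * stdev(samples)


def inspect(snapshot, logs_retained, history=HISTORY, expected=EXPECTED_DAEMONS):
    """Return (check, finding) tuples for one inspection snapshot."""
    findings = []
    if snapshot["disk_pct"] > baseline(history["disk_pct"]):
        # The article reads the same symptom differently depending on logging.
        cause = ("check the log clearing process" if logs_retained
                 else "no logs are kept: treat as possible compromise")
        findings.append(("disk", cause))
    if snapshot["cpu_pct"] > baseline(history["cpu_pct"]):
        findings.append(("cpu", "check for DoS traffic or a dropped external link"))
    running = set(snapshot["daemons"])
    missing = sorted(expected - running)
    if missing:
        still = sorted(expected & running)
        findings.append(("daemons", f"not running: {missing}; still running: {still}"))
    return findings


if __name__ == "__main__":
    # Constructed snapshot: disk far above baseline, one daemon missing.
    reading = {"disk_pct": 67, "cpu_pct": 23, "daemons": ["named", "syslogd"]}
    for check, finding in inspect(reading, logs_retained=False):
        print(check, "->", finding)
```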
5. System files
Changes to key system files come from three main sources: administrators make purposeful and planned changes, such as modifications caused by planned system upgrades; administrators occasionally modify system files; and attackers modify files.
Check system files regularly and verify them against the records of system file modifications, so that attacks against the firewall are detected in a timely manner. In addition, it should be emphasized that it is best to cover the recording of system file modifications in the security policy for modifying the hardware firewall configuration.
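One way to reconcile system file changes with the modification records, as an added example that is not part of the original article. The file names, the record format (path mapped to the SHA-256 written down when the change was made) and the temporary directory standing in for the firewall's file system are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(paths):
    """Map each path to the SHA-256 of its contents (None if the file is absent)."""
    result = {}
    for p in map(Path, paths):
        result[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None
    return result


def reconcile(baseline, current, change_records):
    """Sort every changed file into 'recorded' or 'unrecorded'.

    change_records maps path -> hash noted when an approved change was made.
    A deleted file or a hash that matches no record is always 'unrecorded'.
    """
    report = {"recorded": [], "unrecorded": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        approved = new is not None and change_records.get(path) == new
        report["recorded" if approved else "unrecorded"].append(path)
    return report


def demo():
    """Constructed files standing in for firewall system files."""
    with tempfile.TemporaryDirectory() as d:
        rules, daemon = Path(d, "rules.conf"), Path(d, "authd")
        rules.write_text("permit tcp any host 10.0.0.5 eq 443\n")
        daemon.write_bytes(b"original binary")
        base = snapshot([rules, daemon])
        # Planned change, written into the modification record.
        rules.write_text("permit tcp any host 10.0.0.5 eq 443\ndeny ip any any\n")
        records = {str(rules): hashlib.sha256(rules.read_bytes()).hexdigest()}
        # Change that nobody recorded.
        daemon.write_bytes(b"modified binary")
        return reconcile(base, snapshot([rules, daemon]), records)


if __name__ == "__main__":
    print(demo())
```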
6. Exception log
The hardware firewall log records all permitted or denied communication, and is the main source of information about the running status of the hardware firewall. Because the volume of log data is large, checking for abnormal log entries is usually an automated process. Of course, the administrator determines what kind of event is an exception event. Only when the administrator defines and records the exception event will the hardware firewall keep the relevant logs for future reference.
Routine checks in the above six aspects may not immediately detect all the problems and risks that may occur in the hardware firewall, but regular inspection is very important for the stable and reliable operation of the hardware firewall. If necessary, the administrator can also use a packet scanner to check whether the hardware firewall is configured correctly, or even use a vulnerability scanner to simulate attacks to assess the hardware firewall's capabilities.
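An automated check for administrator-defined exception events, as an added example that is not part of the original article. The log line format, the sample lines, the two rules and the threshold are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed log lines in an assumed "time action proto src -> dst:port" format.
SAMPLE_LOG = """\
09:00:01 permit tcp 10.0.0.12 -> 203.0.113.8:443
09:00:02 deny tcp 198.51.100.7 -> 10.0.0.1:22
09:00:03 deny tcp 198.51.100.7 -> 10.0.0.1:23
09:00:04 permit tcp 192.0.2.44 -> 10.0.0.1:22
09:00:05 deny tcp 198.51.100.7 -> 10.0.0.1:8443
09:00:06 deny udp 10.0.0.30 -> 203.0.113.9:53
"""
LINE = re.compile(r"(\S+) (permit|deny) (\w+) ([\d.]+) -> ([\d.]+):(\d+)")

# Exception events as the administrator defines them (illustrative rules).
RULES = [
    ("external-mgmt-permit",
     lambda r: r["action"] == "permit" and r["port"] in (22, 23)
     and not r["src"].startswith("10.")),
]
DENY_LIMIT = 3  # denies from one source before it counts as an exception


def find_exceptions(log_text, rules=RULES, deny_limit=DENY_LIMIT):
    """Return (event_name, detail) for every administrator-defined exception."""
    events, denies = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:
            continue  # blank or unparseable line: skipped in this sketch
        rec = dict(zip(("time", "action", "proto", "src", "dst"), m.groups()[:5]),
                   port=int(m.group(6)))
        events += [(name, raw.strip()) for name, hit in rules if hit(rec)]
        if rec["action"] == "deny":
            denies[rec["src"]] += 1
            if denies[rec["src"]] == deny_limit:  # report each source once
                events.append(("repeated-deny", rec["src"]))
    return events


if __name__ == "__main__":
    for name, detail in find_exceptions(SAMPLE_LOG):
        print(name, "|", detail)
```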
