Firewall Checklist
Post date: Mar 5, 2013 10:43:21 AM
Firewall Checklist
Prepared by: Mohamed Gamal
Introduction
This checklist should be used to audit a firewall. This checklist does not provide vendor specific security considerations but rather attempts to provide a generic listing of security considerations to be used when auditing a firewall.
Only technical aspects of security are addressed in this checklist. Manual elements like physical protection for the firewall server is not considered.
Prior to using this checklist the following elements should be considered:
· Operating system: This checklist only defines the security items relating the firewall software and not to any security elements of the operating system.
· Port restrictions: A listing of ports to be restricted are highlighted in this checklist. However, prior to recommending that the ports be restricted, the auditor should ensure that the service associated with that port is not used by the business e.g. remote access via telnet. Where such situations exist this checklist attempts to provide alternate security options if the service is needed e.g. use SSH instead of Telnet.
· Modems within the internal network: Modems within the internal network are the biggest threat to subvert a firewall and thus the auditor should ensure that there are no modems within the internal network. It is senseless performing an audit on the firewall when an even bigger threat exists via the modem. The auditor should perform war dialling to identify any modems within the internal network with tools like phonesweeper.
· Application level firewalls: The inherent nature of application level firewalls require that the operating system be as secure as possible due to the close binding of these two components. Thus, the auditor should ensure that the security on the operating system is secure before evaluating the security offered by the application level firewall.
· Defence in depth: It must be recognised that the firewall implementation is a not an end to itself to provide security. Thus, it is vital that the auditor evaluate the security of the other components like IDS, operating systems, web applications, IIS/Apache, routers and databases. Some organisations have opted for firewall network appliances, which are firewalls loaded onto operating systems which have their security already preconfigured. In such instances, the auditor need only review the security of the firewall configuration instead of the operating system as well.
· Rulesets: This checklist provides a listing of best practice rulesets to be applied. However, the organisational requirements may not need all of the rulesets. For e.g. where an organisation has a need to allow access via the internet to critical servers, the rulesets wound not include a deny rule to that internal IP address for the critical server. Instead it may provide for allow access to HTTP 80 to the critical IP and deny all other traffic to the critical IP. It must be noted that some elements of the recommended rulesets have to be applied irrespective of business requirements e.g. blocking private addresses (RFC1918), illegal addresses, standard unroutables, reserved addresses, etc.
· Laptop users: Most organisations use mobile laptops for telecommuting and on the road sales, etc. This provides a further vulnerability even if the organisation operates a VPN. The hacker could easily gain access to the laptop when it is connected to the internet and download tools to the laptop that can become a problem when the laptop is again connected to the corporate network. In a VPN situation, the hacker with access to the remote station once the tunnel is connected, can access the corporate network. In such a circumstance, it is important for the auditor to determine if laptop usage occurs and to evaluate whether personal firewalls are installed on these laptops prior to usage. This checklist provides a generic set of considerations for personal firewalls, but it does not provide any product specific security recommendations.
Checklist
No.
Security Elements
Review the rulesets to ensure that they follow the order as follows:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
· anti-spoofing filters (blocked private addresses, internal addresses appearing from the outside)
· User permit rules (e.g. allow HTTP to public webserver)
· Management permit rules (e.g. SNMP traps to network management server)
· Noise drops (e.g. discard OSPF and HSRP chatter)
· Deny and Alert (alert systems administrator about traffic that is suspicious)
· Deny and log (log remaining traffic for analysis)
Firewalls operate on a first match basis, thus the above structure is important to ensure that suspicious traffic is kept out instead of inadvertently allowing them in by not following the proper order.
Application based firewall
Ensure that the administrators monitor any attempts to violate the security policy using the audit logs generated by the application level firewall. Alternatively some application level firewalls provide the functionality to log to intrusion detection systems. In such a circumstance ensure that the correct host, which is hosting the IDS, is defined in the application level firewall.
Ensure that there is a process to update the application level firewall’s vulnerabilities checked to the most current vulnerabilities.
Ensure that there is a process to update the software with the latest attack signatures.
In the event of the signatures being downloaded from the vendors’ site, ensure that it is a trusted site.
In the event of the signature being e-mailed to the systems administrator, ensure that digital signatures are used to verify the vendor and that the information transmitted has not been modified en-route.
The following commands should be blocked for SMTP at the application level firewall:
· EXPN (expand)
· VRFY (verify)
· DEBUG
· WIZARD
The following command should be blocked for FTP:
· PUT
Review the denied URL’s and ensure that they are appropriate for e.g. any URL’s to hacker sites should be blocked. In some instances organisations may want to block access to x-rated sites or other harmful sites. As such they would subscribe to sites, which maintain listings of such harmful sites. Ensure that the URL’s to deny are updated as released by the sites that warn of harmful sites.
Ensure that only authorised users are authenticated by the application level firewall.
Stateful inspection
Review the state tables to ensure that appropriate rules are set up in terms of source and destination IP’s, source and destination ports and timeouts.
Ensure that the timeouts are appropriate so as not to give the hacker too much time to launch a successful attack.
For URL’s
· If a URL filtering server is used, ensure that it is appropriately defined in the firewall software. If the filtering server is external to the organisation ensure that it is a trusted source.
· If the URL is from a file, ensure that there is adequate protection for this file to ensure no unauthorised modifications.
Ensure that specific traffic containing scripts; ActiveX and java are striped prior to being allowed into the internal network.
If filtering on MAC addresses is allowed, review the filters to ensure that it is restricted to the appropriate MAC’s as defined in the security policy.
Logging
Ensure that logging is enabled and that the logs are reviewed to identify any potential patterns that could indicate an attack.
Patches and updates
Ensure that the latest patches and updates relating to your firewall product is tested and installed.
If patches and updates are automatically downloaded from the vendors’ websites, ensure that the update is received from a trusted site.
In the event that patches and updates are e-mailed to the systems administrator ensure that digital signatures are used to verify the vendor and ensure that the information has not been modified en-route.
Location – DMZ
Ensure that there are two firewalls – one to connect the web server to the internet and the other to connect the web server to the internal network.
In the event of two firewalls ensure that it is of different types and that dual NIC’s are used. This would increase security since a hacker would need to have knowledge of the strengths, weaknesses and bugs of both firewalls.
The rulesets for both firewalls would vary based on their location e.g. between web server and the internet and between web server and the internal network.
Vulnerability assessments/ Testing
Ascertain if there is a procedure to test for open ports using nmap and whether unnecessary ports are closed.
Ensure that there is a procedure to test the rulesets when established or changed so as not to create a denial of service on the organisation or allow any weaknesses to continue undetected.
Compliance with security policy
Ensure that the ruleset complies with the organisation security policy.
Ensure that the following spoofed, private (RFC 1918) and illegal addresses are blocked:
Standard unroutables
· 255.255.255.255
· 127.0.0.0
Private (RFC 1918) addresses
· 10.0.0.0 – 10.255.255.255
· 172.16.0.0 – 172.31.255.255
· 192.168.0.0 - 192.168.255.255
Reserved addresses
· 240.0.0.0
Illegal addresses
· 0.0.0.0
UDP echo
ICMP broadcast (RFC 2644)
Ensure that traffic from the above addresses is not transmitted by the interface.
Ensure that loose source routing and strict source routing (lsrsr & ssrr) are blocked and logged by the firewall.
Port restrictions
The following ports should blocked:
Remote access
If remote access is to be used, ensure that the SSH protocol (port 22) is used instead of Telnet.
File Transfers
If FTP is a requirement, ensure that the server, which supports FTP, is placed in a different subnet than the internal protected network.
Mail Traffic
Ascertain which protocol is used for mail and ensure that there is a rule to block incoming mail traffic except to internal mail.
ICMP (ICMP 8, 11, 3)
Ensure that there is a rule blocking ICMP echo requests and replies.
Ensure that there is a rule blocking outgoing time exceeded and unreachable messages.
IP Readdressing/IP Masquerading
Ensure that the firewall rules have the readdressing option enabled such that internal IP addresses are not displayed to the external untrusted networks.