Auditing Check Point Firewalls


One of the first presentations I gave. CSI 1999- Auditing Check Point Firewalls

1. Auditing Checkpoint Firewalls
   CSI Annual Conference 1999, Session J7
   Ben Rothke, CISSP, Network Security Engineer, eB Networks, Inc., Iselin, New Jersey

2. About me...
   - Who I am
   - Who eB Networks is
   - Your handout vs. this presentation: WYSINEWYG
     - e-mail me for the current version

3. Agenda
   - This session is about:
     - Ensuring your Firewall-1 is properly configured
     - Performing an audit and analysis of a Check Point firewall
   - This session is not about:
     - A comprehensive investigation of every available Firewall-1 configuration and option
     - General firewall architectures and configurations
     - Firewall certification
       - ICSA
       - West Coast Labs
       - CCSA/CCSE

4. What is a firewall?
   - Protection from a defined class of network-based attacks (not from every known attack)
   - All traffic from inside to outside and vice versa must pass through the firewall
   - Only authorized traffic, as defined by the local security policy, is allowed through
   - The firewall itself is immune to penetration
   (The last three are the classic Cheswick and Bellovin properties.)

5. What is a firewall audit?
   - Webster's defines audit as a methodical examination and review
   - A point-in-time attestation of the firewall structure
   - How do you perform this methodical examination and review?
     - Stay tuned!
   - On the other hand, a firewall audit is not:
     - A guarantee that the firewall software or the underlying network operating system is secure
     - A guarantee that the firewall or network operating system is configured correctly

6. GAAP and GASSP
   - Generally Accepted Accounting Principles (GAAP)
     - Widely accepted set of rules, conventions, standards and procedures for reporting financial information, as established by the Financial Accounting Standards Board in 1973. The mission of FASB is to establish and improve standards of financial accounting and reporting for the guidance and education of the public, including issuers, auditors and users of financial information.
   - Generally Accepted System Security Principles (GASSP)
     - In development by the International Information Security Foundation
     - Research and complete the Authoritative Foundation
     - Develop and approve the framework for the GASSP
     - Map the Authoritative Foundation to related authoritative works

7. GASSP
   - The lack of a GASSP means that there is no authoritative reference against which to maintain a protected infrastructure. If there were a GASSP, there would be a way to enforce a level of compliance, and a vehicle for the authoritative approval of reasonably founded exceptions or departures from GASSP.

8. Steps to auditing a firewall
   - Review corporate firewall policy
   - Review network infrastructure
   - Run host and network assessment scans
   - Review Firewall-1 configuration
   - Review Firewall-1 rulebase
   - Put it all together in a report
   - Redo as necessary

9. Infrastructure and architecture
   - It is necessary to look at the infrastructure, since a firewall does not exist in a vacuum; it should operate in the context of defense in depth
   - Internet access requirements
   - Understand the business justifications for Internet access
   - Validate the inbound and outbound services that are allowed
   - Review the design (e.g. dual-homed, multi-homed, proxy)
   - Analyze connectivity to internal and external networks
   - Interview firewall and network administrators for:
     - Information on operating procedures
     - Supporting documents
     - Installation procedures
     - Maintenance procedures

10. Policy
   - Policy is a critical element of the effective and successful operation of a firewall. A firewall can't be effective unless it is deployed in the context of working policies that govern its use and administration.
   - Marcus Ranum defines a firewall as "the implementation of your Internet security policy. If you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do".

11. Policy
   - Is there a published firewall policy for your organization?
   - What policies have top management reviewed and approved that are relevant to the firewall infrastructure? This may include:
     - Internet usage policy
     - Business partners, contractors, temporary staff, etc.
     - Confidentiality policy
     - E-mail policy
     - Emergency response policy
     - Responsibilities for controlling the organization's information security
   - Are there procedures to change the firewall policies? If so, what is the process?
   - How are these policies communicated throughout the organization?

12. Firewall management
   - Who owns the firewalls? Is this defined?
   - Who is responsible for implementing the stated policies for each of the firewalls?
   - Who is responsible for day-to-day management of the firewall?
   - Who monitors the firewall for compliance with stated policies?
   - How are security-related incidents reported to the appropriate information security staff?
   - Are CERT, CIAC, vendor-specific and similar advisories monitored for new vulnerabilities?
   - Are there written procedures that specify how to react to different events, including containment and reporting procedures?

13. Firewall security management
   - Accounts on the firewall: explain the purpose of each
   - Are remote access sessions encrypted via SSH or similar?
   - How many people have the administration account passwords? How are these controlled?
   - Logs
     - Enabled, reviewed, archived?
   - Backup and recovery procedures established for the firewall configuration, policies and relevant data
   - IDS in use?
   - Adequate backup power supplies
   - Firewall components located in areas where access is restricted to authorized personnel only

14. Configuration
   - Ensure the firewall is appropriately configured
   - Determine whether the latest patches are installed
   - Y2K
   - Review system settings
   - It goes without saying that the firewall is physically secured
   - Dangerous system components (e.g. compilers, debuggers) have been removed
   - Only necessary accounts are active
   - Only necessary services and applications are running
   - No direct modem connection

15. Physical security
   - NT, Unix and NetWare all require a secure infrastructure
   - The local console must be secure
   - The management console should not be reachable from the external network
   - The firewall configuration should be fully protected and tamper-proof (except from an authorized management station)
   - Full authentication is required for the administrator for local administration
   - Full authentication and an encrypted link are required for remote administration

16. Change control
   - Review change control procedure documents
   - Review test plans
   - Test procedure documentation
   - Review procedures for applying fixes
   - Procedure documentation
   - Review the management approval process
   - The process should ensure that changes to the following are documented:
     - Any upgrades or patches, which require notification and scheduling of downtime
     - Electronic copies of all changes
     - A hard-copy form filled out for every change

17. Backup and contingency
   - Maintain a golden copy of Firewall-1, including patches
   - Review backup procedures and documentation
   - Review the backup schedule
   - Determine whether procedures are in place to recover the firewall system should a disruption of service occur
   - Review the contingency plan
   - Contingency plan documentation

18. Miscellaneous issues
   - Time synchronization (log entries from the firewall, IDS and hosts can only be correlated if their clocks agree)
   - File system integrity
     - Tripwire
   - If running on NT, NTFS should be used

19. Network objects
   - Logical entities that are grouped together as part of the security policy. A group of web servers could be a simple network object that a rule is applied to.
     - Every network object has a set of attributes, such as network address, subnet mask, etc. Examples of entities that can be part of a network object are:
       - networks and sub-networks
       - servers
       - firewalls
       - routers
       - switches
       - hosts and gateways
       - Internet domains
       - groups of the above

20. Security issues with network objects
   - Objects can contain and reference anywhere from a single device to entire networks containing thousands of devices, which can create a significant obstacle when attempting to evaluate the security configuration and security level of a Check Point firewall.
   - Network objects are time-saving from an administrative perspective. From a security perspective, any trust granted to the object is automatically granted to every entity within that object. This web of trust makes a comprehensive Firewall-1 review more difficult: expand every group used in an Accept rule and confirm each member really needs that access.

21. Services, protocols and users
   - Too many services hinder the efficacy of the firewall
     - Each service should be authorized. If it is not, disable it.
     - NT: check Control Panel => Services
     - Unix: check /etc/inetd.conf and the rc startup scripts for what actually runs (/etc/services only maps service names to port numbers and disables nothing)
   - Similarly, unnecessary protocols open needless communication links
     - NT: check Control Panel => Network => Protocols
     - Unix: check which protocol stacks are bound to the interfaces (/etc/protocols is only a name-to-number table)
   - Users
     - The firewall should have a minimal number of user accounts
     - NT: check User Manager
     - Solaris: check /etc/passwd and /etc/shadow (which accounts have a shell, which are locked, which have no password at all)
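As an added example, not part of the original deck and not Check Point code, the following Python performs the account and inetd checks from slides 14 and 21 for a Unix firewall host. It parses the classic /etc/passwd, /etc/shadow and /etc/inetd.conf formats; the sample file contents, account names and placeholder hash fields below are constructed so the script runs offline. On a real audit the same functions are pointed at the files copied from the firewall host, and the allowed-account and allowed-service sets come from the firewall policy (NT hosts are checked through User Manager and Control Panel => Services instead).

```python
"""Host-level checks for a Unix Firewall-1 host (added example; constructed sample data)."""

SHELLS_NOLOGIN = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/true"}


def parse_passwd(text):
    """Yield (name, uid, shell) from passwd-format text, skipping comments and NIS '+' entries."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+":
            continue
        fields = line.split(":")
        if len(fields) == 7:
            yield fields[0], int(fields[2]), fields[6]


def parse_shadow(text):
    """Map account name -> password field from shadow-format text."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            entries[fields[0]] = fields[1]
    return entries


def is_locked(pw_field):
    """Solaris locks with *LK* and marks 'no password allowed' with NP; Linux/BSD prefix with ! or *."""
    return pw_field.startswith(("*", "!")) or pw_field == "NP"


def uid0_accounts(passwd_text):
    return [name for name, uid, _ in parse_passwd(passwd_text) if uid == 0]


def empty_password_accounts(passwd_text, shadow_text):
    """Accounts whose shadow password field is empty: login needs no password at all."""
    shadow = parse_shadow(shadow_text)
    return [name for name, _, _ in parse_passwd(passwd_text) if shadow.get(name) == ""]


def login_capable_accounts(passwd_text, shadow_text):
    """Accounts with a usable shell (an empty shell field defaults to /bin/sh) and an unlocked password."""
    shadow = parse_shadow(shadow_text)
    return [name for name, _, shell in parse_passwd(passwd_text)
            if shell not in SHELLS_NOLOGIN and not is_locked(shadow.get(name, ""))]


def enabled_inetd_services(inetd_text):
    """Service names of inetd.conf lines that are not commented out."""
    return [line.split()[0] for line in inetd_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def audit_host(passwd_text, shadow_text, inetd_text, allowed_accounts, allowed_services):
    """Findings: extra UID 0 accounts, empty passwords, unauthorized logins, unauthorized services."""
    findings = [f"extra UID 0 account: {n}" for n in uid0_accounts(passwd_text) if n != "root"]
    findings += [f"account with empty password: {n}"
                 for n in empty_password_accounts(passwd_text, shadow_text)]
    findings += [f"unauthorized login-capable account: {n}"
                 for n in login_capable_accounts(passwd_text, shadow_text)
                 if n not in allowed_accounts]
    findings += [f"unauthorized inetd service: {s}"
                 for s in enabled_inetd_services(inetd_text) if s not in allowed_services]
    return findings


# Constructed sample files (Solaris-style). HASH1/HASH2 stand in for real password hashes.
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
toor:x:0:1:Backup root:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
fwadmin:x:1001:10:Firewall admin:/export/home/fwadmin:/bin/ksh
oldadmin:x:1002:10:Left company:/export/home/oldadmin:/bin/ksh
nobody:x:60001:60001:Nobody:/:/bin/false
"""
SAMPLE_SHADOW = """\
root:HASH1:10000::::::
toor:HASH1:10000::::::
daemon:NP:6445::::::
bin:NP:6445::::::
fwadmin:HASH2:10500::::::
oldadmin::10200::::::
nobody:NP:6445::::::
"""
SAMPLE_INETD = """\
# inetd.conf on the firewall host (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
"""

if __name__ == "__main__":
    # A firewall host should run no inetd services; only root and the named admin may log in.
    for finding in audit_host(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_INETD, {"root", "fwadmin"}, set()):
        print(finding)
```

The shadow check matters more than the passwd check: a locked account with a shell is harmless, while an account with an empty password field is a login with no password at all, which no scanner on slide 33 will report if it only looks at open ports.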
22. The rulebase
   - A rulebase is a file stored on the firewall that contains an ordered set of rules defining a distinct security policy for each particular firewall. Access to the rulebase file is restricted to those who are either physically at the firewall or a member of the GUI clients list specified in the configuration settings.
   - A rule describes a communication in terms of its source, destination and service. The rule also specifies whether the communication should be accepted or rejected and whether a log entry is created.

23. First fit vs. best fit
   - Firewall-1 is a first-fit inspection engine.
   - If you have 50 rules and the incoming packet matches rule 4, the inspection engine stops immediately (rules are examined sequentially for each packet) and does not go through the rest of the rulebase. A rule placed below one that already covers its source, destination and service can never match, no matter what its action says.
   - Each rule must be reviewed in total: verify that the source, destination, service and action are appropriate, and that the rule is reachable.

24. Rule 0
   - "Rule 0" in the log viewer marks actions the inspection engine takes outside the explicit rulebase, driven by the Rulebase Properties and the interface settings rather than by a numbered rule. Entries logged as rule 0 include:
   - Anti-spoofing drops. Anti-spoofing is set on the Interfaces tab of the firewall object; verify that it is configured on every interface, since an interface without it accepts any source address.
   - Authentication failures. This is set in the Authentication tab of the Rulebase Properties; if it is set to Log or Alert, any failed authentication attempt shows up as a rule 0 log entry.
   - SYNDefender warnings. The Display Warning Messages checkbox in the SYNDefender tab of the Rulebase Properties is where these can be disabled.
   - Successful SecuRemote authentications, which can appear as a rule 0 accept. This is controlled by the Enable Decryption on Accept checkbox in the Security Policy tab of the Rulebase Properties.
   - Anything dropped by IP Options checking. The logging is controlled by the IP Options Drop Track section of the Log and Alert tab of the Rulebase Properties.
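The anti-spoofing check is the rule 0 action an auditor most needs to understand, so here it is worked through as an added example (not Check Point code, and not from the original deck). Each interface carries a set of valid source addresses: the internal and DMZ interfaces list the networks behind them, the external interface is set to "others" (anything no other interface claims), and an interface where nobody configured anti-spoofing checks nothing. The interface names, address ranges and sample packets are constructed.

```python
"""Anti-spoofing as applied before the rulebase and logged as rule 0 (added example, constructed data)."""
from ipaddress import ip_address, ip_network

# Constructed topology. The value is the interface's valid source addresses: a list of
# networks, "others" (whatever no other interface claims), or None when anti-spoofing
# was never configured on that interface.
INTERFACES = {
    "hme0": ["10.0.0.0/8"],       # internal
    "hme1": ["203.0.113.0/28"],   # DMZ
    "hme2": "others",             # external
    "hme3": None,                 # forgotten: accepts any source address
}


def config_findings():
    """What the auditor flags on the Interfaces tab: unset anti-spoofing, or two 'others' interfaces."""
    findings = [f"{name}: anti-spoofing not configured"
                for name, valid in INTERFACES.items() if valid is None]
    if sum(1 for v in INTERFACES.values() if v == "others") > 1:
        findings.append("more than one interface set to 'others'")
    return findings


def _claimed_by_other_interfaces(iface):
    nets = []
    for name, valid in INTERFACES.items():
        if name != iface and isinstance(valid, list):
            nets.extend(ip_network(n) for n in valid)
    return nets


def source_is_valid(iface, src):
    """Would the inspection engine accept `src` as a legitimate source address arriving on `iface`?"""
    addr = ip_address(src)
    valid = INTERFACES[iface]
    if valid is None:
        return True                       # nothing is checked on this interface
    if valid == "others":
        return not any(addr in n for n in _claimed_by_other_interfaces(iface))
    return any(addr in ip_network(n) for n in valid)


def inspect_packets(packets):
    """Return (rule, action, iface, src, dst) per packet; spoofed sources are dropped as rule 0."""
    log = []
    for iface, src, dst in packets:
        if source_is_valid(iface, src):
            log.append(("rulebase", "inspect", iface, src, dst))   # handed to the numbered rules
        else:
            log.append((0, "drop", iface, src, dst))
    return log


# Constructed sample traffic: (arriving interface, source, destination)
SAMPLE_PACKETS = [
    ("hme2", "10.1.1.5", "203.0.113.10"),      # internal address arriving from the Internet
    ("hme2", "198.51.100.7", "203.0.113.10"),  # genuine Internet source
    ("hme0", "192.168.1.1", "198.51.100.7"),   # not an address the internal interface claims
    ("hme1", "203.0.113.10", "198.51.100.7"),  # DMZ host replying outward
]

if __name__ == "__main__":
    for finding in config_findings():
        print(finding)
    for entry in inspect_packets(SAMPLE_PACKETS):
        print(entry)
```

Note that a spoofed internal address arriving on the external interface is dropped before any Accept rule for the "Internal" object is consulted, which is exactly why the check must exist on every interface: the same packet arriving on hme3 would be passed to the rulebase and could match a rule written for internal hosts.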
25. Stealth rule / cleanup rule
   - The stealth rule drops all traffic addressed to the firewall itself, so that nobody can connect directly to the firewall. Place it at the top of the rulebase, below only the rules that let administrators (the authorized GUI clients) reach it; a management rule placed after the stealth rule can never match.
   - Remember to use Drop, not Reject. Reject sends a TCP reset or ICMP unreachable back to the sender, which confirms to a scanner that a firewall is there.
   - The cleanup rule is the last rule: Any / Any / Any / Drop, with logging on. Firewall-1 drops unmatched traffic anyway, but without this rule it does so silently and the audit loses the record of what was being attempted.

26. Examples of poor rules
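As an added example, not from the original deck and not Check Point code, the following Python walks an ordered rulebase of the source / destination / service / action / track form described on the previous slides and reports the first-fit problems an auditor looks for: rules shadowed by an earlier rule, a missing or Reject-based stealth rule, a missing or unlogged cleanup rule, accepts from Any to the firewall or from Any to Any, and accepts that do not log. The network objects, service names and the sample rulebase are constructed; "Any" is treated as a wildcard and named objects are compared by address containment, so an object that is a group is covered only if every member is.

```python
"""First-fit rulebase audit for a Firewall-1 style rulebase (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "Any"

# Constructed network objects, in the spirit of the deck's "network objects" slides.
OBJECTS = {
    "FW": ["203.0.113.1/32"],
    "Admin_PC": ["10.1.1.5/32"],
    "Internal": ["10.0.0.0/8"],
    "DMZ_Web": ["203.0.113.10/32", "203.0.113.11/32"],
}


@dataclass(frozen=True)
class Rule:
    num: int
    src: str      # "Any" or an OBJECTS name
    dst: str
    svc: str      # "Any" or a service name
    action: str   # "Accept", "Drop" or "Reject"
    track: str    # "Log" or "None"


def _nets(obj):
    return None if obj == ANY else [ip_network(n) for n in OBJECTS[obj]]


def covers_addr(outer, inner):
    """True if every address in object `inner` lies inside object `outer`."""
    o, i = _nets(outer), _nets(inner)
    if o is None:
        return True
    if i is None:
        return False
    return all(any(n.subnet_of(m) for m in o) for n in i)


def covers_svc(outer, inner):
    return outer == ANY or outer == inner


def rule_covers(earlier, later):
    """With first-fit matching, `later` never fires if `earlier` covers all three match fields."""
    return (covers_addr(earlier.src, later.src)
            and covers_addr(earlier.dst, later.dst)
            and covers_svc(earlier.svc, later.svc))


def audit(rules):
    """Return (rule number, finding) pairs for an ordered rulebase; rule number 0 means 'no rule'."""
    findings = []
    # 1. Shadowed rules: dead weight at best, a silently ignored restriction at worst.
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if rule_covers(earlier, later):
                findings.append((later.num, f"shadowed by rule {earlier.num}"))
                break
    # 2. Stealth rule: traffic to the firewall itself must be dropped, not rejected.
    stealth = [r for r in rules
               if r.dst == "FW" and r.svc == ANY and r.action in ("Drop", "Reject")]
    if not stealth:
        findings.append((0, "no stealth rule protecting the firewall"))
    elif stealth[0].action == "Reject":
        findings.append((stealth[0].num, "stealth rule uses Reject; use Drop"))
    # 3. Cleanup rule: the last rule is Any/Any/Any Drop and logs what it drops.
    last = rules[-1]
    if not (last.src == ANY and last.dst == ANY and last.svc == ANY and last.action == "Drop"):
        findings.append((last.num, "no cleanup rule; unmatched traffic is dropped unlogged"))
    elif last.track != "Log":
        findings.append((last.num, "cleanup rule does not log"))
    # 4. Over-broad or invisible accepts.
    for r in rules:
        if r.action == "Accept":
            if r.src == ANY and r.dst == "FW":
                findings.append((r.num, "accepts Any source to the firewall"))
            if r.src == ANY and r.dst == ANY:
                findings.append((r.num, "accepts Any to Any"))
            if r.track != "Log":
                findings.append((r.num, "accept without logging"))
    return findings


# Constructed sample rulebase with one of each mistake.
SAMPLE_RULEBASE = [
    Rule(1, "Admin_PC", "FW", "ssh", "Accept", "Log"),      # management access, above the stealth rule
    Rule(2, ANY, "FW", ANY, "Reject", "Log"),               # stealth rule, but it rejects
    Rule(3, ANY, "DMZ_Web", "http", "Accept", "None"),      # accept that never logs
    Rule(4, "Internal", ANY, ANY, "Accept", "Log"),         # broad outbound rule
    Rule(5, "Internal", "DMZ_Web", "ftp", "Accept", "Log"), # already covered by rule 4
    Rule(6, ANY, ANY, ANY, "Drop", "None"),                 # cleanup rule without logging
]

if __name__ == "__main__":
    for num, finding in audit(SAMPLE_RULEBASE):
        print(f"rule {num}: {finding}")
```

Rule 5 is the instructive case: it is harmless here because rule 4 also accepts, but if an administrator later tightens rule 5 to Drop, nothing changes, because first fit hands the packet to rule 4 before rule 5 is ever reached.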
27. Implied pseudo rules

28. Misc. issues
   - GUI clients
     - Verify the list and keep it to a minimum; these are the hosts from which the policy can be edited and installed
   - Administrators
     - Verify each administrator's permission level (Read Only, Read/Write)
   - SYNDefender
     - None / Gateway / Relay
   - IP forwarding
     - Disabled in the operating system and controlled by Firewall-1, so that nothing is forwarded when the policy is not loaded
   - ICMP
     - Disable the implied ICMP accept in Properties => Security Policy. If it is enabled, ICMP is passed before the rulebase is consulted, so your hosts can be mapped from outside with ping sweeps. If ICMP is needed, write an explicit rule that limits which source addresses may send it and to which hosts.

29. INSPECT
   - INSPECT is the high-level language in which Firewall-1 expresses its inspection logic. Using INSPECT, programmers can write FW-1 specific applications and call into the FW-1 engine.
   - Security applications written in INSPECT are compiled into code that is installed on the access devices and security gateways. The INSPECT virtual machine on those devices then executes the code, enforcing the rules defined in the rulebase.
   - INSPECT is designed for security: it has no loops, its functions do not support recursion, and no explicit memory allocation is permitted, among other restrictions.

30. INSPECT
   - You will likely never need to review INSPECT code. The .def files, from which INSPECT code is generated, may occasionally need to be modified to allow a particular service through the firewall, to change a default behaviour, or to adjust a service.
   - Inspection script: ASCII file (*.pf) generated from a Security Policy (*.w file)
   - Inspection code: *.fc file compiled from the inspection script
   - FW Module: runs on the host and executes the inspection code

31. Resources
   - An FW-1 resource site with extensive technical information
   - White papers on FW-1 and security from Lance Spitzner
   - A site maintaining numerous FW-1 discussion threads
   - An FW-1 reference page
   - Firewall products and security news
   - Multivendor security information

32. More resources
   - Marcus Ranum: publications, rants, presentations and code
     - Relevant to this talk, read "On the Topic of Firewall Testing"
   - Internet Firewalls Frequently Asked Questions
   - Auditing Your Firewall Setup
   - Bugtraq vulnerability database

33. Tools
   - ISS
     - Internet Scanner
     - System Scanner
   - NAI
     - CyberCop Scanner
   - Nmap
   - SecureIT
     - Firewall HealthCHECK
   - SAINT
   - WebTrends for Firewalls
   Caveat: your firewall can graduate magna cum laude from these tools and still be insecure

34. Books
   - Brent Chapman and Elizabeth Zwicky, Building Internet Firewalls, O'Reilly & Associates, 1995. ISBN 1-56592-124-0
   - William Cheswick and Steve Bellovin, Firewalls and Internet Security, Addison-Wesley, 1994. ISBN 0-201-63357-4
   - Simson Garfinkel and Gene Spafford, Practical Unix & Internet Security, O'Reilly & Associates, 1996. ISBN 1-56592-148-8
   - Marcus Goncalves, Checkpoint Firewall-1 Administration Guide, McGraw-Hill, 1999. ISBN 0-07134229-X

35. Mailing lists
   - CERT
     - cert-advisory-request@
   - CIAC
   - Firewall-1 mailing list
   - Firewalls mailing list
   - Firewall Wizards list
   - Newsgroups
   - COAST
   - Bugtraq
   - NTBugtraq
   - ISS X-Force Advisories

36. Conclusion
   - A firewall is only as good as its implementation. In today's dynamic world of Internet access, it's easy to make mistakes during the implementation process. By auditing your firewall setup, you can ensure that the firewall is enforcing what you expect it to, in a secure manner.
   Source: Lance Spitzner

37. Any questions?
   - Any questions? Comments? Jokes?
   - Please fill out your evaluation sheets

38. Thank you!!
   Ben Rothke, CISSP, CCO, Network Security Engineer, eB Networks, Inc., Iselin, New Jersey, USA