Firewalls continue to secure a countless number of organizations across the world and remain first line of defense against known cyber attacks and network risks. Avalanche of IT-led forces and evolution in threat landscape has brought increased onus on firewalls. On the other side, as enterprises extend their business leveraging internet driven business models and increasingly collaborative networks, embracing cloud and virtual environments, there's a need to understand how this ties with the changing role of security technologies such as a firewall. This webinar explains how a tectonic shift in enterprise networking requires rethinking firewall deployment and management for effective security management.
3. www.cyberoam.com
What necessitates firewall security audit?
Firewalls are solely responsible for any good or bad traffic
Exponential growth in networks, networking speed & devices, apps, web / cloud / virtualization
infrastructure has increased firewall complexity in terms of placement, rules and settings
As many as 80% of firewalls examined in a recent data breach investigation were found poorly
configured!
A quarter of UK and US businesses have had to re-do more than 60% of all firewall changes since they
were not implemented correctly the first time
5. www.cyberoam.com
Baselines and Procedures
Evaluation Parameter:
Checking proper documentation for firewall
baseline and key firewall procedures
Standards & Best Practices:
Having a baseline for firewall helps
implement a security level that is
consistent across the organization
Documented procedures relating to backup,
monitoring and incidence response reduces
manual dependency
6. www.cyberoam.com
Identification & Authentication
Evaluation Parameter:
Is the firewall being managed by third party personnel or by the
organization itself? If managed by third party, is it protected by
an NDA?
Are all administrators authenticated using individual accounts
before granting access to the firewall's administration interface?
What is the procedure for creating users/administrators?
Are all administrator accounts assigned the lowest privilege
level that allows them to perform their duties?
How often is the firewall configuration reviewed for presence of
unauthorized accounts?
7. www.cyberoam.com
Identification & Authentication
Standards & Best Practices:
Third Party personnel managing the firewall of an organization need to
sign an NDA with the later
Maintaining individual accounts for each administrator helps implement
accountability for any malicious activity occurring intentionally or
unintentionally
Procedures should address both creation as well as deletion of user
accounts for the firewall
Administrators should be assigned the lowest privilege level that allows
them to perform their job
Unauthorized accounts pose a serious threat to the overall security
posture of the organization
8. www.cyberoam.com
Configuration
Evaluation Parameters:
Is the firewall configured to be able to protect the network against denial of
service attacks such as Ping of Death, TCP SYN floods, etc.
Is any sort of Ingress/Egress Filtering configured?
Does the firewall use the latest version of the firewall software with all security-
related patches applied?
How often is the firewall configuration rule sets tested in the form of a PT/VA?
Are the firewall administrators registered with the vendors’ vulnerability mailing
list to keep themselves updated with the latest security patches?
Does the firewall perform anti-virus scanning and content security checking of all
inbound packets for HTTP, FTP and SMTP?
How is the performance of the firewall monitored? (memory , CPU)
Are any VPNs configured on the firewall?
9. www.cyberoam.com
Configuration
Standards & Best Practices:
Rule sets should be tested every 6 months to a year
depending on the number of changes made to the
configuration file
Firewall administrators should subscribe to vulnerability
mailing list pertaining to their firewall in order to be
aware of the latest vulnerabilities affecting their product
As part of the capacity management procedure, periodic
reviews of the key parameters such as memory, CPU
should be monitored to address current and future needs
10. www.cyberoam.com
Auditing and Administration
Evaluation Parameters:
Are log recipient hosts identified
and configured?
Is the security of the logs on the host
maintained through local OS settings?
How often are the logs reviewed? Does
senior management receive status reports?
Is logging timestamp enabled?
Is the time synchronized with an NTP Server?
Are logs reviewed/ monitored regularly?
11. www.cyberoam.com
Auditing and Administration
Evaluation Parameters:
Are the logs backed up? How often is the backup
taken? What is the retention period of the logs?
Is the firewall configuration data backed up weekly
and / or whenever configuration changes occur?
Where is the configuration data backup stored?
Is the firewall configuration well documented?
Is a login banner defined when accessing the firewall?
Is the firewall configured to alarm the administrator
for a potential attack or system failure?
12. www.cyberoam.com
Auditing and Administration
Evaluation Parameters:
What is the procedure followed upon detection
of a particular incident?
Is in-band management restricted to a limited
number of IP addresses?
Is a local password assigned to the telnet or SSH
process?
Is SNMP used to manage the firewall? If no, is the
service disabled?
Is a time-out defined for idle sessions?
13. www.cyberoam.com
Auditing and Administration
Standards & Best Practices:
Logging helps track incident
The review of logs should be documented
and sent for manager’s review
Including timestamps in messages allows
tracing network attacks more credibly
Firewall configuration should be backed up
according to the firewall policy. (whenever a
configuration change takes place)
The configuration files should be stored
either on tapes or a file server
14. www.cyberoam.com
Auditing and Administration
Standards & Best Practices:
Well documented Firewall configuration
Login banner should be defined on the
firewall
A documented Incident Management
Procedure
All management communication between
the management hosts and the firewall
should be encrypted
The password should be stored in a manner
consistent site's security policy
If the SNMP service, if not used , should be
explicitly disabled
15. www.cyberoam.com
Configuration Change Management
Evaluation Parameters:
Is there a documented change management
procedure for changes applied on the firewall?
Standards & Best Practices:
Since the application software change
management document addresses software
change management procedures, it should be
expanded to include networking devices such as
a firewall too.
16. www.cyberoam.com
Management & Monitoring
Evaluation Parameters:
Checking periodic review for firewall
configuration
Is the firewall configuration (hard
copy) stored in a secured location?
Checking whether firewall
administrator details (matrix)
document get updated
17. www.cyberoam.com
Failover / Redundancy
Evaluation Parameters:
Is the firewall configured for proper recovery
from failure or interruption?
What is the procedure to be followed if the
firewall fails?
Is the hot standby firewall in sync with active
firewall configuration and software updates?
Is hot standby/recovery procedures of the firewall
periodically tested?
Standards & Best Practices:
HA should be configured, for firewall being a
critical device
Availability of immediate backup firewall for
uninterrupted business continuity
18. www.cyberoam.com
Findings and Recommendations
Sr. No Findings / Recommendations
Implementation
Priority
1 The configuration file should be reviewed periodically to check for its accuracy. High
2
Logs should be stored on logging host which is hardened enough. High
3 Firewall is accessible from the whole network. A dedicated machine can be placed inside the
data center to which Admin can login and manage the Cyberoam and Layer-3 switches etc.
High
4
The review of logs should be documented and sent to the manager for review. High
5 Logs of the firewall should be backed up and retained. Log retention time period should be
defined.
Medium
6 As part of the capacity management procedure, periodic reviews of the key parameters such
as memory, CPU should be monitored on the firewall to address current and future needs.
Medium
7
Login banner should be defined on the firewall. Medium
8 A documented Incident Management Procedure should be available for alerts detected by
the firewall.
Medium
9
Firewall baseline and the procedures related to the firewall should be documented. Medium
10 Procedures should address the creation as well as the deletion of the user accounts created
on the firewall.
Low
11
Firewall configuration should be well documented. Low
As findings from several surveys on enterprise network security reveal, lack of proper configuration for devices like Firewall allow unforeseen threats to penetrate and exploit corporate networks. A leading ICT analyst in the recent past reported that misconfigured network gear represents a major security threat. As per the analyst’s estimate nearly 65% of cyber attacks exploit misconfigured systems.
Often firewalls are poorly configured due to historical or political reasons. Common firewall flaws include passing Microsoft Windows networking packets, passing rservices, and having trusted hosts on the business LAN. The most common configuration problem is not providing outbound data rules. This may allow an attacker who can sneak a payload onto any control system machine to call back out of the control system LAN to the business LAN or the Internet.
And not just security, such errors / poor configurations also take toll on network performance, productivity and at times also cause frequent network outages, negatively impacting business continuity and hampering access to and availability of key business apps
Here’s what needs to be remembered - The protection that firewalls provide is only as good as the policy they are configured to implement.
Standards and Best Practices:
2nd point – Also makes the activity person independent
Standards and Best Practices:
2nd point – Also makes the activity person independent
Standards and Best Practices:
5th point –A regular review based on company policy helps eliminate the risk posed by unauthorized accounts.
Standards and Best Practices:
Last point –Logical/Physical controls need to be implemented on the file server to prevent unauthorized access
Standards and Best Practices:
2nd point – This can aid in prosecution in some jurisdictions and also serves as a preventive measure to unauthorized access.
3rd point - A documented Incident Management Procedure should be available for alerts detected by the firewall.
For e.g. to check the requirement and accuracy of access-lists.
Logging is enabled by defining logging host; however this host is not connected to the network always.
Further to strengthen the security only Admin system’s can have access to this system and this system should only be allowed to access certain ports (e.g. 80, 22, 23) on network devices only.
This will prove useful if old logs have to be looked into to investigate a particular incident.
This can aid in prosecution in some jurisdictions and also serves as a preventive measure to unauthorized access.