Firewall Auditing
What is a firewall?
- A firewall is a device or collection of components placed between two networks that collectively have the following properties (the Cheswick and Bellovin definition):
  - All traffic from inside to outside, and vice versa, must pass through the firewall.
  - Only authorized traffic, as defined by the local security policy, will be allowed to pass.
  - The firewall itself is immune to penetration.
Firewall Types
- First Generation
  - Packet Filtering Firewalls
- Second Generation
  - Stateful Inspection Firewalls
- Third Generation
  - Application (Proxy) Firewalls
- Fourth Generation
  - Kernel Proxy technology
  - "Deep packet" inspection
  - IDS / IPS capabilities
Defining Audit Scope
- Firewall Documentation
- Approval Procedures and Process
- Firewall Rule Base
- VPN
- Layer Seven Switching
- Internal Testing
- External Testing
Firewall Auditing Methodology
Phases
I. Gather Documentation
II. The Firewall
III. The Rule Base
IV. Testing and Scanning
V. Maintenance and Monitoring
Phase I - Gather Documentation
- Security Policy
- Change Control Procedures
- Administrative Controls
- Network Diagrams
- IP Address Scheme
- Firewall Locations
- IPS Capable?
- Firewall Vendor
- Software Version and Patch Level
- Hardware Platform
- Operating System Version and Patch Level
- Administrator Training and Knowledge
Phase II - The Firewall
- Three "A's"
  - Authentication: local / remote
  - Access: logical / physical
  - Auditing (logs): local / remote
- OS Hardening
Phase III - The Rule Base
- Based on the Organization's Security Policy
- Review each rule
  - Business reason
  - Owner
  - Host devices
  - Service ports
- Simplicity is the key
- Most restrictive and least access
- Rule order (first match wins, so the order of the rules is part of the policy)
  - Administration Rule: the admin hosts' access to the firewall, placed first so the stealth rule does not shadow it
  - ICMP Rule: which ICMP types may reach or pass the firewall
  - Stealth Rule: drop and log all other traffic addressed to the firewall itself
  - Cleanup Rule: the last rule; drop and log everything no earlier rule permitted
  - Egress Rules: filter traffic leaving the inside network, not only traffic coming in
- Logging: a rule that does not log cannot be audited; the cleanup rule in particular must log
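The per-rule review above can be mechanized. The following is an added example, not code from the deck or from any firewall vendor: it runs the checks listed on this slide (owner and business reason present, no accept-any rules, accepts logged, no rule shadowed by an earlier one, a stealth rule present, a logged cleanup rule last) against a constructed, vendor-neutral rule base. The rule base, its field names and the "fw" destination marker are assumptions made for the example; rule 5 is a deliberately bad "temporary" rule so the checks have something to find.

```python
"""Rule-base review checks (added example, not from the original deck).

The rule base is a constructed, vendor-neutral sample written in the order
the firewall evaluates it (first match wins). "fw" as a destination means
the firewall itself; "any" matches everything.
"""
from ipaddress import ip_network

ANY = "any"
FW = "fw"


def rule(rid, name, src, dst, svc, action, log, owner="", reason=""):
    """Build one rule record; all values are strings except log (bool)."""
    return {"id": rid, "name": name, "src": src, "dst": dst, "svc": svc,
            "action": action, "log": log, "owner": owner, "reason": reason}


# Constructed sample rule base (assumption). Rule 5 is a deliberately bad
# "temporary vendor access" rule that also shadows rule 6.
RULES = [
    rule(1, "admin", "10.0.0.5/32", FW, "tcp/22", "accept", True, "netops", "firewall administration"),
    rule(2, "icmp", ANY, FW, "icmp/echo-request", "drop", False, "netops", "no pings to the firewall"),
    rule(3, "stealth", ANY, FW, ANY, "drop", True, "netops", "hide the firewall"),
    rule(4, "web-https", ANY, "192.0.2.10/32", "tcp/443", "accept", True, "web team", "public web site"),
    rule(5, "temp-vendor", ANY, "192.0.2.0/24", ANY, "accept", False),
    rule(6, "web-http", ANY, "192.0.2.10/32", "tcp/80", "accept", True, "web team", "redirect to https"),
    rule(7, "egress-https", "10.0.0.0/8", ANY, "tcp/443", "accept", True, "netops", "outbound web"),
    rule(8, "cleanup", ANY, ANY, ANY, "drop", True, "netops", "deny and log everything else"),
]


def field_covers(a, b):
    """True if value a matches at least everything that value b matches."""
    if a == ANY or a == b:
        return True
    if b == ANY:
        return False
    try:  # both CIDRs: a covers b when b is a subnet of a
        return ip_network(b).subnet_of(ip_network(a))
    except (ValueError, TypeError):  # not two networks (e.g. "fw", "tcp/443")
        return False


def rule_covers(earlier, later):
    """The earlier rule matches every packet the later rule would match."""
    return all(field_covers(earlier[f], later[f]) for f in ("src", "dst", "svc"))


def audit_rule_base(rules):
    """Return (rule id, finding) pairs; rule id is None for whole-base findings."""
    findings = []
    for i, r in enumerate(rules):
        if not r["owner"] or not r["reason"]:
            findings.append((r["id"], "no owner or business reason"))
        if r["action"] == "accept" and r["src"] == ANY and r["svc"] == ANY:
            findings.append((r["id"], "accepts any source on any service"))
        if r["action"] == "accept" and not r["log"]:
            findings.append((r["id"], "accept rule is not logged"))
        for earlier in rules[:i]:
            if rule_covers(earlier, r):  # first match wins: this rule can never fire
                findings.append((r["id"], f"shadowed by rule {earlier['id']}"))
                break
    if not any(r["dst"] == FW and r["src"] == ANY and r["svc"] == ANY
               and r["action"] == "drop" for r in rules):
        findings.append((None, "no stealth rule protecting the firewall itself"))
    last = rules[-1]
    if not (last["src"] == ANY and last["dst"] == ANY and last["svc"] == ANY
            and last["action"] == "drop" and last["log"]):
        findings.append((last["id"], "last rule is not a logged drop-everything cleanup rule"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rule_base(RULES):
        print(f"rule {rule_id}: {finding}")
```

On the sample, rule 5 is reported three times (no owner or reason, accepts any source on any service, not logged) and rule 6 is reported as shadowed by rule 5, which is the practical consequence of a wide "temporary" rule placed above a narrower one: the narrower rule, and its logging, never take effect. A real export would be parsed into the same record shape before running the checks.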
Phase IV - Testing & Scanning
- Determine and set expectations (from the rule base: which ports should be reachable from which side)
- Scan the firewall itself
  - Nmap
  - Firewalk (uses TTL-limited probes to learn which ports the firewall forwards)
- Scan hosts behind the firewall
  - Nessus
  - ISS Internet Scanner
- Ensure results match expectations: every open port the rule base does not explain is a finding, and so is a permitted service that cannot be reached
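The "ensure results match expectations" step is a comparison, and the following added example (not code from the deck, and not a real scan) shows it in Python: it parses Nmap grepable (-oG) output and diffs the open ports per host against what the rule base permits from the scanning side. The scan output is constructed by hand for the example, and the expectations table is an assumption standing in for what an auditor would derive from the rule base: the firewall (203.0.113.1) should expose nothing to the outside because of the stealth rule, and the web server (192.0.2.10) should expose only tcp/80 and tcp/443.

```python
"""Compare Nmap grepable output with rule-base expectations (added example)."""
import re

# Constructed nmap -oG output for an external scan; not a real run.
# Fields on a "Ports:" line are port/state/protocol/owner/service/rpc/version/.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 203.0.113.1 192.0.2.10
Host: 203.0.113.1 ()\tStatus: Up
Host: 203.0.113.1 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (65534)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65532)
# Nmap done
"""

# Assumed expectations derived from the rule base for a scan from the
# Internet side: the stealth rule hides the firewall, the web server
# publishes only http and https.
EXPECTED_OPEN = {
    "203.0.113.1": set(),
    "192.0.2.10": {"tcp/80", "tcp/443"},
}

PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/")


def parse_grepable(text):
    """Return {host: set of 'proto/port'} for ports Nmap reported as open."""
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = observed.setdefault(host, set())
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                open_ports.add(f"{proto}/{port}")
    return observed


def compare_to_expectations(observed, expected):
    """Return (host, port, finding) triples where scan and rule base disagree."""
    findings = []
    for host, want in expected.items():
        got = observed.get(host, set())
        for p in sorted(got - want):
            findings.append((host, p, "open but not permitted by the rule base"))
        for p in sorted(want - got):
            findings.append((host, p, "permitted by the rule base but not reachable"))
    for host in sorted(set(observed) - set(expected)):
        findings.append((host, "*", "host responded but has no expectation on record"))
    return findings


if __name__ == "__main__":
    for host, port, finding in compare_to_expectations(parse_grepable(SCAN_OUTPUT), EXPECTED_OPEN):
        print(f"{host} {port}: {finding}")
```

On the constructed data the script reports ssh open on the firewall from the outside (the stealth or administration rule is not doing what the rule base says) and RDP open on the web server (a service no rule explains). In practice the scan is produced with something like `nmap -sS -p- -oG scan.gnmap <targets>` from each side of the firewall in scope, and each side is compared against its own expectation table.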
Phase V - Maintenance & Monitoring
- Change Management and Approval
  - Is the process documented?
  - Is the process being followed?
  - Is there evidence of the process?
- Disaster Recovery Plan
  - Is it formal?
  - Backup and Recovery Procedures
- Firewall Logs
  - Reviews
  - Storage and archival
Demo

Questions?

References and Additional Resources
- Ronald L. Krutz and Russell Dean Vines, The CISSP Prep Guide, Wiley, ISBN 0-471-41356-9
- William R. Cheswick and Steven M. Bellovin, Firewalls and Internet Security, Addison-Wesley, ISBN 0-201-63357-4
- Lance Spitzner, www.spitzner.net
  - White paper: Auditing Your Firewall Setup
  - White paper: Building Your Firewall Rule Base
- VicomSoft, www.firewall-software.com
  - White paper: Firewall