Firewall Documentation
Develop background information about the firewall(s) in place:
Segment diagrams
Software
Hardware
Routers
Version levels
Host names
IP addresses
Connections
Specific policies for an overview of the firewall security
Determine if the expectations/goals/strategies of the firewall have been identified and
are sound.
Firewall Logical Access
Ensure that logical access to the various components (routers, firewall software) of the
firewall solution is appropriately restricted to the individuals with authorized need for
such access.
Determine that the individuals who have log in capability to the firewall
components are appropriate.
Review access request forms for all personnel with log in
capability.
Review position descriptions for need to access.
Determine the password management features in place for applicable firewall
components and that the shadow password file (etc/security/password) is used.
Password management guidelines exist.
Passwords are required.
Passwords are not displayed.
Password is user maintainable.
Password parameters comply with defined university standards.
Login attempts limited to three and account then locked.
Login failures are logged.
User ids and passwords are encrypted across the network.
Automatic timeout feature exists.
Determine that logical connections to the firewall components are secured, e.g.,
encryption, IP restrictions for remote administration needs. Products such as
ssh (encryption connection) and TCP wrappers (IP restrictions) may be
appropriate.
Review for dial in access directly to the firewall server.
Determine if modems are automatically disconnected by the
system after a specified length of time of inactivity or if the
connection is broken.
Who has dial in access?
Who authorizes and approves dial in access?
Is this access reflected on approved access request forms?
What security mechanism is used to control dial in or remote
access?
Is there an audit trail (i.e. any reports) of dial in access and are
these reports reviewed?
Firewall Configuration
The firewall configuration in place should provide for an adequately maintained and
effective firewall. Repeat each step as applicable for each firewall component.
Determine that the firewall component logical/physical locations agree with the
firewall strategy.
Determine that the firewall components are on the latest possible version and security
patches.
Is there a patch ID that equates to a certain level of applied patches?
Determine if patches are applied bi-weekly. If not, why?
Determine that active services running on the firewall servers are appropriate.
Determine that only justified startup scripts are being utilized.
Determine if an appropriate banner is presented during telnet/ftp access.
Determine that all server accounts are individual accounts and that any use
of ROOT or Administrator account is not initiated directly.
Determine the appropriateness of any software on the server that is not part
of the default install of the server operating system.
Operating System Logs
Obtain the firewall operating system configuration for rejection and logging of activities.
Determine how the configurations were derived.
Review to determine the following system activities are logged:
Login (unsuccessful and successful),
Logout (successful),
Use of privileged commands (unsuccessful and successful),
Application and session initiation (unsuccessful and successful),
Use of print command (unsuccessful and successful),
Access control permission modification for users and security
parameters (unsuccessful and successful),
Unauthorized access attempts to files (unsuccessful),
System startup and shutdown (unsuccessful and successful),
All system logging and email is isolated to its own partition,
All attempts to gain root/administrator access (including su),
All dropped packets, denied connections, and rejected attempts,
Time, protocol, and user name for successful connections
through the firewall,
IP addresses,
Error messages from routers, bastion host, and proxying
programs.
Is summarization of logs performed?
For events that are logged, is the log parameter to record all the information
activated?
Document that logging results are monitored and follow-up actions are performed.
Determine how the system and firewall logs are rotated to reduce disk space problems.
Rotation should be automatic. Document the retention period.
If the ports or services are needed to administer the firewall, then a rule should be set up
that limits what source IPs can connect to them.
Test The Firewall
Attempt to port scan the firewall from both the internal network and the Internet,
scanning for ICMP, UDP, and TCP. There should be no open ports and the firewall
should not be able to be pinged.
Review and Test The Rule Base Design
Determine that a lockdown rule has been placed at the beginning of the rule base.
The lockdown rule protects the firewall, ensuring that whatever other rules you put in
later will not inadvertently compromise your firewall. If administrative access is
required, then a rule should be placed before the lockdown rule. All other rules should
go after the lockdown rule going from most restrictive to general rules. Review
remaining rules.
Obtain and review the connections table for time out limits and number of connections.
Timeout should be no longer than 15 minutes (900 secs).
Connections table should be set to a number that makes it difficult to fill up.
This will vary by placement of the firewall (suggested 50,000?).
Identify accessible resources behind the firewall that are to be encrypted
and determine that the connections are encrypted. This may require using
a sniffer to capture log in data to the firewall and traffic going through the
firewall.
Determine if there is a change control process in place for the rule base.
Note if the following information is included in the rule:
Name of the person modifying the rule
Date/time of the rule change
Reason for the rule change
Determine the use of the firewall's automatic notification alerting features and
archiving the detail intruder information to a database for future analysis.
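The rule base checks above (lockdown rule placement, administrative rules limited by source IP, the 900 second connection timeout and the change control fields) can be automated over an exported rule base. The following is an added example, not part of the original checklist; the rule schema, field names and sample rules are constructed for illustration.

```python
from datetime import datetime

MAX_TIMEOUT_SECS = 900  # checklist limit: 15 minutes
CHANGE_FIELDS = ("modified_by", "modified_at", "reason")  # hypothetical field names

# Constructed sample rule base in evaluation order (hypothetical schema).
RULES = [
    {"name": "admin-ssh", "src": "10.0.5.10", "dst": "firewall", "action": "accept",
     "modified_by": "jdoe", "modified_at": "2024-03-01T09:30", "reason": "remote admin"},
    {"name": "lockdown", "src": "any", "dst": "firewall", "action": "drop",
     "modified_by": "jdoe", "modified_at": "2024-03-01T09:31", "reason": "protect firewall"},
    {"name": "web-in", "src": "any", "dst": "192.0.2.20", "action": "accept",
     "modified_by": "", "modified_at": "2024-13-01", "reason": "public web"},
    {"name": "late-admin", "src": "any", "dst": "firewall", "action": "accept",
     "modified_by": "asmith", "modified_at": "2024-04-02T14:00", "reason": "temp"},
]

def is_lockdown(rule):
    """Lockdown rule: drop everything addressed to the firewall itself."""
    return (rule["src"], rule["dst"], rule["action"]) == ("any", "firewall", "drop")

def audit_rule_base(rules, conn_timeout_secs):
    """Return a list of findings for rule order, admin scoping and change control."""
    findings = []
    lock = next((i for i, r in enumerate(rules) if is_lockdown(r)), None)
    if lock is None:
        findings.append("no lockdown rule protects the firewall")
    for i, r in enumerate(rules):
        admin = r["dst"] == "firewall" and r["action"] == "accept"
        if admin and lock is not None and i > lock:
            findings.append(f"{r['name']}: administrative rule placed after the lockdown rule")
        if admin and r["src"] == "any":
            findings.append(f"{r['name']}: administrative access not limited by source IP")
        if lock is not None and i < lock and not admin:
            findings.append(f"{r['name']}: non-administrative rule precedes the lockdown rule")
        for field in CHANGE_FIELDS:
            if not r.get(field):
                findings.append(f"{r['name']}: missing change-control field '{field}'")
        if r.get("modified_at"):
            try:
                datetime.fromisoformat(r["modified_at"])
            except ValueError:
                findings.append(f"{r['name']}: change date/time is not a valid timestamp")
    if conn_timeout_secs > MAX_TIMEOUT_SECS:
        findings.append(f"connection timeout {conn_timeout_secs}s exceeds {MAX_TIMEOUT_SECS}s")
    return findings

if __name__ == "__main__":
    for finding in audit_rule_base(RULES, conn_timeout_secs=3600):
        print(finding)
```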
Firewall Application Logs
Separate partitioning for the firewall logging should be considered. This may be in the
form of a separate partition on the same server, a second server drive, mirroring to the
disaster recovery site, or centralized logging facility.
Physical Security
Physical access to the various components (routers, firewall software) of the firewall
solution is appropriately restricted to the individuals with an authorized need for access.
Document and explain the lines connected to the firewall hardware for
reasonableness.
Obtain a schematic of the lines connected to the applicable
firewall hardware.
Discuss with the appropriate staff the purpose of each line.
Determine the physical security of the area where the firewall hardware is located.
Continuity of Operations
Adequate precautions should exist to minimize the effects of a disaster on the routine
business operations and processing.
Determine the level, if any, of fault tolerance (e.g. mirroring of data) that has
been implemented for the firewall server.
Redundant components should be installed where critical failure points
exist, or spare parts should be on site.
Discuss with the appropriate staff the procedures/components
in place.
Use the hardware and software configuration information to
identify hardware and software in place which provide redundancy
and back up.
Identify the firewall's single point of failure, if any, and plans that exist to
address the situation(s).
Discuss with the appropriate staff the procedures/components
in place.
Determine that the retention and rotation of the backed up server software and
data files, and the rotation rationale for the software, have been adequately
addressed to integrate with any disaster recovery plan.
Obtain and review a schedule of the retention periods for the
firewall's software components and a schedule of the rotation
cycle of the firewall's software.
Determine where the tapes are sent for off site storage.
Determine that the disaster recovery plan includes the firewall server.
Obtain and review the disaster recovery plan to determine the
firewall is included.