Firewall Auditing Sean K. Lowder CISSP / MCSE / CCNA

Sean K. Lowder CISSP ©20072 Bio Currently employed at Blue Cross Blue Shield of Louisiana as the Information Security Manager. I’ve been in the computer industry for 17 years, and has specialized in information security for the last 10 years. I have various industry certifications, including Certified Information Systems Security Professional (CISSP), Certified Novell Engineer (CNE), Microsoft Certified Systems Engineer (MCSE), and Cisco Certified Network Associate (CCNA). I received my BS in Information Technology from University of Phoenix. Previously I’ve directed various projects in the Information Security arena including financial institution penetration testing, Firewall and Virtual Private Network (VPN) configuration, design and deployment. I have extensive experience in preparing for SAS70, HIPAA and financial auditing for all information security areas.

Sean K. Lowder CISSP ©20073 What is a firewall? A firewall is a device or collection of components placed between two networks that collectively have the following properties: All traffic from inside to outside, and vice-versa, must pass through the firewall. Only authorized traffic, as defined by the local security policy, will be allowed to pass.

Sean K. Lowder CISSP ©20074 Firewall Types First Generation Packet Filtering Firewalls Second Generation Stateful Inspection Firewalls Third Generation Application (Proxy) Firewalls Forth Generation Kernel Proxy technology “Deep packet” inspection IDS / IPS capabilities

Sean K. Lowder CISSP ©20075 Defining Audit Scope Firewall Documentation Approval Procedures and Process Firewall Rule Base VPN Layer Seven Switching Internal Testing External Testing

Sean K. Lowder CISSP ©20076 Firewall Auditing Methodology Phases I. Gather Documentation II. The Firewall III. The Rule Base IV. Testing and Scanning V. Maintenance and Monitoring

Sean K. Lowder CISSP ©20077 Phase I - Gather Documentation Security Policy Change Control Procedures Administrative Controls Network Diagrams IP Address Scheme Firewall Locations IPS Capable?

Sean K. Lowder CISSP ©20078 Phase I - Gather Documentation Firewall Vendor Software Version and Patch Level Hardware Platform Operating System Version and Patch Level Administrator training and knowledge

Sean K. Lowder CISSP ©20079 Phase II – The Firewall Three “A’s” Authentication Local / Remote Access Logical / Physical Auditing (logs) Local / Remote OS Hardening

Sean K. Lowder CISSP © Phase III – The Rule Base Based on the Organization’s Security Policy Review each rule Business reason Owner Host devices Service Ports Simplicity is the key Most restrictive and least access

Sean K. Lowder CISSP © Phase III – The Rule Base Rule order (first out) Administration Rule ICMP Rule Stealth Rule Cleanup Rule Egress Rules Logging

Sean K. Lowder CISSP © Phase IV – Testing & Scanning Determine & Set Expectations Scan the firewall Nmap Firewalk Scan host behind the firewall Nessus ISS Ensure results match expectations

Sean K. Lowder CISSP © Phase V – Maintenance & Monitoring Change Management and Approval Is the process documented? Is the process being followed? Is there evidence of process? Disaster Recovery Plan Formal? Backup and Recovery Procedures Firewall Logs Reviews Storage and archival

Sean K. Lowder CISSP © Demo

Sean K. Lowder CISSP © Questions???

Sean K. Lowder CISSP © References and Additional Resources The CISSP Prep Guide Ronald L. Krutz & Russell Dean Vines Wiley Publishers ISBN Firewalls and Internet Security William R. Cheswick and Steven M. Bellovin Addison-Wesley Publishing Company ISBN Lance Spitzner White Paper - Auditing your Firewall Setup White Paper - Building your Firewall Rule base VicomSoft White Paper – Firewall