
Firewall Auditing

Sean K. Lowder
CISSP / MCSE / CCNA
Sean.Lowder@bcbsla.com

Bio

Currently employed at Blue Cross Blue Shield of Louisiana as the Information Security Manager.

I've been in the computer industry for 17 years, and have specialized in information security for the last 10 years. I have various industry certifications, including Certified Information Systems Security Professional (CISSP), Certified Novell Engineer (CNE), Microsoft Certified Systems Engineer (MCSE), and Cisco Certified Network Associate (CCNA). I received my BS in Information Technology from University of Phoenix.

Previously I've directed various projects in the Information Security arena including financial institution penetration testing, Firewall and Virtual Private Network (VPN) configuration, design and deployment.

I have extensive experience in preparing for SAS70, HIPAA and financial auditing for all information security areas.

Sean K. Lowder CISSP 2007

What is a firewall?

A firewall is a device or collection of components placed between two networks that collectively have the following properties:

- All traffic from inside to outside, and vice-versa, must pass through the firewall.
- Only authorized traffic, as defined by the local security policy, will be allowed to pass.

Firewall Types

- First Generation: Packet Filtering Firewalls
- Second Generation: Application (Proxy) Firewalls
- Third Generation: Stateful Inspection Firewalls
- Fourth Generation:
  - Kernel Proxy technology
  - Deep packet inspection
  - IDS / IPS capabilities

Defining Audit Scope

- Firewall
- Documentation
- Approval Procedures and Process
- Firewall Rule Base
- VPN
- Layer Seven Switching
- Internal Testing
- External Testing

Firewall Auditing Methodology

Phases
I. Gather Documentation
II. The Firewall
III. The Rule Base
IV. Testing and Scanning
V. Maintenance and Monitoring

Phase I - Gather Documentation

- Security Policy
- Change Control Procedures
- Administrative Controls
- Network Diagrams
- IP Address Scheme
- Firewall Locations
- IPS Capable?
- Firewall Vendor
- Software Version and Patch Level
- Hardware Platform
- Operating System Version and Patch Level
- Administrator training and knowledge

Phase II - The Firewall

Three As
- Authentication
  - Local / Remote
- Access
  - Logical / Physical
- Auditing (logs)
  - Local / Remote

OS Hardening

Phase III - The Rule Base

- Based on the Organization's Security Policy
- Review each rule
  - Business reason
  - Owner
  - Host devices
  - Service Ports
- Simplicity is the key
- Most restrictive and least access
- Rule order (first out)
  - Administration Rule
  - ICMP Rule
  - Stealth Rule
  - Cleanup Rule
  - Egress Rules
- Logging
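One way to mechanise the rule-base checks from the Phase III slides (owner and business reason per rule, most restrictive access, the administration rule ahead of the stealth rule, a logged cleanup rule at the end), as an added Python example that is not part of the presentation. The rule fields, the rule() helper and the constructed sample rule base are this example's own assumptions, not any vendor's export format.

```python
ANY = "any"

def rule(name, src, dst, service, action, log=True, owner="netsec", reason="documented"):
    """Build one rule dict; the keys are this example's convention, not a vendor format."""
    return dict(name=name, src=src, dst=dst, service=service,
                action=action, log=log, owner=owner, reason=reason)

def audit_rule_base(rules):
    """Return audit findings (strings) for an ordered rule base; first match wins."""
    findings = []
    for i, r in enumerate(rules, 1):
        # Review each rule: business reason and owner must be documented
        for field in ("owner", "reason"):
            if not r[field]:
                findings.append(f"rule {i} ({r['name']}): missing {field}")
        # Most restrictive and least access: an accept that is open on an
        # endpoint and on the service cannot be tied to one business need
        if r["action"] == "accept" and ANY in (r["src"], r["dst"]) and r["service"] == ANY:
            findings.append(f"rule {i} ({r['name']}): overly permissive accept")
        # Logging: a drop that is not logged leaves nothing to review in Phase V
        if r["action"] == "drop" and not r["log"]:
            findings.append(f"rule {i} ({r['name']}): drop without logging")
    names = [r["name"] for r in rules]
    # Rule order: the administration rule must precede the stealth rule,
    # otherwise the stealth rule drops the administrators' own management traffic
    if "stealth" not in names:
        findings.append("no stealth rule protecting the firewall itself")
    elif "admin" in names and names.index("admin") > names.index("stealth"):
        findings.append("admin rule is after the stealth rule; management traffic will be dropped")
    # Cleanup rule: the rule base must end with an explicit any/any/any drop
    last = rules[-1] if rules else None
    if last is None or (last["src"], last["dst"], last["service"], last["action"]) != (ANY, ANY, ANY, "drop"):
        findings.append("rule base does not end with an any/any/any cleanup drop")
    return findings

# Constructed sample rule base (not from any real firewall) with deliberate defects
SAMPLE_RULES = [
    rule("stealth", ANY, "firewall", ANY, "drop"),
    rule("admin", "mgmt-net", "firewall", "ssh", "accept"),
    rule("web", ANY, "dmz-web", "http", "accept", owner=""),
    rule("legacy", ANY, ANY, ANY, "accept", reason=""),
    rule("cleanup", ANY, ANY, ANY, "drop", log=False),
]

if __name__ == "__main__":
    for finding in audit_rule_base(SAMPLE_RULES):
        print(finding)
```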

Phase IV - Testing & Scanning

- Determine & Set Expectations
- Scan the firewall
  - Nmap
  - Firewalk
- Scan hosts behind the firewall
  - Nessus
  - ISS
- Ensure results match expectations

Phase V - Maintenance & Monitoring

- Change Management and Approval
  - Is the process documented?
  - Is the process being followed?
  - Is there evidence of process?
- Disaster Recovery Plan
  - Formal?
  - Backup and Recovery Procedures
- Firewall Logs
  - Reviews
  - Storage and archival

Demo

Questions???

References and Additional Resources

The CISSP Prep Guide
Ronald L. Krutz & Russell Dean Vines
Wiley Publishers
ISBN 0-471-41356-9

Firewalls and Internet Security
William R. Cheswick and Steven M. Bellovin
Addison-Wesley Publishing Company
ISBN 0-201-63357-4

Lance Spitzner
www.spitzner.net
White Paper - Auditing your Firewall Setup
White Paper - Building your Firewall Rule base

VicomSoft
www.firewall-software.com
White Paper - Firewall
