auditing firewalls-isaca · pdf filetufin, firewall, audit created date: 12/27/2011 11:29:32...
TRANSCRIPT
ISACA New York Metropolitan December 2011
Audi=ng Firewalls Michael Hamelin Chief Security Architect, Tufin
whoami
2
tufin.com/blog
/hackerjoe
• Michael Hamelin [email protected]
• Chief Security Architect, Tufin Technologies
• 16 Years in Security, Hacking, Networking
/in/Hamelin
/TufinTech
Why are Audits so difficult we need to cheat?
• Firewall Audits tradiGonally have been very difficult to
complete • Firewall Audits are oKen poorly defined
• Auditors tradiGonally are not technical individuals
• We are pressured to pass audits over building security
• We do what ever we need to get rid of the auditor
5
Engineering vs Audi=ng
• We build firewall policies for access • Rules • Users • Servers • Services
• Auditors try and protect businesses • Assets • Risks • People • Processes
• Access rules and assets don't usually match up
6
Auditors Don’t Trust Technology
• Truth is … Auditors don’t all want to learn technology…
• Auditors want to compare implementa=on to standards or to policy
• Technology minu=a can waste everyone’s =me
• Tools should understand technology
• Tools should allow ques=ons about policy
• Tools should allow ques=ons about business risk
7
Audi=ng by hand
• How long to Audit a firewall? • How long to Audit a Cisco router config?
Just READING over a large configuraGon • 65,000 lines is 1083 pages • 1083 pages is about 3249 mins • 3249 mins is roughly 54 hours. • … basically 8 days of work
How many mistakes will you miss in 54 hours?
8
Lifecycle of a firewall RuleBase
• We must make sure Audit is part of the rule lifecycle
• We also need to think about Risk Assessment and Compliance as part of the Design / Approval stages
9
Lets look at how firewall audits mature
• Level 1 • AudiGng like an engineer, rule by rule • Following fixed audit standards
• Level 2 • Looking at risks based on basic direcGons
• (Inbound vs Outbound) • Level 3
• Looking at the device configuraGons • Looking at people and processes
• Level 4 • Zone based risk assessment
• Level 5 • Compliance (asset) based assessments
10
Engineers Look at Firewall Audits like Engineers
• Level 1 -‐ We look for for rules with flaws
• Rules with ‘ANY’ • Rules with 3 ‘ANY’ fields • Rules with 2 ‘ANY’ fields • Rules with 1 ‘ANY’ field
• Rules with no comments • Rules with too many hosts/objects/services • Rules with services we don’t like, risky protocols
• Rules that are shadowed • Rules that are unused
12
Bad things we have learned to do
• Auditors look for ANY in a rule base.
• We have learned to place in negated objects
• We have learned to place in ‘IP Protocol’ instead of ANY
13
Automate Level 1
• Everything in the Level 1 Audi=ng can be automated today with tools on the market • Good (My minimum recommendaGon)
• Run the tests at least once a quarter • Beher
• Run the test once a month • Best
• Run the test on every change event in real Gme with triggers …
• Check Point gives us a safety net “Save Policy” • … we should use it to trigger our new analysis a_er a
Save and before an Install
15
Lets look at how firewall audits mature
• Level 1 • AudiGng like an engineer, rule by rule • Following fixed audit standards
• Level 2 • Looking at risks based on basic direcGons
• (Inbound vs Outbound) • Level 3
• Looking at the device configuraGons • Looking at people and processes
• Level 4 • Zone based risk assessment
• Level 5 • Compliance (asset) based assessments
16
Level 2
• Looking at rules with more intelligence • Are there any rules that violate our corporate security policy?
• Are there any rules that allow risky services inbound from the Internet? …while you may have a different list of what is considered “risky” for your company, most start with protocols that pass login creden?als in the clear like telnet, @p, pop, imap, hAp, netbios, etc…
• Are there any rules that allow risky services outbound to the Internet?
• Are there any rules that allow direct traffic from the Internet to the internal network (not the DMZ)?
17
Automate Level 2
• Everything in the Level 2 Audi=ng can be automated today with tools on the market
18
Lets look at how firewall audits mature
• Level 1 • AudiGng like an engineer, rule by rule • Following fixed audit standards
• Level 2 • Looking at risks based on basic direcGons
• (Inbound vs Outbound) • Level 3
• Looking at the device configuraGons • Looking at people and processes
• Level 4 • Zone based risk assessment
• Level 5 • Compliance (asset) based assessments
19
Level 3
• Looking at people and processes • Who made the changes • Why did they make them • Were they authorized to make them
• Looking at the device configura=ons • Physical configuraGons • OS configuraGons • Default firewall configuraGons
20
People and Processes
• Is the requester documented, and is s/he authorized to make firewall change requests?
• Is the business reason for the change documented? • Are there proper reviewer and approval signatures
(electronic or physical)? • Were the approvals recorded before the change was
implemented? • Are the approvers all authorized to approve firewall
changes (you will need to ask for a list of authorized individuals)?
• Are the changes well documented in the change =cket? • Is there documenta=on of risk analysis for each change? • Is there documenta=on of the change window and/or install
date for each change? • Is there an expira=on date for the change?
21
Device Audit vs Policy Audit
Devices Audits
• Checking services • Checking user accounts
• Checking soKware versions
• Checking SSH banners • Checking NTP servers • Checking …
any configuraGon
Policy Audits
• Dangerous protocols
• Unused policies • Risky flows • Unauthorized connecGons
• Checking … • Traffic vs Policy
22
Automate Level 3
• Much of Level 3 Audi=ng can be automated today with tools on the market
• Mastering Level 3 involves pudng in pace a solid workflow
23
Lets look at how firewall audits mature
• Level 1 • AudiGng like an engineer, rule by rule • Following fixed audit standards
• Level 2 • Looking at risks based on basic direcGons
• (Inbound vs Outbound) • Level 3
• Looking at the device configuraGons • Looking at people and processes
• Level 4 • Zone based risk assessment
• Level 5 • Compliance (asset) based assessments
24
Level 4
• Zone based risk assessment • Security tesGng based on your zones • …maybe it’s 3 zones • …maybe its more like 100 zones
• Traffic paeerns are defined by zones • Zones typically are defined by separate trust levels
25
Policies that allow risky services
• NIST and others standards have tried to define risks by protocol
• Truth is protocols alone are not a good indica=on of
the Risk
• Risk should include Data, network loca=on and direc=on of traffic
26
28
Internet
AT&T
Chase
SeaLand
B2B Router
DMZ Router
AT&T Hosted
Sealand Hosted
Chase Hosted
Internal Servers
172.30.8.16255.255.255.240
172.30.8.32255.255.255.240
172.30.8.48255.255.255.240
10.42.0.0255.255.252.0
10.40.42.8255.255.255.248
10.40.42.16255.255.255.248
10.42.40.16255.255.255.252
Lets look at some examples
• Connec=ons allowed from DMZ back to Internal
Networks
• Groups with ‘extra’ networks
• Mistyped netmask compromising confiden=ality
• Mul=ple firewalls passing the same risky flows
30
Lets look at how firewall audits mature
• Level 1 • AudiGng like an engineer, rule by rule • Following fixed audit standards
• Level 2 • Looking at risks based on basic direcGons
• (Inbound vs Outbound) • Level 3
• Looking at the device configuraGons • Looking at people and processes
• Level 4 • Zone based risk assessment
• Level 5 • Compliance (asset) based assessments
31
Level 5
Audi=ng by Policy Zones
• Take the zones concept up to the business level
• It is about protec=ng assets and data
• ConfidenGal Systems with Internet Accesses
• SPI databases with access from Internet or DMZ
• CriGcal Systems with risky protocol access
32
33
Internet
AT&T
Chase
SeaLand
B2B Router
DMZ Router
AT&T Hosted
Sealand Hosted
Chase Hosted
Internal Servers
172.30.8.16255.255.255.240
172.30.8.32255.255.255.240
172.30.8.48255.255.255.240
10.42.0.0255.255.252.0
10.40.42.8255.255.255.248
10.40.42.16255.255.255.248
10.42.40.16255.255.255.252