Firewall Wizards: Re: Auditing a firewall rulebase

Re: Auditing a firewall rulebase

From: Darden, Patrick S. <darden_at_armc.org>
Date: Mon, 19 May 2008 15:53:04 -0400

Here's my two cents:

-Look for a default deny.
-Make sure all rules are performance-based, e.g. most-hit rule first in line, etc., to cut down on CPU and bandwidth.

--Patrick Darden

-----Original Message-----
From: firewall-wizards-bounces_at_listserv.icsalabs.com
[mailto:firewall-wizards-bounces_at_listserv.icsalabs.com]On Behalf Of
arvind doraiswamy
Sent: Wednesday, May 14, 2008 11:19 AM
To: firewall-wizards_at_listserv.icsalabs.com
Subject: [fw-wiz] Auditing a firewall rulebase

Hey Guys,
What parameters would you look for if you audited a large rulebase for
an enterprise firewall? These are a few I could think of. Anything
else that you guys consistently look at when managing/auditing your
firewalls? Do take note that I'm talking just singularly about the
rule-base and not other configuration information, i.e. I'm not looking
at things like -- low console session timeout OR Telnet admin
interface open etc. I'm looking at just the rulebase this time around.
Here are my parameters:

Rules which have "any" or an equivalent keyword in them
Rules where an entire subnet has been granted access to a resource
Rules where a range of IP addresses has been granted access to a resource
Rules where a large range of ports has been opened to an IP Address / Addresses
Rules where there are design issues in the protocol itself, e.g. unencrypted traffic
Rules which are redundant and can be removed from the rulebase

Thanks
Arvind
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on May 20 2008
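The checks Arvind lists (any, whole subnets, address ranges, wide port ranges, cleartext protocols, redundant rules) plus Patrick's default-deny check, turned into a small rulebase auditor. This is an added example, not code from either poster; the rule tuple format, the sample rulebase and the threshold of 100 ports are all assumptions, and Patrick's hit-count ordering is not modeled because it needs counters the rulebase alone does not carry.

```python
import ipaddress
# Constructed sample rulebase, not from the thread: (number, src, dst, ports, service, action)
RULES = [
    (1, "10.1.1.5/32", "10.2.0.0/16", "23", "telnet", "allow"),
    (2, "10.1.1.0/24", "10.2.5.9/32", "443", "https", "allow"),
    (3, "10.1.1.10-10.1.1.50", "10.2.5.9/32", "1024-65535", "tcp", "allow"),
    (4, "any", "10.2.5.9/32", "443", "https", "allow"),
    (5, "10.1.1.0/24", "10.2.5.9/32", "443", "https", "allow"),
    (6, "any", "any", "any", "any", "deny"),
]
CLEARTEXT = {"telnet", "ftp", "http", "snmp", "pop3", "imap"}  # unencrypted by design

def hosts(spec):  # addresses covered by "any", a CIDR, or an "a-b" range
    if spec == "any":
        return 2 ** 32
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return int(hi) - int(lo) + 1
    return ipaddress.ip_network(spec, strict=False).num_addresses

def port_count(ports):  # ports covered by "any", "n", or "n-m"
    if ports == "any":
        return 65536
    lo, _, hi = ports.partition("-")
    return int(hi or lo) - int(lo) + 1

def audit(rules, max_ports=100):
    """Return (rule number, finding) pairs; rule 0 stands for the whole rulebase."""
    findings, seen = [], set()
    for num, src, dst, ports, svc, action in rules:
        key = (src, dst, ports, svc, action)
        if key in seen:  # exact repeat of an earlier rule: never matched, remove it
            findings.append((num, "redundant duplicate"))
        seen.add(key)
        if action != "allow":  # the access-granting checks only apply to permits
            continue
        if "any" in (src, dst, ports):
            findings.append((num, "uses any"))
        for spec in (src, dst):
            if "-" in spec:
                findings.append((num, "IP address range"))
            elif spec != "any" and hosts(spec) > 1:
                findings.append((num, "entire subnet"))
        if port_count(ports) > max_ports:
            findings.append((num, "large port range"))
        if svc in CLEARTEXT:
            findings.append((num, "cleartext protocol"))
    if not rules or rules[-1][1:] != ("any", "any", "any", "any", "deny"):
        findings.append((0, "no default deny"))  # Patrick's check
    return findings
```

Running `audit(RULES)` flags rule 5 as a duplicate of rule 2 and rule 3 for both its address range and its 64512-port span; dropping the final rule adds the "no default deny" finding.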
