Bob's Blogs

Another brick in the (fire)wall (Top 10 list for those who run a firewall)

Well, it's almost firewall review time, so it seemed like a good idea to inflict this stuff on everyone else, so that you can share in the joy (or misery -- take your choice) of the process.

Firewall policies tend to be as varied as the organizations that implement them, but there are several general guidelines that make the process a little more structured and help prevent "rule rot" from setting in too deeply. Most of you probably immediately understood what rule rot was even if you've never heard the term before. For the rest of you though: Rule rot is what happens when new rules, exceptions, objects, etc., are applied to a firewall without first looking at what is already in place to maintain a consistent structure. At some point someone realizes that it's become an unmanageable nightmare.

I'm making the assumption of a GUI interface such as Checkpoint, Juniper, iPolicy and such. If you are using a Pix, router ACL, or other text-/console-driven management method, then you'll have to add comments to the configuration commands in a master document, and keep everything up to date in the master document no matter what!.

Consider this to be the Top 10 things to think about when running a firewall. It's not complete or perfect. But it will save you a lot of time and trouble if kept up. If rule rot has already crept in, then start at step 10 and work backwards.

1) Who wants the rule? What manager and techie are responsible for it? In various places, I've implemented a policy that anyone who wants an exception or new rule needs to provide written approval (e-mail is fine) from a manager at director level or higher. This doesn't represent too great an obstacle, but just enough to keep frivolous requests (and you WILL get frivolous requests) to a minimum, while not interfering with business.

2) For each rule and accompanying objects (name/IP address, etc.): Get and maintain the management and technical name and contact. If possible, put those names in a comment field with the object in the actual configuration itself. If the rule is unique to an individual group, then put the contact information in the rule comment itself.

3) For temporary or test rules (I've seen "temporary" rules that have been in place for years), put an expiration date in the comment field in addition to the contact.

4) Group like services together. All inbound Web servers should be in a single group with the relevant ports (usually 80 and/or 443).

5) Discourage non-standard ports without good reason. "I want to make it less likely for hackers and bots to find my Web page" is not a good reason. We tell those people that we will be happy to perform a Nessus vulnerability scan on their server to see if it meets acceptable minimums. Alternately, we suggest that they implement user IDs and passwords.

6) Discourage "I need all (65,000-odd) ports open because I have no idea what's really required" type of requests. For these, you can create a temporary rule (see #3), and then track the logs with the services in use to see what is actually needed. Then go back and tighten it down.

7) For legitimate non-standard port usage, consider grouping the oddball systems together under a single rule. In one sense, this violates the principle of allowing no access that is not absolutely necessary. But, if you check all relevant systems first (port scan them) and only one responds on TCP/7000 (and the others don't) and only two others (properly) respond only on port 24555, then you may able to group them into an "oddball" rule safely. Just make sure that you recheck all of them every time you add a new non-standard port.

8) Many people will want special inbound access to their desktops. This sort of request can take the form of Telnet, SSH, Remote Desktop/Terminal Server, PCAnywhere, GoToMyPC, Mionet, VNC, LapLink, various databases and probably a whole host of other things. The answer is: "No. Implement a VPN." By the way, for those of you not familiar with it, Mionet is a relative newcomer to the scene. It not only allows remote desktop access, it also allows the user to "share resources" with those of his or her choosing. If this scenario doesn't scare you, you haven't spent enough time in security. By the way, technically speaking, GoToMyPc and Mionet are outbound applications, but the direction of access is inward.

9) Many enterprises simply allow all outbound connections without further restriction. There is very little reason to do this, and lots of reasons not to. First off, the overwhelming majority of traffic these days is HTTP and its partner HTTPS on well-known ports. If policy permits, you can allow SSH, FTP (active and passive), POP3 (dubious, as it can bypass anti-virus protections), SMTP (what's wrong with the regular mail server?), various forms of IM (Instant Messaging, in the forms of AIM, MSN, Yahoo, et al). Peer-to-peer (P2P) file sharing? Not on a bet. The college I help out gets LOTS of e-e-mail from the RIAA (Recording Industry Association of America), DMCA (Digital Millennium Copyright Association) and other copyright-protective trade groups who will provide a polite warning before serving a summons. You don't want your employer to have a "CNN moment." They are not much fun.

10) Having inflicted all of this on you, it's now expected that you will keep it up. Pick your interval (weekly, monthly, quarterly, semi-annually or annually), put it in your (common?) calendar application and review everything. Specifically the following:

  • For every object defined, validate that the contact names, numbers and e-mail addresses are still valid. Don't just look at them, call each and every person to make sure they are still part of your organization, haven't changed roles (promotions, moves, etc.) and still have responsibility for the object in question.
  • At the same time, verify and validate that the object and/or services to it still exist and are still needed. You might be surprised how many firewall holes I've found for servers that died years ago. Or for departments that got reorganized out of existence.
  • For all temporary/test rules, find out if they are still needed.
  • Ask the owners of these systems when was the last time the systems were updated for OS, application, antivirus, etc. Ask for a specific date.
  • Consider scheduled Nessus scans, but that's out of the scope of this blog.
  • Make all comments reflect the new data. I love to keep copies of configurations on my system, or a central server, but if we all get hit by a bus, the only copy of the configuration visible to the rest of the IT organization is the one sitting on the firewall itself. And that is where someone new is going to have to start.
Meeting Network Security & Control Requirements: (408) 395-3921