TheusernameAnon

SANS FireWall Checklist

Mar 21st, 2017
************************SANS FireWall Checklist**************************
________________________________________________________________________
Review the rulesets to ensure that they follow the order below:
• Anti-spoofing filters (block private addresses and internal addresses
appearing from the outside)
• User permit rules (e.g. allow HTTP to the public web server)
• Management permit rules (e.g. SNMP traps to the network
management server)
• Noise drops (e.g. discard OSPF and HSRP chatter)
• Deny and alert (alert the systems administrator about traffic that is
suspicious)
• Deny and log (log the remaining traffic for analysis)
Firewalls operate on a first-match basis, so the order above matters: if a
permit rule sits ahead of the anti-spoofing filter, a spoofed packet that
matches the permit is accepted before the filter ever sees it, and suspicious
traffic is let in instead of kept out.
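The first-match effect described above, shown as an added example (this is not code from the SANS checklist). It models the six rule classes in the checklist's order, then moves the user permit ahead of the anti-spoofing filter and evaluates the same spoofed packet against both orders. The interface names, the 10.0.0.0/8 internal range, the public web server 203.0.113.10, the management host 10.0.0.20 and the sample packets are assumptions chosen for illustration.

```python
"""First-match ruleset simulation.

Added example for this checklist (not part of the SANS document). The interface
names, address ranges and server addresses below are assumptions chosen for
illustration; the rule order is the one the checklist prescribes.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # assumed internal range (RFC 1918)
PUBLIC_WEB = ipaddress.ip_address("203.0.113.10")     # assumed public web server (TEST-NET-3)
MGMT_SERVER = ipaddress.ip_address("10.0.0.20")       # assumed network management host


@dataclass(frozen=True)
class Packet:
    iface: str          # "ext" = arrived on the Internet-facing interface, "int" = internal
    proto: str          # "tcp", "udp", "ospf", "hsrp"
    src: str
    dst: str
    dport: int = 0


def _ip(addr):
    return ipaddress.ip_address(addr)


# One predicate per rule class, in the checklist's order.
def anti_spoof(p):
    # internal/private source addresses appearing from the outside
    return p.iface == "ext" and _ip(p.src) in INTERNAL_NET


def user_permit(p):
    # allow HTTP to the public web server
    return p.proto == "tcp" and _ip(p.dst) == PUBLIC_WEB and p.dport == 80


def mgmt_permit(p):
    # SNMP traps from internal devices to the management server
    return p.iface == "int" and p.proto == "udp" and _ip(p.dst) == MGMT_SERVER and p.dport == 162


def noise(p):
    return p.proto in ("ospf", "hsrp")


def suspicious(p):
    # assumption: anything from outside aimed at the management server is alert-worthy
    return p.iface == "ext" and _ip(p.dst) == MGMT_SERVER


CHECKLIST_ORDER = [
    ("anti-spoofing",     anti_spoof,     "deny-log"),
    ("user permit",       user_permit,    "permit"),
    ("management permit", mgmt_permit,    "permit"),
    ("noise drop",        noise,          "deny"),
    ("deny and alert",    suspicious,     "deny-alert"),
    ("deny and log",      lambda p: True, "deny-log"),   # catch-all, must stay last
]

# The same rules with the user permit moved ahead of the anti-spoofing filter.
PERMIT_FIRST_ORDER = [CHECKLIST_ORDER[1], CHECKLIST_ORDER[0]] + CHECKLIST_ORDER[2:]


def evaluate(rules, packet):
    """Return (rule name, action) of the first rule that matches; later rules are never consulted."""
    for name, predicate, action in rules:
        if predicate(packet):
            return name, action
    raise ValueError("ruleset has no catch-all rule")


if __name__ == "__main__":
    # constructed packet: private source address arriving from the Internet, aimed at the web server
    spoofed = Packet("ext", "tcp", "10.1.2.3", "203.0.113.10", 80)
    print("checklist order :", evaluate(CHECKLIST_ORDER, spoofed))     # ('anti-spoofing', 'deny-log')
    print("permit first    :", evaluate(PERMIT_FIRST_ORDER, spoofed))  # ('user permit', 'permit')
```

Because evaluation stops at the first hit, the only thing that changes between the two runs is the position of the permit rule; the spoofed packet is logged and dropped under the checklist order and silently accepted under the permit-first order.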
2. Application based firewall
Ensure that the administrators monitor any attempts to violate the security
policy using the audit logs generated by the application level firewall.
Alternatively, some application level firewalls can log to an intrusion
detection system. In that case ensure that the correct host, i.e. the one
running the IDS, is defined in the application level firewall.
Ensure that there is a process to keep the vulnerabilities checked by the
application level firewall current.
Ensure that there is a process to update the software with the latest attack
signatures.
If the signatures are downloaded from the vendor's site, ensure that it is a
trusted site.
If the signatures are e-mailed to the systems administrator, ensure that
digital signatures are used to verify the vendor and that the information
has not been modified en route.
The following commands should be blocked for SMTP at the application level
firewall:
• EXPN (expand)
• VRFY (verify)
• DEBUG
• WIZARD
The following command should be blocked for FTP:
• PUT (on the wire the client sends STOR for an upload, so the filter must
match STOR, not the user-level command name)
Review the denied URLs and ensure that they are appropriate, e.g. any URLs to
hacker sites should be blocked. In some instances organisations may want to
block access to x-rated sites or other harmful sites, and would then subscribe
to services that maintain listings of such sites. Ensure that the URLs to deny
are updated as those services release them.
Ensure that only authorised users are authenticated by the application level
firewall.
3. Stateful inspection
Review the state tables to ensure that appropriate rules are set up in terms of
source and destination IPs, source and destination ports, and timeouts.
Ensure that the timeouts are appropriate so as not to give an attacker too much
time to launch a successful attack.
For URLs:
• If a URL filtering server is used, ensure that it is appropriately
defined in the firewall software. If the filtering server is external to
the organisation, ensure that it is a trusted source.
• If the URL list comes from a file, ensure that the file is adequately
protected against unauthorised modification.
Ensure that traffic containing scripts, ActiveX and Java applets is stripped
before it is allowed into the internal network.
If filtering on MAC addresses is used, review the filters to ensure that they
are restricted to the appropriate MACs as defined in the security policy.
4. Logging
Ensure that logging is enabled and that the logs are reviewed to identify any
patterns that could indicate an attack.
5. Patches and updates
Ensure that the latest patches and updates for your firewall product are
tested and installed.
If patches and updates are automatically downloaded from the vendor's
website, ensure that the update is received from a trusted site.
If patches and updates are e-mailed to the systems administrator, ensure that
digital signatures are used to verify the vendor and that the information has
not been modified en route.
6. Location – DMZ
Ensure that there are two firewalls: one between the web server and the
Internet and the other between the web server and the internal network.
Where two firewalls are used, ensure that they are of different types and that
dual NICs are used. This increases security because an attacker would need to
know the strengths, weaknesses and bugs of both products.
The rulesets of the two firewalls differ according to their location, i.e.
between the web server and the Internet, and between the web server and the
internal network.
7. Vulnerability assessments/Testing
Ascertain whether there is a procedure to test for open ports using nmap and
whether unnecessary ports are closed.
Ensure that there is a procedure to test rulesets when they are established or
changed, so that a change neither causes a denial of service for the
organisation nor lets a weakness continue undetected.
8. Compliance with security policy
Ensure that the ruleset complies with the organisation's security policy.
9. Ensure that the following spoofed, private (RFC 1918) and illegal addresses
are blocked:
Standard unroutables
• 255.255.255.255 (limited broadcast)
• 127.0.0.0 (loopback, 127.0.0.0/8)
Private (RFC 1918) addresses
• 10.0.0.0 – 10.255.255.255
• 172.16.0.0 – 172.31.255.255
• 192.168.0.0 – 192.168.255.255
Reserved addresses
• 240.0.0.0 (240.0.0.0/4)
Illegal addresses
• 0.0.0.0 (0.0.0.0/8)
UDP echo
ICMP broadcast (directed broadcast, RFC 2644)
Ensure that traffic from the above addresses is neither accepted nor
transmitted by the interface.
10. Ensure that loose source routing and strict source routing (the LSRR and
SSRR IP options) are blocked and logged by the firewall.
11. Port restrictions
The following ports should be blocked:
Service                                    Port Type    Port Number
DNS zone transfers (except from external   TCP          53
  secondary DNS servers)
TFTP daemon                                UDP          69
Link                                       TCP          87
SUN RPC                                    TCP & UDP    111
BSD UNIX r-services                        TCP          512 – 514
LPD                                        TCP          515
UUCPD                                      TCP          540
Open Windows                               TCP & UDP    2000
NFS                                        TCP & UDP    2049
X Windows                                  TCP & UDP    6000 – 6255
Small services                             TCP & UDP    20 and below
FTP                                        TCP          21
SSH                                        TCP          22
Telnet                                     TCP          23
SMTP (except external mail relays)         TCP          25
Time protocol (RFC 868; not NTP)           TCP & UDP    37
Finger                                     TCP          79
HTTP (except to external web servers)      TCP          80
POP                                        TCP          109 & 110
NNTP                                       TCP          119
NTP                                        TCP & UDP    123
MS RPC endpoint mapper (Windows NT)        TCP & UDP    135
NetBIOS name/datagram (Windows NT)         UDP          137 & 138
NetBIOS session                            TCP          139
IMAP                                       TCP          143
SNMP                                       TCP          161 & 162
SNMP                                       UDP          161 & 162
BGP                                        TCP          179
LDAP                                       TCP & UDP    389
SSL (except to external web servers)       TCP          443
SMB over TCP (Windows 2000 and later)      TCP & UDP    445
Syslog                                     UDP          514
SOCKS                                      TCP          1080
Cisco AUX port                             TCP          2001
Cisco AUX port (stream)                    TCP          4001
lockd (Linux DoS vulnerability)            TCP & UDP    4045
Cisco AUX port (binary)                    TCP          6001
Common high-order HTTP ports               TCP          8000, 8080, 8888
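A way to turn item 7 (the nmap procedure) and the table in item 11 into a repeatable check, added here as an example and not part of the SANS checklist: parse `nmap -oG` (grepable) output and flag every open port that the table says to block, minus an explicit allow list for the "except" cases such as a public web server's 80 and 443. The block list is transcribed from the table above; the scan output embedded below is a constructed sample for an assumed host 203.0.113.10, not a real scan.

```python
"""Audit nmap grepable output against the checklist's port block list.

Added example for items 7 and 11 (not part of the SANS document). The table is
transcribed from item 11; the scan output below is a constructed sample, not a
real scan result.
"""
import re

# service | protocols | ports (single port, a-b range, or comma-separated list)
CHECKLIST_TABLE = """\
Small services|tcp,udp|1-20
FTP|tcp|21
SSH|tcp|22
Telnet|tcp|23
SMTP (except external mail relays)|tcp|25
Time|tcp,udp|37
DNS zone transfers (except external secondaries)|tcp|53
TFTP daemon|udp|69
Finger|tcp|79
HTTP (except to external web servers)|tcp|80
Link|tcp|87
POP|tcp|109,110
SUN RPC|tcp,udp|111
NNTP|tcp|119
NTP|tcp,udp|123
MS RPC endpoint mapper|tcp,udp|135
NetBIOS|udp|137,138
NetBIOS|tcp|139
IMAP|tcp|143
SNMP|tcp,udp|161,162
BGP|tcp|179
LDAP|tcp,udp|389
SSL (except to external web servers)|tcp|443
SMB over TCP|tcp,udp|445
BSD UNIX r-services|tcp|512-514
Syslog|udp|514
LPD|tcp|515
UUCPD|tcp|540
SOCKS|tcp|1080
Open Windows|tcp,udp|2000
Cisco AUX port|tcp|2001
NFS|tcp,udp|2049
Cisco AUX port (stream)|tcp|4001
lockd|tcp,udp|4045
X Windows|tcp,udp|6000-6255
Cisco AUX port (binary)|tcp|6001
Common high-order HTTP ports|tcp|8000,8080,8888
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")   # port/state/proto/ entries in the -oG "Ports:" field


def parse_table(text=CHECKLIST_TABLE):
    """Return [(service, {protocols}, low, high)] from the pipe-separated table."""
    rules = []
    for line in text.strip().splitlines():
        service, protos, ports = line.split("|")
        for part in ports.split(","):
            lo, _, hi = part.partition("-")
            rules.append((service, set(protos.split(",")), int(lo), int(hi or lo)))
    return rules


def parse_grepable(text):
    """Return [(host, port, proto)] for every port that nmap -oG reports as open."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                found.append((host, int(port), proto))
    return found


def audit(grepable, allowed=frozenset()):
    """Open ports the checklist says to block, minus explicit (proto, port) exceptions.

    Returns [(host, port, proto, matching service labels)] in scan order.
    """
    rules = parse_table()
    findings = []
    for host, port, proto in parse_grepable(grepable):
        if (proto, port) in allowed:
            continue
        labels = [svc for svc, protos, lo, hi in rules if proto in protos and lo <= port <= hi]
        if labels:
            findings.append((host, port, proto, "; ".join(labels)))
    return findings


# Constructed sample of `nmap -oG -` output for an assumed public web server (not a real scan).
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated Tue Mar 21 10:00:00 2017 as: nmap -oG - -p 1-10000 203.0.113.10\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, "
    "80/open/tcp//http///, 111/open/tcp//rpcbind///, 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (9995)\n"
    "# Nmap done at Tue Mar 21 10:00:05 2017 -- 1 IP address (1 host up) scanned\n"
)

if __name__ == "__main__":
    # A public web server may legitimately serve 80 and 443 (the "except" clauses in the table).
    for host, port, proto, labels in audit(SAMPLE_SCAN, allowed={("tcp", 80), ("tcp", 443)}):
        print(f"{host} {port}/{proto} is open but the checklist says block: {labels}")
```

Run the real scan with `nmap -oG - -p 1-10000 <host>` and feed its output to `audit()`; the allow list should come from the ruleset review (item 8), not from whatever happens to be open.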
12. Remote access
If remote access is to be used, ensure that SSH (port 22) is used instead of
Telnet.
13. File Transfers
If FTP is a requirement, ensure that the FTP server is placed in a different
subnet from the internal protected network.
14. Mail Traffic
Ascertain which protocol is used for mail and ensure that there is a rule
blocking incoming mail traffic except to the internal mail server(s).
15. ICMP (ICMP types 8, 11 and 3)
Ensure that there is a rule blocking ICMP echo requests (type 8) and echo
replies (type 0).
Ensure that there is a rule blocking outgoing time exceeded (type 11) and
destination unreachable (type 3) messages.
Note that dropping every outgoing type 3 message also drops "fragmentation
needed" (type 3, code 4), which breaks path MTU discovery; allow that code if
hosts behind the firewall must reach paths with a smaller MTU.
16. IP Readdressing/IP Masquerading
Ensure that the firewall rules have the readdressing (NAT) option enabled so
that internal IP addresses are not exposed to external untrusted networks.
17. Zone Transfers
If the firewall is stateful, ensure that it filters UDP and TCP port 53 as
follows. Inbound UDP 53 packets from the Internet are limited to replies to
queries sent by the internal DNS server; a packet that does not answer an
outstanding query is denied. Inbound TCP 53 to the internal DNS server is
denied except from authorised external secondary DNS servers, to prevent
unauthorised zone transfers.
18. Egress Filtering
Ensure that there is a rule specifying that only outbound traffic originating
from IPs within the internal network is allowed. Traffic with source IPs other
than those of the internal network is to be dropped.
Ensure that any traffic originating from IPs other than those of the internal
network is logged.
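Items 9 and 18 together describe one pair of source-address checks: on the inbound side, drop the bogon and private ranges and anything carrying one of the site's own addresses; on the outbound side, pass only the site's own addresses and log the rest. The example below implements both directions; it is added here and is not code from the SANS checklist. The address blocks are the ones listed in item 9 (the /8, /4 and /8 prefix lengths for 127.0.0.0, 240.0.0.0 and 0.0.0.0 are this example's assumption, as the checklist gives only base addresses), the site ranges 10.0.0.0/8 and 203.0.113.0/24 are assumed, and the sample packets are constructed.

```python
"""Anti-spoofing ingress filter (item 9) and egress source filter (item 18).

Added example, not part of the SANS document. The address blocks are those listed
in item 9; where the checklist gives only a base address (127.0.0.0, 240.0.0.0,
0.0.0.0) the prefix length is this example's assumption. The site's own ranges
and the sample packets are likewise assumptions, constructed for illustration.
"""
import ipaddress

# Item 9: spoofed, private (RFC 1918) and illegal source addresses.
BLOCKED_SOURCES = [ipaddress.ip_network(n) for n in (
    "255.255.255.255/32",   # limited broadcast
    "127.0.0.0/8",          # loopback (prefix length assumed)
    "10.0.0.0/8",           # RFC 1918
    "172.16.0.0/12",        # RFC 1918
    "192.168.0.0/16",       # RFC 1918
    "240.0.0.0/4",          # reserved, class E (prefix length assumed)
    "0.0.0.0/8",            # "this" network (prefix length assumed)
)]

# Assumed site addressing: an internal RFC 1918 range plus a public DMZ block.
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]


def ingress_verdict(src, dst):
    """Packet arriving on the external interface: ('drop', reason) or ('pass', '')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in BLOCKED_SOURCES:
        if s in net:
            return "drop", f"blocked source range {net}"
    for net in SITE_NETS:
        if s in net:                        # our own addresses appearing from the outside
            return "drop", f"spoofed site address {net}"
        if d == net.broadcast_address:      # directed broadcast (RFC 2644)
            return "drop", f"directed broadcast to {net}"
    return "pass", ""


def egress_verdict(src):
    """Packet leaving on the external interface: only site addresses may be sources (item 18)."""
    s = ipaddress.ip_address(src)
    if any(s in net for net in SITE_NETS):
        return "pass", ""
    return "drop-log", f"non-site source {s}"   # dropped and logged


def filter_packets(packets):
    """Apply the direction-appropriate check to [(direction, src, dst)].

    Returns [(src, dst, verdict, reason)] in input order.
    """
    results = []
    for direction, src, dst in packets:
        verdict, reason = ingress_verdict(src, dst) if direction == "in" else egress_verdict(src)
        results.append((src, dst, verdict, reason))
    return results


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    ("in",  "198.51.100.7",  "203.0.113.10"),   # ordinary Internet client to the DMZ web server
    ("in",  "10.1.2.3",      "203.0.113.10"),   # private source from outside: spoofed
    ("in",  "203.0.113.10",  "10.0.0.5"),       # our own DMZ address arriving from outside
    ("in",  "198.51.100.7",  "203.0.113.255"),  # directed broadcast at the DMZ
    ("in",  "0.0.0.0",       "203.0.113.10"),   # illegal source
    ("out", "10.2.3.4",      "198.51.100.7"),   # legitimate outbound (checked before NAT)
    ("out", "198.51.100.9",  "198.51.100.7"),   # forged source leaving the site
]

if __name__ == "__main__":
    for src, dst, verdict, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>15} -> {dst:<15} {verdict:<9} {reason}")
```

The egress check runs on the pre-NAT source address, which is why 10.2.3.4 passes while a packet that already carries a foreign public address is logged and dropped; the same two functions are what the corresponding ingress and egress rules in a real ruleset need to express.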
19. Critical servers
Ensure that there is a deny rule for traffic from external sources destined to
critical internal addresses. This rule depends on organisational requirements,
since some organisations allow traffic to reach a web application by routing
it via a DMZ.
20. Personal firewalls
Ensure that laptop users are given appropriate training regarding the threats,
the types of elements blocked by the firewall and guidelines for operating the
personal firewall. This is essential, since personal firewalls often rely on a
user prompt to respond to attacks, e.g. whether to accept or deny a request
from a specific address.
Review the security settings of the personal firewall to ensure that it
restricts access to specific ports, protects against known attacks, and that
there is adequate logging and user alerting in the event of an intrusion.
Ensure that there is a procedure to update the software for any new attacks
that become known.
Alternatively, most tools provide the option of receiving automatic updates
via the Internet. In such instances ensure that updates are received from
trusted sites.
21. Distributed firewalls
Ensure that the security policy is consistently distributed to all hosts,
especially when there are changes to the policy.
Ensure that there are adequate controls to protect the integrity of the policy
in transit, e.g. IPsec to encrypt and authenticate the policy while it is
transferred.
Ensure that there are adequate controls to authenticate the receiving host.
Again, IPsec can be used for authentication with cryptographic certificates.
22. Stealth firewalls
Ensure that default users and passwords are reset.
Ensure that the firewall is appropriately configured to know which hosts are on
which interface.
Review the firewall access control lists to ensure that the appropriate traffic
is routed to the appropriate segments.
A stealth firewall has no addressed presence on the network it is protecting,
which makes it more difficult for an attacker to determine which firewall
product and version is in use and to ascertain the topology of the network.
23. Ensure that ACK bit monitoring is established so that a remote system
cannot initiate a TCP connection (an inbound segment with SYN set and ACK
clear) but can only respond to connections opened from inside. On a stateful
firewall this check is subsumed by the connection table, which also rejects
inbound ACK-only segments that do not belong to a tracked connection.
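Items 3, 17 and 23 all turn on the same mechanism, a connection table keyed by flow, so one added example covers them (this is not code from the SANS checklist). It records outbound DNS queries and admits only a reply that matches one of them, admits inbound TCP 53 SYNs only from an authorised secondary, rejects any other inbound segment without ACK (item 23) as well as ACK segments with no matching state, and expires entries after a timeout (item 3). The addresses, ports, flag sets, the 30-second UDP timeout and the packet sequence are assumptions constructed for illustration.

```python
"""Connection-table filter: DNS reply matching and zone-transfer control (item 17),
ACK-bit checking (item 23) and state timeouts (item 3).

Added example, not part of the SANS document. Addresses, ports, flag sets and the
timeout values are assumptions chosen for illustration; the packets are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    direction: str          # "out" = internal -> Internet, "in" = Internet -> internal
    proto: str              # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


class StatefulFilter:
    def __init__(self, internal_dns, authorised_secondaries, udp_timeout=30.0, tcp_timeout=3600.0):
        self.internal_dns = internal_dns
        self.secondaries = set(authorised_secondaries)
        self.udp_timeout = udp_timeout
        self.tcp_timeout = tcp_timeout
        self.state = {}   # canonical flow key -> expiry time (seconds)

    @staticmethod
    def _key(p):
        """Flow key with the internal endpoint first, so both directions map to one entry."""
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        for key in [k for k, exp in self.state.items() if exp <= now]:
            del self.state[key]

    def handle(self, p, now):
        """Return (verdict, reason) for packet p seen at time `now`."""
        self._expire(now)
        key = self._key(p)
        if p.proto == "udp":
            if p.direction == "out" and p.dport == 53:
                self.state[key] = now + self.udp_timeout       # remember the outstanding query
                return "permit", "dns query"
            if p.direction == "in" and p.sport == 53:
                if key in self.state:
                    del self.state[key]                        # one reply per query
                    return "permit", "dns reply to outstanding query"
                return "deny-log", "unsolicited udp/53"
            return "deny-log", "udp not covered by policy"
        if p.direction == "out":
            if p.flags == frozenset({"SYN"}):
                self.state[key] = now + self.tcp_timeout       # internally initiated connection
                return "permit", "outbound connection"
            return ("permit", "established") if key in self.state else ("deny-log", "no state")
        if "ACK" not in p.flags:                                # item 23: inbound connection attempt
            if p.dport == 53 and p.dst == self.internal_dns and p.src in self.secondaries:
                self.state[key] = now + self.tcp_timeout
                return "permit", "zone transfer from authorised secondary"
            return "deny-log", "inbound SYN without ACK"
        if key in self.state:
            self.state[key] = now + self.tcp_timeout           # refresh on activity
            return "permit", "established"
        return "deny-log", "ACK without matching state"


def run_scenario():
    """Constructed packet sequence (time, packet); returns the verdicts in order."""
    fw = StatefulFilter(internal_dns="10.0.0.53", authorised_secondaries={"198.51.100.53"})
    ack = frozenset({"ACK"})
    syn = frozenset({"SYN"})
    synack = frozenset({"SYN", "ACK"})
    seq = [
        (0,   Pkt("out", "udp", "10.0.0.53", 40000, "192.0.2.1", 53)),          # query
        (1,   Pkt("in",  "udp", "192.0.2.1", 53, "10.0.0.53", 40000)),          # matching reply
        (2,   Pkt("in",  "udp", "192.0.2.1", 53, "10.0.0.53", 40000)),          # replayed reply
        (2,   Pkt("in",  "udp", "203.0.113.5", 53, "10.0.0.53", 40001)),        # unsolicited
        (3,   Pkt("in",  "tcp", "203.0.113.5", 3333, "10.0.0.53", 53, syn)),    # AXFR from a stranger
        (3,   Pkt("in",  "tcp", "198.51.100.53", 3333, "10.0.0.53", 53, syn)),  # AXFR from secondary
        (3,   Pkt("out", "tcp", "10.0.0.53", 53, "198.51.100.53", 3333, synack)),
        (4,   Pkt("in",  "tcp", "198.51.100.53", 3333, "10.0.0.53", 53, ack)),
        (5,   Pkt("in",  "tcp", "203.0.113.5", 4444, "10.0.0.7", 22, ack)),     # ACK scan, no state
        (100, Pkt("out", "udp", "10.0.0.53", 40002, "192.0.2.1", 53)),          # query, then
        (131, Pkt("in",  "udp", "192.0.2.1", 53, "10.0.0.53", 40002)),          # reply after timeout
    ]
    return [fw.handle(p, t)[0] for t, p in seq]


if __name__ == "__main__":
    print(run_scenario())
```

The last two packets show why the timeout in item 3 matters: a reply arriving after the query's state has expired is treated exactly like an unsolicited packet, so the window an attacker has to forge a reply is bounded by the timeout rather than open indefinitely.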
24. Continued availability of firewalls
Ensure that there is a hot standby for the primary firewall.