Firewall Security Review: Audit Report
Report Number
IT-AR-16-005
January 26, 2016
Highlights
Background
U.S. Postal Service mail processing equipment and mail handling equipment (MPE/MHE) includes computer systems and networks that manage, monitor, and control mail processing functions. There are about 74 types of MPE/MHE totaling more than 8,500 pieces of equipment used to sort about 155 billion mailpieces annually.
To secure its mail processing systems and control access to the MPE/MHE environment, the Postal Service relies on 285 firewalls to control the flow of network traffic. Therefore, firewall policies that effectively address security risks are critical to protecting the Postal Service network.
Postal Service firewalls are at all facilities and are not properly managed and functioning to safeguard mail processing and industry best practices. We identified 67 out of 352 mail processing facilities that did not MPE/MHE as required. Firewall administrators also did not apply six of the nine critical security controls required for any of the 30 firewalls we sampled.
In addition, firewall administrators did not manage firewall rules effectively or remove duplicate firewall rules. For the 30 firewalls in our sample, we reviewed 504,528 rules and identified
We also identified 69,258 (14 percent) rules that , and 31,754 (6 percent) were duplicate rules.
Further, we found the Postal Service does not always document
due to budget constraints. However, their management did not perform a risk assessment to determine the associated impact. In addition, Information Technology firewall administrators and Engineering systems analysts focused on supporting system deployment as opposed to implementing critical security controls and managing firewall rules.
Facilities , along with improperly configured, outdated, or nonexistent firewall security controls, significantly
What the OIG Recommended
We recommended administrators and analysts at all mail processing facilities. In addition, we recommended firewall administrators regularly review and update current firewall configuration settings and implement
MICHAEL J. AMATO
VICE PRESIDENT, ENGINEERING SYSTEMS
GREGORY S. CRABB
ACTING CHIEF INFORMATION SECURITY OFFICER
AND VICE PRESIDENT DIGITAL SOLUTIONS
E-Signed by Kimberly Benoit
This report presents the results of our audit of the Postal Service’s Firewall Security
Review (Project Number 15TG036IT000).
We appreciate the cooperation and courtesies provided by your staff. If you have any
questions or need additional information, please contact Sean Balduff, acting director,
Information Technology, or me at 703-248-2100.
Attachment
Table of Contents
Cover
Highlights
    Background
    What the OIG Found
Management’s Comments
Evaluation of Management’s Comments
Appendices
    Appendix A: Additional Information
        Background
secures sensitive information to allow for uninterrupted mail processing and network operations, and maintain the trust of the American public.
67 out of 352 mail processing facilities, as required by Postal Service policy.
Postal Service mail processing equipment and mail handling equipment[1] (MPE/MHE) includes computer systems and networks that manage, monitor, and control mail processing functions. In addition, these systems collect workload statistics and transmit data between the MPE/MHE and Postal Service information systems. There are about 74 different types of MPE/MHE totaling more than 8,500 pieces of equipment used to sort about 155 billion mailpieces annually. To secure its mail processing systems, the Postal Service relies on 285 firewalls[2] to control the flow of network traffic. These firewalls help control access to MPE/MHE systems and resources; therefore, firewall policies that effectively address security risks are critical to protecting the Postal Service and its network.
Summary
Postal Service firewalls are at all facilities and are not properly managed and functioning to safeguard mail processing operations according to Postal Service standards and industry best practices. Specifically, we identified mail processing facilities that to protect their MPE/MHE. In addition, for the 30 firewalls we sampled,[3] firewall administrators did not apply six of the nine critical security controls as required by the Postal Service’s security standards.
Further, firewall administrators did not manage firewall rules effectively and did not remove duplicate firewall rules. For the 30 firewalls in our sample, we reviewed 504,528 rules and identified four rules that allowed to flow through two firewalls. We also identified 69,258 (14 percent) rules that allowed network traffic from , and 31,754 (6 percent) duplicate rules. We also found that the Postal Service does not always document and review MPE/MHE firewall rule changes and firewall administrators did not review and update firewall security standards in accordance with Postal Service policy.
These issues exist because firewall administrators and system analysts decided to due to budget constraints. In addition, IT firewall administrators and Engineering Systems analysts focused on supporting system deployment as opposed to implementing security controls and managing firewall rules. Further, the telecommunications infrastructure[4] at mail processing facilities is not equipped to handle .
Facilities , along with improperly configured, outdated, or nonexistent firewall security controls, significantly
[1] Examples of mail processing and handling equipment include the Automated Flat Sorting Machine (AFSM), Delivery Barcode Sorter (DBSC), and National Directory Support System (NDSS).
[2] A network security device designed to control incoming and outgoing network traffic based on predetermined security rules.
[3] See Table 1 for a listing of the 30 firewalls we sampled.
[4] Telecommunication infrastructure refers to the transmission or exchange of information over significant distances by electronic means.
■
■ Use [8] The firewalls in our sample used Postal Service hardening standards require the use of [9] which uses an improved and stronger process for encryption and includes a secure file
■ Update the time upon start-up. Postal Service hardening standards[10] require the Network Time Protocol (NTP)[11] to be configured to update firewall time upon start-up. Time synchronization protocols are important during forensic analysis following a network intrusion.
■ Enable session timeout for . Postal Service hardening standards[12] require session timeout of 60 seconds or less
■ Enforce password complexity or minimum length requirements. Current firewall configurations require passwords to have a , but Postal Service policy[13] states passwords must consist of at least 15 characters and include a combination of characters and numbers, which limits the potential for a password compromise.
■ Use a current operating system version. The firewalls are currently running . As of , the vendor no longer provides security updates or support for this version. Attackers could exploit known operating system flaws to compromise the network.
[7] Security Hardening Standards for , Section 5.1, General Audit Logging Requirements, dated .
[8] A for secure access to remote computers.
[9] Security Hardening Standards for , Section 4.5.1, .
[10] Security Hardening Standards for , Section 4.12.1 Use NTP Boot-Server.
[11] A protocol that synchronizes computer clock times over a network. Network security logs and event analysis depend on accurate time synchronization.
[12] Security Hardening Standards for , Section 4.2.5, Configure Idle Timeout for All Login Classes.
[13] Handbook AS-805, Information Security, Section 9-6.1.1, Password Selection Requirements, dated May 2015.
These issues occurred because IT administrators and Engineering Systems analysts focused on supporting system deployment as opposed to implementing required configurations and restricting network traffic. In addition, the manager, Perimeter Security Services, stated that the amount of system log data generated by the firewalls caused network performance and availability issues.
Without adequate and effective security controls, the Postal Service cannot effectively identify and respond to security events that could result in unauthorized disclosure of sensitive data and disruption of mail processing operations. We determined about $237 million of revenue was processed at 15[14] of the 30 facilities in our sample during Quarter (Q) 3, FY 2015.
We determined firewall administrators did not identify and remove overly permissive[15] and duplicate firewall rules to control network traffic, prevent unauthorized access to data and avoid disrupting mail processing operations. According to Postal Service hardening standards[16] and industry best practices,[17] firewall rules should allow only necessary network traffic. In addition, firewall rules should be as specific as possible to allow the types[18] of traffic that are required to support mail processing systems and applications. For the 30 firewalls in our sample, we reviewed 504,528 rules. During our review:
■
■ We identified 51,656 (10 percent) firewall rules that permitted network traffic ; 13,852 (3 percent) firewall rules that permitted network traffic ; and 3,750 (1 percent) firewall rules that permitted
■ We identified 30,196 (6 percent) rules that allowed unencrypted data to flow across the network and 721 (less than 1 percent) rules that allowed the use of .
■ We identified 31,754 (6 percent) duplicated rules that could degrade firewall performance and limit the firewall’s ability to respond to connection requests and process legitimate network traffic. An excessive number of duplicate rules also makes it more difficult to manage all of the rules in an efficient manner.
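The kind of rule review described in these findings can be partly automated. The following is an added example, not code from the audit report or the Postal Service: it flags permit rules with a wildcard source, destination or application and groups rules that are duplicates after normalization. The rule format, the sample rules and the wildcard test are assumptions, since the report's own definition of an overly permissive rule is not reproduced here.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rule set (hypothetical names and addresses, not from the report).
RULES = [
    {"name": "r1", "src": "10.1.0.0/24", "dst": "10.2.0.10/32", "app": "tcp/443", "action": "permit"},
    {"name": "r2", "src": "any", "dst": "10.2.0.10/32", "app": "tcp/443", "action": "permit"},
    {"name": "r3", "src": "10.1.0.0/24", "dst": "10.2.0.10", "app": "TCP/443", "action": "permit"},
    {"name": "r4", "src": "10.1.0.0/24", "dst": "0.0.0.0/0", "app": "tcp/22", "action": "permit"},
    {"name": "r5", "src": "10.3.0.5/32", "dst": "10.2.0.20/32", "app": "any", "action": "permit"},
    {"name": "r6", "src": "10.9.0.0/16", "dst": "10.2.0.0/24", "app": "any", "action": "deny"},
]

def normalise_addr(value):
    """Canonical CIDR string, or 'any' for a wildcard or a /0 network."""
    text = value.strip().lower()
    if text == "any":
        return "any"
    net = ipaddress.ip_network(text, strict=False)
    return "any" if net.prefixlen == 0 else str(net)

def rule_key(rule):
    """Identity of a rule for duplicate detection; the rule name is ignored."""
    return (normalise_addr(rule["src"]), normalise_addr(rule["dst"]),
            rule["app"].strip().lower(), rule["action"].strip().lower())

def audit(rules):
    """Return wildcard permit rules and groups of rules with identical keys."""
    groups = defaultdict(list)
    permissive = {}
    for rule in rules:
        key = rule_key(rule)
        groups[key].append(rule["name"])
        fields = zip(("source", "destination", "application"), key[:3])
        wild = [label for label, value in fields if value == "any"]
        # Assumption: only permit rules count as overly permissive.
        if key[3] == "permit" and wild:
            permissive[rule["name"]] = wild
    duplicates = [names for names in groups.values() if len(names) > 1]
    return {"total": len(rules), "permissive": permissive, "duplicates": duplicates}

def summary(report):
    """Counts with rounded percentages of the total rule count."""
    total = report["total"]
    extra = sum(len(names) - 1 for names in report["duplicates"])

    def pct(count):
        return round(100 * count / total) if total else 0

    flagged = len(report["permissive"])
    return {"permissive": (flagged, pct(flagged)), "duplicate": (extra, pct(extra))}

if __name__ == "__main__":
    result = audit(RULES)
    for name, fields in result["permissive"].items():
        print(f"{name}: wildcard in {', '.join(fields)}")
    for names in result["duplicates"]:
        print("duplicate group:", ", ".join(names))
    print(summary(result))
```

Rules r1 and r3 differ only in notation, which is why the comparison runs on normalized values rather than on the configuration text.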
Overly permissive or duplicate firewall rules existed because firewall administrators did not review rules semiannually according to policy.[21] In addition, administrators and analysts did not identify critical elements for developing secure rules. These elements include source IPs, destination IPs, and applications. Identifying these elements would allow administrators and analysts to customize the rule sets to secure the network environment without any business impact. In addition, contractors developed the
[14] For this analysis we only calculated total revenue associated with competitive mail (Flats and Parcels) that was processed through Postal Service plants. This number only includes 15 facilities from our sample that were part of the Postal Service’s statistical sample for Revenue Pieces Weights-Origin Destination Information System during Q3, FY 2015.
[15] .
(NCRB) approval. Therefore, we will not make a recommendation regarding this issue.
Firewall Hardening Standards
Firewall administrators did not review and update firewall security standards in accordance with Postal Service policy[22] and industry best practices. Specifically, firewall administrators have not reviewed and updated security standards since because they believed their initial configurations were reliable and needed no changes. However, they did not perform a review to ensure that the configurations included the latest updates to secure the environment against new potential threats and vulnerabilities. Lack of and outdated security controls increase the risk of unauthorized access to data and disruption of critical mail processing operations.
Recommendations
1. Perform a risk assessment for all mail processing facilities to ensure that they are protected as appropriate or document acceptance of the risk.
We recommend the acting vice president, Information Technology, direct the manager, Enterprise Asset Infrastructure, to:
2. Configure firewalls to enforce , proper encryption, network time protocol, session timeouts, and password complexity; and update the firewall operating system.
3. Update the telecommunication infrastructure to support firewall capabilities at all mail processing facilities.
We recommend the acting vice president, Information Technology, and the vice president, Engineering Systems, direct the managers, Enterprise Asset Infrastructure and Engineering Software Management, to:
4. Review current firewall rules and remove those that are overly permissive or duplicative; and review firewall rules every 6 months according to Handbook AS-805, Information Security, and document the results of the review.
We recommend the acting vice president, Information Technology, and the acting Chief Information Security Officer and vice president Digital Solutions, direct the managers, Enterprise Asset Infrastructure and Corporate Information Security, to:
5. Review and update the firewall security standards annually in accordance with Handbook AS-805, Information Security.
priorities have always been improving the overall security posture and have efforts underway to enhance firewall and network
security. See Appendix B for management’s comments in their entirety.
Regarding recommendation 1, management stated that funding is in place and efforts are underway to upgrade existing firewalls
and install new firewall technology at all mail processing facilities. The target implementation date is December 31, 2017.
Regarding recommendation 2, management will configure firewalls to ensure proper encryption, network time protocol, session
timeouts, and password complexity; and update the firewall operating system. In addition, management will work with the
Enterprise Splunk team to determine the appropriate level of logging activity for the firewalls and configure them accordingly. The
target implementation date is September 30, 2017.
Regarding recommendation 3, management will work with the Enterprise Splunk team to determine the appropriate level of
logging activity for firewalls and configure them accordingly. The target implementation date is September 30, 2016.
Regarding recommendation 5, management disagreed with the recommendation and stated that they have begun a large-scale
network upgrade that includes replacing all existing devices with devices and
installing this technology at all mail processing facilities. Management will replace the firewall security standards with
security standards, which they will review and update annually. The target implementation date is September 30, 2017.
Regarding the $237 million in potential revenue at risk, management disagreed with our calculation and stated that the likelihood
of a potential malicious actor exploiting firewall vulnerabilities and simultaneously penetrating mail processing facilities and
disrupting mail processing is extremely remote. Management also stated that they have monitoring practices in place to identify an
attack within minutes and both manual and automated contingency plans in place to ensure mail processing operations continue in
the event of a disruption to the network. Management calculated an impact of $175,393.
Regarding recommendation 5, we agree that a large-scale network upgrade that includes replacing all existing devices
with devices and replacing firewall security standards with security standards should resolve the
issue identified in the report. However, based on the target implementation date provided, management should continue updating
the security standards to support the firewalls currently in place. This recommendation will remain open until management
provides documentation supporting the network upgrade.
Management stated that they disagreed with the calculated $237 million in potential revenue at risk. We based our analysis on
the amount of revenue exposed to the risks we identified in our report and agree that this is not the amount of revenue that would
be lost during a single incident. We clarified in the report that $237 million is the amount of competitive mail revenue processed at
15 of the 30 facilities in our sample during Q3, FY 2015.
All recommendations require OIG concurrence before closure. Consequently, the OIG requests written confirmation when
corrective actions are completed. These recommendations should not be closed in the Postal Service’s follow-up tracking system
until the OIG provides written confirmation that the recommendations can be closed.
The Postal Service relies on firewalls to protect information resources and secure its mail processing systems. Firewalls are
security devices that control the flow of network traffic and check against approved policies to either allow or block traffic based
on those policies. Policies should be based on the direction that the traffic moves across the network. This feature allows firewalls
to restrict connections to and from the internal networks, which prevents unauthorized access to systems and resources. The
Postal Service uses two brands of firewalls to control network traffic – firewalls are used on the IT
network for perimeter protection and firewalls are used in the MPI environment for internal network protection.
facilities. We conducted our audit work at Postal Service Headquarters; Engineering Systems Headquarters in Merrifield, VA; and
the Information Technology Service Center in Raleigh, NC.
■ Reviewed policies and standards related to firewalls and interviewed IT, Corporate Information Security, and Engineering
Systems personnel to identify facilities without firewalls.
■ Interviewed IT, Corporate Information Security, and Engineering Systems personnel to obtain an understanding of network
security controls for the MPE/MHE environment.
■ Obtained the firewall inventory and selected a random sample of 30 firewalls to review and assess the sufficiency of their
configurations against the approved Postal Service firewall security standards and controls.
■ Compared the Postal Service firewall hardening standards to industry best practices and documented discrepancies.
■ Interviewed Engineering Systems and IT personnel to identify and document MPE/MHE applications and servers.
■ Reviewed firewall configurations, rules sets, and policies to determine whether appropriate controls were in place.
1 No
2 No
3 No
4 Yes
5 Yes
6 Yes
7 No
8 No
9 No
Source: Postal Service Security Standards and OIG analysis.
We conducted this performance audit from July 2015 through January 2016, in accordance with generally accepted government
auditing standards and included such tests of internal controls, as we considered necessary under the circumstances. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objective. We discussed our observations and conclusions with management on
December 18 and December 22, 2015, and included their comments where appropriate.
We assessed the reliability of firewall configurations and rules data by reviewing information stored in the Network
Management and the NCRB change management systems. In addition, we interviewed agency officials knowledgeable about the
data and process and tested required security controls. We determined that the data were sufficiently reliable for the purposes of
this report.
We did not identify any prior audits or reviews related to the objective of this audit.
[23]
[24] Console logins left unattended by firewall administrators can compromise sensitive network information or allow accidental or intentional configuration changes by unauthorized personnel.
Appendix B: Management’s Comments
Arlington, VA 22209-2020
(703) 248-2100