Uploaded to Scribd by chinhgpt189

FIREWALL AUDIT WORK PROGRAM

Table of Contents

EXECUTIVE SUMMARY ............................................................ 2
FIREWALL AUDIT WORK PROGRAM: SAMPLE 1 ........................................ 3
FIREWALL AUDIT WORK PROGRAM: SAMPLE 2 ........................................ 9
FIREWALL AUDIT WORK PROGRAM: SAMPLE 3 ....................................... 13
FIREWALL AUDIT WORK PROGRAM: SAMPLE 4 ....................................... 16

1 Source: www.knowledgeleader.com
EXECUTIVE SUMMARY

A firewall is a system or group of systems that enforces an access control policy between two or more networks.
Firewalls are important since they can provide a single “choke point” where security and audit can be imposed.
They also provide an important logging and auditing function because they provide summaries about what kinds
and amount of traffic have passed through, how many penetration attempts there were, and more.

For a firewall to work properly, it must be a part of a consistent overall organizational security architecture.
Policies regarding firewalls must be realistic and reflect the entire network’s level of security.

Furthermore, it is imperative that the rules concerning the configuration of every component in the firewall
(internet router, firewall, proxy server, virus software) are properly understood, fully documented and carefully
implemented.

Independent testing of the firewall on a regular basis, and especially immediately after installation, is essential.
Most successful hacking attempts are due to inadequate or faulty configuration of one or more firewall
components. Attacks on the firewall by a firm specializing in such services, using reputable testing software,
should be carried out immediately after implementation and on a regular (preferably monthly) basis thereafter.

Given the sensitive roles firewalls play in network infrastructure, how they are administered and maintained is
critical. One of the most common methods for breaking into a firewall is to take advantage of tools made available
for the remote administration of the firewalls. This can include exploiting access to the operating system consoles
and/or access to graphical management interfaces.

For all these reasons, access to these administrative tools and firewall administration must be monitored and
controlled, and regular audits must be performed.

With this tool, you get four separate sample work programs that were designed to provide guidance for your next
firewall audit.

Audit objectives for these work programs include obtaining network diagrams illustrating firewall connections and
segmentation on the network; obtaining network diagrams from the network administrator to gain an
understanding of the network environment; determining if the expectations/goals/strategies of the firewall have
been identified and are sound; meeting with the systems manager to define the functional purpose of each
firewall; and verifying that the firewalls have been configured to match their functional purpose.

This document should be used as a general guide to understand and review this business process. Organizations
should customize this tool to ensure that it reflects their business operations and continuously monitor the
process to ensure that the steps described are accurate.

FIREWALL AUDIT WORK PROGRAM: SAMPLE 1

PROJECT TEAM (LIST MEMBERS)

Project Timing                 Date        Comments
Planning
Fieldwork
Report Issuance (Local)
Report Issuance (Worldwide)

AUDIT OBJECTIVES

Time Project Work Step Initial Index

Documentation

Obtain network diagrams illustrating firewall connections and segmentation on
the network.
Test Step: Obtain network diagrams from the network administrator to gain an
understanding of the network environment.

Determine if the expectations/goals/strategies of the firewall have been identified
and are sound.
Test Step: Meet with the systems manager to define the functional purpose of
each firewall. Verify that the firewalls have been configured to match their
functional purpose.

Logical Access

Ensure that logical access to the various components (routers, firewall software,
etc.) of the firewall solution is appropriately restricted to the individuals with
authorized need for such access.
Test Step: Obtain a list of individuals who have access to change configurations
to routers and firewalls.

Ensure that justifications for firewall rules are documented to identify the purpose
of the rules.
Test Step: Obtain firewall rule sets and review for appropriate rule justification
and purpose.

Determine if password management features are in place for applicable firewall
components and if the shadow password file (security/password/etc.) is used.
• Password management guidelines exist.
• Passwords are required.


• Passwords are not displayed.
• Passwords are user maintainable.
• Password parameters comply with defined standards.
• Login attempts are limited to three and the account is then locked.
• Login failures are logged.
• User IDs and passwords are encrypted across the network.
• An automatic timeout feature exists.
Test Step: Obtain password policies and systematic password guidelines from
the systems manager. Verify the following:
• Password management guidelines exist.
• Passwords are required.
• Passwords are not displayed.
• Passwords are user maintainable.
• Login attempts are limited to three and the account is then locked.
• Login failures are logged.
• User IDs and passwords are encrypted across the network.
• An automatic timeout feature exists.
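The three password controls above that an auditor can actually exercise (lockout after three failed attempts, a log entry for every failure, and an automatic idle timeout) are easier to verify when you know what correct behaviour looks like. The following is an added illustration, not code from the work program or from knowledgeleader.com: a small login guard that implements those three controls over a constructed scenario. The ten-minute idle period is an assumed value; the work program leaves the period to local policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 3               # work program: three attempts, then the account is locked
IDLE_TIMEOUT = timedelta(minutes=10)  # assumed value; the work program leaves the period to local policy


@dataclass
class Account:
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None  # None means no live session


class LoginGuard:
    """Constructed illustration of the three controls being audited:
    lockout after MAX_FAILED_ATTEMPTS, a log entry for every failure,
    and automatic expiry of idle sessions. Not a real product's API."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit_log: List[str] = []

    def _account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def _log(self, now: datetime, event: str, **fields: str) -> None:
        extra = " ".join(f"{k}={v}" for k, v in fields.items())
        self.audit_log.append(f"{now.isoformat()} {event} {extra}".rstrip())

    def login(self, user: str, password_ok: bool, source_ip: str, now: datetime) -> bool:
        acct = self._account(user)
        if acct.locked:
            # a locked account stays locked even when the password is right
            self._log(now, "LOGIN_DENIED", user=user, src=source_ip, reason="locked")
            return False
        if not password_ok:
            acct.failed_attempts += 1
            self._log(now, "LOGIN_FAIL", user=user, src=source_ip, attempt=str(acct.failed_attempts))
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self._log(now, "ACCOUNT_LOCKED", user=user)
            return False
        acct.failed_attempts = 0
        acct.last_activity = now
        self._log(now, "LOGIN_OK", user=user, src=source_ip)
        return True

    def session_active(self, user: str, now: datetime) -> bool:
        """Called on each request: refreshes the idle timer or expires the session."""
        acct = self._account(user)
        if acct.last_activity is None:
            return False
        if now - acct.last_activity > IDLE_TIMEOUT:
            acct.last_activity = None
            self._log(now, "SESSION_TIMEOUT", user=user)
            return False
        acct.last_activity = now
        return True


def demo():
    """Constructed scenario: three bad passwords lock fwadmin; netops idles out."""
    guard = LoginGuard()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    for i in range(MAX_FAILED_ATTEMPTS):
        guard.login("fwadmin", False, "10.0.0.5", t0 + timedelta(seconds=i))
    # the correct password is now refused because the account is locked
    locked_out = not guard.login("fwadmin", True, "10.0.0.5", t0 + timedelta(seconds=5))
    guard.login("netops", True, "10.0.0.6", t0)
    still_active = guard.session_active("netops", t0 + timedelta(minutes=5))
    timed_out = not guard.session_active("netops", t0 + timedelta(minutes=20))
    return locked_out, still_active, timed_out, guard.audit_log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

When walking through the real product with the administrator, the audit log produced by a scripted sequence like `demo()` (three bad passwords, then the right one) is the evidence for the "login failures are logged" and "account is then locked" criteria; the idle-timeout check needs a session left untouched past the configured period.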

Determine if logical connections to the firewall components are secured (e.g.,
encryption, Internet Protocol (IP) restrictions for remote administration needs).
Products such as secure sockets layer (SSL) encrypted connections and
transmission control protocol (TCP) wrappers (IP restrictions) may be appropriate.
Test Step: Meet with firewall administrators and verify that logical firewall
connections are adequately secured.

Review for dial-in access directly to the firewall server.
• Determine if remote connections are automatically disconnected by the
system after a specified length of time of inactivity or if the connection is
broken.
• Only appropriate users have access to dial-in access to the firewall.
• Appropriate individuals authorize dial-in access.
• Access request forms exist to document approval of dial-in access.
• Secure protocols are utilized when users are logging into firewalls remotely.
• The use of dial-in access is logged and reviewed by management.
Test Steps:
• Meet with the systems manager to determine which users can dial into the
firewall servers.
• Verify that:
− Remote connections are disconnected after an appropriate period of
inactivity.
− Individuals with dial-in access are appropriate for job functions.


− Dial-in access is documented in the access control form.
− Appropriate security measures are in place when users dial in to firewalls.
− Dial-in access is logged and reviewed by management.

Configuration

The firewall configuration in place provides for an adequately maintained and
effective firewall.
Test Steps:
• Obtain firewall configurations from firewall administrators.
• Review configurations to verify the effectiveness of firewalls.

Firewall component logical/physical locations agree with the firewall strategy.
Test Step: Review configurations to verify that the firewall is configured in a
manner that is consistent with its strategy.

Firewall components are on an appropriate version, and security patches are
kept up to date as vulnerabilities and business reasons dictate.
• A patch ID equates to a certain level of applied patches.
• Available patch updates are monitored and applied, as necessary.
• Active services running on the firewall servers are appropriate.
• Only justified startup scripts are being utilized.
• An appropriate banner is presented during file transfer protocol (FTP)
access.
• All server accounts are individual accounts, and any use of an administrator
account is not initiated directly.
Test Step: Meet with a manager and firewall administrators and inquire about
the patch management process and updates of firewalls.
• Obtain a list of available services of the firewall and review it for
reasonableness.
• Obtain and review the startup script for reasonableness.
• Verify that the banner presented during FTP use is appropriate.
• Verify that generic system accounts are not being used.

Operating Systems Logs

Obtain the firewall operating system configuration for rejecting and logging
activities. Review to determine that the following system activities are logged:
• Login (unsuccessful and successful)
• Logout (successful)
• Use of privileged commands (unsuccessful and successful)
• Application and session initiation (unsuccessful and successful)
• Use of print command (unsuccessful and successful)
• Control permission modification for users and security parameters


(unsuccessful and successful)
• Unauthorized access attempts to files (unsuccessful)
• System startup and shutdown (unsuccessful and successful) and if the
connection is broken
• All system logging and email isolated to its own partition
• All attempts to gain root/administrator access
• All dropped packets, denied connections and rejected attempts
• Time, protocol and username for successful connections through the firewall
• IP addresses
• Error messages from routers, bastion host and proxying programs
For events that are logged, the log parameter to record all the information is
activated.
Test Steps:
• Obtain logs from the firewall administrators.
• Review the logs to verify if the following items are logged:
− Login (unsuccessful and successful)
− Logout (successful)
− Use of privileged commands (unsuccessful and successful)
− Application and session initiation (unsuccessful and successful)
− Use of print command (unsuccessful and successful)
− Control permission modification for users and security parameters
(unsuccessful and successful)
− Unauthorized access attempts to files (unsuccessful)
− System start-up and shutdown (unsuccessful and successful) and if the
connection is broken
− All system logging and email isolated to its own partition
− All attempts to gain root/administrator access
− All dropped packets, denied connections and rejected attempts
− Time, protocol and username for successful connections through the
firewall
− IP addresses
− Error messages from routers, bastion host and proxying programs
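Reviewing a day of logs by eye against the list above is error-prone, so the check is usually scripted: parse the records, count each event category, and confirm that the records which should carry "time, protocol and username" actually do (the "log parameter to record all the information" criterion). The following is an added example, not the work program's own material: it runs over a constructed key=value syslog-style sample, with constructed event labels that would need to be mapped to the real product's message identifiers.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Event labels the work program expects to find in the logs. The labels are
# constructed for this example; map them to the real product's message ids.
REQUIRED_EVENTS = {
    "LOGIN_OK", "LOGIN_FAIL", "LOGOUT", "PRIV_CMD", "PRIV_CMD_FAIL",
    "PERM_CHANGE", "FILE_ACCESS_DENIED", "SYSTEM_START", "SYSTEM_STOP",
    "ROOT_ATTEMPT", "PKT_DROP", "CONN_DENY", "CONN_ALLOW",
}
# "Time, protocol and username for successful connections": fields every
# CONN_ALLOW record must carry (the time comes from the line's timestamp).
CONN_ALLOW_FIELDS = ("proto", "user", "src", "dst")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$")

# Constructed sample log: a few minutes on a firewall host, key=value syslog style
SAMPLE_LOG = """\
2024-03-01T08:00:01Z fw1 SYSTEM_START
2024-03-01T08:01:10Z fw1 LOGIN_OK user=fwadmin src=10.0.0.5
2024-03-01T08:01:12Z fw1 PRIV_CMD user=fwadmin cmd=show_config
2024-03-01T08:02:00Z fw1 LOGIN_FAIL user=root src=203.0.113.9
2024-03-01T08:02:01Z fw1 ROOT_ATTEMPT user=root src=203.0.113.9
2024-03-01T08:03:30Z fw1 PKT_DROP proto=udp src=203.0.113.20 dst=192.0.2.10 dport=161
2024-03-01T08:03:31Z fw1 CONN_DENY proto=tcp src=203.0.113.20 dst=192.0.2.10 dport=23
2024-03-01T08:04:00Z fw1 CONN_ALLOW proto=tcp user=jdoe src=10.0.0.7 dst=198.51.100.3 dport=443
2024-03-01T08:04:05Z fw1 CONN_ALLOW proto=tcp src=10.0.0.8 dst=198.51.100.3 dport=443
2024-03-01T08:10:00Z fw1 LOGOUT user=fwadmin
"""


def parse(log_text: str) -> List[Dict[str, str]]:
    """Turn each well-formed line into a dict of ts, event and key=value fields."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line would be a finding of its own
        fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
        records.append({"ts": m.group("ts"), "event": m.group("event"), **fields})
    return records


def audit(records: List[Dict[str, str]]) -> dict:
    """Report event categories never seen and successful-connection records with fields missing."""
    counts: Dict[str, int] = defaultdict(int)
    incomplete = []
    for r in records:
        counts[r["event"]] += 1
        if r["event"] == "CONN_ALLOW":
            missing = [f for f in CONN_ALLOW_FIELDS if f not in r]
            if missing:
                incomplete.append((r["ts"], missing))
    return {
        "missing_events": sorted(REQUIRED_EVENTS - set(counts)),
        "counts": dict(counts),
        "incomplete_conn_records": incomplete,
    }


if __name__ == "__main__":
    result = audit(parse(SAMPLE_LOG))
    print("never logged:", result["missing_events"])
    print("incomplete successful-connection records:", result["incomplete_conn_records"])
```

On the sample, four required categories never appear and one allowed connection lacks a username; both are exactly the kind of gap the "verify if the following items are logged" step is meant to surface. A category that is absent over a whole retention period usually means the event is not being recorded at all, rather than that it never happened.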

Documented logging results are monitored, and follow-up actions are performed.
Test Step: Meet with a manager and a firewall administrator and inquire about
the monitoring of logs and the incident response, if needed.

System and firewall logs are rotated to reduce disk space problems. Rotation
should be automatic. Document the retention period.
Test Step: Meet with the systems manager and inquire about the retention of
firewall logs.

When ports or services are needed to administer the firewall, rules exist that
limit what source IP addresses can connect to them.
Test Steps:
• Meet with the systems manager and firewall administrators and inquire about
IP restriction rules.
• Inspect firewall rules for the definition of restricted IP addresses.

Firewall Test

Attempt to port scan the firewall from both the internal network and the internet,
scanning for internet control message protocol (ICMP), user datagram protocol
(UDP) and TCP. There should be no open ports and the firewall should not be
able to be pinged.
Test Step: Attempt to port scan the firewall from both the internal network and
the internet, scanning for ICMP, UDP and TCP. There should be no open ports
and the firewall should not be able to be pinged.

A lockdown rule has been placed at the beginning of the rule base. The lockdown
rule protects the firewall, ensuring that whatever other rules you put in later will
not inadvertently compromise your firewall. If administrative access is required,
then a rule should be placed before the lockdown rule. All other rules should go
after the lockdown rule going from most restrictive to general rules. Review the
remaining rules.
Test Steps:
• Obtain the IS router and firewall standard from (Insert name). Review the
policy to verify the reasonableness of baseline firewall rules.
• Review the rule set to verify the appropriate use of a lockdown rule.

Obtain and review the connections table for timeout limits and the number of
connections.
• Timeout should be no longer than X minutes (X seconds).
• The firewall's automatic notification alerting features are utilized and
information about the breach/intruder is archived for analysis.
Test Steps:
• Obtain firewall configurations from the firewall administrators.
• Review the configurations and verify:
− Connections time out after an appropriate length of time.
− Connection tables are properly set.
− Automatic notifications are enabled in the event of a security breach.

Application Logs

Separate partitioning for firewall logging is considered. This may be in the form of
a separate partition on the same server, a second server drive, mirroring to the
disaster recovery site or a centralized logging facility.
Test Step: Meet with the systems manager and firewall administrators and
inquire about the location of where the logs are stored.


Physical Security

Physical access to the various components (routers, firewall software, etc.) of the
firewall solution is appropriately restricted to individuals with an authorized need
for access.
• Lines connected to the firewall hardware are reasonable.
− Obtain a schematic of the lines connected to the applicable firewall
hardware.
− Discuss the purpose of each line with the appropriate staff.
Test Steps:
• Meet with the systems manager and firewall administrators and verify that all
firewalls are physically inside of a data center.
• Inspect the firewall network diagrams to verify that the connected lines are
appropriate.

Continuity of Operations

Fault tolerance (e.g., mirroring of data) has been implemented for the firewall
server.
Redundant components are installed where critical failure points exist, or spare
parts should be on site.
• Use the hardware and software configuration information to identify hardware
and software in place, which provides redundancy and backup.
If single points of failure exist, plans to address the situation(s) exist.
Obtain and review a schedule of the retention periods for the firewall's software
components and a schedule of the rotation cycle of the firewall's software. The
disaster recovery plan includes the firewall server.
Test Steps:
• Meet with the systems manager and firewall administrators and discuss the
failover and point of failure strategies of the firewalls.
• Discuss the life expectancy of the firewall software.
• Verify that the disaster recovery plan takes firewalls into account.

FIREWALL AUDIT WORK PROGRAM: SAMPLE 2

PROJECT TEAM (LIST MEMBERS)

Project Timing                 Date        Comments
Planning
Fieldwork
Report Issuance

Time Project Work Step Initial Index

Internet and Firewall Configuration Security

Control Objective: The connection to an external network, such as the
internet, is secured with an application gateway firewall and the firewall is
properly configured to secure internet traffic.

Using the network diagram as a guide, observe the physical connections
between the various components, noting proper labeling of all physical
connections and consistency of physical connections within the diagram.
Investigate any connections that link portions of the firewall network to
networks or links not documented in the network diagram.
• Determine whether the firewall has only two network interfaces – the link to
the external network and the link to the internal network.
• Determine whether the router that connects to the internet has only two
interfaces – one that connects to the internet service provider and a second
that connects directly to the firewall or one that connects to the sacrificial
network outside of the firewall.
• For all systems (web server, DNS server, router, firewall) on the sacrificial
network, determine that each component has no links to any other parts of
the internal network or other networks.
• Determine if any devices other than the firewalls and routers tested under
Steps A and B above connect directly to the internet.
• Review the router configuration file for the router that connects to the
internet service provider. Determine whether adequate filters are in place to
detect and drop incoming services that are not authorized to be used on any
of the components located on the sacrificial network. Ensure that traffic that
should only connect to the DMZ (ex: HTTP requests to web host) is not
allowed to be routed to the firewall.

Ensure that the application gateway firewall's host operating system (usually
Unix) has been properly modified to disable services that could be used to
subvert the security of the firewall software program:
• Review startup files to ensure that all standard network services have been
disabled by commenting out their entries.


• Execute the command at the firewall operating system prompt and review
the output (it should show no routes available) to ensure that IP datagram
routing has been disabled in the operating system kernel.
• Review the contents to ensure that they are empty or do not exist on the
system.
• Review the /etc/passwd file to ensure that only the root account and one
firewall administration account are active (not including log-in-disabled
system accounts, bin, wheel, etc.). Assess controls (passwords, logging and
review) over use of these accounts.
• Review the directory structure to ensure that no other application programs,
language compilers, interpreters or other utilities are loaded on the system.

Review the configuration of the firewall software. Often, a configuration file can
be printed out and reviewed.
• Identify all supported and active network application proxies along with the
indication of where connections may be initiated. (This may be noted as a
“trusted network” for connections initiated from the internal network and an
“untrusted network” for connections initiated from the external network–the
internet.) Compare this to the internet policy description of authorized
services. Investigate any deviations from the policy. Further, ensure that the
firewall is not configured to automatically trust any outside network.
• For all proxies that allow network connections to be initiated from the
internet (telnet, FTP, etc.), ensure that strong password authentication
controls are implemented (challenge-response, encryption) or that third-
party security schemes have been implemented (SecureID and S/key).
• For all proxies that allow network connections to be initiated from the
internet, there should normally be restrictions (based on IP addresses or
host names) on the source of such connections and the systems on the
internal network that an internet user may access. Assess the need for
these restrictions and review the configuration of such access controls.
• Review the firewall documentation to ensure that the IP source routing
functionality is disabled in the firewall product.
• Review ID and password controls – authorizations for IDs, password format
and aging controls.
• Review and assess the use of groups to assign services and access
capabilities to users.
• For generic proxy programs that may be in use, review the port number and
IP source and destination restrictions to ensure that they are correctly
designed to restrict this traffic. Assess the need for and implementation of
compensating controls, such as router filters.
• For each proxy, determine that adequate logging mechanisms have been
activated and that logs are reviewed timely. Further, determine who has
access to the logs and ensure that this access is appropriate.
• Review port settings and ensure that all unused ports are disabled. Further,
any active ports must have Cisco Discovery Protocol (CDP), trunking and
spanning tree explicitly disabled.
• Determine whether audit alerts have been adequately designed to alert
management in real time of security events that require prompt attention
(alerts such as SNMP traps, email messages, pagers, etc.).
• Identify and assess the appropriateness of administrators’ access to view
and modify the firewall configuration.
• Review the firewall configuration file and determine if any generic accounts
have access to the firewall. If generic accounts are identified, verify that the
passwords for the accounts are encrypted and that the accounts are
documented in a generic account listing noting the business reasons for
retaining the accounts and the users with knowledge of the passwords.

Review the configuration of the firewall access control lists (ACL).
• Identify and assess the appropriateness of administrators’ access to view
and modify the ACL.
• Determine if the ACL implements a “deny all” strategy, only allowing specific
IP addresses to send and receive information. Review the list of IP
addresses allowed and ensure that they are appropriate.
• Ensure that the first rule of the ACL denies traffic coming into the internal
network, which has an internal source IP address.
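The ACL review above, together with Sample 1's lockdown-rule step (a deny-to-firewall rule near the top of the rule base, preceded only by administrative-access rules) and its requirement that administrative ports be reachable only from named source addresses, can be checked mechanically once the rule base is exported. The following is an added example and not the work program's or any vendor's code: it reviews a constructed, top-down, first-match rule base for the four properties those steps describe. The firewall address, internal address space and the set of management services are assumptions declared at the top.

```python
import ipaddress
from typing import Dict, List

FIREWALL_ADDRS = {"192.0.2.1"}                          # the firewall's own interfaces (constructed)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # internal address space (constructed)
ADMIN_SERVICES = {"ssh", "https"}                       # management services (assumed)

# Constructed rule base; rules are evaluated top-down and the first match wins
RULES: List[Dict[str, str]] = [
    {"src": "10.0.0.0/24", "dst": "192.0.2.1",     "svc": "ssh",   "action": "allow", "iface": "inside"},   # admin access
    {"src": "any",         "dst": "192.0.2.1",     "svc": "any",   "action": "deny",  "iface": "any"},      # lockdown
    {"src": "10.0.0.0/8",  "dst": "any",           "svc": "any",   "action": "deny",  "iface": "outside"},  # anti-spoof
    {"src": "any",         "dst": "198.51.100.10", "svc": "https", "action": "allow", "iface": "outside"},  # public web
    {"src": "10.0.0.0/8",  "dst": "any",           "svc": "https", "action": "allow", "iface": "inside"},   # outbound
    {"src": "any",         "dst": "any",           "svc": "any",   "action": "deny",  "iface": "any"},      # cleanup
]

# Same intent, badly ordered: what the review should flag
WEAK_RULES: List[Dict[str, str]] = [
    {"src": "any", "dst": "192.0.2.1",     "svc": "https", "action": "allow", "iface": "any"},
    {"src": "any", "dst": "198.51.100.10", "svc": "https", "action": "allow", "iface": "outside"},
    {"src": "any", "dst": "192.0.2.1",     "svc": "any",   "action": "deny",  "iface": "any"},
    {"src": "any", "dst": "any",           "svc": "any",   "action": "allow", "iface": "any"},
]


def _is_firewall(dst: str) -> bool:
    return dst in FIREWALL_ADDRS


def _is_internal(src: str) -> bool:
    if src == "any":
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.subnet_of(n) for n in INTERNAL_NETS)


def review(rules: List[Dict[str, str]]) -> List[str]:
    findings: List[str] = []
    # 1. a lockdown rule exists, and only admin-access rules sit in front of it
    lockdown = next((i for i, r in enumerate(rules)
                     if r["action"] == "deny" and _is_firewall(r["dst"])
                     and r["src"] == "any" and r["svc"] == "any"), None)
    if lockdown is None:
        findings.append("no lockdown rule protecting the firewall itself")
    else:
        for i, r in enumerate(rules[:lockdown]):
            if not (_is_firewall(r["dst"]) and r["action"] == "allow" and r["svc"] in ADMIN_SERVICES):
                findings.append(f"rule {i + 1} precedes the lockdown rule but is not an admin-access rule")
    # 2. management access is restricted to named sources
    for i, r in enumerate(rules):
        if _is_firewall(r["dst"]) and r["action"] == "allow" and r["src"] == "any":
            findings.append(f"rule {i + 1} allows management access from any source")
    # 3. internal source addresses arriving on the outside interface are denied
    #    before anything is allowed in from outside
    first_outside_allow = next((i for i, r in enumerate(rules)
                                if r["iface"] == "outside" and r["action"] == "allow"), None)
    spoof_deny = next((i for i, r in enumerate(rules)
                       if r["iface"] == "outside" and r["action"] == "deny" and _is_internal(r["src"])), None)
    if spoof_deny is None or (first_outside_allow is not None and spoof_deny > first_outside_allow):
        findings.append("no anti-spoofing deny of internal source addresses ahead of outside allow rules")
    # 4. the rule base ends with an explicit deny-all
    last = rules[-1]
    if not (last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any" and last["svc"] == "any"):
        findings.append("rule base does not end with an explicit deny-all cleanup rule")
    return findings


if __name__ == "__main__":
    print("good rule base:", review(RULES) or "no findings")
    print("weak rule base:", review(WEAK_RULES))
```

The weak rule base produces four findings: an admin rule open to any source, a general rule ahead of the lockdown rule, no anti-spoofing deny, and a permissive final rule. The checks are deliberately structural (ordering and breadth of match) because that is what the "most restrictive to general" guidance above is about; whether each allowed service is justified is still the documented-justification step earlier in the program.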

Determine all remote access mechanisms that are allowed through the firewall.
Ensure that anonymous FTP access is not allowed through the firewall.
• Ensure that the firewall is configured to log off idle user sessions after a set
timeout period.

Determine if security levels are assigned to firewall perimeter interfaces that
indicate levels of sensitivity. Ensure that the settings are appropriate.

Ensure that internet control message protocol (ICMP) packets are controlled
inbound and outbound on the firewall.

Ensure that the IP frag guard protects the firewall from IP fragmentation
attacks.

Ensure that RIP or OSPF is disabled so that the firewall does not accept any IP
routing table updates.

Ensure that the SNMP community string on the router has been changed from
public to a password key value.

Ensure that mail guard is enabled in the firewall to provide a safe conduit for
simple mail transfer protocol (SMTP) connections from the outside to an inside
electronic mail server.

Determine if ActiveX content is blocked by the firewall.

Determine what mechanisms are used to protect against external IP spoofing.
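The nine one-line steps above (interface security levels, ICMP control, fragment guard, no RIP/OSPF, a non-default SNMP community, mail guard, ActiveX blocking and anti-spoofing) are all answerable from the running configuration, which is why the program says a configuration file "can be printed out and reviewed". The following is an added example, not the work program's own material: it runs those checks over a constructed configuration excerpt written in the command style of the PIX-era firewall the program refers to elsewhere. The exact command syntax is an assumption to be verified against the product actually in scope; the weak and the corrected configuration are shown side by side.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed excerpt in PIX 6.x command style (assumed syntax; verify against the product in scope)
WEAK_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
icmp deny any outside
snmp-server community public
fixup protocol smtp 25
rip outside passive
ip verify reverse-path interface outside
"""

# The same excerpt with the findings corrected (community string is a constructed placeholder)
HARDENED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
icmp deny any outside
snmp-server community REPLACE-WITH-SITE-SPECIFIC-STRING
sysopt security fragguard
fixup protocol smtp 25
filter activex 80 0 0 0 0
ip verify reverse-path interface outside
"""


def parse_lines(text: str) -> List[str]:
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]


# (description of the control, predicate over the configuration lines)
CHECKS: List[Tuple[str, Callable[[List[str]], bool]]] = [
    ("ICMP is restricted on the outside interface",
     lambda ls: any(re.match(r"icmp (deny|permit) \S+ .*outside$", l) for l in ls)),
    ("IP fragment guard is enabled",
     lambda ls: "sysopt security fragguard" in ls),
    ("no RIP/OSPF routing updates accepted",
     lambda ls: not any(re.match(r"(rip|router ospf) ", l) for l in ls)),
    ("SNMP community string is not 'public'",
     lambda ls: not any(re.match(r"snmp-server community public$", l) for l in ls)),
    ("mail guard (SMTP fixup) is enabled",
     lambda ls: any(l.startswith("fixup protocol smtp") for l in ls)),
    ("ActiveX content filtering is configured",
     lambda ls: any(l.startswith("filter activex") for l in ls)),
    ("reverse-path anti-spoofing on the outside interface",
     lambda ls: "ip verify reverse-path interface outside" in ls),
]


def interface_security_levels(lines: List[str]) -> Dict[str, int]:
    levels = {}
    for l in lines:
        m = re.match(r"nameif \S+ (\S+) security(\d+)$", l)
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels


def audit_config(text: str) -> List[str]:
    """Return the descriptions of every control the configuration fails."""
    lines = parse_lines(text)
    failed = [name for name, ok in CHECKS if not ok(lines)]
    levels = interface_security_levels(lines)
    # outside must be the least trusted interface and inside the most trusted
    if not (levels and levels.get("outside") == min(levels.values())
            and levels.get("inside") == max(levels.values())):
        failed.append("interface security levels do not put outside lowest and inside highest")
    return failed


if __name__ == "__main__":
    print("weak config fails:", audit_config(WEAK_CONFIG))
    print("hardened config fails:", audit_config(HARDENED_CONFIG) or "nothing")
```

The weak excerpt fails four controls (fragment guard, RIP, the default SNMP community and ActiveX filtering) and the corrected one passes all of them; the output is the list an auditor would carry into the "Remarks" column. Keep the predicates simple and exact-match where possible, since a regex that is too generous will silently pass a misconfigured line.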

Internet and Firewall Configuration Change Management

Control Objective: Firewall change management procedures are appropriate
to prevent incomplete, unintended or unauthorized changes to the firewall
and/or other critical network devices.

Review the configuration change log (many firewall products support this) and
investigate a sample of changes from the population with the administrator to
ensure that they are authorized changes.

Determine the process of how software upgrades and security patches are
applied to firewalls and routers. Further, determine how administrators are
notified of available updates.

Determine if a process exists to back up the firewall configuration regularly.

Determine if a backup firewall exists and is configured to be deployed if the
primary firewall fails.

Network Monitoring and Intrusion Detection

Control Objective: Network traffic is monitored to detect availability issues or
security events.

Determine if a third-party service is used for intrusion prevention and intrusion
detection services to monitor internet and wide area network traffic for security
events such as denial of service attacks. Obtain a sample notification and verify
that an IT ticket was created for any necessary changes.

Determine if the network is monitored to detect issues such as availability, high
CPU utilization or system errors.

Firewall Vulnerability Assessment

Control Objective: The firewall is configured properly to prevent unauthorized
security breaches.

Ensure that third-party penetration tests were performed. Review the testing
results and determine if vulnerabilities were discovered. Follow up with IT
management to determine what action plans were implemented to remediate
the vulnerabilities if any.

FIREWALL AUDIT WORK PROGRAM: SAMPLE 3

PRELIMINARY ASSESSMENT
• Determine who has overall responsibility for the firewall.
• Request documentation as follows:
− Wide area network (WAN) diagrams showing all network locations, including WAN transmission methods
used (X.25, frame-relay, T-1, dial-up, etc.)
− Detailed network diagrams for all local area networks within the audit scope, including all significant nodes
such as routers, firewalls, gateways, file servers, host processing systems (Unix, mainframe, etc.), with
network and node IP addresses and link transmission methods (ethernet, token ring, etc.)
− Printouts of firewall configuration files

INTERNET AND FIREWALL CONFIGURATION SECURITY

Determine whether the connection to an external network, such as the internet, is secured with an
application gateway firewall and that the firewall is properly configured to secure internet traffic.
• Using the network diagram as a guide, observe the physical connections between the various components,
noting proper labeling of all physical connections and consistency of physical connections with the diagram.
Investigate any connections that link portions of the firewall network to networks or links not documented in
the network diagram.
− Determine whether the firewall has only two network interfaces – the link to the external network and the
link to the internal network.
Remarks:
− Determine whether the router that connects to the internet has only two interfaces – one that connects to
the internet service provider and a second that connects directly to the firewall or one that connects to the
sacrificial network outside of the firewall.
Remarks:
− For all systems (web server, DNS server, router, firewall) on the sacrificial network, determine that each
component has no links to any other parts of the internal network or other networks.
Remarks:
• Review the router configuration file for the router that connects to the internet service provider. Determine
whether adequate filters are in place to detect and drop incoming services that are not authorized to be used
on any of the components located on the sacrificial network (possibly telnet, snmp, bootp, etc.).
Remarks:
• Ensure that the application gateway firewall's host operating system (usually Unix) has been properly modified
to disable services that could be used to subvert the security of the firewall software program:
− Review the /etc/inetd.conf file and the /etc/rc startup files to ensure that all standard network services have
been disabled by commenting out their entries.
Remarks:
− Execute the command netstat at the firewall operating system prompt and review the output (it should show
no routes available) to ensure that IP datagram routing has been disabled in the operating system kernel.
Remarks:
− Review the contents of the /etc/hosts.equiv, $HOME/.rhosts, and $HOME/.netrc files to ensure that they are
empty or do not exist on the system.

Remarks:
− Review the /etc/passwd file to ensure that only the root account and one firewall administration account are
active (not including log-in-disabled system accounts, bin, wheel, etc.). Assess controls (passwords, logging
and review) over use of these accounts.
Remarks:
− Review the directory structure to ensure that no other application programs, language compilers,
interpreters or other utilities are loaded on the system.
Remarks:
• Review the configuration of the firewall software. Often, a configuration file can be printed out and reviewed.
− Identify all supported and active network application proxies along with the indication of where connections
may be initiated. (This may be noted as a “trusted network” for connections initiated from the internal
network and an “untrusted network” for connections initiated from the external network–the internet.)
Compare this to the internet policy description of authorized services. Investigate any deviations from the
policy.
Remarks:
− For all proxies that allow network connections to be initiated from the internet (telnet, ftp, etc.), ensure that
strong password authentication controls are implemented (challenge-response, encryption) or that third-
party security schemes have been implemented (SecureID and S/key).
Remarks:
− For all proxies that allow network connections to be initiated from the internet, there should normally be
restrictions (based on IP addresses or host names) on the source of such connections and the systems on
the internal network that an internet user may access. Assess the need for these restrictions and review the
configuration of such access controls.
Remarks:
− Review ID and password controls – authorizations for IDs, password format and aging controls.
Remarks:
− Review and assess the use of groups to assign services and access capabilities to users.
Remarks:
− For generic proxy programs that may be in use, review the port number and IP source and destination
restrictions to ensure that they are correctly designed to restrict this traffic. Assess the need and
implementation of compensating controls such as router filters.
Remarks:
− For each proxy, determine that adequate logging mechanisms have been activated and that logs are
reviewed on a timely basis.
Remarks:
− Determine whether audit alerts have been adequately designed to alert management on a real-time basis of
security events that require prompt attention (alerts such as SNMP traps, email messages, pagers, etc.).
Remarks:
− Identify and assess the appropriateness of administrators’ access to view and modify the firewall
configuration.
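The host operating system checks in this section (and the shorter version of the same step in Sample 2) come down to reading three kinds of file: inetd.conf and the rc startup files for services left enabled, /etc/passwd for login-capable accounts beyond root and the one administration account, and the hosts.equiv/.rhosts/.netrc trust files, which should be empty or absent. The following is an added example, not the work program's own material: it applies those three checks to constructed file contents embedded inline, so the logic can be read and run without a firewall host. The list of no-login shells and the expected pair of active accounts are assumptions.

```python
from typing import Dict, List, Optional

# Constructed /etc/inetd.conf: everything commented out except finger
INETD_CONF = """\
# inetd.conf on the firewall host (constructed sample)
#ftp     stream  tcp  nowait  root    /usr/sbin/ftpd     ftpd
#telnet  stream  tcp  nowait  root    /usr/sbin/telnetd  telnetd
finger   stream  tcp  nowait  nobody  /usr/sbin/fingerd  fingerd
#shell   stream  tcp  nowait  root    /usr/sbin/rshd     rshd
"""

# Constructed /etc/passwd: root, two system accounts, the admin account and a leftover user
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
fwadmin:x:1000:1000:Firewall admin:/home/fwadmin:/bin/sh
jsmith:x:1001:1001:Left-over account:/home/jsmith:/bin/bash
"""

# Constructed trust files: content as a string, or None when the file does not exist
TRUST_FILES: Dict[str, Optional[str]] = {
    "/etc/hosts.equiv": "",
    "/root/.rhosts": "+ +\n",
    "/root/.netrc": None,
}

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumed list
EXPECTED_ACTIVE = {"root", "fwadmin"}                                  # root plus one admin account


def active_inetd_services(text: str) -> List[str]:
    """Service names on lines that are neither blank nor commented out."""
    return [ln.split()[0] for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def active_accounts(text: str) -> List[str]:
    """Accounts whose login shell is a real shell (seven-field passwd records only)."""
    out = []
    for ln in text.splitlines():
        fields = ln.split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
            out.append(fields[0])
    return out


def nonempty_trust_files(files: Dict[str, Optional[str]]) -> List[str]:
    """Trust files that exist and contain something other than whitespace."""
    return [path for path, content in files.items() if content is not None and content.strip()]


def audit_host(inetd: str = INETD_CONF, passwd: str = PASSWD,
               trust: Dict[str, Optional[str]] = TRUST_FILES) -> List[str]:
    findings = []
    for svc in active_inetd_services(inetd):
        findings.append(f"inetd service still enabled: {svc}")
    for acct in sorted(set(active_accounts(passwd)) - EXPECTED_ACTIVE):
        findings.append(f"unexpected login-capable account: {acct}")
    for path in nonempty_trust_files(trust):
        findings.append(f"trust file not empty: {path}")
    return findings


if __name__ == "__main__":
    for finding in audit_host():
        print(finding)
```

On the constructed files the review reports the still-enabled finger service, the leftover jsmith account and a non-empty /root/.rhosts (the "+ +" entry trusts every host and user). On a real host the same functions would be fed the contents of the actual files; the shadow file, where used, is what decides whether a listed account can still authenticate, so the /etc/passwd result is the starting list for that follow-up rather than the last word.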

INTERNET AND FIREWALL CONFIGURATION CHANGE MANAGEMENT

Determine whether the firewall change management procedures are appropriate to prevent incomplete,
unintended or unauthorized changes to the PIX firewall and/or other critical network devices.
• Review the configuration change log (many firewall products support this) and investigate several changes
with the administrator to ensure that they are authorized changes.

NETWORK MONITORING AND INTRUSION DETECTION
Determine whether network traffic is monitored to detect availability issues or security events.
• Determine if a third-party service is used for intrusion prevention and intrusion detection services to monitor
internet and wide area network traffic for security events such as denial of service attacks.
Remarks:
• Determine if the network is monitored to detect issues such as availability, high CPU utilization or system
errors.

FIREWALL VULNERABILITY ASSESSMENT


Determine whether the firewall is configured properly to:

(Insert Text)

FIREWALL AUDIT WORK PROGRAM: SAMPLE 4

F. Firewalls and Internet DMZ Design and Composition

F.1 The firewalls are kept up to date and securely configured.

AUDIT STEP
F.1.1 Ensure that processes and procedures are documented to ensure the most up-to-date (or one release
behind) security patches for the firewall application are installed and updated.

Control Procedures in Place at (Insert Company)


(Insert Company) is currently using three firewalls within the DMZ architecture. All three are using (Insert System)
with Feature Pack 1.

The operating system for the (Insert Location) internal and DMZ firewalls is (Insert System). The operating system
for the (Insert Location) firewall is (Insert System).

Internal Audit Test Work


Screen captures from the (Insert System) firewalls showing the version and current update level of (Insert
System) (F.1.1.1 – F.1.1.4) were reviewed to ensure that they are up to date or one release behind.

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.1.1

Issue: Firewall Version Level

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan


The action plan must be completed by management.

AUDIT STEP
F.1.2 Ensure that processes and procedures are in place to ensure that security updates and advisories (such as
CERT or CIAC) are reviewed and implemented.

Control Procedures in Place at (Insert Company)

(System Administrator): The firewall administrator receives some security alerts via email, but they are mostly
reviewed on an ad-hoc basis. If updates are needed on the firewall, (System Administrator) updates one of the
failover firewalls first, and once it has been established that the update is safe, it is added to the other firewalls.

Internal Audit Test Work


In an interview with (System Administrator), the firewall administrator explains the process for how security alerts
and updates are monitored and implemented.

Conclusions
(Insert Text)

AUDIT STEP
F.1.3 Ensure that adequate network scanning of the firewall is occurring regularly. Results are reviewed and
changes are implemented in response to discovered security flaws.

Control Procedures in Place at (Insert Company)


(Insert Company)’s Class C network is scanned twice a year by a third-party security company for vulnerabilities.
The reports are reviewed by (Insert Name). (Insert Name) then creates a list of concerns that need to be
addressed from the report. (Insert Name) distributes the concerns to the appropriate group where they respond to
each concern.

Internal Audit Test Work


An interview with (Insert Name) was conducted to discuss how and when vulnerability scans are conducted on the
(Insert Company) network. The latest vulnerability scans were reviewed (A.2.7.1 – A.2.7.2). The report that (Insert
Name) produced with responses was reviewed as well (F.1.3.2).

Conclusions
(Insert Text)

AUDIT STEP
F.1.4 Ensure that (Insert System) TCP session timeouts are set to an appropriate timeout value.

Control Procedures in Place at (Insert Company)


The current TCP session timeout for the firewalls is set to the default of 3600 seconds (one hour).

Internal Audit Test Work


Since there is no way to export the (Insert System) rule-base or configuration from the (Insert System) appliance,
(System Administrator) sent us the firewall files that contain the rules and configuration. A Perl script was used
to convert the files into a readable HTML format similar to the (Insert System) GUI (F.1.4.1). The TCP session
timeout value was shown there (F.1.4.1).

Conclusions
(Insert Text)

AUDIT STEP
F.1.5 Ensure that SNMP community strings have been changed from default values to a "strong" password that
has eight characters minimum and is alphanumeric.

Control Procedures in Place at (Insert Company)


SNMP is not being used on the firewall.

Internal Audit Test Work


Configurations on the firewalls showing that SNMP is not used (F.1.5.1) were reviewed.

Conclusions
(Insert Text)

AUDIT STEP
F.1.6 Determine if there are appropriate OS hardening procedures in place before firewalls are implemented.

Control Procedures in Place at (Insert Company)


There are no written procedures for hardening the firewall OS, in this case, Sun Solaris. The first firewall at (Insert
Company) was put in by the firewall vendor. (System Administrator) cloned that OS for all current firewalls.
(System Administrator) was not sure if hardening procedures were performed on the original firewall.

Internal Audit Test Work


(System Administrator) was interviewed and asked about the hardening procedures for the firewall.

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.1.6

Issue: OS Hardening Procedures

Business Risk
(Risk Level)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan


The action plan must be completed by management.

AUDIT STEP
F.1.7 Determine if a firewall integrity checker is in use and firewall administrators are notified when changes are
made to critical files.

Control Procedures in Place at (Insert Company)
A firewall integrity checker is not being used to monitor the status of critical files on the firewall.

Internal Audit Test Work


This was done through an interview with (System Administrator) and the firewall administrator.

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.1.7

Issue: Consolidation of Authentication

Business Risk (Risk Level = Low)

(Insert Text)

Recommendations (Resolution Effort Is Medium)


(Insert Text)

Management Action Plan


The action plan must be completed by management.

AUDIT STEP
F.1.8 NTP is enabled on firewalls and synchronized with a valid (Insert Company) timeserver. NTP is restricted in
the (Insert System) security policy rule-base to a valid (Insert Company) timeserver.

Control Procedures in Place at (Insert Company)


NTP has not been implemented on any of the (Insert Company) firewalls.

Internal Audit Test Work


(System Administrator) and the firewall administrator were interviewed to determine that NTP is not being used on
the firewall. There are also no rules on the firewall allowing NTP access (F.1.4.1).

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.1.8

Issue: NTP

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan


The action plan must be completed by management.

AUDIT STEP
F.1.9 Ensure that a firewall policy exists or that a network policy that entails firewall policies and procedures is
being followed.

Control Procedures in Place at (Insert Company)

A firewall policy exists at (Insert Company) (D.2.1.3). The policy describes the acceptable services that are allowed
into (Insert Company) through the firewall and the policy for remote administration. Though the policy is very limited in
what it addresses, the policies that are defined are adhered to. The policy does not establish rules for traffic
between the DMZ and the internal and external networks.

Internal Audit Test Work

The firewall policy that was given to us was reviewed by (Insert Name 2) (D.2.1.3). The firewall rule-set (F.1.4.1)
was then reviewed to ensure that the firewall policy was being adhered to. Remote administration was discussed
with (System Administrator).

Conclusions

(Insert Text)

AUDIT STEP
F.1.10 Verify that the anti-spoofing property under the “Host Properties” window is checked in the GUI.

Control Procedures in Place at (Insert Company)

Anti-spoofing has been enabled on all (Insert Company) firewalls to prevent IP spoofing. This is a process by
which a host sends IP packets with source addresses different from its own in order to evade filtering or to
pretend to be another, trusted host.

Internal Audit Test Work

Screenprints (F.1.10.1) showing that anti-spoofing has been turned on for the firewall were reviewed.

Conclusions

(Insert Text)
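The anti-spoofing property verified in audit step F.1.10 enforces the rule described above: a packet is only accepted on an interface if its source address belongs to the network expected behind that interface. The following is an added illustration, not code from the work program or from (Insert System); the three-legged topology (internal 10.0.0.0/8, DMZ 192.0.2.0/24, external) and the packets are constructed for the example.

```python
"""Anti-spoofing (source address plausibility) check for a three-legged firewall.

Constructed example: the interface topology and sample packets below are
assumptions for illustration, not taken from the audit work program.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ranges that should never appear as a source address on the internet-facing interface
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass(frozen=True)
class Interface:
    name: str
    networks: Tuple[ipaddress.IPv4Network, ...]  # networks legitimately located behind this interface
    external: bool = False


def build_topology() -> Dict[str, Interface]:
    """Constructed topology: internal network, DMZ and an internet-facing interface."""
    return {
        "internal": Interface("internal", (ipaddress.ip_network("10.0.0.0/8"),)),
        "dmz": Interface("dmz", (ipaddress.ip_network("192.0.2.0/24"),)),
        "external": Interface("external", (), external=True),
    }


def is_spoofed(topology: Dict[str, Interface], iface_name: str, src_ip: str) -> bool:
    """Return True when src_ip is not a plausible source for a packet arriving on iface_name."""
    src = ipaddress.ip_address(src_ip)
    iface = topology[iface_name]
    if iface.external:
        # Internet-facing side: the source must not claim an address that lives behind
        # a protected interface, nor a private or reserved range.
        protected = [n for i in topology.values() if not i.external for n in i.networks]
        return any(src in n for n in protected + BOGON_SOURCES)
    # Protected side: the source must belong to that interface's own networks. This also
    # stops an internal host from emitting packets that carry an outside address.
    return not any(src in n for n in iface.networks)


def filter_packets(topology: Dict[str, Interface],
                   packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Classify (interface, src, dst) packets as 'accept' or 'drop(spoofed)'."""
    results = []
    for iface, src, dst in packets:
        verdict = "drop(spoofed)" if is_spoofed(topology, iface, src) else "accept"
        results.append((iface, src, dst, verdict))
    return results


SAMPLE_PACKETS = [  # constructed traffic for the example
    ("external", "203.0.113.5", "192.0.2.10"),   # ordinary internet client to a DMZ web server
    ("external", "10.1.2.3", "10.5.1.20"),       # outside packet claiming an internal address
    ("internal", "10.1.2.3", "203.0.113.5"),     # internal host going out
    ("internal", "203.0.113.9", "10.5.1.20"),    # internal host forging an outside address
    ("dmz", "10.1.2.3", "10.5.1.20"),            # DMZ host claiming an internal address
]

if __name__ == "__main__":
    for row in filter_packets(build_topology(), SAMPLE_PACKETS):
        print("%-9s %-14s -> %-14s %s" % row)
```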

F.2 Access and authorization to the firewall are appropriately secured.

AUDIT STEP
F.2.1 Ensure that a login message is displayed to users logging into the firewall operating system warning them of
the consequences of unauthorized use.

Control Procedures in Place at (Insert Company)


Access to the firewalls can be gained from the (Insert Company) internal network via the (Insert System) GUI
client, HTTP authentication on port 900 and Telnet. None of these means of connecting to the firewalls presents a
customized login banner addressing unauthorized use.

Internal Audit Test Work


An interview with (System Administrator) was conducted where (System Administrator) discussed the fact that no
login banners have been created for the firewalls. In addition, telnet (F.2.1.5 – F.2.1.8) and port 900 connections
were made to the firewalls to review if banners have been implemented (F.2.1.1 – F.2.1.4).

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.2.1

Issue: Login Banner

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan

The action plan must be completed by management.

AUDIT STEP
F.2.2 Ensure that only administrators who need to access the firewall can log in to the firewall via the operating
system or the firewall application ([Insert System] FW-1). Users who need administrative access to either the
operating system or the (Insert System) GUI have separate IDs for accountability purposes.

Control Procedures in Place at (Insert Company)


The only accounts on the Solaris operating systems besides system accounts are root and an account for (System
Administrator) (F.1.1.1 – F.1.1.4). The root account cannot log in remotely via Telnet; (System Administrator) must
log in to the operating system with his own account and switch user to root when administration of the operating
system is needed.

The only (Insert System) GUI account is the default fwadmin account (F.2.2.1).

Internal Audit Test Work


Screenshots of the Solaris password file (F.1.1.1 – F.1.1.4) and of the (Insert System) GUI clients (F.2.2.1) from
the firewall were reviewed.

Conclusions

(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.2.2

Issue: Firewall Accounts

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan

The action plan must be completed by management.

AUDIT STEP
F.2.3 Ensure that there is appropriate backup for the administration of the firewall and that administration
procedures are properly documented.

Control Procedures in Place at (Insert Company)

(System Administrator) is the administrator for the firewall. (System Administrator) indicated that (Insert Name)
could be a backup, but he/she has very little experience administering the firewall and currently doesn’t even have
an account through the (Insert System) GUI (F.2.2.1) or the Solaris operating system (F.1.1.1 – F.1.1.4).

(Insert Name) has put together a manual on the firewall build (F.2.3.1), but the information is somewhat outdated
and it contains very little on how to administer the firewall.

Internal Audit Test Work

(System Administrator) was interviewed about backup administration and provided the firewall manual for review
(F.2.3.1). We spoke with (Insert Name) about her experience with the (Insert System) firewalls and to confirm that
she does not have a (Insert System) GUI account (F.2.2.1). We also reviewed the Solaris password file
(F.1.1.1 – F.1.1.4) to confirm that (Insert Name) does not have a separate account on the Solaris operating
system.

Conclusions

(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.2.3

Issue: Backup Support for Firewall Administration

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan

The action plan must be completed by management.

AUDIT STEP
F.2.4 Ensure that (Insert System) administrative sessions are encrypted with a protocol such as HTTPS, SSH or
Kerberos-encrypted Telnet.

Control Procedures in Place at (Insert Company)

The firewall GUI client creates an encrypted session between it and the firewall. The GUI is used for most of the
firewall administration. Telnet access and HTTP access to port 900 are also available on the firewall. Neither of
these sessions is encrypted.

Internal Audit Test Work

Telnet and HTTP connections were made to the separate firewalls to verify that they existed (see Audit Step
F.2.1).

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.2.4

Issue: Encryption of Administrative Sessions

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan

The action plan must be completed by management.

AUDIT STEP
F.2.5 Ensure that password settings for Sun and (Insert System) GUI administrator IDs have appropriate controls.
Control Procedures in Place at (Insert Company)

There are no set password policies for the firewall GUI client or the Solaris operating systems where the firewall
resides. Passwords are changed on an ad-hoc basis. The last password change for the firewalls was around a
year ago according to (System Administrator).

Internal Audit Test Work

An interview with (System Administrator) was conducted in which he told us that there were no defined or
automated password policies or controls for the (Insert System) GUI or the Solaris operating system.

Conclusion

(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.2.5

Issue: Password Policy

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan

The action plan must be completed by management.

AUDIT STEP
F.2.6 Ensure that a change control procedure exists and is followed for all changes to the firewall.

Control Procedures in Place at (Insert Company)

(Insert Company) follows a defined change control procedure (B.1.1.1). All changes that are made to the firewall
are put through the change control process.

Internal Audit Test Work

An interview was conducted with (Insert Name 4) to go over the change control procedures for (Insert Company).
An interview with (System Administrator) was also done to discuss how changes are made to the firewall. A
firewall change control ticket (B.1.2.1) was reviewed to determine if appropriate procedures were followed for
making the change.

Conclusions
(Insert Text)

AUDIT STEP
F.2.7 Review the physical security of the firewall to ensure that it is stored in an environmentally safe locked room,
with only a select number of individuals having physical access to these rooms.

Control Procedures in Place at (Insert Company)


The firewalls are kept in the data center, which is controlled by card access. A list of people with access to the
(Insert Company) data center is sent from building management to (Insert Name 4) and (Insert Name 2) once a
month for review. (Insert Name 2) and (Insert Name 4) determine if the appropriate people have access and send
a request to building management to add or revoke access when needed.

Internal Audit Test Work


A tour of the data center was given to us, during which we were able to view the firewall. The process for data center
access and review was discussed in interviews with (Insert Name 2) and (Insert Name 4) (see Audit Steps A.1.1
and A.1.2).

Conclusions
(Insert Text)

F.3 Firewalls are appropriately backed up and ensure redundancy.

AUDIT STEP
F.3.1 Ensure that backups for the firewalls are made regularly.

Control Procedures in Place at (Insert Company)


Operating system backups are not performed for the firewalls. The files within the /fw/conf directory are backed up
by (System Administrator) periodically to his PC and the corporate fileserver.

Internal Audit Test Work
An interview with (System Administrator) was held where he/she discussed the backup and restore procedures for
the firewall.

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.3.1

Issue: Firewall Backups

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan

The action plan must be completed by management.

AUDIT STEP
F.3.2 Determine if backups have been tested to ensure that the firewall can quickly and successfully be restored
to the most up-to-date configuration.

Control Procedures in Place at (Insert Company)

Recently, (System Administrator) tested a complete rebuild of one of the redundant firewalls, including the
management console. If a firewall needs to be restored, a standard copy of the Solaris OS must be restored first,
then the default (Insert System) firewall installation, and finally the backed-up configuration files that are kept on
one of the (Insert Company) file servers and on (Insert Name 1)'s PC. A restore of a corrupted rule-base was
performed with the help of (Insert System) engineers about a year ago, which took approximately five hours.

Internal Audit Test Work

An interview was conducted with (System Administrator) that included a discussion of firewall backup and
restoration.

Conclusions

(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.3.2

Issue: Restoring the Firewall

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan

The action plan must be completed by management.

AUDIT STEP
F.3.3 Ensure that firewalls are redundant and set up as a cluster that provides failover capabilities in the event of
primary failure of a business-critical firewall.

Control Procedures in Place at (Insert Company)


The firewalls that control internet access are redundantly built using Fireproof by Radware. Access to and from
the DMZ from the Internet and internal network is controlled by one (Insert System) firewall. There is also one
firewall that separates the (Insert Location) office from the internet. The applications and websites within the DMZ
are not considered mission critical and (Insert Company) is prepared to take the downtime if a failure occurs.

Internal Audit Test Work


An interview with (System Administrator) was conducted to discuss the firewall architecture and DMZ applications.
A diagram was also produced by (System Administrator) showing the architecture of the DMZ (F.3.3.1).

Conclusions
(Insert Text)

AUDIT STEP
F.3.4 Determine if load balancing is being performed on the firewall.

Control Procedures in Place at (Insert Company)


Load balancing is occurring on the firewalls between the internal network and the internet. This is done with a
firewall traffic management product called Fireproof by Radware. Fireproof provides full fault tolerance and
optimization between multiple firewalls on both inbound and outbound traffic.

Internal Audit Test Work


An interview with (System Administrator) was conducted to discuss the firewall architecture and redundancy. A
diagram showing the redundant firewalls in the architecture was also produced by (System Administrator)
(F.3.3.1).

Conclusions
(Insert Text)

F.4 Appropriate logging and website filtering is occurring on the firewall and is reviewed in a timely manner.

AUDIT STEP
F.4.1 Determine if website content filtering is occurring at the firewall (or some other device) to limit employee
access to internet sites that are consistent with business needs.

Control Procedures in Place at (Insert Company)


(Insert Company)’s security policy states “Site blocking software will be in place to block inappropriate sites from
being viewed.” (D.2.1.2).

(Insert Company) had been using the WebSense application to filter offensive and nonproductive websites, but
there were many problems with the WebSense application code. The problems with the code caused all internet
traffic to be blocked from time to time, so it was eventually removed. (Insert Company) is currently looking at an
IDS/web filtering product called eTrust by Computer Associates to replace the WebSense application.

Internal Audit Test Work


An interview was conducted with (System Administrator) where he described the problems with the WebSense
application. (Insert Company)’s security policy was also reviewed (D.2.1.2).

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.4.1

Issue: Website Content Filtering
(Insert Company)’s security policy states “Site blocking software will be in place to
block inappropriate sites from being viewed,” but there is no site blocking software being used at (Insert
Company). (Insert Company) had been using WebSense for content filtering, but had problems with the software
and disabled it. (Insert Company) is in the process of reviewing site-blocking software to replace the WebSense
application, but there is no timeline for selecting a content filtering application.

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan

The action plan must be completed by management.

AUDIT STEP
F.4.2 Ensure that appropriate Internet logging is occurring and being monitored for suspicious activity.

Control Procedures in Place at (Insert Company)


No specific logging or monitoring is happening on the firewall. There is some default logging (F.4.2.1) occurring on
the firewall for implicit rules, but all other rules on the firewalls have logging set to none (F.1.4.1).

Internal Audit Test Work

We reviewed the firewall rule-set (F.1.4.1) for information under the track column and interviewed (System
Administrator) about firewall logging and monitoring.

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.4.2

Issue: Firewall Packet Information Logging

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan

The action plan must be completed by management.

AUDIT STEP
F.4.3 Ensure that Sun and (Insert System) are logging unsuccessful login attempts for review periodically.

Control Procedures in Place at (Insert Company)


Unsuccessful login attempts via the (Insert System) GUI are logged by the firewall. Unsuccessful login attempts to
the Solaris operating system that the firewalls reside on are also logged, but neither log is monitored for
suspicious activity regularly.

Internal Audit Test Work


Screenprints were reviewed showing successful and failed login attempts via the (Insert System) GUI (F.4.3.1)
and the Solaris operating system (F.4.3.2). An interview with (System Administrator) was conducted to discuss
reviews of these logs.

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.4.3

Issue: Monitoring of Unsuccessful Login Attempts

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort)


(Insert Text)

Management Action Plan

The action plan must be completed by management.

AUDIT STEP
F.4.4 Determine how log files are handled in the database and if their size is being monitored.

Control Procedures in Place at (Insert Company)


A minimal amount of default logging (F.4.2.1) is happening on the firewalls. These logs are not monitored for
size. Filesystem usage and general performance are also not monitored on the firewalls. The available space on
the filesystems that hold the (Insert System) firewall software and logs is:

Internal Audit Test Work


In an interview with (System Administrator), we discussed how logs and performance are monitored in the firewall
environment. The output of the firewall was reviewed to show the usage of the various filesystems on the firewall
operating systems.

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.4.4

Issue: Disk Usage and Firewall Performance

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort = Low)


(Insert Text)

Management Action Plan


The action plan must be completed by management.

F.5 The rules, network objects and NAT translations for the firewall are appropriately configured to allow least
privilege access only.

AUDIT STEP
F.5.1 Review the firewall rule-base to determine if services are limited to appropriate IP addresses.

Control Procedures in Place at (Insert Company)


There are 44 rules used for the (Insert Company) firewalls (F.1.4.1). The rules are set up to define accepted traffic
through the firewalls, with a "deny all" rule at the end. The rule-base does need cleanup: it contains rules that allow
traffic to nonexistent objects, redundant rules, and rules that allow excessive traffic.

Internal Audit Test Work


Each rule was reviewed and discussed with (System Administrator). A separate matrix was created that lists each
rule with potential problems, with an issue column and a recommendation column (Appendix A).

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.5.1

Issue: Firewall Rule-base

Business Risk (Risk Level = Low)


(Insert Time)

Recommendations (Resolution Effort = Low)


(Insert Time)

Management Action Plan


The action plan must be completed by management.

AUDIT STEP
F.5.2 Review network address translation (NAT) tables to determine if appropriate NAT mappings have been
created.

Control Procedures in Place at (Insert Company)


NAT is being handled on the LinkProof servers that also manage load balancing between the internet and the
(Insert Company) network. There are X static one-to-one NAT mappings (F.5.2.1) from the internet to the internal
and DMZ networks.

Internal Audit Test Work


The NAT table (F.5.2.1) was reviewed and discussed with (System Administrator). Each mapping was compared
to the firewall object definitions (F.1.4.1) to see if there was a match. If a match was not found, it was noted as a
possible unnecessary mapping. (Appendix B).

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.5.2

Issue: Network Address Translation Mappings

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort = Low)


(Insert Text)

Management Action Plan


The action plan must be completed by management.

AUDIT STEP
F.5.3 Review the firewall object definitions to determine if all objects are current.

Control Procedures in Place at (Insert Company)


There are 119 objects associated with the (Insert Company) firewall (F.1.4.1).

Internal Audit Test Work


In going through the firewall rules (F.1.4.1) with (System Administrator), if unneeded rules were found, the objects
associated with that rule were noted as possibly not needed. The firewall objects list was also compared to the
network address translation table (F.5.2.1). Objects not found in the NAT table were also noted as possibly
unneeded. (Appendix C).

Conclusions
(Insert Text)

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.5.3

Issue: Firewall Objects

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort = Low)


(Insert Text)

Management Action Plan
The action plan must be completed by management.

F.6 The DMZ is designed to contain appropriate services.

AUDIT STEP
F.6.1 Ensure that only services needing an internet presence are housed in the DMZ.

Control Procedures in Place at (Insert Company)


There are currently six servers in the DMZ. They provide functions such as web services and FTP. All servers
kept in the DMZ need incoming internet access.

Internal Audit Test Work


A list of servers kept in the DMZ from the firewall rule-base was reviewed and a network diagram (F.3.3.1) was
provided by (System Administrator). We discussed the various server functions and reviewed the services needed
through the firewall (F.1.4.1).

Conclusions
(Insert Text)

AUDIT STEP
F.6.2 Determine if incoming internet traffic is making connections with servers or network devices on the (Insert
Company) internal network.

Control Procedures in Place at (Insert Company)


There are eight rules (20, 21, 22, 23, 24, 25, 26, 27) (F.1.4.1) that allow various services from any host on the
internet to approximately X different servers on the (Insert Company) internal network. These services range from
HTTP and FTP to various Oracle ports.

Internal Audit Test Work


The firewall was reviewed for rules (F.1.4.1) that allow any internet traffic to internal IP addresses. These rules
were also discussed with (System Administrator).

Conclusions
(Insert Text)
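The reviews described in audit steps F.4.2, F.5.1, F.5.2, F.5.3 and F.6.2 (accept rules with Track set to None, rules referencing nonexistent objects, redundant rules, missing deny-all, NAT mappings with no matching object, unused objects, and rules letting any internet host reach the internal network) can be scripted once the rule-base has been converted to a readable form. The following is an added example, not the work program's Perl script and not (Insert System) code; the rule-base, object list, NAT table and the 10.0.0.0/8 internal range are constructed, and shadowing is checked with a simplified "Any or identical" comparison rather than full address-set containment.

```python
"""Rule-base, NAT table and object review helper (constructed example).

The objects, rules and NAT mappings below are assumptions made for the example,
laid out in the Source/Destination/Service/Action/Track columns the audit refers to.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    no: int
    src: str
    dst: str
    svc: str
    action: str
    track: str


INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed object definitions: name -> address or network ("any" for the Any object)
OBJECTS: Dict[str, str] = {
    "Any": "any",
    "Internal_Net": "10.0.0.0/8",
    "DMZ_Web": "192.0.2.10",
    "DMZ_FTP": "192.0.2.11",
    "Oracle_DB": "10.5.1.20",
    "Old_Mail": "10.5.1.99",   # referenced by no rule and no NAT mapping
}

# Constructed static one-to-one NAT table: (local address, public address)
NAT_TABLE: List[Tuple[str, str]] = [
    ("192.0.2.10", "198.51.100.10"),
    ("192.0.2.11", "198.51.100.11"),
    ("10.5.1.77", "198.51.100.77"),   # local address matches no object
]

RULES: List[Rule] = [
    Rule(1, "Any", "DMZ_Web", "http", "accept", "Long"),
    Rule(2, "Any", "DMZ_Web", "http", "accept", "None"),        # duplicate of rule 1
    Rule(3, "Any", "Oracle_DB", "sqlnet", "accept", "None"),    # internet straight to internal
    Rule(4, "Internal_Net", "Any", "Any", "accept", "None"),
    Rule(5, "Internal_Net", "Legacy_Srv", "telnet", "accept", "None"),  # undefined object
    Rule(6, "Any", "Any", "Any", "drop", "Long"),               # explicit cleanup rule
]


def covers(a: str, b: str) -> bool:
    """Simplified match: a field covers another if it is Any or identical to it."""
    return a == "Any" or a == b


def is_internal(name: str, objects: Dict[str, str]) -> bool:
    """True when the named object lies inside the assumed internal address space."""
    value = objects.get(name)
    if value is None or value == "any":
        return False
    return ipaddress.ip_network(value, strict=False).subnet_of(INTERNAL_NET)


def review_rules(rules: List[Rule], objects: Dict[str, str]) -> List[Tuple[int, str]]:
    """Return (rule number, finding) pairs for the problems the audit steps look for."""
    findings = []
    for i, r in enumerate(rules):
        for field in (r.src, r.dst):
            if field not in objects:  # F.5.1 / F.5.3: rule points at a nonexistent object
                findings.append((r.no, f"references undefined object '{field}'"))
        if r.action == "accept":
            if r.src == "Any" and is_internal(r.dst, objects):  # F.6.2
                findings.append((r.no, "permits any internet host to reach the internal network"))
            if r.src == r.dst == r.svc == "Any":  # F.5.1: excessive traffic
                findings.append((r.no, "accepts any source, destination and service"))
            if r.track == "None":  # F.4.2: accepted traffic leaves no log entry
                findings.append((r.no, "accept rule with Track set to None"))
        for earlier in rules[:i]:  # an earlier, broader rule means this one never matches
            if covers(earlier.src, r.src) and covers(earlier.dst, r.dst) and covers(earlier.svc, r.svc):
                findings.append((r.no, f"shadowed by rule {earlier.no}"))
                break
    last = rules[-1] if rules else None
    if last is None or not (last.src == last.dst == last.svc == "Any" and last.action == "drop"):
        findings.append((last.no if last else 0, "rule-base does not end with an explicit deny-all"))
    return findings


def review_nat(nat_table: List[Tuple[str, str]], objects: Dict[str, str]) -> List[str]:
    """Local addresses in the NAT table that match no firewall object (F.5.2)."""
    known = set(objects.values())
    return [local for local, _public in nat_table if local not in known]


def review_objects(objects: Dict[str, str], rules: List[Rule],
                   nat_table: List[Tuple[str, str]]) -> List[str]:
    """Objects used by neither a rule nor a NAT mapping, candidates for removal (F.5.3)."""
    used = {r.src for r in rules} | {r.dst for r in rules}
    nat_locals = {local for local, _public in nat_table}
    return [n for n, v in objects.items() if n != "Any" and n not in used and v not in nat_locals]


if __name__ == "__main__":
    for no, text in review_rules(RULES, OBJECTS):
        print(f"rule {no}: {text}")
    print("NAT mappings without an object:", review_nat(NAT_TABLE, OBJECTS))
    print("possibly unneeded objects:", review_objects(OBJECTS, RULES, NAT_TABLE))
```

The findings map directly onto the columns of Appendices A to C: one row per flagged rule, NAT mapping or object.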

NETWORK AUDIT
Firewalls and Internet DMZ Design and Composition: POS

WP No. F.6.2

Issue: Appropriate DMZ Design

Business Risk (Risk Level = Low)


(Insert Text)

Recommendations (Resolution Effort = Low)
(Insert Text)

Management Action Plan


The action plan must be completed by management.

APPENDIX A: RULE-BASE RECOMMENDATIONS

Rule # | Issue | Recommendation

APPENDIX B: POSSIBLE UNNEEDED NETWORK ADDRESS TRANSLATION MAPPINGS

From Local IP | To Local IP | Router IP | From NAT IP | To NAT IP | NAT Redundancy

APPENDIX C: POSSIBLE UNNEEDED FIREWALL OBJECTS
(Insert Text)
