
As part of a broader vulnerability assessment and penetration test, one step of our activity is to review the policy of some firewalls from a security perspective.

In our company we have a deep understanding of firewall rules and best practices, but we don't have any standard reference for commercial purposes, and we don't know of any guidelines for explaining security concerns about misconfiguration and best practices to the client and for adding more value to our know-how.

In our brief research on this we found these guidelines from NIST:

Guidelines on Firewalls and Firewall Policy
Recommendations of the National Institute of Standards and Technology
Special Publication 800-41 Revision 1

Are there other references on firewall policy and firewall configuration? Any suggestions?

The target client is a public library in Italy.
I don't think there are any specific rules about firewalls as there are, for example, for privacy matters.

Eric G
boos
  • Seems remarkably similar to your other post at http://security.stackexchange.com/q/2276/485 - not sure what you are asking here? Are you asking for compliance guidelines, or firewall config standards? The NIST one isn't bad. – Rory Alsop Feb 24 '11 at 10:31
  • I'm asking for compliance guidelines about firewall policy. – boos Feb 24 '11 at 10:55
  • As I said in your other post - can you give some context. What type of org, what country etc. That NIST doc is a good general guide, but if you want specifics - provide context. Also look at the ISO reference I provided in my answer to that question - might be what you need. – Rory Alsop Feb 24 '11 at 11:02

2 Answers


DISA STIGs are always good:

http://iase.disa.mil/stigs/net_perimeter/network_infra/firewall.html

Mark E. Haase
  • Thank you. I don't know why my question sounds like a stupid question and no one replies to it. I think I will ask another question, something like: when you evaluate rules from a firewall, how do you add credibility to your consideration? – boos Mar 25 '11 at 10:50
  • I am not sure what you mean by "add credibility to your consideration". That phrase doesn't make sense in English. Are you asking how you can feel confident that your firewall configuration is secure? – Mark E. Haase Mar 25 '11 at 15:07
  • 'How can you add ...' I dropped a "can". Check my questions; I posted another related one. – boos Mar 25 '11 at 15:26

There is something called an organization-specific policy, or in your case an issue-specific policy. For example, a network security policy would state all the requirements for how your internal environment can be protected from threats, e.g.:

  1. telnetting to firewalls for management,
  2. specifying dedicated VLANs for administration,
  3. firewalls being configured with the concept of least privilege (meaning the firewall default should be configured for implicit deny of any unauthorized connections),
  4. checking user privileges for line vty and console access, whether two users exist with different privilege levels, etc.

When we have this range of inputs, we run a compliance scan or test against the firewall / networking devices using a tool like Nessus. Basically, it works by checking all the inputs by executing commands on the device terminal (through a dedicated privileged user account), then it compares the results against expected values (0 or 1, T | F). It does support regex for parsing the output of some commands.

Compliance check

Saladin
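The answer above describes compliance checking as "execute a command, match the output against an expected value, optionally with a regex". The following is an added example of that pattern, written for this page and not taken from Nessus or from the answer's author: a small Python audit that runs the four policy items listed above (no telnet for management, a dedicated management VLAN, a visible deny at the end of each ACL, and distinct privilege levels for local users, plus console login) as regex checks over a `show running-config`-style text. The configuration text, the device names (`fw-lib-01`, `Vlan99`) and the addresses are constructed for the example in Cisco IOS-like syntax; a real scanner would obtain the text by running the command over SSH instead of reading a string.

```python
"""Minimal regex-based compliance audit of a firewall/router configuration.

Added example for this page (not Nessus code). The checks mirror the policy
items in the answer above; a real tool would fetch the text over SSH.
"""
import re

# Constructed sample running-config (hypothetical device, IOS-like syntax).
# It deliberately fails two checks: telnet is enabled on the vty lines and the
# ACL relies on the implicit deny instead of an explicit, loggable one.
SAMPLE_CONFIG = """\
hostname fw-lib-01
!
vlan 99
 name MGMT
!
username admin privilege 15 secret 5 $1$xxxx
username operator privilege 1 secret 5 $1$yyyy
!
interface Vlan99
 description Management
 ip address 10.99.0.1 255.255.255.0
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 80
!
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
!
"""

# The same configuration with the two findings remediated.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    " transport input telnet ssh", " transport input ssh"
).replace(
    " permit tcp any host 192.0.2.10 eq 80\n",
    " permit tcp any host 192.0.2.10 eq 80\n deny ip any any log\n",
)


def no_telnet_on_vty(cfg: str) -> bool:
    """Management must not accept telnet on any vty line."""
    return re.search(r"^ transport input .*\btelnet\b", cfg, re.M) is None


def has_management_vlan(cfg: str) -> bool:
    """A VLAN interface described as management must exist."""
    return re.search(r"^interface Vlan\d+\n description .*[Mm]anagement", cfg, re.M) is not None


def acls_end_with_explicit_deny(cfg: str) -> bool:
    """Every extended ACL must end with 'deny ip any any' so the default-deny
    posture is visible in the config and can be logged (IOS has an implicit
    deny, but an explicit one is auditable)."""
    blocks = re.findall(r"^ip access-list extended \S+\n((?: .*\n)+)", cfg, re.M)
    if not blocks:
        return False
    return all(
        block.rstrip("\n").splitlines()[-1].strip().startswith("deny ip any any")
        for block in blocks
    )


def distinct_privilege_levels(cfg: str) -> bool:
    """At least two local users with different privilege levels (admin vs. operator)."""
    levels = set(re.findall(r"^username \S+ privilege (\d+)", cfg, re.M))
    return len(levels) >= 2


def console_requires_login(cfg: str) -> bool:
    """The console line must have a 'login' statement."""
    match = re.search(r"^line con 0\n((?: .*\n)*)", cfg, re.M)
    return bool(match) and re.search(r"^ login", match.group(1), re.M) is not None


CHECKS = {
    "vty: no telnet for management": no_telnet_on_vty,
    "dedicated management VLAN present": has_management_vlan,
    "acl: explicit deny at end": acls_end_with_explicit_deny,
    "users: distinct privilege levels": distinct_privilege_levels,
    "console: login required": console_requires_login,
}


def run_checks(cfg: str) -> dict:
    """Return {check name: True (pass) / False (fail)} for a config text."""
    return {name: fn(cfg) for name, fn in CHECKS.items()}


def report(cfg: str) -> str:
    """Human-readable PASS/FAIL listing, one line per check."""
    return "\n".join(f"{'PASS' if ok else 'FAIL'}  {name}" for name, ok in run_checks(cfg).items())


if __name__ == "__main__":
    print("--- original ---")
    print(report(SAMPLE_CONFIG))
    print("--- hardened ---")
    print(report(HARDENED_CONFIG))
```

Each check is a pure function of the configuration text, so the same list can be run against a saved config in the report phase and re-run after remediation to prove the finding is closed; the expected values (0/1, T/F) that the answer mentions are simply the booleans these functions return.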