Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
George_Ellis
Advisor

Firewall Rule Audits or Approvals - Learning Resource?

Has anyone found a good guide/book/publication to help teach junior analysts/engineers about reviewing firewall changes or auditing rules?  I know there is about nothing that teaches folks on how to do remediation of rules.  Nice of PCI-DSS to demand it, but provide nothing to help support their review cycle.  I have an internal document where I show how to use our tools to do it, but that fundamentals doc on what are good rules and what righteously sucks seems to be elusive.  "PCI auditors" just go by bad protocols and too many addresses, but don't actually understand why. 

So if anyone has any insight into a resource to help with why a firewall rule is good or bad, that would greatly be appreciated.

George

0 Kudos
10 Replies
Tal_Paz-Fridman
Employee
Employee

George_Ellis
Advisor

Great for someone to support Check Point devices and applications.  But they really don't go deep into common usage.

 

0 Kudos
the_rock
Legend
Legend

I think you got 2 excellent responses.

0 Kudos
Ruan_Kotze
Advisor

For what it's worth - I'm a PCI-DSS ISA and have helped a couple of orgs with remediation and compliance efforts.  PCI Req. 1.1.7 deals with ruleset reviews and it's as much a process requirement as a technical one, so it's important to keep that in mind.

One can really go deep into the weeds here, and no doubt you have vendors pushing toolsets which will claim to solve your problem with one click of a button but in my opinion the point of origin and the answer to your question "why is a firewall rule good or bad" is simple - is there a documented business justification for the rule?

If the justification for every rule is documented and backed up by CAB minutes which includes risk and impact assessment you'll have a much easier journey with your auditors.  There will always be edge cases, like a legacy system supporting only telnet or SSLv3 or this or that, but for that you create a compensating control and move on with your life.

Something that I always recommend my clients do to help ease the review process, is to put the change request nr. in the rule description, and that CR in turn links back to the CMDB system.

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Agreed the job is infinitely harder without documentation & context.

Compliance blade & SmartOptimize can help, at a high level the basis of these is regulatory & cleanliness.

CCSM R77/R80/ELITE
0 Kudos
George_Ellis
Advisor

If you don't understand the traffic, you don't know if it should be justified and who it might be.  PCI-DSS demands a rule must have a comment.  This is and everything else is accounting.  Accounting does not explain the traffic.  PCI-DSS focuses on accounting and not enterprise life.  A rule may have business justification, but there could be other traffic piggy-backing on it that needs its own justification or to be stopped.

So, you have multi-domain enterprise AD.  How does a person recognize a rule request, the business justification for the components, etc.?  Shoot, even MS does not list all the ports used like 464/TCP for Apple Kerberos.  So in the audit portion of a rule request, the approver has the business justification right there in front of them, but the AD requests includes 1433/TCP.  A newer person does not realize that that is an SQL connection request in it.

0 Kudos
G_W_Albrecht
Legend
Legend

George_Ellis
Advisor

Thanks.  Yes, great for someone to support Check Point at level 2 and 3, but it does not address teaching what is a rule that applies for common network rules.

0 Kudos
Hugo_vd_Kooij
Advisor

If the person doing validation needs strict guidelines then it is up to the company that requires them to write them down.

If the company can't write down those guidelines then they need to find someone who can write them down in a workable fashion. 

Or accept that you need highly skilled (and costly)  people to do the validation part.

In short: There is no short and cheap answer.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
the_rock
Legend
Legend

Very valid points @Hugo_vd_Kooij . @George_Ellis , below is great reference

https://www.nist.gov/cybersecurity

But, I see what Hugo is saying. If company does not have someone that can write those guidelines, then either such person needs to be hired to do so, or have whoever is skilled the most at the moment write something that makes sense.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events