Busy Firewall Administrators Note

New job? Review how to restore services. E.g., how would you do a restore? How old is the (Windows) Automated System Recovery (ASR)?

Run NETALYZR for a snapshot of what your connection to the Internet looks like (requires Java). Save the links it creates so you can compare with future results.

You drop inbound traffic for unnecessary protocols and ports. You drop inbound traffic with known malicious patterns or signatures. See “The Anomaly or Signature based intrusion detection: Do you need both?” [mp3] presentation by David Jacobs, Principal of The Jacobs Group for an overview.

You drop inbound email for malicious patterns or sources.

Visit SRI Malware Threat Center. See the list of Most Aggressive Malware Attack Source and Filters. Test the rules. Implement the rules. See the Most Prolific BotNet Command and Control Servers and Filters. Test the rules. Implement the rules.

Test the rules: Flint is a free, open source, web-based firewall rule scanner.

Visit DShield Top Ten Source IPs or SANS Top Ten Source IPs or StopBadware’s Top 50 IPs. Block access (In and Out, all ports).
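One way to turn such a list into rules, as an added example that is not part of the original note: it parses a constructed feed in the shape of those top-N lists, rejects entries that overlap your own address space (a typo there would cut off your LAN or gateway), and emits nftables rules dropping the listed hosts inbound and outbound. The table name `inet filter` and its input/forward/output chains are assumptions.

```python
import ipaddress

# Constructed sample shaped like a "top source IPs" feed (documentation
# addresses, not real indicators): one entry per line, comments and CIDR allowed.
SAMPLE_FEED = """\
198.51.100.23
203.0.113.0/24
198.51.100.23
10.0.0.5
not-an-ip
192.0.2.77   # trailing comment
"""

# A public block list must never overlap these: such an entry is almost
# certainly a typo, and applying it would cut off your own LAN or gateway.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_feed(text):
    """Return (accepted, rejected): deduplicated IPv4 networks in feed order,
    and (entry, reason) pairs to review by hand before anything is blocked."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()          # drop comments/blanks
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "unparseable"))
            continue
        if net.version != 4 or any(net.overlaps(loc) for loc in LOCAL_NETS):
            rejected.append((entry, "not a public IPv4 range"))
        elif net not in seen:                         # feeds repeat entries
            seen.add(net)
            accepted.append(net)
    return accepted, rejected

def nft_rules(nets, table="inet filter", name="badsrc"):
    """nft commands: one interval set, then drops on input, forward and output
    ("In and Out"). Assumes the table and those three chains already exist."""
    elems = ", ".join(str(n) if n.prefixlen < 32 else str(n.network_address) for n in nets)
    return [
        f"add set {table} {name} {{ type ipv4_addr; flags interval; }}",
        f"add element {table} {name} {{ {elems} }}",
        f"add rule {table} input ip saddr @{name} counter drop",
        f"add rule {table} forward ip saddr @{name} counter drop",
        f"add rule {table} forward ip daddr @{name} counter drop",
        f"add rule {table} output ip daddr @{name} counter drop",
    ]
```

Review the rejected entries before feeding the returned lines to `nft -f -`; the `counter` on each drop rule gives you hit counts to put in the status report.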

No, this is not rigorous. You’re slashing out the alerts you don’t want to waste time investigating, so you can focus on the interesting alerts. You still need to review the logs and follow up. But look at what you’re doing. You tell your boss you finished this. These are measurable tasks, good for status reports. They are good work, too.

For an explanation of the steps you just skipped (because your boss should ask why he cares), a walk-through is in Chapter 4: Lifecycle of a Vulnerability from Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century by Ryan Trost.

Who forwards your network traffic? How do you get on the Internet? Tracert shows IP addresses, but what’s the network diagram? Robtex.com, friend. Look up your domain name. You can give your boss a network diagram. Again, good work!


In a jam, trying to figure out what’s going on? Robert Graham’s FAQ: Firewall Forensics (What am I seeing?) is a practical file to work from. Can’t connect to it? Various versions appear around the net, the latest I can find (from a reliable source) is version 0.4.0 (April 20, 2000) at linuxsecurity.com and be.at. A version 1.2.0 (January 2003) can be found at coffeenix.net.

See also:

  • Spyware warrior’s firewall links
  • Configuring IP Access Lists Cisco’s Guide To Access Control Lists (ACLs)
  • Port numbers
  • Sanewall Linux firewall builder for IPv4 and IPv6
  • Linux firewalls and routing
  • Hakin9 04/2010 [pdf] with Firewalls for Beginners by Antonio Fanelli
  • Firewall leak testing
  • Firewall Builder firewall policy configuration and management
  • Firewall Auditor, a free firewall PCI assessment tool provided by FireMon
  • Center for Internet Security (CIS) Cisco Router Audit Tool (RAT) assesses target devices for conformance with the CIS Benchmarks for Cisco Router IOS and Cisco PIX firewalls. The installation package for the tool includes benchmark documents (PDF) for both Cisco IOS and Cisco ASA, FWSM, and PIX security settings.
    NOTE: CIS RAT is out of date with the current CIS Cisco Benchmarks. A new, updated version of the tool is under development. Until the new version is released, RAT will remain an unsupported tool. Check for updates.
  • Nipper assists security professionals and network system administrators to securely configure network infrastructure devices. Search for the phrase “Cisco Router Device Router Security Report” to see examples posted on the Internet. The Open Source version is no longer supported. An Open Source fork (nipper-ng) exists.
  • Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for Linux, FreeBSD, OpenBSD, NetBSD, Solaris, IRIX, OS X, etc. as well as Windows XP. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP. Webfwlog also supports logs saved in a database using the ULOG or NFLOG targets of the Linux netfilter project, or any other database logs mapped with a view to the ulogd schema. Versions 1 and 2 of the ulogd database schemas are supported.

Busy network administrators may wish to turn to Qsolved.com for tech support answers from Cisco professionals.

Diagram your network, perhaps using CADE, Dia, Diagram Designer, Gliffy or yEd.
