Before we begin with firewall rule review, let us first have a basic understanding of what a firewall is and how it works.
What is a Firewall?
A firewall monitors incoming and outgoing network packets and blocks or permits each packet based on the rules defined and set by an administrator.
A firewall can be hardware or software, but more often it is hardware/appliance based. It is the first line of defense in any network architecture.
Types of Firewall
1. Stateless Firewall
Imagine a residential building (internal network) with a security guard (firewall) who has been instructed to allow or disallow outsiders based on the following criteria.
i. Allow the outsider if he displays his identity card (source address) and tells the exact name of the flat owner (destination address) and the flat number (destination port).
In technical terms, the stateless firewall inspects the packet's source address, destination address and destination port and decides whether to accept or reject the packet based on the rules set by the administrator.
Consider that one fine day there is a heavy crowd coming in and going out of this building, and the security guard checks all of them. Now a malicious outsider comes along and tries to convince the security guard: "I came into this building this morning and you let me in; I need to collect the belongings I forgot to take from the flat owner" (giving the owner's name and flat number). Since the security guard does not maintain any record of who has entered, he gets confused and allows the malicious outsider to go inside the building.
In technical terms, a malicious packet with the TCP ACK flag set tries to convince the stateless firewall that a connection (TCP session) with the destination server and port has already been initiated. Since the stateless firewall maintains no record of connection state, it lacks the intelligence to tell otherwise, and the malicious packet successfully passes through the firewall.
Eventually this gave rise to a new type of firewall called the "Stateful Firewall".
2. Stateful Firewall
Imagine again that a malicious outsider comes along and tries to convince the security guard that he had been allowed in that morning and wants to go back inside. The security guard, having more intelligence this time, looks through the register and checks for his entry. Since there is no entry in the register, he disallows the malicious outsider.
In technical terms, a stateful firewall looks at all the Layer 3 and Layer 4 parameters of the OSI model, such as source address, source port, destination address and destination port, together with its state table. When a malicious packet with the TCP ACK flag set reaches the stateful firewall, it consults the state table to see whether this connection was already initiated. Since there is no such entry in its state table, it drops the packet.
Imagine now that a malicious outsider comes in with a gun hidden in his jacket. The security guard checks his identity card and which flat owner and flat number he wants to visit, and records it in the register. However, the security guard fails to search the malicious outsider's body. This allows the malicious outsider to get into the building.
In technical terms, when a packet with malicious data content reaches the stateful firewall, the stateful firewall only analyses and maintains the state of the Layer 3 and Layer 4 information of the OSI model, and thus allows the malicious packet a successful entry through the firewall.
Eventually this gave rise to a new type of firewall called the "Next Generation Firewall".
3. Next Generation Firewall
The Next Generation Firewall adds the capability of analysing and performing deep inspection of the packet from Layer 7 down to Layer 3 of the OSI model.
Imagine now that the security guard carries a metal detector with him and scans everything the outsider has brought along.
How does Firewall work?
When a TCP or UDP packet reaches the firewall interface, the firewall checks whether the source address, destination address and destination port match the rule base. If yes, it creates a state entry for the connection, looks up the route in the routing table and forwards the packet.
The packet processing flow differs from product to product. For example, the Cisco ASA firewall has its own algorithm for the flow of a packet arriving at an ingress interface or leaving an egress interface.
Firewall Rule Base Review
Why is it required to review the Firewall Rule Base?
Often, the firewall is managed by multiple administrators. There is a possibility that some administrators add rules in their own way. Some may add rules under pressure. Some may put in incorrect rules which allow an attacker to take advantage of a vulnerable rule, which may lead to exploitation. Therefore, it is required to review the rule base at least quarterly and to create a change management process for adding and pushing policy on the firewall.
How to do a Firewall Rule Base Review?
Whoever performs a firewall rule base review must know the network architecture, the IP address schema and the VLAN or logical network segregation.
There are many automated tools available which can perform a firewall rule base review, for example Skybox, SolarWinds, Tufin, Nipper, etc.
However, we will see how to perform a firewall rule base review manually, taking a Check Point firewall as an example.
Step 1: It is important to know the network architecture, IP address schema and VLAN information.
Step 2: Check for the clean-up rule. The clean-up rule is defined at the bottom of the rule base and says that "Any" source to "Any" destination on "Any" port must be denied. The purpose of the clean-up rule is to log and deny the traffic which does not match any rule in the rule base.
Step 3: Ensure the stealth rule is present. The stealth rule says that traffic from "Any" source to the firewall itself must be denied. The stealth rule should be placed directly below the management rules.
Note: Even if the stealth rule is not present, malicious traffic destined for the firewall will be blocked by the clean-up rule at the end of the rule base. The reason we want to explicitly create the stealth rule is to block such traffic immediately, as soon as the firewall detects that the target is the firewall itself, because we do not want to process thousands of rules looking for the best match and waste the firewall's processing power only to drop the packet at the end of the rule base.
Step 4: Ensure the firewall management rules are present at the top of the rule base. Make sure that only a limited set of administrators is listed in the source address field, that large subnets are not allowed to access the firewall, and that only a limited set of ports is defined for management access.
Step 5: Ensure duplicate objects, services and network hosts are removed from the rule base.
Step 6: Ensure there is a naming convention that makes the rule base easy to understand. For example, use a consistent format such as Hostname_IP for hosts.
Step 7: Ensure redundant/shadowed rules are removed from the rule base.
Step 8: Ensure unused connections, including specific sources, destinations and services, are removed from the rule base. This can be checked by looking at the hit count column to see when the rule was last hit. Remove rules that have not been used for a long time, and remove rules with a zero hit count.
Step 9: Ensure the rules with the highest hit counts are at the top of the rule base. Make sure the top services and destinations are placed in the rule base accordingly.
Step 10: Ensure expired rules and objects are removed from the rule base. Administrators usually give temporary access but forget to delete the rule once it has expired.
Step 11: Ensure no rule allows "Any" service/port, whether for an inbound or outbound connection, unless there is a valid business justification and risk acceptance.
Step 12: Ensure no rule allows "Any" source or "Any" destination, whether for an inbound or outbound connection, unless there is a valid business justification and risk acceptance.
Step 13: Ensure there is no direct inbound connection to the internal network.
Step 14: Ensure there is a legitimate use for any bidirectional access. Sometimes there is no requirement for bidirectional access, yet you may see an administrator configuring it.
Step 15: Evaluate the order of firewall rules for effective performance.
Step 16: Ensure titles are added to sections of the rule base to easily identify the rules, for example Management Rules, Clean-up Rule, HR Rules, Vendor Rules, etc.
Step 17: Ensure no vulnerable ports/services are allowed in the rule base.
Step 18: Ensure there are standard comments on every rule in the rule base.
Step 19: Detect similar rules that can be consolidated into one rule.
Step 20: Ensure IP addresses are placed in groups and that the groups follow a proper naming convention. This is usually recommended, as long lists of individual addresses add overhead for the firewall; however, groups can also hide mistakes when implementing or changing policy.
Step 21: Ensure logging is enabled for every rule in the rule base.
Step 22: Ensure there is proper business justification for any large range of subnets given access in the rule base.
Step 23: Ensure the rules are defined as per the policy matrix defined by the organization. The policy matrix is a table which specifies from which zone to which zone, or VLAN to VLAN, traffic is to be allowed or blocked.
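As an added example (not part of the original article), the following Python helper applies several of the checks above (clean-up rule, stealth rule, "Any" rules, zero hit count, logging and shadowed rules) to a constructed Check Point-style rule base; the field names, the firewall object name "FW-Gateway" and the sample rules are assumptions for illustration.

```python
# Added example (not from the original article): a minimal review helper for a
# Check Point-style rule base. Field names, the firewall object name and
# SAMPLE_RULES are constructed for illustration.
ANY = "Any"

def _covers(a, b):
    """True when field value a matches everything b matches ('Any' covers all)."""
    return a == ANY or a == b

def audit_rule_base(rules, firewall_obj="FW-Gateway"):
    """Return (rule_no, finding) tuples; rule_no is None for base-wide findings.
    Each rule needs: no, src, dst, svc, action ('accept'/'drop'), log (bool), hits.
    The checks map to steps 2, 3, 7, 8, 11, 12 and 21 of the review above."""
    findings = []
    last = rules[-1]
    # Step 2: the last rule must be the clean-up rule, Any/Any/Any drop with logging
    if not (last["src"] == ANY and last["dst"] == ANY and last["svc"] == ANY
            and last["action"] == "drop" and last["log"]):
        findings.append((last["no"], "missing clean-up rule (Any/Any/Any drop + log) at bottom"))
    # Step 3: a stealth rule (Any -> firewall, drop) must exist somewhere in the base
    if not any(r["src"] == ANY and r["dst"] == firewall_obj and r["action"] == "drop"
               for r in rules):
        findings.append((None, "missing stealth rule (Any -> %s drop)" % firewall_obj))
    for i, r in enumerate(rules):
        # Steps 11/12: 'Any' source, destination or service on an accept rule
        if r["action"] == "accept":
            for field in ("src", "dst", "svc"):
                if r[field] == ANY:
                    findings.append((r["no"], "accept rule with Any %s" % field))
        # Step 8: zero hit count (the clean-up rule at the bottom is exempt)
        if r["hits"] == 0 and r is not last:
            findings.append((r["no"], "zero hit count, candidate for removal"))
        # Step 21: every rule must log
        if not r["log"]:
            findings.append((r["no"], "logging disabled"))
        # Step 7: shadowed when an earlier rule already covers src, dst and svc
        for earlier in rules[:i]:
            if all(_covers(earlier[f], r[f]) for f in ("src", "dst", "svc")):
                findings.append((r["no"], "shadowed by rule %d" % earlier["no"]))
                break
    return findings

SAMPLE_RULES = [  # constructed sample rule base, top to bottom
    {"no": 1, "src": "Admin_Hosts", "dst": "FW-Gateway", "svc": "https", "action": "accept", "log": True, "hits": 420},
    {"no": 2, "src": ANY, "dst": "FW-Gateway", "svc": ANY, "action": "drop", "log": True, "hits": 37},
    {"no": 3, "src": ANY, "dst": "Web_Srv_10.0.1.10", "svc": "https", "action": "accept", "log": True, "hits": 9900},
    {"no": 4, "src": "Vendor_Net", "dst": "App_Srv", "svc": ANY, "action": "accept", "log": False, "hits": 0},
    {"no": 5, "src": "Branch_Net", "dst": "Web_Srv_10.0.1.10", "svc": "https", "action": "accept", "log": True, "hits": 0},
    {"no": 6, "src": ANY, "dst": ANY, "svc": ANY, "action": "drop", "log": True, "hits": 1200},
]
```

Running `audit_rule_base(SAMPLE_RULES)` flags rule 3 (Any source), rule 4 (Any service, no logging, zero hits) and rule 5 (zero hits, shadowed by rule 3); swapping rules 1 and 2 shows why the stealth rule must sit below the management rule, since the management rule is then reported as shadowed.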