Forum Thread: Firewall Rule Base Review

Firewall Rule Base Review or Optimization
What is Firewall Rule Base Review?
To ensure that the rule base of the firewall is not vulnerable which may lead to exploit.
Why it is required to review the firewall rule base?

Often, the firewall is managed by multiple administrators. There are possibilities that some administrator may add the rule in their own way. Some may do it under pressure to add the rules. Some may put incorrect rules etc. Therefore, it is required to review the Rule base at least quarterly and to create change management process to add and push the policy on the firewall.

How to do firewall rule base review?

The one who do a firewall rule base review must know the Network Architecture, IP address Schema and VLAN or segregation of logical network.

There are many automated tools available which can perform the Firewall rule base review. For Eg: Skybox, Solarwinds, Tufin etc.

However, we will see how to perform firewall rule base review manually. We will take an example of checkpoint firewall.
Step 1: Know the Network Architecture, IP address Schema and VLAN information.

Step 2: Check for Clean up rule. Clean up rules are defined at the bottom of the rule base where it says "Any" Source to "Any" Destination to "Any" Ports denied. The purpose of having the clean up rule is to log and deny the traffic which does not match any rule base.

Step 3: Ensure Stealth Rule is present. Stealth Rule are the rules which says "Any" Source to Firewall must be denied. The Stealth rule should be present below the Management Rule.

Step 4: Ensure Firewall Management rules are present at top of the Rule base. Make sure there should be limited Administrator in the Source address field and should not allow the large subnets to access the firewall and limited ports are defined for management access.

Step 5: Ensure to remove duplicate objects, services or network host from the rule base.

Step 6: Ensure there should be naming conventions that make the rule base easy to understand. For Eg: Use a consistent format such as host name_IP for host.

Step 7: Ensure to remove redundant/Shadow rules from the rule base.

Step 8: Ensure to remove unused connections including specific source, destination, services from the rule base. This can be checked by checking the hit count column what was the last hit count for that rule. Remove the rules that were not used since long time. Remove the rule which has zero hit count connections.

Step 9: Ensure the highest hit count must be at the top of the rule base. Make sure the top services and destination are properly placed in the rule base accordingly

Step 10: Ensure to remove expired rules and objects from the rule base. Administrator usually gives the temporary access however forgets to delete the rule when the rule gets expired.

Step 11: Ensure there is no any service/ports are allowed in the rule base irrespective of inbound or outbound connection provided there is a valid business justification and Risk Acceptance.

Step 12: Ensure there is no any source or any destination allowed in the rule base irrespective of inbound or outbound connection provided there is a valid business justification and Risk Acceptance.

Step 13: Ensure there must be no direct inbound connection to internal network.

Step 14: Ensure there should be a legitimate use of bidirectional access. Sometimes when there is no requirement of bi directional access but you may see an administrator configuring the bi directional access.

Step 15: Evaluate the order of firewall rule for effective performance.

Step 16: Ensure to add the Title for the rule base to easily identify the rules. For eg: Management Rules, Clean up Rule, HR rule, Vendor Rules, etc.

Step 17: Ensure there is no vulnerable ports/service allowed in the rule base.
Step 18: Ensure there must be standard comments on every rule in the rule base.
Step 19: Detect similar rules that can be consolidated into one rule.

Step 20: Ensure to add the IP address in the Group and the group should have proper naming convention. This usually is recommended as this may cause more overhead for the firewall. Groups can also hide mistakes when implementing or changing policy.

Step 21: Ensure the logs must be enabled for every rule in the rule base.
Step 22: Ensure there should be proper business justification for large range of subnets given access in the rule base.

References: giac.org/paper/gsec/3037/firewall-rule-review/102017

Never Miss a Hacking or Security Guide

New Null Byte in your inbox, every week.

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active