Firewall Audit Checklist
May 27, 2012, Security Elements
Review the rule sets to ensure that the rules appear in the following order:
- Anti-spoofing filters (RFC 1918: blocked private addresses, internal addresses appearing from the outside)
- User permit rules (Commonly allowed: HTTP to public web server)
- Management permit rules (SNMP traps to network management server)
- Noise drops (discard OSPF / HSRP overhear)
- Deny and Alert (Event Management)
- Deny and log (Syslog Analysis)
Firewalls operate on a first match basis, so the order above matters: it ensures that suspicious traffic is kept out rather than inadvertently let in because the rules were not in the proper order.
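To make the first-match point concrete, here is an added example (not from the original checklist) that evaluates a constructed rule set in the recommended order and the same rules with the HTTP permit placed ahead of the anti-spoofing filter; the addresses are hypothetical documentation-range values, and the category labels follow the list above.

```python
import ipaddress

# Checklist categories in the order the page says they must appear.
ORDER = ["anti-spoof", "user", "mgmt", "noise", "deny-alert", "deny-log"]

# Constructed sample rule set (hypothetical addresses from the documentation ranges).
# Each rule: (category, name, action, source networks, protocol, destination port or None).
RECOMMENDED = [
    ("anti-spoof", "anti-spoof RFC 1918", "deny",
     ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"], "any", None),
    ("user",       "HTTP to public web server", "permit", ["0.0.0.0/0"], "tcp", 80),
    ("mgmt",       "SNMP traps to NMS", "permit", ["203.0.113.0/24"], "udp", 162),
    ("noise",      "drop OSPF overhear", "deny", ["0.0.0.0/0"], "ospf", None),
    ("deny-alert", "deny and alert", "deny", ["0.0.0.0/0"], "any", None),
]

# Same rules, but the HTTP permit was placed ahead of the anti-spoofing filter.
MISORDERED = [RECOMMENDED[1], RECOMMENDED[0]] + RECOMMENDED[2:]

def first_match(rules, src, proto, dport=None):
    """Evaluate a packet against the rule set the way a first-match firewall does.
    Returns (rule name, action) of the first matching rule, or the implicit deny."""
    addr = ipaddress.ip_address(src)
    for _cat, name, action, nets, rproto, rport in rules:
        if rproto not in ("any", proto):
            continue
        if rport is not None and rport != dport:
            continue
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return name, action
    return "implicit deny", "deny"

def out_of_order(rules):
    """Audit check: names of rules that appear after a rule from a later checklist
    category (an empty list means the rule set follows the required order)."""
    bad, highest = [], -1
    for cat, name, *_ in rules:
        rank = ORDER.index(cat)
        if rank < highest:
            bad.append(name)
        highest = max(highest, rank)
    return bad

if __name__ == "__main__":
    spoofed = ("10.1.2.3", "tcp", 80)   # private source arriving on the outside interface
    print("recommended:", first_match(RECOMMENDED, *spoofed))   # anti-spoof deny
    print("misordered: ", first_match(MISORDERED, *spoofed))    # HTTP permit lets it in
    print("order problems:", out_of_order(MISORDERED))
```

Running the script shows the spoofed packet denied under the recommended order and permitted under the misordered one, and `out_of_order` names the displaced anti-spoofing rule.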
Application based firewall
Ensure that the administrators monitor any attempts to violate the security policy using the audit logs generated by the application level firewall. Alternatively, some application level firewalls can log directly to an intrusion detection system; in that case ensure that the correct IDS host is defined in the application level firewall.
Ensure that there is a process to keep the application level firewall's vulnerability checks current with the latest known vulnerabilities.
Ensure that there is a process to update the software with the latest attack signatures.
If the signatures are downloaded from the vendor's site, ensure that it is a trusted site.
If the signatures are e-mailed to the systems administrator, ensure that digital signatures are used to verify the vendor and that the information has not been modified en route.
Review the denied URLs and ensure that they are appropriate, e.g. any URLs to hacker sites should be blocked. In some instances organizations may also want to block access to x-rated or other harmful sites, and so subscribe to services that maintain listings of such sites. Ensure that the URLs to deny are updated as those services release new listings.
Ensure that only authorized users are authenticated by the application level firewall.
Stateful inspection
Review the state tables to ensure that appropriate rules are set up in terms of source and destination IP addresses, source and destination ports, and timeouts.
Ensure that the timeouts are appropriate so as not to give an attacker too much time to launch a successful attack.
For URLs
- If a URL filtering server is used, ensure that it is appropriately defined in the firewall software. If the filtering server is external to the organization, ensure that it is a trusted source.
- If the URL list is loaded from a file, ensure that the file is adequately protected against unauthorized modification.
Ensure that traffic containing scripts, ActiveX and Java is stripped before being allowed into the internal network.
If filtering on MAC addresses is used, review the filters to ensure that they are restricted to the MAC addresses defined in the security policy.
Logging
Ensure that logging is enabled and that the logs are reviewed to identify any potential patterns that could indicate an attack.
Port restrictions
| Service | Protocol | Port Number |
| --- | --- | --- |
| DNS Zone Transfers | TCP | 53 |
| TFTP Daemon | UDP | 69 |
| Link | TCP | 87 |
| SUN RPC | TCP & UDP | 111 |
| BSD UNIX | TCP | 512 - 514 |
| LPD | TCP | 515 |
| UUCPD | TCP | 540 |
| Open Windows | TCP & UDP | 2000 |
| NFS | TCP & UDP | 2049 |
| X Windows | TCP & UDP | 6000 - 6255 |
| Small services | TCP & UDP | 20 and below |
| FTP | TCP | 21 |
| SSH | TCP | 22 |
| Telnet | TCP | 23 |
| SMTP (except external mail relays) | TCP | 25 |
| NTP | TCP & UDP | 37 |
| Finger | TCP | 79 |
| HTTP (except to external web servers) | TCP | 80 |
| POP | TCP | 109 & 110 |
| NNTP | TCP | 119 |
| NTP | TCP | 123 |
| NetBIOS in Windows NT | TCP & UDP | 135 |
| NetBIOS in Windows NT | UDP | 137 & 138 |
| NetBIOS | TCP | 139 |
| IMAP | TCP | 143 |
| SNMP | TCP | 161 & 162 |
| SNMP | UDP | 161 & 162 |
| BGP | TCP | 179 |
| LDAP | TCP & UDP | 389 |
| SSL (except to external web servers) | TCP | 443 |
| NetBIOS in Win2k | TCP & UDP | 445 |
| Syslog | UDP | 514 |
| SOCKS | TCP | 1080 |
| Cisco AUX port | TCP | 2001 |
| Cisco AUX port (stream) | TCP | 4001 |
| Lockd (Linux DoS Vulnerability) | TCP & UDP | 4045 |
| Cisco AUX port (binary) | TCP | 6001 |
| Common high order HTTP ports | TCP | 8000, 8080, 8888 |
www.bestitdocuments.com