SOC IT Managed Security Firewall Service Review Sample - By Tufin
This firewall security service review report was conducted for client IT Professional Security on their Cisco ASA devices:
Table of contents
3.1. ITPROSECOM-TOR-FW01 \ ITPROSECOM-TOR-FW02 Firewall Service
3.2. ITPROSECOM-MRHM-FW01 Firewall Service
4. Tufin Best Practices Report
5. Tufin Object and Rule Usage Report
6.1. Missing Explicit Cleanup Rule
6.2. Cleanup Rule Not Tracked
6.3. Permissive Rules with Any
6.8. Rule Order Optimization
1. Introduction
The following security service review report was conducted for IT Professional Security on the following devices:
Hostname | Serial Number |
--- | --- |
ITPROSECOM-TOR-FW01 | FC1737B462 |
ITPROSECOM-TOR-FW02 | FC1757VA13 |
ITPROSECOM-MHM-FW01 | FC17476QZ4 |
The purpose of this review was to inspect the configuration for the firewalls that are managed by IT for IT Professional Security. The goals of the review are:
Throughout the report you will find recommendations on possible actions that can be taken to improve both the configuration and the rule base. Any of the recommendations in this report can be implemented by submitting a Frontline change. Should you choose to discuss these recommendations in greater detail, please let us know and we can set up a separate meeting to discuss further. Please note that none of these recommendations have been or will be implemented until a strategy for implementing them has been discussed.
2. Firewall Rules Audit
A review of the firewall rule sets and their objects was conducted using a Tufin appliance along with IT and industry best practices. The rule sets were evaluated for the following rule types.
2.1.1. Missing Explicit Cleanup Rule
A cleanup rule is a rule with “Any” in the source, destination, and service with the action to deny and log the event. It is a security best practice to utilize cleanup rules as a catch-all to gain visibility into what is trying to get in and out through the firewall.
2.1.2. Permissive Rules with Any
A permissive rule is a rule with “Any” in two or more of the fields (source, destination, and service) with the action to allow the flow. It is a security best practice to specify discrete values where possible for the source, destination, and service fields in order to limit the impact of unauthorized communications such as malware, system compromises, and unauthorized system changes.
2.1.3. Rules with ICMP
A rule with ICMP is a rule that allows all ICMP packets to traverse the firewall. It is a security best practice that only the ICMP codes that are necessary for troubleshooting or information gathering be allowed to traverse the rule.
2.1.4. Bidirectional Rules
Bidirectional rules are those that have the same addresses in both the source and destination fields, where the action is accept. An example would be a web server, which when used in the source field is allowed by the rulebase to act like a client. Rules that are identified as being bidirectional should be reviewed to have the source field updated for a more secure rulebase.
2.1.5. Disabled Rules
A disabled rule is a rule that still resides in the firewall policy but has been turned “off” either for troubleshooting issues or it is no longer required. Disabled rules should be evaluated and removed as they pose a risk if no longer needed.
2.1.6. Shadowed Rules
A shadowed rule is a rule that is hidden by another rule (or rules) that is higher up in the rule set. A rule is hidden when a combination of the rule fields (source, destination, and/or services) of the higher rule matches the fields of the hidden rule. This results in the rule never matching on any traffic. It is a security best practice to reorder shadowed rules that are more discrete in access to be higher up in the rule set in order to fine tune and eliminate permissive rules. Firewall performance is also a benefit of having a smaller rule set.
2.1.7. Rule Order Optimization
Frequently occurring traffic that matches on rules that are low in the rule set requires the firewall to compare the traffic against all the preceding rules. For performance, it is recommended to place the most-used rules in the upper 25% of the rule set. For security reasons, this recommendation should only apply to discrete rules as permissive rules should not be placed high up on rule sets. If a permissive rule is matching for a lot of traffic, the logs should be reviewed to determine what discrete rules can be created and placed higher in the rule set for the high occurrence traffic with the eventual goal of removing the high use permissive rule.
3. Service overview
3.1. ITPROSEC-TOR-FW01 \ ITPROSEC-TOR-FW02 Firewall Service
The following details the status of the ITPROSECOM-TOR-FW01/02 firewall service.
Item | Details |
--- | --- |
Device Hostnames | ITPROSEC-TOR-FW01 \ ITPROSEC-TOR-FW02 |
Check Date | January 29, 2018 |
Firmware Version | Cisco Adaptive Security Appliance Version 9.6(3)1 Device Manager Version 7.7(1)151 |
Uptime | 255 Days |
CPU Usage Average Utilization | 10.5% |
Number of Rules | 288 |
NTP Status | Synchronized |
Configuration Backups | Confirmed |
Remote Logging | Confirmed |
3.2. ITPROSEC-MHM-FW01 Firewall Service
The following details the status of the ITPROSEC-MHM-FW01 firewall service.
Item | Details |
--- | --- |
Device Hostnames | ITPROSEC-MHM-FW01 |
Check Date | January 29, 2018 |
Firmware Version | Cisco Adaptive Security Appliance Software Version 9.6(3)1 Device Manager Version 7.5(2)153 |
Uptime | 135 Days |
CPU Usage Average Utilization | 1% |
Number of Rules | 38 |
NTP Status | Synchronized |
Configuration Backups | Confirmed |
Remote Logging | Confirmed |
4. Tufin Best Practices Report
The following Best Practice report was run against the firewalls ITPROSEC-TOR-FW01 & ITPROSEC-MHM-FW01. The criteria reported on are as follows:
A PDF copy of the report has been attached for your review.
5. Tufin Object and Rule Usage Report
The following Object and Rule Usage report was run against the firewalls ITPROSECOM-TOR-FW01 & ITPROSECOM-MRHM-FW01. The report time period is from Sat, 30 Dec 2017, 00:00 to Mon, 29 Jan 2018, 17:08. The report is broken down into the following categories:
A PDF copy of the report has been attached for your review.
6. Review Results
6.1. Missing Explicit Cleanup Rule
The following ACLs have no explicit cleanup rule.
Firewall Hostname | ACL |
--- | --- |
ITPROSECOM-TOR-FW01/02 | acl_INSIDE_DMZ_22_IN |
ITPROSECOM-TOR-FW01/02 | acl_dmz3 |
ITPROSECOM-TOR-FW01/02 | acl_out |
ITPROSECOM-TOR-FW01/02 | sec_dmz_in |
ITPROSECOM-TOR-FW01/02 | sec_mgt_in |
ITPROSECOM-TOR-FW01/02 | acl_wlan_guest |
ITPROSECOM-MRHM-FW01 | acl_dmz1 |
ITPROSECOM-MRHM-FW01 | acl_INSIDE_DMZ_722_IN |
ITPROSECOM-MRHM-FW01 | acl_INSIDE_IN |
ITPROSECOM-MRHM-FW01 | acl_out |
ITPROSECOM-MRHM-FW01 | IT_mgt_access_in |
6.1.1. Recommendations
It is recommended that a cleanup rule be placed at the end of the above identified ACLs.
6.2. Cleanup Rule Not Tracked
It was found that the existing cleanup rules currently have logging enabled. There are no other recommendations for this section.
6.3. Permissive Rules with Any
The following rules have “Any” listed in two or more fields.
6.3.1. Rules with overly permissive values.
Firewall | ACL Name | Rule Number(s) |
--- | --- | --- |
ITPROSECOM-TOR-FW01/02 | acl_inside | 33, 67, 70, 84, 131, 132 |
ITPROSECOM-TOR-FW01/02 | acl_out | 14, 15, 20, 21, 22, 26 |
ITPROSECOM-TOR-FW01/02 | acl_INSIDE_DMZ_22_IN | 4 |
ITPROSECOM-TOR-FW01/02 | acl_dmz1 | 11, 12 |
ITPROSECOM-TOR-FW01/02 | acl_dmz3 | 12 |
ITPROSECOM-TOR-FW01/02 | acl_wlan_guest | 5 |
ITPROSECOM-MRHM-FW01 | acl_INSIDE_IN | 4 |
6.3.2. Recommendations
It is recommended that these rules be reviewed (correlating the systems and applications involved with the firewall logs) in order to determine the common sources, destinations, and services being used. Common flows being allowed by the permissive rules can be grouped into new discrete rules, or the existing permissive rule can be updated to be more discrete.
6.4. Rules with ICMP
During the course of the review no permissive rules were found to allow ICMP. No further recommendations for this section.
6.5. Bidirectional Rules
The following rules have been identified as being bidirectional.
Firewall | Rule # | ACL |
--- | --- | --- |
ITPROSECOM-TOR-FW01/02 | 20, 21, 22 | acl_out |
ITPROSECOM-MRHM-FW01 | 4 | acl_INSIDE_IN |
6.5.1. Recommendations
It is recommended that the source of these rules be reviewed to determine if more discrete values can be applied.
6.6. Disabled Rules
Firewall | Rule # | ACL |
--- | --- | --- |
ITPROSECOM-TOR-FW01/02 | 66 | acl_inside |
All disabled rules should
6.7. Shadowed Rules
The following rules have been identified as shadowed and redundant.
Firewall | Rule # | ACL of Rule | Shadowing Rule(s) |
--- | --- | --- | --- |
ITPROSECOM-TOR-FW01/02 | 14 | acl_dmz3 | 4, 5, 6, 12 |
ITPROSECOM-TOR-FW01/02 | 19 | acl_dmz3 | 3, 4, 6, 7, 8, 10, 11, 12, 14, 15, 18 |
ITPROSECOM-TOR-FW01/02 | 11 | acl_dmz0 | 6, 7, 9 |
ITPROSECOM-TOR-FW01/02 | 39 | acl_inside | Multiple (>10) |
ITPROSECOM-TOR-FW01/02 | 67 | acl_inside | Multiple (>10) |
ITPROSECOM-TOR-FW01/02 | 84 | acl_inside | Multiple (>10) |
ITPROSECOM-TOR-FW01/02 | 85 | acl_inside | 25, 72, 73 |
ITPROSECOM-TOR-FW01/02 | 86 | acl_inside | 25, 51, 52, 53, 60, 62, 63, 71, 74, 80 |
ITPROSECOM-TOR-FW01/02 | 100 | acl_inside | 25, 42, 74 |
ITPROSECOM-TOR-FW01/02 | 112 | acl_inside | 104 |
ITPROSECOM-TOR-FW01/02 | 113 | acl_inside | 104 |
ITPROSECOM-TOR-FW01/02 | 118 | acl_inside | 33, 67, 84 |
ITPROSECOM-TOR-FW01/02 | 119 | acl_inside | 33, 67, 84 |
ITPROSECOM-TOR-FW01/02 | 125 | acl_inside | 104 |
ITPROSECOM-TOR-FW01/02 | 127 | acl_inside | 104 |
ITPROSECOM-TOR-FW01/02 | 15 | acl_outside | 5, 14 |
ITPROSECOM-TOR-FW01/02 | 26 | acl_outside | 5, 14, 23 |
ITPROSECOM-TOR-FW01/02 | 32 | acl_outside | 14, 15, 26 |
ITPROSECOM-MRHM-FW01 | 5 | acl_INSIDE_IN | 3, 4 |
ITPROSECOM-MRHM-FW01 | 16 | acl_out | 15 |
6.7.1. Recommendations
Move the appropriate rules listed above the “Shadowing Rule(s)”. Observe for any further matches on rules to determine if this rule can be removed or improved upon.
6.8. Rule Order Optimization
The following high-use, non-permissive rules are not located in the upper 25% of their rule set.
Firewall | Rule # | ACL of Rule |
--- | --- | --- |
ITPROSECOM-TOR-FW01/02 | 15 | sec_mgt_in |
ITPROSECOM-TOR-FW01/02 | 33 | acl_out |
ITPROSECOM-TOR-FW01/02 | 36, 38, 37, 43, 42, 103, 128, 133, 131, 111 | acl_inside |
ITPROSECOM-TOR-FW01/02 | 6, 7 | acl_dmz1 |
ITPROSECOM-TOR-FW01/02 | 18 | acl_dmz3 |
6.8.1. Recommendations
It is recommended to analyze these rules to see if adjustments can be made to accommodate the identified rules higher in the rule base.
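On an ASA the hit counters from `show access-list` are the raw material for this kind of finding: a rule is a candidate to move up when it carries a large share of an ACL's hits but sits below the upper 25% of positions, and, as section 2.1.7 says, only if it is discrete rather than permissive. The following added example is written for this page and is not Tufin's report logic; it works over a constructed `show access-list` excerpt in the `access-list NAME line N extended ACTION PROTO ... (hitcnt=H) 0x...` shape, defines "high use" as being in the top quarter of the ACL's rules by hit count (an assumption, since the report does not state its threshold), and separates discrete candidates from permissive rules, which should instead be broken into discrete rules from the logs.

```python
"""Rule-order check from 'show access-list' hit counters (section 6.8 of the
report).  Added illustration, not Tufin's or the report's code.  Assumes the
'access-list NAME line N extended ACTION PROTO ... (hitcnt=H) 0x...' line shape
and the simplified address forms any / host A / A MASK."""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.*?) \(hitcnt=(\d+)\)")

# Constructed 'show access-list' excerpt (not from the report's devices).
SAMPLE_SHOW = """\
access-list acl_inside; 8 elements; name hash: 0x0000abcd
access-list acl_inside line 1 extended permit tcp host 10.1.1.1 host 10.2.0.10 eq 443 (hitcnt=50) 0x1a2b3c4d
access-list acl_inside line 2 extended permit tcp host 10.1.1.2 host 10.2.0.10 eq 443 (hitcnt=20) 0x2b3c4d5e
access-list acl_inside line 3 extended permit udp host 10.1.1.3 host 10.2.0.53 eq 53 (hitcnt=10) 0x3c4d5e6f
access-list acl_inside line 4 extended permit tcp host 10.1.1.4 host 10.2.0.10 eq 22 (hitcnt=5) 0x4d5e6f70
access-list acl_inside line 5 extended permit tcp 10.1.0.0 255.255.0.0 host 10.2.0.25 eq 25 (hitcnt=90000) 0x5e6f7081
access-list acl_inside line 6 extended permit ip 10.1.0.0 255.255.0.0 any (hitcnt=120000) 0x6f708192
access-list acl_inside line 7 extended permit tcp host 10.1.1.7 host 10.2.0.10 eq 8080 (hitcnt=0) 0x708192a3
access-list acl_inside line 8 extended deny ip any any log (hitcnt=3000) 0x8192a3b4
"""

def _addr_len(toks, i):
    """Number of tokens the address spec at toks[i] occupies (any = 1, host/NET MASK = 2)."""
    return 1 if toks[i] in ("any", "any4") else 2

def any_fields(proto, rest):
    """Count 'any' among source, destination and service; protocol ip = any service."""
    t = rest.split()
    src_any = t[0] in ("any", "any4")
    dst_any = t[_addr_len(t, 0)] in ("any", "any4")
    return src_any + dst_any + (proto == "ip")

def rule_order_findings(show_output, top=0.25):
    """Per ACL, report permit rules in the top quarter by hits that sit below the
    top quarter of positions: discrete ones under 'move_up', permissive ones under
    'permissive_high_use' (those call for log review, not promotion)."""
    acls = defaultdict(list)
    for line in show_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            acl, n, action, proto, rest, hits = m.groups()
            acls[acl].append((int(n), action, proto, rest, int(hits)))
    findings = {"move_up": [], "permissive_high_use": []}
    for acl, rules in acls.items():
        k = max(1, math.ceil(len(rules) * top))          # size of the upper 25%
        hot = sorted(rules, key=lambda r: r[4], reverse=True)[:k]
        for n, action, proto, rest, hits in sorted(hot):
            if action != "permit" or n <= k or hits == 0:
                continue                                  # already high, or not a permit rule
            bucket = "permissive_high_use" if any_fields(proto, rest) >= 2 else "move_up"
            findings[bucket].append((acl, n, hits))
    return findings
```

For the sample, line 5 (a discrete SMTP rule with 90,000 hits at position 5 of 8) is the rule to move up, while line 6 (`permit ip ... any`, 120,000 hits) is reported separately as a high-use permissive rule. Hit counters reset on reload and are not tied to a time window, so for a dated review such as section 5's the counters should be sampled at the start and end of the period and differenced, or taken from the logging system instead.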
7. Conclusion
The goals of this review were to audit the firewall rule base against IT and industry best practices, as well as to inspect the configuration for any potential misconfigurations that may impact service. At this time we could not identify any errors that may impact service. Any of the recommendations in this report can be implemented by submitting a Frontline change. Should you choose to discuss these recommendations in greater detail, please let us know and we can set up a separate meeting to discuss further.