SOC IT Managed Security Firewall Service Review Sample- By Tufin

This firewall security service review report was conducted for client IT Professional Security on their Cisco ASA devices:

Table of contents

1.    Introduction  4

2.    Firewall Rules Audit 5

3.    Service overview   7

3.1.        ITPROSECOM-TOR-FW01 \ ITPROSECOM-TOR-FW02 Firewall Service  7

3.2.        ITPROSECOM-MRHM-FW01 Firewall Service  7

4.    Tufin Best Practices Report 8

5.    Tufin Object and Rule Usage Report 8

6.    Review Results  9

6.1.        Missing Explicit Cleanup Rule  9

6.2.        Cleanup Rule Not Tracked  9

6.3.        Permissive Rules with Any  10

6.4.        Rules with ICMP  10

6.5.        Bidirectional Rules  10

6.6.        Disabled Rules  11

6.7.        Shadowed Rules  11

6.8.        Rule Order Optimization  12

7.    Conclusion  12

1.    Introduction

The following security service review report was conducted for IT Professional Security on the following devices:

Hostname Serial Number
ITPROSECOM-TOR-FW01 FC1737B462
ITPROSECOM-TOR-FW02 FC1757VA13
ITPROSECOM-MHM-FW01 FC17476QZ4

The purpose of this review was to inspect the configuration for the firewalls that are managed by IT for IT Professional Security.  The goals of the review are:

Throughout the report you will find recommendations on possible actions that can be taken to improve both the configuration and the rule base.  Any of the recommendations in this report can be implemented by submitting a Frontline change.  Should you choose to discuss these recommendations in greater detail please let us know and we can setup a separate meeting to discuss further.  Please note that none of these recommendations have or will be implemented until a strategy for implementing them has been discussed.

2.   Firewall Rules Audit

A review of the firewall rule sets and its objects was conducted using a Tufin appliance along with IT and industry best practices.  The rule sets were evaluated for the following rule types.

2.1.1.      Missing Explicit Cleanup Rule

A cleanup rule is a rule with “Any” in the source, destination, and service with the action to deny and log the event.  It is a security best practice to utilize cleanup rules as a catch-all to gain visibility into what is trying to get in and out through the firewall.

2.1.2.      Permissive Rules with Any

A permissive rule is a rule with “Any” in two or more of the fields (source, destination, and service) with the action to allow the flow.  It is a security best practice to specify discrete values where possible for the source, destination, and service fields in order to limit the impact of unauthorized communications such as malware, system compromises, and unauthorized system changes.

2.1.3.      Rules with ICMP

A rule with ICMP is a rule that allows all ICMP packets to traverse the firewall.  It is security best practice that only the ICMP codes that are necessary for troubleshooting or information gathering be allowed to traverse the rule.

2.1.4.      Bidirectional Rules

Bidirectional rules are those that have the same addresses in both the source and destination fields, where the action is accept.  An example would be a web server, which when used in the source field is allowed by the rulebase to act like a client.  Rules that are identified as being bidirectional should be reviewed to have the source field updated for a more secure rulebase. 

2.1.5.      Disabled Rules

A disabled rule is a rule that still resides in the firewall policy but has been turned “off” either for troubleshooting issues or it is no longer required.  Disabled rules should be evaluated and removed as they pose a risk if no longer needed.

2.1.6.      Shadowed Rules

A shadowed rule is a rule that is hidden by another rule (or rules) that is higher up in the rule set.  A rule is hidden when a combination of the rule fields (source, destination, and or services) of the higher rule matches with the fields of the hidden rule.  This results in the rule never matching on any traffic.  It is a security best practice to reorder shadowed rules that are more discrete in access to be higher up in the rule set in order to fine tune and eliminate permissive rules.  Firewall performance is also a benefit of having a smaller rule set.

2.1.7.      Rule Order Optimization

Frequently occurring traffic that matches on rules that are low in the rule set requires the firewall to compare the traffic against all the preceding rules.  For performance, it is recommended to place the most-used rules in the upper 25% of the rule set.  For security reasons, this recommendation should only apply to discrete rules as permissive rules should not be placed high up on rule sets.  If a permissive rule is matching for a lot of traffic, the logs should be reviewed to determine what discrete rules can be created and placed higher in the rule set for the high occurrence traffic with the eventual goal of removing the high use permissive rule.

3.   Service overview

3.1.     ITPROSEC-TOR-FW01 \ ITPROSEC-TOR-FW02 Firewall Service

The following details the status of the ITPROSECOM-TOR-FW01/02 firewall service.

Item Details
Device Hostnames ITPROSEC-TOR-FW01 \ ITPROSEC-TOR-FW02
Check Date January 29, 2018
Firmware Version Cisco Adaptive Security Appliance Version 9.6(3)1 Device Manager Version 7.7(1)151
Uptime 255 Days
CPU Usage Average Utilization 10.5%
Number of Rules 288
NTP Status Synchronized
Configuration Backups Confirmed
Remote Logging Confirmed

3.2.     ITPROSEC-MHM-FW01 Firewall Service

The following details the status of the ITPROSEC-MHM-FW01 firewall service.

Item Details
Device Hostnames ITPROSEC-MHM-FW01
Check Date January 29, 2018
Firmware Version Cisco Adaptive Security Appliance Software Version 9.6(3)1 Device Manager Version 7.5(2)153
Uptime 135 Days
CPU Usage Average Utilization 1%
Number of Rules 38
NTP Status Synchronized
Configuration Backups Confirmed
Remote Logging Confirmed

4.   Tufin Best Practices Report

The following Best Practice report was run against the firewalls, ITPROSEC-TOR-FW01&ITPROSEC-MHM-FW01.  The criteria reported on are as follows:

A PDF copy of the report has been attached for your review.

5.   Tufin Object and Rule Usage Report

The following Object and Rule Usage report was run against the firewalls, ITPROSECOM-TOR-FW01&ITPROSECOM-MRHM-FW01.  The report time period is from Sat, 30 Dec 2017, 00:00 to Mon, 29 Jan 2018, 17:08.  The report is broken down into the following categories:

A PDF copy of the report has been attached for your review.

6.   Review Results

6.1.     Missing Explicit Cleanup Rule

The following ACL’s have no explicit cleanup rule.

Firewall Hostname ACL
ITPROSECOM-TOR-FW01/02 acl_INSIDE_DMZ_22_IN
ITPROSECOM-TOR-FW01/02 acl_dmz3
ITPROSECOM-TOR-FW01/02 acl_out
ITPROSECOM-TOR-FW01/02 sec_dmz_in
ITPROSECOM-TOR-FW01/02 sec_mgt_in
ITPROSECOM-TOR-FW01/02 acl_wlan_guest
ITPROSECOM-MRHM-FW01 acl_dmz1
ITPROSECOM-MRHM-FW01 acl_INSIDE_DMZ_722_IN
ITPROSECOM-MRHM-FW01 acl_INSIDE_IN
ITPROSECOM-MRHM-FW01 acl_out
ITPROSECOM-MRHM-FW01 IT_mgt_access_in

6.1.1.      Recommendations

It is recommended that a cleanup rule be placed at the end of the above identified ACLs. 

6.2.     Cleanup Rule Not Tracked

It was found that the existing cleanup rules currently having logging enabled.  There are no other recommendations for this section.

6.3.     Permissive Rules with Any

The following rules have “Any” listed in two or more fields.

6.3.1.      Rules with overly permissive values.

Firewall ACL Name Rule Number(s)
ITPROSECOM-TOR-FW01/02 acl_inside 33, 67, 70, 84, 131, 132
ITPROSECOM-TOR-FW01/02 acl_out 14, 15, 20,21, 22, 26
ITPROSECOM-TOR-FW01/02 acl_INSIDE_DMZ_22_IN 4
ITPROSECOM-TOR-FW01/02 acl_dmz1 11, 12
ITPROSECOM-TOR-FW01/02 acl_dmz3 12
ITPROSECOM-TOR-FW01/02 acl_wlan_guest 5
ITPROSECOM-MRHM-FW01 acl_INSIDE_IN 4

6.3.2.      Recommendations

It is recommended that these rules be reviewed (systems and applications correlating with firewall logs) in order to determine what are the common sources, destinations, and services being used.  Common flows being allowed by the permissive rules can be grouped into new discrete rules or the existing permissive rule updated to be more discrete.

6.4.     Rules with ICMP

During the course of the review no permissive rules were found to allow ICMP.  No further recommendations for this section.

6.5.     Bidirectional Rules

The following rules have been identified as being bidirectional.

Firewall Rule # ACL
ITPROSECOM-TOR-FW01/02 20, 21,22 acl_out
ITPROSECOM-MRHM-FW01 4 acl_INSIDE_IN

6.5.1.      Recommendations

It is recommended that the source of these rules be reviewed to determine if more discrete values can be applied.

6.6.     Disabled Rules

Firewall Rule # ACL
ITPROSECOM-TOR-FW01/02 66 acl_inside

All disabled rules should

6.7.     Shadowed Rules

The following rules have been identified as shadowed and redundant.

Firewall Rule # ACL of Rule Shadowing Rule(s)
ITPROSECOM-TOR-FW01/02 14 acl_dmz3 4,5,6,12
ITPROSECOM-TOR-FW01/02 19 acl_dmz3 3,4,6,7,8,10,11,12,14,15,18
ITPROSECOM-TOR-FW01/02 11 acl_dmz0 6,7,9
ITPROSECOM-TOR-FW01/02 39 acl_inside Multiple (>10)
ITPROSECOM-TOR-FW01/02 67 acl_inside Multiple (>10)
ITPROSECOM-TOR-FW01/02 84 acl_inside Multiple (>10)
ITPROSECOM-TOR-FW01/02 85 acl_inside 25, 72, 73
ITPROSECOM-TOR-FW01/02 86 acl_inside 25, 51, 52, 53, 60, 62, 63, 71, 74, 80
ITPROSECOM-TOR-FW01/02 100 acl_inside 25, 42, 74
ITPROSECOM-TOR-FW01/02 112 acl_inside 104
ITPROSECOM-TOR-FW01/02 113 acl_inside 104
ITPROSECOM-TOR-FW01/02 118 acl_inside 33, 67, 84
ITPROSECOM-TOR-FW01/02 119 acl_inside 33, 67, 84
ITPROSECOM-TOR-FW01/02 125 acl_inside 104
ITPROSECOM-TOR-FW01/02 127 acl_inside 104
ITPROSECOM-TOR-FW01/02 15 acl_outside 5, 14
ITPROSECOM-TOR-FW01/02 26 acl_outside 5, 14, 23
ITPROSECOM-TOR-FW01/02 32 acl_outside 14, 15, 26
ITPROSECOM-MRHM-FW01 5 acl_INSIDE_IN 3,4
ITPROSECOM-MRHM-FW01 16 acl_out 15

6.7.1.      Recommendations

Move the appropriate rules listed above the “Shadowing Rule(s)”.  Observe for any further matches on rules to determine if this rule can be removed or improved upon.

6.8.     Rule Order Optimization

The following rules have high use non-permissive rules that are not located in the upper 25% of the rule set.

Firewall Rule # ACL of Rule
ITPROSECOM-TOR-FW01/02 15 sec_mgt_in
ITPROSECOM-TOR-FW01/02 33 acl_out
ITPROSECOM-TOR-FW01/02 36, 38, 37, 43, 42, 103, 128, 133, 131, 111 acl_inside           
ITPROSECOM-TOR-FW01/02 6, 7 acl_dmz1
ITPROSECOM-TOR-FW01/02 18 acl_dmz3

6.8.1.      Recommendations

It is recommended to analyze these rules s to see if adjustments can be made to accommodate the identified rules higher in the rule base.

7.   Conclusion

The goals of this review were to audit the firewall rule base against IT and industry best practices as well as inspect the configuration for any potential misconfigurations that may impact service.  At this time we could not identify any errors that may impact service.  Any of the recommendations in this report can be implemented by submitting a Frontline change.  Should you choose to discuss these recommendations in greater detail please let us know and we can setup a separate meeting to discuss further.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: