SOC IT Managed Security Firewall Service Review Sample - By Tufin

This firewall security service review report was conducted for client IT Professional Security on their Cisco ASA devices:

Table of contents

1.    Introduction
2.    Firewall Rules Audit
3.    Service overview
3.1.        ITPROSECOM-TOR-FW01 \ ITPROSECOM-TOR-FW02 Firewall Service
3.2.        ITPROSECOM-MRHM-FW01 Firewall Service
4.    Tufin Best Practices Report
5.    Tufin Object and Rule Usage Report
6.    Review Results
6.1.        Missing Explicit Cleanup Rule
6.2.        Cleanup Rule Not Tracked
6.3.        Permissive Rules with Any
6.4.        Rules with ICMP
6.5.        Bidirectional Rules
6.6.        Disabled Rules
6.7.        Shadowed Rules
6.8.        Rule Order Optimization
7.    Conclusion

1.    Introduction

The following security service review report was conducted for IT Professional Security on the following devices:

Hostname              Serial Number
ITPROSECOM-TOR-FW01   FC1737B462
ITPROSECOM-TOR-FW02   FC1757VA13
ITPROSECOM-MHM-FW01   FC17476QZ4

The purpose of this review was to inspect the configuration for the firewalls that are managed by IT for IT Professional Security.  The goals of the review are:

Throughout the report you will find recommendations on possible actions that can be taken to improve both the configuration and the rule base.  Any of the recommendations in this report can be implemented by submitting a Frontline change.  Should you choose to discuss these recommendations in greater detail, please let us know and we can set up a separate meeting.  Please note that none of these recommendations have been or will be implemented until a strategy for implementing them has been discussed.

2.   Firewall Rules Audit

A review of the firewall rule sets and their objects was conducted using a Tufin appliance along with IT and industry best practices.  The rule sets were evaluated for the following rule types.

2.1.1.      Missing Explicit Cleanup Rule

A cleanup rule is a rule with “Any” in the source, destination, and service with the action to deny and log the event.  It is a security best practice to utilize cleanup rules as a catch-all to gain visibility into what is trying to get in and out through the firewall.

2.1.2.      Permissive Rules with Any

A permissive rule is a rule with “Any” in two or more of the fields (source, destination, and service) with the action to allow the flow.  It is a security best practice to specify discrete values where possible for the source, destination, and service fields in order to limit the impact of unauthorized communications such as malware, system compromises, and unauthorized system changes.

2.1.3.      Rules with ICMP

A rule with ICMP is a rule that allows all ICMP packets to traverse the firewall.  It is a security best practice that only the ICMP codes necessary for troubleshooting or information gathering be allowed by the rule.

2.1.4.      Bidirectional Rules

Bidirectional rules are those that have the same addresses in both the source and destination fields, where the action is accept.  An example would be a web server which, when used in the source field, is allowed by the rule base to act like a client.  Rules that are identified as bidirectional should be reviewed and have their source field updated for a more secure rule base.

2.1.5.      Disabled Rules

A disabled rule is a rule that still resides in the firewall policy but has been turned “off”, either for troubleshooting or because it is no longer required.  Disabled rules should be evaluated and removed, as they pose a risk if no longer needed.

2.1.6.      Shadowed Rules

A shadowed rule is a rule that is hidden by another rule (or rules) higher up in the rule set.  A rule is hidden when a combination of the rule fields (source, destination, and/or services) of the higher rule matches the fields of the hidden rule.  This results in the rule never matching any traffic.  It is a security best practice to reorder shadowed rules that are more discrete in access to be higher up in the rule set, in order to fine-tune and eliminate permissive rules.  Firewall performance also benefits from a smaller rule set.

2.1.7.      Rule Order Optimization

Frequently occurring traffic that matches on rules that are low in the rule set requires the firewall to compare the traffic against all the preceding rules.  For performance, it is recommended to place the most-used rules in the upper 25% of the rule set.  For security reasons, this recommendation should only apply to discrete rules as permissive rules should not be placed high up on rule sets.  If a permissive rule is matching for a lot of traffic, the logs should be reviewed to determine what discrete rules can be created and placed higher in the rule set for the high occurrence traffic with the eventual goal of removing the high use permissive rule.
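As an added illustration of how checks 2.1.1, 2.1.2 and 2.1.6 can be expressed (example code, not the report's or Tufin's), the following simplified Python parses Cisco ASA `access-list ... extended` lines from a constructed sample and flags ACLs without a logged cleanup rule, permit rules with “any” in two or more fields, and rules fully covered by an earlier rule. It assumes only the operand forms shown (any, host A, A MASK, optional `eq port`), ignores ICMP types, and does not detect shadowing by the union of several earlier rules.

```python
import ipaddress
from collections import defaultdict

# Constructed sample config, not taken from the report; RFC 5737 documentation addresses.
SAMPLE_CONFIG = """
access-list acl_out extended permit tcp any host 203.0.113.10 eq 443
access-list acl_out extended permit ip any any
access-list acl_out extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 443
access-list acl_dmz1 extended deny ip any any log
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(t, i):
    """Parse one ASA address operand (any | host A | A MASK); return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    net = t[i + 1] + "/32" if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
    return ipaddress.ip_network(net), i + 2

def parse_acls(config):
    """Return {acl_name: [rule dicts]} in top-down order from 'access-list ... extended' lines."""
    acls = defaultdict(list)
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue  # remarks, standard ACLs and syntax this simplified parser ignores
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        port = t[i + 1] if i < len(t) and t[i] == "eq" else "any"  # ICMP types not modelled
        acls[t[1]].append({"num": len(acls[t[1]]) + 1, "action": t[3], "proto": t[4],
                           "src": src, "dst": dst, "port": port, "log": "log" in t[i:]})
    return acls

def missing_cleanup(acls):
    """ACLs whose last rule is not an explicit, logged 'deny ip any any' (sec. 2.1.1)."""
    return [n for n, r in acls.items() if not (r[-1]["action"] == "deny" and r[-1]["log"]
            and r[-1]["proto"] == "ip" and r[-1]["src"] == ANY and r[-1]["dst"] == ANY)]
def permissive_rules(acls):
    """(acl, rule#) of permits with 'any' in two or more of source/destination/service (sec. 2.1.2)."""
    return [(n, r["num"]) for n, rules in acls.items() for r in rules if r["action"] == "permit"
            and (r["src"] == ANY) + (r["dst"] == ANY) + (r["proto"] == "ip") >= 2]

def _covers(a, b):
    """True when every flow matched by rule b is also matched by rule a (same or wider fields)."""
    return (a["proto"] in ("ip", b["proto"]) and a["port"] in ("any", b["port"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"]))
def shadowed_rules(acls):
    """{(acl, rule#): [shadowing rule#s]} for rules fully covered by an earlier rule (sec. 2.1.6)."""
    return {(n, r["num"]): by for n, rules in acls.items() for i, r in enumerate(rules)
            if (by := [e["num"] for e in rules[:i] if _covers(e, r)])}
```

On the sample, `acl_out` is reported as lacking a cleanup rule, its rule 2 as permissive, and its rule 3 as shadowed by rules 1 and 2, while `acl_dmz1` ends in a logged deny and is clean.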

3.   Service overview

3.1.     ITPROSEC-TOR-FW01 \ ITPROSEC-TOR-FW02 Firewall Service

The following details the status of the ITPROSECOM-TOR-FW01/02 firewall service.

Item                   Details
Device Hostnames       ITPROSEC-TOR-FW01 \ ITPROSEC-TOR-FW02
Check Date             January 29, 2018
Firmware Version       Cisco Adaptive Security Appliance Version 9.6(3)1; Device Manager Version 7.7(1)151
Uptime                 255 Days
CPU Usage              Average Utilization 10.5%
Number of Rules        288
NTP Status             Synchronized
Configuration Backups  Confirmed
Remote Logging         Confirmed

3.2.     ITPROSEC-MHM-FW01 Firewall Service

The following details the status of the ITPROSEC-MHM-FW01 firewall service.

Item                   Details
Device Hostnames       ITPROSEC-MHM-FW01
Check Date             January 29, 2018
Firmware Version       Cisco Adaptive Security Appliance Software Version 9.6(3)1; Device Manager Version 7.5(2)153
Uptime                 135 Days
CPU Usage              Average Utilization 1%
Number of Rules        38
NTP Status             Synchronized
Configuration Backups  Confirmed
Remote Logging         Confirmed

4.   Tufin Best Practices Report

The following Best Practice report was run against the firewalls ITPROSEC-TOR-FW01 & ITPROSEC-MHM-FW01.  The criteria reported on are as follows:

A PDF copy of the report has been attached for your review.

5.   Tufin Object and Rule Usage Report

The following Object and Rule Usage report was run against the firewalls ITPROSECOM-TOR-FW01 & ITPROSECOM-MRHM-FW01.  The report time period is from Sat, 30 Dec 2017, 00:00 to Mon, 29 Jan 2018, 17:08.  The report is broken down into the following categories:

A PDF copy of the report has been attached for your review.

6.   Review Results

6.1.     Missing Explicit Cleanup Rule

The following ACLs have no explicit cleanup rule.

Firewall Hostname       ACL
ITPROSECOM-TOR-FW01/02  acl_INSIDE_DMZ_22_IN
ITPROSECOM-TOR-FW01/02  acl_dmz3
ITPROSECOM-TOR-FW01/02  acl_out
ITPROSECOM-TOR-FW01/02  sec_dmz_in
ITPROSECOM-TOR-FW01/02  sec_mgt_in
ITPROSECOM-TOR-FW01/02  acl_wlan_guest
ITPROSECOM-MRHM-FW01    acl_dmz1
ITPROSECOM-MRHM-FW01    acl_INSIDE_DMZ_722_IN
ITPROSECOM-MRHM-FW01    acl_INSIDE_IN
ITPROSECOM-MRHM-FW01    acl_out
ITPROSECOM-MRHM-FW01    IT_mgt_access_in

6.1.1.      Recommendations

It is recommended that a cleanup rule be placed at the end of each of the above-identified ACLs.

6.2.     Cleanup Rule Not Tracked

It was found that the existing cleanup rules currently have logging enabled.  There are no other recommendations for this section.

6.3.     Permissive Rules with Any

The following rules have “Any” listed in two or more fields.

6.3.1.      Rules with overly permissive values.

Firewall                ACL Name              Rule Number(s)
ITPROSECOM-TOR-FW01/02  acl_inside            33, 67, 70, 84, 131, 132
ITPROSECOM-TOR-FW01/02  acl_out               14, 15, 20, 21, 22, 26
ITPROSECOM-TOR-FW01/02  acl_INSIDE_DMZ_22_IN  4
ITPROSECOM-TOR-FW01/02  acl_dmz1              11, 12
ITPROSECOM-TOR-FW01/02  acl_dmz3              12
ITPROSECOM-TOR-FW01/02  acl_wlan_guest        5
ITPROSECOM-MRHM-FW01    acl_INSIDE_IN         4

6.3.2.      Recommendations

It is recommended that these rules be reviewed (correlating systems and applications with the firewall logs) in order to determine the common sources, destinations, and services being used.  Common flows allowed by the permissive rules can be grouped into new discrete rules, or the existing permissive rule can be updated to be more discrete.

6.4.     Rules with ICMP

During the course of the review no permissive rules were found to allow ICMP.  No further recommendations for this section.

6.5.     Bidirectional Rules

The following rules have been identified as being bidirectional.

Firewall                Rule #      ACL
ITPROSECOM-TOR-FW01/02  20, 21, 22  acl_out
ITPROSECOM-MRHM-FW01    4           acl_INSIDE_IN

6.5.1.      Recommendations

It is recommended that the source of these rules be reviewed to determine if more discrete values can be applied.

6.6.     Disabled Rules

Firewall                Rule #  ACL
ITPROSECOM-TOR-FW01/02  66      acl_inside

All disabled rules should

6.7.     Shadowed Rules

The following rules have been identified as shadowed and redundant.

Firewall                Rule #  ACL of Rule    Shadowing Rule(s)
ITPROSECOM-TOR-FW01/02  14      acl_dmz3       4, 5, 6, 12
ITPROSECOM-TOR-FW01/02  19      acl_dmz3       3, 4, 6, 7, 8, 10, 11, 12, 14, 15, 18
ITPROSECOM-TOR-FW01/02  11      acl_dmz0       6, 7, 9
ITPROSECOM-TOR-FW01/02  39      acl_inside     Multiple (>10)
ITPROSECOM-TOR-FW01/02  67      acl_inside     Multiple (>10)
ITPROSECOM-TOR-FW01/02  84      acl_inside     Multiple (>10)
ITPROSECOM-TOR-FW01/02  85      acl_inside     25, 72, 73
ITPROSECOM-TOR-FW01/02  86      acl_inside     25, 51, 52, 53, 60, 62, 63, 71, 74, 80
ITPROSECOM-TOR-FW01/02  100     acl_inside     25, 42, 74
ITPROSECOM-TOR-FW01/02  112     acl_inside     104
ITPROSECOM-TOR-FW01/02  113     acl_inside     104
ITPROSECOM-TOR-FW01/02  118     acl_inside     33, 67, 84
ITPROSECOM-TOR-FW01/02  119     acl_inside     33, 67, 84
ITPROSECOM-TOR-FW01/02  125     acl_inside     104
ITPROSECOM-TOR-FW01/02  127     acl_inside     104
ITPROSECOM-TOR-FW01/02  15      acl_outside    5, 14
ITPROSECOM-TOR-FW01/02  26      acl_outside    5, 14, 23
ITPROSECOM-TOR-FW01/02  32      acl_outside    14, 15, 26
ITPROSECOM-MRHM-FW01    5       acl_INSIDE_IN  3, 4
ITPROSECOM-MRHM-FW01    16      acl_out        15

6.7.1.      Recommendations

Move the rules listed above so that they sit above their “Shadowing Rule(s)”.  Then observe whether the moved rule sees any further matches, to determine whether it can be removed or improved upon.

6.8.     Rule Order Optimization

The following ACLs contain high-use, non-permissive rules that are not located in the upper 25% of the rule set.

Firewall                Rule #                                       ACL of Rule
ITPROSECOM-TOR-FW01/02  15                                           sec_mgt_in
ITPROSECOM-TOR-FW01/02  33                                           acl_out
ITPROSECOM-TOR-FW01/02  36, 38, 37, 43, 42, 103, 128, 133, 131, 111  acl_inside
ITPROSECOM-TOR-FW01/02  6, 7                                         acl_dmz1
ITPROSECOM-TOR-FW01/02  18                                           acl_dmz3

6.8.1.      Recommendations

It is recommended to analyze these rules to see if adjustments can be made to place the identified rules higher in the rule base.

7.   Conclusion

The goals of this review were to audit the firewall rule base against IT and industry best practices, and to inspect the configuration for any potential misconfigurations that may impact service.  At this time we could not identify any errors that may impact service.  Any of the recommendations in this report can be implemented by submitting a Frontline change.  Should you choose to discuss these recommendations in greater detail, please let us know and we can set up a separate meeting.
