
How to Perform a Security Review of a Checkpoint Firewall



83-10-48
Auerbach Publications © 2001 CRC Press LLC 08/01

DATA SECURITY MANAGEMENT

HOW TO PERFORM A SECURITY REVIEW OF A CHECKPOINT FIREWALL

Ben Rothke, CISSP

INSIDE: The Need for a Firewall Review; Review, Audit, Assessment; Steps in Reviewing a Firewall; Firewall-1 Network Objects; Implied Pseudo-Rules

PAYOFF IDEA

This article focuses on performing a firewall review for a Checkpoint Firewall-1.¹ Most of the information is sufficiently generic to be germane to any firewall, from a Checkpoint, to a Cisco PIX, NAI Gauntlet, and Axent Raptor, etc. One caveat: it is important to note that a firewall review is not a penetration test. The function of a firewall review is not to find exploits and gain access into the firewall; rather, it is to identify risks that are inadvertently opened by the firewall. Finally, it must be understood that a firewall review is also not a certification or guarantee that the firewall operating system or underlying network operating system is completely secure.

INTRODUCTION

Altered States was not just a science fiction movie about a research scientist who experimented with altered states of human consciousness; it is also a metaphor for many firewalls in corporate general, when a firewall is initially installed, it is tightly coupled to an organization's security requirements. After use in a corporate environment, the firewall rule base, configuration, and underlying operating system often gets transformed into a radically different arrangement. This altered firewall state is what necessitates a firewall firewall is only effective to the degree that it is properly in today's corporate environments, it is easy for a firewall to become misconfigured. By reviewing the firewall setup, management can ensure that their firewall is enforcing what they expect it to, and in a secure article focuses on performing a firewall review for a Checkpoint Firewall-1.¹

Most of the information is sufficiently generic to be germane to any firewall, including Cisco PIX, NAI Gauntlet, Axent Raptor, etc. One caveat: it is important to note that a firewall review is not a penetration test. The function of a firewall review is not to find exploits and gain access into the firewall; rather, it is to identify risks that are inadvertently opened by the firewall. Finally, it must be understood that a firewall review is also not a certification or guarantee that the firewall operating system or underlying network operating system is completely secure.

THE NEED FOR A FIREWALL REVIEW

Firewalls, like people, need to be reviewed. In the workplace, this is called a performance review. In the medical arena, it is called a need for periodic firewall reviews is crucial, as a misconfigured firewall is often worse than no firewall. When organizations lack a firewall, they understand the risks involved and are cognizant of the fact that they lack a fundamental security mechanism. However, a misconfigured firewall gives an organization a false sense of addition, because the firewall is often the primary information security mechanism deployed, any mistake or misconfiguration on the firewall trickles into the entire enterprise. If a firewall is never reviewed, any of these mistakes will be left unchecked.

REVIEW, AUDIT, ASSESSMENT

Firewall reviews are often called audits. An audit is defined as a methodical examination and review. As well, the terms review, assessment, and audit are often synonymous. It is interesting to note that when security groups from the Big Five² accounting firms perform a security review, they are specifically prohibited from using the term audit. This is due to the fact that the American Institute of Certified Public Accountants ( ), which oversees the Big Five, prohibits the use of the term audit because there is no set of official information security standards in which to audit the designated the other hand, financial audits are performed against the Generally Accepted Accounting Principles (GAAP).

While not a fixed set of rules, GAAP is a widely accepted set of conventions, standards, and procedures for reporting financial information. The Financial Accounting Standards Board ( ) established GAAP in 1973. The mission of the Financial Accounting Standards Board is to establish and improve standards of financial accounting and reporting for the guidance and education of the public, including issuers, auditors, and users of financial of January 2001, the Generally Accepted System Security Principles (GASSP) Committee is in the early stages of drafting a business plan that reflects their plans for establishing and funding the International Information Security Foundation (IISF).³

While there is currently no set of generally accepted security principles (in which a firewall could truly be audited against), work is underway to create such a standard. Working groups for the GASSP are in place. Work is currently being done to research and complete the Authoritative Foundation and develop and approve the framework for GASSP. The committee has developed a detailed plan for completing the GASSP Detailed Principles and plans to implement that plan upon securing IISF lack of a GASSP means that there is no authoritative reference on which to maintain a protected infrastructure.

If there were a GASSP, there would be a way to enforce a level of compliance and provide a vehicle for the authoritative approval of reasonably founded exceptions or departures from in theory to GASSP is the Common Criteria Project ( ). The Common Criteria is an international effort, which is being developed as a way to evaluate the security properties of information technology (IT) products and systems. By establishing such a common criteria base, the results of an IT security evaluation will be meaningful to a wider Common Criteria will permit comparability between the results of independent security evaluations. It facilitates this by providing a common set of requirements for the security functions of IT products and systems and for assurance measures applied to them during a security evaluation. The evaluation process establishes a level of confidence that the security functions of such products and systems, and the assurance measures applied to them, meet these requirements. The evaluation results help determine whether the information technology product or system is secure enough for its intended application and whether the security risks implicit in its use are tolerable.

