Module-1: Section-3 Appendix

Annexure

Sample Firewall Audit Program


Phase I – Gathering Documentation
1. Document background information on the firewall(s) in place:
• Security Policy
• Network/Firewall diagrams
• Firewall Vendor
• Software version and patch level
• Operating System version and patch level
• Hardware version and patch level
• IP address scheme
2. Review the policies, procedures and other documentation surrounding firewall administration.
Phase II – The Firewall
3. Review physical security surrounding the firewall. Is the administration console protected? Will the
screen be password protected after a certain time period of inactivity?
4. Determine if the users that have access to administer the firewall have been trained on the firewall and
the underlying operating system.
5. Ensure that logical access to the various components (i.e. routers, software, hardware, etc.) of the
firewall solution is appropriately restricted.
• Do all users have a business need to access the firewall?
• Are adequate password controls in place?
• Have default passwords been changed to a secure password for both hardware and software?
• Are logical connections to the firewall secure (i.e. are there IP restrictions and encryption for any remote
administration needs)? If remote access is to be used, ensure that the SSH protocol (port 22) is used
instead of Telnet.
• Are passwords stored anywhere in plain text (i.e. password file, a spreadsheet of passwords on the
network)?
6. The firewall is only as good as the security of the operating system. Review security of the operating
system used to manage the firewall.
7. Review the patch level of the hardware, software (including the operating system) within the firewall
solution. If the latest patch isn’t installed, document and evaluate the reason for not installing it. Also
research what is included with the patch install such as additional security or functionality in order to
evaluate whether it should have been applied.
Phase III – The Rule Base
8. Review the firewall rule base. Make sure that manager-level approval has been obtained for all holes in
the firewall. The rule base should include the following rules:
• Firewall Admin Rule – rule documenting the firewall administrators that could access the firewall.
Review the users defined within this rule.
• Stealth Rule – rule allowing no one to access the firewall besides the approved administrators above.
• ICMP rule – restricts users from being able to ping the firewall. (Note: This could be set as a rule or
configured as an option depending upon the type of firewall).
• All other rules must have a specific business need, an assigned owner, host devices and service ports.
• Clean up – deny everything else.
Phase IV – Testing & Scanning
9. Perform a vulnerability assessment on your firewall. Documented management approval should be
obtained prior to running any security tool on the network. These scanning tools could bring down the
firewall if not configured correctly. The auditor should scan the firewall with the assistance of an
individual within the security area or an individual responsible for maintaining the firewall. Make sure
that someone who is experienced in running the tool has reviewed the individual checks within the scan
in detail.
• Run a security scanner on the IP address for the firewall. This tool should be run from both inside and
outside the firewall.
• Run a port scan from inside and outside of the firewall to determine what ports are open. Trace the
open ports to documentation of a business need for the opening/hole in the firewall.
• Review any banners that could be viewed by an outside user. Banners should not include the machine
name, operating system or firewall manufacturer.
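Two of the step 9 checks, tracing open ports to a documented business need and reviewing banners for disclosure, are the kind of reconciliation an auditor repeats on every engagement. The script below is an added example, not part of this audit program or the output of any scanning tool: it reads simplified scan lines of the form "port/proto state service banner", reports open ports absent from an approved-port register, and flags banners that reveal the machine name, operating system or firewall manufacturer. The scan lines, the register, the hostname and the keyword lists are constructed.

```python
"""Phase IV reconciliation (added example, not the audit program's own code).

Scan lines, the approved-port register and the hostname are constructed; the
line format is a simplified "port/proto state service banner" layout rather
than any particular scanner's output.
"""

# Constructed register of ports with a documented business need (from the rule base review).
APPROVED_PORTS = {
    ("22", "tcp"): "firewall administration, approved by CIO (admin hosts only)",
    ("443", "tcp"): "public website, owner web-team, approved by IT manager",
}

# Constructed scan results as seen from OUTSIDE the firewall.
EXTERNAL_SCAN = """\
22/tcp open ssh SSH-2.0-OpenSSH_7.4 FreeBSD-20170903
443/tcp open https
8080/tcp open http-proxy Server: fw-edge-01 WebAdmin
"""

HOSTNAME = "fw-edge-01"   # constructed machine name taken from the network diagram
OS_MARKERS = ("linux", "freebsd", "windows", "ubuntu", "debian", "centos", "sunos")
VENDOR_MARKERS = ("cisco", "check point", "fortinet", "fortigate", "juniper",
                  "palo alto", "sonicwall", "pfsense")


def parse_scan(text):
    """Yield (port, proto, state, service, banner) tuples from the simplified scan lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        portproto, state, service, *rest = line.split(None, 3)
        port, proto = portproto.split("/")
        banner = rest[0] if rest else ""
        yield port, proto, state, service, banner


def undocumented_open_ports(scan_text, approved=APPROVED_PORTS):
    """Open ports with no entry in the approved-port register; each one is a finding."""
    return [f"{port}/{proto} ({service})"
            for port, proto, state, service, _ in parse_scan(scan_text)
            if state == "open" and (port, proto) not in approved]


def banner_disclosures(banner, hostname=HOSTNAME):
    """Return what a banner reveals that step 9 says it should not."""
    found = []
    low = banner.lower()
    if hostname and hostname.lower() in low:
        found.append("machine name")
    if any(marker in low for marker in OS_MARKERS):
        found.append("operating system")
    if any(marker in low for marker in VENDOR_MARKERS):
        found.append("firewall manufacturer")
    return found


def review_banners(scan_text):
    """Map each open port that returned a banner to the disclosures found in it."""
    return {f"{port}/{proto}": banner_disclosures(banner)
            for port, proto, state, _, banner in parse_scan(scan_text)
            if state == "open" and banner}


if __name__ == "__main__":
    for item in undocumented_open_ports(EXTERNAL_SCAN):
        print("UNDOCUMENTED OPEN PORT:", item)
    for port, leaks in review_banners(EXTERNAL_SCAN).items():
        if leaks:
            print(f"BANNER DISCLOSURE on {port}: {', '.join(leaks)}")
```

Run the same reconciliation against the scan taken from inside the firewall; a port that is approved for external use is still a finding if it has no documented reason to be reachable from the internal side.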
Phase V – Maintenance & Monitoring
10. Determine if changes to the configuration of the firewall are logged. An adequate change control
process should be in place. Manager level approval should be obtained for all holes in the firewall.
11. Evaluate the process for reviewing firewall and operating system logs. Ensure that logging is enabled
and that the logs are reviewed to identify any potential patterns that could indicate an attack. Are
incident response procedures in place?
12. Determine if the company’s business recovery plan includes procedures to recover the firewall in the
event of a disaster.
13. Review backup and recovery procedures for the firewall.
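Steps 10 and 11 ask whether configuration changes are logged and approved, and whether the logs are actually reviewed for patterns that could indicate an attack. The script below is an added example, not part of this audit program or any firewall's logging feature: it reads a constructed firewall log, reports configuration changes that carry no change ticket or a ticket without manager approval, and surfaces two simple patterns worth escalating, a single source being denied on many different ports and repeated failed administrator logins from one source. The log format, the change-ticket register and the thresholds are constructed.

```python
"""Phase V log review (added example, not the audit program's own code).

Log lines, the change-control register and the thresholds are constructed; a
real firewall's log format would be normalised into these fields first.
"""
from collections import defaultdict

# Constructed change-control register: ticket -> has manager approval.
CHANGE_TICKETS = {"CHG-1041": True, "CHG-1042": False}

# Constructed firewall log: "timestamp KIND key=value ..." records.
SAMPLE_LOG = """\
2024-03-01T09:00:01 CONFIG user=alice change=add-rule ticket=CHG-1041
2024-03-01T09:05:12 CONFIG user=bob change=edit-rule ticket=CHG-1042
2024-03-01T09:07:40 CONFIG user=bob change=delete-rule
2024-03-01T10:00:00 DENY src=198.51.100.9 dst=203.0.113.1 dport=21
2024-03-01T10:00:01 DENY src=198.51.100.9 dst=203.0.113.1 dport=22
2024-03-01T10:00:01 DENY src=198.51.100.9 dst=203.0.113.1 dport=23
2024-03-01T10:00:02 DENY src=198.51.100.9 dst=203.0.113.1 dport=25
2024-03-01T10:00:02 DENY src=198.51.100.9 dst=203.0.113.1 dport=80
2024-03-01T10:00:03 DENY src=198.51.100.9 dst=203.0.113.1 dport=443
2024-03-01T10:15:00 DENY src=192.0.2.44 dst=203.0.113.1 dport=443
2024-03-01T11:00:00 AUTHFAIL src=198.51.100.9 user=admin
2024-03-01T11:00:05 AUTHFAIL src=198.51.100.9 user=admin
2024-03-01T11:00:09 AUTHFAIL src=198.51.100.9 user=admin
2024-03-01T11:30:00 AUTHFAIL src=10.10.1.5 user=alice
"""


def parse_log(text):
    """Yield (timestamp, kind, fields) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        yield ts, kind, fields


def unapproved_changes(text, tickets=CHANGE_TICKETS):
    """Configuration changes without a change ticket or with a ticket lacking manager approval."""
    findings = []
    for ts, kind, f in parse_log(text):
        if kind != "CONFIG":
            continue
        ticket = f.get("ticket")
        who = f"{ts} {f.get('user', '?')} {f.get('change', '?')}"
        if ticket is None:
            findings.append(f"{who}: no change ticket")
        elif ticket not in tickets:
            findings.append(f"{who}: ticket {ticket} not in change register")
        elif not tickets[ticket]:
            findings.append(f"{who}: ticket {ticket} lacks manager approval")
    return findings


def port_sweep_sources(text, threshold=5):
    """Sources denied on at least `threshold` distinct destination ports (a probing pattern)."""
    ports = defaultdict(set)
    for _, kind, f in parse_log(text):
        if kind == "DENY" and "src" in f and "dport" in f:
            ports[f["src"]].add(f["dport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= threshold}


def repeated_auth_failures(text, threshold=3):
    """Sources with at least `threshold` failed administrator logins."""
    counts = defaultdict(int)
    for _, kind, f in parse_log(text):
        if kind == "AUTHFAIL" and "src" in f:
            counts[f["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for finding in unapproved_changes(SAMPLE_LOG):
        print("CHANGE CONTROL:", finding)
    for src, n in port_sweep_sources(SAMPLE_LOG).items():
        print(f"PORT SWEEP: {src} denied on {n} distinct ports")
    for src, n in repeated_auth_failures(SAMPLE_LOG).items():
        print(f"AUTH FAILURES: {src} failed {n} admin logins")
```

The thresholds are deliberately low so the constructed sample trips them; in practice they are tuned to the site's traffic, and the point of the audit step is that someone reviews the output and that the incident response procedure says what happens when a pattern is confirmed.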

Annexure – II
Some Email Security Tips
• Create separate email accounts for personal and official activities.
• Use an email service that supports SSL for bank-related communication.
• If an email is unsolicited, do not open its attachments.
• Create strong passwords.
• Do not share passwords.
• Do not share your OTP, IPIN or passwords with anyone over email.
• Install and use an anti-virus security suite.
• Scan your system at regular intervals.
• Ensure browser security patches are up to date.
