
Checklist for Perimeter Intrusion Prevention

| Assessment Area | Assessment Technique |
| --- | --- |
| People | |
| Are perimeter and intrusion protection policies adequate for the organization's level of risk? | Review applicable security policies (firewall, IPS, and WAN) and configuration standards and compare them with good practices (CIS, NIST, etc.). |
| Are all service networks and DMZs identified by zone with appropriate controls in place? | Review the security architecture for application and service grouping of similar devices. |
| Are all application and communication protocol requirements documented between security zones? | Allowed network services and protocols should be documented as part of policy and standards. Review logical traffic flow between zones to ensure the principle of least privilege and minimum device exposure. |
| Does firewall policy follow good security practices? | Review the policy and ensure that it addresses risk and adheres to good security practices. |
| Is there an active IPS monitoring policy that all employees have been informed of? | Review monitoring policies to ensure they are present, and check with legal counsel to determine legal requirements. |
| Process | |
| Are all key assets grouped into zones based on risk? | Review logical design and zones to assess identification of risk. |
| Does the physical design adhere to policy and standards? | Review physical design and assess it against good security practices. |
| Are threats and vulnerabilities accounted for in the perimeter architecture? | Review risk assessment documentation. Identify all risk areas that are not being addressed. |
| Are security zones assigned risk ratings? | Review risk assessment documentation. |
| Does the security architecture follow good security practices? | |
| Are change management processes in place and followed? | Review change management procedures. Interview security administrators, and review change control documentation. |
| Are all changes logged to syslog and reviewed? | Ensure that logging is enabled and reported to a central logging system. Review logs and device configuration for change logging. Identify how often logs are reviewed. |
| Is there a vulnerability and patch management process for perimeter-protection devices? | Security appliance software should be monitored for vulnerabilities and necessary patches. |
| Are configuration backups and disaster-recovery processes in place? | Configuration backups and rules should be stored electronically in a protected manner, and hard copies of the configuration stored in a safe. |
| Is there a process in place for rule-base modifications? | A formal process should exist to request firewall rule modifications. This process should include a risk analysis and review of the proposed change. All changes should also be tested before implementation. |
| Are all device alerts logged to syslog and monitored for potential intrusion? | Review log management configurations and logs. |
| Is there a defined procedure for incident handling? | Assess incident-handling capabilities. |
| Technology: Firewall Review | |
| Does the current firewall design provide for segmentation of security services and policies through security zones? | Review topology and design. |
| Does the firewall design address single points of failure and availability? | Assess firewall design for single points of failure. |

| Assessment Area | Assessment Technique |
| --- | --- |
| Does the firewall configuration follow baseline security measures and practices? | Assess firewall configuration for good security practices. |
| Is advanced application inspection configured to reduce the risk of tunnelled traffic and application attacks? | Review the modular policy framework and inspection classes. |
| Is NAT used effectively to hide internal network addressing and topology? | Review configurations. |
| Are secure management practices utilized for device configuration and logging? | Review configuration for utilization of SSHv2, SNMPv3, and web management access control lists. |
| Do firewall rules reflect policy requirements? | Review firewall rules for policy compliance. |
| Do firewall rules follow good security practices? | Compare firewall rules against good security practices. |
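The management-plane row above (SSHv2, SNMPv3, management access lists, central logging) can be checked mechanically from a running configuration. The following is an added example written for this checklist, not code from the book or from Cisco: it lints an ASA-style configuration for a weak setting and a hardened version side by side. The command syntax is Cisco ASA; both configurations, the host names and the addresses are constructed for the example, and the set of checks is this example's own reading of "good security practices".

```python
"""Management-plane baseline check over an ASA-style running config (added example)."""
import re
from typing import List

ANY_NET = "0.0.0.0 0.0.0.0"   # ASA wildcard meaning "any source host"

# Constructed sample with several weak settings mixed in.
WEAK_CONFIG = """\
hostname edge-fw
ssh version 1
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.0.0 255.255.255.0 management
telnet 10.10.0.0 255.255.255.0 inside
http server enable
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 10.10.0.50 community public version 2c
snmp-server user auditor auditgrp v3 auth sha Str0ngAuth priv aes 256 Str0ngPriv
logging enable
logging host inside 10.10.0.20
"""

# The same device after remediation: SSHv2 only, no Telnet, management bound to
# the management network, SNMPv3 with privacy, logging to a central host.
HARDENED_CONFIG = """\
hostname edge-fw
ssh version 2
ssh 10.10.0.0 255.255.255.0 management
http server enable
http 10.10.0.0 255.255.255.0 management
snmp-server group auditgrp v3 priv
snmp-server user auditor auditgrp v3 auth sha Str0ngAuth priv aes 256 Str0ngPriv
snmp-server host management 10.10.0.50 version 3 auditor
logging enable
logging host management 10.10.0.20
"""

def check_management_plane(config: str) -> List[str]:
    """Return a list of findings; an empty list means the baseline was met."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # SSH: version 2 must be set explicitly, otherwise SSHv1 is still accepted.
    if "ssh version 2" not in lines:
        findings.append("SSH: 'ssh version 2' not configured (SSHv1 accepted)")

    # Telnet is clear-text management and should not be enabled on any interface.
    for l in lines:
        if re.match(r"telnet \d", l):
            findings.append(f"Telnet enabled: '{l}'")

    # SSH/HTTP management ACLs: 0.0.0.0 0.0.0.0 opens the service to any host.
    for l in lines:
        m = re.match(r"(ssh|http) (\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+) (\S+)", l)
        if m and m.group(2) == ANY_NET:
            findings.append(f"{m.group(1).upper()} management open to any host on {m.group(3)}")

    # SNMP: community strings (v1/v2c) are unauthenticated; require a v3 user with priv.
    has_v3_user = False
    for l in lines:
        if l.startswith("snmp-server host") and "community" in l:
            findings.append(f"SNMP community string in use: '{l}'")
        if l.startswith("snmp-server user") and " v3 " in l:
            has_v3_user = True
            if " priv " not in l:
                findings.append(f"SNMPv3 user without privacy (encryption): '{l}'")
    if not has_v3_user:
        findings.append("SNMP: no SNMPv3 user configured")

    # Logging must be enabled and shipped to a central syslog host.
    if "logging enable" not in lines:
        findings.append("Logging disabled")
    if not any(l.startswith("logging host ") for l in lines):
        findings.append("No syslog host configured")
    return findings

if __name__ == "__main__":
    for f in check_management_plane(WEAK_CONFIG):
        print("FINDING:", f)
    print("hardened config findings:", check_management_plane(HARDENED_CONFIG))
```

The weak configuration produces five findings (SSHv1 accepted, Telnet enabled, SSH and HTTP management open to any host on the outside interface, and an SNMP community string); the hardened configuration produces none. Run it against a `show running-config` capture to get the same list for a real device.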

| Assessment Area | Assessment Technique |
| --- | --- |
| Is denied traffic logged and reviewed? | Inspect configuration and firewall log review procedures. |
| Are firewall rules optimized and consolidated for faster operation? | Review firewall rule usage and recommend optimization where needed. |
| Are firewall rules verified through technical testing? | Verify firewall rules, and expose only the least access necessary for services and applications to function. Utilize tools such as NMAP and Firewall Analyzer to check for compliance. |
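The three rows above (denied-traffic logging, rule consolidation, technical verification of the rule base) come down to reading the rule base the way a firewall analyzer does and then confirming the result on the wire. The following is an added example for this checklist, not the book's or any vendor's code: it parses ASA-style extended access-list lines, flags rules that violate least access (permit any/any, permits to any destination on any service, rules shadowed by an earlier catch-all, and ACLs whose denied traffic is not logged), and derives the NMAP checks an auditor would run to confirm that only the permitted ports answer. Object groups, source-port matches and port ranges are not parsed, and both sample ACLs are constructed for the example.

```python
"""Static audit of an ASA-style rule base plus derived nmap verification (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    acl: str
    action: str           # permit | deny
    proto: str            # ip | tcp | udp | icmp
    src: str              # "any", "host A.B.C.D" or "A.B.C.D MASK"
    dst: str
    port: Optional[str]   # destination port from "eq PORT", else None
    log: bool
    line: str

def _take_addr(tokens: List[str]) -> str:
    """Consume one ASA address specification from the front of the token list."""
    t = tokens.pop(0)
    if t in ("any", "any4", "any6"):
        return "any"
    if t == "host":
        return f"host {tokens.pop(0)}"
    return f"{t} {tokens.pop(0)}"        # network followed by its mask

def parse_acl(config: str) -> List[Rule]:
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line)
        if not m:
            continue
        acl, action, proto, rest = m.groups()
        tokens = rest.split()
        src, dst = _take_addr(tokens), _take_addr(tokens)
        port = None
        if tokens and tokens[0] == "eq":
            tokens.pop(0)
            port = tokens.pop(0)
        rules.append(Rule(acl, action, proto, src, dst, port, "log" in tokens, line))
    return rules

def effective_rules(rules: List[Rule]) -> List[Rule]:
    """Drop entries that can never match: anything after an 'ip any any' line in the same ACL."""
    closed, live = set(), []
    for r in rules:
        if r.acl in closed:
            continue
        live.append(r)
        if r.proto == "ip" and r.src == "any" and r.dst == "any":
            closed.add(r.acl)
    return live

def audit_rules(rules: List[Rule]) -> List[str]:
    findings = []
    live = effective_rules(rules)
    live_ids = {id(r) for r in live}
    for r in rules:
        if id(r) not in live_ids:
            findings.append(f"Shadowed rule (never matched): '{r.line}'")
        elif r.action == "permit" and r.proto == "ip" and r.src == "any" and r.dst == "any":
            findings.append(f"Permit any/any: '{r.line}'")
        elif r.action == "permit" and r.dst == "any" and r.port is None:
            findings.append(f"Permit to any destination, any service: '{r.line}'")
    # The implicit deny at the end of an ASA ACL is not logged; each ACL needs
    # an effective 'deny ip any any log' for denied traffic to be reviewable.
    for acl in dict.fromkeys(r.acl for r in rules):
        if not any(r.acl == acl and r.action == "deny" and r.log for r in live):
            findings.append(f"ACL {acl}: denied traffic is not logged")
    return findings

def nmap_checks(rules: List[Rule]) -> List[str]:
    """One nmap command per host/port that an effective rule exposes to any source."""
    return [f"nmap -Pn -p {r.port} {r.dst.split()[1]}"
            for r in effective_rules(rules)
            if r.action == "permit" and r.src == "any" and r.dst.startswith("host ") and r.port]

# Constructed samples: a permissive rule base and a tight one.
LOOSE_ACL = """\
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 203.0.113.20 eq 25
access-list outside_in extended permit ip any any
access-list outside_in extended deny ip any any log
access-list dmz_in extended permit tcp host 203.0.113.10 host 10.20.0.5 eq 5432
access-list dmz_in extended permit ip 203.0.113.0 255.255.255.0 any
access-list dmz_in extended deny ip any any
"""
TIGHT_ACL = """\
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended deny ip any any log
"""

if __name__ == "__main__":
    rules = parse_acl(LOOSE_ACL)
    for f in audit_rules(rules):
        print("FINDING:", f)
    for c in nmap_checks(rules):
        print("VERIFY:", c)
```

For the loose rule base the audit reports five findings: the `permit ip any any` itself, the `deny ... log` it shadows (so nothing on `outside_in` is ever logged as denied), a DMZ rule permitting a whole subnet to any destination on any service, and the missing effective deny-with-log on both ACLs. The derived `nmap -Pn -p PORT HOST` commands are the positive checks; a port sweep of the same hosts with everything else expected closed is the negative check.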

| Assessment Area | Assessment Technique |
| --- | --- |
| Technology: IPS Review | |
| Is the IPS management interface protected from unauthorized access, and does it use secure protocols? | Review configuration. |
| Is NTP configured for time stamping IPS logging events? | Inspect configuration for NTP settings and appropriate time settings. |
| Are all corporate assets assigned asset target values within the IPS? | Review documentation and IPS configuration. |
| Are signature updates configured to automatically update to the latest signatures? | Review configuration for device-level signature updates or updates through the CSM auto-update function. Review update procedures and policy and check for compliance. |
| Is event logging configured and sent to a security logging platform for archival and storage? | Check configuration to ensure that all logs are transmitted to a platform such as MARS or IME for log storage and review. |
| Is the IPS configured to leverage security zones to target IPS protection? | The IPS should be configured to protect the essential services of each security zone it is deployed in. Review configuration and IPS design for proper segmentation and signature deployment. |
| Does the IPS provide the appropriate level of protection against security zone threats? | Review signature configuration and test with NMAP and packet generation tools. |
| Do security logs reflect the IPS tests? | Review IPS logs to see whether all IPS test packets were detected and the appropriate mitigation was performed. |
| Did the organization under test detect the simulated attacks? | Review detection procedures and tools. |
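The last three rows are one procedure: send known test traffic at each zone, then check that the sensor's event log shows every test, that the configured action was a block rather than just an alert, and that the sensor's timestamps line up with the tester's (which is what the NTP row is for). The following is an added example written for this checklist, not the book's code: it correlates a list of sent test packets with parsed sensor events. The event line format, the signature IDs, the attack names and the addresses are all constructed for the example; a real sensor emits SDEE/XML or syslog that needs its own parser, and the 60-second skew tolerance is an assumption. The action names `produceAlert` and `denyPacketInline` follow Cisco IPS naming.

```python
"""Correlate IPS test traffic with sensor events: coverage, blocking, clock skew (added example)."""
import re
from datetime import datetime
from typing import Dict, List, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_SKEW_S = 60   # assumption: a larger sensor-vs-tester offset indicates a clock/NTP problem

# (sent_at, test name, expected signature ID, source, destination) -- constructed
TEST_PACKETS: List[Tuple[str, str, str, str, str]] = [
    ("2024-03-10T14:02:10Z", "ICMP network sweep",       "1001", "198.51.100.7", "203.0.113.10"),
    ("2024-03-10T14:02:40Z", "TCP SYN port sweep",       "1002", "198.51.100.7", "203.0.113.10"),
    ("2024-03-10T14:03:05Z", "HTTP directory traversal", "1003", "198.51.100.7", "203.0.113.10"),
    ("2024-03-10T14:03:30Z", "DNS zone transfer",        "1005", "198.51.100.7", "203.0.113.30"),
]

# Constructed sensor event log in a simplified key=value form. The third line is
# unrelated background traffic; the fourth carries a timestamp 15 minutes off.
IPS_LOG = """\
2024-03-10T14:02:11Z sigid=1001 name="ICMP network sweep" src=198.51.100.7 dst=203.0.113.10 action=produceAlert
2024-03-10T14:02:41Z sigid=1002 name="TCP SYN port sweep" src=198.51.100.7 dst=203.0.113.10 action=denyPacketInline
2024-03-10T14:09:15Z sigid=1004 name="SSH brute force" src=192.0.2.44 dst=203.0.113.20 action=produceAlert
2024-03-10T14:18:31Z sigid=1005 name="DNS zone transfer" src=198.51.100.7 dst=203.0.113.30 action=produceAlert
"""

EVENT_RE = re.compile(r'(\S+) sigid=(\d+) name="([^"]*)" src=(\S+) dst=(\S+) action=(\S+)')

def parse_events(log: str) -> List[Dict]:
    events = []
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, sig, name, src, dst, action = m.groups()
            events.append({"ts": datetime.strptime(ts, TS_FMT), "sig": sig,
                           "name": name, "src": src, "dst": dst, "action": action})
    return events

def correlate(tests, events) -> List[Dict]:
    """For each test, find the closest-in-time event with the same signature and flow."""
    results = []
    for sent_at, name, sig, src, dst in tests:
        sent = datetime.strptime(sent_at, TS_FMT)
        hits = [e for e in events if e["sig"] == sig and e["src"] == src and e["dst"] == dst]
        best = min(hits, key=lambda e: abs((e["ts"] - sent).total_seconds()), default=None)
        results.append({
            "test": name,
            "detected": best is not None,
            # Cisco IPS inline deny actions start with "deny"; anything else only alerted.
            "blocked": best is not None and best["action"].startswith("deny"),
            "skew_s": None if best is None else int(abs((best["ts"] - sent).total_seconds())),
        })
    return results

def summarize(results: List[Dict]) -> Dict:
    return {
        "coverage": sum(r["detected"] for r in results) / len(results),
        "missed": [r["test"] for r in results if not r["detected"]],
        "alert_only": [r["test"] for r in results if r["detected"] and not r["blocked"]],
        "clock_skew": [r["test"] for r in results
                       if r["skew_s"] is not None and r["skew_s"] > MAX_SKEW_S],
    }

if __name__ == "__main__":
    report = summarize(correlate(TEST_PACKETS, parse_events(IPS_LOG)))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the report shows 75% coverage (the directory-traversal test never produced an event), two tests that were alerted on but not blocked, and one whose sensor timestamp is 901 seconds from the send time; that last item is the finding for the NTP row, since skewed clocks make every later log correlation unreliable.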