防火墙规则的清单

清单是验证信息技术安全环境的好方法。许多人包括[URL = http：//www.tompets.com/entries.php？note = 010132.php] Tom Peters [/ URL]一直赞扬清单的有用性和简洁性。我以前创建了[url = http：//thinkingproblobmmanagement.blogspot.com/2007/10/ultimate-test-pilots.html]网络故障排除清单[/ url]。在[url = http：//www.guerilla-ciso.com/] guerilla ciso [/ url]读取关于路由器/防火墙的帖子，提醒我一个关于我在2003年创建的防火墙规则的清单。我删除并更新了它。因此，这里是防火墙规则的清单：1。外部路由器健康检查。您可以使用[url = http：//www.titania.co.uk/nipper.php] nipper [/ url]来检查wether courter配置是否可以接受。2.记录当前防火墙/路由器，操作系统，规则库，对象库和NAT表。您可以查看使用[url = http：//www.wyae.de/software/fwdoc/ fwdoc [/ url]。3.文档当前性能 - 页面加载，文件传输，CPU利用率。 If you firewall platform supports that standard HostMIB you can point something like [url=http://sins.com.au/nmis/]NMIS[/url] at it and obtain these stats. 4. Document current usage of security systems and recommend improvements. A good tool to recognize improvements is [url=http://www.sensepost.com/research/wikto/]Wikto[/url]. 5. Research traffic needs. You can span the router port and check out traffic flows using [url=http://www.openxtra.co.uk/freestuff/ntop-xtra.php]OpenXtra's NTOP[/url], or alternatively use Netflow and a tool like [url=http://www.crannog-software.com/index.php?go=Product.ShowDetail&ProductID=1]Netflow Tracker[/url]. 6. Review firewall/router logs to determine current service usage. Collect syslogs for review using a product like [url=http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/]Kiwi[/url]. 7. Interview business units for service requirements and document findings. 8. Backup existing configuration, rule-base, object-base, and NAT tables. 9. Create rule-base migration plan. 10. Migrate rule-base in controlled sections. 11. Arrange rules in order of rule hit rate. 12. Monitor changes for issues. 13. Document final configuration. 14. Document performance differential performance gains. 15. Only allow RFC1918 IP addresses on the internal network. Drop all RFC1918 addresses on the external Internet Access router. 16. Drop the following incoming traffic on the external Internet router:telnet, snmp, icmp, dns, pop3, SQL: Oracle SQL*NET(66), sqlserv(118), SQL-NET(150), sqlsrv(156), mini-SQL(1114), Microsoft SQL Server(1433), Microsoft SQL Monitor(1434), Sybase SQL AnyWhere(1498), Oracle SQL*Net v2(1521), Oracle(1522), Oracle SQL*Net v1(1525), Oracle SQL*Net(1529), UniSQL (1978), UniSQL Java(1979), mySQL(3306), SSQL(3352), mSQL(4333), Remote access: Dameware (6129), PC Anywhere (5631). 17. Firewall default properties: Eliminate anything that is allowed generically. Firewall software is installed by default with services wide open. The first step is to turn off these default properties. 18. Firewall outbound: Allow the following traffic originating from the firewall to any destination: Time services, SSH, Ping, Ident, FW-1, Traceroute, SNMP trap 19. Internal outbound: Allow the following traffic originating internal to any outbound destination: HTTP (80), HTTPS (443), FTP (21), SSH (22), MSN Messenger (1863) Voice (UDP:2001-2120, 6801, 6901), file transfers (6891-6900). 20. Lockdown: Blocking any access to the firewall. No one should have access to the firewall but the firewall administrators and workstations operating on the FW-1 ports. 21. Drop All AND Log rule and add it to the end of the rule base. 22. No Logging: A rule that drops/rejects broadcast traffic, but does NOT log it. 23. DNS access: All the internal DNS servers’ access to the service provider’s named DNS server. All servers in the DMZ, DNS access to the internal DNS servers. 24. Mail access: Allow the bridgehead servers bi-directional SMTP access to the relay server in the DMZ. Allow all bidirectional SMTP traffic from the relay server to external hosts. As an alternative investigate the use of a service like [url=www.mimecast.co.za]Mimecast[/url]. 25. Web access: Allow incoming HTTP and HTTPS access to the DMZ from external. 26. DMZ access: Allow only bidirectional-encrypted access from the internal network to the DMZ from named sources and destinations. 27. Performance: Move the most commonly used rules towards the top of the rule base. 28. Web content: Block access to sites that do not comply with the company computer usage policy. Consider using [url=www.opendns.com]OpenDNS[/url], which has blocking abilities. 29. Vulnerability scanning: Allow the internal vulnerability-scanning server to scan all ports and addresses in the DMZ. Allow the rule only to be active from 19h00 to 23h30. Wikto is a good tool to accomplish this. 30. Time services: Allow named addresses access to the time service on the firewall from the internal network. 31. Allow the network management servers access to the DMZ (e.g. HP SIM uses port 2381). Allow the network management servers SNMP read access to the DMZ. Allow all DMZ servers to transmit SNMP traps to the network management servers.