Tom Peters Networking Troubleshooting Checklist Guerilla CISO

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 2

Checklists are a good way to verify Information Technology security environments.

Many
people including Tom Peters have been praising the usefulness and simplicity of checklists. I had
previously created a networking troubleshooting checklist. Reading a post about
Router/Firewalls at Guerilla CISO, reminded me of a checklist about firewall rules I created in
2003. I dusted it off and updated it. So, here is a checklist for firewall rules:
1. External routers health check. You can use Nipper to check wether your router configuration
is acceptable.
2. Document current firewall/router, OS, rule-base, object-base, and NAT tables. You can look at
using FWdoc.
3. Document current performance - page load, file transfer, CPU utilization. If you firewall
platform supports that standard HostMIB you can point something like NMIS at it and obtain
these stats.
4. Document current usage of security systems and recommend improvements. A good tool to
recognize improvements is Wikto.
5. Research traffic needs. You can span the router port and check out traffic flows using
OpenXtra's NTOP, or alternatively use Netflow and a tool like Netflow Tracker.
6. Review firewall/router logs to determine current service usage. Collect syslogs for review
using a product like Kiwi.
7. Interview business units for service requirements and document findings.
8. Backup existing configuration, rule-base, object-base, and NAT tables.
9. Create rule-base migration plan.
10. Migrate rule-base in controlled sections.
11. Arrange rules in order of rule hit rate.
12. Monitor changes for issues.
13. Document final configuration.
14. Document performance differential performance gains.
15. Only allow RFC1918 IP addresses on the internal network. Drop all RFC1918 addresses on
the external Internet Access router.
16. Drop the following incoming traffic on the external Internet router:telnet, snmp, icmp, dns,
pop3, SQL: Oracle SQL*NET(66), sqlserv(118), SQL-NET(150), sqlsrv(156), mini-SQL(1114),
Microsoft SQL Server(1433), Microsoft SQL Monitor(1434), Sybase SQL AnyWhere(1498),
Oracle SQL*Net v2(1521), Oracle(1522), Oracle SQL*Net v1(1525), Oracle SQL*Net(1529),
UniSQL (1978), UniSQL Java(1979), mySQL(3306), SSQL(3352), mSQL(4333), Remote
access: Dameware (6129), PC Anywhere (5631).
17. Firewall default properties: Eliminate anything that is allowed generically. Firewall software
is installed by default with services wide open. The first step is to turn off these default
properties.
18. Firewall outbound: Allow the following traffic originating from the firewall to any
destination: Time services, SSH, Ping, Ident, FW-1, Traceroute, SNMP trap
19. Internal outbound: Allow the following traffic originating internal to any outbound
destination: HTTP (80), HTTPS (443), FTP (21), SSH (22), MSN Messenger (1863) Voice
(UDP:2001-2120, 6801, 6901), file transfers (6891-6900).
20. Lockdown: Blocking any access to the firewall. No one should have access to the firewall but
the firewall administrators and workstations operating on the FW-1 ports.
21. Drop All AND Log rule and add it to the end of the rule base.
22. No Logging: A rule that drops/rejects broadcast traffic, but does NOT log it.
23. DNS access: All the internal DNS servers access to the service providers named DNS
server. All servers in the DMZ, DNS access to the internal DNS servers.
24. Mail access: Allow the bridgehead servers bi-directional SMTP access to the relay server in
the DMZ. Allow all bidirectional SMTP traffic from the relay server to external hosts. As an
alternative investigate the use of a service like Mimecast.
25. Web access: Allow incoming HTTP and HTTPS access to the DMZ from external.
26. DMZ access: Allow only bidirectional-encrypted access from the internal network to the
DMZ from named sources and destinations.
27. Performance: Move the most commonly used rules towards the top of the rule base.
28. Web content: Block access to sites that do not comply with the company computer usage
policy. Consider using OpenDNS, which has blocking abilities.
29. Vulnerability scanning: Allow the internal vulnerability-scanning server to scan all ports and
addresses in the DMZ. Allow the rule only to be active from 19h00 to 23h30. Wikto is a good
tool to accomplish this.
30. Time services: Allow named addresses access to the time service on the firewall from the
internal network.
31. Allow the network management servers access to the DMZ (e.g. HP SIM uses port 2381).
Allow the network management servers SNMP read access to the DMZ. Allow all DMZ servers
to transmit SNMP traps to the network management servers.

You might also like