Fortigate 60 Firewall Security Audit Auditors Perspective

Global Information Assurance Certification Paper

Copyright SANS InstituteAuthor Retains Full Rights

This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.

Interested in learning more?Check out the list of upcoming events offering"Auditing & Monitoring Networks, Perimeters & Systems (Audit 507)"at http://www.giac.org/registration/gsna

http://www.giac.org

http://www.giac.org

http://www.giac.org/registration/gsna

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

© SANS Institute 2005 Author retains full rights.

Fortigate-60 Firewall Security Audit: An Auditor’s Perspective

GSNA Practical Assignment 3.1 (Amended February 24, 2004)Option 1

Author: Brian CookSubmitted December 1st, 2004

GIAC Practical

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.


© SANS Institute 2005 Author retains full rights.2

Table of Contents

Abstract/ Summary 5

1 Research in Audit, Measurement, and Control 5

1.1 System Identification 6

1.2 Fortigate-60 Risk Evaluation 8

1.3 Current State of Practice 10

2 Audit Checklist 12

2.1 Administrative Practices 12

2.2 Firewall Operating System Security 17

2.3 Firewall Device Physical Security 19

2.4 Firewall Device Maintenance Controls 21

2.5 Transport Layer Security 29

2.6 Application Layer Security 30

2.7 Intrusion Detection/Prevention Administration 32

2.8 Anti Virus Gateway Administration 34

3 Audit Example 36

3.2.2 Firewall Operating System Security 43

3.2.3 Firewall Device Physical Security 48

3.2.4 Firewall Device Maintenance Controls 50

3.2.5 Transport Layer Security 58

3.2.5 Transport Layer Security 61

3.2.7 Intrusion Detection/Prevention Administration 63

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



4 Sample Audit Report 67

4.1 Title Page 67

4.2 Table of Contents 68

4.3 Executive Summary 69

4.4 Key Findings and Recommendations 69

4.5 General Background 70

4.6 Detailed Findings and Recommendations 71

4.7 Objectives, Scope & Procedures Performed 72

4.8 Summary of Procedures Performed 73

Table of Figures

Figure 1 – Network Diagram for CBMW Bank 7

Figure 2 – IT Risk Assessment Form 9

Figure 3.1 – External Nessus scan results in html format 45

Figure 3.2 – Screenshot of Nessus plug-in configuration 47

Figure 3.3 – Server Room Entrance 49

Figure 3.4 – Cabinet housing firewall 49

Figure 3.5 – Screen capture of remote host logging screen 51

Figure 3.6 – Screen capture of network interface settings 52

Figure 3.7 – Screen capture of remote administration users screen 54

Figure 3.8 – Screenshot of Nmap run in Terminal on Fedora Core2 60

Figure 3.9 – Script Filter configured to block Java Applet and Active X scripts 62

Figure 3.10 – NIDS detection interface setup screen. (Properly configured) 64

Figure 3.11 – Screenshot of NIDS Prevention (Properly configured) 67

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Table of Exhibits

Exhibit Q – Firewall Audit Questionnaire 36

Exhibit I – Information Request Items 41

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Assignment 1 – Research in Audit, Measurement, and Control

AbstractOne of the biggest “cyber-myths” out there today is the belief that technology willprotect us. Firewalls, VPNs, Intrusion Detection Systems, virus software etc. do not,by their presence alone, protect us from attacks and exploits of systemvulnerabilities. While the technology is vital to securing the data, it is simply a tool.Just because I own a hammer and saw does not make me a carpenter. I have toknow the purpose and capabilities of each tool and have the skill to use themproperly.

While a poor carpenter’s work is often easily identifiable, poor implementation oftechnology can be more difficult to recognize. An IT auditor’s job is to use theirknowledge and skills to examine an organization’s use of technology and ensure thateach tool is being used properly to build a secure IT infrastructure. Whereas abuilding inspector would use local building codes and blueprints to ensure abuilding is safe and built to specifications, an IT auditor must use industry bestpractice standards and the organization’s policies to determine if the use oftechnology is achieving the desired goals of securing the data.

This paper focuses on one financial organization’s first line of defense in securingthe data, the perimeter firewall. In this instance, the device to be audited is theFortinet Fortigate-60 firewall. Fortinet products are not as well known ascomparable Cisco products, but most of the Fortinet models incorporate Antivirusand Intrusion Detection utilities in addition to the firewall capabilities. Having allthree features in one device is more cost effective but also increases the scope andcomplexity of the audit. Each function of the device must be tested to ensure thateach is performing in accordance with industry best practice and the organization’sinformation security goals set out in its policies.

The goal of this paper is to provide an IT auditor with the methodologies andknowledge necessary to audit and secure the Fortigate-60 firewall device. The paperis divided into 4 sections as follows:

• Section one explores the current state of practice for securing the perimeter,as well as an assessment of risks associated with the device being audited.

• Section two contains a comprehensive and detailed checklist, which describesacceptable settings and methodologies to achieve compliance. The checklistdefines the objective, non-compliance risk, expected findings and the detailedtesting methodology for each area in the program.

• Section three selects 10 items from the above checklist as an example of howthe entire audit should be conducted in practice.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



• Section four contains the end result of any audit, the audit report. The auditreport contains an “Executive Summary” of the scope of the audit along with“Key Findings” and a recommendation summary. The audit report is one ofthe most important and difficult components of an audit as the auditor iscommunicating technical concepts and concerns to an often times non-technical audience. Failure to communicate findings in an understandablemanner can lead to the audit findings going unaddressed and anorganization continuing to operate in an unsecured fashion.

1.1 System Identification

The organization contracting for this audit is CBMW, a community bank withlimited in-house technical resources. While substantial business is conductedthrough the use of technology, those responsible for managing the technology arelargely third party service providers. The bank has outsourced their perimeterdefense to a nationally known perimeter defense company, Secure Networks.

The Executive Vice President (EVP) of the bank requested an audit of the bank’snetwork after he attended an IT Security presentation at a recent conference. Hewas concerned that the bank had no independent verification that Secure Networkswas providing them with proper security devices and methodologies. The ChiefInformation Officer (CIO) requested that the initial scope of the audit focus on theperimeter firewall device, which is one of two firewalls employed by the bank. TheCIO felt that since the device serves as a firewall, virus gateway and intrusiondetection/prevention system (three very important security functions) he neededassurance all three were properly configured and functioning according to internalpolicy and industry best practices.

The Fortigate-60 firewall is the perimeter firewall located at the periphery of thebank’s internal network. The bank utilizes a full T1 for Internet access and thirdparty vendor transaction services. Cisco routers and switches provide connectivityand a standalone Cisco intrusion detection device resides outside the Fortigate-60firewall. The Cisco IDS is positioned at the perimeter and therefore configured to bethe least sensitive of the three IDS devices on the network. The Fortigate IDS isconfigured to look at both incoming and outgoing traffic for anomalies. In addition,the bank’s informational/marketing website runs on an Apache web server whichresides in the DMZ provided by the Fortigate-60 firewall.

A second, non-redundant Pix 506 firewall for additional filtering and ingress/egressrestrictions is attached to one internal port on the Fortigate-60. These devicesprotect three distinct LANs in the bank’s network infrastructure. Each LAN isseparate and unique in both architecture and purpose. The Server LAN houses theNDS server and three application servers. The User LAN facilitates the dataconnectivity for all internal users and contains the bank’s Novell file server. The

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



third LAN is an administration LAN that only select users with unique hardwareconfigurations and network OS settings can access. (See Figure 1)

E-mail is hosted by a third party vendor who utilizes F-Secure virus protection andcontent filtering before the mail contents reach the network users. Mail recipientsuse freely available third party e-mail software with additional filtering and junkmail control components.

Figure 1: Network Diagram for CBMW Bank (All IP addresses removedat customer request)

The bank relies on several third party vendors to conduct business and provideservices. Internet access is vital for the bank to conduct their daily operational andcustomer service functions as set out below:

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



• The bank relies on a VPN connection to their Internet Banking vendor forreal time transactional services.

• Connection to real time credit card transactional data is vital for the CreditCard department to service customer accounts and handle customer serviceissues.

• Connection to the Federal Reserve is facilitated via secure token HTTPSsessions which is vital for wires and automated clearing house (ACH)activity.

Bank staff must be able to quickly and securely access the Internet and also securelyconnect to several outside sites. Therefore the bank’s firewall policies shoulddescribe the services and sites necessary for the bank’s employees to operate.Likewise, the policy should also state which sites and services are not allowed. It isimportant that the policy explicitly state the firewall rules. Without these specificguidelines the bank increases the risk of the firewall restricting valid businessfunctions or allowing unnecessary and possibly dangerous access to sites andservices.

As mentioned earlier a third party perimeter defense company, Secure Networks(SN), manages the Fortigate-60 device. While all updates and changes to the deviceare strictly controlled by SN, a local bank administrator does have access to theHTTP administration interface for reporting and monitoring capabilities and in theevent that SN cannot gain access remotely and emergency changes are necessary.

1.2 Fortigate-60 Risk Evaluation

Before conducting the audit a standard IT Risk Assessment form was used toevaluate the bank’s overall IT Risk. While the overall risk assessment was valuablein allowing the CIO and Audit to gain a better understanding of the organization’srisks as a whole, it also allowed us to assess the risks associated with the device beingaudited. Figure 2 on the next page is a screenshot of the section of the riskassessment dealing specifically with the Fortigate-60 device functions.

This particular risk assessment deals specifically with Inherent Risk, or the risk ofsimply being in a business, in this case banking. Residual Risk, or the risk remainingafter controls have been implemented will be evaluated during a later audit. Riskassessments assist management to identify the level of risk associated with eachfunction and work to mitigate the risks identified. The end result of the riskassessment process is to identify areas where compensating controls can beimplemented to lower the associated risk, as well as to monitor high risk areas wherethe risk remains high regardless of mitigating controls. Management should reviewthose areas with high risk frequently to determine if new developments haveemerged which could reduce the risk for the business function. The risk assessment

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



performed ranked each of the functions, firewall, intrusion detection and anti-virusgateway on the low end of “Above Average Risk”.

Figure 2: IT Risk Assessment Form

1.3 Current State of Practice

While there are many audit work programs and checklists designed for severalwell-known firewall devices by Cisco, Sonicwall, and Watchguard I found nothingspecifically for the Fortinet line of products. Fortinet technical support is for

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



registered users only so beyond technical specifications there was not muchuseful information on their site. There were, however, several best practiceresources for firewalls, intrusion detection systems and anti-virus gateways butnothing that addressed a device that included all three. It would be easy toassume that you could apply the best practices for each separate device typeand build a suitable audit checklist. However, a “generic” audit program does notwork for devices made by different vendors as the program would not addressitems specific to each device.

To gain more knowledge of the product itself, I contacted the local administratorand obtained the User Guide on CD-ROM. The CD-ROM contained indexedPDF documents making it simple to find and print the pertinent sections andbegin to gain an understanding of the administration of the device, as well as theareas I needed to check to insure the device had been configured correctly. Inaddition, I was able to create an “Item Request List” which included step-by-stepinstructions for the local administrator to retrieve the information requested. Thisshould help to avoid delays in the audit once we arrive on site.

In addition to device specific information I used the Internet to research industrystandards to determine best practice for each of the three functions of the device.Several of these sites were found from reading the practicals of other SANSstudents in the “reading room” at http://www.sans.org/rr/. A few of the moreinformative sites found were:

S.C.O.R.E. http://www.sans.org/score/Great resource for checklists, benchmarking tools, incident response forms andgeneral security related FAQs. One great resource is the “Firewall Checklist” byKrishni Naidu.

Itsecurity.com http://www.itsecurity.com/Contains some great whitepapers and best practice documentation for severalsecurity related areas.

Auditnet http://www.auditnet.orgHas an impressive amount of checklists and workprograms available for justabout anything you can audit.

Knowledgeleader http://www.knowledgeleader.comA membership resource with fees attached but they do give a free 30 day trial.Has some very professional resources for checklists, work programs and audittheory.

CERT http://www.cert.orgA good general information site with a really useful site index that lets you getright to the areas you are interested in.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



There were also several good books that I was able to skim through and pullrelevant information and useful items I included in the audit checklist. A full list ofall resources used in developing the Fortinet-60 audit program can be found inthe bibliography located at the end of this report.

Assignment 2 – Audit Checklist

2.1 Administrative Practices

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Audit Step 2.1.1

Reference “IT Auditing for Financial Institutions”Jimmy R. Sawyers Vol. 1

Control Objective Establish if a General Security Policythat provides management and staffwith guidance and direction for theorganization’s security goals exists.

Non Compliance Risk Without clearly defined organizationalsecurity goals, security is left up to theindividuals in the organization to define.These individual definitions may not bein line with the organization’s overallsecurity goals.

Compliance A general Security Policy should existTesting

• From questionnaire determine ifa General Security Policy exists.If so request a copy of the policyand review it to determine if theorganization’s security goals areclearly defined.

• Interview the IT Manager andSystems Administrator todetermine if they are aware ofand familiar with the policy andit’s goals.

• Determine if employees arerequired to sign anacknowledgement that theyhave read and understand thepolicy.

Test Type ObjectiveSupporting DocumentationTest ResultsExceptions

Audit Step 2.1.2

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.




Control Objective Establish if a Firewall Policy thatprovides IT Management and staff withguidance and direction for theorganization’s security goals withregards to the Firewall exists.

Non Compliance Risk Without clearly defined procedures forconfiguration, logging, change control,remote access, physical access, andpatch management the organizationrisks having a Firewall in place thatdoes not protect the organization in themanner that is required.

Compliance A Firewall Policy outlining the mannerin which the Firewall will be configuredshould exist.

Testing• From questionnaire determine if

a Firewall Policy exists. If sorequest a copy of the policy andreview it to determine if it clearlydefines the manner in which theFirewall will be configured.

• Interview the IT Manager andSystems Administrator todetermine if they are aware ofand familiar with the policy andit’s goals.

• Obtain a copy of the Firewallconfiguration file to see if theconfiguration is in compliancewith the Firewall Policy.


Audit Step 2.1.3Reference “IT Auditing for Financial Institutions”

Jimmy R. Sawyers Vol. 1

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Control Objective Establish if a Network Acceptable UsePolicy that provides Management andstaff with guidance and direction for theorganization’s security goals withregards to the network exists.

Non Compliance Risk Without clearly defined policies for useof the network the organization cannotdevelop standardized policiesregarding configuration of the firewalldevice in line with what is and is notacceptable use of the network.

Compliance A Network Acceptable Use Policyoutlining the manner in which thenetwork should and should not be usedexists.


a Network Acceptable UsePolicy exists. If so request acopy of the policy and review itto determine if it clearly definesthe manner in which the networkshould and should not be used.

• Interview selected personnel todetermine if they are aware ofand familiar with the policy andit’s goals.

• Obtain a copy of the Firewallconfiguration file and compare itto the Network Acceptable UsePolicy for compliance.

Test Type Objective/SubjectiveSupporting DocumentationTest ResultsExceptions

Audit Step 2.1.4

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.




Control Objective Establish if an Internet Usage Policyexists that provides management andstaff with guidance and direction for theorganization’s security goals related toit’s Internet connectivity.

Non Compliance Risk Without clearly defined policies for useof the Internet, the organization cannotdevelop standardized policiesregarding configuration of the firewalldevice in line with what is and is notacceptable use of the Internet.

Compliance An Internet Usage Policy outlining themanner in which the network shouldand should not be used should exist.


an Internet Usage Policy exists.If so request a copy of the policyand review it to determine if itclearly defines what is and is notacceptable use of the Internet.

• Interview selected personnel todetermine if they are aware ofand familiar with the policy andit’s goals.

• Obtain a copy of the Firewallconfiguration file. Visuallyinspect to see if theconfiguration is in compliancewith the Internet Usage Policy.


Audit Step 2.1.5

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Reference “Firewall Security Best PracticeGuidelines”http://www.knowledgeleader.com

Fortigate-60 Documentation “FirewallConfiguration”

Control Objective Ensure the Firewall is covered byChange Control standards.

Non Compliance Risk Changes to the Firewall that do notfollow Change Control standards canresult in security breaches and systemfailures due to mismanagement ofrulesets and policies that can contradicteach other and the overall goal of theFirewall device.

Compliance Change Control standards exist.Testing

• From questionnaire determine ifChange Control standards exist.

• Determine if the standards aredocumented.

• If so request a copy of thestandards and review them todetermine if they clearly definethe manner in which ChangeControl is managed.


2.2 Firewall Operating System Security

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Audit Step 2.2.1Reference “Firewall Security Best Practice

Guidelines”http://www.knowledgeleader.com


Control Objective Ensure only services required to meetbusiness requirements are running onthe system

Non Compliance Risk Unnecessary services could allowintruders to gather information aboutthe system or even facilitate an attackon the system.

Compliance Only necessary services are runningon the system.

Testing• Obtain a copy of the Firewall

Policy to determine whatservices should be enabled onthe firewall.

• Obtain a copy of theconfiguration file for the systemto determine which services areenabled. Compare this to theallowed services stated in theFirewall Policy.

• Using Nmap, and Nessus scanthe system to determine whichports are listening and whatservices are running on thoseports.

If any ports or services other thanthose listed in the Firewall Policy andconfiguration file are running, thenfurther attention should be given towhether the system is misconfigured orif in fact the system has beencompromised.

Test Type Objective/SubjectiveSupporting DocumentationTest Results

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Exceptions




Control Objective Ensure the OS is updated and patchedto the latest stable version.

Non Compliance Risk Failure to keep the OS updated andpatched can leave the OS vulnerable toknown security vulnerabilities. Out ofdate systems are open to attack andcompromise of the internal network.

Compliance The OS is updated to the most currentstable version

Testing• Have System Administrator log

in to the web interface. ChooseSystem > Status and choose thestatus tab. Note the firmwareversion .

• Due to Fortinet’s subscriptionsupport system the firmwareversion is not publicly available.Have the System Administratorlog in to the Fortinet support siteand provide a printout or screencapture of what the firmwareversion should be.

• Compare the version numbers.If the system is not up to datedetermine through discussionwith management and theSystem Administrator if there isa valid reason for the system notbeing updated.

Test Type Objective/Subjective

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Supporting DocumentationTest ResultsExceptions

2.3 Firewall Device Physical Security



Personal experience.Control Objective Firewall device physical location should

be a secure area such as acombination or key card access datacenter or a locked server rack orcabinet.

Non Compliance Risk Lack of adequate physical security forthe firewall device could result inunauthorized changes to theconfiguration such as creation of backdoors or intentional misconfiguration offeatures such as IDS or Anti-Virus.

Compliance The firewall device resides in arestricted access data center or in alocked server rack or cabinet. Ideallyboth a restricted access data centerand a locked server rack or cabinetwould be utilized.

Testing• Ask to be shown the device and

note the location and securitymeasures in place at thelocation.

• If a secure location existsdocument the procedures forentry and exit from the location.

• If server rack or cabinet is usednote if a lock is present and inuse.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



• If server rack or cabinet lock isused determine who has keys tolocks.




Control Objective Ensure the firewall is located in an areawith environmental controls thatpromote reliable operation.

Non Compliance Risk Lack of or improper environmentalcontrols could contribute to thelikelihood of failure of the device due toextremes in heat, moisture andairborne contaminants.

Compliance The device is located in an area withproper environmental controls thatprotect it from extreme temperatures,humidity and airborne contaminants.

Testing Examine the area where the device islocated.

• Are the air conditioning andhumidity control systems for thearea adequate to maintaintemperatures withinmanufacturers' specifications?

• Is the area kept free of dust,smoke, and other particulatematter, i.e., food?

• Do fire and water detectiondevices that sound audiblealarms protect the area?

Test Type Objective/SubjectiveSupporting Documentation

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Test ResultsExceptions

2.4 Firewall Device Maintenance Controls



“Building Internet Firewalls, 2d ed.Elizabeth D. Zwicky, Simone Cooper,and D. Brent Chapman 2000.

Fortigate-60 Documentation “Loggingand Reporting”

Control Objective Ensure system logging is enabled andthe logs are stored in a secure fashion.

Non Compliance Risk Not logging activities that pass throughthe firewall can result in the inability todetect intrusion attempts and canhinder or defeat forensic analysis of anintrusion event. Secure storage of logsprevents intruders from accessing andpossibly altering the logs to hideevidence of their intrusion.

Compliance Logging is enabled and the logs arestored in a secure fashion, preferablyon a remote syslog server.


in to the web interface.

• ChooseSystem>Network>Interface

Select edit in the modify column beside the active interfaces (NIC) and ensure the “Log” setting is set to “Enable” for each.

• Choose Log & Report > LogSetting.Verify that the “Log toRemote Host” box is checkedand that a valid remote IP andPort number are entered.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Remote Host” box is checkedand that a valid remote IP andPort number are entered.





Control Objective Minimize the number of administrativeaccounts on the Firewall.

Non Compliance Risk Lack of control of the number and typeof administrative accounts on a firewallcan lead to unmanageable changecontrol and could result in confusion asto the level of security the Firewallaffords and inconsistent rules foraccess.

Compliance The number of administrative accountsis kept to a necessary minimum.

Testing• From the Administration

interface Go to System > Configand then click on the Admin tab.Capture a screenshot or printoutof the settings.

• Through interview with the localSystem Administrator establishthe purpose of each account.


© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.





Control Objective Remote administration conductedthrough appropriate vendor software,encryption and security methodology

Non Compliance Risk The use of inappropriate software,encryption and security methodology(such as the use of Telnet, whichbroadcasts information “in the clear”,lack of encryption for sessions and notlogging sessions) for remoteadministration can allow intruders toobtain user names and passwords andother sensitive information that cangrant them access to the firewall andsystem.

Compliance Remote administration conductedthrough SSH or 128-bit EncryptedHTTPS and restricted by IP address


logical access to the firewall isrestricted and if so how.

• From questionnaire determine ifremote administration isallowed.

• From questionnaire determinewhat protocol is used for remoteadministration.

• From questionnaire determine ifthere are written procedures andsecurity guidelines in place.Obtain a copy of the proceduresand guidelines and review.


© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Audit Step 2.4.4Reference NIST “Guide to Firewall Selection and

Policy Recommendations” John Wack,Ken Cutler, Jamie Pole

Control Objective Determine if remote access sessionsare logged.

Non Compliance Risk Failure to log remote access sessionscan result in undetected securitybreaches and poor change control.

Compliance Remote access sessions are loggedand the logs are stored securely


remote access sessions arelogged.

• Obtain a copy of the remoteaccess log. Determine if the lognotes:

1. Date and time of theremote session

2. User name

3. Source IP of the remote session




NIST “Guide to Firewall Selection andPolicy Recommendations” John Wack,Ken Cutler, Jamie Pole


Control Objective Ensure the Firewall has a documentedbackup procedure. Verify that backupsand restoration procedures are testedand verified to insure they are viable

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



and verified to insure they are viableNon Compliance Risk Failure to properly backup the firewall

could result in the loss of configurationinformation as well as system andsecurity log files.

Failure to test backups can result inloss of configuration information,extended down time and risk ofimproper configuration whenrecovering from a device failure.

Compliance Documented backup procedures existand are followed.

Backups are tested in a manner thatensures full system restoration can becompleted in the event of devicefailure.


the Firewall is backed up andwho is responsible for thebackup procedures.

• Request copies of the backupprocedures.

• Request backup testingprocedures.

• Request documentation of lastbackup test results.


© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.





Personal experience.


Control Objective Ensure default username andpasswords have been changed

Non Compliance Risk Failure to change default settingsallows intruders easy access to devicesand networks due to the easilyattainable and widely known defaultuser names and passwords for manypopular devices.

Compliance Default user name and password havebeen changed

Testing Obtain the default user name and

password from the Firewalldocumentation. Observe localadministrator attempt to gainaccess to the system via the webinterface with this information.


Audit Step 2.4.7Reference NIST “Guide to Firewall Selection and

Policy Recommendations” John Wack,Ken Cutler, Jamie Pole

Personal experience


Control Objective Ensure that logical access is restrictedto a designated local managementworkstation and that the workstation isphysically secure

Non Compliance Risk Unrestricted logical access could allowunauthorized remote access sessionsfrom unsecured workstations. If theworkstation is unsecured access couldbe gained by unauthorized personnel.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



unauthorized remote access sessionsfrom unsecured workstations. If theworkstation is unsecured access couldbe gained by unauthorized personnel.

Compliance Logical access should be restricted viaIP address. The managementworkstation should be secured withpassword protection and not publiclyaccessible


logical access is restricted by IPaddress.

• Have local administrator log in tothe web administration interfaceGo to System > Config and thenclick on the Admin tab. Capturea screenshot or printout of thesettings.

• Note the location of theworkstation the administratorlogs into the web interface on.

1. Is the workstation in apublicly accessible area?

2. Is the workstationprotected by a user nameand password?

3. Does the workstationautomatically log the userout after a specifiedperiod of inactivity?

Test TypeSupporting DocumentationTest ResultsExceptions

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.






Control Objective Ensure that the device is configured tostop all access if the device fails (closeon failure)

Non Compliance Risk If the device is not configured to stoptraffic in the event of system orhardware failure there is the risk thedevice could stop working and gounnoticed. This would result in theorganization going unprotectedunknowingly.

Compliance The device is configured to stop alltraffic in the event of failure.


the device is capable of close onfailure and if it is configured todo so.

• Request documentation from themanufacturer or perimeterdefense vendor.


2.5 Transport Layer Security

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.






Control Objective Ensure only ports required to meetbusiness requirements are open on thesystem

Non Compliance Risk Unnecessary open ports could allowintruders to gather information aboutthe system or even facilitate an attackon the system.

Compliance Only necessary ports are open on thesystem.


Policy to determine what portsshould be enabled on thefirewall.

• Obtain a copy of theconfiguration file for the systemto determine which ports areenabled. Compare this to theallowed ports stated in theFirewall Policy.

• Using Nmap, and Nessus scanthe system to determine whichports are listening.

If any ports other than those listed inthe Firewall Policy and configurationfile are running further attention shouldbe given to whether the system ismisconfigured or if in fact the systemhas been compromised.


© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



2.6 Application Layer Security

Audit Step 2.6.1Reference “Building Internet Firewalls, 2d ed.

Elizabeth D. Zwicky, Simone Cooper,and D. Brent Chapman 2000.

Personal experience


Control Objective Ensure that the firewall is usinginbound filtering and only theapplication proxy services allowed bythe firewall policy are running on thedevice.

Non Compliance Risk If the firewall does not perform inboundfiltering or allows unnecessaryapplication proxy services,unnecessary or intentionally malformedpackets may be introduced to thenetwork.

Compliance Inbound filtering is being used and onlythose application proxy services statedin the firewall policy are running on thedevice.

Testing • Determine which applicationproxy services are allowedaccording to the firewall policy.

• Compare the services allowed inthe policy to the services thatare allowed by inbound filteringon the firewall. Have the localadministrator log on using theweb interface. Go to Web Filter> Script Filter to determine whatservices are allowed.


© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.





“Firewall Checklist” Krishni Naiduhttp://www.sans.org/score/firewallchecklist.php


Control Objective Ensure that the device is using statefulinspection and closing ports tounsolicited traffic.

Non Compliance Risk If the device is not using statefulinspection the device is not examiningdata at the application level and portsmay be left open to unsolicited traffic.

Compliance The device is using stateful inspectionto track each connection traversing allinterfaces of the firewall and makessure they are valid.


the device is using statefulinspection.

• Request documentation from themanufacturer or perimeterdefense vendor verifying thedevice uses stateful inspection.


© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



2.7 Intrusion Detection/Prevention Administration

Audit Step 2.7.1Reference Personal experience

Fortigate-60 Documentation “NetworkIntrusion Detection System (NIDS)”

Control Objective Ensure that the intrusion detectionfeature is enabled and the properinterfaces are being monitored by theIDS.

Non Compliance Risk From the Fortigate-60 user guide it wasstated that the intrusion detectionfeature is on by default but can bedisabled. It is important to verify thatthis feature is enabled and that theproper interfaces to the network arebeing monitored.

Compliance The intrusion detection feature isenabled on the device.

Testing• Have the local administrator log

on to the web interface. Go toNIDS > Detection > General tab.Ensure that at least oneinterface is checked. If nointerfaces are checked the IDSfunction is not enabled.

• Through interview establishwhich interfaces should beenabled. Ensure that theseinterfaces are in fact checkedand active in the NIDS >Detection > General tab.


© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.





Control Objective Ensure that the attack signaturesfeature is enabled on the IDS.

Non Compliance Risk From the Fortigate-60 user guide it wasstated that the NIDS attack signaturesfeature is on by default but can bedisabled. It is important to verify thatthis feature is enabled.

Compliance NIDS attack signatures are enabled.


on to the web interface. Go toNIDS > Detection > SignatureList tab. By default allsignatures are checked andshould be left so. If there areany signatures not checkedestablish if there are validbusiness reasons for them to beturned off.




Control Objective Ensure that the NIDS attack preventionfeature is enabled.

Non Compliance Risk From the Fortigate-60 user guide it wasstated that the NIDS attack preventionfeature is disabled by default and that itis automatically disabled after a rebootor power loss. It is important to verifythat this feature is enabled.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Compliance The attack prevention feature isenabled.


on to the web interface. Go toNIDS > Prevention. Ensure thatthe “Enable Prevention” in theupper left corner is checked.


2.8 Anti-Virus Gateway Administration


Fortigate-60 Documentation “Virus andattack definitions updates andregistration”

Control Objective Ensure that the antivirus and attackdefinitions are updated on a scheduledbasis.

Non Compliance Risk Out of date antivirus and attackdefinitions can expose the network toknown viruses and attacks. Ensuringthat a schedule is in place toautomatically or manually update thedefinitions is vital to protecting thenetwork from worms and viruses.

Compliance The antivirus feature is configured toconnect to the FortiResponseDistribution Network (FDN) and updatethe antivirus and attack definitions on aregularly scheduled basis

Testing • Have the local administrator logon to the web interface. Got toSystem > Update. Review thesettings to determine if, and howoften, automatic definitionupdates are scheduled to occur.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



settings to determine if, and howoften, automatic definitionupdates are scheduled to occur.

• Have the local administrator logon to the web interface. Go toSystem > Update. Review theLast Update Attempt and LastUpdate Status fields todetermine when the definitionswere last updated and if theupdate was successful.


© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Assignment 3 – Audit Example

Initial steps:

A brief pre-audit questionnaire was sent to the bank’s CIO in order to gain abetter understanding of the organization’s policies, procedures, and knowledgeregarding the Foritigate-60 firewall. The answers were discussed with the CIOand local administrator once audit arrived on site to ensure that the questionswere understood and the answers were correct to the best of their knowledge.(See Exhibit Q below)

Exhibit Q: Firewall Audit QuestionnairePlease fill out a questionnaire for each firewall in place in the organization

Organization: CBMW Bank

Questionnaire completed by: CIO

Firewall type: Fortinet Fortigate-60

Internal designation: Fortigate 60

Question Response1) Does the organization maintain a

general security policy?

a) If yes, who is in charge ofkeeping the policy up todate?

b) If yes, how often is the policy updated?

No, In process of creating with third partyvendor

2) Does the organization maintain afirewall security policy?

a) If yes, who is in charge ofkeeping the policy up todate?

b) If yes, how often is thepolicy

updated?

No.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



3) Does an outside vendor manage orconsult on configuration of thefirewall?

a) If yes, are there writtenagreements and proceduresin place regarding theconfiguration of the firewalland its intended functions?

b) If yes, are there writtenprocedures in place forfirewall configurationchange management?

c) If yes, how is the vendornotified of internal changesto network configuration orhardware changes that mayaffect the firewall’sfunctions?

Yes

Yes. Procedures and agreements but noprocedures for configuration or intendedfunctions.

Yes. The Perimeter defense vendor haspolicies and procedures for testing andchange management.

Incident response form and e-mail changerequest forms.

4) Who is in charge of firewall logmonitoring and management?

Perimeter Defense vendor Secure Networks(SN).

5) Are the firewall logs reviewedmanually or is a diagnostic programused?

SN uses both methods to insure accuracyand minimal false positives.

6) Where are firewall logs stored? SN stores logs on a remote server which isbacked up daily. A local copy is also keptfor redundancy.

7) How long are logs archived? According to Service Level Agreements inPerpetuity

8) How is management notified ofpossible incidents with regards tothe firewall?

Phone calls followed by e-mails.

9) Is the firewall configured withseparate switches on each interfaceor are both interfaces on the sameswitch?

A secondary firewall is connected viatwisted cable to the second interface.

10) Is the firewall configured to stop allaccess if the device fails (close onfailure)?

Yes per Fortinet and SN

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



access if the device fails (close onfailure)?

11) Is physical access to the firewallrestricted and if so how?

Concentric locks on outer and inner doorsand device resides in a locked cabinet.

12) Is logical access to the firewallrestricted and if so how?

Restricted access via HTTPS and SSHfurther restricted by IP address.

13) Is remote access allowed to the firewall?

a) If yes, what protocol isused?

b) If yes, who is allowedremote access?

c) If yes, are remote accesssessions logged?

d) If yes, are writtenprocedures and securityguidelines in place?

Yes.

HTTPS, SSH

Local admin and vendor restricted by IPaddress.

Yes. (log requested and reviewed byAudit)

Yes. SN has written procedures.(Requested and reviewed by Audit)

14) Does the firewall employ “Stateful” or “Static” filtering?

Both. Stateful through use of NAT andstatic through use of software.

15) Are all non-essential services disabled on the firewall?

Yes.

16) Does the device have an IDS function?

a) If yes, who is in charge ofmonitoring the IDSfunction?

b) If yes, how is management notified in the event of an IDS alert?

Yes.

SN

Phone call followed by e-mail

17) Are the firewall settings backed up in the event of device failure?

a) If yes, how often?

b) If yes, who is responsible for

Yes.

After every change and every 30 days.

SN

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



the backups?

c) If yes, where are the backups stored?

Same process as firewall logs above.

18) Does the organization have a DMZ?

a) If yes, what devices reside in the DMZ?

b) If yes, what types of traffic are allowed and how are

restrictions managed?

Yes.

Web server and two training PCs.

Web – Port 80 and 443 (SSL)Internal – SSH, FTP to DMZ nothingallowed from DMZ.

19) Is a backup firewall in place?

a) If yes, is the backup configured to be a failover

device?

b) If yes is it the same modelas the primary device?

No. A secondary device is available but isnot the same type and is not configured forfailover or backup.

20) Does the firewall allow VPN connections?

a) If yes, is a VPN utilized?

b) If a VPN is utilized, arethere security policies andprocedures for VPN users tofollow?

c) If VPN is utilized, are VPNsessions logged?

Yes.

No.

21) Does the firewall have anti-virus features?

a) If yes, how are the virus definitions kept up to date?

b) If yes, who is in charge of

Yes.

Automatic update.

SN

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



insuring the virus definitions are up to date?

c) If yes, how often are the virus definition updated?

Weekly

After analyzing the answers to the questionnaire two initial areas of interest werefound. Most notably no policies with regard to the firewall are exist. This willmake several of the audit steps in our checklist more difficult as we areattempting to audit the device for compliance with the bank’s policies. The otheritem to note is the use of a third party vendor for configuration and managementof the device. The bank is relying on the vendor to certify the device isconfigured and functioning properly, however the vendor has no guidance fromthe bank as to how the device should be configured and what functions thedevice should be performing.

During the audit these questionnaire findings were discussed with the CIO. Itappears that the CIO and local administrator are familiar with the perimeterdefense vendor’s practices and procedures and they have some degree ofconfidence in the vendor’s expertise.

Scope Expansion:

While discussing the steps of the audit with the CIO it was decided that since anexternal scan of the device was already planned, the scope of the audit would beexpanded to include response time of the vendor, Secure Networks, to anexternal “aggressive” scan against the bank’s perimeter firewall. While incidenceresponse procedures were in place with regards to what constituted an incident,who should be contacted and what methods of contact should be used, no realtest of the monitoring service has been conducted.

Addendum to Information Request:

Due to the expanded scope of the audit the original Item Request List wasmodified to include requests for information from the perimeter defense vendor.Secure Networks (SN) after an external scan of the device *.

Exhibit I: Information Request Items

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Pertaining to the Audit of the Fortinet Fortigate-60 Firewall

Required Before commencement of Audit

Any policies pertaining to security and firewall standards including Acceptable UsePolicy.

Network Diagram (including all IDS and Firewall units and IP addresses)

Fortigate-60 Configuration in print and electronic format. (Analogous to the “ShowConfig” command on a Cisco Pix)

Fortigate-60 NIDS signature list (From web interface Go to NIDS>Detection>SignatureList. Select View Details) in print and electronic format.

Fortigate-60 URL block list (From web interface Go to Web Filter>URL Block. SelectDownload URL Block List) in print and electronic format.

Fortigate-60 Script Filtering list if Script Filtering is enabled. (From web interface Go toWeb Filter> Script Filter) in print and electronic format.

Fortigate-60 Exempt URL list if URL Exemption is enabled. (From web interface Go toWeb Filter>Exempt URL) in print and electronic format.

Fortigate-60 Log Settings ( From web interface Go to Log&Report>Log Setting) in printand electronic format.

Fortigate-60 NIDS Alert E-mail configuration (From web interface Go toLog&Report>Alert Mail> Configuration) in print and electronic format.

Fortigate-60 List of users and users with Admin rights.

Screen shot of Firewall Banner in print and electronic format.

Required after Internal Scan of Firewall

Fortigate-60 NIDS logs for one half hour before and after scan

Fortigate-60 Firewall logs for one half hour before and after scan

IDS logs from Locally managed Internal IDS system(s)

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



* Required after External Scan of Firewall:

Fortigate-60 NIDS logs from 24 hours prior to scan thru 12 hours after the scan.

Fortigate-60 Firewall logs from 24 hours prior to scan thru 12 hours after the scan.

Notation of time between commencement of scan and notification from PerimeterDefense Vendor.

Copy of incident report from Perimeter Defense Vendor.

Tools Used:

Hardware:

IBM R50 Laptop with Windows XP/Fedora Core2 dual boot

Software:

Nessus – From http://www.nessus.org

Nessus is a full feature security scanner, which remotely audits an entire networkor a single device and through use of Nessus Attack Scripting Language (NASL)runs multiple tests to detect both remote flaws as well as local flaws. Nessusincorporates the functionality of Nmap’s TCP scanning techniques, along withNIDS evasion, URL encoding, SSL based services testing and Brute force loginsfor most available services. Nessus is a freely available open source utility thatruns on Linux and Unix. A windows based client version is available but stillrelies on having a Linux or Unix installation running as the server for the client.

Nmap – From http://www.insecure.org/nmap/

“Nmap ("Network Mapper") is a free open source utility for network exploration orsecurity auditing. It was designed to rapidly scan large networks, although itworks fine against single hosts. Nmap uses raw IP packets in novel ways todetermine what hosts are available on the network, what services (applicationname and version) those hosts are offering, what operating systems (and OSversions) they are running, what type of packet filters/firewalls are in use, anddozens of other characteristics.”

Audit Step Examples:

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Ten audit steps were taken from the checklist in section 2 to demonstrate how anactual audit of the Fortigate-60 device should be conducted.

For each audit step, results from the Testing section will be summarized in theTest Results section of the table. Below each audit step table, details of theprocedures, tools used, screen captures and any photographic evidence found isdisplayed to help the reader understand what is necessary for the successfulcompletion of each audit step.

3.2.2 Firewall Operating System Security

Audit Step 3.2.2.1Reference “Firewall Security Best Practice



Control Objective Ensure only services required to meetbusiness requirements are running onthe system

Non Compliance Risk Unnecessary services could allowintruders to gather information aboutthe system or even facilitate an attackon the system.

Compliance Only necessary services are runningon the system.


Policy to determine whatservices should be enabled onthe firewall.

• Obtain a copy of theconfiguration file for the systemto determine which services areenabled. Compare this to theallowed services stated in theFirewall Policy.

• Using Nessus, run an externalscan on the device to determinewhich ports are listening andwhat services are running onthose ports.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



what services are running onthose ports.

If any services other than those listedin the Firewall Policy and configurationfile are running further attention shouldbe given to whether the system ismisconfigured or if in fact the systemhas been compromised.

Test Type Objective – Stimulus/ResponseSupporting Documentation Q2Test Results Through use of the questionnaire it was

determined that a Firewall Policy doesnot exist. Since no Firewall Policycurrently exists there is not anopportunity to assess whether theFirewall configuration is in compliancewith the policy.

Analysis of the firewall configurationshowed that SSH, HTTPS, TCP andUDP were the only services that areconfigured to be running on the device.

An external Nessus scan provedinconclusive due to the bank’s use ofNAT Overloading or Port AddressTranslation (PAT). (See Figure 3.1)An internal scan of the deviceconfirmed that SSH v. 2.0 and HTTPS,TCP and UDP were the only servicesrunning on the system.

Exceptions Exceptions noted: No firewall policy inplace.

Figure 3.1 External Nessus scan results in html format.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



An external “aggressive” Nessus scan was run after business hours. Due to theexpanded scope of the audit this scan has two objectives:

• Confirm which services are running on the device.

• Test the response time and incident handling procedures of the perimeterdefense vendor Secure Networks (SN).

External Nessus Scan Detail:

The html-formatted results of the external scan included over 40 pages ofapparent open ports and running services. (See Figure 3.1) A second scangave similar but slightly different results.

Further investigation and discussion with the local administrator led to thediscovery that the bank utilizes NAT Overloading or Port Address Translation(PAT).

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



PAT allows an organization to use non-routable internal IP addresses that arethen mapped to a range of unique routable IP addresses through an addresstranslation table on a NAT enabled router. The router replaces the sendingcomputer’s non-routable IP address with the router’s IP address. The routerreplaces the sending computer’s source port with the port number that matcheswhere the router saved the sending computer’s information in the translationtable. The table now contains a mapping of the computer’s non-routable IPaddress and port number, matched to the router’s IP address.

When the packet returns from the destination computer it is checked against thetranslation table to determine which computer on the internal network the packetbelongs to. The router then changes the destination address and port to the onethat was saved in the translation table and sends it to the appropriate internalcomputer. If no match is found the packet is dropped.

With this information in mind it was decided that an external scan of the devicehad to pass through the router and the information returned could not be reliedon.

Scope Expansion Detail:

The secondary objective of the Nessus scan was to determine SN’s responsetime to the aggressive scan of the Bank’s perimeter. The audit laptop wasbooted into Fedora Core2 and a terminal window brought up. Nessus wasactivated using the following commands:

# nessusd –D [This command activates the Nessus daemon]# nessus [This command activates the Nessus GUI]

Nessus is highly configurable with regards to how it scans a device or network.Using the plug-ins tab you can either configure each plug-in to run or not run, orchoose either the “Enable all but dangerous plug-ins” or “Enable all” buttons (SeeFigure 3.2). For this scan, with the CIO’s permission, audit enabled all of theavailable plug-ins.

Figure 3.2 Screenshot of Nessus plug-in configuration

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



SN was not notified of the scan for obvious reasons. The start time of the firstscan was noted, as was the time of completion. The local administrator was theprimary point of contact for any incident reporting. No notification from SN wasreceived, even after a second scan was completed. SN was contacted thefollowing day but had no record of any scans run against the device. The CIOwill follow up with the vendor to determine if they are receiving the service theyare contracting for from the perimeter defense vendor.

Addendum:

The following morning bank personnel were unable to access the Internet. Afterworking with the Internet Service Provider and SN it was determined the bank’srouter was “frozen”. The router was rebooted and Internet access was restored.Further tests by the local administrator and SN proved that the router wasvulnerable to Denial of Service (DoS) attacks, which are part of the Nessusaggressive scan settings. This was due primarily to the bank’s use of PAT,which utilizes a high amount of DRAM on the router. A patch for the vulnerabilitywas requested from the router vendor however at the time of the audit no patchwas available.

3.2.3 Firewall Device Physical Security

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.





Personal experience.Control Objective Firewall device physical location should

be a secure area such as acombination or key card access datacenter or a locked server rack orcabinet.

Non Compliance Risk Lack of adequate physical security forthe firewall device could result inunauthorized changes to theconfiguration such as creation of backdoors or intentional misconfiguration offeatures such as IDS or Anti-Virus.

Compliance The firewall device resides in arestricted access data center or in alocked server rack or cabinet. Ideallyboth a restricted access data centerand a locked server rack or cabinetwould be utilized.

Testing• Ask to be shown the device and

note the location and securitymeasures in place at thelocation.

• If a secure location existsdocument the procedures forentry and exit from the location.

• If server rack or cabinet is usednote if a lock is present and inuse.

• If server rack or cabinet lock isused determine who has keys tolocks.

Test Type Objective/SubjectiveSupporting Documentation Figure 3.2 – 3.3Test Results The server room is protected by a steel

door with a combination lock. (seefigure 3.3) Only three people have thecombination to the room with a backupcopy of the combination in a sealedenvelope in a fire safe with restrictedaccess.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



door with a combination lock. (seefigure 3.3) Only three people have thecombination to the room with a backupcopy of the combination in a sealedenvelope in a fire safe with restrictedaccess.

Procedures for entry and exit from theroom are informal due to the limitednumber of personnel with thecombination.

The Fortigate-60 device resides in alocked cabinet along with several otherdevices including switches and IDSdevices. (See figure 3.4)

The only personnel with keys to thecabinet are the CIO and local networkadministrator.

Exceptions No exceptions noted.

Figure 3.3 Server Room Entrance Figure 3.4 Cabinet housing firewall

3.2.4 Firewall Device Maintenance Controls

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.






Fortigate-60 Documentation “Loggingand Reporting”

Control Objective Ensure system logging is enabled andthe logs are stored in a secure fashion.

Non Compliance Risk Not logging activities that pass throughthe firewall can result in the inability todetect intrusion attempts and canhinder or defeat forensic analysis of anintrusion event. Secure storage of logsprevents intruders from accessing andpossibly altering the logs to hideevidence of their intrusion.

Compliance Logging is enabled and the logs arestored in a secure fashion, preferablyon a remote syslog server.


in to the web interface.

• Choose Log & Report > LogSetting. Verify that the “Log toRemote Host” box is checkedand that a valid remote IP andPort number are entered.

• ChooseSystem>Network>Interface

Select edit in the modify column beside the active interfaces (NIC) and ensure the “Log” setting is set to “Enable” for each.

Test Type ObjectiveSupporting Documentation Figure 3.5Test Results The device is configured to log to a

remote server at the PerimeterDefense Vendor’s data center (SeeFigure 3.5). The logs are backed upeach night.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



remote server at the PerimeterDefense Vendor’s data center (SeeFigure 3.5). The logs are backed upeach night.

The log settings for the device are setto monitor the correct interfaces withappropriate access configured for eachinterface (See Figure 3.6).


Figure 3.5 Screen capture of remote host logging screen

Figure 3.6 Screen capture of network interface settings

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Screen shot obtained after firmware upgrade which changed graphicsand layout of the web interface.




Control Objective Minimize the number of administrativeaccounts on the Firewall.

Non Compliance Risk Lack of control of the number and typeof administrative accounts on a firewallcan lead to unmanageable changecontrol and could result in confusion asto the level of security the Firewallaffords and inconsistent rules foraccess.

Compliance The number of administrative accountsis kept to a necessary minimum.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



is kept to a necessary minimum.Testing

• From the Administrationinterface Go to System > Configand then click on the Admin tab.Capture a screenshot or printoutof the settings.

• Through interview with the localSystem Administrator establishthe purpose of each account.

Test Type Objective/SubjectiveSupporting Documentation Figure 3.7Test Results 6 user accounts are configured. One is

the general Admin account with thedefault password changed. Theremaining are as follows:

Netadmin – The local admin accountused internally

Backupuser – The remote adminaccount for the Perimeter Defensevendor’s access.

NetadminHome – The remote adminaccount for the local administrator toaccess the system from home.

The remaining two accounts,monitor_208 and monitor_ 63, aremonitor accounts to facilitate theperimeter defense vendor’s automatedreporting.

(See Figure 3.7).

In discussion with the SystemAdministrator all accounts are deemednecessary by management.


Figure 3.7 Screen capture of remote administration users screen.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



SANITIZE!!!



Control Objective Remote administration conductedthrough appropriate vendor software,encryption and security methodology

Non Compliance Risk The use of inappropriate software,encryption and security methodology(such as the use of Telnet, whichbroadcasts information “in the clear”,lack of encryption for sessions and notlogging sessions) for remoteadministration can allow intruders toobtain user names and passwords andother sensitive information that cangrant them access to the firewall andsystem.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



obtain user names and passwords andother sensitive information that cangrant them access to the firewall andsystem.

Compliance Remote administration conductedthrough SSH or 128-bit EncryptedHTTPS and restricted by IP address


remote administration isallowed.

• From questionnaire determine iflogical access to the firewall isrestricted and if so, how.

• From questionnaire determinewhat protocol is used for remoteadministration.

• From questionnaire determine ifthere are written procedures andsecurity guidelines in place forremote administration. Obtain acopy of the procedures andguidelines and review.

Test Type ObjectiveSupporting Documentation Q12, Q13, Q13a, Q13dTest Results From the questionnaire and

discussions with the local administratorit was determined that remoteadministration of the device is allowed.

Logical access to the firewall isrestricted via IP address or “TrustedHost”.

The only remote administrationprotocols used to access the deviceare SSH and HTTPS. From earlierscans SSH is version 2.0.

Additionally all remote sessions arelogged by the system. (See Exhibit L)

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Secure Networks provided a detailedguide that they give to each of theiremployees and to the localadministrator of devices they manage.The document is thorough and concisein the procedures for accessingsystems that SN manages.

Exceptions No Exceptions noted.

Exhibit L: Sample from firewall log of remote administration session.

2004-07-13 09:42:59 log_id=0104000001 type=event subtype=admin pri=informationuser=monitor_208 ui=GUI(208.100.100.1) action=login status=success reason=nonemsg="User monitor_208 login successfully from GUI(208.100.100.1)"

SN also provided detailed change control procedures that must be followedbefore any change is made to the system via remote administration. While theprocedures are proprietary and SN did not want them reproduced in whole, asummary of the key areas is presented below.

• Acceptable format for change requests• Testing of device changes in lab setting• Backup of existing configuration• Testing of Backup• Application of changes• Change documentation including change request, lab work, backup test

results



NIST “Guide to Firewall Selection andPolicy Recommendations” John Wack,Ken Cutler, Jamie Pole


Control Objective Ensure the Firewall has a documentedbackup procedure. Verify that backupsand restoration procedures are testedand verified to insure they are viable

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



and verified to insure they are viableNon Compliance Risk Failure to properly backup the firewall

could result in the loss of configurationinformation as well as system andsecurity log files.

Failure to test backups can result inloss of configuration information,extended down time and risk ofimproper configuration whenrecovering from a device failure.

Compliance Documented backup procedures existand are followed.

Backups are tested in a manner thatensures full system restoration can becompleted in the event of devicefailure.


the Firewall is backed up andwho is responsible for thebackup procedures..

• Request backup testingprocedures.

• Request documentation of lastbackup test results.

Test Type ObjectiveSupporting Documentation Q17, Q17bTest Results SN is solely responsible for backing up

the Fortinet-60 device configuration.Backup is initiated every 30 days andafter every change.

Backup procedures were reviewed andfound to be detailed and thorough. Thedevice configuration is backed up tothe same server as the firewall logs.Additionally the backup is tested byrestoring to a test device in SN’s lab.

A copy of the documentation for thelast backup test was received andreviewed. All steps and procedures forrestoring the backup configuration werefollowed and the test results reviewedand approved by SN management.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



reviewed. All steps and procedures forrestoring the backup configuration werefollowed and the test results reviewedand approved by SN management.

Exceptions No Exceptions noted.

3.2.5 Transport Layer Security




Control Objective Ensure only ports required to meetbusiness requirements are open on thesystem

Non Compliance Risk Unnecessary open ports could allowintruders to gather information aboutthe system or even facilitate an attackon the system.

Compliance Only necessary ports are open on thesystem.


Policy to determine what portsshould be enabled on thefirewall.

• Obtain a copy of theconfiguration file for the systemto determine which ports areenabled. Compare this to theallowed ports stated in theFirewall Policy.

• Using Nmap, scan the system todetermine which ports arelistening.

If any ports other than those listed inthe Firewall Policy and configurationfile are running further attention shouldbe given to whether the system ismisconfigured or if in fact the systemhas been compromised.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



file are running further attention shouldbe given to whether the system ismisconfigured or if in fact the systemhas been compromised.

Test Type Objective-Stimulus/ResponseSupporting Documentation Figure 3.8Test Results Since no Firewall Policy is in place

there is no way to audit theconfiguration against policy.

Review of the configuration file showedthat only ports 22 and 443 for SSH andHTTPS respectively, should be openon the firewall.

An internal Nmap scan verified thatonly ports 22 and 443 are open andlistening. All others are listed as“filtered”.

Exceptions Exception noted. No Firewall policy inplace to compare configuration file.

Nmap Internal Scan Detail:

Nmap was used to scan for open ports on the Fortigate-60 device. The auditlaptop was connected to the network, booted into Fedora Core2 and a terminalwindow brought up. The following command was entered at the commandprompt:

# nmap -sS -PT -PI -O -T 3 [Target IP] (See Figure 3.8)

-sS tells Nmap to perform a TCP SYN scan, or “half open” scan. This commandsends a SYN packet and then waits for a response. If a SYN/ACK is received itindicates a listening port. –sS is preferable to the normal TCP connect (-sT)because some firewalls and packet filters tend to drop probes without response.

-PT and –PI tells Nmap to perform TCP and ICMP ping sweeps against thedevice. This is useful in bypassing firewall filters that look for either sweep type,but not both.

-O tells Nmap to activate remote host identification using TCP/IP fingerprinting.Many times Nmap can only give a best guess from the results of the TCPsequencing.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



-T 3 tells Nmap to which timing policy to use for scanning. 3 is the setting for aNormal scan which scans more slowly, but eases the load on the network andreduces the possibility of crashing a machine or device.

Figure 3.8 Screenshot of Nmap run in Terminal on Fedora Core2

Nmap Output Detail:

Nmap Output Detail:

[root@audit01 root]# nmap -sS -PT -PI -O -T 3 {Target IPAddress} Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at2004 11:02 CST Warning: OS detection will be MUCH less reliable becausewe did not find at least 1 open and 1 closed TCP port

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Insufficient responses for TCP sequencing (1), OS detectionmay be less accurate

-sS –PT –PI returns:Interesting ports on {Target IP Address}(The 1657 ports scanned but not shown below are in state:filtered)PORT STATE SERVICE22/tcp open ssh443/tcp open https

-O returns:Device type: general purposeRunning: Microsoft Windows 2003/.NETOS details: Microsoft Windows Server 2003 Standard Edition

3.2.5 Transport Layer Security

Audit Step 3.2.6.1Reference “Building Internet Firewalls, 2d ed.

Elizabeth D. Zwicky, Simone Cooper,and D. Brent Chapman 2000.

Personal experience


Control Objective Ensure that the firewall is usinginbound filtering and only theapplication proxy services allowed bythe firewall policy are running on thedevice.

Non Compliance Risk If the firewall does not perform inboundfiltering or allows unnecessaryapplication proxy services,unnecessary or intentionally malformedpackets may be introduced to thenetwork.

Compliance Inbound filtering is being used and onlythose application proxy services statedin the firewall policy are running on thedevice.

Testing • Determine which applicationproxy services are allowedaccording to the firewall policy.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



according to the firewall policy.

• Compare the services allowed inthe policy to the services thatare allowed by inbound filteringon the firewall. Have the localadministrator log on using theweb interface. Go to Web Filter> Script Filter to determine whatservices are allowed.

Test Type ObjectiveSupporting Documentation Figure 3.9Test Results Since no Firewall Policy is in place

there is no way to audit theconfiguration against policy.

The script filtering capabilities of theFortigate-60 device are limited to JavaApplet, ActiveX and Cookie scripts.

Exceptions Exceptions noted. No Firewall Policy inplace.

Figure 3.9 Script Filter configured to block Java Applet and ActiveX scripts

3.2.7 Intrusion Detection/Prevention Administration

Audit Step 3.2.7.1Reference Personal experience


Control Objective Ensure that the intrusion detectionfeature is enabled and the properinterfaces are being monitored by theIDS.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



IDS.Non Compliance Risk From the Fortigate-60 user guide it was

stated that the intrusion detectionfeature is on by default but can bedisabled. It is important to verify thatthis feature is enabled and that theproper interfaces to the network arebeing monitored.

Compliance The intrusion detection feature isenabled on the device.


on to the web interface. Go toNIDS > Detection > General tab.Ensure that at least oneinterface is checked. If nointerfaces are checked the IDSfunction is not enabled.

• Through interview establishwhich interfaces should beenabled. Ensure that theseinterfaces are in fact checkedand active in the NIDS >Detection > General tab.

Test Type ObjectiveSupporting Documentation Figure 3.10Test Results The NIDS>Detection>General tab was

accessed and it was discovered nointerfaces were being monitored. Afterdiscussion with the CIO and SN achange request was submitted to SNand the “Internal” and “wan1” interfaceswere checked. (See Figure 3.10)

The CIO will investigate with SN whythe lack of IDS activity (logging,incident reports, etc) went unnoticedand attempt to verify how long thedevice has been misconfigured.

Exceptions Exception found. Issue resolvedsatisfactorily during course of audit. Noexception noted.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Figure 3.10 NIDS detection interface setup screen. (Properly configured)

Audit Step 3.2.7.2Reference Personal experience


Control Objective Ensure that the attack signaturesfeature is enabled on the IDS.

Non Compliance Risk From the Fortigate-60 user guide it wasstated that the NIDS attack signaturesfeature is on by default but “After theFortigate unit reboots, the NIDS attackprevention and synflood prevention arealways disabled.”

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Fortigate unit reboots, the NIDS attackprevention and synflood prevention arealways disabled.”

It is important to ensure that the attackprevention and synflood prevention areenabled on the device.

Compliance NIDS attack prevention and synfloodprevention are enabled.


on to the web interface. Go toNIDS > Prevention tab. Ensurethe “Enable Prevention” checkbox in the upper left corner ischecked. By default allsignatures are checked andshould be left so. If there areany signatures not checkedestablish if there are validbusiness reasons for them to beturned off.

Test Type ObjectiveSupporting Documentation Figure 3.11Test Results The local administrator logged into the

web interface and theNIDS>Prevention section wasaccessed. It was discovered that the“Enable Prevention” check box was notchecked. After discussion with the CIOand SN a change request wassubmitted to SN and the “EnablePrevention” check box was checked.SN was also apprised of the necessityto check this setting after any reboot ofthe system to ensure this feature isenabled.

Exceptions Exception found. Issue resolvedsatisfactorily during course of audit. Noexception noted.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Figure 3.11 Screenshot of NIDS Prevention (Properly configured)

Assignment 4 - Sample Audit Report

CBMW Bank Audit Report

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Report Issued: August 25th, 2004

Audit Committee Distribution: Audit andReport Completed by:

Brian Cook,IT Auditor

Internal Distribution:CIOCEOCOO

Table of Contents

Executive Summary Pg 3

Fortigate-60 Firewall Audit

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



General Background Pg 4

Detailed Findings Pg 5

Objectives, Scope & Procedures Performed Pg 6

Testing Summary Pg 7-10

Appendices

Appendix A Pg 11

Executive Summary

External audit performed an audit on the bank’s primary firewall between July 13th andJuly 22nd 2004. The objectives of this audit were to obtain an understanding of the keyadministrative and operational processes related to the device and to evaluate theadequacy and effectiveness of the device.

A secondary objective of the audit was to assess the perimeter defense vendor’sresponsiveness and reporting capabilities in the event of an intrusion attempt.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Key Findings and Recommendations

• Review of the bank’s internal policies and procedures showed that no formalwritten policies and procedures related to firewall administration are in place.During the audit it was found that management has hired an outside consultant todevelop an Information Security policy. External Audit recommends seniormanagement ensure the policy is implemented by the end of 2004.

• While performing an external scan of the network Internal Audit was made awareof a vulnerability in the bank’s router which causes the router to shut downresulting in loss of Internet and e-mail access as well as loss of connection withthe Internet Banking vendor and the Federal Reserve. This vulnerability can beavoided by discontinuing the use of a specific network translation protocol (seedetailed findings). External Audit recommends IT management determine if thebenefits of using the network translation protocol outweigh the possibility ofperiodic Internet outages.

• During review of the firewall’s Intrusion Detection feature it was discovered thatseveral settings, necessary for the device to be fully functioning as an IDS, weredisabled. This was discussed with the perimeter defense vendor and the necessarychanges were made to the configuration to ensure that the IDS feature was fullyfunctional. External audit has no further recommendations at this time.

• The perimeter defense vendor’s responsiveness and reporting capabilities tomanagement were not as expected. External Audit recommends that ITmanagement work with the perimeter defense vendor to understand and clarifytheir monitoring and reporting capabilities and establish documented thresholdsfor incident reporting and notification.

General Background

A firewall is a system designed to prevent unauthorized access to or from a privatenetwork. Firewalls can be implemented in both hardware and software, or a combinationof both. Firewalls are frequently used to prevent unauthorized Internet users fromaccessing private networks connected to the Internet, especially intranets. All messagesentering or leaving the intranet pass through the firewall, which examines each messageand blocks those that do not meet the specified security criteria.

CBMW’s management recognizes the growing significance of, and reliance on, their ITinfrastructure. The data transmitted over CBMW’s network and stored on its servers isboth vital and sensitive and every precaution must be taken to ensure the data’s safety

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



and security. The consequences of a security breach of the organization’s network is aserious matter. Loss of data, reputational damage, and financial loss are all very realpossibilities. With CBMW, like most organizations, firewalls are the first major line ofdefense against outside intrusion.

As part of External audit’s IT audit program an audit was conducted on the bank’sprimary firewall device, a Fortinet Fortigate-60 Antivirus firewall. This device is one oftwo firewalls present on the network. As part of an overall plan to increase both thedefensive posture of CBMW’s network and the ability to continually monitor the networkIT management chose the Fortigate-60 for both its Antivirus capabilities and the built inIntrusion Detection System (IDS).

Configuration and administration of the Fortigate-60 firewall is primarily theresponsibility of CBMW’s perimeter defense vendor Secure Networks. While the localSystem Administrator can make changes if necessary, he does not have the testing andimplementation resources available to the perimeter defense vendor. The vendor’s changecontrol procedures facilitate change requests, and include testing and implementation foreach modification to the device.

This audit focused on three major functions of the device:

• Configuration and functionality of the Firewall feature.

• Configuration and functionality of the Intrusion Detection feature.

• Configuration and functionality of the Antivirus feature.

Industry best practices for each feature were researched and External Audit developed anaudit program to conduct a comprehensive examination of the device to ensure it isconfigured and operating as intended and protecting the bank’s network appropriately.

The bank’s policies and procedures were reviewed as well as administrative practices forchange management. Physical and logical access policies and procedures were alsoreviewed to ensure that local and remote access sessions are conducted using a securemethodology.

Detailed Findings and Recommendations

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Policies

In reviewing the bank’s internal policies and procedures it was noted that no formalwritten policies and procedures related to firewall administration are in place. During theaudit it was found that management has hired an outside consultant to develop anInformation Security policy. External Audit recommends senior management ensurethis is a priority. Without clearly defined procedures for configuration, logging, changecontrol, remote access, physical access, and patch management the organization riskshaving a firewall in place that does not protect the organization’s network.

Router Vulnerability

While outside the scope of this audit, it should be mentioned that in the course of anexternal scan of the firewall an issue with the bank’s router was discovered that makesthe device vulnerable to Denial of Service attacks after a port scan of the router. In otherwords, by simply running a scan with freely available software, even without maliciousintent, anyone can shut down the bank’s Internet access.

This is due to the bank’s use of Port Address Translation or PAT, which allows multiplecomputers to access the Internet using only one external IP address. This protocol puts anundue load on the router and causes it to shut down if it becomes overloaded. This stopsall Internet and e-mail access as well as connectivity to external vendors. There is apossibility the device’s manufacturer will provide a patch for this vulnerability at somepoint in the future but no specific commitment to do so has been expressed. ExternalAudit recommends senior management determine if the benefits of utilizing PAToutweigh the probability of periodic Internet outages resulting from external scans of oursystem. This will be re-addressed in detail during a planned audit of the router device inquestion.

IDS Configuration

During review of the firewall’s Intrusion Detection feature it was discovered that severalsettings, necessary for the device to be fully functioning as an IDS, were disabled.Specifically, the settings which tell the device which network to monitor, and attackprevention settings were disabled. This was discussed with the vendor and the necessarychanges were made to the configuration to ensure that the IDS feature was fullyfunctional. External audit has no further recommendations at this time.

IDS Vendor Response

Internal Audit performed an external, “aggressive” scan of the network from a remotelocation to assess the firewall’s effectiveness and the perimeter defense vendor’s

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



responsiveness and reporting capabilities. While the firewall was effective in blockingthe scans intended actions, the perimeter defense vendor’s responsiveness and reportingcapabilities were not as expected. No notification was received of the incident and norecord of the scan was found. External Audit recommends that IT management workwith the perimeter defense vendor to understand and clarify their monitoring andreporting capabilities and establish documented thresholds for incident reporting andnotification.

Objectives, Scope & Procedures Performed

Objectives: Scope:

• Ensure the device is configuredand performing in compliance withthe bank’s policies and securitygoals.

• Verify the firewall configurationand functionality follow industrybest practice guidelines.

• Verify the Antivirus configurationand functionality follow industrybest practice guidelines.

• Verify the Intrusion Detectionconfiguration and functionalityfollow industry best practiceguidelines.

The scope of this audit includes a review ofthe following areas:

• Policies and Administrativepractices

• Physical and logical security of thedevice

• Configuration of firewall rule-sets• Configuration of the Anti-virus

feature• Configuration of the IDS feature• Enabled services running on the

device• Perimeter Defense vendor response

Summary of Procedures Performed:

• Interviewed IT management and appropriate staff to determine administrative

practices and procedures.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



• Interviewed Perimeter Defense vendor technical staff and management to

determine administrative practices and procedures with regards to remote

management and logical access.

• Reviewed existing policies and documentation of relevant procedures.

• Obtained an understanding of the device and its functions through research and

requested items from IT.

• Physically inspected the device to determine level of physical security.

• Conducted both an external and an internal scan of device using Nessus scanning

software and NMap software to test configuration settings and determine if

unnecessary or unsecured services are running on the device.

Testing Summary of Fortigate-60 FirewallThe matrix below outlines testing performed and related results. Testing was conductedduring the week of July 12th, 2004.

Testing PerformedObservations

Policies and Administrative Practices

1) Reviewed bank’s policies and procedures forNetwork Security with regards to firewalladministration and change control.

1) Exception found. Nopolicies related to thefirewall are in place.IT management is inthe process ofdeveloping andrefining morecomprehensivenetwork policies withthe help of Secure

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



2) Reviewed Perimeter Defense vendor’spolicies and procedures for change control,remote access, backup and restorationprocedures.

firewall are in place.IT management is inthe process ofdeveloping andrefining morecomprehensivenetwork policies withthe help of SecureNetworks and SuperiorConsulting.

Senior managementshould ensure this is apriority. Without clearlydefined procedures forconfiguration, logging, changecontrol, remote access,physical access, and patch management the organization riskshaving a firewall in place thatdoes not protect theorganization.

2) No exceptions noted.Vendor policies andprocedures are conciseand cover all necessaryareas.


Physical and Logical Access to the device1) Inspected the physical security of the device. 1) No exceptions noted.

The physical securityof the device isexcellent withconcentric layers oflocks in place toprotect access.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



2) Reviewed the permissions and number ofadministration accounts to ensure they arekept to a minimum.

3) Reviewed remote access policies andprocedures as well as the methods used forremote access to ensure proper proceduresand methodology is used.

excellent withconcentric layers oflocks in place toprotect access.

2) No exceptions noted.The administratoraccounts include onlyaccounts necessary formaintenance andmonitoring of thedevice by SecureNetworks and the localSystem Administrator.

3) No exceptions found.Guarded Network’sremote access policiesand procedures arecomprehensive andwell documented. Thebank should developprocedures for internallogical access as well.


Configuration of the Firewall Rulesets

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



1) Visually reviewed printed version ofFirewall configuration to ensure proper rule-sets are present and enabled.

2) Conducted external scan of device usingNessus scanning software to determine ifany known vulnerabilities were present inthe configuration.

1) No exceptions found.The Fortigate line offirewalls has whatsome would considerexcessive rulesets(Best practiceguidelines specify anaverage of 20 rulesetswhile the Fortigate hasover 70) there may besome benefit to theextra layers ofprotection.

2) The results of theexternal scans weresomewhat inconclusivedue to the bank’s useof PAT. However noknown vulnerabilitieswere found. Due to thevulnerability of therouter to Denial ofService attacks furtherscanning of the routerwas deemed toodisruptive.


Configuration of Anti-Virus feature

1) Visually reviewed printed version of Anti-virus configuration to ensure proper filepatterns and services are present andenabled.

1) No exceptions found.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.




Configuration of IDS feature1) Visually reviewed printed version of

IDS configuration to ensure proper filepatterns and services are present andenabled

2) Requested IDS logs detailing externalscan of device from Secure Networks.

1) Exception found. Theconfiguration showedthat most features forthe IDS were disabled.Some confusion as tothe designation ofdisabled vs. enabledwas cleared up duringconversations withSecure Networks. Itwas determined theIDS feature was notconfigured correctlyand therefore was notlogging networkactivity. The SystemAdministrator workedwith the vendor toenable the IDS featureduring the course of theaudit. No furtherrecommendationsnecessary.

2) Secure Networks wasunable to provide logsof the external scan dueto misconfiguration ofthe IDS feature of thedevice.


Enabled Services running on the device

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



1) Conducted internal scan of the device usingNessus scanning software and a directconnection (via crossover cable plugged directlyinto hub connected to device) to determine ifunnecessary or unsecured services such as FTPor Telnet were running.

1) No exceptions found.The scan of the deviceshowed only HTTPS andSSH services wererunning, both beingnecessary for the device tofunction properly.

Audit Committee Chairman Date

Audit Manager Date

Senior Technology Officer Date

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



Appendix A

Diagram of the Network. A brick wall icon located near the top of the diagram notesthe Fortigate-60 device location in the network architecture.

© S

AN

S In

stitu

te 2

00

5, A

utho

r ret

ains

full

righ

ts.



References

Fortigate-60 Installation and Configuration Guide Version 2.50 MR2

Zwicky, Elizabeth D, Simone Cooper and D Brent Chapman. Building InternetFirewalls, 2d ed. O’Reilly 2000.

Cheswick, Bill, Steve Bellovin and Avi Ruben. Practical Internet & Unix Security.O’Reilly 1996.

Sawyers, Jimmy R. IT Auditing for Financial Institutions 2 vols. Alex eSolutions2004.

Wack, John, Ken Cutler and Jamie PoleNIST “Guide to Firewall Selection and Policy Recommendations”http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

Krishni Naidu Firewall Checklist http://www.sans.org/score/firewallchecklist.php

Firewall Security Best Practice Guidelines http://www.knowledgeleader.com(Fee based membership site with 30-day free trial with valid e-mail address)

Documents

Fortigate 60 Firewall Security Audit Auditors Perspective