July 2003
The Firewall Physical
How do you know if your firewall is "healthy"?
BY Fred Avolio
When you go to the doctor for a physical, the procedure is fairly routine:
the doc weighs you, takes your temperature, checks your blood pressure and
pulse, looks in your ears, nose and throat, feels your lymph nodes, listens to
your heart and lungs, and so on.
Why are most physicals just like this? Because common medical problems are
diagnosed through a standard, "low-tech" examination. While a checkup by itself
may not lead to a concrete diagnosis, it will at least reveal symptoms that need
closer examination.
In cyberspace, your firewalls need routine checkups if they're to remain
healthy. Like the human body, computer equipment ages with time and wear and
tear. It's not enough to know that you correctly installed your firewall. You
have to run it through a "firewall physical" to ensure it stays in tip-top
shape.
Here are six things to examine:
-
Configuration files. No matter how tight you lock down your firewall
during installation, all bets are off once it goes live. Your firewall security
policy should dictate configuration parameters in high-level, unspecific terms.
You should develop and monitor firewall-specific policies with configuration
details, such as what traffic is allowed or what services use proxies.
The policy should specify the steps for modifying a firewall's
configuration--what authorization is needed to make changes, who is permitted to
make changes and when, how to document the changes, etc. The policy should also
dictate a separation of duties, where one person does the work, another
documents the changes, and a third tests and reviews the new setup.
Disk usage. This is important if you store logs on the firewall, but
even more so if you don't. In the first case, an abnormal increase in the rate
of disk usage could indicate a problem in the log cleanup procedures. In the
latter case, it could mean someone has installed a rootkit. In any case, you
must develop a baseline of what constitutes "normal" firewall disk usage. Most
problems--security or otherwise--take a system out of its normal state.
CPU load. Similar to disk usage, the CPU load is an indicator of
system health. Again, you must know what normal is. A low CPU load doesn't
necessarily mean "all is well," but an abnormally high one almost always means
something is wrong. It could be anything from a DoS attack to the loss of your
outside network connection.
Daemons. Each firewall has a normal set of daemons that must be
running to operate correctly, such as a name server, system logging program,
network dispatcher or authentication server. Are all running that should be? If
not, why not? What else is running that shouldn't be?
System files. A critical system file changes for three reasons: an
admin purposefully changed it, perhaps as part of a scheduled upgrade; an admin
accidentally changed it; or an attacker changed it. Again, your policy for
firewall configuration changes must cover how to correctly document system file
changes.
Log anomalies. Firewall logs, of course, are a great source of health
information, documenting all traffic that is permitted and denied. Because of
the amount of data, checking for log anomalies should be an automated process.
Naturally, what constitutes an anomaly will change over time--but only if you
document it.
Prescription for Continued Health
No checkup uncovers all problems, so
it's important to verify your firewall's health...continuously. Run a packet
scanner to make sure it has the correct configuration. If you want to be a bit
more aggressive, run a vulnerability scanner.
Only the true hypochondriac would get a daily physical from a doctor.
Security, on the other hand, is all about paranoia, and a daily firewall checkup
may be just what the doctor ordered. By checking these six indicators daily,
you'll keep your firewall alive and kicking.
FRED AVOLIO is
president and founder of Avolio Consulting, a Maryland-based computer and
network security consulting firm.
