Sr.
No
Observation & Impact Recommendation Auditee Response &
Implementati on Timeline 4.1 Weak protocol in use
Background:
As a best practice is always recommended that access for maintenance should be allowed from minimum
Possibly SSH access to firewall should be used and that too should be restrictive.
Implementati on Timeline possible machines.
Observation:
TELNET access to the firewall is configured with no access restrictions.
Impact: No access
restrictions may increases the possibility of unauthorized access and subsequent unauthorized changes to firewall configurations. The unauthorized changes may
even bring down the firewall and hence the network.
4.2 NTP not configured Background:
Accurate time is important for good audit and management.
Network devices support the
standard time synchronization protocol,
NTP to keep their time-of-day clocks accurate and in synchrony. Time Logging is a critical part of network security; good logs can help find configuration errors, understand past intrusions,
troubleshoot service disruptions, and react to probes and scans of network.
Observation:
NTP is not configured.
NTP should be configured.
Implementati on Timeline Impact: Monitoring may be
rendered difficult as time synchronization may not happen and the logs may not be that effective to find configuration errors, trouble shoot service disruptions etc..
4.3 Inappropriate event log configurations
Background:
Logs are used for auditing,
troubleshooting past disruptions or investigations.
Log size and review periods should be so set such that space is always available for writing so that they can be reviewed before they get overwritten. The settings appear to be prima-facie low.
Observation:
Log file event log size is 2000 entries and life time is 20 days.
Impact: Logs may get overwritten before they get reviewed and backed up.
Log file parameters should
be reviewed for their
appropriateness and if required reset.
4.4 ICMP not blocked Background:
ICMP is designed for sending control and test messages across IP networks. The two most important ICMP
ICMP requests should be dropped.
Implementati on Timeline messages are Echo Request
(8) and Echo Reply (0). Echo Request and Echo Reply are utilized by the `ping`
command to test network connectivity. With echo packets an attacker can create a map of the sub networks and hosts (devices / machines) behind the device. Also, he can perform a denial of service attack by flooding the device with echo packets.
Observation:
ICMP (Internet Control Message Protocol) Echo and reply are not blocked.
Impact: Possibility of DOS attack that may put availability at risk.
4.5 Weak encryption for confidentiality used in VPN Background:
ESP is used to provide confidentiality, data origin authentication,
connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. The firewall is configured to encrypt and accept encrypted packets (traffic) using DES algorithm
Encryption using 3DES should be used.
Implementati on Timeline that uses 56 bit key for
encryption to provide for confidentiality of the data during transit. DES is considered very weak these days because of availability of high computing power at very nominal cost that may be used for cracking the key.
Observation:
ESP (Encapsulating Security Payload) – DES (Data Encryption Standard) with SHA (Secure Hash Algorithm) is allowed.
ESP–DES with MD5 (Message Digest ver 5) is allowed.
Impact: Weak encryption algorithms in use may reveal the encrypted information to an attacker who might subsequently use this information to further compromise the network.
4.6 Weak encryption for authentication used in VPN Background:
Diffee-Hellman algorithm is used for public-private key encryption and that in turn is used for identification and authentication of the sender.
The minimum length of the key that is considered safe
Use at least Group 2 that provides 1024 bits of keying strength.
Implementati on Timeline and recommended as per
good practice is 1024.
Observation:
Diffee-Hellman group-1 that provides for 768 bits of keying strength and is the weakest of all is also allowed.
Impact: Weak encryption algorithms in use may reveal the encrypted information to an attacker who might subsequently use this information to further compromise the network.
4.7 Redundant object groups in use
Background:
Object groups are created to group various objects into one and a meaningful name is given to such groups so that by knowing the group name the administrator can understand the nature of the objects contained in the group.
Observation:
Object groups ‘Dealer’ and
‘NB’ are redundant and not in use.
Impact: Unused objects can create confusion for the
Redundant object groups should be removed.
Implementati on Timeline administration performing the
maintenance activities that and therefore may render maintenance difficult
4.8 Password management not configured.
Background:
Password management is used for defining the periodicity at which the password must be changed.
Password change at periodic intervals reduces the risk of password compromise.
Observation:
Password management is disabled.
Impact: Disabled password management increases the risk of password compromise and that renders unauthorized access and subsequent unauthorized configuration change easier.
Password management should be enabled with suitable management
configurations.
4.9 High firewall idle time out.
Background:
Idle timeout is used to logout the user/administrator when there is no activity on the device for the specified amount of time.
Observation:
Idle timeout value
should be reviewed and suitably reduced.
Implementati on Timeline Firewall idle time out value is
set to 15 minutes. That is prima-facie high.
Impact: Longer idle time outs increase the possibility of unauthorized access as logged in device may remain unattended.
4.10 Ant spoofing not enabled Background:
Spoofing or impersonation is used for hiding the identity of the real attacker. The attacker may use some forged source IP address for sending the attack packets.
The anti spoofing feature contains details of some known forged addresses and if configured in the device will not let packets carrying these forged addresses to pass through it.
Observation:
Anti spoofing feature of the firewall is not enabled.
Impact: Availability of device and hence network may be at risk and it may be difficult to identify the attacker in case of need.
Feature should be enabled.
4.11 Redundant / inappropriate Identified
Implementati on Timeline firewall rule configurations
Background:
Firewall rules are configurations in firewall that are deployed for filtration of traffic by the firewall. These rules either allow or deny traffic based on predetermined criteria and the criteria are made as per security needs of the organization.
Observation:
a) Following rules are redundant.
Slot 1 interface1 – Policy 1
Slot 2 interface1 – Policy 1 and Policy 3
b) In rule 6 of slot 2 interface1 specific ports are not defined rather all ports are permitted. Also IP ranges permitted are too permissive (21 class C subnets i.e.
21x254 hosts).
c) Rule 7 of slot 2 interface1 provides for a very large port range and that is too permissive.
d) Rule 9 of slot 2 interface1 provides for redundant
redundant rules should be removed and other
identified rules should be suitably amended.
Implementati on Timeline destination IPs.
192.168.4.x
192.168.4.0
Impact: Possibility of unauthorized access to the firewall that may result in unauthorized changes that may affect the availability of the network. Maintenance may also be rendered difficult.