Two Ways to Avoid Problems With a Firewall Configuration Review

A firewall configuration review is one of the safest activities we do as penetration testers. There’s no automated scanning, no active exploitation, and no poking or prodding of exposed ports and services. Even though it is a very low-risk activity, there are a couple of things we’ve identified over the years that streamline the process of having a firewall configuration review performed. If you have this kind of review scheduled or are considering it in the future, check out these quick tips on how to avoid problems with a firewall configuration review.

Getting the Right Kind of Access

The central point of this assessment is making sure your security engineer has the access and information he or she needs before the testing window starts. This will allow them to focus on the task at hand, identifying issues in the security of your firewall, rather than desperately trying to simply get access to the device. Depending on the type of firewall, your security engineer will need the following:

  • Remote access to the administrative console – This can be tricky depending on where the device is placed and the level of security protecting it. It may involve provisioning a VPN account for your testers, creating a new firewall account, issuing multi-factor authentication tokens, or sending a field system onsite to facilitate remote access. Make sure you think through this ahead of time and work with your test team to nail down these details.
  • READ-ONLY Administrative Access – The capitalization of read-only is very much intentional. This is the privilege level we’ll ask for before performing a firewall configuration review, and while we will never make any configuration changes to your devices during an assessment, we like to avoid any risk of a mistake wherever possible. But the administrative portion is also important, as we will require access to see all of the device’s configuration and security settings. Providing admin access ensures we don’t miss anything.
  • Provide firewall configuration via a flat file – This may depend on the type of firewall your organization uses, but in some cases it can be just as easy to audit the firewall using the configs as opposed to logging into the admin interface (Cisco ASAs are a good example). This can be simpler and easier to manage for both the test team and the client. Unfortunately, this isn’t always possible as certain firewall configuration outputs are less than helpful (SonicWall, Palo Alto, etc.).
  • Why not both? – Of course, usually the more information you can provide the test team ahead of time the better. So if you’re able to pull the device config and provide remote access to the administrative console, that is ideal.

Tidy Up Ahead Of Time

Before your test team gets in there to analyze the device, it may be a great time to just clean up the place a little bit. Kinda like when you pick up the clothes off the floor before a dinner party, you want to put your best foot forward when showing off to guests. So deleting any temporary rules you may have had in place in the past, updating comments associated with rules and objects (because all of your rules have comments, right?), and removing any old accounts are just a couple things that can remove some of the low hanging fruit for an assessor, allow them to focus on bigger priority issues, and just make your device more secure in general. It’s awesome if you’re already doing these things on a regular basis, but maybe this is the extra kick you need to up the priority on these tasks. We’ve discussed some best practice items that you could be doing to improve the results of your firewall configuration review here.
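As an added example (not code from the original post), the script below runs the tidy-up checks described above over a flat-file config in Cisco ASA style: rules with no comment, rules whose comment marks them as temporary, rules left inactive, and local accounts to confirm. It assumes each rule is documented by a `remark` line directly above it and that temporary rules carry "temp", "temporary" or "test" in that remark; the sample config is constructed.

```python
import re

# Constructed sample in Cisco ASA running-config style (not from a real device).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN remark Public HTTPS to web server
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.20 eq 3389
access-list OUTSIDE_IN remark TEMP vendor access for migration
access-list OUTSIDE_IN extended permit ip host 198.51.100.7 any
access-list DMZ_IN remark Old mail relay
access-list DMZ_IN extended permit tcp any host 192.0.2.30 eq 25 inactive
username admin password CONSTRUCTED-HASH encrypted privilege 15
username old_contractor password CONSTRUCTED-HASH encrypted privilege 15
"""

ACL_RE = re.compile(r"^access-list (\S+) (remark|extended|standard) (.*)$")
USER_RE = re.compile(r"^username (\S+) ")
# Assumption: temporary rules are labelled this way in their remark.
TEMP_RE = re.compile(r"\b(temp|temporary|test)\b", re.IGNORECASE)


def tidy_up_findings(config_text):
    """Return (line_no, category, detail) items to clean up before a review."""
    findings = []
    last_remark = {}  # ACL name -> remark waiting for the rule that follows it
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        user = USER_RE.match(line)
        if user:
            findings.append((no, "account", user.group(1)))  # confirm still needed
            continue
        acl = ACL_RE.match(line)
        if not acl:
            continue
        name, kind, rest = acl.groups()
        if kind == "remark":
            last_remark[name] = rest
            continue
        remark = last_remark.pop(name, None)  # a remark covers only the next rule
        if remark is None:
            findings.append((no, "no-comment", line))
        elif TEMP_RE.search(remark):
            findings.append((no, "temporary", remark))
        if rest.split()[-1:] == ["inactive"]:
            findings.append((no, "inactive", line))
    return findings


if __name__ == "__main__":
    print(*tidy_up_findings(SAMPLE_CONFIG), sep="\n")
```

Every local account is listed rather than judged, since only the device owner knows which ones are still in use.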

Hopefully these quick tips will help avoid problems with a firewall configuration review. While there aren’t generally any issues, you always run into weird situations every now and then so it’s a good idea to prepare as best you can.