Re: Firewall Rule Audit Software/Service

[Ronald King <ronald.king () MORGAN EDU>]

We are in the process of a major revamp of our rules. We recently changed
vendors so some old rules no longer "fit" with the new firewall. We have
recently started using spreadsheets for tracking.

We have two SOPs for firewall changes. One is used for internal requests
for internal communications from our ERP, Server and Network teams. They
enter the applicable info into the spreadsheet and notify the security team
a change has been requested. This covers 90% of our requests. For internal
communications requests from non-IT personnel or any request for
external/Internet based clients to communicate to internal resources, we
use a form that requires approval from department heads.  We are a two man
security team with automatic notifications of changes generated by our
firewalls sent to both security team members for review and confirmation.
This works for us but can be improved. We have a change management process,
but, firewall changes that are minor are considered routine and do not
require review. Major changes and code updates go through the change
procedure.

Ron

*Ronald A. King, CISSP*
Chief Information Security Officer
Morgan State University Office: (443) 885-3372
1700 E. Cold Spring Ln. Email: ronald.king () morgan edu
Baltimore, MD 21251 URL: http://www.morgan.edu

*Growing the future ... Leading the world*
<http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


On Mon, Aug 13, 2018 at 1:52 PM, Frank Barton <bartonf () husson edu> wrote:

> Roman, we have something similar... RANCID checks our configs hourly, and
> emails the entire itsec team of any changes
>
> Frank
>
> On Mon, Aug 13, 2018 at 1:41 PM, Simanovich, Roman <rsimanovich () usj edu>
> wrote:
>
> > A formal change control policy/process is the best security control for
> > managing authorized administrator changes. I also have a script that runs
> > daily and notifies me of any changes to the firewall config, this can
> > easily be modified to notify the entire team whenever any configuration
> > item is changed.
> >
> >
> >
> > Thanks,
> >
> > Roman
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Mandi Witkovsky
> > *Sent:* Monday, August 13, 2018 11:57 AM
> >
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] Firewall Rule Audit Software/Service
> >
> >
> >
> > Do you have a formal process that must be followed for an exception to be
> > made?  Our problem is that several people have legitimate access to make
> > updates—but getting everyone to follow the same process is a challenge.
> >
> >
> >
> > Thanks,
> >
> > mandi
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Simanovich, Roman
> > *Sent:* Monday, August 13, 2018 11:34 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] Firewall Rule Audit Software/Service
> >
> >
> >
> > An excel spreadsheet works great for this, here are the columns I have in
> > mine.
> >
> >
> >
> > Sequence #
> >
> > ID
> >
> > From
> >
> > To
> >
> > Source
> >
> > Destination
> >
> > Service
> >
> > Action
> >
> > NAT/AV/WebFilter/AppControl/IPS/SSLInsepction
> >
> > Department
> >
> > Description
> >
> > Expiration
> >
> >
> >
> >
> >
> >
> >
> > Thanks,
> >
> > Roman
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Mandi Witkovsky
> > *Sent:* Monday, August 13, 2018 11:15 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* Re: [SECURITY] Firewall Rule Audit Software/Service
> >
> >
> >
> > I’d love to hear the answer to this one.  Even just learning how people
> > tackle documenting and reviewing their rules would be beneficial.
> >
> >
> >
> > Thanks,
> >
> > mandi
> >
> >
> >
> >
> >
> >
> >
> > *From:* The EDUCAUSE Security Constituent Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Telfer, Will
> > *Sent:* Monday, August 13, 2018 11:11 AM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* [SECURITY] Firewall Rule Audit Software/Service
> >
> >
> >
> > We are looking at updating our Firewall Rule Audit structure so that we
> > check over all of our rules at least once a year to verify whether they
> > still need to be in place. Since we have multiple groups & multiple
> > firewalls, each with their own specific set of rules the goal is to have
> > some central structure where the audit can be recorded. Are any of you
> > using a software or service that provides the ability for multiple users to
> > log in & check off firewall rules? Please feel free to contact me off list
> > if that is better for you.
> >
> >
> >
> > Thank You,
> >
> > Will Telfer, M.S.
> >
> > Information Security Analyst
> >
> > Information Technology Services
> >
> > [image: sig]
> >
> > Twitter: @BearAware
> >
> > Facebook: www.facebook.com/BearAware
> > <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_BearAware&d=DwMFaQ&c=0CCt47_3RbNABITTvFzZbA&r=hF9utfnfkGfY793x81M4Gr0nwxs9KYTZ6TUPUh4wPjs&m=6lUt_IcfaWmw0Dg-X52nRXS4A4TlsNjwjx_q9fkiVwM&s=GlhY7Y6z6i0kFSvcEub1X53MTxPs7FeAtMLsTwP1-BI&e=>
>
>
>
> --
> Frank Barton, MBA
> Security+, ACMT, MCP
> IT Systems Administrator
> Husson University