The Checkmark firewall certification is designed to ensure that firewalls achieve a basic level of protection against a number of common hostile attacks, originating both inside and outside the protected network.
Configuration
- The firewall is to be configured to provide the services and enforce the restrictions specified in this document.
- Firewalls can be provided either as a complete turnkey hardware and software solution, or as software only, to be installed on a PC supplied by us (the specification of which will be provided on request).
- All firewalls are to be provided initially in their out-of-the-box configuration. This allows us to form an objective opinion on (a) the amount of effort needed to configure the product from scratch, and (b) the likelihood that an end user may mis-configure the product.
- Software-based firewalls will be installed on a clean installation of the native operating system. The firewall machine will be wiped and returned to a known steady state after each test. Firewalls from different vendors will not be installed side by side on the same machine.
- Firewall vendors are encouraged to provide advice on the most appropriate means of achieving the required configuration. If no such advice is forthcoming, NSS Group staff will attempt to produce the best configuration possible from the information contained in the manuals.
- Firewall vendors are encouraged to visit the testing laboratory to carry out the necessary configuration under the direct supervision of NSS Group laboratory staff.
- Where multiple methods of achieving the same result are available, the vendor should advise on the most secure option.
- It is assumed that the underlying OS will be hardened and/or have the latest security fixes applied during firewall installation. No patches or configuration options will be allowed which are not available to the general public, either in a current release or via a recognised and generally available support source.
Test Environment
NSS Network Testing Laboratories maintains a dedicated test network for firewall accreditation (network diagram can be viewed here).
- The test environment consists of three distinct networks: the external (Internet), DMZ and internal (protected) networks.
- The external network consists of a Telnet host, Web server, FTP server, DNS server, SMTP/POP3 server and a hacker client.
- The DMZ network consists of a Telnet host, Web server and FTP server.
- The internal network consists of a Telnet host, DNS server, SMTP server, file/print server, Web server and a hacker client.
- Machines on the internal and DMZ networks are not configured in a secure manner; they rely totally on the protection of the firewall.
- The firewall is the only link between the DMZ, internal and external networks.
- Firewalls that support DMZ services internally rather than on a separate subnet are also allowed. Vulnerabilities in the actual services will not be deemed cause for failure of the certification process unless those vulnerabilities provide external access to the protected network in some way.
- The link between the firewall and the external network is via a simple router. No packet filtering will be configured on this router; all protection must be provided by the firewall.
- A network monitor, protocol analyser and security monitor are installed on each of the external, DMZ and internal networks.
- The configuration of all machines remains constant between tests. The machine designated as the firewall will be wiped and returned to a steady state after each test.
Services
The firewall is to be configured to allow the following services, typical of most installations:
- Telnet (outbound, no restrictions)
- Telnet (inbound denied)
- FTP (inbound to DMZ (or equivalent) only)
- FTP (outbound, no restrictions)
- HTTP (inbound to DMZ (or equivalent) only)
- HTTP (outbound, no restrictions)
- SMTP (inbound to corporate mail server only)
- SMTP (outbound, no restrictions)
- DNS (internal clients to be able to resolve both internal and external addresses freely)
- DNS (no internal addresses to be resolvable from the external network)
- POP3 (internal clients to be allowed to retrieve POP3 mail from the external network)
- POP3 (no external POP3 access to internal servers is allowed)
- ICMP (inbound denied)
- ICMP (outbound denied)
- Stealth mode (the firewall silently drops, rather than answers, unsolicited packets addressed to itself) should be enabled if available
- No other traffic of any description is to be allowed onto the protected network or DMZ
Management
Management of the firewall will be evaluated using the following criteria:
- The local console must be secure
- The management console should not be open to the external network
- The firewall configuration should be fully protected and tamper-proof (except from an authorised management station)
- Full authentication of the administrator is required for local administration
- Full authentication and an encrypted link are required for remote administration. If the remote link cannot be encrypted, it must be possible to disable it.
Tests
A range of tests will be carried out using commonly available firewall scanning tools (NAI CyberCop Scanner and ISS Internet Scanner) as well as custom-built in-house utilities. All tools will be configured with full knowledge of both the firewall and network configuration:
- Check that the firewall management console is not available to any user unless authenticated
- Check that the remote management link (if available) is encrypted or can be disabled
- Check that the firewall configuration is fully protected and tamper-proof
- Check that the firewall is resistant to a range of known Denial of Service (DoS) attacks
- Check that the firewall has no known vulnerabilities
- Check that the underlying OS is hardened and not vulnerable to known OS-specific attacks
- Check that all specified outbound services (and no others) are available from internal clients
- Check that all specified inbound services (and no others) are available to external clients
- Check that the firewall does not allow uncontrolled access to either the internal or DMZ networks
- Check that DNS names can be resolved from internal clients
- Check that external DNS queries do not reveal information about the internal network
- Check that the firewall does not pass malformed (mis-configured) packets to the internal network or DMZ
Tests will be repeated in the following manner:
- Stage 1: Probe the firewall from the Internet
- Stage 2: Probe the protected network from the Internet
- Stage 3: Probe the DMZ from the Internet
- Stage 4: Probe the firewall from the protected network
- Stage 5: Probe the Internet from the protected network (test security policy)
- Stage 6: Probe the DMZ from the protected network
- Stage 7: Probe the firewall from the DMZ (if available)
- Stage 8: Probe the protected network from the DMZ (if available)
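The Services policy and the stage-by-stage probing above, expressed as a small policy model with a scan audit. This is an added example, not NSS Group's own tooling or any vendor's code: each permitted service becomes one allow rule with default deny, decide() gives the expected verdict for any (source zone, destination zone, protocol, port) flow, and audit() compares the observations of a scan run against those verdicts so that a leak (open where the policy denies), an over-restriction (blocked where the policy allows) and a non-stealth answer from the firewall itself each appear as a finding. The zone names, the "mail" and "dns" host names, the port 22 used for the firewall probe and the open/closed/filtered result vocabulary are assumptions of the example, not from the document; FTP is modelled by its control channel only and return traffic is assumed to be tracked statefully.

```python
# Added example (not NSS Group tooling): the Checkmark "Services" policy as
# code, plus a check that compares scan observations from the test stages
# against it. Host names, the "firewall" pseudo-zone, the port probed on the
# firewall and the scan-result vocabulary are assumptions for this example.
from __future__ import annotations
from dataclasses import dataclass

EXTERNAL, DMZ, INTERNAL, FIREWALL = "external", "dmz", "internal", "firewall"


@dataclass(frozen=True)
class Flow:
    src: str               # zone the connection originates from
    dst: str               # zone (or the firewall itself) being probed
    proto: str             # "tcp", "udp" or "icmp"
    dport: int = 0         # destination port; 0 for icmp
    dst_host: str = "any"  # assumed host name, used by host-specific rules


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    dport: int
    dst_host: str = "any"  # "any" matches every host in the zone

    def matches(self, f: Flow) -> bool:
        return (self.src == f.src and self.dst == f.dst
                and self.proto == f.proto and self.dport == f.dport
                and self.dst_host in ("any", f.dst_host))


# One allow rule per permitted service in the "Services" list. Return traffic
# is assumed to be handled statefully; anything not listed here, including all
# ICMP and anything aimed at the firewall itself, is denied.
ALLOW = [
    Rule(INTERNAL, EXTERNAL, "tcp", 23),          # Telnet outbound
    Rule(INTERNAL, EXTERNAL, "tcp", 21),          # FTP outbound (control channel)
    Rule(EXTERNAL, DMZ, "tcp", 21),               # FTP inbound to DMZ only
    Rule(INTERNAL, EXTERNAL, "tcp", 80),          # HTTP outbound
    Rule(EXTERNAL, DMZ, "tcp", 80),               # HTTP inbound to DMZ only
    Rule(INTERNAL, EXTERNAL, "tcp", 25),          # SMTP outbound
    Rule(EXTERNAL, INTERNAL, "tcp", 25, "mail"),  # SMTP inbound to mail server only
    Rule(INTERNAL, EXTERNAL, "udp", 53),          # DNS resolution by internal clients
    Rule(INTERNAL, EXTERNAL, "tcp", 110),         # POP3 retrieval by internal clients
]


def decide(flow: Flow) -> str:
    """Policy verdict for a flow: first matching allow rule wins, else deny."""
    return "allow" if any(r.matches(flow) for r in ALLOW) else "deny"


def audit(observations: list[tuple[Flow, str]]) -> list[str]:
    """Compare scan results with the policy and return a list of findings.

    Each observation is (flow, result) where result is "open" (connection
    accepted), "closed" (target answered with RST / ICMP unreachable) or
    "filtered" (no response). With stealth mode on, probes of the firewall
    itself must come back "filtered", never "closed".
    """
    findings = []
    for flow, result in observations:
        expected = decide(flow)
        if result == "open" and expected == "deny":
            findings.append(f"LEAK: {flow} reachable, policy denies it")
        elif result != "open" and expected == "allow":
            findings.append(f"BLOCKED: {flow} unreachable, policy allows it")
        elif flow.dst == FIREWALL and result == "closed":
            findings.append(f"NOT STEALTH: firewall answered probe {flow}")
    return findings


# Constructed scan observations, as stages 1, 2, 3 and 5 might produce them.
SAMPLE_SCAN = [
    (Flow(EXTERNAL, DMZ, "tcp", 80), "open"),               # expected
    (Flow(EXTERNAL, INTERNAL, "tcp", 25, "mail"), "open"),  # expected
    (Flow(EXTERNAL, INTERNAL, "tcp", 23), "open"),          # leak: inbound Telnet
    (Flow(EXTERNAL, INTERNAL, "udp", 53, "dns"), "open"),   # leak: internal DNS exposed
    (Flow(INTERNAL, EXTERNAL, "tcp", 80), "open"),          # expected
    (Flow(INTERNAL, EXTERNAL, "tcp", 25), "filtered"),      # allowed but blocked
    (Flow(INTERNAL, EXTERNAL, "icmp"), "filtered"),         # expected: ICMP denied
    (Flow(EXTERNAL, FIREWALL, "tcp", 22), "closed"),        # firewall answered: not stealth
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print(finding)
```

The point of keeping the policy as data is that stages 1 to 8 become a matrix rather than a checklist: every (source zone, destination zone) pair is probed against the same decide() table, and a product passes the "all specified services and no others" checks only when audit() comes back empty for every stage.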
Results
Protocol analysers, network monitors and advanced security monitoring tools are used during initial firewall configuration and throughout the testing, both to validate the configuration and to confirm the test results. The criteria for a pass are:
- No access to protected servers is permitted
- No internal data is to be allowed outside the protected network
- No illegal traffic is to be permitted on any protected segment
- No access to the management console or firewall configuration files is to be allowed
- Firewall log files are to record all rejected packets and port scans
- The firewall is to remain running through DoS attacks (both generic IP and OS-specific attacks). Where it is recognised that a particular DoS attack has no defence, the firewall should terminate gracefully, failing closed and leaving connections securely closed.
- Log files are to remain intact through any log flood or DoS attacks
- The management console must remain available and secure
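One of the criteria above is that the firewall logs all rejected packets and port scans. As an added illustration of what recognising a port scan in the drop log involves (this is example code, not NSS Group's or any vendor's), the detector below reads drop-log lines and reports any source that hits a threshold number of distinct destination ports on one host within a short window. The log line format, the thresholds and the sample lines are constructed for the example.

```python
# Added example (not NSS Group tooling): port-scan detection over a
# firewall's drop log. The log format, thresholds and sample lines are
# constructed assumptions for this example.
from __future__ import annotations
from collections import defaultdict
from datetime import datetime
import re

# Assumed line format: "<ISO time> DROP <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE = re.compile(
    r"^(\S+) DROP (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse(line: str):
    """Return (time, proto, src_ip, dst_ip, dport) or None for lines that
    do not match the assumed format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, proto, src, _sport, dst, dport = m.groups()
    return datetime.fromisoformat(ts), proto, src, dst, int(dport)


def find_port_scans(lines, window_s: int = 60, min_ports: int = 10) -> dict:
    """Flag (src_ip, dst_ip) pairs where one source is dropped on at least
    min_ports distinct destination ports of one host within window_s
    seconds. Returns {pair: sorted list of every port that pair hit}."""
    events = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    for line in lines:
        rec = parse(line)
        if rec:
            t, _proto, src, dst, dport = rec
            events[(src, dst)].append((t, dport))
    scans = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        # sliding window over the time-ordered drops for this pair
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                scans[key] = sorted({p for _, p in hits})
                break
    return scans


# Constructed drop log: one external host sweeping twelve ports of an
# internal server in eleven seconds, a second host touching two ports,
# and one line that does not parse.
SAMPLE_LOG = [
    f"2024-01-01T10:00:{i:02d} DROP tcp 203.0.113.5:4{i:04d} -> 192.0.2.10:{20 + i}"
    for i in range(1, 13)
] + [
    "2024-01-01T10:00:05 DROP tcp 198.51.100.7:51000 -> 192.0.2.10:23",
    "2024-01-01T10:00:30 DROP tcp 198.51.100.7:51001 -> 192.0.2.10:110",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(SAMPLE_LOG).items():
        print(f"port scan from {src} against {dst}: ports {ports[0]}-{ports[-1]}")
```

This only works if the firewall really does log every rejected packet, which is why the logging criterion and the "log files remain intact through a log flood" criterion go together: a scanner that can fill or rotate the log away before the sweep completes defeats the detector.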