- Fred Avolio
When you go to the doctor for a physical, the procedure is fairly routine: the doc weighs you, takes your temperature, checks your blood pressure and pulse, looks in your ears, nose and throat, feels your lymph nodes, listens to your heart and lungs, and so on.
Why are most physicals just like this? Because common medical problems are diagnosed through a standard, "low-tech" examination. While a checkup by itself may not lead to a concrete diagnosis, it will at least reveal symptoms that need closer examination.
In cyberspace, your firewalls need routine checkups if they're to remain healthy. Like the human body, computer equipment ages with time and wear and tear. It's not enough to know that you correctly installed your firewall. You have to run it through a "firewall physical" to ensure it stays in tip-top shape.
Here are six things to examine:
- Configuration files. No matter how tight you lock down your firewall during installation, all bets are off once it goes live. Your firewall security policy should dictate configuration parameters in high-level, unspecific terms. You should develop and monitor firewall-specific policies with configuration details, such as what traffic is allowed or what services use proxies.
The policy should specify the steps for modifying a firewall's configuration--what authorization is needed to make changes, who is permitted to make changes and when, how to document the changes, etc. The policy should also dictate a separation of duties, where one person does the work, another documents the changes, and a third tests and reviews the new setup.
- Disk usage. This is important if you store logs on the firewall, but even more so if you don't. In the first case, an abnormal increase in the rate of disk usage could indicate a problem in the log cleanup procedures. In the latter case, it could mean someone has installed a rootkit. In any case, you must develop a baseline of what constitutes "normal" firewall disk usage. Most problems--security or otherwise--take a system out of its normal state.
- CPU load. Similar to disk usage, the CPU load is an indicator of system health. Again, you must know what normal is. A low CPU load doesn't necessarily mean "all is well," but an abnormally high one almost always means something is wrong. It could be anything from a DoS attack to the loss of your outside network connection.
- Daemons. Each firewall has a normal set of daemons that must be running to operate correctly, such as a name server, system logging program, network dispatcher or authentication server. Are all running that should be? If not, why not? What else is running that shouldn't be?
- System files. A critical system file changes for three reasons: an admin purposefully changed it, perhaps as part of a scheduled upgrade; an admin accidentally changed it; or an attacker changed it. Again, your policy for firewall configuration changes must cover how to correctly document system file changes.
- Log anomalies. Firewall logs, of course, are a great source of health information, documenting all traffic that is permitted and denied. Because of the amount of data, checking for log anomalies should be an automated process. Naturally, what constitutes an anomaly will change over time--but only if you document it.
Prescription for Continued Health
No checkup uncovers all problems, so it's important to verify your firewall's health ... continuously. Run a packet scanner to make sure it has the correct configuration. If you want to be a bit more aggressive, run a vulnerability scanner.
Only the true hypochondriac would get a daily physical from a doctor. Security, on the other hand, is all about paranoia, and a daily firewall checkup may be just what the doctor ordered. By checking these six indicators daily, you'll keep your firewall alive and kicking.
About the author:
Fred Avolio is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.