BOL Conferences
#274672 - 11/12/04 10:57 PM Firewall: access control and activity logging
rexinaudit
BACKGROUND:
The bank uses a Symantec Enterprise firewall that does not provide good logging of changes to the firewall and does not provide for unique user IDs for authorized administrators. The examiners have criticized the lack of separate user IDs, citing the need for accountability. The Examiners want either separate user IDs or compensating controls.

Management says:
Quote:

Authentication and logging are lacking in the current firewall version. We are looking at upgrade options which would improve this and Symantec is working on enhancements as well. The current option requires password by IP address which is not ideal and does not fit our environment very well. Also, logging of changes would not be sufficient even if we had separate logins.

Compensating controls: Only three employees know the password in addition to the firewall/IDS vendor. The firewall/IDS vendor primarily manages the firewall and they send a report documenting any changes that they make. Rules are reviewed internally several times per year by IS, annually by the IS security committee and annually by external third party. Security cameras record entry to the IS area. Rule changes are documented according to current policy. The only access internally is at the firewall console.

MY QUESTIONS:
1. Are these compensating controls adequate? My thought is that perhaps all activity should be manually logged by the users. Then Security would monitor these manual logs and compare them to user activity in the Windows system logs. But this is very labor intensive.

2. Is this Symantec firewall still an acceptable, state-of-the-art product, or should the bank quickly change to another product?
_________________________
My opinions are not legal advice, not my employer's, and may change anytime.

#274673 - 11/15/04 02:46 PM Re: Firewall: access control and activity logging
Jay-Risk
Rex,
The examiner criticism you cite would appear to be reasonable, given that you and/or your organization have not given them a comfort level that you are in all cases undertaking the most critical of functions: uniquely identifying the user.

The problem is not with the brand or the vendor, since they are one of the largest managed firewall providers, as well as one of the leading providers of VPN and small-to-mid range bank firewall products in the industry. Yes, there have been some patch requirements; but that's not the problem here.

The problem is that while you may be looking at the issue from the standpoint of merely being a password and userID issue, the examiners are looking at the issue from the standpoint of integrity assurance through your systematic compilation, use, monitoring and continued review of audit trails, logging and usage reports. They don't care if your authentication mechanisms include token-based systems, biometric controls, digital certificates, or just the basic backbone database controls provided through the assignment of unique userIDs and unique passwords; what they care about is that you're demonstrating to them that every log-in event of these three employees and all vendor log-in (particularly remote vendor log-in) is easily traced through effective logging of all events.

The firewall controls virtually everything that enters and leaves the enterprise, so it is not unreasonable that examiners or any other reviewing authority (external CPAs, investor third-party auditors, SAS 70 auditors) would want details as to who can administer firewall change settings and when each change occurred.

The latest information security booklet that includes the tier I and tier II information security program and firewall review section is at www.ffiec.gov.

#274674 - 11/15/04 04:22 PM Re: Firewall: access control and activity logging
rexinaudit
Jay,

Thank you for your thoughtful comments. You make several good points.

#274675 - 11/16/04 08:27 PM Re: Firewall: access control and activity logging
rexinaudit
Quote:

The problem is not with the brand or the vendor, since they are one of the largest managed firewall providers, as well as one of the leading providers of VPN and small-to-mid range bank firewall products in the industry. . .
The problem is that while you may be looking at the issue from the standpoint of merely being a password and userID issue, the examiners are looking at the issue from the standpoint of integrity assurance through your systematic compilation, use, monitoring and continued review of audit trails, logging and usage reports. They don't care if your authentication mechanisms include token-based systems, biometric controls, digital certificates, or just the basic backbone database controls provided through the assignment of unique userIDs and unique passwords; what they care about is that you're demonstrating to them that every log-in event of these three employees and all vendor log-in (particularly remote vendor log-in) is easily traced through effective logging of all events.

I agree that this is what they want, BUT how does one systematically compile, use, monitor and continually review audit trails, logging and usage reports when the firewall does not provide for unique user IDs and for logging?

#274676 - 11/17/04 03:48 PM Re: Firewall: access control and activity logging
Jay-Risk
Quote:

[H]ow does one systematically compile, use, monitor and continually review audit trails, logging and usage reports when the firewall does not provide for unique user IDs and for logging?

Rex:

Since you state in your original posting that "the bank uses" the firewall, I am going to assume that the appliance is physically in a bank facility and that the device(s) is administered by bank staff, versus having the firewall managed, physically housed, and administered by a third party. Whatever the configuration you employ, a critical component of any gateway device such as a firewall is to "screen" or filter all incoming access requests from users who are outside of the firewall, and who want permission to go inside the firewall -- meaning they need to be validated and their trust status determined so as to ensure that they have a right to be in the network. Once in the network, your users presumably have access to various business applications based on each user's access rights.

Like all systems with host management facilities, the firewall utility understands the communication of each type of traffic. Because the firewall is a gateway between the external and internal networks, its sole purpose is to synthesize the incoming (and outgoing) network traffic and to drill down and log all traffic events. Our logging is extremely detailed -- right down to the time and date, originating router location, the sending host identifier, a log-on format reconciliation, IP address, and a username-for-allowed-connections report. All firewall administrators and security engineers are also uniquely identified and governed by ruleset changes and strictly applied rules for administrator account changes.

The "compensating" controls you speak of are not appropriate for the technology risks of 2004. It is expected and reasonable that you would be queried by examiners, external auditors, third-party inspection and due-diligence reviewers, and others to provide sufficient evidence that your firewall architecture is providing the intended gateway governance for the bank's network.

At this juncture, I think you should have an independent engineered assessment of the firewall configuration and a simultaneous evaluation conducted of your information security program. This should be conducted by non-vendor-specific professional firms. The appliance you mention can provide you with the same reports I'm getting. In fact, using that appliance with the ACL desktop analytics software provides some of the best reporting available.

#274677 - 11/17/04 03:59 PM Re: Firewall: access control and activity logging
rexinaudit
Thank you for the informative response.

#274678 - 11/17/04 04:11 PM Re: Firewall: access control and activity logging
rexinaudit
One clarification: when I said that the firewall did not provide logging, I did not mean it had no logging of data traffic.

Rather, the firewall reportedly provides no logging of changes to the firewall configurations by the users, and reportedly the firewall does not provide for separate user IDs and passwords for the administrators.

#274679 - 11/17/04 05:28 PM Re: Firewall: access control and activity logging
Anonymous

Attribution is indeed important to monitoring the activities of administrators, vendors and users. Although the following may work for your situation, you may still need to evaluate other, more granular firewall products.

You could have your ISO (Information Security Officer) be the custodian for the firewall admin access credentials. Each time someone needs admin access to the firewall, they have to get the password from the ISO. Once the work is complete, the ISO changes the password. All of this is logged on paper to show transfer of administrative credential custody, initialed by the ISO and the party that had custody of the credentials. Further, the ISO could print/save the last known firewall rule set/configuration before and/or after releasing the credentials.

This system may also assist with your change management policy. Before changes can be made to one of your primary security perimeter devices, the ISO has to bless or be aware of the proposed changes before releasing the admin credentials.

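The custody procedure above, and the manual-log-versus-actual-change comparison asked about in the first post, as an added Python example that is not from this thread: the ISO fingerprints the exported rule set at each hand-over of the shared admin password, attributes any difference to the holder of record, and flags a live rule set that no longer matches the last hand-over snapshot (a change nobody signed for). The rule syntax, names and timestamps are constructed, not Symantec's.

```python
import difflib
import hashlib
from dataclasses import dataclass, field

# Constructed sample rule-set exports (hypothetical syntax, not Symantec's).
RULES_V1 = "rule 10 allow tcp any -> dmz-web:443\nrule 20 allow tcp lan -> any:80\nrule 30 deny any -> any\n"
RULES_V2 = RULES_V1.replace("rule 20", "rule 15 allow tcp any -> dmz-web:22\nrule 20")
RULES_V3 = RULES_V2.replace("rule 30 deny any -> any\n", "rule 30 allow any -> any\n")


def fingerprint(ruleset: str) -> str:
    """SHA-256 of the exported rule set, written into the custody log at each hand-over."""
    return hashlib.sha256(ruleset.encode()).hexdigest()


def rule_diff(before: str, after: str) -> list:
    """Rule lines added (+) or removed (-) between two exports, diff headers dropped."""
    lines = difflib.unified_diff(before.splitlines(), after.splitlines(), lineterm="", n=0)
    return [ln for ln in lines if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]


@dataclass
class CustodyRecord:
    custodian: str      # employee or vendor who held the shared admin password
    released: str       # when the ISO handed the password over
    returned: str       # when the ISO changed the password again
    hash_before: str
    hash_after: str
    changes: list = field(default_factory=list)


def record_custody(custodian, released, returned, before, after) -> CustodyRecord:
    """Close one custody window; any rule change inside it is attributed to the holder."""
    rec = CustodyRecord(custodian, released, returned, fingerprint(before), fingerprint(after))
    if rec.hash_before != rec.hash_after:
        rec.changes = rule_diff(before, after)
    return rec


def unattributed_change(log: list, current: str) -> bool:
    """True when the live rule set differs from the last hand-over snapshot:
    a change was made with no custody record to account for it."""
    expected = log[-1].hash_after if log else fingerprint(current)
    return fingerprint(current) != expected


if __name__ == "__main__":
    log = [record_custody("vendor-NOC", "2004-11-17 09:00", "2004-11-17 09:40", RULES_V1, RULES_V2)]
    print(log[0].changes)                      # the vendor's documented change
    print(unattributed_change(log, RULES_V3))  # rule 30 was flipped outside any custody window
```

The same hash comparison works against a configuration export saved by hand; what matters is that every window between two snapshots has a signed custodian.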