Why do all graphical representations of a network firewall include a wall with flames? Do you have to set a wall on fire in order to protect a network? I hope not, at least not for my network!!
SANS Critical Control #10 covers secure configurations for network devices such as firewalls, routers and switches.
These devices are the backbone of an organization's network and cannot be left unconfigured, without passwords, with backdoors, and so on.
SANS mentions the following steps to implement Control #10:
Step 1: Hardened device configurations applied to production devices
Step 2: Hardened device configuration stored in a secure configuration management system
Step 3: Management network system validates configurations on production network devices
Step 4: Patch management system applies tested software updates to production network devices
Step 5: Two-factor authentication system required for administrative access to production devices
Step 6: Proxy/firewall/network monitoring systems analyze all connections to production network devices
With its various modules, Unified VRM addresses most of the control points SANS lists under Control #10:
- With the external network module, Unified VRM can test the external firewall for misconfigurations and exposed ports. If the firewall vendor and version has a reported vulnerability, in either its network services or its web application front-ends, that vulnerability can be found and remediated before attackers exploit it.
- On routers and switches, the Unified VRM internal network module can find default passwords, default SNMP community strings (such as public and private) and other misconfigurations so that they can be corrected. An unauthenticated internal network scan and an authenticated OVAL scan over SSH can be used to find known, catalogued vulnerabilities in firewalls, routers and switches. Unified VRM can also test Cisco routers, switches and firewalls against the latest XCCDF benchmark definitions.
- Hardened configurations for firewalls, routers and switches can be customized, and the targets tested against them, through the Unified VRM Configuration Review Module.
- The Unified VRM wireless assessment module can test whether the wireless network is logically located inside or outside the firewall, i.e. whether wireless clients land on the trusted side of the perimeter.
- If exploitable vulnerabilities are found, the Unified VRM exploitation module can help build a proof-of-concept exploit targeted at routers, firewalls and switches.
- For change control, Tripwire can be deployed on most firewalls to monitor the file system for unauthorized changes. Tripwire can then be interfaced with Unified VRM to collect the logs of those unauthorized changes periodically.
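The SANS steps above (a hardened baseline stored in configuration management and validated against production devices) and the bullets on default SNMP community strings and unauthorized change monitoring come down to two checks that are simple to script: does the running configuration still match the stored golden copy, and does it violate any hardening rule. The following Python is an added example written for this post; it is not Unified VRM, Tripwire or SANS code. It audits a Cisco IOS-style running configuration for a few hardening failures and reports drift against a stored golden configuration. The device name edge-rtr-1, both configurations, the community-string list and the check rules are constructed for illustration.

```python
"""Added example (not Unified VRM, Tripwire or SANS code): audit a Cisco
IOS-style running configuration against a few hardening rules and report
drift from a stored golden configuration.  Device name, configs and rules
are constructed for illustration."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed sample: the hardened golden config for hypothetical device
# edge-rtr-1, as it would be stored in a configuration management system.
GOLDEN_CONFIG = """\
hostname edge-rtr-1
service password-encryption
no ip http server
snmp-server community Zq7!trapOnly RO 10
line vty 0 4
 transport input ssh
 login local
"""

# Constructed sample: the config actually running on the device. Someone has
# added a default SNMP community, re-enabled telnet, dropped password
# encryption and created a plaintext local account.
RUNNING_CONFIG = """\
hostname edge-rtr-1
no ip http server
snmp-server community public RO
snmp-server community Zq7!trapOnly RO 10
line vty 0 4
 transport input telnet ssh
 login local
username admin password 0 cisco123
"""

# Community strings shipped as defaults or copied from vendor examples; any
# of these on a production device is a finding.
DEFAULT_SNMP_COMMUNITIES = {"public", "private", "cisco", "admin"}

# community, optional RO/RW mode, optional access-list number or name
SNMP_RE = re.compile(r"snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?")


@dataclass
class Finding:
    severity: str
    message: str


def normalize(config: str) -> list[str]:
    """Drop blank and comment ('!') lines and trailing whitespace so that
    fingerprints and diffs ignore cosmetic differences. Leading indentation
    is kept because IOS uses it to scope sub-commands (e.g. under 'line vty')."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def hardening_findings(config: str) -> list[Finding]:
    """Check one config against the hardening rules; an empty list means clean."""
    lines = normalize(config)
    findings: list[Finding] = []
    for ln in lines:
        m = SNMP_RE.match(ln)
        if m:
            community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if community.lower() in DEFAULT_SNMP_COMMUNITIES:
                findings.append(Finding("high", f"default SNMP community '{community}' ({mode})"))
            if acl is None:
                findings.append(Finding("medium", f"SNMP community '{community}' not restricted by an access-list"))
        if re.match(r"username \S+ password 0 ", ln):  # 'password 0' = unencrypted
            findings.append(Finding("high", f"plaintext local password: {ln}"))
        if re.match(r"\s*transport input .*\btelnet\b", ln):
            findings.append(Finding("high", "telnet accepted on a vty line"))
    if "service password-encryption" not in lines:
        findings.append(Finding("medium", "service password-encryption is not set"))
    return findings


def drift(golden: str, running: str) -> dict[str, list[str]]:
    """Line-level drift between the stored baseline and the live device:
    commands that should be present but are not, and commands that should
    not be there at all. Order-insensitive, which is fine for a flat IOS
    config but would need a section-aware parser for ordered ACL entries."""
    g, r = set(normalize(golden)), set(normalize(running))
    return {"missing": sorted(g - r), "unexpected": sorted(r - g)}


def fingerprint(config: str) -> str:
    """SHA-256 over the normalized config. Store it with the golden copy and
    compare on every poll: a mismatch is the cheap trigger for a full drift()
    and hardening_findings() run, the same idea as a file-integrity monitor."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def audit(golden: str, running: str) -> dict:
    """Everything a management system would record per device, in one call."""
    return {
        "changed": fingerprint(golden) != fingerprint(running),
        "drift": drift(golden, running),
        "findings": hardening_findings(running),
    }


if __name__ == "__main__":
    report = audit(GOLDEN_CONFIG, RUNNING_CONFIG)
    print("config changed since baseline:", report["changed"])
    for kind, lines in report["drift"].items():
        for ln in lines:
            print(f"  drift/{kind}: {ln}")
    for f in report["findings"]:
        print(f"  {f.severity.upper():6} {f.message}")
```

In practice the running configuration would be pulled over SSH (the same authenticated channel the OVAL scan uses) on a schedule, and the fingerprint comparison is what makes polling every device cheap; the full diff and rule check only run when the hash moves. The rule set here is deliberately small; a real baseline would cover AAA, logging, NTP, management-plane ACLs and the rest of the vendor benchmark.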