CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1
2007-01-23
walcat_0
System Integrity

Hi,

What would be the best way to do an audit of the firewalls to see who, or if anyone, had gained access to them that wasn't supposed to? Is there an easy way of doing this on Solaris & Nokia?

Any help would be appreciated.

Thanks
#2
2007-01-23
RayPesek
Re: System Integrity

It's not an easy question to answer.

How well are the SmartCenter and enforcement modules physically protected?

How well is the enforcement module protecting itself? Is there a rule that only allows access to it from certain IP addresses or can anyone "touch" it?

Does cpconfig on the SmartCenter restrict SmartConsole access to just certain IP addresses or did someone allow an entire subnet or * ?

How well are the SmartCenter and enforcement modules patched? Are OS patches applied on a timely basis? (Can someone use a remote exploit to gain admin access without knowing a set of credentials? Are there unnecessary services running that could be used in a remote exploit?)

How do administrators authenticate? User name and password only? Certificates? Is it the same one for everyone? Is anyone using the "admin" account instead of their own account? Are lockouts configured? How are alerts distributed?

How often do authorized administrators log in and what do they check? You can use filters on the Audit tab to see this information. (i.e. Is anyone paying attention?)

How often are the logs deleted?

What exactly are you looking for? A routine audit or suspected abuse?

Ray