Rule Analysis
The removable rules identified by FSM have no role to play in controlling traffic flow through the network and simply
bloat your rulebases. The effect of bloating is not only increased exposure to attacks, but it also creates a
stranglehold on the change process, adding significant time and expense to firewall management activities and
compliance reviews. These rulebases also have an adverse impact on network performance, service delivery and
the ability to execute major infrastructure projects such as upgrading security devices or adding networks.
To see the exact rules that can be removed from the firewalls that were analyzed in this report, you will require a full-functioning license of FSM. This will give you access to several advanced features including detailed technical
reports, automated scripts for executing the cleanup, change validation and rulebase querying.
Risk Summary
Evaluating the security profile of firewall devices requires complex algorithms that evaluate actual rules for
dangerous services allowed to destination hosts. Using an offline model of the device based on the interfaces,
objects, access lists, address translations, VPNs, routing rules, access-group statements and other constructs that
control how the IP traffic flows through the firewall, FSM performs the most consistent and thorough security analytic
function possible.
FSM recommends that immediate attention is given to the high severity issues discovered during this assessment
and that an action plan is generated to remediate failed checks. This is accomplished by using the full-functioning
version of SolarWinds FSM which details the exact rules responsible for flagged risks, non-compliance to corporate
policies and PCI violations. FSM dramatically reduces the time to perform firewall audits by at least 60-80% and
provides the technical information required by network engineers who are responsible for implementing the fixes.
Firewalls Analyzed
No. | Name | Model | IP | Complexity
 | DC-NONCBS-FW | | 10.1.35.31 | VERY HIGH
2 | | | |
3 | | | |
4 | | | |
5 | | | |
To upgrade your license and see the actual rules that were summarized in this
report, please contact sales@solarwinds.com
Name | Model | IP | Complexity
DC-NONCBS-FW | | 10.1.35.31 | VERY HIGH
Rule Summary
Total Rules : 1227
ACL Rules : 1125
184
Unused Rules :
Disabled Rules : 27
Security Audit
Total Checks : 123
Passed Checks : 86
Failed Checks : 37
High Risk :
Medium Risk : 14
Low Risk : 17
APPENDIX
The following security checks are evaluated by the security audit analysis performed by SolarWinds FSM.
This list is provided for informational purposes only.
High Risk
Medium Risk
Low Risk
Risk
Description
C1: Stealth Rule
C4
C5
C6
C9
C13
C14: Rule(s) allow "any" TCP service from external zone to internal zone
C15: Rule(s) allow "any" UDP service from external zone to internal zone
C16: Rule(s) with "any" destination address allow access from external zone to internal zone
C17: Rule(s) with "any" service allow access from DMZ zone to Internal zone
C18: Rule(s) allow "any" TCP service from DMZ zone to internal zone
C19: Rule(s) allow "any" UDP service from DMZ zone to internal zone
C20: Rule(s) with "any" destination address allow access from DMZ zone to internal zone
C21: Rule(s) with "any" source address allow access from DMZ zone to internal zone
C27
C28
C29
C30
C31
C35
C39: IP Address Spoofing
C40
C41
C42
C43
C46
C47
C48
C55
C61
C62
C63
C64
C65
C66
C67
C69
C70
C71
C72
C80
C84
C85
C86
C89
C91
C92
C93: Rule(s) with "any" service allow access from external zone to DMZ zone
C94: Rule(s) allow "any" TCP service from external zone to DMZ zone
C95: Rule(s) allow "any" UDP service from external zone to DMZ zone
C96: Rule(s) with "any" destination address allow access from external zone to DMZ zone
C100: Rule(s) with "any" source address allow access from DMZ zone to external zone
C115
C116
C118: Rule(s) with "any" destination and "any" service allow access from external zone to internal zone
C119: Rule(s) with "any" destination and "any" service allow access from external zone to DMZ zone
C120: Rule(s) with "any" destination and "any" service allow access from DMZ zone to internal zone
C121: Rule(s) with "any" source and "any" service allow access from DMZ zone to internal zone
C122: Rule(s) with "any" source and "any" service allow access from DMZ zone to external zone
C123: Rule(s) with "any" service allow access from external zone to internal zone
C3
C8
C10
C11: ICMP echo requests are allowed from external zone to internal zone
C12: ICMP reply services are allowed from internal zone to external zone
C32
C33
C34
C49
C50
C51
C52
C56
C58: TCP or UDP high ports allowed from external zone to internal zone
C68
C73
C74
C75
C76
C77
C78
C79
C81
C82
C83
C87
C88
C106
C107
C113
C114
C124
C125
C126
C22: Reserved source IP addresses (non RFC-1918) allowed access from external zone to internal zone.
C23: Reserved source IP addresses (non RFC-1918) allowed access from external zone to DMZ zone.
C24: RFC-1918 private IP Source addresses allowed access from external zone to internal zone.
C25: RFC-1918 private IP Source addresses allowed access from external zone to DMZ zone.
C36
C37
C38
C44
C45
C53
C54
C57
C59: TCP or UDP high ports allowed from external zone to DMZ zone
C60: TCP or UDP high ports allowed from DMZ zone to Internal zone
C90
C97: Rule(s) with "any" service allow access from internal zone to DMZ zone
C98: Rule(s) allow "any" TCP service from internal zone to DMZ zone
C99: Rule(s) allow "any" UDP service from internal zone to DMZ zone
C101
C102
C103
C104
C105
C108
C109
C110
C111
C112
C117