
Firewall Summary

Completed on Wed Mar 09 20:59:32 IST 2016


This report provides a summary of the rule cleanup and security audit analyses performed by the Profiler edition of
SolarWinds FSM.
The rule cleanup analysis identifies opportunities for simplifying the firewall configuration by removing unnecessary
rules, and unused network and service objects. The security audit analysis evaluates security checks based on best
practice recommendations for firewall policies drawn from industry sources such as NIST, NSA, SANS Institute, and
CIS (refer to the standard checks listed in the appendix).

Rule Analysis
The removable rules identified by FSM play no role in controlling traffic flow through the network and simply bloat your rulebases. Bloated rulebases not only increase exposure to attacks; they also create a stranglehold on the change process, adding significant time and expense to firewall management activities and compliance reviews. They also have an adverse impact on network performance, service delivery and the ability to execute major infrastructure projects such as upgrading security devices or adding networks.
To see the exact rules that can be removed from the firewalls analyzed in this report, you will require a full-functioning license of FSM. This gives you access to several advanced features, including detailed technical reports, automated scripts for executing the cleanup, change validation and rulebase querying.

Risk Summary
Evaluating the security profile of firewall devices requires complex algorithms that evaluate the actual rules for dangerous services allowed to destination hosts. Using an offline model of the device based on the interfaces, objects, access lists, address translations, VPNs, routing rules, access-group statements and other constructs that control how IP traffic flows through the firewall, FSM performs the most consistent and thorough security analysis possible.
FSM recommends that immediate attention be given to the high severity issues discovered during this assessment and that an action plan be generated to remediate failed checks. This is accomplished by using the full-functioning version of SolarWinds FSM, which details the exact rules responsible for flagged risks, non-compliance with corporate policies and PCI violations. FSM dramatically reduces the time to perform firewall audits by at least 60-80% and provides the technical information required by the network engineers responsible for implementing the fixes.

Firewalls Analyzed

No.  Name          Model             IP           Complexity
1    DC-NONCBS-FW  Cisco ASA 9.1(2)  10.1.35.31   VERY HIGH

Page 1 of 6
To upgrade your license and see the actual rules that were summarized in this
report, please contact sales@solarwinds.com

Firewall Summary Report - DC-NONCBS-FW

No.  Name          Model             IP           Complexity
1    DC-NONCBS-FW  Cisco ASA 9.1(2)  10.1.35.31   VERY HIGH

Rule Summary
Total Rules : 1227
ACL Rules : 1125
Redundant and Shadowed Rules : 184
Unused Rules :
Disabled Rules :
Time Inactive Rules :
Unreferenced Network Objects : 27
Unreferenced Service Objects :
Rules with Unused Objects :
Rules with Logging Enabled :
Unused Network Objects :
Network Objects with Unused Members :
Unused Service Objects :
Service Objects with Unused Members :

16.36% of access control rules can potentially be removed from the rule base.

Security Audit
Total Checks : 123
Passed Checks : 86
Failed Checks : 37
High Risk :
Medium Risk : 14
Low Risk : 17

30.08% of 123 security checks failed.


APPENDIX
The following security checks are evaluated by the security audit analysis performed by SolarWinds FSM.
This list is provided for informational purposes only. Checks are grouped by risk level (High Risk, Medium Risk, Low Risk).
High Risk

Risk   Description
C1     Stealth Rule
C4     Check Point DNS over UDP implied rule
C5     Check Point DNS over TCP implied rule
C6     Check Point ICMP implied rule
C9     Insecure external access to firewall
C13    Rule(s) with "any" service from "any" source to "any" destination
C14    Rule(s) allow "any" TCP service from external zone to internal zone
C15    Rule(s) allow "any" UDP service from external zone to internal zone
C16    Rule(s) with "any" destination address allow access from external zone to internal zone
C17    Rule(s) with "any" service allow access from DMZ zone to internal zone
C18    Rule(s) allow "any" TCP service from DMZ zone to internal zone
C19    Rule(s) allow "any" UDP service from DMZ zone to internal zone
C20    Rule(s) with "any" destination address allow access from DMZ zone to internal zone
C21    Rule(s) with "any" source address allow access from DMZ zone to internal zone
C27    HTTP services allowed from external zone to internal zone
C28    FTP services allowed from external zone to internal zone
C29    TFTP services allowed from external zone to internal zone
C30    DNS services allowed from external zone to internal zone
C31    Mail services allowed from external zone to internal zone
C35    DNS services allowed from DMZ zone to internal zone
C39    IP Address Spoofing
C40    Netbios services allowed from external zone to internal zone
C41    Microsoft RPC services allowed from external zone to internal zone
C42    Microsoft directory services allowed from external zone to internal zone
C43    Netbios services allowed from DMZ zone to internal zone
C46    Netbios services allowed from external zone to DMZ zone
C47    Microsoft RPC services allowed from external zone to DMZ zone
C48    Microsoft directory services allowed from external zone to DMZ zone
C55    Traceroute traffic allowed from external zone to internal zone
C61    SNMP services are allowed from external zone to internal zone
C62    SNMP services are allowed from external zone to DMZ zone
C63    LDAP service allowed from external zone to internal zone

C64    NFS services allowed from external zone to internal zone
C65    X11 services allowed from external zone to internal zone
C66    P2P file-sharing services allowed from external zone to internal zone
C67    SunRPC services allowed from external zone to internal zone
C69    Telnet services allowed from external zone to internal zone
C70    MSSQL services allowed from external zone to internal zone
C71    R services allowed from external zone to internal zone
C72    Finger service allowed from external zone to internal zone
C80    MSSQL services allowed from external zone to DMZ zone
C84    NFS services allowed from DMZ zone to internal zone
C85    X11 services allowed from DMZ zone to internal zone
C86    P2P file-sharing services allowed from DMZ zone to internal zone
C89    Telnet services allowed from DMZ zone to internal zone
C91    R services allowed from DMZ zone to internal zone
C92    Finger service allowed from DMZ zone to internal zone
C93    Rule(s) with "any" service allow access from external zone to DMZ zone
C94    Rule(s) allow "any" TCP service from external zone to DMZ zone
C95    Rule(s) allow "any" UDP service from external zone to DMZ zone
C96    Rule(s) with "any" destination address allow access from external zone to DMZ zone
C100   Rule(s) with "any" source address allow access from DMZ zone to external zone
C115   DataBase services allowed from external zone to internal zone
C116   DataBase services allowed from external zone to DMZ zone
C118   Rule(s) with "any" destination and "any" service allow access from external zone to internal zone
C119   Rule(s) with "any" destination and "any" service allow access from external zone to DMZ zone
C120   Rule(s) with "any" destination and "any" service allow access from DMZ zone to internal zone
C121   Rule(s) with "any" source and "any" service allow access from DMZ zone to internal zone
C122   Rule(s) with "any" source and "any" service allow access from DMZ zone to external zone
C123   Rule(s) with "any" service allow access from external zone to internal zone

Medium Risk

Risk   Description
C3     Check Point "Accept Outgoing Packets" implied rule
C8     Cisco external firewall management
C10    Insecure internal access to firewall
C11    ICMP echo requests are allowed from external zone to internal zone
C12    ICMP reply services are allowed from internal zone to external zone
C32    HTTP services allowed from DMZ zone to internal zone
C33    FTP services allowed from DMZ zone to internal zone
C34    TFTP services allowed from DMZ zone to internal zone
C49    Netbios services allowed from internal zone to external zone
C50    Microsoft RPC services allowed from internal zone to external zone
C51    Microsoft directory services allowed from internal zone to external zone
C52    Netbios services allowed from internal zone to DMZ zone


C56    Traceroute traffic allowed from DMZ zone to internal zone
C58    TCP or UDP high ports allowed from external zone to internal zone
C68    Instant message services allowed from external zone to internal zone
C73    LDAP service allowed from external zone to DMZ zone
C74    NFS services allowed from external zone to DMZ zone
C75    X11 services allowed from external zone to DMZ zone
C76    P2P file-sharing services allowed from external zone to DMZ zone
C77    SunRPC services allowed from external zone to DMZ zone
C78    Instant message services allowed from external zone to DMZ zone
C79    Telnet services allowed from external zone to DMZ zone
C81    R services allowed from external zone to DMZ zone
C82    Finger service allowed from external zone to DMZ zone
C83    LDAP service allowed from DMZ zone to internal zone
C87    SunRPC services allowed from DMZ zone to internal zone
C88    Instant message services allowed from DMZ zone to internal zone
C106   NFS services allowed from internal zone to external zone
C107   X11 services allowed from internal zone to external zone
C113   NFS services allowed from DMZ zone to external zone
C114   X11 services allowed from DMZ zone to external zone
C124   Netscreen external firewall management
C125   Checkpoint external firewall management
C126   Insecure DMZ access to firewall

Low Risk

Risk   Description
C22    Reserved source IP addresses (non RFC-1918) allowed access from external zone to internal zone
C23    Reserved source IP addresses (non RFC-1918) allowed access from external zone to DMZ zone
C24    RFC-1918 private IP source addresses allowed access from external zone to internal zone
C25    RFC-1918 private IP source addresses allowed access from external zone to DMZ zone
C36    Mail services allowed from DMZ zone to internal zone
C37    Protection against DoS Land Attack
C38    Protection against SYN Flood attack
C44    Microsoft RPC services allowed from DMZ zone to internal zone
C45    Microsoft directory services allowed from DMZ zone to internal zone
C53    Microsoft RPC services allowed from internal zone to DMZ zone
C54    Microsoft directory services allowed from internal zone to DMZ zone
C57    Traceroute traffic allowed from external zone to DMZ zone
C59    TCP or UDP high ports allowed from external zone to DMZ zone
C60    TCP or UDP high ports allowed from DMZ zone to internal zone
C90    MSSQL services allowed from DMZ zone to internal zone
C97    Rule(s) with "any" service allow access from internal zone to DMZ zone
C98    Rule(s) allow "any" TCP service from internal zone to DMZ zone
C99    Rule(s) allow "any" UDP service from internal zone to DMZ zone

C101   FTP services allowed from internal zone to external zone
C102   TFTP services allowed from internal zone to external zone
C103   Telnet services allowed from internal zone to external zone
C104   Instant message services allowed from internal zone to external zone
C105   R services allowed from internal zone to external zone
C108   FTP services allowed from DMZ zone to external zone
C109   TFTP services allowed from DMZ zone to external zone
C110   Telnet services allowed from DMZ zone to external zone
C111   Instant message services allowed from DMZ zone to external zone
C112   R services allowed from DMZ zone to external zone
C117   DataBase services allowed from DMZ zone to internal zone
