Auditing the Extranet

Started by deanwebb, April 03, 2017, 02:10:44 PM


deanwebb

Request came down the line to me, "audit the extranet!"

While "extranet" is a word from the 1990s that meant a web connection to an outside vendor or partner, now it can include site-to-site VPNs, client-to-site VPNs, pinholes in the firewall, cloud apps, web apps, site-to-jump-box-in-the-DMZ VPNs, and a host of other critters.

Because I'm at Global Megacorporation, I've got lots of rules to examine - over 4000 without any comment on them, for starters. For me, the trick is not in going to each rule, one at a time, and asking, "who owns *this* one?" but in looking at what protocols are permitted in the rules and flagging the ones that violate our policies.

We've got a firewall management tool, and I know that major firewall management platforms allow for the kinds of activities I need to do. Step one is getting with my Compliance counterpart to go through the vendor's default risk settings and to see if they are applicable for our environment. Next is to use those risk rules to assess each of our extranet firewalls. We've got over 5 dozen of the things, so being able to show a risk profile for each one is going to be way better than getting stuck on one that has over 1000 rules, asking multiple times "who owns *this* one?"

Once we have a risk profile on each firewall, we can flag activities to clean it up and create tickets for our support guys to get in there and to get scrubbing.

To get all this done, I've got to be more than just a technical guy. I need to know how to pull in resources to assist me and when and how to delegate authority and/or tasks to others so that I can be the most efficient at what I'm doing. Those non-technical things aren't found in the Cisco OCGs, so it's important to be reading outside of the tech stuff in order to get those skills. I've liked manager-tools.com as a go-to resource for that kind of information. My experiences both in Boy Scouts as well as having been a teacher for 16 years also come into play when directing a group of people to accomplish a task. Another great source is reading up on project management. I'm not running a formal project with budget and timelines, but I do have a task to accomplish and resources to utilize in order to get it done.

If I try and do it all myself, I'll fail. Big time. As in miss the deadline by a lot. If I get others involved and helping with the work, I'll be able to show significant progress so that even if I miss the deadline for the work, I'll still be able to show based on my progress an ETA for when I'll have it all done that won't be too far off the mark.

Now, back to the technical stuff. What protocols do I check? Turns out, I check the ones in the vendor's list. I need to look these up and be familiar with each so that I can help set a proper risk assessment with my Compliance guy. How big a deal is it if we allow POP3 and IMAP4 into our DMZ? Well, if I know what those protocols are, I can give part of an answer. My Compliance guy, based on the info I give, can finish my answer and set an appropriate risk level on those items.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Unfortunately, with today's technology much software uses 80 and 443 to circumvent firewall policy, so you'd better scrutinize those carefully.


1. turn everything off
2. see who complains
3. set priority based on who funds your PayPal account the best.
4. make needed changes to allow "approved" communications

approved = those that fund your PayPal account

JK (not that first statement, though)


:professorcat:

My Moral Fibers have been cut.
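As an added example (not code from any poster in this thread and not from any firewall management product), here is a small Python script that does the kind of check deanwebb describes: walk a rule export, flag the permitted services against a policy list, and produce a per-firewall risk profile so the worst firewalls come first instead of asking "who owns this one?" rule by rule. It also applies the point in this reply: rules permitting 80/443 are not waved through but marked for review. The rule set, the firewall names and the severity values are all constructed for the example; the real severities would be agreed with Compliance as described above.

```python
"""Per-firewall risk profile from a firewall rule export (constructed example)."""
from collections import Counter
from dataclasses import dataclass

# Assumed policy severities for permitted services. These are example values,
# not any vendor's default risk settings.
SERVICE_RISK = {
    "telnet/23": "high",
    "ftp/21": "high",
    "pop3/110": "high",    # cleartext mail retrieval into the DMZ
    "imap4/143": "high",   # cleartext mail retrieval into the DMZ
    "smb/445": "high",
    "http/80": "medium",   # many applications tunnel over 80/443: review, do not auto-accept
    "https/443": "medium",
    "ssh/22": "low",
    "pop3s/995": "low",
    "imaps/993": "low",
}
WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    firewall: str
    rule_id: str
    severity: str
    reason: str


def audit_rule(rule: dict) -> list:
    """Findings for one rule. Deny rules carry no risk and produce none."""
    findings = []
    if rule["action"] != "permit":
        return findings
    fw, rid = rule["firewall"], rule["id"]
    if rule["src"] == "any" and rule["dst"] == "any":
        findings.append(Finding(fw, rid, "high", "any-to-any permit"))
    for svc in rule["services"]:
        if svc == "any":
            findings.append(Finding(fw, rid, "high", "all services permitted"))
        elif svc in SERVICE_RISK:
            if SERVICE_RISK[svc] != "low":      # low-risk services are not reported
                findings.append(Finding(fw, rid, SERVICE_RISK[svc], f"permits {svc}"))
        else:
            findings.append(Finding(fw, rid, "medium", f"{svc} not in policy list; needs review"))
    if not rule.get("comment"):
        findings.append(Finding(fw, rid, "low", "no comment: owner unknown"))
    return findings


def audit(rules: list) -> dict:
    """Map each firewall name to its list of findings (empty list if clean)."""
    by_fw = {}
    for rule in rules:
        by_fw.setdefault(rule["firewall"], []).extend(audit_rule(rule))
    return by_fw


def risk_profile(findings: list) -> dict:
    """Counts per severity for one firewall, e.g. {'high': 2, 'medium': 1, 'low': 0}."""
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in ("high", "medium", "low")}


def rank_firewalls(by_fw: dict) -> list:
    """Firewall names ordered worst first by weighted finding score."""
    def score(findings):
        return sum(WEIGHT[f.severity] for f in findings)
    return sorted(by_fw, key=lambda fw: score(by_fw[fw]), reverse=True)


# Constructed rule export: five rules across three hypothetical extranet firewalls.
RULES = [
    {"firewall": "extranet-fw-01", "id": "r1", "src": "partner-net", "dst": "dmz-mail",
     "services": ["pop3/110", "imap4/143"], "action": "permit", "comment": ""},
    {"firewall": "extranet-fw-01", "id": "r2", "src": "any", "dst": "dmz-web",
     "services": ["https/443"], "action": "permit", "comment": "public web tier, owner: web team"},
    {"firewall": "extranet-fw-02", "id": "r3", "src": "any", "dst": "any",
     "services": ["any"], "action": "permit", "comment": ""},
    {"firewall": "extranet-fw-02", "id": "r4", "src": "vendor-net", "dst": "jump-box",
     "services": ["ssh/22"], "action": "permit", "comment": "vendor jump box, owner: netops"},
    {"firewall": "extranet-fw-03", "id": "r5", "src": "any", "dst": "any",
     "services": ["any"], "action": "deny", "comment": "cleanup rule"},
]

if __name__ == "__main__":
    results = audit(RULES)
    for fw in rank_firewalls(results):
        print(fw, risk_profile(results[fw]))
        for f in results[fw]:
            print(f"  {f.rule_id:<4} {f.severity:<6} {f.reason}")
```

Running it lists extranet-fw-01 first (two cleartext mail services plus an undocumented rule), then extranet-fw-02 (an any/any/any permit), with extranet-fw-03 clean. The output per firewall is what would become cleanup tickets; the script deliberately reports "no comment" as its own finding, since an undocumented rule has no owner to ask.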

that1guy15

Quote from: ristau5741 on April 04, 2017, 06:19:44 AM
Unfortunately, with today's technology much software uses 80 and 443 to circumvent firewall policy, so you'd better scrutinize those carefully.


1. turn everything off
2. see who complains
3. set priority based on who funds your PayPal account the best.
4. make needed changes to allow "approved" communications

approved = those that fund your PayPal account

JK (not that first statement, though)

Good old "I'm not doing my job unless you can't."

:D
That1guy15
@that1guy_15
blog.movingonesandzeros.net
