Automate Firewall Monitoring

by J. Edward Durrett

Continuous Monitoring - Change Management - Firewall Monitoring - Automation - Although these important
concepts start to have the ring of marketing buzzwords after a while, they are important best practices in
security and IT management. I often wonder why organizations are so slow to adopt them. My
suspicion is that as vendor after vendor parades through the manager's office, the words become synonymous
with cost. Like it or not, we live in a world with limited resources and IT cannot suck up the entire budget of
an organization. There have to be limits.

So, what is one to do without a sufficient budget? Complain? Well, no, because in the end no budget will ever be
sufficient. There is always one more thing to buy, the one thing that promises to fix all your problems, only it
seldom does. The answer is finding a simple solution to your problem, and all it takes is some talent and
creativity.

For example, take firewall management. We know that protecting the perimeter of our hosts is important, we know
that unauthorized or undocumented changes to firewall configurations are bad from a security perspective, and
we know that regulatory compliance, such as PCI, requires continual testing of firewalls to ensure that they are
doing what we think they are doing. How do we achieve these objectives?

When it comes down to it, there are three ways: buy a product, buy a service, or create a solution. The script
below is a simple no-cost solution:

#!/bin/sh
hosts=""          # Multiple hosts can be specified like "host1 host2"
allowed_ports=""  # Comma separated list of allowed open firewall ports, e.g. "22,80,443"
scanner_flags=""  # Example for no ping, fast TCP scan: "-Pn -T5"
# nmap prints one "port/proto state service" line per port: keep the open ones, strip "/proto"
nmap $scanner_flags $hosts | awk '$2 ~ /^open/ {print $1}' | cut -d / -f1 | while read -r open_port; do
    # Comma-pad the list so the match is on the whole number ("8" must not match "80")
    if printf ',%s,' "$allowed_ports" | grep -q -- ",$open_port,"; then
        printf '%s - Port is allowed!\n\n' "$open_port"
    else
        printf '%s - Port is not allowed!\n\n' "$open_port"
    fi
done

The problem is solved in a 12 line shell script. As this should be called by cron to run automatically, instead of
printing the results to standard output it is better to have the results mailed, sent by SMS or XMPP, or otherwise
pushed to the responsible party. As data and reports multiply, however, it is best to only notify if there is a
change (some auditors might not like this, so archiving reports of no change might be necessary, but let the
computer sort it out and free up costly human eyes to do something else).
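A cron-friendly version of that idea, added here as an example and not the post's own script: it keeps the per-host context from nmap's normal output, matches each open port against the allowlist as a whole number, and only emits a report when it differs from the archived previous run. The nmap output below is a constructed sample, and the state file path in the usage comment is an assumption.

```shell
#!/bin/sh
# Constructed nmap normal-output sample for two hosts (not a real scan)
SAMPLE_SCAN='Nmap scan report for web.example.test (192.0.2.10)
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT    STATE         SERVICE
443/tcp open          https
53/udp  open|filtered domain'

# check_ports ALLOWED_PORTS < nmap_output
# Prints one "host port/proto status" line per open port; exit status 1 if any port
# is not on the allowlist. The comma padding makes "8" match only "8", never "80".
check_ports() {
    awk -v allowed=",$1," '
        /^Nmap scan report for/ { host = $5 }
        $2 ~ /^open/ {
            split($1, p, "/")
            status = index(allowed, ("," p[1] ",")) ? "allowed" : "NOT-ALLOWED"
            if (status == "NOT-ALLOWED") bad = 1
            print host, $1, status
        }
        END { exit bad }'
}

# report_if_changed REPORT_TEXT STATE_FILE
# First run archives the report and returns 0. Later runs return 1 (stay quiet) when
# nothing changed, otherwise print the diff, archive the new report and return 0.
report_if_changed() {
    state="$2"
    if [ -f "$state" ] && printf '%s\n' "$1" | cmp -s - "$state"; then
        return 1
    fi
    [ -f "$state" ] && printf '%s\n' "$1" | diff "$state" - || true
    printf '%s\n' "$1" > "$state"
    return 0
}

# Cron usage (assumed paths, adjust to taste):
#   report=$(nmap -Pn -T5 $hosts | check_ports "$allowed_ports")
#   report_if_changed "$report" /var/lib/fwmon/last_report && mail -s "firewall change" ops@example.test
```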

Depending on the number of firewalls/hosts that need to be monitored, the script can be modified. For example,
using curl, git, or rsync to pull the host and port list from a central repository means the script does not
need to be updated every time a new service is opened or an old service is closed.

In conclusion, simple solutions often exist for administrative and security management objectives. Keeping cost low
and labor at a minimum is an important criterion when evaluating solutions. Low/no cost solutions take a few minutes
of thought but reward you with years of peace of mind without monthly or yearly bills dinging your always limited IT
budget.

References:

https://nmap.org/book/output-formats-grepable-output.html
Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.

Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.