Skybox Firewall Assurance Getting Started Guide 8.5.300 Revision: 11

Post on 06-Jul-2020

4 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Skybox Firewall Assurancedownloads.skyboxsecurity.com/files/Installers/... · vulnerability intelligence to continuously assess vulnerabilities in your environment and correlate them

Skybox Firewall Assurance

Getting Started Guide

8.5.300

Revision: 11


Proprietary and Confidential to Skybox Security. © 2017 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing [email protected].

Customers and partners can contact Skybox technical support via the Skybox support portal.


Skybox version 8.5.300 3

Contents

Intended audience ..... 5
How this manual is organized ..... 5
Related documentation ..... 6
Technical support ..... 6

Overview ..... 7
  Skybox Firewall Assurance ..... 8
  How Firewall Assurance works ..... 9
  Highlights of Skybox Firewall Assurance ..... 9
  Firewall change request workflow ..... 10
  Basic architecture ..... 10

Before you begin ..... 11
  Prerequisites ..... 11
  Starting Skybox Firewall Assurance ..... 12
  Summary page ..... 12

Importing firewalls ..... 14
  Add Firewall Wizard ..... 14
  Adding firewalls ..... 14
  Viewing firewalls ..... 17
  Searching access rules ..... 19

Rule Compliance ..... 21
  Overview of Rule Compliance ..... 21
  Working with Rule Compliance ..... 22

Access Compliance ..... 24
  Access Compliance and Rule Compliance ..... 24
  What is an Access Policy? ..... 24
  Mapping a firewall’s network interfaces to Access Policy zones ..... 26
  Analyzing the Access Policy ..... 28
  Understanding compliance metrics ..... 29
  Understanding what caused a violation ..... 31
  Creating and editing Access Policy exceptions ..... 32
  PCI DSS ..... 34

Configuration Compliance ..... 37
  Configuration Compliance overview ..... 37
  Viewing Configuration Compliance for a single firewall ..... 37
    Viewing vulnerabilities on a firewall ..... 38
  Viewing Configuration Compliance for all analyzed firewalls ..... 40
  Viewing an overview of Configuration Compliance ..... 42

Optimization and cleanup ..... 43
  Shadowed and redundant rules ..... 43
  Rule usage analysis ..... 46
    Viewing object usage ..... 48
    Generating Rule Usage Analysis reports ..... 49
  Exporting data to CSV files ..... 50

Change tracking ..... 51
  Using change tracking ..... 51
  Viewing the changes ..... 52
  Change Tracking reports ..... 53

Rule review ..... 54
  Reviewing rules ..... 54
  Recertifying rules ..... 56

Intrusion prevention systems ..... 58
  Viewing IPS coverage in Skybox ..... 58

Access Analysis ..... 60
  Using the Access Analyzer ..... 60

What If and Forensics models ..... 64

Using Skybox reports ..... 65
  Reports tree ..... 65
  Report types ..... 65
  Firewall Assurance reports ..... 66


Preface

Intended audience

The Skybox Firewall Assurance Getting Started Guide provides background information about what Skybox Firewall Assurance does and how it works, and explains how to get started using the product. This Getting Started Guide is intended for use with the demo model only. To model firewalls from your own corporate network and work with those firewalls, see the Skybox Firewall Assurance User’s Guide.

The intended audience is anyone who wants to learn how to use Skybox Firewall Assurance.

How this manual is organized

This manual includes:

› Overview (on page 7) of Skybox Firewall Assurance

› Before you begin (on page 11), which includes:

• Instructions for starting and logging in to Skybox

• An overview of the GUI

• Instructions for loading the demo model

If you are familiar with Skybox, you can skip most of this section. However, make sure to load the Live demo model file (on page 12).

› Tutorials on:

• Importing firewalls (on page 14)

• Rule Compliance (on page 21): Understanding how much protection is offered by a firewall’s access rules

• Access Compliance (on page 24): Testing the firewall traffic in the demo model for compliance with predefined Access Policies that correspond to industry standards

• Configuration Compliance (on page 37): Viewing weaknesses in firewall configurations

• Optimization and cleanup (on page 43): Optimizing access rules on a firewall

• Change tracking (on page 51): Viewing and managing changes in access rules and checking the results of these changes on the network

• Access Analysis (on page 60): Understanding and troubleshooting connections between a source and a destination

• Using Skybox reports (on page 65): Understanding the built-in reports, making changes to the properties of reports, and generating reports


Each tutorial builds on the knowledge gathered in the previous tutorial; they are intended to be used in sequence.

Note: Screen captures in this document were taken with a Skybox installation with a license for Skybox Firewall Assurance and Skybox Network Assurance. If you have a license for only 1 of these Skybox products, some screens might look slightly different.

Related documentation

The following documentation is available for Skybox Firewall Assurance:

› Skybox Firewall Assurance User’s Guide

Other Skybox documentation includes:

› Skybox Installation and Administration Guide

› Skybox Reference Guide

› Skybox Developer’s Guide

› Skybox Release Notes

› Skybox Change Manager User’s Guide

The entire documentation set (in PDF format) is available here.

You can access a comprehensive Help file from any location in the Skybox Manager by using the Help menu or by pressing F1.

Technical support

You can contact Skybox using the form on our website or by emailing [email protected].

Customers and partners can contact Skybox technical support via the Skybox support portal.

When opening a case, you need the following information:

› Your contact information (telephone number and email address)

› Skybox version and build numbers

› Platform (Windows or Linux)

› Problem description

› Any documentation or relevant logs

You can compress logs before attaching them by using the Pack Logs tool (see Packing log files for technical support, in the Skybox Installation and Administration Guide).


Chapter 1 Overview

This chapter contains introductory information about Skybox Firewall Assurance.

In this chapter

Skybox Firewall Assurance ..................................................... 8

How Firewall Assurance works ................................................ 9

Highlights of Skybox Firewall Assurance .................................. 9

Firewall change request workflow.......................................... 10

Basic architecture ............................................................... 10



Skybox Firewall Assurance

Skybox™ Security arms security professionals with the broadest platform of solutions for security operations, analytics and reporting. By integrating with more than 100 networking and security technologies that organizations already use, the Skybox Security Suite merges data silos into a dynamic network model of your organization’s attack surface, giving comprehensive visibility of public, private and hybrid IT environments. Skybox provides the context needed for informed action, combining attack vector analytics and threat-centric vulnerability intelligence to continuously assess vulnerabilities in your environment and correlate them with exploits in the wild. This makes the accurate prioritization and mitigation of imminent threats a systematic process, decreasing the attack surface and enabling swift response to exposures that truly put your organization at risk.

Firewall Assurance covers the most comprehensive list of firewall vendors, complex rulesets and virtual- and cloud-based firewalls, bringing your entire firewall estate into one view. With continuous monitoring of firewalls and network devices, Firewall Assurance verifies that firewalls are clean, optimized and working effectively. It extends beyond firewall rule checks, analyzing possible traffic between network zones to find hidden attack vectors, flagging unauthorized changes and finding vulnerabilities on firewalls.


› Identify security policy violations and platform vulnerabilities to reduce your attack surface

› Visualize how network traffic can flow through your firewalls to troubleshoot access issues

› Clean and optimize firewall rulesets to maintain top performance

› Manage traditional, next-generation, virtual- and cloud-based firewalls with a single consistent and efficient process

Skybox Firewall Assurance is most often used to automate firewall audits and, in addition, to test policy compliance on other types of forwarding devices.

How Firewall Assurance works

The following diagram shows the process of working with Firewall Assurance.

Highlights of Skybox Firewall Assurance

Highlights

› Comprehensive detection of security threats and compliance risks

• Imports, combines and normalizes firewall data automatically from multiple vendors

• Highlights access policy violations and provides root cause analysis

• Identifies rule conflicts and misconfigurations

• Reveals vulnerabilities on firewalls

› Next-generation firewall management

• Supports next-generation access and rule compliance at the user and application level

• Provides configuration analysis and reporting on intrusion prevention system (IPS) blades

• Provides comprehensive visibility and real-time reporting

• Highlights the impact of firewall risks on your attack surface

• Shows the relation between firewalls and zones on an interactive map

• Reports on firewall ruleset audits and automates change tracking


• Incorporates compliance metrics and configuration analysis

› Firewall optimization and cleanup

• Automates rule recertification to streamline rulesets and ensure compliance

• Monitors firewalls continuously to eliminate security gaps

• Targets redundant, hidden and obsolete rules for cleanup and optimization

Firewall change request workflow

Skybox Firewall Assurance supports firewall change management using either of 2 approaches:

› Using a workflow application: Skybox Security offers Skybox Change Manager, a web interface for use with Skybox Firewall Assurance that supports a change request workflow. You can submit change requests to permit new connectivity in the network. Network administrators can quickly find the relevant firewalls and check whether the firewalls already grant this access. Moreover, the module can check whether this request complies with your organization’s network guidelines and help to plan the details of the required access rule change. For additional information, see the Skybox Change Manager User’s Guide.

› Using Skybox’s API: If you want to build a workflow application with BMC Remedy or another ticketing system, you can use the Skybox web service API to run Skybox’s Access and Policy analysis and to extract firewall policy information. For additional information, see the Firewall Changes API chapter in the Skybox Developer’s Guide.

Basic architecture

The Skybox platform consists of a 3-tiered architecture with a centralized server (Skybox Server), data collectors (Skybox Collectors), and a user interface (Skybox Manager). Skybox can be scaled easily to suit the complexity and size of any infrastructure.

For additional information, see the Skybox architecture topic in the Skybox Installation and Administration Guide.


Chapter 2 Before you begin

This chapter contains introductory information about working with Skybox.

In this chapter

Prerequisites ...................................................................... 11

Starting Skybox Firewall Assurance ....................................... 12

Summary page ................................................................... 12

Prerequisites

› Skybox must be installed on your system before you can begin to work with the tutorials in this guide.

› The Skybox Server must be running before you can start the Skybox Manager. If it is not running on your local machine, you need its name or IP address to connect to it.



Starting Skybox Firewall Assurance

To start Skybox Firewall Assurance

1 In the Windows system tray, right-click the Skybox icon and select Open Skybox.

2 Note that you can log into any Skybox product at this point by clicking its icon above the User Name field. Make sure that Skybox Firewall Assurance is selected.

3 Type your user name and password.

If you were not assigned a user name and password by your Skybox administrator, use the default user name skyboxview with the password skyboxview. Change this default password before the Server is reachable from any host other than your own workstation; a documented default credential is an obvious target.

4 If the Server was not specified during installation or you do not want to connect to the default Server, select the desired Server or type its IP address.

5 Click Login.

6 The 1st time that you work with Skybox, click the Load demo model link in the workspace to load the demo model file.

The demo model file includes a small model for which data has been collected and various configuration tasks have already been run. The file takes about a minute to load; the display refreshes when loading finishes.

Summary page

After the demo model loads, the All Firewalls Summary page is displayed in the workspace. This is the main page for Skybox Firewall Assurance, where you can see summaries about the various types of information that Skybox provides about your firewalls.

The page contains summary information about:


› Policy Compliance: The policy compliance level for both Access Compliance and Rule Compliance, and a link to the list of violations of the firewall ACLs

› Configuration Compliance: The security level of the firewall configurations, based on platform security checks

› Optimization and Cleanup: The number of firewalls with access rules that are candidates for cleanup, based on analysis of shadowing and redundancy, and on hit counts (from the firewall logs)

› Change Tracking: The changes made in firewall access rules; how many firewalls were changed recently, and how many rules and objects were changed

From the Summary page, you can drill down to the firewall level in whichever area interests you. Alternatively, you can view a similar summary for each firewall by selecting the firewall in the Tree pane.


Chapter 3 Importing firewalls

This chapter explains how to add firewalls and their configuration data to Skybox.

In this chapter

Add Firewall Wizard ............................................................. 14

Adding firewalls .................................................................. 14

Viewing firewalls ................................................................. 17

Searching access rules ........................................................ 19

Add Firewall Wizard

Skybox can import configurations from many types of firewalls (and other devices).

You import firewalls using the Add Firewalls Wizard. You can use the wizard to:

› Connect directly to the firewall and collect its configuration data

For this method, you must know the firewall details.

› Import saved configuration files of the firewall

For this method, you must save copies of the necessary configuration files on your file system.

Adding firewalls

Configuration data for a number of devices is included in the demo model that you loaded, so there is no need to add more firewalls. However, several steps of the Add Firewalls Wizard are included in this tutorial to familiarize you with the process. You use the Add Firewalls Wizard to add firewalls and their configuration data to Skybox. If there are firewalls in the Skybox model that are not listed under All Firewalls in the Firewall Assurance tree, use the wizard to add these firewalls to the tree.



To add a firewall to Skybox

1 Open the Firewall Assurance workspace.

2 On the toolbar, click the Add Firewalls Wizard icon.

3 In the Start screen, from the Select firewall type drop-down list, select Cisco PIX/ASA/FWSM firewall.

4 In the Select method for importing configuration drop-down list, select Import configuration files.

The selected method specifies whether to import saved configuration files (files generated from firewall configuration data retrieved from the firewall) or retrieve configuration information directly from the firewalls.


5 Click Next.

In the Properties screen for importing firewalls, you specify the location of the saved configuration files.

6 Click Back.

7 In the Select method for importing configuration drop-down list, select Import from Firewall and then select Default Collector as the Skybox Collector to use to collect information from the firewall.


8 Click Next.

In the Properties screen for collecting firewalls, you specify the information that the Collector needs to access the firewall and find the correct data.

Note: Each firewall type has different properties.

9 As the necessary firewalls are already included in the model, click Cancel at this point.

Viewing firewalls

To view the summary of a firewall

› In the tree, select All Firewalls > main_FW.

In the workspace, you see summary information about the firewall.

You can click a link to focus on that aspect of the firewall.

Note: When a firewall is part of a firewall management system, the firewall is visible in the tree under the name of the management system. For example, All Firewalls > MgmtServer1 > Firewall1.


To view the firewall’s connections in a graphical (map) format

1 At the top of the workspace (underneath the name of the firewall), click the Firewall Map link, or click the Firewall Map icon on the toolbar.

The Firewall Map window, displaying a map of the firewall’s connections, opens. You can see all the network interfaces of the firewall and the networks or clouds to which they are connected. This is useful for checking that new firewalls were imported correctly.

2 Right-click the firewall icon. You can see there are various possible actions.

3 Right-click an interface icon. You can use this method to mark or change the zone of a network interface.

4 Close the Firewall Map when you are finished with it.


To view the access rules of a firewall

1 At the top of the workspace, click the Access Rules link.

2 Click the 3rd rule (Source = Partners Network, Destination = DMZ).

In the Object tree (right pane), you can see the firewall objects for this rule.

You can expand the firewall objects to see the hierarchies of objects or double-click a firewall object to view its properties. You can double-click an access rule to see its properties.

3 By default, the source and destination are displayed using the original names that are used in the firewall object. Click Show Resolved Addresses to view them as IP address ranges.

4 Click Cancel.

Searching access rules

In addition to viewing all the access rules of a firewall, you can use Skybox’s search capability to view a list of access rules that meet specified criteria.

For example, you can search for access rules that:

› Contain a specific object

› Contain a specific IP address or IP address range in the source or destination, or a specific port in the services field

› Contain a specific string in the original rule text or a specific original rule ID

To search for access rules

1 In the tree, select All Firewalls.

The context of the search depends on the element selected in the Tree pane; this search is across all firewalls.

2 In the Search area of the toolbar (on the right), make sure that Access Rule is selected in the drop-down list.

3 In the Search box, you can type an IP address or IP address range, a service port, or all or part of an object name. For the purpose of this tutorial, type app1. This searches for the asset app1 in the Source, Destination, and Service of all firewalls.

4 Click the search icon.

All access rules containing app1 are listed in the search results.

Note: Skybox determines the fields to be checked by examining the format of the search string. Only the appropriate fields are checked for matches.

5 In the Search box, click the clear icon to clear the previous search results.

6 Click the expand icon to expand the search definition area.

You can see that there are various ways to refine the search, including searching only in specific fields, or changing the scope.

7 In the Search By area, select Advanced Search.

8 In the Source box, type app1.

9 Click the search icon.

This time, the search results list only access rules that contain app1 in their Source field, not in the Destination.
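The search behaviour described in this procedure, as an added example written for this edition (it is not code from the guide or from Skybox): the script classifies the search string by its format, as the note in step 4 describes, and then matches it against a small constructed ruleset. The object names, the rules, the OBJECTS and SERVICES tables and the exact classification heuristic are all assumptions; only the idea that the string's format selects the fields to check comes from the guide. An IP search resolves firewall objects to address ranges first, the same view that Show Resolved Addresses gives in the GUI, so a rule whose source or destination is Any matches every address (an assumption about how matching should behave).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed demo data (hypothetical names, not the Skybox demo model).
# Firewall objects resolve to address ranges, as "Show Resolved Addresses" does.
OBJECTS = {
    "app1": ["10.1.2.10/32"],
    "Partners Network": ["172.16.0.0/16"],
    "DMZ": ["10.1.2.0/24"],
    "Internal": ["10.0.0.0/8"],
}
# Service object -> (IP protocol, port); assumed values.
SERVICES = {"http": (6, 80), "https": (6, 443), "ssh": (6, 22), "dns": (17, 53)}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    rule_id: str
    source: list
    destination: list
    services: list
    action: str


RULES = [
    Rule("R1", ["Partners Network"], ["DMZ"], ["http", "https"], "permit"),
    Rule("R2", ["Internal"], ["app1"], ["ssh"], "permit"),
    Rule("R3", ["app1"], ["Any"], ["dns"], "permit"),
    Rule("R4", ["Any"], ["Any"], ["Any"], "deny"),
]


def resolve(names):
    """Expand object names to ip_network objects; "Any" becomes 0.0.0.0/0."""
    nets = []
    for name in names:
        if name == "Any":
            nets.append(ANY_NET)
        else:
            nets.extend(ipaddress.ip_network(cidr) for cidr in OBJECTS[name])
    return nets


def classify(query):
    """Infer the search kind from the string's format alone (assumed heuristic):
    'a.b.c.d-e.f.g.h' or an address/CIDR -> ip, digits -> port,
    anything else -> object-name substring."""
    query = query.strip()
    try:
        m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)", query)
        if m:
            return "ip", (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
        net = ipaddress.ip_network(query, strict=False)
        return "ip", (net[0], net[-1])
    except ValueError:
        pass
    if re.fullmatch(r"\d{1,5}", query):
        return "port", int(query)
    return "name", query.lower()


def overlaps(nets, lo, hi):
    """True if any network in nets shares at least one address with lo..hi."""
    return any(net[0] <= hi and net[-1] >= lo for net in nets)


def search(rules, query, fields=("source", "destination", "services")):
    """Return the IDs of rules matching query in any of the given fields.
    The default fields reproduce the basic search; pass fields=("source",)
    for the Advanced Search that looks only at the Source column."""
    kind, value = classify(query)
    hits = []
    for rule in rules:
        if kind == "ip":
            lo, hi = value
            matched = any(overlaps(resolve(getattr(rule, f)), lo, hi)
                          for f in fields if f in ("source", "destination"))
        elif kind == "port":
            matched = "services" in fields and any(
                s != "Any" and SERVICES[s][1] == value for s in rule.services)
        else:
            matched = any(value in name.lower()
                          for f in fields for name in getattr(rule, f))
        if matched:
            hits.append(rule.rule_id)
    return hits
```

search(RULES, "app1") reproduces step 4 (Source, Destination and Service are all searched), and search(RULES, "app1", fields=("source",)) reproduces the Advanced Search of step 8, which returns only the rule with app1 in its Source.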


Chapter 4 Rule Compliance

This chapter explains working with Rule Compliance in Skybox.

In this chapter

Overview of Rule Compliance ............................................... 21

Working with Rule Compliance .............................................. 22

Overview of Rule Compliance

Skybox analyzes Rule Compliance: it checks firewall access rules against a Rule Policy, that is, a set of best practice guidelines.

Skybox checks the access rules of each firewall for compliance with the Rule Policy and shows which access rules violate the policy.

Rule Compliance analysis provides a starting point for understanding how much protection is offered by a firewall’s access rules. You can find more accurate information using Skybox’s Access Policy analysis, which checks traffic in the firewall against an Access Policy, but this requires additional configuration on your part, such as the selection of an Access Policy (NIST, PCI DSS, or custom) and mapping firewall interfaces to zones. For this reason, we recommend Rule Compliance analysis as a 1st step.

Skybox includes a predefined Rule Policy. The predefined Rule Policy includes standard best practice Rule Checks, for example:

› Rules must not have “Any” in the destination, source, or service

› Rules must not have too many IP addresses in the destination or source

Some Rule Checks relate to missing access rules or to the interaction between access rules, for example:

› The ACL is missing an explicit Any-Any Deny rule

› There are bidirectional rules (that is, 2 rules with opposite source and destination but with the same service) in the ACL

You can:

› Control the set of Rule Checks to be applied to the firewalls by enabling and disabling checks, changing their severity, and modifying their properties

› Create custom Rule Checks as necessary
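The following Python script is an added example, not Skybox code: it implements the four predefined Rule Checks named above as syntactic checks over a constructed ACL, and reports them the way the Rule Compliance pane does (check name, violating rules). The Rule class, the address threshold of 4096, the decision to apply the “Any” and address-count checks to Allow rules only (so that the explicit Any-Any Deny is not itself flagged), and the sample rules are assumptions made for illustration.

```python
"""Syntactic Rule Checks over a firewall ACL.

Added example, not Skybox code. The four checks mirror the predefined Rule
Checks named in the text; the rule format, the address threshold, the
decision to check Allow rules only and the sample ACL are assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    rule_id: int
    source: tuple       # CIDR strings, or ("Any",)
    destination: tuple  # CIDR strings, or ("Any",)
    service: tuple      # e.g. ("tcp/22",), or ("Any",)
    action: str         # "Allow" or "Deny"


def is_any(values):
    """String comparison, as in Rule Compliance: the field is literally Any."""
    return any(v.lower() == "any" for v in values)


def address_count(values):
    """Number of IPv4 addresses covered by a non-Any field."""
    return sum(ipaddress.ip_network(v, strict=False).num_addresses for v in values)


def check_any_in_fields(rules):
    """Allow rules must not have Any in source, destination or service.
    Deny rules are skipped so the explicit Any-Any Deny is not flagged (assumption)."""
    return [r.rule_id for r in rules if r.action == "Allow"
            and (is_any(r.source) or is_any(r.destination) or is_any(r.service))]


def check_too_many_addresses(rules, limit=4096):
    """Allow rules must not cover more than `limit` addresses in source or destination.
    Any fields are left to check_any_in_fields; the limit is an assumed threshold."""
    violating = []
    for r in rules:
        if r.action != "Allow":
            continue
        for field in (r.source, r.destination):
            if not is_any(field) and address_count(field) > limit:
                violating.append(r.rule_id)
                break
    return violating


def check_explicit_any_any_deny(rules):
    """The ACL must end with an explicit Any-Any Deny rule."""
    last = rules[-1]
    return (last.action == "Deny" and is_any(last.source)
            and is_any(last.destination) and is_any(last.service))


def check_bidirectional(rules):
    """Pairs of rules with swapped source/destination and the same service."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (set(a.source) == set(b.destination) and set(a.destination) == set(b.source)
                    and set(a.service) == set(b.service)):
                pairs.append((a.rule_id, b.rule_id))
    return pairs


def run_rule_policy(rules, address_limit=4096):
    """Return {Rule Check name: violating rule ids}, like the Rule Compliance pane."""
    return {
        "Any in source, destination or service": check_any_in_fields(rules),
        "Too many addresses in source or destination": check_too_many_addresses(rules, address_limit),
        "Bidirectional rules": sorted({rid for pair in check_bidirectional(rules) for rid in pair}),
        "Missing explicit Any-Any Deny": [] if check_explicit_any_any_deny(rules) else [rules[-1].rule_id],
    }


# Constructed sample ACL, in rule-chain order (the last rule matters for the deny check).
SAMPLE_ACL = [
    Rule(10, ("10.1.1.0/24",), ("192.0.2.10/32",), ("tcp/443",), "Allow"),
    Rule(20, ("Any",), ("192.0.2.0/24",), ("tcp/80",), "Allow"),
    Rule(30, ("10.1.0.0/16",), ("192.0.2.20/32",), ("tcp/22",), "Allow"),
    Rule(40, ("192.0.2.20/32",), ("10.1.0.0/16",), ("tcp/22",), "Allow"),
    Rule(50, ("Any",), ("Any",), ("Any",), "Deny"),
]

if __name__ == "__main__":
    for check, violating in run_rule_policy(SAMPLE_ACL).items():
        print(f"{'FAIL' if violating else 'PASS'}  {check}: {violating}")
```

On the sample ACL, rule 20 fails the “Any” check, rules 30 and 40 fail the address-count check and are reported as a bidirectional pair, and the explicit Any-Any Deny check passes because rule 50 closes the chain; drop rule 50 and that check fails instead.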


Working with Rule Compliance

Rule Compliance is analyzed automatically after firewalls are imported via the wizard.

To view Rule Compliance

1 In the tree, select a firewall.

2 Look at the Rule Compliance pane.

You can see whether or not the firewall is compliant with the Rule Policy and how many access rules violated the Rule Policy.

3 Click Rule Compliance.

You can see the Rule Checks applied to the firewall and their pass/fail status.

The Violating Rules column shows how many access rules violated each check.

4 Click the Violating Rules tab at the top of the table.

You can see all the violating access rules for this firewall, including those that violated the Access Policy.


Exporting Rule Compliance information

To export Rule Compliance information for a firewall

› Right-click the firewall’s Policy Compliance node and select Export to CSV – Rule Compliance.

Irrelevant Rule Checks

Some Rule Checks might not be relevant for all firewalls. You can disable a Rule Check for a specific firewall by right-clicking the check and selecting Disable Rule Check in this Firewall.

Analyzing Rule Compliance after firewall updates

When you import a firewall using the wizard (as explained in Firewall import (on page 14)), Rule Compliance is analyzed automatically. When firewalls are updated using Skybox tasks, use an Analysis – Policy Compliance task to analyze Rule Compliance.

Note: If a firewall was not analyzed for some reason or if you accidentally cleared the compliance results, reanalyze compliance (right-click the Policy Compliance node of the firewall and select Analyze Compliance).


Chapter 5 Access Compliance

Skybox uses Access Compliance analysis to verify that your firewall ACLs are well configured.

This chapter explains how to test firewall traffic for compliance with predefined Access Policies that correspond to industry standards. The result is compliance metrics for each firewall, a list of violations of the selected Access Policy, and a list of access rules that should be fixed.

In this chapter

Access Compliance and Rule Compliance ............................... 24

What is an Access Policy? .................................................... 24

Mapping a firewall’s network interfaces to Access Policy zones .. 26

Analyzing the Access Policy .................................................. 28

Understanding compliance metrics ........................................ 29

Understanding what caused a violation .................................. 31

Creating and editing Access Policy exceptions ......................... 32

PCI DSS ............................................................................ 34

Access Compliance and Rule Compliance

When Skybox analyzes Rule Compliance, it uses syntactic checks (string comparison) to check whether a firewall’s access rules obey simple best practice guidelines, such as “No Risky Ports” and “‘Any’ in 2 fields”. In the Rule Compliance chapter (on page 21), you saw how Skybox displays Rule Compliance.

When Skybox analyzes Access Compliance, it checks whether traffic can pass through the firewall, taking all the firewall’s access rules into consideration. In this chapter, you see how Skybox displays Access Compliance.

What is an Access Policy?

An Access Policy is a set of rules (Access Checks) defining the constraints on the traffic permitted by a firewall protecting the network. These rules verify that the access permitted by the firewall does not violate the policy established by your organization: best practice, regulatory, or customized organizational policy. Skybox includes a predefined Access Policy for the NIST 800-41 guidelines and another for PCI DSS (Requirement 1; versions 2.0 and 3.1 are supported, and 3.1 is the default).

To view the Access Policies

1 In the tree, expand the Access Policies node.

There are separate Access Policies for NIST and PCI.

2 Expand the NIST 800-41 Policy > NIST External Access folder.

This folder is divided into policy sections: NIST-External to External, NIST-External to Partner, NIST-External to DMZ, and NIST-External to Internal. Each policy section specifies the desired access relationship between 2 specific zones.

3 When you expand these policy sections, you can see the Access Checks in each section.


Some Access Checks in different policy sections have similar names because they test the same type of access but between different areas or zones in the network. For example, in the External to DMZ policy section, the Block Trojan and Worm Ports Access Check tests that there is no access to Trojan and worm ports in the DMZ from external servers; in the External to Internal policy section, the Access Check with the same name tests that there is no access to Trojan and worm ports in the internal servers from the external servers.

4 Expand the PCI DSS V3.1 Policy node.

Each subfolder defines how to test compliance for a particular section of the PCI DSS policy.

Customizing the Access Policies

The predefined Access Policies include 2 policies based on NIST 800-41 and other industry-wide best practice guidelines (the 1st for most firewalls and the 2nd for next-generation firewalls, such as Palo Alto Networks) and a policy for PCI DSS V3.1. However, most organizations have additional best practice guidelines of their own; you can add these guidelines to the appropriate Access Policy in the form of custom Access Checks and custom zones, or create a separate Access Policy. You can also modify or disable Access Checks.

Mapping a firewall’s network interfaces to Access Policy zones

You can apply an Access Policy to a firewall by selecting the Access Policy and then mapping the firewall’s network interfaces to the zones used in that policy. A zone is a way of grouping network interfaces that have the same trust level. For example, map the network interface of a firewall that leads to the DMZ network to the DMZ zone and map network interfaces leading to the internet and other external networks to the External zone. You can then check compliance of this firewall with the selected Access Policy.


To check whether your firewall is compliant with the NIST or PCI DSS Access Policy, you must select the Access Policy to use, and then map each network interface of the firewall to the appropriate zone. You can see the network to which each interface is mapped in the firewall map, which can help you understand which network interfaces map to which zones.


To select an Access Policy and map zones for a firewall

1 In the Firewall Assurance tree, right-click the All Firewalls > main_FW > Policy Compliance node and select Manage Access Policy.

2 In the Manage Access Policy dialog box, select the Access Policy named NIST 800-41 Policy.

3 To change the zone of a network interface, select int18 and click Mark as Zone.

The Mark as zone dialog box is where you change or add the zone type. (The zone name is optional.)

4 Click Cancel.

5 To check traffic to or from a network interface, click Access from Interface or Access to Interface.

• For information about these results, see Access Analysis (on page 60).

6 Click OK.

Note: After you select the Access Policy for a firewall, you can map the network interfaces to zones either in this dialog box or in the firewall map.

Analyzing the Access Policy

After all network interfaces are classified into zones, analyzing the Access Policy runs its Access Checks against the firewalls in scope: Skybox analyzes the access that each firewall permits between zones and reports where that access does not comply with the checks.

You can analyze all or part of the Access Policy. For example:

› A specific firewall (that is, analyze only the Access Checks that apply to the selected firewall)

› A specific folder or policy section (for example, only Access Checks that check for access between the External and DMZ zones), for all firewalls in the scope

› A specific Access Check

Analyzing compliance

To analyze compliance (for all firewalls)

1 In the Tree pane, select All Firewalls.

2 On the toolbar, click the analysis button.

Note: This action analyzes the firewalls for all types of compliance (Access Compliance, Configuration Compliance, and Rule Compliance), change tracking, and shadowed and redundant rules.

Understanding compliance metrics

After the Access Policy is analyzed for a firewall, the firewall’s Summary page shows a short summary of the results, including how far the firewall complies with the Access Policy and with each of its sections.

1 With main_FW selected in the tree, look at the workspace.

The summary of policy compliance lists the compliance metrics for this firewall.


2 Click the Violating Rules link to view the firewall’s access rules that caused the violations.

Look in the Access Policy Violations column to view the number of Access Policy violations per access rule.

3 Select a specific access rule in the Table pane; the Details pane lists data about the selected rule.

In the Table pane, you can see the violations caused by the selected access rule, including the violated policy section and Access Check.

Each of these violations is a failed test of the NIST 800-41 policy on main_FW: the list shows what was tested and that the test failed.

4 The Rule Details tab displays detailed information about the selected access rule, including firewall objects.

After you see why an access rule is causing violations, you can decide how to fix it. For example, you could change a rule that permits access on all services to permit access on specific services only.


Access Compliance by policy sections

Sometimes it is useful to view the violations according to the policy sections that they violate. In this way, you get an overall idea of which zone-to-zone connections in this firewall are causing the most problems.

1 In the tree, reselect main_FW > Policy Compliance.

2 In the Table pane, click the Access Compliance tab.

You can see a list of the policy sections with their source, destination, and the number of violations of each criticality level.

3 Select an Access Policy section and click the All Tests tab of the Details pane to see a list of the tests that checked compliance.

Skybox verifies compliance of the firewall to the Access Policy by running access tests: tests that analyze access between the network interfaces (zones) of the firewall according to the rules specified in the Access Policy. Each test analyzes a specific Access Check between 2 interfaces.

For example, an Access Check that analyzes to make sure that NetBIOS access is blocked from External zones to DMZ zones has separate tests for each External interface to each DMZ interface. If there are 2 interfaces marked External Zone and 2 interfaces marked DMZ Zone, there are a total of 4 access tests; 1 test for each combination of source (External) and destination (DMZ) interfaces.

If all the tests passed successfully, the firewall is considered 100% compliant. Tests that fail are violations. The compliance level is the percentage of successful tests relative to the total number of tests.

Understanding what caused a violation

This section explains how to view access information for violations. When you understand what caused the violation, you can work out the appropriate solution.

To view access information for a violation

1 On the toolbar, click the button that lists the policy sections.

2 Click NIST-External to Internal.

You can see that for this policy section, there is 1 violating access rule. In the Details pane, you see that this access rule has 3 violations.


3 Click the violating rule’s link in the Table pane.

The Table pane lists the violations for this policy section. The Details pane contains information about the 1st violation, with the Details tab displayed.

You can see that the name of the rule is Block Login Services and that this is a critical violation.

The access test failed because access exists between the External interface (int19) and the Internal interface (int15), but the Access Check specifies that login services must not be permitted between network zones of different security levels.

4 Click the button that displays all the tabs in the Details pane.

5 Click the Access Results tab to view the access between the source and the destination.

6 In the tree, expand the int15 network interface and select the lowest-level node.

You can see that the access to the IP address range 192.170.17.0-192.170.19.255 is via the service (port) 22-23/TCP.

Creating and editing Access Policy exceptions

Exceptions are a way to fine-tune the Access Policy according to the actual practices or requirements of your organization. Sometimes, specific entities in a location or zone that you are testing have different access permissions from the rest of the entities in that location or zone. You can mark these entities as exceptions to the Access Check so that they are not tested, or you can create exceptions for specific access rules.

In this example, assume that access over 22-23/TCP between the internet and the internal networks has been reviewed and does not violate your organization’s Access Policy; mark it as an exception. Note that an exception only removes the finding from the compliance results: the firewall still permits the traffic, so record the justification for each exception you create.


To mark exceptions

1 In the Access Results tree, select the 22-23/TCP node and click the toolbar button that marks the selection as an exception.

2 Click OK.

As this is the only service that violated the Access Check in this access test, the test no longer violates the Access Policy and a green compliance indicator appears next to the ID of the test.

You can view and edit exceptions.
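The following Python script is an added example, not Skybox code. It puts together the two mechanisms described in this section: expanding an Access Check into one access test per pair of source and destination interfaces and computing the compliance level as passed tests over total tests (Access Compliance by policy sections, above), and removing a service from one test by marking an exception (this section). The zone mapping, the access results (which in Skybox come from analyzing the firewall’s access rules), the Access Checks and their service lists are constructed; int15 and int19 are the interface names used above, the other interface names are made up.

```python
"""Access tests, compliance level and exceptions for one firewall.

Added example, not Skybox code. An Access Check between two zones expands
into one test per (source interface, destination interface) pair; a test
fails when the firewall permits any service the check blocks; an exception
removes a service from one test; compliance = passed tests / total tests.
All data below is constructed for illustration.
"""
from itertools import product

# Constructed zone mapping: interface -> zone (int15 and int19 are named in the text).
ZONES = {"int19": "External", "int20": "External", "int15": "Internal",
         "int16": "DMZ", "int17": "DMZ"}

# Constructed access results: services the firewall permits per interface pair.
ACCESS_RESULTS = {
    ("int19", "int15"): {"tcp/22", "tcp/23", "tcp/443"},
    ("int20", "int15"): {"tcp/443"},
    ("int19", "int16"): {"tcp/80", "tcp/443"},
    ("int19", "int17"): {"tcp/139", "tcp/445"},
    ("int20", "int16"): set(),
    ("int20", "int17"): {"udp/137"},
}

# Constructed Access Checks: (name, source zone, destination zone, blocked services).
ACCESS_CHECKS = [
    ("Block Login Services", "External", "Internal", {"tcp/22", "tcp/23", "tcp/513"}),
    ("Block NetBIOS", "External", "DMZ", {"tcp/139", "tcp/445", "udp/137", "udp/138"}),
]


def interfaces_in(zone):
    return sorted(name for name, z in ZONES.items() if z == zone)


def expand_tests(check):
    """One access test per (source interface, destination interface) pair;
    2 External and 2 DMZ interfaces give the 4 tests described in the text."""
    name, src_zone, dst_zone, _ = check
    return [(name, s, d) for s, d in product(interfaces_in(src_zone), interfaces_in(dst_zone))]


def run_test(check, src, dst, exceptions=frozenset()):
    """Blocked services still permitted from src to dst after exceptions (empty = pass).
    `exceptions` holds (check name, src, dst, service) tuples, like marking a service node."""
    name, _, _, blocked = check
    permitted = ACCESS_RESULTS.get((src, dst), set())
    excepted = {svc for n, s, d, svc in exceptions if (n, s, d) == (name, src, dst)}
    return (permitted & blocked) - excepted


def violations(checks, exceptions=frozenset()):
    """Failed tests as (check name, src, dst, violating services), like the Details pane."""
    found = []
    for check in checks:
        for name, src, dst in expand_tests(check):
            still_permitted = run_test(check, src, dst, exceptions)
            if still_permitted:
                found.append((name, src, dst, sorted(still_permitted)))
    return found


def compliance_level(checks, exceptions=frozenset()):
    """(passed, total, percentage) over all tests of all checks."""
    total = sum(len(expand_tests(check)) for check in checks)
    passed = total - len(violations(checks, exceptions))
    return passed, total, round(100.0 * passed / total, 1)


if __name__ == "__main__":
    print(compliance_level(ACCESS_CHECKS))          # (3, 6, 50.0)
    login_exception = {("Block Login Services", "int19", "int15", svc) for svc in ("tcp/22", "tcp/23")}
    print(compliance_level(ACCESS_CHECKS, login_exception))  # (4, 6, 66.7)
```

Without exceptions the 6 tests yield 3 violations (50% compliant); excepting 22/TCP and 23/TCP on the int19 to int15 test makes that test pass, as in the walkthrough, and the NetBIOS findings remain.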


To edit an exception

1 In the tree, right-click main_FW > Policy Compliance and select Exceptions.

In the Exceptions dialog box, the Firewall Exceptions tab lists exceptions created for the firewall, and the Access Policy Exceptions tab lists exceptions to specific Access Checks that are relevant for this firewall.

2 Click the Access Policy Exceptions tab.

Access Policy exceptions that affect the selected firewall are listed.

3 Select an exception and click Modify.

Policy exceptions might affect multiple firewalls. Keep this in mind when you change a policy exception from a specific firewall.

4 As it is not necessary to change the exception’s properties, click Cancel in the Access Policy Exception Properties dialog box.

PCI DSS

Skybox Firewall Assurance supports Requirement 1 of PCI DSS versions 2.0 and 3.1: “Install and maintain a firewall configuration to protect cardholder data, a sensitive area within the trusted network of a company.”

Note: Version 3.1 is the default version.

Requirement 1 is preconfigured in Skybox using an Access Policy and specific zone types, so that you can use Skybox Firewall Assurance to check whether your firewalls are compliant. Public Access Policies > PCI DSS V3.1 Policy is organized using a similar structure to the hierarchy of sections in Requirement 1.

In the demo model, prod FW has been prepared for a PCI DSS firewall audit.


To view compliance with PCI DSS Requirement 1

1 In the Firewall Assurance tree, select All Firewalls > prod FW.

You can see various kinds of information about this firewall, including Access Compliance.

2 In the tree, select Access Policies > Public Access Policies > PCI DSS V3.1 Policy and expand this node.

Each policy folder and policy section in the hierarchy represents a subsection of PCI DSS Requirement 1.

3 In the tree, navigate to the All Firewalls > prod FW > Policy Compliance node.

4 Right-click the node and select PCI Firewall Compliance Report.


5 In the Report Properties dialog box, click Generate Now.

The 2nd section of the report contains a summary of the compliance of this firewall with each subsection of the requirement.

6 When you are finished, close the report window.


Chapter 6 Configuration Compliance

This chapter explains how to work with Configuration Compliance in Skybox.

In this chapter

Configuration Compliance overview ....................................... 37

Viewing Configuration Compliance for a single firewall ............. 37

Viewing Configuration Compliance for all analyzed firewalls ...... 40

Viewing an overview of Configuration Compliance ................... 42

Configuration Compliance overview

Configuration Compliance enables you to audit the platform security of your firewalls and understand weaknesses in a firewall’s configuration, for example, whether the firewall can be accessed using the default password, whether logging is enabled, and whether the management protocol is encrypted.

Configuration Compliance is analyzed by comparing a firewall’s configuration data with a Configuration Policy—a predefined policy included with Skybox or a customized policy created by your organization. Skybox displays where the configuration does not comply with the policy.

A Configuration Policy is a set of Configuration Checks for a specific type of firewall. Each Configuration Check contains a regular expression. When a firewall’s configuration data is analyzed, the Configuration Check passes only if the regular expression matches somewhere in the configuration file.

The default set of Configuration Policies checks your device files against known best practice guidelines for various platforms, including Check Point firewalls, Cisco firewalls and routers, Juniper NetScreen and Junos firewalls, Palo Alto Networks firewalls, and Fortinet FortiGate. There is 1 Configuration Policy for each type of firewall. You can customize the default Configuration Policies to suit your organization’s requirements and you can create additional policies as necessary. Each time a Configuration Policy is analyzed, all firewalls that match the policy’s scope are tested against all the Configuration Checks in that policy.
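The following Python script is an added example, not Skybox code or one of its Configuration Policies. It runs regular-expression Configuration Checks over a constructed Cisco IOS-style configuration and produces the kind of expected/actual result described in Viewing Configuration Compliance for a single firewall. Because a check passes only when its pattern is found, requirements of the form “X must be disabled” are written as positive patterns that match the compliant form. The check names, the patterns and the two configurations are assumptions made for illustration.

```python
"""Regular-expression Configuration Checks over a device configuration.

Added example, not Skybox code or a Skybox policy. A check passes only if its
regular expression is found in the configuration; the policy, the patterns
and the IOS-style sample configurations are constructed for illustration.
"""
import re

# Constructed sample with two weaknesses: plaintext passwords and Telnet on the vty lines.
SAMPLE_CONFIG = """\
hostname vlab-cisco
no service password-encryption
logging host 10.0.0.5
logging trap informational
ip ssh version 2
line vty 0 4
 transport input telnet ssh
 login local
end
"""

# The same configuration after remediation.
COMPLIANT_CONFIG = (SAMPLE_CONFIG
                    .replace("no service password-encryption", "service password-encryption")
                    .replace("transport input telnet ssh", "transport input ssh"))

# A Configuration Policy: (check name, pattern, expected configuration text).
# Patterns are anchored with ^ so that "no service password-encryption"
# cannot satisfy the password-encryption check.
CISCO_STANDARD_POLICY = [
    ("Logging to a remote host", r"^logging host \S+", "logging host <address>"),
    ("Password encryption enabled", r"^service password-encryption$", "service password-encryption"),
    ("SSH protocol version 2", r"^ip ssh version 2$", "ip ssh version 2"),
    # Multi-line: inside the vty block, transport input must be exactly ssh.
    ("SSH-only management access",
     r"^line vty \d+ \d+\n(?:^ .*\n)*? transport input ssh$", "transport input ssh"),
]


def run_configuration_policy(config, policy):
    """Return [(check name, passed, actual)]. `actual` is the matched text for a
    passed check, or the configuration lines that share the expected text's first
    word for a failed one, mimicking the expected/actual view of Result Details."""
    results = []
    for name, pattern, expected in policy:
        match = re.search(pattern, config, re.MULTILINE)
        if match:
            results.append((name, True, match.group(0).strip()))
            continue
        keyword = expected.split()[0]
        related = [line.strip() for line in config.splitlines() if keyword in line]
        results.append((name, False, "; ".join(related) or "<not found>"))
    return results


def compliance_summary(results):
    """(passed checks, total checks) for one policy on one device."""
    return sum(1 for _, passed, _ in results if passed), len(results)


if __name__ == "__main__":
    results = run_configuration_policy(SAMPLE_CONFIG, CISCO_STANDARD_POLICY)
    for name, passed, actual in results:
        print(f"{'PASS' if passed else 'FAIL'}  {name}: {actual}")
    print("compliant checks: %d of %d" % compliance_summary(results))
```

Two details matter when you write such checks: anchor patterns to the start of a line (`^` with MULTILINE), otherwise a line such as “no service password-encryption” satisfies a pattern that only looks for “service password-encryption”; and use a multi-line pattern when the requirement concerns a sub-mode block such as `line vty`, since the same keyword can appear in several blocks.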

Viewing Configuration Compliance for a single firewall

There are 2 ways to view Configuration Compliance data:

› Per firewall

› For all analyzed firewalls


To view Configuration Compliance for a single firewall

1 In the Firewall Assurance tree, select All Firewalls > vlab-cisco > Configuration Compliance.

You can see all the Configuration Checks analyzed for this firewall, and whether the firewall is compliant with them.

2 Select a failed Configuration Check in the list.

In the Details pane, you can see general information about the check. Click the Result Details tab to view information about the violation, including the expected results of the Configuration Check and the actual results of comparing the Configuration Check with the firewall’s configuration data.

Viewing vulnerabilities on a firewall

You can view vulnerability occurrences on a firewall based on the firewall’s configuration. This shows whether there are vulnerability occurrences on these devices that might expose them to attacks.


To view vulnerability occurrences on a firewall

1 In the Firewall Assurance tree, make sure that All Firewalls > vlab-cisco > Configuration Compliance is still selected.

2 Click the Vulnerability Occurrences tab.

You can see that there are a number of vulnerability occurrences on this firewall, although almost all of them are marked as inaccessible (there is no access path to them in the network model, so an attacker cannot reach them). These vulnerability occurrences were detected by the Analysis – Vulnerability Detector for Devices task, based on information in the firewall’s configuration files.


Viewing Configuration Compliance for all analyzed firewalls

To view Configuration Compliance for all analyzed firewalls

1 In the tree, expand the main Configuration Policies node.

You can see that there is a policy folder named Standard v5. This is the folder that contains all the predefined Configuration Policies. When you expand it, you can see the predefined Configuration Policies.

Each Configuration Policy applies to a specific group of firewalls. For example, there is 1 policy for Check Point firewalls and 1 for NetScreen firewalls. The firewall type is specified in the properties of each policy.

2 Select Cisco FW Standard Policy.

In the workspace, you can see a list of all the Configuration Checks in this policy, and whether or not there are violations.


3 Right-click the selected Configuration Policy and select Properties.

You can see that this policy applies to all Cisco firewalls.

4 Close the Properties dialog box.

5 Click a Configuration Check in the Table pane to see its details in the workspace.

6 Click the Analyzed Firewalls tab.

You can see a list of all the firewalls analyzed for this Configuration Check and which of these firewalls violated the Configuration Check. In the demo model, only the vlab-cisco firewall was analyzed.

In the Details pane, you can see the expected and actual results.

Exporting Configuration Compliance information

To export Configuration Compliance information for a firewall

› Right-click vlab-cisco’s Configuration Compliance node and select Export to CSV – Configuration Compliance. You can select where to save the file.


Viewing an overview of Configuration Compliance

Skybox includes an overview (dashboard) of Configuration Compliance for all (analyzed) devices and all Configuration Policies.

To view the overview

› In the tree, select Configuration Policies.

The workspace displays a dashboard of compliance, where you can see overall configuration results grouped by Configuration Policy/Configuration Check and by device.

Use the links to drill down to detailed information.


Chapter 7 Optimization and cleanup

You can use Skybox’s Optimization and Cleanup feature to help you clean up and optimize the access rules on a firewall.

› Shadowing and Redundancy is based on a logical analysis of the firewall’s ACL to find access rules that can never be reached and other access rules that you can remove without changing the behavior of the firewall.

› Rule Usage Analysis is based on firewall activity logs. It groups rules in the firewall according to the frequency of their usage.

In this chapter

Shadowed and redundant rules ............................................ 43

Rule usage analysis ............................................................. 46

Exporting data to CSV files ................................................... 50

Shadowed and redundant rules

Skybox can analyze the ACLs of firewalls to find access rules that are not used and might be unnecessary.

Shadowed rules are access rules that are never reached because their scope is completely covered by rules that are above them in the rule chain.

For example, if you have the following 2 access rules in a rule chain, it is clear that the 1st rule grants more access than the 2nd rule, so the 2nd rule is never reached by any packets:

› Rule 56: Network A to Network B on any port (any service)

› Rule 121: Network A to some locations in Network B on port 21

For shadowed rules, it does not matter whether the action of the 2 rules is the same or different. In the preceding example, the 1st rule’s action could be Deny and the 2nd rule’s action could be Allow; the 2nd rule is never reached.

Redundant rules are access rules whose scope is completely covered by rules with the same action that are below them in the rule chain, provided that no rule in between with a different action matches any of the same traffic. Removing a redundant rule does not change the access behavior of the firewall, because a packet that matches the redundant rule also matches a rule below it with the same action.

For example, if you have the following access rules in a rule chain:

› Rule 31: Development Network to All Production Application Servers on FTP port, action = Allow


› Rule 53: Development Network to Entire Organization Network on all ports, action = Allow

Rule 31 is redundant since its scope is completely covered by rule 53 and both rules have the same action (Allow).
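The following Python script is an added example, not Skybox’s algorithm. It implements the two definitions above for the case where a single rule covers another (Skybox also finds rules that are covered only by several rules together, which this example does not), and it applies the condition that no rule with a different action may intersect a redundant rule between it and the rule that covers it. Networks, services and rule numbers are constructed: rules 56/121 and 31/53 follow the two examples in the text, and rules 130/140/150 show why a Deny rule that is itself shadowed, sitting between two Allow rules, must be removed before the upper Allow rule becomes redundant.

```python
"""Shadowed and redundant rules in a rule chain.

Added example, not Skybox's algorithm. A rule is shadowed when an earlier
rule (whatever its action) contains its whole scope, and redundant when a
later rule with the same action contains it and no rule in between with a
different action intersects it. Coverage by several rules together is not
handled. Networks, services and rule numbers are constructed.
"""
from dataclasses import dataclass
import ipaddress

ANY_SVC = ("any", 0, 65535)  # (protocol, first port, last port)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    source: str       # CIDR
    destination: str  # CIDR
    service: tuple    # (protocol, first port, last port)
    action: str       # "Allow" or "Deny"


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def svc_contains(outer, inner):
    return outer[0] in ("any", inner[0]) and outer[1] <= inner[1] and inner[2] <= outer[2]


def svc_intersects(a, b):
    return ("any" in (a[0], b[0]) or a[0] == b[0]) and a[1] <= b[2] and b[1] <= a[2]


def contains(outer, inner):
    """True if `outer` covers the whole scope of `inner` in all three dimensions."""
    return (net(inner.source).subnet_of(net(outer.source))
            and net(inner.destination).subnet_of(net(outer.destination))
            and svc_contains(outer.service, inner.service))


def intersects(a, b):
    """True if some packet could match both rules."""
    return (net(a.source).overlaps(net(b.source))
            and net(a.destination).overlaps(net(b.destination))
            and svc_intersects(a.service, b.service))


def shadowed_rules(chain):
    """{shadowed rule id: id of the earlier rule that shadows it}."""
    found = {}
    for i, rule in enumerate(chain):
        for earlier in chain[:i]:
            if contains(earlier, rule):
                found[rule.rule_id] = earlier.rule_id
                break
    return found


def redundant_rules(chain):
    """{redundant rule id: id of the later same-action rule that covers it}."""
    found = {}
    for i, rule in enumerate(chain):
        for later in chain[i + 1:]:
            if later.action != rule.action:
                if intersects(later, rule):
                    break  # removing `rule` would hand some of its traffic to `later`
                continue
            if contains(later, rule):
                found[rule.rule_id] = later.rule_id
                break
    return found


NET_A, NET_B, PART_OF_B = "10.10.0.0/16", "10.20.0.0/16", "10.20.5.0/24"
DEV_NET, PROD_APP_SERVERS, ORG_NET = "10.30.0.0/16", "10.40.1.0/24", "10.0.0.0/8"
CHAIN = [
    Rule(31, DEV_NET, PROD_APP_SERVERS, ("tcp", 21, 21), "Allow"),  # FTP; covered by rule 53
    Rule(53, DEV_NET, ORG_NET, ANY_SVC, "Allow"),
    Rule(56, NET_A, NET_B, ANY_SVC, "Deny"),
    Rule(121, NET_A, PART_OF_B, ("tcp", 21, 21), "Allow"),          # never reached: rule 56
    Rule(130, "10.50.0.0/24", "10.60.0.0/24", ("tcp", 443, 443), "Allow"),
    Rule(140, "10.50.0.10/32", "10.60.0.0/24", ("tcp", 443, 443), "Deny"),  # shadowed by 130
    Rule(150, "10.50.0.0/16", "10.60.0.0/16", ("tcp", 443, 443), "Allow"),
    Rule(999, "0.0.0.0/0", "0.0.0.0/0", ANY_SVC, "Deny"),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(CHAIN))    # {121: 56, 140: 130}
    print("redundant:", redundant_rules(CHAIN))  # {31: 53}
```

Rule 130 is not reported as redundant even though rule 150 covers it with the same action, because the shadowed Deny rule 140 sits between them: removing 130 would make 140 reachable and deny traffic that 130 allows today. Remove the shadowed rule 140 first and 130 becomes redundant, which is why cleanup is best done in passes, re-running the analysis after each change.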

Working with shadowed and redundant rules

Usually, you run an Analysis – Rule Optimization Status task to obtain information about shadowed and redundant rules; for the demo model, the Analyze Firewall Shadowed Rules task has already been run.

To view shadowed rules

1 In the Firewall Assurance tree, select All Firewalls and click the Firewalls tab.

2 Look at the Shadowed Rules column to identify which firewalls have shadowed rules.

3 Click the Shadowed Rules link for main_FW.

The Table pane lists the rules in main_FW that are shadowed (that is, not reached).

4 Select rule 14.

The bottom table lists the rules that shadow (that is, contain) this rule followed by the shadowed rule.


5 Click Explain to open the Explanation View dialog box that shows the shadowed rule next to the shadowing rules in separate panes, to help you to understand how the scope of the shadowed rule is covered by the shadowing rules.

6 Click the Source node in the Shadowed Rule pane.

In the Causes Shadowing pane, you can see how the source in the shadowing rule covers (shadows) the source in the Shadowed Rule pane. The icon next to the Source in the Causes Shadowing pane means that this source (Any) completely contains the source in the shadowed rule (192.170.18.0-192.170.18.255).

Viewing redundant rules

Viewing redundant rules is similar to viewing shadowed rules. Click the Redundant Rules tab at the top of the Table pane to get started.


Rule usage analysis

In Skybox Firewall Assurance, you can use a process named rule usage analysis to streamline the optimization of access rules and to help you identify unused rules and objects.

The 1st step in this process is to collect the firewall’s activity log; for the purpose of this tutorial, this data is included in the demo model for the firewall main_FW.

To view rule usage analysis data

1 In the tree, select All Firewalls > main_FW.

You can see that the summary includes rule usage information for this firewall.

2 Next to the title of the Optimization and Cleanup pane, click the arrow to expand the pane.

You can see the following information:

• Rule Usage: Usage information about the access rules that make up this firewall in table and chart formats.

• Object Usage: Usage information about the firewall objects used in the firewall’s access rules.

3 Click the Unused Rules link.

The Rule Usage tab is displayed. The access rules are grouped by their usage types:

• Unloggable: Rules that cannot be logged. These are implicit rules and rules entered manually in Skybox.

• Contains Unused Objects: Rules that had hits, but some objects referenced in the rule had no hits.

• Used: Rules that had hits and all objects referenced in the rule had hits.

• Not Logged: Rules for which logging is disabled on the firewall.

• Unused: Rules that had no hits during the analysis period.

You can see that the value in the Hit Count column of the unused rule is 0. Rules in the Usage: Used and Usage: Contains Unused Objects groups have hit counts greater than zero.

4 Open the list of Usage: Used rules.

You can see that 2 rules have a Critical icon in the Actual Rule Usage column, and that the actual rule usage for these rules is 0.01%. The Actual Rule Usage column shows the lowest usage level among the Source, Destination, and Service fields; a very low value shows that one of those fields is far more permissive than the traffic it actually carries.

5 Select the 1st Critical rule.

In the Details pane, you can see the actual usage for the rule, split according to its dimensions (source, destination, and service).

6 Select the last entry in the table.

7 Hover your mouse over the Used Addresses/Ports field.

In the field itself, you can see that, although the definition of this rule contains Any in the Service field, only 3 ports (21/TCP, 80/TCP, and 443/TCP) are used. The tooltip shows the actual hit count and the last-used date for each port; consider narrowing the Service field of this access rule to those ports to remove unnecessary exposure.

VIEWING OBJECT USAGE

To view object usage

1 Click the Object Usage tab.

The firewall objects are grouped by their usage types and then by their object types. The usage types are:

• Unused: The object had no hits during the analysis period.

• Unused in Some Rules: The object is used in at least 1 rule and unused in at least 1 rule.

• Used: The object is used in all rules that reference it.

• Not Logged: No hit count is available for the object. This usually refers to objects that are only referenced by implicit rules and rules for which logging is disabled.

2 In the Table pane, expand Usage: Unused in Some Rules and then expand Type: FireWall-1 Group.

3 Select the 1st object. You can see information about the object in the Details pane, including how many rules reference the object and in how many rules the object is unused.

4 To display all access rules that reference the object, right-click the object and select Show Referencing Rules.

The access rules for the firewall are listed; the rules that reference the object are in bold type (rule 9).

5 Close the display of access rules.

6 To display the rules in which the object is referenced but not used (that is, the object’s hit count in that rule is zero), right-click the object and select Show Unused Rules.

The access rules for the firewall are listed; the rules that reference the object but have a hit count of zero are in bold type (rule 9).

7 Close the list of access rules.
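The rule usage and object usage groupings described in the two procedures above, as an added example written for this page (not Skybox's code, and not a vendor log format): constructed rules that reference named address and service objects, a constructed activity log, and a function that derives hit counts per rule, per object within each rule, and per port, then assigns the Usage groups listed above. The objects, rule numbers and log lines are assumptions. The per-port table is what the Used Addresses/Ports tooltip shows for a rule whose Service field is Any.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed firewall objects and rules (assumptions; not the demo model's main_FW).
ADDRESS_OBJECTS = {
    "Corp_Net": "10.0.0.0/8",
    "Partner_Net": "172.20.0.0/16",
    "Branch_Net": "192.168.100.0/24",
    "DMZ_Web": "192.170.18.0/24",
    "Mgmt_Net": "10.99.0.0/24",
}
SERVICE_OBJECTS = {"https": ("tcp", 443), "ssh": ("tcp", 22)}


@dataclass
class Rule:
    number: int
    src: List[str]        # address object names, or ["any"]
    dst: List[str]
    service: List[str]    # service object names, or ["any"]
    logging: bool = True  # False models a "Not Logged" rule


RULES = [
    Rule(7, ["Corp_Net"], ["DMZ_Web"], ["any"]),
    Rule(9, ["Corp_Net", "Partner_Net"], ["DMZ_Web"], ["https"]),
    Rule(11, ["Branch_Net"], ["DMZ_Web"], ["ssh"]),
    Rule(12, ["Mgmt_Net"], ["any"], ["any"], logging=False),
]

# Constructed activity log in a generic key=value form.
LOG_LINES = [
    "2016-01-12T09:14:03 rule=7 src=10.1.2.3 dst=192.170.18.20 proto=tcp dport=443",
    "2016-01-12T09:15:10 rule=7 src=10.1.2.9 dst=192.170.18.20 proto=tcp dport=80",
    "2016-01-13T11:02:41 rule=7 src=10.8.0.4 dst=192.170.18.21 proto=tcp dport=21",
    "2016-01-14T08:00:00 rule=7 src=10.1.2.3 dst=192.170.18.20 proto=tcp dport=443",
    "2016-01-15T17:45:12 rule=9 src=10.3.3.3 dst=192.170.18.20 proto=tcp dport=443",
    "2016-01-16T17:45:12 rule=9 src=10.3.3.4 dst=192.170.18.20 proto=tcp dport=443",
]


def parse_line(line: str) -> Dict[str, str]:
    timestamp, _, rest = line.partition(" ")
    fields = dict(item.split("=", 1) for item in rest.split())
    fields["day"] = timestamp[:10]
    return fields


def addr_hit(obj: str, addr: str) -> bool:
    return obj == "any" or ip_address(addr) in ip_network(ADDRESS_OBJECTS[obj])


def svc_hit(obj: str, proto: str, port: int) -> bool:
    return obj == "any" or SERVICE_OBJECTS[obj] == (proto, port)


def usage_report(rules: List[Rule], log_lines: List[str]) -> Dict[str, dict]:
    by_number = {r.number: r for r in rules}
    rule_hits: Dict[int, int] = defaultdict(int)
    object_hits: Dict[Tuple[int, str], int] = defaultdict(int)          # (rule, object) -> hits
    ports: Dict[int, Dict[str, Tuple[int, str]]] = defaultdict(dict)    # rule -> port -> (hits, last day)

    for line in log_lines:
        f = parse_line(line)
        number, port = int(f["rule"]), int(f["dport"])
        rule = by_number[number]
        rule_hits[number] += 1
        key = f"{f['proto']}/{port}"
        hits, last = ports[number].get(key, (0, ""))
        ports[number][key] = (hits + 1, max(last, f["day"]))
        # An object counts as used in this rule only when the logged packet actually
        # fell inside that object, not merely because the rule fired.
        for obj in rule.src:
            object_hits[(number, obj)] += addr_hit(obj, f["src"])
        for obj in rule.dst:
            object_hits[(number, obj)] += addr_hit(obj, f["dst"])
        for obj in rule.service:
            object_hits[(number, obj)] += svc_hit(obj, f["proto"], port)

    rule_usage: Dict[int, str] = {}
    for r in rules:
        objs = [o for o in r.src + r.dst + r.service if o != "any"]
        if not r.logging:
            rule_usage[r.number] = "Not Logged"
        elif rule_hits[r.number] == 0:
            rule_usage[r.number] = "Unused"
        elif any(object_hits[(r.number, o)] == 0 for o in objs):
            rule_usage[r.number] = "Contains Unused Objects"
        else:
            rule_usage[r.number] = "Used"

    object_usage: Dict[str, str] = {}
    for obj in list(ADDRESS_OBJECTS) + list(SERVICE_OBJECTS):
        logged = [r for r in rules if r.logging and obj in r.src + r.dst + r.service]
        if not logged:  # referenced only by rules without logging: no hit count exists
            object_usage[obj] = "Not Logged"
            continue
        used = sum(1 for r in logged if object_hits[(r.number, obj)] > 0)
        object_usage[obj] = ("Unused" if used == 0 else
                             "Used" if used == len(logged) else "Unused in Some Rules")

    return {"rules": rule_usage, "objects": object_usage, "ports": dict(ports)}


if __name__ == "__main__":
    report = usage_report(RULES, LOG_LINES)
    print(report["rules"])      # {7: 'Used', 9: 'Contains Unused Objects', 11: 'Unused', 12: 'Not Logged'}
    print(report["objects"])
    print(report["ports"][7])   # the ports rule 7 really carries, although its Service is Any
```

The per-object count inside each rule is the point: rule 9 fires, so a plain hit counter would call it used, but no packet ever came from Partner_Net, so that object is dead weight in the rule and the rule lands in Contains Unused Objects.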

GENERATING RULE USAGE ANALYSIS REPORTS

To generate a Rule Usage Analysis report

1 In the tree, expand the main_FW node.

2 Right-click Optimization and Cleanup and select Rule Usage Analysis Report.

You can change properties of the report in the Report Properties dialog box.

3 Set Analysis Period (by selecting Custom) so that the start date is November 6, 2015 and the end date is January 18, 2016.

4 Click Generate Now.

The report is generated and displayed in a separate window. The information in the report is a summary of the rule usage analysis information, focusing on unused rules and objects.

Exporting data to CSV files

You can export shadowed and redundant rules, and rule usage data, from Skybox to CSV files for additional analysis or processing.

To export information to a CSV file

› Right-click the firewall or firewall folder for which you want to export data and select Reports > Export to CSV – Shadowed Rules (or Reports > Export to CSV – Rule Usage Data).

Chapter 8 Change tracking

Change tracking in Skybox helps you to keep track of changes made to access rules and objects for all firewalls, including the time of the change and who made it (when available). Change tracking provides a side-by-side view of the previous and current values of all changed entities.

When you use change tracking, Skybox maintains a repository of changes so that you can review the history of access rules.

In this chapter

Using change tracking

Viewing the changes

Change Tracking reports

Using change tracking

The change tracking feature analyzes changes that occur in firewall access rules and objects over time.

To use change tracking, import firewall data on a regular basis and analyze the data for changes (using the Analyze Firewall Changes task) after each import. You can also import change events from the firewall's syslog as often as needed (even several times per hour) to keep the change tracking information current; the syslog events supply the user who made each change and its timestamp.

By selecting a specific tracking period, you can view all changes in the access rules and firewall objects that occurred during that period.

Note: For tutorial purposes, several of the firewalls in the demo model include data that you can use for change tracking.

Viewing the changes

To view changes to the firewalls

1 In the tree, select All Firewalls and look at the Summary page.

You can see that there are a number of changes on some firewalls.

2 To view a graph of the changes: next to the title of the Optimization and Cleanup pane, click the arrow to expand the pane.

You can choose to view daily, weekly, or monthly changes in the chart.

3 Click the link in the Total Changes field to see a list of all the changes.

Select a change (click on the row, but not on the link to the firewall within the row) to view additional information in the Details pane.

If the change involves an object, the Affected Access Rules tab lists all access rules affected by the changes in this object.
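The change tracking described in this chapter, as an added example written for this page (not Skybox's code): two constructed snapshots of one firewall's rules and objects as two imports would produce them, a diff that yields the previous and current value of every changed field, attribution of user and time from constructed syslog-style audit events, and the list of access rules affected by a change to an object. The snapshot contents, the audit line format and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Two constructed snapshots of one firewall (assumptions; not the demo model's data).
PREVIOUS = {
    "rules": {
        1: {"src": "Corp_Net", "dst": "DMZ_Web", "service": "https", "action": "allow"},
        2: {"src": "any", "dst": "DMZ_Web", "service": "ssh", "action": "deny"},
    },
    "objects": {
        "Corp_Net": {"type": "network", "value": "10.0.0.0/8"},
        "DMZ_Web": {"type": "network", "value": "192.170.18.0/24"},
    },
}
CURRENT = {
    "rules": {
        1: {"src": "Corp_Net", "dst": "DMZ_Web", "service": "https", "action": "allow"},
        2: {"src": "any", "dst": "DMZ_Web", "service": "ssh", "action": "allow"},   # deny -> allow
        3: {"src": "any", "dst": "any", "service": "any", "action": "allow"},       # new rule
    },
    "objects": {
        "Corp_Net": {"type": "network", "value": "10.0.0.0/8"},
        "DMZ_Web": {"type": "network", "value": "192.170.18.0/23"},                 # widened
    },
}

# Constructed syslog-style audit events (generic form, not a vendor format).
AUDIT_LINES = [
    "Jan 18 10:02:11 fw1 admin=alice entity=rule id=2 op=modify",
    "Jan 18 10:05:40 fw1 admin=alice entity=rule id=3 op=add",
    "Jan 18 11:30:02 fw1 admin=bob entity=object id=DMZ_Web op=modify",
]


@dataclass
class Change:
    kind: str                       # "rule" or "object"
    ident: object                   # rule number or object name
    change: str                     # "added", "removed" or "modified"
    fields: Dict[str, Tuple[object, object]] = field(default_factory=dict)  # field -> (previous, current)
    user: str = "unknown"
    time: str = "unknown"
    affected_rules: List[int] = field(default_factory=list)


def diff_entities(kind: str, before: dict, after: dict) -> List[Change]:
    changes = []
    for ident in sorted(set(before) | set(after), key=str):
        if ident not in before:
            changes.append(Change(kind, ident, "added", {k: (None, v) for k, v in after[ident].items()}))
        elif ident not in after:
            changes.append(Change(kind, ident, "removed", {k: (v, None) for k, v in before[ident].items()}))
        else:
            old, new = before[ident], after[ident]
            diff = {k: (old.get(k), new.get(k)) for k in set(old) | set(new) if old.get(k) != new.get(k)}
            if diff:
                changes.append(Change(kind, ident, "modified", diff))
    return changes


def parse_audit(lines: List[str]) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Map (entity kind, id) to (user, timestamp) from the audit events."""
    events = {}
    for line in lines:
        parts = line.split(" ", 4)            # month, day, time, host, key=value rest
        kv = dict(item.split("=", 1) for item in parts[4].split())
        events[(kv["entity"], kv["id"])] = (kv["admin"], " ".join(parts[:3]))
    return events


def rules_referencing(snapshots: List[dict], obj: str) -> List[int]:
    return sorted({n for snap in snapshots for n, r in snap["rules"].items()
                   if obj in (r["src"], r["dst"], r["service"])})


def track_changes(previous: dict, current: dict, audit_lines: List[str]) -> List[Change]:
    events = parse_audit(audit_lines)
    changes = (diff_entities("rule", previous["rules"], current["rules"])
               + diff_entities("object", previous["objects"], current["objects"]))
    for c in changes:
        c.user, c.time = events.get((c.kind, str(c.ident)), ("unknown", "unknown"))
        if c.kind == "object":  # the Affected Access Rules tab: every rule that uses the object
            c.affected_rules = rules_referencing([previous, current], c.ident)
    return changes


def side_by_side(change: Change) -> List[str]:
    """Render one change as the previous/current view."""
    head = f"{change.kind} {change.ident}: {change.change} by {change.user} at {change.time}"
    rows = [f"  {k:<8} {str(p):<20} -> {c}" for k, (p, c) in sorted(change.fields.items())]
    if change.affected_rules:
        rows.append(f"  affected access rules: {change.affected_rules}")
    return [head] + rows


if __name__ == "__main__":
    for change in track_changes(PREVIOUS, CURRENT, AUDIT_LINES):
        print("\n".join(side_by_side(change)))
```

Widening DMZ_Web from /24 to /23 touches rules 1 and 2 without any rule line changing, which is why an object diff has to be followed back to the rules that reference it.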

To view changes to a single firewall

1 In the Table pane, click the Changes by Firewall tab.

You can see a sorted list of firewalls in which changes were made.

2 Click the firewall that you want to examine.

Change Tracking reports

You can generate a report of the firewall changes or export the changes to a CSV file.

To generate a Change Tracking report for a firewall

1 Right-click the Change Tracking node of the PA:2020-vsys2 firewall and select Change Tracking Report.

2 Click Generate Now.

The report is displayed in PDF format in a separate window.

To export the firewall changes to a CSV file

1 Right-click the Change Tracking node of the PA:2020-vsys2 firewall and select Export to CSV – Change Tracking Data.

2 Select the location where you want the file to be saved and click OK.

Chapter 9 Rule review

Rule review in Skybox provides an overall view of a firewall's access rules in the context of all compliance categories, and lets you view and set business attributes for each rule. You can search for specific groups of rules (for example, those that include a specific object or a specific IP address range) across multiple firewalls.

You can document business attributes of each rule, including owner, business function, comment, and next review date, and search on these attributes. You can add further custom attributes required by your organization using custom fields.

In this chapter

Reviewing rules

Recertifying rules

Reviewing rules

To review access rules for a firewall

1 In the tree, select main_FW > Rule Review.

You can see all the access rules for this firewall. The table includes business information that is not visible in other displays of access rules, for example, Owner and Next Review Date.

Note: Business attributes are not imported from firewall configuration files; you must add them manually to individual rules or groups of rules.

2 Select the 1st rule in the table that has a value in the Actual Rule Usage column, and look at the Highlights tab in the Details pane.

3 In the Compliance Category area, you can see a linked summary for each category in the table that has data. Click the link in the 1st row.

The properties of the access rule are displayed with the Access Compliance violations.

4 To view information about a different compliance category, click the relevant tab in the Access Rule Properties dialog box.

Note that within the Properties dialog box, the entries in the Highlights tab do not have links.

5 Close the dialog box.

6 In the Highlights tab, expand the Business Attributes area to see the rule’s business information.

The following business attributes are available: Owner, Email, Business Function, Next Review Date, Rule Comments and Ticket ID. Administrators can define additional (custom) fields to suit your organization’s requirements.

7 To change any of the business attributes, right-click the rule in the Table pane and select Set Business Attributes.

Note: You can select multiple access rules in the Table pane and change the business attributes for all of them at once.

Recertifying rules

After reviewing an access rule, you can request that the rule be recertified. Recertification requests are created in Skybox as tickets; you track and handle them in Skybox Change Manager.

To recertify an access rule

1 Select an access rule that you want to recertify. Usually that would be a rule that you own, whose next review date is approaching.

2 Right-click the access rule and select Recertify Rule.

3 In the Workflow field, notice that Recertification is selected. This is a special workflow that is for recertification tickets.

4 If desired, specify a different owner for the ticket and make any other necessary changes.

5 Click OK.

A ticket is created for the access rule. The pop-up message about the ticket includes a link to the ticket in Skybox Change Manager.

You can see the recertification status of the access rule in the table.

You can request recertification for several access rules at the same time.

Chapter 10 Intrusion prevention systems

Skybox Firewall Assurance offers the following information about the IPS coverage of your organization:

› Overall signature coverage on Palo Alto Networks devices for new threats reported over a period of time, by threat level

› Information about signatures in prevention mode vs. detection mode, so that you can understand the actual coverage that the IPS device provides in the context of the network architecture

› Signatures (in prevention mode or detection mode) correlated against critical vulnerability occurrences in your organization, using Skybox Vulnerability Control

You can then make informed decisions about which signatures to change from detection mode to prevention mode, and which signatures to deactivate.

Information is provided per IPS-enabled device.

Viewing IPS coverage in Skybox

IPS coverage is displayed as part of the summary for each IPS-enabled firewall.

To view IPS coverage for an IPS-enabled firewall

1 In the tree, select PA-2020:vsys1 and look at the IPS pane at the bottom of the summary page.

Note: If you use a Firewall Assurance-only license, you cannot see information about vulnerability occurrences unless they are enabled.

At the top of the IPS pane, there is a link specifying how many active IPS signatures exist for this type of IPS device. The link opens the IPS Signatures dialog box, which lists all the signatures.

2 Look at the left side of the pane. Active Signatures Relative to Vulnerability Occurrences shows the total number of active signatures (in both Prevention and Detection modes) that are relevant to vulnerability occurrences in your organization. The pie chart and table classify these signatures as Prevention, Detection, or Disabled. Disabled signatures are signatures from the firewall's vendor that match a vulnerability occurrence in the model but are not activated on this device.

Click the link to Prevention in either the pie chart or the table to display a list of all the signatures active in Prevention mode on this device that are relevant to vulnerability occurrences in your organization.

For each signature, you can see its ID, status, CVE and SBV IDs, and other information.

3 The right-hand side of the IPS pane displays this device’s coverage of new threats (Vulnerability Definitions) by signature. You can change the time frame and the CVSS threshold.

Note: The IPS pane shows the coverage that the selected device provides for new threats in general. It is not specific to vulnerability occurrences that exist in your organization.

4 Click the link to Threats with Prevent Signatures in either the pie chart or the table to display a list of all the signatures in Prevention mode that are relevant to new threats.

For each threat, you can see its SBV ID, title, CVE and Bugtraq IDs, severity, and other information, as well as which IPS signature in the device covers the threat and with what type of coverage (in this case, Prevent).

Chapter 11 Access Analysis

The Access Analyzer runs on a firewall and finds all routes between the selected source and destination over the selected services. For each destination interface, you can see:

› The ports that are exposed

› The access rules that grant permission for connectivity between the source and the destination

The Access Analyzer can help you to troubleshoot connection problems quickly and to get an overview of what is accessible from each of the network interfaces of the firewall.

You can use the Access Analyzer to check access:

› Between 2 network interfaces of a firewall

› For specific source or destination IP addresses

Using the Access Analyzer

To check access between 2 network interfaces

1 Select a firewall.

2 Click the Access Analyzer button.

3 Click the Browse button next to the Source field.

4 Select the int19 interface for the source; click the arrow button to move it to the Selected Source field.

5 Select the int15 interface for the destination and move it to the destination side in the same way.

6 Click OK to close the Scope dialog box.

7 Click the Browse button next to the Services field.

You select the services to use for checking access in the Services dialog box.

8 For this tutorial, you do not need to select any services; click Cancel.

Note: When you do not select any services, Skybox analyzes access using all services.

9 Click the toolbar button that runs the analysis.

In the Analysis Results pane, you can see the network interfaces that are accessible from the selected interface.

10 Expand each network interface to see the accessible IP addresses (and their ports and services).

11 Select the ports.

In the Details pane, you can see the route for access between the network interface that you selected in the table and the selected ports of the network interface selected in the results tree.

12 On the Analysis Results toolbar, select Group by Service instead of Group by Interface.

When you expand the results, you see the same information grouped by services (ports).

13 Close the Access Analyzer.

Checking access between specific IP addresses

Checking access between specific IP addresses is similar to checking access between 2 network interfaces.

To check access between specific IP addresses

1 Select a firewall.

2 Click the Access Analyzer button.

3 Click the Browse button next to the Source field.

4 In the Source and Destination Scope dialog box, in the Use IP Ranges field of either the source or the destination, type an IP address or IP address range.

5 To check access to or from the network interface that is associated with that IP address:

a. Click Find Interfaces.

b. In the Select a Matching Network Interface dialog box, select the interface and click Select.

6 Select an interface for the other side of the analysis (source or destination) and move it to the Selected Sources field.

7 Follow the previous exercise from step 7 to the end to understand the access results.
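The first-match evaluation behind both procedures above, as an added example written for this page (not Skybox's code): for a source and destination address on a pair of interfaces, it walks every TCP and UDP port through an ordered rulebase (no services selected means all services, as the note above says), returns the exposed ports coalesced into ranges together with the rule that grants each, and groups the result by rule or by service as the Analysis Results toolbar does. The interface names follow the tutorial (int19, int15); the rules and addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    number: int
    src_if: str             # ingress interface, or "any"
    dst_if: str             # egress interface, or "any"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    proto: str              # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination port range
    action: str             # "allow" or "deny"


# Constructed rulebase (assumption, not the demo model's main_FW).
RULES = [
    Rule(1, "int19", "int15", "10.0.0.0/8", "192.170.18.0/24", "tcp", (22, 22), "deny"),
    Rule(2, "int19", "int15", "10.0.0.0/8", "192.170.18.0/24", "tcp", (1, 1024), "allow"),
    Rule(3, "int19", "int15", "any", "192.170.18.10/32", "tcp", (8443, 8443), "allow"),
    Rule(4, "int19", "int15", "any", "any", "udp", (53, 53), "allow"),
    Rule(5, "any", "any", "any", "any", "any", (1, 65535), "deny"),  # cleanup rule
]


def in_scope(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def endpoint_rules(rules: List[Rule], src_if: str, dst_if: str, src: str, dst: str) -> List[Rule]:
    """Rules whose interfaces and addresses match the query; ports are checked later."""
    return [r for r in rules
            if r.src_if in ("any", src_if) and r.dst_if in ("any", dst_if)
            and in_scope(r.src, src) and in_scope(r.dst, dst)]


def first_match(candidates: List[Rule], proto: str, port: int) -> Optional[Rule]:
    for r in candidates:
        if r.proto in ("any", proto) and r.ports[0] <= port <= r.ports[1]:
            return r
    return None  # nothing matched: implicit deny


def exposed_ports(rules: List[Rule], src_if: str, dst_if: str,
                  src: str, dst: str) -> List[Tuple[str, int, int, int]]:
    """Evaluate every TCP and UDP port first-match and return the allowed ones,
    coalesced into (proto, low, high, granting rule number) ranges."""
    candidates = endpoint_rules(rules, src_if, dst_if, src, dst)
    result = []
    for proto in ("tcp", "udp"):
        run = None  # [low, high, rule] for the range being built
        for port in range(1, 65536):
            rule = first_match(candidates, proto, port)
            granted = rule.number if rule is not None and rule.action == "allow" else None
            if run is not None and granted == run[2]:
                run[1] = port  # same granting rule on the next port: extend the range
                continue
            if run is not None:
                result.append((proto, run[0], run[1], run[2]))
            run = [port, port, granted] if granted is not None else None
        if run is not None:
            result.append((proto, run[0], run[1], run[2]))
    return result


def fmt(proto: str, low: int, high: int) -> str:
    return f"{proto}/{low}" if low == high else f"{proto}/{low}-{high}"


def group_by_rule(exposed) -> Dict[int, List[str]]:
    out: Dict[int, List[str]] = {}
    for proto, low, high, number in exposed:
        out.setdefault(number, []).append(fmt(proto, low, high))
    return out


def group_by_service(exposed) -> Dict[str, int]:
    return {fmt(proto, low, high): number for proto, low, high, number in exposed}


if __name__ == "__main__":
    found = exposed_ports(RULES, "int19", "int15", "10.1.2.3", "192.170.18.10")
    print(group_by_rule(found))     # {2: ['tcp/1-21', 'tcp/23-1024'], 3: ['tcp/8443'], 4: ['udp/53']}
    print(group_by_service(found))
    print(exposed_ports(RULES, "int15", "int19", "192.170.18.10", "10.1.2.3"))  # [] in the reverse direction
```

The deny on 22/TCP in rule 1 is why the 1-1024 range from rule 2 comes out as two ranges: the analysis reports what the rulebase actually exposes after earlier denies, not what each allow rule says on its own.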

Chapter 12 What If and Forensics models

Skybox enables advanced users to work with other models (data sets) in addition to the current (Live) model.

› What If model: Work with the same set of firewalls for what-if purposes, making changes and checking the impact.

› Forensics model: Load a backup model to see the firewalls as they were at some previous time; compare the firewalls in the Forensics model with the current versions in the Live model.

All Skybox features are available on these models, including the Access Analyzer.

Example

Copy the current model (Live) to What If, make changes (in the What If model) to the access rules of firewalls, and run the Access Analyzer to check the impact of the access rule changes. The summary of changes for a firewall is similar to that in the following screen capture.

Chapter 13 Using Skybox reports

Reports in Skybox are detailed accounts of specific data in the model (for example, Access Policy violations, firewall changes, or overdue tickets). As you saw in previous chapters, you can generate reports manually on a per-firewall basis. You can also generate reports for multiple firewalls, schedule their generation to run at specific times, and send them to specified Skybox users.

In this chapter

Reports tree

Report types

Firewall Assurance reports

Reports tree

The Reports tree is divided into a public folder and a private folder; predefined reports are in the public folder and report definitions that you create are stored in your private folder. You can add subfolders for additional grouping. For example, you can have 1 folder for all reports relating to Access Compliance of individual firewalls and another for Change Tracking or Rule Usage Analysis reports.

Report types

Skybox Firewall Assurance provides several types of reports, including:

› Firewall Assurance reports: Show the overall status of the specified firewalls, including Access Policy and Rule Policy compliance, Configuration Compliance, Optimization & Cleanup, and Change Tracking. Detailed reports cover individual aspects of the firewall status in depth.

› Access Compliance reports: Show the status of the Access Policy and provide policy-related information about specific firewalls. You can use detailed Access Policy reports to understand Access Policy violations.

› PCI Firewall Compliance reports: Demonstrate compliance of firewalls with PCI DSS Requirement 1, as you saw in PCI DSS – Firewall Compliance (on page 34).

› Rule Usage Analysis reports: Provide information about unused access rules and firewall objects, as you saw in Rule usage analysis (on page 46).

› Access Checks reports: List the Access Checks in all or part of the Access Policy.

› Firewall Changes reports: Provide a clear summary of the differences between firewalls in different models, with details about each modification and an explanation of how to bring the firewall in your baseline model to the same configuration as the firewall in your current model. They are used for change management.

Firewall Assurance reports

Firewall Assurance reports provide a complete overview of the state of firewalls in the network that you can distribute to others who do not have access to Skybox.

To generate a Firewall Assurance report

1 Open the Reports workspace.

2 Select Public Report Definitions > Firewall Compliance > Firewall Assurance Assessment.

The workspace displays the properties of the report. The Firewall Scope field is empty, so the report includes all firewalls in the network.

3 Right-click the report name and select Properties.

4 Look at the Firewall Scope field. The default firewall scope includes all firewalls in the All Firewalls list. For this tutorial, you narrow the scope to specific firewalls.

5 Click the Browse button next to the Firewall Scope field.

6 Select mainFW and vlab-cisco in the Available Items field and click the arrow button to move them to the Selected Items field.

7 Click OK.

8 Note that, by default, the report includes summary information for all aspects of firewall assurance: Access and Rule Compliance, Configuration Compliance, Optimization & Cleanup, and Change Tracking. You can select the aspects in which you are interested. For this tutorial, keep the default so that you can see how the information is presented.

9 In the Rule Usage Analysis Period and Analysis Period fields, change the value from Last 7 Days to All Available, because the data in the demo model is older than that of a real model.

10 Click Generate.

You are asked whether to generate the report in the background or in the foreground. As it can take some time to generate the report, it is often useful to generate in the background and keep working; this is not necessary in this tutorial.

11 Select Generate in the foreground and click OK.

12 After the report is ready, click the Summary: mainFW link.

The section that appears contains summary information for main_FW about the various aspects that are tested in Firewall Assurance; it is similar to what you see when you select the firewall in the All Firewalls tree.

Another way to generate this report

› You can generate Firewall Assurance reports for single folders or firewalls without switching to the Reports workspace: in the All Firewalls section of the Firewall Assurance tree right-click the main node of the firewall and select Reports > Firewall Assurance Report.