Skybox Firewall Assurance


Skybox Firewall Assurance Getting Started Guide
Revision: 11

Proprietary and Confidential to Skybox Security

Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of Skybox Security.

Skybox, Skybox Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing info@skyboxsecurity.com

Customers and partners can contact Skybox technical support via the Skybox support portal

Contents

Intended audience
How this manual is organized
Related documentation
Technical support
Overview
Skybox Firewall Assurance
How Firewall Assurance works
Highlights of Skybox Firewall Assurance
Firewall change request workflow
Basic architecture
Before you begin
Prerequisites
Starting Skybox Firewall Assurance
Summary page
Importing firewalls
Add Firewall Wizard
Adding firewalls
Viewing firewalls
Searching access rules
Rule Compliance
Overview of Rule Compliance
Working with Rule Compliance
Access Compliance
Access Compliance and Rule Compliance
What is an Access Policy?
Mapping a firewall's network interfaces to Access Policy zones
Analyzing the Access Policy
Understanding compliance metrics
Understanding what caused a violation
Creating and editing Access Policy exceptions
PCI DSS

Skybox version

Exceptions
Configuration Compliance
Configuration Compliance overview
Viewing Configuration Compliance for a single firewall
Viewing vulnerabilities on a firewall
Viewing Configuration Compliance for all analyzed firewalls
Viewing an overview of Configuration Compliance
Optimization and cleanup
Shadowed and redundant rules
Rule usage analysis
Viewing object usage
Generating Rule Usage Analysis reports
Exporting data to CSV files
Change tracking
Using change tracking
Viewing the changes
Change Tracking reports
Rule review
Reviewing rules
Recertifying rules
Firewalls with intrusion prevention systems
Viewing IPS coverage in Skybox
Access Analysis
Using the Access Analyzer
What If and Forensics models
Using Skybox reports
Reports tree
Report types
Firewall Assurance reports

Preface

Intended audience

The Skybox Firewall Assurance Getting Started Guide provides background information about what Skybox Firewall Assurance does and how it works, and explains how to get started using the product.

This Getting Started Guide is intended for use with the demo model only. To model firewalls from your organization's network and work with those firewalls, see the Skybox Firewall Assurance User's Guide.

The intended audience is anyone who wants to learn how to use Skybox Firewall Assurance.

How this manual is organized

This manual includes:

- Overview (on page 7) of Skybox Firewall Assurance
- Before you begin (on page 11), which includes:
  - Instructions for starting and logging in to Skybox
  - An overview of the GUI
  - Instructions for loading the demo model
  If you are familiar with Skybox, you can skip most of this section. However, make sure to load the Live demo model file (on page 12).
- Tutorials on:
  - Importing firewalls (on page 14)
  - Rule Compliance (on page 21): Understanding how much protection is offered by a firewall's access rules
  - Access Compliance (on page 24): Testing the firewall traffic in the demo model for compliance with predefined Access Policies that correspond to industry standards
  - Configuration Compliance (on page 38): Viewing weaknesses in firewall configurations
  - Optimization and cleanup (on page 44): Optimizing access rules on a firewall
  - Change tracking (on page 52): Viewing and managing changes in access rules and checking the results of these changes on the network
  - Access Analysis (on page 62): Understanding and troubleshooting connections between a source and a destination
  - Using Skybox reports (on page 67): Understanding the built-in reports, making changes to the properties of reports, and generating reports

Each tutorial builds on the knowledge gathered in the previous tutorial; they are intended to be used in sequence.

Note: Screen captures in this document were taken with a Skybox installation with a license for Skybox Firewall Assurance and Skybox Network Assurance. If you have a license for a single Skybox product, some screens might look slightly different.

Related documentation

The following documentation is available for Skybox Firewall Assurance:

- Skybox Firewall Assurance User's Guide

Other Skybox documentation includes:

- Skybox Installation and Administration Guide
- Skybox Reference Guide
- Skybox Developer's Guide
- Skybox Release Notes
- Skybox Change Manager User's Guide

The entire documentation set (in PDF format) is available here

You can access a comprehensive Help file from any location in the Skybox Manager by using the Help menu or by pressing F1.

Technical support

You can contact Skybox using the form on our website or by emailing info@skyboxsecurity.com

Customers and partners can contact Skybox technical support via the Skybox support portal

When opening a case, you need the following information:

- Your contact information (telephone number and address)
- Skybox version and build numbers
- Platform (Windows or Linux)
- Problem description
- Any documentation or relevant logs

You can compress logs before attaching them by using the Pack Logs tool (see Packing log files for technical support, in the Skybox Installation and Administration Guide).

Chapter 1 Overview

This chapter contains introductory information about Skybox Firewall Assurance.

In this chapter

- Skybox Firewall Assurance
- How Firewall Assurance works
- Highlights of Skybox Firewall Assurance
- Firewall change request workflow
- Basic architecture

Skybox Firewall Assurance

Skybox Security arms security professionals with the broadest platform of solutions for security operations, analytics and reporting. By integrating with more than 100 networking and security technologies that organizations are already using, the Skybox Security Suite merges data silos into a dynamic network model of your organization's attack surface, giving comprehensive visibility of public, private and hybrid IT environments. Skybox provides the context needed for informed action, combining attack vector analytics and threat-centric vulnerability intelligence to continuously assess vulnerabilities in your environment and correlate them with exploits in the wild. This makes the accurate prioritization and mitigation of imminent threats a systematic process, decreasing the attack surface and enabling swift response to exposures that truly put your organization at risk.

Skybox arms security leaders with a comprehensive cybersecurity management platform to address the security challenges of large, complex networks. The Skybox Security Suite breaks down data silos to build a dynamic network model that gives complete visibility of an organization's attack surface and the context needed for informed action across physical, multi-cloud and industrial networks. We leverage data by integrating with 120 security technologies, using analytics, automation and advanced threat intelligence from the Skybox Research Lab to continuously analyze vulnerabilities in your environment and correlate them with exploits in the wild. This makes the prioritization and mitigation of imminent threats an efficient and systematic process, decreasing the attack surface and enabling swift response to exposures that truly put your organization at risk.

Our award-winning solutions automate as much as 90 percent of manual processes and are used by the world's most security-conscious enterprises and government agencies, including Forbes Global 2000 companies. For more information visit the Skybox Security website

Firewall Assurance covers the most comprehensive list of firewall vendors, complex rulesets and virtual- and cloud-based firewalls, bringing your entire firewall estate into 1 view. With continuous monitoring of firewalls and network devices, Firewall Assurance verifies that firewalls are clean, optimized and working effectively. It extends beyond firewall rule checks, analyzing possible traffic between network zones to find hidden attack vectors, flagging unauthorized changes and finding vulnerabilities on firewalls.

- Identify security policy violations and platform vulnerabilities to reduce your attack surface
- Visualize how network traffic can flow through your firewalls to troubleshoot access issues
- Clean and optimize firewall rulesets to maintain top performance
- Manage traditional, next-generation, virtual- and cloud-based firewalls with a single consistent and efficient process

Skybox Firewall Assurance is most often used to automate firewall audits and, in addition, to test policy compliance on other types of forwarding devices.

How Firewall Assurance works

The following diagram shows the process of working with Firewall Assurance.

Highlights of Skybox Firewall Assurance

Skybox Firewall Assurance is most often used to automate firewall audits, but you can use it to test policy compliance on other types of forwarding devices, as well.

Highlights

Comprehensive detection of security threats and compliance risks
- Imports, combines and normalizes firewall data automatically from multiple vendors
- Highlights access policy violations and provides root cause analysis
- Identifies rule conflicts and misconfigurations
- Reveals vulnerabilities on firewalls

Next-generation firewall management
- Supports next-generation access and rule compliance at the user and application level
- Provides configuration analysis and reporting on intrusion prevention system (IPS) blades

Provides comprehensive visibility and real-time reporting
- Highlights the impact of firewall risks on your attack surface
- Shows the relation between firewalls and zones on an interactive map
- Reports on firewall ruleset audits and automates change tracking

- Incorporates compliance metrics and configuration analysis

Firewall optimization and cleanup
- Automates rule recertification to streamline rulesets and ensure compliance
- Monitors firewalls continuously to eliminate security gaps
- Targets redundant, hidden and obsolete rules for cleanup and optimization

Firewall change request workflow

Skybox Firewall Assurance supports firewall change management using either of 2 approaches:

- Using a workflow application: Skybox Security offers Skybox Change Manager, a web interface for use with Skybox Firewall Assurance that supports a change request workflow. You can submit change requests to permit new connectivity in the network. Network administrators can quickly find the relevant firewalls and check whether the firewalls already grant this access. Moreover, the module can check whether this request complies with your organization's network guidelines and help to plan the details of the access rule change. For additional information, see the Skybox Change Manager User's Guide.
- Using Skybox's API: If you want to build a workflow application with BMC Remedy, or another ticketing system, you can use the Skybox web service API and utilize Skybox's Access and Policy analysis, as well as extracting firewall policy information. For additional information, see the Firewall Changes API chapter in the Skybox Developer's Guide.

Basic architecture

The Skybox platform consists of a 3-tiered architecture with a centralized server (Skybox Server), data collectors (Skybox Collectors), and a user interface (Skybox Manager). Skybox can be scaled easily to suit the complexity and size of any infrastructure.

For additional information, see the Skybox architecture topic in the Skybox Installation and Administration Guide.

Chapter 2 Before you begin

This chapter contains introductory information about working with Skybox.

In this chapter

- Prerequisites
- Starting Skybox Firewall Assurance
- Summary page

Prerequisites

Skybox must be installed on your system before you can begin to work with the tutorials in this guide.

The Skybox Server must be running before you can start the Skybox Manager. If it is not running on your local machine, you need its name or IP address to connect to it.

Starting Skybox Firewall Assurance

To start Skybox Firewall Assurance

1. In the Windows system tray, right-click the Skybox icon and select Open Skybox.
2. Note that you can log in to any Skybox product at this point by clicking its icon above the User Name field. Make sure that Skybox Firewall Assurance is selected.
3. Type your user name and password. If you were not assigned a user name and password by your Skybox administrator, use the default user name skyboxview with the password skyboxview.
4. If the Server was not specified during installation or you do not want to connect to the default Server, select the desired Server or type its IP address.
5. Click Login.
6. The 1st time that you work with Skybox, click the Load demo model link in the workspace to load the demo model file. The display refreshes after the model is loaded.

Note: The demo model file includes a small model for which data has been collected and various configuration tasks have already been run.

Summary page

After the demo model loads, the All Firewalls Summary page is displayed in the workspace. This is the main page for Skybox Firewall Assurance, where you can see summaries about the various types of information that Skybox provides about your firewalls.

The page contains summary information about:

- Policy Compliance: The policy compliance level for both Access Compliance and Rule Compliance, and a link to the list of violations of the firewall ACLs
- Configuration Compliance: The security level of the firewall configurations, based on platform security checks
- Optimization and Cleanup: The number of firewalls with access rules that are candidates for cleanup, based on analysis of shadowing and redundancy, and on hit counts (from the firewall logs)
- Change Tracking: The changes made in firewall access rules; how many firewalls were changed recently, and how many rules and objects were changed

From the Summary page, you can drill down to the firewall level in whichever area interests you. Alternatively, you can view a similar summary for each firewall by selecting the firewall in the Tree pane.

Chapter 3 Importing firewalls

This chapter explains how to add firewalls and their configuration data to Skybox.

In this chapter

- Add Firewall Wizard
- Adding firewalls
- Viewing firewalls
- Searching access rules

Add Firewall Wizard

Skybox can import configurations from many types of firewalls (and other devices). You import firewalls using the Add Firewalls Wizard.

Use the wizard to:

- Connect directly to the firewall and collect its configuration data
  For this method, you must know the firewall details.
- Import saved configuration files of the firewall
  For this method, you must save copies of the necessary configuration files on your file system.

Adding firewalls

Configuration data for several devices is included in the demo model that you loaded, so there is no need to add more firewalls. However, several steps of the Add Firewalls Wizard are included in this tutorial to familiarize you with the process.

The Add Firewalls Wizard adds firewalls and their configuration data to Skybox. If there are firewalls in the Skybox model that are not listed under All Firewalls in the Firewall Assurance tree, use the wizard to add these firewalls to the tree.

To add a firewall to Skybox

1. Open the Firewall Assurance workspace.
2. On the toolbar, click.
3. In the Start screen, in the Select firewall type field, select Cisco PIX/ASA/FWSM firewall.
4. In the Select method for importing configuration field, select Import configuration files.
   The selected method specifies whether to import saved configuration files (files generated from firewall configuration data retrieved from the firewall) or retrieve configuration information directly from the firewalls.

5. Click Next.
   In the Properties screen for importing firewalls, you specify the location of the saved configuration files.
6. Click Back.
7. In the Select method for importing configuration field, select Import from Firewall and then select Default Collector as the Skybox Collector to use to collect information from the firewall.

8. Click Next.
   In the Properties screen for collecting firewalls, you specify the information that the Collector needs to access the firewall and find the correct data.
   Note: Each firewall type has different properties.
9. As the necessary firewalls are already included in the model, click Cancel at this point.

Viewing firewalls

To view the summary of a firewall

In the tree, select All Firewalls > main_fw. In the workspace, you see summary information about the firewall. You can click a link to focus on that aspect of the firewall.

Note: When a firewall is part of a firewall management system, the firewall is visible in the tree under the name of the management system. For example, All Firewalls > MgmtServer1 > Firewall1.

To view the firewall's connections in a graphical (map) format

1. At the top of the workspace (underneath the name of the firewall), click the Firewall Map link, or click on the toolbar.
   The Firewall Map window, displaying a map of the firewall's connections, opens. You can see all the network interfaces of the firewall and the networks or clouds to which they are connected. This is useful for checking that new firewalls were imported correctly.
2. Right-click the firewall icon. You can see there are various possible actions.
3. Right-click an interface icon. You can use this method to mark or change the zone of a network interface.
4. Close the Firewall Map when you are finished.

To view the access rules of a firewall

1. At the top of the workspace, click the Access Rules link.
2. Click the 3rd rule (Source = Partners Network, Destination = DMZ).
   In the Object tree (right-hand pane), you can see the firewall objects for this rule. You can expand the firewall objects to see the hierarchies of objects or double-click a firewall object to view its properties. You can double-click an access rule to see its properties.
3. By default, the source and destination are displayed using the original names that are used in the firewall object. Click Show Resolved Addresses to view them as IP address ranges.
4. Click Cancel.

Searching access rules

In addition to viewing all the access rules of a firewall, you can use Skybox's search capability to view a list of access rules that meet specified criteria. For example, you can search for access rules that:

- Contain a specific object

- Contain a specific IP address or IP address range in the source or destination, or a specific port in the services field
- Contain a specific string in the original rule text or a specific original rule ID

To search for access rules

1. In the tree, select All Firewalls.
   The context of the search depends on the element selected in the Tree pane; this search is across all firewalls.
2. In the Search area of the toolbar (on the right), make sure that Access Rule is selected in the drop-down list.
3. In the Search box, you can type an IP address or IP address range, a service port, or all or part of an object name. For this tutorial, type app1.
   This searches for the asset app1 in the Source, Destination, and Service fields of all firewalls.
4. Click.
   All access rules containing app1 are listed in the search results.
   Note: Skybox determines the fields to be checked by examining the format of the search string. Only relevant fields are checked for matches.
5. In the Search box, click to clear the previous search results.
6. Click to expand the search definition area.
   You can see that there are various ways to refine the search, including searching only in specific fields or changing the scope.
7. In the Search By area, select Advanced Search.
8. In the Source box, type app1.
9. Click.
   This time, the search results list only access rules that contain app1 in their Source field, not in the Destination.

Chapter 4 Rule Compliance

This chapter explains working with Rule Compliance in Skybox.

In this chapter

- Overview of Rule Compliance
- Working with Rule Compliance

Overview of Rule Compliance

Skybox analyzes Rule Compliance by checking firewall access rules against a Rule Policy, that is, a set of best practice guidelines. Skybox checks the access rules of each firewall for compliance with the Rule Policy and shows which access rules violate the policy.

Rule Compliance analysis provides a starting point for understanding how much protection is offered by a firewall's access rules. You can find more accurate information using Skybox's Access Policy analysis, which checks traffic in the firewall against an Access Policy, but this requires additional configuration on your part, including the selection of an Access Policy (NIST, PCI DSS, or custom) and mapping firewall interfaces to zones. For this reason, we recommend Rule Compliance analysis as a 1st step.

Skybox includes a predefined Rule Policy. The predefined Rule Policy includes standard best practice Rule Checks. For example:

- Rules must not have Any in the destination, source, or service
- Rules must not have too many IP addresses in the destination or source

Some Rule Checks relate to missing access rules or to the interaction between access rules. For example:

- The ACL is missing an explicit Any-Any Deny rule
- There are bidirectional rules (that is, 2 rules with opposite source and destination but with the same service) in the ACL

You can:

- Control the set of Rule Checks to be applied to the firewalls by enabling and disabling checks, changing their severity, and modifying their properties
- Create custom Rule Checks as necessary
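The four example Rule Checks listed above can be expressed as syntactic checks over a normalized ACL. The following is an added example, not Skybox code or its Rule Policy: the Rule fields, the check names, the 65536-address threshold, and both sample ACLs are constructed for illustration, and applying the per-rule checks to permit rules only is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"
MAX_ADDRESSES = 65536  # assumed limit for the "too many IP addresses" check


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str        # "permit" or "deny"
    source: str        # "any" or a CIDR block
    destination: str   # "any" or a CIDR block
    service: str       # "any" or "proto/port", for example "tcp/443"


def check_acl(rules):
    """Return a list of (check_name, rule_ids) violations for one ACL."""
    violations = []
    permits = [r for r in rules if r.action == "permit"]

    for r in permits:
        # Check: rules must not have Any in the destination, source, or service.
        if ANY in (r.source, r.destination, r.service):
            violations.append(("any_in_field", (r.rule_id,)))
        # Check: rules must not have too many addresses in source or destination.
        for field in (r.source, r.destination):
            if field != ANY and ip_network(field).num_addresses > MAX_ADDRESSES:
                violations.append(("too_many_addresses", (r.rule_id,)))
                break

    # Check: bidirectional rules (opposite source and destination, same service).
    for i, a in enumerate(permits):
        for b in permits[i + 1:]:
            if (a.source, a.destination, a.service) == (
                b.destination, b.source, b.service
            ):
                violations.append(("bidirectional", (a.rule_id, b.rule_id)))

    # Check: the ACL must contain an explicit Any-Any Deny rule.
    has_explicit_deny = any(
        r.action == "deny" and (r.source, r.destination, r.service) == (ANY, ANY, ANY)
        for r in rules
    )
    if not has_explicit_deny:
        violations.append(("missing_explicit_deny", ()))
    return violations


# Constructed sample ACL that trips every check once.
SAMPLE_ACL = [
    Rule(1, "permit", "10.1.0.0/24", "192.0.2.10/32", "tcp/443"),
    Rule(2, "permit", ANY, "192.0.2.10/32", "tcp/80"),             # Any in source
    Rule(3, "permit", "10.0.0.0/8", "192.0.2.0/24", "tcp/22"),     # /8 source
    Rule(4, "permit", "192.0.2.10/32", "10.1.0.0/24", "tcp/443"),  # mirror of rule 1
]

# The same ACL after cleanup: narrowed sources, mirror rule removed, deny added.
CLEANED_ACL = [
    Rule(1, "permit", "10.1.0.0/24", "192.0.2.10/32", "tcp/443"),
    Rule(2, "permit", "198.51.100.0/24", "192.0.2.10/32", "tcp/80"),
    Rule(3, "permit", "10.1.0.0/24", "192.0.2.0/24", "tcp/22"),
    Rule(4, "deny", ANY, ANY, ANY),
]

if __name__ == "__main__":
    for name, acl in (("sample", SAMPLE_ACL), ("cleaned", CLEANED_ACL)):
        print(name, check_acl(acl))
```

These checks look only at the text of each rule, so they cannot tell whether an earlier rule already blocks the traffic that a flagged rule appears to permit.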

Working with Rule Compliance

Rule Compliance is analyzed automatically after firewalls are imported via the wizard.

To view Rule Compliance

1. In the tree, select a firewall.
2. Look at the Rule Compliance pane.
   You can see whether the firewall is compliant with the Rule Policy and how many access rules violated the Rule Policy.
3. Click Rule Compliance.
   You can see the Rule Checks applied to the firewall and their pass/fail status. The Violating Rules column shows how many access rules violated each check.
4. Click the Violating Rules tab at the top of the table.
   You can see all the violating access rules for this firewall, including those that violated the Access Policy.

Exporting Rule Compliance information

To export Rule Compliance information for a firewall

Right-click the firewall's Policy Compliance node and select Export to CSV Rule Compliance.

Irrelevant Rule Checks

Some Rule Checks might not be relevant for all firewalls. You can disable any Rule Check for a specific firewall by right-clicking it and selecting Disable Rule Check in this Firewall.

Analyzing Rule Compliance after firewall updates

When you import a firewall using the wizard (as explained in Firewall import (on page 14)), Rule Compliance is automatically analyzed. When firewalls are updated using Skybox tasks, use an Analysis Policy Compliance task to analyze Rule Compliance.

Note: If a firewall was not analyzed for some reason or if you accidentally cleared the compliance results, reanalyze compliance (right-click the Policy Compliance node of the firewall and select Analyze Compliance).

Chapter 5 Access Compliance

Skybox offers the most advanced and effective Access Compliance to verify that your firewall ACLs are well configured. This chapter explains how to test firewall traffic for compliance with predefined Access Policies that correspond to industry standards. The result is compliance metrics for each firewall, a list of violations of the selected Access Policy, and a list of access rules that should be fixed.

In this chapter

- Access Compliance and Rule Compliance
- What is an Access Policy?
- Mapping a firewall's network interfaces to Access Policy zones
- Analyzing the Access Policy
- Understanding compliance metrics
- Understanding what caused a violation
- Creating and editing Access Policy exceptions
- PCI DSS

Access Compliance and Rule Compliance

When Skybox analyzes Rule Compliance, it uses syntactic checks (string comparison) to check whether a firewall's access rules obey simple best practice guidelines (for example, No Risky Ports and Any in 2 fields). In the Rule Compliance chapter (on page 21), you saw how Skybox displays Rule Compliance.

When Skybox analyzes Access Compliance, it checks whether traffic can pass through the firewall, taking all the firewall's access rules into consideration. In this chapter, you see how Skybox displays Access Compliance.

What is an Access Policy?

An Access Policy is a set of rules (Access Checks) defining the constraints on the traffic permitted by a firewall protecting the network. These rules verify that access permitted by the firewall does not violate the policy established by your organization: best practice, regulatory, or customized organizational policy. Skybox includes a predefined Access Policy for NIST guidelines and another for PCI DSS guidelines (Requirement 1 of PCI DSS).

To view the Access Policies

1. In the tree, expand the Access Policies node.
   There are separate Access Policies for NIST and PCI.
2. Expand the NIST Policy > NIST External Access folder.
   This folder is divided into policy sections: NIST-External to External, NIST-External to Partner, NIST-External to DMZ, and NIST-External to Internal. Each policy section specifies the desired access relationship between 2 specific zones.
3. When you expand these policy sections, you can see the Access Checks in each section.

   Some Access Checks in different policy sections have similar names because they test the same type of access but between different areas or zones in the network. For example, in the External to DMZ policy section, the Block Trojan and Worm Ports Access Check tests that there is no access to Trojan and worm ports in the DMZ from external servers; in the External to Internal policy section, the Access Check with the same name tests that there is no access to Trojan and worm ports in the internal servers from the external servers.
4. Expand the PCI DSS Access Policy.
   Each subfolder defines how to test compliance for a section of the PCI DSS policy.

Customizing the Access Policies

The predefined Access Policies include a policy for NIST and other industry-wide best practice guidelines and another policy for PCI DSS. However, most organizations have additional best practice guidelines of their own. You can add these guidelines to the appropriate Access Policy in the form of custom Access Checks and custom zones, or create a separate Access Policy. You can modify or disable individual Access Checks as needed.

Mapping a firewall's network interfaces to Access Policy zones

You can apply an Access Policy to a firewall by selecting the Access Policy and then mapping the firewall's network interfaces to the zones used in that policy. A zone is a way of grouping network interfaces that have the same trust level. For example, map the network interface of a firewall that leads to the DMZ network to the DMZ zone and map network interfaces leading to the internet and other external networks to the External zone. You can then check compliance of this firewall with the selected Access Policy.

To check whether your firewall is compliant with the NIST or PCI DSS Access Policy, you must select the Access Policy to use, and then map each network interface of the firewall to the relevant zone.

You can see the network to which each interface is mapped in the firewall map, which can help you to understand which network interfaces map to which zones.

To select an Access Policy and map zones for a firewall

1. In the Firewall Assurance tree, right-click the All Firewalls > main_fw > Policy Compliance node and select Manage Access Policy.
2. In the Manage Access Policy dialog box, select the Access Policy named NIST & Application.
3. To change the zone of a network interface, select int18 and click Mark as Zone.
   The Mark as zone dialog box is where you change or add the zone type. (The zone name is optional.)
4. Click Cancel.
5. To check traffic to or from a network interface, click Access from Interface or Access to Interface.
   For information about these results, see Access Analysis (on page 62).
6. Click OK.

Note: After you select the Access Policy for a firewall, you can either map the network interfaces to zones in this dialog box or using the firewall map.

Analyzing the Access Policy

After all network interfaces are classified into zones, analyzing the Access Policies applies the best practice rules to existing firewalls, to analyze access and check for compliance with the rules.

You can analyze all or part of the Access Policy. For example:

- A specific firewall (that is, analyze only Access Checks that apply to the selected firewall)
- A specific folder or policy section (for example, only Access Checks that check for access between the External and DMZ zones), for all firewalls in the scope
- A specific Access Check

Analyzing compliance

To analyze compliance (for all firewalls)

1. In the Tree pane, select All Firewalls.
2. On the toolbar, click.

Note: This action analyzes the firewalls for all types of compliance (Access Compliance, Configuration Compliance, and Rule Compliance), change tracking, and shadowed and redundant rules.

Understanding compliance metrics

After the Access Policy is analyzed for a firewall, there is a short summary of the results in the Summary page of the firewall, including how much the firewall complies with the Access Policy and its sections.

1. With main_fw selected in the tree, look at the workspace.
   The summary of policy compliance lists the compliance metrics for this firewall.

2. Click the Violating Rules link to view the firewall's access rules that caused the violations.
   Look in the Access Policy Violations column to view the number of Access Policy violations per access rule. The Details pane lists data about the access rule selected in the Table pane.
3. Click a specific access rule in the Table pane.
   The view switches to show the violations caused by the selected access rule, including the violated policy section and Access Check. These violations are failed implementations of the NIST policy on main_fw, listing what was tested (and failed).
4. The Rule Details tab displays detailed information about the selected access rule, including firewall objects.

After you see why an access rule is causing violations, you can decide how to fix it. For example, you could change a rule that permits access on all services to permit access on specific services only.

Access Compliance by policy sections

Sometimes it is useful to view the violations according to the policy sections that they violate. In this way, you get an overall idea of which connections in this firewall are causing the most problems.

1. In the tree, reselect main_fw > Policy Compliance.
2. In the Table pane, click the Access Compliance tab. You can see a list of the policy sections with their source, destination, and the number of violations of each criticality level.
3. Select an Access Policy section and click the All Tests tab of the Details pane to see a list of tests that checked compliance.

Skybox verifies compliance of the firewall to the Access Policy by running access tests: tests that analyze access between the network interfaces (zones) of the firewall according to the rules specified in the Access Policy. Each test analyzes a specific Access Check between 2 interfaces. For example, an Access Check that makes sure that NetBIOS access is blocked from External zones to DMZ zones has separate tests for each External interface to each DMZ interface. If there are 2 interfaces marked External Zone and 2 interfaces marked DMZ Zone, there are a total of 4 access tests: 1 test for each combination of source (External) and destination (DMZ) interfaces.

If all the tests passed successfully, the firewall is considered 100% compliant. Tests that fail are violations. The compliance level is the percentage of successful tests relative to the total number of tests.

Understanding what caused a violation

This section explains how to view access information for violations. When you understand what caused the violation, you can try to work out an appropriate solution.

To view access information for a violation

1. On the toolbar, click to view the list of policy sections.
2. Click NIST-External to Internal. You can see that for this policy section, there is 1 violating access rule. In the Details pane, you see that this access rule has 3 violations.

3. Click the violating rule's link in the Table pane. The Table pane lists the violations for this policy section. The Details pane contains information about the 1st violation, with the Details tab displayed. You can see that the name of the rule is Block Login Services and that this is a critical violation. The access test failed because access exists between the External interface (int19) and the Internal interface (int15), but the Access Check specifies that login services between network zones of different security levels must not be permitted.
4. Click to display all the tabs in the Details pane.
5. Click the Access Results tab to view the access between the source and the destination.
6. In the tree, expand the int15 network interface and select the lowest-level node. You can see that the access to the IP address range is via the service (port) 22-23/TCP.

Creating and editing Access Policy exceptions

Exceptions are a way to fine-tune the Access Policy according to actual practices or requirements of your organization. Sometimes, specific entities in a location or zone that you are testing have different access permissions from the rest of the entities in that location or zone. You can mark these entities as exceptions to the Access Check so that they are not tested or you can create exceptions for specific access rules.

In our example, it was realized that access over 22-23/TCP between the internet and internal networks does not violate your organization's Access Policy; mark it as an exception.

To mark exceptions

1. In the Access Results tree, select the 22-23/TCP node and click.
2. Click OK.

As this is the only service that violated the Access Check in this access test, the test no longer violates the Access Policy and a green compliance indicator is displayed next to the ID of the test.

You can view and edit exceptions.
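The per-interface-pair access tests, the compliance level and the effect of marking 22-23/TCP as an exception can be reproduced with a small model. This Python sketch is an added example, not Skybox code: int20, int16, the reachable ports and the port set of the check are constructed, and all function and class names are hypothetical; only int19, int15, 22-23/TCP and the Block Login Services name come from the tutorial.

```python
from dataclasses import dataclass
from itertools import product

# Constructed interface-to-zone mapping (int19 and int15 as in the tutorial).
ZONES = {"int19": "External", "int20": "External",
         "int15": "Internal", "int16": "Internal"}

# Constructed access results: TCP ports reachable from source to destination interface.
ACCESS = {
    ("int19", "int15"): {22, 23, 443},
    ("int19", "int16"): {443},
    ("int20", "int15"): {443},
    ("int20", "int16"): {80, 443},
}

@dataclass(frozen=True)
class AccessCheck:
    name: str
    src_zone: str
    dst_zone: str
    blocked_ports: frozenset   # ports that must not be reachable

@dataclass
class AccessTest:
    check: str
    src_if: str
    dst_if: str
    violating_ports: set

    @property
    def passed(self):
        return not self.violating_ports

# Assumption: the check is modelled as "ports 22 and 23 must be blocked".
BLOCK_LOGIN = AccessCheck("Block Login Services", "External", "Internal",
                          frozenset({22, 23}))

def run_access_tests(check, zones, access, exceptions=frozenset()):
    """Run one test per (source interface, destination interface) combination.

    exceptions holds (src_if, dst_if, port) tuples that are excluded from testing.
    """
    sources = sorted(i for i, z in zones.items() if z == check.src_zone)
    dests = sorted(i for i, z in zones.items() if z == check.dst_zone)
    tests = []
    for src, dst in product(sources, dests):
        reachable = access.get((src, dst), set())
        bad = {p for p in reachable & check.blocked_ports
               if (src, dst, p) not in exceptions}
        tests.append(AccessTest(check.name, src, dst, bad))
    return tests

def compliance_level(tests):
    """Percentage of successful tests relative to the total number of tests."""
    return 100.0 * sum(t.passed for t in tests) / len(tests)

if __name__ == "__main__":
    before = run_access_tests(BLOCK_LOGIN, ZONES, ACCESS)
    print(len(before), "tests,", compliance_level(before), "% compliant")
    for t in before:
        if not t.passed:
            print("violation:", t.src_if, "->", t.dst_if, sorted(t.violating_ports))
    exc = {("int19", "int15", 22), ("int19", "int15", 23)}
    after = run_access_tests(BLOCK_LOGIN, ZONES, ACCESS, exc)
    print("with exception:", compliance_level(after), "% compliant")
```

An exception that covers only part of the violating service leaves the test failed, so the scope of an exception should match exactly what was approved.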

To edit an exception

1. In the tree, right-click main_fw > Policy Compliance and select Exceptions. In the Exceptions dialog box, the Firewall Exceptions tab lists exceptions created for the firewall, and the Access Policy Exceptions tab lists exceptions to specific Access Checks that are relevant for this firewall.
2. Click the Access Policy Exceptions tab. Access Policy exceptions that affect the selected firewall are listed.
3. Select an exception and click Modify. Policy exceptions might affect multiple firewalls. Keep this in mind when you change a policy exception from a specific firewall.
4. As it is not necessary to change the exception's properties, click Cancel in the Access Policy Exception Properties dialog box.

PCI DSS

Skybox Firewall Assurance supports Requirement 1 of PCI DSS: Install and maintain a firewall configuration to protect cardholder data, a sensitive area within the trusted network of a company.

Requirement 1 is preconfigured in Skybox using an Access Policy and specific zone types, so that you can use Skybox Firewall Assurance to check whether your firewalls are compliant. Public Access Policies > PCI DSS V3.x Policy is organized using a similar structure to the hierarchy of sections in Requirement 1.

In the demo model, prod FW was prepared for a PCI DSS firewall audit.

To view compliance with PCI DSS Requirement 1

1. In the Firewall Assurance tree, select All Firewalls > prod FW. You can see various kinds of information about this firewall, including Access Compliance.
2. In the tree, select Access Policies > Public Access Policies > PCI DSS V3.x Policy and expand this node. Each policy folder and policy section in the hierarchy represents a subsection of PCI DSS Requirement 1.
3. In the tree, navigate to the All Firewalls > prod FW > Policy Compliance node.
4. Right-click the node and select PCI Firewall Compliance Report.

5. In the Report Properties dialog box, click Generate Now. The 2nd section of the report contains a summary of the compliance of this firewall with each subsection of the requirement.
6. When you are finished, close the report window.

Chapter 6 Exceptions

Exceptions are a way to fine-tune the Access Policy according to actual practices or requirements of your organization. Sometimes, specific entities in a location or zone that you are testing have different access permissions from the rest of the entities in that location or zone. You can mark these entities as exceptions to the Access Check so that they are not tested or you can create exceptions for specific access rules.

Chapter 7 Configuration Compliance

This chapter explains working with Configuration Compliance in Skybox.

In this chapter
- Configuration Compliance overview
- Viewing Configuration Compliance for a single firewall
- Viewing Configuration Compliance for all analyzed firewalls
- Viewing an overview of Configuration Compliance

Configuration Compliance overview

Configuration Compliance enables you to audit the platform security of your firewalls and understand weaknesses in a firewall's configuration (for example, whether the firewall can be accessed using the default password, whether logging is enabled, and whether the management protocol is encrypted).

Configuration Compliance is analyzed by comparing a firewall's configuration data with a Configuration Policy: a predefined policy included with Skybox or a customized policy created by your organization. Skybox displays where the configuration does not comply with the policy.

A Configuration Policy is a set of Configuration Checks for a specific type of firewall. Each Configuration Check contains a regular expression. When a firewall's configuration data is analyzed, the Configuration Check passes only if the regular expression is found in the configuration file.

The default set of Configuration Policies (Standard) checks your device files against known best practice guidelines for various platforms, including Check Point firewalls, Cisco firewalls and routers, Juniper NetScreen and Junos firewalls, Palo Alto Networks firewalls, and Fortinet FortiGate firewalls. There is one Configuration Policy for each type of firewall. You can customize the default Configuration Policies to suit your organization's requirements and you can create additional policies as necessary.

Each time a Configuration Policy is analyzed, all firewalls that match the policy's scope are tested against all the Configuration Checks in that policy.
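Because a Configuration Check passes whenever its regular expression is found anywhere in the configuration file, an unanchored pattern can pass on a line that disables the very setting being checked. The following Python sketch is an added example, not Skybox code or one of its predefined checks: the check names, patterns and the ASA-style configuration text are constructed for illustration.

```python
import re
from typing import NamedTuple

class ConfigCheck(NamedTuple):
    name: str
    pattern: str   # the check passes only if this regex is found in the config

# Constructed ASA-style configuration, for illustration only.
SAMPLE_CONFIG = """\
hostname vlab-fw
no logging enable
logging buffered informational
ssh version 2
ssh 10.1.1.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
"""

# Hypothetical checks written for this example.
CHECKS = [
    # Unanchored: also found inside "no logging enable", so it passes wrongly.
    ConfigCheck("Logging enabled (naive)", r"logging enable"),
    # Anchored to a whole line: only the positive command satisfies it.
    ConfigCheck("Logging enabled (anchored)", r"^logging enable[ \t]*$"),
    ConfigCheck("SSH version 2 configured", r"^ssh version 2[ \t]*$"),
    # "Must be absent" expressed under found-means-pass semantics: the pattern
    # is found (empty match at the start) only if no line starts with "telnet".
    ConfigCheck("Telnet management absent", r"\A(?![\s\S]*^telnet\s)"),
]

def run_checks(config, checks):
    """Return {check name: (passed, matching line or None)}."""
    results = {}
    for check in checks:
        match = re.search(check.pattern, config, re.MULTILINE)
        line = None
        if match and match.group(0):
            # Recover the full line containing the match as the "actual result".
            start = config.rfind("\n", 0, match.start()) + 1
            end = config.find("\n", match.start())
            line = config[start:end if end != -1 else len(config)]
        results[check.name] = (match is not None, line)
    return results

if __name__ == "__main__":
    for name, (passed, line) in run_checks(SAMPLE_CONFIG, CHECKS).items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}  evidence={line!r}")
```

When customizing checks, review the matched line for every passing check at least once; a pass whose evidence is a negated command indicates a pattern that needs anchoring.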
There is also an additional set of Configuration Policies for those whose companies must comply with STIG standards.

Viewing Configuration Compliance for a single firewall

There are 2 ways to view Configuration Compliance data:

- Per firewall
- For all analyzed firewalls

To view Configuration Compliance for a single firewall

1. In the Firewall Assurance tree, select All Firewalls > vlab-cisco > Configuration Compliance. You can see all the Configuration Checks analyzed for this firewall, and whether the firewall is compliant with them.
2. Select a failed Configuration Check in the list. In the Details pane, you can see general information about the check. Click the Result Details tab to view information about the violation, including the expected results of the Configuration Check and the actual results of comparing the Configuration Check with the firewall's configuration data.

VIEWING VULNERABILITIES ON A FIREWALL

You can view vulnerability occurrences on a firewall based on the firewall's configuration. This shows if there are vulnerability occurrences on these devices that might expose them to attacks.

To view vulnerability occurrences on a firewall

1. In the Firewall Assurance tree, make sure that All Firewalls > vlab-cisco > Configuration Compliance is still selected.
2. Click the Vulnerability Occurrences tab. You can see that there are multiple vulnerability occurrences on this firewall, although most of them are marked as inaccessible (they cannot be used by an attacker).

These vulnerability occurrences were detected by the Analysis Vulnerability Detector for Devices task, based on information in the firewall's configuration files.

Viewing Configuration Compliance for all analyzed firewalls

To view Configuration Compliance for all analyzed firewalls

1. In the tree, expand the main Configuration Policies node. You can see that there is a policy folder named Standard v9. This is the folder that contains all the standard predefined Configuration Policies. When you expand it, you can see all its Configuration Policies. Each Configuration Policy applies to a specific group of firewalls. For example, there is a policy for Check Point firewalls and a policy for NetScreen firewalls. The firewall type is specified in the properties of each policy.
2. Select Cisco FW Standard Policy. In the workspace, you can see a list of all the Configuration Checks in this policy, and whether there are violations.

3. Right-click Cisco FW Standard Policy and select Properties. You can see that this policy applies to all Cisco firewalls.
4. Close the Properties dialog box.
5. Click a Configuration Check in the Table pane to see its details in the workspace.
6. Click the Analyzed Firewalls tab. You can see a list of all the firewalls analyzed for this Configuration Check and which of these firewalls violated the Configuration Check. In the demo model, only the vlab-cisco firewall was analyzed. In the Details pane, you can see the expected and actual results.

Exporting Configuration Compliance information

To export Configuration Compliance information for a firewall

Right-click vlab-cisco's Configuration Compliance node and select Export to CSV Configuration Compliance. You can select where to save the file.

Viewing an overview of Configuration Compliance

Skybox includes an overview (dashboard) of Configuration Compliance for all analyzed devices and all Configuration Policies.

To view the overview

In the tree, select Configuration Policies. The workspace displays a dashboard of compliance, where you can see overall configuration results grouped by Configuration Policy/Configuration Check and by device. Use the links to drill down to detailed information.

Chapter 8 Optimization and cleanup

Use Skybox's Optimization and Cleanup feature to help you to clean up and optimize access rules on a firewall.

- Shadowing and Redundancy is based on a logical analysis of the firewall's ACL to find access rules that can never be reached and other access rules that you can delete without changing the behavior of the firewall.
- Rule Usage Analysis is based on firewall activity logs. It groups rules in the firewall according to the frequency of their usage.

In this chapter
- Shadowed and redundant rules
- Rule usage analysis
- Exporting data to CSV files

Shadowed and redundant rules

Skybox can analyze the ACLs of firewalls to find access rules that are not used and might be unnecessary.

Shadowed rules are access rules that are never reached because their scope is completely covered by rules that are above them in the rule chain. For example, if you have the following 2 access rules in a rule chain, it is clear that the 1st rule grants more access than the 2nd rule, so the 2nd rule is never reached by any packets:

- Rule 56: Network A to Network B on any port (any service)
- Rule 121: Network A to some locations in Network B on port 21

For shadowed rules, it does not matter whether the action of the 2 rules is the same or different. In the preceding example, the 1st rule's action could be Deny and the 2nd rule's action could be Allow; the 2nd rule is never reached.

Redundant rules are access rules whose scope is completely covered by rules with the same action that are below them in the rule chain. Deleting a redundant rule does not change the access behavior of the firewall, because a packet that matches the redundant rule also matches a rule below it with the same action. For example, if you have the following access rules in a rule chain:

- Rule 31: Development Network to All Production Application Servers on FTP port, action = Allow

- Rule 53: Development Network to Entire Organization Network on all ports, action = Allow

Rule 31 is redundant since its scope is completely covered by rule 53 and both rules have the same action (Allow).

Working with shadowed and redundant rules

Usually, you run an Analysis Rule Optimization Status task to obtain information about shadowed and redundant rules; the Analyze Firewall Shadowed Rules task has been run for the demo model.

To view shadowed rules

1. In the Firewall Assurance tree, select All Firewalls and click the Firewalls tab.
2. Look at the Shadowed Rules column to identify which firewalls have shadowed rules.
3. Click the Shadowed Rules link for main_fw. The Table pane lists the rules in main_fw that are shadowed (that is, not reached).
4. Select rule 14. The bottom table lists the rules that shadow (that is, contain) this rule followed by the shadowed rule.

5. Click Explain to open the Explanation View dialog box that shows the shadowed rule next to the shadowing rules in separate panes, to help you to understand how the scope of the shadowed rule is covered by the shadowing rules.
6. Click the Source node in the Shadowed Rule pane. In the Causes Shadowing pane, you can see how the source in the shadowing rule covers (shadows) the source in the Shadowed Rule pane. The icon next to the Source in the Causes Shadowing pane means that this source (Any) completely contains the source in the shadowed rule ( ).

Viewing redundant rules

Viewing redundant rules is similar to viewing shadowed rules. Click the Redundant Rules tab at the top of the table pane to get started.
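The shadowing and redundancy definitions in this chapter can be checked mechanically on an ordered rule chain. The following Python sketch is an added example, not Skybox's algorithm: it goes beyond the two-rule cases in the text by handling coverage by several rules together, and it treats a rule as redundant only if no differently-actioned rule would catch its packets first. All addresses are constructed; rule numbers 31, 53, 56 and 121 mirror the examples above, and rules 70 to 72 are added.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR
    ports: tuple  # inclusive (low, high) port range
    action: str   # "Allow" or "Deny"

    def box(self):
        """Scope as three inclusive integer intervals: source, destination, port."""
        s, d = ipaddress.ip_network(self.src), ipaddress.ip_network(self.dst)
        return ((int(s[0]), int(s[-1])), (int(d[0]), int(d[-1])), self.ports)

def intersect(a, b):
    """Intersection of two boxes, or None if they are disjoint."""
    out = tuple((max(x[0], y[0]), min(x[1], y[1])) for x, y in zip(a, b))
    return out if all(lo <= hi for lo, hi in out) else None

def subtract(a, b):
    """Parts of box a that box b does not cover, as a list of disjoint boxes."""
    common = intersect(a, b)
    if common is None:
        return [a]
    pieces, rest = [], list(a)
    for dim, ((lo, hi), (clo, chi)) in enumerate(zip(a, common)):
        if lo < clo:
            pieces.append(tuple(rest[:dim]) + ((lo, clo - 1),) + a[dim + 1:])
        if chi < hi:
            pieces.append(tuple(rest[:dim]) + ((chi + 1, hi),) + a[dim + 1:])
        rest[dim] = (clo, chi)
    return pieces

def uncovered(boxes, cover):
    return [piece for b in boxes for piece in subtract(b, cover)]

def analyze(chain):
    """Return {rule_id: "shadowed" | "redundant" | "needed"} for an ordered chain."""
    verdict = {}
    for i, rule in enumerate(chain):
        live = [rule.box()]                 # packets that can still reach this rule
        for above in chain[:i]:
            live = uncovered(live, above.box())
        if not live:
            verdict[rule.rule_id] = "shadowed"
            continue
        verdict[rule.rule_id] = "needed"
        for below in chain[i + 1:]:
            hit = any(intersect(b, below.box()) for b in live)
            if hit and below.action != rule.action:
                break                       # deleting the rule would change an action
            live = uncovered(live, below.box())
            if not live:
                verdict[rule.rule_id] = "redundant"
                break
    return verdict

ANY = (0, 65535)
# Constructed chain, listed in evaluation order.
CHAIN = [
    Rule(31, "172.16.10.0/24", "172.20.1.0/24", (21, 21), "Allow"),
    Rule(53, "172.16.10.0/24", "172.16.0.0/12", ANY, "Allow"),
    Rule(56, "10.1.0.0/16", "10.2.0.0/16", ANY, "Deny"),
    Rule(70, "192.168.0.0/24", "10.3.0.0/24", (80, 80), "Allow"),
    Rule(71, "192.168.0.0/24", "10.3.1.0/24", (80, 80), "Allow"),
    Rule(72, "192.168.0.0/24", "10.3.0.0/23", (80, 80), "Deny"),   # covered by 70 + 71
    Rule(121, "10.1.0.0/16", "10.2.5.0/24", (21, 21), "Allow"),
]

if __name__ == "__main__":
    for rule_id, result in analyze(CHAIN).items():
        print(rule_id, result)
```

Two identical rules are reported as one redundant and one shadowed, and deleting both would change behavior, so remove one rule at a time and re-run the analysis before removing the next.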

Rule usage analysis

In Skybox Firewall Assurance, you can use a process named rule usage analysis to streamline the optimization of access rules and to help you to identify unused rules and objects. The 1st step in this process is to collect the activity log from the firewall policy; this data is included in the demo model for the firewall main_fw.

To view rule usage analysis data

1. In the tree, select All Firewalls > main_fw. You can see that the summary includes rule usage information for this firewall.
2. Next to the title of the Optimization and Cleanup pane, click the arrow to expand the pane. You can see the following information:
   - Rule Usage: Usage information about the access rules that make up this firewall in table and chart formats.
   - Object Usage: Usage information about the firewall objects used in the firewall's access rules.
3. Click the Unused Rules link. The Rule Usage tab is displayed. The access rules are grouped by their usage types (during the analysis period):

   - Unloggable: Rules that cannot be logged. These are implicit rules and rules entered manually in Skybox.
   - Contains Unused Objects: Rules that had hits, but some objects referenced in the rule had no hits.
   - Used: Rules that had hits and all objects referenced in the rule had hits.
   - Not Logged: Rules for which logging is disabled on the firewall.
   - Unused: Rules that had no hits.

   You can see that the value in the Hit Count column of the unused rules is 0. Rules in the Usage: Used and Usage: Contains Unused Objects groups have hit counts greater than zero.
4. Open the list of Usage: Used rules. You can see that there are 2 rules that have (Critical) in the Actual Rule Usage column, and that the actual rule usage for these rules is under 1% each. The Actual Rule Usage column shows the lowest usage level of the Source, Destination, and Service fields. You can see if any of the fields are very permissive by their poor usage.
5. Select the Critical rule with .39% usage. In the Details pane, you can see the actual usage for the rule, split according to its dimensions (source, destination, and service).

6. Select the last entry in the table.
7. Hover your mouse over the Used Addresses/Ports field. In the field itself, you can see that, although the definition of this rule contains Any in the Service field, only a specific number of ports are actually used. In the tooltip, you can see the actual hit count for each port and the port's last used date; consider narrowing the scope of the service field of this access rule to prevent unnecessary exposure.

VIEWING OBJECT USAGE

To view object usage for an access rule

1. Click the Object Usage tab. The firewall objects are grouped by their usage types and then by their object types. The usage types are (for hits during the analysis period):
   - Unused: The object had no hits.
   - Unused in Some Rules: The object is used in at least 1 rule and unused in at least 1 rule.
   - Used: The object is used in all rules that reference it.
   - Not Logged: No hit count is available for the object. This usually refers to objects that are only referenced by implicit rules and rules for which logging is disabled.
2. In the Table pane, expand Usage: Unused in Some Rules and then expand Type: FireWall-1 Group.

3. Select an object. You can see information about the object in the Details pane, including how many rules reference the object and in how many rules the object is unused.
4. To display all access rules that reference the object, right-click the object and select Show Referencing Rules. All the access rules for the firewall are listed; the rule that references the object is listed in bold type.
5. Close the display of access rules.
6. To display the rules in which the object is referenced but not used (that is, the object's hit count in that rule is zero), right-click the object and select Show Unused Rules. The access rules for the firewall are listed; the rules that reference the object but have a hit count of zero are in bold type (rule 9).
7. Close the list of access rules.

GENERATING RULE USAGE ANALYSIS REPORTS

To generate a Rule Usage Analysis report

1. In the tree, expand the main_fw node.
2. Right-click Optimization and Cleanup and select Rule Usage Analysis Report. You can change properties of the report in the Report Properties dialog box.
3. Set Analysis Period (by selecting Custom) so that the start date is January 1, 2017 and the end date is May 23,
4. Click Generate Now.

The report is generated and displayed in a separate window. The information in the report is a summary of the rule usage analysis information, focusing on unused rules and objects.

Exporting data to CSV files

You can export shadowed and redundant rules, and rule usage data from Skybox to CSV files for additional analysis or processing.

To export information to a CSV file

Right-click the firewall or firewall folder for which you want to export data and select Reports > Export to CSV Shadowed Rules (or Export to CSV Rule Usage Data).

Chapter 9 Change tracking

Change tracking in Skybox helps you to keep track of changes made to access rules and objects for all firewalls, including the time of change and who made the change (when available). Change tracking provides a side-by-side view of the previous and current values of all changed entities.

When you use change tracking, Skybox maintains a repository of changes so that you can review the history of access rules.

In this chapter
- Using change tracking
- Viewing the changes
- Change Tracking reports

Using change tracking

The change tracking feature analyzes changes that occur in firewall access rules and objects over time.

To use change tracking, you must import firewall data on a regular basis and analyze the data for changes (using the Analyze Firewall Changes task) after each import. You can import syslog changes as necessary (even several times per hour) to provide updated change tracking information, including the user who made each change and its timestamp. By selecting a specific tracking period, you can view all changes in the access rules and firewall objects that occurred during the selected period.

Note: For tutorial purposes, several of the firewalls in the demo model include data that you can use for change tracking.

Viewing the changes

To view changes to the firewalls

1. In the tree, select All Firewalls and look at the Summary page. You can see that there are several changes on some firewalls.
2. To view a graph of the changes: next to the title of the Change Tracking pane, click the arrow to expand the pane. You can choose to view daily, weekly, or monthly changes in the chart.
3. Click the link in the Total Changes field to see a list of all the changes. Select a change (click in the row, but not on the link to the firewall within the row) to view additional information in the Details pane. If the change involves an object, the Affected Access Rules tab lists all access rules affected by the changes in this object.

To view changes to a single firewall

1. In the Table pane, click the Changes by Firewall tab. You can see a sorted list of firewalls in which changes were made.
2. Click the firewall that you want to examine.

Change Tracking reports

You can generate a report of the firewall changes or export the changes to a CSV file.

To generate a Change Tracking report for a firewall

1. Right-click the Change Tracking node of the main_fw firewall and select Change Tracking Report.
2. Click Generate Now. The report is displayed in PDF format in a separate window.

To export the firewall changes to a CSV file

1. Right-click the Change Tracking node of the main_fw firewall and select Export to CSV Change Tracking Data.
2. Select the location where you want the file to be saved and click OK.

Chapter 10 Rule review

Rule review in Skybox enables you to view access rules in the context of all compliance categories, and to view and set business attributes for each rule. You can search for specific groups of rules (for example, those that include a specific object or a specific IP address range) across multiple firewalls.

Rule review provides an overall view of a firewall's access rules in the context of all compliance categories. It also enables you to document various business attributes of the rules, including owner, business function, comment, and next review date, and to search on these attributes. If your organization requires additional, custom attributes, you can add them using custom fields.

In this chapter
- Reviewing rules
- Recertifying rules

Reviewing rules

To review access rules for a firewall

1. In the tree, select main_fw > Rule Review. You can see all the access rules for this firewall. The table includes business information that is not visible in other displays of access rules (for example, Owner and Next Review Date).

Note: Business attributes are not imported from firewall configuration files; you must add them manually to individual rules or groups of rules.

2. Select the 1st rule in the table that has a value in the Actual Rule Usage column, and look at the Highlights tab in the Details pane.
3. In the Compliance Category area, you can see a linked summary for each category in the table that has data. Click the link in the 1st row. The properties of the access rule are displayed with the Access Compliance violations.
4. To view information about a different compliance category, click the relevant tab in the Access Rule Properties dialog box. Note that within the Properties dialog box, the entries in the Highlights tab do not have links.
5. Close the dialog box.
6. In the Highlights tab, expand the Business Attributes area to see the rule's business information.

   The following business attributes are available: Owner, , Business Function, Next Review Date, Rule Comments and Ticket ID. Administrators can define additional (custom) fields to suit your organization's requirements.
7. To change any of the business attributes, right-click the rule in the Table pane and select Set Business Attributes.

Note: You can select multiple access rules in the Table pane and change the business attributes of all of them at once.

Recertifying rules

After reviewing an access rule, you can request that the rule be recertified. Recertification requests are created in Skybox as tickets; you track and handle them in Skybox Change Manager.

To recertify an access rule

1. Select an access rule that you want to recertify. Usually that would be a rule that you own, whose next review date is approaching.
2. Right-click the access rule and select Recertify Rule.

3. In the Workflow field, notice that Recertification is selected. This is a special workflow that is for recertification tickets.
4. If desired, specify a different owner for the ticket and make any other necessary changes.
5. Click OK. A ticket is created for the access rule. The pop-up message about the ticket includes a link to the ticket in Skybox Change Manager. You can see the recertification status of the access rule in the table.

You can request recertification for several access rules at the same time.

Chapter 11 Firewalls with intrusion prevention systems

Skybox Firewall Assurance offers the following information regarding IPS coverage of your organization:

- Overall signature coverage from Palo Alto Networks devices per new threats reported over a period of time and threat level
- Information about signatures in prevention mode vs. detection mode so that you can understand the actual coverage provided by the IPS device in the context of the network architecture
- Signatures (in prevention mode or detection mode) correlated against critical vulnerability occurrences that exist in your organization using Skybox Vulnerability Control

You can then make informed decisions about which signatures to change from detection mode to prevention mode, and which signatures to deactivate.

Information is provided per IPS-enabled device.

Viewing IPS coverage in Skybox

IPS coverage is displayed as part of the summary for each IPS-enabled firewall.

To view IPS coverage for an IPS-enabled firewall

1. In the tree, select PA-2020:vsys1 and look at the IPS pane at the bottom of the summary page.

Note: If you use a Firewall Assurance-only license, you cannot see information about vulnerability occurrences unless they are enabled.

   At the top of the IPS pane, there is a link specifying how many active IPS signatures exist for this type of IPS device. The link opens the IPS Signatures dialog box, which lists all the signatures.
2. Look at the left-hand side of the pane. Active Signatures Relative to Vulnerability Occurrences displays the total number of active signatures (in both Prevention and Detection modes) that are relevant to vulnerability occurrences in your organization. The pie chart and table classify the active signatures to prevention, detection, and disabled. Disabled signatures are signatures of the firewall's vendor that have a matching vulnerability occurrence in the model but that are not activated on this device.
   Click the link to Prevention in either the pie chart or the table to display a list of all the signatures active in Prevention mode on this device that are relevant to vulnerability occurrences in your organization. For each signature, you can see its ID, status, CVE and SBV IDs, and other information.
3. The right-hand side of the IPS pane displays this device's coverage of new threats (Vulnerability Definitions) by signature. You can change the time frame and the CVSS threshold.

Note: The IPS pane shows the coverage that the selected device provides for new threats in general. It is not specific to vulnerability occurrences that exist in your organization.

4. Click the link to Threats with Prevent Signatures in either the pie chart or the table to display a list of all the signatures in Prevention mode that are relevant to new threats. For each threat, you can see its SBV ID, title, CVE and Bugtraq IDs, severity, and other information, as well as which IPS signature in the device covers the threat and with what type of coverage (in this case, Prevent).

Chapter 12 Access Analysis

The Access Analyzer runs on a firewall and finds all routes between the selected source and destination over the selected services. For each destination interface, you can see:

- The ports that are exposed
- The access rules that grant permission for connectivity between the source and the destination

The Access Analyzer can help you to troubleshoot connection problems quickly and help you to get an overview of what is accessible from each of the network interfaces of the firewall.

You can use the Access Analyzer to check access:

- Between 2 network interfaces of a firewall
- For specific source or destination IP addresses

Using the Access Analyzer

To check access between 2 network interfaces

1. Select a firewall.
2. Click.

3. Click the Browse button next to the Source field.
4. Select the int19 interface for the source; click to move it to the Selected Source field.
5. Select the int15 interface for the destination; click.
6. Click OK to close the Scope dialog box.
7. Click the Browse button next to the Services field.

You select the services to use for checking access in the Services dialog box.

8 For this tutorial, you do not need to select any services; click Cancel.
Note: When you do not select any services, Skybox analyzes access using all services.
9 Click. In the Analysis Results pane, you can see the network interfaces that are accessible from the selected interface.
10 Expand each network interface to see the accessible IP addresses (and their ports and services).
11 Select the ports. In the Details pane, you can see the route for access between the network interface that you selected in the table and the selected ports of the network interface selected in the results tree.
12 On the Analysis Results toolbar, select Group by Service (instead of Group by Interface). When you expand the results, you see the same information grouped by services (ports).
13 Close the Access Analyzer.

Checking access between specific IP addresses

Checking access between specific IP addresses is similar to checking access between 2 network interfaces.

To check access between specific IP addresses

1 Select a firewall.
2 Click.
3 Click the Browse button next to the Source field.
4 In the Source and Destination Scope dialog box, in the Use IP Ranges field of either the source or the destination, type an IP address or IP address range.
5 To check access to or from the network interface that is associated with that IP address:
   a. Click Find Interfaces.
   b. In the Select a Matching Network Interface dialog box, select the interface and click Select.
6 Select an interface for the other side of the analysis (source or destination) and move it to the Selected Sources field.
7 Follow the previous exercise from step 7 to the end to understand the access results.

Chapter 13 What If and Forensics models

Skybox enables advanced users to work with other models (data sets) in addition to the current (Live) model.

- What If model: Work with the same set of firewalls for what-if purposes, making changes and checking the impact.
- Forensics model: Load a backup model to see the firewalls as they were at some previous time; compare the firewalls in the Forensics model with the current versions in the Live model.

All Skybox features are available on these models, including the Access Analyzer.

Example

Copy the current model (Live) to What If, make changes (in the What If model) to the access rules of firewalls, and run the Access Analyzer to check the impact of the access rule changes. The summary of changes for a firewall is similar to that in the following screen capture.
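The access check from Chapter 12 and the Live versus What If comparison described above can be sketched in a few functions. This is an added example, not Skybox code: the first-match rule model, the rule names and all addresses are constructed assumptions, and only the interface names int19 and int15 come from the tutorial.

```python
"""Added illustration: first-match access analysis plus a what-if comparison.
Rule model, rule names and addresses are constructed; not Skybox code or data."""
import copy
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_PORTS = range(1, 65536)  # no services selected: analyze every port


@dataclass
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: range  # destination TCP ports covered by the rule
    allow: bool   # True = permit, False = deny

    def covers(self, src_ip, dst_ip):
        """True if the rule's address fields match this source/destination."""
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def analyze_access(rules, src_ip, dst_ips, ports=ALL_PORTS):
    """Map each reachable destination IP to {exposed port: granting rule}."""
    results = {}
    for dst_ip in dst_ips:
        # Only rules whose addresses cover this pair can decide; keep order.
        candidates = [r for r in rules if r.covers(src_ip, dst_ip)]
        exposed = {}
        for port in ports:
            # First matching rule wins; no match at all is an implicit deny.
            decider = next((r for r in candidates if port in r.ports), None)
            if decider is not None and decider.allow:
                exposed[port] = decider.name
        if exposed:
            results[dst_ip] = exposed
    return results


def group_by_service(results):
    """Regroup the per-destination results by port (service)."""
    by_port = {}
    for dst_ip, exposed in results.items():
        for port in exposed:
            by_port.setdefault(port, []).append(dst_ip)
    return dict(sorted(by_port.items()))


def what_if_diff(live_rules, what_if_rules, src_ip, dst_ips):
    """Return (opened, closed) lists of (dst_ip, port) between two models."""
    def pairs(rules):
        res = analyze_access(rules, src_ip, dst_ips)
        return {(ip, p) for ip, exposed in res.items() for p in exposed}
    before, after = pairs(live_rules), pairs(what_if_rules)
    return sorted(after - before), sorted(before - after)


# Constructed sample model: networks assumed to sit behind int19 and int15.
INT19, INT15 = "10.19.0.0/24", "10.15.0.0/24"
SRC_HOST = "10.19.0.5"
DST_HOSTS = ["10.15.0.10", "10.15.0.20"]

LIVE = [
    Rule("deny-telnet", INT19, INT15, range(23, 24), allow=False),
    Rule("https-to-web", INT19, "10.15.0.10/32", range(443, 444), allow=True),
    Rule("admin-range", INT19, INT15, range(20, 26), allow=True),
]


def build_what_if(live_rules):
    """Copy the Live rules, then apply the proposed changes to the copy."""
    model = copy.deepcopy(live_rules)
    model[2].ports = range(22, 23)  # tighten admin-range to SSH only
    model.append(Rule("new-app", INT19, "10.15.0.20/32",
                      range(8443, 8444), allow=True))
    return model


if __name__ == "__main__":
    live_access = analyze_access(LIVE, SRC_HOST, DST_HOSTS)
    for dst, exposed in live_access.items():
        print(dst, exposed)
    print("by service:", group_by_service(live_access))
    opened, closed = what_if_diff(LIVE, build_what_if(LIVE),
                                  SRC_HOST, DST_HOSTS)
    print("opened by change:", opened)
    print("closed by change:", closed)
```

Port 23 never appears in the results even though admin-range permits 20-25, because the earlier deny rule decides it first; rule order is what the granting-rule column makes visible.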

Chapter 14 Using Skybox reports

Reports in Skybox are detailed accounts of specific data in the model (for example, Access Policy violations, firewall changes, or overdue tickets). As you saw in previous chapters, you can generate reports manually on a per-firewall basis. You can also generate reports for multiple firewalls, schedule their generation to run at specific times, and send them to specified Skybox users.

In this chapter

- Reports tree
- Report types
- Firewall Assurance reports

Reports tree

The Reports tree is divided into a public folder and a private folder; predefined reports are in the public folder and report definitions that you create are stored in your private folder. You can add subfolders for additional grouping. For example, you can have one folder for all reports relating to Access Compliance of individual firewalls and another for change tracking or Rule Usage Analysis reports.

Report types

Skybox Firewall Assurance provides several types of reports, including:

- Firewall Assurance reports: Show the overall status of the specified firewalls, including Access Policy and Rule Policy compliance, Configuration Compliance, Optimization & Cleanup, and Change Tracking. Detailed reports provide detailed information about various aspects of the firewall status.
- Access Compliance reports: Show the status of the Access Policy and provide policy-related information about specific firewalls. You can use detailed Access Policy reports to understand Access Policy violations.
- PCI Firewall Compliance reports: Demonstrate compliance of firewalls with PCI DSS Requirement 1, as you saw in PCI DSS Firewall Compliance (on page 34).
- Rule Usage Analysis reports: Provide information about unused Access Checks and objects in the Access Policy, as you saw in Analyzing rule usage (on page 47).
- Access Checks reports: List the Access Checks in all or part of the Access Policy.

- Firewall Changes reports: Provide a clear summary of the differences between firewalls in different models, with details about each modification and an explanation of how to bring the firewall in your baseline model to the same configuration as the firewall in your current model. They are used for change management.

Firewall Assurance reports

Firewall Assurance reports provide a complete overview of the state of firewalls in the network that you can distribute to others who do not have access to Skybox.

To generate a Firewall Assurance report

1 Open the Reports workspace.
2 Select Public Report Definitions > Firewall Compliance > Firewall Assurance Assessment. The workspace displays the properties of the report. The Firewall Scope field is empty; the report includes all firewalls in the network.
3 Right-click the report name and select Properties.

4 Look at the Firewall Scope field. The default firewall scope includes all firewalls in the All Firewalls list. For this tutorial, you narrow the scope to specific firewalls.
5 Click the Browse button next to the Firewall Scope field.
6 Select mainfw and vlab-cisco in the Available Items field and click to move them to the Selected Items field.
7 Click OK.
8 Note that, by default, the report includes summary information for all aspects of firewall assurance: Access and Rule Compliance, Configuration Compliance, Optimization & Cleanup, and Change Tracking, and summary information about vulnerability occurrences on the firewalls. You can select the aspects in which you are interested. For this tutorial, keep the default so that you can see how the information is presented.
9 Expand Optimization & Cleanup. In the Rule Usage Analysis Period field, change the value from Last 7 Days to All Available, as the data in the demo model is older than that of a real model.
10 Expand Change Tracking. In the Analysis Period field, change the value from Last 7 Days to All Available.
11 Click Generate. You are asked whether to generate the report in the background or in the foreground. As it can take some time to generate the report, it is often useful to generate in the background and keep working; this is not necessary in this tutorial.

12 Select Generate in the foreground and click OK.
13 After the report is ready, click the Summary: mainfw link. The section that appears contains summary information for main_fw about the various aspects that are tested in Firewall Assurance; it is similar to what you see when you select the firewall in the All Firewalls tree.

Another way to generate this report

You can generate Firewall Assurance reports for single folders or firewalls without switching to the Reports workspace: in the All Firewalls section of the Firewall Assurance tree, right-click the main node of the firewall or folder and select Reports > Firewall Assurance Report.


Network Behavior Analysis N E T W O R K O P E R AT I O N S. S I M P L I F I E D. FORWARD ENTERPRISE HIGHLIGHTS Forward Networks is the leader in Intent-based Networking and network assurance to automate the analysis and verification

More information

[ Getting Started with Analyzer, Interactive Reports, and Dashboards ] ]

[ Getting Started with Analyzer, Interactive Reports, and Dashboards ] ] Version 5.3 [ Getting Started with Analyzer, Interactive Reports, and Dashboards ] ] https://help.pentaho.com/draft_content/version_5.3 1/30 Copyright Page This document supports Pentaho Business Analytics

More information

Skybox Security Vulnerability Management Survey 2012

Skybox Security Vulnerability Management Survey 2012 Skybox Security Vulnerability Management Survey 2012 Notice: This document contains a summary of the responses to a June 2012 survey of 100 medium to large enterprise organizations about their Vulnerability

More information

ForeScout Extended Module for Splunk

ForeScout Extended Module for Splunk Enterprise Strategy Group Getting to the bigger truth. ESG Lab Review ForeScout Extended Module for Splunk Date: May 2017 Author: Tony Palmer, Senior Lab Analyst Abstract This report provides a first look

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.2 Table of Contents About ServiceNow Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

AppDefense Getting Started. VMware AppDefense

AppDefense Getting Started. VMware AppDefense AppDefense Getting Started VMware AppDefense You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit

More information

EMC Voyence Payment Card Industry Advisor. User s Guide. Version P/N REV A01

EMC Voyence Payment Card Industry Advisor. User s Guide. Version P/N REV A01 EMC Voyence Payment Card Industry Advisor Version 1.1.1 User s Guide P/N 300-007-495 REV A01 EMC Corporation Corporate Headquarters Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com COPYRIGHT Copyright

More information

Subscriber Data Correlation

Subscriber Data Correlation Subscriber Data Correlation Application of Cisco Stealthwatch to Service Provider mobility environment Introduction With the prevalence of smart mobile devices and the increase of application usage, Service

More information

Sophos Enterprise Console help. Product version: 5.5

Sophos Enterprise Console help. Product version: 5.5 Sophos Enterprise Console help Product version: 5.5 Contents 1 About Sophos Enterprise Console...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7 2.2 Toolbar buttons...7

More information

CipherCloud CASB+ Connector for ServiceNow

CipherCloud CASB+ Connector for ServiceNow ServiceNow CASB+ Connector CipherCloud CASB+ Connector for ServiceNow The CipherCloud CASB+ Connector for ServiceNow enables the full suite of CipherCloud CASB+ capabilities, in addition to field-level

More information

Business Insight Authoring

Business Insight Authoring Business Insight Authoring Getting Started Guide ImageNow Version: 6.7.x Written by: Product Documentation, R&D Date: August 2016 2014 Perceptive Software. All rights reserved CaptureNow, ImageNow, Interact,

More information

Sophos Enterprise Console

Sophos Enterprise Console Sophos Enterprise Console Help Product Version: 5.5 Contents About Sophos Enterprise Console...1 Guide to the Enterprise Console interface... 2 User interface layout... 2 Toolbar buttons...2 Dashboard

More information

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9

Forescout. eyeextend for MobileIron. Configuration Guide. Version 1.9 Forescout Version 1.9 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

CounterACT VMware vsphere Plugin

CounterACT VMware vsphere Plugin CounterACT VMware vsphere Plugin Configuration Guide Version 2.0.0 Table of Contents About VMware vsphere Integration... 4 Use Cases... 4 Additional VMware Documentation... 4 About this Plugin... 5 What

More information

IBM Proventia Network Enterprise Scanner

IBM Proventia Network Enterprise Scanner Protecting corporate data with preemptive risk identification IBM Proventia Network Enterprise Scanner Identifying risk and prioritizing protection IBM Proventia Network Enterprise Scanner * (Enterprise

More information

Integrate Saint Security Suite. EventTracker v8.x and above

Integrate Saint Security Suite. EventTracker v8.x and above EventTracker v8.x and above Publication Date: June 6, 2018 Abstract This guide provides instructions to configure Saint Security Suite to send crucial events to EventTracker Enterprise by means of syslog.

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Port Security Port Security helps to control access to logical and physical ports, protocols, and services. This

More information

Forescout. Engine. Configuration Guide. Version 1.3

Forescout. Engine. Configuration Guide. Version 1.3 Forescout Core Extensions Module: Device Classification Engine Version 1.3 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/

More information

HIPAA Compliance Module. Using the HIPAA Module without Inspector Instructions. User Guide RapidFire Tools, Inc. All rights reserved.

HIPAA Compliance Module. Using the HIPAA Module without Inspector Instructions. User Guide RapidFire Tools, Inc. All rights reserved. HIPAA Compliance Module Using the HIPAA Module without Inspector Instructions User Guide 2017 RapidFire Tools, Inc. All rights reserved. V20180216 Contents Purpose of this Guide... 4 About Network Detective

More information

Integrate Fortinet Firewall. EventTracker v8.x and above

Integrate Fortinet Firewall. EventTracker v8.x and above EventTracker v8.x and above Publication Date: October 31, 2017 Abstract This guide provides instructions to configure Fortinet Firewall to send crucial events to EventTracker Enterprise by means of syslog.

More information

IBM Security QRadar SIEM Version Getting Started Guide

IBM Security QRadar SIEM Version Getting Started Guide IBM Security QRadar SIEM Version 7.2.0 Getting Started Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 35. Copyright IBM

More information

DoD Role Based Insights on Demand (IOD) Training Guide

DoD Role Based Insights on Demand (IOD) Training Guide DoD Role Based Insights on Demand (IOD) Training Guide Version 8.5 December 18, 2018 DoD Role Based IOD Training Guide 8.5 Copyright 2018 Oversight Systems, Inc. All Rights Reserved The DoD Role Based

More information

the SWIFT Customer Security

the SWIFT Customer Security TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This

More information

Deltek Touch Expense for Ajera. Touch 1.0 Technical Installation Guide

Deltek Touch Expense for Ajera. Touch 1.0 Technical Installation Guide Deltek Touch Expense for Ajera Touch 1.0 Technical Installation Guide June 01, 2018 While Deltek has attempted to verify that the information in this document is accurate and complete, some typographical

More information