Current revision updated by rgilbert39 on
Originally created by rgilbert39 on

Frequency: 

Annual 

Prerequisites: 

  • Book Of Knowledge Training 
  • FW.Noc training 
  • DNS/GTIPAM cleanup complete 
  • Host, Server, and endpoint are used interchangeably. The column in FW Noc says server although it is for any endpoint. 
  • Firewall reviews are saved in Dropbox under cybersecurity. 
  • Legend: red – firewall issues, violet- Vulnerabilities, yellow-excluded endpoints, light blue – excluded IPs with no DNS entry, Green- good or resolved. 

Steps 

  1. Build an updated List
    1. Navigate to https://fw.noc.gatech.edu/ 
    2. COC firewalls located under FW Auditing  
    3. Firewall Review Scores are based on Vulnerabilities. As resolved the firewall list will change order. 
      1. Highlight and copy all firewalls and paste them to Excel so none are skipped. 
      2. Delete columns “B” and “C” in Excel. 
      3. Use the previous year’s review for a template and example. 
    4. Open Firewalls one at a time. 
    5. Tasks 
      1. Click SS Edit or hyperlink in the server column that says “Scanned- Found Vulnerabilities.” 
      2. Select “Scan HOST + Update Status and Report.” 
      3. If there are still Vulnerabilities select “Generate Report for Viewing.” 
      4. Open the report and save it. 
      5. Open the RT ticket and list all level 3,4, and 5 vulnerabilities with their potential solutions including the potential ones in the comment field. 
      6. List the RT ticket number in Excel for tracking.  
    6. Discuss findings with TSO. 
    7. All Excluded servers will need a new PER. This includes any TSO subnets that are excluded. Update the PER with new numbers. 
    8. Determine who is responsible for the vulnerability and assign cases accordingly. 
    9. Reach out to users with risky rules to ensure they are still needed. If not change per request. This should have an RT case for tracking. 
    10. Closing Vulnerabilities requires a compensating control, PER, or some other mitigating control for acceptance. 
      1. If using a PER, choose the ignore score, choose other from the selection box, and enter PER number. 
      2. If choosing to accept due to compensating control, choose it from the dropdown. 
      3. Note that if other vulnerabilities are ignored then, accepting them will cause them to show and it works in a circle. Always choose to show ignored vulnerabilities so they can be accepted again as well. 
      4. If Vulnerability is mitigated, then a rescan will clear it. 
      5. If using the hyperlink to see the vulnerability, then it is required to choose the update scan and report button to clear the vulnerability score. 
      6. Work on any additional issues and resolve them. 
      7. Save the list in Firewall reviews. 
      8. Archive the previous year’s review. 
  2. List all default rules for firewalls
    1. Rules in Default should apply to all hosts or a majority of them
      1. If using default rules for the majority of servers, each one not needing them must be set to deny for Implicit deny being maintained. 
    2. Review rules with TSO 
    3. Any changes removing default rules, require reaching out to contact endpoints in the subnet to ensure they do not need rules. If so, then will need to add it to the endpoint. 
    4. Save the final in the Firewall review drop box as well. 
Filing Categories
Identifier Categories
Specific categories