Advanced risk editing

This section explains how to perform advanced editing of custom risk items. For information on custom risk items, see Customize risk profiles.

Overview

You can customize Risk Profiles by defining custom risk items. Custom risk items allow you to define more complex risks by composing the XQL query of your choice. For example, you can define risks for the following types of allowed traffic:

  • Group of several services from X to Y
  • Insecure external access to device
  • Over N machines can manage your device
  • TCP on over M ports can enter your network
  • "From A to B with service C" rules

All operators used in risk item XQL queries are standard XQL operators: $eq$, $ne$, $lt$, $gt$, $and$, $or$, $match$ (tests the attribute against a regular expression, e.g. '/abc[de]/'), $no_match$ (the negation of $match$), and parentheses () for grouping sub-expressions.

Risk item types

AFA supports the following types of risk items:

Type: Traffic

Description: Relates to risks regarding traffic allowed through the device.

This type of risk item can be used to detect risky traffic allowed by the device.

In standard risk items, this type is represented by the letters D, J, Z, K, I, S, O, M, E, C. In custom risk items, this type is represented by the letter U.

Type: Host Group

Description: Relates to risks regarding host group definitions.

This type of risk item can be used to detect certain host groups defined on the device, according to specific criteria.

In standard risk items, this type is represented by the letter H. In custom risk items, this type is represented by the letter U.

Type: Properties

Description: Relates to risks regarding device property definitions.

This type of risk item can be used to detect the value of certain device properties.

In standard risk items, this type is represented by the letter P. In custom risk items, this type is represented by the letter U.

Type: Rules

Description: Relates to risks regarding rule definitions.

This type of risk item can be used to detect specific rules in the policy, for example rules with "Any" as their source and so on.

In standard risk items, this type is represented by the letter R. In custom risk items, this type is represented by the letter U.

Traffic risk item guidelines

Sample traffic risk item (risk I08)

Queries/QIndex[@name="q_srv_Outside_Inside"]/QEntry[
    @srv $eq$ "http" $and$
    eval("256", "Number") $lt$ @n_dst_impact_ips
]/QRes[
    @n_risky_dst_ips $ne$ 0 $and$
    @n_risky_src_ips $ne$ 0 $and$
    @is_vpn $ne$ "yes"
]

This query examines the Outside-to-Inside traffic query (q_srv_Outside_Inside) for entries where the service is http and more than 256 destination IP addresses are impacted, and reports a result only when the counts of risky source and risky destination IP addresses are both nonzero and the traffic is not carried over VPN.
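The following is an added example, not one of AFA's built-in risk items, showing how the same QEntry/QRes shape as I08 can express two of the cases listed in the overview: a group of several services from X to Y, and a threshold on how many machines are affected. It groups several clear-text services with $match$ and $or$ inside parentheses and lowers the impact threshold to 50 destination IPs. The query name q_srv_Outside_Inside and the attribute names are taken from the sample above; the service names telnet, ftp and rsh, the threshold value, and the single-quote form of the regular-expression literal are assumptions.

```xpath
Queries/QIndex[@name="q_srv_Outside_Inside"]/QEntry[
    (@srv $match$ '/^(telnet|ftp|rsh)$/' $or$ @srv $eq$ "http") $and$
    eval("50", "Number") $lt$ @n_dst_impact_ips
]/QRes[
    @n_risky_dst_ips $ne$ 0 $and$
    @n_risky_src_ips $ne$ 0 $and$
    @is_vpn $ne$ "yes"
]
```

The parenthesised $or$ group is evaluated first, so the entry matches when the service is any of the listed ones; the remaining $and$ clauses then apply the impact threshold and, in QRes, the same risky-IP and non-VPN conditions as I08. Adding a service to the group only requires extending the alternation inside the regular expression.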

Host group risk item guidelines

Sample host group risk item (risk H02)

Hosts/Host[
    @name $eq$ "Trusted_hosts" $and$
    eval("20", "Number") $lt$ @n_Total
]

This query checks whether the pre-defined "Trusted_hosts" object (which represents servers that can manage this firewall) contains more than 20 IP addresses.

Property risk item guidelines

Property risk items are used to detect the value of certain firewall properties. These properties are extracted by AFA during analysis. For a full list of properties, refer to the properties.xml file in the relevant report directory.

Note: Properties will differ between firewall vendors. Parameters can be created for Check Point firewalls from the asm.C file.

Sample property risk item (risk P05)

Props[http_enforce_buffer_overflow[@value $ne$ "true"]]

Rule risk item guidelines

Sample rule risk item (risk R01)

Rules/Rulebase[@interface="%INTERFACE"]/Rule[
    @dst = "*" $and$
    @srv = "*" $and$
    @orig_rule $ne$ "" $and$
    @orig_rule $ne$ "0" $and$
    @vpn $ne$ "VPN_PERMIT" $and$
    @vpn $ne$ "VPN" $and$
    @action = "PASS"
]

This query detects all rules other than VPN rules, where both the destination and the service are "any", and the action is "PASS".

Note: AFA performs these queries on its internal "Expanded rules". To see these rules in your device report, go to Explore Policy -> Expanded Rules.
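As an added example (not a built-in AFA risk item), the R01 shape can be narrowed from "any destination and any service" to the "From A to B with service C" case from the overview: rules with "Any" as their source that reach a specific host group over one of a small set of services. The path, the @orig_rule, @vpn and @action clauses are taken from R01 above; the @src attribute, the host group name DMZ_servers, the service names and the single-quote regular-expression literal are assumptions.

```xpath
Rules/Rulebase[@interface="%INTERFACE"]/Rule[
    @src = "*" $and$
    @dst $eq$ "DMZ_servers" $and$
    @srv $match$ '/^(telnet|ftp)$/' $and$
    @orig_rule $ne$ "" $and$
    @orig_rule $ne$ "0" $and$
    @vpn $ne$ "VPN_PERMIT" $and$
    @vpn $ne$ "VPN" $and$
    @action = "PASS"
]
```

Because the query runs against the expanded rules, a single policy rule whose service is a group containing telnet will be reported through its expanded form; the @orig_rule clauses keep only expanded rules that originate from an actual policy rule, exactly as in R01.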

Assessment and remedy keywords

The following keywords can be added to risk item assessments and remedies, for richer user-defined risk descriptions in the report. Keyword use is optional.

For more details, see Customize risk items.