Hey everyone, welcome back to Cyber Gray Matter. In today's video we're going to be going over the basics of how to audit a firewall. This video will cover the six steps of the firewall auditing process, and I think you'll find a lot of these concepts helpful; they carry over to all general technology fields, including the emphasis on procedures and documentation. This video won't be a deep dive into the technical details, but it goes over compliance, best practices and other security concepts. It's a good start to get an idea of what the auditing process is like. Let's jump right into it.
So let's start with what a firewall even is. A firewall is a networking device and tool that manages connections between different internal or external networks. It can accept or reject connections, or even filter them, and everything is based on rules.

Remember that firewalls work on the network and transport layers, so layers three and four of the OSI model. However, there are some firewalls that can operate on the application layer, layer 7 of the OSI model, and these are considered smarter; they're known as next-generation firewalls. Also, please don't confuse the application-layer tidbit about the next-gen firewall with a web application firewall; it's not the same thing.

So what's a firewall audit? A firewall audit is the process of investigating the existing aspects of a firewall. This can include access and connections, along with the identification of vulnerabilities and reports on any changes.
So why are audits important? With all the compliance standards out there and in use, firewall audits are a way to prove to regulators or business partners that an organization's network is secure. Some of these standards include the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA).

Other than firewall audits being required, they're simply best practice. If you audit a firewall you're likely to catch a weakness or an opening within your network and security posture, and this way you can adapt your policies to fit. Doing due diligence is important in cyber security, and reviewing controls and policies will be one piece that helps protect an organization in the unfortunate circumstance of a lawsuit, breach or some sort of regulatory issue that may come up. Auditing a firewall will ensure that your configuration and rules adhere to internal cyber security policies. Besides safety, a firewall audit can help improve performance by optimizing the firewall rule base, and we'll go into that a little bit later.
Now let's get into the six steps of the firewall audit.

Step 1: collect key information.
This is prior to the audit: there needs to be information gathered, and during this time there needs to be visibility into the network, with its software, hardware, policies and risks. In order to plan the audit you will need the following key information:
copies of the relevant security policies;
the firewall logs, which can be compared to the firewall rule base to find which rules are being used;
an accurate and updated copy of the network and firewall topology diagrams;
any previous audit documentation, including the rules, objects and policy revisions;
vendor firewall information, including the OS version, latest patches and the default configuration;
and finally, an understanding of all the critical servers and repositories within the network.
Step 2: assess the change management process.
The change management process starts with the request to change some sort of process or technology. It runs from the beginning, with conception, through the implementation and then to the final resolution. Change management within a firewall audit is important because there needs to be traceability of any firewall changes, and it also ensures compliance for the future.

The most common problems with change control involve issues with the documentation, such as not recording or being clear about why the change was needed or who authorized the changes, and poor validation of the network impact of each change.

Some requirements for rule base change management are the following:
make sure the changes are going through the proper approval and are implemented by the authorized personnel;
changes should be tested and documented in line with regulatory and internal policy requirements;
each rule should be annotated to include the change id of the request and have a sign-off with the initials of the person who implemented the change, and make sure there is an expiration date for the change if one should exist;
determine whether there is a formal and controlled process in place for the request, review, approval and implementation of firewall changes, and this process should include the business purpose for the change request, the duration of the new or modified rule, an assessment of the potential risk associated with the new or modified rule, formal approvals for new and modified rules, assignment to the proper administrator for implementation, and verification that the change has been tested and implemented correctly;
authorization must be granted to make these changes, and any unauthorized changes should be flagged for future investigation;
it should be determined whether real-time monitoring of changes to the firewall is enabled;
authorized requesters, admins and stakeholders should be given rule change notifications.
Step 3: audit the OS and physical security.
Firewall audits don't just involve the rule base policies but the actual firewall itself. It's important to ensure that the firewall has both physical and software security feature verification; this involves the hardware and the OS software of the firewall. It's important that there is physical security protecting the firewall and management servers, with controlled access. This ensures that only authorized personnel are permitted to access the firewall server rooms. Vendor operating system patches and updates are extremely important, and it should be verified that these are in place. The operating system should also be audited to ensure that it passes common hardening checklists. The device administration procedure should also be reviewed.
Step 4: declutter and improve the rule base.
In order to ensure that the firewall performs at peak performance, the rule base should be decluttered and optimized. This also makes the auditing process easier and removes unnecessary overhead. To do this, start by:
deleting the rules that aren't useful, and disabling expired and unused rules and objects;
deleting the unused connections, and this includes source, destination and service routes that aren't in use;
finding similar rules and consolidating them into one rule;
identifying and fixing any issues that are overly permissive, and analyzing the actual policy against the firewall logs;
analyzing VPN parameters in order to uncover users and groups that are unused, unattached, expired or about to expire;
enforcing object naming conventions;
and finally, keeping a record of rules, objects and policy revisions for future reference.
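As an added example (not from the video), here is a small Python script that does the log-versus-rule-base comparison from step 1, checks the change-id and expiry annotations from step 2, and produces the declutter list from step 4: enabled rules that never matched a log line, expired rules, rules with no change id in their comment, and duplicate rules that can be consolidated. The rule base, the comment format (`CHG-<id> <initials> [expires=YYYY-MM-DD]`) and the log line format are all constructed for the example; a real vendor export looks different and needs its own parser.

```python
# Added example (not from the video): rule-base hygiene checks.
# The rule base, the comment format and the log format are constructed.
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str
    dst: str
    service: str
    action: str
    enabled: bool = True
    comment: str = ""  # assumed to hold "CHG-<id> <initials> [expires=YYYY-MM-DD]"


# Constructed rule base (hypothetical objects and change ids)
RULES = [
    Rule(1, "corp-lan", "dmz-web", "tcp/443", "allow", comment="CHG-1001 jd"),
    Rule(2, "corp-lan", "dmz-web", "tcp/443", "allow", comment="CHG-1042 ab"),
    Rule(3, "vendor-vpn", "erp-db", "tcp/1433", "allow",
         comment="CHG-0877 jd expires=2023-06-30"),
    Rule(4, "any", "any", "any", "allow", comment=""),
    Rule(5, "corp-lan", "internet", "tcp/80", "allow", enabled=False, comment="CHG-0650 ab"),
    Rule(6, "any", "any", "any", "deny", comment="CHG-0001 jd"),
]

# Constructed log lines in a hypothetical key=value format; only rule_id is used here
LOGS = """\
2024-03-01T08:00:01 fw1 action=allow rule_id=1 src=10.1.0.5 dst=10.9.0.10 dport=443
2024-03-01T08:00:02 fw1 action=allow rule_id=1 src=10.1.0.6 dst=10.9.0.10 dport=443
2024-03-01T08:00:03 fw1 action=allow rule_id=3 src=10.200.0.2 dst=10.5.0.20 dport=1433
2024-03-01T08:00:04 fw1 action=deny rule_id=6 src=198.51.100.7 dst=10.1.0.5 dport=22
"""

AUDIT_DATE = date(2024, 3, 1)  # the day the audit is run (constructed)

RULE_ID_RE = re.compile(r"\brule_id=(\d+)\b")
CHANGE_ID_RE = re.compile(r"\bCHG-\d+\b")
EXPIRY_RE = re.compile(r"\bexpires=(\d{4}-\d{2}-\d{2})\b")


def rule_hits(log_text):
    """Count log lines per rule id (step 1: compare logs to the rule base)."""
    return Counter(int(m.group(1)) for m in RULE_ID_RE.finditer(log_text))


def unused_rules(rules, hits):
    """Enabled rules that never matched a log line: candidates to disable."""
    return [r.rule_id for r in rules if r.enabled and hits[r.rule_id] == 0]


def expired_rules(rules, today):
    """Rules whose comment carries an expiry date that has already passed."""
    out = []
    for r in rules:
        m = EXPIRY_RE.search(r.comment)
        if m and date.fromisoformat(m.group(1)) < today:
            out.append(r.rule_id)
    return out


def rules_missing_change_id(rules):
    """Rules with no change id in the comment (step 2: traceability gap)."""
    return [r.rule_id for r in rules if not CHANGE_ID_RE.search(r.comment)]


def duplicate_rules(rules):
    """(earlier, later) pairs with identical match fields and action: consolidate."""
    first_seen, dups = {}, []
    for r in rules:
        key = (r.src, r.dst, r.service, r.action)
        if key in first_seen:
            dups.append((first_seen[key], r.rule_id))
        else:
            first_seen[key] = r.rule_id
    return dups


def hygiene_report(rules, log_text, today):
    """Collect every declutter finding into one dict for the audit record."""
    hits = rule_hits(log_text)
    return {
        "unused": unused_rules(rules, hits),
        "expired": expired_rules(rules, today),
        "missing_change_id": rules_missing_change_id(rules),
        "duplicates": duplicate_rules(rules),
    }


if __name__ == "__main__":
    for finding, rule_ids in hygiene_report(RULES, LOGS, AUDIT_DATE).items():
        print(f"{finding}: {rule_ids}")
```

On the constructed data this reports rules 2 and 4 as unused (rule 5 is skipped because it is already disabled), rule 3 as expired, rule 4 as missing a change id, and rules 1 and 2 as duplicates. The "unused" list is only as good as the log window you feed it, so compare against logs covering at least one full business cycle before disabling anything.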
Step 5: perform a risk assessment and fix issues.
A thorough and comprehensive risk assessment will help identify any risky rules and ensure the rules are compliant with internal policies and relevant standards and regulations. This is done by prioritizing the rules by severity, based on industry standards and best practices, and on the needs and risk acceptance of the organization.

Things to look for:
check to see if there are any rules that go against or violate your corporate security policy;
do any of the firewall rules use 'any' in the source, destination, service, protocol, application or user fields with a permissive action?
do any of the rules allow risky services from your DMZ to the internal network?
what about any rules that allow risky services from the internet, coming inbound to sensitive servers, networks, devices and databases?

It's also good to analyze firewall rules and configurations and check whether they comply with regulatory standards such as PCI DSS, SOX, ISO and other policies that are relevant to the organization. These might be policies for hardware, software configurations and other devices.

There should be an action plan for the remediation of the risks and compliance exceptions identified in the risk analysis. It should be verified that the remediation efforts have taken place and that any rule changes have been completed correctly, and as always these changes should be tracked and documented.
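To make step 5 concrete, here is an added Python example (not from the video) that scores a constructed rule base against the questions above: corporate policy violations, 'any' in a permissive rule, risky services from the DMZ to the internal network, and risky services inbound from the internet to sensitive networks. It then sorts the findings by severity so they can go straight into the remediation action plan. The zone names, the risky-service list, the banned-service policy and the severity levels are assumptions you would replace with your own policy.

```python
# Added example (not from the video): rank rules by risk for step 5.
# Zones, the risky-service list and the corporate policy are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    service: str
    action: str


INTERNET = "internet"
DMZ = "dmz"
INTERNAL_ZONES = {"corp-lan", "servers"}       # assumed internal network zones
SENSITIVE_ZONES = {"servers", "db"}             # assumed sensitive servers and databases
RISKY_SERVICES = {"tcp/21", "tcp/23", "tcp/445", "tcp/1433", "tcp/3306", "tcp/3389"}
POLICY_BANNED_SERVICES = {"tcp/23"}             # assumed corporate policy: no telnet anywhere
SEVERITY = {"critical": 3, "high": 2, "medium": 1}

# Constructed rule base
RULES = [
    Rule(1, "internet", "dmz", "tcp/443", "allow"),
    Rule(2, "any", "any", "any", "allow"),
    Rule(3, "dmz", "corp-lan", "tcp/445", "allow"),
    Rule(4, "internet", "db", "tcp/1433", "allow"),
    Rule(5, "corp-lan", "internet", "tcp/80", "allow"),
    Rule(6, "corp-lan", "servers", "tcp/23", "allow"),
    Rule(7, "any", "any", "any", "deny"),
]


def _risky(service):
    """A service is risky if it is on the list or the rule leaves it wide open."""
    return service == "any" or service in RISKY_SERVICES


def findings(rule):
    """Return (severity, reason) pairs for one rule; deny rules raise nothing here."""
    out = []
    if rule.action != "allow":
        return out
    any_fields = [f for f in ("src_zone", "dst_zone", "service")
                  if getattr(rule, f) == "any"]
    if len(any_fields) == 3:
        out.append(("critical", "allows any source to any destination on any service"))
    elif any_fields:
        out.append(("high", "'any' in " + ", ".join(any_fields)))
    if rule.src_zone == INTERNET and rule.dst_zone in SENSITIVE_ZONES and _risky(rule.service):
        out.append(("critical", "risky service inbound from the internet to a sensitive zone"))
    if rule.src_zone == DMZ and rule.dst_zone in INTERNAL_ZONES and _risky(rule.service):
        out.append(("high", "risky service from the DMZ to the internal network"))
    if rule.service in POLICY_BANNED_SERVICES:
        out.append(("medium", "service prohibited by corporate security policy"))
    return out


def assess(rules):
    """List (rule_id, top severity, reasons), highest severity first, for the action plan."""
    results = []
    for r in rules:
        f = findings(r)
        if f:
            top = max(f, key=lambda x: SEVERITY[x[0]])[0]
            results.append((r.rule_id, top, [reason for _, reason in f]))
    results.sort(key=lambda x: (-SEVERITY[x[1]], x[0]))
    return results


if __name__ == "__main__":
    for rule_id, severity, reasons in assess(RULES):
        print(f"rule {rule_id}: {severity}: {'; '.join(reasons)}")
```

Rules 2 and 4 come out critical, rule 3 high and rule 6 medium; rules 1 and 5 raise nothing, and the final cleanup deny (rule 7) is ignored because the checks only look at permissive actions. Severity here is deliberately a policy decision: change the tables at the top, not the check logic, when the organization's risk acceptance differs.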
Step 6: conduct ongoing audits.
Now that the initial audit is done, we need to continue auditing to ensure that this is ongoing. Ensure that there is an established and continuous process in place for future firewall audits. In order to avoid errors and manual tasks, these can be automated with analysis and reporting. All procedures need to be documented, in order to create a complete audit trail for all firewall management activities. Ensure that there is a robust firewall change workflow in place to maintain compliance over time. And finally, ensure that there is an alerting system in place for significant events and activities; this includes changes to certain rules, or if a new high-severity risk is identified in the policy.
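As an added example (not from the video) of the change alerting described in step 6 and the rule change notifications from step 2, this Python snippet compares two saved revisions of a rule base, lists what was added, removed or modified, and raises alerts for changes that have no approved change record and for new or modified rules that now allow 'any'. The two revisions, the rule ids and the change records are constructed; in practice you would run the same comparison on each exported revision, or on each change event if the firewall's real-time change monitoring is enabled.

```python
# Added example (not from the video): diff two rule-base revisions and alert.
# Both revisions and the change records are constructed.
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str


# Previous revision, keyed by rule id (constructed)
PREVIOUS = {
    1: Rule("corp-lan", "dmz-web", "tcp/443", "allow"),
    2: Rule("corp-lan", "internet", "tcp/80", "allow"),
    3: Rule("vendor-vpn", "erp-db", "tcp/1433", "allow"),
    4: Rule("any", "any", "any", "deny"),
}

# Latest revision: rule 2 removed, rule 3 widened to any service, rule 5 added
LATEST = {
    1: Rule("corp-lan", "dmz-web", "tcp/443", "allow"),
    3: Rule("vendor-vpn", "erp-db", "any", "allow"),
    4: Rule("any", "any", "any", "deny"),
    5: Rule("internet", "dmz-web", "tcp/443", "allow"),
}

# Approved change tickets per rule id from the change-management records (constructed);
# the removal of rule 2 has no ticket, so it is an unauthorized change
CHANGE_RECORDS = {3: "CHG-2001", 5: "CHG-2002"}


def diff_rule_bases(old, new):
    """Report added, removed and modified rule ids (with the fields that changed)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = []
    for rule_id in sorted(set(old) & set(new)):
        changed = [f.name for f in fields(Rule)
                   if getattr(old[rule_id], f.name) != getattr(new[rule_id], f.name)]
        if changed:
            modified.append((rule_id, changed))
    return {"added": added, "removed": removed, "modified": modified}


def alerts(diff, new, change_records):
    """Flag unauthorized changes and new or modified rules that allow 'any'."""
    out = []
    touched = diff["added"] + diff["removed"] + [rid for rid, _ in diff["modified"]]
    for rule_id in touched:
        if rule_id not in change_records:
            out.append(("high", rule_id, "change has no approved change record"))
    for rule_id in diff["added"] + [rid for rid, _ in diff["modified"]]:
        r = new[rule_id]
        if r.action == "allow" and "any" in (r.src, r.dst, r.service):
            out.append(("high", rule_id, "new or modified rule allows 'any'"))
    return out


def audit_revision(old, new, change_records):
    """One pass of the ongoing audit: the diff plus the alerts it raises."""
    d = diff_rule_bases(old, new)
    return d, alerts(d, new, change_records)


if __name__ == "__main__":
    d, a = audit_revision(PREVIOUS, LATEST, CHANGE_RECORDS)
    print("diff:", d)
    for severity, rule_id, reason in a:
        print(f"ALERT [{severity}] rule {rule_id}: {reason}")
```

On the constructed revisions the diff shows rule 5 added, rule 2 removed and rule 3 modified in its service field, and two alerts are raised: the removal of rule 2 has no change record, and rule 3 was widened to allow any service even though its change was approved. Both are exactly the kinds of events the video says requesters, admins and stakeholders should be notified about.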
Thanks for watching! I hope you've had fun learning about firewall auditing. Please leave a like, and any questions down in the comment section below. Thank you.