[0:00:01] Hey everyone, welcome back to Cyber Gray Matter. In today's video we're going to be going over the basics of how to audit a firewall. This video will have six steps of the firewall auditing process, and I think you'll find a lot of these concepts helpful and correlate to all general technology fields, including the emphasis on procedures and documentation. This video won't be a deep dive into the technical details, but it goes over compliance, best practices and other security concepts. It's a good start to get an idea of what the auditing process is like. Let's jump right into it.

[0:00:33] So let's start with what a firewall even is. A firewall is a networking device and tool that manages connections between different internal or external networks. They can accept or reject connections, or even filter them, and everything is based on rules. Remember that firewalls work on the network and transport layers, so layers 3 and 4 of the OSI model. However, there are some firewalls that can operate on the application layer, or layer 7 of the OSI model, and these are considered smarter; they're known as next-generation firewalls. Also, please don't confuse the application-layer tidbit about the next-gen firewall with a web application firewall. It's not the same thing.

[0:01:12] So what's a firewall audit? A firewall audit is a process of investigating the existing aspects of a firewall, and this can include access and connections, along with the identification of vulnerabilities and reports on any changes.

[0:01:26] So why are audits important? With all the compliance standards out and being used, firewall audits are a way to prove to regulators or business partners that an organization's network is secure. Some of these standards include things such as the Payment Card Industry Data Security Standard, or PCI DSS; the General Data Protection Regulation, GDPR; Sarbanes-Oxley, or SOX; the Health Insurance Portability and Accountability Act, HIPAA; or the California Consumer Privacy Act, or CCPA. Other than firewall audits being required, they're simply best practice. If you audit a firewall, you're likely to catch a weakness or opening within your network and security posture; this way you can adapt your policies to fit this. Doing due diligence is important in cyber security, and reviewing controls and policies will be one piece that helps protect an organization if there might be the unfortunate circumstance of a lawsuit, breach or some sort of regulatory issue that may come up. Auditing a firewall will ensure that your configuration and rules adhere to internal cyber security policies. Besides safety, a firewall audit can help improve performance by optimizing the firewall rule base, and we'll go into that a little bit later.

[0:02:43] Now let's get into the six steps of the firewall audit.

Step 1: Collect key information. This is prior to the audit; there needs to be information gathered. During this time there needs to be visibility into the network, with software, hardware, policies and risks. In order to plan the audit you will need the following key information:
- copies of the relevant security policies
- the firewall logs, which can be compared to the firewall rule base to find which rules are being used
- an accurate and updated copy of the network and firewall topology diagrams
- any previous audit documentation, including the rules, objects and policy revisions
- vendor firewall information, including the OS version, latest patches and the default configuration
- and finally, an understanding of all the critical servers and repositories within the network

[0:03:38] Step 2: Assess the change management process. The change management process starts with the request to change some sort of process or technology. It runs from the beginning, with conception, through the implementation and then to the final resolution. Change management within a firewall audit is important because there needs to be traceability of any firewall changes, and also to ensure compliance for the future. The most common problems with change control involve issues with the documentation, such as not including or being clear about why the change was needed, who authorized the changes, and poor validation of the network impact of each change. Some requirements for the rule base change management are the following:
- make sure the changes are going through the proper approval and are implemented by the authorized personnel
- changes should be tested and documented per regulatory and internal policy requirements
- each rule should be noted to include the change ID of the request and have a sign-off with the initials of the person who implemented the change
- make sure there is an expiration date for the change if one should exist

Determine whether there is a formal and controlled process in place for the request, review, approval and implementation of the firewall changes, and this process should include:
- the business purpose for the change request
- the duration of the new or modified rule
- an assessment of the potential risk associated with the new or modified rule
- formal approvals for new and modified rules
- assignment to the proper administrator for implementation
- verification that the change has been tested and implemented correctly

Authorization must be granted to make these changes, and any unauthorized changes should be flagged for future investigation. It should be determined whether real-time monitoring of changes to the firewall is enabled. Authorized requesters, admins and stakeholders should be given rule change notifications.

[0:05:39] Step 3: Audit the OS and physical security. Firewall audits don't just involve the rule base policies but the actual firewall itself. It's important to ensure that the firewall has both physical and software security feature verification; this involves the hardware and OS software of the firewall. It's important that there is physical security protecting the firewall and management servers, with controlled access. This ensures that only authorized personnel are permitted to access the firewall server rooms. Vendor operating system patches and updates are extremely important, and it should be verified that these are in place. The operating system should also be audited to ensure that it passes common hardening checklists. The device administration procedure should also be reviewed.

[0:06:27] Step 4: Declutter and improve the rule base. In order to ensure that the firewall performs at peak performance, the rule base should be decluttered and optimized. This also makes the auditing process easier and will remove the unnecessary overhead. To do this, start by:
- deleting the rules that aren't useful, and disabling expired and unused rules and objects
- deleting the unused connections, and this includes source, destination and service routes that aren't in use
- finding the similar rules and consolidating them into one rule
- identifying and fixing any issues that are over-permissive, and analyzing the actual policy against firewall logs
- analyzing VPN parameters in order to uncover users and groups that are unused, unattached, expired or about to expire
- enforcing object naming conventions
- and finally, keeping a record of rules, objects and policy revisions for future reference

[0:07:27] Step 5: Perform a risk assessment and fix issues. A thorough and comprehensive risk assessment will help identify any risky rules and ensure the rules are compliant with internal policies and relevant standards and regulations. This is done by prioritizing the rules by severity, based on industry standards and best practices. This is based upon company needs and the risk acceptance of an organization. Things to look for:
- check to see if there are any rules that go against and violate your corporate security policy
- do any of the firewall rules use "any" in the source, destination, service, protocol, application or user fields with a permissive action?
- do any of the rules allow risky services from your DMZ to the internal network?
- what about any rules that allow risky services from the internet coming inbound to sensitive servers, networks, devices and databases?

It's also good to analyze firewall rules and configurations and check to see whether they are complying with regulatory standards such as PCI DSS, SOX, ISO and other policies that are relevant to the organization. These might be policies for hardware, software configurations and other devices. There should be an action plan for remediation of the risks and compliance exceptions that are identified in the risk analysis. It should be verified that the remediation efforts have taken place and any rule changes have been completed correctly, and as always, these changes should be tracked and documented.

[0:09:08] Step 6: Conduct ongoing audits. Now that the initial audit is done, we need to continue auditing to ensure that this is ongoing. Ensure that there is a process that is established and continuous for future firewall audits. In order to avoid error and manual tasks, these can be automated with analysis and reporting. All procedures need to be documented, and this is in order to create a complete audit trail for all firewall management activities. Ensure that there is a robust firewall change workflow in place to maintain compliance over time. And finally, ensure that there is an alerting system in place for significant events and activities; this includes changes to certain rules, or if a new high-severity risk is identified in the policy.

[0:09:58] Thanks for watching. I hope you've had fun learning about firewall auditing. Please leave a like and any questions down in the comment section below. Thank you.