[00:00:01] Hey everyone, welcome back to Cyber Gray Matter. In today's video we're going to be going over the basics of how to audit a firewall. This video will have six steps of the firewall auditing process, and I think you'll find a lot of these concepts helpful and correlate to all general technology fields, including the emphasis on procedures and documentation. This video won't be a deep dive into the technical details, but it goes over compliance, best practices and other security concepts. It's a good start to get an idea of what the auditing process is like. Let's jump right into it.

[00:00:33] So let's start with what a firewall even is. A firewall is a networking device and tool that manages connections between different internal or external networks. They can accept or reject connections, or even filter them, and everything is based on rules. Remember that firewalls work on the network and transport layer, so three and four of the OSI model; however, there are some firewalls that can operate on the application layer, or layer 7 of the OSI model, and these are considered smarter. They're known as next-generation firewalls. Also, please don't confuse the application layer tidbit about the next-gen firewall with a web application firewall; it's not the same thing.

[00:01:12] So what's a firewall audit? A firewall audit is a process of investigating the existing aspects of a firewall, and this can include access and connections, along with the identification of vulnerabilities and reports on any changes.

[00:01:26] So why are audits important? With all the compliance standards out and being used, firewall audits are a way to prove to regulators or business partners that an organization's network is secure. Some of these standards include things such as the Payment Card Industry Data Security Standard, or PCI DSS; the General Data Protection Regulation, GDPR; Sarbanes-Oxley, or SOX; the Health Insurance Portability and Accountability Act, HIPAA; or the California Consumer Privacy Act, or CCPA.

[00:01:58] Other than firewall audits being required, they're simply best practice. If you audit a firewall, you're likely to catch a weakness or openness within your network and security posture; this way you can adapt your policies to fit this. Doing due diligence is important in cyber security, and reviewing controls and policies will be one piece that helps protect an organization if there might be the unfortunate circumstance of a lawsuit, breach or some sort of regulatory issue that may come up. Auditing a firewall will ensure that your configuration and rules adhere to internal cyber security policies. Besides safety, a firewall audit can help improve performance by fixing the optimization of the firewall rule base, and we'll go into that a little bit later.

[00:02:43] Now let's get into the six steps of the firewall audit.

[00:02:45] Step one: collect key information. This is prior to the audit; there needs to be information gathered. During this time there needs to be visibility into the network, with software, hardware, policies and risks. In order to plan the audit you will need the following key information: copies of the relevant security policies; the firewall logs that can be compared to the firewall rule base to find which rules are being used; an accurate and updated copy of the network and the firewall topology diagrams; any previous audit documentation, including the rules, objects and policy revisions; vendor firewall information, including the OS version, latest patches and the default configuration; and finally, understanding all the critical servers and repositories within the network.

[00:03:38] Step 2: assess the change management process. The change management process starts with the request to change some sort of process or technology. It's from the beginning, with a conception, through the implementation and then to the final resolution. Change management within a firewall audit is important because there needs to be traceability of any firewall changes, and also to ensure compliance for the future. The most common problems with the change control involve issues with the documentation, such as not including or being clear why the change was needed, who authorized the changes, and poor validation of the network impact of each change.

Some requirements for the rule base change management are the following. Make sure the changes are going through the proper approval and are implemented by the authorized personnel. Changes should be tested and documented by regulatory and internal policy requirements. Each rule should be noted to include the change ID of the request and have a sign-off with the initials of the person who implemented the change. Make sure there is an expiration date for the change if one should exist. Determine whether there is a formal and controlled process in place for the request, review, approval and implementation of the firewall changes, and this process should include: business purpose for the change request; duration for the new or modified rule; assessment of the potential risk associated with the new or modified rule; formal approvals for new and modified rules; assignment to the proper administration for implementation; and verification that the change has been tested and implemented correctly. Authorization must be granted to make these changes, and any unauthorized changes should be flagged for future investigation. It should be determined whether the real-time monitoring of changes to the firewall is enabled. Authorized requesters, admins and stakeholders should be given rule change notifications.

[00:05:39] Step 3: audit the OS and physical security. Firewall audits don't just involve the rule base policies but the actual firewall itself. It's important to ensure that the firewall has both physical and software security feature verification. This involves the hardware and OS software of the firewall. It's important that there's physical security protecting the firewall and management servers, with controlled access. This ensures that only authorized personnel are permitted to access the firewall server rooms. Vendor operating system patches and updates are extremely important, and it should be verified that these are here. The operating system should also be audited to ensure that it passes common hardening checklists. The device administration procedure should also be reviewed.

[00:06:27] Step 4: declutter and improve the rule base. In order to ensure that the firewall performs at peak performance, the rule base should be decluttered and optimized. This also makes the auditing process easier and will remove the unnecessary overhead. To do this, start by deleting the rules that aren't useful, and disable expired and unused rules and objects. Delete the unused connections, and this includes source, destination and service routes that aren't in use. Find the similar rules and consolidate them into one rule. Identify and fix any issues that are over-permissive, and analyze the actual policy against firewall logs. Analyze VPN parameters in order to uncover users and groups that are unused, unattached, expired or those that are about to expire. Enforce object naming conventions. Finally, keep a record of rules, objects and policy revisions for future reference.

[00:07:27] Step 5: perform a risk assessment and fix issues. A thorough and comprehensive risk assessment will help identify any risky rules and ensure the rules are compliant with internal policies and relevant standards and regulations. This is done by prioritizing the rules by severity and based on industry standards and best practices. This is based upon company needs and risk acceptance of an organization. Things to look for: check to see if there are any rules that go against and violate your corporate security policy. Do any of the firewall rules use "any" in the source, destination, service, protocol, application or user fields with a permissive action? Do any of the rules allow risky services from your DMZ to the internal network? What about any rules that allow risky services from the internet coming inbound to sensitive servers, networks, devices and databases? It's also good to analyze firewall rules and configurations and check to see if they are complying with regulatory standards such as PCI DSS, SOX, ISO and other policies that are relevant to the organization. These might be policies for hardware, software configurations and other devices. There should be an action plan for remediation of these risks and compliance exceptions that are identified in the risk analysis. It should be verified that the remediation efforts have taken place and any rule changes have been completed correctly, and as always, these changes should be tracked and documented.

[00:09:08] Step six: conduct ongoing audits. Now that the initial audit is done, we need to continue auditing to ensure that this is ongoing. Ensure that there is a process that is established and continuous for future firewall audits. In order to avoid errors and manual tasks, these can be automated with analysis and reporting. All procedures need to be documented, and this is in order to create a complete audit trail for all firewall management activities. Ensure that there is a robust firewall change workflow in place to maintain compliance over time. And finally, ensure that there is an alerting system in place for significant events and activities. This includes changes to certain rules, or if a new high-severity risk is identified in the policy.

[00:09:58] Thanks for watching. I hope you've had fun learning about firewall auditing. Please leave a like and any questions down in the comment section below. Thank you.