Hey everyone, welcome back to Cyber Gray Matter. In today's video we're going to be going over the basics of how to audit a firewall. This video will have six steps of the firewall auditing process, and I think you'll find a lot of these concepts helpful and applicable to all general technology fields, including the emphasis on procedures and documentation. This video won't be a deep dive into the technical details, but it goes over compliance, best practices and other security concepts. It's a good start to get an idea of what the auditing process is like. Let's jump right into it.

So let's start with what a firewall even is. A firewall is a networking device and tool that manages connections between different internal or external networks. They can accept or reject connections, or even filter them, and everything is based on rules. Remember that firewalls work on the network and transport layers, so layers 3 and 4 of the OSI model. However, there are some firewalls that can operate on the application layer, or layer 7 of the OSI model, and these are considered smarter; they're known as next-generation firewalls. Also, please don't confuse the application-layer tidbit about the next-gen firewall with a web application firewall; it's not the same thing.

So what's a firewall audit? A firewall audit is a process of investigating the existing aspects of a firewall, and this can include access and connections, along with the identification of vulnerabilities and reports on any changes.

So why are audits important? With all the compliance standards out and being used, firewall audits are a way to prove to regulators or business partners that an organization's network is secure. Some of these standards include things such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA). Other than firewall audits being required, they're simply best practice. If you audit a firewall, you're likely to catch a weakness or openness within your network and security posture, and this way you can adapt your policies to fit. Doing due diligence is important in cyber security, and reviewing controls and policies will be one piece that helps protect an organization if there might be the unfortunate circumstance of a lawsuit, breach or some sort of regulatory issue that may come up. Auditing a firewall will ensure that your configuration and rules adhere to internal cyber security policies. Besides safety, a firewall audit can help improve performance by fixing the optimization of the firewall rule base, and we'll go into that a little bit later.

Now let's get into the six steps of the firewall audit.

Step 1: collect key information. This is prior to the audit; there needs to be information gathered during this time. There needs to be visibility into the network, with software, hardware, policies and risks, in order to plan the audit. You will need the following key information: copies of the relevant security policies; the firewall logs, which can be compared to the firewall rule base to find which rules are being used; an accurate and updated copy of the network and firewall topology diagrams; any previous audit documentation, including the rules, objects and policy revisions; vendor firewall information, including the OS version, latest patches and the default configuration; and finally, an understanding of all the critical servers and repositories within the network.

Step 2: assess the change management process. The change management process starts with the request to change some sort of process or technology. It runs from the beginning, with conception, through the implementation and then to the final resolution. Change management within a firewall audit is important because there needs to be traceability of any firewall changes, and it also ensures compliance for the future. The most common problems with change control involve issues with the documentation, such as not including or being clear about why the change was needed, who authorized the changes, and poor validation of the network impact of each change. Some requirements for rule base change management are the following: make sure the changes are going through the proper approval and are implemented by the authorized personnel; changes should be tested and documented per regulatory and internal policy requirements; each rule should be noted to include the change ID of the request and have a sign-off with the initials of the person who implemented the change; make sure there is an expiration date for the change if one should exist. Determine whether there is a formal and controlled process in place for the request, review, approval and implementation of the firewall changes, and this process should include: the business purpose for the change request; the requested duration of the new or modified rule; an assessment of the potential risk associated with the new or modified rule; formal approvals for new and modified rules; assignment to the proper administrator for implementation; and verification that the change has been tested and implemented correctly. Authorization must be granted to make these changes, and any unauthorized changes should be flagged for future investigation. It should be determined whether real-time monitoring of changes to the firewall is enabled, and authorized requesters, admins and stakeholders should be given rule change notifications.

Step 3: audit the OS and physical security. Firewall audits don't just involve the rule base policies but the actual firewall itself. It's important to ensure that the firewall has both physical and software security feature verification; this involves the hardware and OS software of the firewall. It's important that there's physical security protecting the firewall and management servers, with controlled access. This ensures that only authorized personnel are permitted to access the firewall server rooms. Vendor operating system patches and updates are extremely important, and it should be verified that these are in place. The operating system should also be audited to ensure that it passes common hardening checklists, and the device administration procedure should also be reviewed.

Step 4: declutter and improve the rule base. In order to ensure that the firewall performs at peak performance, the rule base should be decluttered and optimized. This also makes the auditing process easier and will remove unnecessary overhead. To do this, start by deleting the rules that aren't useful, and disable expired and unused rules and objects. Delete the unused connections, and this includes source, destination and service routes that aren't in use. Find the similar rules and consolidate them into one rule. Identify and fix any issues that are over-permissive, and analyze the actual policy against the firewall logs. Analyze VPN parameters in order to uncover users and groups that are unused, unattached, expired or about to expire. Enforce object naming conventions. Finally, keep a record of rules, objects and policy revisions for future reference.

Step 5: perform a risk assessment and fix issues. A thorough and comprehensive risk assessment will help identify any risky rules and ensure the rules are compliant with internal policies and relevant standards and regulations. This is done by prioritizing the rules by severity, based on industry standards and best practices, and based upon the company needs and risk acceptance of an organization. Things to look for: check to see if there are any rules that go against and violate your corporate security policy. Do any of the firewall rules use "any" in the source, destination, service, protocol, application or user fields with a permissive action? Do any of the rules allow risky services from your DMZ to the internal network? What about any rules that allow risky services from the internet coming inbound to sensitive servers, networks, devices and databases? It's also good to analyze firewall rules and configurations and check whether they comply with regulatory standards such as PCI DSS, SOX, ISO and other policies that are relevant to the organization; these might be policies for hardware, software configurations and other devices. There should be an action plan for remediation of the risks and compliance exceptions that are identified in the risk analysis. It should be verified that the remediation efforts have taken place and any rule changes have been completed correctly, and, as always, these changes should be tracked and documented.

Step 6: conduct ongoing audits. Now that the initial audit is done, we need to continue auditing to ensure that this is ongoing. Ensure that there is a process that is established and continuous for future firewall audits. In order to avoid error and manual tasks, these can be automated with analysis and reporting. All procedures need to be documented, and this is in order to create a complete audit trail for all firewall management activities. Ensure that there is a robust firewall change workflow in place to maintain compliance over time. And finally, ensure that there is an alerting system in place for significant events and activities; this includes changes to certain rules, or if a new high-severity risk is identified in the policy.

Thanks for watching. I hope you've had fun learning about firewall auditing. Please leave a like and any questions down in the comment section below. Thank you.
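As an added example (not from the video or any firewall vendor), the script below runs the step 4 and step 5 checks against a constructed rule base and constructed log lines: rules with no log hits, expired rules, "any" with an allow action, risky services inbound from the internet or DMZ, rules missing a change ID, and duplicate rules to consolidate. The rule fields, the log format and the risky-service list are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import date

TODAY = date(2024, 5, 1)                      # audit date, constructed
RISKY_SERVICES = {"telnet", "ftp", "smb"}     # example list, an assumption

def rule(rid, src, dst, svc, action, expires=None, change_id=None):
    """Build one rule record; field names are assumptions for this example."""
    return {"id": rid, "src": src, "dst": dst, "svc": svc, "action": action,
            "expires": expires, "change_id": change_id}

# Constructed rule base: zones are used for source/destination.
RULES = [
    rule("R1", "internal", "internet", "https", "allow", change_id="CHG-101"),
    rule("R2", "any", "any", "any", "allow"),                       # no change ID
    rule("R3", "internet", "dmz-web", "telnet", "allow", date(2023, 1, 31), "CHG-077"),
    rule("R4", "dmz-web", "db-server", "sql", "allow", change_id="CHG-090"),
    rule("R5", "internal", "internet", "https", "allow", change_id="CHG-120"),
    rule("R6", "any", "any", "any", "deny", change_id="CHG-001"),   # cleanup deny
]

# Constructed log lines in a made-up "rule=<id>" format.
LOGS = """\
2024-05-01T10:00:01 rule=R1 src=10.0.1.5 dst=93.184.216.34 svc=https allow
2024-05-01T10:00:07 rule=R1 src=10.0.1.9 dst=93.184.216.34 svc=https allow
2024-05-01T10:01:12 rule=R4 src=172.16.0.4 dst=10.0.5.10 svc=sql allow
2024-05-01T10:02:40 rule=R6 src=198.51.100.7 dst=10.0.1.5 svc=ssh deny
"""

def rule_hits(log_text):
    """Count log hits per rule id: the log-versus-rule-base comparison from step 1."""
    return Counter(re.findall(r"\brule=(\S+)", log_text))

def audit(rules, log_text, today=TODAY):
    """Return the step 4/5 findings keyed by category, each a list of rule ids."""
    hits = rule_hits(log_text)
    f = {"unused": [], "expired": [], "permissive": [], "risky": [],
         "undocumented": [], "duplicates": []}
    seen = {}                                  # (src, dst, svc, action) -> first rule id
    for r in rules:
        if hits[r["id"]] == 0:
            f["unused"].append(r["id"])        # candidate to disable, then delete
        if r["expires"] and r["expires"] < today:
            f["expired"].append(r["id"])
        if r["action"] == "allow" and "any" in (r["src"], r["dst"], r["svc"]):
            f["permissive"].append(r["id"])    # "any" with a permissive action
        if r["action"] == "allow" and r["svc"] in RISKY_SERVICES and \
                (r["src"] == "internet" or r["src"].startswith("dmz")):
            f["risky"].append(r["id"])         # risky service inbound from internet/DMZ
        if not r["change_id"]:
            f["undocumented"].append(r["id"])  # no traceable change request
        key = (r["src"], r["dst"], r["svc"], r["action"])
        f["duplicates"].append((seen[key], r["id"])) if key in seen else seen.setdefault(key, r["id"])
    return f

def run_audit():
    return audit(RULES, LOGS)
```

Each finding still needs a human decision and a documented change request before anything is disabled or deleted, as step 2 requires.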