WEBVTT

00:00:01.280 --> 00:00:02.960
hey everyone welcome back to Cyber Gray

00:00:02.960 --> 00:00:04.960
Matter in today's video we're going to

00:00:04.960 --> 00:00:06.720
be going over the basics of how to audit

00:00:06.720 --> 00:00:08.880
a firewall this video will have six

00:00:08.880 --> 00:00:11.200
steps of the firewall auditing process

00:00:11.200 --> 00:00:12.480
and I think you'll find a lot of these

00:00:12.480 --> 00:00:14.320
concepts helpful and correlate to all

00:00:14.320 --> 00:00:16.640
general technology fields including the

00:00:16.640 --> 00:00:19.279
emphasis on procedures and documentation

00:00:19.279 --> 00:00:21.039
this video won't be a deep dive into the

00:00:21.039 --> 00:00:22.880
technical details but it goes over

00:00:22.880 --> 00:00:25.039
compliance best practices and other

00:00:25.039 --> 00:00:26.800
security concepts

00:00:26.800 --> 00:00:28.960
it's a good start to get an idea of what

00:00:28.960 --> 00:00:31.199
the auditing process is like let's jump

00:00:31.199 --> 00:00:33.760
right into it

00:00:33.760 --> 00:00:35.760
so let's start with what a firewall even

00:00:35.760 --> 00:00:36.559
is

00:00:36.559 --> 00:00:38.320
a firewall is a networking device and

00:00:38.320 --> 00:00:40.160
tool that manages connections between

00:00:40.160 --> 00:00:42.480
different internal or external networks

00:00:42.480 --> 00:00:44.399
they can accept or reject connections or

00:00:44.399 --> 00:00:46.640
even filter them and everything is based

00:00:46.640 --> 00:00:47.920
on rules

00:00:47.920 --> 00:00:49.600
remember that firewalls work on the

00:00:49.600 --> 00:00:52.239
network and transport layer so three and

00:00:52.239 --> 00:00:54.559
four of the OSI model however there are

00:00:54.559 --> 00:00:56.079
some firewalls that can operate on the

00:00:56.079 --> 00:00:58.800
application layer or layer 7 of the OSI

00:00:58.800 --> 00:01:01.359
model and these are considered smarter

00:01:01.359 --> 00:01:02.719
they're known as next generation

00:01:02.719 --> 00:01:05.280
firewalls also please don't confuse the

00:01:05.280 --> 00:01:07.040
application layer tidbit about the

00:01:07.040 --> 00:01:09.280
next-gen firewall with a web application

00:01:09.280 --> 00:01:12.640
firewall it's not the same thing so

00:01:12.640 --> 00:01:14.960
what's a firewall audit a firewall audit

00:01:14.960 --> 00:01:16.479
is a process of investigating the

00:01:16.479 --> 00:01:18.799
existing aspects of a firewall and this

00:01:18.799 --> 00:01:20.960
can include access and connections along

00:01:20.960 --> 00:01:22.000
with the identification of

00:01:22.000 --> 00:01:23.840
vulnerabilities and reports on any

00:01:23.840 --> 00:01:26.799
changes

00:01:26.799 --> 00:01:28.880
so why are audits important

00:01:28.880 --> 00:01:30.560
with all the compliance standards out

00:01:30.560 --> 00:01:32.640
and being used firewall audits are a way

00:01:32.640 --> 00:01:34.079
to prove to regulators or business

00:01:34.079 --> 00:01:35.840
partners that an organization's network

00:01:35.840 --> 00:01:37.759
is secure some of these standards

00:01:37.759 --> 00:01:39.840
include things such as the Payment Card

00:01:39.840 --> 00:01:42.640
Industry Data Security Standard or PCI

00:01:42.640 --> 00:01:43.840
DSS

00:01:43.840 --> 00:01:46.320
the General Data Protection Regulation

00:01:46.320 --> 00:01:47.560
GDPR

00:01:47.560 --> 00:01:50.320
Sarbanes-Oxley or SOX the Health

00:01:50.320 --> 00:01:52.640
Insurance Portability and Accountability

00:01:52.640 --> 00:01:55.520
Act HIPAA or the California Consumer

00:01:55.520 --> 00:01:58.320
Privacy Act or CCPA

00:01:58.320 --> 00:01:59.840
other than firewall audits being

00:01:59.840 --> 00:02:02.799
required they're simply best practice if

00:02:02.799 --> 00:02:04.560
you audit a firewall you're likely to

00:02:04.560 --> 00:02:06.320
catch a weakness or openness within your

00:02:06.320 --> 00:02:08.878
network and security posture this way

00:02:08.878 --> 00:02:11.520
you can adapt your policies to fit this

00:02:11.520 --> 00:02:13.200
doing due diligence is important in

00:02:13.200 --> 00:02:15.680
cyber security and reviewing controls and

00:02:15.680 --> 00:02:17.680
policies will be one piece that helps

00:02:17.680 --> 00:02:19.680
protect an organization if there might

00:02:19.680 --> 00:02:21.440
be the unfortunate circumstance of a

00:02:21.440 --> 00:02:23.520
lawsuit breach or some sort of

00:02:23.520 --> 00:02:25.920
regulatory issue that may come up

00:02:25.920 --> 00:02:27.680
auditing a firewall will ensure that

00:02:27.680 --> 00:02:30.400
your configuration and rules adhere to

00:02:30.400 --> 00:02:33.280
internal cyber security policies

00:02:33.280 --> 00:02:35.680
besides safety a firewall audit can help

00:02:35.680 --> 00:02:37.840
improve performance by fixing the

00:02:37.840 --> 00:02:40.480
optimization of the firewall rule base

00:02:40.480 --> 00:02:41.920
and we'll go into that a little bit

00:02:41.920 --> 00:02:43.760
later

00:02:43.760 --> 00:02:45.280
now let's get into the six steps of the

00:02:45.280 --> 00:02:48.319
firewall audit step one collect key

00:02:48.319 --> 00:02:49.599
information

00:02:49.599 --> 00:02:51.599
this is prior to the audit there needs

00:02:51.599 --> 00:02:53.760
to be information gathered during this

00:02:53.760 --> 00:02:55.519
time there needs to be visibility into

00:02:55.519 --> 00:02:58.000
the network with software hardware

00:02:58.000 --> 00:03:00.400
policies and risks

00:03:00.400 --> 00:03:02.000
in order to plan the audit you will need

00:03:02.000 --> 00:03:04.400
the following key information

00:03:04.400 --> 00:03:07.040
copies of the relevant security policies

00:03:07.040 --> 00:03:08.879
the firewall logs that can be compared

00:03:08.879 --> 00:03:10.879
to the firewall rule base to find which

00:03:10.879 --> 00:03:12.720
rules are being used

00:03:12.720 --> 00:03:14.560
an accurate and updated copy of the

00:03:14.560 --> 00:03:16.400
network and the firewall topology

00:03:16.400 --> 00:03:18.000
diagrams

00:03:18.000 --> 00:03:20.159
any previous audit documentation

00:03:20.159 --> 00:03:22.800
including the rules objects and policy

00:03:22.800 --> 00:03:24.560
revisions

00:03:24.560 --> 00:03:27.040
vendor firewall information including

00:03:27.040 --> 00:03:29.920
the OS version latest patches and the

00:03:29.920 --> 00:03:32.239
default configuration

00:03:32.239 --> 00:03:34.319
and finally understanding all the

00:03:34.319 --> 00:03:36.560
critical servers and repositories within

00:03:36.560 --> 00:03:38.799
the network

00:03:38.799 --> 00:03:40.239
step 2

00:03:40.239 --> 00:03:43.040
assess the change management process

00:03:43.040 --> 00:03:44.879
the change management process starts

00:03:44.879 --> 00:03:46.480
with the request to change some sort of

00:03:46.480 --> 00:03:48.319
process or technology

00:03:48.319 --> 00:03:49.599
it's from the beginning with a

00:03:49.599 --> 00:03:51.599
conception through the implementation

00:03:51.599 --> 00:03:54.239
and then to the final resolution

00:03:54.239 --> 00:03:55.840
change management within a firewall

00:03:55.840 --> 00:03:57.519
audit is important because there needs

00:03:57.519 --> 00:03:59.280
to be traceability of any firewall

00:03:59.280 --> 00:04:01.680
changes and also ensure compliance for

00:04:01.680 --> 00:04:03.040
the future

00:04:03.040 --> 00:04:04.959
the most common problems with the change

00:04:04.959 --> 00:04:06.560
control involve issues with the

00:04:06.560 --> 00:04:09.120
documentation such as not including or

00:04:09.120 --> 00:04:11.200
being clear why the change was needed

00:04:11.200 --> 00:04:13.200
who authorized the changes and poor

00:04:13.200 --> 00:04:15.599
validation of the network impact of each

00:04:15.599 --> 00:04:17.839
change

00:04:17.839 --> 00:04:19.358
some requirements for the rule-based

00:04:19.358 --> 00:04:22.240
change management are the following

00:04:22.240 --> 00:04:23.600
make sure the changes are going through

00:04:23.600 --> 00:04:25.600
the proper approval and are implemented

00:04:25.600 --> 00:04:28.240
by the authorized personnel

00:04:28.240 --> 00:04:30.160
changes should be tested and documented

00:04:30.160 --> 00:04:32.160
by regulatory and internal policy

00:04:32.160 --> 00:04:33.840
requirements

00:04:33.840 --> 00:04:35.759
each rule should be noted to include the

00:04:35.759 --> 00:04:38.400
change ID of the request and have a sign

00:04:38.400 --> 00:04:40.160
off with the initials of the person who

00:04:40.160 --> 00:04:42.880
implemented the change make sure there

00:04:42.880 --> 00:04:45.199
is an expiration date for the change if

00:04:45.199 --> 00:04:47.520
one should exist

00:04:47.520 --> 00:04:49.360
determine whether there is a formal and

00:04:49.360 --> 00:04:51.120
controlled process in place for the

00:04:51.120 --> 00:04:53.280
request review approval and

00:04:53.280 --> 00:04:55.840
implementation of the firewall changes

00:04:55.840 --> 00:04:57.840
and this process should include business

00:04:57.840 --> 00:05:00.320
purpose for the change request duration

00:05:00.320 --> 00:05:02.240
for the new or modified rule

00:05:02.240 --> 00:05:03.840
assessment of the potential risk

00:05:03.840 --> 00:05:06.560
associated with the new or modified rule

00:05:06.560 --> 00:05:09.199
formal approvals for new and modified

00:05:09.199 --> 00:05:11.120
rules assignment to the proper

00:05:11.120 --> 00:05:13.360
administrator for implementation

00:05:13.360 --> 00:05:15.120
verification that the change has been

00:05:15.120 --> 00:05:18.160
tested and implemented correctly

00:05:18.160 --> 00:05:20.000
authorization must be granted to make

00:05:20.000 --> 00:05:22.160
these changes and any unauthorized

00:05:22.160 --> 00:05:24.240
changes should be flagged for future

00:05:24.240 --> 00:05:26.000
investigation

00:05:26.000 --> 00:05:27.440
it should be determined whether the

00:05:27.440 --> 00:05:29.520
real-time monitoring of changes to the

00:05:29.520 --> 00:05:31.199
firewall is enabled

00:05:31.199 --> 00:05:33.199
authorized requesters admins and

00:05:33.199 --> 00:05:35.440
stakeholders should be given rule change

00:05:35.440 --> 00:05:38.440
notifications

00:05:39.120 --> 00:05:41.440
step 3 audit the OS and physical

00:05:41.440 --> 00:05:43.039
security

00:05:43.039 --> 00:05:44.639
firewall audits don't just involve the

00:05:44.639 --> 00:05:46.639
rule-based policies but the actual

00:05:46.639 --> 00:05:48.240
firewall itself

00:05:48.240 --> 00:05:49.600
it's important to ensure that the

00:05:49.600 --> 00:05:52.080
firewall has both physical and software

00:05:52.080 --> 00:05:54.320
security feature verification

00:05:54.320 --> 00:05:56.160
this involves the hardware and OS

00:05:56.160 --> 00:05:58.639
software of the firewall

00:05:58.639 --> 00:06:00.319
it's important that there's physical

00:06:00.319 --> 00:06:02.240
security protecting the firewall and

00:06:02.240 --> 00:06:04.080
management servers with controlled

00:06:04.080 --> 00:06:05.199
access

00:06:05.199 --> 00:06:06.720
this ensures that only authorized

00:06:06.720 --> 00:06:08.639
personnel are permitted to access the

00:06:08.639 --> 00:06:11.280
firewall server rooms

00:06:11.280 --> 00:06:12.960
vendor operating system patches and

00:06:12.960 --> 00:06:14.800
updates are extremely important and it

00:06:14.800 --> 00:06:16.960
should be verified that these are here

00:06:16.960 --> 00:06:18.479
the operating system should also be

00:06:18.479 --> 00:06:20.400
audited to ensure that it passes common

00:06:20.400 --> 00:06:22.639
hardening checklists

00:06:22.639 --> 00:06:24.560
the device administration procedure

00:06:24.560 --> 00:06:27.759
should also be reviewed

00:06:27.759 --> 00:06:28.960
step 4

00:06:28.960 --> 00:06:31.840
declutter and improve the rule base

00:06:31.840 --> 00:06:33.520
in order to ensure that the firewall

00:06:33.520 --> 00:06:35.600
performs at peak performance the rule

00:06:35.600 --> 00:06:38.000
base should be decluttered and optimized

00:06:38.000 --> 00:06:39.759
this also makes the auditing process

00:06:39.759 --> 00:06:41.759
easier and will remove the unnecessary

00:06:41.759 --> 00:06:43.360
overhead

00:06:43.360 --> 00:06:45.120
to do this start by

00:06:45.120 --> 00:06:46.720
deleting the rules that aren't useful

00:06:46.720 --> 00:06:48.960
and disable expired and unused rules and

00:06:48.960 --> 00:06:50.560
objects

00:06:50.560 --> 00:06:52.479
delete the unused connections and this

00:06:52.479 --> 00:06:55.280
includes source destination and service

00:06:55.280 --> 00:06:57.199
routes that aren't in use

00:06:57.199 --> 00:06:59.039
find the similar rules and consolidate

00:06:59.039 --> 00:07:00.800
them into one rule

00:07:00.800 --> 00:07:02.639
identify and fix any issues that are

00:07:02.639 --> 00:07:04.720
over permissive and analyze the actual

00:07:04.720 --> 00:07:07.440
policy against firewall logs

00:07:07.440 --> 00:07:09.919
analyze VPN parameters in order to

00:07:09.919 --> 00:07:12.479
uncover users and groups that are unused

00:07:12.479 --> 00:07:14.800
unattached expired or those that are

00:07:14.800 --> 00:07:16.800
about to expire

00:07:16.800 --> 00:07:20.080
enforce object naming conventions

00:07:20.080 --> 00:07:22.639
finally keep a record of rules objects

00:07:22.639 --> 00:07:24.400
and policy revisions for future

00:07:24.400 --> 00:07:26.880
reference

00:07:27.280 --> 00:07:28.720
step 5

00:07:28.720 --> 00:07:31.919
perform a risk assessment and fix issues

00:07:31.919 --> 00:07:33.440
a thorough and comprehensive risk

00:07:33.440 --> 00:07:35.520
assessment will help identify any risky

00:07:35.520 --> 00:07:37.280
rules and ensure the rules are

00:07:37.280 --> 00:07:39.039
compliant with internal policies and

00:07:39.039 --> 00:07:41.520
relevant standards and regulations

00:07:41.520 --> 00:07:43.599
this is done by prioritizing the rules

00:07:43.599 --> 00:07:45.759
by severity and based on industry

00:07:45.759 --> 00:07:48.000
standards and best practices

00:07:48.000 --> 00:07:50.319
this is based upon company needs and

00:07:50.319 --> 00:07:53.919
risk acceptance of an organization

00:07:53.919 --> 00:07:55.759
things to look for

00:07:55.759 --> 00:07:57.039
check to see if there are any rules that

00:07:57.039 --> 00:07:58.879
go against and violate your corporate

00:07:58.879 --> 00:08:01.199
security policy

00:08:01.199 --> 00:08:03.360
do any of the firewall rules use ANY in

00:08:03.360 --> 00:08:06.080
the source destination service protocol

00:08:06.080 --> 00:08:08.639
application or user fields with a

00:08:08.639 --> 00:08:11.039
permissive action

00:08:11.039 --> 00:08:13.360
do any of the rules allow risky services

00:08:13.360 --> 00:08:16.160
from your DMZ to the internal network

00:08:16.160 --> 00:08:18.080
what about any rules that allow risky

00:08:18.080 --> 00:08:20.000
services from the internet coming

00:08:20.000 --> 00:08:22.479
inbound to sensitive servers networks

00:08:22.479 --> 00:08:26.080
devices and databases

00:08:26.080 --> 00:08:28.080
it's also good to analyze firewall rules

00:08:28.080 --> 00:08:30.319
and configurations and check to see if

00:08:30.319 --> 00:08:32.399
they are complying with regulatory

00:08:32.399 --> 00:08:33.440
standards

00:08:33.440 --> 00:08:37.519
such as PCI DSS SOX ISO and other

00:08:37.519 --> 00:08:38.958
policies that are relevant to the

00:08:38.958 --> 00:08:40.399
organization

00:08:40.399 --> 00:08:42.479
these might be policies for hardware

00:08:42.479 --> 00:08:44.240
software configurations and other

00:08:44.240 --> 00:08:46.160
devices

00:08:46.160 --> 00:08:47.680
there should be an action plan for

00:08:47.680 --> 00:08:49.680
remediation of these risks and

00:08:49.680 --> 00:08:51.279
compliance exceptions that are

00:08:51.279 --> 00:08:54.160
identified in the risk analysis it

00:08:54.160 --> 00:08:56.080
should be verified that the remediation

00:08:56.080 --> 00:08:58.399
efforts have taken place and any rule

00:08:58.399 --> 00:09:01.920
changes have been completed correctly

00:09:01.920 --> 00:09:03.839
and as always these changes should be

00:09:03.839 --> 00:09:07.399
tracked and documented

00:09:08.399 --> 00:09:11.839
step six conduct ongoing audits

00:09:11.839 --> 00:09:13.760
now that the initial audit is done we

00:09:13.760 --> 00:09:15.519
need to continue auditing to ensure that

00:09:15.519 --> 00:09:17.440
this is ongoing

00:09:17.440 --> 00:09:19.120
ensure that there is a process that is

00:09:19.120 --> 00:09:21.279
established and continuous for future

00:09:21.279 --> 00:09:23.279
firewall audits

00:09:23.279 --> 00:09:25.760
in order to avoid error in manual tasks

00:09:25.760 --> 00:09:27.519
these can be automated with analysis and

00:09:27.519 --> 00:09:28.959
reporting

00:09:28.959 --> 00:09:31.519
all procedures need to be documented

00:09:31.519 --> 00:09:32.880
and this is in order to create a

00:09:32.880 --> 00:09:35.040
complete audit trail for all firewall

00:09:35.040 --> 00:09:37.440
management activities

00:09:37.440 --> 00:09:39.440
ensure that there is a robust firewall

00:09:39.440 --> 00:09:41.440
change workflow in place to maintain

00:09:41.440 --> 00:09:43.440
compliance over time

00:09:43.440 --> 00:09:45.200
and finally ensure that there is an

00:09:45.200 --> 00:09:47.200
alerting system in place for significant

00:09:47.200 --> 00:09:48.880
events and activities

00:09:48.880 --> 00:09:51.279
this includes changes to certain rules

00:09:51.279 --> 00:09:53.279
or if a new high severity risk is

00:09:53.279 --> 00:09:56.800
identified in the policy

00:09:58.160 --> 00:10:00.000
thanks for watching I hope you've had

00:10:00.000 --> 00:10:02.560
fun learning about firewall auditing

00:10:02.560 --> 00:10:04.079
please leave a like and any questions

00:10:04.079 --> 00:10:08.920
down in the comment section below thanks

00:10:21.040 --> 00:10:23.120
you