Hey, everyone. Welcome back to Cyber Gray
Matter. In today's video, we're going to
be going over the basics of how to audit
a firewall. This video covers the six
steps of the firewall auditing process,
and I think you'll find that many of these
concepts, especially the emphasis on
procedures and documentation, carry over
to technology fields in general.
This video won't be a deep dive into the
technical details, but it goes over
compliance, best practices, and other
security concepts.
It's a good start to get an idea of what
the auditing process is like. Let's jump
right into it.
So, let's start with what a firewall even
is.
A firewall is a networking device or
tool that controls connections between
networks, whether internal or external.
It accepts, rejects, or filters traffic,
and every decision is based on rules.
Remember that traditional packet-filtering
and stateful firewalls work at the network
and transport layers, so layers three and
four of the OSI model. However, some
firewalls can also inspect the application
layer, layer seven of the OSI model, and
these are considered smarter. They're
known as next-generation firewalls. Also,
please don't confuse the application-layer
inspection of a next-gen firewall with a
web application firewall, which is built
specifically to protect web applications
and their HTTP traffic. It's not the same thing. So,
what's a firewall audit? A firewall audit
is the process of reviewing the current
state of a firewall: who has access to
it, which connections it allows, which
weaknesses exist in its configuration
and rule base, and which changes have
been made to it.
So, why are audits important?
With all the compliance standards out
and being used, firewall audits are a way
to prove to regulators or business
partners that an organization's network
is secure. Some of these standards
include things such as the Payment Card
Industry Data Security Standard (PCI DSS),
the General Data Protection Regulation
(GDPR),
Sarbanes-Oxley (SOX), the Health
Insurance Portability and Accountability
Act (HIPAA), or the California Consumer
Privacy Act (CCPA).
Beyond firewall audits being required,
they're simply best practice. If you
audit a firewall, you're likely to catch
a weakness or an unnecessary opening in
your network and security posture, and
then you can adapt your policies to close it.
Doing due diligence is important in
cybersecurity, and reviewing controls and
policies is one piece that helps protect
an organization if the unfortunate
circumstance of a lawsuit, a breach, or
some sort of regulatory issue comes up.
Auditing a firewall also ensures that
your configuration and rules adhere to
internal cybersecurity policies.
Besides security, a firewall audit can
help improve performance by optimizing
the firewall rule base, and we'll go into
that a little bit later.
Now, let's get into the six steps of the
firewall audit. Step 1: Collect Key
Information
This happens prior to the audit. Information
needs to be gathered so that you have
visibility into the network: its software,
hardware, policies, and risks.
In order to plan the audit, you will need
the following key information:
Copies of the relevant security policies,
the firewall logs that can be compared
to the firewall rule base to find which
rules are being used,
an accurate and updated copy of the
network and the firewall topology
diagrams,
any previous audit documentation,
including the rules, objects, and policy
revisions,
vendor firewall information, including
the OS version, latest patches, and the
default configuration,
and finally, understanding all the
critical servers and repositories within
the network.
Step 2:
Assess the Change Management Process
The change management process starts
with the request to change some sort of
process or technology.
It's from the beginning with a
conception, through the implementation,
and then to the final resolution.
Change management within a firewall
audit is important because there needs
to be traceability of any firewall
changes and also ensure compliance for
the future.
The most common problems with the change
control involve issues with the
documentation, such as not including or
being clear why the change was needed,
who authorized the changes, and poor
validation of the network impact of each
change.
Some requirements for rule base
change management are the following:
Make sure the changes are going through
the proper approval and are implemented
by the authorized personnel,
changes should be tested and documented
as required by regulatory and internal
policy requirements,
each rule should be noted to include the
change ID of the request and have a sign-off
with the initials of the person who
implemented the change, make sure there
is an expiration date for the change, if
one should exist,
determine whether there is a formal and
controlled process in place for the
request, review, approval, and
implementation of the firewall changes.
And this process should include the business
purpose of the change request, the duration
of the new or modified rule (an expiration
date, where one applies), an assessment of
the potential risk associated with the new
or modified rules, formal approval for new
and modified rules, assignment to the proper
administrator for implementation, and
verification that the change has been
tested and implemented correctly.
Authorization must be granted to make
these changes, and any unauthorized
changes should be flagged for future
investigation.
It should be determined whether
real-time monitoring of changes to the
firewall is enabled.
Authorized requesters, admins, and
stakeholders should be given rule change
notifications.
Step 3: Audit the OS and Physical
Security
Firewall audits don't just involve the
rule base, but the actual firewall
itself.
It's important to verify both the physical
security and the software security of
the firewall, meaning its hardware and
its operating system.
It's important that there's physical
security protecting the firewall and
management servers with controlled
access.
This ensures that only authorized
personnel are permitted to access the
firewall server rooms.
Vendor operating system patches and
updates are extremely important, and it
should be verified that they have been applied.
The operating system should also be
audited to ensure that it passes common
hardening checklists.
The device administration procedure
should also be reviewed.
Step 4:
Declutter and Improve the Rule Base
In order to ensure that the firewall
performs at peak performance, the rule
base should be decluttered and optimized.
This also makes the auditing process
easier and will remove the unnecessary
overhead.
To do this, start by
deleting the rules that aren't useful
and disable expired and unused rules and
objects.
Delete the unused connections, and this
includes source, destination, and service
routes that aren't in use.
Find the similar rules and consolidate
them into one rule.
Identify and fix any rules that are
over-permissive by analyzing the actual
policy usage against the firewall logs.
Analyze VPN parameters in order to
uncover users and groups that are unused,
unattached, expired, or those that are
about to expire.
Enforce object naming conventions.
Finally, keep a record of rules, objects,
and policy revisions for future
reference.
Step 5:
Perform a Risk Assessment and Fix Issues
A thorough and comprehensive risk
assessment will help identify any risky
rules and ensure the rules are
compliant with internal policies and
relevant standards and regulations.
This is done by prioritizing the rules
by severity, based on industry standards
and best practices, and on the company's
own needs and the risk acceptance of the
organization.
Things to look for:
Check to see if any rules go against or
violate your corporate security policy.
Do any of the firewall rules use ANY in
the source, destination, service or
protocol, application, or user fields
together with a permissive action?
Do any of the rules allow risky services
for your DMZ to the internal network?
What about any rules that allow risky
services from the internet coming
inbound to sensitive servers, networks,
devices, and databases?
It's also good to analyze firewall rules
and configurations and check whether
they comply with regulatory standards
such as PCI DSS, SOX, ISO, and other
policies that are relevant to the
organization.
These might be policies for hardware,
software configurations, and other
devices.
There should be an action plan for
remediation of these risks and
compliance exceptions that are
identified in the risk analysis. It
should be verified that the remediation
efforts have taken place and any rule
changes have been completed correctly.
And, as always, these changes should be
tracked and documented.
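Here's an added example that works through Step 4 and Step 5 together, since both are really the same exercise: hold the rule base next to the hit logs and the zone map, and ask what each rule actually does. This is not code from the video; it's a vendor-neutral script I wrote for illustration. The rule base, the hit log, the zone ranges (an internal /8, a DMZ /16, a "sensitive" database /24), the risky-service list, and the "CHG-nnn initials" comment convention are all constructed assumptions; on a real firewall you would export the policy and pull the hit counts from the vendor's logs or API and map them into the same fields.

```python
# Added example: rule base hygiene (Step 4) and risk review (Step 5) over constructed data.
from collections import Counter
from datetime import date
import ipaddress
import re

# Constructed rule base in top-down match order (field names are assumptions).
# Columns: id, src, dst, service, action, expires, comment
RULE_BASE = """\
10,any,any,icmp,permit,,CHG-101 jd
20,10.0.0.0/8,10.20.0.5/32,tcp/443,permit,,CHG-102 jd
30,10.0.0.0/8,10.20.0.5/32,tcp/443,permit,,CHG-103 ab
40,0.0.0.0/0,10.20.0.10/32,tcp/3389,permit,,CHG-104 ab
50,172.16.0.0/16,10.20.0.0/24,tcp/445,permit,2023-01-31,CHG-105 jd
60,10.0.1.0/24,192.168.5.0/24,tcp/22,permit,,
70,any,any,any,deny,,CHG-100 jd
"""

# Constructed syslog-style hit log for the audit window; only "rule=N" is parsed.
HIT_LOG = """\
2024-05-01T10:00:01 fw1 ACCEPT rule=20 src=10.1.2.3 dst=10.20.0.5 dport=443
2024-05-01T10:00:02 fw1 ACCEPT rule=20 src=10.1.2.4 dst=10.20.0.5 dport=443
2024-05-01T10:00:03 fw1 ACCEPT rule=40 src=203.0.113.9 dst=10.20.0.10 dport=3389
2024-05-01T10:00:04 fw1 DROP rule=70 src=198.51.100.7 dst=10.20.0.5 dport=23
"""

# Assumed zones, an assumed database segment, and the services the policy calls risky.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("172.16.0.0/16")
SENSITIVE = ipaddress.ip_network("10.20.0.0/24")
RISKY_SERVICES = {"tcp/23", "tcp/445", "tcp/3389", "tcp/1433", "tcp/3306"}
CHANGE_RECORD = re.compile(r"CHG-\d+ [a-z]{2,3}$")  # assumed convention: change ID + initials

def is_any(value):
    return value in ("any", "0.0.0.0/0")

def net(value):
    return None if is_any(value) else ipaddress.ip_network(value, strict=False)

def parse_rules(text):
    keys = ("id", "src", "dst", "svc", "action", "expires", "comment")
    return [dict(zip(keys, line.split(",", 6))) for line in text.strip().splitlines()]

def hit_counts(log_text):
    return Counter(re.findall(r"\brule=(\d+)", log_text))

def field_covers(broad, narrow):
    """True if every address `narrow` matches is also matched by `broad`."""
    return is_any(broad) or (not is_any(narrow) and net(narrow).subnet_of(net(broad)))

def covers(broad, narrow):
    """True if a packet that would hit `narrow` has already matched `broad` above it."""
    return (broad["svc"] in ("any", narrow["svc"]) and field_covers(broad["src"], narrow["src"])
            and field_covers(broad["dst"], narrow["dst"]))

def hygiene_findings(rules, hits, today):
    """Step 4: unused, expired, undocumented, and never-reached rules."""
    out = []
    for i, r in enumerate(rules):
        if r["id"] not in hits:
            out.append((r["id"], "unused", "no hits in the log window"))
        if r["expires"] and date.fromisoformat(r["expires"]) < today:
            out.append((r["id"], "expired", r["expires"]))
        if not CHANGE_RECORD.search(r["comment"]):
            out.append((r["id"], "no-change-record", "missing change ID / initials"))
        for earlier in rules[:i]:  # top-down: an earlier covering rule always wins
            if covers(earlier, r):
                kind = "redundant" if earlier["action"] == r["action"] else "shadowed"
                out.append((r["id"], kind, f"never reached; rule {earlier['id']} matches first"))
                break
    return out

def risk_findings(rules):
    """Step 5: ANY with a permissive action, and risky services crossing zone boundaries."""
    out = []
    for r in rules:
        if r["action"] != "permit":
            continue
        anys = [f for f in ("src", "dst", "svc") if is_any(r[f])]
        if anys:
            out.append((r["id"], "high" if len(anys) > 1 else "medium", "ANY in " + ", ".join(anys)))
        src, dst = net(r["src"]), net(r["dst"])
        risky = is_any(r["svc"]) or r["svc"] in RISKY_SERVICES
        to_sensitive = dst is None or dst.subnet_of(SENSITIVE) or SENSITIVE.subnet_of(dst)
        from_dmz = src is not None and src.subnet_of(DMZ)
        from_internet = src is None or not (src.subnet_of(INTERNAL) or src.subnet_of(DMZ))
        if risky and to_sensitive and from_internet:
            out.append((r["id"], "high", f"internet -> sensitive segment on {r['svc']}"))
        elif risky and to_sensitive and from_dmz:
            out.append((r["id"], "high", f"DMZ -> internal segment on {r['svc']}"))
    return out

def audit(rule_text=RULE_BASE, log_text=HIT_LOG, today=date(2024, 5, 1)):
    rules = parse_rules(rule_text)
    return hygiene_findings(rules, hit_counts(log_text), today), risk_findings(rules)

if __name__ == "__main__":
    hygiene, risk = audit()
    for rid, kind, why in hygiene + risk:
        print(f"rule {rid:<3} {kind:<17} {why}")
```

On the constructed data this flags rule 30 as redundant with rule 20 (a consolidation candidate), rule 50 as both unused and past its expiration date, rule 60 as missing its change record, rule 40 as an internet-to-database RDP permit, and rule 50 as SMB from the DMZ into the database segment. Note that the "unused" check is only as good as the log window you feed it; a rule that exists for a quarterly job will look unused in a one-week sample, so confirm against the rule's documented purpose before deleting it.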
Step 6: Conduct Ongoing Audits
Now that the initial audit is done,
auditing needs to continue on an
ongoing basis.
Ensure that there is a process that is
established and continuous for future
firewall audits.
In order to avoid errors and manual tasks,
these can be automated with analysis and
reporting.
All procedures need to be documented
and this is in order to create a
complete audit trail for all firewall
management activities.
Ensure that there is a robust firewall
change workflow in place to maintain
compliance over time.
And finally, ensure that there is an
alerting system in place for significant
events and activities.
This includes changes to certain rules
or if a new high-severity risk is
identified in the policy.
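As an added example of the monitoring and alerting side of Steps 2 and 6, here's a small change monitor I wrote for illustration (not code from the video). It diffs two snapshots of the rule base, ties every change back to the approved change tickets from the change management process, and rates each change so that an unauthorized change, a change to a watched rule, or a new permit with ANY in it raises a high-severity alert. The snapshots, the ticket map, and the watch list are constructed assumptions; in practice the snapshots would come from scheduled config exports or the vendor's change log, and the ticket map from your change management system.

```python
# Added example: diff two rule base snapshots, tie changes to tickets, and rate them.

# Constructed snapshots of the rule base, one rule per line: id,src,dst,service,action
BEFORE = """\
20,10.0.0.0/8,10.20.0.5/32,tcp/443,permit
40,10.0.0.0/8,10.20.0.10/32,tcp/3389,permit
50,172.16.0.0/16,10.20.0.0/24,tcp/445,permit
70,any,any,any,deny
"""
AFTER = """\
20,10.0.0.0/8,10.20.0.5/32,tcp/443,permit
40,any,10.20.0.10/32,tcp/3389,permit
60,10.0.1.0/24,192.168.5.0/24,tcp/22,permit
70,any,any,any,deny
"""

# Constructed approved change records (rule id -> ticket) from the change process,
# and an assumed watch list of rules that should always raise a high-severity alert.
APPROVED = {"50": "CHG-110", "60": "CHG-111"}
WATCHED = {"40", "70"}

def load(snapshot):
    """Map rule id -> full rule line so changes can be compared per rule."""
    return {line.split(",", 1)[0]: line for line in snapshot.strip().splitlines()}

def diff_rules(before, after):
    old, new = load(before), load(after)
    changes = []
    for rid in sorted(set(old) | set(new), key=int):
        if rid not in old:
            changes.append((rid, "added", new[rid]))
        elif rid not in new:
            changes.append((rid, "removed", old[rid]))
        elif old[rid] != new[rid]:
            changes.append((rid, "modified", new[rid]))
    return changes

def severity(rid, kind, line, authorized):
    _, src, dst, _svc, action = line.split(",")
    if not authorized or rid in WATCHED:
        return "high"
    if kind != "removed" and action == "permit" and "any" in (src, dst):
        return "high"  # a new or widened permit with ANY is a new high-severity risk
    return "medium" if kind == "removed" else "low"

def alerts(before=BEFORE, after=AFTER, approved=APPROVED):
    out = []
    for rid, kind, line in diff_rules(before, after):
        ticket = approved.get(rid)
        out.append({"rule": rid, "change": kind, "ticket": ticket,
                    "authorized": ticket is not None,
                    "severity": severity(rid, kind, line, ticket is not None)})
    return out

if __name__ == "__main__":
    for a in alerts():
        flag = "" if a["authorized"] else "  <-- no change ticket: investigate"
        print(f"[{a['severity']:<6}] rule {a['rule']} {a['change']} ticket={a['ticket']}{flag}")
```

On the constructed snapshots, rule 40 was widened to a source of ANY with no ticket behind it, which is exactly the kind of change Step 2 says to flag for investigation, while the removal of rule 50 and the addition of rule 60 both map to approved tickets and get lower severities. Run a diff like this on every export (or from the firewall's own change events) and route the high-severity entries to whoever owns the change workflow.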
Thanks for watching. I hope you've had
fun learning about firewall auditing.
Please leave a like and any questions
down in the comment section below. Thanks.