Hey, everyone. Welcome back to Cyber Gray Matter. In today's video, we're going to be going over the basics of how to audit a firewall. This video will have six steps of the firewall auditing process, and I think you'll find a lot of these concepts helpful and correlate to all general technology fields, including the emphasis on procedures and documentation. This video won't be a deep dive into the technical details, but it goes over compliance, best practices, and other security concepts. It's a good start to get an idea of what the auditing process is like. Let's jump right into it.

So, let's start with what a firewall even is. A firewall is a networking device and tool that manages connections between different internal or external networks. They can accept or reject connections or even filter them, and everything is based on rules. Remember that firewalls work on the network and transport layers, so three and four of the OSI model. However, there are some firewalls that can operate on the application layer, or layer seven of the OSI model, and these are considered smarter. They're known as next-generation firewalls. Also, please don't confuse the application layer tidbit about the next-gen firewall with a web application firewall. It's not the same thing.

So, what's a firewall audit? A firewall audit is a process of investigating the existing aspects of a firewall, and this can include access and connections, along with the identification of vulnerabilities and reports on any changes.

So, why are audits important? With all the compliance standards out and being used, firewall audits are a way to prove to regulators or business partners that an organization's network is secure. Some of these standards include things such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA).

Other than firewall audits being required, they're simply best practice. If you audit a firewall, you're likely to catch a weakness or openness within your network and security posture. This way, you can adapt your policies to fit this. Doing due diligence is important in cybersecurity, and reviewing controls and policies will be one piece that helps protect an organization if there might be the unfortunate circumstance of a lawsuit, breach, or some sort of regulatory issue that may come up. Auditing a firewall will ensure that your configuration and rules adhere to internal cybersecurity policies. Besides safety, a firewall audit can help improve performance by fixing the optimization of the firewall rule base, and we'll go into that a little bit later.

Now, let's get into the six steps of the firewall audit.

Step 1: Collect Key Information

This is prior to the audit. There needs to be information gathered. During this time, there needs to be visibility into the network with software, hardware, policies, and risks. In order to plan the audit, you will need the following key information: copies of the relevant security policies; the firewall logs, which can be compared to the firewall rule base to find which rules are being used; an accurate and updated copy of the network and firewall topology diagrams; any previous audit documentation, including the rules, objects, and policy revisions; vendor firewall information, including the OS version, latest patches, and the default configuration; and finally, an understanding of all the critical servers and repositories within the network.

Step 2: Assess the Change Management Process

The change management process starts with the request to change some sort of process or technology. It's from the beginning with a conception, through the implementation, and then to the final resolution. Change management within a firewall audit is important because there needs to be traceability of any firewall changes, and it also ensures compliance for the future. The most common problems with change control involve issues with the documentation, such as not including or being clear about why the change was needed, who authorized the changes, and poor validation of the network impact of each change.

Some requirements for rule-based change management are the following: make sure the changes are going through the proper approval and are implemented by the authorized personnel; changes should be tested and documented according to regulatory and internal policy requirements; each rule should be noted to include the change ID of the request and have a sign-off with the initials of the person who implemented the change; make sure there is an expiration date for the change, if one should exist; and determine whether there is a formal and controlled process in place for the request, review, approval, and implementation of the firewall changes.

And this process should include the business purpose for the change request, the duration for the new or modified rule, an assessment of the potential risk associated with the new or modified rules, formal approvals for new and modified rules, assignment to the proper administration for implementation, and verification that the change has been tested and implemented correctly. Authorization must be granted to make these changes, and any unauthorized changes should be flagged for future investigation. It should be determined whether real-time monitoring of changes to the firewall is enabled. Authorized requesters, admins, and stakeholders should be given rule change notifications.

Step 3: Audit the OS and Physical Security

Firewall audits don't just involve the rule-based policies, but the actual firewall itself. It's important to ensure that the firewall has both physical and software security feature verification. This involves the hardware and OS software of the firewall. It's important that there's physical security protecting the firewall and management servers with controlled access. This ensures that only authorized personnel are permitted to access the firewall server rooms. Vendor operating system patches and updates are extremely important, and it should be verified that these are here. The operating system should also be audited to ensure that it passes common hardening checklists. The device administration procedure should also be reviewed.

Step 4: Declutter and Improve the Rule Base

In order to ensure that the firewall performs at peak performance, the rule base should be decluttered and optimized. This also makes the auditing process easier and will remove the unnecessary overhead. To do this, start by deleting the rules that aren't useful, and disable expired and unused rules and objects. Delete the unused connections, and this includes source, destination, and service routes that aren't in use. Find the similar rules and consolidate them into one rule. Identify and fix any issues that are over-permissive, and analyze the actual policy against firewall logs. Analyze VPN parameters in order to uncover users and groups that are unused, unattached, expired, or about to expire. Enforce object naming conventions. Finally, keep a record of rules, objects, and policy revisions for future reference.

Step 5: Perform a Risk Assessment and Fix Issues

A thorough and comprehensive risk assessment will help identify any risky rules and ensure the rules are compliant with internal policies and relevant standards and regulations. This is done by prioritizing the rules by severity and based on industry standards and best practices. This is based upon company needs and the risk acceptance of an organization.

Things to look for: check to see if there are any rules that go against and violate your corporate security policy. Do any of the firewall rules use "any" in the source, destination, service/protocol, application, or user fields with a permissive action? Do any of the rules allow risky services from your DMZ to the internal network? What about any rules that allow risky services from the internet coming inbound to sensitive servers, networks, devices, and databases?

It's also good to analyze firewall rules and configurations and check to see if they are complying with regulatory standards such as PCI DSS, SOX, ISO, and other policies that are relevant to the organization. These might be policies for hardware, software configurations, and other devices. There should be an action plan for remediation of the risks and compliance exceptions that are identified in the risk analysis. It should be verified that the remediation efforts have taken place and any rule changes have been completed correctly. And, as always, these changes should be tracked and documented.

Step 6: Conduct Ongoing Audits

Now that the initial audit is done, we need to continue auditing to ensure that this is ongoing. Ensure that there is a process that is established and continuous for future firewall audits. In order to avoid errors and manual tasks, these can be automated with analysis and reporting. All procedures need to be documented, and this is in order to create a complete audit trail for all firewall management activities. Ensure that there is a robust firewall change workflow in place to maintain compliance over time. And finally, ensure that there is an alerting system in place for significant events and activities. This includes changes to certain rules or if a new high-severity risk is identified in the policy.

Thanks for watching. I hope you've had fun learning about firewall auditing. Please leave a like and any questions down in the comment section below. Thanks.