Hey, everyone. Welcome back to Cyber Gray Matter. In today's video, we're going to be going over the basics of how to audit a firewall. This video will have six steps of the firewall auditing process, and I think you'll find a lot of these concepts helpful and that they carry over to all general technology fields, including the emphasis on procedures and documentation. This video won't be a deep dive into the technical details, but it goes over compliance, best practices, and other security concepts. It's a good start to get an idea of what the auditing process is like. Let's jump right into it.

So, let's start with what a firewall even is. A firewall is a networking device and tool that manages connections between different internal or external networks. They can accept or reject connections, or even filter them, and everything is based on rules. Remember that firewalls work on the network and transport layers, so layers three and four of the OSI model. However, there are some firewalls that can operate on the application layer, or layer seven of the OSI model, and these are considered smarter. They're known as next-generation firewalls. Also, please don't confuse the application-layer tidbit about the next-gen firewall with a web application firewall. It's not the same thing.

So, what's a firewall audit? A firewall audit is a process of investigating the existing aspects of a firewall, and this can include access and connections, along with the identification of vulnerabilities and reports on any changes.

So, why are audits important? With all the compliance standards out and being used, firewall audits are a way to prove to regulators or business partners that an organization's network is secure. Some of these standards include things such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA).

Other than firewall audits being required, they're simply best practice. If you audit a firewall, you're likely to catch a weakness or opening within your network and security posture. This way, you can adapt your policies to fit this. Doing due diligence is important in cybersecurity, and reviewing controls and policies will be one piece that helps protect an organization if there is the unfortunate circumstance of a lawsuit, breach, or some sort of regulatory issue. Auditing a firewall will ensure that your configuration and rules adhere to internal cybersecurity policies. Besides safety, a firewall audit can help improve performance by optimizing the firewall rule base, and we'll go into that a little bit later.

Now, let's get into the six steps of the firewall audit.

Step 1: Collect Key Information

This is prior to the audit. Information needs to be gathered. During this time, there needs to be visibility into the network, with its software, hardware, policies, and risks. In order to plan the audit, you will need the following key information: copies of the relevant security policies; the firewall logs, which can be compared to the firewall rule base to find which rules are being used; an accurate and updated copy of the network and firewall topology diagrams; any previous audit documentation, including the rules, objects, and policy revisions; vendor firewall information, including the OS version, latest patches, and the default configuration; and finally, an understanding of all the critical servers and repositories within the network.

Step 2: Assess the Change Management Process

The change management process starts with the request to change some sort of process or technology. It runs from the beginning, with conception, through the implementation, and then to the final resolution. Change management within a firewall audit is important because there needs to be traceability of any firewall changes, and it also ensures compliance for the future. The most common problems with change control involve issues with the documentation, such as not including, or not being clear about, why the change was needed and who authorized the changes, and poor validation of the network impact of each change.

Some requirements for rule-base change management are the following: make sure the changes go through the proper approval and are implemented by authorized personnel; changes should be tested and documented according to regulatory and internal policy requirements; each rule should be annotated to include the change ID of the request and have a sign-off with the initials of the person who implemented the change; make sure there is an expiration date for the change, if one should exist; and determine whether there is a formal and controlled process in place for the request, review, approval, and implementation of firewall changes. This process should include the business purpose for the change request, the duration of the new or modified rule, an assessment of the potential risk associated with the new or modified rules, formal approvals for new and modified rules, assignment to the proper administrator for implementation, and verification that the change has been tested and implemented correctly.

Authorization must be granted to make these changes, and any unauthorized changes should be flagged for future investigation. It should be determined whether real-time monitoring of changes to the firewall is enabled. Authorized requesters, admins, and stakeholders should be given rule change notifications.

Step 3: Audit the OS and Physical Security

Firewall audits don't just involve the rule-base policies, but the actual firewall itself. It's important to ensure that the firewall has both physical and software security feature verification. This involves the hardware and OS software of the firewall. It's important that there's physical security protecting the firewall and management servers, with controlled access. This ensures that only authorized personnel are permitted to access the firewall server rooms. Vendor operating system patches and updates are extremely important, and it should be verified that these are in place. The operating system should also be audited to ensure that it passes common hardening checklists. The device administration procedure should also be reviewed.

Step 4: Declutter and Improve the Rule Base

In order to ensure that the firewall performs at its peak, the rule base should be decluttered and optimized. This also makes the auditing process easier and will remove unnecessary overhead. To do this, start by deleting the rules that aren't useful, and disable expired and unused rules and objects. Delete the unused connections, and this includes source, destination, and service routes that aren't in use. Find similar rules and consolidate them into one rule. Identify and fix any rules that are over-permissive, and analyze the actual policy against firewall logs. Analyze VPN parameters in order to uncover users and groups that are unused, unattached, expired, or about to expire. Enforce object naming conventions. Finally, keep a record of rules, objects, and policy revisions for future reference.

Step 5: Perform a Risk Assessment and Fix Issues

A thorough and comprehensive risk assessment will help identify any risky rules and ensure the rules are compliant with internal policies and relevant standards and regulations. This is done by prioritizing the rules by severity, based on industry standards and best practices. This is based upon company needs and the risk acceptance of an organization. Things to look for: check to see if there are any rules that go against and violate your corporate security policy. Do any of the firewall rules use "any" in the source, destination, service/protocol, application, or user fields with a permissive action? Do any of the rules allow risky services from your DMZ to the internal network? What about any rules that allow risky services from the internet coming inbound to sensitive servers, networks, devices, and databases?

It's also good to analyze firewall rules and configurations and check to see whether they are complying with regulatory standards such as PCI DSS, SOX, ISO, and other policies that are relevant to the organization. These might be policies for hardware, software configurations, and other devices. There should be an action plan for remediation of the risks and compliance exceptions that are identified in the risk analysis. It should be verified that the remediation efforts have taken place and any rule changes have been completed correctly. And, as always, these changes should be tracked and documented.

Step 6: Conduct Ongoing Audits

Now that the initial audit is done, we need to continue auditing to ensure that this is ongoing. Ensure that there is an established and continuous process for future firewall audits. In order to avoid errors and manual tasks, these can be automated with analysis and reporting. All procedures need to be documented, and this is in order to create a complete audit trail for all firewall management activities. Ensure that there is a robust firewall change workflow in place to maintain compliance over time. And finally, ensure that there is an alerting system in place for significant events and activities. This includes changes to certain rules, or if a new high-severity risk is identified in the policy.

Thanks for watching. I hope you've had fun learning about firewall auditing. Please leave a like and any questions down in the comment section below. Thanks.
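As an added example that is not part of the video or of Cyber Gray Matter's material: Steps 4 and 5 above describe rule-base checks that are easy to automate, which is also what Step 6 asks for. The script below runs those checks over a constructed, vendor-neutral rule export and a few constructed log lines: it compares logged hits against the rule base to find unused rules, flags expired rules and rules with no change ID (the Step 2 documentation gap), finds redundant or shadowed rules that can be consolidated, flags allow rules that use "any", and flags risky services inbound from the internet or from the DMZ to sensitive networks. The CSV column layout, the object names (dmz-web, internal-db, corp-lan), the syslog-style log format, the zone classification and the "risky services" list are all assumptions made for this example, not any vendor's format or an official list; adapt them to your own export and policy.

```python
import csv
import io
import re
from datetime import date

# Constructed rule-base export. The CSV layout is an assumption for this
# example, not a vendor format. Rules are evaluated top-down, first match
# wins, with an implicit deny at the end.
RULE_EXPORT = """\
id,action,source,destination,service,change_id,expires
10,allow,any,dmz-web,https,CHG-1041,
20,allow,any,dmz-web,http,CHG-1041,
30,allow,internet,internal-db,tcp/1433,,2023-01-31
40,allow,dmz-web,internal-db,tcp/1433,CHG-1108,
50,allow,dmz-web,internal-lan,smb,CHG-0977,
70,allow,corp-lan,internal-db,tcp/1433,CHG-1202,
80,allow,any,dmz-web,https,CHG-1300,
90,allow,any,any,any,,
"""

# Constructed syslog-style hit records (assumed format), one per matched flow.
LOG_LINES = """\
2024-05-01T10:00:01Z fw1 accept rule=10 src=203.0.113.5 dst=10.1.1.10 svc=https
2024-05-01T10:00:03Z fw1 accept rule=10 src=198.51.100.7 dst=10.1.1.10 svc=https
2024-05-01T10:00:09Z fw1 accept rule=40 src=10.1.1.10 dst=10.2.2.20 svc=tcp/1433
2024-05-01T10:01:12Z fw1 accept rule=70 src=10.3.3.44 dst=10.2.2.20 svc=tcp/1433
2024-05-01T10:02:40Z fw1 accept rule=20 src=203.0.113.9 dst=10.1.1.10 svc=http
"""

# Assumed zone classification and "risky service" list for the example.
EXTERNAL = {"any", "internet"}
DMZ = {"dmz-web"}
SENSITIVE = {"internal-db", "internal-lan"}
RISKY_SERVICES = {"telnet", "ftp", "smb", "rdp", "tcp/1433", "any"}
FIELDS = ("source", "destination", "service")
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_rules(text):
    """Parse the CSV export into a list of dicts, in policy order."""
    rules = list(csv.DictReader(io.StringIO(text)))
    for rule in rules:
        rule["id"] = int(rule["id"])
    return rules


def rule_hit_counts(log_text):
    """Count how many logged flows matched each rule id."""
    counts = {}
    for line in log_text.splitlines():
        match = re.search(r"\brule=(\d+)\b", line)
        if match:
            rid = int(match.group(1))
            counts[rid] = counts.get(rid, 0) + 1
    return counts


def covers(earlier, later):
    """True if every flow matching `later` already matched `earlier`,
    so `later` is never reached under first-match evaluation."""
    return all(earlier[f] in ("any", later[f]) for f in FIELDS)


def audit(rules, hits, today):
    """Return (rule_id, severity, message) findings for the rule base."""
    findings = []

    def add(sev, msg):
        findings.append((r["id"], sev, msg))

    for i, r in enumerate(rules):
        permissive = r["action"] == "allow"
        wild = [f for f in FIELDS if r[f] == "any"]
        # Step 5: 'any' in a field combined with a permissive action.
        if permissive and len(wild) == 3:
            add("critical", "any/any/any allow rule")
        elif permissive and wild:
            add("high" if r["service"] == "any" else "medium",
                "allow rule uses 'any' in " + ", ".join(wild))
        # Step 5: risky services inbound from the internet, or DMZ -> internal.
        if permissive and r["service"] in RISKY_SERVICES and r["destination"] in SENSITIVE:
            if r["source"] in EXTERNAL:
                add("high", f"{r['service']} inbound from internet to {r['destination']}")
            elif r["source"] in DMZ:
                add("medium", f"{r['service']} from DMZ to {r['destination']}; review")
        # Step 4: expired rules, unused rules (policy vs. logs), missing change ID.
        if r["expires"] and date.fromisoformat(r["expires"]) < today:
            add("medium", f"expired on {r['expires']}; disable or renew")
        if hits.get(r["id"], 0) == 0:
            add("medium", "no hits in log window; candidate to disable")
        if not r["change_id"]:
            add("low", "no change ID recorded (Step 2 documentation gap)")
        # Step 4: redundant or shadowed rules that can be consolidated or removed.
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = "redundant with" if earlier["action"] == r["action"] else "shadowed by"
                add("medium", f"{kind} rule {earlier['id']}; never reached")
                break
    return findings


def report(findings):
    """Findings sorted by severity, then rule id, as printable lines."""
    ordered = sorted(findings, key=lambda f: (SEVERITY[f[1]], f[0]))
    return [f"rule {rid:>3} [{sev}] {msg}" for rid, sev, msg in ordered]


def run_example():
    """Audit the constructed rule base as of 2024-05-02 (assumed audit date)."""
    return audit(parse_rules(RULE_EXPORT), rule_hit_counts(LOG_LINES), date(2024, 5, 2))


if __name__ == "__main__":
    for line in report(run_example()):
        print(line)
```

Two design points worth carrying into a real audit: "unused" is only meaningful relative to the log window you collected in Step 1, so a rule with zero hits over a week may still serve a quarterly job, and the redundancy check only looks at the three match fields, so a rule that differs in logging, user or application fields from the rule that covers it needs a human decision before it is removed.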