Hey, everyone. Welcome back to Cyber Gray Matter. In today's video, we're going over the basics of how to audit a firewall. It covers six steps of the firewall auditing process, and I think you'll find many of these concepts carry over to all technology fields, especially the emphasis on procedures and documentation. This video isn't a deep dive into the technical details; it covers compliance, best practices, and other security concepts, and it's a good starting point for getting an idea of what the auditing process is like. Let's jump right into it.

So, let's start with what a firewall even is. A firewall is a networking device that manages connections between different internal or external networks. It can accept, reject, or filter connections, and everything is based on rules. Remember that traditional firewalls work on the network and transport layers, layers three and four of the OSI model. However, some firewalls can also inspect traffic at the application layer, layer seven, and these are considered smarter: they're known as next-generation firewalls. Also, please don't confuse a next-gen firewall's application-layer capabilities with a web application firewall. It's not the same thing.

So, what's a firewall audit? A firewall audit is the process of investigating the existing aspects of a firewall, which can include access and connections, along with identifying vulnerabilities and reporting on any changes.

So, why are audits important? With all the compliance standards in use, firewall audits are a way to prove to regulators or business partners that an organization's network is secure.
Some of these standards include the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA). Beyond being required, firewall audits are simply best practice. If you audit a firewall, you're likely to catch a weakness or opening in your network and security posture, and you can then adapt your policies to address it. Doing due diligence is important in cybersecurity, and reviewing controls and policies is one piece that helps protect an organization should the unfortunate circumstance of a lawsuit, breach, or regulatory issue come up. Auditing a firewall ensures that your configuration and rules adhere to internal cybersecurity policies. Besides security, a firewall audit can improve performance by optimizing the firewall rule base, and we'll go into that a little later.

Now, let's get into the six steps of the firewall audit.

Step 1: Collect Key Information

This happens prior to the audit: information needs to be gathered. During this time, there needs to be visibility into the network's software, hardware, policies, and risks. In order to plan the audit, you will need the following key information:

- Copies of the relevant security policies.
- The firewall logs, which can be compared against the firewall rule base to find which rules are actually being used.
- An accurate and up-to-date copy of the network and firewall topology diagrams.
- Any previous audit documentation, including the rules, objects, and policy revisions.
- Vendor firewall information, including the OS version, latest patches, and the default configuration.
- Finally, an understanding of all the critical servers and data repositories within the network.
Step 2: Assess the Change Management Process

The change management process starts with a request to change some process or technology, and runs from conception, through implementation, to final resolution. Change management matters in a firewall audit because there needs to be traceability of every firewall change, which also helps ensure compliance in the future. The most common problems with change control involve the documentation: not recording, or not being clear about, why the change was needed and who authorized it, and poor validation of the network impact of each change. Some requirements for rule-base change management are the following:

- Make sure changes go through the proper approval and are implemented by authorized personnel.
- Changes should be tested and documented according to regulatory and internal policy requirements.
- Each rule should be annotated with the change ID of the request and signed off with the initials of the person who implemented the change.
- Make sure there is an expiration date for the change, if one should exist.
- Determine whether there is a formal and controlled process in place for the request, review, approval, and implementation of firewall changes. This process should include the business purpose for the change request, the duration of the new or modified rule, an assessment of the potential risk associated with the new or modified rules, formal approval of new and modified rules, assignment to the proper administrator for implementation, and verification that the change has been tested and implemented correctly.

Authorization must be granted before these changes are made, and any unauthorized changes should be flagged for investigation. It should also be determined whether real-time monitoring of changes to the firewall is enabled, and authorized requesters, admins, and stakeholders should receive rule change notifications.
Step 3: Audit the OS and Physical Security

Firewall audits don't just cover the rule base; they cover the firewall itself. It's important to verify both the physical and the software security of the firewall, meaning its hardware and its operating system. There should be physical security protecting the firewall and its management servers, with controlled access so that only authorized personnel can enter the rooms where they are housed. Vendor operating system patches and updates are extremely important, and it should be verified that they have been applied. The operating system should also be audited against common hardening checklists, and the device administration procedure should be reviewed.

Step 4: Declutter and Improve the Rule Base

To keep the firewall performing at its peak, the rule base should be decluttered and optimized. This also makes the auditing process easier and removes unnecessary overhead. To do this:

- Start by deleting rules that aren't useful, and disable expired and unused rules and objects.
- Delete unused connections, including source, destination, and service entries that aren't in use.
- Find similar rules and consolidate them into one rule.
- Identify and fix any over-permissive rules, and analyze the actual policy against the firewall logs.
- Analyze VPN parameters to uncover users and groups that are unused, unattached, expired, or about to expire.
- Enforce object naming conventions.
- Finally, keep a record of rules, objects, and policy revisions for future reference.

Step 5: Perform a Risk Assessment and Fix Issues

A thorough and comprehensive risk assessment will help identify any risky rules and ensure the rules comply with internal policies and relevant standards and regulations.
This is done by prioritizing the rules by severity, based on industry standards and best practices, and on the company's needs and the organization's risk acceptance. Things to look for:

- Are there any rules that go against or violate your corporate security policy?
- Do any of the firewall rules use "any" in the source, destination, service/protocol, application, or user fields together with a permit action?
- Do any rules allow risky services from your DMZ into the internal network?
- What about rules that allow risky services inbound from the internet to sensitive servers, networks, devices, and databases?

It's also good to analyze the firewall rules and configuration to check whether they comply with regulatory standards such as PCI DSS, SOX, ISO, and other policies relevant to the organization. These might be policies for hardware, software configurations, and other devices. There should be an action plan for remediating the risks and compliance exceptions identified in the risk analysis. It should then be verified that the remediation has taken place and that any rule changes have been completed correctly. And, as always, these changes should be tracked and documented.

Step 6: Conduct Ongoing Audits

Now that the initial audit is done, auditing needs to continue on an ongoing basis. Ensure there is an established, continuous process for future firewall audits. To avoid errors and manual tasks, analysis and reporting can be automated. All procedures need to be documented in order to create a complete audit trail of all firewall management activities. Ensure there is a robust firewall change workflow in place to maintain compliance over time. And finally, ensure there is an alerting system in place for significant events and activities, such as changes to certain rules or a new high-severity risk being identified in the policy.
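As an added example that is not part of the video, here is a small Python script that applies the Step 4 and Step 5 checks (unused, expired, duplicate, over-permissive and risky cross-zone rules, plus the Step 2 check that every rule carries a change ID) to a constructed rule base and constructed hit-log lines. The zone CIDR ranges, the list of "risky" services, the rule fields and the log line format are all assumptions made for illustration; they are not any vendor's format, and you would substitute the ranges from your own topology diagram.

```python
"""Added example: audit a constructed firewall rule base for the findings
Steps 4 and 5 describe, using constructed hit-count log lines."""
from collections import Counter
from datetime import date
import ipaddress
import re

# Assumed zone layout for this example; replace with your own topology's ranges.
# 'sensitive' is listed before 'internal' because it is a subnet of it.
ZONES = {
    "sensitive": [ipaddress.ip_network("10.10.10.0/24")],   # e.g. database VLAN
    "internal":  [ipaddress.ip_network("10.0.0.0/8")],
    "dmz":       [ipaddress.ip_network("192.0.2.0/24")],
}
# Services treated as risky when allowed across zones (assumed list, not from a standard).
RISKY_SERVICES = {"tcp/21", "tcp/23", "tcp/445", "tcp/1433", "tcp/3306", "tcp/3389"}
LOG_RE = re.compile(r"\brule=(?P<rule>\S+)")


def zone_of(addr):
    """Map 'any' or an IP/CIDR string to a zone; ranges outside ZONES are 'internet'."""
    if addr == "any":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    for name, nets in ZONES.items():
        if any(net.version == z.version and net.subnet_of(z) for z in nets):
            return name
    return "internet"


def parse_hits(log_lines):
    """Count log entries per rule id from lines containing 'rule=<id>'."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            hits[m.group("rule")] += 1
    return hits


def audit_rules(rules, log_lines, today_iso):
    """Return finding category -> list of rule ids (duplicates as (rule, original))."""
    today = date.fromisoformat(today_iso)
    hits = parse_hits(log_lines)
    findings = {k: [] for k in ("unused", "expired", "over_permissive",
                                "duplicate", "risky_zone", "undocumented")}
    seen = {}  # (src, dst, service, action) -> first rule id with that tuple
    for r in rules:
        rid, permit = r["id"], r["action"] == "allow"
        if r["enabled"] and hits[rid] == 0:          # enabled but never matched
            findings["unused"].append(rid)
        if r.get("expires") and date.fromisoformat(r["expires"]) < today:
            findings["expired"].append(rid)
        if permit and "any" in (r["src"], r["dst"], r["service"]):
            findings["over_permissive"].append(rid)  # 'any' field with a permit action
        key = (r["src"], r["dst"], r["service"], r["action"])
        if key in seen:
            findings["duplicate"].append((rid, seen[key]))  # candidate for consolidation
        else:
            seen[key] = rid
        src_z, dst_z = zone_of(r["src"]), zone_of(r["dst"])
        dmz_to_inside = src_z == "dmz" and dst_z in ("internal", "sensitive")
        outside_to_sensitive = src_z in ("internet", "any") and dst_z == "sensitive"
        if permit and r["service"] in RISKY_SERVICES and (dmz_to_inside or outside_to_sensitive):
            findings["risky_zone"].append(rid)
        if not r.get("change_id"):                    # Step 2: rule must cite its change ID
            findings["undocumented"].append(rid)
    return findings


# Constructed sample rule base (hypothetical rule ids, ranges and change ids).
RULES = [
    {"id": "R1", "src": "10.0.0.0/8", "dst": "any", "service": "tcp/443",
     "action": "allow", "enabled": True, "expires": None, "change_id": "CHG-101"},
    {"id": "R2", "src": "any", "dst": "any", "service": "any",
     "action": "allow", "enabled": True, "expires": None, "change_id": None},
    {"id": "R3", "src": "192.0.2.0/24", "dst": "10.10.10.0/24", "service": "tcp/1433",
     "action": "allow", "enabled": True, "expires": "2023-12-31", "change_id": "CHG-088"},
    {"id": "R4", "src": "10.0.0.0/8", "dst": "any", "service": "tcp/443",
     "action": "allow", "enabled": True, "expires": None, "change_id": "CHG-150"},
    {"id": "R5", "src": "any", "dst": "10.10.10.5/32", "service": "tcp/3389",
     "action": "allow", "enabled": True, "expires": None, "change_id": "CHG-160"},
    {"id": "R6", "src": "any", "dst": "any", "service": "any",
     "action": "deny", "enabled": True, "expires": None, "change_id": "CHG-001"},
]
# Constructed hit log; the format is illustrative, not a vendor's.
LOG_LINES = [
    "2024-06-01T08:00:01Z fw1 rule=R1 action=allow src=10.1.2.3 dst=203.0.113.9 service=tcp/443",
    "2024-06-01T08:00:05Z fw1 rule=R1 action=allow src=10.1.2.4 dst=203.0.113.9 service=tcp/443",
    "2024-06-01T08:00:09Z fw1 rule=R5 action=allow src=198.51.100.7 dst=10.10.10.5 service=tcp/3389",
    "2024-06-01T08:00:12Z fw1 rule=R6 action=deny src=198.51.100.8 dst=10.0.0.1 service=tcp/23",
]
AUDIT_DATE = "2024-06-01"


def run_example():
    """Audit the constructed rule base as of AUDIT_DATE."""
    return audit_rules(RULES, LOG_LINES, AUDIT_DATE)


if __name__ == "__main__":
    for category, ids in run_example().items():
        print(f"{category:>16}: {ids}")
```

Note that R1 (outbound HTTPS to "any") is flagged over-permissive by the literal criterion from Step 5; whether that is acceptable is a risk-acceptance decision to record in the audit, not something the script decides. The duplicate finding (R4 shadowing R1) and the expired DMZ-to-database rule (R3) are the consolidation and clean-up candidates from Step 4.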
Thanks for watching. I hope you've had fun learning about firewall auditing. Please leave a like and any questions down in the comment section below. Thanks.