WEBVTT 00:00:00.000 --> 00:00:01.280 [Music]. 00:00:01.280 --> 00:00:02.960 Hey, everyone. Welcome back to Cyber Gray 00:00:02.960 --> 00:00:04.960 Matter. In today's video, we're going to 00:00:04.960 --> 00:00:06.720 be going over the basics of how to audit 00:00:06.720 --> 00:00:08.880 a firewall. This video will have six 00:00:08.880 --> 00:00:11.200 steps of the firewall auditing process, 00:00:11.200 --> 00:00:12.480 and I think you'll find a lot of these 00:00:12.480 --> 00:00:14.320 concepts helpful and correlate to all 00:00:14.320 --> 00:00:16.640 general technology fields, including the 00:00:16.640 --> 00:00:19.279 emphasis on procedures and documentation. 00:00:19.279 --> 00:00:21.039 This video won't be a deep dive into the 00:00:21.039 --> 00:00:22.880 technical details, but it goes over 00:00:22.880 --> 00:00:25.039 compliance, best practices, and other 00:00:25.039 --> 00:00:26.800 security concepts. 00:00:26.800 --> 00:00:28.960 It's a good start to get an idea of what 00:00:28.960 --> 00:00:31.199 the auditing process is like. Let's jump 00:00:31.199 --> 00:00:33.760 right into it. 00:00:33.760 --> 00:00:35.760 So, let's start with what a firewall even 00:00:35.760 --> 00:00:36.559 is. 00:00:36.559 --> 00:00:38.320 A firewall is a networking device and 00:00:38.320 --> 00:00:40.160 tool that manages connections between 00:00:40.160 --> 00:00:42.480 different internal or external networks. 00:00:42.480 --> 00:00:44.399 They can accept or reject connections or 00:00:44.399 --> 00:00:46.640 even filter them, and everything is based 00:00:46.640 --> 00:00:47.920 on rules. 00:00:47.920 --> 00:00:49.600 Remember that firewalls work on the 00:00:49.600 --> 00:00:52.239 network and transport layers, so three and 00:00:52.239 --> 00:00:54.559 four of the OSI model. 
However, there are 00:00:54.559 --> 00:00:56.079 some firewalls that can operate on the 00:00:56.079 --> 00:00:58.800 application layer or layer seven of the OSI 00:00:58.800 --> 00:01:01.359 model, and these are considered smarter. 00:01:01.359 --> 00:01:02.719 They're known as next-generation 00:01:02.719 --> 00:01:05.280 firewalls. Also, please don't confuse the 00:01:05.280 --> 00:01:07.040 application layer tidbit about the 00:01:07.040 --> 00:01:09.280 next-gen firewall with a web application 00:01:09.280 --> 00:01:12.640 firewall. It's not the same thing. So, 00:01:12.640 --> 00:01:14.960 what's a firewall audit? A firewall audit 00:01:14.960 --> 00:01:16.479 is a process of investigating the 00:01:16.479 --> 00:01:18.799 existing aspects of a firewall, and this 00:01:18.799 --> 00:01:20.960 can include access and connections, along 00:01:20.960 --> 00:01:22.000 with the identification of 00:01:22.000 --> 00:01:23.840 vulnerabilities and reports on any 00:01:23.840 --> 00:01:26.799 changes. 00:01:26.799 --> 00:01:28.880 So, why are audits important? 00:01:28.880 --> 00:01:30.560 With all the compliance standards out 00:01:30.560 --> 00:01:32.640 and being used, firewall audits are a way 00:01:32.640 --> 00:01:34.079 to prove to regulators or business 00:01:34.079 --> 00:01:35.840 partners that an organization's network 00:01:35.840 --> 00:01:37.759 is secure. Some of these standards 00:01:37.759 --> 00:01:39.840 include things such as the Payment Card 00:01:39.840 --> 00:01:43.840 Industry Data Security Standard (PCI DSS), 00:01:43.840 --> 00:01:46.320 the General Data Protection Regulation 00:01:46.320 --> 00:01:47.560 (GDPR), 00:01:47.560 --> 00:01:50.320 Sarbanes-Oxley (SOX), the Health 00:01:50.320 --> 00:01:52.640 Insurance Portability and Accountability 00:01:52.640 --> 00:01:55.520 Act (HIPAA), or the California Consumer 00:01:55.520 --> 00:01:58.320 Privacy Act (CCPA). 
00:01:58.320 --> 00:01:59.840 Other than firewall audits being 00:01:59.840 --> 00:02:02.799 required, they're simply best practice. If 00:02:02.799 --> 00:02:04.560 you audit a firewall, you're likely to 00:02:04.560 --> 00:02:06.320 catch a weakness or openness within your 00:02:06.320 --> 00:02:08.878 network and security posture. This way, 00:02:08.878 --> 00:02:11.520 you can adapt your policies to fit this. 00:02:11.520 --> 00:02:13.200 Doing due diligence is important in 00:02:13.200 --> 00:02:15.680 cybersecurity, and reviewing controls and 00:02:15.680 --> 00:02:17.680 policies will be one piece that helps 00:02:17.680 --> 00:02:19.680 protect an organization, if there might 00:02:19.680 --> 00:02:21.440 be the unfortunate circumstance of a 00:02:21.440 --> 00:02:23.520 lawsuit, breach, or some sort of 00:02:23.520 --> 00:02:25.920 regulatory issue that may come up. 00:02:25.920 --> 00:02:27.680 Auditing a firewall will ensure that 00:02:27.680 --> 00:02:30.400 your configuration and rules adhere to 00:02:30.400 --> 00:02:33.280 internal cybersecurity policies. 00:02:33.280 --> 00:02:35.680 Besides safety, a firewall audit can help 00:02:35.680 --> 00:02:37.840 improve performance by fixing the 00:02:37.840 --> 00:02:40.480 optimization of the firewall rule base, 00:02:40.480 --> 00:02:41.920 and we'll go into that a little bit 00:02:41.920 --> 00:02:43.760 later. 00:02:43.760 --> 00:02:45.280 Now, let's get into the six steps of the 00:02:45.280 --> 00:02:48.319 firewall audit. Step 1: Collect Key 00:02:48.319 --> 00:02:49.599 Information 00:02:49.599 --> 00:02:51.599 This is prior to the audit. There needs 00:02:51.599 --> 00:02:53.760 to be information gathered. During this 00:02:53.760 --> 00:02:55.519 time, there needs to be visibility into 00:02:55.519 --> 00:02:58.000 the network with software, hardware, 00:02:58.000 --> 00:03:00.400 policies, and risks. 
00:03:00.400 --> 00:03:02.000 In order to plan the audit, you will need 00:03:02.000 --> 00:03:04.400 the following key information: 00:03:04.400 --> 00:03:07.040 Copies of the relevant security policies, 00:03:07.040 --> 00:03:08.879 the firewall logs that can be compared 00:03:08.879 --> 00:03:10.879 to the firewall rule base to find which 00:03:10.879 --> 00:03:12.720 rules are being used, 00:03:12.720 --> 00:03:14.560 an accurate and updated copy of the 00:03:14.560 --> 00:03:16.400 network and the firewall topology 00:03:16.400 --> 00:03:18.000 diagrams, 00:03:18.000 --> 00:03:20.159 any previous audit documentation, 00:03:20.159 --> 00:03:22.800 including the rules, objects, and policy 00:03:22.800 --> 00:03:24.560 revisions, 00:03:24.560 --> 00:03:27.040 vendor firewall information, including 00:03:27.040 --> 00:03:29.920 the OS version, latest patches, and the 00:03:29.920 --> 00:03:32.239 default configuration, 00:03:32.239 --> 00:03:34.319 and finally, understanding all the 00:03:34.319 --> 00:03:36.560 critical servers and repositories within 00:03:36.560 --> 00:03:38.799 the network. 00:03:38.799 --> 00:03:40.239 Step 2: 00:03:40.239 --> 00:03:43.040 Assess the Change Management Process 00:03:43.040 --> 00:03:44.879 The change management process starts 00:03:44.879 --> 00:03:46.480 with the request to change some sort of 00:03:46.480 --> 00:03:48.319 process or technology. 00:03:48.319 --> 00:03:49.599 It's from the beginning with a 00:03:49.599 --> 00:03:51.599 conception, through the implementation, 00:03:51.599 --> 00:03:54.239 and then to the final resolution. 00:03:54.239 --> 00:03:55.840 Change management within a firewall 00:03:55.840 --> 00:03:57.519 audit is important because there needs 00:03:57.519 --> 00:03:59.280 to be traceability of any firewall 00:03:59.280 --> 00:04:01.680 changes and also ensure compliance for 00:04:01.680 --> 00:04:03.040 the future. 
00:04:03.040 --> 00:04:04.959 The most common problems with the change 00:04:04.959 --> 00:04:06.560 control involve issues with the 00:04:06.560 --> 00:04:09.120 documentation, such as not including or 00:04:09.120 --> 00:04:11.200 being clear why the change was needed, 00:04:11.200 --> 00:04:13.200 who authorized the changes, and poor 00:04:13.200 --> 00:04:15.599 validation of the network impact of each 00:04:15.599 --> 00:04:17.839 change. 00:04:17.839 --> 00:04:19.358 Some requirements for the rule base 00:04:19.358 --> 00:04:22.240 change management are the following: 00:04:22.240 --> 00:04:23.600 Make sure the changes are going through 00:04:23.600 --> 00:04:25.600 the proper approval and are implemented 00:04:25.600 --> 00:04:28.240 by the authorized personnel, 00:04:28.240 --> 00:04:30.160 changes should be tested and documented 00:04:30.160 --> 00:04:32.160 in line with regulatory and internal policy 00:04:32.160 --> 00:04:33.840 requirements, 00:04:33.840 --> 00:04:35.759 each rule should be noted to include the 00:04:35.759 --> 00:04:38.726 change ID of the request and have a sign-off 00:04:38.726 --> 00:04:40.160 with the initials of the person who 00:04:40.160 --> 00:04:42.880 implemented the change, make sure there 00:04:42.880 --> 00:04:45.199 is an expiration date for the change, if 00:04:45.199 --> 00:04:47.520 one should exist, 00:04:47.520 --> 00:04:49.360 determine whether there is a formal and 00:04:49.360 --> 00:04:51.120 controlled process in place for the 00:04:51.120 --> 00:04:53.280 request, review, approval, and 00:04:53.280 --> 00:04:55.840 implementation of the firewall changes. 
00:04:55.840 --> 00:04:57.840 And this process should include business 00:04:57.840 --> 00:05:00.320 purpose for the change request, duration 00:05:00.320 --> 00:05:02.240 for the new or modified rule, 00:05:02.240 --> 00:05:03.840 assessment of the potential risk 00:05:03.840 --> 00:05:06.560 associated with the new or modified rules, 00:05:06.560 --> 00:05:09.199 formal approvals for new and modified 00:05:09.199 --> 00:05:11.120 rules, assignment to the proper 00:05:11.120 --> 00:05:13.360 administrator for implementation, 00:05:13.360 --> 00:05:15.120 verification that the change has been 00:05:15.120 --> 00:05:18.160 tested and implemented correctly. 00:05:18.160 --> 00:05:20.000 Authorization must be granted to make 00:05:20.000 --> 00:05:22.160 these changes, and any unauthorized 00:05:22.160 --> 00:05:24.240 changes should be flagged for future 00:05:24.240 --> 00:05:26.000 investigation. 00:05:26.000 --> 00:05:27.440 It should be determined whether 00:05:27.440 --> 00:05:29.520 real-time monitoring of changes to the 00:05:29.520 --> 00:05:31.199 firewall is enabled. 00:05:31.199 --> 00:05:33.199 Authorized requesters, admins, and 00:05:33.199 --> 00:05:35.440 stakeholders should be given rule change 00:05:35.440 --> 00:05:38.440 notifications. 00:05:39.120 --> 00:05:41.440 Step 3: Audit the OS and Physical 00:05:41.440 --> 00:05:43.039 Security 00:05:43.039 --> 00:05:44.639 Firewall audits don't just involve the 00:05:44.639 --> 00:05:46.639 rule base policies, but the actual 00:05:46.639 --> 00:05:48.240 firewall itself. 00:05:48.240 --> 00:05:49.600 It's important to ensure that the 00:05:49.600 --> 00:05:52.080 firewall has both physical and software 00:05:52.080 --> 00:05:54.320 security feature verification. 00:05:54.320 --> 00:05:56.160 This involves the hardware and OS 00:05:56.160 --> 00:05:58.639 software of the firewall. 
00:05:58.639 --> 00:06:00.319 It's important that there's physical 00:06:00.319 --> 00:06:02.240 security protecting the firewall and 00:06:02.240 --> 00:06:04.080 management servers with controlled 00:06:04.080 --> 00:06:05.199 access. 00:06:05.199 --> 00:06:06.720 This ensures that only authorized 00:06:06.720 --> 00:06:08.639 personnel are permitted to access the 00:06:08.639 --> 00:06:11.280 firewall server rooms. 00:06:11.280 --> 00:06:12.960 Vendor operating system patches and 00:06:12.960 --> 00:06:14.800 updates are extremely important, and it 00:06:14.800 --> 00:06:16.960 should be verified that these are here. 00:06:16.960 --> 00:06:18.479 The operating system should also be 00:06:18.479 --> 00:06:20.400 audited to ensure that it passes common 00:06:20.400 --> 00:06:22.639 hardening checklists. 00:06:22.639 --> 00:06:24.560 The device administration procedure 00:06:24.560 --> 00:06:27.759 should also be reviewed. 00:06:27.759 --> 00:06:28.960 Step 4: 00:06:28.960 --> 00:06:31.840 Declutter and Improve the Rule Base 00:06:31.840 --> 00:06:33.520 In order to ensure that the firewall 00:06:33.520 --> 00:06:35.600 performs at peak performance, the rule 00:06:35.600 --> 00:06:38.000 base should be decluttered and optimized. 00:06:38.000 --> 00:06:39.759 This also makes the auditing process 00:06:39.759 --> 00:06:41.759 easier and will remove the unnecessary 00:06:41.759 --> 00:06:43.360 overhead. 00:06:43.360 --> 00:06:45.120 To do this, start by 00:06:45.120 --> 00:06:46.720 deleting the rules that aren't useful 00:06:46.720 --> 00:06:48.960 and disable expired and unused rules and 00:06:48.960 --> 00:06:50.560 objects. 00:06:50.560 --> 00:06:52.479 Delete the unused connections, and this 00:06:52.479 --> 00:06:55.280 includes source, destination, and service 00:06:55.280 --> 00:06:57.199 routes that aren't in use. 00:06:57.199 --> 00:06:59.039 Find the similar rules and consolidate 00:06:59.039 --> 00:07:00.800 them into one rule. 
00:07:00.800 --> 00:07:02.639 Identify and fix any issues that are 00:07:02.639 --> 00:07:04.720 over-permissive and analyze the actual 00:07:04.720 --> 00:07:07.440 policy against firewall logs. 00:07:07.440 --> 00:07:09.919 Analyze VPN parameters in order to 00:07:09.919 --> 00:07:12.479 uncover users and groups that are unused, 00:07:12.479 --> 00:07:14.800 unattached, expired, or those that are 00:07:14.800 --> 00:07:16.800 about to expire. 00:07:16.800 --> 00:07:20.080 Enforce object naming conventions. 00:07:20.080 --> 00:07:22.639 Finally, keep a record of rules, objects, 00:07:22.639 --> 00:07:24.400 and policy revisions for future 00:07:24.400 --> 00:07:26.880 reference. 00:07:27.280 --> 00:07:28.720 Step 5: 00:07:28.720 --> 00:07:31.919 Perform a Risk Assessment and Fix Issues 00:07:31.919 --> 00:07:33.440 A thorough and comprehensive risk 00:07:33.440 --> 00:07:35.520 assessment will help identify any risky 00:07:35.520 --> 00:07:37.280 rules and ensure the rules are 00:07:37.280 --> 00:07:39.039 compliant with internal policies and 00:07:39.039 --> 00:07:41.520 relevant standards and regulations. 00:07:41.520 --> 00:07:43.599 This is done by prioritizing the rules 00:07:43.599 --> 00:07:45.759 by severity and based on industry 00:07:45.759 --> 00:07:48.000 standards and best practices. 00:07:48.000 --> 00:07:50.319 This is based upon company needs and 00:07:50.319 --> 00:07:53.919 risk acceptance of an organization. 00:07:53.919 --> 00:07:55.759 Things to look for: 00:07:55.759 --> 00:07:57.039 Check to see if there are any rules that 00:07:57.039 --> 00:07:58.879 go against and violate your corporate 00:07:58.879 --> 00:08:01.199 security policy, 00:08:01.199 --> 00:08:03.360 do any of the firewall rules use "any" in 00:08:03.360 --> 00:08:06.080 the source, destination, service protocol, 00:08:06.080 --> 00:08:08.639 application, or user fields with a 00:08:08.639 --> 00:08:11.039 permissive action? 
00:08:11.039 --> 00:08:13.360 Do any of the rules allow risky services 00:08:13.360 --> 00:08:16.160 from your DMZ to the internal network? 00:08:16.160 --> 00:08:18.080 What about any rules that allow risky 00:08:18.080 --> 00:08:20.000 services from the internet coming 00:08:20.000 --> 00:08:22.479 inbound to sensitive servers, networks, 00:08:22.479 --> 00:08:26.080 devices, and databases? 00:08:26.080 --> 00:08:28.080 It's also good to analyze firewall rules 00:08:28.080 --> 00:08:30.319 and configurations and check to see if 00:08:30.319 --> 00:08:32.399 they are complying with regulatory 00:08:32.399 --> 00:08:33.440 standards 00:08:33.440 --> 00:08:37.519 such as PCI DSS, SOX, ISO, and other 00:08:37.519 --> 00:08:38.958 policies that are relevant to the 00:08:38.958 --> 00:08:40.399 organization. 00:08:40.399 --> 00:08:42.479 These might be policies for hardware, 00:08:42.479 --> 00:08:44.240 software configurations, and other 00:08:44.240 --> 00:08:46.160 devices. 00:08:46.160 --> 00:08:47.680 There should be an action plan for 00:08:47.680 --> 00:08:49.680 remediation of these risks and 00:08:49.680 --> 00:08:51.279 compliance exceptions that are 00:08:51.279 --> 00:08:54.160 identified in the risk analysis. It 00:08:54.160 --> 00:08:56.080 should be verified that the remediation 00:08:56.080 --> 00:08:58.399 efforts have taken place and any rule 00:08:58.399 --> 00:09:01.920 changes have been completed correctly. 00:09:01.920 --> 00:09:03.839 And, as always, these changes should be 00:09:03.839 --> 00:09:07.399 tracked and documented. 00:09:08.399 --> 00:09:11.839 Step 6: Conduct Ongoing Audits 00:09:11.839 --> 00:09:13.760 Now that the initial audit is done, we 00:09:13.760 --> 00:09:15.519 need to continue auditing to ensure that 00:09:15.519 --> 00:09:17.440 this is ongoing. 
00:09:17.440 --> 00:09:19.120 Ensure that there is a process that is 00:09:19.120 --> 00:09:21.279 established and continuous for future 00:09:21.279 --> 00:09:23.279 firewall audits. 00:09:23.279 --> 00:09:25.760 In order to avoid errors and manual tasks, 00:09:25.760 --> 00:09:27.519 these can be automated with analysis and 00:09:27.519 --> 00:09:28.959 reporting. 00:09:28.959 --> 00:09:31.519 All procedures need to be documented 00:09:31.519 --> 00:09:32.880 and this is in order to create a 00:09:32.880 --> 00:09:35.040 complete audit trail for all firewall 00:09:35.040 --> 00:09:37.440 management activities. 00:09:37.440 --> 00:09:39.440 Ensure that there is a robust firewall 00:09:39.440 --> 00:09:41.440 change workflow in place to maintain 00:09:41.440 --> 00:09:43.440 compliance over time. 00:09:43.440 --> 00:09:45.200 And finally, ensure that there is an 00:09:45.200 --> 00:09:47.200 alerting system in place for significant 00:09:47.200 --> 00:09:48.880 events and activities. 00:09:48.880 --> 00:09:51.279 This includes changes to certain rules 00:09:51.279 --> 00:09:53.279 or if a new high-severity risk is 00:09:53.279 --> 00:09:56.800 identified in the policy. 00:09:58.160 --> 00:10:00.000 Thanks for watching. I hope you've had 00:10:00.000 --> 00:10:02.560 fun learning about firewall auditing. 00:10:02.560 --> 00:10:04.079 Please leave a like and any questions 00:10:04.079 --> 00:10:07.327 down in the comment section below. Thanks. 00:10:07.327 --> 00:10:13.787 [Music].