How to Audit a Firewall | GRC | Cybersecurity

Edit subtitles

0:00 - 0:01

[Music].
0:01 - 0:03

Hey, everyone. Welcome back to Cyber Gray
0:03 - 0:05

Matter. In today's video, we're going to
0:05 - 0:07

be going over the basics of how to audit
0:07 - 0:09

a firewall. This video will have six
0:09 - 0:11

steps of the firewall auditing process,
0:11 - 0:12

and I think you'll find a lot of these
0:12 - 0:14

concepts helpful and correlate to all
0:14 - 0:17

general technology fields, including the
0:17 - 0:19

emphasis on procedures and documentation.
0:19 - 0:21

This video won't be a deep dive into the
0:21 - 0:23

technical details, but it goes over
0:23 - 0:25

compliance, best practices, and other
0:25 - 0:27

security concepts.
0:27 - 0:29

It's a good start to get an idea of what
0:29 - 0:31

the auditing process is like. Let's jump
0:31 - 0:34

right into it.
0:34 - 0:36

So, let's start with what a firewall even
0:36 - 0:37

is.
0:37 - 0:38

A firewall is a networking device and
0:38 - 0:40

tool that manages connections between
0:40 - 0:42

different internal or external networks.
0:42 - 0:44

They can accept or reject connections or
0:44 - 0:47

even filter them, and everything is based
0:47 - 0:48

on rules.
0:48 - 0:50

Remember that firewalls work on the
0:50 - 0:52

network and transport layers, so three and
0:52 - 0:55

four of the OSI model. However, there are
0:55 - 0:56

some firewalls that can operate on the
0:56 - 0:59

application layer or layer seven of the OSI
0:59 - 1:01

model, and these are considered smarter.
1:01 - 1:03

They're known as next-generation
1:03 - 1:05

firewalls. Also, please don't confuse the
1:05 - 1:07

application layer tidbit about the
1:07 - 1:09

next-gen firewall with a web application
1:09 - 1:13

firewall. It's not the same thing. So,
1:13 - 1:15

what's a firewall audit? A firewall audit
1:15 - 1:16

is a process of investigating the
1:16 - 1:19

existing aspects of a firewall, and this
1:19 - 1:21

can include access and connections, along
1:21 - 1:22

with the identification of
1:22 - 1:24

vulnerabilities and reports on any
1:24 - 1:27

changes.
1:27 - 1:29

So, why are audits important?
1:29 - 1:31

With all the compliance standards out
1:31 - 1:33

and being used, firewall audits are a way
1:33 - 1:34

to prove to regulators or business
1:34 - 1:36

partners that an organization's network
1:36 - 1:38

is secure. Some of these standards
1:38 - 1:40

include things such as the Payment Card
1:40 - 1:44

Industry Data Security Standards (PCI DSS),
1:44 - 1:46

the General Data Protection Regulation
1:46 - 1:48

(GDPR),
1:48 - 1:50

Sarbanes-Oxley (SOX), the Health
1:50 - 1:53

Insurance Portability and Accountability
1:53 - 1:56

Act (HIPAA), or the California Consumer
1:56 - 1:58

Privacy Act (CCPA).
1:58 - 2:00

Other than firewall audits being
2:00 - 2:03

required, they're simply best practice. If
2:03 - 2:05

you audit a firewall, you're likely to
2:05 - 2:06

catch a weakness or openness within your
2:06 - 2:09

network and security posture. This way,
2:09 - 2:12

you can adapt your policies to fit this.
2:12 - 2:13

Doing due diligence is important in
2:13 - 2:16

cybersecurity, and reviewing controls and
2:16 - 2:18

policies will be one piece that helps
2:18 - 2:20

protect an organization, if there might
2:20 - 2:21

be the unfortunate circumstance of a
2:21 - 2:24

lawsuit, breach, or some sort of
2:24 - 2:26

regulatory issue that may come up.
2:26 - 2:28

Auditing a firewall will ensure that
2:28 - 2:30

your configuration and rules adhere to
2:30 - 2:33

internal cybersecurity policies.
2:33 - 2:36

Besides safety, a firewall audit can help
2:36 - 2:38

improve performance by fixing the
2:38 - 2:40

optimization of the firewall rule base,
2:40 - 2:42

and we'll go into that a little bit
2:42 - 2:44

later.
2:44 - 2:45

Now, let's get into the six steps of the
2:45 - 2:48

firewall audit. Step 1: Collect Key
2:48 - 2:50

Information
2:50 - 2:52

This is prior to the audit. There needs
2:52 - 2:54

to be information gathered. During this
2:54 - 2:56

time, there needs to be visibility into
2:56 - 2:58

the network with software, hardware,
2:58 - 3:00

policies, and risks.
3:00 - 3:02

In order to plan the audit, you will need
3:02 - 3:04

the following key information:
3:04 - 3:07

Copies of the relevant security policies,
3:07 - 3:09

the firewall logs that can be compared
3:09 - 3:11

to the firewall rule base to find which
3:11 - 3:13

rules are being used,
3:13 - 3:15

an accurate and updated copy of the
3:15 - 3:16

network and the firewall topology
3:16 - 3:18

diagrams,
3:18 - 3:20

any previous audit documentation,
3:20 - 3:23

including the rules, objects, and policy
3:23 - 3:25

revisions,
3:25 - 3:27

vendor firewall information, including
3:27 - 3:30

the OS version, latest patches, and the
3:30 - 3:32

default configuration,
3:32 - 3:34

and finally, understanding all the
3:34 - 3:37

critical servers and repositories within
3:37 - 3:39

the network.
3:39 - 3:40

Step 2:
3:40 - 3:43

Assess the Change Management Process
3:43 - 3:45

The change management process starts
3:45 - 3:46

with the request to change some sort of
3:46 - 3:48

process or technology.
3:48 - 3:50

It's from the beginning with a
3:50 - 3:52

conception, through the implementation,
3:52 - 3:54

and then to the final resolution.
3:54 - 3:56

Change management within a firewall
3:56 - 3:58

audit is important because there needs
3:58 - 3:59

to be traceability of any firewall
3:59 - 4:02

changes and also ensure compliance for
4:02 - 4:03

the future.
4:03 - 4:05

The most common problems with the change
4:05 - 4:07

control involve issues with the
4:07 - 4:09

documentation, such as not including or
4:09 - 4:11

being clear why the change was needed,
4:11 - 4:13

who authorized the changes, and poor
4:13 - 4:16

validation of the network impact of each
4:16 - 4:18

change.
4:18 - 4:19

Some requirements for the rule-based
4:19 - 4:22

change management are the following:
4:22 - 4:24

Make sure the changes are going through
4:24 - 4:26

the proper approval and are implemented
4:26 - 4:28

by the authorized personnel,
4:28 - 4:30

changes should be tested and documented
4:30 - 4:32

by regulatory and internal policy
4:32 - 4:34

requirements,
4:34 - 4:36

each rule should be noted to include the
4:36 - 4:39

change ID of the request and have a sign-off
4:39 - 4:40

with the initials of the person who
4:40 - 4:43

implemented the change, make sure there
4:43 - 4:45

is an expiration date for the change, if
4:45 - 4:48

one should exist,
4:48 - 4:49

determine whether there is a formal and
4:49 - 4:51

controlled process in place for the
4:51 - 4:53

request, review, approval, and
4:53 - 4:56

implementation of the firewall changes.
4:56 - 4:58

And this process should include business
4:58 - 5:00

purpose for the change request, duration
5:00 - 5:02

from the new modification rule,
5:02 - 5:04

assessment of the potential risk
5:04 - 5:07

associated with the new or modified rules,
5:07 - 5:09

formal approvals from new and modified
5:09 - 5:11

rules, assignment to the proper
5:11 - 5:13

administration for implementation,
5:13 - 5:15

verification that the change has been
5:15 - 5:18

tested and implemented correctly.
5:18 - 5:20

Authorization must be granted to make
5:20 - 5:22

these changes, and any unauthorized
5:22 - 5:24

changes should be flagged for future
5:24 - 5:26

investigation.
5:26 - 5:27

It should be determined whether the
5:27 - 5:30

real-time monitoring of changes to the
5:30 - 5:31

firewall are enabled.
5:31 - 5:33

Authorized requesters, admins, and
5:33 - 5:35

stakeholders should be given rule change
5:35 - 5:38

notifications.
5:39 - 5:41

Step 3: Audit the OS and Physical
5:41 - 5:43

Security
5:43 - 5:45

Firewall audits don't just involve the
5:45 - 5:47

rule-based policies, but the actual
5:47 - 5:48

firewall itself.
5:48 - 5:50

It's important to ensure that the
5:50 - 5:52

firewall has both physical and software
5:52 - 5:54

security feature verification.
5:54 - 5:56

This involves the hardware and OS
5:56 - 5:59

software of the firewall.
5:59 - 6:00

It's important that there's physical
6:00 - 6:02

security protecting the firewall and
6:02 - 6:04

management servers with controlled
6:04 - 6:05

access.
6:05 - 6:07

This ensures that only authorized
6:07 - 6:09

personnel are permitted to access the
6:09 - 6:11

firewall server rooms.
6:11 - 6:13

Vendor operating system patches and
6:13 - 6:15

updates are extremely important, and it
6:15 - 6:17

should be verified that these are here.
6:17 - 6:18

The operating system should also be
6:18 - 6:20

audited to ensure that it passes common
6:20 - 6:23

hardening checklists.
6:23 - 6:25

The device administration procedure
6:25 - 6:28

should also be reviewed.
6:28 - 6:29

Step 4:
6:29 - 6:32

Declutter and Improve the Rule Base
6:32 - 6:34

In order to ensure that the firewall
6:34 - 6:36

performs at peak performance, the rule
6:36 - 6:38

base should be decluttered and optimized.
6:38 - 6:40

This also makes the auditing process
6:40 - 6:42

easier and will remove the unnecessary
6:42 - 6:43

overhead.
6:43 - 6:45

To do this, start by
6:45 - 6:47

deleting the rules that aren't useful
6:47 - 6:49

and disable expired and unused rules and
6:49 - 6:51

objects.
6:51 - 6:52

Delete the unused connections, and this
6:52 - 6:55

includes source, destination, and service
6:55 - 6:57

routes that aren't in use.
6:57 - 6:59

Find the similar rules and consolidate
6:59 - 7:01

them into one rule.
7:01 - 7:03

Identify and fix any issues that are
7:03 - 7:05

over-permissive and analyze the actual
7:05 - 7:07

policy against firewall logs.
7:07 - 7:10

Analyze VPN parameters in order to
7:10 - 7:12

uncover users and groups that are unused,
7:12 - 7:15

unattached, expired, or those that are
7:15 - 7:17

about to expire.
7:17 - 7:20

Enforce object naming conventions.
7:20 - 7:23

Finally, keep a record of rules, objects,
7:23 - 7:24

and policy revisions for future
7:24 - 7:27

reference.
7:27 - 7:29

Step 5:
7:29 - 7:32

Perform a Risk Assessment and Fix Issues
7:32 - 7:33

A thorough and comprehensive risk
7:33 - 7:36

assessment will help identify any risky
7:36 - 7:37

rules and ensure the rules are
7:37 - 7:39

compliant with internal policies and
7:39 - 7:42

relevant standards and regulations.
7:42 - 7:44

This is done by prioritizing the rules
7:44 - 7:46

by severity and based on industry
7:46 - 7:48

standards and best practices.
7:48 - 7:50

This is based upon company needs and
7:50 - 7:54

risk acceptance of an organization.
7:54 - 7:56

Things to look for:
7:56 - 7:57

Check to see if there are any rules or
7:57 - 7:59

go against and violate your corporate
7:59 - 8:01

security policy,
8:01 - 8:03

do any of the firewall rules use any in
8:03 - 8:06

the source, destination, service protocol,
8:06 - 8:09

application, or use fields with a
8:09 - 8:11

permissive action?
8:11 - 8:13

Do any of the rules allow risky services
8:13 - 8:16

for your DMZ to the internal network?
8:16 - 8:18

What about any rules that allow risky
8:18 - 8:20

services from the internet coming
8:20 - 8:22

inbound to sensitive servers, networks,
8:22 - 8:26

devices, and databases?
8:26 - 8:28

It's also good to analyze firewall rules
8:28 - 8:30

and configurations and check to see if
8:30 - 8:32

there are any complying with regulatory
8:32 - 8:33

standards
8:33 - 8:38

such as PCI DSS, SOX, ISO, and other
8:38 - 8:39

policies that are relevant to the
8:39 - 8:40

organization.
8:40 - 8:42

These might be policies for hardware,
8:42 - 8:44

software configurations, and other
8:44 - 8:46

devices.
8:46 - 8:48

There should be an action plan for
8:48 - 8:50

remediation of these risks and
8:50 - 8:51

compliance exceptions that are
8:51 - 8:54

identified in the risk analysis. It
8:54 - 8:56

should be verified that the remediation
8:56 - 8:58

efforts have taken place and any rule
8:58 - 9:02

changes have been completed correctly.
9:02 - 9:04

And, as always, these changes should be
9:04 - 9:07

tracked and documented.
9:08 - 9:12

Step 6: Conduct Ongoing Audits
9:12 - 9:14

Now that the initial audit is done, we
9:14 - 9:16

need to continue auditing to ensure that
9:16 - 9:17

this is ongoing.
9:17 - 9:19

Ensure that there is a process that is
9:19 - 9:21

established and continuous for future
9:21 - 9:23

firewall audits.
9:23 - 9:26

In order to avoid errors and manual tasks,
9:26 - 9:28

these can be automated with analysis and
9:28 - 9:29

reporting.
9:29 - 9:32

All procedures need to be documented
9:32 - 9:33

and this is in order to create a
9:33 - 9:35

complete audit trail for all firewall
9:35 - 9:37

management activities.
9:37 - 9:39

Ensure that there is a robust firewall
9:39 - 9:41

change workflow in place to maintain
9:41 - 9:43

compliance over time.
9:43 - 9:45

And finally, ensure that there is an
9:45 - 9:47

alerting system in place for significant
9:47 - 9:49

events and activities.
9:49 - 9:51

This includes changes to certain rules
9:51 - 9:53

or if a new high-severity risk is
9:53 - 9:57

identified in the policy.
9:58 - 10:00

Thanks for watching. I hope you've had
10:00 - 10:03

fun learning about firewall auditing.
10:03 - 10:04

Please leave a like and any questions
10:04 - 10:07

down in the comment section below. Thanks.
10:07 - 10:14

[Music].

Title:: How to Audit a Firewall | GRC | Cybersecurity
Description:: more » « less
Video Language:: English
Duration:: 10:22

	OEVIDEOS edited English subtitles for How to Audit a Firewall \| GRC \| Cybersecurity
	OEVIDEOS edited English subtitles for How to Audit a Firewall \| GRC \| Cybersecurity

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

How to Audit a Firewall | GRC | Cybersecurity

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)