How to Audit a Firewall | GRC | Cybersecurity

Rollback to version 1

0:01 - 0:03

hey everyone welcome back to cyber gray
0:03 - 0:05

matter in today's video we're going to
0:05 - 0:07

be going over the basics of how to audit
0:07 - 0:09

a firewall this video will have six
0:09 - 0:11

steps of the firewall auditing process
0:11 - 0:12

and i think you'll find a lot of these
0:12 - 0:14

concepts helpful and correlate to all
0:14 - 0:17

general technology fields including the
0:17 - 0:19

emphasis on procedures and documentation
0:19 - 0:21

this video won't be a deep dive into the
0:21 - 0:23

technical details but it goes over
0:23 - 0:25

compliance best practices and other
0:25 - 0:27

security concepts
0:27 - 0:29

it's a good start to get an idea of what
0:29 - 0:31

the auditing process is like let's jump
0:31 - 0:34

right into it
0:34 - 0:36

so let's start with what a firewall even
0:36 - 0:37

is
0:37 - 0:38

a firewall is a networking device and
0:38 - 0:40

tool that manages connections between
0:40 - 0:42

different internal or external networks
0:42 - 0:44

they can accept or reject connections or
0:44 - 0:47

even filter them and everything is based
0:47 - 0:48

on rules
0:48 - 0:50

remember that firewalls work on the
0:50 - 0:52

network and transport layer so three and
0:52 - 0:55

four of the osi model however there are
0:55 - 0:56

some firewalls that can operate on the
0:56 - 0:59

application layer or layer 7 of the osi
0:59 - 1:01

model and these are considered smarter
1:01 - 1:03

they're known as next generation
1:03 - 1:05

firewalls also please don't confuse the
1:05 - 1:07

application layer tidbit about the
1:07 - 1:09

next-gen firewall with a web application
1:09 - 1:13

firewall it's not the same thing so
1:13 - 1:15

what's a firewall audit a firewall audit
1:15 - 1:16

is a process of investigating the
1:16 - 1:19

existing aspects of a firewall and this
1:19 - 1:21

can include access and connections along
1:21 - 1:22

with the identification of
1:22 - 1:24

vulnerabilities and reports on any
1:24 - 1:27

changes
1:27 - 1:29

so why are audits important
1:29 - 1:31

with all the compliance standards out
1:31 - 1:33

and being used firewall audits are a way
1:33 - 1:34

to prove to regulators or business
1:34 - 1:36

partners that an organization's network
1:36 - 1:38

is secure some of these standards
1:38 - 1:40

include things such as the payment card
1:40 - 1:43

industry data security standards or pci
1:43 - 1:44

dss
1:44 - 1:46

the general data protection regulation
1:46 - 1:48

gdpr
1:48 - 1:50

sarbanes-oxley or sox the health
1:50 - 1:53

insurance portability and accountability
1:53 - 1:56

act hipaa or the california consumer
1:56 - 1:58

privacy act or ccpa
1:58 - 2:00

other than firewall audits being
2:00 - 2:03

required they're simply best practice if
2:03 - 2:05

you audit a firewall you're likely to
2:05 - 2:06

catch a weakness or openness within your
2:06 - 2:09

network and security posture this way
2:09 - 2:12

you can adapt your policies to fit this
2:12 - 2:13

doing due diligence is important in
2:13 - 2:16

cyber security in reviewing controls and
2:16 - 2:18

policies will be one piece that helps
2:18 - 2:20

protect an organization if there might
2:20 - 2:21

be the unfortunate circumstance of a
2:21 - 2:24

lawsuit breach or some sort of
2:24 - 2:26

regulatory issue that may come up
2:26 - 2:28

auditing a firewall will ensure that
2:28 - 2:30

your configuration and rules adhere to
2:30 - 2:33

internal cyber security policies
2:33 - 2:36

besides safety a firewall audit can help
2:36 - 2:38

improve performance by fixing the
2:38 - 2:40

optimization of the firewall rule base
2:40 - 2:42

and we'll go into that a little bit
2:42 - 2:44

later
2:44 - 2:45

now let's get into the six steps of the
2:45 - 2:48

firewall audit step one collect key
2:48 - 2:50

information
2:50 - 2:52

this is prior to the audit there needs
2:52 - 2:54

to be information gathered during this
2:54 - 2:56

time there needs to be visibility into
2:56 - 2:58

the network with software hardware
2:58 - 3:00

policies and risks
3:00 - 3:02

in order to plan the audit you will need
3:02 - 3:04

the following key information
3:04 - 3:07

copies of the relevant security policies
3:07 - 3:09

the firewall logs that can be compared
3:09 - 3:11

to the firewall rule base to find which
3:11 - 3:13

rules are being used
3:13 - 3:15

an accurate and updated copy of the
3:15 - 3:16

network in the firewall topology
3:16 - 3:18

diagrams
3:18 - 3:20

any previous audit documentation
3:20 - 3:23

including the rules objects and policy
3:23 - 3:25

revisions
3:25 - 3:27

vendor firewall information including
3:27 - 3:30

the os version latest patches in the
3:30 - 3:32

default configuration
3:32 - 3:34

and finally understanding all the
3:34 - 3:37

critical servers and repositories within
3:37 - 3:39

the network
3:39 - 3:40

step 2
3:40 - 3:43

assess the change management process
3:43 - 3:45

the change management process starts
3:45 - 3:46

with the request to change some sort of
3:46 - 3:48

process or technology
3:48 - 3:50

it's from the beginning with a
3:50 - 3:52

conception through the implementation
3:52 - 3:54

and then to the final resolution
3:54 - 3:56

change management within a firewall
3:56 - 3:58

audit is important because there needs
3:58 - 3:59

to be traceability of any firewall
3:59 - 4:02

changes and also ensure compliance for
4:02 - 4:03

the future
4:03 - 4:05

the most common problems with the change
4:05 - 4:07

control involved issues with the
4:07 - 4:09

documentation such as not including or
4:09 - 4:11

being clear why the change was needed
4:11 - 4:13

who authorized the changes in poor
4:13 - 4:16

validation of the network impact of each
4:16 - 4:18

change
4:18 - 4:19

some requirements for the rule-based
4:19 - 4:22

change management are the following
4:22 - 4:24

make sure the changes are going through
4:24 - 4:26

the proper approval and are implemented
4:26 - 4:28

by the authorized personnel
4:28 - 4:30

changes should be tested and documented
4:30 - 4:32

by regulatory and internal policy
4:32 - 4:34

requirements
4:34 - 4:36

each rule should be noted to include the
4:36 - 4:38

change id of the request and have a sign
4:38 - 4:40

off with the initials of the person who
4:40 - 4:43

implemented the change make sure there
4:43 - 4:45

is an expiration date for the change if
4:45 - 4:48

one should exist
4:48 - 4:49

determine whether there is a formal and
4:49 - 4:51

controlled process in place for the
4:51 - 4:53

request review approval and
4:53 - 4:56

implementation of the firewall changes
4:56 - 4:58

and this process should include business
4:58 - 5:00

purpose for the change request duration
5:00 - 5:02

from the new modification rule
5:02 - 5:04

assessment of the potential risk
5:04 - 5:07

associated with the new or modified rule
5:07 - 5:09

formal approvals from new and modified
5:09 - 5:11

rules assignment to the proper
5:11 - 5:13

administration for implementation
5:13 - 5:15

verification that the change has been
5:15 - 5:18

tested and implemented correctly
5:18 - 5:20

authorization must be granted to make
5:20 - 5:22

these changes and any unauthorized
5:22 - 5:24

changes should be flagged for future
5:24 - 5:26

investigation
5:26 - 5:27

it should be determined whether the
5:27 - 5:30

real-time monitoring of changes to the
5:30 - 5:31

firewall are enabled
5:31 - 5:33

authorized requesters admins and
5:33 - 5:35

stakeholders should be given rule change
5:35 - 5:38

notifications
5:39 - 5:41

step 3 audit the os and physical
5:41 - 5:43

security
5:43 - 5:45

firewall audits don't just involve the
5:45 - 5:47

rule-based policies but the actual
5:47 - 5:48

firewall itself
5:48 - 5:50

it's important to ensure that the
5:50 - 5:52

firewall has both physical and software
5:52 - 5:54

security feature verification
5:54 - 5:56

this involves the hardware and os
5:56 - 5:59

software of the firewall
5:59 - 6:00

it's important that there's a physical
6:00 - 6:02

security protecting the firewall and
6:02 - 6:04

management servers with controlled
6:04 - 6:05

access
6:05 - 6:07

this ensures that only authorized
6:07 - 6:09

personnel are permitted to access the
6:09 - 6:11

firewall server rooms
6:11 - 6:13

vendor operating system patches and
6:13 - 6:15

updates are extremely important and it
6:15 - 6:17

should be verified that these are here
6:17 - 6:18

the operating system should also be
6:18 - 6:20

audited to ensure that it passes common
6:20 - 6:23

hardening checklists
6:23 - 6:25

the device administration procedure
6:25 - 6:28

should also be reviewed
6:28 - 6:29

step 4
6:29 - 6:32

declutter and improve the rule base
6:32 - 6:34

in order to ensure that the firewall
6:34 - 6:36

performs at peak performance the rule
6:36 - 6:38

base should be decluttered and optimized
6:38 - 6:40

this also makes the auditing process
6:40 - 6:42

easier and will remove the unnecessary
6:42 - 6:43

overhead
6:43 - 6:45

to do this start by
6:45 - 6:47

deleting the rules that aren't useful
6:47 - 6:49

and disable expired and unused rules and
6:49 - 6:51

objects
6:51 - 6:52

delete the unused connections and this
6:52 - 6:55

includes source destination and service
6:55 - 6:57

routes that aren't in use
6:57 - 6:59

find the similar rules and consolidate
6:59 - 7:01

them into one rule
7:01 - 7:03

identify and fix any issues that are
7:03 - 7:05

over permissive and analyze the actual
7:05 - 7:07

policy against firewall logs
7:07 - 7:10

analyze vpn parameters in order to
7:10 - 7:12

uncover users and groups that are unused
7:12 - 7:15

unattached expired or those that are
7:15 - 7:17

about to expire
7:17 - 7:20

enforce object naming conventions
7:20 - 7:23

finally keep a record of rules objects
7:23 - 7:24

and policy revisions for future
7:24 - 7:27

reference
7:27 - 7:29

step 5
7:29 - 7:32

perform a risk assessment and fix issues
7:32 - 7:33

a thorough and comprehensive risk
7:33 - 7:36

assessment will help identify any risky
7:36 - 7:37

rules that ensure the rules are
7:37 - 7:39

compliant with internal policies and
7:39 - 7:42

relevant standards and regulations
7:42 - 7:44

this is done by prioritizing the rules
7:44 - 7:46

by severity and based on industry
7:46 - 7:48

standards and best practices
7:48 - 7:50

this is based upon company needs and
7:50 - 7:54

risk acceptance of an organization
7:54 - 7:56

things to look for
7:56 - 7:57

check to see if there are any rules or
7:57 - 7:59

go against and violate your corporate
7:59 - 8:01

security policy
8:01 - 8:03

do any of the firewall rules use any in
8:03 - 8:06

the source destination service protocol
8:06 - 8:09

application or use fields with a
8:09 - 8:11

permissive action
8:11 - 8:13

do any of the rules allow risky services
8:13 - 8:16

for your dmz to the internal network
8:16 - 8:18

what about any rules that allow risky
8:18 - 8:20

services from the internet coming
8:20 - 8:22

inbound to sensitive servers networks
8:22 - 8:26

devices and databases
8:26 - 8:28

it's also good to analyze firewall rules
8:28 - 8:30

and configurations and check to see if
8:30 - 8:32

there are any complying with regulatory
8:32 - 8:33

standards
8:33 - 8:38

such as pci dss socks iso and other
8:38 - 8:39

policies that are relevant to the
8:39 - 8:40

organization
8:40 - 8:42

these might be policies for hardware
8:42 - 8:44

software configurations and other
8:44 - 8:46

devices
8:46 - 8:48

there should be an action plan for
8:48 - 8:50

remediation of these risks and
8:50 - 8:51

compliance exceptions that are
8:51 - 8:54

identified in the risk analysis it
8:54 - 8:56

should be verified that the remediation
8:56 - 8:58

efforts have taken place and any rule
8:58 - 9:02

changes have been completed correctly
9:02 - 9:04

and as always these changes should be
9:04 - 9:07

tracked and documented
9:08 - 9:12

step six conduct ongoing audits
9:12 - 9:14

now that the initial audit is done we
9:14 - 9:16

need to continue auditing to ensure that
9:16 - 9:17

this is ongoing
9:17 - 9:19

ensure that there is a process that is
9:19 - 9:21

established and continuous for future
9:21 - 9:23

firewall audits
9:23 - 9:26

in order to avoid air and manual tasks
9:26 - 9:28

these can be automated with analysis and
9:28 - 9:29

reporting
9:29 - 9:32

all procedures need to be documented
9:32 - 9:33

and this is in order to create a
9:33 - 9:35

complete audit trail for all firewall
9:35 - 9:37

management activities
9:37 - 9:39

ensure that there is a robust firewall
9:39 - 9:41

change workflow in place to maintain
9:41 - 9:43

compliance over time
9:43 - 9:45

and finally ensure that there is an
9:45 - 9:47

alerting system in place for significant
9:47 - 9:49

events and activities
9:49 - 9:51

this includes changes to certain rules
9:51 - 9:53

or if a new high severity risk is
9:53 - 9:57

identified in the policy
9:58 - 10:00

thanks for watching i hope you've had
10:00 - 10:03

fun learning about firewall auditing
10:03 - 10:04

please leave a like and any questions
10:04 - 10:09

down in the comment section below thanks
10:21 - 10:23

you

Title:: How to Audit a Firewall | GRC | Cybersecurity
Description:: more » « less
Video Language:: English
Duration:: 10:22

	OEVIDEOS edited English subtitles for How to Audit a Firewall \| GRC \| Cybersecurity
	OEVIDEOS edited English subtitles for How to Audit a Firewall \| GRC \| Cybersecurity

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

How to Audit a Firewall | GRC | Cybersecurity

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)