A growing number of regulations and standards related to information security, such as PCI DSS, Sarbanes-Oxley (SOX), the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and ISO 27001, have forced businesses to place greater emphasis on compliance and on regular auditing of security policies and controls.
While regulatory and internal controls cover a wide range of security controls, the firewall stands out because it is the first and foremost line of defense between the public Internet and the corporate network.
Therefore, it is now standard practice to perform regular and thorough audits of your firewalls. A firewall audit checklist not only ensures that your firewall configurations and rules comply with external regulations and internal security policies; it can also reduce risk and improve firewall performance by optimizing the firewall rule base.
In today’s complex, multi-vendor network environments, there are often dozens or hundreds of firewalls running. Firewall administrators manually performing the audit process must rely on their own experience and expertise to determine whether a particular firewall rule should be included in the configuration file.
Furthermore, documentation of existing rules and of how they have evolved is frequently lacking. The time and resources needed to locate, edit, and review every firewall rule in order to determine the level of compliance place a significant burden on IT staff.
As networks grow in complexity, control becomes more cumbersome, and manual processes cannot keep up. That is why automating the firewall audit process is crucial: compliance needs to be continuous, not demonstrated only at a specific point in time.
The firewall audit process is demanding. Each new rule needs to be analyzed and simulated before it can be applied. A complete and accurate audit log of each change should be kept.
Below is a firewall audit checklist covering firewall auditing, optimization, and change management processes and procedures. It is not an exhaustive list that every organization must follow, but it highlights critical areas that need to be addressed when performing a firewall audit.
Our checklist groups many items under nine main headings, but keep in mind that some items may not apply to every organization, and others may need to be added.
1. Gather Firewall Key Information Before Beginning the Audit
A firewall audit has little chance of success without visibility into the network, including software, hardware, policies, and risks. Below are examples of the basic information needed to plan firewall audit work:
- Obtain previous audit reports.
- Obtain the Internet policy, standards, and procedures relevant to firewall inspection.
- Obtain access to the firewall logs so that they can be analyzed against the rule base to determine which rules are actually being used.
- Obtain existing network diagrams and define firewall topologies.
- Get reports and documentation from previous audits, including firewall rules, objects, and policy revisions.
- List all Internet Service Providers (ISPs) and Virtual Private Networks (VPNs).
- Understand the ISP and VPN contracts.
- Determine whether methods other than the firewall are used to access the Internet.
- Obtain all relevant firewall vendor information, including the operating system version, the most recent patches, and the default configuration.
- Understand the value of all critical servers and repositories on the network.
2. Check Firewall Access Controls
Firewalls sit between a router and application servers to provide access control. Firewalls were initially used to protect a trusted network from an untrusted network, but these days they are increasingly used to protect application servers on their own networks from untrusted networks.
In this context, you need to establish robust firewall access control and audit it regularly.
- Is there a formal process or controls to authorize employees and non-employees to use the Internet, and what access levels are granted?
- Evaluate the timeliness and completeness of the methods used.
- Is there a password policy and are password control features implemented for all accounts?
- Have default accounts been disabled or default passwords changed from vendor-supplied values?
- Get a list of users with firewall access and compare it to documented approved requests.
- Can each user be uniquely identified?
- Evaluate whether the authentication methodologies used are effective.
- Is access granted to outsourced (third-party) personnel, and how is it controlled?
- Is the list of users who have access to the Internet reviewed periodically? When was the last review done?
- Are there periodic reviews of inactive accounts? What are the measures taken to resolve conflicts?
3. Review Firewall Change Management Process
An effective change management process is required to ensure that firewall changes are executed and traced correctly and provide ongoing compliance. Information such as why each change is needed and who authorized the change should be specified in firewall changes.
Also, poor documentation of changes and insufficient verification of the impact of each change on the network are two of the most common problems when it comes to change control.
- Review change management procedures on a per-rule basis. A few essential questions to explore include:
  - Do the requested changes undergo appropriate approvals?
  - Are changes implemented by authorized personnel?
  - Are changes being tested?
  - Are changes documented against regulatory or internal policy requirements? Each firewall rule should have a comment with the name of the person who applied the change.
  - Is there an expiration date for the firewall changes?
- Check to see if there is a formal and controlled process in place for reviewing, approving, and implementing firewall changes. This procedure should include at the very least the following steps:
  - The business purpose for the change request
  - Duration (timeframe) for the new/modified rule
  - Evaluation of potential risks associated with the new/amended rule
  - Formal approval of the new/amended rule
  - Assignment to the appropriate administrator for implementation
  - Verification that the change has been tested and implemented correctly
- Determine if all changes are allowed and flag unauthorized rule changes for further investigation.
- Determine whether real-time monitoring of changes to the firewall is enabled and authorized requesters, administrators, and stakeholders are granted access to rule change notifications.
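The checks in this section (authorized changes only, a comment naming the person who applied each change, and an expiration date on each rule) can be scripted against rule-base exports. The script below is an added example, not code from the article or from any firewall vendor: it compares a constructed "before" and "after" snapshot of a rule base with a constructed list of approved change tickets and reports unauthorized changes, rules without an owner comment, and allow rules that have no expiry or have already expired. The rule tuple layout, the `CHG-nnn <user>` comment convention and the ticket records are assumptions for the example; a real export and comment convention are organization- and vendor-specific.

```python
"""Change-control checks for a firewall rule base (added example, not from the article)."""
import re
from datetime import date

# Each rule: id -> (source, destination, service, action, comment, expires)
# Constructed snapshots taken before and after a change window.
BEFORE = {
    10: ("10.0.0.0/8", "10.1.1.5", "tcp/443", "allow", "CHG-101 jdoe 2023-01-10", "2025-12-31"),
    20: ("any", "10.1.2.0/24", "tcp/22", "allow", "CHG-102 asmith", "2024-01-31"),
    30: ("10.0.0.0/8", "any", "any", "deny", "baseline", None),
}
AFTER = {
    10: ("10.0.0.0/8", "10.1.1.5", "tcp/443", "allow", "CHG-101 jdoe 2023-01-10", "2025-12-31"),
    20: ("any", "10.1.2.0/24", "tcp/22", "allow", "CHG-102 asmith", "2024-01-31"),
    30: ("10.0.0.0/8", "any", "any", "deny", "baseline", None),
    40: ("any", "10.1.3.7", "tcp/3389", "allow", "CHG-205 bwong", "2026-06-30"),
    50: ("10.2.0.0/16", "10.1.4.0/24", "tcp/445", "allow", "temp fix", None),
}
# Constructed approval records: ticket id -> set of rule ids the ticket authorizes.
APPROVED = {"CHG-205": {40}}

# Comment convention assumed for this example: the ticket id followed by the
# login of the administrator who applied the change.
OWNER_RE = re.compile(r"^CHG-\d+\s+\S+")


def diff_rules(before, after):
    """Map each changed rule id to 'added', 'removed' or 'modified'."""
    changes = {}
    for rid in before.keys() | after.keys():
        if rid not in after:
            changes[rid] = "removed"
        elif rid not in before:
            changes[rid] = "added"
        elif before[rid] != after[rid]:
            changes[rid] = "modified"
    return changes


def unauthorized_changes(before, after, approved):
    """Rule ids that changed without an approved ticket covering them."""
    covered = set()
    for rule_ids in approved.values():
        covered |= rule_ids
    return sorted(rid for rid in diff_rules(before, after) if rid not in covered)


def rules_missing_owner(rules):
    """Rule ids whose comment does not record the ticket and the administrator."""
    return sorted(rid for rid, r in rules.items() if not OWNER_RE.match(r[4]))


def expiry_findings(rules, today):
    """Allow rules with no expiry date, or with an expiry date before `today` (ISO string)."""
    audit_date = date.fromisoformat(today)
    findings = {}
    for rid, (_, _, _, action, _, expires) in rules.items():
        if action != "allow":
            continue  # the final deny has no business reason to expire
        if expires is None:
            findings[rid] = "no expiry"
        elif date.fromisoformat(expires) < audit_date:
            findings[rid] = "expired"
    return findings


if __name__ == "__main__":
    audit_date = "2025-03-01"  # constructed audit date
    print("unauthorized changes:", unauthorized_changes(BEFORE, AFTER, APPROVED))
    print("missing owner/ticket:", rules_missing_owner(AFTER))
    print("expiry findings:     ", expiry_findings(AFTER, audit_date))
```

Rule 50 is the one an auditor wants to see first: it appeared without a ticket, its comment names nobody, and it never expires. Rule 20 is still authorized but its expiry has passed, which is exactly the case the "expiration date" question above is meant to catch.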
4. Evaluate the Firewall Monitoring Process
Monitoring the activity of your firewalls means keeping track of data such as current rule configurations, alerts, and event logs. In particular, keeping track of existing rule configurations is essential for monitoring accesses and identifying legacy firewall rules that need to be removed or replaced.
Without monitoring your firewall, it is difficult to make informed decisions about firewall management and rule configurations.
In addition, security controls are required to ensure that firewall rules comply with the organization's own policies and with the external security regulations that apply to the network. Unauthorized firewall configuration changes that violate policy can put the firewall out of compliance. It is essential to perform regular security checks to ensure that unauthorized changes are not made.
Monitoring the firewall will also keep you updated on necessary changes made to the firewall and alert you to the potential risks posed by these changes. Security audits and monitoring are essential when a new firewall is installed, firewall traversal activity occurs, or bulk configuration changes are made to firewalls.
- Is an Intrusion Detection System (IDS) used?
- If IDS is not implemented, what is the scope of intrusion detection automation?
- What are the threats for which the response is automated?
- Are firewall activities recorded and logged?
- Are there firewall policies and procedures in place to monitor and respond to inappropriate behavior?
- Are the actions of personnel with privileged access to the firewall verified, monitored, and reviewed?
- Are logging and reporting procedures in place to monitor and act on any inappropriate activity?
- Are all inbound services, outbound services, and firewall access attempts that violate the policy logged and monitored?
- What tools are used to assist trend analysis?
- Are alarms set for important events or activities?
- Do the logs contain sufficient detail to establish accountability: user identity, transaction type, date, timestamp, and terminal location?
- Are logs maintained to prevent unauthorized changes?
- How long are logs kept?
- What media are the logs stored on, or where are they backed up?
- Is there an established process for reporting, tracking, evaluating, and resolving all incidents?
- What are the processes used to track and resolve incidents?
5. Clean Up and Optimize Firewall Rule Base
De-cluttering firewall rules and optimizing the rule base can significantly improve IT productivity and firewall performance. In addition, optimizing firewall rules can dramatically reduce many unnecessary burdens in the auditing process.
- Delete any useless firewall rules.
- Delete or disable expired and unused firewall rules and objects.
- Identify firewall rules that are disabled, inactive, or unused and should be removed.
- Assess the effectiveness and performance of the firewall rule order.
- Remove unused object references, including unused source, destination, and service entries.
- Identify and combine similar rules that can be incorporated into a single rule.
- Identify excessive permissive rules by analyzing actual policy usage against firewall logs. Adjust these rules according to policy and real usage scenarios.
- Analyze VPN parameters to identify unused users, unadded users, expired users, near-expiring users, unused groups, unadded groups, and expired groups.
- Enforce object naming conventions.
- Document rules, objects, and policy revisions for future reference.
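Several of the clean-up items above (unused rules, rule order, and similar rules that can be combined) can be found mechanically by joining the rule base with the firewall logs. The script below is an added example, not code from the article or from any vendor: it counts rule hits in a handful of constructed log lines, lists rules with no hits, finds rules that an earlier rule already fully covers (so they can never match and only slow down evaluation), and groups allow rules that differ only in service into merge candidates. The rule dictionaries and the `rule=<id>` log format are assumptions for the example; real log formats differ per product.

```python
"""Rule-base usage and optimization analysis (added example, not from the article)."""
import ipaddress
import re
from collections import Counter

# Constructed rule base, in the order the firewall evaluates it.
RULES = [
    {"id": 10, "src": "10.0.0.0/8", "dst": "10.1.1.5/32", "service": "tcp/443", "action": "allow"},
    {"id": 20, "src": "10.0.0.0/8", "dst": "10.1.1.5/32", "service": "tcp/80", "action": "allow"},
    {"id": 30, "src": "10.5.0.0/16", "dst": "10.1.2.0/24", "service": "tcp/22", "action": "allow"},
    {"id": 40, "src": "10.5.1.0/24", "dst": "10.1.2.0/24", "service": "tcp/22", "action": "allow"},
    {"id": 50, "src": "192.168.9.0/24", "dst": "10.1.7.0/24", "service": "tcp/1433", "action": "allow"},
    {"id": 60, "src": "any", "dst": "any", "service": "any", "action": "deny"},
]

# Constructed log sample; the only field the analysis relies on is rule=<id>.
LOG = """\
2025-03-01T10:00:01Z fw01 rule=10 action=allow src=10.0.5.4 dst=10.1.1.5 proto=tcp dport=443
2025-03-01T10:00:02Z fw01 rule=20 action=allow src=10.0.5.4 dst=10.1.1.5 proto=tcp dport=80
2025-03-01T10:00:05Z fw01 rule=30 action=allow src=10.5.2.9 dst=10.1.2.10 proto=tcp dport=22
2025-03-01T10:00:07Z fw01 rule=10 action=allow src=10.0.7.7 dst=10.1.1.5 proto=tcp dport=443
2025-03-01T10:00:09Z fw01 rule=60 action=deny src=172.16.3.3 dst=10.1.1.5 proto=tcp dport=23
""".splitlines()

LOG_RE = re.compile(r"\brule=(\d+)\b")


def rule_hits(log_lines):
    """Count how many log lines each rule id produced."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            hits[int(m.group(1))] += 1
    return hits


def unused_rules(rules, hits):
    """Rule ids that never matched in the log window: candidates for removal."""
    return [r["id"] for r in rules if hits.get(r["id"], 0) == 0]


def _covers(broad, narrow):
    """True if field value `broad` matches everything `narrow` matches."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    try:
        return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(broad))
    except ValueError:  # not an address field (e.g. a service such as tcp/22)
        return broad == narrow


def shadowed_rules(rules):
    """(rule id, earlier rule id) pairs where the earlier rule covers all of the later rule's traffic.

    A shadowed rule can never match regardless of its action, so it is dead weight
    in the rule order and should be removed or moved above the rule that hides it.
    """
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(_covers(earlier[f], later[f]) for f in ("src", "dst", "service")):
                out.append((later["id"], earlier["id"]))
                break
    return out


def mergeable_rules(rules):
    """Groups of allow rules with identical source and destination: candidates for one rule with a service group."""
    groups = {}
    for r in rules:
        if r["action"] == "allow":
            groups.setdefault((r["src"], r["dst"]), []).append(r["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


if __name__ == "__main__":
    hits = rule_hits(LOG)
    print("hits per rule:   ", dict(hits))
    print("unused rules:    ", unused_rules(RULES, hits))
    print("shadowed rules:  ", shadowed_rules(RULES))
    print("merge candidates:", mergeable_rules(RULES))
```

Two findings deserve different follow-up: rule 40 is unused because rule 30 already covers it (remove it), while rule 50 is unused with no structural reason, so the auditor should ask the owner whether the database access it permits is still needed before removing it. Hit counts over a short window can also mislead for rules that serve quarterly or annual jobs, so collect usage over a period long enough to cover such cycles.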
6. Check Firewall’s Physical and Operating System Security
It is essential to ensure that each firewall is both physically secure and hardened at the operating-system level, to protect against the most basic types of cyberattacks.
- Ascertain that the firewall and management servers are physically secure and have restricted access.
- Check that you have an up-to-date list of authorized personnel who have access to firewall server rooms.
- Check that all necessary vendor patches and updates have been installed.
- Make sure the operating system passes standard hardening checklists.
- Review the procedures used for device management.
7. Review Firewall Restore and Recovery Processes
Often, when you least expect it, firewalls can crash, human errors can occur, and disasters can strike. Your data is precious, and having a backup and recovery plan in place is a crucial part of running your business. The best way to decide what to back up and to understand what is valuable is to think about what would happen if you permanently lost some or all of your data, and how that would affect your organization.
- Is there a disaster recovery contingency plan?
- Have the recovery process and plans been tested?
- Examine the effectiveness of backup and recovery procedures, including retention.
- How often are backups made?
- Is encryption used when backing up?
- What are the results of the last successful backup test?
8. Evaluate Risk and Solve Problems You Identify
A comprehensive risk assessment required for any firewall audit will identify risky rules and ensure that the rules comply with internal policies and relevant standards and regulations.
Identify all potentially “risky” rules based on industry standards and best practices and prioritize them by severity. Risky rules may differ for each organization, depending on the network and the acceptable level of risk. Still, there are many frameworks and standards you can leverage that provide a good point of reference.
A few things to look for and verify in a firewall risk assessment include:
- Are there any firewall rules that violate your corporate security policy?
- Is there a firewall rule with “ANY” on the source, destination, service, protocol, application, or user fields and action allowed?
- Are there rules allowing risky services from your DMZ to your internal network?
- Are there any rules that allow risky Internet services?
- Is there a set of rules that allows risky services to be offered on the Internet?
- Is there a set of rules in place that allow direct traffic from the Internet to the internal network?
- Are there rules in place that allow Internet traffic to sensitive servers, networks, devices, or databases?
- Examine firewall rules and configurations against relevant regulatory or industry standards such as PCI DSS, SOX, ISO 27001, NERC CIP, and FISMA, as well as corporate policies that define critical hardware and software configurations.
- Document and assign an action plan to correct the risks and compliance exceptions found in the risk analysis.
- Verify that remediation work and rule changes are completed correctly.
- Track and document the completion of improvement work.
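The risk questions in this section translate directly into checks over a rule base, provided the rules carry zone information. The script below is an added example, not code from the article or from any vendor or framework: it runs over a constructed rule base and reports "any/any/any" allow rules, Internet traffic reaching internal networks or sensitive hosts, and risky services crossing from the DMZ to the internal network or exposed to the Internet, then orders the findings by severity. The rule layout, the zone names, the list of risky services and the severity assignments are assumptions for the example; which services count as risky, and how severe each finding is, should come from the organization's own policy and the standards it follows.

```python
"""Firewall rule risk assessment (added example, not from the article)."""
import ipaddress

# Constructed rule base with zone tags. Field value "any" is the wildcard.
RULES = [
    {"id": 10, "src_zone": "internet", "src": "any", "dst_zone": "dmz", "dst": "10.9.0.10/32", "service": "tcp/443", "action": "allow"},
    {"id": 20, "src_zone": "internet", "src": "any", "dst_zone": "internal", "dst": "10.1.2.0/24", "service": "tcp/3389", "action": "allow"},
    {"id": 30, "src_zone": "dmz", "src": "10.9.0.0/24", "dst_zone": "internal", "dst": "10.1.7.0/24", "service": "tcp/445", "action": "allow"},
    {"id": 40, "src_zone": "internal", "src": "10.0.0.0/8", "dst_zone": "internet", "dst": "any", "service": "tcp/80", "action": "allow"},
    {"id": 50, "src_zone": "any", "src": "any", "dst_zone": "any", "dst": "any", "service": "any", "action": "allow"},
    {"id": 60, "src_zone": "internet", "src": "any", "dst_zone": "internal", "dst": "10.1.7.20/32", "service": "tcp/1433", "action": "allow"},
    {"id": 70, "src_zone": "any", "src": "any", "dst_zone": "any", "dst": "any", "service": "any", "action": "deny"},
]

# Constructed inventory of sensitive hosts (the "value of critical servers" gathered in step 1).
SENSITIVE_HOSTS = {"10.1.7.20": "hr-database"}

# Services treated as risky for this example; the organization's policy defines the real list.
RISKY_SERVICES = {"tcp/23": "telnet", "tcp/21": "ftp", "tcp/445": "smb", "tcp/3389": "rdp", "tcp/1433": "mssql"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def _dst_hits_sensitive(dst, sensitive_hosts):
    """True if the destination field covers at least one sensitive host."""
    if dst == "any":
        return True
    net = ipaddress.ip_network(dst)
    return any(ipaddress.ip_address(h) in net for h in sensitive_hosts)


def assess(rules, sensitive_hosts):
    """Return (severity, rule id, description) findings, most severe first."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules do not grant access
        fields = (r["src"], r["dst"], r["service"])
        if all(f == "any" for f in fields):
            findings.append(("critical", r["id"], "any/any/any allow"))
        elif any(f == "any" for f in fields):
            findings.append(("medium", r["id"], "'any' in source, destination or service"))
        if r["src_zone"] == "internet":
            if _dst_hits_sensitive(r["dst"], sensitive_hosts):
                findings.append(("critical", r["id"], "Internet traffic to sensitive host"))
            elif r["dst_zone"] == "internal":
                findings.append(("high", r["id"], "direct Internet to internal network"))
        if r["service"] in RISKY_SERVICES:
            svc = RISKY_SERVICES[r["service"]]
            if r["src_zone"] == "dmz" and r["dst_zone"] == "internal":
                findings.append(("high", r["id"], f"risky service {svc} from DMZ to internal"))
            elif "internet" in (r["src_zone"], r["dst_zone"]):
                findings.append(("high", r["id"], f"risky service {svc} exposed to the Internet"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for severity, rid, text in assess(RULES, SENSITIVE_HOSTS):
        print(f"{severity:8} rule {rid}: {text}")
```

Rule 10 shows why the output is an input to human review rather than a verdict: a public web server necessarily accepts "any" source, so that medium finding is an accepted risk that should be recorded as such in the action plan, whereas rules 50 and 60 are the exceptions that need remediation tracked to completion.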
9. Continue the Firewall Audit Process
A successful firewall audit requires validation of secure configuration and regular audits to ensure continued compliance. Now that you’ve successfully audited and secured your firewall’s configuration, you must take the necessary steps to ensure ongoing compliance. Ascertain that a process for continuous auditing of firewalls is in place.
- Consider automating error-prone manual tasks such as analysis and reporting.
- Ensure that all audit procedures are appropriately documented, resulting in a complete audit trail of all firewall management activities.
- Ensure a robust firewall change workflow is in place to maintain compliance over time.
- Ensure that an alert system is in place for significant events or activities, such as changes to specific rules or the discovery of a new, high-severity risk in the policy.