Last updated August 21st, 2024 by Erez Tadmor
From PCI-DSS 4.0 to HIPAA and GDPR, an organization’s network security integrity is held to some pretty high standards. While network audits cover an organization’s entire network infrastructure, a firewall audit is critical to determining whether an entity is prepared to protect its network from unauthorized access and potential threats.
How does an organization conduct the right kind of firewall audit so they know – with confidence – it can meet compliance needs, reduce audit fines, and better secure its network? It starts with asking the right questions.
This firewall audit checklist provides clarity and direction, covering the questions security leaders need to ask.
The Basics
In cybersecurity, when the “house” – including its “walls”, or firewalls 😉 – is in order, it’s a beautiful thing. Vulnerabilities are more likely to be identified, and organizations quickly spot the situations where adjustments to information security policy are needed. These basic steps – questions addressing policy, people, procedures, and process – are the perfect “foundation”.
Review Firewall Security Policy
Before an audit kicks off, security/executive leaders must understand the specific criteria being investigated. This requires organizations to possess a documented set of security guidelines outlining policies for firewalls and associated security infrastructure.
Compliance (government, regulatory and/or industry standards) is required, and those standards must be reviewed to ensure alignment with guidelines.
- Does a documented set of security guidelines exist?
- Do the guidelines outline policies for firewalls?
- Do these guidelines align with regulatory compliance standards?
Review Firewall Operations Policies
Every organization needs well-defined incident response workflow protocols pertaining to firewall security. These protocols must include (1) escalation procedure details, (2) authorized responders, (3) the process for coordinating with law enforcement, and (4) an established framework for coordinating the impact of cyberattacks on the business and the response.
- What is the incident response escalation (and remediation) procedure?
- Who is authorized to respond to a firewall security incident?
- How does the incident response team coordinate with law enforcement?
- What is the framework for coordinating the impact of an attack on the business and the response?
Review Who’s Authorized to Make Firewall Changes
Organizations must address who is authorized to review, edit, and/or change the above policies, and when and how to review or change who has that access.
- Who is authorized to make changes to organizational security policy?
- Are these individuals employees and/or active members of the firewall management team?
- Are the authorized parties adequately trained, and do they take part in continuing education/ongoing training?
- Is there an established procedure for identifying and removing firewall administrators – and/or access rights – in light of departures or organizational changes? Is it integrated with HR protocols?
Review Firewall Change Procedures
Focus should then turn to how any changes to a firewall are to be implemented.
- Was the company’s approval policy adhered to?
- Are the changes appropriately documented in the firewall rulebase?
- What procedure is employed for receiving, tracking, approving, and verifying the completion of change requests?
- Is there a formalized change management process with a documented audit trail?
- What mechanisms are in place for detecting unauthorized changes?
- Can accountability for each change be demonstrated?
Review the Firewall System Design
With a healthy understanding of the above, the next focus is the firewalls themselves.
- Is firewall technology up to date?
- Are the latest software versions installed? Are patches applied regularly?
- Is there a well-defined and documented procedure in place for upgrades?
- Does the firewall rulebase sufficiently safeguard the organization? (Not sure? Reference the corporate security guidelines!)
- Are the security controls outlined in the written policy effectively enforced? Do all personnel understand the methods through which they are being enforced?
Assess the Firewall Review Process
Lastly, look at how – and how frequently – the above items are to be reviewed.
- Does the rulebase undergo thorough review, risk assessment, and cleanup at least annually (preferably/ideally every quarter)?
- Are unused and/or redundant rules promptly identified and removed from the rulebase?
- Are overly permissive rules appropriately flagged for further investigation?
- Do you actively identify and assess risky traffic flows within the rule base?
Part 2: Auditing Your Rulebase
With “the house in order”, the second phase in a firewall security audit process is examining your rulebase. This is critical to understanding whether firewall operations are both auditable and repeatable.
Rules and rulesets dictate how to handle inbound and outbound network traffic, which also determines how traffic across the network is managed (East-West, segmentation, etc.), and, in turn, regulates access to subnets AND ensures a secure network.
There are 4 essential firewall rules to prioritize:
- Deny All: deny all traffic unless explicitly permitted, thwarting unauthorized access and potential denial-of-service attacks.
- Least Privilege: permit only necessary network connections based on specific IP addresses, denying all other connections, ensuring secure access to network devices.
- Explicit Allow: grant access to specific network traffic based on criteria such as source and destination addresses, type of service, TCP/UDP protocol, and authentication.
- Stateful Inspection: actively monitor the state of network connections, using the information to discern which network packets should be allowed through the firewall.
Simply put, for the purposes of this checklist:
- Have the essential firewall rules been implemented, in conjunction with monitoring firewall logs?
Checking the box above contributes to maintaining data security, controlling bandwidth, and bolstering your network’s overall security posture.
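To show what the rulebase checks from the review questions above (unused, redundant, overly permissive rules, and an explicit deny-all at the end) look like in practice, here is an added example that is not Tufin's code or part of the original post. It runs against a small, constructed rulebase; the `Rule` fields, the hit counters and the CIDR values are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"  # "any" source or destination


@dataclass
class Rule:
    rid: str
    src: str        # CIDR; ANY for any source
    dst: str        # CIDR; ANY for any destination
    service: str    # e.g. "tcp/443", or "any"
    action: str     # "allow" or "deny"
    hits: int = 0   # constructed hit counter, as a firewall would report


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.service in ("any", inner.service))


def audit(rules: list[Rule]) -> dict[str, list[str]]:
    """Apply the checklist items to an ordered rulebase (first match wins)."""
    findings = {k: [] for k in ("no_default_deny", "overly_permissive", "shadowed", "redundant", "unused")}
    last = rules[-1] if rules else None
    # Deny All: the rulebase must end with an explicit any/any/any deny
    if not (last and last.action == "deny" and last.src == ANY and last.dst == ANY and last.service == "any"):
        findings["no_default_deny"].append("rulebase does not end with an explicit deny-all")
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == ANY and r.dst == ANY and r.service == "any":
            findings["overly_permissive"].append(r.rid)      # any/any/any allow
        if r.hits == 0 and r is not last:
            findings["unused"].append(r.rid)                 # zero hits: candidate for removal
        for earlier in rules[:i]:                            # first earlier rule that fully covers r
            if covers(earlier, r):
                key = "redundant" if earlier.action == r.action else "shadowed"
                findings[key].append(f"{r.rid} by {earlier.rid}")
                break
    return findings


# Constructed sample rulebase, not taken from any real device
RULEBASE = [
    Rule("R1", "10.0.1.0/24", "10.0.2.10/32", "tcp/443", "allow", hits=1200),
    Rule("R2", "10.0.1.0/24", "10.0.2.0/24", "tcp/443", "allow", hits=40),
    Rule("R3", "10.0.1.50/32", "10.0.2.10/32", "tcp/443", "allow", hits=0),  # inside R1, never hit
    Rule("R4", ANY, ANY, "any", "allow", hits=9000),                        # overly permissive
    Rule("R5", "192.168.5.0/24", "10.0.3.0/24", "tcp/22", "deny", hits=0),   # never reached after R4
    Rule("R6", ANY, ANY, "any", "deny", hits=31),                           # explicit deny-all
]

if __name__ == "__main__":
    for check, items in audit(RULEBASE).items():
        print(f"{check}: {items}")
```

Note that the explicit deny-all (R6) is itself reported as shadowed by R4: an any/any/any allow placed above it makes the deny-all unreachable, which is exactly the kind of finding a quarterly rulebase review should surface.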
Best Practices
A firewall security checklist provides the proper tools to assess and enhance the security posture of an organization’s infrastructure, empowering it with necessary insights and guidelines. By addressing network segmentation, change management, compliance adherence, access control policies, logging and monitoring, and the overall rulebase, organizations will be on a clear path to meeting security goals and improving compliance ratings.
These best practices will ensure you are consistently meeting your firewall security standards and rules:
- Perform regular firewall audits and drive continuous compliance at the network level
Routine audits are crucial to pinpointing misconfigurations, tracking policy changes, and ensuring optimal firewall device functionality. These audits are vital for administrators overseeing host-based or web server firewalls, particularly on Microsoft/Windows operating systems.
- Establish a proper, complete firewall policy
A comprehensive policy is essential for effective management, covering router configuration, remote access, and gateway security. And it’s critical for achieving PCI DSS 4.0 compliance.
- Deploy advanced firewall solutions
Solutions like SecureTrack+ provide visibility and in-depth analysis of firewall configurations, enhancing security management and defense against threats like denial-of-service attacks.
Questions? Curiosities? Tufin helps minimize the risk of failed audits, enables organizations with automatically generated customizable audit reports, and offers support for thousands of firewalls – as well as internal network devices and cloud resources – through one consolidated platform. Not sure where, how, and/or if to start? Book a demo or reach out to your account manager.