Network security audits are getting a lot of coverage these days thanks to standards like SOX, PCI-DSS, and HIPAA. Even if you don't need to comply with any of those standards - yet - business relationships with partners or customers may require you to show that your network is secure. However, beyond compliance requirements, firewall audits are best practice for a very good reason. They increase your chances of catching weaknesses in your network security posture and finding places your policies need to be adapted. They also help prove you have been doing your due diligence in reviewing your security controls and policy controls, should you ever need to respond to a lawsuit, breach or regulatory issue that call your security standards into question.
To help you better understand the depth and breadth of a full firewall audit, we compiled the steps of a typical audit process. In our next tip, we'll take a closer look at several of these areas and dive into the technical details of the firewall policy audit.
The main steps of a firewall audit:
Review the company's firewall security policy
- If you're going to audit something, you need to know what you're looking for. Your company should have a written set of security guidelines that sum up policy for firewalls and related security infrastructure.
- If you need to comply with industry, government or regulatory standards, review those as well. Are those requirements reflected in your corporate security guidelines?
Review the company's firewall operations policies
- Your company should have defined the accepted procedures for firewall management including changes, approvals, accountability, and record keeping.
- Your company should have defined procedures for responding to firewall security incidents. What is the escalation procedure? Who is authorized to respond? How do you coordinate with law enforcement? How is the impact of an attack and its response coordinated with the business and communicated to customers and other relevant stakeholders?
Review the firewall administrators who are authorized to make changes
- Are they all still employees of the company?
- Are they all still on the firewall management team?
- Are they all properly trained in the technology?
- Do they receive ongoing technical training?
- Do you have a procedure for identifying and removing administrators who have either left the organization or no longer have firewall access rights? Is it connected to HR?
Review the firewall change procedures
- How are changes managed? What is the procedure that is used to receive requests, track them, approve them and verify completion?
- Who signs off on firewall changes? Is there a formal process in place for this? Is an audit trail maintained?
- How are unauthorized changes detected?
- Are all actual changes on the firewall captured? Is there a complete audit trail? Can you demonstrate accountability for every change?
- Collect a sample of firewall change requests and verify that they were implemented. Was the company's approval policy maintained? Are the changes documented is in the firewall rule base?
Review the firewall system design
- Is the firewall technology current? Does your organization have an established, documented procedure for technology upgrades?
- Have all of the latest software versions been installed? Are patches applied regularly? It does not need to be bleeding edge but 3 years is too long!
- Does the firewall rule base adequately protect the organization? If you are not sure, refer to the corporate security guidelines.
- Are the controls specified in the written Policy adequately enforced? Is it clear to you exactly HOW they are being enforced?
Review the firewall review process
- Is the rule base reviewed at least once a year, and preferably more often- ideally once a quarter?
- Are redundant rules identified and removed from the rule base?
- Are unused rules and objects identified and removed from the rule base?
- Are overly permissive rules flagged for investigation?
- Are risky traffic flows identified?
In our next tip, we'll look at the practical side of conducting a firewall audit and see how automated tools can help you to do them more quickly and efficiently. If there is something you think we left out, or if you have suggestions on how to perform firewall audits, we'd like to hear from you before our next tip.