CyberSecOn recognizes the importance of firewall audits, which are a top priority for most organizations because of standards such as PCI-DSS, ISO 27001 and SOX. Firewall audits are required not only to meet those standards, but also to demonstrate to business partners that your network is secure.
Our Firewall Audit checks for:
- Whether best practices are being followed
- Weaknesses in policies that, once addressed, improve the network security posture
- Policy changes required by the applicable standards
Change Process Audit
This audit reviews the change process, including change documentation, the standard backup and recovery procedures in place, and the approval mechanism. We compare the documented process with actual change practice and document the gaps. Some questions asked during this audit include:
- Is the requester recorded and do they have authorisation to make firewall change requests?
- Has the business reason for the change been recorded?
- Are the correct reviewer and approval signatures present (electronic or physical)?
- Was the change only implemented after the approvals had been recorded?
- Do the approvers have the authorisation to approve firewall changes?
- Does the change ticket document the change well?
- Is there risk analysis documentation for each change?
- Has the change window and/or install date for the change been recorded?
- Is there proper backup and restore documentation?
Rule Base Audit
The audit varies with the technology used and the placement of the firewall within the company. For example, firewalls connected to the internet are generally at much greater risk than those that are not, and internal firewalls are often more permissive than external ones. This audit goes into the details of the questions below:
- How many rules are there compared to the last audit/year?
- Are there any rules without comments?
- Are there any rules that are redundant and should be removed?
- Are any rules unused?
- Are any services within the rules no longer used?
- Are there any unused groups or networks in the rules?
- Are there any firewall rules with ANY in the source, destination and service/protocol fields with a permissive action?
- Are there any rules with a permissive action and ANY in two fields?
- Are there any rules with a permissive action and ANY in one field?
- Are there any overly permissive rules, for example, rules with more than 1000 IP addresses allowed in the source or destination?
Risk and Compliance Audit
This audit checks for compliance issues based on the client's security policy and risk appetite. Some questions asked in the audit are:
- Are any rules in violation of the company’s security policy?
- Are there any rules that allow inbound risky services from the internet, such as services that pass login credentials in the clear (telnet, ftp, pop, imap, http, netbios, etc.)?
- Are there any rules that allow outbound risky services to the internet?
- Do any rules allow direct traffic from the Internet to access the internal network (not the DMZ)?
- Do any rules allow traffic from the Internet to networks, sensitive servers, devices or databases?
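The rule-base and risk checklists above, turned into an automated audit pass over a constructed sample rule base. This is an added example, not CyberSecOn's own tooling; the rule fields (src_zone, dst_zone, src, dst, service, action, comment, hits), the finding labels and the sample addresses are assumptions.

```python
import ipaddress

# Services that pass login credentials in the clear (from the risk checklist above).
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop", "imap", "http", "netbios"}
ADDRESS_LIMIT = 1000  # "more than 1000 IP addresses" threshold from the checklist

# Constructed sample rule base, not a real customer configuration; field names are assumptions.
SAMPLE_RULES = [
    {"name": "r1", "src_zone": "internet", "dst_zone": "dmz", "src": "any", "dst": ["203.0.113.10/32"],
     "service": "https", "action": "permit", "comment": "public web server", "hits": 1200},
    {"name": "r2", "src_zone": "internet", "dst_zone": "internal", "src": "any", "dst": "any",
     "service": "any", "action": "permit", "comment": "", "hits": 0},
    {"name": "r3", "src_zone": "internet", "dst_zone": "internal", "src": "any", "dst": ["10.0.0.0/16"],
     "service": "telnet", "action": "permit", "comment": "legacy management", "hits": 5},
    {"name": "r4", "src_zone": "any", "dst_zone": "any", "src": "any", "dst": "any",
     "service": "any", "action": "deny", "comment": "cleanup rule", "hits": 99},
]

def address_count(field):
    """Hosts covered by an address field: 'any' or a list of CIDR strings."""
    if field == "any":
        return float("inf")
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in field)

def audit_rule(rule):
    """Return the checklist findings that apply to one rule (empty list means clean)."""
    findings = []
    if rule["action"] == "permit":
        # ANY in one, two or all three of source/destination/service with a permissive action
        anys = sum(1 for f in (rule["src"], rule["dst"], rule["service"]) if f == "any")
        if anys:
            findings.append(f"permit-with-any-in-{anys}-fields")
        for side in ("src", "dst"):  # explicit lists covering more than 1000 addresses
            if rule[side] != "any" and address_count(rule[side]) > ADDRESS_LIMIT:
                findings.append(f"overly-permissive-{side}")
        if rule["src_zone"] == "internet" and rule["dst_zone"] == "internal":
            findings.append("internet-to-internal")  # direct access that bypasses the DMZ
        if rule["src_zone"] == "internet" and rule["service"] in CLEARTEXT_SERVICES:
            findings.append("inbound-cleartext-service")
    if not rule["comment"]:
        findings.append("no-comment")
    if rule["hits"] == 0:
        findings.append("unused")
    return findings

def audit(rules):
    """Map each rule name to its findings, omitting rules that are clean."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}
```

Redundant-rule and unused-object checks need the full object database and rule ordering, so they are deliberately left out of this pass.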