Gather Key Information Prior to Starting the Audit
An audit has little chance of success without having visibility of your network, including software, hardware, policies and risks. The following are examples of key information required to plan the audit work:
  • Obtain copies of relevant security policies.
  • Obtain access to firewall logs that can be analyzed against the firewall rule base to understand what is actually being used.
  • Obtain a diagram of the current network and firewall topologies.
  • Obtain reports and documents of previous audits, including firewall rules, objects and policy revisions.
  • Identify all Internet Service Providers (ISP) and Virtual Private Networks (VPN).
  • Obtain all relevant firewall vendor information including OS version, latest patches and default configuration.
  • Understand all the key servers and key information repositories in the network and their relative values to the company.
Once you have gathered this information, how are you aggregating it and storing it? Spreadsheet compliance is a surefire way to make the audit process painful. Document, store and consolidate this important information in a way that enables collaboration with your IT counterparts. Then you can start reviewing policies and procedures and tracking their effectiveness in terms of compliance, operational efficiency and risk mitigation.
Review Your Change Management Process

A good change management process is essential to ensure proper execution and traceability of firewall changes, as well as sustainability over time to ensure continuous compliance rather than point-in-time compliance. Poor documentation of changes (including why the change is needed, who authorized the change, etc.) and poor validation of the impact on the network are two of the most common issues when it comes to change control.

  1. Review the procedures for rule-base maintenance. Just a few key questions to review include:
    • Are requested changes going through proper approvals?
    • Are changes being implemented by authorized personnel? And are they being tested?
    • Are the changes being documented per regulatory or internal policy requirements? Each rule should have a comment that includes the change ID of the request and the name/initials of the person who implemented the change.
    • Is there an expiration date for the change?
  2. Determine if there is a formal and controlled process in place to request, review, approve and implement firewall changes.

    Note: This process should include at least the following:

    • Business purpose for the request
    • Duration (time period) for the new/modified rule
    • Assessment of the potential risks associated with the new/modified rule
    • Formal approvals for the new/modified rule
    • Assignment to proper administrator for implementation
    • Verification that change has been tested and implemented correctly
  3. Determine whether or not all of the changes have been authorized, and flag any unauthorized rule changes for further investigation.
  4. Determine if real-time monitoring of changes to the firewall is enabled and access to rule change notifications is granted to authorized requestors, administrators and stakeholders.
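The comment convention above (change ID, implementer, expiration) is easy to check mechanically across an exported rule base. The following Python script is an added example, not part of the original checklist; the rule export format and the "CHG-nnnn / initials / expires YYYY-MM-DD" comment layout are assumptions, and the rules are constructed sample data.

```python
import re
from datetime import date

# Constructed rule export with the comment convention assumed above:
# change ticket id, implementer's initials and an optional expiry date.
RULE_COMMENTS = [
    {"id": "R1", "comment": "CHG-1042 / jd / expires 2030-01-31"},
    {"id": "R2", "comment": "temporary access for vendor"},        # no change id, no owner
    {"id": "R3", "comment": "CHG-0977 / mk / expires 2021-06-30"}, # past its expiry
    {"id": "R4", "comment": "CHG-1100 / al"},                      # no expiry recorded
]

# Assumed comment format; adjust to whatever convention the organisation enforces.
COMMENT_RE = re.compile(
    r"(?P<chg>CHG-\d+)\s*/\s*(?P<who>[a-z]{2,4})"
    r"(?:\s*/\s*expires\s+(?P<exp>\d{4}-\d{2}-\d{2}))?"
)

def audit_rule_comments(rules, today):
    """Return {rule id: [findings]} for rules whose comments fail the change-control convention.

    A rule with no change id cannot be traced to an approved request and is a
    candidate for the 'unauthorized change' investigation in step 3 above.
    """
    findings = {}
    for r in rules:
        m = COMMENT_RE.search(r.get("comment", ""))
        problems = []
        if not m:
            problems.append("no change id / implementer recorded")
        elif not m.group("exp"):
            problems.append("no expiration date")
        elif date.fromisoformat(m.group("exp")) < today:
            problems.append(f"expired {m.group('exp')}")
        if problems:
            findings[r["id"]] = problems
    return findings

if __name__ == "__main__":
    for rule_id, problems in audit_rule_comments(RULE_COMMENTS, date.today()).items():
        print(rule_id, "->", "; ".join(problems))
```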
Audit the Firewall Physical and OS Security
This is important to help protect against the most fundamental types of attack. If you define corporate baselines and report against them, you can be assured of always knowing the configuration status and how your firewalls stack up to policy.
  • Ensure firewall and management servers are physically secured with controlled access.
  • Ensure there is a current list of authorized personnel permitted to access the firewall server rooms.
  • Verify that all appropriate vendor patches and updates have been applied.
  • Ensure the operating system passes common hardening checklists.
  • Review the procedures used for device administration.
Cleanup and Optimize Your Rule Base
Removing firewall clutter and optimizing the rule base can greatly improve IT productivity and firewall performance. Additionally, optimizing firewall rules can significantly reduce unnecessary overhead in the audit process.
  • Delete covered rules that are effectively useless.
  • Delete or disable expired and unused rules and objects.
  • Identify disabled, time inactive and unused rules which are candidates for removal.
  • Evaluate the order of firewall rules for effectiveness/performance.
  • Remove unused connections, including specific source/destination/service routes that are not in use.
  • Detect similar rules that can be consolidated into a single rule.
  • Identify overly permissive rules by analyzing the actual policy usage against the firewall logs. Tune these rules as appropriate for policy and actual real use scenarios. For example, “ANY” might be used for the source address in several rules when actual traffic only originates from a handful of IP addresses.
  • Analyze VPN parameters to identify unused users, unattached users, expired users, users about to expire, unused groups, unattached groups and expired groups.
  • Enforce object naming conventions.
  • Document rules, objects and policy revisions for future reference.
Conduct a Risk Assessment and Remediate Issues
Essential for any firewall audit, a comprehensive risk assessment will identify risky rules and ensure that rules are compliant with internal policies and relevant standards and regulations.
  1. Identify any and all potentially “risky” rules, based on industry standards and best practices, and prioritize them by severity. What is “risky” can be different for each organization depending on the network and the level of acceptable risk, but there are many frameworks and standards you can leverage that provide a good reference point. A few things to look for and validate include:
    • Are there firewall rules that violate your corporate security policy?
    • Are there any firewall rules with “ANY” in the source, destination, service/protocol, application or user fields, and with a permissive action?
    • Are there rules that allow risky services from your DMZ to your internal network?
    • Are there rules that allow risky services inbound from the Internet?
    • Are there rules that allow risky services outbound to the Internet?
    • Are there rules that allow direct traffic from the Internet to the internal network (not the DMZ)?
    • Are there any rules that allow traffic from the Internet to sensitive servers, networks, devices or databases?
  2. Analyze firewall rules and configurations against relevant regulatory and/or industry standards such as PCI-DSS, SOX, ISO 27001, NERC CIP, Basel-II, FISMA and J-SOX, as well as corporate policies that define baseline hardware and software configurations to which devices must adhere. See Figure 4 below.
  3. Document and assign an action plan for remediation of risks and compliance exceptions found in risk analysis.
  4. Track and document that remediation efforts are completed.
  5. Verify that remediation efforts and any rule changes have been completed correctly.
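Several of the cleanup checks above (covered rules, unused rules, “ANY” sources that logs show are used by only a handful of addresses) and the first risk-assessment question (permissive rules with “ANY” in every field) can be run over an exported rule base and its logs. The Python below is an added example, not part of the original checklist; the rule dictionary layout and the key=value log line format are assumptions, and both the rules and the log lines are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed rule base (ordered, first match wins); "ANY" matches everything in a field.
RULES = [
    {"id": "R1", "src": "10.10.0.0/24", "dst": "203.0.113.10/32", "svc": "tcp/443", "action": "accept"},
    {"id": "R2", "src": "ANY", "dst": "203.0.113.20/32", "svc": "tcp/22", "action": "accept"},
    {"id": "R3", "src": "10.10.0.8/32", "dst": "203.0.113.10/32", "svc": "tcp/443", "action": "accept"},
    {"id": "R4", "src": "ANY", "dst": "ANY", "svc": "ANY", "action": "accept"},
    {"id": "R5", "src": "192.168.5.0/24", "dst": "203.0.113.30/32", "svc": "udp/53", "action": "accept"},
]

# Constructed log lines (assumed key=value style); only the matched rule id and source are used.
LOGS = """\
rule=R1 src=10.10.0.4 dst=203.0.113.10 svc=tcp/443 action=accept
rule=R2 src=10.20.1.5 dst=203.0.113.20 svc=tcp/22 action=accept
rule=R2 src=10.20.1.6 dst=203.0.113.20 svc=tcp/22 action=accept
rule=R4 src=172.16.9.9 dst=198.51.100.7 svc=tcp/8080 action=accept
""".splitlines()
LOG_RE = re.compile(r"rule=(\S+) src=(\S+)")

def covers(field, outer, inner):
    """True if `outer` matches everything `inner` matches in this rule field."""
    if outer == "ANY" or outer == inner:
        return True
    if inner == "ANY" or field == "svc":   # services are compared literally
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def shadowed_rules(rules):
    """Ids of 'covered' rules: an earlier rule matches everything they match, so they never fire."""
    return [r["id"] for i, r in enumerate(rules)
            if any(all(covers(f, e[f], r[f]) for f in ("src", "dst", "svc")) for e in rules[:i])]

def usage_findings(rules, logs, max_sources=5):
    """Unused rule ids, plus ANY-source rules whose observed sources fit a short allow-list."""
    sources = defaultdict(set)
    for m in filter(None, map(LOG_RE.match, logs)):
        sources[m.group(1)].add(m.group(2))
    unused = [r["id"] for r in rules if r["id"] not in sources]
    tighten = {r["id"]: sorted(sources[r["id"]]) for r in rules
               if r["src"] == "ANY" and 0 < len(sources[r["id"]]) <= max_sources}
    return unused, tighten

def risky_any_rules(rules):
    """Permissive rules with ANY in source, destination and service (risk-assessment check)."""
    return [r["id"] for r in rules
            if r["action"] == "accept" and all(r[f] == "ANY" for f in ("src", "dst", "svc"))]
```

Note that R4 (ANY/ANY/ANY accept) both shows up as a risky rule and shadows every rule placed after it, which is why R5 is reported as covered as well as unused.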
Ongoing Audits
Now that you have successfully audited your firewall and secured its configuration, you need to make sure the proper steps are in place to ensure continuous compliance.
  • Ensure a process is established for continuous auditing of firewalls.
  • Consider replacing error-prone manual tasks with automated analysis and reporting.
  • Ensure all audit procedures are properly documented, providing a complete audit trail of all firewall management activities.
  • Make sure that a solid firewall change workflow is in place to sustain compliance over time.

    Note: This is purposely repetitive of Audit Checklist item #2 because without change management, you won’t be able to ensure continuous compliance – you will go through the cleanup and optimization at a point in time, but a month later you may no longer be compliant.

  • Ensure there is an alerting system in place for significant events or activities, such as changes in certain rules or the discovery of a new, high severity risk in the policy.