Firewall compliance audits are getting a lot of coverage these days thanks to standards such as SOX, PCI DSS, and HIPAA. Even if no specific firewall compliance standard applies to you, business relationships with partners or customers may still require you to prove that your network is secure.
Beyond compliance requirements, firewall policy analysis is a best practice and an important mechanism for understanding your current security posture. Performing a firewall audit increases your chances of catching weaknesses and finding blind spots and dark zones where your policies need to adapt. Audits also help prove you have been doing your due diligence; often, an audit finding corrects policies and procedures that are incorrectly documented or omitted.
Here are 5 steps to help you use audits to ensure firewall policy compliance.
1. Identification: Know your Network
Knowing what you have in your environment is the cornerstone of your security practice and, ultimately, the success of your audit. Large, complex enterprises understandably struggle with managing complex, fast-changing environments – what you don’t know can hurt you. Dark zones and blind spots in your network only serve to give an auditor reason to question your security posture.
The problem of unauthorized, rogue, and insecure connections between the enterprise and the Internet continues to plague network and security managers alike. Disparate security management tools for cloud and physical networks limit the visibility of shadow networks and cloud instances that may harbor unknown threats. These backdoors give critical data a path out of the network that bypasses your security controls.
Ask yourself these questions to ensure that you know every part of your network environment:
- What is your presumed list of endpoints/network devices?
- Can you demonstrate that your asset management is robust and up to date?
- How do you discover additional or new devices added to the network?
- Can you detect unauthorized forwarding devices (Layer 2/Layer 3)?
- Are there unknown or non-responding networks in your environment?
- Have you identified any paths that may leak data around your security controls?
- If you must supply credentials to your network devices, are these credentials documented? Are they rotated regularly?
- Have you identified and documented all zones that keep sensitive data per regulatory requirements?
- Do you have a complete document of “Network Source of Truth” and topology map?
Discover More in Your Network
FireMon provides real-time visibility, vulnerability, and risk management that enables cloud, network, and security teams to find and secure unknown, rogue and shadow clouds, network infrastructure, and endpoints.
With FireMon, you:
- Eliminate 100% of your blind spots and monitor changes or unusual behaviors to eliminate any gaps in coverage that may leave you exposed.
- Discover, map, and alert on topology changes across the entire hybrid enterprise, including multi-cloud environments.
- Monitor the hybrid infrastructure for telltale signs of nefarious activity and prioritize findings for investigation and remediation.
- Find inbound and outbound leak paths to the Internet, virtual private cloud
2. Assessment: Evaluate the Change Process
A good change management process is essential to ensure proper execution and traceability of changes, and to sustain continuous firewall compliance over time. 83% of all unplanned network outages are caused by mistakes made during an approved change; 70% of these mistakes are firewall related.
The goal of this step is to make sure that requested changes were adequately approved, implemented, and documented. Consider the following questions when auditing firewall change:
- Is the requester documented, and is s/he authorized to make firewall change requests?
- Is the business reason for the change documented?
- Are there proper reviewers and approval signatures (electronic or physical)?
- Were the approvals recorded before the change was implemented?
- Are the approvers all authorized to approve firewall changes (you will need to ask for a list of authorized individuals)?
- Are the requested changes well documented in the change ticket?
- Has there been an assessment of the potential risks associated with the new/modified rule?
- Is there documentation of the change window and install date for each change? Is there an expiration date for the change?
- Is there verification and documentation that changes were tested and implemented correctly?
- Are you monitoring firewall updates in real time to verify execution?
Streamline Your Policy Management
FireMon policy automation delivers a comprehensive blueprint for security processes that accelerates and streamlines policy management and intelligently upgrades your approval workflows.
FireMon simplifies your processes by:
- Integrating seamlessly with your existing ticketing systems to enable new requests to filter directly into our change automation platform and customizing request forms to ensure all relevant change information is captured up front.
- Delivering a comprehensive set of security policy change automation capabilities that drive smart security process automation to effectively address your unique use cases, infrastructure, or compliance requirements.
- Providing insight into any requests that would create duplicate rules, as well as any rules that allow similar access to a new request. These efforts work to reduce complexity and increase the efficiency of your hybrid cloud security.
- Performing a pre-change impact analysis that simulates a potential rule change and analyzes its impact on compliance and security.
Discover how automated security assessments & cleanup helped a Fortune 500 media company reach over $2 million in annual cost savings over manual processes.
3. Mitigation: Review the Policy Rule Base
The next logical step is usually a review of the firewall rule base or policies. The methodology for this step varies widely among auditors because it has traditionally been challenging to do and heavily technology dependent.
Keep these issues in mind when preparing to clean up your rule base:
- How many rules does the policy have? How many did it have at the last audit? Last year?
- Are there any undocumented rules?
- Are there any redundant rules that should be removed?
- Are there any rules that are no longer used?
- Are there any services in the rules that are no longer used?
- Are there any groups or networks in the rules that are no longer used?
- Are there any firewall rules with ANY in all three critical fields (source, destination, service/protocol) and a permit action?
- Are there any overly permissive rules with more than 1000 IP addresses allowed in the source or destination?
Prioritize Risk When Reviewing Your Rule Base
When reviewing your firewall rule base, it’s essential to prioritize risk by using firewall auditing software to identify rules that may expose your network to potential threats or violate corporate security policies.
- Are there any rules that violate your corporate security policy?
- Are there any rules that allow risky services inbound from the Internet, e.g., protocols that pass login credentials in the clear such as Telnet, FTP, POP, IMAP, HTTP, and NetBIOS?
- Are there any rules that allow risky services outbound to the Internet?
- Are there any rules that allow direct traffic from the Internet to the internal network, excluding the demilitarized zone (DMZ)?
- Are there any rules that allow traffic from the Internet to sensitive servers, networks, devices, or databases?
- Analyze firewall rules and configurations against relevant regulatory and/or industry standards such as PCI-DSS, SOX, ISO 27001, NERC-CIP, Basel-II, FISMA and J-SOX.
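The rule-base questions above (ANY/ANY/ANY permits, overly broad address ranges, unused rules, duplicates) and the risk-prioritization questions (cleartext services exposed to the Internet, Internet-to-internal rules that skip the DMZ) can be mechanized. The script below is an added example, not FireMon code or a vendor export format: it runs those checks over a constructed, vendor-neutral rule base. The field names (src_zone, src, dst_zone, dst, service, action, hits), the zone names "internet", "dmz" and "internal", and the 1000-address threshold are assumptions for the example.

```python
"""Rule-base review checks over a constructed sample policy (added example)."""
import ipaddress

# Services that carry credentials in the clear (from the checklist above).
CLEARTEXT_SERVICES = {"telnet", "ftp", "pop3", "imap", "http", "netbios"}
BROAD_THRESHOLD = 1000  # addresses on one side before a rule is "overly permissive"

# Constructed sample rule base, not a real policy. The fields are a simplified
# abstraction of a typical vendor export; 'hits' is the rule usage counter.
SAMPLE_RULES = [
    {"name": "web-in", "src_zone": "internet", "src": "any",
     "dst_zone": "dmz", "dst": "203.0.113.10/32", "service": "https",
     "action": "permit", "hits": 91234},
    {"name": "legacy-ftp", "src_zone": "internet", "src": "any",
     "dst_zone": "dmz", "dst": "203.0.113.20/32", "service": "ftp",
     "action": "permit", "hits": 3},
    {"name": "vendor-rdp", "src_zone": "internet", "src": "198.51.100.0/24",
     "dst_zone": "internal", "dst": "10.20.0.0/16", "service": "rdp",
     "action": "permit", "hits": 0},
    {"name": "temp-allow", "src_zone": "any", "src": "any",
     "dst_zone": "any", "dst": "any", "service": "any",
     "action": "permit", "hits": 17},
    {"name": "web-in-copy", "src_zone": "internet", "src": "any",
     "dst_zone": "dmz", "dst": "203.0.113.10/32", "service": "https",
     "action": "permit", "hits": 0},
    {"name": "deny-all", "src_zone": "any", "src": "any",
     "dst_zone": "any", "dst": "any", "service": "any",
     "action": "deny", "hits": 5000},
]


def address_count(spec):
    """Number of IPv4 addresses covered by 'any' or a comma-separated CIDR list."""
    if spec.strip().lower() == "any":
        return 2 ** 32
    return sum(ipaddress.ip_network(c.strip(), strict=False).num_addresses
               for c in spec.split(","))


def is_broad(rule):
    """Overly permissive address scope. An Internet-facing rule necessarily has
    an 'any' source, so the source side is only judged for non-Internet zones;
    what matters there is how many internal addresses the rule exposes."""
    dst_broad = address_count(rule["dst"]) > BROAD_THRESHOLD
    src_broad = (rule["src_zone"] != "internet"
                 and address_count(rule["src"]) > BROAD_THRESHOLD)
    return src_broad or dst_broad


def audit_rules(rules):
    """Return {rule name: [finding, ...]} for every rule with at least one finding."""
    findings = {}

    def flag(rule, finding):
        findings.setdefault(rule["name"], []).append(finding)

    # Redundant rules: identical match tuple and action under another name.
    seen = {}
    for r in rules:
        key = (r["src_zone"], r["src"], r["dst_zone"], r["dst"],
               r["service"], r["action"])
        if key in seen:
            flag(r, f"duplicate-of:{seen[key]}")
        else:
            seen[key] = r["name"]

    for r in rules:
        permit = r["action"] == "permit"
        if permit and r["src"] == "any" and r["dst"] == "any" and r["service"] == "any":
            flag(r, "any-any-any-permit")
        elif permit and is_broad(r):
            flag(r, "broad-address-range")
        if permit and r["src_zone"] == "internet":
            if r["service"].lower() in CLEARTEXT_SERVICES:
                flag(r, "cleartext-service-from-internet")
            if r["dst_zone"] == "internal":
                flag(r, "internet-to-internal-bypasses-dmz")
        if r["hits"] == 0:
            flag(r, "unused")
    return findings


if __name__ == "__main__":
    for name, items in audit_rules(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(items)}")
```

Running it against the sample policy flags the temporary ANY/ANY/ANY permit, the FTP rule exposed to the Internet, the vendor RDP rule that lands on a /16 of internal space without passing through the DMZ, and the unused copy of the web rule; the clean HTTPS rule and the final deny produce no findings. To use this on a real audit, replace SAMPLE_RULES with rows parsed from your vendor's policy export and feed the hit counters from the device or your log pipeline, then re-run it on every snapshot so the same checks become the recurring drift test described in step 5.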
FireMon helps you with security assessments and rule clean up by:
- Eliminating duplicate or stealth rules that adversely impact the performance of your devices and introduce unnecessary complexity to your network.
- Performing real-time analysis and providing an extensive history of rule and object usage in a policy, so you can easily identify unused rules, optimize your network devices for peak performance, and reduce risk.
- Showing the unique traffic patterns that exist within a rule and reporting on what data is actually flowing across a broadly defined address range.
- Automating event-driven reviews and verification, recertifying the rules, and decommissioning those that are not needed.
Learn how to create a firewall and rule review process with our on-demand webinar.
4. Monitoring: Check for Vulnerabilities and Remediate Issues
Essential for any firewall audit, a comprehensive risk assessment will identify risky rules, paths, and connections. What is “risky” can be different for each organization depending on the network and the level of acceptable risk.
The best way to combat unwarranted access is to identify and analyze areas of vulnerability preemptively. However, the complex nature of security policies combined with the time-consuming burden of patching tens of thousands of vulnerabilities makes threats challenging to see and assess.
When reviewing network vulnerability points, ensure you:
- Check the network for published vulnerabilities in software, hardware, and network devices
- Document and assign an action plan for remediation of risks and compliance exceptions found in risk analysis
- Verify that remediation efforts and any rule changes have been completed correctly
- Track and document that remediation efforts are completed
With FireMon, you can enhance your risk management by:
- Scoring all attack simulations for risk and impact, then re-scoring after you have made improvements to measure the effect of the changes.
- Tracing possible paths that attackers might use to gain access to your critical assets.
- Integrating with your vulnerability management solutions (Qualys, Rapid7, and Tenable) to measure risk and identify potential attack penetration in your network.
- Detecting in real time when new access would expose vulnerable systems, scoping proposed changes before implementation, and streamlining the approval process for access requests that have little impact on your risk profile.
5. Reporting: Achieve Continuous Compliance
Once firewall compliance and security device auditing are complete, and a secure configuration has been applied to all devices, proper steps must be put in place to ensure continuous compliance.
When laying out your process for continuous compliance, you should:
- Consider replacing error-prone manual tasks with automated analysis and reporting.
- Ensure that all procedures are adequately documented, providing a complete audit trail of all firewall management activities.
- Make sure that a robust firewall-change workflow is in place to sustain compliance over time.
- Check that there is an alerting system in place for significant events or activities, such as changes in specific rules or the discovery of new, high-severity risks.
- Repeat the firewall compliance checklist items on a schedule to ensure continuous compliance: compliance might be achieved now, but in a month the organization may have drifted out of compliance.
Simplify the Process of Maintaining Firewall Policy Compliance
FireMon simplifies the process of maintaining firewall policy compliance with automated, customizable assessments, out-of-the-box reporting, and detailed documentation to meet regulatory standards and internal best practices. It helps by:
- Providing out-of-the-box and customizable assessments to help you ensure compliance with regulatory bodies or internal best practices. Out-of-the-box reporting includes the most common compliance standards, including those based on PCI DSS, NERC-CIP, GDPR, and others. Our customization engine ensures that the assessments and reports are tailor-made for your needs.
- Automatically identifying rules that require immediate analysis based on real-world events. Event-driven rules are analyzed on criteria including time-frame expiration, critical security control failure, periodic review, or ad-hoc query to determine the appropriate remediation.
- Providing documentation of rule certification decisions and justification to aid in compliance audits. You can review detailed information regarding each discussed rule with the option to approve or reject current rule configurations.
Enhance Your Policy Compliance Strategy With FireMon
Enhance your policy compliance strategy with FireMon by leveraging its advanced firewall policy auditing software to automate assessments, identify risks, and ensure continuous compliance with regulatory standards.
Request a demo today and find out how FireMon can help streamline your firewall compliance.