Certainly we are no strangers to increased regulations, standards and internal policies, and the resulting audits that impact most organizations – often multiple times per year.
While regulations and ensuing IT audits go beyond firewalls and firewall policies, these devices are often a good place to start when it comes to becoming "audit-ready" and gaining continuous visibility of what's going on in your network.
Here are six steps to ensure you ace your next firewall audit:
Step 1: Gathering Pertinent Information Before You Undergo an Audit
Without understanding what’s in your network, you have no chance for success come audit time. So prior to undergoing an audit, make sure you can collect all relevant security policies and firewall logs (then you can analyze the logs against the firewall rule base to understand what is actually being used). Make sure you have a diagram of the current network and firewall topologies. Gather all documentation from previous audits, including firewall rules, objects and policy revisions. Review relevant firewall vendor information including OS version, latest patches and default configuration. Understand what servers and information repositories are in the network as well as their relative value to the company.
Once you’ve gathered this information, it is imperative that you can aggregate and update this information in something better than a spreadsheet because you're most likely going to have multiple audits per year and spreadsheet compliance usually ends up badly.
Step 2: Review Your Firewall Change Management Process
Poor documentation of changes, including why the change is needed, who authorized the change, etc. and poor validation of the impact on the network are two of the most common issues when it comes to firewall change management. As time goes on, this challenge is exacerbated by staff turnover - that internal knowledgebase of why a change was made disappears and then you're left wondering what you should do – and poor documentation. Make sure you have regular reviews of the procedures for rule-base maintenance and that you can determine:
• If there is a formal and controlled process in place to request, review, approve and implement firewall changes.
• Whether or not all of the changes have been authorized. If you discover unauthorized rule changes, flag them for further investigation.
• If real-time monitoring of changes to the firewall is enabled and access to rule change notifications is granted to authorized personnel. Taking these recommendations into account will get you off to a good start with solidifying your firewall change management processes and ensuring continuous compliance.
Step 3: Audit Your Firewalls' Physical and OS Security
Make sure you can define and enforce corporate baselines... and report against them so you know where you stand. By reporting against these baselines that you determine, you will always be "in the know" of your firewalls' configuration status and how they stack up to the policy. Ensure your firewalls and management servers are physically secured with controlled access and that the OS passes common hardening checklists.
Step 4: Cleanup and Optimize Your Rule Base
Over time, firewall policies have more and more rules added, removed and changed, and oftentimes with little documentation for the what, why, who, etc. This creates unnecessary overhead in the audit process and slows down firewall performance. Identify and remove unused rules and objects as well as covered rules, consolidate similar rules and tighten overly permissive rules (i.e. “ANY” in the source address).
Step 5: Conduct a Risk Assessment and Remediate Issues
When reviewing firewall rules and configurations, you want to be able to identify any potentially “risky” rules. What is “risky” can be different for each organization depending on the network and the level of acceptable risk, but there are many frameworks and standards you can leverage that provide a good reference point, in addition to your own definitions of course. Risky rules should be prioritized by severity. Once you've gone through your list of risk analysis questions, then it is time to document and assign an action plan for remediation of risks and compliance exceptions found in risk analysis. Once you've conducted remediation efforts, make sure you document those as well and verify that these efforts and any rule changes have been completed correctly.
Step 6: Ensure Ongoing Audit-Readiness
When it comes to your firewall configurations, building audit-readiness must be a business process that is maintained over time. "Manual" and "audits" just don’t mix. I've personally spoken to customers who prior to leveraging an automation tool spent 2-3 weeks to perform an audit of just ONE firewall, whereas with automation, that painstaking audit process was under a minute or as one customer told me "a push of a button". Additionally, proper documentation and a solid change process are instrumental pieces to ensuring audit-readiness at the drop of a hat.
A final consideration is that while this article has focused on firewalls, there are different types of firewalls (traditional, next-generation, etc.) as well as secure web gateways, VPNs and other security devices typically found within an organization's network. Make sure that your audit process covers all of these devices as well. Good luck on your next audit!