More information security-related legislation and guidelines, such as the Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA), assist companies in meeting enforcement and security requirements. It forced more emphasis on regular audits of their policies and controls.
While regulatory and internal audits cover a wide range of security controls, the firewall stands out as it is the first and foremost defense line between the public and the corporate network.
The number of businesses that are not affected by the regulations is decreasing. However, even if you don’t have to comply with a particular government or industry regulations and security standards, it is usual to conduct regular and thorough reviews on your firewalls.
These controls not only ensure that your firewall configurations and rules meet the compliance requirements of external regulations or internal security policies but can play a critical role in reducing security risk and improving firewall performance by optimizing the firewall rule base.
In today’s complex, multi-vendor network environments that typically involve tens or hundreds of firewalls running thousands of rules, firewall administrators who manually conduct the audit process should rely on their own experience and expertise to determine a particular firewall rule that should be included in the configuration file.
Moreover, the documentation of existing rules and the development of changes are often lacking. The time and resources required to find, edit and implement all firewall rules to determine compliance level significantly impact IT staff.
As networks grow in complexity, reviews become more demanding. Automating the firewall review process is crucial as compliance needs to be continuous, not just at one point in time. The firewall review process is complicated. Each new rule must be analyzed and simulated in advance before it is applied. Also, a complete and accurate audit log of every change should be kept.
How to do Firewall Rule Base Review?
More than one administrator often controls the firewall. Some administrators are likely to add the rule in their way. Some may set incorrect rules in a way that allows an attacker to take advantage of the vulnerable rule that could lead to abuse. Therefore, the firewall rule base should be reviewed at least every three months, and a change management process established to add and forward the policy to the firewall.
Firewall Basic Ruleset Analysis is an activity that can be executed based on firewall goals. The firewall rule base analyzer should know the network architecture, IP address scheme, and VLAN or logical network separation.
Modification procedures for your firewall settings may differ depending on your firewalls’ brand and model and whether you use hardware or software-based solutions. However, regardless of the technology you use, following the firewall rules below will maximize your solution’s effectiveness.
Firewall Rule Base Review Checklist
Eliminating firewall clutter and optimizing the rule base can significantly increase IT productivity and firewall performance. Additionally, optimizing firewall rules can dramatically reduce many unnecessary overheads in the audit process.
Below are detailed checklist steps to review the firewall rule base:
# 1: It is essential to know the Architecture of the Network, Scheme IP address, and VLAN information.
# 2: Check out the rule about cleaning. Cleanup rules are defined under the rule base where you must deny “Any” Source to “Any” Port to “Any” Port. The purpose of having a cleanup rule is to log and deny traffic that doesn’t follow any rule bases.
# 3: Make sure it’s a secret rule. The privacy rule is the rules that tell you to deny “any” resource for the firewall. There must be a confidentiality rule as per the Rules of Management.
Note that the cleanup rule at the end of the rule base will block malicious traffic targeted for the firewall even if there is no privacy rule. The stealth rule is specially created to block traffic instantly as it detects the target because it is undesirable to search thousands of rule bases for the best match and increase unnecessary firewall processing power.
# 4: Ensure the rules for firewall management are at the top of the list of rules. Ensure a limited administrator in the Source Address field and large subnets are not allowed to access the firewall, and limited ports are defined for access to management.
# 5: Make sure duplicate objects, services, or host networks are removed from the rule base.
# 6: Make sure that the rules must be named, making the rule base easier to understand. For example, use a consistent host format such as Host Name IP.
# 7: Make sure the excess/shadow rules are removed from the rule base.
# 8: Make sure unused links are excluded from the base rule, including unique source, destination, and services. You can check the hit count column to see what the last hit count is for the rules.
# 9: Remove rules that haven’t been used for a long time. Remove the rule with zero-hit total count links.
# 10: Make sure the highest number of hits is above the base for the rule. Make sure that the best services and goals are adequately positioned within the rule base.
# 11: Make sure that expiring rules and objects are removed from the rule base. The administrator usually provides temporary access to the rules but forgets to delete them if the rule expires.
# 12: Ensure that no service/port is allowed in the basic rule, regardless of inbound or outbound connections, as long as there is a legitimate business justification and accepts the risk.
# 13: Ensure that no source or destination is allowed in the rule base, regardless of inbound or outbound connection, provided a valid business justification and acceptance of risk.
# 14: Beware of no direct inbound connections to the internal network.
# 15: Make sure that two-way access is used legitimately. An administrator can configure bidirectional access even though sometimes bidirectional access is not required.
# 16: Evaluate firewall rule order to get adequate performance.
# 17: Be sure to include the rule base header for quick recognition of rules. For example, add headings like management rules, HR rules, cleanup rules, Vendor rules.
# 18: Make sure vulnerable ports/services are not allowed based on rules.
# 19: Make sure the rule base should contain standard comments for each rule.
# 20: Identify similar rules that can be combined into a single rule.
# 21: Make sure you add the IP address to the group and have the proper naming convention. Groups can hide errors while applying or changing policies.
# 22: Make sure logs are enabled for each rule in the rule base.
# 23: Ensure that appropriate business rationale exists for the wide variety of subnets given access in the rule base.
# 24: Make sure the rules are given according to the policy matrix the organization has created. The policy matrix is the table that gives information to allow or block traffic from which zone or VLAN.
Firewall Security Checklist
To make sure your firewall is deployed and working as intended, essential questions to ask are:
- Are the rules governing firewalls regularly reviewed?
- Is there a list of what rules should be allowed in the firewall?
- Is there a complete list of which rules should not be allowed in the firewall?
- Are Firewalls updated regularly?
- Firewall Rule Sets and Router Rule Sets should be reviewed every six months to verify Firewall Configuration Standards and Router Configuration Standards.
- Examine the ruleset documentation and responsible interview personnel to check that the firewall rule sets are reviewed every six months.
- Establish and implement firewall configuration standards and router configuration standards that require analysis of firewall rule sets and router rule sets at least every six months.
- Do firewall and router configuration standards require a review of firewall and router rule sets at least every six months?
- Are rule sets for firewalls and routers reviewed at least once every six months?
- Network devices should be checked periodically to verify configuration parameters, test authentication weaknesses, and analyze network system activities.
- Network traffic filtering should be based on predefined rules that are documented and kept up to date.
- Firewall configurations should be reviewed regularly to ensure that an authorized person has approved and signed each firewall rule.
- Firewall configurations should be checked regularly to make sure outdated or outdated policies are disabled or removed.
- Firewall configurations should be reviewed periodically to ensure that conflicting rules are resolved.
- Firewall settings should be checked periodically to ensure that unused/unnecessary objects and rules are eliminated.
- Are all firewall rules reviewed and updated at least annually to identify and delete obsolete networks, subnets, hosts, protocols, or ports?
- Are firewall rules, policies, and procedures reviewed at least annually by a professional auditor?
- Are there documents that clearly define firewall management roles and responsibilities?
- Is there a list of authorized firewall administrators?
- Has the activity of backup administrators supporting the firewall been tested?
- Is anyone responsible for following up-to-date security recommendations?
- Is there a password policy?
- Are password control features implemented for all accounts?
- Make sure the default accounts are disabled, or the original password provided by the seller is changed.
- Get a list of users with access to the firewall and compare it with documented approved requests.
- Can each user be uniquely identified?
- Consider whether the authentication methodologies used are effective.
- Are there periodic reviews for inactive accounts?
- Are firewall activities logged?
- Are alarms set for important events or activities?
- Is there a firewall change control procedure?
Although firewall rules review can be done manually, it is time-consuming and costly to operational resources and personnel. Many organizations decide to seek outside help to simplify and improve the firewall rule baseline review.
This review task cannot be delegated entirely to a third party, as verifying the firewall configuration is still the organization’s ultimate responsibility. If you decide to seek assistance from third parties with this responsibility, ask for details and examples of how they can help you meet this regulatory requirement and keep your network secure.
A good third-party service provider can save your organization time while ensuring that your organization has the most up-to-date and efficient firewall to protect against todays ongoing threats and ensure that all compliance and regulatory requirements are met.
This type of firewall security audit can also be done in a more automated manner. The automated firewall rule base review tools show you who added the rule and when and whether they added anything else to the policy. You can put the change ticket number in the comment field, so the rule will link back to the change ticket to make it easier to search for the firewall audit trail.
You can even run a rule history report over time to see how this rule has changed with other change tickets since it was applied. A complete solution would be to use a security change automation product.
Automating the process as much as possible provides the information managers need to perform the audit. However, if you have to control extensive firewalls with difficult rule bases yourself, it would be more cost-effective to automate the process.
Automated firewall rule base review tools show the rule request to the rule base along with firewall audit termination, risk analysis, and implementation, so the entire lifecycle from the application request is documented and audited.