Due to constant change and the growing number of threats facing the industry, firewall security must continuously adapt to combat existing threats. In turn, companies should regularly evaluate their security processes and firewall rules.
Due to standards such as PCI-DSS, ISO 27001, SOX, and HIPAA, firewall audits are of great interest today. Even if you don’t need to meet these standards at this time, you may need to demonstrate that your network is secure for business relationships with specific partners and customers.
However, compliance requirements aside, there are many reasons why firewall audits are considered good practice. Firewall rule reviews can improve your ability to find weaknesses in your network security posture and show you where your policies need to be changed.
They can also help you demonstrate due diligence in reviewing your network security and policies in the event of a lawsuit or other issue that could challenge your security standards.
Two of the critical aspects of a firewall audit are reviewing the change process and rule base. If you need to pre-check your firewall before the inspectors arrive or have been tasked with inspecting the firewall yourself, there are some important technical details to check out.
What is Firewall Rule Review?
There are vulnerability assessments to make sure the firewall is not vulnerable to exploits. There are official controls that check security vulnerabilities, firewall software configuration, and Security Policy. Additionally, they make sure that the latest patches for firewall software and operating system are installed.
However, there is still a need for a Firewall Rule Review that focuses on how rules are configured by the Firewall Manager or Network Security Officer. You should review firewall rules one by one to make sure they are in the correct order.
You should check whether rules create open holes, such as rules that expose vulnerable services or permit a wide range of ports or protocols. Look for old rules, rules that were meant to be temporary, and rules that are no longer used. Make sure that the details and proper paperwork are in place for each original rule. Combine rules whenever possible.
Managing your firewall rules effectively is a must for businesses to have a reliable network security infrastructure. Monitoring and reviewing firewall rules play an essential role in firewall policy management.
However, considering the large number of rule changes triggered by multiple security administrators, keeping track of all changes between different rule configurations becomes a hassle.
Why Should You Do a Firewall Rule Review?
Firewalls have been part of network security systems that monitor both outbound and inbound traffic for over 25 years. Firewalls act as the first line of defense, and they help prevent unauthorized access and block some security-based communications.
PCI DSS Requirement 1.1.7 states that organizations should review firewall rules at least every six months. This requirement includes verifying that firewall configuration standards, ruleset reviews, and documentation for staff interviews are reviewed every six months.
For your company’s security, having a firewall in place is insufficient. Companies are dynamic by nature; they continuously add new service areas or change their business processes. If companies do not periodically test firewall configurations and rules in a dynamic environment, they can leave the door open to attacks and breaches.
- Invalid firewall rules can be used to gain unauthorized access.
- Rule location can increase or decrease the performance of the firewall.
- Using groups can cause performance issues.
- Incorrect configuration of a rule can put the firewall or network at risk.
Regular firewall rule reviews help identify network security weaknesses before abuse and allow rules to be updated as needed to address technology changes or new threats.
In some cases, the chance of an old firewall rule being used for unauthorized access is minimal. Perhaps it is restricted to a specific source and destination, which significantly reduces the risk of unauthorized access.
It may also be necessary to eliminate the rule for performance reasons. The more rules the firewall reads, the more CPU processing the firewall needs to make decisions about a connection. The extensive collection of rules in most firewall products can cause delayed processing and disruption to traffic.
Many firewall products allow objects such as hosts, networks, or services to be grouped. Groups can also hide errors made when applying or changing policies. Objects can be unintentionally added to groups, and groups can contain old objects. When updating the policy, it is necessary to review each group's content and the legacy items in it.
The more firewalls with large rule bases you are responsible for, the higher your chances of making mistakes. Usually, firewall administrators are the last to be involved in a project and are often eager to do something to complete the project.
Impatience often leads to a hasty decision when implementing firewall rules. So you need to go back and take a look at what’s happening, be familiar with the allowed connections, make sure the company security policy is followed, and delete unused rules.
Firewall Rule Review looks at the basics of configuration, destination, and cleanup rules. You should perform a firewall rule review regularly because of the “security erosion” caused by improper maintenance of the firewall, which puts the system at risk.
What Should Be Considered in Firewall Rules?
Knowing how to review or audit firewall rules can be challenging. Here are four key steps to help guide the process:
- Evaluate Change Management procedures for your current firewall – Change Management procedures ensure that all past rule changes are properly logged, and all changes are made correctly.
- Compare existing firewall rules with previous firewall rules – Comparing the rules that were previously in effect with those currently in effect makes changes easy to identify. The purpose of comparing rules is to track what changes have been made and check whether those changes are necessary. It will also help identify unused or passive rules.
- Evaluate external IP addresses allowed under firewall rules – Make sure the external addresses allowed by the firewall rules are still secure and still meaningful to use. If any address seems out of place or doesn’t seem appropriate, the rules probably need to be updated.
- Ensure there is a real business requirement for open ports – Firewall rules often include open ports to allow external communication. A basic but important step is to evaluate open ports to make sure they are still needed. Otherwise, you can delete the rule to avoid unnecessary communication.
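The four steps above can be scripted against two exported snapshots of a rule base. The following is an added example, not part of the original article: the rule fields, the `CHG-` ticket format, the internal address range, and the sample rules are all assumptions constructed for illustration, and every rule is treated as an allow rule.

```python
import ipaddress
import re

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space
TICKET = re.compile(r"\bCHG-\d+\b")              # hypothetical change-ticket format

# Constructed snapshots of one rule base (allow rules only): rule id -> fields.
PREVIOUS = {
    "r1": {"src": "any", "dst": "10.0.1.10", "port": "443", "comment": "CHG-1001 public web"},
    "r2": {"src": "198.51.100.7", "dst": "10.0.5.20", "port": "22", "comment": "CHG-1002 vendor SSH"},
    "r3": {"src": "10.0.0.0/8", "dst": "any", "port": "53", "comment": "CHG-1003 DNS"},
}
CURRENT = {
    "r1": {"src": "any", "dst": "10.0.1.10", "port": "443", "comment": "CHG-1001 public web"},
    "r2": {"src": "198.51.100.0/24", "dst": "10.0.5.20", "port": "22", "comment": "vendor SSH"},
    "r4": {"src": "192.0.2.44", "dst": "10.0.5.30", "port": "3389", "comment": ""},
}

def diff_rules(previous, current):
    """Return rule ids added, removed and modified between two snapshots."""
    added = sorted(current.keys() - previous.keys())
    removed = sorted(previous.keys() - current.keys())
    modified = sorted(r for r in current.keys() & previous.keys()
                      if current[r] != previous[r])
    return added, removed, modified

def undocumented(previous, current):
    """Added or modified rules whose comment carries no change ticket."""
    added, _, modified = diff_rules(previous, current)
    return [r for r in sorted(added + modified)
            if not TICKET.search(current[r]["comment"])]

def is_external(addr):
    """True for 'any' or an address/network outside INTERNAL."""
    if addr == "any":
        return True
    net = ipaddress.ip_network(addr, strict=False)
    return not any(net.subnet_of(i) for i in INTERNAL)

def external_allows(current):
    """Ports opened to external sources, as (rule id, source, port)."""
    return [(r, f["src"], f["port"]) for r, f in sorted(current.items())
            if is_external(f["src"])]

if __name__ == "__main__":
    print("added/removed/modified:", diff_rules(PREVIOUS, CURRENT))
    print("changed without ticket:", undocumented(PREVIOUS, CURRENT))
    for rule_id, src, port in external_allows(CURRENT):
        print(f"re-validate {rule_id}: {src} -> port {port}")
```

Each rule reported by `undocumented` is a change that bypassed the change process, and each entry from `external_allows` is an external source and open port that needs a current business justification.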
Firewall Rule review includes, but is not limited to, the following checks:
- How many rules are there compared to the last audit/year?
- Do you have any rules without comment?
- Are there any unnecessary rules and rules that need to be removed?
- Are there any unused rules?
- Do the rules reference any services that are no longer used?
- Do rules contain unused groups or networks?
- Are there any firewall rules with ANY in the source, destination, and service/protocol fields and an allow action?
- Are there any rules with a permissive action and ANY in one of those fields?
- Are there broadly defined rules that are overly permissive?
What are the PCI DSS Firewall Rule Review Requirements?
For PCI compliance, firewalls’ key targets include all applicable policies, documented standards, and other senior management directives. Regular firewall rule reviews ensure organizations meet and maintain the PCI requirement.
It also provides a measurable assurance of firewall compliance to senior management. Always keeping the infrastructure as close to the current as possible lowers the cost of continuous compliance. Periodic firewall reviews and good change and vulnerability management ensure that the organization keeps firewalls compliant with PCI standards.
The initial firewall inspection will require considerable effort, but subsequent firewall reviews will require less effort as business and compliance requirements are well understood, and procedures are established. A continuous improvement methodology will help reduce the number of deficiency cases that show non-compliance over time and the effort required.
Approved List Creation
PCI DSS requirement 1.1.5 requires that all services, protocols, and ports allowed through the firewall have a legitimate business purpose for PCI compliance. Since senior management has overall responsibility for compliance, they must sign the list of approved services, protocols, and ports to approve the list. The Approved List is an effective directive from top management on what traffic is allowed through the firewall.
Technical staff is responsible for obtaining senior management approval before introducing new services, protocols, or ports to the infrastructure. Approval is received when the Approved List is updated and submitted to senior management for approval. In this way, firewall rules can be set in a central location and then propagated to existing devices and configuration standards, reducing the risk of unnecessary services, protocols, or ports being active.
Although the Approved List is not explicitly defined in other security standards, it is a critical component. The Approved List identifies the acceptable risks associated with the services, protocols, and ports in use and which traffic is allowed to flow from where. That’s why the Approved List allows senior management to understand the infrastructure security status, and why you can effectively measure the firewall rules against it.
If the Approved List is not already available, the data collected in documented information flows can be used to create the first list of approved services, protocols, and ports. The first firewall inspection will flag anything that was not initially defined in the Approved List.
Use of Unencrypted Services, Protocols, and Ports
PCI DSS requires the implementation of compensating controls if an unencrypted service/protocol/port is needed. The PCI evaluator will require that all compensating controls are well documented and meet PCI requirements.
It isn’t easy to identify and implement compensating controls. Even if the PCI Qualified Security Assessor (QSA) performing the PCI assessment initially accepts the compensating control, the acquiring bank has the final say.
Senior management is responsible for ensuring that all services, protocols, and ports specified in the Approved List can be justified for commercial purposes. Senior management is also responsible for ensuring that unencrypted services, protocols, and ports are not used whenever possible.
Traffic and Firewall Rule Base Analysis
Firewall rule group reviews require a list of the firewall rules, rule usage statistics for each rule, and traffic data allowed through the firewall and denied by the firewall.
The Approved List is also required for firewall rule group inspection. Review the “allow” rules for any use of “any” in the source, destination, or port. For each “deny” rule, examine the actual traffic and determine what talks to what on which port.
Only traffic defined in the approved list should be allowed to pass through the firewall. This applies not only to inbound traffic but also to outbound traffic. Outbound filtering is generally ignored but required per PCI requirement 1.2.1.
Identify any traffic using unapproved ports that are allowed through the firewall. Record the source and destination IP addresses for each detected sample. Review all traffic that meets the “Deny” rules. Denied traffic can indicate unapproved services, protocols, and ports in use in the infrastructure.
Pay special attention to traffic denied between the DMZ and the internal network and traffic to the internet. Record the source IP and ports used for all denied traffic originating from inside the infrastructure.
Flag any “deny” rules that do not contain comments. Each rule should have a comment outlining the business requirement. If possible, the change ticket number associated with the creation or last change of the rule should be included in the comments.
If there is a business requirement for an unencrypted service/protocol/port, senior management is responsible for defining, documenting, and adequately implementing appropriate compensating controls.
Look for rules that are never hit and rules that are “shadowed” or partially “shadowed”. “Shadowed” rules are rules that provide the same or similar access as other rules. A rule that is never hit indicates either that a more permissive rule sits before it or that the rule is not required and can be removed.
Pay particular attention to any situation where more permissive rules are matched before the more restrictive rules. Finally, verify that there is a “deny all” rule at the end of the ruleset.
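The rule base checks in this section can be expressed as a small vendor-neutral script. This is an added example, not part of the original article: the rule format, hit counts, ticket numbers, and Approved List are constructed assumptions, and only full shadowing is detected, not partial overlap.

```python
import ipaddress

APPROVED_PORTS = {"443", "53"}  # constructed Approved List (ports only)

# Constructed rule base in evaluation order; "hits" is the rule usage statistic.
RULES = [
    {"id": 1, "src": "any", "dst": "10.0.1.0/24", "port": "443", "action": "allow", "hits": 9120, "comment": "CHG-2001 web DMZ"},
    {"id": 2, "src": "10.0.0.0/8", "dst": "any", "port": "any", "action": "allow", "hits": 48211, "comment": ""},
    {"id": 3, "src": "10.0.2.0/24", "dst": "192.0.2.25", "port": "25", "action": "allow", "hits": 0, "comment": "CHG-2003 mail relay"},
    {"id": 4, "src": "10.0.3.5", "dst": "any", "port": "23", "action": "deny", "hits": 0, "comment": "CHG-2004 block telnet"},
    {"id": 5, "src": "any", "dst": "any", "port": "any", "action": "deny", "hits": 30077, "comment": "default deny"},
]

def covers(a, b, is_addr):
    """True if field value a matches everything field value b matches."""
    if a == "any" or a == b:
        return True
    if b == "any" or not is_addr:
        return False
    outer = ipaddress.ip_network(a, strict=False)
    return ipaddress.ip_network(b, strict=False).subnet_of(outer)

def shadowed_by(rules, i):
    """First earlier rule that fully covers rules[i], or None."""
    r = rules[i]
    for e in rules[:i]:
        if (covers(e["src"], r["src"], True) and covers(e["dst"], r["dst"], True)
                and covers(e["port"], r["port"], False)):
            return e
    return None

def review(rules, approved_ports):
    """Return (rule id, finding) pairs; id None marks a rule-base finding."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] == "allow":
            anys = [f for f in ("src", "dst", "port") if r[f] == "any"]
            if anys:
                findings.append((r["id"], "any in " + ",".join(anys)))
            if r["port"] != "any" and r["port"] not in approved_ports:
                findings.append((r["id"], f"port {r['port']} not on Approved List"))
        if not r["comment"].strip():
            findings.append((r["id"], "no comment"))
        if r["hits"] == 0:
            findings.append((r["id"], "never hit"))
        e = shadowed_by(rules, i)
        if e:
            kind = "shadowed by" if e["action"] == r["action"] else "conflicts with"
            findings.append((r["id"], f"{kind} rule {e['id']}"))
    last = rules[-1]
    if last["action"] != "deny" or any(last[f] != "any" for f in ("src", "dst", "port")):
        findings.append((None, "no final deny all"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in review(RULES, APPROVED_PORTS):
        print(rule_id, finding)
```

In the sample data, rule 4 is the case the text singles out: a restrictive deny that can never match because the broader allow in rule 2 is evaluated first.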
Firewall Rule Review Report
Based on the ruleset review findings, prepare an updated rule set to be applied to the firewall. The revised ruleset should address all the shortcomings and improvements identified in the ruleset review.
If there has not been a previous firewall review, there are likely to be items missing from the Approved List. The biggest challenge when doing a firewall ruleset audit for the first time is that the traffic required for the business is often not fully understood at the beginning of the inspection. Be prepared to go through several iterations of the firewall rule group review to align the Approved List and firewall ruleset.
Per the PCI DSS requirement 1.1.6, you must perform firewall inspections at least every six months. After the analysis is complete, you should create an audit trail document to show that the firewall rule analysis has been performed and to demonstrate PCI compliance.
Store all firewall audit reports in a safe place and make sure they can be accessed when needed.
The final firewall rule review report should include the report’s date, the author of the report, the final result of the firewall review (compliant / non-compliant), and an executive summary of the completed firewall review. It should also include the firewall rule review report, consolidated findings list, and remediation plan.
Including trend data in the report can be useful to show continuous improvement. Valuable metrics include the effort required to complete the firewall inspection and the number of deficiencies found. Since this data has already been collected, little effort is needed to aggregate trend data.
By presenting the previous reviews’ measurements with the most recent inspection, the organization can determine whether the firewall process or other processes have become more efficient over time.
The effort required to complete firewall reviews will decrease as procedures are improved and staff becomes qualified. A number of deficiencies that does not decrease over time is an indicator of continued non-compliance.
The first time a firewall inspection is conducted, the review is a practical discovery phase to determine what is happening with the infrastructure. With the knowledge gained from the initial firewall inspection and effective change management processes and procedures, the following ruleset reviews will require significantly less effort as the gap between the approved and the actual traffic allowed through the firewall is minimized.
How to Check the Firewall Rule Base?
The methodology for auditing a firewall rule base differs significantly between inspection techniques, because the audit is often difficult to do and is highly technology-dependent.
For each of the questions below, you should prioritize by firewall type and placement in your infrastructure. For example, a firewall that is not connected to the internet does not carry the same risk as a firewall connected to the internet. Internal firewalls tend to be more permissive than external firewalls.
The first questions about the firewall rule base concern essential policy maintenance and acceptable design practices that provide minimum access for each device. To answer these questions, you need to look at each rule in your rule base and at the logs.
- How many rules does the policy have?
- How many rules were there in the last inspection?
- How many rules were there last year?
- Are there any rules without comments?
- Are there any unnecessary rules that need to be eliminated?
- Are there any unused rules?
- Are there any services that are no longer used in the rules?
- Are there groups or networks that are no longer used in the rules?
- Are there any firewall rules with ANY in the three fields (source, destination, service/protocol) and a permissive action?
- Are there broadly defined rules that are overly permissive?
The second list of questions to ask about a firewall rule base is about risk and compliance. You need to understand the infrastructure of the firewall and know what traffic goes through each rule. If you have a list of approved services, ports, and protocols, review each rule against it as well.
Here are the questions you need to answer:
- Are there any rules that violate your security policy?
- Are there any rules that allow risky services inbound from the internet?
- Are there any rules that allow risky services outbound to the internet?
- Are there any rules that allow direct internet-to-internal (not DMZ) traffic?
- Are there any rules that allow traffic from the internet to insecure servers, networks, devices, or databases?
Keep Your Defense Line Updated with Firewall Rule Analysis
PCI Requirement 1.1.7 states that organizations should review their firewall and router rule sets at least every six months.
It is not enough for your organization to set rules for your network regarding incoming and outgoing traffic, because as time passes, rules become obsolete and protocols become insecure.
Many security frameworks, including PCI DSS, require a process to review firewall and router configurations. This process can be done manually or with automated tools, but you must have a rule analysis process.
PCI DSS does not define what organizations must do to establish a compliant firewall rule base review process, but you should document that firewall rules are regularly reviewed.
If you are being evaluated against PCI DSS standards, you should conduct your firewall rule reviews at least every six months. You must also have some form of evidence that the review process took place to present to the auditor.
Additionally, if a protocol becomes insecure for any reason, you must document what you are doing to secure it. You must implement specific controls that will secure the insecure protocol.
Manual review of firewall rules can be time-consuming. It can also be expensive, both in terms of operational resources and personnel. Many organizations choose to seek outside help to make this job easier and more successful.
However, this review task cannot be delegated entirely to a third party, as ultimate responsibility remains with the institution for verifying the firewall configuration.
If you decide to seek assistance from third parties with this responsibility, ask for details and examples of how they can help you meet this regulatory requirement and keep your network secure.
A good third-party service provider will save your organization time by ensuring your company has the most up-to-date and reliable firewall in place to protect against today’s ongoing threats and comply with all regulatory and enforcement requirements.