AN ALGOSEC WHITE PAPERTHE FIREWALLAUDIT CHECKLISTSix Best Practices for SimplifyingFirewall Compliance andRisk Mitigation

ENSURING CONTINUOUS COMPLIANCEMore regulations and standards relating to informationsecurity, such as the Payment Card Industry Data SecurityStandard (PCI-DSS), the General Data Protection Regulation(GDPR), Sarbanes-Oxley (SOX), Health Insurance Portabilityand Accountability Act (HIPAA), California ConsumerPrivacy Act (CCPA) and ISO 27001, have forced enterprisesto put more emphasis—in terms of time and money—oncompliance and the regular and ad hoc auditing of securitypolicies and controls. While regulatory and internal auditscover a broad range of security checks, the firewall isfeatured prominently since it is the first and main line ofdefense between the public and the corporate network.The number of enterprises that are not affected byregulations is shrinking. But even if you do not have tocomply with specific government or industrial regulationsand security standards, it is now commonplace to conductregular, thorough audits of your firewalls. Not only dothese audits ensure that your firewall configurations andrules meet the proper requirements of external regulationsor internal security policy, but these audits can also play acritical role in reducing risk and actually improve firewallperformance by optimizing the firewall rule base.In today’s complex, multi-vendor network environments,typically including tens or hundreds of firewalls runningthousands of rules, completed a manual security auditnow borders on the impossible. Conducting the auditprocess manually, firewall administrators must rely on theirown experience and expertise—which can vary greatlyacross organizations—to determine if a given firewall ruleshould or should not be included in the configurationfile. Furthermore, documentation of current rules andtheir evolution of changes is usually lacking. The time andresources required to find, organize and pour through allof the firewall rules to determine the level of compliancesignificantly impacts IT staff.As networks grow in complexity, auditing becomes morecumbersome. Manual processes cannot keep up. Automatingthe firewall audit process is crucial as compliance must becontinuous, not simply at a point in time.The firewall audit process is arduous. Each new rule mustpre-analyzed and simulated before it can be implemented.A full and accurate audit log of each change must bemaintained. Today’s security staffs now find that beingaudit-ready without automation is impractical if not virtuallyimpossible.It’s time to look to automation along with the establishmentof auditing best practices to maintain continuous compliance.THE FIREWALL AUDIT CHECKLIST Six Best Practices for Simplifying Firewall Compliance and Risk MitigationPAGE 02

THE FIREWALL AUDIT CHECKLISTBelow, we share a proven checklist of six best practices for a firewall audits based on AlgoSec’s extensive experience inconsulting with some of the largest global organizations and auditors who deal with firewall audit, optimization andchange management processes and procedures. While this is not an exhaustive list that every organization must follow, itprovides guidance on some critical areas to cover when conducting a firewall audit.FIGURE 1: Overview of the Recommended Firewall Audit Process01 GATHER KEY INFORMATION PRIOR TO STARTING THE AUDITAn audit has little chance of success without visibility into the network, including software, hardware, policies andrisks. The following are examples of the key information required to plan the audit work: Copies of relevant security policies Access to firewall logs that can be analyzed against thefirewall rule base to understand which rules are actuallybeing usedAll relevant firewall vendor information including OSversion, latest patches and default configuration Understanding all the key servers and informationrepositories in the network and the value of each An accurate diagram of the current network and firewalltopologies Reports and documents from previous audits, includingfirewall rules, objects and policy revisions Identification of all Internet Service Providers (ISP) andVirtual Private Networks (VPN)Once you have gathered this information, how are yougoing to aggregate it and storing it? Trying to trackcompliance on spreadsheets is a surefire way to make theaudit process painful, tedious and time-consuming. Insteadof spreadsheets, the auditor needs to document, store andconsolidate this vital information in a way that enablescollaboration with IT counterparts. With this convenienceaccess, auditors you can start reviewing policies andprocedures and tracking their effectiveness in terms ofcompliance, operational efficiency and risk mitigation.THE FIREWALL AUDIT CHECKLIST Six Best Practices for Simplifying Firewall Compliance and Risk MitigationPAGE 03

02 REVIEW THE CHANGE MANAGEMENT PROCESSA good change management process is essential to ensure proper execution and traceability of firewall changes as well asfor sustainability over time to ensure compliance continuously. Poor documentation of changes, including why each changeis needed, who authorized the change, etc. and poor validation of the impact on the network of each change are two ofthe most common problems when it comes to change control. Reviewthe procedures for rule-base changemanagement. Just a few key questions to reviewinclude: Determineif there is a formal and controlled processin place to request, review, approve and implementfirewall changes. This process should include at leastthe following:– Are requested changes going through properapprovals?– Business purpose for a change request– Are changes being implemented by authorizedpersonnel?– Duration (time period) for new/modified rule– Assessment of the potential risks associated with thenew/modified rule– Are changes being tested?– Are changes being documented per regulatory and/or internal policy requirements? Each rule shouldhave a comment that includes the change ID of therequest and the name/initials of the person whoimplemented the change.– Is there an expiration date for the change?– Formal approvals for new/modified rule– Assignment to proper administrator forimplementation– Verification that change has been tested andimplemented correctly Determine whether all of the changes have beenauthorized and flag unauthorized rule changes forfurther investigation. Determine if real-time monitoring of changes to afirewall are enabled and if access to rule- changenotifications is granted to authorized requestors,administrators and stakeholders.THE FIREWALL AUDIT CHECKLIST Six Best Practices for Simplifying Firewall Compliance and Risk MitigationPAGE 04

03 AUDIT THE FIREWALL’S PHYSICAL AND OS SECURITYIt is important to be certain as to each firewall’s physical and software security to protect against the most fundamentaltypes of cyberattack. Ensure that firewall and management servers arephysically secured with controlled access. Verify that all appropriate vendor patches and updateshave been applied. Ensure that there is a current list of authorized personnelpermitted to access the firewall server rooms. Ensure that the operating system passes commonhardening checklists. Review the procedures used for device administration.04 CLEANUP AND OPTIMIZE THE RULE BASERemoving firewall clutter and optimizing the rule base can greatly improve IT productivity and firewall performance.Additionally, optimizing firewall rules can significantly reduce a lot of unnecessary overhead in the audit process. Delete covered rules that are effectively useless. Delete or disable expired and unused rules and objects. Identify disabled, time-inactive and unused rules that arecandidates for removal. Evaluate the order of firewall rules for effectiveness andperformance. Remove unused connections, including source/destination/service routes, that are not in use. Detect similar rules that can be consolidated into asingle rule. Identify overly permissive rules by analyzing the actualpolicy usage against firewall logs. Tune these rules asappropriate for policy and actual use scenarios. Analyze VPN parameters to identify unused users,unattached users, expired users, users about to expire,unused groups, unattached groups and expired groups. Enforce object-naming conventions. Document rules, objects and policy revisions for futurereference.THE FIREWALL AUDIT CHECKLIST Six Best Practices for Simplifying Firewall Compliance and Risk MitigationPAGE 05

05 CONDUCT A RISK ASSESSMENT AND REMEDIATE ISSUESEssential for any firewall audit, a comprehensive risk assessment will identify risky rules and ensure that rules are compliantwith internal policies and relevant standards and regulations. Identify any and all potentially “risky” rules, based onindustry standards and best practices, and prioritizethem by severity. What is “risky” can be different foreach organization depending on the network and thelevel of acceptable risk, but there are many frameworksand standards you can leverage that provide a goodreference point. A few things to look for and validateinclude:– Are there rules that allow direct traffic from theInternet to the internal network (not the DMZ)?– Are there any rules that allow traffic from the Internetto sensitive servers, networks, devices or databases? Analyze firewall rules and configurations against relevantregulatory and/or industry standards such as PCI-DSS,SOX, ISO 27001, NERC CIP, Basel-II, FISMA and J-SOX, aswell as corporate policies that define baseline hardwareand software configurations to which devices mustadhere (See Figure 4 on page 9). Document and assign an action plan for remediation ofrisks and compliance exceptions found in risk analysis. Verify that remediation efforts and any rule changeshave been completed correctly. Track and document that remediation efforts arecompleted.– Are there firewall rules that violate your corporatesecurity policy?– Are there any firewall rules with “ANY” in the source,destination, service/protocol, application or user fields,and with a permissive action?– Are there rules that allow risky services from your DMZto your internal network?– Are there rules that allow risky services inbound fromthe Internet?– Are there rules that allow risky services outbound tothe Internet?06 ONGOING AUDITSUpon successful firewall and security device auditing, verifying secure configuration, proper steps must be put in place toensure continuous compliance. Ensure that a process is established for continuousauditing of firewalls. Consider replacing error-prone manual tasks withautomated analysis and reporting. Ensure that all audit procedures are properlydocumented, providing a complete audit trail of allfirewall management activities. Make sure that a robust firewall-change workflow is inplace to sustain compliance over time.– This repeats Audit Checklist item #2 because isnecessary to ensure continuous compliance, i.e.,compliance might be achieved now, but in a month,the organization might once again be out ofcompliance. Ensurethat there is an alerting system in place forsignificant events or activities, such as changes incertain rules or the discovery of a new, high severityrisk in the policy.THE FIREWALL AUDIT CHECKLIST Six Best Practices for Simplifying Firewall Compliance and Risk MitigationPAGE 06

AUTOMATING FIREWALL COMPLIANCE AUDITS WITH ALGOSECWhen it comes to compliance, the firewall policy management solution must have the breadth and depth toautomatically generate detailed reports for multiple regulations and standards. It also must support multiple firewallsand related security devices.By combining this firewall audit checklist with the AlgoSec Security Management Solution, organizations can significantlyimprove their security posture and reduce the pain of ensuring compliance with regulations, industry standards andcorporate policies. Furthermore, they can ensure compliance continuously without spending significant resources wastingtime and effort on complex security policies on a regular basis.Let’s go back through the checklist and look at a few examples of how AlgoSec can help.GAIN VISIBILITY OF NETWORK POLICIES AND THEIR CHANGESAlgoSec enables you to gather all of the key informationneeded to start the audit process. By generating a dynamic,interactive network map AlgoSec visualizes and helps youanalyze complex networks. (See Figure 2.) You can viewrouting tables and automatically detect all interfaces,subnets and zones. Additionally, AlgoSec provides you withvisibility of all changes to your network security policies inreal-time and creates detailed firewall audit reports to helpapprovers make informed decisions about changes thataffect risk or compliance levels.FIGURE 2: AlgoSec provides network topology awareness with a map that provides visibility of all firewalls and routersincluding all relevant interfaces, subnets and zones, and the ability to drill down to specific information about each device.THE FIREWALL AUDIT CHECKLIST Six Best Practices for Simplifying Firewall Compliance and Risk MitigationPAGE 07

UNDERSTAND THE FIREWALL CHANGES IN YOUR NETWORK AND AUTOMATE THE PROCESSAlgoSec intelligently automates the security-policy change workflow, dramatically cutting the time required to processfirewall changes, increasing accuracy and accountability, enforcing compliance and mitigating risk. In addition, AlgoSecprovides flexible workflows and templates to help you manage change requests and tailor processes to your business needs.CLEAN UP AND OPTIMIZE YOUR RULE BASEAlgoSec enables you to optimize and clean up cluttered policies with actionable recommendations to: Consolidate similar rules. Discover and remove unused rules and objects (See Figure 3). Identify and remove shadowed, duplicate, and expired rules. Reorder rules for optimal firewall performance while retaining policy logic. Tighten overly permissive rules based on actual usage patterns.Not only does this help you improve the performance and extend the life of your firewalls, it also saves time when it comesto troubleshooting issues and IT audits.FIGURE 3: Unused rules that AlgoSec has identified for removal.THE FIREWALL AUDIT CHECKLIST Six Best Practices for Simplifying Firewall Compliance and Risk MitigationPAGE 08

CONDUCT A RISK ASSESSMENT AND REMEDIATE ISSUESAlgoSec enables you to instantly discover and prioritize all risks and potentially risky rules in the firewall policy, leveragingthe largest risk knowledgebase available. The knowledgebase includes industry regulations, best practices and customizablecorporate security policies. AlgoSec assigns and tracks a security rating for each device and group of devices to help you toquickly pinpoint devices that require attention and to measure the effectiveness of a security policy over time.FIGURE 4: AlgoSec identifies and prioritizes risky rules based on industry standards and frameworks and provides detailedinformation of source, destination, service, as well as user and application when analyzing next-generation firewalls.THE FIREWALL AUDIT CHECKLIST Six Best Practices for Simplifying Firewall Compliance and Risk MitigationPAGE 09

OUT-OF-THE-BOX COMPLIANCE REPORTSAlgoSec ensures continuous compliance and instantly provides you with a view of your firewall compliance status by automatically generating reportsfor industry regulations, including Payment Card Industry Data Security Standard (PCI DSS), GDPR, Sarbanes-Oxley (SOX), Financial Instruments andExchange Act (J-SOX, also known as Japan-SOX), North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), andInternational Organization for Standardization (ISO 20071). If the network security policy doesn’t adhere to regulatory or corporate standards, thereports identify the exact rules and devices that cause gaps in compliance. A single report provides visibility into risk and compliance associated witha group of devices.FIGURE 5: PCI DSS firewall compliance report automatically generated by AlgoSec.THE FIREWALL AUDIT CHECKLIST Six Best Practices for Simplifying Firewall Compliance and Risk MitigationPAGE 10

CONCLUSIONEnsuring and proving compliance typically require significant organizational resources and budget. With the growing litanyof regulations, the cost and time involved in the audit process is increasing rapidly. Armed with the firewall audit checklistand with the AlgoSec security policy management solution you can:REDUCE THE TIME REQUIRED FOR AN AUDIT — Manual reviews can take a significant amount of time to producea report for each firewall in the network. AlgoSec aggregates data across a defined group of firewalls and devices fora unified compliance view, doing away with running reports for each device, thereby saving a tremendous amount oftime and effort that is wasted on collating individual device reports. AlgoSec enables you to produce a report in minutes,reducing time and effort by as much as 80%.IMPROVE COMPLIANCE WHILE REDUCING COSTS — As the auditor’s time to gather pertinent information andanalyze the network security status is reduced, the total cost of the audit decreases substantially. AlgoSec facilitates theremediation of non-compliant items by providing actionable information that further reduces the time to re- establish acompliant state.ABOUT ALGOSECAlgoSec enables the world’s largest organizations to align business and security strategies, and manage their networksecurity based on what matters most — the applications that power their businesses.Through a single pane of glass, the AlgoSec Security Management Solution provides holistic, business-level visibility acrossthe entire network security infrastructure, including business applications and their connectivity flows — in the cloudand across SDN and on-premise networks. With AlgoSec users can auto-discover and migrate application connectivity,proactively analyze risk from the business perspective, tie cyber-attacks to business processes and intelligently automate timeconsuming security changes — all with zero-touch, and seamlessly orchestrated across any heterogeneous environment.Over 1,800 leading organizations, including 20 of the Fortune 50, have relied on AlgoSec to drive business agility, securityand compliance. AlgoSec has provided the industry’s only money-back guarantee since 2005.AlgoSec.comCopyright 2020 AlgoSec Inc. All rights reserved. AlgoSec is a registered trademark of AlgoSec Inc. The AlgoSec Logo is a trademark of AlgoSec Inc. All other trademarks used herein are the propertyof their respective owners. SB-F5-EN-1