12 Best Practices for a Corporate Firewall Review.

A firewall review evaluates and assesses your company’s network security capabilities as aligned with your organization’s business needs and risk tolerance to mitigate cyberattack risk.  

Modern digitally transformed businesses often incorporate multiple firewall vendors with different naming conventions, making maintaining a consistent cybersecurity posture challenging.   

With new data protection requirements every year, you should incorporate firewall reviews as part of your network security monitoring initiatives.  

Identify Audit Plan Objectives and Scope 

Every audit begins by identifying the purpose and objectives. For example, you may engage in audits for the following reasons:  

• Document compliance: Compliance with security standards and industry standards, like PCI DSS, HIPAA, NIST, ECB, GDPR, SOX, or NERC CIP  

• Reduce attack surface: Decommission unused, shadowed, or outdated rules  

• Optimize performance: improve network speed by simplifying rules or deleting unnecessary rules 

Understand Network Topology 

A key information security control is creating demilitarized zones (DMZ), or security zones, that reduce the likelihood that cyber attacks will impact multiple subnets.  

However, these DMZs make establishing a baseline for firewall reviews more challenging. Understanding the network’s topology involves reviewing firewall:  

• Locations  

• Connectivity  

• Roles  

• Manufacturers 

Gather Audit Documentation 

To streamline firewall reviews, the following information should be available for cybersecurity management stakeholders:  

• Security policies: Internal controls detailing best practices  

• Firewall logs:  Technical documentation showing protocols, IP addresses, and subnets   

• Risk assessments: Risk identification, review, and remediation activities  

• Rulesets: Firewall configurations  

• Audit reports: Documents identifying previous audit outcomes or findings  

Evaluate Firewall Rule Placement and Order 

Firewall rules should be arranged logically, from highest priority at the top to lowest at the bottom. Best practices for firewall rule order are typically rulesets that:  

• Allow specific traffic   

• Block by default

Rulesets that allow traffic should be precise, often including:  

• Source IP address  

• Destination IP address  

• Destination port  

• Protocol, like TCP, ICMP, or UDP  

Assess Firewall Rule Unused Objects 

Unused objects are networks, subnets, services, applications, user groups, or connections not specified in the ruleset or as part of a group.  Unused objects create security vulnerabilities that malicious actors can exploit.  

Analyze Access Control Lists (ACLs) 

ACLs control the traffic allowed to enter the internal network from the public internet. Overly permissive rules can create security risks.  

Best practices for firewall rules’ validation include:  

• Limiting source and destination traffic as much as possible  

• Explicitly defining the destination IP address or groups rather than using “any”  

• Not allowing traffic from “any” source to “any” destination  

• Not allowing all traffic to a destination or group of destination  

• Limiting the number of open globally only ports, those defining the source as “any”  

Review Roles and Access Privileges 

To maintain least privilege access, you should periodically review network access controls for users, especially privileged users like administrators. When engaging in a firewall audit, some best practices for user access certification include reviewing whether:  

• User roles and permissions remain consistent across firewall vendors  

• Policies remain consistent when user and network asset IP address changes   

• User access was terminated appropriately  

• All user access to critical network resources is justified  

• Only current admins have access to the firewall console  

Review Change Management Procedures 

You should have structured procedures for managing, approving, and tracking firewall configuration changes. Reviewing the change management procedures should ensure you document, at minimum, the following:  

• Risks associated with policy changes  

• Effect policy changes have on the network  

• Remediation and mitigation strategy  

• Reasons and objectives for changing rulesets  

• Audit trail detailing the who, why, and when for any modifications  

Harden Firewall Hardware and Operating System  

Malicious actors can use security vulnerabilities in the firewall’s firmware or operating system to gain unauthorized access to networks and systems. Part of the firewall review should include:  

• Scanning regularly for vulnerabilities  

• Prioritizing remediation for high-risk vulnerabilities  

• Ensuring that all updates are applied in compliance with your organizational vulnerability management policies  

Review Firewall Logs 

Firewall logs document activity occurring within the environment to help monitor network security and vulnerabilities. Since firewall logs can be overwhelming, organizations should ensure they collect the right amount of data to achieve objectives. Some events that the firewall logs should track include:  

• Permitted, blocked, or dropped connections  

• Activity from intrusion detection systems (IDS)/intrusion prevention systems (IPS)  

• User activity  

• Protocol usage  

• Cut-through-proxy activity  

After determining that logging is appropriately configured, you can review the logs to identify trends about firewall security and compliance, including:  

• Anomalous traffic patterns indicating a potential security incident  

• Inbound and outbound traffic analysis for rule effectiveness and efficiency  

• Updates to blocklists and allowlists that can improve network security   

Review Risk Assessment Documentation  

Before and after making the necessary security policy and firewall ruleset changes, you should document their risk review. Before implementing changes in the change management process, look for risk assessment best practices such as: 

• Impact to security policy conformance   

• Source and destination vulnerabilities when changing access controls  

• Business continuity risks  

• “What-if” path analysis for path options that might impact risk  

• Impact to attack surface and exposure  

• Consistency with change management processes  

Remediate Issues and Test New Firewall Rules 

If the audit process identifies issues, the final step is to remediate them and test the new firewall rule configurations. Testing the changes prior to implementing them across the network reduces operational impact that can cause business disruption.   

Automated Documentation with Tufin  

Tufin provides a unified platform that streamlines firewall management and auditing with vendor-agnostic Unified Security Policies (USPs) that ensure consistency across hybrid and multi-cloud network architectures.  

With comprehensive visibility from Tufin’s network topology maps and risk assessment workflow automations, you can achieve continuous compliance monitoring with detailed reports to reduce preparation time for improved audit readiness.