Last updated July 17th, 2024 by Erez Tadmor
A firewall review evaluates and assesses your company’s network security capabilities as aligned with your organization’s business needs and risk tolerance to mitigate cyberattack risk.
Modern digitally transformed businesses often incorporate multiple firewall vendors with different naming conventions, making maintaining a consistent cybersecurity posture challenging.
With new data protection requirements every year, you should incorporate firewall reviews as part of your network security monitoring initiatives.
Identify Audit Plan Objectives and Scope
Every audit begins by identifying the purpose and objectives. For example, you may engage in audits for the following reasons:
- Document compliance: Compliance with security standards and industry standards, like PCI DSS, HIPAA, NIST, ECB, GDPR, SOX, or NERC CIP
- Reduce attack surface: Decommission unused, shadowed, or outdated rules
- Optimize performance: improve network speed by simplifying rules or deleting unnecessary rules
Understand Network Topology
A key information security control is creating demilitarized zones (DMZ), or security zones, that reduce the likelihood that cyber attacks will impact multiple subnets.
However, these DMZs make establishing a baseline for firewall reviews more challenging. Understanding the network’s topology involves reviewing firewall:
- Locations
- Connectivity
- Roles
- Manufacturers
Gather Audit Documentation
To streamline firewall reviews, the following information should be available for cybersecurity management stakeholders:
- Security policies: Internal controls detailing best practices
- Firewall logs: Technical documentation showing protocols, IP addresses, and subnets
- Risk assessments: Risk identification, review, and remediation activities
- Rulesets: Firewall configurations
- Audit reports: Documents identifying previous audit outcomes or findings
Evaluate Firewall Rule Placement and Order
Firewall rules should be arranged logically, from highest priority at the top to lowest at the bottom. Best practices for firewall rule order are typically rulesets that:
- Allow specific traffic
- Block by default
Rulesets that allow traffic should be precise, often including:
- Source IP address
- Destination IP address
- Destination port
- Protocol, like TCP, ICMP, or UDP
Assess Firewall Rule Unused Objects
Unused objects are networks, subnets, services, applications, user groups, or connections not specified in the ruleset or as part of a group. Unused objects create security vulnerabilities that malicious actors can exploit.
Analyze Access Control Lists (ACLs)
ACLs control the traffic allowed to enter the internal network from the public internet. Overly permissive rules can create security risks.
Best practices for firewall rules’ validation include:
- Limiting source and destination traffic as much as possible
- Explicitly defining the destination IP address or groups rather than using “any”
- Not allowing traffic from “any” source to “any” destination
- Not allowing all traffic to a destination or group of destination
- Limiting the number of open globally only ports, those defining the source as “any”
Review Roles and Access Privileges
To maintain least privilege access, you should periodically review network access controls for users, especially privileged users like administrators. When engaging in a firewall audit, some best practices for user access certification include reviewing whether:
- User roles and permissions remain consistent across firewall vendors
- Policies remain consistent when user and network asset IP address changes
- User access was terminated appropriately
- All user access to critical network resources is justified
- Only current admins have access to the firewall console
Review Change Management Procedures
You should have structured procedures for managing, approving, and tracking firewall configuration changes. Reviewing the change management procedures should ensure you document, at minimum, the following:
- Risks associated with policy changes
- Effect policy changes have on the network
- Remediation and mitigation strategy
- Reasons and objectives for changing rulesets
- Audit trail detailing the who, why, and when for any modifications
Harden Firewall Hardware and Operating System
Malicious actors can use security vulnerabilities in the firewall’s firmware or operating system to gain unauthorized access to networks and systems. Part of the firewall review should include:
- Scanning regularly for vulnerabilities
- Prioritizing remediation for high-risk vulnerabilities
- Ensuring that all updates are applied in compliance with your organizational vulnerability management policies
Review Firewall Logs
Firewall logs document activity occurring within the environment to help monitor network security and vulnerabilities. Since firewall logs can be overwhelming, organizations should ensure they collect the right amount of data to achieve objectives. Some events that the firewall logs should track include:
- Permitted, blocked, or dropped connections
- Activity from intrusion detection systems (IDS)/intrusion prevention systems (IPS)
- User activity
- Protocol usage
- Cut-through-proxy activity
After determining that logging is appropriately configured, you can review the logs to identify trends about firewall security and compliance, including:
- Anomalous traffic patterns indicating a potential security incident
- Inbound and outbound traffic analysis for rule effectiveness and efficiency
- Updates to blocklists and allowlists that can improve network security
Review Risk Assessment Documentation
Before and after making the necessary security policy and firewall ruleset changes, you should document their risk review. Before implementing changes in the change management process, look for risk assessment best practices such as:
- Impact to security policy conformance
- Source and destination vulnerabilities when changing access controls
- Business continuity risks
- “What-if” path analysis for path options that might impact risk
- Impact to attack surface and exposure
- Consistency with change management processes
Remediate Issues and Test New Firewall Rules
If the audit process identifies issues, the final step is to remediate them and test the new firewall rule configurations. Testing the changes prior to implementing them across the network reduces operational impact that can cause business disruption.
Automated Documentation with Tufin
Tufin provides a unified platform that streamlines firewall management and auditing with vendor-agnostic Unified Security Policies (USPs) that ensure consistency across hybrid and multi-cloud network architectures.
With comprehensive visibility from Tufin’s network topology maps and risk assessment workflow automations, you can achieve continuous compliance monitoring with detailed reports to reduce preparation time for improved audit readiness.
Don't miss out on more Tufin blogs
Subscribe to our weekly blog digest