martes, 14 de mayo de 2013

Mastering Your Next Audit with THE Firewall Audit Checklist

Written by Sam Erdheim
Today's business environment has become more regulated - with different mandates and requirements spanning multiple industries and regions. Some regulations require multiple audits per year and depending on your industry, you may have to comply with multiple regulations. Even if you don't have to comply with the bevy of standards or requirements such as PCI-DSS, SOX, NERC CIP, HIPAA, and so on, you most likely still have (or you SHOULD have) internal reviews and checks of security policies.
While regulations and ensuing IT audits go beyond firewalls and firewall policies, these devices are often a good place to start when it comes to becoming "audit-ready" and gaining continuous visibility of what's going on in your network. Here’s a firewall audit checklist that you should use to ensure that you have all the "I’s" dotted and the "T’s" crossed.

Step 1: Gathering Pertinent Information Before You Undergo an Audit
An audit has little chance of success if you do not have proper visibility of your network, including software, hardware, policies and risks. This sounds like an obvious statement, but many organizations do not have the necessary visibility of their IT environment. Some examples of "quick wins" in the pre-audit phase would be to collect the following information:
  • Make sure you have copies of all the relevant security policies.
  • Ensure you can access the firewall logs - this is important so that you can analyze the logs against the firewall rule base to understand what is actually being used.
  • Obtain a diagram of the current network and firewall topologies.
  • Gather and review documentation from previous audits, including firewall rules, objects and policy revisions. This can prevent you from repeating the same mistakes and hopefully key in on issues from the past that may not have been properly addressed.
  • Identify all Internet Service Providers (ISP) and Virtual Private Networks (VPN).
  • Obtain all relevant firewall vendor information including OS version, latest patches and default configuration.
  • Understand all the key servers and key information repositories in the network and their relative values to the company.
Even though this is just the preparation for the audit, you're not quite finished. Once you have gathered this information, you must have a plan to aggregate and store this information in a way that will make analysis and reporting easier - and no spreadsheets do not really count. Spreadsheet compliance is a surefire way to make the audit process painful. Document, store and consolidate this important information in a way that enables collaboration with your IT counterparts. Remember, you're most likely going to have multiple audits per year.

Step 2: Review Your Firewall Change Management Process
Poor documentation of changes (i.e why the change is needed, who authorized the change, etc.) and poor validation of the impact on the network are two of the most common issues when it comes to firewall change management. As time goes on, this challenge is exacerbated by staff turnover - that internal knowledgebase of why a change was made disappears and then you're left wondering what you should do. Here are some recommendations to consider:
  1. Review the procedures for rule-base maintenance. Make sure you can answer questions such as:
    • Are requested changes going through proper approvals?
    • Are changes being implemented by authorized personnel? And are they being tested?
    • Are the changes being documented per regulatory or internal policy requirements? Each rule should have a comment that includes the change ID of the request and the name/initials of the person who implemented the change.
    • Is there an expiration date for the change?
  2. Determine if there is a formal and controlled process in place to request, review, approve and implement firewall changes. This process should include at least the following: 
    • Business purpose for the request
    • Duration (time period) for the new/modified rule
    • Assessment of the potential risks associated with the new/modified rule
    • Formal approvals for the new/modified rule
    • Assignment to proper administrator for implementation
    • Verification that change has been tested and implemented correctly
  3. Determine whether or not all of the changes have been authorized. If you discover unauthorized rule changes, flag them for further investigation.
  4. Determine if real-time monitoring of changes to the firewall is enabled and access to rule change notifications is granted to authorized requestors, administrators and stakeholders.
Taking these recommendations into account will get you off to a good start with solidifying your firewall change management processes and ensuring continuous compliance.

Step 3: Audit Your Firewalls' Physical and OS Security
Make sure you can define and enforce corporate baselines... and report against them so you know where you stand. By reporting against these baselines that you determine, you will always be "in the know" of your firewalls' configuration status and how they stack up to the policy. Some more specific steps to consider are:
  1. Ensure your firewalls and management servers are physically secured with controlled access. Just as your firewalls filter traffic, you need to physically filter accessibility to your firewalls.
  2. Ensure there is a current list of authorized personnel permitted to access the firewall server rooms. There is no need for John in sales to access these rooms.
  3. Verify that all appropriate vendor patches and updates have been applied. Financially motivated cybercriminals look for openings to exploit in your security defenses. Don't give them any easy target.
  4. Ensure the operating system passes common hardening checklists. Again, you want to make sure there are no known security holes that attackers can take advantage of.
  5. Review the procedures used for device administration.
Step 4: Cleanup and Optimize Your Rule Base
In general, if you don't maintain and take care of something, it will get messy. Firewalls are no different. Over time, firewall policies have more and more policies added, removed and changed, and oftentimes with little documentation for the what, why, who, etc.
Removing firewall clutter and optimizing your rule base can greatly improve IT productivity and firewall performance. Additionally, optimizing firewall rules can significantly reduce a lot of unnecessary overhead in the audit process. Here's a top ten list (in no particular order) of items for you to manage (Again, as with an audit, this can't be set and forgotten... once you've optimized your rule set, you want to maintain that optimized policy over time):
  1. Delete covered rules that are effectively useless.
  2. Delete or disable expired and unused rules and objects.
  3. Identify disabled, time inactive and unused rules which are candidates for removal.
  4. Evaluate the order of firewall rules for effectiveness/performance.
  5. Remove unused connections, including specific source/destination/service routes that are not in use.
  6. Detect similar rules that can be consolidated into a single rule.
  7. Identify overly permissive rules by analyzing the actual policy usage against the firewall logs. Tune these rules as appropriate for policy and actual real use scenarios. For example, “ANY” might be used for the source address in several rules when actual traffic only originates from a handful of IP addresses.
  8. Review other security devices such as VPNs. Analyze VPN parameters to identify unused users, unattached users, expired users, users about to expire, unused groups, unattached groups and expired groups.
  9. Enforce object naming conventions.
  10. Document rules, objects and policy revisions for future reference.
Step 5: Conduct a Risk Assessment and Remediate Issues
A good place to start is to review firewall rules and configurations and identify any potentially “risky” rules. What is “risky” can be different for each organization depending on the network and the level of acceptable risk, but there are many frameworks and standards you can leverage that provide a good reference point. This can be based on your own definitions of what a risky rule or configuration is, but should also include those defined by industry standards and best practices such as PCI-DSS, SOX, ISO 27001, NERC CIP, Basel-II, FISMA and J-SOX. And they should be prioritized by severity. Some questions that you should be able to answer as part of this step include:
  • Are there firewall rules that violate your corporate security policy?
  • Are there any firewall rules with “ANY” in the source, destination, service/protocol, application or user fields, and with a permissive action?
  • Are there rules that allow risky services from your DMZ to your internal network?
  • Are there rules that allow risky services inbound from the Internet?
  • Are there rules that allow risky services outbound to the Internet?
  • Are there rules that allow direct traffic from the Internet to the internal network (not the DMZ)?
  • Are there any rules that allow traffic from the Internet to sensitive servers, networks, devices or databases?


Visto en vigilance-securitymagazine.com