Firewall Check List

1. Gather key firewall information before beginning an audit, such as previous reports, network diagrams, firewall configurations, and vendor documentation.
2. Check firewall access controls, including authorization processes for employee and non-employee access, password policies, default account changes, and periodic access reviews.
3. Review the firewall change management process to ensure changes are properly approved, tested, documented, and tracked with expiration dates. The process should also be formalized and controlled.
4. Evaluate the firewall monitoring process to track rule configurations, alerts, event logs, and identify unauthorized changes to ensure ongoing compliance. Regular monitoring is important for informed firewall management and security.


Firewall AUDIT CHECKLIST

Application Access Controls
☐ User accounts provisioned
☐ Access levels modifiable, user privileges limited to job function
☐ Periodical access reviews scheduled
☐ Password complexity requirement
☐ Admin activity monitored

Network Access Controls
☐ Firewall for remote access
☐ IDS for remote access
☐ IPS for remote access
☐ VPN for remote access
☐ MFA for remote access

Database Access Controls
☐ Database admin accounts controlled
☐ Admin activity monitored
☐ Application access to database restricted

Physical Security Controls
☐ Physical perimeter protections
☐ Locks
☐ Badge access
☐ Battery backup
☐ Generators
☐ HVAC

Operating System Access Controls
☐ System installation checklists or images used
☐ Security and event logs enabled
☐ Unnecessary services turned off

Anti-Malware Controls
☐ Anti-virus software
☐ Gateway filtering
☐ Browser protections

Virtual Access Controls
☐ Access to hypervisors restricted
☐ Access levels modifiable
☐ Periodical access reviews
☐ Password complexity requirement
☐ Secure configuration guide applied to hypervisors and SANs
☐ Access to services running on host restricted

Vulnerability Management Controls
☐ Scanning and remediation for vulnerabilities
☐ Patch management program

Software Development Controls
☐ Software development lifecycle established
☐ Secure coding and web app firewall/security testing
☐ Security logs collected and reviewed

User Awareness Controls
☐ Users trained on security
☐ Background checks for new employees
☐ Duties separated and documented

Change Management Controls
☐ Process for change management instated
☐ Inventory of IT assets

Data Protection Controls
☐ Encryption in transit and at rest
☐ Data classification
☐ USB restrictions in place
☐ Removal of data from storage media

Disaster Recovery Controls
☐ Backups for systems and data
☐ Disaster recovery plan established and regularly tested
☐ Business impact analysis plan established and regularly tested

Asset Management Controls
☐ Hardware and software inventoried
☐ Installation of unauthorized software, utility and audit tools prohibited
☐ System capacity and performance monitored

Vendor Management Controls
☐ Security clauses included in contracts
☐ SLAs are monitored
☐ Vendor incident notifications sent to subservice organizations regularly

Security Program Controls
☐ Risk assessments regularly performed
☐ Risks mitigated to acceptable levels
☐ Information security policies approved and in place
☐ Periodical independent audits performed

Incident Management Controls
☐ Incident response plan instated and regularly tested
☐ Customers notified following vendor incidents

1. Gather Firewall Key Information Before Beginning the Audit

A firewall audit has little chance of success without visibility into the network, including software, hardware,
policies, and risks. Below are examples of the basic information needed to plan firewall audit work:

• Obtain previous audit reports.
• Obtain the Internet policy, standards, and procedures regarding firewall inspection.
• Obtain access to the firewall logs so they can be analyzed against the rule base to determine which rules are actually being used.
• Obtain existing network diagrams and define firewall topologies.
• Get reports and documentation from previous audits, including firewall rules, objects, and policy revisions.
• List all Internet Service Providers (ISPs) and Virtual Private Networks (VPNs).
• Learn about ISP and VPN contracts.
• Determine whether methods other than the firewall are used to access the Internet.
• Obtain all relevant firewall vendor information, including the operating system version, the most recent patches, and the default
configuration.
• Understand the value of all critical servers and repositories on the network.

2. Check Firewall Access Controls

Firewalls sit between a router and application servers to provide access control. Firewalls were initially used to
protect a trusted network from an untrusted network. These days it is increasingly common to also use them to
protect application servers on internal networks from untrusted networks.

In this context, you need to establish robust firewall access control and audit it regularly.

• Is there a formal process or set of controls to authorize employees and non-employees to use the Internet, and what access levels are
granted?
• Evaluate the timeliness and completeness of the methods used.
• Is there a password policy, and are password control features implemented for all accounts?
• Have default accounts been disabled or default passwords changed from vendor-supplied values?
• Get a list of users with firewall access and compare it to documented approved requests.
• Can each user be uniquely identified?
• Evaluate whether the authentication methodologies used are effective.
• Is access granted to outsourced (third-party) personnel?
• Is the list of users with Internet access reviewed periodically? When was the last review done?
• Are there periodic reviews of inactive accounts? What measures are taken to resolve discrepancies?

3. Review Firewall Change Management Process

An effective change management process is required to ensure that firewall changes are executed and traced
correctly and provide ongoing compliance. Information such as why each change is needed and who authorized
the change should be recorded with each firewall change.

Also, poor documentation of changes and insufficient verification of the impact of each change on the network
are two of the most common problems when it comes to change control.

• Review change management procedures on a per-rule basis. A few essential questions to explore include:
  o Do the requested changes undergo appropriate approvals?
  o Are changes implemented by authorized personnel?
  o Are changes being tested?
  o Are changes documented against regulatory or internal policy requirements? Each firewall rule should have a
    comment with the name of the person who applied the change.
  o Is there an expiration date for the firewall changes?
• Check to see if there is a formal and controlled process in place for reviewing, approving, and implementing firewall changes.
This procedure should include at the very least the following steps:
  o The business purpose for the change request
  o Duration (timeframe) for the new/modified rule
  o Evaluation of potential risks associated with the new/amended rule
  o Formal approvals for the new/amended rule
  o Assignment to the appropriate administrator for implementation
  o Verification that the change has been tested and implemented correctly
• Determine if all changes were authorized and flag unauthorized rule changes for further investigation.
• Determine whether real-time monitoring of changes to the firewall is enabled and whether authorized requesters, administrators, and
stakeholders are granted access to rule change notifications.
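As an added example (not part of the checklist document), the change-control questions above can be applied mechanically: diff two rule-base snapshots and check every added or modified rule against the approved change records, including their expiry. The snapshot format, the change-ticket-in-comment convention and all rule values are constructed assumptions.

```python
from datetime import date

# Constructed snapshots: rule name -> (src, dst, service, action, comment).
# The convention assumed here is that the comment starts with the change ticket.
BEFORE = {
    "mgmt-ssh": ("10.0.9.0/24", "firewall", "ssh", "allow", "CHG-101 alice"),
    "web-in":   ("any", "10.0.1.10", "https", "allow", "CHG-120 bob"),
    "cleanup":  ("any", "any", "any", "drop", "CHG-001 alice"),
}
AFTER = {
    "mgmt-ssh": ("10.0.9.0/24", "firewall", "ssh", "allow", "CHG-101 alice"),
    "web-in":   ("any", "10.0.1.10", "https", "allow", "CHG-120 bob"),
    "db-in":    ("10.0.1.10", "10.0.2.20", "mysql", "allow", "CHG-131 carol"),
    "vendor":   ("203.0.113.5", "10.0.2.0/24", "any", "allow", ""),
    "cleanup":  ("any", "any", "any", "drop", "CHG-001 alice"),
}

# Constructed approved change records: ticket -> rule, approver, expiry date.
APPROVED = {
    "CHG-131": {"rule": "db-in", "approver": "secops", "expires": date(2024, 12, 31)},
}


def diff_rulebase(before, after):
    """Return (added, removed, modified) sets of rule names."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    modified = {n for n in set(before) & set(after) if before[n] != after[n]}
    return added, removed, modified


def ticket_of(rule):
    """Change reference = first word of the rule comment (assumed convention)."""
    comment = rule[4].strip()
    return comment.split()[0] if comment else None


def review_changes(before, after, approved, today):
    """Map each changed rule to a review status, per the section 3 questions:
    approved? by whom? still within its approved duration?"""
    added, removed, modified = diff_rulebase(before, after)
    status = {}
    for name in added | modified:
        ticket = ticket_of(after[name])
        rec = approved.get(ticket)
        if rec is None or rec["rule"] != name:
            status[name] = "UNAUTHORIZED: no approved change record"
        elif rec["expires"] < today:
            status[name] = "EXPIRED: rule is past its approved duration"
        else:
            status[name] = "OK: %s approved by %s" % (ticket, rec["approver"])
    for name in removed:
        status[name] = "REMOVED: verify the deletion was approved"
    return status


if __name__ == "__main__":
    for rule, verdict in sorted(review_changes(BEFORE, AFTER, APPROVED, date(2024, 6, 1)).items()):
        print("%-10s %s" % (rule, verdict))
```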

4. Evaluate the Firewall Monitoring Process

Monitoring the activity of your firewalls means keeping track of data such as current rule configurations, alerts,
and event logs. In particular, keeping track of existing rule configurations is essential for monitoring accesses and
identifying legacy firewall rules that need to be removed or replaced.

Without monitoring your firewall, it is difficult to make informed decisions about firewall management and rule
configurations.

In addition, security controls are required to ensure that firewall rules comply with the organization's policies and
with the external security regulations that apply to the network. Unauthorized firewall configuration changes that
violate policy can put the firewall out of compliance. It is essential to perform regular security checks to ensure
that unauthorized changes are not made.

Monitoring the firewall will also keep you updated on changes made to the firewall and alert you to the potential
risks posed by these changes. Security audits and monitoring are essential when a new firewall is installed,
firewall traversal activity occurs, or bulk configuration changes are made to firewalls.

• Is an Intrusion Detection System (IDS) used?
• If an IDS is not implemented, what is the scope of intrusion detection automation?
• For which threats is the response automated?
• Are firewall activities recorded and logged?
• Are there firewall policies and procedures in place to monitor and respond to inappropriate behavior?
• Are the actions of personnel with privileged access to the firewall verified, monitored, and reviewed?
• Are logging and reporting procedures in place to monitor and act on any inappropriate activity?
• Are all inbound services, outbound services, and firewall access attempts that violate the policy logged and
monitored?
• What tools are used to assist trend analysis?
• Are alarms set for important events or activities?
• Do the logs contain sufficient detail: responsible user, transaction type, date, timestamp, and terminal location?
• Are logs protected to prevent unauthorized changes?
• How long are logs kept?
• What media are the logs stored on, and where are they backed up?
• Is there an established process for reporting, tracking, evaluating, and resolving all incidents?
• What processes are used to track and resolve incidents?
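As an added example (not part of the checklist document), the monitoring questions above can be checked against actual log data: whether each event carries the fields the checklist asks for, whether access attempts to the firewall itself from outside the management network are caught, whether an alarm fires on repeated attempts, and whether privileged actions are recorded. The key=value log format, the admin subnet, the action names and the threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

ADMIN_NET = ipaddress.ip_network("10.0.9.0/24")   # assumed management subnet
# Fields the checklist expects in every log entry (user, type, date/time, terminal).
REQUIRED = ("ts", "user", "action", "src", "dst", "dport", "term")
ALARM_THRESHOLD = 3                               # assumed alarm setting

# Constructed sample log lines (key=value pairs, one event per line).
LOG = """\
ts=2024-06-01T10:00:01Z user=alice action=accept src=10.0.9.5 dst=firewall dport=22 term=console
ts=2024-06-01T10:00:07Z user=- action=drop src=203.0.113.7 dst=firewall dport=22 term=-
ts=2024-06-01T10:00:09Z user=- action=drop src=203.0.113.7 dst=firewall dport=22 term=-
ts=2024-06-01T10:00:12Z user=- action=drop src=203.0.113.7 dst=firewall dport=443 term=-
ts=2024-06-01T10:01:00Z user=bob action=rule-change src=10.0.9.8 dst=firewall dport=443 term=gui
ts=2024-06-01T10:02:00Z action=accept src=10.0.1.10 dst=10.0.2.20 dport=3306
"""


def parse_line(line):
    return dict(kv.split("=", 1) for kv in line.split())


def audit_logs(text):
    """Return (incomplete entries, management access attempts per source,
    sources that trip the alarm, privileged actions seen)."""
    incomplete, attempts, privileged = [], Counter(), []
    for num, line in enumerate(text.splitlines(), 1):
        ev = parse_line(line)
        missing = [k for k in REQUIRED if k not in ev]
        if missing:
            incomplete.append((num, missing))   # log lacks required detail
            continue
        # Any attempt to reach the firewall itself from outside the admin
        # network violates the management policy, dropped or not.
        if ev["dst"] == "firewall" and ipaddress.ip_address(ev["src"]) not in ADMIN_NET:
            attempts[ev["src"]] += 1
        if ev["action"] == "rule-change":       # privileged activity to review
            privileged.append((ev["ts"], ev["user"], ev["term"]))
    alarms = [src for src, n in attempts.items() if n >= ALARM_THRESHOLD]
    return incomplete, attempts, alarms, privileged


if __name__ == "__main__":
    incomplete, attempts, alarms, privileged = audit_logs(LOG)
    print("incomplete entries:", incomplete)
    print("alarms:", alarms, "privileged:", privileged)
```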

5. Clean Up and Optimize the Firewall Rule Base

De-cluttering firewall rules and optimizing the rule base can significantly improve IT productivity and firewall
performance. In addition, optimizing firewall rules can dramatically reduce unnecessary burdens in the
auditing process.

• Delete any useless firewall rules.
• Delete or disable expired and unused firewall rules and objects.
• Identify firewall rules that are disabled, inactive, or unused and should be removed.
• Assess the effectiveness and performance of the firewall rule order.
• Remove unused links, including unused source, destination, and service paths.
• Identify and combine similar rules that can be incorporated into a single rule.
• Identify excessively permissive rules by analyzing actual policy usage against firewall logs. Adjust these rules according to
policy and real usage scenarios.
• Analyze VPN parameters to identify unused users, unadded users, expired users, near-expiring users, unused groups, unadded
groups, and expired groups.
• Enforce object naming conventions.
• Document rules, objects, and policy revisions for future reference.

6. Check the Firewall's Physical and Operating System Security

It is essential to ensure that each firewall is physically secure and that its software is hardened, to protect against
the most basic types of cyberattacks.

• Ascertain that the firewall and management servers are physically secure and have restricted access.
• Check that you have an up-to-date list of authorized personnel who have access to firewall server rooms.
• Check that all necessary vendor patches and updates have been installed.
• Make sure the operating system passes standard hardening checklists.
• Review the procedures used for device management.

7. Review Firewall Restore and Recovery Processes

Often, when you least expect it, firewalls can crash, human errors can occur, and disasters can strike. Your data is
precious, and having a backup and recovery plan in place is a crucial part of running your business. The best way
to decide what to back up and to understand what is valuable is to think about what would happen if you
permanently lost some or all of your data, and how it would affect your organization.

• Is there a disaster recovery contingency plan?
• Have the recovery process and plans been tested?
• Examine the effectiveness of backup and recovery procedures, including retention.
• How often are backups made?
• Is encryption used when backing up?
• What are the results of the last successful backup test?

8. Evaluate Risk and Solve the Problems You Identify

A comprehensive risk assessment, required for any firewall audit, will identify risky rules and ensure that the rules
comply with internal policies and relevant standards and regulations.

Identify all potentially "risky" rules based on industry standards and best practices and prioritize them by severity.
Risky rules may differ for each organization, depending on the network and the acceptable level of risk. Still,
there are many frameworks and standards you can leverage that provide a good point of reference.

A few things to look for and verify in a firewall risk assessment include:

• Are there any firewall rules that violate your corporate security policy?
• Is there a firewall rule with "ANY" in the source, destination, service, protocol, application, or user fields and an action of allow?
• Are there rules allowing risky services from your DMZ to your internal network?
• Are there any rules that allow risky Internet services?
• Is there a set of rules that allows risky services to be offered to the Internet?
• Is there a set of rules in place that allows direct traffic from the Internet to the internal network?
• Are there rules in place that allow Internet traffic to sensitive servers, networks, devices, or databases?
• Examine firewall rules and configurations against relevant regulatory or industry standards such as PCI DSS, SOX, ISO 27001,
NERC CIP, and FISMA, as well as corporate policies that define critical hardware and software configurations.
• Document and assign an action plan to correct the risks and compliance exceptions found in the risk analysis.
• Verify that remediation work and rule changes are completed correctly.
• Track and document the completion of improvement work.

9. Continue the Firewall Audit Process

A successful firewall audit requires validation of secure configuration and regular audits to ensure continued
compliance. Now that you've successfully audited and secured your firewall's configuration, you must take the
necessary steps to ensure ongoing compliance. Ascertain that a process for continuous auditing of firewalls is in
place.

• Consider automating error-prone manual tasks such as analysis and reporting.
• Ensure that all audit procedures are appropriately documented, resulting in a complete audit trail of all firewall management
activities.
• Ensure a robust firewall change workflow is in place to maintain compliance over time.
• Ensure that an alert system is in place for significant events or activities, such as changes to specific rules or the discovery of a
new, high-severity risk in the policy.

Below are detailed checklist steps to review the firewall rule base:

• # 1: It is essential to know the architecture of the network, the IP addressing scheme, and VLAN information.
• # 2: Check the cleanup rule. The cleanup rule is defined at the bottom of the rule base and must deny "Any" source
to "Any" destination on "Any" service/port. The purpose of the cleanup rule is to log and deny traffic that does
not match any other rule in the rule base.
• # 3: Make sure there is a stealth rule. The stealth rule denies traffic from "Any" source to the firewall itself.
There must be a stealth rule, placed after the management rules.
• Note that the cleanup rule at the end of the rule base will block malicious traffic targeted at the firewall
even if there is no stealth rule. The stealth rule is created specifically to block such traffic immediately, because
it is undesirable to search through thousands of rules for the best match and consume unnecessary firewall
processing power.
• # 4: Ensure the firewall management rules are at the top of the rule base. Ensure that only a limited set of
administrator addresses appears in the Source field, that large subnets are not allowed to access the firewall, and
that only a limited set of ports is defined for management access.
• # 5: Make sure duplicate objects, services, hosts, or networks are removed from the rule base.
• # 6: Make sure that rules are named, which makes the rule base easier to understand. For example, use
a consistent host format such as Host Name IP.
• # 7: Make sure redundant/shadowed rules are removed from the rule base.
• # 8: Make sure unused links are excluded from the rule base, including unused source, destination, and
service objects. You can check the hit count column to see the last hit count for each rule.
• # 9: Remove rules that have not been used for a long time. Remove rules whose total hit count is zero.
• # 10: Make sure the rules with the highest hit counts are positioned near the top of the rule base, and that the
most-used services and destinations are adequately positioned within the rule base.
• # 11: Make sure that expired rules and objects are removed from the rule base. Administrators usually
provide temporary access through a rule but forget to delete it when the rule expires.
• # 12: Ensure that "Any" service/port is not allowed in the rule base, for inbound or outbound
connections, unless there is a legitimate business justification and the risk has been accepted.
• # 13: Ensure that "Any" source or destination is not allowed in the rule base, for inbound or outbound
connections, unless there is a valid business justification and the risk has been accepted.
• # 14: Ensure there are no direct inbound connections to the internal network.
• # 15: Make sure that bidirectional access is used legitimately. An administrator can configure bidirectional
access even when it is not required.
• # 16: Evaluate firewall rule order to obtain adequate performance.
• # 17: Be sure to include rule base section headers for quick recognition of rules. For example, add headings
like management rules, HR rules, cleanup rules, vendor rules.
• # 18: Make sure vulnerable ports/services are not allowed by the rules.
• # 19: Make sure the rule base contains standard comments for each rule.
• # 20: Identify similar rules that can be combined into a single rule.
• # 21: Make sure IP addresses are added to groups with a proper naming convention. Groups can
hide errors when policies are applied or changed.
• # 22: Make sure logging is enabled for each rule in the rule base.
• # 23: Ensure that an appropriate business rationale exists for the wide variety of subnets given access in the
rule base.
• # 24: Make sure the rules are defined according to the policy matrix the organization has created. The policy
matrix is the table that specifies which traffic to allow or block from which zone or VLAN.
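As an added example (not part of the checklist document), the following script runs several of the rule-base checks from sections 5 and 8 and the steps above (#2, #3, #7, #9, #11, #12, #13, #19, #22) over a constructed rule-base export. The CSV column names, the sample rules and the audit date are assumptions; shadowing is evaluated only on exact values and "any", not on subnet containment.

```python
import csv
import io
from datetime import date

# Constructed sample export: one rule per line, in enforcement order (top to bottom).
RULEBASE_CSV = """\
num,name,src,dst,service,action,log,hits,expires,comment
1,mgmt-ssh,10.0.9.0/24,firewall,ssh,allow,yes,1200,,CHG-101 admin access
2,stealth,any,firewall,any,drop,yes,340,,CHG-102 stealth rule
3,web-in,any,10.0.1.10,https,allow,yes,98000,,CHG-120 public web
4,temp-vendor,203.0.113.5,10.0.2.0/24,any,allow,no,15,2023-01-31,CHG-150 temporary
5,legacy-ftp,any,10.0.1.0/24,ftp,allow,yes,0,,
6,dup-web,any,10.0.1.10,https,allow,yes,0,,CHG-121 duplicate
7,any-any,any,any,any,allow,no,44,,
8,cleanup,any,any,any,drop,yes,5100,,CHG-001 cleanup rule
"""

ANY = "any"
MATCH_FIELDS = ("src", "dst", "service")


def parse_rules(text):
    rules = list(csv.DictReader(io.StringIO(text)))
    for r in rules:
        r["hits"] = int(r["hits"])
    return rules


def is_broad(rule):
    return all(rule[k] == ANY for k in MATCH_FIELDS)


def is_shadowed(rule, earlier):
    """True if some earlier rule already matches everything this rule matches (#7)."""
    def covers(a, b):
        return a == ANY or a == b
    return any(all(covers(e[k], rule[k]) for k in MATCH_FIELDS) for e in earlier)


def audit_rulebase(text, today=date(2024, 6, 1)):
    """Return (rule number, finding) pairs in rule-base order."""
    rules = parse_rules(text)
    findings = []
    for i, r in enumerate(rules):
        n = r["num"]
        if r["action"] == "allow" and is_broad(r):
            findings.append((n, "any/any/any allow"))            # section 8, #12, #13
        elif r["action"] == "allow" and r["service"] == ANY:
            findings.append((n, "any service allowed"))          # #12
        if r["log"] != "yes":
            findings.append((n, "logging disabled"))             # #22
        if not r["comment"].strip():
            findings.append((n, "no comment/change reference"))  # #19, section 3
        if r["hits"] == 0:
            findings.append((n, "zero hits"))                    # #9, section 5
        if r["expires"] and date.fromisoformat(r["expires"]) < today:
            findings.append((n, "expired rule still present"))   # #11
        if is_shadowed(r, rules[:i]):
            findings.append((n, "shadowed by earlier rule"))     # #7
    last = rules[-1]
    if not (last["action"] == "drop" and is_broad(last)):
        findings.append(("end", "no cleanup rule at end of rule base"))  # #2
    if not any(r["src"] == ANY and r["dst"] == "firewall" and r["action"] == "drop"
               for r in rules):
        findings.append(("base", "no stealth rule"))             # #3
    return findings
```

Note that the cleanup rule (8) is itself reported as shadowed, because the any/any/any allow in rule 7 placed above it would match all traffic first.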
