Firewall Audit Checklist – Process Street

Introduction to Firewall Audit Checklist:


This Process Street firewall audit checklist is engineered to provide a step-by-step walkthrough of how to check that your firewall is as secure as it can be.

We recommend utilizing this firewall audit checklist along with the other IT security processes as part of a continuous security review within your organization, provided you are able to do so with the resources you have.

This checklist searches for vulnerabilities in your security defenses and also serves as a maintenance tool to habitually clear away clutter and update your restrictions and permissions for relevancy.

This template is entirely editable and allows you to add and remove tasks while also editing the content inside them. This means you can tweak this checklist to fit the exact needs of your organization.

Throughout the template, you will see form fields where data can be entered. Any information inputted into the form fields is then stored in the template overview tab for further reference, which you can also download as a CSV file if you want to store your own logs.

If you want more information on firewalls, watch the video below:

Video: Firewall Rules - CompTIA Security+ SY0-401: 1.2 - Professor Messer

Record checklist details

Record the details of the checklist in the form fields below.

Pre-Audit Information Gathering:

Make sure you have copies of security policies

Locate copies of all security policies and procedure documents for review. 

Upload or link to them in the form fields below.

Check you have access to all firewall logs

Make sure you have access to all relevant logs. 

Record in the form field below the person who gave you access, if applicable. 

Gain a diagram of the current network

A network diagram is a useful tool that provides a simple visual overview of the network's structure.

This can help you make sure you have investigated all relevant areas. 

See the image below for tips on what to gather. 

Image: Firewall Audit Network Diagrams

Review documentation from previous audits

Gather and review any reports from previous audits.

This should help you understand how the firewall has evolved over time while revealing previous areas of weakness which you can pay extra attention to. 

Identify all relevant ISPs and VPNs

Use the form fields below to provide notes on relevant ISPs and VPNs.

Obtain all firewall vendor information

Gather as much information as you can about the vendor and the product.

Upload this information in the form field below. 

Understand the setup of all key servers

Review the setup of key servers and record any notes in the form field provided.

Review the Change Management Process:

Review the procedures for rule-base maintenance

Maintaining effective firewall systems is as much about procedural setup as it is about software or hardware.  

Request, assess, and analyze the existing procedures for maintaining the rule-base.  

Leave any notes below. 

Analyze the process for firewall changes

Analyze the overall process for changes to the firewall. 

  • Does authorization have to be given every time?
  • If so, who are the involved participants?
  • What is the workflow like?

Leave any notes on this process in the field below.

Determine whether all previous changes were authorized

With this new knowledge of the existing procedures, processes, and workflows, gain access to firewall change logs. 

You should review the previous changes to the firewall to assess whether or not the procedures and processes were appropriately followed. 

There is little point in having strong processes in place if they are not being followed by the staff involved. 

Use the form field below to record your notes.

Audit the Firewall's Physical and OS Security:

Make sure your management servers are physically secure

Access to your systems is not only digital; your physical security could also be compromised.

Review the security of the servers to make sure they cannot be tampered with without authorization.  

Leave any notes below. 

Check the access procedures to these restricted locations

These secure locations still require access. What are the procedures for gaining access to the restricted locations?

Request, review, and analyze the access procedures and authorization processes for restricted areas. 

Provide notes below. 

Verify all vendor updates have been applied

Review the vendor information you gathered previously in the process and analyze that against the recorded updates for the firewall. 

Make sure that all updates and patches have been applied. 

Make sure the OS passes common hardening checks

Your OS will need regular review to make sure it is as secure as it can be. 

For an in-depth assessment of hardening read: Operating System Hardening – CompTIA Security+ SY0-401: 3.6 

Or, watch the video below.

Video: Operating System Hardening - CompTIA Security+ SY0-401: 3.6 - Professor Messer

Assess the procedures for device administration

How we deal with extra devices on the network should be standardized in clear and actionable procedures. 

Without this, we risk creating a loophole in our security by having an unsecured device on the network. 

For more information on device administration, read: Policies Affecting Network Device Administrators

Request, review, and analyze the existing procedures for device administration.

Leave any notes in the form field below.

Optimize Your Rule Base:

Delete redundant rules

Clutter within a firewall's rule-base should be removed like clutter of any other kind. 

If there are rules which are deemed redundant, simply delete them.

Record deleted rules below. 

Delete or disable unused objects

Again, this is part of a process of de-cluttering. 

If there are unused objects present, disable or delete them as appropriate. 

Record your activity below.

Evaluate the order of firewall rules for performance

Assess the order of your rules to maximize the performance of your system.

Leave any notes on changes in the form field below.

Remove unused connections

If a connection is not in use it can be removed. 

Record your activity below.

Document the rules and changes for future reference

Make sure you have documented these changes appropriately. 

If you included all changes in the form fields in the previous tasks, then you will be able to export that data as a CSV file for easy future review. Proper use of Process Street will make sure your work is always documented.

Otherwise, take this opportunity to make sure the changes were documented. 

Conduct a Risk Assessment:

Review industry best practices for methodology

As part of a risk assessment, it is important to review industry guidelines to understand best practices and to better assess what constitutes risk in this scenario. 

Important industry documentation to review might include:

  • PCI-DSS
  • SOX
  • ISO 27001
  • NERC CIP
  • Basel-II
  • FISMA
  • J-SOX

Ask a series of thorough questions

Sam Erdheim of AlgoSec provides us with a series of potential questions to pose when we're considering risk within the context of our firewall:

  • Are there firewall rules that violate your corporate security policy?
  • Are there any firewall rules with “ANY” in the source, destination, service/protocol, application or user fields, and with a permissive action?
  • Are there rules that allow risky services from your DMZ to your internal network?
  • Are there rules that allow risky services inbound from the Internet?
  • Are there rules that allow risky services outbound to the Internet?
  • Are there rules that allow direct traffic from the Internet to the internal network (not the DMZ)?
  • Are there any rules that allow traffic from the Internet to sensitive servers, networks, devices or databases?

Consider questions like these and more in order to thoroughly analyze your risk exposure. 
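The "Delete redundant rules" task and the AlgoSec questions above both boil down to checks that can be run mechanically over an exported rule-base. The following is an added example (not Process Street's or AlgoSec's code) of a small linter that flags overly permissive "ANY" permit rules, direct Internet-to-internal permits, risky services crossing trust boundaries, and rules that are shadowed by an earlier rule. The rule format, the zone names (internet, dmz, internal), the list of "risky" services and the sample rules are all constructed for the example; a real audit would load the vendor's export into the same structure.

```python
"""Rule-base linter for a firewall audit.

Added example; assumes a simplified rule model: each rule has a source zone,
destination zone, service and action, where "any" is the wildcard. Zone and
service names are hypothetical and chosen only for the constructed sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    service: str  # e.g. "tcp/443", or "any"
    action: str   # "allow" or "deny"


# Constructed list of services the audit treats as risky across trust boundaries.
RISKY_SERVICES = {"tcp/21", "tcp/23", "tcp/445", "tcp/3389"}


def field_covers(broad: str, narrow: str) -> bool:
    """True if the value `broad` matches everything `narrow` matches."""
    return broad == "any" or broad == narrow


def is_covered(earlier: Rule, later: Rule) -> bool:
    """True if `earlier` matches every packet that `later` would match."""
    return all(field_covers(getattr(earlier, f), getattr(later, f))
               for f in ("src", "dst", "service"))


def find_shadowed(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Return (rule, shadowing_rule, kind) for rules that can never match.

    kind is "redundant" when the earlier rule has the same action (safe to delete)
    and "contradicted" when the actions differ (the later rule's intent is lost).
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:   # first-match semantics: earlier rules win
            if is_covered(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "contradicted"
                findings.append((rule.name, earlier.name, kind))
                break
    return findings


def find_risky(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule, reason) for permissive rules matching the audit questions."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if "any" in (r.src, r.dst, r.service):
            findings.append((r.name, "ANY in source/destination/service with a permissive action"))
        if r.src == "internet" and r.dst == "internal":
            findings.append((r.name, "direct traffic from the Internet to the internal network"))
        if r.src == "dmz" and r.dst == "internal" and r.service in RISKY_SERVICES:
            findings.append((r.name, f"risky service {r.service} from DMZ to internal"))
        if r.src == "internet" and r.service in RISKY_SERVICES:
            findings.append((r.name, f"risky service {r.service} inbound from the Internet"))
    return findings


# Constructed sample rule-base, in evaluation order.
SAMPLE_RULES = [
    Rule("r1", "internal", "internet", "tcp/443", "allow"),
    Rule("r2", "internet", "dmz", "tcp/443", "allow"),
    Rule("r3", "dmz", "internal", "tcp/3389", "allow"),
    Rule("r4", "internet", "internal", "tcp/22", "allow"),
    Rule("r5", "any", "any", "any", "allow"),
    Rule("r6", "internal", "internet", "tcp/443", "allow"),  # duplicate of r1
    Rule("r7", "internet", "dmz", "tcp/80", "deny"),          # never reached: r5 allows first
]


if __name__ == "__main__":
    for rule, by, kind in find_shadowed(SAMPLE_RULES):
        print(f"{rule}: {kind} by {by}")
    for rule, reason in find_risky(SAMPLE_RULES):
        print(f"{rule}: {reason}")
```

The shadow check distinguishes a truly redundant rule (safe to delete and record in the form field above) from a contradicted one, where deleting the later rule would silently keep the earlier, broader behaviour; the second case is a finding for the risk assessment rather than a clean-up item.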

Document your assessment and save as a report

Use one of the form fields below to upload or link to your risk assessment report.

Improve Firewall Processes:

Replace error-prone manual tasks with automations

Where possible, it is advantageous to replace manual tasks with automated solutions. 

This saves time and reduces errors, allowing the relevant member of staff to act as a reviewer, a second line of security.

The level of reporting available from automated tasks will also make future audits easier. 

Check out this article from CSO about picking your firewall tech: Firewall Audits Dos and Don'ts

Make sure all auditing activities have been documented

If you have utilized this checklist properly, then your auditing activities should be thoroughly documented.

If you haven't been filling in your form fields, now is the time to make sure you document your actions and store that information in one accessible place. 

Create an actionable firewall change workflow

You need to make sure that the results of this audit are actionable. 

Create a firewall change workflow to make maximum use of this audit. 

Change management is vitally important within this process. Upload your report with your firewall change workflow in the form field provided. 

If you need further information about firewall change workflows, watch the video below.

Video: Firewall Workflow to Make the Right Change the First Time - FireMon

Sources: