Simplifying Firewall Audits and Ensuring Continuous Compliance: Part 3 of 6

In the first two parts of this blog series I focused on Gathering Pertinent Data for a Firewall Audit and Reviewing the Firewall Change Control Process.

In this third installment, I’d like to examine the steps you need to audit your firewalls’ physical and operating systems’ security. This is important because as there is risk within firewall policies and change control processes that you must get a handle on, there is also potential risk within the firewall configuration itself. As part of your audit-readiness and goal of being continuously in compliance with internal policies or external regulations and standards, a key step is to make sure your firewalls are hardened against the most fundamental types of attack.

Step 3: Audit Your Firewalls’ Physical and OS Security

Make sure you can define and enforce corporate baselines… and report against them so you know where you stand. By reporting against these baselines that you determine, you will always be “in the know” of your firewalls’ configuration status and how they stack up to the policy. Some more specific steps to consider are:

1. Ensure your firewalls and management servers are physically secured with controlled access. Just as your firewalls filter traffic, you need to physically filter accessibility to your firewalls.
2. Ensure there is a current list of authorized personnel permitted to access the firewall server rooms. There is no need for John in sales to access these rooms.
3. Verify that all appropriate vendor patches and updates have been applied. Financially motivated cybercriminals look for openings to exploit in your security defenses. Don’t give them any easy target.
4. Ensure the operating system passes common hardening checklists. Again, you want to make sure there are no known security holes that attackers can take advantage of.
5. Review the procedures used for device administration.

In the latest version of AlgoSec Security Management Suite, we have added a baseline compliance capability that allows you to define and report against corporate-defined configuration baselines for devices – and ultimately minimize risk. Here’s a short video that examines this capability… Enjoy!