Six best practices for simplifying firewall auditing and compliance, and reducing risk.
More regulations and standards relating to information security, such as the Payment Card Industry Data Security Standard (PCI-DSS), the General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA) and ISO 27001, have forced enterprises to put more emphasis—in terms of time and money—on compliance and the regular and ad hoc auditing of security policies and controls. While regulatory and internal audits cover a broad range of security checks, the firewall is featured prominently since it is the first and main line of defense between the public and the corporate network.
The number of enterprises that are not affected by regulations is shrinking. But even if you do not have to comply with specific government or industrial regulations and security standards, it is now commonplace to conduct regular, thorough audits of your firewalls. Not only do these audits ensure that your firewall configurations and rules meet the proper requirements of external regulations or internal security policy, but these audits can also play a critical role in reducing risk and actually improve firewall performance by optimizing the firewall rule base.
In today’s complex, multi-vendor network environments, typically including tens or hundreds of firewalls running thousands of rules, completed a manual security audit now borders on the impossible. Conducting the audit process manually, firewall administrators must rely on their own experience and expertise—which can vary greatly across organizations—to determine if a given firewall rule should or should not be included in the configuration file. Furthermore, documentation of current rules and their evolution of changes is usually lacking. The time and resources required to find, organize and pour through all of the firewall rules to determine the level of compliance significantly impacts IT staff.
As networks grow in complexity, auditing becomes more cumbersome. Manual processes cannot keep up. Automating the firewall audit process is crucial as compliance must be continuous, not simply at a point in time.
The firewall audit process is arduous. Each new rule must pre-analyzed and simulated before it can be implemented. A full and accurate audit log of each change must be maintained. Today’s security staffs now find that being audit-ready without automation is impractical if not virtually impossible.
It’s time to look to automation along with the establishment of auditing best practices to maintain continuous compliance.
Below, we share a proven checklist of six best practices for a firewall audits based on AlgoSec’s extensive experience in consulting with some of the largest global organizations and auditors who deal with firewall audit, optimization and change management processes and procedures. While this is not an exhaustive list that every organization must follow, it provides guidance on some critical areas to cover when conducting a firewall audit.
FIGURE 1: Overview of the Recommended Firewall Audit Process
An audit has little chance of success without visibility into the network, including software, hardware, policies and risks. The following are examples of the key information required to plan the audit work:
Once you have gathered this information, how are you going to aggregate it and storing it? Trying to track compliance on spreadsheets is a surefire way to make the audit process painful, tedious and time-consuming. Instead of spreadsheets, the auditor needs to document, store and consolidate this vital information in a way that enables collaboration with IT counterparts. With this convenience access, auditors you can start reviewing policies and procedures and tracking their effectiveness in terms of compliance, operational efficiency and risk mitigation.
It is important to be certain as to each firewall’s physical and software security to protect against the most fundamental types of cyberattack.
Removing firewall clutter and optimizing the rule base can greatly improve IT productivity and firewall performance. Additionally, optimizing firewall rules can significantly reduce a lot of unnecessary overhead in the audit process.
Essential for any firewall audit, a comprehensive risk assessment will identify risky rules and ensure that rules are compliant with internal policies and relevant standards and regulations.
Upon successful firewall and security device auditing, verifying secure configuration, proper steps must be put in place to ensure continuous compliance.
When it comes to compliance, the firewall policy management solution must have the breadth and depth to automatically generate detailed reports for multiple regulations and standards. It also must support multiple firewalls and related security devices.
By combining this firewall audit checklist with the AlgoSec Security Management Solution, organizations can significantly improve their security posture and reduce the pain of ensuring compliance with regulations, industry standards and corporate policies. Furthermore, they can ensure compliance continuously without spending significant resources wasting time and effort on complex security policies on a regular basis.
Let’s go back through the checklist and look at a few examples of how AlgoSec can help.
AlgoSec enables you to gather all of the key information needed to start the audit process. By generating a dynamic, interactive network map AlgoSec visualizes and helps you analyze complex networks. (See Figure 2.) You can view routing tables and automatically detect all interfaces,
subnets and zones. Additionally, AlgoSec provides you with visibility of all changes to your network security policies in real-time and creates detailed firewall audit reports to help approvers make informed decisions about changes that affect risk or compliance levels.
FIGURE 2: AlgoSec provides network topology awareness with a map that provides visibility of all firewalls and routers including all relevant interfaces, subnets and zones, and the ability to drill down to specific information about each device.
AlgoSec intelligently automates the security-policy change workflow, dramatically cutting the time required to process firewall changes, increasing accuracy and accountability, enforcing compliance and mitigating risk. In addition, AlgoSec provides flexible workflows and templates to help you manage change requests and tailor processes to your business needs.
AlgoSec enables you to optimize and clean up cluttered policies with actionable recommendations to:
Not only does this help you improve the performance and extend the life of your firewalls, it also saves time when it comes to troubleshooting issues and IT audits.
FIGURE 3: Unused rules that AlgoSec has identified for removal.
AlgoSec enables you to instantly discover and prioritize all risks and potentially risky rules in the firewall policy, leveraging the largest risk knowledgebase available. The knowledgebase includes industry regulations, best practices and customizable corporate security policies. AlgoSec assigns and tracks a security rating for each device and group of devices to help you to quickly pinpoint devices that require attention and to measure the effectiveness of a security policy over time.
FIGURE 4: AlgoSec identifies and prioritizes risky rules based on industry standards and frameworks and provides detailed information of source, destination, service, as well as user and application when analyzing next-generation firewalls.
AlgoSec ensures continuous compliance and instantly provides you with a view of your firewall compliance status by automatically generating reports for industry regulations, including Payment Card Industry Data Security Standard (PCI DSS), GDPR, Sarbanes-Oxley (SOX), Financial Instruments and Exchange Act (J-SOX, also known as Japan-SOX), North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), and International Organization for Standardization (ISO 20071). If the network security policy doesn’t adhere to regulatory or corporate standards, the reports identify the exact rules and devices that cause gaps in compliance. A single report provides visibility into risk and compliance associated with a group of devices.
FIGURE 5: PCI DSS firewall compliance report automatically generated by AlgoSec.
Ensuring and proving compliance typically require significant organizational resources and budget. With the growing litany of regulations, the cost and time involved in the audit process is increasing rapidly. Armed with the firewall audit checklist and with the AlgoSec security policy management solution you can:
Reduce the time required for an audit — Manual reviews can take a significant amount of time to produce a report for each firewall in the network. AlgoSec aggregates data across a defined group of firewalls and devices for a unified compliance view, doing away with running reports for each device, thereby saving a tremendous amount of time and effort that is wasted on collating individual device reports. AlgoSec enables you to produce a report in minutes, reducing time and effort by as much as 80%.
Improve compliance while reducing costs — As the auditor’s time to gather pertinent information and analyze the network security status is reduced, the total cost of the audit decreases substantially. AlgoSec facilitates the remediation of non-compliant items by providing actionable information that further reduces the time to re- establish a compliant state.