FIREWALL HEALTH CHECK & AUDIT
Why do I need a firewall health check and audit?
Firewall rules change over time and may no longer adhere to best practice, leaving the organisation vulnerable. Often organisations are unaware of what their firewall is actually doing. In some cases organisations lack an understanding of the traffic traversing their firewall and of the protocols and applications that make up that traffic. Firewall service availability, resilience and risk assessments are also often left uninvestigated. Moreover, the firewall may have additional features available which could improve security or the performance of the firewall. Or the organisation may have changed, so that the firewall no longer meets the needs of the business. So, why not mitigate risk and increase peace of mind with expert validation of your firewall's performance?
When shall I have a firewall health check and audit?
We recommend a firewall health check/audit on an infrequent but regular basis, e.g. once per year, depending on how often the firewall rules change or changes are made within the organisation.
Who will perform the firewall health check and audit?
A certified security consultant with extensive experience.
Where is the work performed?
The entire exercise can be done remotely using remote meeting capabilities or on site according to the customer’s preference.
How long will it take typically?
Typically a complete health check and audit will take 2-5 days per firewall or firewall HA cluster. The time required depends on the complexity of the rule base and on the availability of tools such as FortiAnalyzer to review historical traffic.
What will be assessed?
We will take a holistic view of your firewalling services. The basis of our approach is as follows:
Firstly, we will review the firewall platform: Software revision, CPU / Memory utilisation, Admin accounts, Certificates, UTM features (Anti-Virus/Intrusion Prevention/Application Control/Web Filtering/Botnet Protection), Interfaces, VLANs, High Availability review (failover test optional), SSL VPN, IPSec, Static routing, Equal Cost Multi Path routing, Policy based routing, Logging and logs, Alerting and alerts, Network integration and positioning.
Secondly, we will perform the firewall policy audit, reviewing each firewall policy (or firewall rule) one at a time. The related features used in each policy are also reviewed, such as: Security profiles, Objects, Source NAT, Destination NAT, SSL inspection, Traffic shapers.
We can also optionally provide a Firewall Change Process review, to ensure any change requests are properly approved, implemented and documented.
Finally, we will complete and submit a comprehensive report that includes: an Executive Summary, documentation of the environment, detailed findings and recommendations.
After the Firewall Health Check and Audit, we can also provide a service to implement the firewall policy changes needed, if requested to do so.
Contact Us for more details.
If you would like more details on the Audit:
This is the review of the firewall's rule base/policy. The procedure for this step varies between auditors, as it is traditionally a difficult task that depends heavily on the technology in use. Each question should be ranked according to the nature of the firewall and its placement within your infrastructure: for example, firewalls connected to the internet are generally at much greater risk than those that are not, and internal firewalls are often more permissive than external ones. Questions related to basic policy management and good design practice should be asked first. To answer them we examine each rule in the rule base, together with a year's worth of logs, to ascertain which rules are actually used. Until recently this was a lengthy manual process; with tools such as FortiAnalyzer, which can answer these questions automatically, it has become far easier.
The second list of questions relates to the risk and compliance of the rule base. These questions are more technically challenging to answer: we must understand the workings of your firewall to infer what traffic a rule actually passes and, where an 'allowed services' group is used, which ports and protocols actually pass through that rule.
The aim of the Firewall Change Process Audit is to ensure that any requested changes were properly approved, implemented and documented. We can achieve this in several different ways depending on whether you have a tool to assist you or whether you need to do it manually.
We will need to randomly select approximately 10 change requests created since the most recent audit. The questions we should ask when we audit a firewall change are:
If we are performing this process manually, the first step is to match each change with a firewall device and a policy, and then with the specific firewall rule or rules. If we get stuck at this point, we already know where improvement is needed. The comment on each rule should contain, as a minimum, the change ID of the request and the initials of whoever implemented the change.
Automated tools (e.g. FortiManager) are readily available and, given the quantity of rules on most modern firewalls, are highly recommended to make the auditing process more manageable. They also allow greater visibility and control over your rule base.
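As an added illustration, not part of this service description or of any Fortinet product, the Python script below runs the core checks described above over a constructed four-rule policy and a constructed extract of a year's traffic logs: rules with no log hits, any-to-any accepts, what an 'allowed services' group really passes, and whether each rule's comment carries a change ID and the implementer's initials. The CHG-nnnn ticket format, the object and group names, the log dates and the 365-day window are all assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample rule base, service group and log extract; not a real customer's data.
RULES = [
    {"id": 1, "src": "Internal", "dst": "Web_DMZ", "svc": "HTTPS", "action": "accept",
     "comment": "CHG-1042 JS"},
    {"id": 2, "src": "all", "dst": "all", "svc": "ALL", "action": "accept",
     "comment": "temporary"},
    {"id": 3, "src": "Internal", "dst": "Internet", "svc": "Allowed_Services",
     "action": "accept", "comment": "CHG-0977 MK"},
    {"id": 4, "src": "Partner", "dst": "SFTP_Srv", "svc": "SSH", "action": "accept",
     "comment": "CHG-0990"},
]
# What the 'allowed services' group actually expands to on the firewall (assumed).
SERVICE_GROUPS = {"Allowed_Services": ["HTTP", "HTTPS", "DNS", "FTP"]}
TODAY = date(2024, 6, 1)
# (date, policy id) pairs as they would be extracted from a year of traffic logs.
LOG = [(TODAY - timedelta(days=3), 1), (TODAY - timedelta(days=40), 1),
       (TODAY - timedelta(days=200), 3), (TODAY - timedelta(days=400), 4)]
CHANGE_ID = re.compile(r"\bCHG-\d+\b")    # assumed change-ticket format
INITIALS = re.compile(r"\b[A-Z]{2,3}\b")  # implementer's initials

def expand_services(svc, groups):
    # Resolve a service-group name to the services that really pass the rule.
    return groups.get(svc, [svc])

def audit(rules, log, groups, today, window_days=365):
    """Return {policy id: [finding, ...]} for every rule that needs attention."""
    used = {pid for when, pid in log if 0 <= (today - when).days <= window_days}
    findings = {}
    for r in rules:
        issues = []
        if r["id"] not in used:
            issues.append("no log hits in %d days: candidate for removal" % window_days)
        svcs = expand_services(r["svc"], groups)
        if r["action"] == "accept" and r["src"] == r["dst"] == "all" and "ALL" in svcs:
            issues.append("any-to-any accept on all services")
        if r["svc"] in groups:
            issues.append("group %s passes: %s" % (r["svc"], ", ".join(svcs)))
        rest = CHANGE_ID.sub("", r["comment"])  # strip ticket so 'CHG' is not read as initials
        if not CHANGE_ID.search(r["comment"]) or not INITIALS.search(rest):
            issues.append("comment lacks change ID and/or implementer initials")
        if issues:
            findings[r["id"]] = issues
    return findings

if __name__ == "__main__":
    for pid, issues in audit(RULES, LOG, SERVICE_GROUPS, TODAY).items():
        print("policy %d: %s" % (pid, "; ".join(issues)))
```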