ISO 27001 Firewall Security Audit Checklist
Published August 27, 2020 by Tricia Scherer • 6 min read
Because of additional regulations and standards pertaining to information security, including Payment Card Industry Data Security Standard (PCI-DSS), the General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA) and ISO 27001, organizations are putting more emphasis on compliance as well as the auditing of their cybersecurity policies and cybersecurity controls.
Even if your company doesn’t have to comply with industry or government regulations and cybersecurity standards, it still makes sense to conduct comprehensive audits of your firewalls on a regular basis.
These audits ensure that your firewall configurations and rules adhere to the requirements of external regulations and your internal cybersecurity policy. Beyond compliance, they also play a critical role in reducing risk and can actually improve firewall performance by optimizing the firewall rule base.
Because of today’s multi-vendor network environments, which usually include tens or hundreds of firewalls running thousands of firewall rules, it’s practically impossible to conduct a manual cybersecurity audit.
That’s because when firewall administrators manually conduct audits, they must rely on their own experiences and expertise, which usually varies greatly among organizations, to determine if a particular firewall rule should or shouldn’t be included in the configuration file.
Additionally, because the documentation of the current rules and the evolution of their changes isn’t typically up to date, it takes time and resources to manually find, organize, and review all of the firewall rules to determine how compliant you are. And that takes a toll on your information security staff.
As networks become more complex, so does auditing. And manual processes just can’t keep up. As such, you should automate the process to audit your firewalls because it’s important to continually audit for compliance, not just at a particular point in time.
What is a Firewall?
A firewall is a cybersecurity tool that sits between internal or external networks and manages the connections between them: it accepts or rejects connections, or filters them according to specific parameters.
ISO 27001 doesn’t set the technical details; it relies on the cybersecurity controls of ISO 27002 to minimize the risks pertaining to the loss of confidentiality, integrity, and availability. So you have to perform a risk assessment to find out what kind of protection you need and then set your own rules for mitigating those risks. It’s critical that you know how to implement the controls related to firewalls because they protect your company from threats related to connections and networks and help you reduce risks.
The ISO 27001 standard doesn’t have a control that explicitly indicates that you need to install a firewall. And the brand of firewall you choose isn’t relevant to ISO compliance. Rather, you must document the purpose of the control, how it will be deployed, and what benefits it will provide toward reducing risk. This is critical when you undergo an ISO audit. You’re not going to pass an ISO audit just because you picked any specific firewall.
Consequently, the following checklist of best practices for firewall audits offers basic information about the configuration of a firewall. And since ISO 27001 doesn’t specify how to configure the firewall, it’s important that you have the basic knowledge to configure firewalls and reduce the risks that you’ve identified to your network.
1. Collect Key Information Before Beginning the Audit
Your firewall audit probably won’t succeed if you don’t have visibility into your network, which includes hardware, software, policies, as well as risks. The critical information you need to gather to plan the audit work includes:
- Copies of pertinent security policies
- Access to firewall logs to be analyzed against the firewall rule base so you can understand the rules that are really being used
- An accurate diagram of your current network and firewall topologies
- Expected system data flows and interconnections
- Reports and documents from past audits, including objects, firewall rules, and policy revisions
- Identification of all virtual private networks and Internet service providers
- All the pertinent information about a firewall vendor, including the version of the operating system, the latest patches, and default configuration
- An understanding of all the critical servers and data repositories in the network and the value and classification of each of them
Once you’ve collected this data, your auditor has to document, store, and consolidate it to enable collaboration with your IT staff.
2. Review the Change Management Process
You need a sound change management process to ensure that you execute firewall changes properly and can trace them afterwards. When it comes to change control, the two most common problems are poor documentation of the changes (why each change is needed, who authorized it, etc.) and failing to properly validate the effect of each change on the network.
When you review the procedures for rule-base change management, you should ask the following questions.
- Are the changes that are requested going through the proper approvals?
- Are authorized personnel implementing the changes?
- Are you testing the changes?
- Are you documenting the changes per the requirements of regulatory bodies and/or your internal policies? Each rule should have a comment, including the change ID of the request and the name/initials of the individual who implemented the change.
- Is there an expiration date for the change?
You also need to determine if you have a formal and controlled process in place to request, review, approve, and implement firewall changes. At the very least, this process should include:
- The business reason for a change request.
- The time period for a new or modified rule.
- The assessment of the potential risk that’s associated with a new or modified rule.
- The formal approval for a new or modified rule.
- Assigning implementation to the proper administrator.
- Verifying that the change has been tested and correctly implemented.
In addition, you have to determine if real-time monitoring of changes to a firewall is enabled and if authorized requestors, administrators, and stakeholders receive notifications of the rule changes.
3. Audit the Physical and Operating System Security of the Firewall
It’s also critical that you’re certain about the physical and software security of each firewall to protect against cyberattacks. As such:
- Be sure that the firewall and management servers are physically secured with controlled access.
- Ensure that you have a current list of the individuals who are authorized to access the firewall server rooms.
- Verify that you’ve applied all the appropriate vendor patches and updates.
- Make certain that the operating system passes common hardening checklists.
- Review the policies and procedures for device administration.
4. Clean Up and Enhance the Rule Base
You can significantly improve IT productivity as well as the performance of the firewall if you remove firewall clutter and enhance the rule base. In addition, enhancing the firewall rules can greatly cut down on a lot of the needless overhead in the audit process. Therefore, you should:
- Remove the rules that aren’t really useful.
- Identify the disabled and unused rules that should be removed.
- Delete or disable the unused and expired rules and objects.
- Assess the order of firewall rules for their performance and effectiveness.
- Delete unused connections, including source/destination/service routes that are no longer in use.
- Identify the duplicate rules and consolidate them into one rule.
- Pinpoint and remediate overly permissive rules by analyzing the actual policy usage against firewall logs.
- Analyze VPN parameters to uncover unused users and groups, unattached users and groups, expired users and groups, as well as users about to expire.
- Enforce object-naming conventions.
- Keep a record of rules, objects, and policy revisions for future reference.
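Worked example of the rule-base checks above (unused, disabled, expired, duplicate and overly permissive rules, with usage taken from firewall logs as the checklist recommends). It is an added illustration, not code from the original article or from any vendor product; the rule fields, the key=value log format and the audit date are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample rule base in match order (not taken from any real firewall).
RULES = [
    {"id": 1, "src": "10.0.0.0/8", "dst": "10.20.0.5", "svc": "tcp/443", "enabled": True, "expires": None},
    {"id": 2, "src": "any", "dst": "10.20.0.0/24", "svc": "any", "enabled": True, "expires": None},
    {"id": 3, "src": "10.0.0.0/8", "dst": "10.20.0.5", "svc": "tcp/443", "enabled": True, "expires": None},
    {"id": 4, "src": "192.168.5.0/24", "dst": "10.20.0.9", "svc": "tcp/22", "enabled": False, "expires": None},
    {"id": 5, "src": "172.16.1.10", "dst": "10.20.0.12", "svc": "tcp/3389", "enabled": True, "expires": date(2020, 6, 30)},
]
LOG_LINES = [  # constructed log lines for the audit window; the key=value layout is an assumption
    "2020-08-01T10:00:01 rule=1 src=10.1.2.3 dst=10.20.0.5 proto=tcp dport=443 action=allow",
    "2020-08-01T10:00:03 rule=2 src=10.1.9.9 dst=10.20.0.7 proto=tcp dport=443 action=allow",
    "2020-08-01T10:00:04 rule=2 src=10.1.9.9 dst=10.20.0.7 proto=tcp dport=80 action=allow",
]
AUDIT_DATE = date(2020, 8, 27)  # constructed "today" for the expiry check

def parse_usage(lines):
    """Hit count and set of observed services (proto/port) per rule id, from log lines."""
    hits, services = Counter(), defaultdict(set)
    for line in lines:
        f = dict(re.findall(r"(\w+)=(\S+)", line))
        rid = int(f["rule"])
        hits[rid] += 1
        services[rid].add(f"{f['proto']}/{f['dport']}")
    return hits, services

def stale_rules(rules, hits, today):
    """Ids of rules that are disabled, past their expiry date, or enabled but never hit."""
    return sorted(r["id"] for r in rules
                  if not r["enabled"] or (r["expires"] and r["expires"] < today) or hits[r["id"]] == 0)

def duplicate_rules(rules):
    """(later id, earlier id) pairs with identical match fields; the later rule can never match."""
    first, dups = {}, []
    for r in rules:
        key = (r["src"], r["dst"], r["svc"])
        if key in first:
            dups.append((r["id"], first[key]))
        first.setdefault(key, r["id"])
    return dups

def overly_permissive_rules(rules, services):
    """Enabled rules that use 'any', with the narrower service set the logs show in actual use."""
    return {r["id"]: sorted(services[r["id"]]) for r in rules
            if r["enabled"] and "any" in (r["src"], r["dst"], r["svc"])}
```

The service set returned for an 'any' rule is the evidence for narrowing it: rule 2 only ever carried tcp/443 and tcp/80 in the sample window.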
5. Conduct a Risk Assessment and Remediate Problems
A thorough risk assessment will uncover rules that may be at risk and ensure that rules comply with relevant standards and regulations and internal policies.
Be sure to identify all the rules that may be at risk based on industry standards and best practices, and prioritize them by how severe they are. Although the rules that may be at risk will differ for every company depending on its network and the level of acceptable risk, there are many frameworks and standards to provide you with a good reference point.
Here are some things to look for and validate:
- Do any firewall rules violate your security policy?
- Do any firewall rules allow risky services from your demilitarized zone (DMZ) to your internal network?
- Do any firewall rules allow risky services inbound from the Internet?
- Do any firewall rules allow direct traffic from the Internet to your internal network (not the DMZ)?
- Do any firewall rules allow traffic from the Internet to sensitive servers, networks, devices, or databases?
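Worked example of the risk questions above, as added code that is not from the original article: a zone model classifies each rule's source and destination, and each enabled allow rule receives its single most severe finding so the output comes out prioritized by severity. The zones, the sensitive segment, the risky-service list and the rule base are all constructed assumptions.

```python
import ipaddress

# Constructed zone model; all prefixes, hosts and the risky-service list are assumptions.
ZONES = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("192.168.100.0/24")],
}
SENSITIVE = [ipaddress.ip_network("10.50.0.0/24")]  # e.g. the database segment
RISKY_SERVICES = {"tcp/23", "tcp/445", "tcp/1433", "tcp/3306", "tcp/3389", "any"}  # "any" counts as risky
SEVERITY = {"internet_to_sensitive": 4, "internet_to_internal": 3,
            "internet_risky_inbound": 3, "dmz_to_internal_risky": 2}
# Constructed rule base in match order (not from any real firewall).
RULES = [
    {"id": 1, "src": "any", "dst": "192.168.100.10", "svc": "tcp/443", "action": "allow", "enabled": True},
    {"id": 2, "src": "any", "dst": "10.50.0.12", "svc": "tcp/1433", "action": "allow", "enabled": True},
    {"id": 3, "src": "192.168.100.10", "dst": "10.20.0.5", "svc": "tcp/3306", "action": "allow", "enabled": True},
    {"id": 4, "src": "198.51.100.0/24", "dst": "10.20.0.9", "svc": "tcp/22", "action": "allow", "enabled": True},
    {"id": 5, "src": "any", "dst": "192.168.100.20", "svc": "tcp/3389", "action": "allow", "enabled": True},
    {"id": 6, "src": "any", "dst": "10.0.0.0/8", "svc": "any", "action": "deny", "enabled": True},
]

def zones_of(spec):
    """Zones a src/dst field can cover: 'any' covers every zone, unlisted space counts as internet."""
    if spec == "any":
        return {"internet", "dmz", "internal"}
    net = ipaddress.ip_network(spec, strict=False)
    return {z for z, nets in ZONES.items() if any(net.subnet_of(n) for n in nets)} or {"internet"}

def is_sensitive(spec):
    """True when the destination lies inside a segment classified as sensitive."""
    return spec != "any" and any(ipaddress.ip_network(spec, strict=False).subnet_of(n) for n in SENSITIVE)

def assess(rules):
    """Most severe finding per enabled allow rule, as (severity, finding, rule id), worst first."""
    out = []
    for r in (x for x in rules if x["enabled"] and x["action"] == "allow"):
        src, dst, risky = zones_of(r["src"]), zones_of(r["dst"]), r["svc"] in RISKY_SERVICES
        checks = [  # ordered from most to least severe; the first match is reported
            ("internet_to_sensitive", "internet" in src and is_sensitive(r["dst"])),
            ("internet_to_internal", "internet" in src and "internal" in dst),
            ("internet_risky_inbound", "internet" in src and risky),
            ("dmz_to_internal_risky", "dmz" in src and "internal" in dst and risky),
        ]
        code = next((c for c, hit in checks if hit), None)
        if code:
            out.append((SEVERITY[code], code, r["id"]))
    return sorted(out, reverse=True)
```

Rule 1 (Internet to a DMZ web server on tcp/443) produces no finding, which is the intended baseline; the deny rule is skipped because only allow rules can open a path.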
You should analyze firewall rules and configurations against relevant regulatory and/or industry standards, such as PCI-DSS, SOX, ISO 27001, along with corporate policies that define baseline hardware and software configurations that devices must adhere to. Be sure to:
- Document and assign an action plan for remediation of risks and compliance exceptions identified in the risk analysis.
- Verify that you have correctly completed remediation efforts and any rule changes.
- Track and document that you’ve completed the remediation efforts.
6. Ongoing Audits
After you’ve successfully completed the firewall and security device auditing and verified that the configurations are secure, you must take the proper steps to ensure continuous compliance, including:
- Establishing a process to continually audit the firewalls.
- Replacing manual tasks that are prone to errors with automated analysis and reporting.
- Properly documenting your audit procedures and providing a complete audit trail of all firewall management activities.
- Ensuring that you have a robust firewall-change workflow in place to maintain compliance over time.
- Ensuring that you have an alerting system in place for significant events or activities, e.g., changes in certain rules or if you identify a new, high-severity risk in your policy.
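Worked example of the rule-change alerting described here and of the change-documentation check from the change-management section (every rule comment should carry the change ID of the request). It is added code, not from the original article: it diffs two constructed rule-base snapshots and flags changes that lack a fresh change reference or that widen a rule to 'any'; the CHG-nnn ticket format is an assumption.

```python
import re

CHANGE_REF = re.compile(r"\bCHG-\d+\b")  # assumed change-ticket format, e.g. CHG-140

# Constructed snapshots of the same rule base before and after a change window.
BEFORE = {
    1: {"src": "10.0.0.0/8", "dst": "10.20.0.5", "svc": "tcp/443", "action": "allow", "comment": "CHG-101 ts"},
    2: {"src": "192.168.100.10", "dst": "10.20.0.5", "svc": "tcp/3306", "action": "allow", "comment": "CHG-120 jd"},
    3: {"src": "172.16.1.10", "dst": "10.20.0.12", "svc": "tcp/3389", "action": "allow", "comment": "CHG-099 jd"},
}
AFTER = {
    1: {"src": "10.0.0.0/8", "dst": "10.20.0.5", "svc": "tcp/443", "action": "allow", "comment": "CHG-101 ts"},
    2: {"src": "192.168.100.10", "dst": "10.20.0.5", "svc": "any", "action": "allow", "comment": "CHG-120 jd"},
    4: {"src": "any", "dst": "10.20.0.9", "svc": "tcp/22", "action": "allow", "comment": "temp for vendor"},
}

def diff_rulebase(before, after):
    """Classify every rule id as added, removed or modified between two snapshots."""
    changes = []
    for rid in sorted(set(before) | set(after)):
        if rid not in before:
            changes.append(("added", rid))
        elif rid not in after:
            changes.append(("removed", rid))
        elif before[rid] != after[rid]:
            changes.append(("modified", rid))
    return changes

def alerts(before, after):
    """Flag added/modified rules whose comment lacks a fresh change reference, and 'any' widening."""
    out = []
    for kind, rid in diff_rulebase(before, after):
        if kind == "removed":
            continue  # a removed rule carries no comment; review it against the change log instead
        rule = after[rid]
        if kind == "modified" and rule["comment"] == before[rid]["comment"]:
            out.append((rid, kind, "comment not updated with the change reference"))
        elif not CHANGE_REF.search(rule["comment"]):
            out.append((rid, kind, "no change reference in comment"))
        if "any" in (rule["src"], rule["dst"], rule["svc"]):
            out.append((rid, kind, "rule uses 'any'"))
    return out
```

Run on a schedule against exported configurations, the alert list is what a reviewer sees instead of the raw rule dump.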
Firewalls are very important because they’re the digital doors to your organization, so you need to know the basics of how they are configured. In addition, firewalls help you implement the ISO 27001 security controls that reduce risk.