Review Your Change Management Process

A good change management process is essential to ensure proper execution and traceability of firewall changes, as well as sustainability over time, so that you achieve continuous compliance rather than point-in-time compliance. Two of the most common change-control issues are poor documentation of changes (why the change is needed, who authorized it, and so on) and poor validation of the change's impact on the network. Review the procedures for rule-base maintenance.

Just a few key questions to review include:

  • Are requested changes going through proper approvals?
  • Are changes being implemented by authorized personnel? And are they being tested?
  • Are the changes being documented per regulatory or internal policy requirements?
  • Does each rule have a comment that includes the change ID of the request and the name or initials of the person who implemented the change?
  • Is there an expiration date for the change?

The second technical step in an audit is usually a review of the firewall rule base (also called a policy). The methodology for this step varies widely among auditors because it has traditionally been difficult to do and heavily technology-dependent.

For each of these questions you should have a ranking based on the type of firewall and its placement in your infrastructure. For example, a firewall not connected to the Internet does not have the same risk as one that is connected to the Internet; internal firewalls tend to be more permissive than external firewalls.

The first questions that should be asked about the rule base are related to basic policy maintenance and good design practices that grant minimal access for each device. To answer these questions, you need to look at each rule in your rule base as well as a year's worth of logs, which will tell you which rules are actually being used. This has always been a lengthy manual process until recently, with the arrival of tools that can answer these questions programmatically and automatically.

The second list of questions:

  • Are there any rules that violate our corporate security policy?
  • Are there any rules that allow risky services inbound from the Internet?
      While you may have a different list of what is considered "risky" for your company, most start with protocols that pass login credentials in the clear, like telnet, ftp, pop, imap, http, netbios, etc.
  • Are there any rules that allow risky services outbound to the Internet?
  • Are there any rules that allow direct traffic from the Internet to the internal network (not the DMZ)?
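The checks from both lists above (change-ID comments, expiration dates, rules unused in a year of logs, risky services inbound or outbound, direct Internet-to-internal access) can be scripted against an exported rule base. The following is an added example, not code from the original article or from any firewall vendor; the rule fields, the comment format "CHG-<number> <initials>" and the sample rules and hit counts are all constructed assumptions.

```python
import re
from datetime import date

# Constructed sample rule base (not from any real firewall); fields are simplified.
RULES = [
    {"id": 1, "src": "internet", "dst": "dmz", "service": "https", "action": "allow",
     "comment": "CHG-1042 jd", "expires": None},
    {"id": 2, "src": "internet", "dst": "internal", "service": "telnet", "action": "allow",
     "comment": "", "expires": None},
    {"id": 3, "src": "internal", "dst": "internet", "service": "ftp", "action": "allow",
     "comment": "CHG-0999 ab", "expires": "2023-01-31"},
    {"id": 4, "src": "internal", "dst": "dmz", "service": "ssh", "action": "allow",
     "comment": "CHG-1100 jd", "expires": None},
]
# Constructed per-rule hit counts from a year of logs; rule 4 never matched any traffic.
HITS = {1: 120345, 2: 17, 3: 40}

# Clear-text credential protocols the article lists as a typical starting point.
RISKY = {"telnet", "ftp", "pop3", "imap", "http", "netbios"}
# Assumed comment convention: change ID followed by implementer initials.
COMMENT_RE = re.compile(r"^CHG-\d+\s+\S+")

def audit_rules(rules, hits, today_iso):
    """Return (rule_id, issue) findings for the audit questions in the text."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in rules:
        allow = r["action"] == "allow"
        if not COMMENT_RE.match(r["comment"]):
            findings.append((r["id"], "missing change ID/implementer in comment"))
        if r["expires"] and date.fromisoformat(r["expires"]) < today:
            findings.append((r["id"], "rule past its expiration date"))
        if hits.get(r["id"], 0) == 0:
            findings.append((r["id"], "no matches in a year of logs"))
        if allow and r["src"] == "internet" and r["dst"] == "internal":
            findings.append((r["id"], "direct Internet-to-internal access (bypasses DMZ)"))
        if allow and r["src"] == "internet" and r["service"] in RISKY:
            findings.append((r["id"], f"risky service {r['service']} inbound from Internet"))
        if allow and r["dst"] == "internet" and r["service"] in RISKY:
            findings.append((r["id"], f"risky service {r['service']} outbound to Internet"))
    return findings

if __name__ == "__main__":
    for rule_id, issue in audit_rules(RULES, HITS, "2024-06-01"):
        print(f"rule {rule_id}: {issue}")
```

Weight each finding by the firewall's placement, as the text suggests: the same telnet rule is a far higher risk on an Internet-facing firewall than on an internal one.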

If you take the time to master those two processes you will find that it is much easier to pass firewall audits. Having responded to hundreds of firewall audits, I'm a huge fan of automating this process as much and as deeply as possible. That provides the information administrators need to answer difficult audit questions.

However, if you are tasked with auditing a large set of firewalls on an ongoing basis, or even a couple of firewalls with large and unwieldy rule bases, the time and money saved, combined with eliminating the margin for error that exists when attacking any granular, data-intensive audit manually, makes it worth the cost and effort.
