3. WELCOME
Submit your questions via the chat tab
Click on the Attachments link to schedule a time to speak with an expert
This webinar is being recorded and available on-demand
Connect with us through your social network of choice
https://www.algosec.com/resources
4. TODAY’S AGENDA
1. Audits and Compliance – The challenge
2. How to pass an audit
3. How to ensure compliance, now and on an ongoing basis
4. Summary
6. The firewall is the main line of defense between the public and corporate networks
7. GET READY TO RUMBLE!
“Once released, an extended transition period will be provided for organizations… To support this transition, PCI DSS v3.2.1 will remain active for 18 months once all PCI DSS v4.0 materials are released… The PCI DSS v4.0 standard will therefore be available for 2 years prior to the retirement of PCI DSS v3.2.1.” (Lauren Holloway)
6 Months
8. HOW CAN AN AUDIT HELP YOU?
Ensure firewall configurations and rules:
• Meet the requirements of external regulations
• Meet internal security policy
• Reduce risk
• Improve firewall performance by optimizing the firewall rule base
9. HOW MUCH TIME IS DEVOTED TO FW AUDITS EVERY YEAR?
• <1 week: 26%
• 1-2 weeks: 29%
• 2-4 weeks: 27%
• 1-2 months: 12%
• 2+ months: 6%
Source: AlgoSec survey
Manual Audits = Slow Down Business + Error-Prone
10. WHY IS THE AUDIT PROCESS SO CHALLENGING?
• Rule change audit logs
• Analyze…
• Simulate…
Automation is imminent!
11. AUTOMATE YOUR AUDIT PROCESS!
Step 01: Gather info
Step 02: Review change management
Step 03: Audit firewall physical & OS security
Step 04: Clean up & organize rule base
Step 05: Assess & remediate risk
Step 06: Continue again and again…
12. GATHER KEY INFORMATION (Step 01: Gather info)
Gather key information prior to starting the audit:
✓ Copies of relevant security policies
✓ Firewall logs access
✓ Updated network and firewall topology diagrams
✓ Reports and documents from previous audits
✓ Identify all ISPs and VPNs
✓ Relevant firewall vendor information
✓ Key servers and information repositories in the network
13. REVIEW CHANGE MANAGEMENT PROCESS (Step 02: Review change management)
Review the procedures for rule-base change management:
• Approvals?
• Authorized personnel only?
• Change testing?
• Change expiration date?
• Properly documented?
Determine if there is a formal and controlled process in place
Determine if changes have been authorized
Flag unauthorized rule changes for further investigation
Determine that:
• Real-time monitoring of changes to the firewall is enabled
• Access to rule-change notifications is granted to authorized personnel
14. REVIEW CHANGE MANAGEMENT PROCESS (Step 02: Review change management)
Review the procedures for rule-base change management
Determine if there is a formal and controlled process in place:
• Business purpose?
• Duration?
• Risk?
• Needed approvals?
• Who should implement?
• Correctly implemented?
Determine if changes have been authorized
Flag unauthorized rule changes for further investigation
Determine that:
• Real-time monitoring of changes to the firewall is enabled
• Access to rule-change notifications is granted to authorized personnel
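One way to do the "flag unauthorized rule changes" check from slides 13-14 in code: diff two rule-base snapshots and report every change that has no approved, still-valid change ticket. This is an added example, not AlgoSec's code; the snapshots, ticket format, rule fields and audit date are all constructed.

```python
# Added example (not from the AlgoSec deck): flag rule-base changes that have no
# matching, still-valid approved change ticket. Snapshots, tickets and the rule
# fields are all constructed for illustration.
from datetime import date

# Constructed snapshots: rule id -> (source, destination, service, action)
BEFORE = {
    "r1": ("10.0.0.0/8", "10.20.0.5/32", "tcp/443", "allow"),
    "r2": ("any", "10.20.0.9/32", "tcp/22", "allow"),
    "r3": ("192.0.2.0/24", "any", "any", "deny"),
}
AFTER = {
    "r1": ("10.0.0.0/8", "10.20.0.5/32", "tcp/443", "allow"),
    "r2": ("any", "10.20.0.9/32", "any", "allow"),        # service widened
    "r4": ("any", "10.20.0.50/32", "tcp/3389", "allow"),  # new rule
}                                                         # r3 removed

# Constructed approved tickets: (rule id, change type, approval expiry date)
TICKETS = [
    ("r3", "remove", date(2030, 1, 1)),
    ("r4", "add", date(2020, 1, 1)),    # approval has expired
]
AUDIT_DATE = date(2024, 6, 1)           # constructed "today" for the example

def diff_rulebase(before, after):
    """Classify every rule id present in either snapshot as add/remove/modify."""
    changes = {}
    for rid in set(before) | set(after):
        if rid not in before:
            changes[rid] = "add"
        elif rid not in after:
            changes[rid] = "remove"
        elif before[rid] != after[rid]:
            changes[rid] = "modify"
    return changes

def unauthorized_changes(before, after, tickets, today):
    """Changes with no ticket of the same type whose approval is still valid."""
    approved = {(rid, kind) for rid, kind, expiry in tickets if expiry >= today}
    return {rid: kind for rid, kind in diff_rulebase(before, after).items()
            if (rid, kind) not in approved}

if __name__ == "__main__":
    flagged = unauthorized_changes(BEFORE, AFTER, TICKETS, AUDIT_DATE)
    for rid, kind in sorted(flagged.items()):
        print(f"FLAG rule {rid}: {kind} without a valid approval -> investigate")
```

Rule r3's removal is covered by a valid ticket, but r2 was widened with no ticket at all and r4 was added under an approval that had already expired, so both are flagged for investigation.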
17. FIREWALL’S PHYSICAL AND OS SECURITY (Step 03: Audit firewall physical & OS security)
Audit the Firewall’s Physical and OS Security:
✓ Firewall and management servers are physically secured
✓ List of authorized personnel permitted to access the firewall server rooms
✓ Vendor patches and updates have been applied
✓ OS passes common hardening checklists
✓ Procedures used for device administration
18. CLEANUP AND OPTIMIZE POLICY (Step 04: Clean up & organize rule base)
Cleanup and Optimize the Rule Base:
✓ Perform needed deletions from FWs
✓ Consolidate similar / duplicate rules
✓ Identify:
  • Overly permissive rules
  • Unused / unattached / expired users or groups
✓ Evaluate the order of firewall rules
✓ Enforce object-naming conventions
✓ Document rules, objects and policy revisions for future reference
19. ASSESS RISKS AND REMEDIATE ISSUES (Step 05: Assess & remediate risk)
Conduct a Risk Assessment and Remediate Issues
Identify “risky” rules and prioritize them by severity:
• Firewall rules that violate corporate security policy?
• Firewall rules with “ANY” and a permissive action?
• Firewall rules that allow risky services from the DMZ to the internal network?
• Firewall rules that allow risky services inbound or outbound from the Internet?
• Firewall rules that allow traffic from the Internet to sensitive locations?
Analyze rules & configurations
Action plan for remediation of risks & compliance exceptions
Verify correct completion of remediation efforts and rule changes
Track and document remediation completion
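The four technical questions on this slide can be turned into automated checks over a rule base, with findings sorted by severity for the remediation plan. This is an added example, not AlgoSec's code; the zone map, the list of "risky" services, the severity levels and the sample rule base are all constructed assumptions.

```python
# Added example (not from the AlgoSec deck): score every "allow" rule against the
# risky-rule questions on the slide and sort the findings by severity. The zone
# map, risky-service list, severities and rule base are all constructed.
import ipaddress
ZONES = {  # constructed: CIDR -> zone; anything unmatched is treated as Internet
    "10.10.0.0/16": "internal",
    "10.20.0.0/24": "sensitive",
    "172.16.5.0/24": "dmz",
}
RISKY_SERVICES = {"tcp/21", "tcp/23", "tcp/445", "tcp/3389", "any"}
# Constructed rule base: (name, source, destination, service, action)
RULES = [
    ("web-in",        "any",           "172.16.5.10/32", "tcp/443", "allow"),
    ("dmz-to-files",  "172.16.5.0/24", "10.10.3.0/24",   "tcp/445", "allow"),
    ("admin-any",     "any",           "any",            "any",     "allow"),
    ("inet-to-vault", "any",           "10.20.0.7/32",   "tcp/443", "allow"),
    ("deny-all",      "any",           "any",            "any",     "deny"),
]

def zone_of(addr):
    """Map an address or 'any' to a zone; unknown space counts as the Internet."""
    if addr == "any":
        return "internet"
    net = ipaddress.ip_network(addr, strict=False)
    for cidr, zone in ZONES.items():
        if net.subnet_of(ipaddress.ip_network(cidr)):
            return zone
    return "internet"

def rule_findings(rule):
    """Return (severity, reason) pairs for one rule; deny rules are not risky."""
    name, src, dst, svc, action = rule
    if action != "allow":
        return []
    sz, dz = zone_of(src), zone_of(dst)
    findings = []
    if "any" in (src, dst, svc):
        findings.append(("high", "ANY with a permissive action"))
    if sz == "dmz" and dz in ("internal", "sensitive") and svc in RISKY_SERVICES:
        findings.append(("high", "risky service from DMZ to internal network"))
    if "internet" in (sz, dz) and svc in RISKY_SERVICES:
        findings.append(("critical", "risky service inbound/outbound from Internet"))
    if sz == "internet" and dz == "sensitive":
        findings.append(("critical", "Internet to sensitive location"))
    return findings

def prioritize(rules):
    """Flatten all findings into (severity, rule name, reason), worst first."""
    order = {"critical": 0, "high": 1}
    rows = [(sev, r[0], why) for r in rules for sev, why in rule_findings(r)]
    return sorted(rows, key=lambda row: (order[row[0]], row[1]))
```

The policy-violation question on the slide is deliberately left out: it needs the organization's own policy as input, which a generic check cannot supply.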
20. CONTINUE IMPROVING… (Step 06: Continue again and again…)
Ongoing Audits:
✓ A process is established for continuous auditing of firewalls
✓ Manual tasks → automated analysis & reporting
✓ Audit procedures are properly documented
✓ Robust firewall change workflow is in place
✓ Alerting system in place for significant rule-related events
26. CLEAN UP AND OPTIMIZE YOUR RULE BASE
01 Consolidate similar rules
02 Discover and remove unused rules and objects
03 Identify and remove shadowed / duplicate / expired rules
04 Reorder while retaining policy logic
05 Tighten overly permissive rules based on actual usage patterns
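Finding the unused, shadowed and duplicate rules from steps 02 and 03 is mechanical once the rule base is ordered and hit counters are available. This is an added example, not AlgoSec's code; the rule base, its hit counters and the simplified field format are constructed assumptions.

```python
# Added example (not from the AlgoSec deck): find shadowed, duplicate and unused
# rules in an ordered rule base, as in steps 02 and 03 on the slide. The rule
# base, hit counters and field formats are constructed for illustration.
import ipaddress

# Constructed ordered rule base: (name, source, destination, service, action, hits)
RULES = [
    ("allow-web",     "10.10.0.0/16", "203.0.113.0/24", "tcp/443", "allow", 9120),
    ("allow-web-dup", "10.10.0.0/16", "203.0.113.0/24", "tcp/443", "allow", 0),
    ("deny-branch",   "10.10.5.0/24", "203.0.113.0/24", "tcp/443", "deny",  0),
    ("allow-dns",     "10.10.0.0/16", "any",            "udp/53",  "allow", 0),
    ("allow-mgmt",    "10.10.1.0/24", "10.20.0.9/32",   "tcp/22",  "allow", 42),
]

def field_covers(a, b):
    """True if field value a matches everything field value b matches."""
    if a == "any":
        return True
    if b == "any":
        return False
    try:  # network fields: b must be a subnet of (or equal to) a
        return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))
    except ValueError:  # service fields such as "tcp/443": exact match only
        return a == b

def covers(earlier, later):
    """True if every packet `later` would match is already matched by `earlier`."""
    return all(field_covers(a, b) for a, b in zip(earlier[1:4], later[1:4]))

def analyze(rules):
    """Return (shadowed, duplicate, unused) rule names, in rule-base order."""
    shadowed, duplicate, unused = [], [], []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                # Same action: a redundant copy. Different action: never reached,
                # so removing it keeps policy logic intact; reordering would not.
                (duplicate if earlier[4] == rule[4] else shadowed).append(rule[0])
                break
        # Zero hits on a reachable rule means it is unused; shadowed/duplicate
        # rules never see traffic anyway, so they are reported only once.
        if rule[5] == 0 and rule[0] not in shadowed + duplicate:
            unused.append(rule[0])
    return shadowed, duplicate, unused
```

On the constructed rule base, deny-branch is shadowed by allow-web (it can never block anything), allow-web-dup is an exact duplicate, and allow-dns is reachable but has never matched traffic.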