How to Perform a Firewall Audit: 6 Steps

A firewall audit is a multistep process that gives organizations insight into the status and effectiveness of the firewalls installed throughout their network. These audits provide visibility into potential vulnerabilities and the health of connections going to and from firewalls. They also uncover information about firewall changes since the last audit. 

Firewalls are critical elements within a larger network security structure, serving as gatekeepers for incoming, outgoing, and internal network traffic. As traffic flows across the network, firewalls located at each network segment evaluate traffic packets, blocking traffic that does not meet pre-established security parameters. While firewalls are effective network security tools, they must be kept up-to-date and routinely monitored. That’s where the firewall audit process comes in. 

On a related topic, also see: Top Cybersecurity Software

Why is a Firewall Audit Important?

The primary reason to invest time and resources into firewalls audits is the inherent nature of firewalls — they need constant updating to remain effective against rapidly evolving threats.

It’s also an important best security practice to monitor firewall rules to ensure they have been properly configured. Improperly configured rules can weaken firewalls and attract unauthorized access. If firewalls are unable to identify, isolate, and reject malicious traffic packets, an entire enterprise network can be put in significant danger. 

Firewall audits are also important for maintaining compliance with various industry regulations focused on network security and data protection. By performing in-house audits, organizations can feel assured they will be ready for an unexpected network audit by a regulatory body.

Firewall audits address the fact that firewall management can be complex and time-consuming. Having a step-by-step process for working through the review process helps to make sense of what can feel like an overwhelming task. 

For more information, also see: What is Big Data Security?

How to Perform a Firewall Audit: 6 Steps

These 6 steps will help you develop a firewall audit plan. For organizations operating in sectors like finance and banking, healthcare, and other industries where sensitive public data needs to be protected, you may need to seek out additional checkpoints to include in your firewall audit process. 

1. Gather Information Ahead of the Firewall Audit

Before you launch your firewall audit, it’s important to ensure you have good visibility into your network, including a good handle on hardware, software, policies, risks, and how users interact with the network. Gather the following information:

• Information from prior audits, especially documents and reports covering firewall objects, policy revisions, and most importantly, details about firewall rules that have been applied.
• List of every internet service provider (ISP) and virtual private network (VPN) used by the organization.
• Security policy documentation (including updates that have been communicated but not added to official documentation yet).
• Firewall log reports (at least at a high level — make sure you know how to quickly access more detailed information you may need later).
• Firewall vendor information like OS version, default configurations, and reporting on the latest patches that have been provided onsite or remotely.

At this stage, be sure to centralize this information in a place where other people involved in the firewall audit can access it. This will make it much simpler to keep everyone on the same page and to avoid situations where time is being wasted tracking down redundant information. Establishing a “single source of truth” goes a long way toward conducting a good firewall audit. 

2. Evaluate the Organization’s Change Management Approach

A firewall audit is a good opportunity to determine the effectiveness of the organization’s change management processes. Before making firewall changes, it’s a good idea to make sure the process is well-documented and uniform. The goal should always be to have a stable, reliable change management process. When changes are made in haphazard ways, myriad issues can arise. Consider these questions as you evaluate the change management process:

• Who is implementing changes? It should be easy to determine who “owns” every change made to a firewall. 
• Are changes being tested? Documentation about testing should be available to review during a firewall audit. 
• Who is approving requested changes? Ideally, there should be a reliable “chain of command” when it comes to making substantial changes to any firewall across the organization’s network. 

Ultimately, firewall changes should be governed by a formal, documented process that maintains integrity. Every category of firewall changes should be handled in the same way, every time. 

For more information, also see: Data Security Trends

3. Audit the Operating System and Physical Security of the Firewall.

This step relates to the rate of responsiveness an organization has for neutralizing cyber threats. Can your organization quickly isolate and stop attacks before they spread throughout the wider network? A close examination of each firewall’s physical and software security perspectives can help to answer this fundamental network security question. Here are a few ways to perform these evaluations:

• Introduce controlled access to secure firewall and other relevant servers.
• Determine if the operating system conforms to standard hardening checklists.
• Examine device administration procedures to ensure they are robust enough.
• Verify that vendor patches and updates are being implemented fully and in a timely manner.
• Review a list of authorized users who can physically access firewall server rooms.

4. Take a Hard Look at Firewall Rule Settings

One big advantage of performing a firewall audit is the opportunity to clean things up and optimize the rule base that determines which traffic a given firewall will allow or deny. As you examine firewall rules, here are a few questions to consider:

• Are there rules in the mix that don’t serve a purpose?
• Can you disable any unused or expired objects and rules? 
• Are firewall rules related to performance and effectiveness prioritized correctly?
• Are there any unused connections, including irrelevant routes?
• Are objects labeled according to standard object-naming conventions?
• Are VPN parameters up-to-date? Are there any expired or unattached groups, expired or unattached users or unused users? 
• Do firewall logs reveal whether policies are being applied adequately? 
• Are permissive rules still relevant or do these need adjusting or updating?
• Are there similar rules that could be merged into single rules?

5. Perform a Risk Assessment and Address Issues that are Uncovered

Risk assessment is a major component of any firewall audit. After all, your main goal is to determine whether the organization’s network is sitting vulnerable due to firewall inadequacies. Take your time to determine whether firewall rules truly comply with internal policies and evolving industry regulations and standards. 

This step will be unique to each organization, so be sure to apply the industry standards and best practices that apply to you. Every organization also carries its own determination of acceptable risk (a financial services company may have a much lower tolerance for risk versus a small outbound call center, for example, though both rely on up-to-date firewall protection). 

As you evaluate the list of rules, consider whether:

• The rule permits risky services from your demilitarized zone (DMZ) to the internal network.
• The rule permits risky services inbound from the internet, in general.
• The rule permits risky services outbound from the internet.
• The rule contains “ANY” in any user field.
• The rule runs afoul of corporate security policy.
• The rule falls short of corporate security policy requirements.

It’s also a good idea to review firewall configurations and rules against any regulatory standards that may apply, including:

• J-SOX
• FISMA
• Basel-II
• NERC CIP
• ISO 27001
• SOX
• PCI-DSS

6. Make a Plan for Conducting Ongoing Audits

Keep the momentum going. Once you’ve had success with your first firewall audit, make a goal of continuous compliance. These steps can help:

• Create a process that can be replicated in the future, and make sure the process is well-documented so that any analyst can conduct the audit based on the materials.
• Consider smart automation that could be integrated into the process, with a goal of eliminating error-prone manual tasks.
• Be sure any significant changes impacting firewall policy and rule changes are communicated to the point person or team responsible for conducting firewall audits so that these modifications can be considered during the next audit.

For more information, also see: Artificial Intelligence in Cybersecurity

Bottom Line: Firewall Audits

By creating a process for conducting ongoing firewall audits, you’ll have a better handle on your organization’s overall security posture. Firewalls are integral to any network security approach, so it is vital they are maintained and monitored as thoroughly as any other network asset. 

While this process can feel overwhelming, having a firewall audit checklist like this can help keep things organized and straightforward.