What is a firewall audit?

A firewall audit is a set of processes by which organizations may analyze and improve their existing network security posture.

Being able to access the internet is absolutely vital in nearly every modern business. Through the internet, organizations can connect with customers, sell products or services, collect data, access essential third-party tools, and so much more. However, with these capabilities come certain dangers. After all, the internet is a door that swings both ways, and sometimes it can be difficult for companies to keep the rest of the world out of their sensitive internal systems.

This is where firewalls come into play.

A firewall is an important part of network security, acting as a virtual guard gate for incoming and outgoing network traffic packets. When traffic does not meet established security requirements, the firewall swings shut and blocks the network packets from progressing. By monitoring and reviewing all the data entering or exiting a network, the firewall provides increased protection against unauthorized data access—but only if the firewall itself is fully updated and in compliance with established regulations.

To ensure that existing firewalls are fully capable of performing their essential functions, organizations must implement regular firewall audits.

To understand the importance of a firewall audit, it’s necessary to first understand how a firewall works. Firewalls are capable of using signature-pattern recognition to analyze and compare packets against an expansive database of known threats, malicious code, or attack vectors, restricting access for traffic that matches any of these dangers.

But this presents certain issues that may be exploited. For one, firewalls must be constantly updated to take into account rapidly evolving threats and malicious payloads. At the same time, improperly-configured rules can introduce weakness in firewalls that may be exploited to gain unauthorized access. In both cases, the inability of the firewall to identify, isolate, and restrict malicious packets may place the entire network in significant danger.

At the same time, managing firewalls can be extremely difficult, particularly within complex systems. Lack of visibility and incomplete documentation stands in the way of effective firewall management, potentially exposing sensitive systems and data to risk.

The firewall audit as a concept is built on the idea that security is more than just tools; it’s an ongoing process in which existing defenses are constantly reviewed, audited, and improved upon to provide the best-possible network and data protection. Regularly and consistently performed, firewall audits are a vital component in ensuring firewall viability, and play a key role in improving network security, companywide.

To defend against the ever-present risk of data breaches and other forms of cybercrime, modern businesses need effective, reliable firewalls. To help ensure that firewalls can perform their assigned functions, consider the following steps for conducting a firewall audit:

1. Collect relevant information

A key factor in performing a successful audit is visibility. Unless an organization has access to all relevant information associated with their firewall, they will not be able to accurately assess its current effectiveness or identify potential problems. Create a database or similarly structured repository to consolidate, document, and store this information so that it may be searched, retrieved, and shared with stakeholders throughout the enterprise.

Graphic outlining the steps on performing a firewall audit.

Examples of information relevant to a firewall audit include internet service provider (ISP) information, virtual private network (VPN) information, security policies, vendor information, OS version, configuration information, patch details, firewall access credentials, and any documents or reports from previous audits. Having the right information on hand will make it easier to review and track policies and procedures.

2. Review the firewall change-management process

Making changes to existing firewalls isn’t as simple as flipping a switch—and even if it were, without proper documentation and tracking, these changes would likely only create more problems. A firewall audit must have proven processes in place to follow up on once necessary changes have been identified.

Firewall change management should provide a stable procedure for implementing changes to existing firewalls, including requesting and receiving approvals, and reviewing and testing changes once they have been implemented. If a reliable change management process is not in place, then one will have to be established before any firewall audit is performed.

3. Assess existing security capabilities

A firewall audit is an essential step to ensuring that an organization’s firewalls are up to code and capable of stopping malicious traffic. That said, the firewall must also work in conjunction with other operating-system and physical security measures, so that common threats can be quickly neutralized once they have been discovered.

Evaluating existing security capabilities includes reviewing device administration procedures, reviewing and assessing systems in relation to regulatory standards, controlling access to secure servers, verifying that all relevant systems are fully up to date on all necessary security patches, and maintaining a detailed list of all employees with system and access permissions.

4. Review and simplify the firewall rule base

How a firewall operates and what kind of traffic it allows or disallows through a network is dictated by its rule base. Unfortunately, as firewalls are updated to address new and evolving threats, those rule bases may likewise grow out of control. During the firewall audit, take the time to review the firewall rule base, looking for any that include disabled, expired, or unused rules or objects. Likewise, take note of unused connections and irrelevant routes, and identify any areas where expired, unattached, or unused groups or users may be collecting in VPN parameters. Disable, remove, or eliminate any of these superfluous elements that are found.

Additionally, the rules base can be streamlined by merging similar rules, identifying and revising overly permissive rules, and prioritizing rules based on effectiveness and performance.

5. Perform a detailed risk assessment

Not every issue with the rule base will be clearly apparent. To discover less-obvious problems, organizations should conduct a risk assessment. This will not only help identify risky rules which could lead to data breaches and other problems, but will also help ensure compliance with policies, company standards, and other regulations. Established standards are often unique to specific industries. Some widely used standards include Basel-II, FISMA, ISO 27001, J-SOX, NERC CIP, PCI-DSS, and SOX.

6. Resolve any issues

With key issues identified, the next obvious step is to resolve them. Issues should be prioritized based on severity and risk potential. Create a list of all discovered issues in terms of priority and assign responsibilities for resolving these issues. Follow up by reviewing to make sure that the issues have been properly addressed.

7. Establish a schedule for future firewall audits

By their nature, firewall audits are only effective if they are performed regularly. With this in mind, the last step of conducting a firewall audit is to schedule the next one. Establish a regular cadence for future, ongoing firewall audits, and further protect vital networks by creating alerts to notify network administrators of any events, changes, activities, or emergent risks that may necessitate an audit before the scheduled date. Automation and other technologies may be applied to further streamline the firewall-audit process.

When threat actors attempt to gain access to your networks, the firewall is the bouncer who stops them at the door. But cybercrime is always advancing, and as threats become more sophisticated and pervasive, the need for increased oversight and control over firewalls is becoming something that every business can benefit from. Regularly performed firewall audits are an essential step in reinforcing an organization’s IT security posture, but for optimal protection, businesses need to go further. ServiceNow has the solution.

ServiceNow Firewall Audit and Reporting eliminates the visibility and compliance issues that so often stand in the way of a comprehensive firewall management strategy. With Firewall Audit and Reporting backed by ServiceNow Discovery, organizations gain full visibility into their entire firewall infrastructure and related processes, ensuring regulatory compliance while significantly reducing security risk. IT and other authorized users can manage firewall policies from the same central location, using dashboards and applying insights from across the business for a fully transparent and integrated solution. Additionally, owners and users can send and track requests through ServiceNow portals, while advanced automation solutions offload tasks from valuable IT teams and eliminate bottlenecks.

ServiceNow Firewall Audit and Reporting delivers complete firewall process visibility and full data integration to your IT infrastructure. Protect the firewalls that protect your business, with ServiceNow.

Capabilities that scale with your business

Gain complete visibility into your firewall policies and make audits easier.