October 11, 2018
Quarterly Firewall Reviews are a Requirement – WST
For many companies there is only one device between their internal network and the whole wide world, AKA the Internet. This one device, called a firewall, is a key component in a secure architecture and it is often under managed. By that we mean the firewall is often not receiving the ongoing attention it deserves, a firewall review. The common issues we find with firewall configurations include:
- Managed Firewalls: In today’s environments we often see the management of firewalls outsourced and all but forgotten about by the institution. Most managed service providers are not conducting independent reviews of the managed firewall configuration or rules as part of the service agreement. A misconfiguration or undesirable rule will still affect the institution regardless of who’s managing it.
- Old Rules: Rules are usually added out of a need. This does not hold true for removing old and unneeded firewall rules. They tend to stay around.
- Default Settings: You would think that in today’s world a new firewall would default to most secure. Well they don’t. By default, all traffic is generally allowed outbound. This is not a good idea for many reasons, but we find overly permissive outbound rulesets all the time.
- Descriptions: The person adding a rule to a firewall knows why they are adding it, but 6 month later they may not remember and anyone else looking at the rule will not know the specific reason and history behind the rule. That is why every rule should have a comment or description with details about the rule. This will also help allow less technical staff to decipher the firewall configuration.
FFIEC guidance calls for quarterly firewall review. Significant network changes or rule changes may also warrant a firewall policy audit or review. NIST, PCI and HIPAA/HITECH have similar requirements as well.
These firewall reviews do not need to be performed by an independent source and can be done internally. For those not comfortable with doing this internally or for those that would just like to have an extra set of eyes review their firewall let us know, we will be glad to help.