Firewall configuration reviews play a critical role in ensuring the ongoing protection of the perimeter. As any firewall administrator knows, it's all too easy for a rule base to become convoluted over time, containing rules that may be outdated or simply incorrect. Regular reviews help remedy this effect and allow administrators to conduct a periodic policy "health check." Configuration reviews may be mandatory for firewalls that process regulated data. In fact, the Payment Card Industry Data Security Standard (PCI DSS) requires quarterly firewall reviews for systems involved in credit card processing.
When performing firewall configuration reviews, there are a few simple questions that you should be able to answer:
- Does the firewall rule base correctly implement the business policy? Verify that the rules in place deny any traffic that is not explicitly required for business purposes.
- Can all of the rules be traced back to specific change requests in your change-management system? Each change request should include business justification for the rule, appropriate management approval and a scheduled implementation/rollback plan.
- Is the firewall properly auditing and logging activity? Verify that firewall logs are stored on a secured log server for a period
- of time that meets your organization's retention policy.
In addition to these steps, you should ensure that your firewall rule base is clear of overlapping/shadowed rules, orphaned rules and unused rules. I discuss these issues and rule base analysis tools in my response to the question: "How should multiple firewall rules be managed?"
This was first published in February 2009