Understanding the boundary of your organisation is essential to being vigilant and maintaining a high level of security. Internet connectivity at home or in a single-site business can be straightforward, but as businesses grow in size and complexity it is very easy to lose control through not understanding the boundary infrastructure, how it is maintained and who is responsible for its maintenance. This is not intended to be a comprehensive guide to boundary security but aims to cover basic aspects which, if implemented, will provide an improved level of security and reduced exposure to risk. In cases where firewall management has been outsourced, this also acts as a check against third-party suppliers.
Maintaining an inventory of firewalls is an essential starting point to understanding the boundary and how the business interacts with the outside world.
- Do you have an inventory of all firewalls?
- Does the inventory include the physical locations of each firewall?
- Who are the manufacturers and what are the models of each firewall?
- What are the internal and external network addresses of each firewall?
- Who is responsible for maintaining the accuracy of the inventory?
Put simply, if you don’t know where all your firewalls are, then it follows that you will not be able to guarantee that strong passwords are applied, that firmware is up to date, or that firewall rules accurately reflect the requirements of the business. The inventory should also include other information covered in subsequent sections below.
Strong passwords and secure storage of passwords are essential to controlling access to firewalls and preventing unauthorised changes to configuration.
- Have all manufacturer default passwords been replaced with strong passwords?
- Are you able to verify that strong passwords apply to all firewalls in the inventory?
- Does your business divide responsibility for passwords between people, or do one or more individuals have knowledge of, or access to, all firewall passwords?
- How frequently are firewall passwords changed?
- What password vault is used to store firewall passwords?
- Do all persons with knowledge of firewall passwords or access to the password vault have a legitimate business requirement to do so?
Firmware is the software installed directly in the hardware. New versions of firmware are often released by hardware manufacturers during the usable life of the hardware.
- What is the latest version of firmware for each firewall’s make and model?
- What is the current version of firmware for each of the firewalls in the inventory?
- Are you able to verify that each of the firewalls in your business has the latest version of firmware?
- When was firmware last updated on each of the firewalls in the inventory?
- Who is responsible for checking firmware releases and performing updates?
New versions of firmware are often released specifically to mitigate security risks; without a process in place to check for and apply the latest version, known vulnerabilities remain exposed and can be exploited.
Firewall rules need to be documented for each of the firewalls in the inventory. Rule documentation should include:
- What is the business purpose of the rule?
- Does the rule control inbound or outbound traffic?
- What IP addresses and network ports are ‘allowed’ or ‘denied’?
- Who approved and who created the firewall rule?
Firewall rules do change over time as business requirements change, and unauthorised changes could also be made to them. Documentation combined with an ongoing review process will ensure that the rules configured reflect current business requirements.
- When was each firewall in the inventory last checked to ensure that all firewall rules fulfil a genuine business purpose?
- How frequently are firewall rules checked?
- Who is responsible for checking firewall rules?
- Are firewall rules disabled or deleted when there is no longer a genuine business purpose for the rule to exist?
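As an added example (not part of the original article), the checks above can be applied automatically to a rule register: the script below flags rules missing any of the documentation points listed, rules whose last review is older than an agreed interval, and inventory firewalls with no documented rules at all. The field names, sample rules, firewall names and the 180-day review interval are assumptions made for this example.

```python
from datetime import date

# Constructed sample rule register (not real data); the field names are an
# assumption for this example and mirror the documentation points above.
SAMPLE_RULES = [
    {"firewall": "fw-hq-edge", "rule_id": 10, "purpose": "Public web server",
     "direction": "inbound", "action": "allow", "source": "0.0.0.0/0",
     "destination": "203.0.113.10/32", "ports": "443/tcp",
     "approved_by": "J. Smith", "created_by": "A. Jones",
     "last_reviewed": "2024-01-15", "enabled": True},
    {"firewall": "fw-hq-edge", "rule_id": 11, "purpose": "",
     "direction": "in", "action": "allow", "source": "198.51.100.7/32",
     "destination": "203.0.113.20/32", "ports": "3389/tcp",
     "approved_by": "", "created_by": "A. Jones",
     "last_reviewed": "2022-06-01", "enabled": True},
    {"firewall": "fw-branch-1", "rule_id": 5, "purpose": "Legacy FTP (project closed)",
     "direction": "inbound", "action": "allow", "source": "0.0.0.0/0",
     "destination": "203.0.113.30/32", "ports": "21/tcp",
     "approved_by": "J. Smith", "created_by": "B. Lee",
     "last_reviewed": "2024-02-01", "enabled": False},
]
SAMPLE_INVENTORY = ["fw-hq-edge", "fw-branch-1", "fw-branch-2"]  # constructed

# A rule is only "documented" when every one of these fields is recorded.
REQUIRED = ("purpose", "direction", "action", "source", "destination",
            "ports", "approved_by", "created_by", "last_reviewed")

def review_rules(rules, today_iso, max_review_age_days=180):
    """Return {(firewall, rule_id): [findings]} for rules failing the checklist."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for r in rules:
        problems = [f"missing {f}" for f in REQUIRED if not str(r.get(f, "")).strip()]
        if r.get("direction") not in ("inbound", "outbound"):
            problems.append("direction must be 'inbound' or 'outbound'")
        if r.get("last_reviewed"):
            age = (today - date.fromisoformat(r["last_reviewed"])).days
            if age > max_review_age_days:
                problems.append(f"review overdue ({age} days since last check)")
        if problems:
            findings[(r["firewall"], r["rule_id"])] = problems
    return findings

def undocumented_firewalls(rules, inventory):
    """Inventory firewalls for which no rule documentation exists at all."""
    return sorted(set(inventory) - {r["firewall"] for r in rules})

if __name__ == "__main__":
    print(review_rules(SAMPLE_RULES, "2024-03-01"))
    print("no rule documentation:", undocumented_firewalls(SAMPLE_RULES, SAMPLE_INVENTORY))
```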
Having effective processes in place to manage firewall configuration will reduce the risk of unauthorised changes.
- Can the firewalls in the inventory be administered from outside the network?
- What network port is used to administer the firewalls from outside the network?
- Is this different from the manufacturer’s default network port?
- Are time restrictions applied to when firewalls can be administered from outside the network?
- When accessing the firewall to manage the configuration, is the connection made using HTTP or HTTPS?
- Does your business use a change management process to request, approve and implement changes to firewall configuration?
- Are changes to firewall configuration undertaken by qualified persons?
- Who is responsible for approving firewall configuration changes?