Our Firewall Configuration Review Methodology

A firewall configuration review might seem like a pretty straightforward process. And truth be told, it is, as far as security assessments go. That being said, it helps to understand exactly what happens during this type of assessment, what the process includes, and what kind of results you can expect. We’ve covered firewall configuration reviews at a high level, detailing the benefits and what is included in the process. We’ve also explained how the pricing works. In this blog, we’ll cover the more technical details of what we’re doing during this process and what our exact firewall configuration review methodology is.

Standards Followed for Firewall Configuration Reviews

CIS Benchmarks (when available)

Vendor Security Hardening Guides (when available)

NIST SP 800-53 Rev. 4

Tools Commonly Used

This is a mostly manual process (roughly 95%). Configuration review tools are prone to false positives, and sifting through their output can take longer than reviewing the firewall directly. Where they do help, we use configuration audit tools to confirm results or to speed up portions of a review (e.g. the secure configuration review portion):

  • CIS-CAT (the CIS Configuration Assessment Tool, for benchmarks it supports)
  • Nessus Configuration Audit Policies

What’s the Process?

Our firewall configuration review methodology can be broken into 3 primary stages, each with several steps.

Planning

1. Gather Scoping Information

After initiating the project, scoping/target information will be collected from the client. In the case of a firewall configuration review, this information will include:

  • IP address and/or management URL for each in-scope firewall
  • Read-only administrator-level credentials (so we can see every configuration setting without being able to modify anything)
  • Any required access information (e.g. do we need VPN credentials to reach your internal network first, is MFA required, etc.)
  • Any preferred best-practice standards (e.g. NIST, PCI DSS)

2. Review Rules of Engagement

This process will involve a brief meeting with the client to review and acknowledge the rules of engagement, confirm project scope and testing timeline, identify specific testing objectives, document any testing limitations or restrictions, and answer any questions related to the project.

Execution

1. Security Configuration Review

We’ll start the device review by analyzing the current configuration, looking for issues or vulnerabilities from both a best-practice perspective and a realistic-risk perspective. As with all our assessments, the issues noted will be ranked and prioritized based on the risk they pose to your organization. This process can also help uncover strategic gaps in your device hardening process, mistakes in your hardening standards themselves, unauthorized changes to your security devices, or simply missed configuration settings that need to be addressed. Some of the broad categories we look at include:

  • Authentication
  • Authorization
  • Logging/Alerting
  • Firmware Patching
  • Administrative Access
  • Enabled Security Add-Ons and Configurations

2. Firewall Rule-set Review

The second major portion of this type of assessment is the access control list (ACL) review. Our engineers will evaluate your rules from a best-practice perspective, highlighting dangerous or risky rules, potential misconfigurations (e.g. a broad permit placed ahead of a more specific deny, so the deny never matches), overly permissive rules, etc. This takes into account your organization’s business needs, where possible, and also details administrative improvements your team can make in how the target devices are managed. Problems such as improper object creation, duplicate objects or rules, poorly documented rules, unused objects or rules, and temporary rules that were never removed can be just as dangerous to your security posture over time.
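To make the rule-set checks above concrete, here is an added example (our own illustration, not Triaxiom’s tooling) that runs the common heuristics over a small, constructed rule set in a vendor-neutral form: overly permissive permits, exact duplicates, rules shadowed by an earlier rule under first-match evaluation (with a flag when the actions conflict), temporary or expired rules, rules with a zero hit count, and undocumented rules. The `Rule` model, the `SAMPLE_RULES` data and the `REVIEW_DATE` are assumptions for the example; a real review would first export the device’s ACL and translate it into this shape.

```python
"""Heuristic firewall rule-set review over a vendor-neutral rule model.

Added illustration, not Triaxiom's tooling. The rule set at the bottom is
constructed for the example; a real review would parse the exported ACL of
the in-scope device into Rule objects first.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import ipaddress
import re

ANY_PORTS = (0, 65535)
TEMP_WORDS = re.compile(r"\b(temp|tmp|temporary|test)\b", re.IGNORECASE)
REVIEW_DATE = date(2024, 1, 15)  # assumed assessment date for the sample


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                     # "permit" or "deny"
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    ports: Tuple[int, int]          # inclusive dst port range; ANY_PORTS if unrestricted
    description: str = ""
    hits: int = 0                   # hit counter exported from the device, if available
    expires: Optional[date] = None  # planned removal date for temporary rules


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a."""
    if not (net(b.src).subnet_of(net(a.src)) and net(b.dst).subnet_of(net(a.dst))):
        return False
    if a.proto != "any" and a.proto != b.proto:
        return False
    return a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]


def review(rules: List[Rule], today: date) -> Dict[str, list]:
    findings: Dict[str, list] = {
        "overly_permissive": [], "duplicates": [], "shadowed": [],
        "temporary": [], "expired": [], "unused": [], "undocumented": [],
    }
    # Overly permissive: a permit with "any" in at least two of src/dst/service.
    for r in rules:
        wildcards = sum([r.src == "any", r.dst == "any",
                         r.proto == "any" or r.ports == ANY_PORTS])
        if r.action == "permit" and wildcards >= 2:
            findings["overly_permissive"].append(r.rule_id)
    # Duplicates: identical match criteria and action.
    by_key: Dict[tuple, List[int]] = {}
    for r in rules:
        by_key.setdefault((r.action, r.src, r.dst, r.proto, r.ports), []).append(r.rule_id)
    findings["duplicates"] = [tuple(ids) for ids in by_key.values() if len(ids) > 1]
    # Shadowing under first-match semantics: a later rule fully covered by an
    # earlier one can never match. A differing action means the intended
    # permit/deny is silently overridden (a misconfiguration, not just clutter).
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                findings["shadowed"].append(
                    (later.rule_id, earlier.rule_id, earlier.action != later.action))
    # Hygiene: temporary/expired rules, unused rules, missing documentation.
    for r in rules:
        if r.expires is not None or TEMP_WORDS.search(r.description):
            findings["temporary"].append(r.rule_id)
        if r.expires is not None and r.expires < today:
            findings["expired"].append(r.rule_id)
        if r.hits == 0:
            findings["unused"].append(r.rule_id)
        if not r.description.strip():
            findings["undocumented"].append(r.rule_id)
    return findings


# Constructed sample rule set (not exported from any real device).
SAMPLE_RULES = [
    Rule(1, "permit", "10.0.0.0/8", "10.1.1.10/32", "tcp", (443, 443), "Intranet to web server", hits=12000),
    Rule(2, "permit", "10.0.0.0/8", "10.1.1.10/32", "tcp", (443, 443), "Intranet to web server", hits=0),
    Rule(3, "permit", "10.2.0.0/16", "10.1.1.10/32", "tcp", (80, 443), "Lab subnet to web server", hits=310),
    Rule(4, "permit", "any", "any", "any", ANY_PORTS, "TEMP vendor troubleshooting", hits=4503, expires=date(2023, 5, 1)),
    Rule(5, "deny", "192.168.50.0/24", "10.1.1.0/24", "tcp", ANY_PORTS, "Block guest VLAN from servers", hits=0),
    Rule(6, "permit", "10.3.3.0/24", "10.1.1.20/32", "udp", (53, 53), "", hits=88),
]

if __name__ == "__main__":
    for category, items in review(SAMPLE_RULES, REVIEW_DATE).items():
        print(f"{category:18s} {items}")
```

Running it flags rule 4 as overly permissive and expired, rules 1 and 2 as duplicates, rule 5 as shadowed by rule 4 with a conflicting action (the guest-VLAN deny never fires because the temporary any/any permit sits above it), rules 2 and 5 as unused, and rule 6 as undocumented. Hit counters are only meaningful if the device has been running long enough to see the traffic the rule is meant for, so an unused rule is a question for the client before it becomes a finding.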

Post-Execution

1. Reporting

After completing the primary portion of the assessment, Triaxiom will formally document the findings. The output provided will generally include an executive-level report and a technical findings report. The executive-level report is written for management consumption and includes a high-level overview of assessment activities, scope, most critical/thematic issues discovered, overall risk scoring, organizational security strengths, and applicable screenshots. The technical findings report, on the other hand, will include all vulnerabilities listed individually, with details as to how to recreate the issue, a summary of the risk, recommended remediation actions, and any helpful reference links.

2. Quality Assurance

All assessments go through a rigorous technical and editorial quality assurance phase. This may also include follow-ups with the client to confirm or deny environment details, as appropriate.

3. Presentation

The final activity in any assessment will be a presentation of all documentation to the client. Triaxiom will walk the client through the information provided, make any updates needed, and address questions regarding the assessment output. Following this activity, we’ll provide new revisions of documentation and schedule any formal retesting, if applicable.

Conclusion

While this does not account for every scenario our engineers may encounter while assessing your firewall, it does provide the broader steps that our engineers will take. Our goal is to provide you with a holistic view of your risk by assessing your security devices from both a best practice perspective and a realistic perspective using our experience as penetration testers. Please let us know if you have any questions.