Auditing Firewalls - A Practical Guide
Firewalls are computer security facilities used to control or restrict network connectivity; they are used to enforce a security policy, and are typically placed between networks with different security needs. Any time a control system is in place, it's important to audit it appropriately to confirm that it is meeting your needs.
In some fields, this is a very streamlined and formalized process, thanks to a mature and stable understanding of the field and what kinds of controls are needed. Computer firewalls don't as yet enjoy this luxury; we're still figuring out what they should do and how they should do it.
So the process of auditing a firewall ends up reproducing the process of initially specifying, designing, and configuring the firewall. And if any time has passed since the initial firewall deployment, a good audit is almost guaranteed to find important room for improvement.
Audits come in two varieties: internal and external. An internal audit is one intended to provide guidance to an organization's management. An external audit is provided for the benefit of individuals outside the organization, be they investors, regulators, or other outside parties. This discussion focuses on the internal audit; so far the regulatory bodies under whose purview external financial audits are generally performed have not taken up computer security.
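Two findings an internal firewall audit almost always turns up are allow-anything rules that defeat the policy and rules that can never match because an earlier rule already covers them. The script below, an added example and not part of the original guide, checks a constructed, vendor-neutral first-match ruleset for both; the rule format and the sample rules are assumptions, not taken from any real device.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule in a constructed, vendor-neutral form."""
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR, e.g. "10.0.0.0/8" or "0.0.0.0/0" for any
    dst: str      # CIDR
    proto: str    # "tcp", "udp" or "any"
    port: str     # "443", "1024-65535" or "any"

def _port_range(p):
    """Turn a port spec into an inclusive (low, high) tuple."""
    if p == "any":
        return (0, 65535)
    lo, _, hi = p.partition("-")
    return (int(lo), int(hi or lo))

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    lo_o, hi_o = _port_range(outer.port)
    lo_i, hi_i = _port_range(inner.port)
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and lo_o <= lo_i and hi_i <= hi_o)

def audit(rules):
    """Return findings: allow-any rules and rules shadowed by an earlier rule."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0" and r.port == "any":
            findings.append(f"{r.name}: allow-any rule defeats the policy")
        for earlier in rules[:i]:
            if covers(earlier, r):   # first match wins, so r is dead
                findings.append(f"{r.name}: shadowed by {earlier.name} (never matches)")
                break
    return findings

# Constructed sample ruleset (not from any real device); first match wins.
RULES = [
    Rule("r1", "allow", "10.0.0.0/8", "10.1.2.3/32", "tcp", "443"),
    Rule("r2", "deny",  "10.0.0.0/8", "10.1.2.3/32", "tcp", "443"),  # shadowed by r1
    Rule("r3", "allow", "0.0.0.0/0",  "0.0.0.0/0",   "any", "any"),  # allow-any
    Rule("r4", "deny",  "0.0.0.0/0",  "0.0.0.0/0",   "any", "any"),  # shadowed by r3
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```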