Answer yes if your organisation undertakes an annual firewall rule review in which it removes any redundant rules and makes sure that all of the rules are relevant to its business operations. Please state in the notes the date of the last review.
What is the control?
Since firewall rules, beyond the final “deny all” rule, typically explicitly allow traffic, it is important that they are kept up to date. A review of firewall rules ensures that no unnecessary access is allowed and that any rules that are no longer needed have been removed.
Why should I have it?
Excess or excessively broad firewall rules allow unneeded and potentially malicious traffic into your network. Such rules accumulate, for example, because of changes in the environment behind the firewall: systems are removed or changed without the old firewall rules being removed as part of the decommissioning process, or a system that the rules granted access to is moved to a different address while the rules stay behind. Reviews can also identify otherwise valid rules that can be narrowed down (by source, destination, protocol or port) to better restrict access.
The number of undocumented or deprecated firewall rules can grow significantly over time if no reviews are performed. A regular review is therefore essential to clean up any backlog of superfluous rules, and to confirm that rules which should have been removed as part of decommissioning processes or projects actually have been (which in turn provides evidence of the effectiveness of that process).
Such a review process therefore provides reassurance to you and potential clients that firewall rules are up to date and offering optimal protection.
A policy should be implemented stating that all firewall rules are reviewed at least annually to ensure that they are up to date and optimised to be as restrictive as possible. Note that doing so requires effective processes around asset management and discovery (which should include each asset’s configuration) in order to know which assets are present, what services they operate, for whom, and how your firewall rules should reflect each asset’s purpose. Ideally this inventory should be as close to real time as possible and not rely on manual processes to ensure accuracy.
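The checks the review is meant to perform (rules pointing at decommissioned hosts, rules permitting services an asset does not actually run, rules that are shadowed by an earlier rule and so never match, and rules broad enough to deserve a second look) can be automated as a first pass before a human signs off. The script below is an added example written for this article, not Risk Ledger’s own tooling or any vendor’s export format: it assumes a simplified, constructed rule syntax with first-match semantics (as on most firewalls), and a constructed asset inventory standing in for the asset register described above. A real review would parse the vendor’s rule export and query the CMDB instead.

```python
"""First-pass automation of a firewall rule review (added example, not page code).

Assumed rule syntax, one rule per line, evaluated top to bottom, first match wins:
    NAME ACTION PROTO SRC DST PORT      (SRC/DST: host, CIDR or 'any'; PORT: number or 'any')
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]            # None means any port


@dataclass(frozen=True)
class Asset:
    name: str
    ip: ipaddress.IPv4Address
    services: FrozenSet[int]       # ports the asset register says this host serves


def _net(token: str) -> ipaddress.IPv4Network:
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token if "/" in token else token + "/32")


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, action, proto, src, dst, port = line.split()
        rules.append(Rule(name, action.lower(), proto.lower(), _net(src), _net(dst),
                          None if port == "any" else int(port)))
    return rules


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would already have matched `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto) and outer.port in (None, inner.port))


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never match because an earlier rule covers them (dead rules)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


def find_stale(rules: List[Rule], inventory: List[Asset]):
    """Allow rules whose destination matches no registered asset (likely decommissioned),
    and allow rules permitting a port none of the matching assets is registered as serving."""
    no_asset, service_mismatch = [], []
    for r in rules:
        if r.action != "allow":
            continue
        targets = [a for a in inventory if a.ip in r.dst]
        if not targets:
            no_asset.append(r.name)
        elif r.port is not None and not any(r.port in a.services for a in targets):
            service_mismatch.append((r.name, r.port))
    return no_asset, service_mismatch


def find_overly_broad(rules: List[Rule], max_src_prefix: int = 16) -> List[Tuple[str, str]]:
    """Allow rules that should be justified or narrowed: any protocol, any port, or a
    source wider than /max_src_prefix. These are candidates for review, not verdicts."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        reasons = []
        if r.proto == "any":
            reasons.append("any protocol")
        if r.port is None:
            reasons.append("any port")
        if r.src.prefixlen < max_src_prefix:
            reasons.append(f"source wider than /{max_src_prefix}")
        if reasons:
            findings.append((r.name, ", ".join(reasons)))
    return findings


def review(rules_text: str, inventory: List[Asset]) -> dict:
    rules = parse_rules(rules_text)
    no_asset, mismatch = find_stale(rules, inventory)
    return {"shadowed": find_shadowed(rules), "no_asset": no_asset,
            "service_mismatch": mismatch, "overly_broad": find_overly_broad(rules)}


# Constructed sample ruleset and asset register (hypothetical names and addresses).
RULESET = """
# name        action proto src           dst          port
web-in        allow  tcp   any           10.0.2.15    443
web-ssh       allow  tcp   10.0.9.0/24   10.0.2.15    22
legacy-app    allow  tcp   10.0.1.0/24   10.0.2.40    8080
db-wide       allow  tcp   10.0.2.0/24   10.0.3.10    5432
db-from-web   allow  tcp   10.0.2.15     10.0.3.10    5432
mgmt-any      allow  any   any           10.0.0.0/8   any
deny-all      deny   any   any           any          any
"""
INVENTORY = [
    Asset("web-01", ipaddress.ip_address("10.0.2.15"), frozenset({443})),
    Asset("db-01", ipaddress.ip_address("10.0.3.10"), frozenset({5432})),
    Asset("bastion", ipaddress.ip_address("10.0.9.5"), frozenset({22})),
]

if __name__ == "__main__":
    for category, findings in review(RULESET, INVENTORY).items():
        print(f"{category}: {findings}")
```

On the constructed data the script reports `legacy-app` as pointing at a host that is no longer in the register, `web-ssh` as opening port 22 on a host registered only for 443, `db-from-web` as dead because `db-wide` already covers it, and `mgmt-any` as broad on every axis. It also flags `web-in` for its unrestricted source; that is the intended behaviour of a review aid, since an Internet-facing web server is a legitimate reason for such a rule and the reviewer records that justification rather than deleting the rule. The value of the output depends entirely on the asset register being accurate, which is why the policy above ties the review to asset management.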
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.