II.1 Firmware and patches
a. Ensure the firewall firmware is up to date
b. Ensure OS security patches are applied
c. Ensure the firewall (physical device) is stored in a secure place with access control
II.2 SNMP version and Community string
d. Use SNMPv3
e. Set up a strong community string
II.3 Identity and authentication
f. Do not use default usernames and passwords; change them
g. Firewall administrative access must be authenticated with RADIUS or TACACS
h. External access must be done using a secure VPN (the VPN user list must be reviewed regularly)
II.4 HA & BCP/DR testing
i. Secondary firewall for HA
j. BCP/DR testing is performed regularly according to a documented test plan; tests must be documented, reported and validated
II.5 Configuration backup, logs, alerts & NTP server
k. Firewall configuration files and the rule base are backed up for future restoration purposes
l. Ensure logs are collected at a centralized server and alerts are configured to report system and security related events or incidents
m. Privileged users' activities are logged and reviewed regularly
n. Make sure an NTP server is configured, preferably an internal server such as the AD server
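Items l and m call for centralized logs, alerting on security-relevant events, and regular review of privileged activity. The script below is an added example (not part of this checklist or any vendor's tooling) of the review logic an auditor could run over a centrally collected firewall audit log. The log lines, the "key=value" layout, the host name fw01, the user names and the 08:00-18:00 UTC change window are all constructed assumptions; it reports every configuration change and commit by privileged users, flags changes made outside the approved window or by accounts not on the known-admin list, and raises an alert when an account accumulates repeated login failures.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Optional

# Constructed sample records in a generic "key=value" syslog-like layout; this is
# not any vendor's real log format and the hosts, users and addresses are invented.
SAMPLE_LOG = """\
2024-03-01T02:14:05Z fw01 audit: user=admin src=10.0.5.20 action=config-change object=rule:14 result=success
2024-03-01T02:15:11Z fw01 audit: user=admin src=10.0.5.20 action=commit object=rulebase result=success
2024-03-01T09:02:44Z fw01 audit: user=jdoe src=10.0.5.31 action=login result=failure
2024-03-01T09:02:51Z fw01 audit: user=jdoe src=10.0.5.31 action=login result=failure
2024-03-01T09:03:02Z fw01 audit: user=jdoe src=10.0.5.31 action=login result=failure
2024-03-01T10:30:00Z fw01 audit: user=netops1 src=10.0.5.40 action=config-change object=rule:22 result=success
2024-03-01T10:31:10Z fw01 audit: user=netops1 src=10.0.5.40 action=commit object=rulebase result=success
2024-03-01T11:00:00Z fw01 audit: user=jdoe src=10.0.5.31 action=login result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) audit: (?P<fields>.*)$")
PRIVILEGED_ACTIONS = {"config-change", "commit"}   # actions that count as privileged activity
CHANGE_WINDOW = (8, 18)        # assumption: approved change window is 08:00-18:00 UTC
FAILED_LOGIN_THRESHOLD = 3     # assumption: alert on the third consecutive failure


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one audit line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host")}
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def review(log_text: str, known_admins) -> Dict[str, list]:
    """Produce the review report an auditor would look at for items l and m."""
    report = {
        "privileged_activity": [],     # every config change / commit, for regular review
        "out_of_window_changes": [],   # changes outside the approved change window
        "unknown_admins": [],          # privileged actions by accounts not on the admin list
        "failed_login_bursts": [],     # security events worth an alert
    }
    failures = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev.get("user", "?")
        if ev.get("action") in PRIVILEGED_ACTIONS:
            obj = ev.get("object", "")
            report["privileged_activity"].append((ev["ts"], user, ev["action"], obj))
            hour = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
            if not (CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]):
                report["out_of_window_changes"].append((ev["ts"], user, obj))
            if user not in known_admins:
                report["unknown_admins"].append(user)
        if ev.get("action") == "login":
            if ev.get("result") == "failure":
                failures[user] += 1
                if failures[user] == FAILED_LOGIN_THRESHOLD:
                    report["failed_login_bursts"].append((ev["ts"], user, ev.get("src", "")))
            else:
                failures[user] = 0   # a successful login resets the failure counter
    return report


if __name__ == "__main__":
    for section, rows in review(SAMPLE_LOG, {"admin", "netops1"}).items():
        print(section)
        for row in rows:
            print("   ", row)
```

In practice the "known admins" set would come from the RADIUS/TACACS group used in item g, and the report would be produced on the same schedule as the review required by item m.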
II.6 ANY (the most dangerous)
o. Make sure ANY is not used in source, destination, service or ports
II.7 Access to vulnerable ports
p. Make sure there are no rules granting access from the DMZ to the internal network
q. No rules providing direct or incoming communication from the internet to the internal network
r. Make sure access to vulnerable ports such as FTP and finger is not configured for any usage
II.8 Access to a large subnet
s. No rules granting access to a large subnet: this provides unnecessary access to IPs and endpoints
t. Always end the rule base with a DENY ALL rule
II.9 Redundant, shadow, unused, inactive rules
u. Check for duplicate rules
v. Unused rules: not used or not performing any activity
w. Inactive rules: not active or disabled
x. Shadow rules:
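Sections II.6 through II.9 are all checks against the rule base itself, so one rule-base auditor serves them together. The script below is an added example (not part of this checklist, and not any firewall vendor's export format or audit tool) that runs the checks over a small constructed rule list: ANY in source, destination or service on an allow rule (II.6); DMZ to internal, internet to internal, and FTP/finger opened (II.7); subnets wider than an assumed /16 threshold and a missing final DENY ALL (II.8); and duplicate, disabled and shadowed rules (II.9), where a rule is treated as shadowed when an earlier active rule already matches everything it would match. The zone ranges (10.0.0.0/8 as internal, 192.0.2.0/24 as DMZ), the /16 threshold and the sample rules are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed zone map: assumed ranges for this example, not taken from any real network.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
# Ports the checklist names as vulnerable (FTP, finger); extend per local policy.
VULNERABLE_PORTS = {"tcp/21": "FTP", "tcp/79": "finger"}
# Assumption: a prefix of /16 or shorter counts as a "large subnet" (II.8).
LARGE_PREFIX = 16


@dataclass(frozen=True)
class Rule:
    rid: int
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    service: str   # "tcp/22", "udp/161", ... or "any"
    action: str    # "allow" or "deny"
    enabled: bool = True


def to_net(addr: str) -> ipaddress.IPv4Network:
    """Map "any" to 0.0.0.0/0 so every address field compares as a network."""
    return ipaddress.ip_network("0.0.0.0/0" if addr == "any" else addr, strict=False)


def zone_of(addr: str) -> str:
    net = to_net(addr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"   # anything outside a known zone (including "any") is untrusted


def covers(a: Rule, b: Rule) -> bool:
    """True if rule a matches every packet that rule b matches."""
    return (to_net(b.src).subnet_of(to_net(a.src))
            and to_net(b.dst).subnet_of(to_net(a.dst))
            and (a.service == "any" or a.service == b.service))


def audit(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (rule id, finding code, explanation) for every checklist violation found."""
    findings = []
    for i, r in enumerate(rules):
        if not r.enabled:
            findings.append((r.rid, "INACTIVE", "rule is disabled; remove it or justify keeping it"))
            continue
        if r.action == "allow":
            anys = [f for f in ("src", "dst", "service") if getattr(r, f) == "any"]
            if anys:
                findings.append((r.rid, "ANY", "allow rule uses ANY in " + ", ".join(anys)))
            sz, dz = zone_of(r.src), zone_of(r.dst)
            if sz == "dmz" and dz == "internal":
                findings.append((r.rid, "DMZ_TO_INTERNAL", "allows the DMZ to reach the internal network"))
            if sz == "internet" and dz == "internal":
                findings.append((r.rid, "INTERNET_TO_INTERNAL", "allows inbound internet traffic to the internal network"))
            if r.service in VULNERABLE_PORTS:
                findings.append((r.rid, "VULN_PORT", f"opens {VULNERABLE_PORTS[r.service]} ({r.service})"))
            for f in ("src", "dst"):
                v = getattr(r, f)
                if v != "any" and to_net(v).prefixlen <= LARGE_PREFIX:
                    findings.append((r.rid, "LARGE_SUBNET", f"{f} {v} is /{LARGE_PREFIX} or wider"))
        # Compare against earlier active rules: same match and action is a duplicate,
        # an earlier rule that covers this one entirely makes it a shadow rule.
        for earlier in rules[:i]:
            if not earlier.enabled:
                continue
            if covers(earlier, r) and covers(r, earlier) and earlier.action == r.action:
                findings.append((r.rid, "DUPLICATE", f"duplicates rule {earlier.rid}"))
                break
            if covers(earlier, r):
                findings.append((r.rid, "SHADOWED", f"never matches: rule {earlier.rid} matches first"))
                break
    active = [r for r in rules if r.enabled]
    last = active[-1] if active else None
    if not (last and last.action == "deny" and last.src == last.dst == last.service == "any"):
        findings.append((0, "NO_DENY_ALL", "rule base does not end with an explicit DENY ALL"))
    return findings


# Constructed sample rule base, written so that each check above fires at least once.
SAMPLE_RULES = [
    Rule(1, "10.1.0.0/16", "10.2.0.0/24", "tcp/443", "allow"),                 # wide source
    Rule(2, "192.0.2.10/32", "10.2.0.5/32", "tcp/21", "allow"),                # DMZ -> internal, FTP
    Rule(3, "any", "10.2.0.5/32", "tcp/22", "allow"),                          # ANY source
    Rule(4, "10.1.5.0/24", "10.2.0.0/24", "tcp/443", "allow"),                 # shadowed by rule 1
    Rule(5, "192.0.2.10/32", "10.2.0.5/32", "tcp/21", "allow"),                # duplicate of rule 2
    Rule(6, "10.3.0.0/24", "192.0.2.0/24", "tcp/80", "allow", enabled=False),  # inactive
    Rule(7, "any", "any", "any", "deny"),                                      # explicit DENY ALL
]

if __name__ == "__main__":
    for rid, code, msg in audit(SAMPLE_RULES):
        print(f"rule {rid:>2}  {code:<21} {msg}")
```

Item v (unused rules) is not covered here because it needs hit counters from the running device rather than the rule definitions alone; joining the exported rule base with per-rule hit counts is the natural extension of this script.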
II.10 Change management
y. Make sure any changes to the firewall configuration or rule base are made following the proper change management policy/procedure
z. Make sure all changes are approved and tracked in a change management tool