
Voxai Solutions

Firewall Rule-Set Review Report

Version 1.1
February 28, 2023
Statement of Confidentiality
This Confidential Information is being provided to Voxai Solutions, as a delivery of this consulting engagement. The sole
purpose of this document is to provide you with the results of, and recommendations derived from this consulting
engagement. Each recipient agrees that, prior to reading this document, it shall not distribute or use the information
contained herein and any other information regarding ControlCase for any purpose other than those stated.

Firewall Rule-Set Review Report Confidential 3


Table of Contents
1 Executive Summary (page 4)
2 Statement on Compliance (page 5)
3 Project Team (page 6)
3.1 Project Timeline (page 6)
4 Summary of Observations and Recommendations (page 7)
5 Approach (page 9)
6 Detailed Observations and Recommendations (page 10)
6.1 Assessor Note (page 11)



1 Executive Summary
Voxai Solutions engaged ControlCase to conduct a rule-set review of the firewalls located at Voxai Solutions. The purpose of the engagement was to conduct a comprehensive
analysis and review of the access control lists configured to restrict traffic between different network zones. This analysis is essential to determine the adequacy and
effectiveness of the controls that are in place for the organization. The review was conducted from November 23, 2022 to February 28, 2023 and included a review
of the rule-sets provided by Voxai Solutions for the following devices:

Device Name
• Meraki Firewall
• DO Firewall

During the first round of the firewall rule-set review, the ControlCase assessor observed compliance-affecting rules, which we reported to Voxai Solutions in:

• Voxai_Summary_Sheet_Firewall_Review_H1_v1.0.xlsx

During the second round, the client's business justifications were reviewed, and we can accept the business justification provided by the client, as recorded in:

• Voxai_Summary_Sheet_Firewall_Review_H1_v1.0-23rdFEB2023.xlsx



2 Statement on Compliance
ControlCase has determined that the Voxai Solutions firewalls identified above are Compliant with the ControlCase validation requirements described in Section 5.



3 Project Team
The engagement involved contributions from the following team members:

ControlCase Team
• Ganesh Gaikwad
• Harshvardhan Shukla

Voxai Solutions
• Akhil Saya

3.1 Project Timeline


The following table outlines key milestones during the penetration test:

Penetration Timeline (Date: Milestone)
• November 23, 2022: Start of Project
• February 08, 2023: First report released
• February 28, 2023: Final Deliverable



4 Summary of Observations and Recommendations
The table below summarizes the analysis, findings and recommendations for the firewall rule-set review carried out by ControlCase. These findings are based on the
configuration and network diagram provided to us. The findings below have been documented on the basis of the zones defined in the network diagram and the interface
information in the configuration file, and have then been assessed against the applicable PCI DSS Requirement 1 controls.

Requirement 1.2.1.a: Verify that inbound and outbound traffic is limited to that which is necessary for the Cardholder Data Environment, and that the restrictions are documented.
Observation: The assessor observed that inbound and outbound traffic was allowed through unsecured ports. The Voxai Solutions team modified some rules and provided relevant evidence. The ControlCase assessor reviewed the evidence and concluded that the configured rules are as per PCI DSS requirements. Please refer to Section 6.1 for more information.
Status: Compliant

Requirement 1.2.1.b: Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.
Observation: The assessor observed that a drop-all rule has been implemented to deny all inbound and outbound traffic not specifically needed, which will prevent inadvertent holes that would allow other, unintended and potentially harmful traffic in or out.
Status: Compliant

Requirement 1.3.1: Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Observation: The assessor observed that a DMZ is implemented to prevent malicious individuals from accessing the organization’s network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner.
Status: Compliant

Requirement 1.3.2: Verify that inbound Internet traffic is limited to IP addresses within the DMZ.
Observation: The assessor observed that inbound Internet traffic was limited to IP addresses within the DMZ as per the PCI requirement. The ControlCase assessor reviewed the evidence and concluded that the configured rules are as per PCI DSS requirements.
Status: Compliant

Requirement 1.3.3: Verify direct connections inbound or outbound are not allowed for traffic between the Internet and the Cardholder Data Environment.
Observation: The assessor observed that direct inbound or outbound connections are not allowed for traffic between the Internet and the Cardholder Data Environment. The ControlCase assessor reviewed the evidence and concluded that the configured rules are as per PCI DSS requirements.
Status: Compliant

Requirement 1.3.5: Verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
Observation: The assessor observed that there was direct outbound connectivity from the internal network to the Internet. The ControlCase assessor reviewed the evidence and concluded that the configured rules are as per PCI DSS requirements.
Status: Compliant

Potentially Dangerous Services
Observation: The assessor observed that access was allowed for clear-text protocols and potentially dangerous services as well. The Voxai Solutions team either removed/disabled the rules or provided business justifications for the access allowed to clear-text protocols, but there are still a few rules where potentially dangerous services are allowed (refer to finding no. 1).
Status: Not Applicable

The methods used to collect information included interviews with the Voxai Solutions team, a manual review of the firewall rule-sets, and a review of the justification document, in order to
understand the business requirements behind the firewall policies.



5 Approach
The firewall rule-set review is based on different industry standard requirements such as PCI DSS and ISO/IEC 27001. The following key factors were considered while doing the
firewall rule-set review:
• Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
• Looking for duplicate rules
• Reviewing administrative access to the firewall
• Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN)
• Restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ
• Not allowing internal addresses to pass from the Internet into the DMZ
• Placing the database in an internal network zone, segregated from the DMZ
• Restricting inbound and outbound traffic to that which is necessary
• Denying all other inbound and outbound traffic not specifically allowed
• Implementing a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic
• Restricting outbound traffic from internal applications to IP addresses within the DMZ
• Implementing IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT)
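The review criteria listed above and the Requirement 1 checks summarized in Section 4 can be applied mechanically to a rule list. The following is an added example, not part of the ControlCase report or of Voxai's configuration: a small linter over a constructed, hypothetical rule-set that flags duplicate rules, Internet-to-non-DMZ allows (1.3.2/1.3.3), unjustified CDE-to-Internet allows (1.3.5), unjustified clear-text or potentially dangerous services (1.2.1.a), and a missing final deny-all (1.2.1.b). The rule tuple format, zone names and the service list are assumptions for illustration.

```python
# Added example (not from the report): lint a constructed firewall rule list
# against the review criteria described in Sections 4 and 5.
from collections import Counter

# Assumed list of clear-text / potentially dangerous services that the review
# expects a documented business justification for (anything besides
# HTTP, SSL/TLS, SSH and VPN per the approach list).
CLEAR_TEXT_OR_DANGEROUS = {21: "ftp", 23: "telnet", 69: "tftp", 161: "snmp", 445: "smb"}

DENY_ALL = ("deny", "any", "any", "any", "any")

# Each rule: (action, src_zone, dst_zone, proto, dst_port, justification).
# Constructed sample rule-set; it is NOT Voxai's actual configuration.
SAMPLE_RULES = [
    ("allow", "internet", "dmz", "tcp", 443, "public web tier"),
    ("allow", "internet", "cde", "tcp", 3389, ""),                  # Internet straight into the CDE
    ("allow", "internal", "dmz", "tcp", 23, ""),                    # telnet, no justification
    ("allow", "internal", "dmz", "tcp", 21, "legacy batch upload, approved"),
    ("allow", "internet", "dmz", "tcp", 443, "public web tier"),    # exact duplicate of rule 1
    ("allow", "cde", "internet", "tcp", 443, "payment gateway"),    # explicitly authorized
]


def review(rules):
    """Return a list of (requirement, message) findings in a deterministic order."""
    findings = []
    # Duplicate rules (Section 5: "looking for duplicate rules"); justification text is ignored.
    for key, n in Counter(r[:5] for r in rules).items():
        if n > 1:
            findings.append(("duplicate", f"{key} appears {n} times"))
    for action, src, dst, proto, port, why in rules:
        if action != "allow":
            continue
        if src == "internet" and dst != "dmz":
            findings.append(("1.3.2/1.3.3", f"Internet -> {dst} allowed on {proto}/{port}"))
        if src == "cde" and dst == "internet" and not why:
            findings.append(("1.3.5", f"CDE -> Internet on {proto}/{port} not explicitly authorized"))
        if port in CLEAR_TEXT_OR_DANGEROUS and not why:
            findings.append(("1.2.1.a", f"{CLEAR_TEXT_OR_DANGEROUS[port]} ({proto}/{port}) "
                                        f"{src} -> {dst} allowed without justification"))
    # 1.2.1.b: the rule-set must end with an explicit deny-all.
    if not rules or rules[-1][:5] != DENY_ALL:
        findings.append(("1.2.1.b", "rule-set does not end with an explicit deny-all"))
    return findings


if __name__ == "__main__":
    for req, msg in review(SAMPLE_RULES):
        print(f"[{req}] {msg}")
```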



6 Detailed Observations and Recommendations
During the first round of review, the ControlCase assessor observed compliance-affecting rules, which were reported to the client for mitigation in the following files:
• Voxai_Summary_Sheet_Firewall_Review_H1_v1.0.xlsx
• Voxai_Summary_Sheet_Firewall_Review_H1_v1.0-23rdFEB2023.xlsx



6.1 Assessor Note
The ControlCase assessor observed the compliance-affecting rules in the following files and documents, which were used for the firewall review:

• DO+Firewall+ACL's.xlsx
• Meraki+Firewall+Rule+Set.docx
