Common firewall features and security assessment approaches
Even the most advanced NGFWs rely on some fundamental configurations to control network traffic flow. As an IT auditor, you should always try to have an in-depth understanding of these core features, which are necessary to ensure robust security and alignment with an organization’s needs. In this section, we will explore three essential firewall features – Access Control Lists (ACLs), Network Address Translation (NAT), and security zones. We will discuss the purpose of each feature, common auditing considerations, and potential security risks.
To better understand how these common firewall features and security assessment approaches apply in a real-world context, we will introduce a fictional healthcare organization, Healthy Bones Health Services, and examine how these concepts relate to their network infrastructure. By using this example, we can make the technical concepts more tangible and demonstrate how auditors can assess the effectiveness of firewall configurations to protect sensitive data and resources.
Example – introducing Healthy Bones Health Services
Let’s introduce a fictional healthcare organization, Healthy Bones Health Services, to make these concepts a little more tangible. Their network handles sensitive patient information, internal systems, and internet-facing resources, such as web servers and, potentially, a patient portal. Like any modern organization, its network relies on a carefully structured firewall configuration for protection from cyber threats.
To better understand how these common firewall features and security assessment approaches apply in a real-world environment, let’s explore their relevance to Healthy Bones Health Services’ network infrastructure.
Access Control Lists (ACLs)
ACLs act as the “traffic cop” at the heart of a firewall. ACLs are sets of rules that dictate whether specific network traffic is permitted or denied, based on criteria such as source and destination IP addresses, protocols, and ports.
As an auditor, when reviewing ACLs, you look for “red flags” or specific items that indicate whether further analysis is required. You might encounter one of the following when examining the ACLs for Healthy Bones’ systems:
- Overly permissive rules: A rule in Healthy Bones’ firewall might allow unrestricted access from a broad range of external IP addresses to their critical internal zone. This poses a high-risk vulnerability and must be investigated, checked, and verified against company policy.
- Stale rules: Rules no longer required due to decommissioned servers, past projects, or temporary workarounds leave doors open for attackers. Auditors must scrutinize ACLs to ensure that rules are still needed and that each rule is accurate according to the current network setup.
- Missing documentation: Clear justifications for why certain ACL rules exist are vital for auditors and network admins during any later troubleshooting. All ACL rules should have a clear paper trail to confirm that an organization’s leadership is aware of the rules.
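The three red flags above can be turned into a repeatable check over a rule export. The following is an added example written for this chapter, not code from the book or from any firewall vendor; the rule records are constructed to look like a simplified ACL export, and the field names, the 90-day staleness threshold and the reference date `TODAY` are assumptions.

```python
"""ACL red-flag checks (added example; not code from the book or any vendor).

The rule records below are constructed to look like a simplified ACL export.
Field names (name, src_zone, src, dst_zone, dst, service, action, last_hit,
description), the 90-day staleness threshold and TODAY are assumptions.
"""
from datetime import date, timedelta

PROTECTED_ZONES = {"internal"}      # zones holding sensitive data
STALE_AFTER = timedelta(days=90)    # allow rules unmatched this long need a review
TODAY = date(2024, 7, 15)           # assumed audit date

# Constructed sample rules, loosely modelled on the Healthy Bones scenario.
RULES = [
    {"name": "Allow_Web", "src_zone": "internal", "src": "10.0.0.0/8",
     "dst_zone": "external", "dst": "any", "service": "tcp/443",
     "action": "allow", "last_hit": "2024-07-14",
     "description": "User web browsing; change ticket CR-1021 (placeholder)"},
    {"name": "Vendor_Access", "src_zone": "external", "src": "any",
     "dst_zone": "internal", "dst": "any", "service": "any",
     "action": "allow", "last_hit": "2024-07-15", "description": ""},
    {"name": "Old_Proj_DB", "src_zone": "dmz", "src": "192.0.2.10/32",
     "dst_zone": "internal", "dst": "10.1.5.20/32", "service": "tcp/1433",
     "action": "allow", "last_hit": "2023-11-02",
     "description": "Temporary access for project Alpha"},
    {"name": "Deny_All", "src_zone": "any", "src": "any",
     "dst_zone": "any", "dst": "any", "service": "any",
     "action": "deny", "last_hit": "2024-07-15",
     "description": "Default cleanup rule"},
]


def is_overly_permissive(rule):
    """An allow rule from an unrestricted source into a protected zone
    that also leaves the destination or the service wide open."""
    return (rule["action"] == "allow"
            and rule["dst_zone"] in PROTECTED_ZONES
            and rule["src"] == "any"
            and (rule["dst"] == "any" or rule["service"] == "any"))


def is_stale(rule, today):
    """An allow rule that has not matched any traffic within STALE_AFTER."""
    last_hit = date.fromisoformat(rule["last_hit"])
    return rule["action"] == "allow" and today - last_hit > STALE_AFTER


def audit_rules(rules, today):
    """Return (rule name, red flag) pairs in rule order for the auditor's worklist."""
    findings = []
    for rule in rules:
        if is_overly_permissive(rule):
            findings.append((rule["name"], "overly permissive"))
        if is_stale(rule, today):
            findings.append((rule["name"], "stale"))
        if not rule["description"].strip():
            findings.append((rule["name"], "missing documentation"))
    return findings


if __name__ == "__main__":
    for name, flag in audit_rules(RULES, TODAY):
        print(f"{name}: {flag}")
```

Each finding is a prompt for a question to the network team, not a conclusion: Vendor_Access may be justified by a contract the auditor has not seen yet, and Old_Proj_DB may simply serve a quarterly job. The point of the script is to make the worklist complete and reproducible across audits.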
NAT
As a quick refresher, NAT allows internal (private) IP addresses within a network such as Healthy Bones’ to “share” external (public) addresses for communication with the outside world. NAT also provides a means of address management, helping an internal network such as Healthy Bones’ to function with a limited pool of public IP addresses.
An important auditing step about NAT is the careful examination of existing translations. Specifically, an auditor would look for scenarios where internal services are unnecessarily exposed to the outside world without a solid business justification, representing a potential attack entry point. Some of the scenarios are as follows:
- Unnecessary exposure: Does Healthy Bones have NAT translations exposing internal services without a solid business case? This weakens its security posture.
- Masking issues: Can overly broad NAT hinder investigations by obscuring the original source IP addresses of traffic? Auditors might assess NAT’s impact on the ability to analyze network logs and trace malicious activity.
- Resource contention: If Healthy Bones relies heavily on dynamic NAT, are there enough external IP addresses for peak periods, or is their network connectivity likely to suffer?
Security zones
Security zones provide a logical segmentation of network interfaces into well-defined areas such as “internal,” “DMZ,” and “external.” These zones dictate permissible traffic flows within the firewall. To ensure network safety at Healthy Bones, an auditor focuses on several important aspects:
- Logically dividing the network: Firewalls group network interfaces into zones such as “internal,” “DMZ,” and “external,” helping to ensure proper security segmentation. Traffic rules specific to each zone pairing help define which network communication is allowed.
- A Healthy Bones audit focus: One major concern for an auditor is ensuring that resources and services handling sensitive data remain tightly restricted to well-protected internal zones. Here are some focus areas to consider when auditing security zones:
- Zone breakdown: Healthy Bones may have sensitive patient data and file shares in its internal zone. Do any of these systems fall into less protected zones, such as the DMZ, leading to increased risk?
- Least privilege policies: Do the rules that control traffic between Healthy Bones’ zones only allow what’s strictly necessary? Unrestricted traffic among zones undermines the entire purpose of segmentation.
- Tracking changes: Auditors must check that zone definition and policy changes are well-documented and subject to a rigorous review process.
In the upcoming sections, we’ll see how these common principles translate into vendor-specific implementations, such as Palo Alto PAN-OS.
Example – Palo Alto PAN-OS – its capabilities and auditing techniques
Palo Alto Networks has carved out a leading position in the NGFW market. PAN-OS is at the heart of its firewalls, a uniquely capable and sophisticated system that empowers network administrators to craft fine-grained security policies. For IT auditors, mastering this platform translates to the ability to thoroughly assess Palo Alto firewalls, proactively uncovering configuration flaws and vulnerabilities that jeopardize organizational security.
Let’s look at some specific benefits and characteristics of PAN-OS that make auditing it valuable:
- Market dominance: Palo Alto enjoys widespread adoption across industries. Learning to audit PAN-OS gives you skills directly applicable to a large number of real-world security setups.
- Granular control: PAN-OS goes beyond traditional firewalls by integrating elements such as application awareness, user identification, and content-based filtering. This translates to greater potential for complex rule design, requiring specialized auditing to catch misconfigurations.
- Flexibility can be a challenge: PAN-OS’s power comes with potential complexity. Extensive options and customizable configurations mean more room for human error and less standardization, emphasizing the need for thorough audits.
In this section, we will explore the capabilities and auditing techniques specific to Palo Alto Networks’ PAN-OS, the operating system powering their NGFWs. We will also explore the PAN-OS interface and some of the common tabs you might encounter during an audit. Throughout this section, we will discuss the benefits and challenges of PAN-OS, providing practical auditing techniques and best practices to help you effectively assess the security posture of organizations using Palo Alto firewalls.
Navigating the PAN-OS interface
When logging into the PAN-OS web interface, you will encounter the main dashboard and a series of tabs across the top of the page. This initial screen provides a summarized view of crucial security and system health indicators. The options are typically Dashboard, Application Command Center (ACC), Monitor, Policies, and a few others. Let’s take a look at some of the high-level items that would be relevant during an audit to get an idea of how to approach these reviews.
The dashboard highlights sections dealing with current threats, the system’s health, and recent alerts. It is important to thoroughly examine these areas to understand the system’s overall status. Areas of particular importance for auditors include active infections blocked, known vulnerabilities discovered on internal systems, and high-risk traffic patterns. Even this at-a-glance view often flags specific items or trends that warrant immediate analysis within other areas of the interface.
Let’s take a look at some of the areas you might encounter in the main dashboard:
- General Information: The General Information section is the auditor’s starting point for identifying a device and understanding its configuration, which is a basic requirement for all further auditing activities:
- Device Name: This section outlines the firewall’s identity and operational parameters. It includes details like the device name, management IP, and software version. An auditor must confirm that a device is identifiable and running the latest software to mitigate the risk of known vulnerabilities.
- Interfaces Overview: The Interfaces Overview gives a snapshot of network connectivity and the status of the firewall’s various entry and exit points:
- Network interfaces: This is a series of icons that represent the firewall’s interfaces, with color coding indicating their status – green for active interfaces and red for inactive. Auditors must validate that each interface is configured correctly, adhering to the security policies prescribed by the organization.
- Active Admin sessions: Least privilege is an important security point to consider when reviewing firewall configurations. The Active Admin widget will tell you which admins are logged in and what they are working on.
- Admin monitoring: Here, the Logged In Admins widget lists all administrators currently logged into the system. It includes their usernames, source IPs, and session durations. This log assists auditors in verifying that only authorized personnel access the firewall and appropriate session timeout policies are enforced.
- Threat intelligence monitoring: Auditors rely on threat intelligence data to evaluate the firewall’s threat detection and response capabilities.
- Threat Logs: The Threat Logs section displays real-time threat detections. Entries are classified by name, severity, and timestamp. For instance, a critical entry such as Bot: Mariposa Command and Control indicates a detected network control channel for a known botnet, which would require immediate action. Auditors leverage this data to assess the firewall’s real-time threat detection and response efficacy.
For the latest dashboard widgets and recommended setups, visit the main PAN-OS site by Palo Alto: https://docs.paloaltonetworks.com/pan-os. Recent widgets are typically listed in the first Spotlight section. You can locate the recommended configuration settings in the Documentation section. To effectively audit using the PAN-OS dashboard, focus on key areas that provide valuable insights into network activity and security:
- ACC: When an auditor examines the ACC tab on the PAN-OS dashboard, it’s to get a sense of what is happening on the network and the implications of those activities on the organization’s security policies.
Here are a few items you would review on the ACC dashboard:
- Application usage breakdown: The Application Usage metrics provide a granular view of network traffic, segmented by application, which is important for assessing compliance and detecting potential risks.
- Risk assessment: Applications are rated with a risk level to help prioritize auditing efforts. A high-risk rating, such as that assigned to P2P, may require closer inspection to see whether someone is on the network using a P2P application.
- Traffic analysis: Auditors scrutinize the volume of data traffic per application to identify which applications dominate bandwidth and to detect any anomalies.
- Session count: The number of sessions associated with each application can reveal irregular usage patterns, potentially flagging unauthorized access or activities.
- User activity visualization: The user activity view shows trends in user activity across the network. Auditors must understand typical patterns and identify outliers that could indicate security policy violations or cyber threats.
- Traffic trends: By analyzing the trends of bytes sent and received over time, auditors can pinpoint unusual spikes or patterns in traffic that warrant further investigation.
- User identification: The ability to link network activity to specific users is a powerful tool in an auditor’s arsenal, helping you track individual actions and enforce accountability.
- Source and destination IP activity: Source and destination IP visualizations are usually seen as line charts. Activity insights based on source and destination IPs provide auditors with data points to map network interactions and highlight potential areas of concern.
- IP address tracking: Auditors pay close attention to the most frequently used IP addresses to uncover any irregular communication patterns that might suggest a security breach or non-compliance. You can also view these data points by URL to pinpoint specific websites.
- The Policies tab: The Policies tab in PAN-OS serves as the command center where network traffic rules are defined and enforced.
The Policy section is an auditor’s blueprint for understanding how traffic is managed across a network, outlining the rules that govern what is allowed, denied, or logged. Here, you want to ensure you are fully briefed on an organization’s security policies to prevent flagging things considered normal.
The policies are typically listed by name, with accompanying tags indicating their function or categorization, such as Deny_Malicious or Allow_DNS. Each rule specifies the type of traffic it controls, the source and destination zones, addresses, users, and even the applications and services it pertains to, along with the action to be taken, such as “allow” or “deny.”
Dissecting policy details for compliance
For an auditor, compliance details are needed to verify whether security policies align with an organization’s stated security posture and compliance requirements:
- Rules such as Block_Social Media signify an organization’s intent to restrict certain types of traffic, including social media platforms such as Facebook and LinkedIn
- The presence of tags such as Gartner or SCADA could indicate compliance with specific regulatory guidelines or industry standards, reflecting the targeted nature of a policy
Action and enforcement verification
The action column within the policy table is of particular interest to auditors, as it reveals how a firewall is instructed to respond to matched traffic – crucial for assessing policy enforcement:
- Actions such as deny are straightforward, indicating that a firewall will block any traffic that matches the policy criteria, such as traffic from known malicious hosts
- Observing the allow action, especially in policies concerning sensitive areas such as SCADA systems, prompts auditors to further investigate to ensure that these permissions are justified and secure
Policy optimization and rule usage
An efficient policy set is free from redundancy and obsolete rules, so auditors also focus on the Policy Optimizer feature to evaluate rule effectiveness and relevance.
The Optimizer can flag unused rules, such as those not triggered within a set period, indicating a need for policy cleanup to prevent unnecessary complexity and potential security loopholes.
When reviewing firewall rules, auditors should check for the following issues:
- Redundant rules: These are duplicate rules that perform the same function. Removing these can simplify a policy and improve performance.
- Obsolete rules: These are rules that are no longer needed due to changes in network architecture or business requirements. Identifying and removing these rules helps to streamline a firewall policy.
- Shadow rules: These are rules that are never triggered because a previous rule already matches all traffic that the shadow rule would match. Identifying shadow rules is important to ensure that all rules in a policy are necessary and effective.
- Overlapping rules: These rules cover the same traffic but with different actions. Auditors need to identify and resolve these overlaps to avoid conflicts and ensure that the correct actions are applied to network traffic.
- Inefficient ordering: The order of rules can impact firewall performance. Rules should be ordered from the most specific to the most general, optimizing processing efficiency and ensuring that a firewall performs as expected.
Auditors can check these common issues to ensure that firewall policies are optimized for security and performance.
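The five issues above can be detected mechanically once each rule is reduced to its match fields. The following is an added example, not code from the book or from Palo Alto’s Policy Optimizer: it models a vendor-neutral rule (zones, CIDR prefixes or “any”, one service string, an action and a hit counter) and compares each rule against every earlier one, mirroring first-match evaluation order. The rule names, addresses and hit counts are constructed.

```python
"""Rule-set hygiene checks (added example; not code from the book or Palo Alto).

Rules are a constructed, vendor-neutral simplification. A later rule is
compared against every earlier rule, mirroring first-match evaluation.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str
    src: str        # CIDR prefix or "any"
    dst: str
    service: str    # e.g. "tcp/443", or "any"
    action: str     # "allow" or "deny"
    hits: int       # hit counter from the rule-usage report


def _net(prefix):
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "any" else prefix)


def _token_within(inner, outer):
    """Zone/service fields: a value sits within 'any' or within an equal value."""
    return outer == "any" or inner == outer


def _token_overlaps(a, b):
    return a == "any" or b == "any" or a == b


def covers(outer, inner):
    """True when every packet matching 'inner' would also match 'outer'."""
    return (_token_within(inner.src_zone, outer.src_zone)
            and _token_within(inner.dst_zone, outer.dst_zone)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and _token_within(inner.service, outer.service))


def overlaps(a, b):
    """True when some packet could match both rules."""
    return (_token_overlaps(a.src_zone, b.src_zone)
            and _token_overlaps(a.dst_zone, b.dst_zone)
            and _net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and _token_overlaps(a.service, b.service))


def analyze(rules):
    """Return (rule, issue, related rule) findings in rule-base order."""
    findings = []
    for i, rule in enumerate(rules):
        covered_by = None
        for earlier in rules[:i]:
            if covers(earlier, rule):
                # An earlier rule already matches everything this rule would:
                # same action means a duplicate, a different action means it is shadowed.
                issue = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, issue, earlier.name))
                covered_by = earlier
                break
            if (earlier.action != rule.action and overlaps(earlier, rule)
                    and not covers(rule, earlier)):
                # Partial overlap with conflicting actions: the outcome depends on
                # packet details, so the intended precedence must be confirmed.
                # (A later rule that fully covers an earlier, more specific one is
                # ordinary specific-before-general ordering and is not flagged.)
                findings.append((rule.name, "overlapping", earlier.name))
        if covered_by is None and rule.hits == 0:
            findings.append((rule.name, "unused", None))
    return findings


# Constructed sample rule base in evaluation order.
RULES = [
    Rule("Allow_DNS", "internal", "external", "10.0.0.0/8", "any", "udp/53", "allow", 5100),
    Rule("Allow_Web", "internal", "external", "10.0.0.0/8", "any", "tcp/443", "allow", 88000),
    Rule("Allow_Web_Finance", "internal", "external", "10.5.0.0/16", "any", "tcp/443", "allow", 0),
    Rule("Block_Guest", "guest", "internal", "any", "any", "any", "deny", 120),
    Rule("Guest_Printers", "guest", "internal", "10.9.0.0/24", "10.1.7.0/24", "tcp/9100", "allow", 0),
    Rule("Allow_DMZ_DB", "dmz", "internal", "192.0.2.0/24", "10.1.5.20/32", "tcp/1433", "allow", 300),
    Rule("Deny_DMZ_Legacy", "dmz", "internal", "192.0.2.0/25", "10.1.5.0/24", "tcp/1433", "deny", 10),
    Rule("Temp_Vendor_FTP", "external", "dmz", "198.51.100.7/32", "192.0.2.50/32", "tcp/21", "allow", 0),
    Rule("Cleanup_Deny", "any", "any", "any", "any", "any", "deny", 42000),
]

if __name__ == "__main__":
    for name, issue, other in analyze(RULES):
        print(f"{name}: {issue}" + (f" (see {other})" if other else ""))
```

A shadowed rule with zero hits is reported once, as shadowed rather than unused, because the hit count is a symptom of the ordering problem rather than a separate finding. The overlap check deliberately ignores a later rule that fully covers an earlier, more specific one (such as the final cleanup deny), since that is the specific-before-general ordering the text recommends.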
The Monitoring tab
An important part of an auditor’s role involves examining logs to identify normal and potentially malicious activity patterns. The Monitor tab in PAN-OS is a treasure trove of such information, presenting a detailed ledger of network events. You would view the Monitor tab in the PAN-OS dashboard to view specific details about potential security breaches or policy violations.
The logs section is an auditor’s detailed record, capturing every packet’s journey through a network and flagging activities that deviate from the norm. You will come to immediately seek out logs before reviewing anything else in an audit:
- Each entry in the logs provides comprehensive details such as the type of traffic (e.g., spyware and vulnerability), the threat ID/name if applicable, the source and destination zones, along with IP addresses, and the action taken by the firewall (e.g., allow, drop, and alert)
- Critical entries are marked with severity levels to draw immediate attention, with critical indicating events that may significantly impact the network’s integrity
Dissecting log entries for auditing
Analyzing these logs provides an auditor with a chronological sequence of events to scrutinize, allowing for a methodical approach to security analysis:
- Specific columns such as Type and Threat ID/Name help categorize the nature of a logged event, while Source and Destination details are pivotal in tracing an event’s path
- The action taken by the firewall, especially when it is set to drop or alert, can be indicative of a firewall’s rules at work, reflecting an organization’s security policies in action
Severity indicators and an auditor’s focus
Severity indicators within logs are vital signposts for auditors, marking the events that require immediate investigation or routine review.
- Entries flagged as critical often denote incidents that could pose serious security risks, such as unauthorized access attempts or detected malware
- Informational alerts might indicate permitted activities or minor events but can also provide context to critical events, helping to build a complete picture of a network’s security events
If you were to discover a “critical” log alert during an audit, you should alert the organization’s team immediately.
By examining the Monitor tab’s detailed logs, an auditor can ascertain a firewall’s performance in real-time defense and gather actionable insights to reinforce a network’s security framework. This meticulous process helps ensure that no significant threat goes unnoticed and that an organization’s cybersecurity posture is resilient against the evolving landscape of cyber threats.
Let’s take a look at an example to show how you might use log analysis during an audit.
In the process of auditing a network’s security measures, the Log Traffic table is a valuable resource. This table provides real-time data on network traffic interacting with established security policies. Network traffic data is critical for verifying that a network’s security protocols are operating correctly and identifying any deviations that may pose a risk.
Table 4.1 is an extracted view of a network traffic table, showcasing a simplified set of columns that are of utmost relevance to an auditor:
| Receive time | Source user | Application | Action | Rule | Severity | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| 07/15 10:30:05 | | Web browser | Allow | | Low | Regular activity |
| 07/15 10:30:21 | | SSH | Deny | | High | Attempted SSH to secure zone |
| 07/15 10:31:10 | | SMTP | Allow | | Low | Business email traffic |
| 07/15 10:32:07 | | HTTP | Allow | | Low | CDN resource access |
| 07/15 10:32:45 | | https-custom | Deny | | Critical | Unauthorized access attempt to sensitive data |

Table 4.1 – A network traffic log (sample)
Let’s take a look at each column from the perspective of an auditor. The Receive time and Source user columns are needed to establish the timeline of network events and identify which users are involved, which is essential for any subsequent investigation. The type of service is captured in the Application column, shedding light on the user’s activities and the nature of the network traffic. We can see that alice.smith did some web browsing and chris.doe sent some emails.
The real-time application of security policies is reflected in the Action column, which records whether traffic was permitted or blocked, and the Rule column shows which specific policy was enforced. This instant snapshot is important for auditors to determine whether the firewall’s policies are being correctly implemented.
The Severity rating in the log highlights the importance of the event. A high or critical rating requires immediate attention, suggesting a significant security event, while a low severity is typically associated with permitted, everyday activities. For example, a positive finding in the log would be routine web browsing traffic from a user such as alice.smith that is allowed by a rule labeled Allow_Web. A low severity level here reassures an auditor that this is a standard operation and that security policies support business activities without imposing unnecessary restrictions.
Conversely, a critical audit finding would be highlighted by a log entry showing denied https-custom traffic from evan.black, triggered by the Block_Public rule. The critical severity rating on this action points to a significant security event, indicating that the firewall is actively preventing potential threats. If you are auditing a system, such a finding would prompt you to investigate further, assessing the context of the denied access and the effectiveness of the current security settings in protecting sensitive network areas.
The Application Filter
A featured component in configuring security policies within PAN-OS is the Application Filter, which allows auditors to refine and enforce security rules based on applications’ characteristics. This tool plays a pivotal role in streamlining the process of policy rule creation and modification.
Refining policies with the Application Filter
The Application Filter interface is designed to help auditors efficiently identify and manage applications, categorizing them by various attributes to tailor security policies precisely:
- Within the filter, applications can be sorted and viewed by categories, subcategories, risk levels, and technological characteristics such as Evasive and Excessive Bandwidth, or compliance with standards such as HIPAA and FERPA
- Tags such as Email or Internal provide additional context, allowing you to group applications by vendor or usage, making it easier to apply rules to specific sets of applications
Application characteristics and compliance
Auditors can leverage the Application Filter to ensure that security policies are technically accurate and compliant with regulatory and corporate standards.
Characteristics and tags within the filter can be selected to include or exclude applications from rules, ensuring that only appropriate traffic is allowed or denied based on an organization’s compliance needs.
Actionable insights and policy optimization
By leveraging the information from the Application Filter, auditors can deliver actionable insights that lead to more effective and compliant security policies. The Application Filter tool helps reveal redundant or obsolete rules, identify unmonitored applications, and suggest policy adjustments to cover gaps in a security framework.
In the next section, we will explore best practices in NGFW configuration and management. We will discuss how effective NGFW deployment extends beyond the initial technical setup, as well as why IT auditors must validate the presence of optimal firewall rule designs and robust change management processes. The section will provide practical guidelines based on industry standards and common pitfalls identified during real-world audits, equipping you with the knowledge to ensure the operational integrity of your organization’s NGFWs.