Firewall Audit – NCUA Questions

Sometimes the NCUA will have questions about a credit union's firewall, so I've decided to post what some of those questions from the NCUA might be:

  • Does management have a formal, documented firewall configuration management policy that addresses the following:
    • Purpose
    • Scope
    • Roles
    • Responsibilities
    • Management commitment
    • Coordination among organizational entities
    • Compliance
  • Does the firewall administrator receive adequate training?
  • Does the credit union have a comprehensive list of what should be allowed/disallowed through the firewall?
  • Is the firewall located in a controlled access area?
  • Is the firewall(s) secured against unauthorized access from Internet, Extranet and Intranet users?
  • Are inner firewalls placed around all critical, financial and transactional systems?
  • Can the firewall be accessed by a secondary IT Committee member or assigned staff member in an emergency?
  • Do you place firewalls at all sub-network boundaries where policies differ between the connecting sub-networks?
  • Does the credit union maintain an inventory of all firewalls in use?
  • Are firewall configuration changes properly documented, reviewed, and approved?
  • Is adequate documentation maintained to support the specific business reason for each firewall rule?
  • Has the firewall been tested to ensure that it would fail closed?
  • Are internally hosted web services protected by firewalls that inspect all traffic for common web application attacks?
  • Are firewall rules reviewed periodically to determine whether they are still required from a business perspective?

Firewall Security & Maintenance

  • Does the firewall system enforce approved authorizations for logical access to the system in accordance with applicable policy (policy reviewed above)?
  • Does Management configure the firewall to provide only essential capabilities and specifically prohibit or restrict the use of management-identified functions, ports, protocols, and/or services, such as:
    • IP spoofing attacks?
    • Denial of Service attacks?
    • Programs like finger, whois, tracert and nslookup?
  • Is there a default deny rule?
  • Is the firewall operating system updated regularly?
  • Is the firewall system(s) appropriately configured to protect the confidentiality and integrity of information at rest, i.e. rule sets?
  • Is the firewall rule change control process automated?
  • Does the credit union have an automated monitoring system that provides real-time alerts about firewall configuration changes?
  • Does the credit union use automated tools to evaluate the firewall rule set for errors or conflicts after making significant changes?
  • Do assigned individuals monitor events on the information system in accordance with Management’s organization defined monitoring objectives and detect information system attacks?
  • Are automated alerts in place?
  • Are alerts sent to a SIEM?
  • Are firewall logs reviewed?
  • Is the log review conducted at least each business day?
  • Are the firewall logs maintained for a specified period of time?
  • Are firewall logs backed up?
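Several of the questions above ask for evidence rather than a yes/no: a default deny rule, a business reason on file for every rule, periodic review, restriction of services such as finger and whois, and automated evaluation of the rule set for errors or conflicts after changes. The script below is an added example, not part of the original post and not tied to any vendor's firewall; it audits a small constructed rule set (the `Rule` dataclass, `SAMPLE_RULES`, and the `AS_OF` review date are all assumptions made for the example) and reports exactly those findings. The shadowing check is the general form of the "conflicts" question: a later rule that an earlier rule already fully matches is redundant if the actions agree and a conflict if they differ.

```python
"""Rule-set audit helper (constructed example, not from the original post)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import ipaddress

# Well-known ports for services the checklist names as candidates for restriction.
RISKY_SERVICE_PORTS = {43: "whois", 79: "finger"}
AS_OF = date(2024, 6, 1)  # assumed audit date for the stale-rule check


@dataclass
class Rule:
    rule_id: str
    action: str             # "allow" or "deny"
    src: str                # CIDR, or "any"
    dst: str                # CIDR, or "any"
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # destination port; None means any
    justification: str      # documented business reason for the rule
    last_reviewed: date


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if `outer` matches every packet that `inner` matches."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.port in (None, inner.port))


def has_default_deny(rules):
    """The final rule must deny all sources, destinations, protocols and ports."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action == "deny" and _net(last.src).prefixlen == 0
            and _net(last.dst).prefixlen == 0 and last.proto == "any"
            and last.port is None)


def undocumented(rules):
    """Rules with no business justification on file."""
    return [r.rule_id for r in rules if not r.justification.strip()]


def shadowed(rules):
    """Later rules an earlier rule already fully matches: (later, earlier, kind)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((later.rule_id, earlier.rule_id, kind))
                break
    return findings


def risky_allows(rules):
    """Allow rules that expose services the policy says to restrict."""
    return [(r.rule_id, RISKY_SERVICE_PORTS[r.port])
            for r in rules if r.action == "allow" and r.port in RISKY_SERVICE_PORTS]


def stale(rules, today: date = AS_OF, max_age_days: int = 365):
    """Rules not reviewed within the allowed period."""
    return [r.rule_id for r in rules if (today - r.last_reviewed).days > max_age_days]


def audit(rules, today: date = AS_OF) -> dict:
    return {
        "default_deny": has_default_deny(rules),
        "undocumented": undocumented(rules),
        "shadowed": shadowed(rules),
        "risky_allows": risky_allows(rules),
        "stale": stale(rules, today),
    }


# Constructed sample rule set; addresses are documentation ranges, not real hosts.
SAMPLE_RULES = [
    Rule("R1", "allow", "any", "10.0.1.10/32", "tcp", 443, "Member web banking portal", date(2023, 11, 1)),
    Rule("R2", "allow", "203.0.113.0/24", "10.0.2.0/24", "tcp", 22, "Core vendor support, static IPs per contract", date(2023, 9, 15)),
    Rule("R3", "allow", "10.0.0.0/8", "any", "tcp", 79, "", date(2021, 2, 3)),
    Rule("R4", "allow", "203.0.113.7/32", "10.0.2.5/32", "tcp", 22, "Vendor jump host", date(2023, 9, 15)),
    Rule("R5", "deny", "any", "10.0.1.10/32", "tcp", 443, "", date(2023, 11, 1)),
    Rule("R6", "deny", "any", "any", "any", None, "Default deny", date(2023, 11, 1)),
]

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_RULES).items():
        print(f"{finding}: {value}")
```

Run against the sample set, the audit reports that a default deny is present, that R3 and R5 have no justification, that R4 is redundant with R2 and R5 conflicts with R1, that R3 allows finger, and that R3 has not been reviewed within a year. Keeping the output as a dated artifact, and re-running it after each significant change, is the kind of evidence the automated-evaluation and change-control questions are looking for.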

Firewall Business Continuity

  • Has Management obtained maintenance support and/or spare parts for firewalls within a Management defined time period of failure?
  • Can the firewall be quickly reconfigured from backups (e.g., to restore a previous configuration)?
  • Is backup recovery of the firewall tested at least annually?
  • Is the firewall on an Uninterruptible Power Supply (UPS)?
  • Does Management include dynamic reconfiguration of the firewall as part of the incident response capability?
  • Is the firewall backed up?
  • Are backups safeguarded?
  • Has Management tested the firewall recovery using a firewall backup?
  • Is automatic failover enabled?

Firewall Security Assessment

  • Are vulnerability assessments periodically run on the firewall to identify open ports and services?
  • Did the last assessment result in a favorable rating?
  • Does management take corrective action on the recommendations from the assessments?
  • Are external penetration tests attempted after major system updates?
  • Is there an audit trail of who accesses the firewall administrative accounts?
  • Are firewall rules, policies, and procedures reviewed at least annually by a qualified auditor?
  • Is each rule documented sufficiently to allow for review by a qualified auditor?
  • Is there an audit trail of changes made during the past year?

Firewall Vendor Management

  • Do non-corporate personnel or vendors access the firewall? If no, skip this section
  • If so, have contracts with this vendor been reviewed by corporate legal personnel?
  • Does Management document, for each connection, the interface characteristics, security requirements, and the nature of the information communicated with third party vendors?
  • Does Management authorize connections from the information system via the firewall to other information systems outside of the credit union's authorization boundary (network) through the use of appropriate contractual agreements?
  • Do access control limits restrict access to specific static external IP addresses in the case of remote vendor support?
  • Is access limited to only the firewall? If the vendor has other access, please indicate.
  • Is all access by encrypted channel (e.g., SSH)? Exception: terminals directly connected to the firewall do not require an encrypted channel.
  • If the firewall product uses a remote management architecture (e.g., Checkpoint management module and firewall module), are the controls adequate?