Hi community,
Is it required in your company to conduct a security review before purchasing a firewall? Also, do you need to perform reviews after (how often)?
What are the common materials you use in the review? Do you have any tips or advice?
Any pitfalls to watch out for?
If you are a small shop, you need to trust your MSP, VAR or another reseller when purchasing a firewall. Don't just go online and buy direct. Resellers have trained people. Most mainstream vendors even have devices that can be deployed ahead of time to get a good idea of your firewall needs. In today's firewall world, it comes down to the software package that you license on your firewall. If you get a firewall without the security software, you are not getting an effective firewall.
If you are a midmarket or large company, there are tools such as ThreatCare that can help you test the effectiveness of the firewalls you are putting through proof-of-concept testing. They will test how well the capabilities are working, especially the ones that are in place to ensure confidential information does not go out of your network without authorization.
BEFORE BUYING A HARDWARE FIREWALL YOU NEED ANSWERS TO THE BELOW QUESTIONS
If you are going to buy a hardware firewall there are a number of things to be concerned about:
1. What Type of Business Do You Run?
Hardware firewalls may be overkill for some businesses. If your business is a one-man web-based operation that does not store any personal customer data then a software firewall will likely be sufficient. But if your business is a financial firm or you deal with customer accounts then a strong firewall is absolutely necessary.
2. What is the Size of Your Business and Your Bandwidth Needs?
The size of the firewall you will need somewhat depends on the number of users on your network and how much bandwidth is used. In general, the more users on a network, the larger the firewall has to be. It is best to anticipate growth as most firewalls cannot be upgraded.
3. What Type of Firewall Do You Need?
Each type of firewall has its advantages and disadvantages. Research carefully and ask the advice of a specialist before making your final decision. Here (link to previous blog) are the main types of firewalls explained.
4. What About Anti-Virus Software?
Even with a firewall you will still need to have reliable anti-virus software installed on each machine, as viruses, worms, Trojan horses etc. can infect your machine and network from sources such as e-mail links, DVDs, USB sticks and SD cards.
5. Do You Need Data Logging?
Data logging refers to the recording of traffic in and out of your site. Depending on the type of site you operate and where you live, you may be required by law or company policy to keep your logging records for a certain amount of time. Records can be kept on a disk if your traffic is low to moderate, or on a separate device for sites with higher traffic.
6. Do You Need Identity Management (IdM)?
IdM is the task of recognising and authenticating the identity and data of users on a network. Standard firewalls typically can only enforce policies and record traffic against IP addresses, whereas more advanced firewalls (UTMs and NGFWs) are able to integrate with directory services so that the policies can be enforced and traffic recorded for users and user groups.
7. Do You Need Virtual Private Networking (VPN)?
VPN allows users to log into a secure network remotely. This could be site-to-site Internet Protocol Security (IPSec), so that you can securely connect to remote company locations or third parties. You may need Secure Socket Layer (SSL) VPNs to allow home workers and roaming workers to connect to your resources securely. The number of remote workers you have will affect the type of firewall you require and how much it will cost.
8. Do you Need Device Awareness?
Device Awareness facilitates Bring Your Own Device schemes. Some firewalls can control network access for different types of devices that your employees may bring onto your premises, enabling you to identify, monitor and report on the types of devices being used in your network and enforce policies based on the device type. This may be a consideration for you when choosing a firewall solution.
9. Do You Need High Availability?
This is typically where you have two firewalls working in a cluster where one is the primary device and the other is the secondary device. All configuration is automatically updated onto both firewalls, so should the primary firewall fail, then the secondary firewall will take over in seconds keeping your business running rather than waiting for hours or even days for you to get a replacement firewall and configure it.
10. Is Ease of Management Important?
Some firewalls are more user friendly than others; it is important to know how well the Graphical User Interface (GUI) is designed and how easy it is to manage and operate the firewall.
Most of all, it is important to remember that your security worries do not end with the installation of your firewall. Firewalls must be regularly tested and maintained to ensure they run at peak performance. And even the strongest firewalls can be breached through human error, i.e. weak or re-used passwords, leaving ports open, etc.
Without disclosing much, I can say that almost all firewalls have a moderate chance of being compromised by suffering a supply-chain attack, a very probable vector.
An in-series combination of commercial and open-source firewalls (with IPS and managed threat data) managed by an internal team of IT professionals covers 97% of the risk.
The latter 2% are covered by an FPGA-based whitelist firewall developed in-house that filters traffic by an automated 5-tuple classification engine, negating the risk of port-knocking and other low-level system backdoors.
All in all, there is not a single solution that covers both IPS and firewalling at 99% risk mitigation; you can certainly get to 90% with one solution and call it a day.
However, paranoia doesn't work retroactively: if you wait for the first hit it might as well be the last one.
Therefore a combination of open-source and commercial will surely be a major challenge to the adversaries, to the extent where they will reach for the lower hanging fruit.
The most important thing to understand when building a secure network is that absolutely nothing will cover 100% of the exposure, and a coordinated attack by a directly interested adversary (APT) will almost never get stopped. At this point the name of the game is disaster recovery protocols, automated reliable offsite network-wide backups and data encryption.
The main rules are:
1. Verify
2. Encrypt
3. Backup
4. Plan for the worst
Regards, a fellow techie.
Hi everybody,
What should I add? Thanks to all for your good support.
To sum it up:
Talk to your trusted advisor and together take or create your checklist out of all this stuff, and then go ahead with the business case or whatever is needed to get the budget.
If later this "security thing" gets bigger, you can permanently monitor firewall rules and other rules applied through a SIEM/SOC like Splunk/QRadar, to name the two on top.
Stay Healthy :)
Best Regards
Norman
Companies generally don’t require a security review before purchasing a firewall but it differs from company to company. There needs to be a business justification for the purchase of a firewall but a full on review is not a requirement in most cases.
The review of a firewall in most cases is performed manually by a human. There are best practice guidelines that you can follow depending on the firewall vendor to further supplement the review. Depending on the scope, you might be asked to complete a full review which would include reviewing the ACL, NAT, IDS/IPS, URL filtering and bandwidth reports.
I can’t think of any pitfalls since the majority of the work is done in read-only mode so the chances of making a configuration mistake are rare.
Well in terms of a review for a firewall or actually any security product your security functionality must come first and the best place to start is using your organization's security policies to see if the firewall will fulfill those policies. Also you need to see how well it will help you to stay in compliance if your company is under one or more regulations such as HIPAA/SOX/GDPR, in other words will it help you to fill a requirement under such regulation?
Then comes the support: there is nothing more frustrating than, once you have the product in your network, realizing that technical support is a disaster. Research in forums or ask the vendor for success cases and, if you can, speak with some of them regarding the product. Also it is important to have an escalation procedure established with the vendor; during an incident you want to have a clear communication channel with the vendor's technical support to help you.
As mentioned in other replies you must test. You can arrange such a test with the vendor, and most vendors will be happy to help you with that with a demo unit or something similar. For the test it is advised that you create a series of test cases that allow you to really get the feeling of how it operates and its limitations. To generate the test cases, again use your security requirements based on your security policy.
Tip: Also integrate into your requirements anything that is not in the current policy but has been detected as something that needs to be mitigated or acquired due to a change in processes within the organization or a recent incident.
Others that posted here are putting you on the right track. Here is my 2 cents added to the pile.
1. Ensure your new firewall can scan HTTPS traffic in an adequate way.
2. When reviewing forum reviews or problem posts keep this in mind (a lot of people rule out point 3 below and are bitter): the firewall gives the customer the tools to secure their network; it is the customer's understanding and know-how that secures the system and makes exceptions for it to function.
3. If doing the legwork others specified or networking is not your cup of tea, hire a consultant to review your needs, present solutions, and implement them. You will be a much happier person.
1- Check that the current vendor product is not End of Full Support and Services. You should be able to get updates and/or upgrades for firmware/OS/UTM subscription.
2- Review your sizing requirement: do the current specifications still apply? For example: concurrent sessions.
3- Review your organization's security policy. This should be done on a periodic basis. And at a very basic level, try to comply with the standard requirements for your business domain. For example, for a financial institution, PCI DSS audit compliance.
4- For a comparison, you can also review latest NSS reports. These are readily available on Internet.
Is it required in your company to conduct a security review before purchasing a firewall?
Firewall reviews are usually done annually and equipment is purchased to protect each network data point.
What are the common materials you use in the review?
To verify the open ports, services, and applications of what is allowed and disallowed. Most companies are moving towards software like TUFIN to help continually perform these rule deployments and changes globally.
Do you have any tips or advice for the community?
Adapt to a common service platform to connect to service desk, deployments and regular review to reduce errors and service time to deploy FW changes.
Any pitfalls to watch out for?
Not being able to survey automatically current FW rules and settings could leave the company vulnerable to intrusion or failed services for internal stakeholders.
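The rule-set survey this reply calls for, and the ACL review an earlier reply mentions, can be partly automated. The following is an added example, not code from any poster or vendor: it runs three common manual-review checks (any/any allow rules, rules shadowed by an earlier rule so they never match, and allow rules that do not log) over a constructed, IPv4-only sample rule set that stands in for a real firewall's export.

```python
"""Firewall rule-set review helper (added example with a constructed sample)."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow" or "deny"
    src: str        # source CIDR (IPv4 in this sample)
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive destination-port range (low, high)
    log: bool = True


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that inner would match is already matched by outer."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def is_any_any(rule: Rule) -> bool:
    """An allow rule matching all sources, destinations, protocols and ports."""
    return (rule.action == "allow"
            and _net(rule.src).prefixlen == 0
            and _net(rule.dst).prefixlen == 0
            and rule.proto == "any"
            and rule.ports == ANY_PORT)


def review(rules):
    """Return (rule name, finding) pairs; rules are evaluated first-match, top down."""
    findings = []
    for i, rule in enumerate(rules):
        if is_any_any(rule):
            findings.append((rule.name, "permissive any/any allow"))
        if rule.action == "allow" and not rule.log:
            findings.append((rule.name, "allow rule without logging"))
        for earlier in rules[:i]:
            if covers(earlier, rule):   # earlier rule always wins, this one is dead
                findings.append((rule.name, f"shadowed by {earlier.name}"))
                break
    return findings


# Constructed sample rule set (hypothetical names and addresses, not a real export).
SAMPLE_RULES = [
    Rule("web-in", "allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", (443, 443)),
    Rule("mgmt-ssh", "allow", "10.0.0.0/8", "10.0.1.10/32", "tcp", (22, 22), log=False),
    Rule("deny-web-host", "deny", "0.0.0.0/0", "10.0.1.5/32", "tcp", (443, 443)),
    Rule("temp-any", "allow", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORT),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORT),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Note that a deny rule shadowed by an earlier allow (deny-web-host above) is the case a human reviewer most easily misses, because the rule reads correctly in isolation.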
Yes, I recommend doing a security review regularly. Not necessarily before a firewall purchase unless you have not done one lately. Having the results of the review will help you understand what capabilities you need in a firewall. As an example, if you get a ton of login attempts from outside your country of origin but have no customers or partners outside the country you will want to have "country blocking" capabilities. There are a number of tools that can be used for evaluations. We currently use RMM and Security tools from SolarWinds.
We have other tools as well. To perform a security review you have to have tools do the work. It simply is not possible for an individual to perform a thorough check without significant automation. We offer this as a service as well.
Pros: SolarWinds has a free version of some of the useful tools, such as a Security Information and Event Management (SIEM) tool. You can rent some tools by going through a partner (such as us, BayStateTechnology.com).
Cons: Tools to purchase are a bit expensive. The performance checks that RMM uses are not accurate on large busy machines. Support leaves much to be desired.
Anyone in the market for any security product needs to find an MSP to have the service monitored and maintained.
With the complexity and the current state of the world, it is becoming more important every day to ensure you are monitoring the current state of your network and security posture.
Most organizations typically deploy and forget and believe because the firewall is in place they are secure. This is the furthest thing from the truth.
Constant monitoring and adjustment of the firewall and ALL internal security measures is imperative. Most vulnerabilities and breaches occur internally in the network and not externally. Although complete security is never achievable, designing and deploying a multi-layered security posture with continuous monitoring is the best way to ensure a secure environment.
Ok, there are a few big questions:
1) QoS management
2) How the different lists, black and white, are managed
3) How ISP control works, with only one ISP and with more than one
4) How does it work with app control?
5) How much info you can get for reporting
6) How far you can go with IPs or host names for blocking or allowing content
7) If you can use VLANs for management
8) If you can have a DB for elements (VLAN, IP etc.)
I think that's enough to conduct an accurate interview with your favorite IT dealer, and homework for you guys.
The best recommendation, whether you are preparing to purchase new equipment or simply want to understand where you may have potential vulnerabilities within your network, is to conduct a Security Check Up by a Check Point representative. It’s a free service and only takes up to two weeks for best results. We can provide the highest level of security throughout the process and no data is retained. Our process and the resulting reporting is “user friendly” and easy to understand. Once you have the final report of your security checkup, you will find our recommendations based upon the results. You don’t have to own any Check Point product to request a security check-up. Since the Check Point product is noted by Gartner, NSS Labs, Miercom and many other 3rd party professional evaluations as the highest performing threat prevention product on the market today, you can be assured that we will provide the most accurate assessment above all others. Check Point is 100% pure cybersecurity-focused and has been in the industry longer than any other vendor. Our product is recorded to be faster at detection, more thorough with the largest signature database of any security vendor, and we also provide preventive measures for future attacks. We have the greatest level of financial investment in our R&D, which is why our product consistently outperforms any other vendor in any capacity. We don’t just detect malware, we actually proactively prevent malware from gaining access to your network. Financially, our product will be a better fit as we decrease the need for remediation as well as lower the cost of management.
If you are not currently using Fortinet, ask your Fortinet partner for a CTAP - "Cyber Threat Assessment". It takes a couple of weeks and gives a useful (if somewhat marketing-focussed) report that identifies what is going on with your network now, and helps identify answers for the questions raised by the other posters. It shouldn't cost anything (other than your time) to get this done, and the process is designed to be non-disruptive.
How do you plan for a security review for firewalls?
A few steps to follow for a firewall security review.
A firewall security review examines vulnerabilities associated with a specific vendor's solution, the susceptibility of the firewall to focused connection and information-driven attacks and exploits, and misconfigurations that allow an attacker to overcome specific firewall protections.
* Request Datasheet from top 3-5 FW Vendors
* Request Quote from top 3-5 FW Vendors
* Request Demo from top 3-5 FW Vendors
Is it required in your company to conduct a security review before purchasing a firewall?
No. I work for a distributor, therefore I sell firewalls to clients; however, firewall security reviews help the organization verify that their firewalls adequately protect critical business information and data as required. Firewall reviews are a key requirement within a number of industry-related standards and regulations, such as PCI and HIPAA.
What are the common materials you use in the review?
Security experts will work with you and your team to review your firewall and provide recommendations. The review process can be performed remotely through secure communications or onsite.
Do you have any tips or advice for the community?
With constant changes to your network and the necessity for reliable communications via the Internet, your firewall is a critical component in maintaining security. A firewall review provides an expert analysis of your unique situation and reports any open concerns, threats and/or vulnerabilities in your current configurations.
Any pitfalls to watch out for?
Testing firewall and IDS rules is a regular part of penetration testing or security auditing. However, because of the unique complexity involved in different environments, automated scanners are not able to provide much use in this area. Several free and open source tools exist to help craft packets to test firewalls and IDS rules, which can aid in general assessment. A general working knowledge of TCP/IP is required to make use of such tools, and access to a Linux or OS X laptop is recommended for portable testing. After obtaining a general assessment of a firewall and its rules, corrections to rules can be applied as appropriate.
Yes, when we buy security tools we should consider everything the organization needs and its challenges. My favorite security solution is pfSense, because we can use many packages like Snort, the Zabbix agent, traffic monitoring like ntop, and much more.
A number of considerations for a security review if it has to do with purchasing new firewalls, namely:
1. Throughput (how much traffic can the firewall process per second at peak capacity versus how much traffic you intend to push to the firewall)
2. GUI (a management interface from a GUI perspective provides for easier firewall management and to some extent prevents misconfigurations. Look out for good, user-friendly management software)
3. IPS/IDS functionality (verify the IPS/IDS capability of the firewall and determine if the facility is offered as part of the firewall chassis in software, as a separate module you can plug into the main firewall chassis, or as an entirely separate box. This should help you decide whether to place IPS/IDS in-line. Also be sure of sensor and signature update parameters with regard to IPS/IDS functionality for UTM purposes)
4. Licenses and keys (be sure to find out what additional licenses and keys would be required for activating additional features such as remote access VPNs, including SSL VPNs, etc.)
5. Support for VPN types, including IPSec site-to-site etc.
6. Logging functionality (Syslog etc.) and remote management and monitoring functionality using SNMP v3 etc.
I would say yes, because in my opinion whenever you are going to purchase any security device you should conduct a security review, so that you can get to know which one is best according to your organizational need, because you will never compromise when it comes to organization security. You should also do reviews on a regular basis, as a lot of things change frequently in a particular product. The common materials you can use in the review are: contact a partner/reseller and include them in your review, or simply visit all OEMs' official sites and compare products, including Gartner or NSS Labs or any other comparison standards.
Tips or advice for the community: include a partner/reseller to get the review done and end up getting the best product for your organization, because partners/resellers always do reviews on different products regularly and can advise you which one is best according to your requirements.
Yes, a security review is a must when acquiring a firewall solution. In particular, one should determine what are the requirements for access for the different user's groups. This, in turn, will lead to the formulation of the different policies for the access requirements. All of these will serve as inputs for determining what kind of features would one need for a firewall. One critical aspect is sizing properly the firewall. This includes all the policies that one would have to implement as well as the available/required bandwidth for internet access.
The security issues of a company, however small or large, must always be analyzed. Safeguarding data and information is thinking about the welfare of the company.
Faced with this, the important thing to take into account is to consider at least one expert's advice on the subject; consider what is indicated not by one MSP but by several suppliers, who may even be first consultants for selling their product, without identifying at least if it is better or worse, how important it is that you deliver and watch over your needs, and always look to the future.
There are many solutions today, very similar, so sometimes the difference in what some deliver for the same value is what makes the difference, beyond a specific product.
I work for a fairly small company and we don't exactly have written policy yet on this (I know we should). However, we did recently switch to a different security appliance and the main concerns were on what is required by the company, and also considering company growth will the device be sufficient for the next few years.
I agree with Matthew. First understand requirements and how it fits with your current organisation (network as well as skill set). FGFW are nowadays the way to go. I use Fortinet: a good balance between cost and UTM options.
The only question for a review would be based on your requirements. For example, does the firewall meet Common Criteria standards or other security controls.
Generally, we suggest pursuing an NGFW, and our initial recommendation is Fortinet. The good news is the NSS results put Fortinet as #1.