A Comprehensive NIST Firewall Audit Checklist

Last updated August 5th, 2024 by Erez Tadmor

• Firewall Best Practices
• Network Security Automation
• Regulations and Compliance

Today's digital business operations sit on a foundation of network security. As cyberattacks increasingly exploit vulnerabilities that give them remote access to systems and networks, managing firewall policies and rules is fundamental to protecting sensitive data.

In the US, the National Institute of Standards and Technology (NIST)sets the guidelines for information security controls. At a high level, the NIST Cybersecurity Framework (CSF) outlines Categories and Subcategories of security controls that organizations should implement.

However, as you dig deeper into the NIST documentation, you will find that NIST Special Publication (SP) 800-53 revision 5, released in 2020, details lower-level controls. However, to understand the detailed requirements for implementing compliance firewalls, SP 800-53 references the 2009 document NIST SP 800-41 revision 1 details "Guidelines on Firewalls and Firewall Policy."

Manyregulations, compliance frameworks, and security standards align with or use NIST to guide their network security posture, including:

• HIPAA

• ISO 27001

• PCI DSS

• FISMA

These information security standards and regulations act as a baseline for how to mitigate cyberattack risk by implementing robust network security.

This NIST firewall audit checklist can help you understand the key requirements for achieving compliance.

High Level Requirements in NIST 800-53

NIST 800-53 defines the security controls necessary for meeting basic cybersecurity hygiene. Across the 492 pages, you can find references to firewalls under the following control categories.

Access Control:

• Access Enforcement AC-3

• Information Flow Enforcement AC-4

• Least Privilege AC-6

Configuration Management:

• Least Functionality CM-7

Incident Response:

• Incident Handling IR-4

Risk Assessment:

• Threat Hunting RA-10

System and Services Acquisition:

• External System Services SA-9

System and Communications Protection:

• Boundary Protection SC-7

• Protection of Information at Rest SC-28

System and Information Integrity:

• Malicious Code Protection SI-3

• System Monitoring SI-4

• Software, Firmware, and Information Integrity SI-7

• Spam Protection SI-8

Understanding NIST 800-41

Despite its 2009 publication date, NIST 800-41 remains the primary guiding document for firewall implementation and management.

After defining the diverse types of firewall and network architecture models, the publication summarizes key recommendations:

• Firewalls should fit the current networks layout while being flexible enough to maintain and upgrade security as the architecture changes.

• Organizations should know their security goals to align their network architecture and firewall placement choices to them.

• When using a DMZ, organizations should carefully consider which services run from the DMZ and which remain on the internal network.

• NATs should not replace firewalls.

• While layering firewalls may achieve a cybersecurity objective, multiple layers can be troublesome.

After identifying these primary considerations, NIST discusses the different firewall policies. Fundamentally, the publication explains that you should build firewalls around your risk management objectives by identifying the traffic necessary for business operations and how to secure it.

Security Policies based on IP Address and Protocol

When basing your policies in IP addresses and protocols, you should consider the following:

• ICMP

• TCP

• UDP

• IPSec components, including Encapsulating Security Payload (ESP) and Authentication Header (AH)

Recommendations for firewall configurations that protect information systems and use IP addresses include blocking:

• Traffic with invalid source or destination IP address

• Incoming traffic with invalid source address or outgoing traffic with invalid destination address at the network perimeter to mitigate malware, spoofing, denial of service (DoS) attacks or misconfiguration risks

• Incoming traffic with a private destination address or outgoing traffic with a private source address at the network perimeter.

• Outgoing traffic with invalid source address.

• Incoming traffic using the firewall as its destination address unless the firewall offers specific services for incoming traffic, like acting as an application proxy

• Traffic containing IP source routing information

• Inbound traffic containing broadcast address directed to inside the network to mitigate DoS attack risks

For TCP and UDP, NIST recommends firewall rules that:

• Deny by default for incoming traffic

• Reporting or blocking malformed UDP and TCP traffic

Application-Based Security Policies

Application firewalls offer an additional security layer and can mitigate malicious traffic risks.

Inbound Application Firewalls

When using an application firewall to shield your application server against DoS, you should:

• Place it in the DMZ

• Use IP address-based blocking to reduce the traffic managed by the application firewall

Outbound Application Firewalls

Outbound application firewalls enable you to better detect and mitigate risky connections. You should use an HTTP proxy because it enables you to:

• Log user web traffic

• Detect activity tunneled over HTTP

• Alert users to risky sites

• Cache web pages to improve network speed and bandwidth

User Identity-Based Policies

To mitigate therisk of unauthorized access to resources, you should:

• Use a Virtual Private Network (VPN) to enforce access controls

• Implement multi-factor authentication

• Apply access controls that allow or deny access based on user authentication within applications

• Ensure firewall logs collect relevant information, including user IP address and user identity

Network Activity Based Policies

Even NIST notes that crafting firewall rules around network activity is challenging. Some considerations for network activity security policies include system administrators:

• Blocking connections after defined periods of inactivity

• Understanding baseline user network activity times and needs to define time-out periods

• Blocking connections for inactivity when applications disconnect sessions

• Throttling or redirecting traffic if traffic rates are too high

• Dropping incoming ICMP packets if traffic rates are too high

Hardening Hardware and Software

Your firewall software and hardware can pose a security risk, and these need to be treated similarly to other technologies. Some best practices include:

• Disabling services and functionalities, like SNMP, unless necessary to support the firewall's purpose

• Having system administrator accounts for each person performing administration duties

Firewall Management

Maintaining your firewall architecture, policies, and software is the most challenging part of NIST compliance. Some best practices include:

• Scanning hardware, operating systems, and software for vulnerabilities

• Applying security patches and vendor updates according to vulnerability managementpolicy timelines

• Updating firewall policy rules in response to new threats and requirements, like implementing new hosts or applications

• Periodically reviewing to ensure rules continue to comply with the security policy

• Monitoring firewall logs and alerts to identify threats

• Performing periodic auditsto ensure rulesets function as intended

• Backing up firewall policies and rulesets regularly

• Including firewall ruleset changes into change management processes

• Keeping an audit trail of all policy decisions and ruleset changes

• Documenting rulesets with comments and approvals

• Restricting which system administrators can make changes

• Reviewing the firewall policy to uncover unused, redundant, or outdated rules

• Engaging in risk assessments prior to implementing new rules to ensure continued security

• Employing penetration tests against the firewalls as part of network security

Tufin: Automation for NIST Firewall Compliance

Ensuring firewall policies remain effective is critical to network security. As you work to achieve compliance with cybersecurity and information security standards and regulations, you need visibility into security configurations across your on-premisesand cloud environments.

Tufin enables you to achieve continuous compliancewith automated change management workflows that give you real-time insights into risk, enable rapid remediation, and provide an audit trail.

To learn how Tufin can accelerate your NIST compliance objectives, contact us for a demo.

Don't miss out on more Tufin blogs

Subscribe to our weekly blog digest