
Firewall Assessment in 2024: 5-step Methodology

Written by Cem Dilmegani

Cem is the principal analyst at AIMultiple since 2017. AIMultiple informs hundreds of thousands of businesses (as per Similarweb) including 60% of Fortune 500 every month.

Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE, NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and media that referenced AIMultiple.

Drafted by Mert Palazoğlu

Mert Palazoğlu is an AIMultiple industry analyst focused on network security.

During the fourth quarter of 2023, data breaches exposed 8+ million records globally.1

Firewall assessment can help companies anticipate cyber risks and threats, detect alerts, and use a layered strategy to protect operational assets while also reducing the negative effects of data breaches.

This post discusses numerous methods and techniques describing firewall assessment and how organizations can leverage it for planning, configuring, testing, deploying, and managing firewall systems.

What is firewall assessment?

A firewall assessment is the process of identifying, quantifying, and prioritizing risks across a firewall architecture. It involves evaluating cyber threats and vulnerabilities and implementing firewall security procedures (e.g. a firewall audit) to mitigate them.

The evaluation can help organizations improve and maintain the various layers of their networks against the actions of hackers or viruses that interrupt business operations.2

Figure: Risk assessment framework

Source: NIST, National Institute of Standards and Technology U.S. Department of Commerce3

Read more: Top 10 firewall audit software.

Why is firewall assessment important?

Organizations perform firewall assessments to evaluate technical effectiveness and security performance across their key operations, processes, operational business segments, and information systems. Firewall assessments may help organizational leaders make risk-based choices and actions at all levels of the risk management hierarchy. 

Examples include:

  • Developing a firewall security framework, including those enabling business operations and common services.
  • Designing firewall security remedies for information systems and operations, including selecting security controls, products, vendors, and contractors. 
  • Controlling access to firewall management systems and their inherited security controls.
  • Implementing firewall security solutions (e.g., ensuring specific technology products or configurations meet certain requirements)
  • Operating and maintaining firewall security solutions (e.g., continuous network visibility practices).

The function of firewalls in network security

Firewalls are security hardware or software solutions that monitor and manage network traffic using specified rules and policies. They serve as barriers, allowing legitimate traffic to flow while preventing or filtering potentially risky interactions (e.g. third-party risks). Traditional firewalls act at the network level, examining packets and applying rules based on IP addresses, applications, and protocols.

Key firewall-related subjects that can be analyzed during firewall assessment:

  • Software version and patch level.
  • Location of firewall within the network.
  • Overlapping policies.
  • Insufficient network auditing.
  • Missing rules (such as an espionage rule).
  • Excessive user accounts.
  • Security of VPN settings.
  • Protections set against typical Denial of Service attacks.

Read more: Most common cyber attack vectors.

Firewall assessment 5-step methodology

Firewall assessment should be done in phases, comparable to any other new technology deployment.

A successful firewall assessment requires a defined, step-by-step planning and execution approach. Using a staged approach to deployment helps prevent unexpected complications and detect potential risks or threats early on. This section details the firewall assessment, planning, and implementation processes, including: 

1. Plan

Before developing and deploying a firewall, companies should confirm that one is actually needed to enforce their security policies. This decision usually follows a risk evaluation of the entire system. A firewall assessment involves identifying vulnerabilities and threats in an information system, assessing the expected impact of a breach on the company’s resources and operations, and analyzing the security controls in place.

The key principles that enterprises should follow when planning firewall assessments are: 

Use devices as recommended: Firewalls shouldn’t be built using equipment not intended for firewall use. Routers are designed to handle routing, not complicated filtering, which might overload the CPU. Firewalls shouldn’t be used for non-security purposes like site or email hosting. 

Develop a multi-layered defensive strategy: Defense-in-depth firewall assessment entails implementing numerous levels of security across network layers. This approach improves firewall risk management by ensuring that if one layer of security is breached, another layer can take over and restrict the assault. To achieve defense-in-depth, use several firewalls across a company, including those at the perimeter, critical internal departments, and individual PCs. To achieve effective defense in depth, firewalls should be integrated with other security solutions like malware prevention and intrusion prevention systems. 

Pay attention to insider threats: Focusing primarily on external threats leaves the network vulnerable to internal attacks. Internal hosts can be infected with malware or compromised by external attackers, so the hazard does not have to originate from insiders themselves. Key internal networks also need to be protected by internal firewalls. 

Define the firewall’s features: Firewall models vary in features and restrictions. These factors can affect the company’s security policies and its firewall implementation approach. Document the advantages and limitations identified during planning in the overall assessment report. 

When executing a firewall assessment, organizations should weigh the following factors: 

Security capabilities:

  • Which elements of the company are protected, such as the perimeter, internal departments, and operational technology?
  • Which firewall technologies, such as packet filtering, application firewalls, and application-proxy gateways, are most effective for protecting specific types of traffic?
  • What extra security features, such as intrusion prevention systems (IPS), insider threat management (ITM) software, VPNs, and content filtering, should the firewall support? 

Management:

  • What management protocols does the firewall support, including HTTP (hypertext transfer protocol), SSL (secure sockets layer), and SSH (secure shell)?
  • Does the firewall allow for centralized control of multiple devices from the same administrator?
  • Does the centralized administration require vendor-specific software or can it be managed by other software programs? 

Performance:

  • What throughput, maximum concurrent connections, connections per second, and latency constraints are necessary for the network traffic? 
  • Does the firewall provide enough availability for business needs?
  • Does your firewall streamline network security with the addition of application control?

2. Configure

The configuration step covers all aspects of configuring the firewall platform. This process involves establishing firewall policies, logging, and alert modifications.

2.1 Establishing firewall policies

After installing a firewall, its policies should be configured to reduce vulnerabilities and prevent unwanted access. Any terminal software required for administration should be installed, and only the administrator should have access to control the firewall (e.g. organizations should keep firewall management services disabled until they are needed during the policy modification phase).

The process of generating firewall policies and a ruleset varies depending on the kind of firewall and the product. Typically, firewalls compare traffic against the rules in order until a match is found. To optimize such firewalls, place the rules most likely to match the observed traffic patterns first.

Figure: Firewall ruleset

Source: ManageEngine4

At least on a basic level, these two policies should be established: 

  1. Activate port filtering (filtering packets based on port number to restrict traffic within a network) at both the network’s perimeter and internal areas. 
  2. Content filtering should occur as near to the content receiver (e.g. router) as possible.

Figure: Content filtering

Source: Wallarm5

2.2 Logging and alert modifications

Logging: Logging is crucial for preventing errors, and for maintaining adequate security configurations on the firewall. Proper logging can also give insight when responding to security-related cyber incidents.

Network administrators can set firewalls to keep logs locally and send them to a central log management system. Administrators decide what to log and how long to retain logs. Some administrators track all authorized connections to help spot unwanted traffic, while others avoid logging authorized inbound connections because of their high volume or resource usage.

Figure: Firewall logging statistics

Source: ManageEngine6

Alert modifications: Organizations can set up real-time notifications to alert administrators of critical firewall events.

Notifications may feature the following: 

  • Any changes or disabling of firewall rules.
  • System restarts, storage deficiencies, and other technical problems.
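As an added illustration (not from the original article), a small alert classifier that runs over constructed firewall log lines and raises the notification types listed above: rule changes or disabling, restarts, and storage deficiencies. The syslog-like line layout is an assumption made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not from any real device). Assumed layout:
# "<timestamp> <host> <facility>: <message>".
SAMPLE_LOGS = [
    "2024-02-05T10:01:12 fw1 config: rule 'allow-smtp-out' modified by admin",
    "2024-02-05T10:02:30 fw1 config: rule 'deny-telnet' disabled by admin",
    "2024-02-05T10:03:01 fw1 traffic: accept tcp 192.168.1.100:1030 -> 192.0.2.71:80",
    "2024-02-05T10:05:44 fw1 system: log partition at 93% capacity",
    "2024-02-05T10:09:10 fw1 system: device restarted (reason: watchdog)",
    "2024-02-05T10:10:00 fw1 traffic: drop tcp 203.0.113.9:4444 -> 192.168.1.5:23",
]

@dataclass
class Alert:
    severity: str
    category: str
    timestamp: str
    message: str

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
DISK_RE = re.compile(r"at (?P<pct>\d+)% capacity")

def classify(line: str, disk_threshold: int = 90) -> Optional[Alert]:
    """Return an Alert for lines an administrator should be notified about,
    or None for routine entries that are only kept in the log store."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, facility, msg = m["ts"], m["facility"], m["msg"]
    if facility == "config" and msg.startswith("rule "):
        # disabling a rule is worse than editing one: it may silently open a hole
        sev = "high" if " disabled " in msg else "medium"
        return Alert(sev, "rule-change", ts, msg)
    if facility == "system":
        if "restarted" in msg:
            return Alert("high", "restart", ts, msg)
        d = DISK_RE.search(msg)
        if d and int(d["pct"]) >= disk_threshold:
            return Alert("medium", "storage", ts, msg)
    return None

def alerts_for(lines: List[str]) -> List[Alert]:
    """Run every line through the classifier and keep only the alerts."""
    return [a for a in (classify(l) for l in lines) if a is not None]
```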

3. Test

Before deployment, firewalls should be tested and analyzed to guarantee adequate functionality.

Testing should take place on a test network that is not connected to the operational network. The test network should closely resemble the production network, including its network topology and the data that will travel past the firewall. 

To assess a test, the following aspects should be considered: 

Connectivity: Users can establish and maintain connections through the firewall. 

Rulesets: The rulesets should restrict traffic that violates the security policy.

Application interface: Host-based or local firewall technologies should be compatible with existing software applications, including the network connectivity between application components. Network firewalls should have no impact on the applications that communicate across them, such as server software. 

Firewall management: Administrators may configure and administer the solution efficiently and securely.

Logging: Logging and data administration align with organizational policies and plans. 

Performance: Testing should analyze performance metrics (e.g. network speed or latency concerns) of the applications that will pass through the firewall.

Security of the testing: The firewall under test may itself contain weaknesses and vulnerabilities that attackers could exploit. Organizations with high security requirements might decide to conduct vulnerability scans of the firewall’s network components. 

4. Deploy

After testing is completed, the firewall assessment methodology moves on to deployment. Before deploying the firewall, network administrators should notify users or owners of impacted systems and educate them on who to contact if problems arise. Any updates to other technology should be discussed as part of the overall firewall deployment process.

After coordinating the firewall deployment, one of the following deployment types can be followed: 

Hardware: Hardware firewall deployments are often appliances that are deployed across a network’s perimeter.

Software: Software firewalls are deployed on PCs or servers at the network’s perimeter, and they allow or deny requests.

Cloud-based: Cloud firewalls secure storage services and apps by evaluating traffic that seeks to access a storage application.

5. Manage

The longest step of the firewall assessment approach is managing the solution, which includes maintaining its architecture, programs, and other deployed elements. 

Maintenance: Typical maintenance actions include testing and installing fixes to firewall devices. Policy guidelines need to be modified when risks emerge and priorities change, for example when new apps or hosts are added to the network. 

Performance monitoring: Monitoring firewall performance helps identify and fix resource concerns before the resources become overwhelmed. Organizations can continuously monitor logs and alarms to identify potential attacks on the system, both successful and failed. 

Read more: Network visibility.

Policy testing: Periodic testing is necessary to ensure firewall rules are operating properly. In addition, firewall policies and rule sets need to be backed up regularly. 

Penetration testing: Penetration testing may help organizations analyze the security of their network. This testing ensures that a firewall ruleset is functioning properly by simulating network traffic and comparing the response to expectations. Penetration testing should enhance, not replace, traditional auditing methods.
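An added example (not from the original article) that serves both the rule-ordering advice under step 2.1 and the policy testing described here: a first-match ruleset evaluator with per-rule hit counters, a policy test that pushes constructed traffic through the ruleset and compares verdicts with expectations, and a reordering step that keeps the new order only when the test still passes, because reordering overlapping rules changes which one matches first. Rules, networks and traffic are constructed for the illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Packet = namedtuple("Packet", "src dst proto dport")

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    hits: int = 0                # how often this rule was the first match

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net) and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    # First-match semantics: scan in order, stop at the first matching rule.
    for r in rules:
        if r.matches(p):
            r.hits += 1
            return r.action, r.name
    return "deny", "implicit-deny"   # nothing matched: default deny

def check_expectations(rules: List[Rule], cases) -> List[str]:
    # Policy test: simulate traffic and list every case whose verdict differs from policy.
    failures = []
    for pkt, expected in cases:
        verdict, rule = evaluate(rules, pkt)
        if verdict != expected:
            failures.append(f"{pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}: "
                            f"expected {expected}, got {verdict} via {rule}")
    return failures

def reorder_by_hits(rules: List[Rule], cases) -> bool:
    # Put the most frequently matched rules first; since verdicts depend on order,
    # re-run the policy test and restore the old order if any verdict changed.
    original = list(rules)
    rules.sort(key=lambda r: r.hits, reverse=True)   # stable sort
    if check_expectations(rules, cases):
        rules[:] = original
        return False
    return True

def demo() -> Tuple[bool, List[str]]:
    # Constructed ruleset and policy test cases (not from any real deployment).
    rules = [
        Rule("deny-guest-to-servers", "deny", "192.168.50.0/24", "10.0.0.0/8"),
        Rule("allow-web-to-servers", "allow", dst_net="10.0.0.0/8", proto="tcp", dport=80),
        Rule("allow-smtp-out", "allow", "192.168.1.0/24", proto="tcp", dport=25),
    ]
    cases = [
        (Packet("192.168.1.100", "10.0.0.10", "tcp", 80), "allow"),
        (Packet("192.168.50.7", "10.0.0.10", "tcp", 80), "deny"),   # guests stay blocked
        (Packet("192.168.1.101", "10.66.32.122", "tcp", 25), "allow"),
        (Packet("203.0.113.9", "192.168.1.5", "tcp", 23), "deny"),  # implicit deny
    ]
    for _ in range(50):   # simulated traffic: the web rule is hit far more often
        evaluate(rules, Packet("192.168.1.100", "10.0.0.10", "tcp", 80))
    reordered = reorder_by_hits(rules, cases)   # refused: would expose the guest net
    return reordered, [r.name for r in rules]
```

In the demo the hit-based reorder would move the web allow rule ahead of the guest deny rule, so the policy test fails and the original order is kept; the same machinery accepts a reorder among non-overlapping rules.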

Figure: A firewall analyzer monitors and displays interfaces associated with the specified firewall devices

Source: ManageEngine7

Read more: Top 10 insider threat management software, top 10 network security policy management solutions (NSPM).

Firewall types

Several firewall types have been developed to improve network security; the main ones are:

1. Packet filters

Packet filters monitor and manage network access by permitting or blocking packets depending on source and destination IP addresses, protocols, and ports. This firewall is sometimes referred to as a static firewall.

Figure: Packet filtering

Source: ScienceDirect (Chari, Kausha. “Firewalls”. ScienceDirect, 2003. Retrieved February 5, 2024.)

2. Stateful Inspection firewalls

Stateful inspection firewalls build on packet filtering to govern the flow of data packets through the firewall; the technique is also known as dynamic packet filtering. These firewalls can determine whether a packet belongs to a known session or not. They only allow communication once the session between the two endpoints has been fully established; otherwise, they block it.

For example, when a device on the internal network (192.168.1.100) tries to connect to a device outside the firewall (192.0.2.71), the firewall ruleset determines if the connection is allowed (table 1). If authorized, a new session is launched, as shown by the first entry under “Connection State” in the state table.

Table 1: State table example

Source address   Source port   Destination address   Destination port   Connection state
192.168.1.100    1030          192.0.2.71            80                 Initiated
192.168.1.102    1031          10.12.18.74           80                 Established
192.168.1.101    1033          10.66.32.122          25                 Established
192.168.1.106    1035          10.231.32.12          79                 Established
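An added example, not part of the original article, that implements the state-table behaviour described above: a minimal stateful inspection tracker that admits new outbound sessions via a ruleset, records them as Initiated, promotes them to Established once the handshake completes, and drops inbound packets that match no entry. The packet fields and the port-based ruleset are assumptions for the illustration; the constructed exchange reproduces the first row of Table 1.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# State-table key in the same order as the columns of Table 1.
Key = Tuple[str, int, str, int]   # (source addr, source port, dest addr, dest port)

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags reduced to the two the example needs
    ack: bool = False

class StatefulFirewall:
    """Outbound sessions are admitted by the ruleset (here simply a set of
    permitted destination ports); inbound packets are admitted only when they
    belong to a session already in the state table (Initiated -> Established)."""

    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)
        self.state: Dict[Key, str] = {}

    def process(self, p: Packet, direction: str) -> str:
        if direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if key in self.state:
                if self.state[key] == "Initiated" and p.ack and not p.syn:
                    self.state[key] = "Established"   # handshake completed
                return "allow"
            if p.syn and not p.ack and p.dport in self.allowed_dports:
                self.state[key] = "Initiated"         # new session per ruleset
                return "allow"
            return "deny"
        # inbound: reverse the tuple and require an existing entry
        key = (p.dst, p.dport, p.src, p.sport)
        return "allow" if key in self.state else "deny"

    def table(self) -> List[Tuple[str, int, str, int, str]]:
        return [(*k, s) for k, s in self.state.items()]

def demo() -> Tuple[List[str], List[Tuple[str, int, str, int, str]]]:
    fw = StatefulFirewall(allowed_dports=[80, 25])
    # Constructed packet exchange reproducing the first row of Table 1.
    verdicts = [
        fw.process(Packet("192.168.1.100", 1030, "192.0.2.71", 80, syn=True), "out"),
        fw.process(Packet("192.0.2.71", 80, "192.168.1.100", 1030, syn=True, ack=True), "in"),
        fw.process(Packet("192.168.1.100", 1030, "192.0.2.71", 80, ack=True), "out"),
        # unsolicited inbound connection attempt: no state entry, so dropped
        fw.process(Packet("203.0.113.9", 4444, "192.168.1.100", 22, syn=True), "in"),
        # outbound to a port the ruleset does not permit
        fw.process(Packet("192.168.1.100", 1040, "192.0.2.71", 23, syn=True), "out"),
    ]
    return verdicts, fw.table()
```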

3. Circuit-level gateways

Circuit-level gateways analyze TCP (transmission control protocol) communications and other messages related to network protocol sessions between the local and remote hosts to determine whether the session is legitimate and trusted. 

4. Application-level gateways

Application-level gateways, frequently referred to as proxy gateways, function at the network’s application layer. 

An application proxy gateway can perform a range of roles on an infrastructure’s application layer, which is generally referred to as layer 7 in the OSI model. These functions may include address and port translation, distributing resources, software response control, and network synchronizing. An application layer gateway can control application sessions by preventing or eliminating connections when necessary.

For example, to access the WSDL (web service description language), a user needs to enter the endpoint of the virtual service URL in a web browser and add a string (e.g. http://zzz/Gold?wsdl), where http://zzz/ is the proxy gateway’s address and Gold is the virtual service name.

When the proxy gateway executes a user request, the virtual service name used to seek endpoints must be the same as the virtual service name in the request (see figure).

Figure: Overview of a proxy gateway request

Source: IBM (“Learn about proxy gateways”. IBM, March 3, 2021. Retrieved February 5, 2024.)

Read more: Firewalls vs proxy servers, top 10 application security tools.

5. Next-generation firewalls (NGFW)

NGFWs combine classic firewall capabilities with advanced features including deep packet inspection (DPI), intrusion prevention systems (IPS), software awareness, and user-based controls. These characteristics allow NGFWs to control network traffic more precisely compared to traditional firewalls and create application-specific policies.

Read more: NGFW features.

Traditional firewalls vs NGFW: Consider two security agencies at a train station. The first only checks that passengers’ names match the information on their tickets. The second, in addition to verifying that names match the tickets, also inspects what passengers are carrying to ensure they have no harmful or prohibited items. The first agency protects the station from obvious dangers, while the second identifies less obvious ones.

  • A traditional firewall functions like the first agency, blocking or allowing data (the passengers) based on where it is going, whether it is part of an authorized network connection, and where it originates. 
  • An NGFW functions more like the second agency, inspecting data at a higher level to detect and stop threats that may be hidden in normal-looking traffic.

Figure: Next-generation firewalls (NGFW)

Source: CLOUDFLARE (“What is a next-generation firewall (NGFW)?”. CLOUDFLARE, March 3, 2021. Retrieved February 5, 2024.)

For guidance on choosing the right tool or service, check out our data-driven lists of unified threat management (UTM) software.
