Why It's Important to Review Firewall Rules on a Quarterly Basis

Because the threat landscape changes constantly and the number of threats the industry faces keeps growing, firewall security must adapt continuously to address current threats. In response, banks and credit unions should evaluate their security processes and firewall rules on a regular (quarterly) basis.

Why Should You Review

Firewalls have been a part of network security systems, monitoring both outgoing and incoming traffic, for more than 25 years. They serve as the first line of defense, helping to prevent unauthorized access and blocking certain communications based on security settings.

However, just having a firewall in place is not enough. Banks and credit unions are dynamic in nature and are constantly adding new services or changing business processes. Failing to check the firewall configuration and rules regularly exposes the institution to attacks and breaches. Regular reviews help ensure that a weakness in the network's security is found before it can be exploited, and they allow rules to be updated as necessary to keep pace with technology changes or new threats.

For banks, there is an additional regulatory reason to perform quarterly reviews: the FFIEC Cybersecurity Assessment Tool (CAT). The quarterly Firewall Audit serves as a baseline standard, meaning that if you can’t answer “yes,” you will not meet the baseline requirements for the CAT in Domain 3. The quarterly audit is also part of the FFIEC Information Security Booklet.

Where to Start with Quarterly Firewall Rule Evaluations

To better understand how to assess your firewall rules, a few basic areas must be addressed.

First, you should have a solid understanding of how your firewall works and how it is set up. You should also receive firewall reports on a regular basis, and these should be reviewed carefully.

What to Look for in Firewall Rules

Knowing how to review or audit firewall rules can be a challenge. Here are four basic things to start with to help guide the process.

  1. Evaluate your existing firewall’s change management procedures
    This helps ensure that all rule changes made in the past were adequately logged and that the change procedures were followed correctly.
  2. Compare current firewall rules with previous firewall rules
    Comparing rules that were previously in place with those currently in place helps to easily identify any changes; track which changes have been made; and verify whether those changes are necessary. It will also help identify unused or “stale” rules.
  3. Evaluate external IP addresses that are allowed by firewall rules
    Make sure the addresses the firewall allows are still safe and that it still makes sense for your bank or credit union to communicate with them. If some addresses now seem odd or out of place, the rules that allow them should most likely be changed.
  4. Ensure there is still a true business need for open ports
    Firewall rules often contain open ports to allow for external communication. Evaluating open ports to ensure they are still needed is a basic — but important — step. If they are not, the rule can be deleted to avoid unnecessary communication.

While reviews of firewall rules can be done manually, doing so is time consuming and can be costly in terms of operational resources and personnel. Many institutions therefore seek external assistance to simplify and enhance this task. The review cannot be completely outsourced to a third party, however, because it remains the institution's final responsibility to validate the firewall configuration. If you decide to seek third-party assistance with this responsibility, ask for specifics and examples of how the provider helps you meet this regulatory requirement and keep your network secure. A good third-party service provider can save your institution time while ensuring that your organization has the most up-to-date and efficient firewall in place to protect against today's constant threats, and that all compliance and regulatory requirements are met.