About this program
Are your firewall rules documented, reviewed and free of any-any? A 7-question hygiene audit for perimeter + segmentation rules.
Risks addressed
- Critical: Any-any rules allow unintended lateral movement
- Medium: Stale rules accumulate as systems are decommissioned
- Medium: No audit trail of rule changes
- High: Implicit allow at the end of the rule base
Controls (7)
- Rule base reviewed at least annually (High)
  Testing procedure: Inspect last firewall review minutes; confirm owners + decisions documented.
  Evidence to collect: Review report.
- No any-any allow rules (Critical)
  Testing procedure: Filter the rule export for source=any dst=any allow. Expect zero (or documented exceptions).
  Evidence to collect: Rule export + exception register.
- Rules tied to a business owner / ticket (Medium)
  Testing procedure: Spot-check 10 rules; each must reference a ticket + owner.
  Evidence to collect: Rule-to-ticket mapping.
- Unused rules removed quarterly (Medium)
  Testing procedure: Verify hit-counter analysis and removal of rules with zero hits for >90 days.
  Evidence to collect: Rule-usage report.
- Logging enabled on deny + critical allow rules (High)
  Testing procedure: Confirm logging enabled and forwarded to SIEM.
  Evidence to collect: Logging config + SIEM source.
- Segmentation between user and server VLANs (High)
  Testing procedure: Verify ACLs prevent direct user->server traffic except for documented services.
  Evidence to collect: Network diagram + rule export.
- Default-deny posture (Critical)
  Testing procedure: Final rule is default-deny; no implicit allow at the end.
  Evidence to collect: Rule export — last rule.
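The rule-export checks above (any-any allows, stale rules, missing tickets, unlogged denies, default-deny last rule) can be run mechanically against a rule export. The script below is an added example, not part of this audit program; it assumes a constructed vendor-neutral CSV export whose column names (src, dst, action, last_hit, ticket, log) are placeholders to be mapped to the real firewall's export format.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample rule export in a vendor-neutral CSV; the column names are
# assumptions and must be mapped to your firewall's real export format.
RULE_EXPORT = """id,src,dst,service,action,last_hit,ticket,log
1,any,10.20.0.10,tcp/443,allow,2024-05-01,CHG-1001,yes
2,any,any,any,allow,2024-05-02,,no
3,10.10.0.0/24,10.20.0.0/24,tcp/445,allow,2023-09-15,CHG-0877,yes
4,10.10.0.0/24,10.20.0.20,tcp/3389,allow,2024-04-30,,yes
5,any,any,any,deny,2024-05-02,BASE,yes
"""
AS_OF = date(2024, 5, 2)  # constructed audit date for the stale-rule check

def load_rules(text):
    return list(csv.DictReader(io.StringIO(text)))

def any_any_allows(rules):
    # Control: no any-any allow rules (each finding must be in the exception register)
    return [r["id"] for r in rules
            if r["action"] == "allow" and r["src"] == "any" and r["dst"] == "any"]

def stale_rules(rules, as_of=AS_OF, days=90):
    # Control: rules with no hits for more than `days` are removal candidates
    cutoff = as_of - timedelta(days=days)
    return [r["id"] for r in rules
            if not r["last_hit"] or date.fromisoformat(r["last_hit"]) < cutoff]

def rules_without_ticket(rules):
    # Control: every rule references a change ticket / business owner
    return [r["id"] for r in rules if not r["ticket"].strip()]

def unlogged_denies(rules):
    # Control: logging enabled on deny rules (extend to critical allows as needed)
    return [r["id"] for r in rules if r["action"] == "deny" and r["log"] != "yes"]

def has_default_deny(rules):
    # Control: the last rule is an explicit any-any deny, not an implicit allow
    last = rules[-1]
    return last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"

def audit(text, as_of=AS_OF):
    rules = load_rules(text)
    return {"any_any_allows": any_any_allows(rules), "stale_rules": stale_rules(rules, as_of),
            "no_ticket": rules_without_ticket(rules), "unlogged_denies": unlogged_denies(rules),
            "default_deny": has_default_deny(rules)}

if __name__ == "__main__":
    print(audit(RULE_EXPORT))
```

Any id returned by the first four checks needs either remediation or an entry in the exception register; a False from the default-deny check means the rule base ends in an implicit allow.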