Page 163 - Courses

Logical Security: The Network Layer


Firewall Characteristics:

•  Can be hardware, software, or an appliance.
•  May use their own operating system or may reside under an operating system like Windows or Unix.
•  Consist of rules and policies that govern what inbound and outbound network traffic is allowed.
•  May require direct authentication to modify firewall settings.
   •  Passwords are governed by the firewall software.
   •  Access can be granted through a single administrator account or individual IDs.
   •  Authentication can be done through existing network management systems like Active Directory Systems (ADS).
•  Have event logs that track activity that passes through.
•  Are subject to the organization's standard logical access and change controls and documentation requirements.

            Security Risks

Security risks include:
•  Unauthorized access occurs and goes undetected:
   •  A hacker directly accesses the firewall software and/or its operating system.
   •  Vendor-supplied default passwords are not changed.
   •  Event logging is not enabled, or no one reviews the event logs.
•  An incorrect policy or rule is applied:
   •  All policies and rules should be processed through the organization's change process.
   •  Normally, there is no test firewall; therefore, all firewall changes are made directly to production systems.

            Controls

Controls include:
•  Vendor-supplied default account passwords are changed. Each person accessing the system uses his or her own ID. The built-in administrator account is disabled, or processes exist to ensure access to the account's password is restricted.
•  Policies and rules comply with the organization's policies or documented configuration.
•  Changes adhere to the organization's change control process.
•  Systems running a general-purpose operating system (e.g., Windows, UNIX) should be hardened so that only the bare minimum of essential system services, modules, and features is enabled.
•  Access is restricted to a minimal number of users.
•  The individual firewall rules are the controls, not the firewall itself.
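As an added example (not part of the course material), the following Python helper turns the last three controls into a check an auditor could run: it compares a firewall's exported ruleset with the approved, change-controlled baseline and flags undocumented rules, rules that have drifted from their approved definition, any-to-any allow rules, and rules that do not log. The Rule model and both rulesets are constructed sample data; a real export would first have to be parsed into that shape.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One firewall rule as it would be parsed from a config export."""
    name: str
    action: str   # "allow" or "deny"
    src: str      # source network, "any" for unrestricted
    dst: str
    port: str
    log: bool     # whether matches are written to the event log

# Constructed sample: the documented, change-controlled baseline ruleset.
APPROVED = {
    Rule("web-in", "allow", "any", "10.0.1.10", "443", True),
    Rule("ssh-admin", "allow", "10.0.9.0/24", "10.0.1.10", "22", True),
    Rule("default-deny", "deny", "any", "any", "any", True),
}

# Constructed sample: the ruleset actually exported from the production firewall.
ACTUAL = {
    Rule("web-in", "allow", "any", "10.0.1.10", "443", True),
    Rule("ssh-admin", "allow", "any", "10.0.1.10", "22", False),  # drifted: source widened, logging off
    Rule("temp-test", "allow", "any", "any", "any", False),       # never went through change control
    Rule("default-deny", "deny", "any", "any", "any", True),
}

def audit_rules(approved, actual):
    """Compare live rules with the approved baseline; return a list of findings."""
    appr = {r.name: r for r in approved}
    live = {r.name: r for r in actual}
    findings = []
    for name in sorted(live.keys() - appr.keys()):
        findings.append(f"UNDOCUMENTED rule '{name}' is not in the approved baseline")
    for name in sorted(appr.keys() - live.keys()):
        findings.append(f"MISSING approved rule '{name}' is absent from the firewall")
    for name in sorted(appr.keys() & live.keys()):
        if appr[name] != live[name]:
            findings.append(f"DRIFT rule '{name}' differs from its approved definition")
    # Attribute checks on every live rule, whether documented or not.
    for r in sorted(actual, key=lambda r: r.name):
        if r.action == "allow" and (r.src, r.dst, r.port) == ("any", "any", "any"):
            findings.append(f"PERMISSIVE rule '{r.name}' allows any source to any destination on all ports")
        if not r.log:
            findings.append(f"NO-LOG rule '{r.name}' does not log matches")
    return findings

if __name__ == "__main__":
    for f in audit_rules(APPROVED, ACTUAL):
        print(f)
```

Because the approved baseline is the record of what change control authorized, every finding maps directly to one of the controls above: an undocumented or drifted rule is a change-control failure, and a rule without logging defeats the event-log review.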

            Suggested Audit Procedures

            Suggested audit procedures include:

            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.