SOC2-CC6-FIREWALL

Firewall and Network Security

Control type: preventive | Effectiveness: high | Cadence: Quarterly

What this control does

Firewall rules and network monitoring controls that restrict unauthorized network traffic into and between systems.

Implementation guidance

Define and enforce a default-deny firewall posture. All security group/firewall rules must be version-controlled as infrastructure-as-code (IaC). Review and prune unused rules quarterly. Enable VPC flow logs or an equivalent for traffic visibility. Block all inbound management ports (SSH 22, RDP 3389) except from VPN/bastion sources.

Requirements satisfied

CC6.6

Why it matters

Weak or misconfigured firewall rules expose systems to unauthorized network access, lateral movement, and data exfiltration. Default-allow postures and orphaned rules create attack surface that adversaries exploit to bypass network segmentation and reach sensitive resources without detection.

Evidence to collect

  • Firewall rule inventory with version control commits (CloudFormation/Terraform state, Git history showing approval dates and changes)
  • VPC flow logs sample (24-48 hour window showing dropped and allowed traffic with source/destination IPs and ports)
  • Network security group audit report showing last review date and rules pruned in past 90 days
  • Screenshots of firewall management console showing default-deny rules, management port restrictions, and approved exception justifications

Testing procedure

Auditor obtains current firewall ruleset and validates: (1) all rules are documented in IaC with change history; (2) inbound rules default to deny with explicit allow-list only for business-required ports; (3) SSH (22) and RDP (3389) restricted to named bastion/VPN IP ranges or security groups with MFA enforcement; (4) VPC/network flow logs are enabled and contain deny decisions; (5) dated records show quarterly rule reviews with documented removal of unused rules.

Common gotchas

Teams frequently create overly permissive rules ("allow 0.0.0.0/0") during troubleshooting and forget to revert them, turning temporary access into persistent risk. Many organizations version control application code but NOT infrastructure-as-code firewall rules, making rule provenance and approval trails unauditable.
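An added Python example, not part of this control catalog, that applies testing-procedure checks (2), (3) and (5) and the "allow 0.0.0.0/0" gotcha above to a constructed inbound ruleset. The approved bastion/VPN ranges, the exception ticket field and the review dates are assumptions for illustration.

```python
from datetime import date
from ipaddress import ip_network

MANAGEMENT_PORTS = {22, 3389}
REVIEW_WINDOW_DAYS = 90
# Hypothetical bastion/VPN source ranges approved for management access.
APPROVED_MGMT_SOURCES = [ip_network("10.20.0.0/24"), ip_network("10.30.1.0/24")]

# Constructed sample ruleset in a Terraform-like shape (not real infrastructure).
SAMPLE_RULES = [
    {"name": "web-https", "port": 443, "cidr": "0.0.0.0/0", "ticket": "CHG-101", "reviewed": "2024-03-01"},
    {"name": "ssh-bastion", "port": 22, "cidr": "10.20.0.0/24", "ticket": "CHG-102", "reviewed": "2024-03-01"},
    {"name": "rdp-troubleshoot", "port": 3389, "cidr": "0.0.0.0/0", "ticket": None, "reviewed": "2024-03-01"},
    {"name": "all-open", "port": "all", "cidr": "0.0.0.0/0", "ticket": "CHG-103", "reviewed": "2023-10-01"},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0: a /0 prefix matches every source address."""
    return ip_network(cidr).prefixlen == 0


def source_is_approved(cidr):
    """True when the source range lies entirely inside an approved bastion/VPN range."""
    net = ip_network(cidr)
    return any(net.version == a.version and net.subnet_of(a) for a in APPROVED_MGMT_SOURCES)


def audit_rules(rules, as_of_iso):
    """Return (rule name, finding) pairs for every inbound rule that violates the control."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for r in rules:
        port, cidr = r["port"], r["cidr"]
        if port == "all" and is_world_open(cidr):
            findings.append((r["name"], "default-allow: every port open to the world"))
        if port in MANAGEMENT_PORTS and not source_is_approved(cidr):
            findings.append((r["name"], f"management port {port} not limited to bastion/VPN ranges"))
        if is_world_open(cidr) and not r.get("ticket"):
            findings.append((r["name"], "world-open rule with no approved exception ticket"))
        if (as_of - date.fromisoformat(r["reviewed"])).days > REVIEW_WINDOW_DAYS:
            findings.append((r["name"], "rule not reviewed within the quarterly window"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES, "2024-04-01"):
        print(f"{name}: {finding}")
```

Run against a real export, each finding maps to a line of the auditor's checklist, and a clean run is the evidence the quarterly review is meant to produce.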