Compliance Standards Integration#
Overview#
opnDossier integrates industry-standard security compliance frameworks to provide comprehensive blue team audit reports. The system supports STIG (Security Technical Implementation Guide), SANS Firewall Checklist, and Firewall Security Controls (independently developed cybersecurity best practices) for firewall security assessment.
Status#
Audit mode is implemented but has known issues with finding aggregation and display. See #266 for details.
Three-State Check Pattern#
Firewall compliance checks use a three-state checkResult pattern:
| State | Meaning | Audit Behavior |
|---|---|---|
| Compliant (Known=true, Result=pass) | The check passed | No finding emitted |
| Non-Compliant (Known=true, Result=fail) | The check failed | Finding emitted with remediation guidance |
| Unknown (Known=false) | Data not available in config.xml | Check skipped entirely |
The "Unknown" state prevents false positives. Some settings (e.g., SSH banners, MOTD) are OS-level configurations stored outside config.xml and cannot be assessed from the exported configuration alone. When a check returns Unknown, opnDossier reports no finding rather than guessing.
Supported Standards#
STIG (Security Technical Implementation Guide)#
STIGs are cybersecurity methodologies for standardizing security configuration within networks, servers, computers, and logical designs to enhance overall security. opnDossier implements the DISA Firewall Security Requirements Guide controls listed below.
Implemented STIG Controls#
| Control ID | Title | Severity | Category | Status |
|---|---|---|---|---|
| V-206694 | Firewall must deny network communications traffic by default | High | Default Deny Policy | Implemented |
| V-206674 | Firewall must use packet headers and attributes for filtering | High | Packet Filtering | Implemented |
| V-206690 | Firewall must disable unnecessary network services | Medium | Service Hardening | Implemented |
| V-206682 | Firewall must generate comprehensive traffic logs | Medium | Logging | Implemented |
SANS Firewall Checklist#
The SANS SCORE Firewall Checklist (prepared by Krishni Naidu) is a practical security audit checklist containing 24 numbered security elements for firewall configuration and management. It covers ruleset management, application-layer controls, logging, patching, DMZ architecture, anti-spoofing, port security, remote access, traffic filtering, and availability.
The current SANS plugin defines 4 controls with placeholder check logic. The checklist has been fully analyzed and 16 additional controls are planned for implementation, covering the complete SANS checklist.
Implemented SANS Controls#
| Control ID | SANS # | Category | Title | Severity | Status |
|---|---|---|---|---|---|
| SANS-FW-001 | 1, 9 | Access Control | Default Deny Policy | High | Placeholder |
| SANS-FW-002 | 1 | Rule Management | Explicit Rule Configuration | Medium | Placeholder |
| SANS-FW-003 | 6 | Network Segmentation | Network Zone Separation | High | Placeholder |
| SANS-FW-004 | 4 | Logging and Monitoring | Comprehensive Logging | Medium | Placeholder |
Planned SANS Controls#
The following controls map to specific SANS SCORE Firewall Checklist items and are planned for implementation. "Implementability" indicates whether the control can be evaluated from config.xml data alone.
Ruleset and Filtering (SANS Checklist #1, #2, #3)#
| Control ID | SANS # | Title | Severity | Implementability | Description |
|---|---|---|---|---|---|
| SANS-FW-005 | 1 | Ruleset Ordering | High | Full | Verify rules follow correct processing order: anti-spoofing filters, user permit rules, management permits, deny-and-log |
| SANS-FW-006 | 2 | Application Layer Filtering | Medium | Partial | Check for application-layer controls: proxy plugins, URL filtering, content inspection |
| SANS-FW-007 | 3 | Stateful Inspection | High | Full | Verify stateful inspection is enabled (StateType field), check state timeouts are not excessively long |
Maintenance and Compliance (SANS Checklist #5, #7, #8)#
| Control ID | SANS # | Title | Severity | Implementability | Description |
|---|---|---|---|---|---|
| SANS-FW-008 | 5 | Firmware Currency | High | Partial | Check device firmware version against known current versions; verify update mirror uses HTTPS |
| SANS-FW-010 | 7 | Vulnerability Testing Procedure | Medium | Advisory only | Advisory: verify that open port testing and ruleset validation procedures are documented |
| SANS-FW-011 | 8 | Security Policy Compliance | High | Advisory only | Advisory: verify ruleset compliance with organizational security policy |
Anti-Spoofing and Traffic Validation (SANS Checklist #9, #10, #18)#
| Control ID | SANS # | Title | Severity | Implementability | Description |
|---|---|---|---|---|---|
| SANS-FW-012 | 9 | Anti-Spoofing / Bogon Filtering | Critical | Full | Block RFC 1918, bogon, broadcast, and illegal addresses on WAN interfaces; check BlockPrivate and BlockBogons flags |
| SANS-FW-013 | 10 | Source Routing Prevention | High | Full | Verify net.inet.ip.sourceroute=0 and net.inet.ip.accept_sourceroute=0 in system tunables |
| SANS-FW-021 | 18 | Egress Filtering | High | Full | Verify outbound rules restrict source addresses to internal network ranges; flag rules allowing non-internal source IPs out |
Port and Service Filtering (SANS Checklist #11, #12, #14, #15, #17)#
| Control ID | SANS # | Title | Severity | Implementability | Description |
|---|---|---|---|---|---|
| SANS-FW-014 | 11 | Dangerous Service Port Blocking | High | Full | Scan WAN pass rules for dangerous ports: NetBIOS (135-139, 445), SNMP (161-162), NFS (2049), X11 (6000-6255), Telnet (23) |
| SANS-FW-015 | 12 | Secure Remote Access | High | Full | Verify SSH is used instead of Telnet; check for Telnet-related pass rules on WAN; verify System.SSH.Enabled |
| SANS-FW-017 | 14 | Mail Traffic Restriction | Medium | Full | Check SMTP (TCP 25) and submission (TCP 587) pass rules target specific mail relay IPs, not "any" destination |
| SANS-FW-018 | 15 | ICMP Filtering | Medium | Full | Verify ICMP echo requests blocked on WAN; check for type-specific ICMP rules |
| SANS-FW-020 | 17 | DNS Zone Transfer Restriction | High | Full | Verify TCP 53 pass rules on WAN are restricted to authorized secondary DNS server IPs, not "any" source |
Network Architecture (SANS Checklist #6, #13, #16)#
| Control ID | SANS # | Title | Severity | Implementability | Description |
|---|---|---|---|---|---|
| SANS-FW-009 | 6 | DMZ Configuration | High | Full | Check for DMZ interface existence; verify rules enforce DMZ-to-WAN and DMZ-to-LAN segmentation |
| SANS-FW-016 | 13 | FTP Server Isolation | Medium | Partial | Check that FTP-related (TCP 21) pass rules route to DMZ/separate interface, not internal network |
| SANS-FW-019 | 16 | NAT / IP Masquerading | High | Full | Verify outbound NAT configured on WAN; check NATConfig.OutboundMode; ensure internal IPs are not exposed externally |
Server Protection and Availability (SANS Checklist #19, #22, #23, #24)#
| Control ID | SANS # | Title | Severity | Implementability | Description |
|---|---|---|---|---|---|
| SANS-FW-022 | 19 | Critical Server Protection | High | Partial | Check for explicit deny rules protecting internal server IPs from WAN; flag any rules allowing direct WAN-to-LAN access |
| SANS-FW-023 | 22 | Default Credential Reset | Critical | Partial | Check Users for default/well-known usernames (admin, root); cannot verify password change from config alone |
| SANS-FW-024 | 23 | TCP State Enforcement | High | Full | Verify stateful inspection (keep state) is used on TCP rules rather than stateless filtering |
| SANS-FW-025 | 24 | Firewall High Availability | Medium | Full | Check for CARP/HA configuration in HighAvailability; verify pfsync peer and synchronization settings |
SANS Checklist Items Not Applicable to Config Audit#
The following SANS checklist items are procedural or endpoint-focused and cannot be evaluated from a single device configuration export:
| SANS # | Title | Reason |
|---|---|---|
| 20 | Personal Firewalls | Endpoint security — not a network firewall configuration control |
| 21 | Distributed Firewall Policy | Multi-device policy distribution — requires enterprise architecture |
Firewall Security Controls#
Firewall security controls provide comprehensive security guidance designed for OPNsense and pfSense firewalls, based on general cybersecurity best practices for network firewall security. They are independently developed by EvilBit Labs and draw from industry frameworks including NIST SP 800-41, PCI DSS Requirement 1, CIS Benchmarks, and NSA/CISA network infrastructure guidance.
See the Firewall Security Controls Reference for detailed per-control documentation.
Implemented Firewall Security Controls#
| Control ID | Category | Title | Severity | Status |
|---|---|---|---|---|
| FIREWALL-001 | SSH Security | SSH Warning Banner Configuration | Medium | Unknown |
| FIREWALL-002 | Backup and Recovery | Auto Configuration Backup | Medium | Implemented |
| FIREWALL-003 | System Configuration | Message of the Day | Low | Unknown |
| FIREWALL-004 | System Configuration | Hostname Configuration | Low | Implemented |
| FIREWALL-005 | Network Configuration | DNS Server Configuration | Medium | Implemented |
| FIREWALL-006 | Network Configuration | IPv6 Disablement | Medium | Implemented |
| FIREWALL-007 | DNS Security | DNS Rebind Check | Low | Unknown |
| FIREWALL-008 | Management Access | HTTPS Web Management | High | Implemented |
Status key:
- Implemented - Check logic evaluates config.xml data and produces compliant/non-compliant results
- Unknown - Control is defined but the required data is not available in config.xml (OS-level or model gap); the check always returns Unknown and no finding is emitted
- Placeholder - Control is defined with placeholder check logic that always returns compliant; real analysis will be added in a future release
Planned Firewall Security Controls#
The following controls are organized by security domain and represent the full planned expansion of the firewall plugin. Controls are sourced from NIST SP 800-41, PCI DSS v4.0 Requirement 1, CIS Benchmarks, NSA/CISA guidance, and OPNsense/pfSense-specific best practices.
Management Plane Security#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-009 | Non-Default Web GUI Port | Low | Full | Web GUI port changed from default 443 to reduce automated scanning risk |
| FIREWALL-010 | Management Interface Restriction | High | Partial | Web GUI bound to specific interfaces, not all interfaces |
| FIREWALL-011 | TLS Version Minimum | High | Partial | Web GUI TLS minimum version >= 1.2; no SSLv3/TLS 1.0/1.1 |
| FIREWALL-012 | Anti-Lockout Rule Awareness | Low | Partial | Anti-lockout rule status is explicitly configured and intentional |
| FIREWALL-013 | Session Timeout | Medium | Partial | Web GUI idle session timeout configured (<= 30 minutes recommended) |
| FIREWALL-014 | Console Menu Protection | Medium | Full | Serial/console access password-protected (DisableConsoleMenu) |
| FIREWALL-015 | Login Protection / Brute Force | Medium | Partial | Web GUI login protection enabled with rate limiting on authentication failures |
Authentication and Access Control#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-016 | Default Credential Reset | Critical | Partial | Default admin password changed; check for known default username patterns |
| FIREWALL-017 | Unique Administrator Accounts | Medium | Full | Each administrator has a unique named account; shared "admin" usage flagged |
| FIREWALL-018 | Least Privilege Access | Medium | Full | Users assigned minimum necessary privileges; flag users with page-all or overly broad permissions |
| FIREWALL-019 | Centralized Authentication | Medium | Full | LDAP/RADIUS configured for admin authentication (System.AuthServer) |
| FIREWALL-020 | Disabled Unused Accounts | Medium | Full | Unused or default accounts are disabled; flag active accounts with no recent purpose |
| FIREWALL-021 | Group-Based Privileges | Low | Full | Privileges assigned via groups rather than per-user for consistent access control |
Firewall Rule Hygiene#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-022 | No "Any-Any" Pass Rules | High | Full | No rules with source=any, destination=any, port=any, protocol=any |
| FIREWALL-023 | No "Any" Source on WAN Inbound | High | Full | Inbound WAN pass rules have specific source restrictions where possible |
| FIREWALL-024 | Specific Port Rules | Medium | Full | Rules specify exact ports/services, not "any" port with TCP/UDP |
| FIREWALL-025 | Rule Documentation | Medium | Full | Every firewall rule has a non-empty description (descr field) |
| FIREWALL-026 | Disabled Rule Cleanup | Low | Full | Flag excessive disabled rules (threshold: >10) indicating stale configuration |
| FIREWALL-027 | Protocol Specification | Medium | Full | Pass rules specify protocol (TCP, UDP, ICMP), not "any" |
| FIREWALL-028 | Pass Rule Logging | Medium | Full | Critical pass rules have logging enabled for security monitoring |
Network Segmentation#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-029 | Private Address Filtering on WAN | Critical | Full | BlockPrivate enabled on WAN interface to block RFC 1918 addresses |
| FIREWALL-030 | Bogon Filtering on WAN | Critical | Full | BlockBogons enabled on WAN interface to block unallocated/reserved addresses |
| FIREWALL-031 | Unused Interface Disablement | Low | Full | Interfaces not in use are administratively disabled |
| FIREWALL-032 | VLAN Segmentation | Medium | Full | VLANs configured for network segmentation where multiple security zones exist |
Anti-Spoofing and Traffic Validation#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-033 | Source Route Rejection | High | Full | IP source routing disabled via net.inet.ip.sourceroute=0 in system tunables |
| FIREWALL-034 | SYN Flood Protection | Medium | Full | SYN cookies enabled via net.inet.tcp.syncookies=1 in system tunables |
| FIREWALL-035 | Connection State Limits | Medium | Full | Maximum state table entries configured (System.MaximumStates) |
Encryption and TLS#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-036 | Valid Web GUI Certificate | Medium | Partial | Web GUI uses a valid (non-self-signed or internally-trusted CA) certificate |
| FIREWALL-037 | Certificate Expiration | Medium | Full | No certificates expired or expiring within 30 days |
| FIREWALL-038 | Strong Key Lengths | Medium | Full | RSA keys >= 2048 bits, EC keys >= 256 bits across all configured certificates |
Logging and Monitoring#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-039 | Remote Syslog Configured | High | Full | Logs forwarded to remote syslog/SIEM server (Syslog.RemoteServer non-empty) |
| FIREWALL-040 | Authentication Event Logging | Medium | Full | Auth logging enabled (Syslog.AuthLogging) |
| FIREWALL-041 | Firewall Filter Logging | Medium | Full | Firewall filter logging enabled (Syslog.FilterLogging) |
| FIREWALL-042 | Log Retention Configuration | Low | Full | Local log rotation and size limits configured (Syslog.LogFileSize, Syslog.RotateCount) |
Time Synchronization#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-043 | NTP Configuration | Medium | Full | At least 2 NTP time sources configured in System.TimeServers |
| FIREWALL-044 | Timezone Configuration | Low | Full | System timezone explicitly set (not empty/default) |
SNMP Security#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-045 | SNMP Disabled if Unused | Medium | Full | SNMP service disabled if ROCommunity is empty and no operational need |
| FIREWALL-046 | No Default Community Strings | High | Full | SNMP community strings changed from well-known defaults ("public", "private") |
VPN Configuration#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-047 | Strong VPN Encryption | High | Full | VPN tunnels use AES-256-GCM or AES-128-GCM; no DES, 3DES, or Blowfish |
| FIREWALL-048 | Strong VPN Integrity | High | Full | VPN uses SHA-256+ for integrity; no MD5 or SHA-1 |
| FIREWALL-049 | Perfect Forward Secrecy | High | Full | PFS enabled on all IPsec Phase 2 tunnels (PFSGroup is set, not "off") |
| FIREWALL-050 | VPN Key Lifetime | Medium | Full | IKE Phase 1 lifetime <= 28800s, Phase 2 lifetime <= 3600s |
| FIREWALL-051 | No IKEv1 Aggressive Mode | High | Full | IKEv1 aggressive mode disabled; use main mode or IKEv2 |
| FIREWALL-052 | IKEv2 Preferred | Medium | Full | IKEv2 used instead of IKEv1 where possible (IKEType = "ikev2") |
| FIREWALL-053 | Dead Peer Detection | Medium | Full | DPD enabled on IPsec Phase 1 tunnels (DPDDelay, DPDMaxFail) |
NAT Security#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-054 | Documented Port Forwards | Medium | Full | Every inbound NAT rule has a non-empty description |
| FIREWALL-055 | Outbound NAT Control | Medium | Full | Outbound NAT mode is "Hybrid" or "Manual", not "Automatic" for production environments |
| FIREWALL-056 | NAT Reflection Disabled | Low | Full | NAT reflection (hairpin NAT) disabled unless explicitly required (System.DisableNATReflection) |
Service Hardening#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-057 | UPnP/NAT-PMP Disabled | High | Partial | UPnP and NAT-PMP disabled (automatic port forwarding is a security risk) |
| FIREWALL-058 | DNSSEC Validation | Medium | Full | Unbound DNS resolver has DNSSEC validation enabled (DNS.Unbound.DNSSEC) |
| FIREWALL-059 | DNS Resolver Access Restriction | Medium | Partial | DNS resolver serves only internal networks, not WAN-facing |
Change Management and Backup#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-060 | Configuration Revision Tracking | Low | Full | Configuration change history and revision tracking enabled |
High Availability#
| Control ID | Title | Severity | Implementability | Description |
|---|---|---|---|---|
| FIREWALL-061 | HA Configuration | Medium | Full | CARP/pfsync HA peer and synchronization properly configured when HA is in use |
Implementation Details#
Plugin Architecture#
Compliance checking is implemented via the plugin system in internal/compliance/ and internal/plugins/:
- `internal/compliance/interfaces.go` - Defines the `Plugin` interface, `Control`, and `Finding` types
- `internal/audit/plugin.go` - Plugin registry for dynamic plugin loading
- `internal/audit/plugin_manager.go` - Plugin lifecycle management
- `internal/plugins/stig/` - STIG compliance plugin
- `internal/plugins/sans/` - SANS compliance plugin
- `internal/plugins/firewall/` - Firewall security compliance plugin
Each plugin implements the compliance.Plugin interface:
```go
type Plugin interface {
	Name() string
	Version() string
	Description() string
	RunChecks(device *common.CommonDevice) []Finding
	GetControls() []Control
	GetControlByID(id string) (*Control, error)
	ValidateConfiguration() error
}
```
Compliance Checks#
The audit engine performs the following checks per plugin:
STIG Compliance Checks#
- Default Deny Policy (V-206694) - Looks for explicit block/reject rules in the rule set and checks that no any/any pass rules override them. If no rules exist, assumes default deny (conservative approach).
- Packet Filtering (V-206674) - Scans pass rules for overly broad source/destination addresses (any, 0.0.0.0/0, ::/0, RFC 1918 ranges) and flags rules without specific port restrictions.
- Service Hardening (V-206690) - Checks for SNMP with community strings, Unbound DNS with DNSSEC stripping, more than 2 DHCP interfaces, and configured load balancer services.
- Logging Configuration (V-206682) - Analyzes syslog configuration for system and auth logging. Returns comprehensive, partial, not-configured, or unable-to-determine status. Finds non-compliant when syslog is disabled, logging is only partial, or logging status cannot be determined (e.g., rules exist but syslog is not configured).
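The following is an added example, not the project's STIG plugin code, showing how the V-206694 and V-206674 logic described above can be expressed over a rule set. The `Rule` type, the `rfc1918` table and `sampleRules` are constructed for this example (assumed shapes, not opnDossier's real rule model); "any/any" means unrestricted source, destination and port, and "overly broad" additionally covers any prefix that spans a whole RFC 1918 range, following the bullet text.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Rule is a constructed subset of a firewall rule as read from config.xml (assumed
// shape). Type is pass/block/reject; Source and Destination are "any", a CIDR or a
// host; DestPort "" or "any" means no port restriction.
type Rule struct{ Type, Interface, Protocol, Source, Destination, DestPort, Descr string }

var rfc1918 = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

// isAny reports whether a field is unrestricted ("" or "any").
func isAny(s string) bool { return s == "" || strings.EqualFold(s, "any") }

// isUnrestricted matches the "everything" address forms: any, 0.0.0.0/0, ::/0.
func isUnrestricted(a string) bool { return isAny(a) || a == "0.0.0.0/0" || a == "::/0" }

// isBroad extends isUnrestricted to prefixes that cover an entire RFC 1918 range.
func isBroad(addr string) bool {
	if isUnrestricted(addr) {
		return true
	}
	p, err := netip.ParsePrefix(strings.TrimSpace(addr))
	if err != nil {
		return false // single host or alias name: not broad by itself
	}
	for _, r := range rfc1918 {
		if p.Bits() <= r.Bits() && p.Contains(r.Addr()) {
			return true
		}
	}
	return false
}

// CheckDefaultDeny follows the V-206694 logic: explicit block/reject rules must
// exist and no any/any pass rule may override them. An empty rule set is treated
// as default deny (the conservative assumption).
func CheckDefaultDeny(rules []Rule) (compliant bool, reasons []string) {
	if len(rules) == 0 {
		return true, nil
	}
	explicitDeny := false
	for _, r := range rules {
		switch strings.ToLower(r.Type) {
		case "block", "reject":
			explicitDeny = true
		case "pass":
			if isUnrestricted(r.Source) && isUnrestricted(r.Destination) && isAny(r.DestPort) {
				reasons = append(reasons, fmt.Sprintf("%s: any/any pass rule %q overrides default deny", r.Interface, r.Descr))
			}
		}
	}
	if !explicitDeny {
		reasons = append(reasons, "no explicit block/reject rules in rule set")
	}
	return len(reasons) == 0, reasons
}

// CheckPacketFiltering follows V-206674: pass rules with broad source and
// destination, or TCP/UDP pass rules without a port restriction, are flagged.
func CheckPacketFiltering(rules []Rule) []string {
	var issues []string
	for _, r := range rules {
		if !strings.EqualFold(r.Type, "pass") {
			continue
		}
		if isBroad(r.Source) && isBroad(r.Destination) {
			issues = append(issues, fmt.Sprintf("%s: rule %q allows %s -> %s", r.Interface, r.Descr, r.Source, r.Destination))
		}
		proto := strings.ToLower(r.Protocol)
		if (isAny(proto) || proto == "tcp" || proto == "udp") && isAny(r.DestPort) {
			issues = append(issues, fmt.Sprintf("%s: rule %q has no port restriction", r.Interface, r.Descr))
		}
	}
	return issues
}

// sampleRules is a constructed rule set mixing sound and overly broad rules.
var sampleRules = []Rule{
	{"pass", "wan", "tcp", "203.0.113.0/24", "192.168.1.10", "443", "partner HTTPS"},
	{"pass", "wan", "any", "any", "any", "any", "temporary debug rule"},
	{"pass", "lan", "udp", "192.168.1.0/24", "192.168.1.1", "53", "LAN DNS"},
	{"pass", "lan", "tcp", "10.0.0.0/8", "any", "", "all private to anywhere"},
	{"block", "wan", "any", "any", "any", "", "default block"},
}

func main() {
	ok, reasons := CheckDefaultDeny(sampleRules)
	fmt.Println("V-206694 compliant:", ok, reasons)
	fmt.Println("V-206674 issues:", CheckPacketFiltering(sampleRules))
}
```

Against `sampleRules`, V-206694 is non-compliant because of the single any/any debug rule (the explicit block is present), and V-206674 raises four issues: two for the debug rule and two for the 10.0.0.0/8-to-any rule without a port. The RFC 1918 test deliberately uses prefix length plus containment rather than string comparison, so a rule written as 10.0.0.0/7 is still recognised as covering the whole 10/8 block.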
SANS Compliance Checks#
All four SANS checks currently use placeholder logic:
- Default Deny Policy (SANS-FW-001) - Placeholder: always returns compliant
- Explicit Rule Configuration (SANS-FW-002) - Placeholder: always returns compliant
- Network Zone Separation (SANS-FW-003) - Placeholder: always returns compliant
- Comprehensive Logging (SANS-FW-004) - Placeholder: always returns compliant
Firewall Security Compliance Checks#
- SSH Warning Banner (FIREWALL-001) - Always returns Unknown. SSH banners are OS-level configs (`/etc/ssh/sshd_config`) not present in config.xml.
- Auto Configuration Backup (FIREWALL-002) - Checks the `Packages` list and `Firmware.Plugins` string for the `os-acb` package.
- Message of the Day (FIREWALL-003) - Always returns Unknown. MOTD is an OS-level file (`/etc/motd`) not present in config.xml.
- Hostname Configuration (FIREWALL-004) - Checks the device hostname against known defaults (`opnsense`, `pfsense`, `firewall`, `localhost`). Empty hostnames are also flagged.
- DNS Server Configuration (FIREWALL-005) - Checks whether `System.DNSServers` is non-empty.
- IPv6 Disablement (FIREWALL-006) - Checks `System.IPv6Allow`. Finding emitted when IPv6 is enabled.
- DNS Rebind Check (FIREWALL-007) - Always returns Unknown. The CommonDevice model does not yet expose this setting (tracked in #296).
- HTTPS Web Management (FIREWALL-008) - Checks `System.WebGUI.Protocol` for case-insensitive match against "https".
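As an added example (not code from the opnDossier project), the plugin below satisfies the `Plugin` interface shown under Plugin Architecture and uses the three-state `checkResult` pattern from the top of this page to drive three of the checks just listed: FIREWALL-001 (always Unknown), FIREWALL-004 (hostname defaults) and FIREWALL-008 (case-insensitive HTTPS). `Control`, `Finding`, `checkResult`, the helper names and the remediation strings are simplified stand-ins and assumptions; the page's `common.CommonDevice` is replaced by a local struct holding only the two fields these checks read.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Plugin mirrors the interface shown above; Control, Finding and CommonDevice
// are simplified stand-ins (assumed shapes, not the project's real types).
type Plugin interface {
	Name() string
	Version() string
	Description() string
	RunChecks(device *CommonDevice) []Finding
	GetControls() []Control
	GetControlByID(id string) (*Control, error)
	ValidateConfiguration() error
}
type Control struct{ ID, Title, Severity, Remediation string }
type Finding struct{ ControlID, Title, Severity, Description, Recommendation string }
type CommonDevice struct{ Hostname, WebGUIProtocol string } // constructed subset of config.xml data

// checkResult is the three-state pattern: Known=false means the data is not in
// config.xml, so the check is skipped rather than guessed at.
type checkResult struct{ Known, Passed bool; Detail string }
func unknown() checkResult           { return checkResult{} }
func pass() checkResult              { return checkResult{Known: true, Passed: true} }
func fail(detail string) checkResult { return checkResult{Known: true, Detail: detail} }
type checkFunc func(d *CommonDevice) checkResult
var defaultHostnames = map[string]bool{"opnsense": true, "pfsense": true, "firewall": true, "localhost": true}

// FIREWALL-001: sshd_config lives outside config.xml, so the result is always Unknown.
func checkSSHBanner(*CommonDevice) checkResult { return unknown() }
// FIREWALL-004: empty or well-known default hostnames are flagged.
func checkHostname(d *CommonDevice) checkResult {
	if h := strings.ToLower(strings.TrimSpace(d.Hostname)); h == "" || defaultHostnames[h] {
		return fail(fmt.Sprintf("hostname %q is empty or a well-known default", d.Hostname))
	}
	return pass()
}
// FIREWALL-008: case-insensitive match of the web GUI protocol against "https".
func checkHTTPS(d *CommonDevice) checkResult {
	if !strings.EqualFold(d.WebGUIProtocol, "https") {
		return fail(fmt.Sprintf("web GUI protocol is %q, not https", d.WebGUIProtocol))
	}
	return pass()
}

// FirewallPlugin keys its check table by control ID so RunChecks can copy the
// control's Severity onto each finding it emits.
type FirewallPlugin struct {
	controls []Control
	checks   map[string]checkFunc
}

func NewFirewallPlugin() *FirewallPlugin {
	return &FirewallPlugin{
		controls: []Control{
			{"FIREWALL-001", "SSH Warning Banner Configuration", "medium", "Set Banner in sshd_config"},
			{"FIREWALL-004", "Hostname Configuration", "low", "Set a unique, descriptive hostname"},
			{"FIREWALL-008", "HTTPS Web Management", "high", "Switch the web GUI to HTTPS"},
		},
		checks: map[string]checkFunc{"FIREWALL-001": checkSSHBanner, "FIREWALL-004": checkHostname, "FIREWALL-008": checkHTTPS},
	}
}

func (p *FirewallPlugin) Name() string           { return "firewall-example" }
func (p *FirewallPlugin) Version() string        { return "0.1.0" }
func (p *FirewallPlugin) Description() string    { return "Example firewall security checks" }
func (p *FirewallPlugin) GetControls() []Control { return p.controls }
func (p *FirewallPlugin) GetControlByID(id string) (*Control, error) {
	for i := range p.controls {
		if p.controls[i].ID == id {
			return &p.controls[i], nil
		}
	}
	return nil, errors.New("unknown control " + id)
}

// ValidateConfiguration ensures every declared control has a registered check.
func (p *FirewallPlugin) ValidateConfiguration() error {
	for _, c := range p.controls {
		if p.checks[c.ID] == nil {
			return errors.New("no check registered for " + c.ID)
		}
	}
	return nil
}

// RunChecks emits a finding only when Known && !Passed; Unknown is skipped entirely.
func (p *FirewallPlugin) RunChecks(device *CommonDevice) []Finding {
	var findings []Finding
	for _, c := range p.controls {
		if r := p.checks[c.ID](device); r.Known && !r.Passed {
			findings = append(findings, Finding{c.ID, c.Title, c.Severity, r.Detail, c.Remediation})
		}
	}
	return findings
}

var _ Plugin = (*FirewallPlugin)(nil) // compile-time interface conformance
```

Running `NewFirewallPlugin().RunChecks(&CommonDevice{Hostname: "OPNsense", WebGUIProtocol: "http"})` yields two findings (FIREWALL-004 at low, FIREWALL-008 at high) and nothing for FIREWALL-001, because an Unknown result never becomes a finding. Keying the check table by control ID is what lets the finding carry the control's Severity without a second lookup, which is the property the Finding to Control Mapping section relies on for severity tallies.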
Blue Team Reports#
When audit mode is working correctly (#266), the blue team report provides:
- Executive Summary with compliance metrics
- Findings by Severity with control references
- STIG Compliance Details with status matrix
- SANS Compliance Details with status matrix
- Firewall Security Compliance Details with status matrix
- Security Recommendations mapped to controls
- Compliance Roadmap for remediation
- Risk Assessment based on findings
Report Sections#
Executive Summary#
- Total findings count
- Severity breakdown
- Compliance status summary across all standards
Critical/High Findings#
- Detailed findings with control references
- Specific remediation guidance
- STIG/SANS/Firewall control mappings
Compliance Details#
- Control-by-control status for each standard
- Compliance matrices
- Risk assessments
Recommendations#
- Prioritized action items
- Control-specific guidance
- Implementation roadmap
Compliance Mapping#
Finding to Control Mapping#
Each plugin maps its findings to the relevant compliance controls using the Finding type from internal/compliance/interfaces.go. Findings include description, recommendation, and component references. Each finding carries a Severity field copied from its originating control, enabling the audit engine to accurately tally findings by severity level (critical, high, medium, low).
Cross-Standard Coverage#
Many controls overlap across standards. The following matrix shows where STIG, SANS, and Firewall controls address the same security concern:
| Security Concern | STIG | SANS | Firewall |
|---|---|---|---|
| Default deny policy | V-206694 | SANS-FW-001 | FIREWALL-022 |
| Specific packet filtering | V-206674 | SANS-FW-002 | FIREWALL-024 |
| Unnecessary services | V-206690 | — | FIREWALL-057 |
| Comprehensive logging | V-206682 | SANS-FW-004 | FIREWALL-039 |
| Anti-spoofing / bogons | — | SANS-FW-012 | FIREWALL-029 |
| HTTPS management | — | — | FIREWALL-008 |
| Strong VPN encryption | — | — | FIREWALL-047 |
| Default credentials | — | SANS-FW-023 | FIREWALL-016 |
| High availability | — | SANS-FW-025 | FIREWALL-061 |
| NAT / IP masquerading | — | SANS-FW-019 | FIREWALL-055 |
Implementation Priority#
Phase 1 — High Impact, Directly Implementable#
Controls that can be fully evaluated from existing CommonDevice fields:
SANS: SANS-FW-012 (anti-spoofing/bogon), SANS-FW-014 (dangerous ports), SANS-FW-005 (ruleset ordering), SANS-FW-021 (egress filtering), SANS-FW-019 (NAT), SANS-FW-024 (TCP state), SANS-FW-015 (secure remote access)
Firewall: FIREWALL-022 (no any-any rules), FIREWALL-029 (private address filtering), FIREWALL-030 (bogon filtering), FIREWALL-025 (rule documentation), FIREWALL-039 (remote syslog), FIREWALL-043 (NTP), FIREWALL-046 (SNMP community strings), FIREWALL-047 through 053 (VPN controls)
Phase 2 — Cross-Reference Checks#
Controls requiring correlation between multiple config sections:
FIREWALL-018 (least privilege), FIREWALL-054-056 (NAT controls), FIREWALL-032 (VLAN segmentation), FIREWALL-036-038 (certificate controls), SANS-FW-017 (mail traffic), SANS-FW-020 (DNS zone transfers), SANS-FW-022 (critical server protection)
Phase 3 — Advanced Analysis#
Controls requiring deeper algorithmic analysis or external data:
SANS-FW-008 (firmware version comparison), FIREWALL-034-035 (DoS protection tunables), SANS-FW-006 (application layer filtering)
Benefits#
For Blue Teams#
- Standardized Assessment: Use industry-recognized security controls
- Compliance Reporting: Generate reports for regulatory requirements
- Risk Prioritization: Focus on high-impact security issues
- Remediation Guidance: Get specific action items for each finding
- Framework Alignment: Align with STIG, SANS, and industry best practices
For Organizations#
- Regulatory Compliance: Meet STIG, SANS, and industry security requirements
- Security Posture: Understand current security state
- Improvement Roadmap: Plan security enhancements
- Audit Readiness: Prepare for security assessments
- Industry Standards: Follow recognized best practices
Future Enhancements#
Additional STIG Controls#
Additional DISA Firewall SRG controls under consideration:
- V-206701: DoS attack prevention filters
- V-206680: Network location information logging
- V-206679: Event timestamp logging
- V-206678: Event type logging
- V-206681: Source information logging
- V-206711: DoS incident alerting
Additional Standards#
- NIST Cybersecurity Framework — Map existing controls to NIST CSF categories
- PCI DSS v4.0 — Requirement 1 (network security controls) alignment
- ISO 27001 — Annex A network security controls
- CIS Benchmarks — Community-derived firewall hardening controls
- Custom Controls — Organization-specific security requirements
Planned Features#
- Real SANS Check Logic: Replace placeholder stubs with actual analysis
- Automated Remediation: Generate configuration fixes
- Compliance Monitoring: Track compliance over time
- Integration: SIEM and ticketing system integration
References#
- DISA STIG Library
- DISA Firewall Security Requirements Guide
- SANS SCORE Firewall Checklist (PDF)
- NIST SP 800-41 Rev. 1 — Guidelines on Firewalls and Firewall Policy
- NIST SP 800-53 — Security and Privacy Controls
- PCI DSS v4.0 — Requirement 1
- NSA/CISA Network Infrastructure Security Guide
- NIST Cybersecurity Framework
- Firewall Security Controls Reference
Support#
For questions about compliance standards integration:
- Documentation: Review this guide and API documentation
- Issues: Report bugs or feature requests via GitHub
- Contributions: Submit improvements to compliance mappings
- Standards: Suggest additional security frameworks to support