Network Security Audit Checklist

Rules without documentation are candidates for removal. Undocumented rules may be legacy exploits.

Without an implicit deny, unknown traffic reaches internal systems by default.

ANY-to-ANY rules bypass all firewall protection. Replace with specific port, IP, and protocol rules.

If they must be accessible, require MFA + IP restriction + VPN as minimum controls.

Every exposed port is an attack surface. Verify what's exposed via an external port scan (Shodan/Nmap).

Unrestricted outbound traffic enables data exfiltration and C2 beaconing.

Critical CVEs in FortiGate, Cisco ASA, and Palo Alto have been actively exploited. Patch promptly.

Flat networks allow lateral movement from any compromised device. Segmentation contains breaches.

DMZ should contain: web servers, mail gateways, VPN concentrators. Never internal DBs or file servers.

Misconfigured 802.1Q trunking allows VLAN hopping attacks.

User VLAN should not be able to directly reach server admin VLAN without passing through the firewall.

IoT is a primary lateral movement target. CCTV, printers, and smart devices should be isolated.

Credential stuffing against VPN endpoints is one of the most common initial access vectors.

Or, if using full tunnel VPN, ensure your internet policy is enforced on the VPN gateway.

Critical CVEs in Pulse Secure, Citrix, FortiVPN have been exploited at scale. Patch within days of disclosure.

Apply least-privilege: HR team should only access HR systems, not the entire internal network.

Direct RDP (3389) exposure to the internet is high-risk. Block at firewall; require VPN.

WPA2-Personal with a shared key is insecure for business use. Any user with the password can intercept traffic.

Guest should have internet access only, isolated from all corporate resources.

Management networks should use a hidden SSID with MAC filtering and certificate-based auth.

Rogue access points allow attackers to capture credentials off-network. Most enterprise WAP controllers include detection.

Ex-employees with WPA2-PSK knowledge can still connect from nearby.

You cannot detect lateral movement or data exfiltration without network visibility.

DNS is used for C2 (command and control) by most modern malware families. DNS sinkholes catch known bad domains.

Log correlation requires consistent timestamps. Use an internal NTP server or pool.ntp.org.

Flow data reveals unusual communication patterns, large data transfers, and lateral movement — without full packet capture.