
Case Study

Multi-Site Network Security Assessment

Network security assessment of a regulated technology company operating on three continents: next-generation firewalls at multiple sites, an AWS account, and a colocation data center, reviewed end to end.

Industry: Regulated Technology
Scope: 3 continents · multi-site firewalls · colo + AWS
Drivers: First independent network review · upcoming compliance
The Outcome: First unified view of network security risk across all environments. Top two findings actionable within days. Full 6-month remediation roadmap aligned to operational capacity.

The Challenge

A regulated technology company with operations across three continents had grown its network infrastructure organically over several years. The environment included next-generation firewalls at several office locations, a colocation data center, and an AWS account supporting cloud-hosted security appliances and remote analyst access. The company had no recent independent review of its network security posture and needed an assessment ahead of upcoming compliance requirements.

The network team was capable but stretched thin, managing hundreds of firewall rules across sites with limited documentation of the cumulative risk picture.

Scope

The assessment covered multiple distinct environments: office firewalls at domestic and international locations (including the larger sites with 100+ rules each), a colocation data center firewall, and the corporate AWS account including VPCs, Transit Gateway, VPN tunnels, and security groups. Automated cloud security scanning supplemented the manual AWS review.

Approach

Each firewall configuration was analyzed rule-by-rule against a consistent framework: zone architecture and segmentation, application-level controls, logging and forwarding, VPN configuration and crypto strength, inter-site trust relationships, and security profile coverage (IPS, AV, sandboxing). The AWS review focused on VPC architecture, flow log coverage, security group permissiveness, and VPN tunnel health.

Rather than generating a generic checklist, the assessment prioritized findings by actual exploitability and operational impact. Every finding included a specific remediation recommendation with enough context for the network team to implement without additional consulting.

Key Findings

The assessment identified over a dozen findings across the environments, each rated High, Medium, or Low severity. Several themes emerged across all sites:

Logging gaps were the most pervasive issue. At multiple sites the majority of rules forwarded logs to a decommissioned SIEM instance, so the traffic was "logged" on the firewall but never reached security operations, creating a blind spot. Another site had no log forwarding configured at all. One site had logging active but its explicit deny rule was disabled; because the implicit default deny on most next-generation firewalls does not log, the explicit rule is what makes denied traffic visible, and disabling it hid all denied traffic from monitoring.

Site-to-site VPN rules consistently undermined zone segmentation. Every firewall had a well-designed zone architecture, in some cases a dozen or more purpose-specific zones. But the VPN rules connecting sites allowed any application on any port with no security profiles attached, meaning an attacker who compromised one site could move laterally to any other site without restriction and without IPS or AV inspection to detect it.

Application-level controls were unevenly applied. Some rules demonstrated strong application identification (Active Directory services, NTP, essential infrastructure), while adjacent rules permitted any/any traffic between the same zones. The inconsistency suggested policies had been added incrementally without a unified standard.
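The rule-by-rule framework from the Approach section and the three firewall findings above (dead log forwarding, a disabled explicit deny, any/any VPN rules with no profiles) can be reduced to mechanical checks over an exported policy. The following is an added example, not the assessor's tooling or any vendor's export format: the rule schema (`from_zone`, `application`, `service`, `log_forwarding_profile`, `security_profiles`, `enabled`), the decommissioned profile name `siem-old`, and the sample policy are all assumed and constructed for illustration.

```python
"""Audit a firewall policy for the themes in the findings above.

Added example. The Rule schema is a generic, assumed shape, not any
vendor's export format; the sample policy below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Log forwarding profiles that point at collectors no longer in service (assumed name).
DECOMMISSIONED_LOG_PROFILES = {"siem-old"}


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    application: str                      # "any" or an app-id such as "ntp"
    service: str                          # "any", "application-default", or a port spec
    action: str                           # "allow" or "deny"
    enabled: bool = True
    log_forwarding_profile: str | None = None
    security_profiles: set[str] = field(default_factory=set)   # e.g. {"ips", "av"}


def audit_rule(rule: Rule) -> list[str]:
    """Per-rule checks: app/service permissiveness, profile coverage, log forwarding."""
    if not rule.enabled:
        return []            # disabled rules are only interesting at policy level (see below)
    findings = []
    if rule.action == "allow":
        if rule.application == "any" and rule.service == "any":
            findings.append("any-application/any-service allow")
        if not rule.security_profiles:
            findings.append("no security profiles (IPS/AV/sandbox)")
    if rule.log_forwarding_profile is None:
        findings.append("no log forwarding")
    elif rule.log_forwarding_profile in DECOMMISSIONED_LOG_PROFILES:
        findings.append(f"forwards to decommissioned profile '{rule.log_forwarding_profile}'")
    return findings


def audit_policy(rules: list[Rule]) -> dict[str, list[str]]:
    """Per-rule findings plus policy-wide checks keyed under '_policy'."""
    report = {r.name: audit_rule(r) for r in rules}
    # The implicit default deny on most NGFWs does not log; an enabled, logged
    # explicit any/any deny at the bottom of the policy is what exposes denied traffic.
    denies = [r for r in rules
              if r.action == "deny" and r.from_zone == "any" and r.to_zone == "any"]
    policy = []
    if not denies:
        policy.append("no explicit any/any deny rule; denied traffic is not logged")
    elif not any(d.enabled for d in denies):
        policy.append("explicit deny rule is disabled; denied traffic hidden from monitoring")
    if policy:
        report["_policy"] = policy
    return report


# Constructed sample policy reproducing the patterns from the findings.
SAMPLE_RULES = [
    Rule("allow-ad", "users", "servers", "active-directory", "application-default", "allow",
         log_forwarding_profile="siem-new", security_profiles={"ips", "av"}),
    Rule("vpn-to-site-b", "vpn-site-b", "any", "any", "any", "allow",
         log_forwarding_profile="siem-old"),
    Rule("temp-fix", "users", "servers", "any", "any", "allow"),
    Rule("deny-all", "any", "any", "any", "any", "deny", enabled=False,
         log_forwarding_profile="siem-new"),
]

if __name__ == "__main__":
    for name, findings in audit_policy(SAMPLE_RULES).items():
        print(f"{name}: {findings or 'OK'}")
```

Run against a real export, the same two functions produce the per-site findings table directly; the only vendor-specific work is mapping the export's field names onto `Rule`. The `vpn-to-site-b` rule triggers all three themes at once, which is exactly the combination that made the VPN rules the top lateral-movement risk.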

The AWS environment had solid architecture but incomplete visibility. VPC Flow Logs were enabled on only a subset of VPCs, and one security group allowed all protocols from any source.
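The two AWS findings, partial VPC Flow Log coverage and a security group open to all protocols from any source, are quick to verify from the API. The following is an added example, not part of the original assessment: the dictionaries mirror the shape of boto3 `describe_vpcs`, `describe_flow_logs` and `describe_security_groups` responses so the functions can be fed live output, but the VPC and group IDs and names below are constructed. It goes slightly beyond the text by also treating an ACCEPT-only flow log as a gap, since that configuration drops rejected traffic the same way a disabled deny rule does.

```python
"""Check VPC Flow Log coverage and wide-open security groups.

Added example. Input dictionaries follow the field names of the EC2
describe_* API responses; the sample data below is constructed.
"""

ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def vpcs_without_flow_logs(vpcs, flow_logs):
    """Return VPC IDs lacking an ACTIVE flow log that captures ALL traffic.

    Only VPC-scoped logs count; subnet- or ENI-scoped logs are ignored here
    because they do not prove whole-VPC coverage. TrafficType ACCEPT misses
    rejected flows, so it is treated as a gap as well.
    """
    covered = {
        fl["ResourceId"]
        for fl in flow_logs
        if fl.get("FlowLogStatus") == "ACTIVE" and fl.get("TrafficType") == "ALL"
    }
    return sorted(v["VpcId"] for v in vpcs if v["VpcId"] not in covered)


def open_security_groups(security_groups):
    """Return (GroupId, GroupName) for groups with an inbound rule allowing
    all protocols from anywhere. IpProtocol "-1" is the API's encoding of
    'all protocols'; a single port open to 0.0.0.0/0 is not flagged here."""
    hits = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") != "-1":
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if ANY_CIDRS & set(sources):
                hits.append((sg["GroupId"], sg.get("GroupName", "")))
                break
    return hits


# Constructed sample data (IDs and names are made up).
VPCS = [{"VpcId": "vpc-0a1"}, {"VpcId": "vpc-0b2"}, {"VpcId": "vpc-0c3"}]
FLOW_LOGS = [
    {"ResourceId": "vpc-0a1", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
    {"ResourceId": "vpc-0b2", "FlowLogStatus": "ACTIVE", "TrafficType": "ACCEPT"},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-0open", "GroupName": "appliance-mgmt",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": []}]},
    {"GroupId": "sg-0web", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0int", "GroupName": "internal",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                        "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    print("VPCs without full flow logs:", vpcs_without_flow_logs(VPCS, FLOW_LOGS))
    print("Open security groups:", open_security_groups(SECURITY_GROUPS))
```

With boto3, `ec2.describe_vpcs()["Vpcs"]`, `ec2.describe_flow_logs()["FlowLogs"]` and `ec2.describe_security_groups()["SecurityGroups"]` plug straight into these functions, one region at a time.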

Deliverables

The client received a two-part deliverable: an executive assessment with a prioritized findings table and remediation roadmap, and a detailed technical appendix with per-site analysis including architecture diagrams, rule-by-rule commentary, and specific configuration recommendations. The format was designed so the executive summary could go to leadership while the technical appendix went directly to the network operations team.

Outcome

The assessment gave the company its first unified view of network security risk across all environments. The top two recommendations (restore log forwarding and harden VPN rules) were actionable within days using existing infrastructure. The remaining findings provided a six-month remediation roadmap aligned with the company’s operational capacity.

The technical appendix served as a baseline for ongoing firewall governance, giving the network team a documented standard to measure future changes against.


Talk to me about a Network Security Assessment →