Many compliance efforts include a firewall review, and doing it effectively puts cost and risk at odds. Reviewing each rule entry by verifying and justifying the “actual” business purpose or requirement can be a mind-numbing experience, since most IT and/or Security teams don’t own, validate or test (during SDLC phases), or bear responsibility for the ports and services in use …
As a result, you end up allocating an FTE (full-time employee) to chase down the culprit, or simply to build an understanding of the ports and services open on any given interface or segment. Then you’ll probably need to perform some level of remediation, or at least negotiate what to allow and how (i.e. within an acceptable DMZ or tiered-architecture model).
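The FTE legwork above, building an inventory of what is open and which rules lack an owner or a justification, is the part that is easiest to automate before the negotiation starts. As an added example, not from the original post, the Python below triages a constructed rule export and flags allow rules with no owner or justification, any/any/any allows, the cleartext legacy services the post mentions (telnet/23, FTP/21) and rules with no hits; the CSV layout, column names and sample addresses are assumptions.

```python
import csv
import io

# Legacy cleartext services the post mentions (telnet/23, FTP/21); TFTP added
# as another service that rarely survives a justification discussion.
LEGACY_SERVICES = {"tcp/23": "telnet", "tcp/21": "ftp", "udp/69": "tftp"}

# Constructed sample export (not a real ruleset); column layout is assumed.
SAMPLE_RULES = """\
id,src,dst,service,action,owner,justification,hits_90d
10,10.1.0.0/16,10.20.0.5,tcp/443,allow,payments-team,CHG-1234 web tier to API,48210
11,any,any,any,allow,,,911
12,10.1.5.0/24,10.20.0.7,tcp/23,allow,netops,legacy switch mgmt,3
13,10.1.5.0/24,10.20.0.9,tcp/21,allow,,,0
14,10.3.0.0/16,10.20.0.5,tcp/8443,allow,hr-apps,,0
"""


def parse_rules(text):
    """Parse the CSV export into dicts; hits_90d becomes an int."""
    rules = list(csv.DictReader(io.StringIO(text)))
    for rule in rules:
        rule["hits_90d"] = int(rule["hits_90d"])
    return rules


def review_rules(rules):
    """Return (rule id, finding) pairs for allow rules needing a human decision."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # denies carry no business purpose to justify
        rid = r["id"]
        if not r["owner"]:
            findings.append((rid, "no owner to confirm the business purpose"))
        if not r["justification"]:
            findings.append((rid, "no documented justification"))
        if (r["src"], r["dst"], r["service"]) == ("any", "any", "any"):
            findings.append((rid, "any/any/any allow: not a reviewable rule"))
        if r["service"] in LEGACY_SERVICES:
            findings.append((rid, "cleartext legacy service " + LEGACY_SERVICES[r["service"]]))
        if r["hits_90d"] == 0:
            findings.append((rid, "no hits in 90 days: candidate for removal"))
    return findings


if __name__ == "__main__":
    for rid, finding in review_rules(parse_rules(SAMPLE_RULES)):
        print(f"rule {rid}: {finding}")
```

Each finding is a question for the rule owner, not a verdict; the point is to walk into the review with the short list already built rather than reading every entry cold.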
So the alternative becomes an outsourced services provider, and the cost will be a sizable chunk, though they are even less equipped to solve the underlying question of why ports/services are allowed to begin with (and we’re not referring to just the port 23 or FTP scenarios). Perhaps the happy medium is to utilize tools that give you certain advantages…
The list is long, but the three products I will reference for this discussion are Athena, Tufin and Algosec, in order of capability/features and increasing price. Athena will buy you the raw analysis and output needed to make actionable decisions: the rule sets that pose risks, along with correction recommendations. A step above is the Tufin line of appliances, which gives you more granular analysis, reporting and customization. This solution also encompasses the start of a correlational approach/model, leading to Algosec, with a full package for optimized management of firewalls as well as other network devices. Algosec rounds out the solution with device and event management capability, with a twist of notification and proactive management.