Firewall management best practices are recommendations, guidelines, or standard operating procedures for obtaining reliable firewall security on a real-world budget.
Best practices are usually not specific recommendations for products or tools. Rather, these are recommendations for philosophies, stances, or concepts on how to proceed. The following items are suggested best practices, some of which also apply to network security in general.
These might not apply to every environment, although you should consider each, and adapt or adopt when appropriate.
- Have a written firewall policy
- Have a plan
- Understand your organization’s infrastructure
- Decide where a firewall is necessary
- Perform a risk assessment
- Review the policy regularly
- Establish a no-exceptions policy
- Maintain physical security
- Limit and filter Internet connectivity
- Use defense in depth
- Keep it simple: security (KISS)
- Harden both internal firewall hosts and border firewalls
- Always test new code
- Always make a backup
- Lock; then watch
- Maintain a firewall incident response plan
- Focus on balancing security and usability
- Develop a firewall checklist
- Test all uses of the firewall for sufficiency
- Perform regular vulnerability assessments
- Perform penetration testing
1. Have a written firewall policy
A written policy dictates which firewall features to enable or disable. It also describes how a firewall should handle inbound and outbound network traffic, based on Internet Protocol (IP) addresses, protocols, applications, and other factors. A written firewall policy complements an organization’s overall security policy.
To write a firewall policy, learn about and thoroughly examine every communication, transaction, and service within, across, and through the IT infrastructure. You can write a comprehensive and effective firewall policy only when you know and understand your operating environment.
2. Have a plan
This is the foundation of every firewall implementation. Any other method, process, or procedure for configuring, using, and managing a firewall is at risk of failure without a plan. Only a written plan, built on the written firewall policy, can guide you toward a successful and reliable firewall deployment.
3. Understand your organization’s infrastructure
To create an effective plan, determine which parts of the network need protection. You must also understand your organization’s technology use, asset availability, and resource consumption, in addition to understanding where everything resides and how users work with the infrastructure.
4. Decide where a firewall is necessary
Make the decision once you understand your operating environment thoroughly. In most cases, every host should have a local software firewall.
Firewalls are necessary at every border communication point and at every transition between subnets of different trust, risk, or purpose. Firewalls provide communications control; deploy them liberally.
5. Perform a risk assessment
A risk assessment is what makes a firewall policy useful and relevant. Only through a proper risk assessment can you determine the threats and risks facing your environment and its communications. This, in turn, will guide the configuration of a firewall for maximum benefit.
6. Review the policy regularly
Once a firewall policy is in place, the policy should be reviewed at least annually. Update policy rules to accommodate network changes, such as the implementation of new applications and addition of servers. Verify that all services are still properly protected.
Evaluate whether prevention, deterrence, and response have been adequate and effective. If you discover deficiencies, fix them immediately.
7. Establish a no-exceptions policy
Every service, every transaction, and every communication must pass through one or more firewalls, filtered according to the guidelines of the firewall policy. Immediately terminate any communication found to bypass firewall filtering.
Focus on establishing a philosophy of default deny rather than default allow. By blocking everything as a starting point, only those features, services, protocols, ports, applications, and users you deem safe and appropriate can proceed by an exception.
Using a default-allow stance forces a never-ending stream of explicit denials as new compromises or malicious events arise. Deny by default/allow by exception is always the preferred security stance.
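The deny-by-default stance above, written out as an nftables ruleset. This is an added example, not code from the original text: the management network, the interface layout, and the ports opened are assumptions chosen for illustration. Every base chain carries `policy drop`, so a packet that matches no explicit `accept` is discarded, and each chain ends with a logging rule so that drops can be watched. The `check_ruleset` function is a static check of the generated file of the kind a firewall checklist would run before loading it.

```shell
#!/bin/sh
# Added example: an nftables ruleset that starts from "deny everything" and
# opens only what the firewall policy names, plus a static check of the file.
# The management network and the open ports are assumptions for the example.
MGMT_NET="10.0.100.0/24"   # assumed: where administrators connect from

# write_ruleset FILE: emit a default-deny ruleset to FILE.
# Every base chain carries "policy drop", so anything not matched by an
# explicit accept is discarded; drops are logged so they can be watched.
write_ruleset() {
    cat > "$1" <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr $MGMT_NET tcp dport 22 accept
        tcp dport { 80, 443 } accept
        icmp type echo-request limit rate 5/second accept
        log prefix "fw-drop-in: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        log prefix "fw-drop-fwd: " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        udp dport 53 accept
        tcp dport { 80, 443 } accept
        log prefix "fw-drop-out: " drop
    }
}
EOF
}

# check_ruleset FILE: fail unless every base chain is default-deny, no
# accept rule is unconditional, and SSH is limited to the management
# network. Returns 0 when the file passes.
check_ruleset() {
    f="$1"
    chains=$(grep -c 'type filter hook' "$f")
    drops=$(grep -c 'policy drop;' "$f")
    [ "$chains" -gt 0 ] && [ "$chains" -eq "$drops" ] || return 1
    # an accept with nothing in front of it would allow everything
    if grep -Eq '^[[:space:]]*accept[[:space:]]*$' "$f"; then return 1; fi
    grep -q "ip saddr $MGMT_NET tcp dport 22 accept" "$f" || return 1
    return 0
}

# Stand-alone demo: write the ruleset to a temporary file and check it.
# Loading it on a real firewall would be:  nft -c -f "$f" && nft -f "$f"
demo_file=$(mktemp)
write_ruleset "$demo_file"
if check_ruleset "$demo_file"; then
    echo "ruleset passes default-deny check: $demo_file"
else
    echo "ruleset FAILED default-deny check" >&2
fi
```

Note the ordering: the `ct state established,related accept` rule comes first so replies to permitted connections are not re-evaluated against every rule below it, and the logging drop rule comes last, where it only sees what nothing else accepted. Run `nft -c -f` (parse-only) against the file before `nft -f` loads it.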
8. Maintain physical security
Monitor all personnel access to firewalls. No one, except the firewall administrator, should have physical access to the firewall devices. Firewalls are concentrations of security and often the main embodiment of communications security. The risk of compromise from unauthorized access is significant.
9. Limit and filter Internet connectivity
The Internet is a significant risk for most organizations, as an unrestricted or unfiltered Internet connection is a highway for malicious code, social engineering attacks, and intrusion attempts. If an Internet service, protocol, domain, or IP address is not essential to a necessary business task, block it.
10. Use defense in depth
A multiple-layered defense should be used wherever possible. Do not rely upon a single or individual firewall. Attempt to interlock and layer firewalls along the pathways of communication and transactions. If you do, numerous filtering events will shield each asset.
Configure firewalls to allow Internet Protocol Security (IPsec), VPNs, and other forms of encrypted communications. Use these where appropriate, but do not universally allow encrypted communications, because encryption can also hide malicious activity from the firewall. Strongly authenticated endpoints are less likely to be sources of malicious actions.
11. Keep it simple: security (KISS)
Focus on designing and configuring firewalls that use simple and direct rule sets. The greater the complexity involved, the greater the chance of misconfiguring, incorrectly ordering rules, or creating loopholes in protection.
Placing a firewall on a network is only the beginning. Once in place, there is maintenance that must be performed to ensure security. Keeping access rules and lists current is what keeps legitimate traffic flowing and unwanted traffic out.
The deny-by-default/allow-by-exception philosophy should keep minor nuisances to a minimum. Be sure to assess whether the firewall is functioning properly on a regular basis, even if everything appears to be fine.
13. Harden both internal firewall hosts and border firewalls
Use firewalls hardened against compromise, regardless of the network location. Provide consistent and thorough security throughout the IT infrastructure. Protecting the stability and reliability of firewalls will, in turn, protect the security of the network as a whole.
14. Always test new code
Before you deploy it onto a firewall, test it—regardless of the source of the new code or whether it addresses a mission-critical issue.
All untested code is unauthorized, and it should be blocked from all production firewalls. Testing is relatively inexpensive, and recovering from intrusion damage can be disastrously expensive. You will learn more about firewall code later in this chapter.
15. Always make a backup
Do not allow the only copy of a firewall configuration to be in memory on the firewall. Be sure all backups are easily retrieved in an emergency. If using the cloud for storage, consider download speeds and how long it will take to restore a system. It may be faster to have a traditional media backup on-site for redundancy.
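A backup routine that puts the points above into practice. It is an added example, not a script from the original text: the dump command is passed in as a parameter so that the same function takes `nft list ruleset` (or `iptables-save`) on a real firewall and a constructed file in the demo below; the backup directory and retention count are assumptions. Each copy is written atomically, recorded with a checksum, and a restore refuses a copy whose checksum no longer matches, so the copy you reach for in an emergency is one you can trust.

```shell
#!/bin/sh
# Added example: keep dated, checksummed copies of the live ruleset and
# refuse to restore a copy whose checksum no longer matches its record.
# Paths are assumptions for the example; on a real firewall the dump
# command is "nft list ruleset" (or "iptables-save").

# backup_ruleset DUMP_CMD BACKUP_DIR KEEP
#   Runs DUMP_CMD, stores its output as BACKUP_DIR/ruleset-<UTC stamp>.nft
#   beside a checksum record, keeps only the newest KEEP copies, and
#   prints the path of the new backup. Fails if the dump fails or is empty.
backup_ruleset() {
    dump_cmd="$1"; dir="$2"; keep="${3:-10}"
    mkdir -p "$dir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$dir/ruleset-$stamp.nft"; i=0
    while [ -e "$out" ]; do i=$((i + 1)); out="$dir/ruleset-$stamp-$i.nft"; done
    # write to a temp name first so a failed dump never leaves a partial "backup"
    sh -c "$dump_cmd" > "$out.tmp" || { rm -f "$out.tmp"; return 1; }
    [ -s "$out.tmp" ] || { rm -f "$out.tmp"; return 1; }   # empty dump = failed dump
    mv "$out.tmp" "$out"
    cksum < "$out" | awk '{print $1, $2}' > "$out.cksum"
    # prune: newest first, remove everything after the first KEEP copies
    ls -1t "$dir"/ruleset-*.nft | awk -v n="$keep" 'NR > n' | while read -r old; do
        rm -f "$old" "$old.cksum"
    done
    printf '%s\n' "$out"
}

# verify_backup FILE: 0 if FILE's checksum matches its record, 1 otherwise.
verify_backup() {
    [ -f "$1" ] && [ -f "$1.cksum" ] || return 1
    [ "$(cksum < "$1" | awk '{print $1, $2}')" = "$(cat "$1.cksum")" ]
}

# restore_ruleset FILE: verify, parse-check with nft when it is installed,
# then load. The "nft -f" line is the only step that changes the firewall.
restore_ruleset() {
    verify_backup "$1" || { echo "refusing to restore: checksum mismatch on $1" >&2; return 1; }
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1" || return 1      # parse-only check first
        nft -f "$1"
    else
        echo "nft not installed here; $1 verified but not loaded" >&2
    fi
}

# Stand-alone demo: a constructed ruleset file stands in for "nft list ruleset".
demo_dir=$(mktemp -d)
demo_src="$demo_dir/live.nft"
printf 'table inet filter {\n\tchain input {\n\t\ttype filter hook input priority 0; policy drop;\n\t}\n}\n' > "$demo_src"
b=$(backup_ruleset "cat '$demo_src'" "$demo_dir/backups" 3)
verify_backup "$b" && echo "backup written and verified: $b"
```

`cksum` is used because it exists on every POSIX system; it detects corruption, not deliberate tampering, so the backup directory itself still needs the same access control as the firewall. Copy the directory to a second location (on-site media as well as any cloud store) so that the restore does not depend on a single path.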
16. Lock; then watch
If an asset is worth the time and effort to secure, then it is also worth monitoring. Configure each firewall per the security policy, and then watch for attempted breaches of that security. Perfect security does not exist. To improve security, be prepared to respond when breaches occur.
Failure to watch a secured asset means only that when the compromise occurs, you won’t notice it immediately. Firewalls can be the focus of an attack, just like any other host. Be aware and be prepared for such an attack; this will give you the edge to respond promptly.
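Watching, in the sense of items 16 above, means reading what the firewall drops. The following is an added example, not part of the original text: it summarises kernel log lines carrying a `fw-drop-in:` log prefix by source address and flags sources that hit many distinct ports (a scan) or simply hit the firewall too often. The log lines are constructed for the example; the `SRC=`, `DST=`, `PROTO=`, `DPT=` fields follow the netfilter log format, and the thresholds are assumptions to tune for your own traffic.

```shell
#!/bin/sh
# Added example: turn the firewall's drop log into something an operator
# watches. Log lines below are constructed; the prefix and thresholds are
# assumptions for the example.

# drop_summary LOGFILE
#   Prints one line per source:  <src> <drops> <distinct destination ports>
#   sorted by drop count, highest first. Only input-chain drops are counted.
drop_summary() {
    grep 'fw-drop-in:' "$1" | awk '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            drops[src]++
            if (dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in drops) printf "%s %d %d\n", s, drops[s], ports[s] + 0 }
    ' | sort -k2,2nr
}

# flag_sources LOGFILE MAX_DROPS MAX_PORTS
#   Prints "<src> <reason>" for every source over either threshold.
flag_sources() {
    drop_summary "$1" | awk -v md="$2" -v mp="$3" '
        $3 > mp { print $1, "port-scan:" $3 " ports"; next }
        $2 > md { print $1, "flood:" $2 " drops" }
    '
}

# Constructed sample log: one scanner, one noisy multicast source, one
# stray connection, and an output-chain drop that must be ignored.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Mar  3 10:01:02 fw kernel: fw-drop-in: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51012 DPT=22
Mar  3 10:01:02 fw kernel: fw-drop-in: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51013 DPT=23
Mar  3 10:01:02 fw kernel: fw-drop-in: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51014 DPT=25
Mar  3 10:01:03 fw kernel: fw-drop-in: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51015 DPT=445
Mar  3 10:01:03 fw kernel: fw-drop-in: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51016 DPT=3389
Mar  3 10:01:05 fw kernel: fw-drop-in: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:01:06 fw kernel: fw-drop-in: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:01:07 fw kernel: fw-drop-in: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:01:08 fw kernel: fw-drop-in: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:01:09 fw kernel: fw-drop-in: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=8080
Mar  3 10:01:10 fw kernel: fw-drop-out: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=6667
EOF

echo "== drops by source (src drops ports) =="
drop_summary "$demo_log"
echo "== flagged (more than 3 drops or more than 3 distinct ports) =="
flag_sources "$demo_log" 3 3
```

On a live system the log file is whatever receives kernel messages (`/var/log/kern.log`, or `journalctl -k` piped in), and the flagged lines are what feed the incident response plan rather than a scheduled report nobody reads.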
17. Maintain a firewall incident response plan
Bad things will occur. Failures will happen. Breaches will take place. Firewalls can fail, and malicious traffic will be overlooked. Nevertheless, be prepared. Evaluate and examine the realistic threats that face your environment. Plan for the worst. Define procedures to respond to any and all situations.
18. Focus on balancing security and usability
Firewall filtering should not make all work tasks more difficult. Likewise, essential work functions need not compromise security. It is important to find a balance between these two extremes. Focus on reducing the risk to the infrastructure while enabling users to perform authorized tasks with minimal hassle.
19. Develop a firewall checklist
Review it for completeness and accuracy periodically, such as every quarter. Confirm every element on the checklist frequently, such as once a week or once a day. You can automate this to an extent, but it often requires human effort to test and confirm that every security mechanism is in place, active, armed, and effective.
20. Test all uses of the firewall for sufficiency
Perform verification scans of all deployed firewall settings to ensure functionality. Improper installation or misconfiguration can render even well-designed safeguards worthless. Test every new security setting or rule upon installation and at every reconfiguration.
21. Perform regular vulnerability assessments (VA)
Use automated tools with updated databases of security tests and exploit simulations. These tools should confirm patches and updates, verify security configurations, and probe for known vulnerabilities and weaknesses. Quickly resolve any issues the scans uncover.
22. Perform penetration testing (PT)
After you have improved and tuned firewall security, this is the ultimate test. Hire or develop an ethical hacking team to test the strengths and weaknesses of the firewalls.
Ethical hackers use the same tools and attack techniques as criminals, but without the intent to cause actual damage. Professional security assessment teams can customize attacks, modify exploits, and react in real time to fully stress security defenses.
This collection of firewall management best practices should serve as a starting point for the development of an effective firewall deployment.
Other valid and useful guidelines deserve consideration, so do not assume this list of recommendations, or any list from any source, is exhaustive. There are always new lessons to learn and new challenges to face, as well as new wisdom to obtain.