By Ruby Nahal, Senior Engineer
Firewalls are the guards that hackers have to deal with first when entering your network, so it is critical that they are configured correctly. In fact, it really doesn’t matter how much money you spend on buying highly secure edge systems to secure your network if you fail to configure, monitor and change them dynamically to reflect the level of security you need. Following my tried-and-true best practices will ensure your firewall is working as hard as you need it to.
- Follow the minimal access rule – Never just configure an “allow all” rule. If a vendor needs direct RDP access to one of your servers, configure a rule that restricts access to the vendor’s IP. Always configure the firewall so the rules reflect the minimal access a service needs to get up and running. For example, restrict outbound SMTP so it is only allowed from your Exchange servers. Object groups can be used to incorporate multiple objects in a single rule. Stay as far away as possible from “ANY” rules.
- Say “NO” to rule bloat. Disable inactive rules – if a user no longer uses RDP at his/her workstation, disable the rule. Disabling such rules also makes troubleshooting the firewall more efficient because you won’t have to deal with inactive rules. It may be useful to add disabling inactive rules to your servers/network equipment decommissioning process. “Rule bloat” is a very common occurrence with firewalls because most operations teams have no process for deleting rules.
- Employ subscription services on your firewall. Many firewall vendors offer subscription services, either with licensing or as an add-on feature, for intrusion prevention, web content filtering, application control, gateway anti-virus protection, etc. If you already have these services, use them to your advantage. Recently, with the growing threat of ransomware, most firewall vendors have released best practice configurations for preventing ransomware. These services offer an additional layer of security for your internal network.
- Update your firmware – Most vendors release patches and signatures for their products fairly often. This is especially true for the subscription services. Being on the most current stable version of firmware for the firewall can prevent recently released/new attacks.
- Audit, and audit often – Check on your firewall periodically. If you are a merchant with significant credit card activity, then PCI requirement 1.1.6 calls for reviews at least every six months, which is a good timeframe for everyone to stick to. Compliance needs change and your network may evolve, so it is best to use these reviews as opportunities to clean your firewall up.
- Document all changes – I consider this a very important step because most firewalls have no change tracking built into them and good documentation can save everyone a lot of downtime. Making a backup of the configuration before making changes is also a good practice as it allows you to roll back quickly.
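As an added example (not from the original article), here is a small Python audit that applies the minimal-access, rule-bloat and periodic-review items above to a constructed, vendor-neutral rule table: it flags allow-all rules, RDP open to any source, outbound SMTP from anything other than the Exchange subnet, and enabled rules with no hits in the review window. The rule format, the 10.0.1.0/24 Exchange subnet and the hit counters are assumptions; adapt them to your firewall's exported rule set.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Rule:
    name: str
    src: str        # source CIDR or "any"
    dst: str        # destination CIDR or "any"
    port: str       # "tcp/3389", "tcp/25", ... or "any"
    action: str     # "allow" or "deny"
    hits_90d: int   # hit counter over the 90-day review window (assumed export field)
    enabled: bool = True

# Constructed sample rule set; not a real firewall configuration.
RULES = [
    Rule("vendor-rdp", "203.0.113.10/32", "10.0.0.5/32", "tcp/3389", "allow", 42),
    Rule("legacy-rdp-any", "any", "10.0.0.0/24", "tcp/3389", "allow", 0),
    Rule("exchange-smtp-out", "10.0.1.0/24", "any", "tcp/25", "allow", 9000),
    Rule("desktops-smtp-out", "10.0.5.0/24", "any", "tcp/25", "allow", 3),
    Rule("allow-all", "any", "any", "any", "allow", 120),
    Rule("old-app", "10.0.2.0/24", "10.0.0.9/32", "tcp/8080", "allow", 0, enabled=False),
]

# Assumed: the only hosts that should send SMTP outbound live in this subnet.
EXCHANGE_NET = ip_network("10.0.1.0/24")

def audit(rules):
    """Return (rule name, finding) pairs for enabled allow rules that break the practices."""
    findings = []
    for r in rules:
        if not r.enabled or r.action != "allow":
            continue  # disabled or deny rules are not access grants
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((r.name, "allow-all rule"))
        elif r.port == "tcp/3389" and r.src == "any":
            findings.append((r.name, "RDP open to any source; restrict to the vendor IP"))
        if r.port == "tcp/25" and (
            r.src == "any" or not ip_network(r.src).subnet_of(EXCHANGE_NET)
        ):
            findings.append((r.name, "outbound SMTP from a non-Exchange source"))
        if r.hits_90d == 0:
            findings.append((r.name, "no hits in review window; candidate to disable"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```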
Remember, the best way to prevent bad things from happening is to not create an environment where they can.