One thing I come across time and time again is poorly configured firewalls. The reason for this is largely down to the people who configure them. Companies often put all their eggs in one basket when it comes to IT services, which means people who perhaps aren’t best suited to managing security products end up doing just that. If that’s not the case, then it’s usually down to stretched IT teams filling multiple roles; roles that aren’t necessarily their expertise, such as firewall management.
Firewalls are often the first line of defence, and it’s not too difficult to ensure they are configured correctly. Here we will cover a few key points that will help you secure your device.
It’s important to appropriately limit access to your firewall. This means limiting which protocols can be used to manage it (e.g. HTTPS, SSH and Ping) and also limiting which networks can reach the management interface (ideally internal only). It may also be worth changing the default ports for these protocols (e.g. HTTPS 443 to 8443). This stops automated scripts that try to brute-force your firewall on the default ports.
Further to limiting access at the network level, it is also important to have appropriate logging in place so that you capture who makes changes. Every user must also have a unique account, identifiable to them, so they can be held accountable for the changes they make on the firewall.
It’s important to ensure your policy is correctly organised for two reasons.
- To prevent rules shadowing other rules (e.g. placing a permissive allow rule above a specific block rule, preventing the traffic from being blocked).
- Performance. Firewalls process rules in order until they find a match. If a frequently hit rule sits at the bottom of a 1,000-rule policy, every new session is evaluated against all the rules above it first, which has a performance impact.
As a loose rule of thumb, you may want to configure your policy as follows:
- Management Access Rules (not applicable to all firewalls)
- Management Cleanup (not applicable to all, but deny all other traffic destined for the firewall itself)
- Specific denies (this may be blocking an entire country or known malicious IPs)
- Permit rules (e.g. Internet access for all users, or east-west traffic)
- Deny, no log (some traffic is not interesting but generates a lot of noise)
- Deny, log (deny everything else and log it)
This is not a rigid format, but serves as a very rough guide. Firewall vendors often have their own best practices on firewall rule ordering.
It’s important to think about what you are letting through your firewall; this will also lead you to think about how you’re configuring other devices. Here are some examples:
- Ensure insecure protocols are not allowed (e.g. TELNET and FTP – these are not encrypted and expose passwords in clear text).
- Lock down VPNs from third parties (and your own remote offices) – these are often allowed unfiltered access to networks.
- Only allow what is needed – any/any rules are not acceptable. If you only need AD services between your user network and your DC, only allow AD services.
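The two points above (rules shadowing other rules, and permits that are too broad or use clear-text protocols) can both be caught by reading an exported rule list before it goes live. The following is an added example, not code from the original post: a small policy linter over a constructed rule list whose fields (source, destination, service, action) mirror a generic vendor export. The rule names, addresses and services are assumed sample values.

```python
"""Static linter for an ordered firewall policy (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Clear-text protocols that should not be permitted through the firewall.
INSECURE = {"tcp/23": "telnet", "tcp/21": "ftp"}


@dataclass
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    svc: str      # "proto/port" or "any"
    action: str   # "permit" or "deny"


def _covers(outer: str, inner: str) -> bool:
    """True if every address matched by inner is also matched by outer."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadowed(rules):
    """(later, earlier) pairs where an earlier rule with the opposite action
    matches everything the later rule would match, so the later rule never fires."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != later.action
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.svc in ("any", later.svc)):
                hits.append((later.name, earlier.name))
                break  # first shadowing rule is enough to report
    return hits


def risky_permits(rules):
    """Flag any/any permits and permits for clear-text protocols."""
    out = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.src == r.dst == r.svc == "any":
            out.append((r.name, "any/any"))
        elif r.svc in INSECURE:
            out.append((r.name, INSECURE[r.svc]))
    return out


# Constructed sample policy: the specific block on line 2 can never match.
POLICY = [
    Rule("allow-users-out", "10.0.0.0/8", "any", "any", "permit"),
    Rule("block-bad-host", "10.1.2.3/32", "any", "any", "deny"),
    Rule("legacy-telnet", "10.0.1.0/24", "10.0.9.5/32", "tcp/23", "permit"),
    Rule("catch-all", "any", "any", "any", "deny"),
]
```

Running `shadowed(POLICY)` reports the host block hidden beneath the broad permit, and `risky_permits(POLICY)` reports the telnet rule; moving the deny above the permit clears the first finding.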
You’ll be hard pressed to find a firewall that is just a firewall these days. They come with a wealth of security features that should be used. I’ll discuss a few of these options now:
- Application Awareness – This configures your firewall to inspect the content of a session. It ensures that traffic arriving on TCP port 80 is indeed HTTP traffic and not something potentially malicious.
- Intrusion Prevention – This looks for common exploitation attempts against known vulnerabilities and will block (or alert) when triggered. This is particularly important for any devices that are externally accessible.
- Anti-Virus – Already a well-known tool, this scans traffic for viruses as it passes through the firewall.
- URL Filtering – Many firewalls will allow you to filter user traffic based on category, allowing you to block many known malicious websites and potentially less productive sites.
- File Blocking/DLP – Not really the same thing, but you can block file types that are often used to distribute malware. You can also use DLP to block or detect files with certain contents, which may indicate if sensitive information is leaving the organisation through the firewall.
- SSL Inspection – This is an important one. As the internet moves more and more to HTTPS, so do the bad guys distributing malware. Without SSL inspection you cannot see into encrypted HTTPS traffic and may miss malicious content.
Each firewall vendor offers their own best practices when it comes to configuring your firewall to operate efficiently. It’s worth seeking these out.
The other thing to factor in when implementing these additional features on your firewall is the processing power they require. When purchasing a new appliance, it’s important to size the appliance based on your session, bandwidth and interface requirements with these features turned on.
I hope this serves as a starting guide for you when reviewing your firewall. I will probably follow this post up and cover each area in more detail, perhaps demonstrating how to limit management access on each device, for example.