November 21, 2019

Firewall Management Basics – WST

Bottom line…firewalls can be complicated.  Even in simple environments, keeping track of the rules, objects, policies, settings, etc. can seem overwhelming.  Unfortunately, misconfigured firewall rules can be detrimental to the health and security of your network.  This is why FFIEC guidance (and general best practice) is to perform regular reviews of your firewall configurations.  The good news is that applying some basic principles to your firewall management can go a long way.  Here are some best practices to help start with a secure configuration, and keep it that way:

  • Establish a routine for checking and applying security-related firmware updates. The “security-related” part is important, as not every firmware update contains vulnerability fixes.  Also, you don’t need to be on the latest and greatest firmware to be sufficiently up to date.  Many firewall vendors have multiple versions or “forks” that they keep updated at the same time.  If you are on the latest supported 6.x version, you may not need to be on the 7.x version.  As long as your firmware is currently supported and doesn’t contain unpatched security vulnerabilities, you are probably fine.
  • At their simplest, firewalls play traffic cop, using a list of rules to either allow or disallow traffic between systems or networks. To be effective, firewall rules should restrict traffic to only what is needed for functionality.  Most firewall rules follow the model “Let this system (source) talk to this system (destination) over this port (service).”  Wherever possible, each of those three items should be specific, and not “Any.”
  • Use comments! Most firewalls allow you to add notes or comments to each rule or object, so you can document when it was created, why, and by whom.  This helps immensely when, a year later, you are looking at the rules and don’t remember why one was created.  Who did this?  Was it a test?  Is it still needed?
  • Have a change control/logging process. We know…change control is a hated subject!  The process can be as simple as an email chain describing what is about to be changed and why, or a formal ticket system with approvals.  Whatever process you choose, it should include keeping a log of what was changed on the firewall, why, and ideally allow key stakeholders to ask questions.  This is critically important for firewalls managed by vendors.  You don’t want a helpdesk tech to create a rule to solve a problem that opens a much bigger hole in your perimeter than is needed.
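The three practices above (specific source/destination/service instead of “Any,” a comment on every rule, and a log of what changed) can be checked mechanically.  The script below is an added example written for this tip, not code from the article or from any firewall vendor; it models rules as plain Python dicts with the fields the tip names, and the `ANY_TOKENS` spellings, the `REVIEW_WORDS` list, the helper names and the sample rule set are all assumptions constructed for the demonstration.  It flags allow rules with “Any” in any field, rules with no comment or a comment that suggests a temporary test, and it produces the added/removed/modified entries a change log should record when two exports of the rule base are compared.

```python
"""Audit a firewall rule list against the practices in the tip above.

Added example, not the article's own code and not any vendor's export
format: rules are modelled as plain dicts with the three fields the tip
names (source, destination, service) plus an action and an optional comment.
"""

# Values that mean "anything" in the three rule fields. Which spellings a
# given vendor uses varies; this set is an assumption for the example.
ANY_TOKENS = {"any", "*", "0.0.0.0/0", "::/0"}

# Comment words that suggest a rule was temporary and may no longer be needed.
REVIEW_WORDS = ("test", "temp", "tmp")

# Constructed sample rule set for demonstration (not from a real firewall).
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "source": "10.0.1.15", "destination": "10.0.2.40",
     "service": "tcp/443", "comment": "2019-03-04 jdoe: web app to API, ticket 118"},
    {"id": 2, "action": "allow", "source": "any", "destination": "10.0.2.40",
     "service": "tcp/3389", "comment": ""},
    {"id": 3, "action": "allow", "source": "10.0.1.0/24", "destination": "any",
     "service": "any", "comment": "temp test for vendor"},
    {"id": 4, "action": "deny", "source": "any", "destination": "any",
     "service": "any", "comment": "2018-01-10 admin: default deny at end of policy"},
]


def is_any(value):
    """True when a field covers the whole address or service space."""
    return str(value).strip().lower() in ANY_TOKENS


def audit_rule(rule):
    """Return a list of findings for one rule (an empty list means clean)."""
    findings = []
    comment = str(rule.get("comment", "")).strip()
    # Only allow rules are checked for Any: a final deny-any-any is the
    # expected default at the end of a policy and should not be reported.
    if str(rule.get("action", "")).lower() == "allow":
        any_fields = [f for f in ("source", "destination", "service")
                      if is_any(rule.get(f, "any"))]
        for f in any_fields:
            findings.append(f"{f} is Any")
        if len(any_fields) == 3:
            findings.append("allow any/any/any: rule bypasses the firewall entirely")
    if not comment:
        findings.append("no comment: who created it, when and why is undocumented")
    elif any(w in comment.lower() for w in REVIEW_WORDS):
        findings.append("comment suggests a temporary rule: confirm it is still needed")
    return findings


def audit_rules(rules):
    """Map rule id -> findings for every rule that has at least one finding."""
    result = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            result[rule["id"]] = findings
    return result


def diff_rulesets(before, after):
    """Describe what changed between two rule lists as change-log entries.

    Each entry is (rule id, 'added' | 'removed' | 'modified'): the kind of
    record a change-control log should keep for every firewall change.
    """
    old = {r["id"]: r for r in before}
    new = {r["id"]: r for r in after}
    entries = []
    for rid in sorted(set(old) | set(new)):
        if rid not in old:
            entries.append((rid, "added"))
        elif rid not in new:
            entries.append((rid, "removed"))
        elif old[rid] != new[rid]:
            entries.append((rid, "modified"))
    return entries


if __name__ == "__main__":
    for rid, findings in audit_rules(SAMPLE_RULES).items():
        print(f"rule {rid}:")
        for f in findings:
            print(f"  - {f}")
```

Run it on a rule export converted to this dict shape and review the flagged ids; keep the output of `diff_rulesets` from each review alongside the ticket or email that authorized the change, so the “what changed, why, and by whom” record the tip asks for builds up on its own.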
