Firewall Management - WST

It’s always a good time for a refresher on some best practices and expectations for firewall management. Here are some concepts that should be observed while managing firewalls:

• Keep your firmware and software updated. This includes security applications that may run on top of firewall firmware or software operating systems (this is a shout-out to all you Cisco ASA/FirePOWER administrators). Beware of unstable versions and vulnerabilities.
• As part of the expected quarterly firewall review, pay close attention to access control list (ACL) rules with both the source and destination defined as ANY (a.k.a. undefined). Generally speaking, the practice of using undefined variables in rules should be rare and is typically acceptable only when applied general internet access using ports 80 (HTTP) or 443 (HTTPS). In other words, always define:
1. the source(s) and destination(s), or…
2. under specific conditions the source(s) or destination(s), and…
3. always the port(s) and protocol(s).
• A rule allowing ANY source, ANY destination, and ANY port should never exist in an access control list. Not even within your guest (wireless) networks.
• ACLs should end with an implicit deny rule (if not applied by default). If the communication is not explicitly allowed, it should be denied. Don’t put all your faith in Layer-7 application or data loss prevention features as these are best-efforts and not absolute.
• Review NATs and routes for misconfigurations.
• Always use a DMZ or other logical or physical interface with ACLs to segment untrusted networks, like your ATM processor, core provider, and services like FedLine.
• Typically only the Active Directory DNS server or some other centralized DNS service should be allowed access to public DNS resources over port 53 to provide DNS resolution to your endpoints. DNS Hijacking is still a valid concern. This goes for NTP as well.
• Firewall changes need to go through change control and risk acceptance processes and adhere to these policies. Accepted risks should be reviewed and never be perpetual.
• Keep documentation to describe firewall objects, rules, and other configurations. This will help supplement your firewall reviews, and make it easy for a third-party to help during an incident.
• Backup up your firewall configurations to a secure and accessible location for disaster recovery.
• Hold your managed security service providers accountable to the same standards above.

Firewalls should be managed with great care. Every open port is an opportunity for a threat actor to traverse your network and access data. If you’re questioning your sanity, and would like a second set of eyes, please reach out to your 10-D Security sales representative and schedule a firewall review.

Authored by: Mike Smith, AWS CCP