11 Best Practices for Best Firewall Settings

Typically, best firewall settings include action components that decide if a firewall will permit or block traffic based on a match feature. For instance, if the traffic meets the rules specifications, then it connects to the network. That way, organizations can leverage the firewall to block presumably malicious traffic in public networks from getting to internal networks.

It is vital to consider potential security threats when modifying firewall rules to prevent unforeseen issues. We have put together a list of the best practices for fine-tuning your firewall settings to help you maximize the security tool’s effectiveness. It is necessary to understand that the exact procedures for modifying your firewall settings differ based on the firewall make and model, as well as whether it is a software or hardware-based firewall tool. However, regardless of the firewall technology in use, following these best practices will help you get the best out of your solution.

1. Document the Firewall Rules

An organization can easily accumulate thousands of firewall rules and policies that are crucial to its operation. Not all of those rules are independent: some directly affect how another set of rules behaves. A simple mistake can therefore open a serious security loophole that lets malicious traffic in while blocking legitimate traffic. For this reason, it is vital to document every firewall rule, both for security and for performance.

Organizations need to document every firewall rule to establish the rule’s actions. Documenting existing and any new rule involves tracking information such as the rule’s purpose, the affected application and web server, the affected users and devices, the date the rule was created and the expiration date, if applicable, and the rule’s author.

2. Establish a Proper Firewall Rule Change Procedure

After documenting your firewall rules, it is crucial to create a formal change procedure. By and large, you will need to update specific rules and the overall firewall policy whenever new services, servers, devices, or users are added. Before making any changes, an organization should establish a formal change procedure that outlines how users or device owners request a specific configuration change. PCI DSS Guide recommends that security administrators plan the process of adding, changing, or deleting firewall rules so that the performance of the existing ruleset is not adversely affected.

Additionally, the procedure should include a formal review process for analyzing new modification requests and deciding the best course of action for security rules and practices. You can also add a way of testing new change requests against the production firewall rules and default settings. On top of that, the change document should describe how to deploy the tested modifications into production and how to validate that the new settings are operating as intended. Finally, there needs to be a method to ensure that all changes are tracked and documented.

3. Ensure Your Firewall is Secure

Securing the firewall itself is the first line of defense in configuring and managing a secure firewall. Always ensure that the firewall is not left in an unsafe state through its own default settings. PCI DSS Guide lists the basic firewall security steps as follows:

  • Disable the simple network management protocol (SNMP)
  • Rename, disable or delete any default user account
  • Change all default passwords
  • Create additional administrator accounts based on responsibilities for multiple personnel who will manage the firewall

4. Default Block Behavior

Security experts recommend that you start by blocking all traffic and unauthorized access by default and only allow specific traffic to identified applications and servers. This default configuration sets a baseline control over the traffic and reduces the likelihood of a cyberattack. In most firewalls you achieve default block behavior by configuring the last rule in the access control list to block traffic. You can then add explicit firewall rules above it to permit what the platform needs.

5. Set Explicit Firewall Rules after Default Block Behavior

Set the most explicit firewall rules at the top of the rule base. These rules act as the starting point for matching traffic and decide what the firewall permits or blocks. A rule base is evaluated top-down, with the first matching rule performing the action. In this case, if the first rule permits the traffic, the remaining rules will not assess it again.

Standards bodies and regulators such as PCI DSS, NIST, ISO, SANS, and NERC guide security administrators in evaluating network security from a firewall configuration perspective. As an example, the SANS Institute’s Security Consensus Operational Readiness Evaluation Firewall Checklist provides the following order that you can adopt during firewall setup:

  • Anti-spoofing filters – block private and internal addresses appearing from the outside
  • User permit rules – for example, allow HTTP to public webserver
  • Management permit rules – for instance, SNMP traps to the network management server
  • Noise drops – as an example, discard OSPF and HSRP chatter
  • Deny and alert – alert systems administrator about suspicious traffic
  • Deny and log – log remaining traffic for analysis

Since firewalls operate on a first-match basis, it is essential to follow a structure such as the one recommended by SANS so that suspicious traffic is blocked rather than inadvertently allowed in by an incorrect rule order.

6. Set Cleanup Rule / Explicit Drop Rules

Properly configured firewalls deliberately drop all traffic that no rule explicitly permits. You can place a cleanup rule at the bottom of each security zone context as a safeguard to stop unauthorized traffic from passing through the firewall. The cleanup rule (an any-any-any drop rule) provides a catch-all mechanism and is defined as follows:

    Source = ANY
    Destination = ANY
    Service/Application = ANY
    Action = DROP
    Logging = Enabled
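To make the first-match behavior of sections 4 to 6 concrete, here is an added example (not from the article or any vendor) of a small rule-base evaluator loaded with the SANS ordering and the cleanup rule above. All addresses and rules are constructed samples; the misordered() variant shows why the anti-spoofing filters must sit above the user permit rules.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str       # source CIDR or "ANY"
    dst: str       # destination CIDR or "ANY"
    service: str   # e.g. "tcp/80", "udp/162", "ospf", or "ANY"
    action: str    # "ACCEPT" or "DROP"
    log: bool = False

def _cidr_match(cidr, addr):
    return cidr == "ANY" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def evaluate(rules, pkt, log):
    """First match wins: return (action, rule name); later rules never see the packet.
    A packet matching no rule at all still gets the default block."""
    for r in rules:
        if (_cidr_match(r.src, pkt["src"]) and _cidr_match(r.dst, pkt["dst"])
                and r.service in ("ANY", pkt["service"])):
            if r.log:
                log.append(f"{r.name}: {r.action} {pkt['src']} -> {pkt['dst']} {pkt['service']}")
            return r.action, r.name
    return "DROP", None

# Constructed rule base for an Internet-facing interface, in the SANS order quoted above.
# 203.0.113.0/24 stands in for the public/DMZ range; 10.0.0.0/8 is internal.
RULES = [
    # 1. anti-spoofing: internal and private source addresses never arrive from outside
    Rule("antispoof", "10.0.0.0/8", "ANY", "ANY", "DROP", log=True),
    Rule("antispoof", "192.168.0.0/16", "ANY", "ANY", "DROP", log=True),
    # 2. user permit: HTTP to the public web server
    Rule("web", "ANY", "203.0.113.10/32", "tcp/80", "ACCEPT"),
    # 3. management permit: SNMP traps from DMZ devices to the network management server
    Rule("snmp-trap", "203.0.113.0/24", "10.0.0.5/32", "udp/162", "ACCEPT"),
    # 4. noise drops: routing chatter, dropped silently so it does not flood the log
    Rule("noise", "ANY", "ANY", "ospf", "DROP"),
    Rule("noise", "ANY", "ANY", "hsrp", "DROP"),
    # 5/6. cleanup rule: Source/Destination/Service = ANY, Action = DROP, Logging = Enabled
    Rule("cleanup", "ANY", "ANY", "ANY", "DROP", log=True),
]

def misordered():
    """The same rules with the web permit placed above the anti-spoofing filters."""
    return [r for r in RULES if r.name == "web"] + [r for r in RULES if r.name != "web"]
```

With RULES, a packet from 10.1.2.3 to the web server on tcp/80 is dropped and logged by the anti-spoofing filter; with misordered() the same spoofed packet is accepted by the web rule, which is exactly the ordering mistake the SANS checklist guards against.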

7. Modify Accept All Rules

An “Accept All” rule lets any traffic through and can thereby prevent a process or system from reaching its full productive potential. Therefore, it is essential to remove it from your firewall policy and only allow legitimate IP addresses to connect to private networks.

8. Audit Logs

Security tools such as Windows Firewall customarily come with built-in reporting features that provide detailed information about your network traffic. The tool generates firewall logs that can be audited for changes or anomalies that might require modifications to firewall settings. Better yet, maintaining audit logs can also help with firewall optimization.

PCI DSS Guide states that firewall audit tools automate the analysis of complex and bloated rule sets to validate and demonstrate enterprise access controls and configuration change management processes. eSecurity Planet also notes that some of the most advanced tools include artificial intelligence or machine learning capabilities that can help you spot essential details you might otherwise have missed. In this case, logs provide data that shows which firewall rules are unused and which are being hit. Log data also reveals false positives, that is, traffic that was not supposed to trigger an alert. Overall, audit logs present vital information that guides changes to firewall rules to improve service and enhance security.

9. Maintaining Firewall Rules

Networks constantly change by gaining new services, devices, and users. Consequently, organizations need to add or review firewall rules to allow access to new services and applications. Sometimes the process involves deleting old firewall rules. All things considered, it is a best practice to establish a regular maintenance schedule to make updated changes to the firewall policy.

PCI DSS calls for actions such as deleting unhelpful, unused, and expired firewall rules to clean up your firewall policy. Additionally, the standard recommends disabling unused connections and source/destination/service paths in firewall rules. Security administrators should also apply object naming conventions that make the rule base easier to understand.

10. Patching / Updating the Firewall

Always keep the firewall updated with the latest patches and firmware. Failure to update the security tool leaves it vulnerable to attacks and renders the firewall rules useless. Next-generation firewall vendors regularly release software updates to address newly discovered security threats, often through minor changes to the solution. Consequently, it is essential to keep updating your firewall software to ensure your IT environment is secure with no potential security gaps.

11. Automating the Firewall

Organizations embrace new technologies that require constant updates to firewall rules. Apart from that, network administrators manage many applications, servers, devices, and users, each requiring new rules or modifications of existing ones. As a result, IT personnel may get flooded with requests that take time and resources to analyze and resolve. Such constraints can lead to outdated, unused, unaudited, and overly permissive firewall rules, which degrade firewall performance and increase exposure to cyberattacks.

Fortunately, an automation solution for firewall configuration updates can help enforce the established firewall rule change procedures. In addition, eSecurity Planet notes that automation typically helps you prevent mistakes and avoid firewall failures. Better yet, it frees administrators to perform the higher-level tasks necessary for increased security.

Conclusion

Ultimately, these best practices for firewall configuration guide you in setting a security mindset and maintaining a secured network and system. In any business, firewall configuration changes are vital to network security, and it is indispensable to streamline rule changes and remove configuration gaps. Besides that, it is crucial to record all configuration changes in real-time and generate logs or trigger notifications whenever a security administrator modifies a rule.

In effect, security personnel must strike a balance between the need for enhanced security and the need for fast performance when configuring network firewalls. This article articulates steps they can take to fine-tune their firewall rules to achieve an ideal balance between security and speed.


George Mutune

I am a cyber security professional with a passion for delivering proactive strategies for day-to-day operational challenges. I am excited to be working with leading cyber security teams and professionals on projects that involve machine learning & AI solutions to solve the cyberspace menace and cut through the inefficiencies that plague today's business environments.
