Firewalls are critical components of your enterprise network and come in various shapes and sizes, from a basic stateful firewall to a full “Next-Generation” firewall with threat prevention and sandboxing. Firewalls have evolved to protect your cloud services and assets as well. If misconfigured, your network will be vulnerable to cyber attacks.
By their very nature, firewalls should block more traffic than they permit, and it is very important to follow some best practices when configuring them to avoid future issues and potential security risks.
In practice, organizations often rush through the process, sending applications live with rules designed as a quick fix rather than a long-standing solution.
When onboarding clients to NOC services, CyberArm’s network experts examine the integrity of your firewall and its setup to ensure the basics are in place. In this post, we’ll take a look at some basics of properly configuring firewall policies.
Starting with essential firewall configuration
When creating effective firewall policies, the following baseline configuration must be in place:
Disable all unnecessary and insecure network services such as Telnet.
Dedicate a workstation with no internet access to firewall management and configure the management interface to accept connections only from that workstation. Then test that access from other networks is not possible.
Make sure that management access is reachable only from internal interfaces and blocked on public ones.
Use only secure protocols to manage your firewall: SSH and HTTPS.
Set the maximum number of failed login attempts the firewall allows on the web interface and CLI before the user account is locked out.
Enable anti-spoofing on the network interfaces and make sure that the network groups in that configuration match the static routes using those interfaces: a network that is routed out of an interface but missing from its anti-spoofing group gets its traffic dropped as spoofed, while a network in the group with no matching route widens what the interface accepts as a legitimate source.
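The anti-spoofing item above is the one most often broken by later routing changes, so here is an added example, not from the original post and not CyberArm’s tooling, of comparing the two configurations offline. It assumes the usual semantics where the firewall drops a packet arriving on an interface whose source address is not in that interface’s anti-spoofing group, and that both the groups and the static routes have been exported from the firewall into the two Python structures below; the interface names, networks and routes are a constructed sample.

```python
from ipaddress import ip_network

# Constructed sample (hypothetical interface names and addresses): the networks each
# interface's anti-spoofing group claims, and the static routing table as
# (destination, egress interface) pairs.
ANTISPOOF_GROUPS = {
    "eth1-inside":  ["10.10.0.0/16"],
    "eth2-dmz":     ["192.168.50.0/24", "192.168.60.0/24"],  # 192.168.60.0/24 has no route: stale
    "eth3-partner": ["172.16.8.0/22"],
    "eth4-guest":   ["10.10.200.0/24"],                      # also inside eth1-inside's group
}
STATIC_ROUTES = [
    ("10.10.0.0/16",    "eth1-inside"),
    ("10.20.0.0/16",    "eth1-inside"),   # routed inside, but missing from the group
    ("192.168.50.0/24", "eth2-dmz"),
    ("172.16.9.0/24",   "eth2-dmz"),      # routed to the DMZ, but claimed by eth3-partner's group
    ("172.16.8.0/22",   "eth3-partner"),
    ("10.10.200.0/24",  "eth4-guest"),
]


def check_antispoofing(groups, routes):
    """Compare anti-spoofing groups with the static routes per interface.
    Returns (kind, interface, detail) findings; an empty list means the two agree."""
    nets = {ifc: [ip_network(n) for n in members] for ifc, members in groups.items()}
    routed = {}
    for dst, ifc in routes:
        routed.setdefault(ifc, []).append(ip_network(dst))
    findings = []

    # 1. Every route must be covered by the group of its egress interface; otherwise
    #    traffic from that destination arriving on the interface is treated as spoofed.
    for ifc, dsts in routed.items():
        if not nets.get(ifc):
            findings.append(("NO_GROUP", ifc, "interface has routes but no anti-spoofing group"))
            continue
        for dst in dsts:
            if not any(dst.subnet_of(g) for g in nets[ifc]):
                findings.append(("ROUTE_NOT_IN_GROUP", ifc, str(dst)))

    # 2. A group entry with no route out of that interface is stale: it widens the set of
    #    source addresses the interface accepts without any routing to justify it.
    for ifc, members in nets.items():
        for g in members:
            if not any(g.overlaps(dst) for dst in routed.get(ifc, [])):
                findings.append(("GROUP_WITHOUT_ROUTE", ifc, str(g)))

    # 3. The same prefix claimed behind two interfaces makes the check ambiguous.
    ifcs = list(nets)
    for i, a in enumerate(ifcs):
        for b in ifcs[i + 1:]:
            for ga in nets[a]:
                for gb in nets[b]:
                    if ga.overlaps(gb):
                        findings.append(("GROUP_OVERLAP", a, f"{ga} overlaps {b} {gb}"))
    return findings


if __name__ == "__main__":
    for kind, ifc, detail in check_antispoofing(ANTISPOOF_GROUPS, STATIC_ROUTES):
        print(f"{kind:20} {ifc:14} {detail}")
```

Run against the sample it reports four findings: two routes not covered by their interface’s group, one stale group entry on the DMZ interface, and the overlap between the inside and guest groups. Re-run it after every routing change rather than only at review time.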
Properly Configure your Firewall Rules or Security Policies
As a network engineer or network administrator, here is a list of best practices to consider when configuring your firewall security policies or rules:
Start by blocking all traffic by default. Achieve this with a final rule at the end of the rule base, either explicitly or implicitly depending on the platform.
Avoid a “deny” (reject) action unless there is an explicit reason for it, and use a “drop” action instead. A reject sends a TCP reset or ICMP unreachable back to the sender, confirming that a filtering device exists and which ports it filters; a drop silently discards the traffic and tells the sender nothing.
Enable logging on the drop-all rule at the end of the policy and, if applicable, insert an unlogged broadcast drop just above it so that broadcast noise does not fill the logs.
Create tags named after the network interfaces. Enable colour-coded tags so that the many types of objects are visually distinguishable; administrators can then confirm that a policy was built correctly by scanning it and checking that the colours of its objects follow the intended scheme.
Place the global blacklisted IP addresses or URLs at the top of the rule base (#1).
Place the global whitelisted IP addresses or URLs directly below the global blacklist rules (#2).
Place the global business-violating URL categories (e.g. the porn and gaming categories) below the global whitelist rules (#3).
Now gather information about which devices, networks and users require access to what, and create the corresponding rules on a least-privilege basis.
Use application-layer control when creating rules, e.g. allow your DNS server to communicate with external DNS servers by permitting the “DNS” application rather than UDP port 53. The firewall then checks that the traffic really is DNS instead of passing any protocol that happens to use port 53.
Integrate your firewall with third-party user directories such as Microsoft Active Directory. Dynamic, identity-based policy gives granular visibility and control of users, groups and machines and is easier to manage than static, IP-based policy.
Threat prevention is a natural extension of a next-generation firewall’s deep packet inspection. Enable IPS inspection of traffic for known exploits of existing vulnerabilities.
Enable file (media) filtering to block executables and malicious files from entering your network where they are not needed. Because most of this content arrives over TLS, this requires SSL/TLS inspection.
Working with a pre-existing firewall configuration policy?
Looking at existing policies, there is a common challenge: IT environments change, and with those changes come rule changes on the firewall, usually to open up access to new services, inbound or outbound.
However, the legacy rules remain in place, and over time this presents a risk that services may become exposed. This is something we commonly see in our firewall reviews, and it is actually not that hard to fix; it just requires time and patience. Most firewalls keep hit counters that highlight the busiest rules. These can be reset and monitored, and rules that stay unused can be marked for deletion, disabled, and finally removed.
The opposite problem is an overly permissive rule such as an “any any”. CyberArm’s consultants have faced it many times: how do you remove this rule without putting at risk the business application that is relying on it?
The approach is not one large change that tries to implement all the rules we think are required and then removes the “any any”. By far the easiest method is to implement the specific application rules above the “any any”, reset the hit counters and monitor over a period of days or weeks. This can be repeated as more rules are identified and implemented.
Eventually the only hits on the “any any” rule should be traffic that ought to be dropped, and the rule can be removed, with appropriate testing of course! This approach broadly holds true for generally permissive rule bases.
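The rule ordering recommended in the previous section and the “any any” retirement procedure just described are both about first-match evaluation and hit counters, so here is one added example, not from the original post and not CyberArm’s own tooling, that works through both on a constructed flow sample. It is a deliberately small first-match simulator: rules match on source, destination and decoded application only (no zones, ports or direction), the addresses, rule names and the “src,dst,app” flow format are hypothetical, and the three stages mirror the procedure above: measure the legacy rule base, add specific rules above the “any any” and re-measure, then remove it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    app: str      # application the firewall identified (e.g. "dns"), a URL category, or "any"
    action: str   # "allow" or "drop"
    log: bool = True
    hits: int = 0

    def matches(self, src, dst, app):
        return (_in_scope(src, self.src) and _in_scope(dst, self.dst)
                and self.app in ("any", app))


def _in_scope(addr, scope):
    return scope == "any" or ip_address(addr) in ip_network(scope)


# Constructed sample of observed flows (hypothetical addresses), one "src,dst,app" per line.
FLOW_LOG = """\
10.10.1.53,198.51.100.53,dns         # internal resolver -> upstream resolver
10.10.1.53,198.51.100.53,dns
10.10.5.20,203.0.113.9,https         # workstations -> web
10.10.5.21,203.0.113.9,https
10.10.5.21,203.0.113.66,https        # destination on the global blacklist
10.10.5.22,203.0.113.9,url:gaming    # business-violating URL category
192.168.50.10,10.10.5.20,ssh         # DMZ host into the inside network: must not be allowed
203.0.113.77,10.10.1.53,dns          # internet -> internal resolver: must not be allowed
10.10.5.20,255.255.255.255,netbios   # broadcast noise
10.10.1.10,192.168.50.10,ssh         # whitelisted management host
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            flows.append(tuple(p.strip() for p in line.split(",")))
    return flows


def legacy_policy():
    """Rule base in the order recommended above, with a legacy any-any allow in the middle."""
    return [
        Rule("global-blacklist", "any", "203.0.113.66/32", "any", "drop"),     # 1
        Rule("global-whitelist", "10.10.1.10/32", "any", "any", "allow"),      # 2
        Rule("block-categories", "any", "any", "url:gaming", "drop"),          # 3
        Rule("legacy-any-any",   "any", "any", "any", "allow"),                # the rule to retire
        Rule("broadcast-drop",   "any", "255.255.255.255/32", "any", "drop", log=False),
        Rule("default-drop",     "any", "any", "any", "drop"),                 # explicit and logged
    ]


def evaluate(policy, flows):
    """First-match evaluation over one monitoring window. Hit counters are reset first,
    as recommended above; returns ({rule name: hits}, log lines for logged matches)."""
    for r in policy:
        r.hits = 0
    log_lines = []
    for src, dst, app in flows:
        for r in policy:
            if r.matches(src, dst, app):
                r.hits += 1
                if r.log:
                    log_lines.append(f"{r.action.upper()} rule={r.name} {src}->{dst} app={app}")
                break
        else:  # only reached on a platform with no explicit final drop rule
            log_lines.append(f"DROP rule=<implicit> {src}->{dst} app={app}")
    return {r.name: r.hits for r in policy}, log_lines


def unused_rules(hits):
    """Disable-then-delete candidates after a window; also exposes rules shadowed by any-any."""
    return [name for name, n in hits.items() if n == 0]


def run_stages(flows):
    policy = legacy_policy()
    stage1, _ = evaluate(policy, flows)          # baseline: any-any absorbs nearly everything
    idx = next(i for i, r in enumerate(policy) if r.name == "legacy-any-any")
    policy[idx:idx] = [                          # specific, application-aware rules above it
        Rule("dns-out", "10.10.1.53/32", "any", "dns", "allow"),
        Rule("web-out", "10.10.0.0/16", "any", "https", "allow"),
    ]
    stage2, _ = evaluate(policy, flows)          # what still hits any-any should be droppable
    policy = [r for r in policy if r.name != "legacy-any-any"]
    stage3, log3 = evaluate(policy, flows)       # retired: leftovers fall to the drop rules
    return stage1, stage2, stage3, log3


if __name__ == "__main__":
    labels = ("legacy", "specific rules added", "any-any removed")
    for label, hits in zip(labels, run_stages(parse_flows(FLOW_LOG))[:3]):
        print(f"{label}: {hits}  unused={unused_rules(hits)}")
```

Two things the counters make visible that the prose only states: in the legacy stage the broadcast drop and the default drop show zero hits because everything reaches the “any any” first, so a zero counter can mean “shadowed” rather than “unneeded”; and in the final stage the broadcast drop still produces no log lines while the two leftover flows land on the logged default drop, which is the evidence you want before deleting the permissive rule.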
Further Firewall policy implementation considerations
The vast majority of network traffic is now encrypted, so firewall hardware and resources should be sized to allow for SSL/TLS decryption. If the firewall is not inspecting the majority of traffic, all the advanced threat prevention features are rendered useless and it is essentially back to being a stateful packet filter.
Is the Firewall being monitored?
Either for availability and performance, or for log analysis via a SIEM tool, which may highlight suspicious activity. If it is monitored via SNMP, ensure that strong community strings and authentication are used; SNMPv3 with authentication and encryption is preferable to the plaintext community strings of SNMPv1/v2c.
Is the Firewall close to performance capacity?
If the firewall is close to performance capacity, placing the heavily used rules at the top of the policy can be beneficial: rules are checked sequentially, so having the heaviest rules at the end means the firewall works unnecessarily hard to process traffic. Because the first matching rule wins, only move a rule above others whose scope it does not overlap; otherwise the reorder changes what is allowed.
This is not an exhaustive list. CyberArm’s consultants go into much more depth when performing reviews and building configurations, as each environment is different, but the underlying principles remain the same.
Even in this “perimeter-less” world, a properly configured Firewall plays an important role in an organisation’s cybersecurity strategy. For more information on implementing your firewall policy,