Firewalls can provide immediate protection out of the box. Is the level of protection sufficient for your business? Probably not. To achieve an acceptable level of protection, you still have to configure your firewall properly. You also have to plan security audits, establish change management plans, and implement security measures for it. We’ll cover all this as we talk about firewall best practices in this post.
Before we dive into each of the firewall best practices outlined below, let’s review why you would need a firewall in the first place. Knowing the purpose of a firewall can help you understand the reasoning behind each of those firewall best practices we’re about to discuss.
Why your business needs a firewall
Firewalls keep unwanted traffic from passing through. It prevents external threats from reaching your network and internal threats from making contact with their command-and-control (C2) server (see FAQ below for more details).
Some firewalls have spam filters that block spam email and/or web filters that prevent users from visiting malicious sites. Some modern firewalls even have Data Loss Prevention (DLP) features that detect sensitive data and prevent them from leaking out of your organization.
By leveraging these firewall capabilities, you can significantly improve your security posture and prevent malware infections, hacking attempts, data breaches, and (in some cases) even DDoS attacks (see FAQ below for more details).
The use of firewalls is also sometimes prescribed, whether explicitly or implicitly, by data privacy/protection laws and regulations. Examples of which include the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Thus, having a properly configured firewall would increase your chances of achieving compliance with these regulatory mandates.
Let’s now proceed with the first of our firewall best practices.
1. Develop a firewall deployment plan
To achieve maximum effectiveness of your firewall deployment, start with a well-thought-out plan. A firewall deployment plan will not only help you achieve optimal security, it will also enable you to reduce costs. Here are some of the things you’ll want to consider.
- Understand that there are different types of firewalls. They differ in capabilities and cost, so it’s wise to leverage their strengths accordingly. For instance, you may deploy low-cost packet-filters to non-critical assets, but assign high-end application level gateways to protect your most critical hosts, applications, and data.
- In most cases, you will need more than one firewall, which you may strategically deploy to create firewall zones. For example, you can have external, demilitarized zone (DMZ), and internal zones that would consist of public-facing hosts, DMZ-residing hosts, and LAN-based devices and hosts. Determine which hosts/devices should belong to which zone and separate each zone with a firewall.
- There may be cases when you’ll want to add a WiFi or guest zone. This is to accommodate visitors (e.g., employee family members, third parties, customers, etc.) who may want or need internet access while onsite. Ensure that this zone is logically or physically separate from your other zones.
- Don’t expose internal services to remote users unless they’re using a company-managed VPN. With the increased adoption of remote and hybrid work, you can’t avoid situations wherein remote users will need access to internally deployed hosts. If you really need to provide inbound access to those hosts, then do it through a VPN. Needless to say, your firewall should readily support VPNs.
Once you’ve deployed your firewall(s), the next step would be to configure them. Let’s talk about that part now.
2. Implement proper firewall configuration
Firewalls won’t give you the protection you need unless you configure them properly. Firewall configuration best practices always include the principle of least privilege. In the context of a firewall, this principle means restricting access to a network to those users or applications that need that access to fulfill their duties. Otherwise, access must be denied.
One way to apply this principle in a firewall is by denying all traffic by default and then explicitly allowing only those connections that are absolutely necessary. Here’s a simple example. Let’s say you have a multi-protocol file transfer server behind your firewall, but, for security reasons, the only protocols you want to allow are SFTP and FTPS. You can deny all traffic and then explicitly allow only SFTP and FTPS to pass through.
When specifying firewall rules, try to be as specific as possible. For instance, specify destination or source IP addresses or port numbers whenever applicable. Continuing with our example, it’s not enough to just allow SFTP and FTPS. You need to specify the specific IP addresses of your SFTP and FTPS servers. If you have to specify the port numbers, that would be 22 (for SFTP) and 21 (for FTPS) by default.
Firewall configuration best practices like these can significantly improve the security of your network. However, you need to make sure they’re really implemented on your firewall(s) and not just left as printed provisions in your security policy document. You can do that by instituting periodic firewall security audits.
3. Institute periodic firewall security audits
There’s a reason why compliance audits are conducted on a regular basis. For example, PCI DSS audits are typically done once a year. That’s because, generally speaking, compliance only holds true at a point in time. There’s no guarantee that a device such as a firewall can be compliant today and remain compliant forever.
For all you know, admins might tweak firewall rules to accommodate certain applications or, worse, temporarily disable the Deny-All rule to test a new application and then forget to enable it again. These oversights can put your network at risk and may result in regulatory compliance violations. However, you can catch and rectify these problems if you conduct routine firewall audits.
Firewall audits typically involve the following:
- Gathering relevant information such as previous audit reports, firewall/network security policies, network diagrams, legitimate applications in your internal network, etc.
- Checking firewall access control policies and making sure they are being followed. Note that this refers to access to the firewall and not to your network. Only authorized admins should have access to your firewall.
- Checking your firewall change management plan and seeing to it that it is being followed. See next section for more details about this plan.
- Reviewing your firewall monitoring process. It’s not enough to just deploy a firewall. Ideally, someone must monitor the firewall logs to see if there are issues (e.g., potential threats or faulty rules) that require attention.
- Reviewing firewall rules and access control lists. Make sure they are still suitable for the current makeup of your network.
Audits can also ensure newly acquired or newly migrated firewalls adhere to your firewall policies. By pairing your firewall configuration best practices with regular firewall security audits, you can shift from being compliant at only a point in time to staying compliant and secure at all times.
We briefly mentioned something about a firewall change management plan earlier. Here’s what it is and why you need it.
4. Establish a firewall change management plan
Changes that impact your IT infrastructure happen every single day. You might install new applications, deploy additional network equipment, grow your user base, adopt non-traditional work practices, and so on. As all this happens, your IT infrastructure’s attack surface will also evolve.
Sure, you can make your firewall evolve with it. However, making changes to your firewall is not something that can be taken lightly. A simple mistake can take some services offline and disrupt critical business processes. Similarly, you could also expose ports that aren’t supposed to be reachable from outside.
Before you make any changes to your firewall, you need to have a change management plan to minimize any adverse impact to your business when changes have to be made.
The plan should specify the changes you intend to implement and what you hope to achieve with it. Moreover, the change management plan must include anticipated risks as well as measures to mitigate those risks.
When carrying out the plan, you must record all pertinent details. Indicate who implemented the change, what was changed, why it was changed, and when it was changed. This will ensure you have a clear audit trail that can easily be reviewed if something goes wrong.
5. Secure your firewall
As your first line of defense, your firewall plays a critical role in your network’s security. If it’s compromised, e.g., firewall rules get tampered, threats can pass through unhindered. Worse, if you’re completely unaware of the unauthorized changes, that false sense of security will allow whoever tampered with it to conduct a prolonged attack inside your network.
To preserve the integrity of your firewall, you must implement measures to secure it. Here are some firewall hardening best practices you can apply:
- Keep your firewall software/firmware patched. This will ensure all known vulnerabilities of your firewall can no longer be exploited.
- Replace the default factory password. Replace it with a long password consisting of alphanumeric and non-alphanumeric characters as well as uppercase and lowercase characters.
- Apply the principle of least privilege to firewall access. Only authorized admins should be allowed to login and make changes to your firewall.
- Avoid insecure protocols such as HTTP, Telnet, TFTP, SNMP. These protocols are unencrypted. If they’re intercepted, it wouldn’t take much to obtain sensitive information (e.g., usernames and passwords) from them.
This is by no means an extensive list of firewall hardening best practices. What I want to emphasize here is that even though your firewall is a security device, it needs to be secured as well.
Final Words
Poorly configured firewalls are sometimes worse than having no firewall at all because it gives you a false sense of security. The same holds true with unaudited firewalls or firewalls that were deployed with no proper planning whatsoever. However, many businesses are prone to these missteps, resulting in weak network security and a failed investment.
In this post, we discussed 5 firewall best practices that can help you avoid those pitfalls, improve your security posture, and maximize the ROI of your firewall investment. We talked about best practices for deployment, configurations, auditing, applying changes, and firewall security.