Best Practices for Firewall Rules
Basic Firewall Rules
In a firewall rule, the action component decides if it will permit or block traffic. It has an action on match feature. For example, if the traffic matches the components of a rule, then it will be permitted to connect to the network. It is essential to consider the potential security risks when modifying a firewall rule to avoid future issues. Following best practices for configuring firewalls can help you maximize the effectiveness of your solution.
Types of Best Practices
Each firewall rule should be documented to know what action the rule was intended to do. The following data, at least, should be tracked:
- The firewall rule’s purpose
- The affected service(s) or application(s)
- The affected users and devices
- The date when the rule was added
- The rule’s expiration date, if applicable
- The name of the person who added the rule
Establish a formal change procedure
Firewall rules will need to be updated for any new services and new devices that are added. Before adding or changing any firewall rules, a formal change procedure should be established for any new modifications. The following steps are some guidelines for a change procedure process:
- Have in place a change request process for users to request modifications to a specific firewall configuration
- Have a review process to analyze these new modification requests and determine the best course of action for any security practices.
- A process to test the new modification requests on the production firewall rules
- A process for deployment of the tested new modification requests into production
- A process to validate the new firewall settings to ensure proper operating
- A process to document all changes have been tracked
Block traffic by default
Start blocking all traffic by default and only allow specific traffic to identified services. This approach provides quality control over the traffic and decreases the possibility of a breach. This behavior can be achieved by configuring the last rule in an access control list to deny all traffic. This can be done explicitly or implicitly, depending on the platform.
Set all explicit firewall rules first
At the top of the rule base, set the most explicit firewall rules. This is the starting point where traffic is matched. A rule base is established rules that manage what is and what is not permitted through a firewall. Rule bases typically work on a top-down protocol in which the first rule in the list performs its action first. This action is done, so that the traffic permitted by the first rule, will never be assessed by the remainder of the rules.
SANS Institute’s Firewall Checklist, under Security Elements, recommends the following order for firewall rules to be applied:
- Anti-spoofing filters (blocked private addresses, internal addresses appearing from the outside)
- User permit rules (e.g. allow HTTP to public web server)
- Management permit rules (e.g. SNMP traps to network management server)
- Noise drops (e.g. discard OSPF and HSRP chatter)
- Deny and Alert (alert systems administrator about traffic that is suspicious)
- Deny and log (log remaining traffic for analysis)
Set explicit drop rules (Cleanup Rule)
The main purpose of firewalls is to drop all traffic that is not explicitly permitted. As a safeguard to stop uninvited traffic from passing through the firewall, place an any-any-any drop rule (Cleanup Rule) at the bottom of each security zone context. This will provide a catch-all mechanism for capturing traffic.
The firewall cleanup rule is defined as:
Source = ANY
Destination = ANY
Service / Application = ANY
Action = DROP
Logging = Enabled
Remove “Accept All” rules
This rule can cause the traffic to bottleneck (Bottleneck is a constraining element that prevents a process or system from reaching its full productive potential.) This rule should not be a firewall policy.
A built-in reporting tool is incorporated in every firewall with detailed information about your traffic. This tool will help with auditing logs looking for any changes or anomalies that might insinuate modifications to your firewall settings. In optimizing your firewall, the logs’ data will show which firewall rules are not being used and which are being activated. The logs’ data will also show you any “false positives” on traffic that was not supposed to trigger security rules, but it is doing so any way. You can change the firewall rules based off this information to reduce the false positives and improve service.
Firewall rules need reviewing
Networks are constantly changing by gaining new users and new devices. New services and new applications are being accessed which means new firewall rules will need to be added. The old firewall rules will need to be reviewed and deleted if necessary. It is a best practice to set up a regular maintenance schedule to make updated changes to the firewall rules.
Make sure the firewall device is up to date
The firewall device should always be up to date with patches and firmware. If it is not, then it is vulnerable to attacks and the firewall rules will be useless.
Automation is the key to update any firewall settings
As time passes, new technologies are created which require constant updates to the firewalls rules. As a result of new technologies becoming available, firewall administrators will be flooded with new firewall modifications. The administrators will need time and resources to analyze these new modification requests and determine the best course of action for any security practices. This time constraint and lack of resources can lead up to outdated, unused or overly permissive rules. The firewall performance can be degraded which can lead to increased malicious attacks.
An automation solution for firewall configuration updates is to help follow the change procedures. This can help prevent mistakes to avoid the production system failures. The automation process can help with time to perform higher level functions to increase overall security.
Following best practices for firewall configurations will help guide you in having a security mindset as well as having a secured network. To learn more about Liquid Web’s firewalls, visit https://fairmoon.net/firewall-protection/.