
How to configure your firewall for maximum effectiveness

14 Nov 18

Article by ManageEngine marketing analyst Mouli Srinivasan

Your firewall is the first line of defence against security threats, but simply adding firewall devices to your network doesn't ensure your network is secure.

You need to regularly analyse your firewall's syslog and configuration, and optimise its performance in order to protect your network.

The heart of any firewall's performance is its rules and policies.

If not managed properly, these can leave your network vulnerable to attacks.

Gartner predicts that 99% of exploited vulnerabilities will continue to be ones known by security and IT professionals for at least one year.

Gartner concludes that the best and cheapest way to mitigate cyber attacks caused by known vulnerabilities is by removing them altogether with regular patching.

For many security admins, maintaining optimal rule performance is a daunting task.

Businesses are demanding that networks perform faster, leaving security admins balancing on the thin line separating speed and security.

With these challenges in mind, here are some firewall best practices that can help security admins handle the conundrum of speed vs security.

1. Document firewall rules, and add comments to explain special rules.

It's critical for everyone in an IT team to have visibility over all the rules that have been written.

Along with the list of rules, it's important to record:

  1. The purpose of a rule.

  2. The name of the security admin who wrote the rule along with date of creation.

  3. The users/services affected by the rule.

  4. The devices/interfaces affected by the rule.

You can record this information as comments when creating a new rule or modifying an existing rule. The first thing you should do, if you haven't already, is review all the existing rules, and document the above information wherever possible.

Though this might be a time-consuming task, you'll only have to do it once, and it'll end up saving security admins a lot of time when auditing and adding new rules in the long run.

2. Reduce over-permissive rules and include "deny all" on top.

It's better to be safe than sorry. It's good practice to start off writing firewall rules with a "deny all" rule, so that anything you haven't explicitly allowed is blocked. This helps protect the network from manual errors in the rules that follow.

You'll want to avoid using over-permissive rules like "allow any" as this can put the network at risk.

Permissive rules give users more freedom, which can translate into giving users access to more resources than they need to perform business-related functions. This leads to two types of problems:

  1. Under- or over-utilised network bandwidth.

  2. Increased exposure to potentially malicious sites.

Restrict over-permissive rules, and avoid these issues altogether.

3. Review firewall rules regularly, and optimise firewall performance.

As years go by and new policies are defined by different security admins, the number of rules tends to pile up.

When new rules are defined without analysing the old ones, rules become redundant or contradict each other, causing anomalies that negatively affect your firewall's performance.

Cleaning up unused rules on a regular basis helps avoid clogging up your firewall's processor, so it's important to periodically audit rules as well as remove duplicate rules, anomalies, and unwanted policies.

4. Organise firewall rules to maximise speed.

Placing the most used rules on top and moving the lesser-used rules to the bottom helps improve the processing capacity of your firewall.

This is an activity that should be performed periodically, as different types of rules are used at different times.
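As an added example (not from the article or any ManageEngine product), the following Python script applies best practices 1 through 4 to a constructed rule list: it flags undocumented rules, "allow any" rules, and rules shadowed by an earlier rule (redundant when the actions agree, contradictory when they differ), and it reorders rules by hit count without ever moving a rule above an earlier overlapping rule that decides differently, since that would change what the firewall does. The `Rule` layout, field names and sample policy are assumptions; addresses are compared as exact text, not as subnets.

```python
"""Audit of an ordered firewall rule list (added example; rule format and sample data constructed)."""
from collections import namedtuple

ANY = "any"
# name, action ("allow"|"deny"), src/dst/port ("any" or exact text; no subnet
# math), hits (counter exported from the firewall), comment (purpose/owner/date)
Rule = namedtuple("Rule", "name action src dst port hits comment", defaults=(0, ""))
_key = lambda r: (r.src, r.dst, r.port)

def shadows(earlier, later):  # later can never fire: earlier matches all of it
    return all(e == ANY or e == l for e, l in zip(_key(earlier), _key(later)))

def overlaps(a, b):  # some packet could match both rules
    return all(x == ANY or y == ANY or x == y for x, y in zip(_key(a), _key(b)))

def audit(rules):
    """(rule name, finding) pairs: undocumented, 'allow any', shadowed rules."""
    findings = []
    for i, r in enumerate(rules):
        if not r.comment.strip():
            findings.append((r.name, "undocumented"))
        if r.action == "allow" and _key(r) == (ANY, ANY, ANY):
            findings.append((r.name, "over-permissive allow any"))
        for e in rules[:i]:
            if shadows(e, r):
                kind = "redundant" if e.action == r.action else "contradicts"
                findings.append((r.name, f"{kind} (shadowed by {e.name})"))
                break
    return findings

def reorder_by_hits(rules):
    """Busiest rules first, but a rule never moves above an earlier overlapping
    rule with a different action, so first-match decisions are unchanged."""
    ordered, remaining = [], list(rules)
    while remaining:
        for cand in sorted(remaining, key=lambda r: -r.hits):
            deps = [e for e in rules[:rules.index(cand)]
                    if e.action != cand.action and overlaps(e, cand)]
            if all(d in ordered for d in deps):
                ordered.append(cand); remaining.remove(cand); break
    return ordered

RULES = [  # constructed sample policy; first match wins
    Rule("r1", "deny", "10.0.0.0/8", ANY, "23", 40, "block telnet; jdoe 2018-11-01"),
    Rule("r2", "allow", "10.0.0.0/8", "203.0.113.10", "443", 9000, "HTTPS to payroll"),
    Rule("r3", "allow", ANY, ANY, ANY, 700),
    Rule("r4", "allow", "10.0.0.0/8", "203.0.113.10", "443", 0, "duplicate of r2"),
    Rule("r5", "allow", "10.0.0.0/8", ANY, "23", 0, "legacy telnet; owner unknown"),
]
```

On the sample policy, `audit(RULES)` reports r3 as undocumented and over-permissive, r4 as redundant with r2 and r5 as contradicting r1, while `reorder_by_hits(RULES)` promotes the busy r2 but keeps the "allow any" r3 below the deny in r1.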

5. Penetration test to check the health of your rules.

A penetration test is a simulated cyber attack against your computer system to check for exploitable vulnerabilities.

Just like how cars undergo crash tests to detect holes in the safety design, periodic penetration tests on your firewall will help you identify areas in your network's security that are vulnerable.

6. Automate security audits on a regular basis.

A security audit is a systematic, measurable technical assessment of the firewall, carried out manually, automatically, or both.

Given that it consists of a combination of manual and automatable tasks, auditing and recording the results of these tasks on a regular basis is essential.

You need a tool that can both automate tasks and record the results of manual tasks.

This will help track how configuration changes impact the firewall.

7. Have an end-to-end change management tool.

The key to efficient policy management is an end-to-end change management tool that can track and record requests from start to finish.

A typical change procedure might involve the following steps:

  1. A user raises a request for a particular change.

  2. The request is approved by the firewall/network security team, and all the details on who approves the request are recorded for future reference.

  3. After approval, the configuration is tested to confirm whether changes in the firewall will have the desired effect without causing any threat to the existing setup.

  4. Once the changes are tested, the new rule is deployed into production.

  5. A validation process is performed to ensure that the new firewall settings are operating as intended.

  6. All changes, reasons for changes, timestamps, and personnel involved are recorded.

An end-to-end change monitoring system helps ensure complete cohesion in managing changes in your network.

8. Lay out an extensive, real-time alert management plan.

A real-time alert management system is critical for efficient firewall management. You need to:

  1. Monitor the availability of the firewall in real time. If a firewall goes down, a standby firewall needs to take over immediately so that all traffic is routed through it in the meantime.

  2. Trigger alarms when the system encounters an attack so that the issue can be quickly rectified.

  3. Set alert notifications for all the changes that are made. This will help security admins keep a close eye on every change as it happens.

9. Retain logs as per regulations.

You need to retain logs for a stipulated amount of time depending on which regulations you need to comply with.

Different countries have different regulations for how long logs need to be stored for legal purposes. You should check with your legal team on which regulations your business needs to comply with.

10. Periodically check for security compliance.

Regular internal audits combined with compliance checks for different security standards are important aspects of maintaining a healthy network.

Every company will follow different compliance standards based on the industry it operates in; you can automate compliance checks and audits to run on a regular basis to ensure you're meeting industry standards.

11. Upgrade your firewall software and firmware.

No network or firewall is perfect, and hackers are working around the clock to find any loopholes they can.

Regular software and firmware updates to your firewall help eliminate known vulnerabilities in your system.

Not even the best set of firewall rules can stop an attack if a known vulnerability hasn't been patched.
