Article by ManageEngine marketing analyst Mouli Srinivasan
Your firewall is the first line of defence against security threats; but simply adding firewall devices to your network doesn't ensure your network is secure.
You need to regularly analyse your firewall's syslog and configuration, and optimise its performance in order to protect your network.
The heart of any firewall's performance is its rules and policies.
If not managed properly, these can leave your network vulnerable to attacks.
Gartner predicts that 99% of exploited vulnerabilities will continue to be ones known by security and IT professionals for at least one year.
Gartner concludes that the best and cheapest way to mitigate cyber attacks caused by known vulnerabilities is by removing them altogether with regular patching.
For many security admins, maintaining optimal rule performance is a daunting task.
Businesses are demanding that networks perform faster, leaving security admins balancing on the thin line separating speed and security.
With these challenges in mind, here are some firewall best practices that can help security admins handle the conundrum of speed vs security.
It's critical for everyone in an IT team to have visibility over all the rules that have been written.
Along with the list of rules, it's important to record:
The purpose of a rule.
The name of the security admin who wrote the rule along with date of creation.
The users/services affected by the rule.
The devices/interfaces affected by the rule.
You can record this information as comments when creating a new rule or modifying an existing rule. The first thing you should do, if you haven't already, is review all the existing rules, and document the above information wherever possible.
Though this might be a time-consuming task, you'll only have to do it once, and it'll end up saving security admins a lot of time when auditing and adding new rules in the long run.
It's better to be safe than sorry. It's good practice to start off writing firewall rules with a "deny all" rule. This helps protect the network from manual errors.
You'll want to avoid using over-permissive rules like "allow any" as this can put the network at risk.
Permissive rules give users more freedom, which can translate into giving users access to more resources than they need to perform business-related functions. This leads to two types of problems:
Under or overutilised network bandwidth.
Increased exposure to potentially malicious sites.
Restrict over-permissive rules, and avoid these issues altogether.
As years go by and new policies are defined by different security admins, the number of rules tends to pile up.
When new rules are defined without analysing the old ones, these rules become redundant and can contradict each other, causing anomalies that negatively affect your firewall's performance.
Cleaning up unused rules on a regular basis helps avoid clogging up your firewall's processor, so it's important to periodically audit rules as well as remove duplicate rules, anomalies, and unwanted policies.
Placing the most used rules on top and moving the lesser-used rules to the bottom helps improve the processing capacity of your firewall.
This is an activity that should be performed periodically, as different types of rules are used at different times.
A penetration test is a simulated cyber attack against your computer system to check for exploitable vulnerabilities.
Just like how cars undergo crash tests to detect holes in the safety design, periodic penetration tests on your firewall will help you identify areas in your network's security that are vulnerable.
A security audit is a manual or systematic measurable technical assessment of the firewall.
Given that it consists of a combination of manual and automatable tasks, auditing and recording the results of these tasks on a regular basis is essential.
You need a tool that can both automate tasks, and record results from manual tasks.
This will help track how configuration changes impact the firewall.
The key to efficient policy management is an end-to-end change management tool that can track and record requests from start to finish.
A typical change procedure might involve the following steps:
A user raises a request for a particular change.
The request is approved by the firewall/network security team, and all the details on who approves the request are recorded for future reference.
After approval, the configuration is tested to confirm whether changes in the firewall will have the desired effect without causing any threat to the existing setup.
Once the changes are tested, the new rule is deployed into production.
A validation process is performed to ensure that the new firewall settings are operating as intended.
All changes, reasons for changes, timestamps, and personnel involved are recorded.
An end-to-end change monitoring system helps ensure complete cohesion in managing changes in your network.
A real-time alert management system is critical for efficient firewall management. You need to:
Monitor the availability of the firewall in real time. If a firewall goes down, an alternate firewall needs to immediately go up so all traffic can be routed through this firewall for the time being.
Trigger alarms when the system encounters an attack so that the issue can be quickly rectified.
Set alert notifications for all the changes that are made. This will help security admins keep a close eye on every change as it happens.
You need to retain logs for a stipulated amount of time depending on which regulations you need to comply with.
Different countries have different regulations for how long logs need to be stored for legal purposes. You should check with your legal team on which regulations your business needs to comply with.
Regular internal audits combined with compliance checks for different security standards are important aspects of maintaining a healthy network.
Every company will follow different compliance standards based on the industry that business is in; you can automate compliance checks and audits to run on a regular basis to ensure you're meeting industry standards.
No network or firewall is perfect, and hackers are working around the clock to find any loopholes they can.
Regular software and firmware updates to your firewall help eliminate known vulnerabilities in your system.
Not even the best set of firewall rules can stop an attack if a known vulnerability hasn't been patched.