Our organization has a solid, reputable firewall in place, but we also have various business needs that require us to have a high number of ports open. I don't believe that firewalls are dead by any means, but should we block by ports and IP addresses instead? Can you offer advice for protecting the network most effectively while keeping our ports open?
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
Firewalls are not dead; the people who say so are usually replacing a traditional firewall with another type of network filtering device that offers more capability, often a "next-generation" firewall. If you're using a traditional firewall, which is what it sounds like, you're using a 5-tuple firewall: each rule you create filters on five attributes of a packet:
- Source IP address (the address you're coming from)
- Source port (usually any, since clients pick an ephemeral source port, but it can be pinned down if needed)
- Destination IP address (the address you're going to)
- Destination port (typically 80, 443 or 25, but could be anything)
- Protocol (TCP or UDP)
Many people think of their firewall in terms of what it blocks, but a better way of thinking about it is in terms of what it allows. A good firewall denies everything by default; you must create and manage the rules that allow traffic through it. So, in a way, a firewall is a device that admits traffic into a network, and every flow it admits needs to be defined properly.
Without knowing your specific infrastructure or business requirements, I can tell you that the principle of least privilege should still apply to your firewalls. Verify which ports need to be open, open them and nothing more. I've seen many administrators blow open their rule set, creating holes in their network because they can't figure out what needs to be open. Use the attributes above to limit the traffic by source, destination IP, port and protocol whenever possible.
Firewall policy management is how you keep it that way. Review your rule base frequently, and determine whether rules can be consolidated or should be kept separate. In many instances a rule was created for a particular system, network or service, but other systems piggyback through it because it was written more broadly than that one purpose required. Create each rule with a single purpose and as tightly as possible; otherwise there will be confusion and, most likely, a hole in the network.
Lastly, if a particular access rule is only used on an as-needed basis, disable it until it is needed. For example, if a support agreement lets a vendor into your network through a specific rule, keep that rule disabled until the vendor actually needs access. Don't leave it open.
Firewall exceptions will always be needed for various business reasons, but diligent firewall rules management -- reviewing default policies and exceptions on a regular basis -- helps avoid having more open ports than are absolutely needed.
This was first published in January 2013