We had a recent firewall failure that resulted in a few hours of downtime, but fortunately we had a backup device we could swap in. However, to manage any future incidents properly, do you have a checklist or set of firewall best practices for managing a firewall failure?
Ask the Expert
Redundancy: This involves more than simply having a spare lying around to install in the event of a firewall failure. Rather, you must ensure that some sort of automatic failover is in place.
For example, in a Cisco PIX environment, you should have one PIX device configured as the active device and another configured as the standby device. The only additional infrastructure needed in most cases is the failover cable, which is nothing more than a modified serial link cable that connects both PIX devices. In this configuration, the communication between the two devices is conducted via ACK messages sent every three seconds. If a message is not acknowledged, a retransmission is sent. If after five retransmissions there is no accompanying ACK, a failover condition is assumed and the standby device will take over as the active device.
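The hello/ACK timing in the paragraph above is easy to misjudge (how long does a standby unit wait before it takes over?). The following is an added model of that logic, not code from the answer or from Cisco: it assumes each hello or retransmission occupies one three-second slot, that a single ACK resets the retransmission count, and that failover is declared only when the original message and all five retransmissions go unanswered. Unit names and the slot sequences are constructed.

```python
# Model of the active/standby heartbeat described above (constructed example,
# not Cisco PIX code). One "slot" is one hello interval of three seconds; a
# slot is True if the active unit acknowledged the message sent in it.

HELLO_INTERVAL_S = 3      # hello/ACK sent every three seconds (from the text)
MAX_RETRANSMISSIONS = 5   # unanswered retransmissions tolerated (from the text)


def failover_time(ack_slots):
    """Return the number of seconds after which the standby unit assumes a
    failover condition, or None if the active unit always answered in time.

    ack_slots: sequence of booleans, one per hello slot.
    """
    unanswered = 0  # original message plus retransmissions not yet ACKed
    for slot, acked in enumerate(ack_slots):
        if acked:
            unanswered = 0  # one ACK clears the pending retransmissions
            continue
        unanswered += 1
        # miss 1 triggers retransmission 1, miss 2 retransmission 2, and so on;
        # once the fifth retransmission is also unanswered, failover is assumed
        if unanswered > MAX_RETRANSMISSIONS:
            return (slot + 1) * HELLO_INTERVAL_S
    return None


class FailoverPair:
    """Two units; whichever is 'active' passes traffic (names are constructed)."""

    def __init__(self, primary="pix-1", secondary="pix-2"):
        self.active, self.standby = primary, secondary

    def run(self, ack_slots):
        """Apply one heartbeat history to the pair; return (active unit, failover time)."""
        t = failover_time(ack_slots)
        if t is not None:
            # standby promotes itself; the old active unit becomes standby
            self.active, self.standby = self.standby, self.active
        return self.active, t


if __name__ == "__main__":
    pair = FailoverPair()
    # constructed history: the active unit stops answering entirely
    print(pair.run([False] * 6))   # ('pix-2', 18)
```

Under these assumptions the worst-case detection time is six unanswered slots, i.e. 18 seconds of lost forwarding before the standby unit takes over, which is the figure to plan around when deciding whether stateful failover alone meets the availability target.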
Monitoring: It is desirable to accompany your firewall infrastructure with some sort of inline monitoring device to ensure that your firewall is blocking what it is configured to block. This process can be completely passive so long as some sort of alerting mechanism is in place in the event that your monitoring device detects an anomaly.
For example, if your organization is under a serious budget constraint and you can't afford to purchase a monitoring device, you could configure a monitor port on or behind your firewall and conduct a Wireshark capture of all traffic that traverses your firewall. While this is not a firewall failure management mechanism, it will help you determine whether or not certain aspects of your firewall are failing.
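The capture on its own only shows what crossed the firewall; the useful step is comparing it with what the policy says should have been blocked. The following is an added example, not code from the answer or a Cisco tool: it assumes the capture taken behind the firewall has been exported to simple `src,dst,proto,dport` lines (for instance with tshark's field output), and it uses a constructed first-match rule set rather than a real PIX configuration. Any flow that reaches the inside monitor port but evaluates to "deny" is evidence that the firewall is not enforcing its configuration.

```python
# Check a capture taken behind the firewall against the intended policy
# (constructed example; the rule set and sample flows are not from a real device).
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed policy in first-match order: (action, src net, dst net, proto, dport).
# "any"/None are wildcards. Not a PIX ACL, just the intent it would express.
RULES = [
    ("permit", "any",        "10.0.0.10/32", "tcp", 443),  # public web server
    ("permit", "any",        "10.0.0.10/32", "tcp", 80),
    ("permit", "10.0.0.0/8", "any",          "any", None), # inside hosts outbound
    ("deny",   "any",        "any",          "any", None), # everything else
]


def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule, flow):
    _, src, dst, proto, port = rule
    return (_in_net(flow.src, src) and _in_net(flow.dst, dst)
            and proto in ("any", flow.proto)
            and port in (None, flow.dport))


def decide(flow):
    """First matching rule wins; an unmatched flow is denied."""
    for rule in RULES:
        if matches(rule, flow):
            return rule[0]
    return "deny"


def parse_capture(text):
    """Parse constructed 'src,dst,proto,dport' lines; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def find_leaks(capture_text):
    """Flows observed behind the firewall that the policy says should be denied."""
    return [f for f in parse_capture(capture_text) if decide(f) == "deny"]


# Constructed sample of what a monitor port on the inside might have seen.
INSIDE_CAPTURE = """
# src,dst,proto,dport
203.0.113.5,10.0.0.10,tcp,443
203.0.113.5,10.0.0.10,tcp,23
198.51.100.7,10.0.0.10,tcp,80
198.51.100.7,10.0.0.22,udp,161
10.0.0.15,192.0.2.9,tcp,443
"""

if __name__ == "__main__":
    for leak in find_leaks(INSIDE_CAPTURE):
        # each line here is a flow the firewall should have dropped but did not
        print("policy violation reached inside:", leak)
```

Running this over a capture from the monitor port turns a passive packet dump into the alerting signal the answer calls for: an empty result means the firewall is blocking what it is configured to block, and any reported flow is a concrete rule to investigate before it becomes a failure.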
Related Q&A from Brad Casey, Contributor