Firewalls are not the end-all, be-all solution to information security. They are, however, a necessary component of an effective information security infrastructure. The following list is a set of best practices, in no particular order, that you should consider to ensure that your firewall is configured for optimal performance and effectiveness.
Deny all traffic by default, and only enable those services that are needed.
Disable or uninstall any unnecessary services and software on the firewall that are not specifically required.
Limit the number of applications that run on the firewall in order to let the firewall do what it's best at doing. Consider running antivirus, content filtering, VPN, DHCP and authentication software on other dedicated systems behind the firewall.
If possible, run the firewall service as a unique user ID instead of administrator or root.
Change the default firewall administrator or root password. The password should not be found in a dictionary and should be a minimum of eight characters long using a combination of uppercase and lowercase letters, numbers and other characters such as $, % and @, and it needs to be changed frequently.
Do not rely on packet filtering alone. Use stateful inspection and application proxies if possible.
Ensure that you're filtering packets for correct addresses based upon the SANS Top 20 Vulnerabilities List section titled "Not filtering packets for correct incoming and outgoing addresses."
Ensure that you're filtering or disabling all unnecessary ports and common vulnerable ports based upon the SANS Top 20 Vulnerabilities List sections titled "Large number of open ports" and "Common Vulnerable Ports."
If a malicious user can obtain physical access to the firewall, anything can happen. Ensure that physical access to the firewall is controlled.
Firewalls often do less (or more) than they should, given your business needs and information flow requirements. Keep your firewall configuration as simple as possible, and eliminate unneeded or redundant rules to ensure that the firewall is configured to support your specific needs.
Make sure the security rule set on the firewall remains consistent with the organization's written information security policy. You do have a security policy, don't you?
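As an added example, not code from the original article, the following Python script checks an ordered, first-match rule set for two kinds of clutter the items above warn against: rules that an earlier rule fully shadows (they can never fire) and deny rules that a default-deny policy already covers. The Rule format and the sample rule set are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port; None means any port

def _net(cidr: str):
    return ip_network(cidr, strict=False)

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches inner also matches outer."""
    return (outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst)))

def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet could match both rules."""
    return (("any" in (a.proto, b.proto) or a.proto == b.proto)
            and (None in (a.dport, b.dport) or a.dport == b.dport)
            and _net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst)))

def find_shadowed(rules: list) -> list:
    """Indices of rules fully covered by an earlier rule: they can never fire."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

def find_redundant(rules: list, default: str = "deny") -> list:
    """Indices of rules with the default action that no later rule of a different
    action overlaps: the default policy would already handle that traffic."""
    return [i for i, r in enumerate(rules) if r.action == default
            and not any(overlaps(r, later) for later in rules[i + 1:]
                        if later.action != default)]

# Constructed sample rule set: first match wins, default policy is deny.
SAMPLE = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.0/24", 443),
    Rule("allow", "tcp", "192.168.1.0/24", "10.0.0.0/24", 443),  # shadowed by rule 0
    Rule("deny", "tcp", "10.10.0.0/16", "10.0.0.0/24", 22),      # default deny already drops this
    Rule("allow", "udp", "0.0.0.0/0", "10.0.0.53/32", 53),
    Rule("deny", "tcp", "192.168.1.77/32", "10.0.0.0/24", 22),   # needed: rule 5 would otherwise allow it
    Rule("allow", "tcp", "192.168.1.0/24", "10.0.0.0/24", 22),
]
```

A deny rule reported as redundant may still be worth keeping if it exists only to log a specific source; the script flags it so that the decision is made deliberately.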
Consider using the following in conjunction with a firewall:
Network-based intrusion-detection system (IDS)
Host-based personal firewall/intrusion-prevention products to protect workstations and servers from malicious traffic coming in over the allowed ports on the firewall
Antivirus software that is regularly updated
E-mail and Web content-filtering software
URL filtering software
Third-party authentication systems
Run the firewall on a hardened and routinely patched operating system. An insecure and non-hardened operating system can render the firewall completely useless.
If possible, use a firewall in conjunction with a router when connecting to the Internet to help prevent denial-of-service attacks and successful penetrations.
Patch the firewall's operating system and application software with the latest code on a regular basis. However, make sure you test these updates in a controlled, non-production environment whenever possible.
Use firewalls internally to segment networks and permit access control based upon business needs.
Enable firewall logging and alerting if possible.
Use a secure remote syslog server that makes log modification and manipulation more difficult for a malicious user.
Regularly monitor the firewall logs. Treat the logs as business records and include them in your data retention policy.
Note any firewall log entries that don't look right, and investigate them immediately.
Periodically back up the firewall logs (preferably onto write-once media such as CD-R) and store them for future reference and/or legal protection in the case of an intrusion that must be investigated.
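As an added example, not code from the original article, this Python script reviews a batch of firewall log lines for entries that don't look right: allowed connections to ports outside the expected set, a single source being denied on many distinct ports, and lines that no longer match the expected format (a sign of a format change or tampering). The log format and the sample lines are constructed for illustration and are not any vendor's syntax.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not any vendor's syntax).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(lines):
    """Return (events, unparseable_count); unparseable lines deserve a look of their own."""
    events, bad = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            bad += 1 if line.strip() else 0  # blank lines are not an anomaly
            continue
        e = m.groupdict()
        e["dport"] = int(e["dport"])
        events.append(e)
    return events, bad

def review(lines, expected_ports, scan_threshold=5):
    """Flag entries that don't look right so a person can investigate them."""
    events, bad = parse(lines)
    findings = []
    denied_ports = defaultdict(set)  # source -> distinct destination ports denied
    for e in events:
        if e["action"] == "DENY":
            denied_ports[e["src"]].add(e["dport"])
        elif e["dport"] not in expected_ports:  # allowed, but the rule set should not permit it
            findings.append(("unexpected-allow", e["src"], e["dport"]))
    for src, ports in denied_ports.items():
        if len(ports) >= scan_threshold:  # one source probing many ports
            findings.append(("port-scan", src, len(ports)))
    if bad:
        findings.append(("unparseable", bad))
    return findings

# Constructed sample log; the last line deliberately breaks the format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw1 ALLOW TCP 198.51.100.7:40001 -> 10.0.0.10:443
2024-05-01T10:00:02Z fw1 DENY TCP 203.0.113.5:51234 -> 10.0.0.10:21
2024-05-01T10:00:02Z fw1 DENY TCP 203.0.113.5:51235 -> 10.0.0.10:22
2024-05-01T10:00:03Z fw1 DENY TCP 203.0.113.5:51236 -> 10.0.0.10:23
2024-05-01T10:00:03Z fw1 DENY TCP 203.0.113.5:51237 -> 10.0.0.10:25
2024-05-01T10:00:04Z fw1 DENY TCP 203.0.113.5:51238 -> 10.0.0.10:3389
2024-05-01T10:00:05Z fw1 ALLOW TCP 198.51.100.9:40002 -> 10.0.0.10:8080
garbage line that does not match the expected format
"""
```

Calling review(SAMPLE_LOG.splitlines(), {443, 53}) reports the allowed connection to port 8080, the five-port probe from 203.0.113.5 and the one unparseable line.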
Consider outsourcing your firewall management to leverage the managed security service providers' aggregation of expertise, network trending analysis and intelligence, and to save time and money.
Use change-management practices for the firewall to approve changes needed, assess the reason(s) for the changes, document the changes made and describe the necessary back-out procedures in case the changes fail.
Perform vulnerability assessments on your firewall on an ongoing basis to test for known software flaws and weaknesses. New exploits are continuously discovered and must be tested for on a consistent basis. In addition, the slightest firewall system or rule set modifications can completely change the firewall's security capabilities. Perform these tests on every interface of the firewall in all directions. Also, perform these tests with and without the firewall rules enabled to determine how vulnerable you will be when the firewall is not functioning properly.
Perform ongoing audits, at least yearly, on the firewall to compare what you say you're doing in your security policy with what's actually being done and to ensure adherence to any government regulations that pertain to your organization.
Require users to run antivirus and personal firewall/intrusion-prevention software on all remote computers. This will help prevent malicious code or an attacker from penetrating the corporate network in the event that the remote computer is compromised. Make this something that cannot be easily disabled. No exceptions.
Constantly monitor (or subscribe to) your firewall vendor's security bulletins.
Regularly back up the firewall configuration files, and keep the backups offsite.
Firewalls can be easily circumvented when wireless network systems are used internally. Again, use personal firewalls/intrusion-prevention software on all internal hosts whenever possible.
Remember that firewalls won't prevent attacks that originate from inside your network. An acceptable usage policy, personal firewalls/intrusion-prevention software, network monitoring, content filtering and access controls on all hosts can help lower these risks.
NOTICE: The information contained herein is considered best practices for securing firewalls but may not constitute a secure firewall if implemented. Each firewall and its associated information systems are unique; therefore, these recommendations may not be completely suitable for your situation. As with any change, test these recommendations in a non-production environment first to ensure interoperability within your network.
About the author
Kevin Beaver has authored many articles and taught numerous workshops on information security and HIPAA compliance. He is the founder of Principle Logic, LLC, an information security consulting firm based in Atlanta, GA. Kevin can be reached at firstname.lastname@example.org.
What do you think of these best practices? Is there something Kevin missed? Share your thoughts in our forum.