
Preparing for a firewall failure: Firewall best practices

Is your enterprise ready for a firewall failure? Uncover firewall best practices to help you prepare.

We had a recent firewall failure that resulted in a few hours of downtime, but fortunately we had a backup device we could swap in. However, to manage any future incidents properly, do you have a checklist or set of firewall best practices for managing a firewall failure?

Ask the Expert


My suggestions on preparing for a firewall failure can be summed up in two words: redundancy and monitoring.

Redundancy: This involves more than keeping a spare on the shelf to install after a firewall failure; the hours of downtime you describe are the cost of that approach. You need automatic failover: a second unit that carries the same configuration, detects that the first unit has failed and takes over without anyone being paged. You also need to prove that it works, by failing over deliberately during a maintenance window on a regular schedule, because a standby unit that has never been used is an untested assumption.

For example, in a Cisco PIX environment, you should have one PIX configured as the active unit and a second, identically licensed PIX configured as the standby unit. In the classic cable-based setup the only additional infrastructure is the failover cable, a modified serial cable that connects the two units; later PIX releases also support LAN-based failover over a dedicated Ethernet link. The two units exchange hello messages over the failover cable and over each network interface at a poll interval set with the failover poll command. When the standby unit misses consecutive hellos from the active unit, it tests the interfaces and, if the active unit is judged to have failed, takes over the active unit's IP and MAC addresses so that neighbouring hosts need no reconfiguration. One caveat: failover is only stateful if you dedicate an interface to connection-state replication with the failover link command; without it the standby still takes over, but every established connection through the firewall is dropped at switchover.
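The active/standby setup described above, as an added configuration example that is not from the original answer or from Cisco's documentation. It uses PIX 6.x command syntax; the hostname, interface names and RFC 5737 addresses are constructed for illustration, and it assumes cable-based failover, where the standby unit is left unconfigured and receives this configuration from the active unit over the failover cable when it boots.

```text
: Added example for the primary (active) PIX; names and addresses are
: constructed for illustration, not taken from any real deployment.
hostname pix-primary
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security10
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address stateful 10.255.0.1 255.255.255.0
: Addresses the standby unit answers on while it is standby; on failover
: the units swap, so whichever unit is active always holds the .1 address.
failover ip address outside 203.0.113.2
failover ip address inside 192.168.1.2
failover ip address stateful 10.255.0.2
: Dedicated interface for stateful failover. Leaving this line out is the
: weak configuration: failover still happens, but every established
: connection is lost at switchover.
failover link stateful
: Hello interval in seconds (the 6.x default is 15). Shorter means faster
: detection of a dead peer but more exposure to a spurious failover when
: a link is congested.
failover poll 5
failover
```

After both units are up, show failover on either unit reports which one is active, whether the peer is reachable, and the status of each monitored interface; that output is what you check during the scheduled failover test, and a sudden change in it is what your monitoring should alert on.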

Monitoring: Pair the firewall with a sensor that watches the traffic on the protected side, so you can confirm that the firewall is actually blocking what it is configured to block. The sensor can be completely passive, fed from a network tap or a switch monitor (SPAN) port, as long as an alerting mechanism fires when it sees traffic the policy says should have been stopped. The reason this matters is that a firewall that fails open looks exactly like a working firewall until somebody checks what is getting through.

For example, if your organization is under a serious budget constraint and you can't afford to purchase a monitoring device, you could configure a monitor port on the switch directly behind your firewall and capture the traffic that traverses the firewall with Wireshark or tcpdump. Capturing everything fills disks quickly, so filter for what the policy says must never appear on the inside segment, such as connections from the Internet to anything other than your published services, and alert on those hits. While this is not a firewall failure management mechanism, it will help you determine whether certain aspects of your firewall are failing, and it catches the dangerous case of a firewall that has failed open. Be aware of what a capture on the inside cannot show you: legitimate traffic that a firewall failing closed is dropping. For that you need to compare against a capture on the outside, or run periodic test connections from outside to the services you expect to be reachable.
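The check described above, as an added example that is not part of the original answer: a Python script that reads tcpdump-style lines captured on a monitor port on the inside of the firewall and flags connection attempts that the firewall's intended policy says should never have reached that segment. The policy rules, the addresses and the capture lines are constructed for illustration; to use it, feed it the output of tcpdump -nn -l from your own monitor port and encode your own rulebase in POLICY.

```python
"""Compare a capture taken behind the firewall against the firewall's intended
policy, so that a firewall that has failed open is noticed.

Added example, not from the original article. The policy, the hosts and the
tcpdump-style sample lines are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# One line of "tcpdump -nn" output for a TCP segment looks like this
# (constructed sample):
#   12:00:01.000100 IP 198.51.100.7.41234 > 192.168.1.10.443: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset                # empty means "any destination port"


def rule(action, src, dst, dports=()):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                frozenset(dports))


# Intended policy of the firewall in front of 192.168.1.0/24 (constructed):
# first match wins, and anything not matched is denied.
POLICY = [
    rule("permit", "0.0.0.0/0", "192.168.1.10/32", [80, 443]),  # public web server
    rule("permit", "192.168.1.0/24", "0.0.0.0/0"),             # inside hosts may go out
]


def expected_action(src, dst, dport):
    """What the firewall should do with a new connection src -> dst:dport."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in POLICY:
        if s in r.src and d in r.dst and (not r.dports or dport in r.dports):
            return r.action
    return "deny"                    # implicit deny at the end of the rulebase


def parse_syns(lines):
    """Yield (ts, src, dst, dport) for TCP SYNs, i.e. new connection attempts.
    Lines that do not parse (IPv6, ARP, truncated lines) are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S":
            continue
        yield m["ts"], m["src"], m["dst"], int(m["dport"])


def find_leaks(capture_lines, protected_net="192.168.1.0/24"):
    """Return SYNs seen on the protected side that the policy says to deny.
    Any hit means the firewall is passing traffic it is configured to block."""
    net = ipaddress.ip_network(protected_net)
    leaks = []
    for ts, src, dst, dport in parse_syns(capture_lines):
        if ipaddress.ip_address(dst) not in net:
            continue                 # outbound traffic is not what this check covers
        if expected_action(src, dst, dport) == "deny":
            leaks.append((ts, src, dst, dport))
    return leaks


# Constructed capture from the inside monitor port. Two of these SYNs
# (telnet to an internal host, SSH to the web server) should never have
# arrived; the others are permitted, outbound, not SYNs, or not parseable.
SAMPLE_CAPTURE = [
    "12:00:01.000100 IP 198.51.100.7.41234 > 192.168.1.10.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.200300 IP 198.51.100.7.41235 > 192.168.1.20.23: Flags [S], seq 2, win 64240, length 0",
    "12:00:02.000000 IP 192.168.1.20.50000 > 203.0.113.5.443: Flags [S], seq 3, win 64240, length 0",
    "12:00:02.500000 IP 198.51.100.9.6000 > 192.168.1.10.80: Flags [S], seq 4, win 64240, length 0",
    "12:00:03.000000 IP 198.51.100.9.6001 > 192.168.1.10.22: Flags [S], seq 5, win 64240, length 0",
    "12:00:03.100000 IP 198.51.100.7.41235 > 192.168.1.20.23: Flags [.], ack 1, win 64240, length 0",
    "12:00:03.200000 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit",
]

if __name__ == "__main__":
    for ts, src, dst, dport in find_leaks(SAMPLE_CAPTURE):
        print(f"ALERT {ts} firewall passed {src} -> {dst}:{dport} (policy: deny)")
```

Only SYNs are examined because a policy violation shows up as a new connection being accepted; subsequent segments of the same flow add nothing. Running this continuously against a live tcpdump pipe, with the print replaced by your alerting hook, turns a cheap capture box into the passive sensor the text describes.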

This was last published in April 2014
