Sergey Nivens - Fotolia
Firewalls are among the oldest security tools, and when properly used, they are a foundation for IT security overall. Given that, few enterprises understand how best to use firewalls, where they should be installed and whether they are doing what they're supposed to do.
A recent CIMI Corp. survey on enterprise security found more than 90% of all security issues come from throwing point security tools at problems rather than addressing security at the IT ecosystem level. Nowhere is this more important than with how firewalls are deployed and maintained, which means understanding firewall management best practices.
What do firewalls do?
A firewall is a hardware- or software-based selective forwarding tool designed to limit traffic across a network connection according to a set of policies on valid communications exchanges. The goal is to lower the risk and filter out malicious data before it can harm a private network. Firewalls may block incoming traffic, outgoing traffic or both, and nearly all firewalls have general and exception policies that apply to each type of traffic. They are incorporated into a variety of networked devices and can operate based on IP address and port number and by application, protocol type or any combination of these and other factors.
Given how firewalls operate, they should be deployed where security policies change, which is usually at a physical network boundary point, which can be a workgroup, office, network segment or public/private network. One such boundary exists on every desk, in every data center and where every WAN service terminates. Firewalls work with physical network segmentation to enforce a security zone concept.
The link between physical network boundaries and security zone boundaries makes firewall management critical. Given the assumption that not all traffic can be permitted to access a given boundary point, firewalls should be deployed at every network point where traffic might cross.
A typical corporate network is made up of a group of employees' computers collected into workgroups or subnets that assign IP addresses to users from a pool of addresses. These often represent a workgroup address in a network segment that might include an entire branch office, a headquarters building or a community of remote workers. In addition to the workgroup, data centers typically assign fixed addresses to servers and other resources. But VM and container deployments often use virtual addresses where applications or groups of related applications have their own subnetworks. The set of subnetworks created by applications deployed on VMs and containers is the structure firewalls should protect, and each point where a firewall could or should be inserted has its own special value.
Firewall management best practices
Firewalls installed on employees' computers have the following three roles:
- To limit specific employees' abilities to gain access to all of a workgroup's applications or resources. The workgroup firewall would pass on the traffic, but individual firewalls could stop unauthorized users from gaining access.
- To limit employees' access to other computers or resources within the same workgroup, where no other firewalls stand in the path of connection. Individual firewalls work best to limit individual workgroup members' access to local resources.
- To limit the impact of planted malware.
An existing firewall can often be defeated by bad practices. It's important to use a product that can be centrally administered and ensures workers can't just allow any connection attempt. This level of protection is often the most critical in firewall management but the easiest to breach.
Firewalls should also be installed at the gateway to the workgroup. To get the most out of a firewall here, it is best to assign people who need access to the same information into a single workgroup. It may be necessary to break up current physical subnets into smaller ones to get everyone in the ideal workgroup network. If workgroups have been well organized, members should have all the access they need. Individual requirements can be customized as needed, using per-system firewalls to fine-tune connectivity.
In firewall management, the same principles can be applied further up the chain from workgroups. Facilities like branch offices or headquarters departments can have their own firewalls. To optimize the use of second-level firewalls, it's best to assign these facilities a group of IP addresses and designate a single gateway router for connectivity. The firewall would then be installed behind that gateway router.
Workgroup firewalls aren't the only application of firewall technology. Data centers and servers also need to be protected with firewalls that limit the range of IP addresses allowed to access them. If both workgroups and facilities have separate IP addresses assigned from a range of addresses that have been defined for a facility, group or application, the number of entries in the firewall will be smaller and more manageable. But server-side firewalls also require some discipline in addressing assignment for applications.
The best practice is to assign a group of connected applications with common rules for access control to an IP subnet. The subnet would then have a gateway router and the firewall placed adjacent to that router. Since container applications and DevOps best practices both mandate each application deploy in its own subnet, the application group subnet would be a higher-level subnet containing the workgroup subnets for all the applications in the group.
Using both worker- and server-side firewalls protects information and applications at both sides of a connection from worker to resource. That means that, if access rules change, it's critical to change the rules in all the firewalls in the path, or connections won't be permitted.