« How to Avoid Skype Spam | Main | Annual Verizon Data Breach Report »

Wednesday, 23 June 2010

5 Best Firewall Practices and How to Implement Them

Linda Musthaler's Network World article identifies a Top 5 best practices for firewall administrators. From the article, these are:
 

  1. Document all firewall rule changes
  2. Install all access rules with minimal access rights
  3. Verify every firewall change against compliance policies and change requests
  4. Remove unused rules from the firewall rule bases when services are decommissioned
  5. Perform a complete firewall rule review at least twice per year

These are generally good advice.
 
Linda’s article tells you what practices to implement, but not how. I’ve seen “how” discussed many times on firewall mailing lists, and I’ve described how in earlier articles, but repetition is the key to learning, so let's consider how to implement these five practices again.

How do I document firewall rule changes?

The answer is not quite as simple as recording rule changes in written or electronic forms. Firewall rule changes, a.k.a. Firewall policy life cycle management, should match security policy changes. Documenting security policy and firewall rule change are both elements of a change control process or workflow. As I mention in earlier articles (Blog 511, Blog 461), every firewall rule change must be proposed and approved as a security policy change. The change must then be implemented (entered into the firewall configuration), tested (confirmed by verifying that the traffic is allowed or blocked as intended by the policy). Log firewall events (blocked and allowed traffic) regularly. Periodically audit your firewall log files to assert that the rules you assert in your security policy are being enforced. 

Install all access rules with minimal access rights

I’ve covered the outbound traffic side of this critical aspect of firewall rule composition in my article, Firewall Best Practices – Egress Traffic Filtering.  Configuring firewalls with minimal inbound access controls follows essentially the same logic as outbound: decide upon a security policy regarding the services you will allow, then implement firewall rule changes to allow traffic only to those services that you intend to make accessible. Where appropriate or practical, apply granular constraints as well (i.e, the addresses or users who are permitted access and the directions of traffic flow between security policy boundaries such as guest, DMZ, internal, and public). 

Verify every firewall change against compliance policies and change requests

Matters of compliance must be reflected in your security policy. Your change control process must include checks that ensure you do not alter a firewall rule that will cause your security enforcement to fall out of compliance. With these measures in place, your firewall life cycle management should continue to serve your organization well.

Remove unused rules from the firewall rule bases when services are deprecated

 

Firewall policy life cycle management covers adds, drops, and changes. Decommissioning a service can be a policy action. A change in your regulatory obligations might require that you migrate from one service to another, or your assessment team may conclude that continuing to support a certain service exposes you to unacceptable risk. Decommissioning a service may be an end of life action. Managing unused rules is essentially no different from managing new rules or revising existing rules. The basic mechanisms are covered in Skeptic Blog 511 and Blog 461

Perform a complete firewall rule review at least twice per year

Firewall rule review (auditing) ought to be done more regularly than twice per year. Firewall rule review is an ongoing activity. Confirm that the firewall configuration, deployment, and operation enforce the intended security policy and cannot be circumvented. This often involves more than firewall testing and may include modem “war-dialing”; managing WLAN frequency, range and security configuration; and testing to confirm your virtual and physical LAN configurations separate internal, DMZ, and guest subnets according to the policy you intend to enforce. This is a non-trivial activity. Consider whether your review is best accomplished by means of a bi-annual audit or by combination of auditing and real time monitoring, and whether you may be better served by outsourcing this activity to a trusted provider.

Thanks to Linda for identifying a Top 5 best firewall practices to implement and providing me an opportunity to write again on a favorite subject.

 

Posted at 01:56 PM in Firewalls, Intrusion Detection, UTM |

Tags: firewall, Piscitello, Security Policy, Sheng

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Hi,
Many thanks For such informative post.Its really time saving stuff you mentioned above in Firewall.I am happy to knew about it.

Posted by: srinisha | Friday, 10 December 2010 at 12:51 AM

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories