June 2010

5 Best Firewall Practices and How to Implement Them

Linda Musthaler's Network World article identifies five best practices for firewall administrators. From the article, these are:

  1. Document all firewall rule changes
  2. Install all access rules with minimal access rights
  3. Verify every firewall change against compliance policies and change requests
  4. Remove unused rules from the firewall rule bases when services are decommissioned
  5. Perform a complete firewall rule review at least twice per year

This is generally good advice. Linda’s article tells you what practices to implement, but not how. I’ve seen “how” discussed many times on firewall mailing lists, and I’ve described how in earlier articles, but repetition is the key to learning, so let's consider how to implement these five practices again.

How do I document firewall rule changes?

The answer is not quite as simple as recording rule changes in written or electronic forms. Firewall rule changes, a.k.a. firewall policy life cycle management, should track security policy changes. Documenting security policy changes and documenting firewall rule changes are both elements of a change control process or workflow. As I mention in earlier articles (Blog 511, Blog 461), every firewall rule change must be proposed and approved as a security policy change. The change must then be implemented (entered into the firewall configuration) and tested (confirmed by verifying that the traffic is allowed or blocked as the policy intends). Log firewall events (blocked and allowed traffic) regularly. Periodically audit your firewall log files to confirm that the rules you state in your security policy are being enforced.
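The last step above, auditing the logs to confirm that the written policy is what the firewall actually enforces, is the one most often skipped because it looks like manual work. The script below is an added example (not from the original post, and not any vendor's tool) of how that audit can be automated for iptables-style LOG output: the policy is reduced to the set of permitted (protocol, port) pairs, every logged decision is compared against what the policy says should have happened, and each mismatch becomes a finding. The log lines, the FW-ACCEPT/FW-DROP log prefixes and the policy set are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed iptables-style LOG lines for the example (not a real capture). The
# FW-ACCEPT / FW-DROP prefixes are assumed to be the --log-prefix values configured on
# the firewall's LOG rules, so each line records what the firewall actually did.
SAMPLE_LOG = """\
Jun 14 08:01:12 fw1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.20 PROTO=TCP SPT=51234 DPT=443
Jun 14 08:01:15 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.20 PROTO=TCP SPT=51235 DPT=23
Jun 14 08:02:03 fw1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.55 DST=192.0.2.21 PROTO=TCP SPT=40001 DPT=3389
Jun 14 08:02:40 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40002 DPT=80
Jun 14 08:03:11 fw1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=UDP SPT=53000 DPT=53
Jun 14 08:03:12 fw1 kernel: eth0: link is up
"""

# The written security policy for inbound traffic on the public interface, reduced to
# the (protocol, destination port) pairs it permits; everything else must be dropped.
POLICY_ALLOWED = {("TCP", 80), ("TCP", 443), ("UDP", 53)}

LOG_RE = re.compile(
    r"kernel: FW-(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Discrepancy:
    line_no: int
    src: str
    dst: str
    proto: str
    dpt: int
    expected: str   # what the policy says should have happened
    observed: str   # what the firewall logged


def expected_action(proto, dpt, policy=POLICY_ALLOWED):
    """The policy is default-deny: only listed (proto, port) pairs may be accepted."""
    return "ACCEPT" if (proto, dpt) in policy else "DROP"


def audit_log(text, policy=POLICY_ALLOWED):
    """Compare each logged decision with the decision the policy expects.

    Returns (discrepancies, unparsed) so that lines the parser could not read are
    reported rather than silently skipped; a log that is mostly unparsed is itself a
    finding, because enforcement cannot be confirmed from it.
    """
    discrepancies, unparsed = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            unparsed.append(line_no)
            continue
        proto, dpt = m["proto"], int(m["dpt"])
        expected = expected_action(proto, dpt, policy)
        if expected != m["action"]:
            discrepancies.append(
                Discrepancy(line_no, m["src"], m["dst"], proto, dpt, expected, m["action"])
            )
    return discrepancies, unparsed


if __name__ == "__main__":
    found, skipped = audit_log(SAMPLE_LOG)
    for d in found:
        print(f"line {d.line_no}: {d.proto}/{d.dpt} {d.src}->{d.dst} "
              f"logged {d.observed}, policy expects {d.expected}")
    print(f"{len(skipped)} line(s) could not be parsed: {skipped}")
```

Run against the sample, the audit flags line 3 (RDP accepted where the policy lists no such service) and line 4 (HTTP dropped where the policy permits it); the first is the kind of finding that usually traces back to an undocumented rule change, the second to a change that was never tested. The line that is not a firewall event is reported as unparsed rather than ignored.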

Install all access rules with minimal access rights

I’ve covered the outbound traffic side of this critical aspect of firewall rule composition in my article, Firewall Best Practices – Egress Traffic Filtering. Configuring firewalls with minimal inbound access controls follows essentially the same logic as outbound: decide upon a security policy regarding the services you will allow, then implement firewall rule changes to allow traffic only to those services that you intend to make accessible. Where appropriate or practical, apply granular constraints as well (i.e., the addresses or users who are permitted access and the directions of traffic flow between security policy boundaries such as guest, DMZ, internal, and public).
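Here is what "allow traffic only to the services you intend to make accessible, with granular constraints" looks like when you write the policy down first and derive the rule base from it. This is an added example, not code from the original post: the policy is a constructed list of services, each with the narrowest source prefix the business need allows (the 10.10.5.0/24 admin subnet is an assumption), and from it the script renders an nftables input chain whose chain policy is drop, so anything not listed never gets in. The is_permitted function evaluates a connection the same way the rendered chain would, which is the "test" step of the change process.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Service:
    name: str
    proto: str        # "tcp" or "udp"
    port: int
    sources: tuple    # source prefixes permitted to reach this service


# Constructed inbound policy for the example: only the services the organization intends
# to expose, each with the narrowest source constraint the business need allows. The
# admin subnet 10.10.5.0/24 is an assumption made for the example.
INBOUND_POLICY = (
    Service("https", "tcp", 443, ("0.0.0.0/0",)),
    Service("dns", "udp", 53, ("0.0.0.0/0",)),
    Service("ssh-admin", "tcp", 22, ("10.10.5.0/24",)),
)


def render_nft_input(policy, iface="eth0"):
    """Render an nftables input chain: default deny, then one accept per (service, source)."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",   # nothing unlisted is allowed
        "    ct state established,related accept",               # replies to permitted flows
        '    iifname "lo" accept',
    ]
    for svc in policy:
        for src in svc.sources:
            net = ipaddress.ip_network(src)
            saddr = "" if net == ANY else f" ip saddr {net}"   # omit the clause for "anywhere"
            lines.append(
                f'    iifname "{iface}"{saddr} {svc.proto} dport {svc.port} '
                f'accept comment "{svc.name}"'
            )
    lines += ["  }", "}"]
    return "\n".join(lines)


def is_permitted(policy, src_ip, proto, port):
    """Evaluate a new inbound connection the way the rendered chain would: an explicit
    (source, proto, port) match accepts it; anything else falls through to the drop policy."""
    addr = ipaddress.ip_address(src_ip)
    for svc in policy:
        if svc.proto == proto and svc.port == port:
            if any(addr in ipaddress.ip_network(s) for s in svc.sources):
                return True
    return False


if __name__ == "__main__":
    print(render_nft_input(INBOUND_POLICY))
```

Because the rule base is generated from the policy rather than edited by hand, a service that is not in the policy cannot acquire an accept rule by accident, and removing a service from the policy removes its rules on the next render, which is the decommissioning practice further down this post.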

Verify every firewall change against compliance policies and change requests

Matters of compliance must be reflected in your security policy. Your change control process must include checks that ensure you do not alter a firewall rule that will cause your security enforcement to fall out of compliance. With these measures in place, your firewall life cycle management should continue to serve your organization well.
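A change control process "includes checks" only if something actually runs them before the rule is installed. The gate below is an added example, not code from the original post or from any compliance framework: a proposed rule must trace back to an approved change request, and an accept rule is rejected when it would breach one of the organization's compliance constraints. The ticket register, the internal address range, the application subnet that alone may reach the database, and the list of cleartext management ports are all constructed stand-ins for whatever your own policy says.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleChange:
    ticket: str      # change-request identifier the rule must trace back to
    action: str      # "accept" or "drop"
    src: str         # source prefix
    dst_zone: str    # "dmz" or "internal"
    proto: str
    port: int


# Constructed change-request register: the change board's decision per ticket.
APPROVALS = {"CR-2010-0614": "approved", "CR-2010-0615": "pending"}

# Constructed compliance constraints standing in for the organization's policy (assumed):
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # internal address space
APP_SUBNET = ipaddress.ip_network("10.20.0.0/24")   # only tier allowed to reach the database
CLEARTEXT_MGMT = {21, 23}                           # ftp, telnet: never accepted from outside INTERNAL
DB_PORT = 3306


def check_change(change, approvals=APPROVALS):
    """Return the reasons this change must not be installed; an empty list means it passes."""
    problems = []
    status = approvals.get(change.ticket)
    if status != "approved":
        problems.append(f"ticket {change.ticket} is not approved (status: {status})")
    if change.action != "accept":
        return problems   # a rule that only tightens access needs just the approval check here
    src = ipaddress.ip_network(change.src, strict=False)
    if change.dst_zone == "internal" and not src.subnet_of(INTERNAL):
        problems.append(f"{src} lies outside the internal range and may not be accepted into the internal zone")
    if change.port in CLEARTEXT_MGMT and not src.subnet_of(INTERNAL):
        problems.append(f"cleartext management port {change.port} may not be accepted from {src}")
    if change.port == DB_PORT and not src.subnet_of(APP_SUBNET):
        problems.append(f"database port {DB_PORT} is reachable only from {APP_SUBNET}, not {src}")
    return problems


if __name__ == "__main__":
    proposed = RuleChange("CR-2010-0615", "accept", "0.0.0.0/0", "dmz", "tcp", 23)
    for reason in check_change(proposed):
        print("REJECT:", reason)
```

The gate is deliberately two checks in one: a rule that is compliant but undocumented fails on the ticket, and a rule that is approved but non-compliant fails on the constraint, so the approval record alone can never push an out-of-compliance rule into the firewall.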

Remove unused rules from the firewall rule bases when services are deprecated

Firewall policy life cycle management covers adds, drops, and changes. Decommissioning a service can be a policy action: a change in your regulatory obligations might require that you migrate from one service to another, or your assessment team may conclude that continuing to support a certain service exposes you to unacceptable risk. Decommissioning a service may also be an end-of-life action. Managing unused rules is essentially no different from managing new rules or revising existing rules. The basic mechanisms are covered in Skeptic Blog 511 and Blog 461.

Perform a complete firewall rule review at least twice per year

Firewall rule review (auditing) ought to be done more often than twice per year; it is an ongoing activity. Confirm that the firewall configuration, deployment, and operation enforce the intended security policy and cannot be circumvented. This often involves more than firewall testing and may include modem “war-dialing”; managing WLAN frequency, range, and security configuration; and testing to confirm that your virtual and physical LAN configurations separate internal, DMZ, and guest subnets according to the policy you intend to enforce. This is a non-trivial activity. Consider whether your review is best accomplished by means of a twice-yearly audit or by a combination of auditing and real-time monitoring, and whether you may be better served by outsourcing this activity to a trusted provider.
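Two of the mechanical parts of a rule review, finding rules for decommissioned services (the practice two sections up) and finding rules that can never fire, can be scripted so the periodic review is spent on judgement rather than on reading counters. The script below is an added example, not code from the original post: it parses a constructed `iptables -nvL INPUT --line-numbers` snapshot, reports rules whose packet counters never moved during the review period as decommissioning candidates, and reports rules that are shadowed, meaning an earlier rule already matches every packet they would match. The snapshot, addresses and ports are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed `iptables -nvL INPUT --line-numbers` snapshot (not real output), taken at
# the end of the review period; the columns follow the real iptables layout.
SNAPSHOT = """\
Chain INPUT (policy DROP 120 packets, 9600 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     8421  600K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.0.2.20           tcp dpt:443
2        0     0 ACCEPT     tcp  --  eth0   *       203.0.113.0/24       192.0.2.20           tcp dpt:443
3        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.0.2.30           tcp dpt:8080
4      312   24K ACCEPT     udp  --  eth0   *       0.0.0.0/0            192.0.2.20           udp dpt:53
5       57  4560 DROP       tcp  --  eth0   *       198.51.100.0/24      0.0.0.0/0            tcp dpt:443
"""

_SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}


def _count(text):
    """iptables abbreviates large counters (600K, 24K); expand them to integers."""
    if text[-1] in _SUFFIX:
        return int(float(text[:-1]) * _SUFFIX[text[-1]])
    return int(text)


@dataclass(frozen=True)
class Rule:
    num: int
    pkts: int
    target: str
    proto: str
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]    # None when the rule matches any destination port


def parse_snapshot(text):
    """Turn the counter listing into Rule objects, skipping the chain and column headers."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 10 or not cols[0].isdigit():
            continue
        m = re.search(r"dpt:(\d+)", line)
        rules.append(Rule(
            num=int(cols[0]), pkts=_count(cols[1]), target=cols[3], proto=cols[4],
            iface=cols[6], src=ipaddress.ip_network(cols[8]), dst=ipaddress.ip_network(cols[9]),
            dport=int(m.group(1)) if m else None,
        ))
    return rules


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (
        inner.src.subnet_of(outer.src)
        and inner.dst.subnet_of(outer.dst)
        and outer.proto in ("all", inner.proto)
        and outer.iface in ("*", inner.iface)
        and outer.dport in (None, inner.dport)
    )


def unused_rules(rules):
    """Rules whose counters never moved during the review period: decommissioning candidates."""
    return [r.num for r in rules if r.pkts == 0]


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule already matches everything they would."""
    return [r.num for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


if __name__ == "__main__":
    rules = parse_snapshot(SNAPSHOT)
    print("zero-hit rules (confirm against the decommissioned-service record):", unused_rules(rules))
    print("shadowed rules (never reachable):", shadowed_rules(rules))
```

Counters reset on reboot and on `iptables -Z`, so take the snapshot at the end of a review period that began from a known baseline, and treat a zero count as a candidate to confirm against the decommissioning record, not as proof. A shadowed rule is a different finding: it is unreachable regardless of traffic, and it usually means a later, narrower rule was added without anyone noticing the broader one above it, which is exactly the documentation gap the first practice is meant to close.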

Thanks to Linda for identifying the top five firewall best practices to implement and for providing me an opportunity to write again on a favorite subject.