Firewall security devices, including routers and intrusion detection and/or prevention systems, play a critical role in the system of controls that prevents and detects unauthorized access to data and information-related assets. Firewall security devices represent the logical perimeter security for electronic information assets. In this article, I will answer some common questions about firewall security and share the most common firewall security best practices that I've learned over the years.
What is a firewall?
A firewall is a device, or a collection of devices and software, that securely connects a trusted network with an untrusted or public network. All packets between the two networks must pass through the firewall, which permits or denies them according to a set of rules that authorize traffic to flow between the networks. Rules are set up at the firewall to enforce the site's security policy.
How important is a firewall?
Like most organizations, yours has probably connected its private local area networks (LANs) to the Internet so that management and staff have convenient access to Internet services. Since the Internet as a whole is not trustworthy, private systems connected to it can be vulnerable to misuse and attack. Firewall security controls are the safeguard used to control access between a trusted (internal) network and a less trusted (external) one.
How does a firewall provide security?
Firewalls provide security by restricting inbound and outbound traffic to the minimum necessary. Firewall security configuration standards should protect against known and unknown threats through a combination of a thorough understanding of information risks, best-practice security configurations, and alignment with business requirements.
Firewalls are capable of enforcing security policies, can be configured to filter traffic between domains, and block unauthorized access. Firewalls are used to maintain segregation between internal wired, internal wireless, and external network segments (the Internet), including DMZs. Firewalls should enforce access control policies for each of these domains.
What are some common firewall security best practices?
As a best practice, use firewalls from at least two (2) different vendors, and ensure they employ stateful packet inspection (also known as dynamic packet filtering). Firewalls should be configured to deny, or tightly control, any traffic from the Internet into the internal network and/or sensitive environment.
Network administrators should follow and maintain a configuration management standard for network devices that identifies all key aspects of the standard and how it is managed.
At a minimum, the standard should cover both firewalls and routers, and include exact documentation of:
- The current network topology (in diagram form, representing logical and physical composition), including all connections to and from confidential networks. Network administrators are responsible for maintaining a set of logical and physical network diagrams that fully document all connections to sensitive data, including any wireless networks.
- A list of all ports and services used for business connections to and from segments carrying confidential data.
- Business justification for all insecure ports and protocols in use between confidential networks and public/untrusted networks (e.g., FTP, Telnet). Mainframe systems have this constraint. Can you think of anything else?
- Roles and responsibilities for device management.
- The formal process for conducting and approving changes to firewall and router configuration.
Firewall, router and network connection changes should be approved and tested prior to implementing the changes to the production environment. Firewall and router configuration standards should be defined, implemented, and reviewed at least every six (6) months.
The security or compliance team should conduct periodic reviews of the firewall/router configuration program to ensure compliance to documented standards and completeness of documentation.
As previously discussed in the network security best practices article, all Internet-facing applications should be deployed in a Demilitarized Zone (DMZ). All VPN and other secure connections to partners and clients should be routed through the firewall to establish monitoring and logging controls.
All user LAN segments should be separated from production servers through the use of a firewall or an Access Control List (ACL) on the local switch/router. All servers storing, processing, or transmitting confidential data must be segmented away from both non-confidential servers and user segments by the use of internal routers or firewalls.
Active firewall and router configurations should comply with the firewall configuration standard approved by management. Tools should be deployed to alert security personnel if the “running” configuration of any device does not align to the approved “stored” configuration.
All external network connections and firewall rules should be approved and reviewed by management. Changes to the firewall rule set should not be implemented until written approval from management is obtained.
The firewall should restrict connections between publicly accessible servers and any system component storing sensitive data, including any connections from wireless networks. As part of the firewall configuration standard, all connections between the DMZ and internal networks should be fully documented.
The DMZ should be considered a semi-public network. As such, all connections carrying confidential data within the DMZ (including those originating from trusted, internal networks) should be encrypted.
The firewall should restrict inbound Internet traffic to IP addresses within the DMZ. No direct routes from the Internet to the internal network are permitted. The firewall should be configured so that packets carrying internal source addresses cannot pass from the Internet into the DMZ (anti-spoofing). Additionally, dynamic (stateful) packet filtering should be performed to ensure that only established connections are allowed back into the network.
Databases with sensitive information should be placed in an internal network zone, segregated from the DMZ. All inbound and outbound Internet traffic should be monitored.
All Internet traffic passing into the DMZ should be limited to HTTP and HTTPS. All other ports must include documented business justification that has been approved by the CISO or equivalent.
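To make the policy in the preceding paragraphs concrete, here is an added example (my own illustration, not code from any vendor's firewall) that models a default-deny, stateful DMZ filter in Python: HTTP/HTTPS only from the Internet into the DMZ, no direct Internet-to-internal path, anti-spoofing of inside addresses on the outside interface, no DMZ-to-internal path without a documented exception, and replies admitted only for flows initiated from inside. The address ranges, interface names and tuple-based "packets" are constructed assumptions.

```python
import ipaddress

# Constructed sample ranges for this example, not anyone's real network.
INTERNAL = ipaddress.ip_network("10.10.0.0/16")    # trusted internal LAN
DMZ = ipaddress.ip_network("192.0.2.0/24")          # semi-public DMZ
ALLOWED_INTO_DMZ = {80, 443}                        # HTTP/HTTPS only


def zone(addr):
    """Classify an address as 'internal', 'dmz' or 'internet'."""
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "internet"


class StatefulFirewall:
    """Default-deny filter that only admits replies to flows it saw leave."""

    def __init__(self):
        self.established = set()   # (src, sport, dst, dport) of outbound flows

    def decide(self, ingress, src, sport, dst, dport):
        """Return (verdict, reason) for a packet seen on interface `ingress`."""
        src_zone, dst_zone = zone(src), zone(dst)
        # Anti-spoofing: the source address must match the interface it came in on.
        if (ingress == "outside") != (src_zone == "internet"):
            return "drop", "source address does not match ingress interface"
        # Stateful: a reply to a flow initiated from inside is allowed back in.
        if (dst, dport, src, sport) in self.established:
            return "accept", "established"
        if src_zone == "internet":
            if dst_zone == "dmz" and dport in ALLOWED_INTO_DMZ:
                return "accept", "new inbound to DMZ on permitted port"
            return "drop", "default deny: no direct route from the Internet"
        # Public-facing DMZ hosts get no path to sensitive internal systems
        # unless a documented, approved exception is added to the policy.
        if src_zone == "dmz" and dst_zone == "internal":
            return "drop", "DMZ to internal requires documented exception"
        # Outbound from internal (or DMZ to Internet): record so the reply returns.
        self.established.add((src, sport, dst, dport))
        return "accept", "outbound flow recorded"
```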
All wireless networks should be considered to be public networks. As such, perimeter firewalls should be installed between any wireless networks and the internal network. The configuration of these firewalls should be set up to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment.
Personal firewall software should be installed on any mobile, laptop, and/or desktop computers that have direct connectivity to the Internet and are used to access the network.
The firewall should use network address translation (NAT) to mask internal addresses from the Internet.
How often should firewall rules be reviewed?
Firewall and router rule sets should be reviewed at least every six (6) months to verify appropriateness and continued business justification for permitted traffic.
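As an added example (not from the article) covering both the running-versus-stored configuration check described earlier and the periodic rule review, the following Python compares a device's running rules against the approved stored copy and flags permitted rules that lack a business justification or have not been reviewed within six months. The rule syntax, sample configurations and review dates are constructed.

```python
import difflib
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=182)   # "at least every six (6) months"

# Constructed sample configurations in a made-up rule syntax.
STORED_CONFIG = """
allow tcp any -> dmz 443
deny  any any -> any
"""
RUNNING_CONFIG = """
allow tcp any -> dmz 443
allow tcp any -> dmz 22   # undocumented change made on the device
deny any any -> any
"""


def normalize(config_text):
    """Strip comments and blank lines, collapse whitespace, keep rule order."""
    stripped = (raw.split("#", 1)[0].split() for raw in config_text.splitlines())
    return [" ".join(words) for words in stripped if words]


def config_drift(stored_text, running_text):
    """Rules only in the running config ('added') or only in the approved
    stored config ('removed'); a non-empty result should raise an alert."""
    added, removed = [], []
    for line in difflib.ndiff(normalize(stored_text), normalize(running_text)):
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    return {"added": added, "removed": removed}


# Constructed rule register: (rule, business justification, last review date).
SAMPLE_RULES = [
    ("allow tcp any -> dmz 443", "public web", date(2024, 1, 15)),
    ("allow tcp partner -> internal 21", "", date(2024, 5, 1)),
    ("allow tcp any -> dmz 80", "redirect to HTTPS", date(2023, 11, 1)),
]
SAMPLE_TODAY = date(2024, 6, 1)


def overdue_rules(rules, today):
    """Flag permitted rules with no business justification or a stale review."""
    findings = []
    for rule, justification, last_review in rules:
        if not justification:
            findings.append((rule, "no business justification"))
        elif today - last_review > REVIEW_INTERVAL:
            findings.append((rule, "review overdue"))
    return findings
```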
Firewall Audit Readiness Checklist
- Evidence that users' connections are restricted in accordance with the access control policy.
- Ensure network diagrams define network segments and segregation through firewalls.
- Evidence that firewall configurations control and restrict network traffic, denying traffic by default and permitting it only by exception.
- Evidence that firewall configurations validate source/destination addresses, hide internal directory services and IP addresses, and restrict messaging, file transfer, interactive access, and common Windows applications.
- Evidence firewall, router, and network connection changes are documented, tested, and approved prior to implementation.
- Evidence firewall and router configuration standards have been reviewed/updated within the past six (6) months.
- Evidence metrics, reviews, tests, or audits have been performed.