Modern firewalls offer a wide range of advanced protections beyond standard access control rules. Versatility, however, comes at a cost: one incorrectly applied firewall access rule can open your network to a variety of attack vectors, and sometimes those errors are costly.
Cisco’s 2017 Security Capabilities Benchmark Study found that 45% of organizational breaches led to 1-8 hours of downtime, and that 49% of organizations had to manage public scrutiny for those breaches. That is reasonable justification for having the most efficient and effective policies in place to protect not only your users but also your data.
Creating a comprehensive firewall policy that can serve as a line of defense against today’s intrusion attacks can be complex, but it is manageable if approached strategically. So, with all the advanced firewall protections available, how can you ensure that you are protecting your infrastructure and applying the most effective practices?
Although firewall management has evolved tremendously over the last decade, Smoothwall has a few suggested measures that can help bring your environment up to speed with conventional standards.
Define your object-oriented rules based on categorization and application level, rather than an arbitrary network IP address.
Your firewall policy should always be organized with the most specific rules first, leaving general rules for last, with the final rule serving as a “Cleanup” rule that drops all traffic that has not been explicitly allowed. An easy approach to achieving this is to take inventory of your infrastructure and of the services those networks require as a whole. Instead of defining firewall rules individually, you can group similar networks and services together when they serve the same purpose. This improves the manageability of your policy, comprehension while troubleshooting, and accuracy during an audit.
For higher-level management, we suggest using Internal Server Networks, Web Server DMZ, and Guest Wireless Networks as categories for easy organization.
Logical groups that are created to support internal users can be grouped together in an object named Internal User Networks. Applying service groups in the same manner not only provides a similar increase in organization and comprehension, it also establishes a unified approach to your firewall management.
Some examples of how you could separate and define your service groups would be:
Internal Domain = works best with Active Directory and Google as a directory service for username integration
Internet Services = best practice regarding the commonly used ports and protocols required for internet connectivity
Absolute Blocked Services = a catch-all, rule-based filter that compiles all unwanted content into a “Blanket Policy” to protect users from illicit content and other potential threats
Apply the relevant network and service groups to policies within your firewall.
Since our first area of focus was network-related access, these rules will fall further down within your firewall policy, as they are not specific to individuals but focus on groups. Try to ensure the groups with less defined networks and/or services are higher in the policy than those with more defined networks. Just like the objects themselves, it’s important to record each rule with its purpose.
At this point, you can look at the more granular rules that do not fit within the network-related ones. In the firewall policy, these rules will be placed above the network-related policy rules, because they focus on a more specific area of access. Review any required access not currently defined: these rules should only be server-specific.
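The grouping and ordering described above, modelled in code as an added example (not Smoothwall's own code or configuration): network and service objects, a first-match policy with a final cleanup rule, and a check that flags rules shadowed by an over-broad rule placed too high. The group names follow the page's categories; their contents, the rule names and the MISORDERED policy are constructed for illustration.

```python
import ipaddress
# Constructed sample groups named after the page's categories (contents are assumed).
NETWORK_GROUPS = {
    "Internal User Networks": ["10.10.0.0/16", "10.20.0.0/16"],
    "Web Server DMZ": ["192.168.100.0/24"],
    "Guest Wireless Networks": ["172.16.50.0/24"],
    "Any": ["0.0.0.0/0"],
}
SERVICE_GROUPS = {  # None means every protocol and port
    "Internet Services": {("tcp", 80), ("tcp", 443), ("udp", 53)},
    "Internal Domain": {("tcp", 88), ("udp", 88), ("tcp", 389), ("tcp", 636)},
    "Any": None,
}
# Ordered policy as (name, source group, destination group, service group, action): specific first, cleanup last.
POLICY = [
    ("dmz-web-in", "Any", "Web Server DMZ", "Internet Services", "allow"),
    ("users-domain", "Internal User Networks", "Internal User Networks", "Internal Domain", "allow"),
    ("users-internet", "Internal User Networks", "Any", "Internet Services", "allow"),
    ("guest-internet", "Guest Wireless Networks", "Any", "Internet Services", "allow"),
    ("cleanup", "Any", "Any", "Any", "drop"),
]
MISORDERED = POLICY[:1] + [("users-any", "Internal User Networks", "Any", "Any", "allow")] + POLICY[1:]  # one over-broad rule too high
def _nets(group):
    return [ipaddress.ip_network(n) for n in NETWORK_GROUPS[group]]
def _in_group(ip, group):
    return any(ipaddress.ip_address(ip) in net for net in _nets(group))

def _covers(outer, inner):
    """True when every source, destination and service of rule `inner` also matches rule `outer`."""
    nets_ok = all(any(i.subnet_of(o) for o in _nets(outer[k])) for k in (1, 2) for i in _nets(inner[k]))
    o, i = SERVICE_GROUPS[outer[3]], SERVICE_GROUPS[inner[3]]
    return nets_ok and (o is None or (i is not None and i <= o))

def evaluate(src, dst, proto, port, policy=POLICY):
    """First-match lookup, as a firewall does; returns (rule name, action)."""
    for name, s_grp, d_grp, svc, action in policy:
        if _in_group(src, s_grp) and _in_group(dst, d_grp) and (
                SERVICE_GROUPS[svc] is None or (proto, port) in SERVICE_GROUPS[svc]):
            return name, action
    return None, "drop"  # only reached when the policy lacks a cleanup rule

def shadowed_rules(policy=POLICY):
    """Rules that can never match because an earlier rule already covers every packet they describe."""
    found = {}
    for idx, later in enumerate(policy):
        for earlier in policy[:idx]:
            if _covers(earlier, later):
                found.setdefault(later[0], earlier[0])
    return list(found.items())
```

Running shadowed_rules over a policy before deployment is a cheap audit step: a non-empty result means a rule is ordered where it cannot take effect, which is exactly the kind of misplacement that lets unintended traffic through.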
Do some testing
Below are a few ways to test and troubleshoot whether the policies defined within Smoothwall are suitable for your network.
Here at Smoothwall, we will continue to provide feedback on questions that administrative users may have regarding best practices, filtering methods, and how to protect users and data in the ever-changing world we live in today. We want to emphasize that these guidelines are useful information that could suit any firewall.
If you run into any issues while troubleshooting, please see our video series on troubleshooting firewall rules on the Smoothwall YouTube channel.