Basic Firewall Rules
In a firewall rule, the action component decides whether matching traffic is permitted or blocked; the action is applied on match. For example, if traffic matches all the components of a rule, it is permitted to connect to the network. It is essential to consider the potential security risks when modifying a firewall rule, to avoid future issues. Following best practices for configuring firewalls helps you maximize the effectiveness of your solution.
Types of Best Practices
Each firewall rule should be documented so that its intended purpose and effect are known. At a minimum, the following data should be tracked:
- The firewall rule’s purpose
- The affected service(s) or application(s)
- The affected users and devices
- The date when the rule was added
- The rule’s expiration date, if applicable
- The name of the person who added the rule
Establish a formal change procedure
Firewall rules will need to be updated whenever new services and new devices are added. A formal change procedure should be established before any firewall rules are added or changed. The following steps are guidelines for a change procedure process:
- A change request process for users to request modifications to a specific firewall configuration
- A review process to analyze new modification requests and determine the best course of action with respect to security practices
- A process to test the new modification requests against the production firewall rules
- A process to deploy the tested modifications into production
- A process to validate the new firewall settings to ensure proper operation
- A process to document and track all changes
Block traffic by default
Block all traffic by default and only allow specific traffic to identified services. This approach provides quality control over the traffic and decreases the possibility of a breach. It is achieved by configuring the last rule in an access control list to deny all traffic; this can be done explicitly or implicitly, depending on the platform.
Set all explicit firewall rules first
Set the most explicit firewall rules at the top of the rule base, since that is where traffic matching starts. A rule base is the set of rules that manages what is and what is not permitted through a firewall. Rule bases typically work top-down: the first rule in the list that matches performs its action, and traffic matched by that rule is never assessed by the remaining rules. SANS Institute's Firewall Checklist, under Security Elements, recommends the following order for firewall rules:
- Anti-spoofing filters (block private addresses and internal addresses appearing from the outside)
- User permit rules (e.g. allow HTTP to public web server)
- Management permit rules (e.g. SNMP traps to network management server)
- Noise drops (e.g. discard OSPF and HSRP chatter)
- Deny and alert (alert the systems administrator about suspicious traffic)
- Deny and log (log remaining traffic for analysis)
Set explicit drop rules (Cleanup Rule)
The main purpose of a firewall is to drop all traffic that is not explicitly permitted. As a safeguard to stop uninvited traffic from passing through the firewall, place an any-any-any drop rule (Cleanup Rule) at the bottom of each security zone context. This provides a catch-all mechanism that catches, and logs, any traffic no earlier rule matched.
The firewall cleanup rule is defined as:
- Source = ANY
- Destination = ANY
- Service / Application = ANY
- Action = DROP
- Logging = Enabled
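The following is an added example, not part of the original article, that simulates top-down, first-match evaluation of a rule base laid out in the SANS order above and ending with the logged cleanup rule. All rule names, interfaces and addresses are constructed samples; it also shows why the anti-spoofing filter must sit above the permit rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                  # "permit" or "drop"
    src: str = "any"             # source CIDR or "any"
    dst: str = "any"             # destination CIDR or "any"
    proto: str = "any"           # "tcp", "udp", "ospf", ... or "any"
    dport: Optional[int] = None  # None matches every destination port
    iface: str = "any"           # ingress interface: "outside", "inside" or "any"
    log: bool = False            # Logging = Enabled on the cleanup rule

    def matches(self, pkt: dict) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (self.iface in ("any", pkt["iface"])
                and in_net(pkt["src"], self.src)
                and in_net(pkt["dst"], self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

# Constructed rule base in the SANS order: anti-spoofing, user permit,
# management permit, noise drop, then the any-any-any cleanup rule with logging.
RULE_BASE = [
    Rule("anti-spoof-rfc1918", "drop", src="10.0.0.0/8", iface="outside", log=True),
    Rule("permit-http-web", "permit", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("permit-snmp-traps", "permit", dst="10.1.1.5/32", proto="udp", dport=162, iface="inside"),
    Rule("noise-ospf", "drop", proto="ospf"),
    Rule("cleanup", "drop", log=True),  # Source=ANY Destination=ANY Service=ANY DROP, logged
]

def evaluate(pkt: dict, rules=RULE_BASE):
    """Top-down evaluation: the first matching rule acts; later rules are never assessed."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action, rule.log
    raise RuntimeError("no rule matched: rule base lacks a cleanup rule")

def has_cleanup_rule(rules) -> bool:
    """Check that the last rule is an any-any-any DROP with logging enabled."""
    last = rules[-1]
    return (last.action == "drop" and last.log and last.src == last.dst == "any"
            and last.proto == "any" and last.dport is None and last.iface == "any")

if __name__ == "__main__":
    spoofed = {"iface": "outside", "src": "10.2.3.4", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}
    print(evaluate(spoofed))  # anti-spoofing rule wins although the HTTP permit would also match
```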