A firewall security best practice guide for securing the network communicates your company’s security policy goals to security stakeholders, supports compliance with industry regulations, and improves your company’s overall security posture.
Below, we cover some resources and eight firewall security best practices to begin your journey to a better security posture.
Most all-in-one firewall appliance operating systems are hardened by the vendor. If you are deploying a software firewall on a general-purpose OS, patch and harden that OS before installing the firewall.
In addition to starting with a hardened OS, security admins will want to ensure the firewall itself is configured securely. Guides are available from vendors and from third parties such as the Center for Internet Security (CIS), which publishes CIS Benchmarks for network devices and firewalls. Also see the SANS Firewall Checklist.
Firewalls are a vital tool for applying zero trust security principles: they monitor and control inbound and outbound access across network boundaries in a macro-segmented network. This applies both to layer 3 routed firewall deployments (where the firewall acts as a gateway connecting multiple networks) and to layer 2 bridge, or transparent, deployments (where the firewall sits inline within a single network and isolates the devices on either side of it without changing the IP addressing).
When deploying a firewall, the network interfaces of the firewall get connected to these networks or zones. These zones can then be used to simplify the firewall policy. For example, a perimeter firewall will have an external zone connected to the Internet, one or more internal interfaces connected to internal networks, and maybe a DMZ network connection. The firewall policy can then be customized as needed to add more granular control.
The firewall will also need to be managed. Decide early whether it needs a dedicated management interface. Management access, Lights-out Management and serial console access should be reachable only from dedicated, secured networks, never from the data-plane zones the firewall protects.
Finally, a single firewall is a single point of failure (SPOF). Deploying two or more in a High Availability (HA) cluster keeps security in place if one member fails. A better option that continuously uses the resources of every cluster member is a hyperscale network security solution; this should also be considered for networks whose traffic load has seasonal peaks.
A firewall is a vital component of an organization’s security infrastructure, and it needs to be protected against exploitation. To secure your firewall, take the following steps:
Account takeover is a common technique used by cyber threat actors. To secure user accounts on your firewall, do the following:
The primary function of a firewall is to enforce and monitor access for network segmentation.
Firewalls can inspect and control north/south traffic across a network boundary. In this macro-segmentation use case, the zones are broad groups like external, internal, DMZ, and guest Wi-Fi. They may also be business groups on separate internal networks like data center, HR, and finance or a production floor in a manufacturing plant that uses Industrial Control Systems (ICS).
Firewalls deployed in virtualized private or public clouds can inspect traffic between individual servers or applications that change dynamically as instances are spun up. In this micro-segmentation use case, the zones may be defined by applications like web apps or databases. The function of the virtual server may be set by a tag and used in a firewall policy dynamically without human intervention, reducing the chances of manual configuration errors.
In both macro and micro deployments, firewalls control access through policy rules that match traffic on source and destination, optionally restricted to the service or port the application uses. For instance, TCP ports 80 and 443 are the default ports for web traffic: a rule for a web server should allow only those ports and block everything else. This is a case where whitelisting (allowlisting) the permitted traffic is practical.
Egress traffic from an organization to the Internet is harder to whitelist, because it is rarely possible to enumerate every port internal users and systems need to reach on the Internet. The more common approach for an egress policy is blacklisting: known bad traffic is blocked and everything else is allowed by an “accept all” rule at the bottom of the egress section. Make sure that accept-all rule is logged; an unlogged accept-all leaves you with no visibility into outbound command-and-control or data exfiltration.
To detect and block known bad destinations, enable next-generation firewall (NGFW) features beyond IP and port controls, such as URL filtering and application control. For instance, application control can allow access to Facebook but block Facebook games.
Regulations have specific requirements for firewalls. Any security best practice must comply with these requirements, which may mean adding further controls to a deployed firewall. Example requirements include virtual private networks (VPNs) to encrypt data in transit, antivirus to stop known malware, and intrusion detection and prevention systems (IDS/IPS) to detect network intrusion attempts.
For instance, PCI DSS requires zone-based firewall controls between trusted and untrusted networks, including a DMZ and perimeter firewalls between all wireless networks and the cardholder data environment. Some additional PCI DSS requirements include:
As a security policy grows, it becomes hard to predict which rule a new connection will hit. Path-analysis tools, often built into the security management system, answer this by searching the rulebase for the rule that would match a given source, destination and service.
Some security management systems also warn when a duplicate object is created, or refuse to install a policy that contains a rule completely hidden (shadowed) by an earlier one. Regularly test your policy to verify it behaves as designed and to find unused rules and duplicate objects.
Firewall policies are evaluated top-down, first match wins, so performance can be improved by moving frequently hit rules higher in the inspection order. Do this only when the move does not change the action any connection receives: a high-hit accept rule must never be moved above an overlapping deny rule. Regularly inspect the policy to keep it optimized.
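The three rulebase tasks described above (path analysis, shadowed-rule detection and hit-count reordering) all rest on the same first-match, top-down evaluation, and the web-server whitelist and egress blacklist from the segmentation section are the natural sample policy for them. The following is an added example written for this article, not Check Point code or any vendor's policy format: a small Python policy evaluator over a hypothetical perimeter zone layout (RFC 5737 test addresses), with a constructed sample policy. The `optimize` step refuses to move a rule past an overlapping rule with a different action, which is the caveat from the paragraph above.

```python
"""Toy zone-based firewall policy: first-match evaluation, path analysis,
shadow detection and safe hit-count reordering. Added example, not vendor code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

@dataclass
class Rule:
    name: str
    src_zone: str        # zone name or "any"
    dst_zone: str        # zone name or "any"
    dst_net: str         # CIDR or "any"
    proto: str           # "tcp", "udp" or "any"
    dports: frozenset    # destination ports; empty set means any port
    action: str          # "accept" or "drop"
    hits: int = 0        # populated by evaluate(); drives optimize()

# Hypothetical zone layout for a perimeter firewall (constructed for this example).
ZONES = {
    "external": [ip_network("0.0.0.0/0")],     # catch-all; loses to longer prefixes
    "dmz":      [ip_network("203.0.113.0/24")],
    "internal": [ip_network("10.0.0.0/8")],
}

def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to a zone."""
    addr, best, best_len = ip_address(ip), "external", -1
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best

def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    if rule.src_zone != ANY and rule.src_zone != zone_of(src): return False
    if rule.dst_zone != ANY and rule.dst_zone != zone_of(dst): return False
    if rule.dst_net != ANY and ip_address(dst) not in ip_network(rule.dst_net): return False
    if rule.proto != ANY and rule.proto != proto: return False
    if rule.dports and dport not in rule.dports: return False
    return True

def evaluate(policy, src, dst, proto, dport):
    """Path analysis: (action, rule name) of the first matching rule.
    Anything no explicit rule matches hits the implicit cleanup drop."""
    for rule in policy:
        if matches(rule, src, dst, proto, dport):
            rule.hits += 1
            return rule.action, rule.name
    return "drop", "implicit-cleanup"

def covers(a: Rule, b: Rule) -> bool:
    """True when every connection b could match is already matched by a."""
    field_ok = lambda x, y: x == ANY or x == y
    net_ok = a.dst_net == ANY or (b.dst_net != ANY and
             ip_network(b.dst_net).subnet_of(ip_network(a.dst_net)))
    ports_ok = not a.dports or (bool(b.dports) and b.dports <= a.dports)
    return (field_ok(a.src_zone, b.src_zone) and field_ok(a.dst_zone, b.dst_zone)
            and net_ok and field_ok(a.proto, b.proto) and ports_ok)

def shadowed_rules(policy):
    """Names of rules that can never be hit because an earlier rule covers them."""
    return [later.name for i, later in enumerate(policy)
            if any(covers(earlier, later) for earlier in policy[:i])]

def disjoint(a: Rule, b: Rule) -> bool:
    """Conservative: True only when provably no connection can match both rules."""
    for x, y in ((a.src_zone, b.src_zone), (a.dst_zone, b.dst_zone), (a.proto, b.proto)):
        if x != ANY and y != ANY and x != y: return True
    if a.dports and b.dports and not (a.dports & b.dports): return True
    if a.dst_net != ANY and b.dst_net != ANY and \
            not ip_network(a.dst_net).overlaps(ip_network(b.dst_net)): return True
    return False

def optimize(policy):
    """Insertion sort by hit count that never moves a rule past an
    overlapping rule with a different action, so decisions are unchanged."""
    rules = list(policy)
    for i in range(1, len(rules)):
        j = i
        while j > 0 and rules[j].hits > rules[j - 1].hits and \
                (disjoint(rules[j], rules[j - 1]) or rules[j].action == rules[j - 1].action):
            rules[j], rules[j - 1] = rules[j - 1], rules[j]
            j -= 1
    return rules

def build_policy():
    """Constructed sample policy: whitelisted DMZ web server, blacklisted egress."""
    return [
        Rule("web-in",           "external", "dmz",      "203.0.113.10/32", "tcp", frozenset({80, 443}), "accept"),
        Rule("dmz-stealth",      ANY,        "dmz",      ANY,               ANY,   frozenset(),          "drop"),
        Rule("egress-block-smb", "internal", "external", ANY,               "tcp", frozenset({445}),     "drop"),
        Rule("egress-http-only", "internal", "external", ANY,               "tcp", frozenset({80}),      "accept"),
        Rule("egress-all",       "internal", "external", ANY,               ANY,   frozenset(),          "accept"),
        Rule("egress-https-dup", "internal", "external", ANY,               "tcp", frozenset({443}),     "accept"),
    ]

if __name__ == "__main__":
    p = build_policy()
    print(evaluate(p, "198.51.100.7", "203.0.113.10", "tcp", 443))  # web-in accepts
    print(evaluate(p, "10.1.2.3", "198.51.100.7", "tcp", 445))      # blacklist drops SMB
    print("shadowed:", shadowed_rules(p))                            # egress-https-dup
    print([r.name for r in optimize(p)])
```

Running it shows that `egress-https-dup` is dead (fully covered by `egress-all`), and that after traffic accumulates on `egress-all` the optimizer moves it above `egress-http-only` (same action, so the decision is unchanged) but stops below `egress-block-smb`, because swapping those two would silently turn the SMB block into an accept.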
Finally, perform regular penetration testing to identify remaining risks and any additional security measures needed alongside the firewall to secure your organization.
Regular audits are essential to ensuring that software and firmware are correct and up-to-date and that logs are correctly configured and operational. Some best practices for these audits include:
Check Point provides a number of resources to help with configuring your Check Point NGFW. For a preliminary discussion of the Check Point firewall policy, review this support article on Rulebase Construction and Optimization. Also, if you’re new to Check Point, check out the CheckMates Community Check Point for Beginners.