When you consider the amount of technology that runs on an organization's network, from workstations to automation tools to wireless resources, there are many ways a breach can occur. Protecting the network, and the data stored on it, requires actionable steps and best practices that strengthen both network and endpoint security. That is where a properly implemented firewall comes into play.
What is a firewall?
A firewall is a “network security device that monitors incoming and outgoing network traffic and decides whether to allow or block traffic based on a defined set of security rules,” according to Cisco. A firewall is also the first line of defense in protecting your internal network from the Internet. The firewall's configuration, updates, and maintenance are critical to keeping your network protected.
Next-generation firewall features
The new firewalls on the market today are classified as Next-Generation Firewalls (NGFW), which Gartner defines as a “deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.” NGFWs can perform the following:
- Basic access-list rules that permit or block traffic based on source and destination address and port(s).
- Stateful traffic analysis, which tracks (in-line) the full state of active network connections, so each packet is evaluated in the context of the connection it belongs to rather than in isolation.
- Application-layer (Layer 7) inspection, which identifies the protocol and application in use and lets you write more granular rules based on application categories rather than on ports alone.
- Intrusion Prevention System (IPS), which continuously monitors network traffic for malicious content and takes automated action, such as dropping the matching traffic or blocking the session.
- Threat intelligence feeds, typically vendor-specific or third-party, which provide updated lists of known malicious IP addresses, URLs, and domains. It is a best practice to have the firewall pull threat intelligence updates automatically and as frequently as the vendor supports, roughly two or three times per day.
Next-generation firewall best practices
As firewall features are identified and implemented, setting up a firewall should follow some best practices to ensure proper configuration and protection for the network, including:
Documentation. Keep a list of your rules and what each rule is for, including the business need, the owner, and the date it was added. This will be helpful when reviewing new requests or changes. When doing so, make sure there are no overlapping or redundant rules: a rule that is fully covered by an earlier rule will never match, and is a sign that the rule base has drifted from what is documented.
Establish a change control process. This process should include a change request form, and review and approval of the request. Schedule the change for a time with the lowest impact on production, apply and test it, and have a plan to roll it back if there are any issues or disruptions. The change control records will serve as an ongoing history of your firewall configuration and its changes.
Block traffic by default. Start by blocking all traffic and allow only the specific traffic that is needed. This gives you control over, and visibility into, what traffic passes through your firewall, and as you open more traffic each allowance will be documented.
Rule order. Firewalls evaluate rules top to bottom and act on the first match, so place your most specific rules above broader ones; otherwise a broad rule will shadow the specific one below it and that rule will never be hit. Among rules of similar scope, put the most frequently matched ones first so the firewall finds a match sooner and spends less effort walking the rest of the list.
Explicitly block traffic. End your rule list with an explicit deny-all rule, with logging enabled. Most firewalls deny unmatched traffic implicitly anyway, but an explicit, logged rule protects you if there is a misconfiguration elsewhere in the list and gives you a record of what is being dropped.
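To make the documentation, rule-order and explicit-deny points above concrete, here is an added example in Python. It is not ZAG's tooling and not any vendor's rule syntax: the rule schema, rule names, and addresses are assumptions made for the illustration. It evaluates a constructed rule list with first-match semantics, reports rules that are shadowed by an earlier, broader rule, moves them above the rule that shadows them, and shows why the final deny-all rule matters for logging.

```python
"""First-match rule evaluation with shadowing detection.

Added example (not ZAG's or any vendor's code). The rule schema, rule names,
and addresses below are assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dport: tuple[int, int]   # inclusive destination port range

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """Does one packet (proto, src, dst, dport) hit this rule?"""
        return (self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport[0] <= dport <= self.dport[1])

    def covers(self, other: Rule) -> bool:
        """True if every packet matching `other` also matches `self`."""
        return (self.proto in ("any", other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.dport[0] <= other.dport[0]
                and other.dport[1] <= self.dport[1])


# Constructed rule list in the order an administrator might have added it.
# allow-admin-ssh is fully covered by the earlier, broader deny and never matches.
RULES = [
    Rule("allow-web-to-dmz",    "allow", "tcp", "0.0.0.0/0",   "203.0.113.10/32", (443, 443)),
    Rule("allow-lan-dns",       "allow", "udp", "10.0.0.0/8",  "10.0.0.53/32",    (53, 53)),
    Rule("deny-lan-to-dmz-ssh", "deny",  "tcp", "10.0.0.0/8",  "203.0.113.0/24",  (22, 22)),
    Rule("allow-admin-ssh",     "allow", "tcp", "10.0.1.0/24", "203.0.113.0/24",  (22, 22)),
    Rule("deny-all",            "deny",  "any", "0.0.0.0/0",   "0.0.0.0/0",       ANY_PORT),
]


def evaluate(rules: list[Rule], proto: str, src: str, dst: str, dport: int) -> tuple[str, str]:
    """Walk the list top to bottom and return (action, rule name) of the first match.

    If nothing matches, fall back to the implicit deny most firewalls apply. That
    outcome has no rule name to log against, which is why an explicit deny-all
    rule at the end of the list is recommended.
    """
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.name
    return "deny", "<implicit>"


def shadowed_rules(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule, earlier rule) pairs where the earlier rule fully covers the later one."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


def promote_shadowed(rules: list[Rule]) -> list[Rule]:
    """Move each shadowed (more specific) rule directly above the rule that shadows it."""
    ordered = list(rules)
    for later_name, earlier_name in shadowed_rules(ordered):
        names = [r.name for r in ordered]
        moved = ordered.pop(names.index(later_name))
        names.remove(later_name)
        ordered.insert(names.index(earlier_name), moved)
    return ordered


if __name__ == "__main__":
    print(shadowed_rules(RULES))
    # -> [('allow-admin-ssh', 'deny-lan-to-dmz-ssh')]
    print(evaluate(RULES, "tcp", "10.0.1.5", "203.0.113.20", 22))
    # -> ('deny', 'deny-lan-to-dmz-ssh')  the admin rule is never reached
    fixed = promote_shadowed(RULES)
    print(evaluate(fixed, "tcp", "10.0.1.5", "203.0.113.20", 22))
    # -> ('allow', 'allow-admin-ssh')
    print(evaluate(RULES[:-1], "tcp", "198.51.100.7", "10.0.0.5", 3389))
    # -> ('deny', '<implicit>')  nothing to log against without the explicit deny-all
```

Running `shadowed_rules` against an export of the real rule base is a cheap check to fold into the documentation review: any pair it reports is either a rule that should be deleted or one that should be moved up, and the explicit deny-all at the end is what turns "no match" into a named, loggable event.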
Firewall updates. It is critical to keep your firewall firmware and software current. Enable automatic updates for threat intelligence feeds, and establish a regular schedule for applying firmware and software updates through your change control process. Always take a backup of the firewall configuration before applying any update so you can restore it if the update fails.
Audit logs. Your firewall's logging features are extensive and important. You should:
- Enable hardware and system logging so you can review the health of the device.
- Enable logging on firewall rules, including the final deny rule, for audit and for troubleshooting traffic.
- Review logs regularly, and forward them to a central log server or SIEM so they survive if the firewall itself fails or is compromised.
- Configure SMTP so the firewall can send email alerts when thresholds are exceeded, such as repeated denies from a single source.
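As an added example, not part of the original post, here is Python that reviews firewall deny logs the way the threshold alerting above intends. It parses a generic syslog-style line format (an assumption made for the illustration; every vendor's format differs), counts denies per source for the regular review, and raises an alert when one source trips deny rules repeatedly inside a short window. The sample lines and the rule names in them are constructed.

```python
"""Review firewall deny logs and raise threshold alerts.

Added example (not ZAG's tooling). The log line format is a generic
syslog-style layout assumed for this illustration; real vendors differ.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: one external host probing the DMZ, one internal
# SSH attempt blocked by policy, and normal allowed traffic in between.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z fw1 rule=allow-web-to-dmz action=allow proto=tcp src=198.51.100.7:51512 dst=203.0.113.10:443
2024-05-01T08:00:03Z fw1 rule=deny-all action=deny proto=tcp src=198.51.100.7:51513 dst=203.0.113.10:22
2024-05-01T08:00:04Z fw1 rule=deny-all action=deny proto=tcp src=198.51.100.7:51514 dst=203.0.113.10:23
2024-05-01T08:00:05Z fw1 rule=deny-all action=deny proto=tcp src=198.51.100.7:51515 dst=203.0.113.10:3389
2024-05-01T08:00:06Z fw1 rule=deny-all action=deny proto=tcp src=198.51.100.7:51516 dst=203.0.113.10:445
2024-05-01T08:00:07Z fw1 rule=deny-all action=deny proto=tcp src=198.51.100.7:51517 dst=203.0.113.10:8080
2024-05-01T08:00:09Z fw1 rule=deny-lan-to-dmz-ssh action=deny proto=tcp src=10.0.1.5:40001 dst=203.0.113.20:22
2024-05-01T08:01:30Z fw1 rule=allow-lan-dns action=allow proto=udp src=10.0.4.8:5353 dst=10.0.0.53:53
2024-05-01T08:05:00Z fw1 rule=deny-all action=deny proto=tcp src=198.51.100.7:51600 dst=203.0.113.10:21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) rule=(?P<rule>\S+) action=(?P<action>allow|deny) "
    r"proto=(?P<proto>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log_text: str) -> list[dict]:
    """Parse log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def denies_per_source(events: list[dict]) -> Counter:
    """Count denied connections per source address (a quick daily review view)."""
    return Counter(e["src"] for e in events if e["action"] == "deny")


def deny_alerts(events: list[dict], threshold: int = 5, window_seconds: int = 60) -> list[dict]:
    """Flag any source with at least `threshold` denies inside a sliding window.

    The alert lists the destination ports hit in that window; many distinct
    ports from one source within a few seconds is the classic port-scan signature.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best_count, best_start, best_end = 0, 0, 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start, best_end = end - start + 1, start, end
        if best_count >= threshold:
            window = evs[best_start:best_end + 1]
            alerts.append({
                "src": src,
                "count": best_count,
                "dports": sorted({e["dport"] for e in window}),
                "first": window[0]["ts"].isoformat(),
                "last": window[-1]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(denies_per_source(events))
    for alert in deny_alerts(events):
        print(f"ALERT {alert['src']}: {alert['count']} denies "
              f"{alert['first']}..{alert['last']} on ports {alert['dports']}")
```

The threshold and window are the two knobs you would tune against your own traffic before wiring the output to the firewall's SMTP alerting or a SIEM rule; on the sample above the external host trips the alert with five denies in four seconds, while the single blocked internal SSH attempt is recorded but does not alert.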
Enable multi-factor authentication (MFA) and limit admin access. MFA is one of the most critical ZAG Standards, and for good reason. Requiring MFA on the firewall's management interface adds an authentication step that limits the ability of an unauthorized third party to change settings or make further configuration changes. Additionally, restricting administrative access to the firewall, to named administrators and to dedicated management networks only, adds protection against unauthorized access in the one place where a single change can affect the whole network.
Deploying a firewall is a crucial step in controlling incoming and outgoing network traffic and protecting an organization from unauthorized access. It should be a core part of your technology strategy. Click here to find out how ZAG can help.