Security Basics: Firewalls

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here.


If anti-virus is the most basic control people think of in securing a computer, then firewalls serve the same role in network security. To many laypersons, “firewall” is synonymous with network security. But it was not until the late 1980s that practical network packet filters were introduced, allowing organizations to connect two networks while controlling what types of traffic were allowed, to which endpoints, and in which directions.

Firewalls these days have evolved into “next-generation firewalls” or even “unified threat management devices.” These names denote two trends in the evolution of firewalls: the ability to filter traffic based on more detailed traffic properties, and the incorporation of other security functions (such as intrusion detection/prevention) that were traditionally provided by other devices. The former is simply a logical extension of the original firewall concept, but the other added capabilities are beyond the scope of this post (we will talk about IDS/IPS in another post soon).

There are many firewalls available today from many vendors, with different feature sets and advantages (and disadvantages). But in the end, a firewall is only as good as its configuration. Ensuring that you know what you want to protect, what you want to allow, and what you want to block is the essential groundwork for a successful and secure firewall deployment.

Key considerations for deploying and configuring a firewall include:

1. Configure all rules that “allow” traffic to be as specific as possible in what they allow — a firewall is only as good as its ruleset. Be especially suspicious of any rule that incorporates an “any” into it. Do you really want to allow ALL of your internal hosts to get out to ANY host on the Internet on ANY port? Perhaps some of your internal hosts (e.g. internal file servers) need little or no access out to the Internet. Perhaps you should allow just HTTP and HTTPS, since that is all most hosts need in order to reach the Internet. Perhaps you want to blacklist destinations based on some criteria. Rarely is “any” the right answer to what is needed.

2. Ensure that the firewall itself is securely configured. You don’t want an attacker or an ill-intentioned insider to gain control of this key security device. Ensure that it is managed via secure, encrypted channels (SSH or HTTPS, not Telnet or HTTP), and preferably only managed from the inside interface, not outside. Implement multi-factor authentication to the firewall if possible. Ensure users have unique accounts, not just one shared account (people should log in as “jsmith” not “firewalladmin”).

3. Ensure that detailed logs of traffic allowed and disallowed by the firewall are maintained, and retain them for a sufficient amount of time. Firewall logs are a key source of information in the event of a security incident. Proactively checking on these logs may also help you uncover an otherwise undetected incident. Log retention guidelines vary, but 90 days is probably an absolute minimum.

4. Take advantage of advanced traffic filtering capabilities. The newer firewalls are “application aware,” which is important today when virtually every sort of network capability can be tunneled over HTTP. Chat, file transfer, proxy/VPN services, and many more services can come in right over good old port 80/443. A good modern firewall can tell the difference and lets you permit or block specific capabilities. You can allow users to read their Facebook accounts, but not post. You can allow them to read and post to Facebook, but not to chat or play games. You can prevent the use of file synchronization, music streaming, and proxy/VPN services over HTTP/HTTPS.
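As an added example (not code from the original post), here is a small Python audit that applies points 1 and 2 to a rule table: it flags “allow” rules containing “any” and flags rules addressing the firewall itself that are reachable from outside the inside network or that permit Telnet/HTTP management. The rule format, the interface addresses and the sample rules are assumptions constructed for illustration, not any vendor's syntax.

```python
"""Audit a firewall ruleset for over-broad 'allow' rules (point 1) and exposed
firewall management (point 2). Added example; rule format, addresses and rules are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

CLEARTEXT_MGMT_PORTS = {"23", "80"}           # Telnet and HTTP management
FIREWALL_ADDRS = {"10.0.0.1", "203.0.113.1"}  # constructed inside / outside interfaces
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # comma-separated TCP ports or "any"

def audit_rule(rule: Rule) -> list[str]:
    """Return findings for one rule; an empty list means no concern."""
    findings: list[str] = []
    if rule.action != "allow":
        return findings                     # deny rules need no scrutiny here
    wild = [f for f in ("src", "dst", "dport") if getattr(rule, f) == "any"]
    if len(wild) == 3:
        findings.append("allows any host to reach any host on any port")
    elif wild:
        findings.append("contains 'any' in: " + ", ".join(wild))
    # Point 2: a rule whose destination explicitly covers a firewall interface is treated
    # as a management rule (simplification for this example).
    fw_net = ipaddress.ip_network(rule.dst) if rule.dst != "any" else None
    if fw_net and any(ipaddress.ip_address(a) in fw_net for a in FIREWALL_ADDRS):
        if rule.src == "any" or not ipaddress.ip_network(rule.src).subnet_of(INSIDE_NET):
            findings.append("management reachable from outside the inside network")
        if rule.dport == "any" or set(rule.dport.split(",")) & CLEARTEXT_MGMT_PORTS:
            findings.append("cleartext management protocol (Telnet/HTTP) permitted")
    return findings

def audit_ruleset(rules: list[Rule]) -> dict[str, list[str]]:
    """Map each rule name to its findings, omitting rules with none."""
    return {r.name: f for r in rules if (f := audit_rule(r))}

SAMPLE_RULES = [  # constructed ruleset for a small office network
    Rule("lan-web-out", "allow", "10.0.0.0/24", "any", "80,443"),
    Rule("lan-any-out", "allow", "10.0.0.0/24", "any", "any"),
    Rule("fileserver-out", "deny", "10.0.0.50/32", "any", "any"),
    Rule("legacy-any", "allow", "any", "any", "any"),
    Rule("mgmt-inside", "allow", "10.0.0.0/24", "10.0.0.1/32", "22,443"),
    Rule("mgmt-outside", "allow", "any", "203.0.113.1/32", "23,443"),
]
```

Calling `audit_ruleset(SAMPLE_RULES)` leaves `fileserver-out` and `mgmt-inside` out of the report and lists three findings for `mgmt-outside`, which is the rule that violates both points at once.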
