How to Protect Your Network: Firewall Best Practices

How to Protect Your Network: Firewall Best PracticesThis article is the first of a series in which we discuss protecting your network using  network monitoring and firewall management. In the other articles in this series we’ll discuss:

– Popular Firewall Products
– ISA Server Best Practices & Performance Monitoring
– Monitoring ISA Server with Monitis

While the last two articles focus on Microsoft ISA Server specifically, in this article we’ll talk about some common best practices for managing network security and setting up and managing your network firewall.
How to Protect Your Network: Firewall Best Practices

Of course we don’t have to explain what a network firewall is and what it does, do we? A firewall examines all network traffic routed between a private and a public network to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is also known as protocol filtering because the decision to forward or reject traffic is dependant upon the protocol used, for example HTTP, ftp or telnet. Firewalls can also filter traffic by packet attribute or state. But you already knew all of this, correct?

Popular Firewall Products

Let’s take a brief look at some of the most popular network security management solutions available. There are too many firewall products available to discuss all of them in this article, so we’ll touch on some of the most popular products, including hardware appliance and software-only solutions.

Cisco 5500 Series ASA Firewall

The CiscoASA 5500 Series is a firewall and anti-malware security appliance combining security and VPN services with Cisco’s Adaptive Identification and Mitigation architecture. The basic 5500 includes a policy based firewall and VPN, however you can add optional modules for Content Security and Intrusion Prevention the functionality can be extended.

CheckPoint VPN-1 Power

Check Point VPN-1 Power is an integrated stateful firewall, VPN and intrusion prevention solution. VPN-1 Power delivers protection for new technologies, such as VoIP or instant messaging by inspecting the application layer.

ForeScout CounterACT

ForeScout CounterACT is an appliance-based security solution that installs out of band, not in-line with traffic which means there is no latency or a single point of failure. CounterACT also supports VLAN firewall capability based on policies.

Trend Micro InterScan Web Security

Trend Micro InterScan Web Security is a virtual appliance that handles security risks, such as malware, viruses and spyware.  It allows administrators to create web policies that are transparent to the user.

Microsoft ISA Server

ISA Server is a software-only proxy firewall solution, providing application layer filtering as well as stateful packet filtering which makes for a flexible, yet sophisticated and secure type of firewall.

Out of the products we listed, ISA Server offers the most flexibility. Trend Micro’s virtual appliance is somewhere in between a hardware and software solution; we’ll talk more about this in a follow-up article. CheckPoint VPN-1 Power, Cisco and ForeScout’s products are appliance based solutions. ISA Server has an edge (no pun intended) over the other products by combining a Web Proxy Service and a Firewall Engine in the same product. We’ll go into more detail about each of these firewalls in a follow-up article. Let’s continue and look at some common network firewall best practices.

Firewall Management Best Practices

Although not the ‘end all, be all’ answer to information security, firewalls are a necessary component of an effective network security infrastructure. There are a number of best practice policies to be considered to ensure your firewall is configured effectively. The list below is a good starting point, but should not be considered a ‘one size fits all’ solution. Each company has unique requirements and priorities that should be taken into account as well. A more detailed article will follow in which we focus on best practices for Microsoft ISA Server.

  • Your firewall by itself is not the only answer to manage your network security. Security is a complicated subject and there are other risks to consider.
  • Start by denying all traffic (ports) and only enable the ports, services, and protocols you need. For example if you operate an SSL secured website, you want to open port 443 in addition to 80,  or if you manage a mail server and want to allow IMAP traffic, you should open port 143.
  • Have a written information security policy and make sure your firewall configuration is consistent with that policy.
  • Don’t run other applications (virus scanning, content filtering, VPN, and authentication software) on the same system your firewall is running on. Leave those tasks to other dedicated systems that you setup behind the firewall.
  • Run the firewall service as a unique user id. Avoid using ‘administrator’ or ‘root’, and configure it before connecting the firewall to the public network or Internet.
  • In addition to standard packet filtering, use stateful inspection, proxies, and application level inspection where possible.
  • Filter packets for correct source and destination addresses. This keeps malicious traffic from your network and will help prevent Denial Of Service attacks.
  • Control physical access to the firewall.
  • Maintain a simple configuration, eliminating redundant rules.
  • Perform auditing and regular security tests against your firewall. Make sure to test your firewall in all directions and run separate tests with the rules enabled, but also with the rules disabled.
  • Enable managed firewall logging and alerting. If logging and alerting is not managed it is a waste of processor cycles.

There are a few other best practice guidelines, such as; outsourcing your firewall management to a service provider, implementing change-management practices, requiring remote computers to run personal firewall software, backing up the firewall rules, etc. Cisco provides a good whitepaper if you want to read more about network policies best practices:

In our next article ‘ISA Server Best Practices & Performance Monitoring‘, we’ll discuss Microsoft ISA Server in more detail and touch on best practices and monitoring for ISA server.