Having learned about the various kinds of the Firewall, we must understand the various do's and don’ts of a firewall. This is not an exhaustive checklist. However, this is more from a guideline perspective as different environments demand a different set of strategies.
- The default action of any firewall should be to implicitly deny any packets not explicitly allowed. This means that if no Rule states that the packet can be accepted, that packet should be denied, no questions asked - Default DENY. If you are not on the guest list, you can’t meet the president.
- Any packet entering the network that has a source address of an internal host should be denied. If you receive a letter from an outsider, how can the FROM address be your own address? There is no reason a packet coming from the Internet should have an internal source network address, so the firewall should deny it.
- No traffic should be allowed to leave a network that does not have an internal source address. If there is no internal source address, this means there is something going on. This happens only in the case of zombies or some malicious software.
- “Open it & Use It” is a big NO NO. All firewalls are configured with a default username and password that needs to be changed. Did you buy the right kind of the firewall that suits your organization's’ needs?
Common firewall rules that are to be kept in mind:
The main purpose of firewalls is to drop all traffic that is not explicitly permitted. As a safeguard to stop uninvited traffic from passing through the firewall, place an any-any-any drop rule (Cleanup Rule) at the bottom of each security zone context. This will provide a catch-all mechanism for capturing traffic.
The firewall cleanup rule is defined as:
Source = ANY
Destination = ANY
Service / Application = ANY
Action = DROP
Logging = Enabled
Silent rule - Firewall receives a lot of packets. If it responds to all the packets, it will be highly unproductive. In case it logs all the traffic, it will lead to huge log size. Hence, it is recommended to drop “noisy traffic”.
Stealth Rule - Disallows access to firewall software from unauthorized systems.
Firewall rules need reviewing
Networks are constantly changing by gaining new users and new devices. New services and new applications are being accessed which means new Firewall Rules will need to be added. The old firewall rules will need to be reviewed and deleted if necessary. It is a best practice to set up a regular maintenance schedule to make updated changes to the firewall rules.
Make sure the firewall device is up to date
The firewall device should always be up to date with patches and firmware. If it is not, then it is vulnerable to attacks and the firewall rules will be useless.
The real exam tests you on the firewall in multiple aspects. Let us look at an example here
Divya has set up a firewall. One of the employees has raised a change request with the following details. Since Divya is the firewall administrator, she has to take a decision to approve or reject the CR. She can also suggest changes in the firewall. You are a CISSP and you have to suggest as to what decision should Divya take basis the details given below:
Source IP Address: Unknown
Destination IP Address: 192.168.1.23
Port Number: 23
Logging: Enabled
Port opening - Bidirectional
A. Accept the change request
B. Reject the change request
The firewall needs to configured by an expert. Any security gaps are an invitation for attackers. What other rules do you think should be kept in mind for a firewall?
