Best Practices for Firewalls in 2016
Over the past couple of decades, the firewall has evolved from the port-based guardian of the Internet into a next generation firewall that is application aware. Whether as a stand-alone network appliance or a multi-purpose tool packed into a router, firewalls have proved to be a vital piece of enterprise security stacks for one simple reason: nothing’s come along to replace them.
Rather than fading away, firewalls remain a strong first line of defence against an array of threats. Despite some experts thinking that perimeter technologies have become useless against modern malware, firewalls do block a lot of clutter that would otherwise swamp today’s enterprise networks. Let’s be completely honest, there is no such thing as being 100% secure in any aspect of life. If an attacker really wants to get into your particular network, they will find a way. So by mitigating vulnerabilities and segmenting your network [firewall], unauthorized access to your network won’t become a single point of failure. If a cyber-criminal should happen to break your network, then segmentation or “zoning” can provide effective controls to diminish any further attempts of network intrusion.
This is why Firewalls and the administers to them play a crucial role on the front line of defence. By ensuring that only the right kind of traffic gets through when it needs to and the bad guys get blocked. Unfortunately, each year the Verizon Data Breach Investigations Report shows that device misconfigurations are the biggest source of vulnerabilities that open the door to data breaches from corporations that ignore basic network protection. The risks are high and businesses can no longer afford to operate this way.
With that in mind, we offer some best practices to address some of the most common firewall challenges:
Implement multiple layers of security within your network structure
The more layers you can add at each level (e.g. data, applications, etc.), the harder it is to gain unauthorized access by cyber-criminals. Of course, you need to balance security against bringing business to a grinding halt due to your security level. The business still needs to be manageable from an operations standpoint.
Limit external users
A third party vendor may need access to your network, but most likely doesn’t need access to your entire net. Close all zones and regulate those users to areas that are absolutely required.
Segment based on your security requirements
As with the previous example, define your zones based on where you store sensitive information. Review your network structure for unnecessary access or conversely too restrictive access in other areas.
White hat approach
Instead of trying to block everything that is perceived as a threat, (a nightmare scenario that could lose business) define what you know to be acceptable communication paths and block everything else.
Perhaps the better question is if your company even has a network security manager? In the best of worlds, the security policy manager and the firewall manager are the same person for your enterprise business. Setting the organization’s overall policies [without conflicting corporate policies] as well as ensuring compliance are vital to your network.
Clean-up your Network Rules
It’s not unusual to see a firewall with hundreds of rules of which many have become obsolete or no longer serve its original purpose. This lends to latency issues on the firewall [and network] as well as a neglectful mind-set towards your firewall security as unused rules can potentially lead to malicious attacks. For instance, if a port was opened to allow HTTPS traffic to flow between a business and a cloud application, but then later that branch of the business or application was abandoned. What becomes of that open port? A malicious attacker could discover the opening and use it to download data out of the organization.
Fortunately, many of today’s firewall tools easily monitor network traffic and notify managers if there are open connections that haven’t been used for a specified period of time and shut them down if they no longer serve a business purpose. Purging unused rules not only improves the organization’s security posture but improves firewall performance as well.
Sometimes firewalls come with an extremely complex rule base built where ordinarily an administrator may not realize they are implementing a new rule that conflicts with an existing one. This example could effectively negate the new rule and create dysfunction within the rule as the firewall implements instructions based on the principle of first match in network traffic. Thankfully, there are tools out there that can facilitate these scenarios as engaging these conflicts manually is inadvisable
Document Changes to your Firewalls
Firewall rules are quite often not properly documented. Without good documentation, it can prove difficult to tell why or who requested a rule; thus making optimization near impossible. From a business perspective, if there is traffic over that connection, it can be a challenge to know who owns it and for what purpose. Reconciliation requires that any time a firewall rule is implemented, then the administrator needs to document the new rule. Documentation should include: access request, review and approval, and finally the actual implementation from the firewall administrator. In future firewall optimizations, the administrator now has context and knows who to call for any outdated rules.
App developers and Network Security in harmony
Many times the development team [app] speak their own brand of technical jargon that unless there is a network security within the development team, that language isn’t well understood by firewall administrators, and vice versa. Again, there are tools on the market that can facilitate this communication. The dev team can specify business rules for their application and the firewall tool will use various analytics about the underlying integration to translate that into technical implementation which can be either manually implemented by the firewall administrator or even automatically implemented by the system. This “translation” from a development team to the firewall administer can help eliminate misconfigurations thus saving time in getting the application up and running.
The concept of software-defined networking (SDN) holds great potential in the future of networking segmentation. As business networking slowly moves from the relics of “hard-coded” boxes to software stacks, the idea of “micro-segmentation”, where network traffic between any two endpoints can be analysed and filtered based on a set policy will soon become a reality. Though it can be a bear to manage, Micro-segmentation presents a wave of possibilities for your network security. In the end however, trends like SDNs will not usher in the demise of the firewall but are expected to reemphasize our need for them. As we said at the start, firewalls may not be sexy, but they remain the pillar of all IT security infrastructure–and that’s not changing anytime soon.