Preventing unauthorised access to corporate networks is a major priority for most network managers. A firewall is an essential brick in the wall against hackers, and network managers need to pay close attention to it. Changes in network organisation, updates to existing systems and introduction of new applications can all change the optimal configuration of the firewall.
A misconfigured firewall brings all sorts of problems with it: traffic can be misrouted, blocked, or allowed in when it shouldn’t be. It is often difficult and time-consuming to track the error(s) down and rectify them.
Misconfiguration can occur for many reasons apart from user error, including changes to application systems following an update or upgrade, the introduction of new applications, or changes in network configuration.
In short, firewall configuration is not a one-off exercise but a continuous programme of management.
All systems changes must go through change control, including an assessment of implications for firewall configuration.
In most organisations, there is a change control process run by a change control committee, usually headed by a non-IT person. The purpose of this function is to ensure that no unintended consequences will follow the implementation of a change and that there is an adequate budget for the change. It may also involve assessing the risk profile associated with the change.
An assessment of any firewall changes must form part of the change control process and be reflected in the implementation budget and risk analysis.
Any usage policies and any other operational policies may also need consideration.
Document all changes.
Block everything by default. Allow only that which is explicitly allowed.
There are two basic default firewall configurations: allow everything that is not specifically blocked, or block everything that is not specifically allowed.
The second is the better one in respect of network security. It ensures that only traffic that has been explicitly approved reaches its destination, and that anything else is dropped.
It is most easily implemented by making the final rule in an access control list a rule to deny all traffic. Many firewalls already apply an implicit deny at the end of a list, but an explicit final deny rule makes the policy visible in the configuration and gives you a rule whose matches can be logged and counted.
Rule management is made up of several related activities:
- Clean Up Unused and Outdated Rules
A firewall in a large organisation will have many rules, a few of which will be complex. Some of these will be outdated or unused and refer to requirements that are no longer valid, and each one is an opening an attacker can use. One example is an application that is no longer in use but once required an open HTTP or HTTPS port (80 or 443) to transfer traffic. If a malicious hacker discovers this open but idle and unmonitored port, it could be used to mount an attack or to transfer data out of the organisation.
Removing unused and outdated rules makes firewall management a lot simpler, improves the security profile and will probably improve firewall performance as well.
- Clean Up Duplicate and Conflicting Rules
Access control lists can be large and complex, and an administrator in a rush to implement a new rule sometimes takes a chance that it does not duplicate or conflict with an existing rule.
Most firewalls work on the principle of “first match”: the list is evaluated top-down and the first rule that matches a packet decides its fate. If a new rule is placed further down the access control list than an existing rule that already matches the same traffic, the older rule higher up is applied and the new rule is never reached. When the two rules have the same action the new rule is merely redundant; when they differ, the new rule silently fails to take effect.
In a large organisation, checking for this by hand is a lengthy and tedious task, so it is better to use an automated tool to scan the ACL and identify potential duplicate or conflicting rules.
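As an added illustration for the two clean-up activities above (this is example code written for this page, not a tool from the original article), the following Python script simulates a first-match access control list. It keeps an explicit deny-all as the last rule, flags later rules that an earlier, broader rule completely shadows (a duplicate where the actions agree, a conflict where they differ), and replays constructed traffic records against the list to find rules that never match and are therefore candidates for removal. All rule names, addresses and traffic records are made up for the example; a real tool would read the vendor's rule export and hit counters instead.

```python
"""First-match ACL simulator: default deny, shadowed-rule and unused-rule checks.

Added example for this page; the rules, addresses and traffic below are
constructed for illustration and do not come from any real configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src: str = ANY                # source CIDR
    dst: str = ANY                # destination CIDR
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches every destination port
    hits: int = 0                 # filled in when traffic is replayed

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        """True if a single flow (src, dst, proto, dport) matches this rule."""
        return (
            ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", proto)
            and self.dport in (None, dport)
        )

    def covers(self, other: "Rule") -> bool:
        """True if every flow matching `other` also matches this rule."""
        return (
            ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
            and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
            and self.proto in ("any", other.proto)
            and self.dport in (None, other.dport)
        )


def has_default_deny(rules: List[Rule]) -> bool:
    """Check that the list ends with an explicit deny-all rule."""
    last = rules[-1] if rules else None
    return bool(last and last.action == "deny" and last.src == ANY
                and last.dst == ANY and last.proto == "any" and last.dport is None)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation: walk top-down, return (action, rule name) of the first hit.
    A flow that matches nothing means the list lacks its final deny-all; treat that
    as a configuration error rather than silently allowing the traffic."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            rule.hits += 1
            return rule.action, rule.name
    raise RuntimeError("no matching rule: ACL lacks a final deny-all")


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) where the earlier rule fully covers the later one, so the
    later rule can never be reached under first-match. Same action = redundant duplicate;
    different action = conflict (the later rule's intent is not enforced)."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((earlier.name, later.name))
                break
    return found


def unused_rules(rules: List[Rule], traffic) -> List[str]:
    """Replay flows (src, dst, proto, dport) and report rules that never matched."""
    for r in rules:
        r.hits = 0
    for flow in traffic:
        evaluate(rules, *flow)
    return [r.name for r in rules if r.hits == 0]


# Constructed sample ACL (hypothetical names and RFC 1918 / documentation addresses).
ACL = [
    Rule("allow-web-in", "allow", ANY, "10.0.1.0/24", "tcp", 443),
    Rule("allow-legacy-app", "allow", ANY, "10.0.1.50/32", "tcp", 8080),   # app since decommissioned
    Rule("allow-mgmt", "allow", "10.0.9.0/24", "10.0.1.0/24", "tcp", 22),
    Rule("allow-web-in-dup", "allow", ANY, "10.0.1.0/24", "tcp", 443),     # duplicate of allow-web-in
    Rule("deny-mgmt-from-guest", "deny", "10.0.9.7/32", "10.0.1.0/24", "tcp", 22),  # shadowed by allow-mgmt
    Rule("deny-all", "deny"),                                               # explicit final default deny
]

# Constructed sample flows, as a log replay would supply them.
TRAFFIC = [
    ("203.0.113.5", "10.0.1.10", "tcp", 443),
    ("10.0.9.7", "10.0.1.10", "tcp", 22),
    ("198.51.100.9", "10.0.1.10", "tcp", 3389),
]

if __name__ == "__main__":
    print("default deny present:", has_default_deny(ACL))
    for flow in TRAFFIC:
        print(flow, "->", evaluate(ACL, *flow))
    print("shadowed (earlier, later):", shadowed_rules(ACL))
    print("never matched:", unused_rules(ACL, TRAFFIC))
```

In the sample list the guest host 10.0.9.7 is still allowed SSH access because `deny-mgmt-from-guest` sits below the broader `allow-mgmt` rule; moving the deny above the allow is the fix. Note that `covers()` only detects complete shadowing; rules that partially overlap (for example two address ranges that intersect without one containing the other) need a pairwise intersection check that this example deliberately leaves out.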
- Document your rules and change requests
Because of the work involved, and its perceived low priority, rules and rule changes are often not properly and completely documented.
This has several implications: (1) It can be difficult to determine who owns a rule from a business point of view. (2) It can be difficult to demonstrate compliance with regulations. (3) When cleaning up the list, nobody can say with confidence whether an undocumented rule is still needed.
A business process is required, perhaps linked to the change control process to ensure that all rules are properly documented. This may take the form of a request from the business owner of the process needing the firewall rule, formal approval by IT and a record of the network admin implementing the request.
Sometimes development and implementation of new systems or system upgrades need firewall changes. This implies communication between the requestor and network admin in language that both can understand.
Clear and concise documentation can help.
Review everything four times a year.
As discussed above, the firewall is not a static entity. Changes will be needed from time to time, driven by operational requirements. Changes may also be needed to implement countermeasures against new malware threats and attack vectors.
Regular reviews of the firewall operation and configuration should happen at least twice, and preferably four times a year.