Firewalls are not the complete solution for information security. However, they are a vital component of an effective information security infrastructure. Here is a list of IT security best practices to consider to ensure your firewall is configured for optimal effectiveness.
- Deny all traffic by default and only enable those ports, protocols, and services that are needed.
- Disable or uninstall any unnecessary services and software on the firewall that are not specifically required.
- Limit the number of applications that run on the firewall in order to let the firewall do what it’s best at doing. Consider running anti-virus, content filtering, VPN, DHCP, and authentication software on other dedicated systems behind the firewall.
- If possible, run the firewall service as a unique user ID instead of administrator or root.
- Set or change the default firewall administrator or root password before you ever connect it to the public Internet. It sounds too obvious, but it’s true — many firewall passwords are never set or changed from their default. Make it a long complex phrase that’d be very difficult to guess and ideally easy to remember. Change the password every 6-12 months or if it’s ever suspected to have been compromised.
- Do not rely on packet filtering alone. Use stateful inspection and application proxies if possible.
- If your firewall allows it, ensure that you’re filtering packets for correct source and destination addresses to keep malicious traffic from entering and leaving your network.
- If a malicious user can obtain physical access to the firewall, anything can happen. Ensure that physical access to the firewall is controlled.
- A lot of times, firewalls are doing less (or more) than what they should be doing based on your business needs and information flow requirements. Keep your firewall configuration as simple as possible and eliminate unneeded or redundant rules to ensure that the firewall is configured to support your specific needs.
- Make sure the security rule set on the firewall remains consistent with the organization's written information security policy. Also, be sure not to confuse your firewall rule base with your internal "security policy." They're not the same. The former is for the firewall and the latter is for internal dos and don'ts outlining "this is how we do things here." You do have a security policy, don't you?
- Run the firewall on a hardened and routinely patched operating system. An insecure and non-hardened operating system can and will render the firewall useless.
- Perform regular security tests against your firewall, including any VPNs it's hosting. Plug the holes when they're discovered, and keep testing on a consistent basis: the slightest firewall system or rule set modification can completely change the firewall's security capabilities. Perform these tests on every interface of the firewall in all directions. Also, perform these tests with and without the firewall rules enabled to determine how vulnerable you will be when the firewall is not functioning properly.
- Patch the firewall’s operating system and application software with the latest code on a regular basis. However, make sure you test these updates in a controlled, non-production timeframe or environment whenever possible.
- Use firewalls internally to segment networks and permit access control based upon business needs.
- Enable firewall logging and alerting if possible.
- Use a secure remote syslog server that makes log modification and manipulation more difficult for a malicious attacker.
- Regularly monitor the firewall logs. Treat the logs as business records and include them in your information retention policy.
- Note any firewall log entries that don’t look right and investigate them immediately.
- Periodically back up the firewall logs (preferably onto write-once media such as CD-R) and store them for future reference and/or legal protection in the case of a breach that must be investigated.
- Consider outsourcing your firewall management to a Managed Security Service Provider (MSSP) to gain their analysis and intelligence, and also to save time and money by focusing on your core business needs.
- Use change-management practices for the firewall to approve changes needed, assess the reason(s) for the changes, document the changes made, and describe the necessary back-out procedures in case the changes fail.
- Perform ongoing audits, at least yearly, on the firewall to compare what you say you’re doing in your security policy with what’s actually being done and to ensure adherence to any government regulations that pertain to your organization. This can be done manually, or ideally, using a tool such as Karalon’s TrafficIQ Pro (www.karalon.com).
- Require that all remote computers run personal firewall/intrusion prevention software. Firewalls can be easily circumvented if using wireless network systems internally, so it pays to have another layer of defense on your hosts. Make this something that cannot be easily disabled by users. No exceptions.
- Constantly monitor (or subscribe to) your firewall vendor’s security bulletins.
- Regularly backup the firewall configuration files and keep the backup offsite.
- Remember that firewalls most likely won’t be able to prevent attacks that originate from inside your network. An acceptable usage policy, personal firewalls/intrusion prevention software, network monitoring, content filtering, and access controls on all hosts can help lower these risks.
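Several of the points above (deny all by default, filter for correct source addresses, keep the rule base simple and free of redundant rules, audit what the rule base actually does) can be checked mechanically. The following is an added example, not code from the article or its author: a small Python model of an ordered rule base that evaluates packets first-match-wins with an implicit final drop, plus an audit that flags any later rule an earlier rule already covers. The interface names, address ranges and the rules themselves are constructed for illustration.

```python
"""Model an ordered, default-deny firewall rule base and audit it for
shadowed or redundant rules.  Added example; interfaces, address ranges
and rules are constructed for illustration, not taken from any product."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY4 = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")          # assumed internal network
WEB = ip_network("192.168.2.10/32")         # assumed DMZ web server
# Sources that must never arrive on the Internet-facing interface
# (RFC 1918 space, loopback, link-local).
BOGON_SOURCES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str              # "accept" or "drop"
    iface: str               # ingress interface, or "any"
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]     # None matches every port
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        """Does this rule apply to one packet (dict of iface/src/dst/proto/dport)?"""
        return (self.iface in ("any", pkt["iface"])
                and ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` matches is also matched by this rule."""
        return (self.iface in ("any", other.iface)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in ("any", other.proto)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules, pkt):
    """First matching rule wins; no match falls through to the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "drop", "default deny"


def audit(rules):
    """Flag rules an earlier rule already covers: same action -> redundant
    (safe to delete), different action -> shadowed (never takes effect)."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.covers(later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, later.comment, earlier.comment))
                break
    return findings


def build_rules():
    # Anti-spoofing first: drop WAN packets that claim an internal source.
    rules = [Rule("drop", "wan", net, ANY4, "any", None, f"anti-spoof {net}")
             for net in BOGON_SOURCES]
    # The only inbound service the business actually needs.
    rules.append(Rule("accept", "wan", ANY4, WEB, "tcp", 443, "public HTTPS"))
    # Outbound: a too-broad rule followed by a block that can never fire.
    rules.append(Rule("accept", "lan", LAN, ANY4, "any", None, "LAN outbound (too broad)"))
    rules.append(Rule("drop", "lan", LAN, ANY4, "tcp", 23, "block telnet"))
    # A copy of the HTTPS rule left behind after a change; pure clutter.
    rules.append(Rule("accept", "wan", ANY4, WEB, "tcp", 443, "public HTTPS (dup)"))
    return rules


if __name__ == "__main__":
    rules = build_rules()
    for pkt in (
        {"iface": "wan", "src": "192.168.1.5", "dst": "192.168.2.10", "proto": "tcp", "dport": 443},
        {"iface": "wan", "src": "203.0.113.7", "dst": "192.168.2.10", "proto": "tcp", "dport": 443},
        {"iface": "wan", "src": "203.0.113.7", "dst": "192.168.2.10", "proto": "tcp", "dport": 22},
        {"iface": "lan", "src": "192.168.1.5", "dst": "198.51.100.1", "proto": "tcp", "dport": 23},
    ):
        print(pkt["iface"], pkt["src"], "->", pkt["dst"], pkt["dport"], evaluate(rules, pkt))
    for kind, rule, by in audit(rules):
        print(f"{kind}: '{rule}' is covered by '{by}'")
```

Running it shows the telnet block being bypassed by the broad outbound rule and the duplicate HTTPS rule flagged as redundant, which is exactly the kind of drift a yearly rule-base audit is meant to catch. Real products add state tracking, port ranges and negation, but the first-match and coverage logic is the same.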
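For the logging points above (enable logging, review the logs regularly, investigate entries that don't look right), the following added example, again not from the article or its author, parses constructed iptables-style kernel log lines and flags three things a reviewer would want to see: private source addresses arriving on the Internet-facing interface, accepted inbound connections the rule base should never permit, and one source being refused on many different ports. The log lines, the FW-ACCEPT/FW-DROP prefixes, the interface names and the allowed-inbound list are all assumptions.

```python
"""Scan constructed firewall log lines for entries that "don't look right".
Added example; the log format (iptables-style kernel messages with
FW-ACCEPT / FW-DROP prefixes), interface names and addresses are assumed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(r"kernel: FW-(?P<verdict>ACCEPT|DROP): (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: eth0 is the Internet side, eth1 the LAN side.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=44123 DPT=22
Mar  3 10:15:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=44124 DPT=23
Mar  3 10:15:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=44125 DPT=445
Mar  3 10:15:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=44126 DPT=3389
Mar  3 10:15:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=44127 DPT=8080
Mar  3 10:15:07 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.1.77 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=53
Mar  3 10:15:09 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.2.10 PROTO=TCP SPT=50001 DPT=443
Mar  3 10:15:11 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.11 DST=192.168.1.20 PROTO=TCP SPT=50002 DPT=3389
Mar  3 10:15:13 fw kernel: FW-DROP: IN=eth1 OUT= SRC=192.168.1.5 DST=203.0.113.50 PROTO=TCP SPT=40000 DPT=25
Mar  3 10:15:14 fw sshd[812]: Accepted publickey for admin from 192.168.1.2 port 51022
""".splitlines()

# (destination, protocol, port) tuples the rule base is supposed to allow inbound.
ALLOWED_INBOUND = frozenset({("192.168.2.10", "TCP", 443)})


def is_rfc1918(addr: str) -> bool:
    return any(ip_address(addr) in net for net in RFC1918)


def parse_line(line: str):
    """Return a dict for a firewall log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = dict(KV_RE.findall(m.group("fields")))
    return {
        "verdict": m.group("verdict"),
        "in": f.get("IN", ""),
        "src": f.get("SRC"),
        "dst": f.get("DST"),
        "proto": f.get("PROTO"),
        "dport": int(f["DPT"]) if f.get("DPT") else None,
    }


def analyze(lines, wan_iface="eth0", allowed_inbound=ALLOWED_INBOUND, scan_threshold=4):
    """Return (kind, detail) findings worth a human's attention."""
    findings = []
    dropped_ports = defaultdict(set)        # source -> distinct ports it was refused on
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["in"] != wan_iface:
            continue                        # only Internet-facing traffic is judged here
        # 1. A private source address cannot legitimately arrive from the Internet.
        if is_rfc1918(rec["src"]):
            findings.append(("spoofed-source", rec["src"]))
        # 2. An accepted inbound connection the rule base should never permit
        #    points at rule-base drift or an unapproved change.
        if rec["verdict"] == "ACCEPT" and \
                (rec["dst"], rec["proto"], rec["dport"]) not in allowed_inbound:
            findings.append(("unexpected-accept", f"{rec['dst']}:{rec['proto']}/{rec['dport']}"))
        if rec["verdict"] == "DROP":
            dropped_ports[rec["src"]].add(rec["dport"])
    # 3. One source refused on many distinct ports is probing, not misconfigured.
    for src, ports in dropped_ports.items():
        if len(ports) >= scan_threshold:
            findings.append(("port-scan", f"{src} probed {len(ports)} ports"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind:18} {detail}")
```

The allowed-inbound set is the same information as the firewall's accept rules, so keeping the two in step (ideally generated from the same change-controlled source) is what makes the "unexpected accept" check meaningful. Note that the RFC 1918 test is explicit rather than Python's `is_private`, which also treats the documentation ranges used in the sample as private.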
NOTICE: The information contained herein is considered best practices for securing firewalls but may not constitute a secure firewall if implemented. Each firewall and its associated information systems are unique; therefore, these recommendations may not be completely suitable for your situation. As with any change, please test these in a non-production environment first to ensure interoperability within your network.
About the Author
As founder and principal consultant of Principle Logic, LLC, Kevin Beaver has over 18 years of experience in IT and specializes in information security. Before starting his own information security services business in 2001, Kevin served in various information technology and security roles for several healthcare, e-commerce, financial, and educational institutions. As an independent information security consultant, noted author, public speaker, and expert witness, Kevin focuses his work solely on performing information security assessments.
The post Firewall Best Practices for Small Business appeared first on All Covered Learning Center.