Everybody loves a good list, and we’re no different! Here’s a list of the TOP 7 things we like to do first when we secure a Firewall. So, without further ado…
1. Establish a written information security policy (WISP) and ensure that the firewall configuration is consistent with that policy.
Let’s start with the basics. An Information Security Policy (ISP) is:
“A set of rules enacted by an organization to ensure that all users or networks of the IT structure within the organization’s domain abide by the prescriptions regarding the security of data stored digitally within the boundaries the organization stretches its authority.”
– The InfoSec Institute
To break that down a bit and make things more consumable, an ISP or a WISP, in this case, set the rules and guidelines regarding what people can and cannot do on your network. Simple.
The point of writing out your ISP is to create a document of record. Once posted a WISP should become the law of the land. A WISP should be a point of reference to everyone who needs it to help clarify the proper steps to take when a potentially nebulous security situation pops up.
2. Create individual administrative accounts, never use the built-in or common administrator account names e.g. admin, administrator, root etc. and always use some form of multi-factor authentication.
We’ve talked a little bit about the Principal of Least Privileges before but we’ll get into it again. The least-privilege principle says that every module (in this case a user or application) must be able to access ONLY the information and resources that are necessary for its legitimate purpose.
In this instance, though it’s all about accountability. If all of your administrators have their own accounts and own sets of privileges you create a safer, more stable environment.
By eliminating commonly used account names you eliminate an easy avenue of attack. Isn’t rocket science to think attackers might try to access your firewall leveraging commonly used account names and passwords first, is it?
Same goes for multi-factor authentication. Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).
It’s pretty self explanatory why you’d want to enable mutli-factor authentication on your firewall.
3. Control physical access to the firewall.
This is self-explanatory. Think about it this way. Would you want somebody poking around your house while you’re not there? No? Well, then you probably don’t want somebody poking around your stack unsupervised either.
4. Restrict logical administrative access to the firewall by only accepting encrypted connections from trusted sources.
Some firewalls allow you to manage them through clear text protocols but we don’t recommend it. You should ALWAYS use encrypted channels and limit the number of people and sources who have access to the device .
5. When creating firewall rules, apply the Principal of Least Privilege and avoid the lure of the Principle of Least Resistance.
See, there it is again. That Principal of Least Privilege keeps popping up. And it should. Using shared accounts or the Principle of Least Resistance is just a bad, bad idea. Using one shared account not only makes a network or computer system insecure, but it also strips out any user accountability. If everyone is using the same credentials how would you be able to determine who might have changed a setting or caused a problem on your system?
The rules that you use to define network access should be as specific as possible. This strategy is referred to as the principle of least privilege, and it forces control over network traffic. Specify as many parameters as possible in the rules.
A layer 4 firewall uses the following parameters for an access rule:
- Source IP address (or range of IP addresses)
- Destination IP address (or range of IP addresses)
- Destination port (or range of ports)
As many parameters as possible should be specified in the rule used to define network access. There are limited scenarios where
any is used in any of these fields.
6. Maintain an understandable and simple configuration; create objects using commonly understood names and eliminate redundant rules. Wherever possible, limit the use of groups as they tend to obfuscate policy readability.
Don’t get too carried away when you’re creating configurations. Call things out explicitly. Often times people get carried when they start naming things.
Using obscure references or difficult to remember names makes everybody miserable. For instance, your System Guy might have given your server a specific easy to remember the name but your Firewall Guy might refer to the system by its IP address instead. Don’t be Firewall Guy.
7. Perform regular vulnerability scans against all public IP addresses that are managed by the firewall. Verify the results against the firewall rule-base and WISP.
A vulnerability scanner will scan, from an outside source, a list of IP address for all listening ports (TCP/UDP). Once it discovers those ports it will perform further probes to determine what service is running on those ports.
For example, it might find IIS running on Port 80. The scanner will then discern what version of IIS software is running and then look to a list of known vulnerabilities associated with that version of the software.
You want to make certain the scan results match your expectations in terms of exposed services.
If you’ve got any questions regarding our list or want to find out a bit more regarding Managed Information Security Services (firewalls included) from Integris just click this link.