Modern firewalls offer a wide range of advanced protections beyond standard access control rules. That versatility comes at a cost, however: a single incorrectly applied access rule can expose your network to a wide variety of attack vectors, and such errors can prove damaging.
In Cisco's 2017 Security Capabilities Benchmark Study, 45% of organisational breaches led to 1-8 hours of downtime, and 49% of organisations had to manage public scrutiny as a result of their breach. That alone is a strong argument for having the most efficient and effective policies in place to protect not only your users, but also your data.
Creating a comprehensive firewall policy that defends against today's intrusion techniques can be complex, yet it is manageable if approached strategically. So, with all the advanced firewall protections available, how can you be sure that you are protecting your infrastructure and applying the most effective practices? Although firewall management has evolved tremendously over the last decade, Smoothwall has a few suggested measures that can help bring your environment up to current standards:
Define your rules in terms of objects, categorised by network role and application, rather than individual, arbitrary IP addresses.
Your firewall policy should always be organised with the most specific rules first and general rules last, with the final rule serving as a "Cleanup" rule that drops all traffic not explicitly allowed above it. An easy way to get there is to take inventory of your infrastructure and of the services each network requires. Instead of defining firewall rules host by host, group similar networks and services together wherever they serve the same purpose. This improves the manageability of your policy, makes it easier to understand while troubleshooting, and makes it more accurate during an audit.
For higher-level management, we suggest using Internal Server Networks, Web Server DMZ, and Guest Wireless Networks as categories for easy organisation.
Logical groups created to support internal users can be collected into a single object named Internal User Networks. Applying service groups in the same manner not only provides a similar gain in organisation and comprehension, it also establishes a unified approach to your firewall management.
Some examples of how you could separate and define your service groups:
- Internal Domain = the ports and protocols your directory service needs; works best with Active Directory or Google as the directory service for username integration
- Internet Services = the commonly used ports and protocols required for internet connectivity
- Absolute Blocked Services = a catch-all, rule-based filter that compiles all unwanted content into a "Blanket Policy" to protect users from illicit content and other potential threats
Apply the relative network and service groups into policies within your firewall.
Since our first area of focus was network-level access, these rules sit further down the policy: they apply to groups rather than to individual hosts. Within that section, place the rules with more tightly defined networks and/or services above those with broader ones, so that a broad rule never shadows a specific rule beneath it. Just like the objects themselves, record each rule together with its purpose.
At this point you can look at the more granular rules that do not fit within the network-related ones. In the firewall policy these rules are placed above the network-related rules, because they focus on a more specific area of access. Review any required access not yet defined; rules at this level should only be server-specific.
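The ordering rules above (specific before general, a final cleanup drop, groups rather than raw addresses) are easy to state and easy to get wrong in a long policy. As an added example, not Smoothwall code, the script below models a first-match policy built from network and service groups, evaluates sample packets against it, and runs the two checks a reviewer would want: that nothing sits after the cleanup rule and that no rule is shadowed by a broader one above it. Every group name, address range, port and rule in it is constructed for illustration.

```python
"""Added example (not Smoothwall's own code): a first-match firewall policy built
from network and service object groups, plus ordering checks for it."""
import ipaddress
from dataclasses import dataclass

# Constructed object groups; ranges are private/documentation address space.
NETWORK_GROUPS = {
    "Internal User Networks": ["10.10.0.0/16", "10.20.0.0/16"],
    "Internal Server Networks": ["10.50.0.0/24"],
    "Web Server DMZ": ["192.168.100.0/24"],
    "Guest Wireless Networks": ["172.16.0.0/16"],
    "Any": ["0.0.0.0/0"],
}
# Service groups as (protocol, port); ("any", 0) matches every service.
SERVICE_GROUPS = {
    "Internal Domain": [("tcp", 88), ("udp", 88), ("tcp", 389), ("tcp", 636), ("tcp", 445)],
    "Internet Services": [("tcp", 80), ("tcp", 443), ("udp", 53)],
    "Database": [("tcp", 5432)],
    "Absolute Blocked Services": [("tcp", 21), ("tcp", 23), ("tcp", 3389)],
    "Any": [("any", 0)],
}

@dataclass
class Rule:
    name: str
    src: str      # network group
    dst: str      # network group
    svc: str      # service group
    action: str   # "allow" or "drop"
    purpose: str  # recorded with the rule, as the article recommends

# Ordered as the article describes: server-specific rule first, then a blanket
# block, then group-level allows, and a cleanup drop last.
POLICY = [
    Rule("DMZ web to DB", "Web Server DMZ", "Internal Server Networks", "Database", "allow", "web tier reads the app database"),
    Rule("Block unwanted services", "Any", "Any", "Absolute Blocked Services", "drop", "blanket policy for cleartext admin protocols"),
    Rule("Users to domain services", "Internal User Networks", "Internal Server Networks", "Internal Domain", "allow", "AD logon and directory lookups"),
    Rule("Users to internet", "Internal User Networks", "Any", "Internet Services", "allow", "web browsing via the filter"),
    Rule("Guest to internet", "Guest Wireless Networks", "Any", "Internet Services", "allow", "BYOD web only"),
    Rule("Cleanup", "Any", "Any", "Any", "drop", "deny anything not explicitly allowed"),
]

def _nets(group):
    return [ipaddress.ip_network(n) for n in NETWORK_GROUPS[group]]

def _in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _nets(group))

def _svc_match(group, proto, port):
    return any(p == "any" or (p == proto and n == port) for p, n in SERVICE_GROUPS[group])

def evaluate(policy, src, dst, proto, port):
    """First-match evaluation: (rule name, action) of the first matching rule,
    or None if the packet falls off the end of the policy unmatched."""
    for r in policy:
        if _in_group(src, r.src) and _in_group(dst, r.dst) and _svc_match(r.svc, proto, port):
            return r.name, r.action
    return None

def _nets_covered(broad, narrow):
    # Every network in the narrow group lies inside some network of the broad group.
    return all(any(n.subnet_of(b) for b in _nets(broad)) for n in _nets(narrow))

def _svcs_covered(broad, narrow):
    wide = SERVICE_GROUPS[broad]
    return ("any", 0) in wide or all(s in wide for s in SERVICE_GROUPS[narrow])

def find_shadowed(policy):
    """(shadowed rule, shadowing rule) pairs: a rule can never match if an
    earlier rule already covers every source, destination and service it names."""
    found = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if (_nets_covered(earlier.src, later.src) and _nets_covered(earlier.dst, later.dst)
                    and _svcs_covered(earlier.svc, later.svc)):
                found.append((later.name, earlier.name))
                break
    return found

def has_cleanup_last(policy):
    """True when the final rule is an explicit any/any/any drop."""
    last = policy[-1]
    return (last.src, last.dst, last.svc, last.action) == ("Any", "Any", "Any", "drop")

if __name__ == "__main__":
    print(evaluate(POLICY, "10.10.5.5", "10.50.0.3", "tcp", 389))   # user reaches AD
    print(evaluate(POLICY, "172.16.3.3", "10.50.0.3", "tcp", 389))  # guest hits cleanup
    print(find_shadowed(POLICY), has_cleanup_last(POLICY))
    broken = POLICY[:4] + [POLICY[5], POLICY[4]]  # cleanup moved above the last allow
    print(find_shadowed(broken), has_cleanup_last(broken))
```

The `broken` policy at the end shows why the checks matter: once the cleanup rule is moved up one slot, "Guest to internet" is reported as shadowed and guests silently lose web access, while without any cleanup rule an unmatched packet returns `None`, which is exactly the implicit behaviour the explicit final drop is meant to replace. Shadowing is reported regardless of action; a shadowed rule with the same action as its shadower is merely redundant, but one with the opposite action is a policy error.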
Do some testing
Below are a few ways to test/troubleshoot whether policies defined within Smoothwall are suitable for your network:
- Use Smoothwall's diagnostics section to verify that Smoothwall can reach each subnet, VLAN and BYOD device within the network
- Use Smoothwall's user activity section, where admins can track active logins of the integration-service users and groups synced to Smoothwall
- Verify that DNS settings match those of your primary and secondary domain controllers, so that Smoothwall can retrieve the records it needs for group membership and similar lookups
- Use Smoothwall's "Realtime" section, where administrators can view live metrics of firewall traffic, various system analytics, blocked/allowed search terms and more
At Smoothwall, we will continue to answer the questions administrators have about best practices, filtering methods, and how to protect users and data in an ever-changing threat landscape. The guidelines above are not specific to our product and can be applied to any firewall.
Don’t forget, guides to troubleshooting the firewall and more can be found on our Smoothwall YouTube Channel.