FIREWALL BEST PRACTICES
Overview
A firewall is a combination of hardware and software used to
implement a security policy governing the network traffic between
two or more networks, some of which may be under your administrative
control (e.g., your organization’s networks) and some of
which may be out of your control (e.g., the Internet). A network
firewall commonly serves as a primary line of defense against
external threats to your organization's computer systems, networks,
and critical information. Firewalls can also be used to partition
your organization’s internal networks, reducing your risk
from insider attacks.
Source: Computer Emergency Response Team (CERT®)
Resource Center

A frequently useful firewall architecture
Firewalls provide one of two types of protection. The first is
a packet filter, which blocks traffic based on packet header criteria
such as a packet's source or destination. The second
type of firewall is an application level gateway, which acts as
an intermediary for a protected system. Application level gateways
provide additional security by normalizing data sessions and ensuring
that only normalized content is received by the protected system.
Common applications for which such gateways are available include
e-mail, file transfer, and Web. Because they provide additional
functionality, application level gateways are more expensive than
packet filters, and can also be more difficult to configure. However,
they can provide more robust protection for a system.
Neither type of firewall, though, can properly protect improperly
configured systems; in fact, that is a task firewalls are often
incorrectly deployed to perform. Firewalls should not be treated
as a mechanism for reducing or eliminating the need to "harden"
systems against attack. For example, although an application layer
gateway may provide extensive protection for a Web server, if
that server's Web-based administration interface is enabled but
not password-protected, that system will be as vulnerable as if
it were not behind a firewall at all.
A Multi-Layer Approach to Network Security at Florida State University

Tier 1 - Internet perimeter connection.
This tier consists of a Cisco Perimeter Firewall (filtering
router) and a stand-alone Intrusion Detection (evaluation)
system.

Tier 2 - Subnet/router layer
- Firewall hardware/software at the subnet level
- For internal colleges, units and university infrastructure
servers.

Tier 3 - Desktop machine, File Servers layer
The responsibility of the end user and departmental system
administrator.
Some Best Practices
Firewalls should be deployed to create zones of allowable traffic
types. For example, public systems such as Web servers and e-mail
gateways should be placed in separate zones from the application,
database, and internal e-mail servers that support them. Firewalls
may also be beneficial when deployed internally, such as to protect
data center systems from misuse by employees or to prevent communication
links to business partners from being a source of malicious traffic.
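As an added illustration of the zoning idea above (example code written for this page, not FSU's or CERT's), the following Python script checks a constructed packet-filter rule set against a table of the zone-to-zone flows the design allows. The zone networks, the policy table and the rules are all assumptions for the example; the script reports any permit rule that opens a path the policy does not list, such as a rule with an "any" source that reaches the database zone.

```python
"""Added example: check a packet-filter rule set against a zone policy.

Zones, networks and rules are constructed for this example; the policy
table lists which zone-to-zone flows (and ports) the design allows, and
every "permit" rule is checked against it so that a sloppy "any" source
cannot open a path from the Internet straight to the database zone.
"""
import ipaddress

# Constructed zones (not FSU's real addressing).  Any address outside
# these networks is treated as the INTERNET zone.
ZONES = {
    "DMZ":  [ipaddress.ip_network("192.0.2.0/24")],   # public Web / mail gateways
    "APP":  [ipaddress.ip_network("10.1.0.0/24")],    # application servers
    "DB":   [ipaddress.ip_network("10.2.0.0/24")],    # database servers
    "CORP": [ipaddress.ip_network("10.0.0.0/16")],    # staff workstations
}

# Allowed flows as (src_zone, dst_zone, dport); "*" is a wildcard.
# Traffic that stays inside one zone never crosses the firewall and is
# therefore not checked.
ALLOWED_FLOWS = {
    ("*",    "DMZ", 443),    # anyone may reach the public Web servers
    ("*",    "DMZ", 25),     # anyone may deliver mail to the gateway
    ("DMZ",  "APP", 8080),   # Web tier talks to the application tier
    ("APP",  "DB",  5432),   # application tier talks to the database
    ("CORP", "APP", 8080),   # staff use the application tier directly
}

# Candidate rule set (constructed): first match wins, implicit deny at the end.
RULES = [
    {"action": "permit", "src": "0.0.0.0/0",    "dst": "192.0.2.0/24", "dport": 443},
    {"action": "permit", "src": "0.0.0.0/0",    "dst": "192.0.2.0/24", "dport": 25},
    {"action": "permit", "src": "192.0.2.0/24", "dst": "10.1.0.0/24",  "dport": 8080},
    {"action": "permit", "src": "0.0.0.0/0",    "dst": "10.2.0.0/24",  "dport": 5432},  # the mistake
    {"action": "permit", "src": "10.1.0.0/24",  "dst": "10.2.0.0/24",  "dport": 5432},
    {"action": "permit", "src": "10.0.0.0/16",  "dst": "10.1.0.0/24",  "dport": 8080},
]


def zones_spanned(prefix):
    """Return every zone a rule prefix touches.  A prefix that is not
    wholly inside one defined zone also spans the INTERNET."""
    net = ipaddress.ip_network(prefix)
    spanned = {z for z, nets in ZONES.items() if any(net.overlaps(n) for n in nets)}
    if not any(net.subnet_of(n) for nets in ZONES.values() for n in nets):
        spanned.add("INTERNET")
    return spanned


def flow_allowed(src_zone, dst_zone, dport):
    """True if the policy table (or the intra-zone rule) allows this flow."""
    if src_zone == dst_zone:
        return True  # intra-zone traffic does not cross the firewall
    for s, d, p in ALLOWED_FLOWS:
        if s in ("*", src_zone) and d in ("*", dst_zone) and p in ("*", dport):
            return True
    return False


def check_rules(rules):
    """Return (rule index, src zone, dst zone, port) for every zone-to-zone
    path a permit rule opens that the policy does not allow."""
    violations = []
    for i, rule in enumerate(rules):
        if rule["action"] != "permit":
            continue
        for src_zone in sorted(zones_spanned(rule["src"])):
            for dst_zone in sorted(zones_spanned(rule["dst"])):
                if not flow_allowed(src_zone, dst_zone, rule["dport"]):
                    violations.append((i, src_zone, dst_zone, rule["dport"]))
    return violations


if __name__ == "__main__":
    for v in check_rules(RULES):
        print("rule %d opens %s -> %s port %s, not in policy" % v)
```

Run as written, the script reports three paths opened by the fourth rule (from the DMZ, the staff network and the Internet to the database zone) and nothing for the others; tightening that rule's source to the application network makes the report empty.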
Firewalls are only one element in a proper security strategy,
and one should avoid over-zealous firewall deployments.
As with any system for which security is a concern, one must
ensure that firewall security patches are installed as soon as
possible after the respective vendors release them. However, because
firewalls are not patched as frequently as other products, it
may be more difficult to determine when a patch has been released.
Network/System Administrators should contact product vendors to
determine whether automatic notification and distribution channels
are available for such patches.
If automatic update bulletins or distribution channels are not
available, one should detail one or more individuals (primary
and alternate where possible) to check with the vendor for product
updates on at least a weekly basis, if not more frequently. Nearly
all vendors provide Web-based support portals where these patches
can be downloaded. One should ensure that a full inventory of
deployed devices is provided to the individual(s) who perform
this function to ensure that all relevant updates are retrieved.
Further, although most firewalls do not provide an extensive
list of services, many do have the option of enabling or disabling
at least a few items. One should ensure that only the minimal
configurations required to address each security requirement are
deployed on firewalls. For example, if the Simple Network Management
Protocol (SNMP) is not required for device management, it should
be disabled because even such basic services can be targets for
attack.
Firewalls should not be used to replace IDS products, but they
can provide valuable information for identifying attack attempts
and patterns, and even system problems, because their false-positive
rate is very low. For example, failed connection attempts may
indicate either an attack probe or a failed system. Traffic types
and directions can also yield interesting information. For example,
outbound connection attempts from server systems are rarely authorized
traffic, and thus should often lead to examinations for Trojan
horses or other system back doors. Inbound connection attempts
to proxies are also examples of traffic types with a very low
rate of false positives.
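The log signals described above, as an added example in Python (not code from the original page): it parses a constructed set of firewall log lines in a hypothetical format, counts distinct denied targets per source to separate a probe from a single failed system, and flags outbound connection attempts from the server zone and inbound attempts from outside to the client proxy. The networks, the proxy address, the log layout and the threshold of three distinct targets are all assumptions for the example.

```python
"""Added example: triage constructed firewall log lines for the signals
the text describes: repeated failed connection attempts from one source
(probe or broken system), outbound connection attempts from server
systems, and inbound attempts from outside to a client proxy.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed zone definitions (not real addressing).
SERVER_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # server zone
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]     # everything we administer
PROXY_HOSTS = {ipaddress.ip_address("192.0.2.30")}         # client Web browsing proxy
PROBE_THRESHOLD = 3   # distinct denied targets from one source before we call it a probe

# Constructed sample log in a hypothetical "ts ACTION proto src:port -> dst:port"
# layout; real firewall syslog formats differ and need their own regex.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY tcp 203.0.113.7:51200 -> 192.0.2.10:22
2024-05-01T10:00:02 DENY tcp 203.0.113.7:51201 -> 192.0.2.10:23
2024-05-01T10:00:03 DENY tcp 203.0.113.7:51202 -> 192.0.2.10:3389
2024-05-01T10:00:04 DENY tcp 203.0.113.7:51203 -> 192.0.2.11:22
2024-05-01T10:01:00 PERMIT tcp 198.51.100.5:40000 -> 192.0.2.10:443
2024-05-01T10:02:10 DENY tcp 192.0.2.10:33000 -> 198.51.100.99:6667
2024-05-01T10:02:11 PERMIT tcp 192.0.2.10:33001 -> 198.51.100.99:6667
2024-05-01T10:03:00 DENY tcp 203.0.113.9:4444 -> 192.0.2.30:3128
2024-05-01T10:04:00 PERMIT tcp 10.0.0.15:52000 -> 192.0.2.30:3128
2024-05-01T10:05:00 DENY udp 198.51.100.20:5353 -> 192.0.2.10:161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>PERMIT|DENY)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["line"] = line.strip()
    return rec


def in_nets(addr, nets):
    return any(addr in n for n in nets)


def triage(log_text):
    """Group the log into the categories worth a human look."""
    denied_targets = defaultdict(set)   # source -> set of (dst, dport) it was denied to
    outbound_from_servers = []
    inbound_to_proxy = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "DENY":
            denied_targets[rec["src"]].add((rec["dst"], rec["dport"]))
        # Servers should not be initiating connections to the outside world
        # at all; permitted ones deserve a closer look than denied ones.
        if in_nets(rec["src"], SERVER_NETS) and not in_nets(rec["dst"], INTERNAL_NETS):
            outbound_from_servers.append(rec["line"])
        # The proxy serves internal clients; outside sources have no business with it.
        if rec["dst"] in PROXY_HOSTS and not in_nets(rec["src"], INTERNAL_NETS):
            inbound_to_proxy.append(rec["line"])
    failed = {str(src): len(targets) for src, targets in denied_targets.items()}
    probes = {src: n for src, n in failed.items() if n >= PROBE_THRESHOLD}
    return {
        "probes": probes,                                                        # many distinct targets
        "single_failures": {s: n for s, n in failed.items() if s not in probes},  # possibly a broken system
        "outbound_from_servers": outbound_from_servers,
        "inbound_to_proxy": inbound_to_proxy,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the sample log the one source that was denied to four distinct targets is reported as a probe, the three sources with a single denied attempt are listed separately for follow-up, both connection attempts from the server 192.0.2.10 to the outside (the denied one and, more worryingly, the permitted one) are flagged, and the only inbound attempt to the proxy from outside is listed while the internal client's use of the proxy is not.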
Separating system types and responsibilities can help make these
examinations clearer. If resources are available to do so,
one should consider deploying separate systems to segregate e-mail
traffic, client Web browsing proxy services, etc. This step will
simplify firewall rule sets, and also have beneficial effects
on other security layers, such as IDS products.
Finally, one should bear in mind that firewall deployments are
only effective if they evolve alongside application requirements
over time. Budgetary allowances should be made to ensure that
this critical piece of the security infrastructure is kept up
to date and continues to meet application requirements for security.
Firewall deployments should be reviewed and re-evaluated on a
yearly basis, or whenever application requirements change, whichever
comes first.
Discussion
Please recognize that implementing a stand-alone firewall is
a complex process that requires collaborative planning and coordination.
Experience has demonstrated that even with planning sessions,
most departments do not know the full range of TCP/UDP port numbers
used by their various applications, and there is invariably an
error/debug cycle.
Academic Computing Network Services, Office of Technology Integration,
currently uses a series of filtering routers whose Access Control
Lists (ACLs) are used to better manage traffic flow on the network
and its subnets.
Although a packet-filtering router* is not, strictly speaking,
a "firewall", there are three good arguments in favor
of doing as much with these as possible:
- Filtering packets on the basis of IP and/or port numbers
is 90% of what most firewalls do anyway.
- We have an installed base of routers.
- Cost savings.
*What usually differentiates a filtering router from a "real
firewall" is that the latter is "stateful", i.e.,
it maintains information regarding session flows, and can be used
to permit one-way use of applications which can confuse simple
filter lists (e.g., FTP).
Cisco's "Firewall Feature Set" (FFS) provides this
"stateful" characteristic to the router, and there would
be some benefit to this, particularly if implementing it can be
done for no cost (average quote for a standalone firewall appears
to be approximately $2,500 which does not include vendor consulting
and installation fees). The FFS has not been implemented yet for
a number of reasons, but it is on our list of things to do.
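To show concretely how a one-way application such as FTP confuses a simple filter list, and what session tracking adds, here is an added Python model (not Cisco's implementation and not code from the original page). It runs a constructed active-mode FTP exchange through a stateless list that permits inbound packets only when they are replies to an inside-initiated conversation, and then through a simplified stateful tracker that records inside-initiated sessions and the data connection the client announces in its PORT command. Addresses, ports and the packet sequence are assumptions for the example.

```python
"""Added example: why a stateless filter list struggles with FTP, and
what the "stateful" feature adds.  Addresses, ports and the packet
sequence are constructed; the filter logic is a simplified model, not
Cisco's implementation.
"""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # our side of the router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool            # connection request
    ack: bool            # part of an already-started conversation
    payload: str = ""    # only the FTP PORT command is looked at


def is_inside(addr):
    return ipaddress.ip_address(addr) in INSIDE


# ---- Stateless filter list (the "filtering router" case) ----------------
# Outbound: inside hosts may start anything.  Inbound: only packets with
# ACK set, i.e. replies to conversations already under way.  A new
# inbound connection (SYN without ACK) hits the implicit deny.
def stateless(pkt):
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "permit"
    if not is_inside(pkt.src) and is_inside(pkt.dst) and pkt.ack:
        return "permit"            # "established"-style match
    return "deny"                  # implicit deny


# ---- Stateful filter (what the Firewall Feature Set adds) ----------------
def parse_port_command(payload):
    """FTP 'PORT h1,h2,h3,h4,p1,p2' -> (client_ip, client_port), or None."""
    if not payload.startswith("PORT "):
        return None
    parts = payload[5:].strip().split(",")
    if len(parts) != 6:
        return None
    host = ".".join(parts[:4])
    return host, int(parts[4]) * 256 + int(parts[5])


class StatefulFilter:
    def __init__(self):
        self.sessions = set()    # (src, sport, dst, dport) of inside-initiated flows
        self.expected = set()    # (server, client, client_port) announced by PORT

    def evaluate(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.syn and not pkt.ack:
                self.sessions.add(key)            # remember who started the flow
            if key in self.sessions and pkt.dport == 21:
                announced = parse_port_command(pkt.payload)
                if announced:                      # client told the server where to connect back
                    self.expected.add((pkt.dst,) + announced)
            return "permit"
        if reverse in self.sessions:
            return "permit"                        # reply inside a tracked session
        data_conn = (pkt.src, pkt.dst, pkt.dport)
        if pkt.syn and not pkt.ack and pkt.sport == 20 and data_conn in self.expected:
            self.expected.discard(data_conn)       # one announcement, one connection
            self.sessions.add(reverse)             # the data connection is now a tracked flow
            return "permit"
        return "deny"


# Constructed active-mode FTP exchange between inside client 10.0.0.15 and
# outside server 198.51.100.40, followed by an unrelated inbound request.
EXCHANGE = [
    Packet("10.0.0.15", 40001, "198.51.100.40", 21, syn=True, ack=False),      # control connection
    Packet("198.51.100.40", 21, "10.0.0.15", 40001, syn=True, ack=True),       # server's SYN/ACK
    Packet("10.0.0.15", 40001, "198.51.100.40", 21, syn=False, ack=True,
           payload="PORT 10,0,0,15,200,10"),                                  # client announces port 51210
    Packet("198.51.100.40", 20, "10.0.0.15", 51210, syn=True, ack=False),      # data connection from server
    Packet("198.51.100.40", 20, "10.0.0.16", 51210, syn=True, ack=False),      # nobody asked for this one
]


def run_stateless(packets):
    return [stateless(p) for p in packets]


def run_stateful(packets):
    fw = StatefulFilter()
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run_stateless(EXCHANGE))
    print("stateful: ", run_stateful(EXCHANGE))
```

The stateless list passes the control connection and its replies but denies the server's data connection (the fourth packet), so the transfer fails; the only stateless fix would be a standing inbound exception for the whole range of client ports. The stateful tracker permits exactly that one data connection because it matches the PORT announcement it saw on the control session, and still denies the fifth packet, for which no announcement exists.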
If we are going to significantly expand the number of locations
where we deploy departmental firewalls, we recommend a number
of things.
1) A vulnerability scan of the departmental net as a first step
in the process. Not only would this reveal the full range of legitimate
TCP/UDP port numbers in use (reducing the length of the debug
cycle), but would reveal security vulnerabilities and expose the
presence of trojan and worm-infected computers.
2) Manage this responsibility along the lines of the hostmaster/DNS
arrangement, e.g., requests would be sent to something like "firewall@acns.fsu.edu",
and when the person normally responsible for handling these is
unavailable, another individual can assume the role.
3) A designated departmental contact from whom requests must come.
This would also provide us with a contact for general security
issues.
Other Areas/Resources.
The FSU Guide to Computing Resources (www.gtcr.fsu.edu)
is designed to provide Students, Faculty and Staff with on-line,
up-to-date information on a variety of topics. Specific recommendations
are made regarding a desktop/user "firewall" program,
using commercial software; alternatively, users may elect to install
a free program, ZoneAlarm, available from Zonelabs,
as well as an effective free anti-virus program (AVG Anti-Virus),
which is available for download from Grisoft.
PC Security 101 http://gtcr.fsu.edu/pcsecurity101.html
provides participants with personal computing information and
hands on experiences on ways to protect their work/home computing
resources at the desktop level.
Points of contact regarding firewall coordination and deployment
Office of Technology Integration:
Larry Conrad, Joseph Lazor 644-0066
Academic Computing and Network Services, Office of Technology Integration:
Carl Baker, Art Houle 644-2597
CERT® Security improvement approach
In addition to the best practices presented, there is also a need
for a formal approach to deploying firewalls effectively.
We suggest you review the CERT® Security improvement model/tutorial
that recommends a four-part approach. It requires implementing
security practices in these areas:
- Preparing for firewall system deployment
- Configuring your firewall system to reflect your security policy
- Testing your firewall system to ensure it performs according
to your specifications
- Deploying the correctly configured firewall system
A summary of CERT® recommended practices (hyperlinked
to provide additional guidance and information) includes: