6 Best Practices for Secure Network Firewall Configuration
A firewall is a network security system that helps protect your network by monitoring network traffic and, based on a predetermined set of rules, blocking outsiders from gaining unauthorized access to private data on your computer systems. A network firewall establishes a barrier between a trusted network and an untrusted network.
A network firewall does not only block untrusted traffic; it can also block malicious software that would otherwise infect your computers, while letting legitimate traffic through. Network firewalls usually serve as the first line of defense in your home network security.
8 Types of firewalls
There are different types of firewalls; however, they are normally categorized as either host-based or network-based. Network firewall appliances may also offer non-firewall functions, such as virtual private network (VPN) termination or Dynamic Host Configuration Protocol (DHCP) service. The following are the most common types of firewalls.
Packet-filtering firewalls
This is the oldest and most basic type. It creates a checkpoint for packets transferred between computers: packets are filtered by source and destination IP address, protocol, destination port, and other header-level information, without opening the packet to inspect its contents.
If a packet does not match the filtering rules, it is dropped. These firewalls are not very resource-intensive; however, they are relatively easy to bypass compared with firewalls that have more robust inspection capabilities.
Circuit-level gateways
Circuit-level gateways are another lightweight type of firewall. They work by verifying the TCP (Transmission Control Protocol) handshake, a check designed to ensure that the session's packets come from a legitimate source.
Circuit-level gateways are simple firewalls intended to deny or approve traffic quickly without consuming significant computing resources. However, this type does not inspect the packet itself: if a packet carries malware but belongs to a correctly established TCP session, it passes through.
Application-level gateways / Layer 7
Proxy firewalls run at the application layer to filter traffic between an external source and your network. They are often delivered as a cloud-based service or through another proxy system. Proxy firewalls examine both the packet and the TCP handshake, and they may also perform deep packet inspection to verify that the payload carries no malware.
The major advantage of application-layer filtering is that it can understand specific applications and protocols, including Hyper-Text Transfer Protocol (HTTP), Domain Name System (DNS), or File Transfer Protocol (FTP).
Stateful inspection firewalls
Stateful inspection firewalls combine TCP handshake verification with packet inspection to provide a higher level of network security than packet-filtering firewalls or circuit-level gateways can guarantee alone. However, this type slows the transfer of legitimate packets more than the other two architectures do.
Cloud firewalls
The key advantage of cloud-based firewalls is that they are easy to scale with your organization. Cloud firewalls are also called firewall-as-a-service (FaaS). They are considered similar to proxy firewalls because the cloud servers are typically deployed in a proxy-like firewall setup, in front of the protected network.
Hardware firewalls
This type of firewall is a physical device that behaves much like a traffic router: it checks traffic requests and data packets before they reach the network's servers.
Software firewalls
This includes any firewall installed on a local system rather than on a dedicated piece of hardware or as a cloud-based solution. Software firewalls are particularly useful when establishing defense in depth, because they isolate individual network endpoints from one another.
Next-gen firewalls
"Next-generation" firewalls include most newly released firewall products. While there isn't much consensus on what characterizes a next-gen firewall, common features include TCP handshake inspection, deep packet inspection, and surface-level (header) packet inspection.
How to Configure and Manage a Secure Firewall?
There are several firewall standards you can adopt to defend your network. Regardless of the firewall platform you select, the following steps are crucial.
1. Ensure your firewall is secure
Securing the firewall itself is the first step in configuring and managing a secure firewall. Never put a firewall into service before it has been hardened; instead:
- Disable the Simple Network Management Protocol (SNMP)
- Rename, disable, or delete all default user accounts and change all default passwords
- Create additional administrator accounts based on responsibilities, particularly if multiple administrators will manage the firewall
2. Create your firewall zones and corresponding IP addresses
Each zone you establish narrows what a compromised host can reach, so the more zones you create, the more secure your network becomes. Before you can defend your valuable assets, you must identify what they are, then plan your network structure so that systems are grouped based on their function and sensitivity.
Once you have designed a secure structure and created the corresponding IP address plan, you are ready to architect your firewall zones and assign them to the firewall's interfaces and/or sub-interfaces.
3. Configure access control lists (ACLs)
After establishing your network zones and assigning them to firewall interfaces, the next step is to determine which traffic needs to flow into and out of each zone. This is done with access control lists (ACLs). Apply both inbound and outbound ACLs to each interface and sub-interface on your network firewall, so that only approved traffic enters and leaves each zone.
4. Configure other firewall services to the required standards
Depending on your firewall's ability to act as an intrusion prevention system (IPS), Network Time Protocol (NTP) server, DHCP server, and so on, configure the services you require and disable every additional service that is not relevant to you, since each enabled service is extra exposed attack surface.
Consult the PCI DSS and satisfy requirements 10.2 through 10.3 to configure your firewall to report to your logging server properly.
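The zone and ACL design described in steps 2 to 4, written out as an nftables ruleset for a three-interface firewall. This is an added example, not configuration from the original article: the interface names (eth0, eth1, eth2), the address plan (10.10.0.0/24 for the trusted LAN, 10.20.0.0/24 for the DMZ) and the web, admin, syslog and NTP hosts are all assumptions chosen for illustration. Every chain defaults to drop; return traffic is admitted by connection-tracking state rather than by an open inbound rule (the stateful inspection described in the firewall types section); each permitted inter-zone flow is one explicit rule; and everything dropped is logged with a prefix so the logging server can collect it.

```shell
#!/bin/sh
# Added example: zone-based nftables ruleset for a three-interface firewall.
# Interface names, address ranges and host addresses are assumptions for
# illustration; override them through the environment before use.
set -eu

WAN_IF="${WAN_IF:-eth0}"            # untrusted zone (Internet)
LAN_IF="${LAN_IF:-eth1}"            # trusted zone (internal users)
DMZ_IF="${DMZ_IF:-eth2}"            # semi-trusted zone (public-facing servers)
LAN_NET="${LAN_NET:-10.10.0.0/24}"  # constructed address plan
DMZ_NET="${DMZ_NET:-10.20.0.0/24}"
DMZ_WEB="${DMZ_WEB:-10.20.0.10}"    # hypothetical web server in the DMZ
MGMT_HOST="${MGMT_HOST:-10.10.0.5}" # hypothetical admin workstation
LOG_HOST="${LOG_HOST:-10.10.0.20}"  # hypothetical syslog server
NTP_HOST="${NTP_HOST:-10.10.0.21}"  # hypothetical NTP server

# Emit the ruleset as text so it can be reviewed and syntax-checked before
# anything is applied to the running firewall.
gen_ruleset() {
  cat <<EOF
flush ruleset
table inet zones {
  # Zones as named sets: rules reference a zone, not individual addresses.
  set lan_net { type ipv4_addr; flags interval; elements = { $LAN_NET } }
  set dmz_net { type ipv4_addr; flags interval; elements = { $DMZ_NET } }

  # Traffic addressed to the firewall itself (the management plane).
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    iifname "$LAN_IF" ip saddr $MGMT_HOST tcp dport 22 accept
    log prefix "fw-input-drop " drop
  }

  # Traffic crossing between zones: the inbound/outbound ACL of each interface.
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Stateful inspection: replies to permitted sessions are admitted by
    # connection state, so no open inbound rule is needed for return traffic.
    ct state established,related accept
    ct state invalid drop
    # One explicit rule per permitted inter-zone flow.
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr @lan_net accept
    iifname "$LAN_IF" oifname "$DMZ_IF" ip saddr @lan_net ip daddr @dmz_net tcp dport { 22, 443 } accept
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $DMZ_WEB tcp dport 443 accept
    # The DMZ may fetch updates from the Internet but never initiates toward the LAN.
    iifname "$DMZ_IF" oifname "$WAN_IF" ip saddr @dmz_net accept
    log prefix "fw-forward-drop " drop
  }

  # Traffic originated by the firewall itself: only its logging and time peers.
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    ip daddr $LOG_HOST udp dport 514 accept
    ip daddr $NTP_HOST udp dport 123 accept
    log prefix "fw-output-drop " drop
  }
}
EOF
}

# Number of chains whose default policy is drop (expected: all three).
count_drop_policies() {
  gen_ruleset | grep -c 'policy drop;'
}

case "${1:-}" in
  print) gen_ruleset ;;                 # review the generated text
  check) gen_ruleset | nft -c -f - ;;   # syntax-check only; changes nothing
  apply) gen_ruleset | nft -f - ;;      # loads the ruleset; requires root
esac
```

Run it with `print` to review the generated text, `check` to have nft syntax-check it without touching the running firewall, and `apply` (as root, and only after the check) to load it. Two points to keep in mind: `flush ruleset` replaces whatever ruleset is already loaded, so take the backup that step 5 calls for first; and because the firewall's own outbound traffic also defaults to drop, any further service the device itself needs (DNS resolution or package updates, for example) needs its own explicit rule in the output chain.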
5. Conduct network firewall configuration tests
Test your firewall to verify that it is working as expected, using both vulnerability scanning and penetration testing against the firewall configuration. Always back up your firewall configuration.
6. Continuous firewall management
After your firewall configuration is complete, you need to manage the firewall securely on an ongoing basis. To do this effectively, you must:
- Perform vulnerability scans
- Monitor logs
- Regularly review firewall rules
- Keep firmware updated
- Document progress
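A small rule-base review script for the "regularly review firewall rules" item above, and for the rule-base clean-up listed in the management tips. It is an added example, not a tool from the original article. It reads the text that `nft list ruleset` prints (with counters enabled) and flags three things a reviewer looks for first: accept rules that match on nothing more specific than an interface, rules whose counters show they have never matched, and chains whose default policy is accept instead of drop. The embedded ruleset is a constructed sample in that output format, so the script runs offline; its interface names and addresses are made up.

```shell
#!/bin/sh
# Added example: review an nftables rule base for permissive, unused and
# default-accept entries. Reads `nft list ruleset` output on stdin.
set -eu

# Constructed sample in the format `nft list ruleset` prints (with counters),
# so the script runs offline; interface names and addresses are made up.
sample_ruleset() {
  cat <<'EOF'
table inet zones {
  chain input {
    type filter hook input priority filter; policy drop;
    ct state established,related counter packets 51230 bytes 2210044 accept
    iifname "eth1" ip saddr 10.10.0.5 tcp dport 22 counter packets 412 bytes 33100 accept
    iifname "eth1" udp dport 161 counter packets 0 bytes 0 accept
    counter packets 873 bytes 52380 log prefix "fw-input-drop " drop
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    ct state established,related counter packets 990021 bytes 812003344 accept
    iifname "eth1" oifname "eth0" counter packets 44120 bytes 3310022 accept
    iifname "eth0" oifname "eth2" ip daddr 10.20.0.10 tcp dport 443 counter packets 2210 bytes 190332 accept
    iifname "eth0" oifname "eth2" ip daddr 10.20.0.10 tcp dport 8080 counter packets 0 bytes 0 accept
    counter packets 0 bytes 0 accept
  }
}
EOF
}

# Accept rules with no address, port or connection-state match: the
# "any-any" style permits a review should question first.
find_permissive() {
  awk '/accept$/ && !/(ip [sd]addr|dport|ct state)/ { sub(/^[[:space:]]+/, ""); print }'
}

# Rules that have not matched a packet since the ruleset was loaded or the
# counters were reset: candidates for removal when cleaning up the rule base.
find_unused() {
  awk '/counter packets 0 bytes 0/ { sub(/^[[:space:]]+/, ""); print }'
}

# Chains whose default is to let traffic through rather than block it.
find_open_policies() {
  awk '/^[[:space:]]*chain / { chain = $2 } /policy accept;/ { print chain }'
}

# Run all three checks over one ruleset read from stdin.
review() {
  tmp=$(mktemp)
  cat > "$tmp"
  echo "== accept rules with no address, port or state match =="
  find_permissive < "$tmp"
  echo "== rules that have never matched (packets 0) =="
  find_unused < "$tmp"
  echo "== chains with default policy accept =="
  find_open_policies < "$tmp"
  rm -f "$tmp"
}

case "${1:-}" in
  sample) sample_ruleset | review ;;    # run against the constructed sample
  live)   nft list ruleset | review ;;  # run against the running firewall (root)
esac
```

On the sample, the review surfaces the unrestricted LAN-to-WAN permit and the trailing catch-all accept, the never-used SNMP (161) and 8080 rules, and the forward chain's accept default. A zero counter is only evidence of disuse since the counters were last reset, so compare against log history before deleting a rule, and record the change as the tips below require.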
Additional tips for configuring a firewall securely
- Fulfill standard regulatory mandates such as NIST, PCI DSS, ISO, and NERC
- Review and audit the firewall configuration frequently
- Block traffic by default and monitor user access
- Establish and use only a secure connection
- Streamline the configuration changes and eliminate configuration loopholes
- Constantly test your firewall configuration
- Record all configuration changes in real-time
Additional tips for managing a firewall securely
- Have a clearly defined firewall change management plan
- Test the impact of the firewall policy change
- Clean up and optimize the firewall rule base
- Regularly update firewall software
- Centralize firewall management for multi-vendor firewalls
Learn more about creating a secure network firewall
The Certified Network Defender (CND) is a certification program that produces skilled network administrators trained in identifying, defending against, responding to, and mitigating all network-related vulnerabilities and attacks. The CND program includes hands-on labs built around well-known network security software, tools, and techniques, giving the certified network administrator real-world, up-to-date proficiency in network security technologies and operations. More information is available on EC-Council's CND program page.