Best Practices for Firewall Rules

Basic Firewall Rules

In a firewall rule, the action component decides if it will permit or block traffic. It has an action on match feature. For example, if the traffic matches the components of a rule, then it will be permitted to connect to the network. It is essential to consider the potential security risks when modifying a firewall rule to avoid future issues. Following best practices for configuring firewalls can help you maximize the effectiveness of your solution.

Types of Best Practices

Each firewall rule should be documented to know what action the rule was intended to do. The following data, at least, should be tracked:

• The firewall rule’s purpose
• The affected service(s) or application(s)
• The affected users and devices
• The date when the rule was added
• The rule’s expiration date, if applicable
• The name of the person who added the rule

Establish a Formal Change Procedure

Firewall rules will need to be updated for any new services and new devices that are added. Before adding or changing any firewall rules, a formal change procedure should be established for any new modifications. The following steps are some guidelines for a change procedure process:

• Have in place a change request process for users to request modifications to a specific firewall configuration
• Have a review process to analyze these new modification requests and determine the best course of action for any security practices.
• A procedure to test the new modification requests on the production firewall rules
• A method for deployment of the tested new modification requests into production
• A process to validate the new firewall settings to ensure proper operating
• An operation to document all changes have been tracked

Block Traffic by Default

Start blocking all traffic by default and only allow specific traffic to identified services. This approach provides quality control over the traffic and decreases the possibility of a breach. This behavior can also be achieved by configuring the last rule in an access control list to deny all traffic. Modifications can be done explicitly or implicitly, depending on the platform.

Set Explicit Firewall Rules First

At the top of the rule base, set the most explicit firewall rules. This is the starting point where traffic is matched. A rule base is established rules that manage what is and what is not permitted through a firewall. Rule bases typically work on a top-down protocol in which the first rule in the list performs its action first. This action is done, so that the traffic permitted by the first rule, will never be assessed by the remainder of the rules.

SANS Institute’s Firewall Checklist, under Security Elements, recommends the following order for firewall rules to be applied:

1. Anti-spoofing filters (blocked private addresses, internal addresses appearing from the outside)
2. User permit rules (e.g. allow HTTP to public web server)
3. Management permit rules (e.g. SNMP traps to network management server)
4. Noise drops (e.g. discard OSPF and HSRP chatter)
5. Deny and Alert (alert systems administrator about traffic that is suspicious)
6. Deny and log (log remaining traffic for analysis)

Set Explicit Drop Rules (Cleanup Rule)

The main purpose of firewalls is to drop all traffic that is not explicitly permitted. As a safeguard to stop uninvited traffic from passing through the firewall, place an any-any-any drop rule (Cleanup Rule) at the bottom of each security zone context. This will provide a catch-all mechanism for capturing traffic.

The firewall cleanup rule is defined as:

Source = ANY
Destination = ANY
Service / Application = ANY
Action = DROP
Logging = Enabled

Remove “Accept All” Rules

This rule can cause the traffic to bottleneck (Bottleneck is a constraining element that prevents a process or system from reaching its full productive potential.) This rule should not be a firewall policy.

Audit Logs

A built-in reporting tool is incorporated in every firewall with detailed information about your traffic. This tool will help with auditing logs looking for any changes or anomalies that might insinuate modifications to your firewall settings. In optimizing your firewall, the logs’ data will show which firewall rules are not being used and which are being activated. The logs’ data will also show you any "false positives" on traffic that was not supposed to trigger security rules, but it is doing so any way. You can change the firewall rules based off this information to reduce the false positives and improve service.

Firewall Rule Maintenance

Networks are constantly changing by gaining new users and new devices. New services and new applications are being accessed which means new firewall rules will need to be added. The old firewall rules will need to be reviewed and deleted if necessary. It is a best practice to set up a regular maintenance schedule to make updated changes to the firewall rules.

Update Firewall

The firewall device should always be up to date with patches and firmware. If it is not, then it is vulnerable to attacks and the firewall rules will be useless.

Firewall Automation

As time passes, new technologies are created which require constant updates to the firewalls rules. As a result of new technologies becoming available, firewall administrators will be flooded with new firewall modifications. The administrators will need time and resources to analyze these new modification requests and determine the best course of action for any security practices. This time constraint and lack of resources can lead up to outdated, unused or overly permissive rules. The firewall performance can be degraded which can lead to increased malicious attacks.

An automation solution for firewall configuration updates is to help follow the change procedures. This can help prevent mistakes to avoid the production system failures. The automation process can help with time to perform higher level functions to increase overall security.

Conclusion

Following best practices for firewall configurations will help guide you in having a security mindset as well as having a secured network. Visit this link to learn more about Liquid Web’s firewalls.

Our Support Teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.

Should you have any questions regarding this information, we are always available to answer any inquiries with issues related to this article, 24 hours a day, 7 days a week 365 days a year.

If you are a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server, Managed Cloud Servers, or a Dedicated server owner and you are uncomfortable with performing any of the steps outlined, we can be reached via phone at @800.580.4985, a chat or support ticket to assisting you with this process.