
Security Simplified



Firewall Best Practices


As your first line of defense, your firewalls should be your first and primary concern: validate that the policy is correct, that procedures are established for granting access, and that audits are performed on a regular basis. But how do you go about doing that? Let's start from the basics and work our way through it.

First off, harden both the policy and the device itself. Disable any unnecessary services on the firewall and configure strong authentication for administrative access to the device. Patch it so that it is running current software, and verify that all of its logs are leaving the device for a central repository such as ArcSight Logger or Splunk. Also make sure that stateful inspection is enabled and that anti-spoofing is configured properly. These are basic firewall functions which, if not running, can cause you to fail compliance audits for many certifications, such as PCI. Your policy should then follow the principle of "least privilege": a server or person gets only the access necessary to perform their role, and nothing more. This will take investigative work within your organization to verify that you know its roles and its applications.

Now that we have hardened the device and the policy on it, we need to work on maintaining that policy, and on procedures for making changes so that no unauthorized access can be installed. This requires a review of your change process, verifying that you are recording all changes and that the process includes a separation of duties for all access requests. In other words, the person who requests access should not be the one who implements it, and vice versa. This keeps one person from owning both the submission and the implementation of a change, which would give them the ability to install access that is against company policy.

And finally, perform periodic audits to verify that all of the access in place is still required. This requires keeping detailed records of which specific roles within your company require which specific access, as well as how applications talk to each other (otherwise known as data flow documents, or DFDs). With proper documentation that is kept up to date, the audits should be fairly simple and allow you to verify that all the appropriate access is in place and that each connection has a specific purpose for its existence.
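The change-control and audit steps above can be checked mechanically once the rule set, the DFD and the change records exist. The following is an added example, not code from the original article: it audits a constructed rule set against constructed DFD flows and change tickets, flagging any-to-any rules, rules that no documented flow accounts for, rules with no change record, and changes where requester and implementer are the same person. All addresses, names and ticket ids are hypothetical.

```python
from collections import namedtuple
from ipaddress import ip_network

# Rule: src/dst are CIDRs or "any", port is e.g. "tcp/8443" or "any",
# change_id is the ticket that introduced it. Flow: one documented DFD flow.
Rule = namedtuple("Rule", "name src dst port change_id")
Flow = namedtuple("Flow", "src dst port purpose")

def _within(rule_net, flow_net):
    """True if every address the rule permits lies inside the documented flow."""
    if flow_net == "any":
        return True
    if rule_net == "any":
        return False
    return ip_network(rule_net).subnet_of(ip_network(flow_net))

def justifying_flows(rule, flows):
    """Documented flows that fully account for what this rule permits."""
    return [f for f in flows
            if _within(rule.src, f.src) and _within(rule.dst, f.dst)
            and f.port in ("any", rule.port)]

def audit(rules, flows, changes):
    """Return (rule name, finding) pairs; an empty list means the rule set passes."""
    findings = []
    for r in rules:
        if r.src == "any" and r.dst == "any":
            findings.append((r.name, "overly permissive: any-to-any"))
        if not justifying_flows(r, flows):
            findings.append((r.name, "no documented data flow"))
        change = changes.get(r.change_id)
        if change is None:
            findings.append((r.name, "no change record"))
        elif change["requester"] == change["implementer"]:
            findings.append((r.name, "separation of duties violated"))
    return findings

# Constructed sample data (hypothetical addresses, names and ticket ids).
RULES = [
    Rule("web-to-app", "10.1.0.0/24", "10.2.0.10/32", "tcp/8443", "CHG-101"),
    Rule("legacy-any", "any", "any", "any", "CHG-077"),
    Rule("db-backup", "10.2.0.10/32", "10.3.0.5/32", "tcp/5432", "CHG-102"),
]
FLOWS = [Flow("10.1.0.0/24", "10.2.0.10/32", "tcp/8443", "web tier to app API")]
CHANGES = {"CHG-101": {"requester": "alice", "implementer": "bob"},
           "CHG-102": {"requester": "carol", "implementer": "carol"}}

for name, finding in audit(RULES, FLOWS, CHANGES):
    print(f"{name}: {finding}")
```

A rule is only counted as justified when everything it permits fits inside a documented flow, so a broad legacy rule that happens to cover a documented flow is still reported.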

Performing these tasks will help you breathe easy knowing that your first line of defense is installed properly, patched, logging, and carrying only the access required for your business to function. None of these are easy to start, as some policies grow over time to include a substantial amount of additional access that is not necessary. But if you are diligent in completing your first review and creating the documentation, and then keep it up to date afterwards, you will be able to pass audits more easily.
