Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Transcription

1 Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Security studies back up this fact: It takes less than 20 minutes for an unprotected computer to be attacked once it s connected to a broadband connection. Imagine what would happen if you connected your corporate network to the Internet without a security measure in place? Digital intruders could swarm your opened ports, infect machines and even abscond with your intellectual property. Faced with this scenario, many businesses have come to rely on the protection of a network firewall to monitor traffic that flows between the corporate network and the Internet. Firewalls serve as gatekeepers, deciding which data is allowed in and out of the network, and under what circumstances. Buying a firewall is the first key step toward securing your network, but it s just as important to make sure that it s configured according to industry best practices. How you set up your firewall will make a big difference in how it performs, so it pays to learn from the experts. You can tune up your firewall and boost your security by following these 10 expert tips: 1. Harden Your System Hardening is the practice of reducing the vulnerabilities in your hardware. Before you even install a firewall, you ll want to harden your host machine by closing any unused ports and disabling any protocols or user accounts you won t use. Ideally, firewalls should complement the security you ve already built into your systems. Hardware firewall vendors often tout their devices as pre-hardened, but if you ve purchased a software solution, you ll have to do it yourself. Fortunately, there are plenty of resources available on how to harden different machines, and your hardware vendor should also be able to help. 2. Keep it Simple A firewall is used to enforce network security policies, so you ll want a clear set of organizational guidelines before you start writing rule sets. Once you have a written security policy, try to keep the configuration as simple as possible while staying Copyright 2007 Tippit, Inc. 1

2 consistent to the policy. If you re working off of a legacy security manual, this is the perfect time to pare it down to the essentials. The firewall will be more efficient and easier to manage if you eliminate unneeded and redundant rules. 3. Organize Your Rule Elements for Quick Evaluation Firewalls process rules in the order you set for them, so you want to make sure that the most easily processed rules are at the top of your list. If a request matches one of your first few rules, the firewall won t have to bother with subsequent time-consuming rules. Easily processed rules include source port information, protocol definitions, Internet protocol (IP) addresses and schedules. Rules that are more complicated to process include domain-name and URL sets, as well as content type and users. 4. Deny, Deny, Deny Because you want only approved traffic to flow on your network, you should deny all traffic by default, then enable the necessary services. You can do this using globalallow and global-denial rules. Global-allow rules give specific access to all users while global-denial rules restrict specific access to all users. You might set an allow rule for access using a DNS (Domain Name Server) protocol, for example, and a denial rule for users trying to use a peer-to-peer protocol. These rule types will narrow down the traffic that a firewall has to process using subsequent rules and easily enforce certain access policies. 5. Monitor Outbound Traffic We usually think of network security as protecting our systems from outside threats such as viruses and worms, but attacks can just as easily be initiated from inside the network. That s why you should set up your firewall to filter outbound traffic, as well as incoming traffic. This kind of filtering, also known as egress filtering, keeps unauthorized traffic from leaving company computers and servers. It also prevents internal machines from being used to launch zombie attacks on other servers. Use egress filtering to block all traffic by default, then allow only certain kinds of traffic for specific servers, such as , Web and DNS traffic. 2

3 6. Set Up a DMZ (Demilitarized Zone) A DMZ is a small network that sits between the internal (corporate) network and the Internet. The DMZ prevents outside users from getting direct access to company computers. In a typical setup, the DMZ would receive requests from corporate users to access Web sites and other information on the external network. The DMZ initiates requests for the information and forwards the packets back to the requesting machine. Companies often place Web servers on their DMZ so that external users can access their Web site but not the private data hosted on the corporate network. There are two types of DMZs. The first is called a three-homed perimeter network. In this setup, the firewall has three connections: one for the internal network, one for the Internet and a third for the DMZ. The second type of DMZ is called a back-to-back perimeter network, and it uses two firewalls. One firewall has a connection to the Internet and the DMZ, while the second has connections to your internal network and the DMZ. This way, the DMZ sits between the internal and external networks. In both setups, you want to configure the firewall to restrict traffic in and out of each network. 7. Configure NTP (Network Time Protocol) NTP is the name for a protocol and a client/server program that allows you to synchronize computer clock times on a network. Synchronized time is important for implementing distributed procedures over a network and for delivering file-system updates. Even a small difference in computer clock times can wreak havoc when you are distributing procedures in sequences. NTP uses UTC (Coordinated Universal Time) to synchronize times down to the millisecond. NTP is especially important for ensuring that your firewall log records events accurately. You may want to investigate an attack on your network by examining the traffic log, and timing will be critical to finding out what occurred. 8. Configure the Firewall as an IDS (Intrusion Detection System) IDSs are sometimes sold as stand-alone devices that detect attacks on a network or a computer, but you can also configure your firewall to act as an IDS. The key is to closely examine your firewall log for port scanning, hacking attempts or any other suspicious events. Pay particular attention to the traffic leaving your DMZ because that s where you ll often see the first sign of a compromise. Once you have that data, you can graph it and look for trends that will help you write tighter rules. You can also install an active log-file-monitoring tool to alert you to suspicious activity. 3

4 9. Test for Vulnerabilities Once you have your firewall up and running, you ll want to test it for known vulnerabilities. To be thorough, you should test on every firewall interface, in all directions. You might also want to try testing it with the rules disabled to see how vulnerable your system would be in the case of a firewall failure. New exploits are constantly being discovered, so it s best to get into the practice of testing and auditing your firewall on a regular basis. 10. Log On A firewall s log records information about the traffic flowing on your network and can be invaluable when you re trying to investigate suspicious traffic and attacks. Logs are also essential when you want to write rules against new threats since they allow you to identify and track new traffic patterns. Make sure that logging is enabled on your firewall as well as alerting, if the product has the latter feature. If you have multiple firewalls, you may also be interested in investing in a remote system-log server. The advantages are centralized management of logs, easier access to logs for auditing purposes and more secure retention. A remote server will also make it more difficult for malicious parties to alter or manipulate logs. 4

5 Tippit, Inc. 514 Bryant Street, San Francisco, CA Phone: / Fax: publishers@tippit.com 5