Whilst reviewing my team's implementation plan I came across some ACLs and firewall rules which I assume had been created some time ago and then continually added to (by another group), as even from a quick glance it was clear that a lot of the rules were redundant or blatantly incorrect.
It made me recall a simple document I had written a few years back describing my thoughts on guidelines, or principles, for firewall rule management, so I thought it worth repeating here.
- Access should be specifically permitted.
- IP address ranges and ports defined in rules should be as restrictive as practical, matching only the required source and destination hosts and ports.
- Sequential IP addresses that fall on CIDR boundaries should be combined into as few rules as possible.
- Rules should be ordered from the most frequently hit to the least frequently hit.
- At a minimum, rules should be applied to traffic that ingresses the firewall.
- The use of NAT should be considered a form of routing, not a type of firewall.
- The last rule in every ACL should be an explicit deny of all traffic, with logging enabled.
- All rules should be routinely reviewed for adequacy and removed if no longer required.
In addition to the above, the following guidelines should be considered and adhered to for firewalls that sit between the public Internet and the organization's network:
- Organizations should deny inbound traffic that uses a source or destination IP address from the RFC 1918 ranges (private IP addresses).
- Organizations should deny outbound traffic that does not use a source IP address from the ranges in use by the organization.
- Organizations should deny inbound traffic that uses a source IP address from the ranges in use by the organization.
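As an added illustration (not part of the original document), the following Python script lints a constructed rule set against several of the guidelines above: no permit any-to-any, no inbound RFC 1918 addresses, no inbound traffic claiming the organization's own source addresses, no outbound traffic from non-organization sources, a final logged deny-all, and CIDR aggregation of adjacent blocks. The organization prefix 203.0.113.0/24, the `Rule` structure and the sample rules are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ORG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed organization range (TEST-NET-3)


@dataclass
class Rule:
    direction: str  # "in" = ingress from the Internet, "out" = egress to the Internet
    action: str     # "permit" or "deny"
    src: str        # CIDR prefix or "any"
    dst: str        # CIDR prefix or "any"
    log: bool = False


def _nets(cidr):
    return [] if cidr == "any" else [ipaddress.ip_network(cidr)]


def _overlaps(cidr, prefixes):
    return any(n.overlaps(p) for n in _nets(cidr) for p in prefixes)


def lint(rules):
    """Return (rule index, guideline violated) for every problem found."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue  # only permits widen access; the final deny is checked below
        if r.src == "any" and r.dst == "any":
            findings.append((i, "permit any->any: access should be specifically permitted"))
        if r.direction == "in" and (_overlaps(r.src, RFC1918) or _overlaps(r.dst, RFC1918)):
            findings.append((i, "inbound traffic with an RFC 1918 address should be denied"))
        if r.direction == "in" and _overlaps(r.src, ORG_PREFIXES):
            findings.append((i, "inbound traffic with an organization source address should be denied"))
        if r.direction == "out" and not any(n.subnet_of(p) for n in _nets(r.src) for p in ORG_PREFIXES):
            findings.append((i, "outbound traffic must use an organization source address"))
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == "any" and last.dst == "any" and last.log):
        findings.append((len(rules) - 1, "last rule should be an explicit deny-all with logging enabled"))
    return findings


def aggregate(cidrs):  # combine blocks that fall on CIDR boundaries into as few prefixes as possible
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)]


SAMPLE_RULES = [  # constructed rule set, in evaluation order
    Rule("in", "permit", "any", "203.0.113.10/32"),           # fine: public web server
    Rule("in", "permit", "10.0.0.0/8", "203.0.113.0/24"),      # private source arriving from the Internet
    Rule("in", "permit", "203.0.113.0/24", "203.0.113.0/24"),  # our own addresses arriving from outside
    Rule("out", "permit", "any", "any"),                       # too broad, and not an organization source
    Rule("in", "deny", "any", "any"),                          # final deny present but not logged
]
```

Running `lint(SAMPLE_RULES)` reports rules 1, 2, 3 (twice) and 4, while `aggregate(["192.0.2.0/25", "192.0.2.128/25", "192.0.3.0/24"])` collapses the three blocks to `["192.0.2.0/23"]`.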
The following depicts how a firewall rule life-cycle may be managed:

My Recommendations:
Firewalls (yes, even the ones which call themselves next-gen firewalls) provide very coarse protection and thus should not be viewed as a complete security solution, especially those deployed at the boundary with the Internet.
Ideally they are coupled with other security controls to provide a more complete layer of protection.
It is perhaps preferable to separate the more in-depth protocol analysis into another device, so that the firewall is not impacted by this function and its management is simplified, as not all traffic that traverses it will require such in-depth analysis.
It is also recommended that the firewall rules are validated and tested periodically, preferably every quarter, to ensure integrity, protection and adherence to the known configuration state.
Finally, it is recommended that the guidelines and firewall rule life-cycle described above are incorporated into change management and service life-cycle processes and policies.