

Firewall Configuration

Firewall configuration within the corporation must comply with the firewall security standards, whether the firewall is external or internal. External firewall configuration must, by default, deny all traffic not specifically permitted by the firewall security policy, so that maximum network security is enforced against all untrusted and unauthorized networks and Internet-based attacks are blocked unless the traffic has been explicitly permitted.

If an internal firewall is deployed, its configuration must not restrict core corporate services. This ensures the smooth operation of the corporate Active Directory and Exchange messaging systems across the global corporate environment.

Minimum and recommended external and internal firewall configuration in the firewall security guidelines are as follows.

External firewall configuration

External firewall configuration must, by default, deny all traffic unless it is explicitly permitted. External-facing firewalls must protect internal assets from security risks originating on the Internet (i.e. any public or untrusted network). This includes placing a firewall on every external connection to the global corporate network.

An external-facing firewall is required whenever any part of the corporate network (a business unit) is connected to a public or untrusted network such as the Internet. It is critical to the operational success of the corporate network that all external network access points are secured with a suitable defense system: a suitable firewall enforcing a strongly configured security policy.

Ensuring a correct firewall configuration is paramount to the security of the network. For this reason it is critical that all corporate firewall configuration changes are made by authorized security personnel and are routinely reviewed to ensure maximum security.

External-facing firewall systems must use certain security features to defend against Internet attacks. The firewall configuration must deny all traffic unless that traffic has been explicitly allowed (granted).

Authorized traffic is granted on the basis of its traffic characteristics (source, destination, protocol and port) as defined in the firewall's security policy. These firewall configurations must also defend against common Internet hacking techniques, such as address masquerading (IP spoofing), by discarding packets that arrive on the external interface claiming an internal source address.

Firewalls must also hide corporate internal addresses and DNS configurations from the Internet. This information, if discovered via reconnaissance, can be used by intruders to construct a targeted DDoS attack. Internal IP addresses are hidden by means of Network Address Translation (NAT).

Firewall systems must not be built online in a manner that exposes the internal corporate network to the Internet. Firewall systems should be built offline, with an air gap protecting the internal corporate network from the Internet. Firewalls must also be located in a physically secured location to defend against system tampering that could circumvent corporate network security.

By not adhering to the external-facing firewall configuration and connection guidelines, a business unit risks exposing multiple security holes that could compromise network security within the corporation's internally trusted network.

Internal firewall configuration

An internal network is defined as a network internal to the corporation and/or its associated business units. It consists of trusted networks either between or within registered corporate business units. An internal firewall (optional) may be used to protect assets within and between the corporate business units. If an internal firewall is used, its security policy must not impede critical (core) services used within the corporation. This is a mandatory requirement so that corporate Active Directory traffic (AD, DNS, DHCP, WINS, NTP, etc.), Terminal Services and Exchange messaging are not blocked. These services are fundamental to the operation of the global network.

Other background services, such as Windows NetBIOS and RPC (Remote Procedure Call) traffic and routing protocols, must not be filtered by an internal firewall. This is to ensure that full IP network connectivity exists and that the corporate services are supported.

By not adhering to the internal firewall configuration guideline, a business unit risks crippling multiple inter-related corporate network services, including both the corporate Active Directory and Exchange messaging systems. Care must also be taken to ensure that internal firewalls are configured to permit access to core services while still serving the business unit's own security policy requirements.
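The following is an added example, not part of the original guideline and not any vendor's ruleset, that models the two policies described above in a small rule evaluator: the external-facing firewall (default deny, explicit grants, anti-spoofing on the Internet-side interface, NAT hiding internal sources) and an internal firewall that satisfies the "must not impede core services" requirement by granting the listed services (DNS, DHCP, Kerberos, NTP, RPC, NetBIOS/WINS, LDAP, SMB, Terminal Services). The address ranges, interface names, the published HTTPS service and the sample packets are all constructed assumptions; the service ports are the standard ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed internal address space; a real deployment substitutes its own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface: "ext" (Internet side) or "int" (assumed names)
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Allow:
    """One explicitly granted traffic characteristic."""
    name: str
    proto: str
    dports: Tuple[int, ...]

    def matches(self, p: Packet) -> bool:
        return p.proto == self.proto and p.dport in self.dports


@dataclass
class Firewall:
    name: str
    allows: List[Allow]
    external_iface: Optional[str] = None   # set only on an Internet-facing firewall
    nat_public: Optional[str] = None       # address that masks internal sources

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        # Anti-spoofing: an internal source address can never legitimately
        # arrive from the Internet side, so it is dropped before any grant applies.
        if self.external_iface and p.iface == self.external_iface and is_internal(p.src):
            return "drop", "anti-spoofing: internal source on external interface"
        for rule in self.allows:            # explicit grants, first match wins
            if rule.matches(p):
                return "accept", rule.name
        return "drop", "default deny"       # everything not granted is denied

    def egress_view(self, p: Packet) -> Packet:
        """The packet as the Internet sees it: NAT hides the internal source."""
        if self.nat_public and is_internal(p.src) and not is_internal(p.dst):
            return Packet(p.iface, self.nat_public, p.dst, p.proto, p.dport)
        return p


# External-facing firewall: only one published HTTPS service is granted inbound.
EXTERNAL = Firewall(
    name="external",
    allows=[Allow("published-https", "tcp", (443,))],
    external_iface="ext",
    nat_public="203.0.113.10",   # assumed public address (documentation range)
)

# Internal firewall: the core services the guideline says must not be blocked.
CORE_SERVICES = [
    Allow("dns", "udp", (53,)), Allow("dns-tcp", "tcp", (53,)),
    Allow("dhcp", "udp", (67, 68)),
    Allow("kerberos", "tcp", (88,)), Allow("ntp", "udp", (123,)),
    Allow("rpc-endpoint-mapper", "tcp", (135,)),
    Allow("netbios-wins", "udp", (137, 138)), Allow("netbios-session", "tcp", (139,)),
    Allow("ldap", "tcp", (389,)), Allow("smb", "tcp", (445,)),
    Allow("terminal-services-rdp", "tcp", (3389,)),
]
INTERNAL = Firewall(name="internal", allows=CORE_SERVICES)


def run_samples() -> dict:
    """Constructed packets exercising each branch; returns verdicts keyed by label."""
    samples = {
        "inet-https":   (EXTERNAL, Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 443)),
        "inet-rdp":     (EXTERNAL, Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 3389)),
        "inet-spoofed": (EXTERNAL, Packet("ext", "10.1.2.3", "203.0.113.10", "tcp", 443)),
        "lan-kerberos": (INTERNAL, Packet("int", "10.1.2.3", "10.0.0.5", "tcp", 88)),
        "lan-rdp":      (INTERNAL, Packet("int", "10.1.2.3", "10.0.0.5", "tcp", 3389)),
        "lan-telnet":   (INTERNAL, Packet("int", "10.1.2.3", "10.0.0.5", "tcp", 23)),
    }
    return {label: fw.evaluate(p) for label, (fw, p) in samples.items()}


if __name__ == "__main__":
    for label, (verdict, reason) in run_samples().items():
        print(f"{label:14} {verdict:6} ({reason})")
    outbound = Packet("int", "10.1.2.3", "198.51.100.7", "tcp", 443)
    print("seen on Internet:", EXTERNAL.egress_view(outbound).src)
```

The ordering inside `evaluate` is the point: the anti-spoofing check runs before any grant, so even a granted port (443) is dropped when the packet carries an internal source on the external interface, and the final `default deny` is the only thing reachable when no grant matches. The internal firewall here is also default-deny, which is stricter than the guideline requires; what matters for compliance is that every core service listed in the text has a grant.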
