Secure Firewall Best Practices


Each entry point from the internet to the internal (private) network must be securely protected by a firewall. A secure firewall must be able to control the flow of traffic between protected and untrusted networks. All connections between protected and untrusted networks must be forced to pass through a single concentrated checkpoint, which controls, authenticates, filters and logs all traffic according to the policies set. See also the definition of a firewall.

Each organization should deploy a secure firewall at each internet entry point to the private network. The following standards provide a baseline for establishing and standardizing firewall security based on a best-practice approach.

Firewall Topology

To protect against all types of network security attacks, the choice of a suitable firewall, firewall topology and security policy is critical. Where a security boundary is needed, the network must be segmented by means of a DMZ (demilitarized zone). The minimum requirements of the firewall standard are as follows:

  • A suitable firewall must be used for all external connections to the internet.
  • Networks with differing security requirements must be segmented from one another and protected with a firewall.
  • A DMZ is mandatory for providing public resources. Public resources must never be placed on internal networks.
  • Where multiple security segments are required, multiple DMZs must be deployed.
  • Physical firewalls must be labeled appropriately and placed in a secure location.
  • All external-facing firewalls must be configured to “deny all” traffic unless explicitly permitted.

Default Firewall Configurations

Firewalls facing the external internet must be configured by default to deny all traffic not specifically permitted by the firewall security policy. The requirements for the default firewall configuration are as follows:

[Figure: Secure Firewall System diagram with DMZ]

  • All external-facing firewalls must be configured to DENY all traffic unless it is explicitly permitted, so that untrusted traffic is automatically blocked from entering the private network.
  • All perimeter routers (external routers in front of a firewall) must be configured to provide basic packet filtering using extended access lists, as a front-line defense against Internet-based attacks.
  • Every traffic flow must be individually permitted based on traffic classification parameters, including application type (protocol and port), direction (source/destination), action (permit or deny), authentication requirements, virus scanning (content filtering), and logging level.
  • Internal components (such as inside private IP addresses and DNS) must not be exposed through the external firewalls. Network Address Translation (NAT) must be used to hide the private network.
  • External-facing firewalls must be configured for anti-spoofing (IP masquerading) to defend against common IP-based attacks.
  • Only trained and security-conscious personnel should manage the secure firewall.
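The following is an added example, not part of this standard or any vendor's product: a small zone-based policy model that applies the rules above (explicit permits only, default deny, anti-spoofing on the Internet-facing zone, a log line for every decision, and a lint that rejects any rule exposing the internal LAN directly to the Internet). Zone names, the three sample rules and the addresses are constructed for illustration.

```python
"""Default-deny zone policy checker (added example; not the standard's own tool).

Zones: "wan" (Internet), "dmz" (public resources), "lan" (internal network).
A Rule carries the classification parameters the standard names: protocol/port,
direction (in_zone -> out_zone), action and logging.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_zone: str
    out_zone: str
    proto: str
    dport: int
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    in_zone: str
    out_zone: str
    proto: str
    dport: int
    action: str          # "permit" or "deny"
    log: bool = True


# Hypothetical ruleset: explicit permits only; anything unmatched hits the default deny.
POLICY = [
    Rule("wan", "dmz", "tcp", 443, "permit"),   # public HTTPS service hosted in the DMZ
    Rule("dmz", "lan", "tcp", 5432, "permit"),  # DMZ web tier to an internal database only
    Rule("lan", "wan", "tcp", 443, "permit"),   # internal users browsing out
]

# Prefixes that must never appear as a source on traffic entering from the Internet.
INTERNAL_PREFIXES = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_spoofed(pkt: Packet) -> bool:
    """Anti-spoofing: Internet-facing traffic claiming an internal source is dropped."""
    src = ipaddress.ip_address(pkt.src)
    return pkt.in_zone == "wan" and any(src in net for net in INTERNAL_PREFIXES)


def evaluate(pkt: Packet, policy=POLICY, audit=None) -> str:
    """Return "permit" or "deny"; every decision appends one audit line (logging requirement)."""
    audit = audit if audit is not None else []
    flow = f"{pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto} ({pkt.in_zone}->{pkt.out_zone})"
    if is_spoofed(pkt):
        audit.append(f"DENY spoofed {flow}")
        return "deny"
    for r in policy:  # first match wins, as in an ordered access list
        if (r.in_zone, r.out_zone, r.proto, r.dport) == (pkt.in_zone, pkt.out_zone, pkt.proto, pkt.dport):
            if r.log:
                audit.append(f"{r.action.upper()} rule {flow}")
            return r.action
    audit.append(f"DENY default {flow}")
    return "deny"


def policy_violations(policy) -> list:
    """Lint: public resources belong in the DMZ, so no rule may permit Internet traffic into the LAN."""
    return [r for r in policy if r.action == "permit" and (r.in_zone, r.out_zone) == ("wan", "lan")]
```

Run `policy_violations(POLICY)` as a pre-change check in the roll-back procedure described below; a non-empty result means the change would expose an internal host directly to the Internet.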

Firewall Access Privileges

Only authorized security personnel who are proficient in managing the firewall system should have the privileges to modify the firewall configuration. Every firewall configuration change must have a roll-back strategy in place. As a best practice, there should be two administrators proficient in managing and maintaining the firewall who hold firewall access privileges. A standard operating procedure must be developed for managing the firewalls.

Configuration management of any firewall is critical to maintaining the security of the firewall system. A configuration change made by unauthorized or untrained personnel would most likely open a security hole in the firewall system.

Reference: www.sans.org

