Asher Benbenisty
Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam.
Tags
Share this article
10/29/23
Published
Firewalls are one of the most important cybersecurity solutions in the enterprise tech stack. They can also be the most demanding. Firewall management is one of the most time-consuming tasks that security teams and network administrators regularly perform.
The more complex and time-consuming a task is, the easier it is for mistakes to creep in. Few organizations have established secure network workflows that include comprehensive firewall change management plans and standardized firewall best practices. This makes implementing policy changes and optimizing firewall performance riskier than it needs to be.
According to the 2023 Verizon Data Breach Investigation Report, security misconfigurations are responsible for one out of every ten data breaches. (*) This includes everything from undetected exceptions in the firewall rule base to outright policy violations by IT security teams. It includes bad firewall configuration changes, routing issues, and non-compliance with access control policies.
Security management leaders need to pay close attention to the way their teams update firewall rules, manipulate firewall logs, and establish audit trails. Organizations that clean up their firewall management policies will be better equipped to automate policy enforcement, troubleshooting, and firewall migration.
20 Firewall Management Best Practices Right Now
1. Understand how you arrived at your current firewall policies:
Most security leaders inherit someone else’s cybersecurity tech stack the moment they accept the job. One of the first challenges is discovering the network and cataloging connected assets.
Instead of simply mapping network architecture and cataloging assets, go deeper. Try to understand the reasoning behind the current rule set. What cyber threats and vulnerabilities was the organization’s previous security leader preparing for? What has changed since then?
2. Implement multiple firewall layers:
Layer your defenses by using multiple types of firewalls to create a robust security posture. Configure firewalls to address specific malware risks and cyberattacks according to the risk profile of individual private networks and subnetworks in your environment.
This might require adding new firewall solutions, or adding new rules to existing ones. You may need to deploy and manage perimeter, internal, and application-level firewalls separately, and centralize control over them using a firewall management tool.
3. Regularly update firewall rules:
Review and update firewall rules regularly to ensure they align with your organization’s needs. Remove outdated or unnecessary rules to reduce potential attack surfaces.
Pay special attention to areas where firewall rules may overlap. Certain apps and interfaces may be protected by multiple firewalls with conflicting rules. At best, this reduces the efficiency of your firewall fleet. At worst, it can introduce security vulnerabilities that enable attackers to bypass firewall rules.
4. Apply the principle of least privilege:
Apply the principle of least privilege when creating firewall rules. Only grant access to resources that are necessary for specific roles or functions. Remember to remove access from users who no longer need it.
This is difficult to achieve with simple firewall tools. You may need policies that can follow users and network assets even as their IP addresses change. Next-generation firewalls are capable of enforcing identity-based policies like this.
If your organization’s firewall configuration is managed by an outside firm, that doesn’t mean it automatically applies this principle correctly. Take time to review your policies and ensure no users have unjustified access to critical network resources. .
5. Use network segmentation to build a multi-layered defense:
Use network segmentation to isolate different parts of your network. This will make it easier to build and enforce policies that apply the principle of least privilege. If attackers compromise one segment of the network, you can easily isolate that segment and keep the rest secure.
Pay close attention to the inbound and outbound traffic flows. Some network segments need to accept flows going in both directions, but many do not. Properly segmented networks deny network traffic traveling along unnecessary routes.
You may even decide to build two entirely separate networks – one for normal operations and one for management purposes. If the networks are served by different ISPs, an attack against one may not lead to an attack against the other. Administrators may be able to use the other network to thwart an active cyberattack.
6. Log and monitor firewall activity:
Enable firewall logging and regularly review logs for suspicious activities. Implement automated alerts for critical events. Make sure you store firewall logs in an accessible low-cost storage space while still retaining easy access to them when needed. You should be able to pull records like source IP addresses on an as-needed basis.
Consider implementing a more comprehensive security information and event management (SIEM) platform. This allows you to capture and analyze log data from throughout your organization in a single place. Analysts can detect and respond to threats more effectively in a SIEM-enabled environment.
Consider enabling logging on all permit/deny rules. This will provide you with evidence of network intrusion and help with troubleshooting. It also allows you to use automated tools to optimize firewall configuration based on historical traffic.
7. Regularly test and audit firewall performance:
Conduct regular security assessments and penetration tests to identify vulnerabilities. Perform security audits to ensure firewall configurations are in compliance with your organization’s policies. Make sure to preview the results of any changes you plan on making to your organization’s firewall rules.
This can be a very complex and time-consuming task. Growing organizations will quickly run out of time and resources to effectively test firewall configuration changes over time. Consider using a firewall change management platform to automate the process.
8. Patch and update firewall software frequently:
Keep firewall firmware and software up to date with security patches. Vulnerabilities in outdated software can be exploited, and many hackers actively read update changelogs looking for new exploits. Even a few days’ delay can be enough for enterprising cybercriminals to launch an attack.
Like most software updates, firewall updates may cause compatibility issues. Consider implementing a firewall management tool that allows you to preview changes and proactively troubleshoot compatibility issues before downloading updates.
9. Make sure you have a reliable backup configuration:
Regularly backup firewall configurations. This ensures you can quickly restore settings in case of a failure or compromise. If attackers exploit a vulnerability that allows them to disable your firewall system, restoring an earlier version may be the fastest way to remediate the attack.
When scheduling backups, pay special attention to Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). RPO is the amount of time you can afford to let pass between backups. RTO is the amount of time it takes to fully restore the compromised system.
10. Deploy a structured change management process:
Implement a rigorous change management process for firewall rule modifications. Instead of allowing network administrators and IT security teams to enact ad-hoc changes, establish a proper approval process that includes documenting all changes implemented.
This can slow down the process of implementing firewall policy changes and enforcing new rules. However, it makes it much easier to analyze firewall performance over time and generate audit trails after attacks occur. Organizations that automate the process can enjoy both well-documented changes and rapid implementation.
11. Implement intrusion detection and prevention systems (IDPS):
Use IDPS in conjunction with firewalls to detect and prevent suspicious or malicious traffic. IDPS works in conjunction with properly configured firewalls to improve enterprise-wide security and enable security teams to detect malicious behavior.
Some NGFW solutions include built-in intrusion and detection features as part of their advanced firewall technology. This gives security leaders the ability to leverage both prevention and detection-based security from a single device.
12. Invest in user training and awareness:
Train employees on safe browsing habits and educate them about the importance of firewall security. Make sure they understand the cyber threats that firewalls are designed to keep out, and how firewall rules contribute to their own security and safety.
Most firewalls can’t prevent attacks that exploit employee negligence. Use firewall training to cultivate a security-oriented office culture that keeps employees vigilant against identity theft, phishing attacks, social engineering, and other cyberattack vectors. Encourage employees to report unusual behavior to IT security team members even if they don’t suspect an attack is underway.
13. Configure firewalls for redundancy and high availability:
Design your network with redundancy and failover mechanisms to ensure continuous protection in case of hardware or software failures. Multiple firewalls can work together to seamlessly take over when one goes offline, making it much harder for attackers to capitalize on firewall downtime.
Designate high availability firewalls – or firewall clusters – to handle high volume traffic subject to a wide range of security threats. Public-facing servers handling high amounts of inbound traffic typically need extra protection compared to internal assets.
Rule-based traffic counters can provide valuable insight into which rules activate the most often. This can help prioritize the most important rules in high-volume usage scenarios.
14. Develop a comprehensive incident response plan:
Develop and regularly update an incident response plan that includes firewall-specific procedures for handling security incidents. Plan for multiple different scenarios and run drills to make sure your team is prepared to respond to the real thing when it comes.
Consider using security orchestration, automation, and response (SOAR) solutions to create and run automatic incident response playbooks. These playbooks can execute with a single click, instantly engaging additional protections in response to security threats when detected.
Be ready for employees and leaders to scrutinize firewall deployments when incidents occur. It’s not always clear whether the source of the issue was the firewall or not. Get ahead of the problem by using a packet analyzer to find out if firewall misconfiguration led to the incident or not early on.
15. Stay ahead of compliance and security regulations:
Stay compliant with relevant industry regulations and standards, such as GDPR, HIPAA, or PCI DSS, which may have specific firewall requirements. Be aware of changes and updates to regulatory compliance needs.
In an acquisition-oriented enterprise environment, managing compliance can be very difficult. Consider implementing a firewall management platform that provides a centralized view of your entire network environment so you can quickly identify underprotected networks.
16. Don’t forget about documentation:
Maintain detailed documentation of firewall configurations, network diagrams, and security policies for reference and auditing purposes. Keep these documents up-to-date so that new and existing team members can use them for reference whenever they need to interact with the organization’s firewall solutions.
Network administrators and IT security team members aren’t always the most conscientious documentation creators. Consider automating the process and designating a special role for maintaining and updating firewall documentation throughout the organization.
17. Regularly review and improve firewall performance:
Continuously evaluate and improve your firewall management practices based on evolving threats and changing business needs. Formalize an approach to reviewing, updating, and enforcing new rules using data gathered by your current deployment.
This process requires the ability to preview policy changes and create complex “what-if” scenarios. Without a powerful firewall change management platform in place, manually conducting this research may be very difficult. Consider using automation to optimize firewall performance over time.
18. Deploy comprehensive backup connectivity:
In case of a network failure, ensure there’s a backup connectivity plan in place to maintain essential services. Make sure the plan includes business continuity solutions for mission-critical services as well as security controls that maintain compliance.
Consider multiple disaster scenarios that could impact business continuity. Security professionals typically focus on cyberattacks, but power outages, floods, earthquakes, and other natural phenomena can just as easily lead to data loss. Opportunistic hackers may take advantage of these events to strike when they think the organization’s guard is down.
19. Make sure secure remote access is guaranteed:
If remote access to your network is required, use secure methods like VPNs and multi-factor authentication (MFA) for added protection. Make sure your firewall policies reflect the organization’s remote-enabled capabilities, and provide a secure environment for remote users to operate in.
Consider implementing NGFW solutions that can reliably identify and manage inbound VPN connections without triggering false positives. Be especially wary of firewall rules that automatically deny connections without conducting deeper analysis to find out whether it was for legitimate user access.
20. Use group objects to simplify firewall rules:
Your firewall analyzer allows you to create general rules and apply them to group objects, applying the rule to any asset in the group. This allows you to use the same rule set for similar policies impacting different network segments. You can even create a global policy that applies to the whole network and then refine that policy further as you go through each subnetwork.
Be careful about nesting object groups inside one another. This might look like clean firewall management, but it can also create problems when the organization grows, and it can complicate change management. You may end up enforcing contradictory rules if your documentation practices can’t keep up.