Firewall ruleset examples & policy best practices

Cyberattacks continue to rise globally as malicious actors tirelessly develop sophisticated tools and techniques to break through networks and security systems.

With the digitalization of operations today and the increasing adoption of remote working, crucial business activities such as communication, data storage, and data transmission are now primarily done digitally.

While this brings numerous advantages – allowing easy usability and scalability, enhancing collaboration, and reducing the risks of data loss – businesses have to deal with various security risks, such as data breaches and cyberattacks from hackers.

Organizations must provide adequate network security to keep sensitive data safe and ensure their network is usable, trustworthy, and optimized for maximum productivity across all channels.

Your network and systems (software and hardware) comprise the IT infrastructure through which you operate and manage your enterprise’s IT services. Every IT system regularly receives and transmits internet traffic, and businesses must ensure that only trusted and authorized traffic penetrates their network to maintain security.

All unwanted traffic must be prevented from accessing your operating system as it poses a huge risk to network security. Malicious actors attempting to penetrate your system often send virus-carrying inbound traffic to your network.

However, with an effective firewall, you can filter all traffic and block unwanted and harmful traffic from penetrating your network. A firewall serves as a barrier between computers, networks, and other systems in your IT landscape, preventing unauthorized traffic from penetrating.

The firewall is your first line of defense in network security against hackers, malware, and other threats. Firewall rules refer to access control mechanisms that stipulate how a firewall device should handle incoming and outgoing traffic in your network. They are instructions given to firewalls to help them know when to block or allow communication in your network.

These instructions include destination or source IP addresses, protocols, port numbers, and services. A firewall ruleset is formed from a set of rules and it defines a unit of execution and sharing for the rules.

Firewall rulesets typically include:

• A source address

• A source port

• A destination address

• A destination port

• A decision on whether to block or permit network traffic meeting those address and port criteria

There are thousands of rulesets that can be used to control how a firewall deals with network traffic. Some firewall rules are more common than others, as they tend to be fundamental when building a secure network. Here are some examples of firewall rules for common use cases:

• Enable internet access for only one computer in the local network and block access for all others

This rule gives only one computer in the local network access to the internet, and blocks all others from accessing the internet. This example requires obtaining the IP address of the computer being granted access (i.e., source IP address) and the TCP protocol type.

Two rules will be created: a Permit rule and a Deny rule. The permit rule allows the chosen computer the required access, while the deny rule blocks all other computers in the local network from internet access.

• Prevent direct access from the public network to the firewall

This rule blocks access to your firewall from any public network, to protect it from hackers who can modify or delete your rules if they access your firewall directly. Once hackers manipulate your rules, unwanted traffic will penetrate your network, leading to data breaches or an interruption in operation.

A Deny rule for any attempt to access the firewall from public networks will be created and enabled.

• Block internet access for only one computer in the local network

This rule comes in handy if you do not want a specific computer in the local network to access the internet. You will need to create a Deny rule in which you set the IP address of the computer you wish to block from the internet, and the TCP protocol type.

• Block access to a specific website from a local network

In this scenario we want to configure our firewall to deny access to a particular website from a local network. We first obtain the IP address or addresses of the website we wish to deny access to, and then create a Deny rule.

One way to obtain a website’s IP address is by running the special command ‘nslookup <web site name>’ in your operating system’s command line (Windows, Linux, or others).

Since websites can run on HTTP and HTTPS, we must create a Deny rule for each protocol type and indicate the destination IP address(es). Thus, the local network will be unable to access both the HTTP and HTTPS versions of the website.

• Allow a particular LAN computer to access only one specific website

This example gives a local computer access to only one specified website. We obtain the IP address of the destination website and the source IP address (of the local computer).

We create a Permit rule for the source IP address and the destination website, and a Deny rule for the source IP address and other websites, taking the TCP protocol types into account.

• Allow internet access to and from the local network using specific protocols (services) only

This example allows your LAN computer to access the internet using specific protocols, such as SMTP, FTP, IPv6, SSH, IPv4, POP3, DNS, and IMAP; and blocks all other traffic

Here we first create an “Allow” rule for the “Home segment,” where we use the value “Any” for the Source and Destination IP addresses. In the Protocol field provided, we choose the protocols through which our local computer can access the internet.

Lastly, we create Deny rules where we enter the value “Any” for the Source and Destination IP addresses. In the Protocol field, we set the values TCP and UDP, thus blocking internet access for unspecified protocols.

• Allow remote control of your router

This rule enables you to access, view, or change your Router Settings remotely (over the internet). Typically, access to routers from the internet is blocked by default. To set this rule, you need specific data such as your router username, WAN IP address, and password.

It is crucial to note that this setting is unsafe for individuals who use public IP addresses.

A similar use case is a rule enabling users to check a device’s availability on their network by allowing ICMP ping requests.

• Block access from a defined internet subnet or an external network

You can set a rule that blocks access to your network from a defined internet subnet or an external network. This rule is especially important if you observed repeated attempts to access your router from unknown IP addresses within the same subnet.

In this case, set a Deny rule for IP addresses of the subnet attempting to access your WAN port.

It is expedient to follow best practices during firewall configuration to protect your network from intruders and hackers. Deploying industry-standard rules when setting up firewalls can improve the security of your network and system components.

Below are examples of the best practices for setting up firewall rules.

• Document firewall rules across multiple devices

Documenting all firewall rule configurations and updating them frequently across various devices is one of the best practices for staying ahead of attacks. New rules should be included based on security needs, and irrelevant rules should be deactivated to reduce the possibility of a loophole in your network.

With documentation, administrators can review the rules frequently and make any required changes whenever a vulnerability is detected.

• Configure your firewall to block traffic by default

Using a block or deny-by-default policy is the safest way to deal with suspicious traffic. Enterprises must be sure that all types of traffic entering their network are identified and trusted to avoid security threats.

In addition, whenever a vulnerability arises in the system, blocking by default helps prevent hackers from taking advantage of loopholes before administrators can respond.

• Monitor firewall logs

Monitoring firewall logs on a regular basis helps maintain network security. Administrators can quickly and easily track traffic flow across your network, identify suspicious activity, and implement effective solutions in a timely manner.

Organizations with highly sophisticated infrastructure can aggregate logs from routers, servers, switches, and other components to a centralized platform for monitoring.

• Group firewall rules to minimize complexity and enhance performance

Depending on the complexity of your network, you may need thousands of rules to achieve effective network security. This complicates your firewall rules and can be a huge challenge for administrators.

However, by grouping rules based on similar characteristics like protocols, TCP ports, IP addresses, etc., you simplify them and boost overall performance.

• Implement least-privileged access

In any organization, employees have various roles and may require different data to execute their tasks efficiently. As part of network security practices, it’s important to ensure each employee’s access to the network is restricted to the minimum privileges needed to execute their tasks.

Only users who require access to a particular service or resource should have it, thus preventing unnecessary exposure of data. This practice significantly minimizes the risk of intentional and accidental unauthorized access to sensitive data.

A network security policy outlines the overall rules, principles, and procedures for maintaining security on a computer network. The policy sets out the basic architecture of an organization’s network security environment, including details of how the security policies are implemented.

The overall objective of network security policy is to protect a computer network against internal and external threats.

Firewall policies are a sub-group of network security policies, and refer to policies that relate specifically to firewalls. Firewall policies have to do with rules for how firewalls should handle inbound and outbound traffic to ensure that malicious actors do not penetrate the network.

A firewall policy determines the types of traffic that should flow through your network based on your organization’s network and information security policies.

Proper firewall configuration with effective rules and practices is crucial to building a formidable network security policy. Organizations must follow industry standards in configuring firewall rules and protecting their IT landscape from intruders and malicious actors.

Firewall rules require regular review and update to maintain maximum protection against evolving threats and changing security demands. For many organizations, keeping up with these fast-paced security demands can be challenging, and that’s where AlgoSec comes in.

AlgoSec helps with managing your firewall rules to ensure your network enjoys round-the-clock protection against internal and external security threats. From installation to maintenance, we assist you in setting up a resilient firewall that operates on the safest rulesets to keep your network safe against harmful traffic.

We have dedicated tools that take away the burden of aggregating and analyzing logs from the components in your network, including computers, routers, web servers, switches, etc.

We determine which new rules are needed for effective firewall network security policy management based on data from your firewall devices and security trends.

AlgoSec will ensure your firewall stays compliant with best practices by applying our automated auditing solution, which identifies gaps in your firewall rules and enables you to remediate them before hackers take advantage of such loopholes.