Firewall rules & requirements (inbound vs. outbound)
The threat landscape keeps changing, and attackers continuously scan the internet for exposed services and vulnerable networks. Any company that wants to keep its network secure needs a firewall at its network boundaries.
Installing a firewall is only the first step. Its rules must be kept up to date and properly managed, because an out-of-date or badly ordered ruleset leaves exactly the openings attackers look for.
This article explains how firewall rules work, the main types of rules, a worked ruleset example, and best practices for managing rules.
What are firewall rules?
Firewall rules are the building blocks of a firewall policy. Each rule states which traffic the firewall allows into or out of the network and which it blocks; together they form the access control mechanism that keeps unauthorized or malicious traffic from reaching your hosts.
A rule examines the control information (the headers) of each packet and allows or blocks it according to predefined criteria. The usual criteria, or rule components, are the source IP address, destination IP address, source and destination ports, protocol (TCP, UDP, or ICMP), and often the direction or interface on which the packet arrives.
Because the rules decide what the firewall does with every packet, managing them consistently across all of your firewalls is essential to securing the network.
How do firewall rules work?
A firewall compares every incoming and outgoing packet against its rules. If the packet matches a rule whose action is allow, it is forwarded to its destination. If it matches a rule whose action is deny, or matches no rule at all, it is not forwarded: it is either dropped silently or rejected with a TCP reset or ICMP error, depending on the action configured. The firewall logs the decision if it is configured to do so.
Firewalls implement rules as access control lists (ACLs). An ACL is an ordered list of entries; each entry states the conditions a packet must meet (addresses, ports, protocol) and the action to take when it does (allow, deny, or reject).
To see how a rule works, consider one that says traffic to destination N is allowed only if it comes from address M. The firewall checks the source and destination of each packet; a packet from M to N matches the rule and is forwarded. A packet addressed to N from any other source does not match this rule, falls through to the rules below it, and, if nothing there permits it, is blocked.
Packets are checked against the rules from top to bottom, and the first rule that matches decides the outcome; rules below it are not consulted for that packet, so a later rule that an earlier one completely covers is said to be shadowed. The final rule, whether written explicitly or implied by the firewall, is deny rest: any packet not expressly permitted by an earlier rule is blocked. Rule order therefore matters. A broad allow placed above a specific deny silently disables the deny.
pfSense is one firewall in which you can create such rules. It is an open-source firewall and router with unified threat management features, load balancing, multi-WAN, a DNS Resolver, and VPN support; it handles both IPv4 and IPv6 and can be extended with packages such as pfBlockerNG for IP and DNS block lists.
Other firewalls with their own rule syntax include Zenarmor, Windows Defender Firewall, and iptables (or its successor nftables) on Linux.
Why are firewall rules important?
Firewall rules let network administrators regulate access to the network. With them you decide what is allowed in and out; for example, you can keep network worms from reaching internal hosts by blocking the services they spread through, and stop unwanted traffic from consuming bandwidth.
Firewall rules are a first line of defence for the devices on your network. Together with other controls such as endpoint protection, they keep malicious actors from reaching and compromising devices connected to your network or operating inside its environment.
Firewall rules also help you meet regulatory requirements. Depending on your industry, regulators expect a certain baseline of network security; for example, a business located in the EU or processing the personal data of EU residents must comply with GDPR.
What are the main types of firewall rules?
Firewall rules come in several types, categorized by the security architecture they belong to. The major types are:
1. Access rule
As the name implies, an access rule blocks or permits inbound and outbound traffic based on conditions. The source address, destination address, port numbers, and protocol are the key fields it evaluates to decide whether access is granted or denied.
2. Network address translation (NAT) rule
A NAT rule rewrites the addresses (and optionally ports) of packets as they cross the firewall. Outbound NAT hides the private addresses of internal hosts behind the firewall's public address; inbound (port-forwarding) NAT publishes a chosen internal service on a public address. NAT simplifies routing between private and public address space, and because internal addresses are never visible outside, unsolicited traffic has nowhere to go unless a NAT rule and a matching access rule expose a service. NAT is not an access control by itself; always pair it with access rules.
3. Application-level gateways
An application-level gateway (proxy firewall) understands the application protocol, such as HTTP, FTP, or DNS, and relays connections between your internal network and the public internet rather than forwarding packets. Administrators use it to regulate access to public networks, block specific sites, restrict certain content, and control which devices may reach the network.
4. Stateful packet filtering
A stateful filter keeps a table of active connections. Its rules are consulted only for the packet that opens a connection (for TCP, the initial SYN). Once a connection is in the state table, subsequent packets in both directions are allowed without re-evaluating the rules, and packets that belong to no known connection are dropped unless a rule explicitly permits them. This is what lets you allow outbound web browsing while still blocking unsolicited inbound packets from the same servers. A stateless packet filter, by contrast, evaluates every packet on its own against the preset conditions and needs explicit rules for return traffic.
5. Circuit-level gateways
A circuit-level gateway does not filter individual packets. It monitors the TCP handshake to determine whether a session is legitimate and the remote system is trusted, then relays the session. Because the remote host only ever talks to the gateway, the internal network's addresses are hidden.
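The difference between stateless and stateful filtering is easiest to see in code. The following simulation is an added example written for this article, not pfSense's or any product's implementation; the trusted subnet 10.10.10.0/24, the addresses, and the single outbound rule are assumptions chosen for illustration. It shows return traffic being admitted through the state table with no inbound allow rule, while unsolicited inbound packets, even from the same server, are dropped.

```python
"""Stateful packet filtering as a small simulation (added example, not product code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.10.10.0/24")   # assumption: the trusted LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False     # set on the TCP packet that opens a connection
    ack: bool = False


class StatefulFilter:
    """One policy rule (the LAN may open TCP connections to anywhere) plus a state
    table; any packet that is not opening a permitted connection must already
    belong to a connection in the table."""

    def __init__(self):
        # connections remembered as (proto, src, sport, dst, dport) of the initiator
        self.state = set()

    def _rule_allows_new(self, p: Packet) -> bool:
        # the rule is consulted only for connection-opening packets: a SYN without ACK
        return (p.proto == "tcp" and p.syn and not p.ack
                and ip_address(p.src) in INTERNAL)

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or reverse in self.state:
            return "pass:established"   # state table hit in either direction: no rule lookup
        if self._rule_allows_new(p):
            self.state.add(key)         # remember the new connection
            return "pass:new"
        return "drop"                   # implicit deny rest


def demo() -> list:
    """Constructed packets, returned outcomes in order."""
    fw = StatefulFilter()
    return [
        # 1. internal client opens a connection to a web server: matches the rule
        fw.filter(Packet("10.10.10.5", 50000, "203.0.113.9", 443, syn=True)),
        # 2. the server's SYN/ACK returns: admitted by the state table, no inbound rule
        fw.filter(Packet("203.0.113.9", 443, "10.10.10.5", 50000, syn=True, ack=True)),
        # 3. the same server probes a different client port: no state, no rule, dropped
        fw.filter(Packet("203.0.113.9", 443, "10.10.10.5", 50001, syn=True)),
        # 4. an outside host tries to open SSH inbound: the rule does not match, dropped
        fw.filter(Packet("198.51.100.7", 40000, "10.10.10.5", 22, syn=True)),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The state table is keyed on the five-tuple as seen from the initiator, so the reverse lookup is what admits the server's reply; a real filter also tracks sequence numbers, TCP flags, and timeouts, which are omitted here.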
What is an example of a firewall rule?
A firewall rule typically consists of a source address, source port, destination address, destination port, and an action that determines whether to Allow or Deny the packet. Most firewalls also let you specify the protocol and the interface the rule applies to.
In the following ruleset example, the firewall itself (its addresses 10.10.10.1 and 10.10.10.2) is never accessed directly, and never originates traffic. An attacker who can reach the firewall's own addresses could try to modify or delete rules and allow unwanted traffic. In practice you still need to administer the firewall, so place a narrow allow for your management hosts above these deny rules, or manage it from a dedicated management interface.
Source address   Source port   Destination address   Destination port   Action
Any              Any           10.10.10.1            Any                Deny
Any              Any           10.10.10.2            Any                Deny
10.10.10.1       Any           Any                   Any                Deny
10.10.10.2       Any           Any                   Any                Deny
In the next ruleset example, all traffic from the trusted network 10.10.10.0/24 is allowed out. This ruleset must be placed below the one above. Rules are checked from top to bottom, so the specific rules (deny traffic to and from the firewall) go before the general one (allow the whole subnet). In the reverse order the allow would match first for every packet from the subnet, and the deny rules protecting the firewall would never fire.
Source address   Source port   Destination address   Destination port   Action
10.10.10.0/24    Any           Any                   Any                Allow
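The two rulesets above, together with the top-to-bottom first-match evaluation described earlier in the article, can be exercised with the following evaluator. It is an added example, not pfSense or AlgoSec code: the firewall and subnet addresses come from the tables, while the rule names, the LAN host 10.10.10.50, the web server 203.0.113.9, and the port numbers are assumptions. The last case evaluates the same packet against the rulesets in the wrong order to show the deny rules being shadowed.

```python
"""First-match evaluation of the example rulesets (added example, not product code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR or "any"
    sport: Optional[int]   # None means any port
    dst: str
    dport: Optional[int]
    action: str            # "allow" or "deny"

    def matches(self, src: str, sport: int, dst: str, dport: int) -> bool:
        def net_ok(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)

        def port_ok(spec: Optional[int], port: int) -> bool:
            return spec is None or spec == port

        return (net_ok(self.src, src) and port_ok(self.sport, sport)
                and net_ok(self.dst, dst) and port_ok(self.dport, dport))


def evaluate(rules, src, sport, dst, dport):
    """Return (action, rule name) of the first matching rule, or the implicit
    deny-rest if nothing matched. Later rules are never consulted."""
    for r in rules:
        if r.matches(src, sport, dst, dport):
            return r.action, r.name
    return "deny", "implicit deny rest"


# ruleset 1 from the first table: nothing reaches the firewall's own addresses,
# and the firewall originates nothing
PROTECT_FIREWALL = [
    Rule("deny-to-fw-1",   "any",           None, "10.10.10.1/32", None, "deny"),
    Rule("deny-to-fw-2",   "any",           None, "10.10.10.2/32", None, "deny"),
    Rule("deny-from-fw-1", "10.10.10.1/32", None, "any",           None, "deny"),
    Rule("deny-from-fw-2", "10.10.10.2/32", None, "any",           None, "deny"),
]
# ruleset 2 from the second table: the trusted network may go anywhere
TRUSTED_OUT = [Rule("allow-lan-out", "10.10.10.0/24", None, "any", None, "allow")]

CORRECT = PROTECT_FIREWALL + TRUSTED_OUT   # specific before general
WRONG = TRUSTED_OUT + PROTECT_FIREWALL     # general first: the deny rules are shadowed


def demo() -> dict:
    """Constructed packets evaluated against both orderings."""
    lan_host, fw, web = "10.10.10.50", "10.10.10.1", "203.0.113.9"
    return {
        "lan_to_internet": evaluate(CORRECT, lan_host, 51000, web, 443),
        "lan_to_firewall": evaluate(CORRECT, lan_host, 51000, fw, 22),
        "internet_to_lan": evaluate(CORRECT, web, 443, lan_host, 22),
        "lan_to_firewall_wrong_order": evaluate(WRONG, lan_host, 51000, fw, 22),
    }


if __name__ == "__main__":
    for case, (action, rule) in demo().items():
        print(f"{case:30s} {action:5s} by {rule}")
```

Note that the packet from the internet to the LAN host hits no rule at all and is blocked by the implicit deny rest; nothing in these two tables publishes an inbound service, which is the safe default.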
What are the best ways to manage firewall rules?
Managing firewall rules well avoids conflicting configurations and keeps the ruleset doing what you intend. To manage firewall rules better, do the following:
● Maintain proper documentation
Properly document policies, rules, and workflows. It’s difficult for your network administrators to stay organized and manage firewall rules without proper documentation. Implement a strict documentation policy that mandates administrators to document policies and configuration changes. This improves visibility and ensures seamless continuity even if a key network operator leaves the company.
● Assign tasks with caution
Ensure that only trained network operators have the privilege to add or alter firewall rules. If everyone on the security team can change rules, misconfiguration becomes likely and hard to attribute. Restricting the privilege to a few accountable operators reduces errors and makes mistakes easier to trace and contain.
● Use a standardized naming convention
It’s easy to get confused about which configuration does what. This is more likely to happen where there is no naming convention. To avoid conflicting configurations, name each rule to clarify its purpose. By clearly defining the rules, conflicts can be easily resolved.
● Flag temporary rules
Some rules are created for a limited time, for example to let a contractor in for a project or to troubleshoot a problem. Flag temporary rules, ideally with an owner and an expiry date, so they are removed when no longer required rather than lingering as permanent openings.
● Order your rules
Order rules in a consistent pattern. Because the first match wins, put specific rules and exceptions above the general rules they qualify, and group rules by purpose (for example, rules protecting the firewall itself, then published inbound services, then outbound user access) so that reviewers can find them and reason about them.
● Use a firewall management solution
Many administrators use a firewall management and orchestration solution to streamline the firewall rule management process. The solution integrates with your firewall and uses built-in automation for managing firewall settings and configurations from a single dashboard.
A firewall management tool helps you automate activities, gain visibility on all firewall rules, optimize firewall rules, remove rule anomalies, generate reports, etc.
What are the best practices for firewall rules?
To ensure your firewall works properly and offers the best protection possible, follow these best practices when configuring and managing firewall rules:
Review the firewall rules regularly
The threat landscape is always changing, so review the rules regularly to confirm they still provide the intended protection. Regular reviews catch rule anomalies, keep you ahead of attackers, and maintain compliance.
Attackers keep devising new ways to compromise systems and move between networks and subnets, so update the rules to counter new attacks. Obsolete rules are a particular risk: an allow left behind for a decommissioned server, or for a partner that no longer exists, can be abused by whoever next controls that address. Keep evolving the rules to stay ahead.
Remove ineffective and redundant rules. Are there rules that are no longer needed? Are there overlapping rules, or rules that an earlier rule completely shadows so they can never match? Look for such configurations and remove them to simplify the ruleset and avoid confusion.
Besides keeping the network safe, regular reviews help you maintain compliance with regulatory standards such as HIPAA and GDPR.
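Part of a review is finding rules that can never fire. The following checker is an added example written for this article, not AlgoSec's analysis engine. It treats a rule as shadowed when an earlier rule covers all of its traffic with the opposite action (the intent is silently lost), and as redundant when the covering rule has the same action (harmless clutter). The sample ruleset, the address ranges, and the IPv4-only matching are assumptions for illustration.

```python
"""Shadowed and redundant rule detection for a ruleset review (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

PortRange = Tuple[int, int]   # inclusive destination port range; (0, 65535) means any


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str        # "tcp", "udp" or "any"
    dport: PortRange
    action: str       # "allow" or "deny"


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b also matches a (IPv4 networks only)."""
    nets_ok = (ip_network(b.src).subnet_of(ip_network(a.src))
               and ip_network(b.dst).subnet_of(ip_network(a.dst)))
    proto_ok = a.proto == "any" or a.proto == b.proto
    ports_ok = a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1]
    return nets_ok and proto_ok and ports_ok


def analyse(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (problem, rule, covering earlier rule) for every rule that can never fire."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, later.name, earlier.name))
                break   # report the first covering rule: it is the one that wins at runtime
    return findings


# constructed ruleset with two common review findings
REVIEW = [
    Rule("allow-lan-any",   "10.10.10.0/24", "0.0.0.0/0",      "any", (0, 65535), "allow"),
    Rule("deny-lan-telnet", "10.10.10.0/24", "0.0.0.0/0",      "tcp", (23, 23),   "deny"),   # never fires
    Rule("allow-lan-web",   "10.10.10.0/24", "203.0.113.0/24", "tcp", (443, 443), "allow"),  # clutter
    Rule("allow-dmz-dns",   "192.0.2.0/24",  "0.0.0.0/0",      "udp", (53, 53),   "allow"),
]

# the fix: move the exception above the general allow and drop the redundant rule
FIXED = [REVIEW[1], REVIEW[0], REVIEW[3]]

if __name__ == "__main__":
    for kind, rule, by in analyse(REVIEW):
        print(f"{rule} is {kind}: fully covered by earlier rule {by}")
    print("after fix:", analyse(FIXED))
```

Partial overlaps (an earlier rule that matches only some of a later rule's traffic) are a separate, subtler finding that this checker does not report; they are worth listing during a review as well, since they usually indicate that the rule's author did not expect the earlier rule to apply.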
Keep tabs on firewall logs
Watching the firewall log lets administrators monitor traffic flow, spot suspicious activity, and fix problems before they escalate. Log denies and, for sensitive rules, allows as well. Typical things to look for are a single source denied on many different ports (a port scan), repeated denies against a service you believe is not exposed, allows to destinations you did not expect, and sudden changes in volume. Monitoring the logs gives you visibility into your infrastructure and shows you who uses the network and how.
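As an added example (not a product feature, and not the page's own code), the following script parses iptables/nftables-style LOG lines and flags a source address that was denied on many distinct destination ports, the usual footprint of a port scan. The log lines are constructed, and the log prefix FW-DROP: and the five-port threshold are assumptions; pfSense's filterlog uses a different, comma-separated format, so only the parsing function would change there.

```python
"""Port-scan detection over firewall deny logs (added example, constructed log lines)."""
import re
from collections import defaultdict

# key=value fields as written by the Linux LOG target, e.g. "SRC=203.0.113.45 DPT=22"
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
LOG_PREFIX = "FW-DROP:"   # assumption: the --log-prefix used on the deny rule
SCAN_THRESHOLD = 5        # assumption: distinct denied ports from one source

# constructed sample: one host sweeping six ports, one mDNS stray, one SSH retry
SAMPLE_LOG = """\
Jun  3 10:15:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=44120 DPT=22
Jun  3 10:15:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=44121 DPT=23
Jun  3 10:15:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=44122 DPT=445
Jun  3 10:15:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=44123 DPT=3389
Jun  3 10:15:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=44124 DPT=8080
Jun  3 10:15:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=44125 DPT=6000
Jun  3 10:15:09 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=UDP SPT=5353 DPT=5353
Jun  3 10:15:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.8 DST=198.51.100.10 PROTO=TCP SPT=50233 DPT=22
Jun  3 10:15:11 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.8 DST=198.51.100.10 PROTO=TCP SPT=50234 DPT=22
"""


def parse(line: str):
    """Return the key=value fields of one deny line as a dict, or None for other lines."""
    if LOG_PREFIX not in line:
        return None
    return dict(FIELD.findall(line.split(LOG_PREFIX, 1)[1]))


def summarize(log_text: str):
    """Per source: number of denies, and the set of (proto, dport) pairs denied."""
    drops_by_src = defaultdict(int)
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        f = parse(line)
        if not f or f.get("PROTO") not in ("TCP", "UDP"):   # ICMP lines carry no DPT
            continue
        drops_by_src[f["SRC"]] += 1
        ports_by_src[f["SRC"]].add((f["PROTO"], int(f["DPT"])))
    return drops_by_src, ports_by_src


def find_scanners(log_text: str, threshold: int = SCAN_THRESHOLD):
    """Sources denied on at least `threshold` distinct ports, sorted."""
    _, ports = summarize(log_text)
    return sorted(src for src, p in ports.items() if len(p) >= threshold)


if __name__ == "__main__":
    drops, ports = summarize(SAMPLE_LOG)
    for src in sorted(drops, key=drops.get, reverse=True):
        print(f"{src:16s} denies={drops[src]:3d} distinct ports={len(ports[src])}")
    print("probable scanners:", find_scanners(SAMPLE_LOG))
```

The threshold and the absence of a time window keep the example short; in production you would count distinct ports per source within a sliding window and feed the result to your SIEM rather than reading the file directly.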
Reduce complexity by categorizing firewall rules
Make firewall rule structure simple and easy to manage by grouping rules with similar characteristics. This approach reduces configuration complexity, improves ease of administration, and optimizes firewall performance.
Implement least-privileged access
Do not grant users more privileges than necessary to perform their tasks. This ensures that only an authorized user can create a new rule, change a security policy, or gain access to specific resources.
Block high-risk ports
Blocking services that should never be reachable from the internet removes a large share of the attack surface. The following table lists the ports the SANS Institute has recommended blocking at the perimeter, with the service, protocol, and port number or range. The two web entries mean: block inbound 80 and 443 except to the web servers you deliberately publish.
Service                                        Protocol      Port number(s)
NetBIOS in Windows NT (RPC endpoint mapper)    TCP and UDP   135
NetBIOS in Windows NT                          UDP           137 and 138
TFTP daemon                                    UDP           69
HTTP (except to external web servers)          TCP           80
SSL (except to external web servers)           TCP           443
Lockd (Linux DoS vulnerability)                TCP and UDP   4045
Common high-order HTTP ports                   TCP           8000, 8080, 8888
LDAP                                           TCP and UDP   389
IMAP                                           TCP           143
SOCKS                                          TCP           1080
SNMP                                           UDP           161 and 162
Syslog                                         UDP           514
Cisco AUX port (binary)                        TCP           6001
NFS                                            TCP and UDP   2049
X Windows                                      TCP and UDP   6000 to 6255
This list comes from SANS's older guidance and is a starting point, not a complete inventory. In particular, also block inbound SMB (TCP 139 and 445), Telnet (TCP 23), and RDP (TCP 3389) from the internet, and apply the same principle to everything else: deny inbound by default and allow only the specific servers and ports you intend to publish.
How can AlgoSec help you manage your firewall rules better?
Managing firewall rules manually can be overwhelming and time-consuming, especially when dealing with several firewall products. With a firewall management solution, you can configure rules and manage configurations from a single dashboard. This is where AlgoSec comes in.
AlgoSec's firewall management solution integrates with your firewalls to deliver unified policy management from a single location, streamlining the entire process. With AlgoSec, you can maintain clear visibility of your firewall rulesets, automate the management process, assess risk and optimize rulesets, streamline audit preparation and ensure compliance, and use APIs to access many features through web services.