Firewall Rules Review – Best Practices

  • A Firewall Rule Change Control Form should be completed for each firewall rule addition or modification.
  • Details to be captured:
      • Requesting Department
      • Requestor from the Requesting Department
      • Approver from the Requesting Department
      • Source IP, Hostnames and Ownership Information
      • Destination IP, Hostnames and Ownership Information
      • Destination Port(s) that need to be opened in the Firewall
      • Business Justification for the Firewall Rule
      • Duration of Applicability (as short as possible)
      • Approver from the Reviewing Department
      • Unique ID to identify the Firewall Rule
      • Date of Request of the Firewall Rule
      • Date of Final Approval of the Firewall Rule
  • The width of the rule (the source addresses, destination addresses and ports being allowed) should be as narrow as possible: specific hosts and ports rather than whole subnets, "any", or port ranges.
  • A quarterly review should be performed on all firewall rules.  Expired rules should be removed after confirmation from the Requestor Department Manager.
  • An annual review should be performed on non-expiring firewall rules.  Such rules should be removed unless re-approved by the Requestor Department Manager.
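The quarterly review above is easy to automate once the form fields are kept alongside each rule. The following script is an added example, not part of the original page: it runs the review checks (expired rules, non-expiring rules, overly broad source/destination/port, missing business justification) over a constructed CSV export of a rule register. The column names, the `any` keyword and the CIDR/port-range conventions are assumptions about how a team might export its rules, not a vendor format.

```python
import csv
import io
from datetime import date

# Constructed sample export of a firewall rule register (not real data).
# The columns mirror the change-control form fields; their names are an assumption.
RULE_INVENTORY_CSV = """rule_id,requesting_dept,requestor,business_justification,source,destination,dest_port,expires
FW-0001,Finance,alice,Payroll batch upload to SAP,10.1.20.15,10.2.30.8,tcp/443,2024-12-31
FW-0002,IT-Ops,bob,Temporary vendor access,any,10.2.30.0/24,any,2023-06-30
FW-0003,HR,carol,HRIS to LDAP directory lookups,10.1.40.7,10.2.10.5,tcp/636,
FW-0004,Marketing,dave,,10.1.50.0/24,10.2.30.8,tcp/80-8080,2025-01-15
"""


def address_is_broad(addr: str) -> bool:
    """An address is 'broad' when it is 'any' or a CIDR block wider than a single host."""
    a = addr.strip().lower()
    return a == "any" or ("/" in a and not a.endswith("/32"))


def port_is_broad(port: str) -> bool:
    """A port spec such as 'tcp/443' is fine; 'any' or a range like 'tcp/80-8080' is broad."""
    p = port.strip().lower()
    return p == "any" or "-" in p


def review_rules(csv_text: str, today: date) -> dict[str, list[str]]:
    """Apply the review checks to every rule and return rule IDs grouped by finding."""
    findings: dict[str, list[str]] = {
        "expired": [],               # remove after Requestor Department Manager confirms
        "non_expiring": [],          # annual review: remove unless re-approved
        "overly_broad": [],          # width should be as narrow as possible
        "missing_justification": [], # form is incomplete
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid = row["rule_id"]
        expires = row["expires"].strip()
        if not expires:
            findings["non_expiring"].append(rid)
        elif date.fromisoformat(expires) < today:
            findings["expired"].append(rid)
        if (address_is_broad(row["source"]) or address_is_broad(row["destination"])
                or port_is_broad(row["dest_port"])):
            findings["overly_broad"].append(rid)
        if not row["business_justification"].strip():
            findings["missing_justification"].append(rid)
    return findings


def print_report(findings: dict[str, list[str]]) -> None:
    for category, rule_ids in findings.items():
        print(f"{category:>22}: {', '.join(rule_ids) or '-'}")


if __name__ == "__main__":
    # Review date fixed so the output is reproducible; use date.today() in practice.
    print_report(review_rules(RULE_INVENTORY_CSV, date(2024, 7, 1)))
```

Feeding the real rule export and today's date produces the worklist for the quarterly meeting; each ID in `expired` or `non_expiring` is what goes back to the Requestor Department Manager for confirmation.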

References

https://www.giac.org/paper/gsec/3037/firewall-rule-review/102017

http://cdn.swcdn.net/creative/v9.3/pdf/Whitepapers/Best_Practices_for_Effective_Firewall_Management.pdf

Port Scanning – Firewall Best Practices

Port Scanning

Use GRC’s ShieldsUP port scanning tool to find out whether any ports are reachable from the Internet through your firewall or NAT router.  It probes the public address you connect from, so from behind a shared NAT it tests the gateway rather than your individual machine, and it reports each port as Open, Closed (actively refused) or Stealth (no response at all).  If a port is indeed open, make sure it is open for a legitimate purpose and that the service behind it is secured.  If you do not know why a port is open, you are better off closing it, which can be done at the NAT router / firewall level.
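ShieldsUP performs a TCP connect scan from GRC's servers against your public address; the same logic run from any host outside your perimeter tells you what the firewall actually exposes. The script below is an added example, not code from the page or from GRC: it implements the connect scan and, so that it runs offline, points it at a constructed loopback listener standing in for a service exposed through the firewall, plus a port that is known to be closed.

```python
import socket
import threading


def tcp_port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect scan of one port: a completed handshake means the port is reachable.

    A refused connection means 'closed'; a timeout (no response) is what ShieldsUP
    calls 'stealth'. Both are reported here as not open.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (ConnectionRefusedError, socket.timeout, OSError):
            return False


def scan_ports(host: str, ports) -> list[int]:
    """Return the subset of `ports` on `host` that accept a TCP connection."""
    return [p for p in ports if tcp_port_is_open(host, p)]


def start_listener() -> tuple[socket.socket, int]:
    """Constructed stand-in for an exposed service: listen on loopback on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        # Accept and immediately drop connections until the socket is closed.
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port(host: str = "127.0.0.1") -> int:
    """Bind and release an ephemeral port so we have one that is almost certainly closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Scan one open and one closed loopback port and report which were found open."""
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "found_open": found}


if __name__ == "__main__":
    result = demo()
    print(f"listener on {result['open_port']}, probe of {result['closed_port']} expected closed")
    print("ports found open:", result["found_open"])
```

Against a real perimeter, replace the loopback target with your public address and `ports` with the range you care about (for example 1 to 1024), and run it from a host that is not behind the firewall under test; anything reported open that is not on the change-control register is a rule to investigate.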

Other Resources:

http://lifehacker.com/5511734/shieldsup-tests-your-firewall-for-vulnerabilities

Denial Of Service (DoS) Attack – Protection

Firewalls – DoS Protection Profile

Firewalls can provide a certain level of protection against Denial of Service (DoS) attacks as long as the attack volume is not very high.  Some firewall vendors (for example Palo Alto Networks, with its DoS Protection Profiles) let you limit the number of sessions between interfaces, zones, addresses and countries, either as an aggregate or classified by source and/or destination IP address.  Once the attack volume becomes large, however, the firewall itself becomes the bottleneck and starts to fail.

Limitations of Firewalls and Intrusion Prevention Systems (IPS)

Firewalls and IPS are stateful devices.  They track every connection they inspect in a connection table, and each packet is matched against that table to verify that it belongs to an established, legitimate connection.

A typical connection table holds tens of thousands to a few million active connections, depending on the platform, which is sufficient for normal network activity.  A Distributed DoS (DDoS) attack, however, can deliver tens or hundreds of thousands of new connection attempts per second, typically SYN packets with spoofed source addresses that are never followed by a completed handshake.  As the first device in the organizational network to handle the traffic, the firewall or IPS creates a new table entry for each of these attempts, and because half-open entries are only released when they time out, the table is exhausted within seconds.  Once the connection table is full, no further connections can be opened, so legitimate users are blocked even though the network links themselves may not be saturated.

Clean Pipe solutions, by contrast, rely on stateless protection mechanisms: decisions are made per packet without allocating a connection table entry, so they can absorb millions of connection attempts without exhausting table capacity or other system resources.

Clean Pipe Solutions

Clean Pipe solution providers operate large networks of “scrubbing centers” that detect and drop bad traffic.  When a DDoS attack is detected, the client company’s inbound traffic is diverted to the Clean Pipe network (typically by a BGP route announcement or a DNS change) for “scrubbing”, and only legitimate traffic is forwarded on to the client company’s network.

Clean Pipe solution providers include Prolexic Technologies (now part of Akamai), Verizon, Incapsula, etc.

References

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/dos-protection-profile.html

http://www.corero.com/blog/609-the-ddos-myth-about-the-firewall-and-the-ips.html

http://blog.radware.com/security/2013/05/can-firewall-and-ips-block-ddos-attacks/

https://en.wikipedia.org/wiki/Denial-of-service_attack
