In this blog, we will explore three steps you can take to make your firewall more secure. Your perimeter firewall is your first line of defense against attacks. And while it is not a silver bullet, making sure it is as secure as possible should be a top priority for your security team. Having performed hundreds of firewall audits against almost every type of firewall technology there is, there are a few common themes that I have noticed that are reducing the effectiveness of this critical security device. Let’s look at the top 3 things I have noticed, and discuss some of the ways you can make your firewall more secure.
1. What Does This Rule Even Do?
The first and most prevalent thing I see during firewall configuration reviews is a lack of comments. For example, I will come across a firewall rule that looks like this:
This rule is pretty decent. It is specific, not overly permissive, and seems to only allow one source host to access one destination host over a single port. Great, lets move on! But wait, not so fast. What is this rule even doing? What function does host 220.127.116.11 perform? What service uses that non-standard port and who needs to access it? Is the IP 18.104.22.168 owned by one of my vendors? Is this rule even necessary any more or was it temporary?
The fact is, without a description, unless the firewall admin has an incredible memory and is the only person looking at this, this rule cannot be analyzed effectively. Each rule should have a comment and each comment should consist of the following, as appropriate:
- What is the rule doing?
- What is the business justification?
- Who is the owner of this rule?
- What date was it added?
- If temporary, when does this rule expire so that it can be removed?
- Can it be tied to a particular ticket number or change request?
With that information, reviewing your firewall will be much easier and you will be able to identify rules that can be removed or changed to make your firewall more secure on an ongoing basis. With a quick glance, you should be able to see what each rule is doing and if it is even necessary any more. Further, many requirement bodies (PCI DSS, for example) requires firewall policies that spell out what each rule is doing.
2. Not ANY ANY More
The word “any” should be a red flag in your firewall. It should be your firewall administrator’s sworn nemesis. Getting rid of “any” wherever possible is one of the best things you can do to make your firewall more secure. Sure, there are sometimes where there is no way around it. For example, your public-facing marketing website. You need to allow any system on the Internet to get to your website over port 80 and 443. So it’s OK if that rule has an “any” for the source. But those instances should be very few and well documented. Far too often I see overly permissive rules all over the place.
One common use of “any” is in the port field. Even if the source and destination are defined, the port needs to be defined as well. When interviewing security teams about this, I commonly hear, “Well, that source is our vendor, and they do X, Y, Z for us, so I don’t know what ports they need.” To which my response is always, now is a good time to ask! Not knowing what ports they need to access is a good indication to me that you don’t know what they are doing on your network. How are you able to protect your network when you don’t know what outside organizations are doing on your network?
3. Change Management…Change Management…Change Management
This one typically applies to small- and medium-sized businesses where the IT team members are wearing multiple hats and focused on simply keeping things running smoothly. The fact is, everyone needs a change management process in place, with someone appointed to review and approve all changes to the firewall. If you are an IT Administrator, you should be pushing for this change, in part because it covers you in case something breaks or goes wrong. If you are a CISO or small business owner, you should be pushing for this, because the ultimate responsibility for security and keeping your business afloat is yours. 60% of small businesses that experience a breach close their door within 6 months, according to the Verizon DBIR. Therefore, if you are an owner, no matter how busy you are, you cannot afford to ignore aspects of your internal security program.
The common place where this falls apart is emergency changes. When something breaks and you are losing revenue by not having your e-commerce site available, emergency changes have to happen. But that doesn’t mean there can’t be a process that defines that. For example, it could just be an email to the change management team stating what you are doing and why. Then a week later a meeting to do post-change analysis, add justifications and comments to the rules, make sure the rules implemented are still necessary, and ensure the rules are as restrictive as possible. This way, those emergency changes become approved changes and there aren’t holes in the firewall that persist.
Hopefully this blog is a helpful guide to make your firewall more secure. For more information about what we look for when performing a firewall audit, check out this blog. As always, let us know what you think, we would love to hear from you.