Is your firewall infrastructure coming up for a hardware refresh? More importantly, do you even know whether it is time to upgrade? If you answered "no" to either question, it might be time for a security review conducted by outside experts, who can advise on current threats and on whether your current implementation provides sufficient protection. If an upgrade is recommended, use the opportunity to raise the level of your IT security.
As you plan for that firewall infrastructure refresh, you should keep the following guidelines in mind.
1. Review Firewall Locations
Take advantage of the upgrade to re-examine your overall firewall security design. Examine where your firewalls are located and identify places where additional firewalls are needed. A transition to a micro-segmentation architecture may be desirable if you want to limit the lateral spread of malware between systems that have no business talking to each other.
Embrace Modern Security Techniques
You should also be looking at modern security techniques such as Zero-Trust, a data-centric approach to security that works by identifying the data assets that need protection and creating a data classification policy. (For more, see Managing Security in the Age of Zero-Trust.) The planning phase is when you should be engaging vendors, identifying new threats, and implementing best practices. Security consultants shouldn't be overlooked: they bring a wealth of knowledge about current best practices and can identify the vendors whose products best fit your situation.
2. Review and Purge Old Rulesets
It is important to use the hardware refresh as an opportunity to review and update the firewall rulesets. The problem for many organizations is that there is little or no documentation on the existing rules. This makes the review time-consuming, so it is tempting to copy the existing rulesets onto the new hardware and call it done. If you do, you miss out on new firewall features and more efficient rule structures that improve security, and you carry forward every stale, mistaken, or over-broad rule.
One technique for reviewing the firewall rulesets is to enable logging (or per-rule hit counters) on the existing rules. Look for the rules that are hit most and the rules that are never hit. Work with your new firewall vendor to find out whether the most frequently used rules can be optimized, for example by placing them where the firewall evaluates them earliest. The rules that are never hit are the candidates for removal. You can be fairly sure a rule can be removed if it has had no activity in a full year; a shorter window misses rules for applications that communicate only once a year, such as the year-end financial close and reporting. Two caveats: on a first-match firewall a rule with no hits may be shadowed by a broader rule above it rather than unused, and a high hit count only says the rule matched, not that the traffic was legitimate, so a heavily used permit rule still deserves a look. If you are still concerned about removing rules, work with your firewall vendor on the best way to handle them so that logging can continue to be collected.
You can also hire a security consulting firm or the firewall vendor's professional services team to help review the existing rules. Look for an organization that knows your type of business and the applications you use. They should have tools to identify the rulesets that best protect your applications and data.
During the review, watch for rules that circumvent your intended security. It is not unusual to find a rule that was temporarily added to bypass a control during outage troubleshooting and then forgotten. These rules often become apparent during the logging analysis, typically as broad permit rules that nobody can account for.
3. Transition to Allow-Listing
If your existing firewall uses a deny-list ruleset (defaults to permit-all, with entries that deny specific traffic), consider switching to an allow-list ruleset (defaults to deny-all, with entries that permit specific traffic). This means you have to know all the applications and their network connectivity requirements before the cutover.
It is tempting to start with a single Permit-ANY-to-ANY rule (the default for a deny-list firewall) and add allow-list rules over time, intending to eventually remove the Permit-ANY-to-ANY rule. This often backfires: on a first-match firewall, a Permit-ANY-to-ANY rule placed above the allow-list rules shadows them, so they are never exercised and their hit counts tell you nothing about what you have covered. You are still left with the flag-day exercise of removing the Permit-ANY-to-ANY rule and all the diagnosis that follows when an application breaks. Judicious use of logging can help with the transition (log what the Permit-ANY-to-ANY rule matches and write an allow-list rule for each flow you can justify), but it is usually better to start with the allow-list approach and handle one application at a time.
4. Use Group Names to Manage Rules
Modern firewalls support grouping rules, so you can collect all the rules for each application into one group. This fits the allow-listing approach: the default is to deny, and each group of rules identifies the traffic to allow for one application. A further benefit of good group names is that the rule groups become a self-documenting configuration, so choose group names that mean something to the security administrators and to whoever inherits the firewall after them.
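To make sections 2 through 4 concrete, here is an added example of my own (not the author's, and not any vendor's tooling) that replays a constructed flow log through a first-match rule list. It reports per-rule hit counts and last-hit dates with a one-year staleness window, flags rules shadowed by an earlier broader rule (which is exactly what a Permit-ANY-to-ANY rule placed above allow-list rules does), and summarizes hits per application group. The rule model is a simplified 5-tuple (source, destination, protocol, destination port) with no zones or state; all rule names, addresses, dates and log lines are constructed.

```python
"""Replay logged flows through a first-match rule list (added example, not vendor code; everything below is constructed)."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

def _net_has(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)

def _net_covers(outer: str, inner: str) -> bool:
    """True if `outer` is at least as broad as `inner` ("any" covers all, nothing covers "any")."""
    return outer == "any" or (inner != "any" and ip_network(inner).subnet_of(ip_network(outer)))

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    group: str                # application group, e.g. "app-erp": the self-documenting part
    action: str               # "permit" or "deny"
    src: str = "any"          # CIDR or "any"
    dst: str = "any"
    proto: str = "any"        # "tcp", "udp" or "any"
    dport: int | None = None  # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (_net_has(self.src, f.src) and _net_has(self.dst, f.dst)
                and self.proto in ("any", f.proto) and self.dport in (None, f.dport))

    def covers(self, other: Rule) -> bool:
        """True if every flow `other` could match also matches self."""
        return (_net_covers(self.src, other.src) and _net_covers(self.dst, other.dst)
                and self.proto in ("any", other.proto) and self.dport in (None, other.dport))

def parse_flow(line: str) -> Flow:
    """Constructed log format: '<iso-timestamp> <src-ip> <dst-ip> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, proto, int(dport))

def first_match(rules: list[Rule], f: Flow) -> Rule | None:
    """First-match semantics: the first rule whose predicate matches decides the flow."""
    return next((r for r in rules if r.matches(f)), None)

def replay(rules: list[Rule], flows: list[Flow]) -> tuple[Counter, dict[str, datetime]]:
    """Hit count and most recent hit per rule; never-hit rules count 0 and have no last hit."""
    counts, last = Counter({r.name: 0 for r in rules}), {}
    for f in flows:
        if (r := first_match(rules, f)) is not None:
            counts[r.name] += 1
            last[r.name] = max(last.get(r.name, f.ts), f.ts)
    return counts, last

def stale_rules(rules: list[Rule], flows: list[Flow], as_of: datetime, window_days: int = 365) -> list[str]:
    """Rules with no hit inside the window. A full year keeps once-a-year rules (year-end close) alive."""
    cutoff = as_of - timedelta(days=window_days)
    _, last = replay(rules, flows)
    return [r.name for r in rules if r.name not in last or last[r.name] < cutoff]

def shadowed_rules(rules: list[Rule]) -> list[tuple[str, str]]:
    """(rule, shadowed-by) pairs: a rule fully covered by an earlier rule can never be hit.
    Partial overlaps are not reported, so an empty result is not proof of a clean rule base."""
    out = []
    for i, r in enumerate(rules):
        by = next((e.name for e in rules[:i] if e.covers(r)), None)
        if by is not None:
            out.append((r.name, by))
    return out

def group_summary(rules: list[Rule], counts: Counter) -> dict[str, int]:
    """Hits per application group; a whole group at zero is a removal candidate."""
    totals = Counter({r.group: 0 for r in rules})
    for r in rules:
        totals[r.group] += counts[r.name]
    return dict(totals)

# Constructed allow-list rule set grouped per application; "tmp-outage" is the forgotten
# troubleshooting rule from section 2, broad enough to cover the ERP rules but placed after them.
APP_RULES = [
    Rule("erp-web",    "app-erp", "permit", "10.1.0.0/16",  "10.2.0.10/32", "tcp", 443),
    Rule("erp-db",     "app-erp", "permit", "10.2.0.10/32", "10.2.0.20/32", "tcp", 5432),
    Rule("fin-close",  "app-fin", "permit", "10.1.0.0/16",  "10.3.0.5/32",  "tcp", 8443),
    Rule("tmp-outage", "unknown", "permit", "any",          "10.2.0.0/24"),
]
PERMIT_ANY = Rule("permit-any", "legacy", "permit")  # the deny-list default, placed first
AS_OF = datetime(2025, 1, 10)                        # constructed review date for the staleness check
LOG_LINES = [  # constructed flow log; the last line is the once-a-year year-end close
    "2024-01-15T09:00:00 10.1.4.7 10.2.0.10 tcp 443",
    "2024-01-15T09:00:01 10.2.0.10 10.2.0.20 tcp 5432",
    "2024-02-02T11:30:00 10.1.9.3 10.2.0.10 tcp 443",
    "2024-06-10T14:00:00 10.9.9.9 10.2.0.77 tcp 22",   # only the forgotten rule permits this
    "2024-06-11T08:00:00 10.1.5.5 10.4.0.1 udp 161",   # nothing permits this: a gap to investigate
    "2024-12-31T18:00:00 10.1.2.2 10.3.0.5 tcp 8443",
]
```

Run `shadowed_rules([PERMIT_ANY] + APP_RULES)` and every application rule comes back shadowed by `permit-any` with zero hits, which is the trap section 3 describes. Run `replay(APP_RULES, flows)` on the parsed log instead and `fin-close` shows exactly one hit, in December, so `stale_rules` with a 180-day window would wrongly mark it for removal while the default one-year window keeps it; the SSH flow to 10.2.0.77 is decided only by the forgotten `tmp-outage` rule, and the SNMP flow matches nothing, so on an allow-list firewall it is either a missing application rule or noise to confirm before the flag day.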
5. Add and Update Documentation
Don't miss the opportunity to document what you learn as you make the conversion and examine the rules. Most tech folks don't like writing documentation, but you need a record of what you did and why you did it; it supports continuity of operations when the people who did the work move on.
Anything accurate is better than nothing, even if it is no more than a simple text file of notes on what you discover each day. Record anything you learn about applications, lists of potential holes in the existing rules, and notes on things that need more investigation.
Part of the documentation will be a to-do list, which you can use to prioritize tasks, create service tickets, and track the project's progress. This can be a simple text file, a spreadsheet, or tasks in a ticketing system. The main criterion is to pick a system that you will actually use.
Document anything that will help you through the project. I like to use a logbook style for recording progress in big projects: note the date and what transpired. In the future, you'll thank yourself for keeping good notes about the implementation.
6. Use a Scanning Service
Security rating and scanning services such as SecurityScorecard are useful for examining your security implementation. They are available for external scanning as well as internal analysis. The internet-based scan identifies holes in your external security implementation and often produces surprising results, and it can cover your SaaS services as well. Internal security isn't left out, since most vendors also offer scanning for use within the enterprise. Treat the findings as a starting point for verification, not as a complete picture of your exposure.
Network security continues to grow in importance, so do not pass up the opportunity to review and improve your firewall design and implementation. Make it a fundamental component of every periodic network refresh. This is an area where skimping on the review can have significant negative consequences; allocate the resources needed to make it successful and keep your IT systems secure.