Firewalls are just tools. A firewall has to be configured properly to provide real security. This article walks through the basic best practices for doing that.
A firewall can only help protect you if:
- You have it block traffic/apps/users
- You have it inspect all traffic
- It sees traffic beyond just the network edge
- It has settings to protect itself from DoS and volumetric attacks
In the early days of firewalls, I was working in education and an auditor indicated we should have a firewall. I immediately agreed and applauded him for supporting the cause. However, when I asked management for policy decisions, the answer was to allow everything but have the firewall protect us. We went around in circles... In order to do its job, a firewall needs to deny stuff!
Here's a list of basic tasks to do:
- Make sure certain inter-zone traffic is blocked (e.g. Untrust to Trust should be blocked). DMZ to Trust had better be blocked too (I have seen my share of mistakes there).
- Bad applications need to be blocked; use dynamic filters to make sure new applications in a certain category are blocked as well.
- Make sure that inspection is done on all policies that should have it (e.g. IDS/IDP, URL filtering, vulnerability, file types, etc.).
- Make sure to use on-premises and/or cloud inspection (sandboxing) for risky file types (e.g. executables, PDF, MS Office docs, etc.).
- A firewall can only inspect what it sees. Encrypted traffic is easily 40% or more of the traffic these days, so decryption is essential for increased visibility.
- If all your internal networks are routed without traversing a firewall, or you have only a single security zone (e.g. Trust), you are not inspecting internal traffic and you are not protected from the all-too-common lateral movement attacks.
- Enable interface protection for volumetric and common threats.
- Enable zone protection too.
- Consider using other firewall(s) to inspect key high value servers via virtual wire or inline layer 2 capabilities.
- Consider using other firewalls to inspect network taps on key internal VLANs or networks.
- Consider mixing up firewalls (different vendors or models) or using a firewall sandwich.
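One way to turn this list into a repeatable check is to audit the rulebase itself: does any forbidden zone pair end in an allow, does every allow rule restrict applications, carry inspection and decrypt, and is zone protection enabled everywhere? The following is an added example, not code from the original article; it uses a constructed, vendor-neutral rule model (first-match, zone-to-zone rules with a profile set and a decryption flag), and the zone names, profile names and both sample rule sets are assumptions made for illustration.

```python
"""Audit a zone-based firewall policy against the checklist above.

Added example, not from the original article. The rule model (first-match,
zone-to-zone, with inspection profiles and a decryption flag), the zone names
and the sample rule sets below are constructed assumptions for illustration,
not any vendor's configuration syntax.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    src_zone: str                      # "any" matches every zone
    dst_zone: str
    action: str = "deny"               # "allow" or "deny"
    apps: set = field(default_factory=lambda: {"any"})
    profiles: set = field(default_factory=set)   # inspection profiles attached
    decrypt: bool = False              # TLS decryption so profiles see plaintext


# Inspection every allow rule is expected to carry (assumed profile names).
REQUIRED_PROFILES = {"ips", "url", "file"}
# Zone pairs the checklist says must never end in an allow.
FORBIDDEN_FLOWS = [("untrust", "trust"), ("dmz", "trust")]


def first_match(rules, src_zone, dst_zone, app) -> Optional[Rule]:
    """Return the first rule (top to bottom) matching the flow, or None.

    None models the implicit deny at the end of the rulebase.
    """
    for r in rules:
        if r.src_zone not in ("any", src_zone):
            continue
        if r.dst_zone not in ("any", dst_zone):
            continue
        if "any" not in r.apps and app not in r.apps:
            continue
        return r
    return None


def audit(rules, zone_protection) -> list:
    """Return human-readable findings; an empty list means the checks passed.

    zone_protection maps zone name -> True when a zone protection profile is
    applied (assumed representation).
    """
    findings = []

    # 1. Forbidden inter-zone flows: probe with every named app plus an
    #    unknown one so that an overly broad "any" allow is caught.
    probe_apps = {a for r in rules for a in r.apps if a != "any"} | {"unknown-app"}
    for src, dst in FORBIDDEN_FLOWS:
        leaked = []
        for app in sorted(probe_apps):
            hit = first_match(rules, src, dst, app)
            if hit is not None and hit.action == "allow":
                leaked.append(app)
        if leaked:
            findings.append(f"{src}->{dst} is allowed for {leaked}")

    # 2. Every allow rule must restrict applications, carry full inspection
    #    and decrypt; otherwise the firewall is just a router.
    for r in rules:
        if r.action != "allow":
            continue
        if "any" in r.apps:
            findings.append(f"{r.name}: allows any application; restrict to named apps or categories")
        missing = REQUIRED_PROFILES - r.profiles
        if missing:
            findings.append(f"{r.name}: missing inspection profiles {sorted(missing)}")
        if not r.decrypt:
            findings.append(f"{r.name}: no decryption, encrypted sessions bypass inspection")

    # 3. Zone protection must be enabled on every zone referenced anywhere.
    zones = {r.src_zone for r in rules} | {r.dst_zone for r in rules} | set(zone_protection)
    zones.discard("any")
    for zone in sorted(zones):
        if not zone_protection.get(zone, False):
            findings.append(f"zone {zone}: zone protection not enabled")
    return findings


# Constructed sample: the "allow everything and let the firewall protect us" policy.
WEAK_RULES = [Rule("allow-all", "any", "any", action="allow")]
WEAK_ZONES = {"trust": False, "untrust": False, "dmz": False}

# Constructed sample: explicit allows with inspection, explicit inter-zone
# blocks, and a final default deny.
HARDENED_RULES = [
    Rule("trust-to-untrust-web", "trust", "untrust", "allow",
         apps={"web-browsing", "ssl"}, profiles=set(REQUIRED_PROFILES), decrypt=True),
    Rule("untrust-to-dmz-web", "untrust", "dmz", "allow",
         apps={"web-browsing"}, profiles=set(REQUIRED_PROFILES), decrypt=True),
    Rule("block-untrust-to-trust", "untrust", "trust", "deny"),
    Rule("block-dmz-to-trust", "dmz", "trust", "deny"),
    Rule("default-deny", "any", "any", "deny"),
]
HARDENED_ZONES = {"trust": True, "untrust": True, "dmz": True}

if __name__ == "__main__":
    for label, rules, zones in (("weak", WEAK_RULES, WEAK_ZONES),
                                ("hardened", HARDENED_RULES, HARDENED_ZONES)):
        findings = audit(rules, zones)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Running it reports eight findings for the "allow everything" rulebase (both forbidden zone pairs open, an allow rule with any application, no inspection profiles and no decryption, and no zone protection on any of the three zones) and none for the hardened one. The forbidden-flow check deliberately probes with an application name that appears in no rule, because a single "any/any allow" near the top is exactly the mistake that a check limited to known apps would miss.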