Fine-tuning Firewall Rules: 10 Best Practices


When it comes to network firewall configuration, security administrators face the tough challenge of balancing the need for strong security with business users' need for fast performance.

The stakes couldn't be higher. According to Gartner, 99 percent of firewall breaches are caused by errors in configuration. Breaches, then, are almost always caused by human error, not technology failure.

A recent HSB survey found that nearly a third (29 percent) of U.S. businesses suffered a data breach last year. And with high-profile, expensive breaches in the news seemingly every day, IT security staff are under intense pressure to tighten up any potential holes in network defenses.

At the same time, the business is demanding faster performance from its networks. Users are accessing more cloud-based services, particularly software as a service (SaaS) applications. In fact, Gartner recently said that SaaS usage was growing much more quickly than anticipated, and SaaS revenues could top $71.2 billion in 2018, a 22 percent increase over 2017. All that traffic needs to pass through network firewalls — and pass through quickly — in order for the business to remain competitive.

Experts say that to address those competing pressures, it's a good idea to revisit your firewall setup from time to time. Fine-tuning and optimizing your firewall rules can help ensure that your firewall is providing the ideal balance between speed and security.

The exact procedures for adjusting your firewall settings will vary depending on the make and model of your firewall(s) and whether you are using hardware- or software-based solutions. But no matter what kind of technology you are using, following the firewall rules best practices below can help you maximize the effectiveness of your solution.

1. Document your firewall rules

Anyone who works on your IT security team should be able to tell very quickly what each of your firewall rules was intended to do by looking at your documentation. At a minimum, you need to keep track of the following data:

  • The purpose of the firewall rule
  • The service(s) it affects
  • The users and devices it affects
  • The date the rule was added
  • When the rule should expire (if it is temporary)
  • The name of the person who added the rule

Some experts also recommend that you use categories or section titles to group similar rules together. That can be especially helpful when it comes to determining the best order for your rules (more on that below).

As you begin the process of fine-tuning and optimizing your firewall rules, you should take the time to revisit your existing rules and make sure you have all the necessary documentation for each of them. You may find that you are following some rules that were installed by default without anyone really understanding why you have them.

2. Establish and follow a change procedure for firewall configuration

Before you begin changing any of your existing firewall rules, you should establish a formal process that you will use for any modifications, if you don't already have such a process. A typical change procedure might involve the following steps:

  1. A change request process that business users can use to ask for alterations to the firewall configuration
  2. An assessment process with which the firewall team analyzes the risk and determines the best course of action to balance the business users' needs with security needs
  3. A testing process that ensures that any changes to firewall rules will have the desired effect
  4. A deployment process for moving the new rule into production after it has been tested
  5. A validation process to ensure that the new firewall settings are operating as intended
  6. A documentation process to track the changes that have been made

If you have a small security team, it might be tempting to implement changes less formally. But experts say that following the process strictly can help avoid lapses in security caused by poor firewall configuration.


3. Use automation to update firewall settings

One way to make sure that you are following your change procedures is to use an automation solution for any firewall configuration updates.

Automation can also help prevent mistakes in the firewall setup process. Since 99 percent of firewall breaches are caused by errors in configuration, the weak point is not the technology but the people configuring it, and a configuration that is generated and applied consistently removes much of the room for that kind of error.

These same automation tools can also help in configuring other network equipment, such as routers and switches.

Examples of security automation tools include Tufin, AlgoSec, FireMon, Anomali, Microsoft Hexadite, Cybersponse, Tripwire, Illumio, Swimlane and many others.

4. Review firewall rules regularly

Your network is always changing. You are gaining new users and new devices. Those users and devices are accessing new applications and new services. And applications and devices that once accounted for a high percentage of network traffic may become far less popular over time.

All those changes may mean that you need new firewall rules or that you can delete some firewall rules that are no longer necessary.

It's human nature to delay fixing something until it becomes critically important. But your firewalls are far too important for a reactive approach. You don't want to be updating your firewall rules under pressure because you have suffered a breach or because users are complaining that the network is too slow. It's far better to set up a regular maintenance schedule — perhaps quarterly or at least annually — so that you can make changes proactively.

5. Remove unused or overlapping firewall rules

As you go through your list of firewall rules and update your documentation, you may find that you have more than one rule serving the same purpose. If you can eliminate one of those rules or combine some rules to be more effective, that can speed up your network.

Similarly, you may find that some of your rules are never applied because none of your traffic meets the specific criteria outlined in the rules. Consider whether the rule is really necessary. If not, deleting it could lead to performance improvements.

6. Audit your logs

Every firewall comes with built-in reporting tools that provide details about your traffic. Another firewall rules best practice is to audit those logs regularly to look for changes or anomalies that might suggest modifications to your firewall settings.

This log data will be a critical source of information about which firewall rules are being invoked most frequently — and which aren't ever being used at all. Both types of information are critical for optimizing your firewall.

Log data can also help you find "false positives," traffic that shouldn't trigger security rules but is doing so anyway. Changing your firewall rules may help you cut down on these false positives and improve service to end users.

If you have a particularly large or active network, you may find that you need additional log analysis tools beyond those provided by the firewall manufacturer to make sense of your log data. Some of the most advanced tools include artificial intelligence or machine learning capabilities that can help you spot important details that you might otherwise have missed.

7. Organize your firewall rules to maximize speed

It isn't true of every firewall, but most apply rules in the order that they are listed in your firewall configuration software or rule base. In other words, the firewall starts at the top of the list and works down until it reaches a rule that requires it to block the traffic in question; if none of the rules apply, the traffic will pass through. What happens to traffic that matches no rule depends on your firewall's default policy, so confirm what yours does rather than assuming; the SANS order below closes with an explicit deny-and-log rule precisely so that nothing falls through unexamined.

Firewall vendor Check Point Software notes, "Having the same rules, but putting them in a different order, can radically alter the effectiveness of the firewall. Always place more specific rules first and the more general rules last to prevent a general rule from being applied before a more specific rule."

Another good rule of thumb is to put rules that are invoked more often higher in the order than rules that are invoked less often. That speeds performance.

In its Firewall Checklist, SANS Institute recommends the following order for rules:

  1. Anti-spoofing filters (blocked private addresses, internal addresses appearing from the outside)
  2. User permit rules (e.g. allow HTTP to public web server)
  3. Management permit rules (e.g. SNMP traps to network management server)
  4. Noise drops (e.g. discard OSPF and HSRP chatter)
  5. Deny and Alert (alert systems administrator about traffic that is suspicious)
  6. Deny and log (log remaining traffic for analysis)
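The checks behind items 5, 6 and 7 can be scripted against an exported rule base. The Python below is an added example, not code from the article or from any firewall vendor: it models a first-match rule base, flags rules that are shadowed by an earlier rule (a redundant duplicate when the actions agree, a general-before-specific misordering when they conflict), and replays constructed log lines to find rules that never fire. The rule fields, addresses and log format are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    dport: "int | None"  # None means any destination port
    action: str          # "allow" or "deny"
    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto) and self.dport in (None, dport))
    def covers(self, other):  # True when every packet `other` could match also matches self
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto) and self.dport in (None, other.dport))
def first_match(rules, pkt):  # first-match evaluation; None means the firewall's default policy applies
    return next((r for r in rules if r.matches(*pkt)), None)
def shadowed(rules):  # (rule, earlier rule covering it, True if actions conflict = general-before-specific)
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name, earlier.action != rule.action))
                break
    return found
def hit_counts(rules, log_lines):  # replay "src dst proto dport" log lines; zero-hit rules are removal candidates
    counts = {r.name: 0 for r in rules}
    for line in log_lines:
        src, dst, proto, dport = line.split()
        rule = first_match(rules, (src, dst, proto, int(dport)))
        if rule: counts[rule.name] += 1
    return counts

# Constructed rule base, roughly in the SANS order, with two planted problems
RULES = [
    Rule("anti-spoof", "10.0.0.0/8", "0.0.0.0/0", "any", None, "deny"),
    Rule("allow-web", "0.0.0.0/0", "203.0.113.10/32", "tcp", 80, "allow"),
    Rule("allow-web-dup", "0.0.0.0/0", "203.0.113.10/32", "tcp", 80, "allow"),  # redundant duplicate
    Rule("allow-admin-ssh", "198.51.100.0/24", "203.0.113.10/32", "tcp", 22, "allow"),
    Rule("deny-ssh-partner", "198.51.100.7/32", "203.0.113.10/32", "tcp", 22, "deny"),  # specific rule below a general one
    Rule("allow-snmp-trap", "0.0.0.0/0", "10.1.1.5/32", "udp", 162, "allow"),
    Rule("cleanup-deny-log", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]
# Constructed log lines in "src dst proto dport" form
LOG = ["192.0.2.44 203.0.113.10 tcp 80", "192.0.2.45 203.0.113.10 tcp 80", "10.5.5.5 203.0.113.10 tcp 80",
       "198.51.100.7 203.0.113.10 tcp 22", "192.0.2.9 203.0.113.10 tcp 443", "203.0.113.99 10.1.1.5 udp 162"]
```

Running `shadowed(RULES)` reports the duplicate and the misordered deny, and `hit_counts(RULES, LOG)` shows both with zero hits, while the deny for 198.51.100.7 never fires because the broader allow above it wins.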

8. Move some traffic blocking upstream

Another way to improve the performance of your firewall is to use your routers to handle some of the traffic-blocking activities. By offloading some work from your firewall, you may be able to eliminate some firewall rules and improve throughput for your network.

But as with all network changes, you'll need to test and monitor this approach carefully to make sure that it is having the results you hoped to see.

9. Upgrade your firewall software and firmware

It goes without saying, but as you update your firewall rules, it's also a good time to make sure that you have installed all the latest patches to your firewall. The greatest list of firewall rules in the world won't stop an attack if your firewall has a known vulnerability that hasn't been patched.

10. Communicate with the business

Last but not least, make sure that you are communicating with business leaders and end users about any changes to your firewall rules. Getting input from the business can help make sure that your firewall configuration is meeting end users' needs.

Having open lines of communication can also help users understand the multiple steps and risks involved when they make a request for a change. By working together, IT and the business side can help make sure they are meeting the dual goals of security and fast performance.
