The Meridian Blog: Tech News, Tips & More for SMB and Enterprise Environments

Does Your Firewall Policy Extinguish Network Threats?

Robert Bruce

Posted by Robert Bruce
Tue, Feb 04, 2014

fire wall, antivirus, antispywareNetwork security managers probably spend more time managing firewalls than on any other system component. Because it is a first line of defense, a firewall is critical to protect enterprise assets from corruption and compromise. Planning, implementing, and managing firewalls is a complex IT task involving firewall configuration, architecture, software, and policy.

My previous blog post, The Firewall is Primary to Network Security and Defense, outlined basic firewall architecture. Today, let’s look at firewall policies that dictate the handling of network traffic according to IP addresses and protocols, applications, user identity, and network identity. Before a firewall policy is established, a risk analysis should be done. It should identify what type of traffic is needed, as well as an evaluation of threats, vulnerabilities and countermeasures to be taken if enterprise systems or data are compromised.

IP Addresses and Protocols

Firewalls should block all traffic, both inbound and outbound, which has not been expressly permitted by the firewall policy. This is known as deny by default, and it decreases the risk of attack, while also reducing the volume of traffic carried on an enterprise’s network.

A firewall policy should only allow necessary IP protocols through. Some of the more common IP protocols are Internet Control Message Protocol (IICMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP). Other protocols such as Authentication Header (AH) and Encapsulating Security Payload (ESP) may at times need to pass through a network firewall. Whenever possible, necessary protocols should be restricted on a need-to-use basis to specific hosts and networks within an enterprise.

Inbound traffic with invalid source or destination IP addresses should be blocked at the network perimeter. This type of traffic is often caused by malware, IP spoofing or denial of service attacks (DOS). Outbound traffic with invalid source addresses should also be blocked (egress filtering) because systems that have been compromised by hackers can be used to attack other networks.

Other types of traffic that should be blocked at the perimeter include traffic containing source routing information, and traffic from outside the network with broadcast addresses directed inside the network. Hackers sometimes use these methods to create huge “storms” of network traffic for DNS attacks.

Applications

Blocking unwanted or suspicious traffic at the network boundary is one firewall policy. Another firewall approach uses inbound applications or application proxies that let traffic into a network then captures unwanted traffic in a specific server. This provides an additional layer of security by validating traffic before it reaches the main server.

Application proxies can be problematic if they are not fast enough to handle the traffic destined for the server. For this reason, it is important to consider the server’s resources. Is the server sufficiently protected by existing firewalls? Can the main server remove malicious content as effectively as the application firewall or proxy? If not, then an application firewall or proxy could be an effective shield against intruders.

Policies Based in User Identity

Many firewall technologies can see user identities and enact policies based on user authentication. Some of the techniques used to identify users are provisioned on a user-by-user basis.  These may include cryptographic tokens protected by personal identification numbers (PINs), or with digital certificates controlled by each user. Network Admission Control (NAC) has become a popular method for firewalls to allow or deny access.

Firewalls that enforce user identity based policies should also have logging capabilities that record both the users IP address and identity. This is definitely recommended with user-specific firewall policies.

Network Activity Firewall Policies

Many firewalls allow administrators to block established connections after a certain period of inactivity, say 15 minutes. Time-based policies can be useful in thwarting attacks involving a team of hackers working in shifts. This can sometimes be a problem for legitimate network users who make connections but use them infrequently. Therefore, some enterprise IT departments may have mandates on when firewalls should block connections that appear to be inactive.

Firewall policy should, of course, be integrated with an enterprise’s overall security policy as well as other network elements that will interact with the firewall.

Is your network fully protected from threats? A thorough Managed Services assessment of your technology environment can provide insight about your network's security, and find areas that need improvement. Click here to request an assessment today.

Ready to get started? A thorough assessment of your technology environment and business processes can improve system reliability, streamline business processes, and improve focus on core competencies. Click here to request an assessment.

Robert Bruce

Ready to Become a Pro?

 Our White Paper can help.

whitepaper-4-key-elements-for-building-your-technology-road-map-thumbnail-3Subscribe to our blog and get your copy of "4 Key Elements to Consider When Building Your Technology Road Map"

You'll learn:

  • What role people play in determining your road map
  • How to build a plan in a multi-device world
  • What types of applications need to be considered
  • How data plays a key role in success

 

Subscribe to get your copy

Leave A Comment

About this blog

News, best practices and more to help you get the most out of your office technology. Whether you're an SMB owner who wears a lot of hats, or an enterprise IT director, facilities manager or just someone who wants to work smarter — this blog has the resources you need to maximize the business impact of all your tech investments. Be sure to subscribe to receive email updates about new posts!

Download our eBook

 
DM_Workbook_Cover_Page.jpg

Download

Sort Posts by Topic

see all