Network security managers probably spend more time managing firewalls than on any other system component. Because it is a first line of defense, a firewall is critical to protect enterprise assets from corruption and compromise. Planning, implementing, and managing firewalls is a complex IT task involving firewall configuration, architecture, software, and policy.
My previous blog post, The Firewall is Primary to Network Security and Defense, outlined basic firewall architecture. Today, let’s look at firewall policies, which dictate how network traffic is handled according to IP addresses and protocols, applications, user identity, and network identity. Before a firewall policy is established, a risk analysis should be done. It should identify what types of traffic are needed and evaluate the threats, the vulnerabilities, and the countermeasures to be taken if enterprise systems or data are compromised.
IP Addresses and Protocols
Firewalls should block all traffic, both inbound and outbound, that has not been expressly permitted by the firewall policy. This is known as deny by default, and it decreases the risk of attack while also reducing the volume of traffic carried on an enterprise’s network.
A firewall policy should only allow necessary IP protocols through. Some of the more common IP protocols are Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP). Other protocols such as Authentication Header (AH) and Encapsulating Security Payload (ESP) may at times need to pass through a network firewall. Whenever possible, necessary protocols should be restricted on a need-to-use basis to specific hosts and networks within an enterprise.
Inbound traffic with invalid source or destination IP addresses should be blocked at the network perimeter. This type of traffic is often caused by malware, IP spoofing or denial-of-service (DoS) attacks. Outbound traffic with invalid source addresses should also be blocked (egress filtering), because systems that have been compromised by hackers can be used to attack other networks.
Other types of traffic that should be blocked at the perimeter include traffic containing source routing information, and traffic from outside the network with broadcast addresses directed inside the network. Hackers sometimes use these methods to create huge “storms” of network traffic for denial-of-service attacks.
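The rules above (deny by default, an explicit allow list per protocol and host, ingress and egress address filtering, and dropping directed broadcasts and source-routed packets) can be expressed as a small policy evaluator. This is an added illustration written for this post, not code from the original; the enterprise prefix 203.0.113.0/24, the interface names and the allowed services are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed enterprise prefix (RFC 5737 documentation range, chosen for this example).
INSIDE = ip_network("203.0.113.0/24")
# Source ranges that should never arrive from the Internet (loopback, private, link-local, multicast).
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
# Explicit allow lists; anything not listed is denied (deny by default).
# Inbound: (protocol, destination host, destination port), restricted to specific servers.
INBOUND_ALLOW = {("tcp", "203.0.113.10", 443), ("udp", "203.0.113.53", 53),
                 ("icmp", "203.0.113.1", None)}
# Outbound: (protocol, destination port) permitted for the whole inside network.
OUTBOUND_ALLOW = {("tcp", 443), ("tcp", 80), ("udp", 53)}

@dataclass
class Packet:
    iface: str                   # "wan" (arriving from outside) or "lan" (arriving from inside)
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (ICMP)
    source_routed: bool = False  # IP source-route option (LSRR/SSRR) present

def evaluate(pkt: Packet) -> str:
    """Return 'accept' or 'drop: <reason>' for one packet under the policy."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.source_routed:
        return "drop: source routing"
    if pkt.iface == "wan":
        # Ingress filtering: our own prefix or a bogon as source means spoofing or malware.
        if src in INSIDE or any(src in net for net in BOGONS):
            return "drop: invalid source"
        # Directed broadcast into the network, or a destination that is not ours at all.
        if dst == INSIDE.broadcast_address or dst not in INSIDE:
            return "drop: invalid destination"
        if (pkt.proto, pkt.dst, pkt.dport) in INBOUND_ALLOW:
            return "accept"
        return "drop: default deny"
    # Egress filtering: a compromised inside host must not spoof another network's address.
    if src not in INSIDE:
        return "drop: egress spoof"
    if (pkt.proto, pkt.dport) in OUTBOUND_ALLOW:
        return "accept"
    return "drop: default deny"
```

Each drop reason maps to one of the rules in the text, which also makes the evaluator a convenient place to emit the log entry the policy requires.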
Blocking unwanted or suspicious traffic at the network boundary is one firewall policy. Another approach uses inbound application firewalls or application proxies that let traffic into the network and then intercept unwanted traffic on a dedicated server. This provides an additional layer of security by validating traffic before it reaches the main server.
Application proxies can be problematic if they are not fast enough to handle the traffic destined for the server. For this reason, it is important to consider the server’s resources. Is the server sufficiently protected by existing firewalls? Can the main server remove malicious content as effectively as the application firewall or proxy? If not, then an application firewall or proxy could be an effective shield against intruders.
Policies Based on User Identity
Many firewall technologies can see user identities and enact policies based on user authentication. Some of the techniques used to identify users are provisioned on a user-by-user basis. These may include cryptographic tokens protected by personal identification numbers (PINs), or digital certificates controlled by each user. Network Admission Control (NAC) has become a popular method for firewalls to allow or deny access.
Firewalls that enforce user-identity-based policies should also have logging capabilities that record both the user's IP address and identity. This is definitely recommended with user-specific firewall policies.
Network Activity Firewall Policies
Many firewalls allow administrators to block established connections after a certain period of inactivity, say 15 minutes. Time-based policies can be useful in thwarting attacks involving a team of hackers working in shifts. This can sometimes be a problem for legitimate network users who make connections but use them infrequently. Therefore, some enterprise IT departments may have mandates on when firewalls should block connections that appear to be inactive.
Firewall policy should, of course, be integrated with an enterprise’s overall security policy as well as other network elements that will interact with the firewall.
Is your network fully protected from threats? A thorough Managed Services assessment of your technology environment can provide insight about your network's security, and find areas that need improvement.