Date Published August 24, 2022 - Last Updated January 20, 2023
This article appeared in No Jitter, a partner publication.
Is your firewall infrastructure coming up for a hardware refresh? More importantly, do you even know if it is time to upgrade? If you answered "no" to those two questions, then it might be time for a security review conducted by outside experts. These experts can advise on current threats and on whether your current implementation provides sufficient protection. If an upgrade is recommended, you should then use the opportunity to advance the level of your IT security.
As you plan for that firewall infrastructure refresh, you should keep the following guidelines in mind.
Review Firewall Locations
You should take advantage of the upgrade to reexamine your overall firewall security design. Examine where your firewalls are located and identify places where additional firewalls are needed. Transition to a micro-segmentation architecture could be desirable if you wish to implement procedures to limit malware’s lateral spread.
Embrace Modern Security Techniques
You should also be looking at the most modern security techniques like Zero-Trust, a data-centric approach to security that works by identifying the data assets that need protection and creating a data classification policy. Security consultants shouldn’t be overlooked — they bring a wealth of knowledge about the current best practices and identify vendors that provide the best products for your situation.
Review and Purge Old Rulesets
It is important to use the hardware refresh as an opportunity to review and update the firewall rulesets. The problem for many organizations is that there may be little or no documentation on the existing rules. This makes the review a time consuming activity, which makes it very tempting to just copy the existing security rulesets and call it done. However, if you do that, you will miss out on new firewall technology and more efficient systems that improve security.
One technique for reviewing the firewall rulesets is to enable logging on the existing firewall rules. You’ll want to look for the rules that garner the most use and the rules that are not being hit. Work with your new firewall vendor to find out if there are ways to optimize the most frequently used rules.
You can also take the step of hiring a security consulting firm or the firewall vendor’s professional services team to help review the existing rules. Look for an organization that has knowledge of your type of business and the applications that you use. They should have tools to identify rule sets that provide the best protection of your applications and data.
During the review, watch out for rules that circumvent your intended security. It isn’t surprising to find a rule that was temporarily added to circumvent security during an outage troubleshooting event, then was subsequently forgotten. These rules will often become apparent in the logging analysis phase.
Transition to Allow-Listing
If your existing firewall is using a deny-list ruleset (defaults to permit-all with entries to deny traffic), then consider switching to an allow-list ruleset (defaults to deny-all with entries to permit specific traffic). This means that you have to know all the applications and their network connectivity requirements.
It is tempting to start with a single Permit-ANY-to-ANY rule (the default for a deny-list firewall) and add allow-list rules over time, with the intent to eventually remove the Permit-ANY-to-ANY rule. This often backfires, however, in that the allow-list rules may not be exercised, depending on the rule set construction and firewall processing system. You’re still left with the flag-day exercise of removing the Permit-ANY-to-ANY rule and all the diagnosis that goes with it when any application has a problem. Judicious use of logging might help with that transition, but it may have been better to just start with the allow-list approach and handle one application at a time.
Use Group Names to Manage Rules
Modern firewalls will support the ability to group rules together, allowing you to collect all the rules for each application into a group. This mechanism is useful for the allow-listing approach. The default mode is to deny traffic, and the groups of rules identify traffic to allow. An added benefit of using good group names is that the rule groups are like a self-documenting configuration. Therefore, it is important to use group names that mean something to the security administrators.
Add and Update Documentation
You shouldn’t miss the opportunity to document what you learn as you make the conversion and examine the rules. Most tech folks don’t like to create documentation, but it’s necessary to have a record of what you did and why you did it. It helps to assist in the continuity of operations.
Anything that is accurate is better than nothing, even if it is no more than a simple text file containing notes about what you discover every day. Record anything that you discover about applications, lists of potential holes in the existing rules, and notes for things that need more investigation.
Part of the documentation will be a to-do list, which you can use to prioritize tasks, create service tickets, and track the project’s progress. This can be a simple text file, a spreadsheet, or tasks in a ticketing system. The main criteria is to select a system that you’ll use.
You’ll want to document anything that will help you through the project. I like to use a logbook style for recording progress in big projects. Note the date and what transpired. In the future, you’ll thank yourself for keeping good notes about the implementation.
Use a Scanning Service
Security scanning services like Security Scorecard are very useful for examining your security implementation. These services are available for both external scanning and internal security analysis. The internet-based service identifies holes in your external security implementation and often produces surprising results. They are good for scanning your SaaS services, as well. Internal security isn’t left out because most services offer scanning services for use within an enterprise.
Network security continues to grow in importance, making it increasingly important to not pass up the opportunity to review and improve your firewall design and implementation. You should make it a fundamental component of the periodic network refresh implementation.
This is an area in which skimping on the review could have significant negative consequences. Make sure you allocate the necessary resources to make it successful and keep your IT systems secure.
Terry Slattery is a Principal Architect at NetCraftsmen, an advanced network consulting firm that specializes in high-profile and challenging network consulting jobs. Terry works on network management, SDN, network automation, business strategy consulting, and network technology legal cases. He is the founder of Netcordia, inventor of NetMRI, has been a successful technology innovator in networking during the past 20 years, and is co-inventor on two patents.