A basic guide to configuring your firewall in 5 steps: creating zones, configuring settings, and reviewing firewall rules.
As the first line of defense against online attackers, a firewall is an important part of network security. Configuring a firewall can be a deter project, but breaking the task into simpler tasks can make it much easier to manage. The following guidelines will help you understand the key steps involved in configuring your firewall.
There are many suitable firewall models that you can use to secure your network. You can learn more about your options by contacting a HIPAA security expert or PCI security expert. Regardless of the firewall model you choose, the following steps are important.
However, in order to help you understand how to configure your firewall in 5 steps, here are some guidelines to help explain the process.
STEP 1: SECURE YOUR FIREWALL
If an attacker can gain administrative access to your firewall, it’s “game over” for your network security. Therefore, firewall security is the first and most important step in this process. At a minimum, do not put a firewall in production that is not adequately protected with the following configuration tasks:
UPDATE YOUR FIREWALL TO THE LATEST FIRMWARE.
- Delete, disable or rename the default user account and change all default passwords. Use only complex and secure passwords.
- If various administrators administer the firewall, create additional administrator accounts with limited advantages based on their responsibilities. Do not use shared user accounts.
- Disable Simple Network Management Protocol (SNMP) or configure it to use a protect community string.
STEP 2: ARCHITECT YOUR FIREWALL ZONES AND IP ADDRESSES
To protect your network’s valuable assets, you must first identify what it is (such as payment card data or patient data). Then plan your network structure so that you can group these assets and place them into networks (or zones) based on similar sensitivity levels and capabilities.
For example, any server that provides services over the Internet (web servers, email servers, virtual private network (VPN) servers, etc.) is a dedicated zone that allows limited inbound traffic from the Internet (this zone is often referred to as a demilitarized zone (DMZ)). Servers that should not be accessed directly from the Internet, such as database servers, should instead be placed in the internal server zone, similarly, workstations, POS devices, and Voice over Internet Protocol (VOIP) systems can typically be located in the internal network zone.
In general, the more zones you create, the more secure your network becomes. However, be careful when deciding how many network zones to use, as managing more zones requires additional time and resources.
If you are using IP version 4, you must use internal IP addresses for all internal networks. Network Address Translation (NAT) must be configured so that internal devices can communicate over the Internet when needed.
After you have designed your network zone structure and set up its IP address scheme, you are ready to create your firewall zones and assign them to firewall interfaces or sub-interfaces. When building your network infrastructure, you must maintain level 2 isolation between networks by using switches that support virtual LANs (VLANs).
STEP 3: CONFIGURE ACCESS CONTROL LISTS
Now that you have set up your network zones and assigned them to interfaces, you need to determine exactly what traffic is required to enter and exit each zone.
This traffic is allowed using firewall rules called access control lists (ACLs) that are applied to each interface or sub-interface of the firewall. If possible, create ACLs for the correct source and/or destination IP addresses and port numbers. Make sure you have a “deny all” rule at the end of every access control list that filters out all unauthorized traffic. Apply both inbound and outbound ACLs to each interface and sub-interface of the firewall to ensure that only authorized traffic is allowed into and out of each zone.
We recommend disabling the firewall management interfaces (both Secure Shell (SSH) and web interfaces) from public access when possible, in general. This will help protect your firewall configuration from external threats. All unencrypted protocols must be disabled for firewall management, including Telnet and HTTP connections.
STEP 4: CONFIGURE YOUR OTHER FIREWALL SERVICES AND LOGGING
If your firewall can also act as a Dynamic Host Configuration Protocol (DHCP) server, NTP (Network Time Protocol) server, Intrusion Prevention System (IPS), etc., configure the services you want to use. Disable any additional services you will not be using.
To meet PCI DSS requirements, configure your firewall to report to the logging server and ensure that it contains sufficient details to meet PCI DSS requirements 10.2 to 10.3.
STEP 5: TEST YOUR FIREWALL CONFIGURATION
In a test environment, verify that the firewall is working as intended. Don’t forget to make sure your firewall is blocking the traffic that should be blocked according to your ACL configuration. Firewall testing should include both vulnerability scanning and penetration testing.
After testing the firewall, the firewall is ready for production. Always remember to store a backup of your firewall configuration in a safe place so that all your efforts are not lost in the event of a hardware failure.
Now, this is just an overview to help you understand the key steps in firewall configuration.
FIREWALL MANAGEMENT
You have finished configuring your firewall with a firewall in your production environment, but managing your firewall is just beginning. You should monitor logs, update firmware, perform vulnerability scans, and review firewall rules at least every six months. Finally, be diligent on these ongoing tasks to document your processes and ensure that your firewall continues to protect your network.