How To Configure a Firewall
Proper configuration is essential to supporting internal networks andstateful packet inspection. Here is how to configure a firewall securely:
1. Secure the firewall
Securing a firewall is the vital first step to ensure only authorized administrators have access to it. This includes actions such as:
- Update with the latest firmware
- Never putting firewalls into production without appropriate configurations in place
- Deleting, disabling, or renaming default accounts and changing default passwords
- Use unique, secure passwords
- Never using shared user accounts. If a firewall will be managed by multiple administrators, additional admin accounts must have limited privileges based on individual responsibilities
- Disabling the Simple Network Management Protocol (SNMP), which collects and organizes information about devices on IP networks, or configuring it for secure usage
- Restricting outgoing and incoming network traffic for specific applications or the Transmission Control Protocol (TCP)
2. Establish firewall zones and an IP address structure
It is important to identify network assets and resources that must be protected. This includes creating a structure that groups corporate assets into zones based on similar functions and the level of risk.
A good example of this is servers—such as email servers, virtual private network (VPN) servers, and web servers—placed in a dedicated zone that limits inbound internet traffic, often referred to as ademilitarized zone (DMZ). A general rule is that the more zones created, the more secure the network is.
However, having more zones also demands more time to manage them. With a network zone structure established, it is also important to establish a corresponding IP address structure that assigns zones to firewall interfaces and subinterfaces.
3. Configure access control lists (ACLs)
Access control lists (ACLs) enable organizations to determine which traffic is allowed to flow in and out of each zone. ACLs act as firewall rules, which organizations can apply to each firewall interface and subinterface.
ACLs must be made specific to the exact source and destination port numbers and IP addresses. Each ACL should have a “deny all” rule created at the end of it, which enables organizations to filter out unapproved traffic. Each interface and subinterface also needs an inbound and outbound ACL to ensure only approved traffic can reach each zone. It is also advisable to disable firewall administration interfaces from public access to protect the configuration and disable unencrypted firewall management protocols.
4. Configure other firewall services and logging
Some firewalls can be configured to support other services, such as a Dynamic Host Configuration Protocol (DHCP) server, intrusion prevention system (IPS), and Network Time Protocol (NTP) server. It is important to also disable the extra services that will not be used.
Further, firewalls must be configured to report to a logging service to comply with and fulfill Payment Card Industry Data Security Standard (PCI DSS) requirements.
5. Test the firewall configuration
With the configurations made, it is critical to test them to ensure the correct traffic is being blocked and that the firewall performs as intended. The configuration can be tested through techniques like penetration testing and vulnerability scanning. Remember to back up the configuration in a secure location in case of any failures during the testing process.
6. Manage firewall continually
Firewall management and monitoring are critical to ensuring that the firewall continues to function as intended. This includes monitoring logs, performing vulnerability scans, and regularly reviewing rules. It is also important to document processes and manage the configuration continually and diligently to ensure ongoing protection of the network.