As the first line of defense against online attackers, your firewall is a critical part of your network security. Configuring a firewall can be an intimidating project, but breaking the work into more straightforward tasks makes it much more manageable. The following guidelines will help you understand the critical steps involved in configuring a firewall.
Many firewall models can be used to protect your network; a HIPAA or PCI security expert can help you evaluate your options. The following steps apply regardless of the firewall you choose. This guide assumes that you are using a business-grade firewall that supports multiple internal networks (zones) and performs stateful packet inspection.
Because firewalls are highly technical, a detailed step-by-step guide is beyond the scope of this blog post. However, the guidance below illustrates how to configure a firewall in five steps.
Step one: Secure your firewall
If an attacker can access your firewall's administrative interface, it is "game over" for your network security. Securing the firewall itself is therefore the first and most crucial step. Never put a firewall into production that is not secured by at least the following configuration actions:
-Update the firewall to the latest firmware.
-Delete, disable, or rename every default user account and change all default passwords. Use only long, complex passwords.
-If multiple administrators manage the firewall, create a separate administrator account for each person, with privileges limited to that person's responsibilities. Never use a shared account: it destroys accountability in the audit trail.
-Disable Simple Network Management Protocol (SNMP) if you do not need it. If you do, use SNMPv3 with authentication and encryption, or at minimum replace the default community strings ("public", "private") with strong ones and restrict SNMP access to your management hosts. SNMPv1 and SNMPv2c send the community string in clear text, so on those versions the community string is effectively a password on the wire.
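The checks above can be turned into a repeatable audit of a firewall's exported configuration. The script below is an added example, not code from the original post or any vendor's tool: the line-oriented configuration syntax (`user ... password ... role ...`, `snmp community ...`, `mgmt <protocol> enable`) is hypothetical and constructed for illustration, as is the sample export it audits, and the password-complexity policy is an assumption. It flags out-of-date firmware, enabled default accounts, weak or username-equal passwords, a set of administrators who all hold full rights, community-string SNMP (and default or read-write communities), and plaintext management protocols.

```python
"""Step-one management-plane audit over a firewall configuration export.

Added example, not code from the original post. The configuration syntax
is hypothetical and vendor-neutral; the sample export is constructed.
"""
import re

# Constructed sample export of an unhardened firewall (hypothetical syntax).
SAMPLE_CONFIG = """\
firmware running 9.8.1
firmware latest 9.8.4
user admin password admin role superuser
user cisco password cisco role superuser disabled
user jdoe password Tr0ub4dor&3xyz! role superuser
user asmith password asmith role superuser
snmp community public ro
snmp community s3cretRW rw
mgmt telnet enable
mgmt http enable
mgmt ssh enable
mgmt https enable
"""

DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "cisco"}
DEFAULT_COMMUNITIES = {"public", "private"}
PLAINTEXT_MGMT = {"telnet", "http"}
# Assumed complexity policy: 12+ characters with upper, lower, digit and symbol.
STRONG_PASSWORD = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{12,}$")


def parse_config(text):
    """Parse the hypothetical line-oriented format into a dict."""
    cfg = {"firmware": {}, "users": [], "snmp": [], "mgmt": {}}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "firmware":
            cfg["firmware"][p[1]] = p[2]
        elif p[0] == "user":
            cfg["users"].append({"name": p[1], "password": p[3], "role": p[5],
                                 "enabled": "disabled" not in p[6:]})
        elif p[0] == "snmp":
            cfg["snmp"].append({"community": p[2], "access": p[3]})
        elif p[0] == "mgmt":
            cfg["mgmt"][p[1]] = (p[2] == "enable")
    return cfg


def audit(cfg):
    """Return a list of (check, detail) findings; an empty list means hardened."""
    findings = []
    fw = cfg["firmware"]
    if fw.get("running") != fw.get("latest"):
        findings.append(("firmware", f"running {fw.get('running')}, latest {fw.get('latest')}"))
    enabled = [u for u in cfg["users"] if u["enabled"]]
    for u in enabled:
        if u["name"].lower() in DEFAULT_ACCOUNTS:
            findings.append(("default-account", u["name"]))
        if u["password"].lower() == u["name"].lower() or not STRONG_PASSWORD.match(u["password"]):
            findings.append(("weak-password", u["name"]))
    # Every administrator holding full rights defeats least privilege.
    if len(enabled) > 1 and all(u["role"] == "superuser" for u in enabled):
        findings.append(("no-privilege-separation", ",".join(u["name"] for u in enabled)))
    for s in cfg["snmp"]:
        if s["community"] in DEFAULT_COMMUNITIES:
            findings.append(("snmp-default-community", s["community"]))
        if s["access"] == "rw":
            findings.append(("snmp-write-access", s["community"]))
    if cfg["snmp"]:
        # Any community line means SNMPv1/v2c, whose credential travels in clear text.
        findings.append(("snmp-community-auth", "use SNMPv3 (auth + priv) or disable SNMP"))
    for proto, on in cfg["mgmt"].items():
        if on and proto in PLAINTEXT_MGMT:
            findings.append(("plaintext-management", proto))
    return findings


def audit_text(text):
    """Convenience wrapper: audit a configuration export given as text."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for check, detail in audit_text(SAMPLE_CONFIG):
        print(f"{check:26} {detail}")
```

Run it against an export before the device goes into production and again after every change window; the goal is an empty findings list, and any non-empty result is a concrete item for the change ticket.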
Step two: Architect your firewall zones and IP addresses
To protect the valuable assets on your network, first identify what those assets are (e.g., payment card data or patient data). Then plan your network structure so that these assets can be grouped into networks (zones) by similar sensitivity and function.
For example, all servers that provide services over the internet (web servers, email servers, virtual private network (VPN) servers, etc.) should be placed in a dedicated zone that permits limited inbound traffic from the internet; this zone is often called a demilitarized zone (DMZ).
Generally speaking, the more zones you create, the more secure your network is, because traffic between zones must cross a firewall rule and a compromise in one zone cannot reach the others freely. But managing more zones requires extra time and resources, so decide carefully how many network zones you want to use.
If you are using IP version 4, use private (RFC 1918) addresses for your internal networks. Configure Network Address Translation (NAT) so that internal devices can communicate on the Internet where necessary.
Once your network zone structure has been designed and the corresponding IP address scheme has been established, you are ready to create your firewall zones and assign them to your firewall interfaces or subinterfaces. As you build out your network infrastructure, use switches that support virtual LANs (VLANs) to maintain layer-2 separation between networks.
Step three: Configure access control lists
Now that you have established your network zones and assigned them to interfaces, determine precisely what traffic needs to flow into and out of each zone.
This traffic is permitted by firewall rules, called access control lists (ACLs), applied to each interface or subinterface on the firewall. Whenever possible, make your ACLs specific to the exact source and destination IP addresses and port numbers.
At the end of each ACL, make sure there is an explicit "deny all" rule to screen out all unauthorized traffic. Most firewalls drop unmatched traffic anyway, but the explicit rule makes the intent visible in the policy and lets you log and count what it rejects. Apply both inbound and outbound ACLs to each interface and subinterface so that only permitted traffic is allowed in and out of each zone.
It is usually recommended to block access to the firewall's management interfaces (both Secure Shell (SSH) and the web interface) from public networks wherever possible, and to allow them only from a dedicated management network. This protects the firewall setup itself from external threats. Make sure you disable all unencrypted management protocols, including Telnet and HTTP.
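Steps two and three together can be modelled and checked before anything is typed into the device. The script below is an added example, not code from the original post or any vendor's ACL language: the zone names, subnets, interface names, firewall addresses and the rule format are hypothetical and constructed for illustration. It models one zone per (sub)interface, an inbound ACL per interface with explicit deny-all, a first-match evaluator for test packets, and a linter that checks the three points above: deny-all at the end, no blanket permit, and the firewall's own SSH/HTTPS ports reachable only from the management zone. The evaluator is also the kind of expectation table you want ready for step five, since it states in advance what should and should not pass.

```python
"""Zone layout and ACL policy for Steps two and three, with a first-match
evaluator and a policy linter.

Added example, not code from the original post. Zone names, subnets,
addresses and ports are constructed, and the rule format is hypothetical.
"""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
MGMT_PORTS = (22, 443)  # SSH and HTTPS management of the firewall itself

# Step two: one zone per (sub)interface, grouped by sensitivity (constructed).
ZONES = {
    "outside": {"iface": "eth0",    "net": ANY},
    "dmz":     {"iface": "eth1.10", "net": ip_network("10.10.0.0/24")},
    "inside":  {"iface": "eth1.20", "net": ip_network("10.20.0.0/24")},
    "mgmt":    {"iface": "eth1.99", "net": ip_network("10.99.0.0/24")},
}
# The firewall's own interface addresses (constructed).
FIREWALL_ADDRS = ["203.0.113.1", "10.10.0.1", "10.20.0.1", "10.99.0.1"]


def rule(action, proto, src, dst, dport=None):
    """One ACL entry; dport=None matches any port, proto 'any' any protocol."""
    return {"action": action, "proto": proto, "src": ip_network(src),
            "dst": ip_network(dst), "dport": dport}


def deny_to_firewall(src):
    """Explicitly block a zone from the firewall's own addresses before any broad permit."""
    return [rule("deny", "any", src, f"{a}/32") for a in FIREWALL_ADDRS]


DENY_ALL = rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0")

# Step three: inbound ACL per interface (traffic arriving from that zone), first match wins.
ACLS = {
    "outside": [
        rule("permit", "tcp", "0.0.0.0/0", "10.10.0.10/32", 443),  # public web server
        rule("permit", "tcp", "0.0.0.0/0", "10.10.0.20/32", 25),   # mail relay
        DENY_ALL,
    ],
    "dmz": [
        rule("permit", "tcp", "10.10.0.10/32", "10.20.0.50/32", 5432),  # web tier -> database only
        rule("permit", "udp", "10.10.0.0/24", "10.99.0.5/32", 514),     # syslog to the log server
        DENY_ALL,
    ],
    "inside": [
        rule("permit", "udp", "10.20.0.0/24", "10.99.0.5/32", 514),  # syslog to the log server
        *deny_to_firewall("10.20.0.0/24"),                           # no management from inside
        rule("permit", "tcp", "10.20.0.0/24", "0.0.0.0/0", 443),     # outbound HTTPS
        DENY_ALL,
    ],
    "mgmt": [
        rule("permit", "tcp", "10.99.0.0/24", "10.99.0.1/32", 22),   # SSH to the firewall
        rule("permit", "tcp", "10.99.0.0/24", "10.99.0.1/32", 443),  # HTTPS to the firewall
        DENY_ALL,
    ],
}


def evaluate(zone, proto, src, dst, dport=None, acls=ACLS):
    """Return 'permit' or 'deny' for a packet entering on `zone`: first match
    wins, and anything that matches nothing is dropped."""
    s, d = ip_address(str(src)), ip_address(str(dst))
    for r in acls[zone]:
        if r["proto"] != "any" and r["proto"] != proto:
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"


def lint(acls):
    """Check the Step-three guidance: explicit deny-all at the end, no blanket
    permits, and the management plane reachable only from the mgmt zone."""
    problems = []
    for zone, acl in acls.items():
        if not acl or acl[-1] != DENY_ALL:
            problems.append((zone, "no explicit deny-all at the end"))
        for r in acl:
            if r["action"] == "permit" and r["src"] == ANY and r["dst"] == ANY and r["dport"] is None:
                problems.append((zone, "blanket permit any -> any"))
        if zone == "mgmt":
            continue
        probe = next(ZONES[zone]["net"].hosts())  # a representative source in the zone
        for fw in FIREWALL_ADDRS:
            for port in MGMT_PORTS:
                if evaluate(zone, "tcp", probe, fw, port, acls) == "permit":
                    problems.append((zone, f"firewall management {fw}:{port} reachable"))
    return problems


if __name__ == "__main__":
    print("policy problems:", lint(ACLS))
    print("internet -> web 443:", evaluate("outside", "tcp", "198.51.100.7", "10.10.0.10", 443))
    print("internet -> fw ssh :", evaluate("outside", "tcp", "198.51.100.7", "203.0.113.1", 22))
```

Note the order in the `inside` ACL: the outbound HTTPS permit is broad on its destination, so the deny entries for the firewall's own addresses must come before it, otherwise an inside host could reach the firewall's web interface on any of its addresses. The linter catches that mistake by actually evaluating probe packets rather than by pattern-matching rule text.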
Step four: Configure your other firewall services and logging
If your firewall can also act as a Dynamic Host Configuration Protocol (DHCP) server, Network Time Protocol (NTP) server, Intrusion Prevention System (IPS), and so on, configure the services you want to use and disable the rest. At a minimum, make sure the firewall's own clock is synchronized via NTP, since log timestamps are only useful for correlation if every device agrees on the time.
If you are subject to PCI DSS, configure your firewall to send its logs to your central logging server, and make sure each record carries the detail required by PCI DSS requirements 10.2 and 10.3: 10.2 defines which events must be logged (administrator actions, failed access attempts, changes to authentication mechanisms, stopping or pausing of audit logs, and so on), and 10.3 defines what each entry must contain (user identification, type of event, date and time, success or failure, origination of the event, and the affected data, system component or resource).
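A quick way to verify "adequate detail" is to run sample records through a checker before relying on them for an audit. The script below is an added example, not code from the original post: the log lines are constructed (not captured from any device), the RFC 5424-style header is real syslog framing but the key=value message body is a hypothetical format, and the mapping from keys to the six PCI DSS 10.3 elements is an assumption about how such a firewall would name its fields. It parses each record, takes the date/time from the syslog header, and reports which 10.3 elements are missing; pure traffic-deny records are exempted from the user-identification element because no user is involved.

```python
"""Step four: check that firewall log records carry the detail PCI DSS 10.3
expects before they are relied on at the logging server.

Added example, not code from the original post. The key=value message body
is a hypothetical format; the log lines are constructed, not captured.
"""
import re
from datetime import datetime

# Constructed RFC 5424-style lines with a hypothetical key=value body.
SAMPLE_LOGS = """\
<134>1 2024-03-04T10:15:01Z fw01 fwd - - event=admin_login user=jdoe result=success src=10.99.0.7 target=fw01/mgmt
<134>1 2024-03-04T10:16:44Z fw01 fwd - - event=config_change user=jdoe result=success src=10.99.0.7 target=acl/outside
<132>1 2024-03-04T10:20:09Z fw01 fwd - - event=admin_login user=admin result=failure src=198.51.100.7 target=fw01/mgmt
<134>1 2024-03-04T10:21:00Z fw01 fwd - - event=acl_deny result=deny src=198.51.100.7 target=10.20.0.50:445
<134>1 2024-03-04T10:22:00Z fw01 fwd - - event=audit_log_stopped user=jdoe src=10.99.0.7
"""

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID MSG
HEADER = re.compile(r"^<(\d+)>1 (\S+) (\S+) (\S+) \S+ \S+ (.*)$")

# PCI DSS v3.2.1 10.3.1-10.3.6: user, event type, date/time, outcome,
# origination, and the affected resource. Date/time (10.3.3) comes from the header.
REQUIRED = {"user": "10.3.1", "event": "10.3.2", "result": "10.3.4",
            "src": "10.3.5", "target": "10.3.6"}
# Hypothetical event types for which no user identity applies (traffic records).
USERLESS_EVENTS = {"acl_deny", "acl_permit"}


def parse(line):
    """Split one syslog line into header fields plus the key=value body."""
    m = HEADER.match(line)
    if not m:
        return None
    _pri, ts, host, app, body = m.groups()
    fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
    fields["host"], fields["app"] = host, app
    try:
        fields["timestamp"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:  # RFC 5424 allows "-" for an unknown time; that fails 10.3.3
        fields["timestamp"] = None
    return fields


def missing_detail(fields):
    """Return the 10.3 requirement ids a parsed record fails to satisfy."""
    missing = []
    if fields.get("timestamp") is None:
        missing.append("10.3.3")
    for key, req in REQUIRED.items():
        if key == "user" and fields.get("event") in USERLESS_EVENTS:
            continue
        if key not in fields:
            missing.append(req)
    return missing


def check_logs(text):
    """Return {line_number: [missing requirement ids]} for records that fall short."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        fields = parse(line)
        gaps = ["unparseable"] if fields is None else missing_detail(fields)
        if gaps:
            report[n] = gaps
    return report


if __name__ == "__main__":
    for n, gaps in check_logs(SAMPLE_LOGS).items():
        print(f"line {n}: missing {', '.join(gaps)}")
```

In the constructed sample only the `audit_log_stopped` record fails: it records who stopped the audit log and from where, but not whether the action succeeded or which log it affected. That is exactly the kind of gap an assessor will ask about, and it is far cheaper to find in a test environment than during an audit.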
Step five: Test your firewall configuration
Check that your firewall works as expected in a test environment. Confirm not only that permitted traffic flows but also that the firewall blocks the traffic your ACLs say it should block. Testing should include both vulnerability scanning and penetration testing.
Once testing is complete, the firewall is ready for production. Keep a backup of the firewall configuration in a safe location so that all your hard work is not lost if the hardware fails.
Note that this is only an outline of the main steps in a firewall setup. Whether you follow a tutorial or plan the configuration yourself, have a security expert review the result to make sure it keeps your data as secure as possible.
With your firewall in production, the setup is finished, but managing it has only begun. Logs must be monitored, firmware must be kept up to date, vulnerability scans must be run, and firewall rules must be reviewed at least every six months.