Managing your firewall policy remains a critical cybersecurity task, but the challenges are more complex than ever. With users accessing a slew of cloud-hosted SaaS apps and other cloud services, facilitating user productivity while managing security risks calls for a delicate balance of firewall rules and configurations to carefully control traffic flows in and out of your network. This article offers a primer on firewall policy management for modern businesses.
Firewall policy management establishes a set of risk-based rules and configurations that dictate which traffic is allowed to flow into and out of your trusted network. Any approach to managing firewall policy should be dynamic enough to adapt the policy to changes in cyberattack methods, vulnerabilities and how your users access applications.
It’s this latter point on application access that is arguably most salient in the context of modern firewall policy management. When firewalls emerged as an important security tool, IT networks were far simpler. There was a clear boundary between what was inside and outside the network and what was good and bad.
Port-based or stateful inspection firewalls could easily protect internal systems, apps and assets from malicious external traffic based on a castle and moat approach to security. This model worked pretty well on the whole (except for the tendency of users to get frustrated when firewall rules blocked necessary internet access for different apps).
However, the days in which users accessed apps that were hosted on-premises are nearly over. The emergence of cloud computing sees a myriad of applications and other computing services accessible only via an internet connection. A 2020 report into SaaS usage projected that by 2025, 85% of the apps companies use will be SaaS-based.
Wholesale changes in the way users access resources for their daily work have rendered the traditional castle and moat approach to network security obsolete. Modern apps are evasive, often deploying tactics like port-hopping or using non-standard ports to function. Some companies tried to gain back control and visibility over firewall management by using intrusion prevention systems, URL filtering, bolted-on deep packet inspection and complex security appliances alongside their traditional firewalls, but the difficulty remained in discerning between good and bad.
This complexity led to companies taking one of two common approaches to firewall management, both of which failed for different reasons:
Next-generation firewalls emerged to help provide more granular control over application traffic, but the problem of complexity never really went away. Large firewall rule sets make it hard to identify misconfigurations or gauge how permissive/restrictive a policy is.
Here are some tips and practices to improve firewall policy management and achieve the right balance between enough bandwidth and access for a good user experience while not compromising on security.
The least privilege principle should serve as the foundation for any firewall’s policy. This principle creates firewall rules based on the idea of blocking everything that doesn’t serve a legitimate business purpose or function. This principle reduces the firewall’s attack surface while allowing you to build up a ruleset based on authorized traffic for only the services you want and that your users need.
Address the low-hanging fruit by following established guidelines on blocking certain ports. A firewall checklist from the SANS Institute offers recommendations on a list of port numbers to block due to their security risks. A simple nmap scan can quickly show you whether these ports are currently open.
Formalizing the change management process makes it easier and safer to adapt your firewall policy to dynamic changes in the services that users access. Instead of changing rules ad hoc, establish a process that involves:
As new users and devices get added to your IT ecosystem and application usage varies, your network is in constant flux. It’s important to regularly perform firewall reviews to ensure the rules remain reflective of current traffic patterns. Firewall logs can be a valuable source of this kind of information.
You may well find that some rules are no longer needed while in other cases, you need to create a new rule. If you uncover risky rules with “Any” set in the source, destination or port, try to make them specific to reduce risks where possible.
One common problem encountered when reviewing large rulesets is that you’ll find rules that seem to serve the same purpose. Sometimes these conflicts can cause network slowdowns that impact application performance for end users. If you can, find ways to merge different rules to make them more effective or simply remove one of the redundant rules.
It’s vital to test your firewalls for vulnerable configurations and rules regularly. Vulnerability scans allow you to send packets to firewalls and collect the responses from them to uncover weaknesses. You also need to check whether your firewall’s software is up to date because the patches available for software might address security weaknesses.
A security audit differs from a regular review in that this is a formal process for checking that your firewall complies with both the internal information security policy at your organization and with any external regulations. For example, PCI DSS, which protects cardholder data, has specific requirements for firewalls that you should regularly audit to avoid non-compliance.
Effective firewall policy management is still a critical component of network security. While these tips can help better balance security with productivity, the truth is that companies struggle to find the budget and resources for optimal firewall management, which leaves gaps in rules and configurations.
Services like Nuspire’s managed gateway provide experts to help you streamline firewall configurations while managing secure network access for vendors, employees and remote locations. Connect everything to a SIEM, including your firewall, to help refine rules and strengthen security.