5 ways to create a secure firewall

Firewall management can be a complicated and risky process if not performed carefully. Here are five tips to help you build a successful strategy.

Firewalls are the technological gateways into and out of companies, and they also compartmentalize internal systems and networks to segregate them from one another. They pass or block network traffic based upon specific permissions intended to secure systems, services and users from unauthorized access or malicious threats.

A properly maintained firewall is one of the keys to business and operational success. Troubleshooting firewall-related problems and mishaps can be challenging as well as stressful. Therefore, it's important to proceed carefully when making firewall changes since one wrong move can shut down critical access, causing business processes to fail or endangering company reputation and customer loyalty. Here are five tips every firewall administrator should rely on for operational (and career) stability.

1. Have an official request system

Firewall requests (and changes) should not be made willy-nilly through email, instant messaging, voicemails, verbal requests, and so forth. Such requests are too hard to keep track of, they may not always be seen or acted on in a timely manner, and the chance for inappropriate requests looms large. Instead, requests should originate via an official channel such as a helpdesk ticket, Salesforce case, or an email to a dedicated group or Outlook public folder. This allows requests to be processed on a first-come, first-served basis and you can easily record these requests over time.

Using this method you can not only evaluate the frequency of requests from an individual or organization but also streamline the process by establishing the daily workload involved and developing a standard routine. You can also refer back to requests if an incident occurs due to human error or ignorance (in other words, CYA).

2. Utilize an approval process

It may make sense to include an approval process for firewall changes, either via the requester's manager, the IT department, or the security department. These approvals should be either included in the request or added on after the fact (such as a follow-up email authorizing the change, or an update to the help desk ticket by the approver stating the request is authorized). This can help reduce the risk of error or of providing unnecessary access.

Security might not need to be consulted for every single firewall change, but could perhaps establish a set of standard approved changes, such as allowing new customers to access a specific set of systems or networks via an agreed-upon range of ports or protocols. This will develop a baseline for acceptable changes and make the environment more predictable and easier to administer.

3. Establish a consistent change schedule

Except for emergency situations, firewall change requests should be batched and implemented at the same time each day, such as 9-10 am. It's advisable to conduct them as early as possible in the day so that requests can be met rapidly and staff will be available to troubleshoot any problems that may arise in the aftermath.

Multiple change timeframes might also be suitable, such as 9 am and 4 pm, to ensure the necessary access is provided within a sufficient time period to those who require it.

Late night production firewall changes for non-emergency situations are not recommended (unless you have a reputation for excessive meticulousness) due to the fatigue factor involved with after-hours work and the potential for difficult troubleshooting due to insufficient available staff. In short, updating the firewall then going to bed is a recipe for disaster.

When making the actual changes, using the copy and paste function to enter in new IP addresses is a good idea, since it reduces the potential for error, such as typing the IP address 64.29.30.103 when the request was for 64.29.30.130.

4. Rely on redundancy

A two-person firewall review strategy makes sense for especially critical environments. In this scenario, a second person examines the changes which are to be implemented before they are actually saved in order to compare them with the request. Any errors can then be detected and corrected before they go into effect.

This doesn't necessarily have to mean one person literally watches the other one work. Some firewall products such as Check Point allow you to save proposed changes and then push out the associated policies so that they go live. If you follow this process and use a type of firewall that operates in a similar fashion, the review can take place between saving the settings and enacting them.
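The second-person review described above, and the mistyped-address risk from tip 3, can be partly automated by comparing the addresses in the request with the addresses staged on the firewall. The following is an added example, not code from the original article; the function names and the idea of exporting both lists as plain strings are assumptions, and the sample addresses other than the article's 64.29.30.103/64.29.30.130 pair are constructed.

```python
import ipaddress


def normalize(addresses):
    """Parse entries strictly; a malformed address raises ValueError."""
    return {ipaddress.ip_address(a.strip()) for a in addresses}


def looks_like_typo(wanted, entered):
    """True if two IPv4 addresses differ in exactly one octet, and that
    octet has the same digits reordered or differs by one character."""
    if wanted.version != 4 or entered.version != 4:
        return False
    w, e = str(wanted).split("."), str(entered).split(".")
    diff = [(a, b) for a, b in zip(w, e) if a != b]
    if len(diff) != 1:
        return False
    a, b = diff[0]
    if sorted(a) == sorted(b):  # transposed digits, e.g. 130 vs 103
        return True
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def review_change(requested, proposed):
    """Compare the ticket's addresses with the staged (unpushed) change."""
    req, prop = normalize(requested), normalize(proposed)
    missing = req - prop      # asked for but not staged
    unexpected = prop - req   # staged but never requested
    typos = sorted(
        (str(m), str(u)) for m in missing for u in unexpected
        if looks_like_typo(m, u)
    )
    return {
        "approved": not missing and not unexpected,
        "missing": sorted(map(str, missing)),
        "unexpected": sorted(map(str, unexpected)),
        "likely_typos": typos,
    }


# Constructed sample: addresses from the ticket vs. the staged change.
TICKET_IPS = ["64.29.30.130", "64.29.30.131"]
STAGED_IPS = ["64.29.30.103", "64.29.30.131"]

if __name__ == "__main__":
    print(review_change(TICKET_IPS, STAGED_IPS))
```

A change is pushed only when `approved` is true; a non-empty `likely_typos` list tells the reviewer which staged entry to correct rather than just that something differs.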

It's also a wise move to have a backup firewall in place where merited, so that if one device fails or has a connectivity problem the other can take over as needed. This should be set up to do so automatically (such as if the primary firewall fails to respond for 60 seconds or longer and therefore the secondary device takes over) rather than via human intervention so issues can be more easily resolved.

5. Utilize the ability to roll back changes rapidly

If something goes wrong even despite your best efforts over the previous four steps, the "undo" option can be a real life saver. If possible, implement a plan to revert your firewall(s) to a previously known good configuration, depending on the capabilities of your environment. With many firewalls, configurations can be backed up automatically on a daily basis and restored fairly easily either by the GUI or the command line.

If your firewall doesn't permit this, it's a good idea to record details before making a change to the existing configuration - even just using plain old screenshots. For instance, if a customer requests the removal of several of their IP addresses from your firewall, take note of those IPs and the access provided to each before you take the plunge. If it turns out they submitted the wrong IP addresses and now they can't connect to your systems you will at least have a workable life preserver. Worst case scenario, even if you can't roll back to the prior configuration, you can manually enter the IPs back in and provide the necessary access rather than having to get this information from the customer. This allows a quicker recovery time and also demonstrates professionalism and good sense.

About Scott Matteson

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.
