The Robert Frances Group believes firewalls are crucial elements for the overall security architecture in the enterprise. IT executives should establish business application profiles (BAPs) describing the security requirements for each of their company's applications. IT executives should then use best practices to identify appropriate areas for firewall deployments and to ensure they are effectively deployed and managed.
- No two companies have identical application deployments and security requirements. IT executives should develop BAPs to determine the security requirements for each application or area. IT executives should include in these profiles risk factors such as communications links to business partners, customers, remote employees, and vendors.
- After end-to-end application security requirements and risk factors are identified, firewalls can be deployed as one component to help meet those security requirements. Firewalls should not be treated as a silver bullet. Instead, IT executives should view firewalls as one element in a comprehensive security strategy, and balance their use with the deployment of other technologies, including encryption mechanisms, intrusion detection systems (IDSs), virus protection software, etc.
- Best practices themselves are the result of user experiences in a given area, and are not intended to be a one-size-fits-all description for appropriate firewall deployments. IT executives should exercise their own judgment when identifying areas to deploy firewall devices. IT executives should also develop their own set of best practices for firewall deployments to ensure the best fit with their company's security requirements.
Fundamentally, firewalls provide critical filtering functionality for network traffic, protecting corporate resources from unauthorised access. However, although firewalls are generally straightforward appliances, deploying them properly is not always a straightforward matter.
IT executives should begin their evaluation process by developing business application profiles that describe the enterprise's security requirements. These profiles should cover applications including database, e-mail, file, and Web servers, as well as risk factors such as data centre security requirements, communications links to business partners and vendors, and so on.
To maximise the effectiveness of their firewall deployments, IT executives should observe the following best practices when deploying firewall devices at their companies:
Best Practices for Firewall Deployments
1) There are different types of firewalls, and each has its place in the enterprise. Packet filters are easier to deploy and less expensive, but application layer gateways provide more robust protection for critical systems.
2) Firewalls cannot protect against application mis-configuration.
3) One firewall is rarely sufficient protection. Firewalls should be deployed to create "zones" of authorised types of traffic, separating applications into groups of related security requirements.
4) Firewalls may be useful for protecting internal systems, such as those in the data centre, from internal misuse, in addition to their traditional role of protecting public servers from the dangers of being accessible from the Internet.
5) While deploying multiple firewalls generally increases security levels, firewalls should not be over-deployed. As with other systems and devices, they have a point of diminishing returns where over-zealous deployments eventually fail to provide any return on investment.
6) Firewalls should be coupled with other technologies, such as intrusion detection system (IDS) products.
7) Security is only as good as the latest security patch, so system maintenance should be regular and timely.
8) Firewalls should be monitored on a regular basis, but should not be treated as an IDS.
9) When examining logs, failures are as important as successful connections, and outbound connections should be examined as well as inbound.
10) If alerts will be sent to administrators, they should be classified to control false positives.
11) Firewalls are not install-and-forget devices. As application requirements change, firewalls should be updated to match those changes.
12) As with other systems, unused services should be disabled.
Firewalls provide one of two types of protection for a business application. The first is a packet filter, which blocks or permits traffic based on criteria such as a packet's source or destination. Some packet filters additionally provide "stateful inspection," which allows them to control traffic flow based on connection state. For example, a stateful packet filter might be used to protect client systems by preventing inbound traffic unless it is in response to a request made by a client.
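The stateful behaviour just described, modelled as a small connection-tracking filter. This is an added illustration, not code from the RFG report or from any firewall product; the packet fields, the protected client subnet and the sample packets are all constructed for the example, and the state table is simplified (a client FIN removes the entry immediately, with no FIN/ACK handshake).

```python
"""Added illustration: a minimal stateful packet filter that lets inbound
traffic reach a client only when it answers a request that client made."""
from dataclasses import dataclass

CLIENT_NET = "10.0.1."   # assumed protected client subnet (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # "SYN", "SYN-ACK", "ACK" or "FIN" (simplified)


class StatefulFilter:
    """Tracks connections opened by clients; an inbound packet is allowed
    only if it is the reverse direction of a tracked connection."""

    def __init__(self):
        self.table = set()   # (client_ip, client_port, server_ip, server_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.src.startswith(CLIENT_NET):               # outbound from a client
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "SYN":
                self.table.add(key)                      # new connection: create state
                return "ALLOW"
            if key not in self.table:
                return "DROP"                            # no state for this flow
            if pkt.flags == "FIN":
                self.table.discard(key)                  # simplification: close at once
            return "ALLOW"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # inbound: look up reverse flow
        return "ALLOW" if key in self.table else "DROP"


def run(packets):
    """Apply the filter to a packet sequence and return the per-packet verdicts."""
    f = StatefulFilter()
    return [f.decide(p) for p in packets]


# Constructed sample traffic for the illustration
SAMPLE = [
    Packet("10.0.1.5", 40001, "203.0.113.10", 443, "SYN"),      # client opens HTTPS
    Packet("203.0.113.10", 443, "10.0.1.5", 40001, "SYN-ACK"),  # legitimate reply
    Packet("198.51.100.7", 5555, "10.0.1.5", 445, "SYN"),       # unsolicited inbound
    Packet("10.0.1.5", 40001, "203.0.113.10", 443, "FIN"),      # client closes
    Packet("203.0.113.10", 443, "10.0.1.5", 40001, "ACK"),      # arrives after close
]
```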
The second type of firewall is an application level gateway, which acts as an intermediary for a protected system. Application level gateways provide additional security by normalising data sessions and ensuring that only normalised content is received by the protected system. Common applications for which such gateways are available include e-mail, file transfer, and Web. Because they provide additional functionality, application level gateways are more expensive than packet filters, and can also be more difficult to configure. However, they can provide more robust protection for a system.
However, neither type of firewall can properly protect improperly configured systems. In fact, it is a task firewalls are often incorrectly deployed to perform. Firewalls should not be treated as a mechanism for reducing or eliminating the need to "harden" systems against attack. For example, although an application layer gateway may provide extensive protection for a Web server, if that server's Web-based administration interface is enabled but not password-protected, that system will be as vulnerable as if it were not behind a firewall at all.
Most enterprises require more than one firewall, and IT executives should look for opportunities to deploy them wherever they are appropriate. Firewalls should be deployed to create zones of allowable traffic types. For example, public systems such as Web servers and e-mail gateways should be placed in separate zones from the application, database, and internal e-mail servers that support them. Firewalls may also be beneficial when deployed internally, such as to protect data centre systems from misuse by employees or to prevent communication links to business partners from being a source of malicious traffic.
However, firewalls are only one element in a proper security strategy, and IT executives should avoid over-zealous firewall deployments. IT executives should instead focus on spending limited budget dollars on firewalls where they will yield the highest return on investment, reserving remaining resources for administration education, intrusion detection systems, network security audits, and so forth.
As with any system for which security is a concern, IT executives should ensure that firewall security patches are installed as soon as possible after their manufacturers release them. However, because firewalls are not patched as frequently as other products, it may be more difficult to determine when a patch has been released. IT executives should contact product vendors to determine whether automatic notification and distribution channels are available for such patches.
If automatic update bulletins or distribution channels are not available, IT executives should detail one or more employees to check with the vendor for product updates on at least a weekly basis, if not more frequently. Nearly all vendors provide Web-based support portals where these patches can be downloaded. IT executives should ensure that a full inventory of deployed devices is provided to the employee(s) who perform this function to ensure that all relevant updates are retrieved.
Further, although most firewalls do not provide an extensive list of services, many do have the option of enabling or disabling at least a few items. IT executives should ensure that only the minimal configurations required to address each security requirement are deployed on firewalls. For example, if simple network management protocol (SNMP) is not required for device management, it should be disabled because even such basic services can be targets for attack.
Firewalls should not be used to replace IDS products, but they can provide valuable information for identifying attack attempts and patterns, and even system problems, because their false-positive rate is very low. For example, failed connection attempts may indicate either an attack probe or a failed system. Traffic types and directions can also yield interesting information. For example, outbound connection attempts from server systems are rarely authorised traffic, and thus should often lead to examinations for Trojan horses or other system back doors. Inbound connection attempts to proxies are also examples of traffic types with a very low rate of false positives.
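The two log checks the paragraph calls out, run over a handful of sample lines: denied inbound attempts grouped by source (a probe or a broken system), and any outbound connection attempt that originates from a server system. This is an added example, not the report's or any vendor's code; the log line layout, the server address list and the log lines themselves are constructed assumptions for the illustration.

```python
"""Added example: firewall log triage along the lines the text describes."""
import re
from collections import Counter

SERVERS = {"192.0.2.10", "192.0.2.11"}   # assumed data-centre server addresses

# Assumed log layout: "<time> <ACTION> <dir> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\S+) (ALLOW|DENY) (in|out) (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample lines for this illustration
SAMPLE_LOG = """\
10:00:01 DENY in 198.51.100.7:51000 -> 192.0.2.10:22
10:00:02 DENY in 198.51.100.7:51001 -> 192.0.2.10:23
10:00:03 DENY in 198.51.100.7:51002 -> 192.0.2.10:3389
10:00:04 ALLOW in 203.0.113.5:43000 -> 192.0.2.10:443
10:00:05 DENY out 192.0.2.11:40000 -> 198.51.100.9:6667
10:00:06 ALLOW out 10.0.1.5:40010 -> 203.0.113.20:80
"""


def parse(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            t, action, direction, src, sport, dst, dport = m.groups()
            yield {"time": t, "action": action, "dir": direction,
                   "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def triage(text, servers=SERVERS):
    """Count denied inbound attempts per source and list every outbound
    attempt made by a server, whether the firewall allowed it or not."""
    denied_inbound = Counter()
    server_outbound = []
    for e in parse(text):
        if e["dir"] == "in" and e["action"] == "DENY":
            denied_inbound[e["src"]] += 1
        if e["dir"] == "out" and e["src"] in servers:
            server_outbound.append((e["src"], e["dst"], e["dport"], e["action"]))
    return {"denied_inbound": dict(denied_inbound),
            "server_outbound": server_outbound}
```

A denied outbound attempt from a server is worth a look even though the firewall stopped it, since the question is why the server tried at all.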
Separating system types and responsibilities can make these examinations clearer. If resources are available to do so, IT executives should consider deploying separate systems to segregate e-mail traffic, client Web browsing proxy services, etc. This step will simplify firewall rule sets, and also have beneficial effects on other security layers, such as IDS products.
Finally, IT executives should bear in mind that firewall deployments are only effective if they evolve alongside application requirements over time. Budgetary allowances should be made to ensure that this critical piece of the corporate security infrastructure is kept up to date and continues to meet business application requirements for security. Firewall deployments should be reviewed and re-evaluated on a yearly basis, or whenever application requirements change, whichever comes first.
RFG believes firewalls can provide significant levels of protection for systems if they are properly deployed and configured. IT executives should develop BAPs to describe application security requirements and risk factors. IT executives should then follow best practices in identifying targets for firewall deployments, and ensure that their administrators follow best practices in monitoring and maintaining the devices once they are installed. Firewalls are an important component in the overall security architecture for the enterprise, and IT executives should verify they are properly configured, deployed, and managed.