Ensure proper firewall setup.
The specifics of firewall deployment may differ depending on your vendor, but there are a few general best practices that apply to every type of hardware. These recommendations from PCI compliance partner Security Metrics are a good place to start:
Secure your firewall.
Delete or disable any default accounts and passwords, and set new passwords that are complex. Then, disable simple network management protocol to minimize security risks.
Architect your firewall zones and IP addresses.
Structure your network so similar assets are grouped together based on sensitivity level and function. All servers accessed directly from the internet should be grouped together and separated from internal servers. While having more zones generally improves security, keep in mind that they also require time and effort to manage.
Set firewall rules.
Determine which network traffic needs to flow in and out of each zone using an access control list. Disable firewall administration interfaces from public access and all unencrypted protocols, including HTTP connections.
Configure other firewall services.
If your firewall has other capabilities (such as acting as a dynamic host configuration protocol), configure the services you want to use and disable any extra services you don’t want.
Test firewall configuration.
Ensure your firewall is blocking inbound and outbound traffic according to your firewall rules, and scan for vulnerabilities.
Use network automation to reduce manual tasks.
Maintaining firewalls and other network devices involves many tedious, time-consuming tasks. If you have more than a few firewalls, you potentially have dozens of firewall licenses that are set to expire at any given time. You also may need to enable and disable various features to deploy new services, validate configuration and maintain high availability. Keeping up with all these firewall maintenance activities not only keeps you from other important projects, but they also introduce a greater potential for human error.
Network automation replaces many of these manual tasks with automated scripts. They can run commands without the need to type them in, identify issues and assess the health of your devices. An effective network automation system reduces costs and errors while offering deeper insights into performance.
Install required hotfixes and remove redundant ones.
To prevent network downtime and security breaches, it’s critical to make sure your devices are patched with the latest versions and hotfixes. You can type in manual commands to find currently installed hotfixes, install new ones and remove redundant ones. However, this requires knowing when and where to look. A network automation platform can identify which hotfixes should be installed on your specific firewalls and which ones you don’t need.
Use an in-depth firewall monitoring system to track performance.
As your organization grows, managing firewall capacity becomes increasingly important. You need to constantly monitor your device load metrics, including packets accepted, dropped, logged and rejected per second.
A network monitoring system checks for slowdowns and other issues 24 hours a day, seven days a week. Advanced network monitoring can also check network response time and availability, notify you when you are close to reaching capacity limits and more.
Conduct a regular audit of the firewall’s configurations.
As we’ve seen in our own research, nearly 1 in 5 firewall issues are related to configuration drift. This could be as simple as a lack of clock synchronization between devices, or it could be a more serious issue — such as an open port that isn’t documented in your security policy.
That’s why it’s so important to check configurations regularly, especially those related to redundancy and failover to ensure that no firewall becomes a single point of failure.
These issues are also easier to detect if you’re using a network monitoring system.