Simple Firewall Best Practices for Small and Midsize Businesses
Published: April 19, 2011
Author: Miha Pihler, Microsoft MVP - Enterprise Security: Engineering
All servers require regular maintenance, and their firewalls are no exception. In regard to firewalls, there are daily maintenance tasks such as reviewing logs, checking for any alerts, and changing policies. Then there are less frequent tasks such as reviewing policies, which I would recommend doing at least twice a year, especially in environments with more complex firewall deployments. Below, I’ve discussed several important considerations and suggested best practices for effectively maintaining firewalls.
Review firewall policies regularly
- Over time, firewall policies become outdated. Servers that were published to the Internet get decommissioned, and services get moved to new servers. But firewall policies tied to decommissioned servers often are not removed or updated. The danger here is that IP addresses of decommissioned servers get reused on new servers, and new servers can then easily be published for unintended services.
- Regular review of the policies is even more important if there is more than one firewall administrator. In such environments, it is likely that, for example, two administrators have created two different policies for the same network traffic. When conducting policy reviews, see if you can consolidate any of the policies.
- Review rules that clients use to connect to different services on the Internet. An application that required a specific port to communicate with the Internet might have been updated with a new application that uses a different port. Talk to the application/resource owner to determine if a specific policy is still required.
- Firewall logs can help in your policy review. You can search the logs to discover the last time a specific policy was used. If you feel uncomfortable removing the policy, try to disable it first and remove it at a later time, e.g. at the next firewall review.
- When possible, have someone else review the policies: someone who has knowledge of and experience with managing firewalls but who is not involved in the day-to-day operations of your network.
Close all unnecessary ports
- You should only open the ports that clients and servers need to communicate with other networks and the Internet. While this is sometimes easier said than done, it is still a good practice.
- One of the ports that you should pay special attention to when opening it to the Internet is TCP port 25 (the SMTP port). Whenever possible, close this port for all clients and servers except the mail server. All clients and servers should relay their email to the Internet through central SMTP servers. Doing this will go a long way toward preventing infected clients on corporate networks from distributing unsolicited emails.
- If your firewall allows only central SMTP servers to relay email to the Internet, you can review your firewall logs for denied SMTP traffic. What you will find is clients attempting to send email directly to the Internet. More often than not, these clients will be infected computers trying to distribute unsolicited emails.
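Both log-based checks described above (finding when a policy was last used, and finding hosts whose direct SMTP connections the firewall denied) can be scripted. The following is an added example, not from the original article; it assumes a constructed "timestamp key=value" log layout rather than any real vendor's format, and the rule names, addresses and review date are constructed sample values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log in a generic "timestamp key=value ..." layout (not a real vendor format).
SAMPLE_LOG = """\
2011-04-01T08:00:00 action=allow rule=Web-Out src=10.0.0.21 dst=203.0.113.10 proto=tcp dport=443
2011-04-02T09:15:00 action=allow rule=Mail-Out src=10.0.0.5 dst=198.51.100.25 proto=tcp dport=25
2011-04-10T10:05:00 action=deny rule=Default-Deny src=10.0.0.37 dst=198.51.100.25 proto=tcp dport=25
2011-04-10T10:05:02 action=deny rule=Default-Deny src=10.0.0.37 dst=198.51.100.26 proto=tcp dport=25
2011-04-10T10:05:03 action=deny rule=Default-Deny src=10.0.0.37 dst=198.51.100.27 proto=tcp dport=25
2011-04-12T14:30:00 action=deny rule=Default-Deny src=10.0.0.44 dst=203.0.113.50 proto=tcp dport=25
2011-04-15T11:00:00 action=allow rule=Web-Out src=10.0.0.21 dst=203.0.113.11 proto=tcp dport=80
2011-01-03T12:00:00 action=allow rule=Old-FTP-Publish src=192.0.2.7 dst=10.0.0.9 proto=tcp dport=21
"""
# Rule names as configured on the firewall (constructed); DMZ-RDP never appears in the log.
CONFIGURED_RULES = ["Web-Out", "Mail-Out", "Default-Deny", "Old-FTP-Publish", "DMZ-RDP"]
REVIEW_DATE = datetime(2011, 4, 19)  # date of this policy review (constructed)

def parse_log(text):
    """Return one dict per line: the key=value fields plus a parsed 'ts' datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def stale_rules(records, configured_rules, review_date, max_idle_days=90):
    """Configured rules never hit, or last hit before the cutoff: disable now, remove next review."""
    last_hit = {}
    for r in records:
        last_hit[r["rule"]] = max(last_hit.get(r["rule"], r["ts"]), r["ts"])
    cutoff = review_date - timedelta(days=max_idle_days)
    return sorted(name for name in configured_rules
                  if name not in last_hit or last_hit[name] < cutoff)

def rogue_smtp_sources(records, mail_servers):
    """Hosts other than the central SMTP servers whose outbound TCP/25 was denied, busiest first."""
    attempts = Counter(r["src"] for r in records
                       if r["action"] == "deny" and r["proto"] == "tcp"
                       and r["dport"] == "25" and r["src"] not in mail_servers)
    return attempts.most_common()

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("stale rules:", stale_rules(recs, CONFIGURED_RULES, REVIEW_DATE))
    print("denied SMTP sources:", rogue_smtp_sources(recs, {"10.0.0.5"}))
```

Hosts near the top of the denied-SMTP list are the ones to inspect for malware; rules in the stale list go through the disable-first, remove-later step described above.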
Back up your firewall regularly
- Having a recent backup of your firewall configuration can save a lot of time and trouble. Whenever possible, make a backup of firewall policies and configurations before performing any policy changes. With a backup, if you run into any problems with the new policy configuration, it is easy to revert to the previous, working configuration.
- Consider what else is needed to restore your firewall if disaster recovery is necessary. Are there any specific routes that are not included in the firewall configuration backup, but are required for complete restore? How about certificates and their corresponding private keys that might be used for SSL session termination on the firewall?
- Practice firewall recovery in a test environment. Testing should point out any missing components in the backup and, therefore, give administrators the opportunity to learn the necessary skills to perform a quick and reliable restore when necessary.
Update the firewall
- Regardless of the make and model of your firewall, you should update it regularly. All firewall manufacturers release updates for their products. These updates often include bug fixes and new features that can help mitigate new types of threats, thereby minimizing risk.
- When possible, also update network card drivers. These updates often solve problematic behaviors, including those that might, at first, seem to be related to an unreliable firewall.
Following these best practices and conducting regular maintenance work can make the life of a firewall administrator less stressful and help better protect your network.