Firewalls are among the oldest security tools, and when properly used, they are a foundation for IT security overall. Given that, few enterprises understand how best to use firewalls, where they should be installed and whether they are doing what they’re supposed to do.
A recent CIMI Corp. survey on enterprise security found more than 90% of all security issues come from throwing point security tools at problems rather than addressing security at the IT ecosystem level. Nowhere is this more important than with how firewalls are deployed and maintained, which means understanding firewall management best practices.
What do firewalls do?
A firewall is a hardware- or software-based selective forwarding tool designed to limit traffic across a network connection according to a set of policies on valid communications exchanges. The goal is to lower the risk and filter out malicious data before it can harm a private network. Firewalls may block incoming traffic, outgoing traffic or both, and nearly all firewalls have general and exception policies that apply to each type of traffic. They are incorporated into a variety of networked devices and can operate based on IP address and port number and by application, protocol type or any combination of these and other factors.
Firewall management best practices
Firewalls installed on employees’ computers have the following three roles:
- To limit specific employees’ abilities to gain access to all of a workgroup’s applications or resources. The workgroup firewall would pass on the traffic, but individual firewalls could stop unauthorized users from gaining access.
- To limit employees’ access to other computers or resources within the same workgroup, where no other firewalls stand in the path of connection. Individual firewalls work best to limit individual workgroup members’ access to local resources.
- To limit the impact of planted malware.
An existing firewall can often be defeated by bad practices. It’s important to use a product that can be centrally administered and ensures workers can’t just allow any connection attempt. This level of protection is often the most critical in firewall management but the easiest to breach.
Firewalls should also be installed at the gateway to the workgroup. To get the most out of a firewall here, it is best to assign people who need access to the same information into a single workgroup. It may be necessary to break up current physical subnets into smaller ones to get everyone in the ideal workgroup network. If workgroups have been well organized, members should have all the access they need. Individual requirements can be customized as needed, using per-system firewalls to fine-tune connectivity.
In firewall management, the same principles can be applied further up the chain from workgroups. Facilities like branch offices or headquarters departments can have their own firewalls. To optimize the use of second-level firewalls, it’s best to assign these facilities a group of IP addresses and designate a single gateway router for connectivity. The firewall would then be installed behind that gateway router.
Workgroup firewalls aren’t the only application of firewall technology. Data centers and servers also need to be protected with firewalls that limit the range of IP addresses allowed to access them. If both workgroups and facilities have separate IP addresses assigned from a range of addresses that have been defined for a facility, group or application, the number of entries in the firewall will be smaller and more manageable. But server-side firewalls also require some discipline in addressing assignment for applications.
The best practice is to assign a group of connected applications with common rules for access control to an IP subnet. The subnet would then have a gateway router and the firewall placed adjacent to that router. Since container applications and DevOps best practices both mandate each application deploy in its own subnet, the application group subnet would be a higher-level subnet containing the workgroup subnets for all the applications in the group.
Using both worker- and server-side firewalls protects information and applications at both sides of a connection from worker to resource. That means that, if access rules change, it’s critical to change the rules in all the firewalls in the path, or connections won’t be permitted.