Guidelines for configuring your firewall rule-set

You've just installed a new firewall. Congratulations on taking a big step in protecting your organization.
Written by Laura Taylor, Contributor
You've just installed a new firewall. Congratulations on taking a big step in protecting your organization. Now you're ready for the next step: configuring the firewall rule-set, or policy file.

A rule-set specifies what services to let through your firewall, and which ones to keep out. A rule defines the parameters against which each connection is compared, resulting in a decision on what action to take for each connection.

No matter what type of firewall you install, a rule consists of--at the very minimum--a source address, a destination address, a service, and an associated action. Most firewalls display rule files in configurable tabular form (See Figure 1).

Most firewalls come with their ports open by default. Some, including Symantec's VelociRaptor firewall, come with their ports closed by default--this is called automatic port blocking. If your firewall comes with all the ports and services open, the best way to start the rule-set configuration process is to close everything, then go back and open up just the services that you specifically require. This ensures that you are not letting any more services through than is absolutely necessary, which is the ultimate goal in configuring a firewall. The standard services to take into consideration are the following:

  • HTTP (Web surfing)
  • HTTPS (secure HTTP)
  • FTP (file transfers)
  • SMTP (e-mail)
  • ICMP (reporting services; ping)
  • Telnet (bi-directional communication sessions)

You can let other kinds of traffic onto your network--in fact, you'll almost certainly need to--but keep in mind that each additional service you allow through your firewall increases your risk of having your network and systems compromised by security exploits. The more restrictive rules should be listed first, and the least restrictive rules should follow. Otherwise, if the firewall administrator places a less restrictive rule before a more restrictive rule, the checking is stopped at the first rule. The traffic is allowed through, even though the administrator meant it to be prevented by the later, more restrictive rule.

Here is a list of standard best-practice firewall rules that have stood the test of time:

  • Anything from inside the network is allowed out. This empowers employees to have full control to use whatever services they might need.

  • All access to the firewall itself is blocked from the Internet. Almost all access to the firewall is blocked from inside the network. The only people with access to the firewall should be the firewall administrators, and this access should be protected by a secure authentication mechanism such as two-factor identification tokens, smart cards, or fingerprint scanners.

  • Allow SMTP messaging services for both Internet and internal users to pass through your firewall--this is required for you to receive and send e-mail.

  • ICMP services should be turned off to prevent utilities such as ping from passing through your firewall. Many hacker and scanning programs use ping.

  • You should block Telnet access to all internal servers from the Internet. At the very least, be sure to block Telnet access to your DNS server to prevent illegal zone transfers, and to prevent hackers from taking down your entire network. If your internal users need to come in to your network from outside the firewall, you should be using a VPN client, or other secure authentication system.

  • If your Web server is outside the firewall, consider blocking HTTP from reaching your internal networks. That way, if any employees are running Web servers for internal use on their desktops, the services will not be visible to the outside Internet. If your Web server is behind the firewall, you need to allow HTTP or HTTPS through for the Internet at large to view it. Therefore, I'd generally recommend putting Web servers outside the firewall.
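The ordering rule stated earlier (most restrictive first, because checking stops at the first match) and the best-practice list above can both be checked mechanically. The Python below is an added example, not code from the article or from any firewall product: a minimal first-match evaluator over rules of the shape the article describes (source, destination, service, action), the best-practice rules encoded most-restrictive-first, the same set with the "anything from inside is allowed out" rule moved to the top, and a static check for rules that an earlier rule makes unreachable. The addresses (10.0.0.0/8 as the internal network, 10.0.0.1 as the firewall, 10.0.9.0/24 as the administrators' hosts, 10.0.1.25 as the mail relay), the service names and the rule names are all constructed for the example.

```python
"""First-match firewall rule evaluation, ordering and shadow detection.
Added example, not code from the original article; the rule syntax, addresses
and service names are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing for the protected network.
INTERNAL = ip_network("10.0.0.0/8")       # everything behind the firewall
FIREWALL = ip_network("10.0.0.1/32")      # the firewall's own inside address
ADMIN_HOSTS = ip_network("10.0.9.0/24")   # firewall administrators' workstations
MAIL_RELAY = ip_network("10.0.1.25/32")   # internal SMTP server
ANY = ip_network("0.0.0.0/0")


class NotIn:
    """Address-set complement: every address outside `net`, so 'the Internet'
    can be written as 'anything that is not internal'."""
    def __init__(self, net: IPv4Network):
        self.net = net

    def __contains__(self, addr) -> bool:
        return addr not in self.net


INTERNET = NotIn(INTERNAL)


def covers(a, b) -> bool:
    """True if address set `a` contains every address of set `b`."""
    if isinstance(a, NotIn) and isinstance(b, NotIn):
        return b.net.supernet_of(a.net)   # not-A contains not-B  <=>  B contains A
    if isinstance(a, NotIn):
        return not a.net.overlaps(b)      # not-A contains B  <=>  A and B disjoint
    if isinstance(b, NotIn):
        return a.prefixlen == 0           # only 0.0.0.0/0 contains a complement
    return a.supernet_of(b)


@dataclass(frozen=True)
class Rule:
    """The minimum a rule needs: source, destination, service, action."""
    name: str
    src: object        # IPv4Network or NotIn
    dst: object
    service: str       # "any" or a service name such as "smtp", "telnet"
    action: str        # "allow" or "deny"

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.service in ("any", service))


def evaluate(rules: list, src: str, dst: str, service: str) -> tuple:
    """Walk the rule-set top to bottom; the first match decides. No match
    means the implicit default: deny."""
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule.action, rule.name
    return "deny", "default-deny"


def shadowed(rules: list) -> list:
    """(dead_rule, shadowing_rule) pairs: a rule is dead when an earlier rule
    matches a superset of its traffic. Partial overlaps (a broad allow above a
    narrower deny) are not reported; evaluate() on sample flows exposes those."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (covers(earlier.src, later.src) and covers(earlier.dst, later.dst)
                    and earlier.service in ("any", later.service)):
                dead.append((later.name, earlier.name))
                break
    return dead


# The article's best-practice rules, most restrictive first.
BEST_PRACTICE = [
    Rule("admins-to-firewall", ADMIN_HOSTS, FIREWALL, "any", "allow"),
    Rule("block-firewall-access", ANY, FIREWALL, "any", "deny"),
    Rule("block-icmp", ANY, ANY, "icmp", "deny"),
    Rule("block-telnet-inbound", INTERNET, INTERNAL, "telnet", "deny"),
    Rule("block-http-inbound", INTERNET, INTERNAL, "http", "deny"),
    Rule("smtp-to-relay", ANY, MAIL_RELAY, "smtp", "allow"),
    Rule("inside-out", INTERNAL, ANY, "any", "allow"),
]
# Same rules with the permissive "inside-out" rule moved to the top: internal
# traffic matches it first, so the firewall-access and ICMP denies never fire.
MISORDERED = [BEST_PRACTICE[-1]] + BEST_PRACTICE[:-1]
# Admin allow placed below the blanket deny: a completely dead rule.
DEAD_ADMIN_RULE = [BEST_PRACTICE[1], BEST_PRACTICE[0]] + BEST_PRACTICE[2:]

if __name__ == "__main__":
    flows = [("10.0.5.7", "10.0.0.1", "https"),      # constructed: user -> firewall
             ("10.0.5.7", "198.51.100.80", "icmp"),  # constructed: internal ping out
             ("203.0.113.5", "10.0.1.25", "smtp")]   # constructed: Internet mail in
    for label, rules in (("best practice", BEST_PRACTICE), ("misordered", MISORDERED)):
        for flow in flows:
            print(label, flow, "->", evaluate(rules, *flow))
    print("dead rules:", shadowed(DEAD_ADMIN_RULE))
```

Running it shows the point of the ordering rule directly: an ordinary internal host connecting to the firewall is denied by `block-firewall-access` under the best-practice order but allowed by `inside-out` under the misordered one, and an outbound ping flips from denied to allowed the same way. The static `shadowed()` check catches the fully dead case (the administrators' allow placed below the blanket deny) and also reports the admin rule as redundant in the misordered set, since the broad inside-out allow already covers it, but it cannot see the partial shadowing of the denies, which is why evaluating sample flows belongs alongside any static audit of a rule-set.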

Once you set up your firewall, you will undoubtedly receive frequent requests from your users to poke a hole in it and let through "just one more service." To keep the most restrictive policies in place, do everything you can to resist these requests. That may be tough to do on your own, so you should have an approval process set up for allowing new services through your firewall. Someone on your executive management team, your network engineering team, and the requester's manager should all be required to approve a request to open up new services in the firewall.

Keep in mind that even the most restrictive firewall policies do not guarantee that your systems and networks will not be attacked and compromised. There are numerous ways that savvy hackers can penetrate firewalls, but a properly configured firewall will certainly reduce the risk of a potentially debilitating security compromise.

Laura Taylor is the Chief Technology Officer and founder of Relevant Technologies. Ms. Taylor has 17 years of experience in IT operations with a focus in information security. She has worked as Director of Information Security at Navisite and as CIO of Schafer Corp., a weapons development contractor for the Department of Defense.