Tufin Technologies is offering some useful recommendations to make sure organizations don’t become a victim over the Christmas and New Year break – a time when people relax and many organizations run on a skeleton staff.
Document all firewall rule changes: Firewalls do not have a change management process built into them, so documenting changes has never become a best, or even standard practice. If a firewall administrator makes a change because of an emergency or some other form of business disruption, chances are they are under the gun to make it happen as quickly as possible, and process goes out the window.
Install all access rules with minimal access rights: Another common firewall security issue is overly permissive rules. A firewall rule is made up of three fields – source (IP address or network), destination (network/subnet), and service (application or port). In order to make sure there are enough open ports for everyone to access the systems they need, common practice has been to assign a wide range of values in one or more of those fields. When you allow a wide range of IP addresses to access a large group of networks for the sake of business continuity, these rules become overly permissive and, as a result, insecure.
Verify every firewall change against compliance policies and change requests: Firewalls are part of the physical implementation of corporate security policy. Every rule should be reviewed to confirm that it meets the spirit and intent of the security policy and any compliance policies, not just the letter of the law.
Remove unused rules from the firewall rule bases when services are decommissioned: AKA: avoid rule bloat. Rule bloat is a very common occurrence with firewalls because most operations teams have no process for deleting rules. Getting into the loop on server decommissioning, network decommissioning, and application upgrade cycles is a good start for understanding when rules need to come out. Running reports on unused rules is another step. Hackers like the fact that firewall teams never remove rules. In fact, this is how many compromises occur.
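The two checks above (flagging rules whose source, destination or service fields are too wide, and reporting rules that have not matched traffic in a review window) can be scripted against an exported rule base. The following is an added example, not Tufin's tooling or code from the original article; the rule-base layout, sample rules, hit dates, the 90-day unused window and the "broader than a /24" threshold are all constructed assumptions.

```python
# Added example: audit a small, constructed firewall rule base for
# overly permissive rules and rules with no recent hits.
from datetime import date, timedelta
import ipaddress

# Constructed sample rule base: one dict per rule with the three rule fields
# (src, dst, svc) plus the date the rule last matched traffic.
RULES = [
    {"name": "partner-web", "src": "203.0.113.0/24", "dst": "10.1.5.10/32", "svc": "tcp/443",  "last_hit": date(2024, 12, 20)},
    {"name": "legacy-any",  "src": "10.0.0.0/8",     "dst": "10.0.0.0/8",   "svc": "any",      "last_hit": date(2024, 12, 19)},
    {"name": "old-ftp",     "src": "192.168.1.0/24", "dst": "10.1.9.4/32",  "svc": "tcp/21",   "last_hit": date(2024, 3, 2)},
    {"name": "db-app",      "src": "10.1.5.0/24",    "dst": "10.1.6.20/32", "svc": "tcp/5432", "last_hit": date(2024, 12, 21)},
]

REVIEW_DATE = date(2024, 12, 24)   # constructed "today" for the review
UNUSED_DAYS = 90                   # assumed window for "unused"
MAX_ADDRESSES = 256                # assumed threshold: broader than a /24 is "wide"

def is_wide_network(cidr):
    """True if an address field is 'any' or covers more hosts than a /24."""
    if cidr == "any":
        return True
    return ipaddress.ip_network(cidr, strict=False).num_addresses > MAX_ADDRESSES

def permissive_reasons(rule):
    """List the fields that make a rule overly permissive (empty if none)."""
    reasons = []
    if is_wide_network(rule["src"]):
        reasons.append("wide source")
    if is_wide_network(rule["dst"]):
        reasons.append("wide destination")
    if rule["svc"] == "any":
        reasons.append("any service")
    return reasons

def unused_rules(rules, today, days=UNUSED_DAYS):
    """Names of rules with no hits inside the last `days` days."""
    cutoff = today - timedelta(days=days)
    return [r["name"] for r in rules if r["last_hit"] < cutoff]

def audit(rules, today):
    """Build the review report: rule name -> list of findings."""
    stale = set(unused_rules(rules, today))
    report = {}
    for r in rules:
        findings = permissive_reasons(r)
        if r["name"] in stale:
            findings.append("unused")
        if findings:
            report[r["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(RULES, REVIEW_DATE).items():
        print(f"{name}: {', '.join(findings)}")
```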
Perform a complete firewall review at least twice per year: If you are a merchant with significant credit card activity, then this one is not just a best practice but a requirement. PCI requirement 1.1.6 calls for reviews at least every 6 months. Firewall reviews are also a critical part of the maintenance of your firewall rule base. Networks and services are not static, so your firewall rule base should not be either. As corporate policies evolve and compliance standards change, you need to review how you are enforcing traffic on the firewalls.