When was the last time you checked your firewall configuration? Well … that’s too long.
If you are a firewall administrator, you probably live in your configuration files. Everyone else looks at them only when they need to make a change. This leads to the all too common problem of “Why is that there?”
Every time I start a new job, I eventually have to look into the firewall and see what lives there and why. Many of the rules make sense. Here is one for an email server. Here is another for remote access to some application. Here is one for some system … to do something … for some reason. Firewall rules without a documented purpose are a problem waiting to happen.
Imagine finding rules in firewalls that allow access for vendors that were fired years ago or administrators long departed. Firewall configurations never seem to shrink. We add new rules when we need them but deleting a rule … well … that’s terrifying.
Do I delete the rule? What will break? How long will it take to break? Do I risk it?
Manage your firewall
Managing the firewall is a process that never ends. It is also very easy to forget to do. Here’s a program that works well for most companies without a dedicated firewall administrator:
- Back up your config file. Seriously, back it up to a secure location where you can store it for at least a year.
- Change your password. It should be changed once a year.
- Go through your rules. Most firewalls have a hit counter that shows how many times a rule is used. Reset the counter and wait a day or so. You will quickly see which rules are important.
- Delete any disabled rules unless you just disabled them. No reason to keep old disabled rules in the config file for a decade or more.
- Label everything. Don’t use rules like “Allow 25 to 10.0.0.1 from 0.0.0.0.” Try to use names when you can. Rules should be human readable if possible. “Allow SMTP (email) to CorpSpamFilter from TheInternet” is much easier to read.
- If you don’t know what it is and nobody else does either, disable the rule. You can always enable it within seconds but it would be better to know why a rule is there than to let unknown traffic through. In all fairness, be very careful. Do lots of research. Just turning a rule off can be a disaster so cross your Ts and dot your Is before disabling a rule. Do NOT delete the rules yet.
- Schedule your next firewall audit. If you rarely make rule changes, you may only need to check the firewall every year. If you are on the firewall every week, you may need monthly audits. Put this on your calendar even if it is a year away.
- Smile, you just made your network a safer place. Repeat this process every month, quarter, or year.
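To show what the rule review, disabled-rule cleanup and labelling steps look like when run against a real export, here is an added example (not from the original post or any vendor tool) that triages a small constructed rule export. The CSV layout, field names and the hit counts are assumptions; real firewalls export rules in their own formats, so the parser needs adapting to yours.

```python
# Added example: triage a constructed firewall rule export into the audit buckets
# from the checklist above. The CSV format and field names are assumptions.
import csv
import io
import re

# Constructed sample export (hit counts as they might look a day after a counter reset).
SAMPLE_EXPORT = """\
name,action,proto,port,src,dst,hits,enabled
Allow SMTP (email) to CorpSpamFilter from TheInternet,allow,tcp,25,TheInternet,CorpSpamFilter,14203,yes
Allow 25 to 10.0.0.1 from 0.0.0.0,allow,tcp,25,0.0.0.0/0,10.0.0.1,0,yes
Vendor RDP (ACME Corp),allow,tcp,3389,203.0.113.7,10.0.5.20,0,yes
Old backup agent,allow,tcp,10000,10.0.0.0/8,10.0.9.9,0,no
Allow HTTPS to WebFarm from TheInternet,allow,tcp,443,TheInternet,WebFarm,88123,yes
"""

IP_ONLY = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")

def needs_label(rule):
    """True if the name is empty or only repeats raw ports and addresses."""
    name = rule["name"].strip()
    if not name:
        return True
    # Drop the verbs and prepositions; if nothing human-readable is left, flag it.
    words = [w for w in name.split() if w.lower() not in {"allow", "deny", "to", "from"}]
    return all(IP_ONLY.match(w) or w.isdigit() for w in words)

def triage(export_text):
    """Sort rules into: disabled (delete), zero hits (research), badly named (label)."""
    report = {"delete_disabled": [], "zero_hits": [], "needs_label": []}
    for rule in csv.DictReader(io.StringIO(export_text)):
        if rule["enabled"].lower() != "yes":
            report["delete_disabled"].append(rule["name"])
            continue  # a disabled rule never gets hits, so skip the hit check
        if int(rule["hits"]) == 0:
            report["zero_hits"].append(rule["name"])
        if needs_label(rule):
            report["needs_label"].append(rule["name"])
    return report

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_EXPORT).items():
        print(bucket, names)
```

The zero-hit bucket is a research list, not a delete list: a rule for a quarterly job will show no hits after a day, which is exactly why the checklist says to disable first and delete later.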
Know what you know and when to say NO!
I know my way around a firewall. I have been configuring them for 15 years. Access control lists are something I can do in my sleep. But on a Cisco firewall, I don’t touch the VPN settings. I call in an expert to keep me from breaking my own network.
I audit my VPN configuration at the same time as my firewall configuration. My Cisco consultant works across from me looking through VPN config files for things we no longer use or could use better. I look through the firewall rules. In the event I need help with something, I have help.
Since I am a generalist in my job, I cannot know everything there is to know about every system I manage. When I know I am over my head, I get an expert. Firewalls are too important to tinker with.
Save your work
Don’t forget that some firewalls have a running configuration that is lost every time you reboot. That’s great when you fry the config and need it back the way it was before you started. That’s terrible when all the changes you made last month got lost when you updated the firmware. Remember to save the running config to the startup config once you know everything works as it should. (Put an event on your calendar to remind you if you need to.)
Take your time but it does get easier
The first time you do this it will be a slow process. There will be lots of research and issues. The second time will be easier. You will remember why most of the rules are there. You will be able to read them. After a few years, firewall maintenance will be a simple task.