Firewall Best Practices

1. Know what every rule does
   1.1 Be sure you know exactly what every single rule does
   1.2 Know your ports, both TCP and UDP, by number and by application
   1.3 Know the ICMP types (0, 3, 4, 8 and 11 are normally considered safe)
   1.4 Be aware of additional IP types (unless you block non-UDP/TCP/ICMP traffic)
   1.5 Pay careful attention to rule dependencies and ordering
   1.6 Don't confuse incoming and outgoing filters
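Item 1 is easiest to act on with a mechanical check. The script below is an added example, not code from the original page: it runs three of the checks over a small ruleset, reporting rules with no written rationale (1.1), allow rules for ICMP types outside the set the page calls normally safe (1.3), and rules shadowed by an earlier rule that already matches everything they would match (1.5, keeping incoming and outgoing rules separate per 1.6). The Rule record, the rule names and the address ranges are constructed for the example; the format is vendor-neutral rather than any firewall's native syntax.

```python
"""Static checks over a small firewall ruleset (added example, constructed format)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

SAFE_ICMP_TYPES = {0, 3, 4, 8, 11}  # the types item 1.3 calls normally safe


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str               # "in" or "out"
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    port: Optional[int] = None   # dst port, or ICMP type when proto is "icmp"; None = any
    comment: str = ""            # the rationale item 1.1 asks for


def covers(outer: Rule, inner: Rule) -> bool:
    """True when `outer` matches every packet that `inner` would match."""
    if outer.direction != inner.direction:          # item 1.6: in and out are separate
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.port is not None and outer.port != inner.port:
        return False
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst)))


def find_issues(rules: List[Rule]) -> List[str]:
    """One human-readable finding per problem, in rule order."""
    issues = []
    for i, rule in enumerate(rules):
        if not rule.comment.strip():
            issues.append(f"{rule.name}: no rationale recorded")
        if rule.proto == "icmp" and rule.action == "allow":
            if rule.port is None:
                issues.append(f"{rule.name}: allows every ICMP type")
            elif rule.port not in SAFE_ICMP_TYPES:
                issues.append(f"{rule.name}: ICMP type {rule.port} is outside the safe set")
        # Item 1.5: first-match semantics mean an earlier, broader rule wins.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                issues.append(f"{rule.name}: shadowed by earlier rule "
                              f"{earlier.name} ({earlier.action}); it can never match")
                break
    return issues


# Constructed sample ruleset using documentation address ranges (RFC 5737).
SAMPLE_RULES = [
    Rule("allow-web", "in", "allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443, "public HTTPS front end"),
    Rule("allow-ping", "in", "allow", "icmp", "0.0.0.0/0", "192.0.2.0/24", 8, "echo request for monitoring"),
    Rule("allow-icmp-5", "in", "allow", "icmp", "0.0.0.0/0", "192.0.2.0/24", 5),   # redirect, no comment
    Rule("deny-all-in", "in", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "default deny"),
    Rule("allow-ssh", "in", "allow", "tcp", "198.51.100.0/24", "192.0.2.10/32", 22, "admin jump host"),
]

if __name__ == "__main__":
    for finding in find_issues(SAMPLE_RULES):
        print(finding)
```

On the sample, the checker reports the uncommented ICMP redirect rule twice (no rationale, unsafe type) and flags allow-ssh as dead because the default deny sits above it. Moving the deny to the end, or deleting the rule you cannot explain and watching what the default deny then logs, is the item 2 response.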
2. If you cannot figure out what a rule does, delete it (and monitor the resulting traffic)
   2.1 Never violate rule #2

3. Know your applications and their risks (ActiveX, for example)
   3.1 Get management buy-in for any controversial or potentially disruptive filtering
   3.2 If you cannot get management buy-in, be sure to CYA by documenting the risk (assigning dollar values if possible)
   3.3 If you have to CYA, be sure the risk analysis is adequately distributed beyond your direct manager (as feasible)

4. Know what the firewall is protecting
   4.1 Partition and encrypt valuable data, for example by establishing internal firewalls for the legal and accounting departments

5. Always log, and read the syslogs regularly
   5.1 Consider increased rule-specific logging (at least temporarily) when changing rules
   5.2 Use intrusion detection software (NIDS, HIDS, AIDS) wherever the business case permits
   5.3 Configure IDS alerts and alarms carefully
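Items 2 and 5 together describe a routine: log every rule, read the logs, and watch what happens after a rule change. The script below is an added example, not from the original page: it parses a batch of syslog-style firewall lines, counts how often each configured rule fired, lists rules that never fired (candidates for the item 2 review), and lists sources whose denied connections crossed a threshold, which is the kind of condition item 5.3 says to tune carefully before alarming on it. The log lines, their field layout, the rule names and the addresses are all constructed for the example; real firewalls log differently and the regular expression would need adapting.

```python
"""Count firewall rule hits in syslog-style lines (added example, constructed log format)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample log; the "filter: key=value" layout is an assumption for this example.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw1 filter: rule=allow-web action=allow proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=443
Mar  3 10:01:05 fw1 filter: rule=deny-all-in action=deny proto=tcp src=203.0.113.77 dst=192.0.2.10 dport=22
Mar  3 10:01:06 fw1 filter: rule=deny-all-in action=deny proto=tcp src=203.0.113.77 dst=192.0.2.10 dport=23
Mar  3 10:01:09 fw1 filter: rule=allow-web action=allow proto=tcp src=198.51.100.9 dst=192.0.2.10 dport=443
Mar  3 10:02:11 fw1 filter: rule=allow-ping action=allow proto=icmp src=198.51.100.9 dst=192.0.2.10 type=8
Mar  3 10:02:30 fw1 filter: rule=deny-all-in action=deny proto=udp src=203.0.113.77 dst=192.0.2.10 dport=161
Mar  3 10:02:31 fw1 sshd[412]: unrelated daemon message that the parser must skip
"""

# Rule names as configured on the firewall (constructed to match the sample log).
CONFIGURED_RULES = ["allow-web", "allow-ping", "allow-icmp-5", "deny-all-in", "allow-ssh"]

LINE_RE = re.compile(
    r"filter: rule=(?P<rule>\S+) action=(?P<action>allow|deny) proto=(?P<proto>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def parse(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract the filter events; lines that do not match the layout are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def hits_per_rule(events: List[Dict[str, str]]) -> Counter:
    """How often each rule matched in the batch."""
    return Counter(e["rule"] for e in events)


def unused_rules(configured: Iterable[str], events: List[Dict[str, str]]) -> List[str]:
    """Configured rules with zero hits: review these under item 2 (explain it or delete it)."""
    seen = hits_per_rule(events)
    return sorted(r for r in configured if seen[r] == 0)


def denies_per_source(events: List[Dict[str, str]], threshold: int = 3) -> List[Tuple[str, int]]:
    """Sources with at least `threshold` denied connections, most frequent first."""
    c = Counter(e["src"] for e in events if e["action"] == "deny")
    return [(src, n) for src, n in c.most_common() if n >= threshold]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    for rule, n in hits_per_rule(ev).most_common():
        print(f"{rule:<16} {n} hits")
    print("never matched:", unused_rules(CONFIGURED_RULES, ev))
    print("denied sources over threshold:", denies_per_source(ev))
```

Run against a day's worth of logs rather than this six-line sample, the never-matched list is the evidence item 2 wants before a rule is removed, and the deny counter is the kind of figure to watch in the days after that removal (item 5.1).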
6. Keep all configurations backed up and check in all changes using open-standards-based revision control software (RCS, CVS, SVN, Git, ...)
   6.1 Comment your revision check-ins if the rationale is not self-evident

7. Audit thoroughly and often
   7.1 Have someone else perform audits periodically
   7.2 Use the most experienced and knowledgeable auditors / consultants / engineers possible (this is not a task for low bidders)

8. Read several security newsgroups and mailing lists daily
   8.1 Evaluate new exploits carefully
http://www.roble.com/docs/firewall_best_practices.html