Firewall Management Best Practices

Questions and Answers

What is a primary consideration when exposing a service through a firewall?

  • Exposing a large range of ports to simplify management
  • Allowing access to the entire host for easier connectivity
  • Ignoring inbound traffic in favor of outbound concerns
  • Ensuring only required services are allowed through (correct)

What should be done to verify the effectiveness of firewall changes?

  • Perform scanning of the firewall before and after making changes (correct)
  • Conduct regular audits without prior scans
  • Only assess the firewall after major updates are complete
  • Ignore past configurations as they are no longer relevant

Why is it important to refer to documentation when configuring a firewall?

  • To avoid making guesses that could lead to vulnerabilities (correct)
  • Documentation can often mislead administrators
  • Documentation only provides unnecessary information about aesthetics
  • Documentation is not necessary for simple configurations

What type of assessments should be performed regularly on firewalls?

Answer: Vulnerability assessments to detect inadvertent changes (B)

What is a common resource provided by firewall vendors to assist in configuration?

Answer: Network diagrams illustrating traffic flow and port requirements (D)

What should be done before implementing changes to a firewall?

Answer: Test the changes in a test network (B)

Why is it important to have a backout plan for firewall changes?

Answer: To ensure changes can be reversed if they do not work as intended (C)

What is the purpose of regularly reviewing firewall rules and exceptions?

Answer: To reduce the network attack surface by removing unnecessary rules (D)

What should be done after troubleshooting if additional ports were opened?

Answer: Revert any unnecessary changes to the firewall (C)

How can logs be effectively used in firewall management?

Answer: Logs should be reviewed and preserved for forensics (B)

What is the primary function of a firewall in a network?

Answer: To filter traffic based on security policies (B)

Which of the following is not considered a best practice for firewall administration?

Answer: Allowing broad administrative access to all users (B)

What does the Principle of Least Privilege entail in the context of firewalls?

Answer: Restricting users to only the access necessary for their roles (B)

Before implementing a firewall, which of the following should be considered?

Answer: Best practices in security control (B)

Which of the following represents a best practice when setting firewall traffic rules?

Answer: Only allowing necessary ports, hosts, and applications (D)

What type of firewall consists of both hardware and software solutions?

Answer: Hybrid firewall (B)

According to firewall best practices, which of the following is a critical factor to increase security and reduce risk?

Answer: Implementation of strict access controls (D)

What is a likely result of not adhering to firewall best practices?

Answer: Higher risk of security breaches (D)

What additional filtering capability does a Next Generation Firewall (NGFW) have compared to traditional firewalls?

Answer: Filtering based on applications and users (B)

Which of the following features is NOT typically associated with Next Generation Firewalls (NGFWs)?

Answer: Antivirus for individual workstations (A)

What does the term Unified Threat Management (UTM) refer to in the context of NGFWs?

Answer: A single device that integrates multiple security features (D)

Which function of the NGFW helps prevent data breaches involving sensitive information?

Answer: Data Loss Prevention (DLP) (B)

What limitation may affect the performance of an NGFW?

Answer: Throughput based on enabled security features (A)

In the context of NGFWs, what is the role of an Intrusion Detection System (IDS)?

Answer: To detect and log malicious behaviors in traffic (B)

Which of the following represents a scenario that NGFW can enforce?

Answer: Blocking all peer-to-peer file sharing applications (B)

What is a potential drawback regarding the costs associated with NGFWs?

Answer: They can be very expensive depending on hardware and licensing. (A)

What type of attacks does a Web Application Firewall (WAF) primarily protect against?

Answer: Cross Site Scripting (XSS) (D)

Which of the following best describes the Zero Trust Security Model?

Answer: Inspects all traffic regardless of source (C)

What is a key characteristic of a Next Generation Firewall (NGFW)?

Answer: Integrates application-level inspection (A)

Which practice is NOT considered a best practice for firewall management?

Answer: Ignoring routine patching (D)

What is the primary function of a Web Application Firewall (WAF)?

Answer: To protect web applications from specific attacks (D)

What does the principle of 'never trust, always verify' signify in the Zero Trust Security Model?

Answer: Validation of every access request regardless of location (B)

In the context of firewall types, what is a static packet filter primarily used for?

Answer: Allowing or blocking packets based solely on predefined rules (C)

Which traffic patterns does a perimeter-centric firewall primarily monitor?

Answer: Only North-South traffic (B)

What is a primary function of static packet filtering firewalls?

Answer: Control traffic entering and exiting network interfaces. (B)

Which method is recommended to prevent alert fatigue in incident responses?

Answer: Tune alerting configurations to balance vigilance and noise. (B)

Why is it crucial to use encrypted protocols for remote management of firewalls?

Answer: To prevent unauthorized access during remote sessions. (B)

What should be done regarding software vulnerabilities in firewalls?

Answer: Stay informed about disclosed vulnerabilities through vendor updates. (B)

What is an important precaution when exposing remote administration interfaces?

Answer: Restrict access to trusted networks only. (A)

How do static packet filtering firewalls determine whether to allow or deny a packet?

Answer: Using predefined rules based solely on packet header information. (B)

What should those responsible for risk management define regarding firewall changes?

Answer: High-level information security risk tolerances. (A)

Which feature of static packet filtering contributes to its efficiency?

Answer: Evaluates packets one at a time based on specific criteria. (D)

Flashcards

Firewall Documentation

Guidelines outlining the specifications for firewall configuration and implications of exposing services.

Minimum Exposure Principle

Only allow necessary services and ports through a firewall to enhance security.

Inbound and Outbound Traffic

Traffic going into (inbound) and out of (outbound) the network that firewalls must manage.

Regular Risk Assessments

Periodic evaluations to identify vulnerabilities related to firewall configurations and changes.

Nmap Scanning

A tool used to scan networks to verify firewall rules and configurations before/after changes.

Firewall

A system that protects a network from intrusions by filtering communication.

Types of Firewalls

Firewalls can be hardware, software, or both to secure networks.

Firewall Best Practices

Well-defined procedures that enhance firewall security and reduce risks.

Principle of Least Privilege

Users are granted the minimum access necessary for their roles.

Firewall Administration

Managing firewalls with varying access levels for security purposes.

Access Control

Rules that determine who can use certain network resources.

ISO 27002

A reference for best practices in implementing security controls.

Traffic Rules

Regulations set by firewalls to control network access for specific needs.

Change Management

A formal process to manage modifications to IT services, reducing risks.

Best Practices for Firewall Changes

Guidelines ensuring changes are reviewed, tested, and documented.

Rule Cleanup

Regular review and removal of unnecessary firewall rules to reduce risk.

Backout Plan

A strategy to safely revert changes that did not work as intended.

Firewall Logging

Enabling logs to monitor activity and preserve data for investigations.

SYSLOG

A protocol used for sending logs to external servers for monitoring.

Alerting

Configuring notifications for suspicious traffic to improve security response times.

Alert Fatigue

Desensitization due to excessive alerts reducing response effectiveness.

Secure Remote Management

Using encrypted protocols and two-factor authentication for managing firewalls remotely.

Static Packet Filtering

Basic firewall method that checks packets one at a time based on header information.

Header Information

Data in packet headers used for evaluating access rules (like IP addresses, ports).

Allow/Deny Decisions

Choices made by firewalls to permit or block traffic based on rules.

Patches and Updates

Regular repairs and improvements to firewall software to fix vulnerabilities.

Next Generation Firewall (NGFW)

An advanced firewall that filters traffic based on applications, protocols, and users, not just IP addresses.

Unified Threat Management (UTM)

A single gateway device that combines multiple security controls for comprehensive threat protection.

Intrusion Detection System (IDS)

A system that detects malicious activity in traffic by recognizing known patterns or signatures.

Intrusion Prevention System (IPS)

Similar to IDS but actively prevents attacks by blocking suspicious activity or resetting connections.

Data Loss Prevention (DLP)

Technology that prevents sensitive information from being leaked or exfiltrated from a network.

Inline Antivirus

A feature that scans and blocks malware from files traversing the firewall before they reach users.

Web Proxy and Web Content Filtering

Controls access to websites by allowing or blocking based on predetermined categories.

Email Filtering

A gateway that filters incoming and outgoing emails to reduce spam and malicious content.

Web Application Firewall (WAF)

A firewall that specifically protects web applications by inspecting HTTP traffic.

Buffer Overflow

A type of attack where excess data overwrites memory, potentially allowing malicious code to execute.

Cross-Site Scripting (XSS)

An attack that injects malicious scripts into trusted websites viewed by users.

SQL Injection (SQLi)

An attack that executes malicious SQL statements to manipulate databases.

Zero Trust Security Model

A security model that assumes no trust; verifies every request as if it originates from an open network.

North-South Traffic

Traffic moving in and out of a network, typically between users and external services.

East-West Traffic

Traffic that occurs internally within a network, between devices or servers.

Study Notes

Introduction to Firewalls

  • Firewalls are critical for protecting networks when connecting to the internet.
  • They prevent unauthorized intrusion.
  • Firewalls can be hardware, software, or a combination.
  • They are configured according to an organization's security needs.
  • Firewalls ensure all communication between the organization's network and the internet complies with the organization's security policy.

Learning Outcomes

  • Firewall Best Practices
  • Types of Firewalls

Concept of a Firewall

  • Protecting a network against intrusion is crucial.
  • Effective internet security involves placing a Firewall between the local network and the internet.

Firewall Best Practices

  • Labs will cover common best practices.
  • Best practices are defined procedures for optimal results.
  • Firewall best practices focus on increasing security and reducing risk.
  • Consider best practices before implementing a firewall.
  • ISO 27002 provides a reference for best practices in implementing security controls.

Firewall Best Practices - While Working with Firewalls

  • Be aware of the principle of Least Privilege for firewall administration.
  • Firewalls allow for multiple admins with varying access levels.
  • Grant only necessary privileges to admins.
  • Example: Helpdesk users need read-only access to DHCP logs for troubleshooting.
  • Solution: Create a user role with limited access.

Firewall Best Practices - Principle of Least Privilege

  • Firewall traffic rules and exceptions should be implemented with the principle of Least Privilege.
  • Allow only necessary hosts, ports, and applications for a specific business requirement.
  • Consult application/system documentation for complete understanding of service implications.
  • Allow only necessary traffic for higher security.
  • Consider incoming and outgoing traffic.

Firewall Best Practices - Example: Windows Server, Certificate Services

  • Example: Windows Server, Certificate Services, and ports.
  • Application protocol (RPC, SMB), TCP, ports (e.g. 135, 445/239).

Applications

  • By reviewing documentation, proper firewalling requirements can be understood.
  • Avoid guesswork or mistakes to prevent vulnerabilities.

Firewall Best Practices - Often Software and Hardware Vendors

  • Vendors often provide network diagrams showing traffic flow and port requirements.
  • Example: Microsoft Office Communication Server 2007, external user access.
  • More on DMZs later in the course.
  • Firewall vendors provide requirements documentation.

Firewall Best Practices - FortiGate open ports

  • Various services and their associated ports used by FortiGate products.

Firewall Best Practices - Outgoing ports

  • FortiAnalyzer, FortiAuthenticator, FortiCloud, FortiGate, and their associated outgoing ports.

Firewall Best Practices - Perform regular risk assessments

  • Attackers exploit mistakes and oversights in firewall changes.
  • Scanning the firewall before and after changes ensures they work as intended.
  • Regular vulnerability assessments should also be conducted for changes.
  • Use nmap (in labs) to scan before/after changes to verify expected outcome.

Firewall Best Practices - Change Management

  • Firewall changes can increase risk to organizations.
  • A formal change management process can manage these risks while allowing necessary changes.
  • Changes involve addition, modifications, or removals of services impacting IT services.

Firewall Best Practices - Best Practices for Firewall Changes

  • Leadership, security and service stakeholders, and auditors should evaluate the changes.
  • Testing in a test network verifies change effectiveness.
  • A backout plan for unexpected outcomes is required.
  • Confirm safe rollback procedures.
  • Document all changes and details (comments/notes in the firewall itself).

Firewall Best Practices - Rule Cleanup

  • Firewall exceptions accumulate over time.
  • Regularly review and remove unnecessary rules to reduce attack surface.
  • Clean up ports opened during troubleshooting and revert unused changes.

Firewall Best Practices - Logging

  • Ensure firewall logging is enabled and logs are reviewed.
  • Preserve logs to facilitate forensic investigations of potential attacks.
  • Logs are often sent externally (e.g., using SYSLOG).

Firewall Best Practices - Alerting

  • Configure alerts for suspicious traffic or patterns for quick investigation.
  • Tune alerts to avoid "alert fatigue" for incident responders.

Firewall Best Practices - Patches and Updates

  • Security devices (like firewalls) can have vulnerabilities in their software.
  • Stay updated on disclosed/patched vulnerabilities.
  • Subscribe to vendor security email lists.

Firewall Best Practices - Palo Alto Networks Security Advisories

  • Palo Alto Networks provides security advisories on vulnerabilities and mitigations.
  • Specific advisories mentioned include vulnerabilities (memory corruption, mitigation bypass) in PAN-OS for various versions.
  • Details about fixed versions, affected versions, and associated CVE numbers are provided for each advisory.

Firewall Best Practices - Secure remote management

  • Ensure remote management is only possible over encrypted protocols (HTTPS or SSH).
  • Require two-factor authentication for remote admin interfaces.
  • Only expose remote admin interfaces to trusted networks such as internal IT network segments or a VPN.

Next Generation Firewall (NGFW)

  • NGFWs are part of the third generation of firewall technology.
  • They serve the same purpose as traditional firewalls, acting as network gateways.
  • NGFWs are stateful for TCP connections and can operate at multiple OSI layers to apply security.
  • NGFWs often include application awareness.

Next Generation Firewall (NGFW) - Filtering decisions

  • NGFWs make filtering decisions using source/destination IP, source/destination port, applications, protocols, and users.
  • Specific examples of how NGFWs filter traffic are given (e.g., block peer-to-peer, allow only HTTP/HTTPS, block TLS without valid certificates).

Next Generation Firewall (NGFW) - Resources

  • NGFWs typically require more resources for their functions; each enabled security feature affects performance.
  • Hardware tiers and software licensing can limit throughput.
  • Specific hardware and licensing options can be very expensive.

Next Generation Firewall (NGFW) - Unified Threat Management (UTM)

  • A single gateway device combining multiple security controls is called UTM.
  • UTM features include Intrusion Detection Systems (IDS), which detect malicious behavior; Intrusion Prevention Systems (IPS), which take action against it; and inline antivirus for file inspection.

Next Generation Firewall (NGFW) - Additional Features

  • DLP (Data Loss Prevention) prevents sensitive data breaches.
  • Web proxy and web content filtering for categorized websites, including blocking inappropriate web sites.
  • Email filtering for removing spam/malicious attachments and DoS attacks.

Next Generation Firewall (NGFW) - Palo Alto Networks Single-Pass Architecture

  • Palo Alto Networks' firewall architecture (single-pass design) is described.
  • It combines the policy engine with the Content-ID, App-ID and User-ID features, applying traffic classification and user/group mapping in a single pass.

Web Application Firewall (WAF)

  • Web Application Firewall (WAF) is a firewall designed to protect web applications.
  • WAFs examine HTTP traffic for attacks like buffer overflows, XSS, and SQL injection.
  • Often deployed as a reverse proxy.

Zero Trust Security Model

  • Zero Trust security shifts away from perimeter security towards a more comprehensive approach where every resource and interaction is evaluated and authorized.
  • It inspects all possible traffic, identifies users and applications, and keeps trust close to the resources.
  • Traffic from North to South and East to West is monitored.
  • Internal resources are protected against lateral attacks.

Summary - Firewall Best practices

  • Principle of least privilege
  • Trust but verify security
  • Rule cleanup
  • Change management
  • Logging and alerting
  • Patches and updates
  • Secure remote management

Summary - Types of Firewalls

  • Static packet filtering describes a very basic firewall functionality.
  • Stateful Packet Inspection (SPI) is an advanced approach that tracks the state of network connections.
  • Next Generation Firewall (NGFW) extends functionality beyond traditional traffic control.
  • Web Application Firewall (WAF) protects web applications by filtering specific web traffic.
  • The Zero Trust security approach emphasizes always verifying/authenticating.

Lab 1

  • Download, configure, and power on the VM for Lab 1.
  • This lab is cumulative.
  • VM LAN segments will be used in subsequent labs.
  • The VMware LAN segment is a private network shared for lab network simulation.

Lab 1 - Branch Office

  • Information on the LAN and the devices used in the lab is given, including each device's IPv4 address, DNS and DHCP client settings.
