How to Setup a Firewall in 6 Steps for Your Small Business (2024)

You’ve graduated from setting up that new wireless router and are ready for your next adventure: setting up a firewall. Gulp. We know, seems really intimidating. But breathe easy, because we’ve broken it down to 6 simple steps that should help you on your way to network-security nirvana. And off we go…

Step 2: Architect firewall zones and IP addresses (No heavy lifting required.)

To best protect your network’s assets, you should first identify them. Plan out a structure where assets are grouped based on business and application need, similar sensitivity level, and function, and combined into networks (or zones). Don’t take the easy way out and make it all one flat network. Easy for you is easy for attackers!

All your servers that provide web-based services (e.g., email, VPN) should be organized into a dedicated zone that limits inbound traffic from the internet, often called a demilitarized zone, or DMZ. Alternatively, servers that are not accessed directly from the internet should be placed in internal server zones. These zones usually include database servers, workstations, and any point of sale (POS) or voice over internet protocol (VoIP) devices.

If you are using IP version 4, internal IP addresses should be used for all your internal networks. Network address translation (NAT) must be configured to allow internal devices to communicate on the internet when necessary.

After you have designed your network zone structure and established the corresponding IP address scheme, you are ready to create your firewall zones and assign them to your firewall interfaces or sub-interfaces. As you build out your network infrastructure, switches that support virtual LANs (VLANs) should be used to maintain layer 2 separation between the networks.
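One way to sanity-check a zone plan before creating the zones on the firewall, as an added example that is not from the original article. The zone names, subnets and VLAN IDs are constructed, and "internal" addresses are assumed to mean the RFC 1918 private ranges.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private IPv4 ranges (assumed meaning of "internal" addresses).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zone plan: zone name -> (subnet, VLAN ID). All values are illustrative.
ZONE_PLAN = {
    "dmz":          ("192.168.10.0/24", 10),
    "servers":      ("192.168.20.0/24", 20),
    "workstations": ("192.168.30.0/24", 30),
    "pos":          ("192.168.40.0/26", 40),
    "voip":         ("192.168.40.0/24", 40),  # deliberate mistake: overlaps "pos", reuses VLAN 40
    "guest":        ("203.0.113.0/24", 60),   # deliberate mistake: not an RFC 1918 range
}

def check_zone_plan(plan):
    """Return a list of human-readable problems found in the zone plan."""
    problems = []
    nets = {zone: ipaddress.ip_network(cidr) for zone, (cidr, _) in plan.items()}
    # Every zone should sit in internal address space and be reached via NAT.
    for zone, net in nets.items():
        if not any(net.subnet_of(private) for private in RFC1918):
            problems.append(f"{zone}: {net} is not internal (RFC 1918) address space")
    # Overlapping subnets make zone-based rules ambiguous.
    for (za, na), (zb, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{za} and {zb}: subnets {na} and {nb} overlap")
    # Two zones on one VLAN share a broadcast domain, so the firewall is bypassed.
    seen_vlans = {}
    for zone, (_, vlan) in plan.items():
        if vlan in seen_vlans:
            problems.append(f"{zone} and {seen_vlans[vlan]}: share VLAN {vlan}")
        else:
            seen_vlans[vlan] = zone
    return problems

if __name__ == "__main__":
    for problem in check_zone_plan(ZONE_PLAN):
        print("PROBLEM:", problem)
```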

Step 3: Configure access control lists (It’s your party, invite who you want.)

Once network zones are established and assigned to interfaces, you will start creating firewall rules called access control lists, or ACLs. ACLs determine which traffic needs permission to flow into and out of each zone. ACLs are the building blocks of who can talk to what, and they block the rest. Applied to each firewall interface or sub-interface, your ACLs should be made as specific as possible to the exact source and/or destination IP addresses and port numbers. To filter out unapproved traffic, create a “deny all” rule at the end of every ACL. Next, apply both inbound and outbound ACLs to each interface. If possible, disable your firewall administration interfaces from public access. Remember, be as detailed as possible in this phase; not only test that your applications are working as intended, but also make sure to test what should not be allowed. Make sure to look into the firewall’s ability to control next-generation-level flows: can it block traffic based on web categories? Can you turn on advanced scanning of files? Does it contain some level of IPS functionality? You paid for these advanced features, so don’t forget to take those “next steps.”
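An added example (not from the original article or any firewall vendor) that models an ordered ACL to check for the closing deny-all rule and to test both allowed and disallowed flows. First-match evaluation is assumed, and the `Rule` class, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"
@dataclass
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # destination TCP port; None means any port

def evaluate(acl, src_ip, dst_ip, port):
    """Return the action of the first matching rule (assumed: first match wins)."""
    for r in acl:
        if (ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "no-match"  # fall-through behaviour varies by product, hence the explicit deny-all

def lint(acl):
    """Flag a missing final deny-all and permits that are broader than host/port specific."""
    findings = []
    if not acl or acl[-1] != Rule("deny", ANY, ANY, None):
        findings.append("missing final deny-all rule")
    for i, r in enumerate(acl, 1):
        if r.action == "permit" and r.src == ANY and r.dst == ANY:
            findings.append(f"rule {i}: permits any source to any destination")
        if r.action == "permit" and r.port is None:
            findings.append(f"rule {i}: permits every port")
    return findings

# Constructed ACL, inbound on the DMZ interface (addresses and ports are illustrative).
DMZ_IN = [
    Rule("permit", "192.168.10.80/32", "192.168.20.5/32", 5432),  # web server -> database
    Rule("permit", "192.168.10.25/32", "192.168.20.9/32", 389),   # mail server -> directory
    Rule("deny", ANY, ANY, None),                                 # explicit deny-all
]
# Test cases (src, dst, port, expected): include traffic that must NOT pass.
CASES = [
    ("192.168.10.80", "192.168.20.5", 5432, "permit"),
    ("192.168.10.80", "192.168.20.5", 22, "deny"),     # approved hosts, unapproved port
    ("192.168.10.25", "192.168.20.5", 5432, "deny"),   # wrong source for the database
    ("192.168.10.80", "192.168.30.14", 445, "deny"),   # DMZ must not reach workstations
]

def failed_cases(acl, cases):
    return [c for c in cases if evaluate(acl, *c[:3]) != c[3]]
```

Running `lint(DMZ_IN)` and `failed_cases(DMZ_IN, CASES)` should both return empty lists; a single broad permit such as the whole DMZ subnet to any destination on any port fails the lint and all three negative cases.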

Step 4: Configure your other firewall services and logging (Your non-vinyl record collection.)

If desired, enable your firewall to act as a dynamic host configuration protocol (DHCP) server, network time protocol (NTP) server, intrusion prevention system (IPS), etc. Disable any services you don’t intend to use.

To fulfill PCI DSS (Payment Card Industry Data Security Standard) requirements, configure your firewall to report to your logging server, and make sure that enough detail is included to satisfy requirements 10.2 through 10.3 of the PCI DSS.

Step 5: Test your firewall configuration (Don’t worry, it’s an open-book test.)

First, verify that your firewall is blocking traffic that should be blocked according to your ACL configurations. This should include both vulnerability scanning and penetration testing. Be sure to keep a secure backup of your firewall configuration in case of any failures. If everything checks out, your firewall is ready for production. TEST TEST TEST the process of reverting to a saved configuration. Before making any changes, document and test your recovery procedure.

Step 6: Firewall management (All fires need stoking.)

Once your firewall is configured and running, you will need to maintain it so it functions optimally. Be sure to update firmware, monitor logs, perform vulnerability scans, and review your configuration rules every six months.

Article information

Author: Edwin Metz
