These five best practices can help fine-tune your network firewalls.
A couple of years ago, Andrew Hoffman, director of infrastructure and operations at Denver-based Westwood College, knew it was time for a change. He realized that because of the rapid growth of his student population, the college's existing firewalls would not handle the increasing load much longer and needed to be replaced.
Over the years, the college has grown into a nationwide operation serving more than 17,000 students at 17 campuses in six states: California, Colorado, Georgia, Illinois, Texas and Virginia. Westwood's students and faculty needed the advanced capabilities and flexibility offered by technologies such as VoIP, distance learning and video conferencing, and Hoffman intended to give it to them.
One important step was to provision a nationwide Multiprotocol Label Switching private WAN that served up the necessary bandwidth and quality-of-service capabilities these advanced technologies require. The next step was to deploy roughly 40 SonicWall firewalls to secure the network and manage student consumption of network bandwidth.
"Our top priority is the student's satisfaction with the educational experience."
Derek Christensen, Westwood College
Today, all locations have two SonicWall firewalls, one for education and one for administration. For redundancy and high availability, a pair of SonicWall 5060 firewalls is in operation at each of the college's two data centers. All the units are full multifunction firewalls that provide intrusion detection/prevention, content blocking and antivirus scanning.
Derek Christensen, Westwood's enterprise LAN/WAN manager, says the IT staff also liked that the firewalls supported VLAN trunking, which provides the college much greater flexibility in configuring campus network services.
“The ability to do trunking and run VLANs allows us to adjust the network as requirements change and segment the network as we see fit,” Christensen adds.
Although the project took several months and was an expensive undertaking, Hoffman says the time and money were well spent. The solution has given students, staff and faculty reliable, secure and high-performance access to the Internet and to applications hosted in the data center.
“As a technology professional, your guiding principle should be: ‘Who is the customer that you are trying to service, and how do you implement technology that will positively impact their experience?’” says Hoffman.
“Our top priority is the student's satisfaction with the educational experience, and if there's a way to make the student's experience better and more secure, then I am going to do it,” he says.
With that in mind, Hoffman and Christensen, along with fellow IT managers from other colleges and universities and an industry analyst, offer the following best practices.
Purchase a development firewall and develop a scorecard. Westwood's Hoffman says that before moving too far ahead with any one manufacturer, ask each vendor to provide test units, and have in mind specific requirements and system benchmarks to measure. Westwood's general technical requirements include Active Directory integration for authentication and authorization, fault-tolerant capabilities and support for SQL reporting. The staff also test how much downtime is involved when patching or upgrading a system. And Westwood takes a hard look at each manufacturer's financial stability, market presence, support and maintenance policies, and training methods. Hoffman adds that having development units on which to test configuration and code changes before implementation is very important.
If, like many institutions, you are on a tight budget, Eric Weakland, director of information security at American University in Washington, D.C., advises buying a less costly firewall to serve as the test unit.
In lab tests, 97% of network firewalls and 80% of web application firewalls experienced at least one logging problem.
Source: ICSA Labs
“In a perfect world, I'd have a mirrored test environment,” says Weakland, who runs Cisco ASA 5540 firewalls. “But very often you can buy a less expensive device with the same code base and it will offer the resources you need for a successful test environment.”
Focus your firewalls on managing traffic and security. Kevin Beaver, an independent information security consultant with Principle Logic, says while he understands that the latest multifunction firewalls appeal to IT managers for reasons of cost and convenience, he still believes that firewalls are best at securing the network by blocking unwanted traffic and for follow-up reporting. He recommends not running too many applications on the firewall to maximize CPU cycles and network throughput. For example, he suggests running DHCP and DNS servers, content filtering, VPN endpoints and perimeter antivirus software behind the firewall instead of on the firewall itself.
“The idea is to let the firewall do what it's best at doing,” says Beaver, who adds that Westwood College's approach of having redundant firewalls at two separate data centers makes good sense.
“Even if you opt for a multifunction firewall, what you want to try and avoid is a single point of failure,” Beaver explains.
Change the default firewall password before you connect it to the Internet. Beaver says this may sound like a no-brainer, but just like those who don't change the SSID on a wireless router, there are many IT shops that keep the factory settings on firewalls. “What happens a lot is that the manufacturers and systems integrators come in to set everything up and end up leaving the defaults or other weak settings,” Beaver explains.
Mike Briggs, director of IT at George Washington University Law School in Washington, D.C., says one good approach is to deny users administrative access from the WAN side of the network.
“The best policy is to not let them have access from the outside – it reduces your risk considerably,” he says, adding that his SonicWall firewalls include such an option.
Communicate your change management practices across the organization. American University's Weakland says more damage can result from a configuration change that is not communicated properly than from unwanted malware or hacking attacks.
“When we do changes, we make sure all the right people in our organization know about it and that management has signed off,” he says.
Beaver says he had an experience with an administrator at a client who made changes to its e-commerce application but didn't test it and failed to communicate the changes to his team properly. The result was that the application failed under the change and all e-commerce traffic stopped for roughly four hours – and nobody knew why.
“This had nothing to do with malware or hackers. It was a procedural problem within IT,” Beaver says. “Sometimes we are our own worst enemies.”
Switch the port for Hypertext Transfer Protocol Secure (HTTPS) to something less obvious. In today's mobile workplace, most colleges and universities need the firewall to be accessible from outside the main campus. David Marley, assistant director for infrastructure services at California Baptist University in Riverside, says one way to add an extra layer of security is to set the port for HTTPS management to something other than its default port of 443.
“The most obvious port is 443, so it just makes sense to set the port at 400 or 500, or something other than 443,” says Marley, who uses Fortinet firewalls. “It creates a bit of extra security, and it's something that someone who's not a network guru could understand and actually implement.”
Five More Firewall Tips
- Deny all traffic by default and enable only the necessary ports, protocols and services.
- Don't rely on packet filtering alone. Use stateful inspection to keep track of network connections.
- Keep your firewall configuration as simple as possible and eliminate unneeded or redundant rules.
- Run frequent patches to the firewall's operating system.
- Use firewalls internally to segment networks and permit access control based on operational needs.
Source: Principle Logic
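Several of the practices above (Briggs' point about denying administrative access from the WAN side, Marley's non-default management port, and the "deny all by default" and "eliminate redundant rules" tips from Principle Logic) can be checked mechanically against a rule table. The script below is an added example, not code from the article or from SonicWall, Cisco or Fortinet: it uses a constructed, vendor-neutral rule format with first-match semantics and an implicit deny, constructed addresses from the RFC 5737 documentation ranges, and an assumed set of management ports. It audits a "before" table that exposes the firewall's web UI to the WAN and contains an unreachable deny rule, and an "after" table that restricts management to a LAN subnet on an assumed non-default port.

```python
"""Added illustration: audit a simplified firewall rule table for WAN-side admin
access, a missing default-deny rule, and shadowed (redundant or unreachable) rules.
Rule format, zones, addresses and management ports are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str        # "wan", "lan", "dmz" or "any"
    src: str             # IPv4 CIDR the source address must fall in
    dst_zone: str        # "wan", "lan", "dmz", "self" (the firewall itself) or "any"
    dst: str             # IPv4 CIDR the destination address must fall in
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port; None means any port
    action: str          # "allow" or "deny"


MGMT_PORTS = (22, 443, 8443)  # assumed SSH / web-UI ports of the firewall itself


def covers(a: Rule, b: Rule) -> bool:
    """True when rule a matches every packet that rule b could match."""
    if a.src_zone not in ("any", b.src_zone) or a.dst_zone not in ("any", b.dst_zone):
        return False
    if a.proto not in ("any", b.proto) or (a.port is not None and a.port != b.port):
        return False
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst)))


def first_match(rules, src_zone, src_ip, dst_zone, dst_ip, proto, port) -> Optional[Rule]:
    """First-match evaluation; None means no rule matched (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.src_zone not in ("any", src_zone) or r.dst_zone not in ("any", dst_zone):
            continue
        if r.proto not in ("any", proto) or r.port not in (None, port):
            continue
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r
    return None


def wan_admin_ports(rules, firewall_ip) -> list:
    """Management ports on the firewall reachable from a sample WAN address."""
    exposed = []
    for port in MGMT_PORTS:
        hit = first_match(rules, "wan", "192.0.2.44", "self", firewall_ip, "tcp", port)
        if hit is not None and hit.action == "allow":
            exposed.append(port)
    return exposed


def has_default_deny(rules) -> bool:
    """The last rule must explicitly drop everything nothing earlier allowed."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action == "deny" and last.src_zone == "any" and last.dst_zone == "any"
            and last.proto == "any" and last.port is None
            and last.src == "0.0.0.0/0" and last.dst == "0.0.0.0/0")


def shadowed_rules(rules) -> list:
    """(later, earlier) pairs where an earlier rule already decides every packet the
    later rule could match: same action = redundant, different action = unreachable."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def audit(rules, firewall_ip) -> dict:
    return {"default_deny": has_default_deny(rules),
            "wan_admin_ports": wan_admin_ports(rules, firewall_ip),
            "shadowed": shadowed_rules(rules)}


FW_WAN_IP = "203.0.113.1"  # constructed firewall address
WEB = "203.0.113.10/32"    # constructed DMZ web server

# Constructed "before" table: web UI open from the WAN; a deny that can never fire.
BEFORE = [
    Rule("lan-to-internet", "lan", "10.0.0.0/8", "wan", "0.0.0.0/0", "any", None, "allow"),
    Rule("wan-admin-https", "wan", "0.0.0.0/0", "self", FW_WAN_IP + "/32", "tcp", 443, "allow"),
    Rule("wan-web-server", "wan", "0.0.0.0/0", "dmz", WEB, "tcp", 443, "allow"),
    Rule("block-scanner-range", "wan", "198.51.100.0/24", "dmz", WEB, "tcp", 443, "deny"),
    Rule("deny-all", "any", "0.0.0.0/0", "any", "0.0.0.0/0", "any", None, "deny"),
]

# Constructed "after" table: management only from an admin subnet on an assumed
# non-default port; the specific deny placed ahead of the broad allow.
AFTER = [
    Rule("lan-admin-https", "lan", "10.0.5.0/24", "self", FW_WAN_IP + "/32", "tcp", 8443, "allow"),
    Rule("lan-to-internet", "lan", "10.0.0.0/8", "wan", "0.0.0.0/0", "any", None, "allow"),
    Rule("block-scanner-range", "wan", "198.51.100.0/24", "dmz", WEB, "tcp", 443, "deny"),
    Rule("wan-web-server", "wan", "0.0.0.0/0", "dmz", WEB, "tcp", 443, "allow"),
    Rule("deny-all", "any", "0.0.0.0/0", "any", "0.0.0.0/0", "any", None, "deny"),
]

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(table, FW_WAN_IP))
```

Run against the "before" table the audit reports port 443 on the firewall reachable from the WAN and `block-scanner-range` shadowed by `wan-web-server`; the "after" table reports neither. Note that the moved management port (8443 here, an assumption) is the least important part of the fix: the zone restriction in `lan-admin-https` and the explicit `deny-all` are what keep the web UI off the Internet.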