The below mentioned are the best practices to be followed for firewall hardening. The consolidation is done through personal experience as well as through research on various articles from the internet. The information mentioned can be varied according to one’s organizational needs. This is a generic list and can be used to audit firewalls. To improvise this checklist, please feel free to contribute by writing to us at firstname.lastname@example.org
- Review the rule sets to ensure that they follow the order as follows:
- Anti-spoofing filters (blocked private addresses, internal addresses appearing from the outside)
- User permit rules (e.g. allow HTTP to public webserver)
- Manage permit rules (e.g. SNMP traps to network management server)
- Noise drops (e.g. discard OSPF and HSRP chatter)
- Deny and Alert (alert systems administrator about traffic that is suspicious)
- Deny and log (log remaining traffic for analysis) Firewalls operate on a first match basis, thus the above sequence structure is important to ensure that suspicious traffic is kept out instead of inadvertently allowing them in by not following the proper order.
- Physical Security
Hardware firewall device must be places in a physical location that is restricted for authorized personnel. Role based access control (RBAC) must be implemented.
- Leverage Authentication, Authorization and Accounting (AAA).
Management sessions must be authenticated. Users and administrators must be limited to use only specific commands. Least privilege principle must be implemented in which every user of the system must operate on least set of privileges necessary to complete the job.
- Centralize Log Collection and Monitoring.
- Logs generated from all network devices must be collected and correlated.
- Central logging when implemented, proper log analysis and incident tracking must follow.
- Based on the organization need, advanced rule based analysis can be performed.
- Logs must be reviewed periodically to identify any potential patterns that could indicate an attack.
- Enable firewall logging and alerting.
- Make note of suspicious log entries of the firewall and investigate them.
- Use of Secure Protocols.
- Secure protocols must be used to carry sensitive information.
- SSH must be preferred over Telnet so that data is authenticated and information is encrypted.
- Secure Copy Protocol (SCP) must be preferred rather thanFTP or TFTP for secure file transfer
- Password Management
- Password must be set to firewall systems to give privileged admin access.
- The firewall configuration file that consists of passwords must be treated with care.
- Login Password Retry Lockout- after a certain number of unsuccessful login attempts account is lockout.
- Disable the Password Recovery feature of firewall.
- Disabling unused services such as the services that use UDP can also be used to launch DOS and other attacks that are otherwise prevented by packet filtering.
- Network Time Protocol
A trusted time source and proper authentication must be carried out when using NTP. Accurate and reliable time is required for syslog purposes and VPN connectivity.
- ICMP Packet Filtering
ICMP pings should face only to firewall internal interface. Troubleshooting tools such as ping and traceroute use ICMP.
- Securing Routing Protocols
Authentication of routing protocol must be performed to prevent spoofing and routing attacks on firewalls. Example- EIGRP routing protocol uses MD5 authentication.
- Filtering Transit Traffic with Transit ACL’s
Access Control List must be configured and bound to a firewall interface to filter traffic. Access Control Entries can classify packets by inspecting from Layer 2 to Layer 4. It will filter packets in both inbound and outbound direction on an interface.
- Unicast Reverse Path Forwarding (uRPF)
Network admins can use this to limit malicious traffic on the network. This feature works by enabling a router to verify the packet’s reachability by checking the source address. This helps identify the packet has originated from a valid IP or not. uRPF protects from IP spoofing attack.
- Data Plane Hardening
- Data plane is responsible for processing and forwarding traffic, so protecting the firewall data plane is an important aspect of firewall hardening.
- Always keep firewall software version updated.
- Backup firewall rulebase and configuration files regularly, such that backups can be used in case of system failure and help reduce the downtime.
- ACL’s to Block Private and Bogon Addresses
Unallocated IP addresses, IP addresses for private internet and special use IP addresses create problems when used to route packets over the internet. Filtering these addresses at network boundary would provide another layer of security.
- Best practices for various types of firewalls:
- Application based firewall
At the application layer administrators must monitor various security policies using logs generated by the firewall. Application firewalls sometimes have functionality to log into the intrusion detection systems. A procedure must be followed in which the software would be updated with the latest signatures.
The following commands should be blocked for SMTP at the application level firewall:
- EXPN (expand)
- VRFY (verify)
- WIZARDThe following command should be blocked for FTP.
The denied URL’s must be reviewed for e.g. any URL to malicious sites must be blocked. The URL’s to deny must be updated as and when released by sites that warn of harmful sites. Only authorized users must be authenticated by the application firewall.
- Personal firewall
Laptop users must be given training and guidelines on operation of firewall.This element is essential, since often personal firewalls rely on user prompt to respond to attacks e.g. whether to accept/deny a request from a specific address.
- Distributed Firewall
- The security policy must be consistently distributed to all hosts especially when there are changes to the policy.
- Ensure that there are adequate controls to ensure the integrity of the policy during transfer e.g. IPSec to encrypt the policy when in transfer.
- Ensure that there are adequate controls to authenticate the appropriate host. e.g. Again IPSec can be used for authentication with cryptographic certificates.
- Stealth firewall
- Stealth firewall does not have presence on network such that the attacker does not know which firewall is being used and the version and topology of it.
- Reset default users and passwords of the fireawall.
- Configure ACL’s to make sure appropriate traffic is routed to appropriate area.
- Application based firewall
- Stateful inspection.
- Appropriate rule sets must be defined such as source and destination IP’s, source and destination ports and timeouts.
- Ensure that the timeouts are appropriate so as not to give the hacker too much time to launch a successful attack.
- For URL’s: URL’s must be defined clearly in firewall software, if URL filtering is used.
- If the filtering server is external to the organization ensure that it is a trusted source.
- If filtering on MAC addresses is allowed, review the filters to ensure that it is restricted to the appropriate MAC’s as defined in the security policy.
- IPv6 Traffic Filtering
IPv6 ACL can be configured to control the traffic passing through the firewall.
- Patches and updates.
- Latest patches and updates relating to the firewall product be tested and installed.
- Run the firewall on an updated operating system.
- If patches and updates are automatically downloaded from the vendors’ websites, ensure that the update is received from a trusted site.
- If the patches and updates are e-mailed to the systems administrator the digital signatures must be used to verify the vendor and ensure that the information has not been modified.
- Location – DMZ
- Ensure that there are two firewalls – one to connect the web server to the internet and the other to connect the web server to the internal network.
- While implementing two firewalls ensure that it is of different types and that dual NIC’s are used as this would increase security, since a hacker would need to have knowledge of the strengths, weaknesses and bugs of both firewalls.
- The rule sets for both firewalls would vary based on their location e.g. between web server and the internet and between web server and the internal network.
- Vulnerability Assessments/ Testing
A procedure must be followed in which open ports must be tested using nmap or netcat commands, to check if the unnecessary ports are closed.
A procedure to test rule sets must be created to avoid any denial of service on an organization or any such vulnerability must not undetected.
- Compliance with security policy
Ensure that the ruleset complies with the organisation security policy.
- Ensure that the following spoofed, private (RFC 1918) and illegal addresses are blocked:
127.0.0.0 Private (RFC 1918) addresses
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255 Reserved addresses
240.0.0.0 Illegal addresses
0.0.0.0 UDP echo ICMP broadcast (RFC 2644) Ensure that traffic from the above addresses is not transmitted by the interface.
- Ensure that loose source routing and strict source routing (lsrsr & ssrr) are blocked and logged by the firewall.
- Best practices for various protocols are as follows:
- For remote access, SSH protocol (port 22) must be used instead of telnet.
- A rule should block ICMP echo requests and replies. Also, a rule blocking outgoing time exceeded and unreachable messages.
- Restrict HTTP Access to Certain Addresses.
- Restrict SSH Access to Certain Addresses.
- Restrict Telnet Access to Certain Addresses.
- Authenticate NTP updates.
- Define SNMP server host- used in network management systems to monitor network-attached devices for conditions that need administrative attention.
- Disable SNMP if not used- If used, SNMP service should be protected using mechanisms like ACL’s.
- Disable HTTP session replication.
- Limit ICMP responses on interfaces- Prefer to disable ICMP on outside interfaces at a minimum.
- Specify rules by MIME type only for HTTP traffic.
- Disable Proxy ARP’s- Proxy ARP’s have an inherent security weakness, proxy ARP allows hosts from different segments to function as if they were on same subnet and it is only safe between trusted LANs. Attackers can use proxy ARP by spoofing a trusted host and accepting packets.
- File Transfers.
If FTP is a requirement, ensure that the server, which supports FTP, is placed in a different subnet than the internal protected network.
- Mail Traffic
Ascertain which protocol is used for mail and ensure that there is a rule to block incoming mail traffic except to internal mail.
- IP Readdressing/IP Masquerading
Ensure that the firewall rules have the readdressing option enabled such that internal IP addresses are not displayed to the external untrusted networks.
- Zone Transfers.
- For stateful firewall, ensure packet filtering for UDP/TCP 53.
- The packets from UDP 53 from Internet are limited to authorized replies from internal network, if there is no reply then, the firewall denies the request.
- IP packets from TCP 54 are denied on internal DNS server, to prevent unauthorized zone transfers.
- Egress Filtering.
- Ensure that there is a rule specifying that only traffic originating from IP’s within the internal network be allowed.
- Traffic with IP’s other than from the internal network should be dropped.
- Ensure that any traffic originating from IP’s other than from the internal network are logged.
- Critical servers
- Ensure that there is a deny rule for traffic destined to critical internal addresses from external sources.
- This rule is based on the organizational requirements, since some organizations may allow traffic via a web application to be routed via a DMZ.
- Ensure that ACK bit monitoring is established to ensure that a remote system cannot initiate a TCP connection, but can only respond to packets sent to it.
- Continued availability of Firewalls Ensure that there is a hot standby for the primary firewall.
- Set suitable console timeout for software based firewalls
- Use warning banner messages
- The best way to configure filters is to use a ‘deny’ filter and then sent separate filters for special cases. Example: Block all ports, allow port 80. Placing ‘allow’ rules at a less priority than the ‘deny’ rule offers more security.
- Create relevant documents by commenting and making detailed note of every rule, it is easier to know the reason for each rule when they need to be changed.
- Change-control policy must be followed so that certain rules may be reversed if giving unwanted outcomes.
- Use products that automate firewall rule management such as CiscoWork’s Management Center, McAfee’s Inc.’s Firewall Enterprise Control Center and more.
- Deny all traffic by default; enable only those services that are needed.
- Limit the number of applications that run on the firewall. Consider running content filtering, antivirus, DHCP, VPN and authentication software on systems behind the firewall.
- Try running the firewall with a unique user ID rather than the root.
- Do not rely completely on packet filtering, use stateful inspection and application proxies wherever possible.
- Perform filtering and disable unnecessary ports based on the latest listed vulnerabilities.
- Keep firewall configuration simple and remove unnecessary or redundant rules.
- The firewall rules must match the organizations security policy.
- Perform vulnerability assessment on the firewall on regular basis.
- Perform regular audits.
- Use IP addresses rather than DNS names in firewall policies for better performance.
- Fully Qualified Domain Names (FQDN) must be used for URL sets and Domain Name Sets