Best Practices for Firewall Configuration: A Technical Guide

Carmen Tosun

This article covers best practices for firewall configuration. It walks you from unboxing the appliance until the firewall is up and running; following the steps below gives you a working basic configuration.

Network firewalls can be seen in action everywhere, from enterprise networks to government institutions and homes.

Network Security with Firewalls

Modern or next-generation firewalls also do the work of routers and provide additional security and control features. So why buy a router when a firewall can do the job? It is a common question today, and a confusing one.

Routers are dedicated to routing and offer no application control, customization, or threat-prevention features. Network firewalls, in comparison, provide the same routing functionality alongside security inspection, application control, customization as needed, and integration with third-party software, services, and devices.

Understanding Network Firewalls

In simple words, a network firewall is a security device or technology that allows or denies, monitors, and filters the incoming and outgoing traffic of a network. It permits or blocks traffic based on preset access and security rules, acting as a barrier that protects internal networks from threats and malicious traffic coming from external networks (the Internet). A firewall also logs network traffic, which helps administrators detect threats and manage the network more effectively.

Traditional Firewalls vs. Next-Generation Firewalls (NGFWs)

Next-generation firewalls (NGFWs) are more secure, more reliable, and faster-processing software or hardware appliances.

Extensive research and a strategy for dealing with the world's growing cyber chaos have resulted in the next generation of firewalls. Traditional port-based firewalls fell short in detecting and preventing advanced threats and malware, causing massive business losses and uncertainty. The world required an advanced solution with multiple feature stacks to defend against a growing threat landscape and cyber criminals.

If you want to gain in-depth knowledge on the evolution of firewalls, you can read our article by CLICKING HERE.

Step-by-Step Firewall Configuration

Although each organization configures its firewall according to its infrastructure and vendor, the basic configuration of every firewall is the same. Here, you will learn how to configure a new firewall by following generic procedures.

Getting Started

When you buy a new firewall, it comes completely wrapped inside a box. It contains the necessary equipment, such as:

· A power module and power cable

· Mounting kits

· Rails

· Configuration guide

· Console cables

· Ethernet cables

The exact contents vary by vendor.

Step 1: Power on the appliance

Take the firewall out of the box and place it on a flat surface. Power on the device and let it boot completely. Always use a reliable or redundant power source, because the device may be damaged if power is lost during the boot process.

Step 2: Access WEB UI or CLI

The number of interfaces varies by brand and model, but every firewall appliance has a console port and a management port for accessing and managing the device. The console port gives CLI access, whereas the management (MGMT) port gives web (GUI) access. The default management IP address and user credentials are used to log in and reach the first-time configuration wizard.

Connect one end of an ethernet cable to the MGMT port of the firewall and the other end to the ethernet port of the PC. Configure the PC with an address in the same subnet (same broadcast domain) as the MGMT port and enter the MGMT IP address in the web browser, for example https://10.10.10.1, adding the port number if one is required:

https://10.10.10.1:4040

During the first boot, the wizard prompts the administrator for basic firewall settings, such as:

· Root/Admin user password configuration

· Setting up time zone

· MGMT IP (you can change the MGMT IP or keep it the same as per the requirement)

· Creating a hostname

The steps can differ slightly according to the firewall's brand, but they are simple and easily understood.

Step 3: Configure the interfaces and security zones

Start the firewall configuration by setting up the interfaces. Configuring interfaces is one of the essential aspects of firewall configuration: every interface must be properly configured and attached to its security zone. You must have at least two interfaces configured besides the MGMT interface.

Again, requirements differ between organizations, which may use more interfaces or ports. At minimum, one interface is assigned to an external zone because it carries external or internet traffic, and the other to an internal zone because it represents the internal networks or LANs.

Security zones group interfaces that represent networks with similar functionality: all internal LANs can be assigned to the internal zone, the public-facing interface belongs to the external zone, and services reachable from the internet can be placed in a DMZ zone.

These zones are isolated from each other and cannot communicate until you define a security policy or access rule that allows traffic between them. Assigning networks to the correct security zones is crucial because the firewall policy is written in terms of zones.

Step 4: Setting up default gateway and DNS

The firewall itself must have internet access before it can connect the internal networks to the internet. A firewall can be deployed in several positions: at the perimeter, in the core, at the user (access) layer, or as a third-party firewall.

When the firewall sits at the edge, where the public or routable IP address provided by the ISP is terminated, you simply use the settings the ISP gives you: IP address, subnet mask, and default gateway.

When the firewall sits in the core, you use the point-to-point IP address of the upstream device as the default gateway. If you have configured the firewall as described so far, it is now connected to the internet.

You can ping Google's DNS server, 8.8.8.8, but if you try to ping "google.com" at this point, it will fail because no DNS server has been specified on the firewall.

The Domain Name System (DNS) resolves domain names to IP addresses. If you have a local DNS server, use it; otherwise, use Google DNS (8.8.8.8) or the firewall vendor's own DNS service.

If the firewall is configured with the proper IP address, default gateway, and DNS, it will connect to the internet successfully.

You must create a firewall policy for any service to work; even the PING service requires an explicit rule.
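As an added example (not part of the original article), the following Python script performs the Step 4 checks in order: it validates that the interface address and default gateway are consistent, then maps the outcome of the three probes described above (default gateway, 8.8.8.8, google.com) to the configuration layer that is still missing. The addresses are constructed from documentation ranges, and `validate_uplink`, `diagnose`, `probe` and `resolves` are hypothetical helper names; `probe` assumes Linux `ping` flags.

```python
import ipaddress
import socket
import subprocess

def validate_uplink(ip_cidr, gateway):
    """Return a list of problems with an interface address and its default gateway."""
    problems = []
    iface = ipaddress.ip_interface(ip_cidr)
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    reserved = set()
    if net.prefixlen < 31:  # /31 and /32 links have no network/broadcast address
        reserved = {net.network_address, net.broadcast_address}
    if iface.ip in reserved:
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside the interface subnet {net}")
    elif gw in reserved:
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    elif gw == iface.ip:
        problems.append("gateway is the same as the interface address")
    return problems

def diagnose(gateway_reachable, public_ip_reachable, name_resolves):
    """Map the three Step 4 probes to the layer that still needs configuring."""
    if not gateway_reachable:
        return "no path to the default gateway: check interface IP, mask, and cabling"
    if not public_ip_reachable:
        return "gateway reachable but 8.8.8.8 is not: check default route, NAT, and the ping policy"
    if not name_resolves:
        return "internet reachable but names do not resolve: no DNS server configured"
    return "uplink OK"

def probe(host):
    """Send one ICMP echo with the OS ping tool (Linux flags; not exercised by the test)."""
    cmd = ["ping", "-c", "1", "-W", "2", host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0

def resolves(name):
    """True when the configured DNS can resolve the name."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

if __name__ == "__main__":
    gw = "203.0.113.9"  # constructed ISP-provided gateway (documentation range)
    print(validate_uplink("203.0.113.10/29", gw))
    print(diagnose(probe(gw), probe("8.8.8.8"), resolves("google.com")))
```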

Step 5: Registering the firewall and activating licenses

Once the firewall is connected to the internet, it is essential to register the appliance in the vendor's (OEM) account portal. Registering the device allows administrators to obtain RMA verification and license renewals, and it binds the device to the organization's email address or account ID.

After successful registration, a license must be activated, either an evaluation license or a purchased subscription license, because:

· Without a proper license, users cannot open support tickets for hardware- or software-level issues.

· A valid license ensures that all security features are available without hassle, such as App and URL filtering, IPS, SSL decryption, and other essential updates.

· Without a valid license, a firewall acts only as a router and can be used for routing purposes alone.

Step 6: Install patches and updates (Optional)

By default, most firewalls ship with an older software (OS) version installed. Install the latest OS version or patch/hotfix to gain extra features, performance, stability, and fixes for known vulnerabilities.

Step 7: Internal networks

After connecting the firewall to the internet, the next step is configuring the internal network. Segment the network carefully and create a DHCP server if needed.

Most firewalls can act as a DHCP server, and each interface can run its own DHCP scope. Configuring an internal-network interface is easy: assign the interface the appropriate IP address and enable the DHCP server feature, and all end devices connected to that interface will automatically receive an address from it.

Step 8: NAT and Route

Network Address Translation (NAT) converts private IP addresses to public ones. This is necessary because private addresses are not routable on the internet and cannot be used to reach it directly. NAT also conserves IPv4 address space.

In most firewalls, NAT is simple; in next-generation firewalls it can be configured with a click, often just by enabling the feature.

A route is an essential networking concept: it is the path you tell your traffic to take to reach its destination.

There are different types of routes, such as static routes, default routes, and policy-based routing (PBR). You can provide a default route for your internal network to reach the internet or use a static route. Routes are configured according to the organization's requirements.

Step 9: Security Policy and User Creation

Policy creation is an integral part of configuring the firewall. The policy decides how the firewall processes internal and external traffic; every forwarding decision the firewall makes is based on it.

A firewall is a barrier between external and internal networks. It provides security to your internal networks, but securing the firewall is equally essential.

First, create the users needed to access the firewall. The root/admin user exists by default, but a separate account should be created and given administrative privileges. All users must have strong passwords, and unwanted users must be deleted or disabled.

Key Considerations for Security Policy Configuration:

1. Unwanted access to the firewall itself is a serious threat to the organization.

2. Appropriate policies must be applied to restrict administrative access.

3. All the policies created should be zone-based, which provides an advantage over traditional firewall policies without zones.

4. If servers inside the network are reachable from the internet, a proper NAT/PAT with HTTPS Inspection or SSL Decryption must be configured.

5. Unwanted services and ports must be disabled, and both incoming and outgoing traffic must be inspected.

6. Application control and URL filtering should be enabled and implemented for internal users or networks.

7. IPS, Anti-Virus, and Anti-Bot policies must be appropriately configured to ensure an organization's safety.

8. If any VPN services are running, then resources reachable through the VPN must be properly managed and configured.

9. Configuring the cleanup/drop rule is a must. The cleanup rule drops every packet that does not match any implicit or explicit rule.
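As an added example (not code from the article or from any vendor), this Python model evaluates a zone-based rulebase the way Steps 3 and 9 describe: interfaces map to zones, traffic between zones is dropped unless an explicit rule allows it, and a trailing cleanup rule catches everything else. It also flags rules shadowed by an earlier, broader rule, which is the policy-optimization task the conclusion mentions. Interface names, zones and rules are constructed, and `evaluate`, `has_cleanup_rule` and `shadowed` are hypothetical helper names.

```python
from dataclasses import dataclass

# Step 3: interface-to-zone mapping (constructed names).
ZONES = {"ge-0/0/0": "external", "ge-0/0/1": "internal", "ge-0/0/2": "dmz"}

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str  # "any" matches every zone
    to_zone: str
    service: str    # e.g. "tcp/443", "icmp", or "any"
    action: str     # "allow" or "drop"

# Step 9: ordered rulebase, first match wins; the explicit cleanup rule comes last.
RULEBASE = [
    Rule("lan-web-out", "internal", "external", "tcp/443", "allow"),
    Rule("lan-ping-out", "internal", "external", "icmp", "allow"),
    Rule("inet-to-dmz-web", "external", "dmz", "tcp/443", "allow"),
    Rule("cleanup", "any", "any", "any", "drop"),
]

def _covers(field, value):
    return field == "any" or field == value

def evaluate(in_if, out_if, service, rulebase=RULEBASE):
    """Return (action, rule_name) for a flow entering on in_if and leaving on out_if."""
    src, dst = ZONES[in_if], ZONES[out_if]
    for r in rulebase:
        if _covers(r.from_zone, src) and _covers(r.to_zone, dst) and _covers(r.service, service):
            return r.action, r.name
    return "drop", "implicit-deny"  # reached only when no cleanup rule exists

def has_cleanup_rule(rulebase):
    """True when the last rule is an explicit any/any/any drop."""
    last = rulebase[-1]
    return (last.from_zone, last.to_zone, last.service, last.action) == ("any", "any", "any", "drop")

def shadowed(rulebase):
    """Names of rules that can never match because an earlier rule covers every flow they describe."""
    names = []
    for j, later in enumerate(rulebase):
        if any(_covers(e.from_zone, later.from_zone) and _covers(e.to_zone, later.to_zone)
               and _covers(e.service, later.service) for e in rulebase[:j]):
            names.append(later.name)
    return names

if __name__ == "__main__":
    print(evaluate("ge-0/0/1", "ge-0/0/0", "tcp/443"))   # ('allow', 'lan-web-out')
    print(evaluate("ge-0/0/2", "ge-0/0/1", "tcp/3306"))  # ('drop', 'cleanup')
    print(shadowed([RULEBASE[-1]] + RULEBASE[:-1]))      # cleanup placed first shadows every rule
```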

Conclusion

Configuring a firewall is a never-ending process. As a security administrator, you must continuously upgrade software, install hotfixes, update policies, and remove old ones. Policy and configuration optimization is a regular task for firewall administrators. However, AI/ML technologies integrated with NGFWs have made the process more automated and less time-consuming.
