Next generation firewalls go further than simply filtering traffic on ports 80 and 443: they add application-type and user-based controls alongside the traditional firewall filtering features. More control, however, leads to a greater number of misconfigurations, which are the most common fault behind firewall compromises. Setting policies at the application level requires more in-depth knowledge of the individual programs.
Ask yourself the following questions and follow the guidelines below to ensure your next generation firewall is performing to its full potential and keeping your network secure:
• How many change requests should you expect to process on a weekly basis?
• Can your current resources manage the additional load while still meeting turnaround targets?
• What impact do policies such as ‘block social networks, file sharing and video streaming’ or ‘allow all web traffic’ have?
Keep your policies up to date
Run regular audits to assess any new applications that have been added to your network. This will allow you to report trends and identify where and when rules need to be created/amended.
Improve performance through organisation
Order your rules with the most used at the top so that the firewall evaluates fewer rules per connection; this reduces strain on the firewall, maximises performance and reduces delays. Because rule bases are evaluated on a first-match basis, check that a rule you move up does not pass an overlapping rule with a different action, or the decision taken for that traffic will change.
Remove any duplicate or non-applicable rules that have been forgotten about over time.
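The two points above, as an added worked example that is not code from the original article: it assumes a simplified first-match rule base whose fields are either exact labels or "any", with hit counters taken from the firewall's own rule statistics, and it finds shadowed or duplicate rules and then floats busy rules upward without ever moving one past an overlapping rule with a different action.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # source zone/host label, or "any"
    dst: str       # destination label, or "any"
    port: str      # service port, or "any"
    action: str    # "allow" or "deny"
    hits: int = 0  # hit counter from the firewall's own rule statistics
def covers(a: Rule, b: Rule) -> bool:
    """Every packet matching b also matches a (a is at least as broad as b)."""
    return all(x == "any" or x == y for x, y in zip((a.src, a.dst, a.port), (b.src, b.dst, b.port)))
def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet can match both a and b."""
    return all(x == "any" or y == "any" or x == y for x, y in zip((a.src, a.dst, a.port), (b.src, b.dst, b.port)))
def find_shadowed(rules: list[Rule]) -> list[tuple[str, str]]:
    """(shadowed, shadowing) pairs: a rule an earlier rule already covers never fires."""
    found = []
    for i, r in enumerate(rules):
        hit = next((e for e in rules[:i] if covers(e, r)), None)
        if hit is not None:
            found.append((r.name, hit.name))
    return found
def reorder_by_hits(rules: list[Rule]) -> list[Rule]:
    """Float busy rules upward, but never past an overlapping rule with a different
    action: on a first-match rule base that would change the decision for some traffic."""
    ordered: list[Rule] = []
    for r in rules:
        pos = len(ordered)
        while pos > 0:
            prev = ordered[pos - 1]
            if prev.hits >= r.hits or (overlaps(prev, r) and prev.action != r.action):
                break
            pos -= 1
        ordered.insert(pos, r)
    return ordered
def optimise(rules: list[Rule]) -> tuple[list[str], list[tuple[str, str]]]:
    """Drop shadowed rules, then reorder; returns the new order and what was dropped."""
    dropped = find_shadowed(rules)
    dead = {name for name, _ in dropped}
    return [r.name for r in reorder_by_hits([r for r in rules if r.name not in dead])], dropped

SAMPLE = [  # constructed rule base in its current order, not from any real firewall
    Rule("allow-dns", "lan", "dns-srv", "53", "allow", 54000),
    Rule("deny-lan-smb", "lan", "any", "445", "deny", 310),
    Rule("allow-lan-smb", "lan", "file-srv", "445", "allow", 0),  # shadowed by deny-lan-smb
    Rule("allow-web-dmz", "any", "dmz-web", "443", "allow", 98000),
    Rule("allow-web-dup", "any", "dmz-web", "443", "allow", 0),   # forgotten duplicate
    Rule("allow-lan-out", "lan", "any", "any", "allow", 120000),
]
```

Running optimise(SAMPLE) drops the two dead rules and moves the busy web rule to the top, while the busiest rule of all (allow-lan-out) stays below the deny it overlaps.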
Run regular risk queries
There are a number of well-known risks and configuration controls that help to identify vulnerabilities and remedy any compromised rules. Act on this by running queries, from specified applications or from internal ones, against your DMZ network.
Ensure your network is compliant with regulations including SOX and PCI DSS.
Automate change requests
Next generation firewalls can automate change requests based on source, destination and port as well as on users and applications, which gives you more freedom to set up automatic firewall change requests.
Remember to apply policies to the entire network, not just to the next generation firewalls. Keep your policies uniform in order to maintain security across your whole network environment.