Firewall Best Practices


Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
Let's go ahead and wrap up our little section here on firewalls by closing with some best practices. There are just some things that firewalls are expected to do. We have some basic best practices for firewalls, and that's what we're going to look at.

First and foremost, block ICMP. Rarely is there a good business need for a ping to come through a firewall. Because ICMP is such a frequently exploited protocol, firewalls generally do not forward ICMP requests. Now I'm not saying that's never necessary, but as a general rule, we don't let ICMP through our firewall.

Another rule: firewalls are made up of rule sets called access control lists, or ACLs. Keep those simple. If you're trying to create this elaborate, complex ACL, really, you're missing the point that security is best accomplished through simplicity. I would rather have to protect one door than 35 doors. Keep it simple. Your access control lists should be very specific and very particular. You'd like as few access control list entries as possible, to make sure you do what you need to do without having any excess or anything that's not specifically necessary.

Now another important rule for firewalls is to have an implicit deny, and firewalls can have that by default. The idea is all traffic is blocked except what we specifically say is allowed through. That's something known as whitelisting. The idea is everything is blocked, no traffic is allowed. None shall pass except what we expressly allow on the whitelist. You don't have to close out your firewall with a statement like "deny all" because that's automatically implied.

Now another thing we want to do on our firewalls: we want to block directed broadcasts. A directed broadcast is when someone outside your network tries to hit the broadcast address inside your network. That's how a lot of distributed denial-of-service attacks have been launched in the past. We want to make sure that doesn't happen. We're going to block broadcasts from coming through our firewall.

Another rule is that we want to perform both ingress and egress filtering. I'm not just worried about what's coming into my network; I'm concerned about what's going out as well. As far as traffic leaving the network, if I have internal traffic, that traffic should have an internal address. For instance, if my network's on the 10 network, any host trying to get out should have a source address on the 10 network. If for some reason I'm seeing an internal host trying to get out to the Internet with an external public address, it may mean that software has been uploaded to that system or has been installed on that system, and it's being triggered to act in a denial-of-service attack. That might be one explanation for it having a public IP address. If it's internal, it should have an internal IP address, just like external traffic should have an external IP address. If someone on the outside of my network is trying to get inside with an IP address on the 10 network or something like that, that should tell me, "Hey, somebody is trying to spoof and pretend that they belong on my network." Remember the rules of the Internet anyway: you shouldn't be able to impersonate an internal host if I'm using that specific set, one of those ranges of IP addresses that we've said is going to be reserved for internal use only.

Then certainly, enable logging. You want to know what traffic is going through, as well as which traffic is being blocked. I want to see which traffic is unsuccessful at getting through, because that might be an indicator of a certain type of attack that's on the horizon.

Fragmented packets shouldn't be coming through. Sometimes your internal hosts don't know what to do with fragments if they're not following the proper protocol format for your packets, so those should just be dropped at your routers or, if possible, reassembled.

Then this last one, I could see this coming up on the test. Firewalls process access control entries or lists in order. Every connection is matched up against the first rule, and the first rule where the conditions are met, that rule is applied. If the first rule doesn't meet the right criteria, then the second rule is evaluated. Do I meet the criteria for the second rule? No. Go to the third. Do I meet the criteria for the third rule? Yes. Then the third rule is processed and nothing else.

Here's why that's significant. Let's say I want to allow everybody but Carl to connect to the network. I set up an access control list that says: allow everybody, deny Carl. Carl's going to connect in, and the first rule says allow everybody. Carl meets the criteria of being an everybody, so Carl is allowed into the network and the second rule is never processed. You always want your most specific rule to go at the top. I would say: deny Carl. He meets that criteria. He's denied. Everyone else doesn't meet the criteria of being Carl, so they go to the next rule that says allow everyone, and they're allowed to access.

Hope that makes sense, because that's important when you're configuring firewalls: make sure your most specific firewall rules are at the top.

In this section, we talked about some of the best practices for firewalls, just the rules that we would assume even the most basic firewall would follow: blocking ICMP packets, avoiding directed broadcasts, monitoring incoming and outgoing traffic, and all the other rules that we've looked at.
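The following is an added example and not part of the course or its transcript: a small first-match ACL evaluator in Python that shows why rule order decides the outcome of the "allow everybody, deny Carl" case, how falling off the end of the list is the implicit deny, and how the ingress/egress checks for spoofed internal sources, directed broadcasts and ICMP sit in front of the ACL. The rule and packet formats, the choice of 10.0.0.0/8 as the internal range, the address 10.0.0.99 standing in for "Carl", and all sample traffic are constructed for illustration.

```python
# Added example (not the course's own code): first-match ACL evaluation with
# implicit deny, plus ingress/egress anti-spoofing checks and decision logging.
# Internal range, "Carl" address and sample packets are all constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal network ("the 10 network")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "any"             # source CIDR, or "any"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port, None = any

    def matches(self, pkt: dict) -> bool:
        if self.src != "any" and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate_acl(acl: list, pkt: dict) -> tuple:
    """Walk the list top-down; the first matching rule wins and nothing after
    it is consulted. No match at all is the implicit deny, so no trailing
    'deny all' entry is needed."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def anti_spoof(direction: str, pkt: dict) -> Optional[str]:
    """Ingress/egress sanity checks that run before the ACL is consulted.
    Returns the reason to drop the packet, or None if it may proceed."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if direction == "ingress":
        if src in INTERNAL:
            return "spoofed: internal source address arriving from outside"
        if dst == INTERNAL.broadcast_address:
            return "directed broadcast to the internal broadcast address"
        if pkt["proto"] == "icmp":
            return "icmp is not forwarded"
    elif direction == "egress":
        if src not in INTERNAL:
            return "internal host sending with a non-internal source address"
    return None


def filter_packet(direction: str, pkt: dict, acl: list, log: list) -> str:
    """Apply the anti-spoof checks, then the ACL, and log every decision,
    allowed or blocked: blocked traffic is what hints at an attack."""
    reason = anti_spoof(direction, pkt)
    if reason is not None:
        decision = "deny"
    else:
        decision, matched = evaluate_acl(acl, pkt)
        reason = f"matched rule {matched}" if matched is not None else "implicit deny"
    log.append(f"{direction} {pkt['src']}->{pkt['dst']} {pkt['proto']}: {decision} ({reason})")
    return decision


CARL = "10.0.0.99"  # constructed address standing in for "Carl"
# Wrong order: the broad allow shadows the specific deny, so Carl gets in.
ACL_WRONG = [Rule("allow"), Rule("deny", src=f"{CARL}/32")]
# Right order: most specific rule first, the general rule after it.
ACL_RIGHT = [Rule("deny", src=f"{CARL}/32"), Rule("allow")]

if __name__ == "__main__":
    carl = {"src": CARL, "dst": "10.0.0.20", "proto": "tcp", "dport": 22}
    alice = {"src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "dport": 22}
    for name, acl in (("wrong", ACL_WRONG), ("right", ACL_RIGHT)):
        print(name, "carl:", evaluate_acl(acl, carl), "alice:", evaluate_acl(acl, alice))
    log = []
    filter_packet("ingress", {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "dport": 443}, ACL_RIGHT, log)
    filter_packet("egress", {"src": "198.51.100.4", "dst": "203.0.113.8", "proto": "tcp", "dport": 443}, ACL_RIGHT, log)
    print("\n".join(log))
```

Running the block prints Carl being allowed by rule 0 under the wrong ordering and denied by rule 0 under the right one, while the other host is allowed by the general rule in both cases; the two logged packets are dropped before the ACL is ever reached, one as a spoofed internal source arriving from outside and one as an internal host leaving with a public source address.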