5 Best Practices for Your Firewall Deployment Architecture
When most people think of firewalls, they think of the software that comes installed on their computer that is supposed to keep “bad” traffic out. For businesses, the firewalls that inspect traffic coming into the network are a basic, but important, protection layer that helps to prevent cyber attacks from succeeding.
There are many ways to set up a business’s firewall deployment architecture based on things like what kind of firewalls you use, where those firewalls “sit” on the network (between different servers, on individual endpoints, at your network perimeter, etc.), and how firewalls are configured. Getting the most out of your firewalls requires knowing how to deploy them for the best effect.
With this in mind, here are a few tips for getting more out of your company’s firewall deployment architecture:
1) Regularly Check and Update Your Firewall Configuration Settings
Over time, your company will probably have a lot of custom settings for the various firewalls it employs at the network perimeter, and that can be a problem if those settings create conflicting rules.
Because of this, it’s important to periodically review all of your firewall architecture’s security rules to make sure there aren’t any conflicts that could impede performance.
2) Make Sure There Aren’t ANY Modems in Your Internal Network
Here’s a tip from the SANS Institute. As a preliminary step for checking firewall configurations, they recommend that “the auditor should ensure that there are no modems within the internal network.” They further state that “it is senseless performing an audit on the firewall when an even bigger threat exists via the modem.”
The issue is that these internal modems can be used to subvert your firewalls almost entirely, making them convenient attack points. Removing these modems from the internal network can help to minimize the risk of an attacker sidestepping your firewall protections.
3) Use Defense in Depth
Should you use a perimeter firewall, endpoint firewalls, or application-based firewalls? Why limit yourself to just one of these firewall types?
As the SANS Institute publication points out, there are ways to completely circumvent firewalls to get into the system—and not just internal modems, either. For example, an employee could bring in a compromised laptop or USB loaded with malware and let it spread throughout the system. To counter such risks, it may be necessary to create defense in depth using multiple firewalls.
While having multiple firewalls may be a bit more challenging to set up for your network, doing so can help you create stronger defense in depth. This, in turn, slows down any attacks that successfully make their way past one firewall—because there’s another server, endpoint, or application-specific firewall to contend with just beyond the first.
However, when using multiple firewalls, it is important to check for rules conflicts and other issues that can negatively impact network performance.
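The rule review called for in tip 1 and again here for multi-firewall deployments is easy to automate for the most common conflict: a rule that an earlier rule makes unreachable. The following is an added example, not code from the original article or from any firewall vendor. The Rule model (CIDR source and destination, protocol, inclusive destination-port range), the two sample rule sets and their names are constructed for the demo, and rules are assumed to be evaluated top to bottom with first match wins, which is how most packet filters behave.

```python
"""Added example (not part of the original article): a small audit that
flags firewall rules an earlier rule makes unreachable.

Everything here is constructed for the demo: the Rule model, the two
sample rule sets and their names. Rules are assumed to be evaluated top
to bottom with first match wins.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    dports: Tuple[int, int]  # inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    ports_ok = outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]
    return (proto_ok and ports_ok
            and ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst)))


def find_conflicts(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Report (kind, earlier_rule, later_rule) for every rule that can never
    fire. A covered rule with a different action is *shadowed* (a genuine
    policy conflict); one with the same action is merely *redundant*."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((kind, earlier.name, later.name))
                break  # the first covering rule already explains why it is dead
    return findings


def audit_layers(layers: Dict[str, List[Rule]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Run the check separately on each firewall in a defense-in-depth
    deployment; each device evaluates only its own ordered rule set."""
    return {layer: find_conflicts(rules) for layer, rules in layers.items()}


ANY = "0.0.0.0/0"

# Constructed sample rule sets: a perimeter firewall and a host firewall.
SAMPLE_LAYERS = {
    "perimeter": [
        Rule("p1", "allow", ANY, "10.0.0.0/8", "tcp", (443, 443)),
        # Meant to block one abusive range, but p1 has already admitted it.
        Rule("p2", "deny", "203.0.113.0/24", "10.0.0.0/8", "tcp", (443, 443)),
        Rule("p3", "deny", ANY, "10.0.0.0/8", "any", (0, 65535)),
    ],
    "host": [
        Rule("h1", "allow", "10.0.0.0/8", "10.0.5.20/32", "tcp", (22, 22)),
        Rule("h2", "allow", "10.0.1.0/24", "10.0.5.20/32", "tcp", (22, 22)),
        Rule("h3", "allow", "10.0.0.0/8", "10.0.5.20/32", "tcp", (8080, 8080)),
        Rule("h4", "deny", ANY, "10.0.5.20/32", "any", (0, 65535)),
    ],
}

if __name__ == "__main__":
    for layer, findings in audit_layers(SAMPLE_LAYERS).items():
        for kind, earlier, later in findings:
            print(f"[{layer}] {later} is {kind} by {earlier}")
```

On the sample data the perimeter "deny" for 203.0.113.0/24 is reported as shadowed by the broad allow above it, which is the security-relevant kind of conflict: the operator believes that range is blocked when it is not. The host-layer duplicate is only redundant, but it still costs evaluation time and makes the policy harder to read, so both kinds belong in a periodic review.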
4) Use Deep Packet Inspection
One of the issues with firewalls is that a lot of malware uses spoofing to trick them into letting bad traffic through. The packets carry falsified source and destination addresses, which is enough to fool simpler firewalls that only look at packet headers.
Think of it this way: If you have a border crossing, and the firewall is a gate guard, then malware using spoofing would be a smuggler using fake papers to get through the crossing. If all the guard does is perform a cursory check of the papers they’re given, they aren’t likely to notice that they’re letting a criminal through.
However, some firewalls can perform deep packet inspection to look at the contents of a data packet to make sure it’s safe before allowing the data packet through.
To return to the border crossing analogy: With deep packet inspection, the guard is now inspecting the vehicle and popping the trunk to take a look inside before allowing the smuggler through—massively increasing the likelihood of the guard noticing that something’s up and stopping the smuggler.
While there are some tradeoffs, the more thorough deep packet inspection methodology can do a much better job of catching and preventing cyber attacks than less intensive packet filtering firewall methods can.
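To make the border-guard analogy concrete, here is an added example (not code from the original article or from any firewall product) that puts a header-only packet filter beside a filter that also checks whether the payload really speaks the protocol the port is supposed to carry. The packets, the perimeter policy, and the per-port protocol checks are constructed for the demo; the HTTP request-line grammar and the TLS record-header test are deliberately minimal stand-ins for what a real deep packet inspection engine does.

```python
"""Added example (not part of the original article): a header-only packet
filter beside a payload-inspecting one.

The packets, the perimeter policy and the per-port protocol checks are
constructed for this demo; the HTTP request-line grammar and TLS record
header test are minimal stand-ins for a real deep packet inspection engine.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    name: str
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Constructed policy: only web traffic to the DMZ web server is admitted.
DMZ_WEB = "198.51.100.10"
HEADER_POLICY = {("tcp", 80), ("tcp", 443)}


def header_filter(pkt: Packet) -> bool:
    """Simple packet filter: looks only at addresses, protocol and port.
    Anything that *claims* to be web traffic gets through."""
    return pkt.dst == DMZ_WEB and (pkt.proto, pkt.dport) in HEADER_POLICY


# Minimal HTTP/1.x request-line grammar: METHOD SP target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) [^ \r\n]+ HTTP/1\.[01]\r\n")


def looks_like_http(payload: bytes) -> bool:
    return HTTP_REQUEST_LINE.match(payload) is not None


def looks_like_tls(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    # Without terminating the session this is all an inspector can verify.
    return len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03


PAYLOAD_CHECKS: Dict[int, Callable[[bytes], bool]] = {80: looks_like_http, 443: looks_like_tls}


def dpi_filter(pkt: Packet) -> Tuple[bool, str]:
    """Header policy first, then confirm the payload really speaks the
    protocol the destination port is supposed to carry."""
    if not header_filter(pkt):
        return False, "rejected by header policy"
    check = PAYLOAD_CHECKS.get(pkt.dport)
    if check is not None and not check(pkt.payload):
        return False, f"payload is not the protocol expected on port {pkt.dport}"
    return True, "allowed"


def compare(packets: List[Packet]) -> List[Tuple[str, bool, bool]]:
    """(name, header-only verdict, DPI verdict) for each packet."""
    return [(p.name, header_filter(p), dpi_filter(p)[0]) for p in packets]


OUTSIDE = "203.0.113.7"

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("legit-http", OUTSIDE, DMZ_WEB, "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # Port 80 carrying a non-HTTP stream behind a web-looking header.
    Packet("port80-not-http", OUTSIDE, DMZ_WEB, "tcp", 80,
           b"\x00\x01\x02CONSTRUCTED-NON-HTTP-STREAM"),
    # Cleartext pushed through the port reserved for TLS.
    Packet("port443-cleartext", OUTSIDE, DMZ_WEB, "tcp", 443,
           b"GET / HTTP/1.1\r\n\r\n"),
    Packet("legit-tls", OUTSIDE, DMZ_WEB, "tcp", 443,
           b"\x16\x03\x01\x00\x2aCONSTRUCTED-CLIENT-HELLO"),
    Packet("ssh-from-outside", OUTSIDE, DMZ_WEB, "tcp", 22, b"SSH-2.0-client\r\n"),
]

if __name__ == "__main__":
    for name, hdr, dpi in compare(SAMPLE_PACKETS):
        print(f"{name:20s} header-only={hdr!s:5s} dpi={dpi}")
```

The two packets that the header-only filter waves through but the inspecting filter stops are the "fake papers" case from the analogy: the header says web traffic, the contents say otherwise. The TLS check also shows the tradeoff the text mentions: for encrypted traffic an inspector can confirm the record framing but not the contents, so the gain from DPI depends on how much of the traffic it can actually read.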
5) Don’t Just Rely on Firewalls!
While firewalls can do a lot to prevent attacks against your business’ network from the outside, they shouldn’t be your only line of defense—no matter how powerful they are.
Even with the most advanced anti-spoofing capabilities, best-managed rule configurations, and defense in depth arrangements, firewalls can’t stop every attack on their own. You still need antivirus programs, data backup/disaster recovery, strong passwords, multifactor authentication, periodic penetration testing, and many more cybersecurity solutions if you’re going to minimize your company’s exposure to risk.
Additionally, even with all of the above technologies, it’s absolutely vital to ensure that your employees know the basics of good cybersecurity and that you have a strong set of cybersecurity policies in place for them to follow.