Four steps to ensure secure firewall configuration

Date: 24 July 2023

[Image: A firewall sitting between a computer and the server traffic]

Firewalls are a network's first line of defence no matter how many expensive resources enterprises install. Firewalls have experienced massive technological upgrades recently, but still pose security risks if configured incorrectly.

Here are four configuration steps every enterprise must execute when setting up its firewall.

1. Assume least privilege

Enterprise networks consistently face a wide variety of threats, and monitoring each one is challenging: there are only so many resources a company can devote to monitoring and filtering traffic. Least privilege access is a strong security philosophy in this environment because it eliminates one of the most common time sinks in security monitoring: false positives.

For instance, a traffic source might have legitimate motives but behave like malicious traffic by accessing several datasets at once. In the modern CI/CD environment, traffic patterns like these occur all the time, and flagging all of them as potentially malicious only distracts security teams from reviewing genuinely malicious traffic.

Least privilege works on two levels. First, it prescribes blocking all unknown traffic by default, so unrecognised sources never reach the system. Second, it ensures every user receives only the minimum tools and access needed to do their job.

For example, a third-party supplier delivering goods to a company only needs access to invoicing portals and order information. It doesn't need access to other financial or customer data. Removing third-party access to those systems reduces the chances of a malicious actor using the supplier's connection to compromise the company's networks.

These policies reduce network monitoring scope and help security teams focus on the most pressing issues. The result is full network coverage, with a firewall that automatically filters out the majority of malicious traffic. Filtering traffic out like this reduces the number of malicious patterns enterprise security teams must monitor, allowing them to quickly react to events and take corrective action.

2. Specify source IPs as much as possible

Source IPs are a great way of filtering out unwanted traffic and employing least privilege principles. Some parts of an enterprise's network don't need to be exposed to every user out there. In some cases, even the enterprise's homepage might not warrant "ANY" access.

Specifying source IPs might seem highly reductive to some security professionals, but it does reduce the number of incidents a team has to combat. Some teams might choose to limit access to a few specific geographical areas.

Others might open access to every IP except a few, and so on. When determining the scope of restricted IPs, security teams must understand business goals and determine how stringent their policies ought to be. Another option is to open access to every user but install backup monitoring tools to ensure malicious actors don't infiltrate the system and compromise data.

Despite the presence of robust tools that achieve this goal, specifying IPs remains a tried-and-tested tactic. Its benefits outweigh the risks and make security teams more efficient.

3. Specify destination ports for connected services

Third-party services sometimes need access to secure data when executing jobs. While most security monitoring tools do a good job of restricting malicious activity, configuring firewalls is still a good way to add another secure layer.

In this case, specifying destination ports is a great way to ensure connected services stay within bounds and are not exploited by malicious actors. By specifying destination ports, enterprises can ensure that only authorised services connect to a data source.

When combined with the policy of least privilege, security teams can use their firewalls to filter out the majority of malicious traffic. In a similar vein, enterprise security teams must designate specific IP address destinations.

Specifying destination IP addresses prevents denial-of-service attacks, a very common form of cybercrime these days. Typically, malicious actors take over a network and lock legitimate traffic sources out of it, holding a company hostage.

Designating IP addresses limits access only to authorised traffic and secures enterprise firewalls from malicious attacks.
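Steps 1 to 3 together describe a first-match, default-deny policy: named source ranges, named destination hosts, and named destination ports, with everything else dropped. The block below is an added example that models such a policy and is not code from the article. It assumes a hypothetical enterprise with constructed addresses (documentation ranges and private space): a supplier subnet that may reach only the invoicing portal, an office subnet that may reach only the database, and a public web server that accepts HTTPS from any source. The `overly_broad_rules` check is the least-privilege review a team would run against the ruleset before deploying it.

```python
"""Default-deny firewall policy model (added example; not the article's code).

Each rule names a source CIDR, a destination host or CIDR, a destination port
and a protocol. Evaluation is first-match; a flow that matches nothing falls
through to the default DROP, which is the "block all unknown traffic" half of
least privilege. All addresses and rule names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"  # the "ANY" access the article says most services do not warrant


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                     # source CIDR
    dst: str                     # destination host (/32) or CIDR
    dport: Optional[int] = None  # None = any destination port
    proto: str = "tcp"
    action: str = "ACCEPT"       # ACCEPT or DROP


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int
    proto: str = "tcp"


# Constructed ruleset for a hypothetical enterprise (servers in 10.0.5.0/24):
#   - the supplier subnet (203.0.113.0/24) reaches only the invoicing portal on 443
#   - the office subnet (10.0.1.0/24) reaches only the database on 5432
#   - the public web server (10.0.5.30) accepts HTTPS from any source
#   - legacy FTP is dropped by an explicit rule so denials are attributed by name
RULESET: List[Rule] = [
    Rule("supplier-invoicing", "203.0.113.0/24", "10.0.5.10/32", 443),
    Rule("office-to-db", "10.0.1.0/24", "10.0.5.20/32", 5432),
    Rule("public-web", ANY, "10.0.5.30/32", 443),
    Rule("block-legacy-ftp", ANY, ANY, 21, action="DROP"),
]
DEFAULT_ACTION = "DROP"


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls inside the rule's source, destination, port and protocol."""
    return (
        rule.proto == flow.proto
        and ip_address(flow.src_ip) in ip_network(rule.src)
        and ip_address(flow.dst_ip) in ip_network(rule.dst)
        and (rule.dport is None or rule.dport == flow.dport)
    )


def evaluate(flow: Flow, ruleset: List[Rule] = RULESET) -> Tuple[str, str]:
    """Return (action, rule name). First matching rule wins; no match means default DROP."""
    for rule in ruleset:
        if matches(rule, flow):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def denied_flows(flows: List[Flow], ruleset: List[Rule] = RULESET) -> List[Tuple[Flow, str]]:
    """Return only the dropped flows with the rule that dropped them. Accepted
    traffic needs no review, which is the reduced monitoring scope the article describes."""
    denied = []
    for flow in flows:
        action, name = evaluate(flow, ruleset)
        if action == "DROP":
            denied.append((flow, name))
    return denied


def overly_broad_rules(ruleset: List[Rule] = RULESET) -> List[Tuple[str, str]]:
    """Least-privilege lint: ACCEPT rules with an ANY source, ANY destination or no port."""
    findings = []
    for r in ruleset:
        if r.action != "ACCEPT":
            continue
        if ip_network(r.src).prefixlen == 0:
            findings.append((r.name, "source is ANY"))
        if ip_network(r.dst).prefixlen == 0:
            findings.append((r.name, "destination is ANY"))
        if r.dport is None:
            findings.append((r.name, "no destination port"))
    return findings


if __name__ == "__main__":
    sample = [
        Flow("203.0.113.7", "10.0.5.10", 443),    # supplier -> invoicing: allowed
        Flow("203.0.113.7", "10.0.5.20", 5432),   # supplier -> database: no rule, default DROP
        Flow("198.51.100.4", "10.0.5.30", 443),   # internet -> public web: allowed
        Flow("198.51.100.4", "10.0.5.30", 21),    # internet -> FTP: explicit DROP
    ]
    for flow, rule in denied_flows(sample):
        print(f"DROP {flow.src_ip} -> {flow.dst_ip}:{flow.dport}/{flow.proto} by {rule}")
    for name, problem in overly_broad_rules():
        print(f"review rule {name}: {problem}")
```

Note that the supplier's attempt to reach the database is dropped without any rule naming it: that is the default-deny behaviour doing the work. The lint flags `public-web` for its ANY source, which is exactly the case the article says a team should consciously decide on rather than inherit.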

4. Open expected ports

Enterprise security teams must prioritise policies that give them more time to focus on complex network threats. In this context, opening ports users expect to find open when they access networks makes a lot of sense. While this is a time-consuming task, the time this action saves, in the long run, makes it a worthwhile effort.

To choose which ports to open, security teams must analyse their traffic for patterns and pick the most common connection ports. Teams must also account for the server types and databases users in their organisation use before drawing up a list.

A lot of the work in this task is front-loaded: once a team has identified which ports to open, there is little left to do in this regard. In turn, the task limits malicious traffic and the chance of a malicious actor using a rarely used open port to infiltrate the network.
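The traffic analysis in step 4 (find the commonly used destination ports, then check them against the server types and databases the organisation actually runs) can be scripted. The block below is an added example and not code from the article; the log format, hosts, client addresses and the server inventory are all constructed and hypothetical. It counts distinct clients per destination port rather than raw hits, so a single noisy host cannot make a port look "expected", and it sends any port that belongs to no inventoried service to review instead of opening it.

```python
"""Deriving the "expected ports" list from connection logs (added example; not the article's code).

Parses constructed flow-log lines, counts how many distinct clients use each
(destination, protocol, port), and cross-checks the result against a hypothetical
server inventory so ports that belong to no known service are reviewed rather
than opened. Log format, hosts and inventory are all constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str, int]  # (destination host, protocol, destination port)

# Constructed log lines: "<timestamp> <src> <dst> <dport> <proto> <bytes>".
LOG_LINES = """\
2023-07-20T09:01:02Z 10.0.1.15 10.0.5.30 443 tcp 1820
2023-07-20T09:01:05Z 10.0.1.22 10.0.5.30 443 tcp 960
2023-07-20T09:02:11Z 10.0.1.40 10.0.5.30 443 tcp 4410
2023-07-20T09:02:30Z 10.0.1.15 10.0.5.20 5432 tcp 300
2023-07-20T09:03:01Z 10.0.1.22 10.0.5.20 5432 tcp 280
2023-07-20T09:03:15Z 10.0.1.99 10.0.5.30 8080 tcp 120
2023-07-20T09:04:00Z 10.0.1.15 10.0.5.40 53 udp 80
2023-07-20T09:04:02Z 10.0.1.22 10.0.5.40 53 udp 76
this line is malformed and must be skipped, not guessed at
"""

# Hypothetical inventory: the ports each server role is supposed to serve.
INVENTORY: Dict[str, Dict] = {
    "10.0.5.30": {"role": "web", "ports": {("tcp", 443)}},
    "10.0.5.20": {"role": "postgres", "ports": {("tcp", 5432)}},
    "10.0.5.40": {"role": "dns", "ports": {("udp", 53), ("tcp", 53)}},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (tcp|udp) (\d+)$")


def parse(text: str) -> List[dict]:
    """Parse the constructed log format; malformed lines are dropped, not interpreted."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, src, dst, port, proto, nbytes = m.groups()
        flows.append({"src": src, "dst": dst, "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def clients_per_port(flows: List[dict]) -> Dict[Key, int]:
    """Distinct client count per (dst, proto, port)."""
    clients: Dict[Key, Set[str]] = defaultdict(set)
    for f in flows:
        clients[(f["dst"], f["proto"], f["port"])].add(f["src"])
    return {k: len(v) for k, v in clients.items()}


def classify(flows: List[dict], inventory: Dict[str, Dict] = INVENTORY, min_clients: int = 2):
    """Split observed ports into 'open' (common and in inventory) and 'review' (everything else).

    Returns (to_open, to_review); to_review entries carry the reason for the decision."""
    usage = clients_per_port(flows)
    to_open: List[Key] = []
    to_review: List[Tuple[Key, str]] = []
    for key, n in sorted(usage.items()):
        dst, proto, port = key
        known = (proto, port) in inventory.get(dst, {}).get("ports", set())
        if n >= min_clients and known:
            to_open.append(key)
        else:
            reason = "not in server inventory" if not known else f"only {n} client(s)"
            to_review.append((key, reason))
    return to_open, to_review


if __name__ == "__main__":
    opened, review = classify(parse(LOG_LINES))
    for dst, proto, port in opened:
        print(f"open  {dst} {proto}/{port}")
    for (dst, proto, port), reason in review:
        print(f"review {dst} {proto}/{port}: {reason}")
```

In the constructed data, port 8080 on the web server is used by one client and is not part of that server's inventoried role, so it lands in the review list; raising `min_clients` makes the policy stricter and moves thinly used but legitimate ports into review as well, which is the trade-off the article's "analyse traffic for patterns" step is really about.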

Security begins with firewalls

Firewalls are a company's first line of defence and security teams must spend time configuring them correctly. Fail to do so, and even the most sophisticated security tools will not prevent malicious actors from compromising networks.

Copyright 2023. Featured post made possible by Jeff Broth.
