1. The firewall has implemented your security policy.
The firewall reinforces some security policies. If you don't have a security strategy before you put the firewall in place, now is the time to make it. It may not be written in writing, but it can also be used as a security policy. Installing a firewall is the best thing you can do to protect your site if you don't have a clear idea of what the security policy should do, and it's not easy to maintain it at all times. To have a good firewall, you need a good security strategy---written and accepted.
2. A firewall is not a single device in many cases.
Unless in a particularly simple case, a firewall is rarely a single device, but a set of devices. Even if you buy a commercial "All-in-one" Firewall application, you also have to configure other machines (such as your Web server) to run with them. These other machines are considered to be part of the firewall, which includes how they are configured and managed, what they trust, what they are trusted for, and so on. You can't simply choose a device called a "firewall" and expect it to assume all the security responsibilities.
3. Firewalls are not readily available products.
Choosing a firewall is more like buying a house than choosing where to go on vacation. Firewalls are similar to houses, you have to stay with it every day, and you use it for more than a two-week period. All need to be maintained or else they will break down. Building a firewall requires careful selection and configuration of a solution to meet your needs, and then continue to maintain it. A lot of decisions need to be made, and the right solution for a site is often wrong for another site.
4. The firewall does not solve all your problems.
And don't expect firewalls to be able to give you security on their own. Firewalls protect you from the threat of a class of attacks, and people try to attack the interior directly from the outside. But it doesn't prevent attacks from within the LAN, and it doesn't even protect you from all the attacks that it detects.
5. Use the default policy.
Normally your means is to reject any service other than the service you know necessary and secure. But new vulnerabilities appear every day, and shutting down unsafe services means a continuing war.
6. A conditional compromise, not an easy one.
People like to do things that are unsafe. If you allow all the requests, your network will be very insecure. If you reject all requests, your network is also unsafe, and you will not know where the unsafe items are hidden. Those who can't work with you will be bad for you. You need to find a way to meet the needs of your users, although these approaches can lead to a certain amount of risk.
7. Use layering tools.
and a single device since the site. Use multiple layers of security to prevent a failure from causing a problem that concerns you.
8. Install only what you need.
The firewall machine cannot install all the software distributions provided by the vendor like a normal computer. A machine that is part of a firewall must have minimal installation. Even if you think something is safe, don't install it when you don't need it.
9. Use all available resources.
Do not create firewalls based on information from a single source, especially if the resource is not from a vendor. There are many resources available: such as vendor information, the books we write, mail groups, and websites.
10. Only believe that you can be certain.
Do not trust the manual and dialog boxes of the graphical interface or the manufacturer's statements about how certain things are to be run, and detection to determine which connections should be rejected. Detection to determine which connections should be allowed.
11. Ongoing evaluation decisions.
The house you bought five years ago may not be right for you today. Similarly, the firewalls you installed a year ago are not the best solution for your current situation. For firewalls you should regularly evaluate your decisions and confirm that you still have a reasonable solution. Changing your firewall, like moving to a new home, requires obvious effort and careful planning.
12. Be psychologically prepared for failure.
Prepare for the worst. The machine may stop running, the motivated user may do the wrong thing, the malicious user may do bad things and beat you successfully. But it must be understood that this is not a complete disaster when these things happen.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
