Creating a reliable rule set is a critical step toward a successful and secure firewall. In security audits it is often found that a firewall purchased at great expense exposes the organization to serious risk because its rules are misconfigured. This article describes how to design, establish, and maintain a reliable and secure firewall rule set, using the DS2000 firewall from Gaoyang xin'an as an example. Whichever type of firewall you use, the basic principles of rule set design are the same.
Key to Success
The first thing to emphasize is that a simple rule set is the key to building a secure firewall. The number one enemy of your network is misconfiguration: why would attackers bother sneaking crafted packets through your firewall when you have accidentally left IMAP (Internet Message Access Protocol) exposed? Keeping the rule set short and simple reduces the chance of an incorrect configuration and makes the rule set easier to understand and maintain. At the same time, with only a few rules to evaluate, performance improves. A good rule of thumb is no more than 30 rules. With 30 rules you can still understand what is going on; between 30 and 50 rules things become messy, and the probability of misconfiguration grows exponentially.
How do we establish a secure rule set? Below we design and develop a firewall rule set from the security policy of a fictitious enterprise.
Security Policy
Management specifies the security policy to be implemented, and the firewall is a technical tool for implementing that policy. Therefore, before creating a rule set, we must understand the security policy. This article uses a simple security policy as an example to describe how to create a rule set. Management describes the policy as follows:
• Internal employees are not restricted from accessing the Internet;
• Internet users are permitted to use the company's Web server and Internet e-mail;
• Any access to the internal network from the Internet must be securely authenticated and encrypted.
Security Architecture
As administrators, our first step is to translate the security policy into a security architecture. We now discuss how the core of each policy item is turned into a technical implementation.
• The first item is easy: anything on the internal network may go out to the Internet.
• The core of the second item is more subtle. We want to run Web and e-mail servers for the company. We place them in a DMZ to implement this item. A DMZ (Demilitarized Zone) is an isolated network where you place untrusted systems. Since anyone on the Internet can reach our Web and e-mail servers, we cannot trust them.
• The only connection from the Internet into the internal network is remote administration. We allow system administrators to reach their systems remotely by permitting only the encrypted service into the internal network.
• We must add DNS. As a security administrator, you should implement Split DNS. Split DNS means separating DNS onto two different servers: an external DNS server, and an internal DNS server that holds the internal network's mappings. The external DNS server can be placed together with the Web and e-mail servers in the protected DMZ. The internal DNS server is placed on the internal network so that the Internet cannot endanger the internal DNS.
Rule Order
Before creating a rule set, you must decide on the rule order. You will soon see that order is critical: the same rules placed in a different order can completely change the behaviour of the firewall. Many firewalls check packets against the rules in sequence; when a matching rule is found, checking stops and that rule is applied. Understanding that the first matching rule, rather than the best matching rule, is applied to a packet is critical. On this basis, more specific rules come first and more general rules come later, so that a packet is not matched by a general rule before the specific rule intended for it is reached. This prevents misconfiguration of your firewall.
Rule Set
When configuring a firewall, follow these steps to design a rule set that meets the preceding security policy. Each rule is outlined briefly, together with why it is chosen and why it matters.
• Default settings: these are the product's factory settings when the firewall is deployed. Before designing a rule set, disable the defaults so that the original rules are cleared and the new rules can be configured from scratch.
• Internal outbound: the first rule allows anyone on the internal network to go outbound.
• Lock: add a lock rule that blocks all access to the firewall itself. No one except the firewall administrator may access the firewall.
• Administrator access: after the lock rule, no one can connect to the firewall, not even the administrator, so you must create a rule that allows the administrator to access the firewall.
• Drop all: by default, every packet that matches no rule is dropped.
• No logging: the large volume of common traffic that the firewall drops on the network will soon fill the logs if every drop is recorded, so create a rule that drops/rejects such traffic without logging it.
• DNS access: allows Internet users to access the DNS server.
• Email access: You want Internet and internal users to access the email server through SMTP, and internal users to access the email server through POP.
• Web Access: We want Internet and internal users to access the Web server over HTTP.
• Block DMZ: internal users must be prevented from freely accessing our DMZ.
• DMZ rules: the DMZ should never initiate a connection to the internal network. Any connection from the DMZ to an internal user is rejected, logged, and raises an alert.
• Administrator access to the internal network: we allow the administrator (restricted to specific source IP addresses) encrypted access to the internal network.
• Performance: move the most frequently matched rules toward the top of the rule set to improve performance, without disturbing the relative order of rules that overlap (see Rule Order).
• Intrusion detection: add rules that catch and log those who like to scan and probe the network.
• Additional rules: you can add further rules, such as blocking connections to advertising servers by IP address, which saves users' time and improves performance.
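To make the Rule Order and Rule Set sections concrete, here is a small first-match evaluator written for this article (it is an added example, not code from the article or the DS2000 product). The addresses are constructed placeholders; the rule names follow the list above, ordered specific-before-general, and the evaluator shows why the administrator rule must sit above the lock rule and why the broad internal-outbound rule cannot be placed first.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed, hypothetical addressing for the article's fictitious enterprise.
INTERNAL = ip_network("10.0.0.0/8")          # internal network
DMZ = ip_network("192.0.2.0/24")             # DMZ holding Web, mail and external DNS
ANY = ip_network("0.0.0.0/0")
FIREWALL = ip_network("192.0.2.1/32")        # the firewall's own address
ADMIN_IP = ip_network("198.51.100.7/32")     # administrator's fixed source address
DNS, MAIL, WEB = (ip_network(f"192.0.2.{n}/32") for n in (10, 25, 80))

@dataclass
class Rule:
    name: str
    src: object            # network the source address must fall inside
    dst: object            # network the destination address must fall inside
    port: Optional[int]    # destination port, None means any port
    action: str            # "accept" or "drop"

def matches(rule, src, dst, port):
    return (ip_network(src).subnet_of(rule.src)
            and ip_network(dst).subnet_of(rule.dst)
            and rule.port in (None, port))

def evaluate(rules, src, dst, port):
    """First-match semantics: the first matching rule decides, not the best one."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.name, rule.action
    return "implicit drop", "drop"    # nothing matched: default deny

def move_to_top(rules, name):
    """Copy of the rule set with one rule hoisted to position 0, to show ordering effects."""
    return [r for r in rules if r.name == name] + [r for r in rules if r.name != name]

# The article's rules, ordered specific-before-general so that first match is correct.
RULES = [
    Rule("admin to firewall", ADMIN_IP, FIREWALL, 22, "accept"),   # must sit above "lock"
    Rule("lock", ANY, FIREWALL, None, "drop"),                    # nobody else reaches the firewall
    Rule("dmz rules", DMZ, INTERNAL, None, "drop"),               # DMZ never initiates inward
    Rule("admin to internal", ADMIN_IP, INTERNAL, 22, "accept"),  # encrypted remote administration
    Rule("dns access", ANY, DNS, 53, "accept"),
    Rule("smtp access", ANY, MAIL, 25, "accept"),
    Rule("pop access", INTERNAL, MAIL, 110, "accept"),
    Rule("web access", ANY, WEB, 80, "accept"),
    Rule("block dmz", INTERNAL, DMZ, None, "drop"),               # only the DMZ services above
    Rule("internal outbound", INTERNAL, ANY, None, "accept"),
    Rule("drop all", ANY, ANY, None, "drop"),
]
if __name__ == "__main__":
    print(evaluate(RULES, "198.51.100.7", "192.0.2.1", 22))                        # admin accepted
    print(evaluate(move_to_top(RULES, "lock"), "198.51.100.7", "192.0.2.1", 22))   # admin locked out
    print(evaluate(move_to_top(RULES, "internal outbound"), "10.1.1.5", "192.0.2.1", 22))
```

The last line shows that placing the general internal-outbound rule first lets internal users reach the firewall before the lock rule is ever consulted.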
Update rules
Once the rules are in place, it is recommended that you comment each rule and keep the comments up to date. Comments help you understand what each rule is for, and the better the rules are understood, the less likely a misconfiguration becomes. For large organizations with multiple firewalls, we recommend that whenever a rule is modified, the name of the person making the change, the date and time, and the reason for the change are added to the comment; this makes it possible to track who modified a rule and why.