How to correctly test and maintain a firewall?
In this article, technical expert Eric Cole describes how proper maintenance and testing can fix poor firewall performance and firewall failures.

Most enterprises regard the firewall as a mature technology, and security professionals usually do not give it much thought. When auditing or assessing a firewall, the enterprise simply ticks the box saying that the firewall is protecting the network. Recently, however, I have noticed a trend: firewalls are not providing all of the protection they could, because they are not being upgraded or properly maintained. I am not saying that a firewall alone can block every attack, which is unlikely, but I do think firewalls could be far more effective than they are now.

When considering the maintenance, testing and review of firewall rules, an enterprise should ask the following questions:

1. When was the firewall rule set last fully verified?
2. When was the firewall rule set last updated?
3. When was the firewall last fully tested?
4. When was the firewall rule set last optimized?

For most enterprises, the firewall was most likely deployed several years ago and has not been improved much since. That is the case for many of my customers, and it is why I chose firewalls as the topic of this article.

Design and configuration are the two things a firewall must get right: it must be correctly designed and correctly configured. On the design side, the golden rule is that "all connections must pass through the firewall". The question is: what percentage of traffic actually passes through it? Some will say that 100% of network traffic must pass through the firewall, but in practice encrypted links, wireless traffic, modems and external network connections often bypass it. Many people claim that 100% of their traffic goes through the firewall when the real figure may be very low.
As networks become more open, many firewalls see less than 60% of the traffic, which greatly reduces their effectiveness; after all, a firewall cannot protect what it cannot see.

On the configuration side, a firewall is only as effective as its rule set. In many companies a technician is allowed to build the rule set at the console, with no firewall policy or requirements document driving what the rules should be. If there is no document, there is no way to verify that the rule set is correct.

Another fundamental problem is that enterprises seldom test their firewalls properly. After a rule set is created or updated, the enterprise tests that everything passes through the firewall normally. That test is fine as far as it goes, but if "everything passes", then traffic that should be blocked is being allowed through as well. Enterprises should therefore use the requirements document to test the exceptions, which confirms that what should be blocked is actually blocked.

Testing the firewall's effectiveness to prevent failure

The final test measures the overall effectiveness of the firewall. The only way to understand how effective a firewall is, is to look at the number of packets it drops; after all, the reason for deploying a firewall is to stop traffic that should be blocked. Based on this measure, an enterprise needs to answer the question: "How many packets does the firewall drop each day? Can the firewall detect anomalies?" One of my clients was very pleased with their firewall because it had 237 unique rules. The problem was that when we checked the dropped-packet count, the result was 0. That means the 237 rules were equivalent to "allow everything", and the customer's firewall was just an expensive pass-through device.
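As an added example (not part of Eric Cole's article), the following Python script does the two checks described above against a rule set: it runs the "must be blocked" cases taken from the policy document through a first-match rule set and reports any that leak through, and it reports deny rules that can never fire because a broader rule sits above them, which is exactly how a rule set with many rules ends up equivalent to "allow everything". The rule set, the policy cases and the addresses are constructed sample data.

```python
"""Negative-testing a firewall rule set against the policy document.

Added example, not code from the article. It models a first-match rule set,
which is how most packet filters evaluate rules, and checks (a) that every
connection the policy says must be blocked is actually denied and (b) whether
any deny rule is dead because an earlier, broader rule covers it. All rules,
addresses and test cases below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port, None for any port


def _in_net(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(rule, src, dst, proto, dport):
    """Does a packet (src, dst, proto, dport) hit this rule?"""
    return (_in_net(rule.src, src) and _in_net(rule.dst, dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(rules, src, dst, proto, dport, default="deny"):
    """First matching rule wins; return (action, rule index or None for the default)."""
    for i, rule in enumerate(rules):
        if matches(rule, src, dst, proto, dport):
            return rule.action, i
    return default, None


def run_negative_tests(rules, must_block, default="deny"):
    """Return [(case, rule index)] for every 'must be blocked' case that is allowed."""
    leaks = []
    for case in must_block:
        action, idx = evaluate(rules, *case, default=default)
        if action == "allow":
            leaks.append((case, idx))
    return leaks


def _net_covers(outer, inner):
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    return (_net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(covers(rules[i], r) for i in range(j))]


def dead_deny_rules(rules):
    """Shadowed rules whose action is deny: blocking intent that is never enforced."""
    return [j for j in shadowed_rules(rules) if rules[j].action == "deny"]


# Constructed rule set that reproduces the "many rules, zero drops" situation in
# miniature: a catch-all allow sits above the deny rules, so they are dead.
SAMPLE_RULES = [
    Rule("allow", "10.0.0.0/8", "any", "tcp", 443),
    Rule("allow", "any", "any", "any", None),        # "temporary" catch-all left in place
    Rule("deny", "any", "10.0.5.0/24", "tcp", 23),   # telnet to the server network
    Rule("deny", "any", "any", "any", None),
]

# Same intent with the ordering fixed: the specific deny comes first and the
# catch-all allow is gone, so the closing deny-all is reachable.
FIXED_RULES = [
    Rule("deny", "any", "10.0.5.0/24", "tcp", 23),
    Rule("allow", "10.0.0.0/8", "any", "tcp", 443),
    Rule("deny", "any", "any", "any", None),
]

# Constructed "must be blocked" cases derived from the policy document:
# (src, dst, proto, dport)
MUST_BLOCK = [
    ("192.0.2.10", "10.0.5.7", "tcp", 23),
    ("192.0.2.10", "10.0.5.7", "tcp", 3389),
]

if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("fixed", FIXED_RULES)):
        print(name, "leaks:", run_negative_tests(rules, MUST_BLOCK))
        print(name, "dead deny rules:", dead_deny_rules(rules))
```

The leak report is the exception test the article asks for, and the dead-rule report explains a zero drop count without waiting for a day of logs: when every deny rule is shadowed, the rule set is a pass-through device no matter how many rules it contains.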
By checking the dropped-packet count, an enterprise can tell whether the device is letting too much through and thereby undermining the firewall's effectiveness. In the end, a firewall's success is measured by the number of packets it drops.

The key to measuring firewall effectiveness is to track the dropped-packet count, make sure it is consistent with the enterprise's type of business, and watch for changes. Every enterprise is different, but in general a firewall should be dropping thousands of packets or more per day; some enterprises see thousands of dropped packets per hour. If an enterprise sees only about a hundred dropped packets per day, then either the firewall is not actually inline with the Internet connection (which is unlikely) or the rule set is not configured correctly. It is also important to check the dropped-packet count after each change to the rule set, so that the enterprise understands the impact of the rules on its security.

All in all, most enterprises have firewalls, but they may have become less effective over time and fail to play their intended role. Checking the percentage of traffic that goes through the firewall and checking the dropped-packet count can help restore the firewall's value.
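As an added example (not part of the article), here is a Python script that performs this measurement over firewall logs: it counts drops per day, flags days whose drop count falls below the floor the business expects, compares the drop rate before and after a rule-set change, and lists the most frequently dropped destination ports. It assumes iptables-style LOG lines with high-precision syslog timestamps and the log prefixes FW-DROP and FW-ACCEPT configured on the firewall; the log lines, hostnames, addresses and the rule-change date are constructed sample data.

```python
"""Tracking dropped-packet counts from firewall logs.

Added example, not code from the article. It parses iptables-style LOG lines
(assuming the firewall is configured to prefix them with FW-DROP / FW-ACCEPT),
counts drops per day, flags days below an expected floor, and compares the
drop rate before and after a rule-set change. All log lines are constructed
sample data; the hosts, addresses and dates are fictitious.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ \S+ kernel: (?P<verdict>FW-DROP|FW-ACCEPT) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dport>\d+))?"
)

# Constructed sample log. A rule-set change went live on 2024-03-12; from that
# day on the same sources that were being dropped are accepted instead.
SAMPLE_LOG = """\
2024-03-10T02:14:07+00:00 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=44321 DPT=23
2024-03-10T02:14:09+00:00 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=44322 DPT=23
2024-03-10T03:01:55+00:00 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TTL=48 PROTO=TCP SPT=51000 DPT=3389
2024-03-10T08:20:11+00:00 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.15 DST=10.0.5.7 LEN=60 TTL=55 PROTO=TCP SPT=40101 DPT=443
2024-03-10T11:42:30+00:00 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.90 DST=203.0.113.5 LEN=40 TTL=50 PROTO=TCP SPT=33333 DPT=445
2024-03-10T15:05:02+00:00 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.16 DST=10.0.5.7 LEN=60 TTL=55 PROTO=TCP SPT=40102 DPT=443
2024-03-11T01:10:44+00:00 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=44400 DPT=23
2024-03-11T06:30:00+00:00 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.81 DST=203.0.113.5 LEN=84 TTL=49 PROTO=ICMP TYPE=8 CODE=0
2024-03-11T09:12:19+00:00 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.15 DST=10.0.5.7 LEN=60 TTL=55 PROTO=TCP SPT=40103 DPT=443
2024-03-11T13:45:27+00:00 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TTL=48 PROTO=TCP SPT=51001 DPT=3389
2024-03-11T17:58:03+00:00 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.17 DST=10.0.5.7 LEN=60 TTL=55 PROTO=TCP SPT=40104 DPT=443
2024-03-12T02:14:07+00:00 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=10.0.5.7 LEN=40 TTL=52 PROTO=TCP SPT=44500 DPT=23
2024-03-12T09:00:41+00:00 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.15 DST=10.0.5.7 LEN=60 TTL=55 PROTO=TCP SPT=40105 DPT=443
2024-03-12T21:37:12+00:00 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=10.0.5.7 LEN=40 TTL=48 PROTO=TCP SPT=51002 DPT=3389
""".splitlines()


def parse(lines):
    """Yield one dict per recognised log line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"]) if rec["dport"] else None
            yield rec


def daily_counts(lines):
    """{ISO date: Counter({"FW-DROP": n, "FW-ACCEPT": m})}."""
    counts = defaultdict(Counter)
    for rec in parse(lines):
        counts[rec["date"]][rec["verdict"]] += 1
    return dict(counts)


def low_drop_days(counts, floor):
    """Days whose drop count is below the floor the business expects to see."""
    return sorted(day for day, c in counts.items() if c["FW-DROP"] < floor)


def drop_rate_change(counts, change_date):
    """Mean drops per day before the rule change vs. from the change date on."""
    before = [c["FW-DROP"] for day, c in counts.items() if day < change_date]
    after = [c["FW-DROP"] for day, c in counts.items() if day >= change_date]
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return mean(before), mean(after)


def top_dropped_ports(lines, n=3):
    """Most frequently dropped destination ports, i.e. what the firewall is stopping."""
    c = Counter(r["dport"] for r in parse(lines)
                if r["verdict"] == "FW-DROP" and r["dport"] is not None)
    return c.most_common(n)


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_LOG)
    for day in sorted(counts):
        print(day, dict(counts[day]))
    # The article's guidance is thousands of drops per day; the floor here is
    # tiny only because the sample log is tiny.
    print("low-drop days:", low_drop_days(counts, floor=2))
    print("drops/day before vs after change:", drop_rate_change(counts, "2024-03-12"))
    print("top dropped ports:", top_dropped_ports(SAMPLE_LOG))
```

In the sample the drop count goes to zero on the day the rule change went live while the same external sources are now accepted; that is the "expensive pass-through device" signature, and the before/after comparison is the check the article recommends after every rule-set change.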