AntiOnline Spotlight: Essential Firewall Hardening Guide
By Enterprise IT Planet Staff
April 1, 2005
If you're looking for ways to boost the effectiveness of the software firewall on your home PC, look elsewhere. This week's spotlight thread is for serious security professionals and those that aspire to be.
And just in time too.
|How would you like to explain to the CEO that customer records are floating freely on the Internet for all to see?
Never has there been such scrutiny placed on the security of corporate networks. With the dawn of new compliance measures and a rash of misplaced and mishandled personal information, companies are being forced to take a serious look at just how good their systems are at keeping sensitive information under wraps.
AntiOnline newcomer aciscorouter posted a handy reference guide on protecting your enterprise-grade network, or any large-scale network for that matter. So handy, in fact, that it's worthy of the trip to the nearest laser printer to fetch a hard copy.
All it takes is a small 27KB download (446KB when expanded) to get started. The HTML-based guide was originally crafted for an honest-to-goodness company, but has been cleaned up and cleared for public consumption and the good of network admins everywhere.
In case there are any doubts as to the seriousness of this tutorial, here's a clip from the guide:
This guide was written for security analysts and network administrators whose day-to-day jobs includes installation, configuration and maintenance of network firewalls. This document will supplement their skill sets and provide guidance for operational hardening of an already configured firewall.
Feeling adequately professional yet? Good. Now comes the fun part...
Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.
This Week's Spotlight Forum:
Essential Firewall Hardening Guide
* Download the guide zip file (rename by adding a .zip extension when download completes).
Pasting a huge tutorial to an online forum can be a little counterproductive, particularly if it's preformatted. Instead, aciscorouter provides a downloadable file along with a word or two about its contents.
A colleague and I put together a mandatory hardening guide for Network Firewalls for our company. With permission, we stripped out all references to the business and I now I'm making it available online. I was always looking for something like this and I know others could really use some guidelines, especially with compliance and auditing being so rampant lately.
Doubt the seriousness of this document? Our author follows up on some of the questions raised...
Our intent with this document at a corporate level was to address the firewall base protection rules to ensure the integrity of the firewall themselves. I did make mention of outbound rules but limited them since every one of our environments have different needs.
As an example, fragmentation over VPN is common and will exhaust the re-assembly buffers in a default configuration. Also, in a VPN block, we allow any RPC or NetBIOS protocol between our VPN clients and the corporate network. I didn't want to address these "content" rules as a basis for every configuration, rather we have been developing a Content Rule Guideline to address what are acceptable protocols and traffic patterns ingress and egress of our corporate infrastructure. I included the "Content Rules" section with the disclaimer that it was merely an example of how these protocols would be implemented.
Still unsure? Let's take a look at the overview:
- Base Firewall Filters - these are the firewall stealth and cleanup rules. These should be the minimum rules that are applied to every pre-production firewall.
- Firewall Protection Rules - These rules are intended to protect the firewall operation and administration from attacks, excessive floods, spoofing and other malicious behavior targeting firewalls or the networks they protect.
- Firewall Management Rules - The very first set of permit rules that allow administrators to connect to the firewall.
- Firewall Monitoring Rules - These rules allow network management devices to monitor the firewalls and allow management traffic to pass through the firewalls.
- ICMP Message Rules - These rules control the ICMP protocol which is a common requirement in the operation and troubleshooting of TCP/IP networks.
- Blocking Outbound LAN Protocols - These rules detail the common LAN protocols that should not be leaving the corporate network.
- Summary of Standard Firewall Rules - This is a final summary of all of the mandatory firewall rules.
More in-depth and technical details await
the intrepid downloader (virus free, worry not).