Firewall rulebases often contain hundreds or even thousands of rules, so one of the most important responsibilities of a firewall administrator is to manage that rulebase, paying particular attention to configuration errors. Learn about common firewall configuration errors and proper firewall management techniques.
- [Instructor] Network firewalls play an important role in an organization's overall security posture. They protect the perimeter of the network, blocking any traffic that is not explicitly authorized on that network. Firewalls keep potential attackers at bay, limiting the possibility that attackers will gain unauthorized access to a protected network. The basic function of a firewall is actually quite simple: each time someone outside the protected network attempts a new connection into the protected network, the firewall consults a list of rules maintained by the administrator.
If it finds a rule that matches the description of the attempted connection, it then follows the action specified by that rule. If the firewall doesn't have explicit instructions for the situation it finds itself in, the firewall follows the default deny principle and blocks the traffic. For example, we might have a firewall rulebase for a simple network that contains these three rules: allow web traffic to a web server on port 80, allow SMTP email traffic to the email server on port 25, and block everything else.
When a packet arrives at the firewall from an external source, the firewall checks it against these rules. For example, if a packet arrives headed to the email server on port 25, the firewall checks the rules in order from top to bottom. It first checks rule one, and neither the port nor the destination matches, so it moves on to rule two and finds that it does match. The firewall then carries out the specified action, which in this case is to allow the traffic.
Now, let's suppose that someone attempts to connect to the web server using a secure HTTPS connection on port 443. When that packet arrives, the firewall checks its rules and finds that it does not match rule one because the ports are different. It also doesn't match rule two, so the firewall denies this connection according to rule three, the default deny rule. Real firewall rulebases often contain hundreds or even thousands of rules, so one of the most important responsibilities of a firewall administrator is to manage that rulebase, paying particular attention to configuration errors.
Let's take a look at some common configuration errors. The first error you might find in a firewall rulebase is called a shadowed rule. Shadowed rules occur when a rulebase contains a rule that will never be executed because of its placement in the rulebase. Suppose we have a set of rules where we want to allow access from the internal network to all websites except a known malicious site with the IP address 18.104.22.168. We might write our rules like this, adding the rule to block access to the malicious site to the bottom of the rule list.
Unfortunately, this rule will never be executed. When someone attempts to access the malicious site, the firewall will check its rulebase in top-down order. It will first find this rule that allows access to any website and execute it, without ever checking our more specific rule, because the specific rule is shadowed by the general rule. We can easily fix this error by rearranging the rulebase so that the more specific rule appears first. Now, when someone tries to access the malicious site, the firewall will find this rule first and execute it, blocking the access.
The second common firewall error is promiscuous rules, or rules that allow too much access. This may be the result of laziness when writing the rules, a lack of understanding of how a system functions, or even a simple typo. Promiscuous rules violate the principle of least privilege and can jeopardize system security. Orphaned rules are another type of firewall configuration error. They occur when a system or service is decommissioned but the rules are never removed from the firewall.
Orphaned rules present a security challenge because the IP address used by the decommissioned server may be reused in the future, reactivating the orphaned rule and unintentionally allowing external access to an internal system. Firewall administrators should regularly conduct firewall rule reviews to check for these common errors and maintain a clean, healthy firewall rulebase.
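The two mechanisms the instructor walks through, top-down first-match evaluation with an implicit default deny and the shadowed-rule error that this ordering produces, can be shown in working code. The following is an added example written for this page; it is not code from the course or from any firewall product. The rule fields, the TEST-NET addresses used for the web and mail servers (192.0.2.10, 192.0.2.25), the 10.0.0.0/8 internal network, and the assumption that "any website" means TCP port 80 are all constructed for the example; the malicious address 18.104.22.168 is the one used in the transcript.

```python
"""First-match firewall rulebase evaluator with a shadowed-rule review check.

Added example for this page; not the course's or any vendor's code.
Rule format, sample addresses and the two rulebases below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = None    # wildcard destination port
ANY_PROTO = "any"  # wildcard protocol


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "tcp", "udp" or ANY_PROTO
    dport: Optional[int]  # destination port, ANY_PORT for any
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        """Does one packet (5-tuple minus source port) hit this rule?"""
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in (ANY_PROTO, proto)
                and self.dport in (ANY_PORT, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is also matched by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in (ANY_PROTO, other.proto)
                and self.dport in (ANY_PORT, other.dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Walk the rulebase top-down; the first matching rule decides.

    No match means the implicit default-deny rule applies.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rule-review check: (shadowed rule, earlier rule that hides it) pairs.

    A rule is shadowed when some earlier rule covers everything it could
    match, so it can never be the first match whatever its action says.
    Only single-rule coverage is checked; several earlier narrower rules
    that together cover a later rule are not reported.
    """
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed perimeter rulebase from the transcript: web on 80, mail on 25,
# everything else falls through to the implicit deny.
PERIMETER = [
    Rule("allow-web", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80, "allow"),
    Rule("allow-smtp", "0.0.0.0/0", "192.0.2.25/32", "tcp", 25, "allow"),
]

# Constructed egress rulebase with the shadowing mistake: the broad allow
# comes first, so the block for the malicious host is never reached.
EGRESS_BAD = [
    Rule("allow-websites", "10.0.0.0/8", "0.0.0.0/0", "tcp", 80, "allow"),
    Rule("block-malicious", "10.0.0.0/8", "18.104.22.168/32", "tcp", 80, "deny"),
]

# The fix: the more specific rule moves above the general one.
EGRESS_FIXED = list(reversed(EGRESS_BAD))


if __name__ == "__main__":
    print("SMTP to mail server :", evaluate(PERIMETER, "203.0.113.5", "192.0.2.25", "tcp", 25))
    print("HTTPS to web server :", evaluate(PERIMETER, "203.0.113.5", "192.0.2.10", "tcp", 443))
    print("bad rulebase shadows:", shadowed(EGRESS_BAD))
    print("bad rulebase verdict:", evaluate(EGRESS_BAD, "10.1.2.3", "18.104.22.168", "tcp", 80))
    print("fixed rulebase shadows:", shadowed(EGRESS_FIXED))
    print("fixed rulebase verdict:", evaluate(EGRESS_FIXED, "10.1.2.3", "18.104.22.168", "tcp", 80))
```

Running `shadowed()` over a rulebase is the kind of automated check a periodic rule review should include; real products expose the same idea under names like "rule analysis" or "unused rule" reports. Note the limitation stated in the docstring: coverage by a combination of earlier rules, or by rules using address objects and groups, needs a more elaborate comparison than this single-rule subset test.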
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security