Firewall rulebases often contain hundreds or even thousands of rules, so one of the most important responsibilities of a firewall administrator is to manage that rulebase, paying particular attention to configuration errors. In this video, learn about common firewall configuration errors and proper firewall management techniques.
- [Instructor] Network firewalls play an important role in an organization's overall security posture. They protect the perimeter of the network, blocking any traffic that is not explicitly authorized on that network. Firewalls keep potential attackers at bay, limiting the possibility that attackers will gain unauthorized access to a protected network. The basic function of a firewall is actually quite simple. Each time someone outside the protected network attempts a new connection into the protected network, the firewall consults a list of rules maintained by the administrator.
If it finds a rule that matches the description of the attempted connection, it then follows the action specified by that rule. If the firewall doesn't have explicit instructions for the situation it finds itself in, the firewall follows the default deny principle and blocks the traffic. For example, we might have a firewall rule base for a simple network that contains these three rules. Allow web traffic to a web server on port 80, allow SMTP e-mail traffic to the e-mail server on port 25, and block everything else.
When a packet arrives at the firewall from an external source, the firewall checks it against these rules. For example, if a packet arrives headed to the e-mail server on port 25, the firewall checks the rules in order from top to bottom. It first checks rule one, and neither the port nor the destination match, so it moves on to rule two, and finds that it does match. The firewall then carries out the specified action, which in this case, is to allow the traffic.
Now let's suppose that someone attempts to connect to the web server using a secure https connection on port 443. When that packet arrives, the firewall checks its rules and finds that it does not match rule one, because the ports are different. It also doesn't match rule two, so the firewall denies this connection according to rule three, the default deny rule. Real firewall rule bases often contain hundreds or even thousands of rules, so one of the most important responsibilities of a firewall administrator is to manage that rule base, paying particular attention to configuration errors.
Let's take a look at some common configuration errors. The first error you might find in a firewall rule base is called a shadowed rule. Shadowed rules occur when a rule base contains a rule that will never be executed because of its placement in a rule base. Suppose we have a set of rules, where we want to allow access from the internal network to all websites except a known malicious site with the IP address 126.96.36.199. We might write our rules like this, adding a rule to block access to the malicious site to the bottom of the rule list.
Unfortunately this rule will never be executed. When someone attempts to access the malicious site, the firewall will check its rule base in top down order. It will first find this rule that allows access to any website, and execute it without ever checking our more specific rule, because the specific rule is shadowed by the general rule. We can easily fix this error by rearranging the rule base so that the more specific rule appears first. Now, when someone tries to access the malicious site, the firewall will find this rule first and execute it, blocking the access.
The second common firewall error is promiscuous rules, or rules that allow too much access. This may be the result of laziness when writing the rules, a lack of understanding of how a system functions, or even a simple typo. Promiscuous rules violate the principle of least privilege and jeopardize system security. Orphaned rules are another type of firewall configuration error. They occur when a system or service is decommissioned, but the rules are never removed from the firewall.
Orphaned rules present a security challenge because the IP address used by the decommissioned server may be reused in the future, reactivating the orphaned rule and unintentionally allowing external access to an internal system. Firewall administrators should regularly conduct firewall rule reviews to check for these common errors and maintain a clean, healthy firewall rule base.
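The top-down, first-match evaluation and the shadowed-rule check described above, as an added Python example that is not part of the original course; the web and mail server addresses are constructed placeholders, while the malicious-site address is the one from the transcript:

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    dst: IPv4Network        # destination network the rule applies to
    port: Optional[int]     # None means any port
    action: str             # "allow" or "deny"

ANY = ip_network("0.0.0.0/0")

def first_match(rules: List[Rule], dst_ip: str, port: int) -> Tuple[str, str]:
    """Evaluate rules top to bottom; the first match wins, no match means default deny."""
    addr = ip_address(dst_ip)
    for r in rules:
        if addr in r.dst and (r.port is None or r.port == port):
            return r.name, r.action
    return "default", "deny"

def covers(general: Rule, specific: Rule) -> bool:
    """True if every packet matching `specific` would already match `general`."""
    port_ok = general.port is None or general.port == specific.port
    return port_ok and specific.dst.subnet_of(general.dst)

def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed rule, earlier rule that covers it) pairs; these never fire."""
    found = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                found.append((r.name, earlier.name))
                break
    return found

# Constructed rule base matching the three-rule example (default deny is implicit).
SIMPLE = [
    Rule("allow-web", ip_network("203.0.113.10/32"), 80, "allow"),
    Rule("allow-smtp", ip_network("203.0.113.25/32"), 25, "allow"),
]
# Shadowed: the broad allow sits above the specific block, so the block never runs.
BAD = [
    Rule("allow-web", ANY, 80, "allow"),
    Rule("block-malicious", ip_network("126.96.36.199/32"), 80, "deny"),
]
FIXED = list(reversed(BAD))   # specific rule first, as the transcript recommends
```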
The Certified Information System Security Professional (CISSP) certification is an important component of any security professional's resume, and is a requirement for many top jobs. In this course, prepare for the fourth domain of the exam: Communications and Network Security. Instructor and cybersecurity expert Mike Chapple goes over TCP/IP networking, network security devices, and secure network design. Mike also includes coverage of specialized networking, network attacks, wireless networking, and more. The CISSP exam domains can be found here.
- How IP addresses are assigned and managed
- Multilayer protocols
- VPNs and VPN concentrators
- Designing secure networks
- Firewall management techniques
- Maintaining network availability
- Software defined networking (SDN)
- Port isolation
- Network attacks
- How Wi-Fi networks function
- WPA, WPS, and propagation attacks
- Host-based network security control