Types of Firewall Rules
Firewall rules are defined based on the direction that traffic is traveling. The two types include:
Inbound Rules: Inbound rules are applied to incoming traffic attempting to enter the protected network. Typically, organizations deny inbound traffic by default and then define exceptions for permitted types of traffic. For example, many organizations permit HTTPS and DNS traffic to enter their networks to support employees’ web browsing.
Outbound Rules: Outbound rules specify the types of outgoing traffic permitted to leave the network and often default to allowing traffic out. Organizations then specify the types of traffic that should not be permitted to leave. For example, blocking ICMP traffic at the private network perimeter can help protect against network scanning and information leaks due to error messages.
Components of Firewall Rules
Firewall rules can identify permitted or denied traffic based on a few different features, including:
Source IP Address: The source IP address identifies the origin of the traffic. An organization may block traffic from certain known-bad IP addresses or IP ranges. Alternatively, particular computers or services may be only accessible from allowlisted IP addresses.
Destination IP Address: The destination IP address specifies where the traffic is going. For example, a company may specify that users can’t browse to certain domains that are known to be malicious or in violation of corporate policies.
Protocol Type: Firewall rules may also specify whether the traffic uses the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP). For example, organizations commonly block ICMP traffic at the network perimeter.
Port Range: TCP/UDP ports are used to specify which application is listening for network traffic, and firewall rules use these ports to specify the types of application traffic allowed to enter or leave the network. For example, a firewall rule allowing inbound HTTPS traffic would specify that TCP traffic to port 443 should be permitted to enter the network.
Firewall Rule Evaluation
A firewall will likely be configured with numerous different rules defining the various types of traffic that should be allowed into and out of the protected network.
Each firewall rule will have an associated priority value that instructs the firewall on the order in which the rules should be considered. Typically, firewalls work down through the prioritized rule list until they find a rule that matches. Then, they apply whatever action that rule specifies, such as allowing the traffic through, blocking it, or logging a potentially suspicious traffic flow.
Best Practices for Firewall Rules
A firewall is only as effective as the rules that it enforces. Some important considerations when defining firewall rules include:
Restrictive Rules vs. Permissive Rules: Firewall rules can be created to be more restrictive (default deny) or permissive (default allow) by default. In general, defaulting to denying traffic and then creating exceptions creates a more secure system, while default acceptance ensures that oversights don’t block legitimate traffic.
Customizing Firewall Rules: A firewall solution may come with a set of general “best practice” firewall rules. However, these rules are designed to be “one size fits all” and don’t match an organization’s unique needs. Companies should customize these rules to provide an optimal blend of network security and usability.
Logging and Monitoring Firewall Rules: Firewall rules should implement logging, which should be regularly monitored. This can help detect potential security threats and can aid in identifying incorrect firewall rules that need to be made more restrictive or permissive.
Security Considerations for Firewall Rules
When selecting firewall solutions and defining rules for them, some important security considerations include the following:
Protection Against Unauthorized Access: Inbound firewall rules help to prevent unauthorized access to corporate resources. For example, an organization may block inbound SSH traffic, allowing remote users to only connect to corporate devices via a VPN or other remote access solution.
Handling Unwanted Traffic: Inbound firewall rules can also be used to block unwanted traffic from reaching its intended destination. For example, an organization may block IP addresses known to send spam or be part of a DDoS botnet.
Firewall Rules in Cloud Environments: Cloud environments, such as Google Cloud, should also be protected by firewalls. These platforms have their own built-in firewall capabilities, which should be correctly configured to manage traffic to cloud resources.
Next-Generation Firewalls (NGFWs): NGFWs are firewalls that incorporate advanced security features, such as an intrusion prevention system (IPS) or data loss prevention (DLP). NGFWs are essential to protect against modern, advanced cyberattacks.
Application Level Gateways (ALGs): ALGs are firewalls that operate at the application layer of the OSI model. These firewalls act as proxies, providing additional security to an organization’s applications.
Quantum Force - AI-Powered Firewalls and Security Gateways
A firewall is an essential element of a corporate network security strategy, and NGFWs are vital to protect against modern cyber threats. To learn more about what to look for in an NGFW, check out this buyer’s guide to NGFWs.
Then, find out more about the benefits of an AI-powered NGFW with a free demo of Check Point’s Quantum Force NGFW.
Comentarios