Firewall Operations - Protecting a Critical System
By Gideon T. Rasmussen - CISSP, CFSO, CFSA, SCSA

Security teams must ensure that firewalls are installed, configured and maintained in accordance with mission requirements and the best interests of the organization. There are many reasons why firewall administration must be tightly controlled. Firewalls are inherently complex. Employee turnover can result in a lack of continuity. Firewall logs may be called as evidence in a court case. Many organizations must also meet auditing requirements.

Before installing a firewall, its administrators should become intimately familiar with its features and operations. While there is no substitute for formal training, other resources include system manuals, on-line documentation, manual pages, knowledge base entries and technical support.

If an organization does not have experienced personnel, administrators should engage a consultant to properly install and configure the system. Ensure that administrators are available to participate in the installation and obtain knowledge transfer. Test disaster recovery by reinstalling the firewall software and restoring from backup.

Thoroughly document how each firewall should be installed in a formal configuration standard. Installation must be in strict compliance with system manuals to help ensure stability and compliance with support agreements. A standard should also provide step-by-step instructions. Consider the following topics:

Proxies: Use proxies to limit traffic to designated protocols. Proxies can block file sharing programs such as Kazaa and iMesh. They can also defeat hacking tools. Proxies give administrators granular control over a protocol. For example, CyberGuard's FTP proxy can be configured to permit download and deny upload. The HTTP proxy makes it possible to run multiple Web sites on one system. You’ll find more information about CyberGuard’s proxies here: (

Comments: Include comment entries in the packet filter rules file. Firewall rules grow quickly. It is important to retain the purpose of each rule. Adopt the following format as a standard: "rationale, mm/dd/yy, ticket #, your name."

Grouping: Grouping is very powerful and should be used whenever possible. Grouping reduces the complexity of firewall rules and minimizes the potential for human error. If you have several systems with the same service requirements, create hosts and services groups. The utility of grouping becomes more apparent as the number of systems increases.

Accounts: Create individual accounts for each administrator. Delete the common administrative account. This configuration enhances accountability.

Roles: Use duty roles to grant specific accesses. For example, an auditor should have read-only permissions. Support staff only requires the ability to stop and start the system.

Configuration Tracking: Configuration tracking records changes made during a login session. Its database enables administrators to compare the differences between an older configuration file and the current version. Configuration tracking can also record a user-supplied ticket number.

DNAT: Enable Dynamic Network Address Translation (DNAT) on each external interface. DNAT changes internal IP addresses to the external IP of the firewall with a unique source port. The outside world sees the external address. Upon return the firewall knows which IP to switch back to from the originating source port.

Passwords: Enforce strong password elements. Configure passwords to expire every three months. Password elements should include alpha, numeric and special characters.

Auditing: By default, binary logging is enabled. More than 300 events are logged. Configure activity logging to record security events and the services enabled on the firewall.

Logs: Schedule an export of binary audit logs to an FTP server. Copy system logs to a central syslog server. Configure log management to prevent the system disk from filling up.

Alerts: Configure the firewall to send notification of suspicious events. You can choose from a variety of notification methods including: file, window, e-mail, SNMP trap, pager, syslog and shell command.

Before granting production status to a system, confirm that a scheduled backup has successfully completed. Ensure the system is properly configured by conducting a security vulnerability scan. Also remember to monitor the firewall from a remote location.

Implement a formal change process and incorporate your firewalls into the system development life cycle. In particular, ensure that firewall rules are not left in place when a system is decommissioned. This can represent a serious vulnerability if a system is repurposed or its IP address reissued while firewall rules still provide access from the outside.

Apply new versions and product support updates as they are issued. The operating system’s multi-level security and hardened kernel are the foundation of the cyberGuard “zero vulnerabilities” solution CyberGuard firewalls have achieved Common Criteria EAL4+ certification and maintain that certification through participation in the Assurance Maintenance program. That means that new versions and updates maintain their original certification.

Create an operations guide to ensure continuity. At a minimum it should detail how to stop and start the firewall and restore from backup.

Finally, include firewalls in disaster recovery planning. Store installation media and firewall backups off-site. Confirm that the recovery site has firewall hardware available.

Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission