Perimeter Firewall Best Practices

Author: Martin Voelk
April 16, 2015

A lot of businesses have perimeter firewalls these days, which is a good thing. However, they must be configured appropriately to provide effective threat protection. Regardless of whether you have a Cisco ASA, Juniper SRX, SonicWall, Palo Alto or any other vendor in there, a few best practices apply to them all. Here is a 15-bullet-point cheat sheet for firewall best practice:

15 Best Practices for Firewalls

  • Software versions checked and up to date.
  • Configuration kept off-line, backed up, and access to it limited.
  • Configuration is well-documented, commented.
  • Users and passwords configured and maintained (AAA), and password encryption in use.
  • Access restrictions imposed on Console, Aux and VTYs. Unneeded network servers and facilities disabled. Necessary network services (e.g. DNS) configured correctly. Unused interfaces and VTYs shut down or disabled.
  • Risky interface services disabled.
  • Port and protocol needs of the network identified and checked. Access lists limit traffic to identified ports and protocols.
  • Rules block reserved and inappropriate addresses.
  • Static routes configured where necessary.
  • Routing protocols configured to use integrity mechanisms.
  • Logging enabled and log recipient hosts identified and configured.
  • Firewall’s time of day set accurately, maintained with NTP.
  • Logging set to include consistent time information.
  • Logs checked, reviewed, archived in accordance with local policy.
  • SNMP disabled, or enabled with strong community strings and ACLs; better still, SNMPv3.
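A small configuration audit script for several of the items above (syslog host and timestamps, NTP, SNMP community strings, overly broad access lists, unused interfaces), added here as an example and not part of the original post. It assumes a simplified Cisco ASA-style configuration syntax and runs over a constructed sample config; the prefixes and patterns would need adapting for other vendors.

```python
import re
# Constructed ASA-style sample config (not from the post); syntax is simplified.
SAMPLE_CONFIG = """\
logging timestamp
logging host inside 10.0.0.5
ntp server 10.0.0.6
snmp-server community public
interface GigabitEthernet0/1
 nameif outside
interface GigabitEthernet0/3
 shutdown
interface GigabitEthernet0/4
 description spare
access-list OUTSIDE_IN extended permit ip any any
"""

def interface_blocks(lines):
    """Yield (name, body) for each 'interface ...' stanza in the config."""
    name, body = None, []
    for line in lines + [""]:                 # sentinel flushes the last block
        if line.startswith(" ") and name:
            body.append(line.strip())
            continue
        if name:
            yield name, body
        name = line.split(None, 1)[1] if line.startswith("interface ") else None
        body = []

def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.rstrip() for l in text.splitlines()]
    findings = []
    required = {                              # setting prefix -> finding if absent
        "logging host ": "no syslog host configured",
        "logging timestamp": "syslog timestamps not enabled",
        "ntp server ": "no NTP server configured",
    }
    for prefix, msg in required.items():
        if not any(l.startswith(prefix) for l in lines):
            findings.append(msg)
    for l in lines:
        m = re.match(r"snmp-server community (\S+)", l)
        if m:
            findings.append(f"SNMPv1/v2c community '{m.group(1)}' in use; prefer SNMPv3")
        if re.match(r"access-list \S+ extended permit ip any any$", l):
            findings.append("ACL permits ip any any; limit to identified ports")
    for name, body in interface_blocks(lines):
        if "shutdown" not in body and not any(b.startswith(("ip address", "nameif")) for b in body):
            findings.append(f"unused interface {name} not shut down")
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` reports the weak community string, the permit-any rule and the spare interface that was never shut down, while the syslog, timestamp and NTP checks pass.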