Performance-test your firewalls
Don’t judge your firewall just by how it performs in its default state. A lot of the applications and services that used to be hosted in the data centre are SaaS and cloud-based these days. The packets of traffic generated by mobile devices such as smartphones and tablets that need network access have added to the volume of traffic that must be vetted at the network edge.
Security devices that are ill-equipped to handle the volume and the somewhat unpredictable nature of the traffic can end up seriously increasing latency and degrading the performance of critical applications and services. Firewalls these days have a much bigger load to handle than before. Consider how your policies impact performance.
Make sure policies are written in such a way they don’t slow down performance. Test the performance capabilities of your firewall when all rules are configured, not when it’s in its default state.
Inspect the encrypted stuff
Make sure you can inspect all traffic including the encrypted stuff. A lot of the traffic entering and exiting a network use Secure Sockets Layer (SSL) and Secure Shell (SSH) encryption to protect data in transit. While that’s generally a good thing, the problem is that threat actors also use encryption to hide malicious activity and to conceal communications with compromised systems.
By some estimates, more than one-third of all traffic that hits a corporate network is encrypted. Without a way to decrypt the traffic, your firewalls are going to be blind to any attacks that a threat actor might slip in via encrypted traffic or to any data extraction that might be going on the same way as well, she says. While some newer firewalls are able to decrypt and inspect encrypted traffic, many do not. If your firewalls fall into the latter category, it’s a good idea to have a way to intercept the SSL traffic before it hits your firewall so it can be inspected before being re-encrypted and sent to its destination.
Several vendors sell proxy servers that do the interception at a high enough speed there is no degradation in performance. If you don’t want to, or cannot inspect all encrypted traffic that is entering or exiting your network, you instead can specify traffic the traffic you do want to look at by source or by destination.
Review your rules
Make sure to audit and review your firewall rules periodically. You might have started with a relatively clean set of rules and strict policies for blocking things at the network edge. But over time rules have a way of becoming obsolete, redundant and conflicting. They also have a way of becoming a lot more permissive than the original rules set. It is not unusual at all for firewall administrators to start adding rules to accommodate requests from internal users about rules that might be preventing access to resources they legitimately need.
Over time, such requests can make your rules base a lot less clean than it was when you started out and before you know it you are allowing in traffic that you previously would have restricted. Conflicting rules and misconfigurations are bad enough when you have just a handful of firewalls to manage. But they become a lot harder to catch in organisations that have numerous firewalls and administrators.
Generally, it is a good idea to review your rule sets every six months. Remove the obsolete, the unused, and expired rules. When adding new rules, make sure to look at existing rules first so they don’t duplicate or conflict with something that might already be in place.
In order to ensure the security of your organisation, it is important to put the above processes into practice.