A simple 5-step guide for configuring a firewall: defining zones, configuring settings, and reviewing firewall rules.
Your firewall is a vital part of your network security, as it is the first line of protection against online attackers. Configuring a firewall can be an overwhelming job, but breaking the work down into simpler tasks makes it far more manageable. The following instructions will guide you through the main steps involved in configuring your firewall.
To secure your network, there are several suitable firewall models that can be used. To learn more about your choices, consult your system administrator or a managed IT services provider. Regardless of the firewall that you select, the following measures are important. This guide assumes that you are using an enterprise-grade firewall that can support multiple internal networks and carries out dynamic (stateful) packet inspection.
Please be aware that this guide is only designed to give you an overview of the steps required to set up a firewall. It is recommended that you have a qualified systems administrator or a managed IT services professional configure your firewall for you.
Step 1: Firewall Security
If an attacker can obtain administrative access to your firewall, your network security is functionally worthless. Therefore, the first and most important stage of this process is to secure your firewall. Never use a firewall that is not properly protected by the following configurations at a minimum:
- Make sure your firewall is updated to the latest available firmware.
- Remove any default user accounts and default passwords, and replace them with your own.
- Be sure to use strong alphanumeric passwords.
- Do not share administrator accounts: if you have three system admins, each should have their own account with only the relevant permissions assigned.
Step 2: Configure Your Firewall’s “Zones” & IP Addresses
You should first define what your network’s valuable assets are (for instance, credit and debit card data or client records) in order to secure them. Then design your network structure so that these assets can be grouped together by similar sensitivity level and purpose and put into separate networks (or zones).
For example, all the internet-facing services (web servers, email servers, virtual private network (VPN) servers, etc.) should be located in a dedicated zone that allows restricted inbound traffic from the internet (this region is often referred to as a demilitarised zone or DMZ). Conversely, servers that should not be directly available from the internet, such as database servers, must instead be located in internal server zones. Workstations, POS devices, and VoIP systems should typically be located in internal network zones as well.
In general, the more zones you make, the safer the network will be. But be aware that it takes more time and energy to manage more zones. Consider the best balance between administrative resources and network security.
Step 3: Configure Your Access Control Lists
Once your zones are set up, you can decide precisely which traffic needs to be able to flow into and out of each zone.
This traffic is permitted using firewall rules called access control lists (ACLs), which are applied to each of the firewall’s interfaces or sub-interfaces.
Whenever practicable, make your ACLs specific to the source and/or destination IP addresses and port numbers. Ensure there is a “deny all” rule at the end of every access control list to screen out all unauthorised traffic.
Implement both inbound and outbound ACLs on each firewall interface and sub-interface so that only approved traffic is permitted to and from each zone.
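As an added example (not part of the original guide), the following Python model shows how a first-match ACL evaluates traffic between the zones described above, and why the trailing “deny all” rule matters: without it, traffic that matches no rule is left unmatched, which many platforms treat as permitted. The zone addresses, hosts and rules are constructed for illustration only.

```python
# Added example, not from the original guide: a toy first-match ACL
# evaluator for the zone design above. Addresses and rules are constructed.
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    src: str               # source CIDR, or "any"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int]   # None matches any destination port

def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def evaluate(acl, src_ip, dst_ip, dport):
    """Action of the first matching rule, or "unmatched" if none matches.
    Unmatched traffic is permitted on many platforms, which is why every
    ACL needs an explicit deny-all as its last rule."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if s in _net(r.src) and d in _net(r.dst) and r.dport in (None, dport):
            return r.action
    return "unmatched"

def ends_with_deny_all(acl):
    """Review check: the ACL must finish with an explicit deny-all rule."""
    return bool(acl) and acl[-1] == Rule("deny", "any", "any", None)

# Constructed zones: DMZ 203.0.113.0/24, internal servers 10.0.10.0/24,
# workstations 10.0.20.0/24 (all documentation/private ranges).
# Inbound ACL on the internet-facing interface: only the published services.
OUTSIDE_IN = [
    Rule("permit", "any", "203.0.113.10/32", 443),   # public web server
    Rule("permit", "any", "203.0.113.20/32", 25),    # mail server
    Rule("deny", "any", "any", None),
]
# Inbound ACL on the DMZ interface: the web server may reach only the database.
DMZ_IN = [
    Rule("permit", "203.0.113.10/32", "10.0.10.5/32", 5432),
    Rule("deny", "any", "any", None),
]
# Outbound ACL for the workstation zone that forgot the trailing deny-all.
WORKSTATIONS_OUT_BAD = [Rule("permit", "10.0.20.0/24", "any", 443)]
```

Running ends_with_deny_all over every ACL is a cheap automated version of the double-check in Step 5.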
Step 4: Set Up Your Remaining Firewall Services
If your firewall also has the capability to act as a dynamic host configuration protocol (DHCP) server, intrusion prevention system (IPS), or network time protocol (NTP) server, now is the time to configure these services if you wish to use them. If there are services you do not wish to use, deactivate them to make the future management of your firewall simpler.
Step 5: Test & Double-Check Your Firewall
Check that your firewall is functioning as expected in a test setting. Don’t forget to check that traffic that should be restricted via your ACL settings is correctly blocked by your firewall. Both vulnerability scanning and penetration testing should be carried out when testing the firewall.
Now that you have finished testing, be sure to keep a backup of your firewall configuration in case you ever need to reconfigure it from scratch.
Ongoing Management Of Your Firewall
The work does not end once the firewall is configured. Detailed logs, reporting of blocked connections, firmware updates, regular testing – these are all required to make sure your firewall stays effective. If you do not have your own in-house IT department, it is recommended that you consult with a managed IT services provider. When it comes to network firewall security, a managed firewall is always more secure than an unmanaged firewall.