TO PARAPHRASE THAT WINNING EXPRESSION from the 1992 U.S. presidential campaign, “It’s the data, stupid.” Both the sophistication and the breadth of cyberattacks are growing at a dizzying pace today. From hardware design flaws to ever more sophisticated exploits, clients and their data are in great peril, with their firewall standing sentry. Here’s how to configure that firewall for maximum effectiveness.
Most of us can apply a subnet to a firewall, set up a couple of zones, and configure a WPA2 passphrase and even a quick site-to-site VPN about as fast as we can eat lunch. With the time and money pressures clients place upon us, this is often as far as we go. That’s a big mistake, though, that not only shortchanges our clients, but potentially leaves big holes that we’ll have to plug sooner or later.
A more thorough configuration process begins with a predeployment client interview. We use that time to gather information such as where the client’s customers and business associates are geographically, what they expect of their wireless (for those that use integrated or firewall-managed wireless), who needs remote access, to what and from which devices, and more. This process not only identifies crucial details but alerts our clients to some of the complexities of securing their site(s) and the policies they must enact to stay secure.
The Basics: Scanning, Content Filtering
It goes without saying that we have to configure zones, set up the subnet on the WAN, and configure deep packet inspection. While you’re at it, don’t overlook content filtering. Be sure to enable GeoIP and botnet filtering as well, but work through how and where the client does business first. You may find the client has more international traffic (from Akamai and Office 365 hosts, for example) than you expected.
The modus operandi here is to start with the most restrictive policy and work your way back from there. Using hosted email makes this much simpler, as you don’t need to open the customer’s SMTP ports to the world.
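The most-restrictive-first approach above, and the GeoIP and botnet filtering from the previous section, can be modeled as a small policy evaluator. The following is an added example, not code from the article or from any firewall vendor: every flow is denied unless an explicit zone rule allows it, the WAN-side address is checked against a botnet feed and a GeoIP allowlist of the countries the client does business in, and business-driven exceptions (a CDN edge, for instance) let legitimate international hosts through without opening the whole country. All zones, prefixes, country assignments and feed entries are constructed for illustration.

```python
"""Default-deny zone policy with GeoIP and botnet filtering (added example, not from the article)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AllowRule:
    name: str
    src_zone: str
    dst_zone: str
    dst_ports: frozenset


# Constructed GeoIP prefixes; a real table comes from the firewall's GeoIP feed.
GEOIP = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "DE",
    ip_network("192.0.2.0/24"): "BR",
}
# Countries the client actually does business in (learned in the predeployment interview).
ALLOWED_COUNTRIES = {"US", "DE"}
# Hosts outside those countries the client still depends on (constructed CDN prefix).
GEO_EXCEPTIONS = {ip_network("192.0.2.128/25"): "cdn-edge"}
# Constructed botnet feed entries.
BOTNET_IPS = {ip_address("203.0.113.66")}

# Explicit allow rules, evaluated first match wins; nothing else is permitted.
ALLOW_RULES = [
    AllowRule("lan-web-out", "LAN", "WAN", frozenset({80, 443})),
    AllowRule("public-web", "WAN", "DMZ", frozenset({443})),
]


def country_of(addr):
    ip = ip_address(addr)
    for net, cc in GEOIP.items():
        if ip in net:
            return cc
    return None  # unknown prefix: treated like a non-allowed country


def geo_exception(addr):
    ip = ip_address(addr)
    for net, label in GEO_EXCEPTIONS.items():
        if ip in net:
            return label
    return None


def evaluate(flow):
    """Return (action, reason). Everything not explicitly allowed is denied."""
    # GeoIP and botnet filtering reason about the address on the WAN side of the flow.
    if flow.src_zone == "WAN":
        remote = flow.src_ip
    elif flow.dst_zone == "WAN":
        remote = flow.dst_ip
    else:
        remote = None

    if remote is not None:
        if ip_address(remote) in BOTNET_IPS:
            return ("deny", "botnet-filter")
        cc = country_of(remote)
        if cc not in ALLOWED_COUNTRIES and geo_exception(remote) is None:
            return ("deny", f"geoip:{cc or 'unknown'}")
        # An exception only lets the flow proceed to the zone rules; it is not an allow.

    for rule in ALLOW_RULES:
        if (rule.src_zone, rule.dst_zone) == (flow.src_zone, flow.dst_zone) \
                and flow.dst_port in rule.dst_ports:
            return ("allow", rule.name)
    return ("deny", "default")


if __name__ == "__main__":
    for f in [Flow("WAN", "DMZ", "203.0.113.10", "10.0.1.5", 443),
              Flow("WAN", "DMZ", "192.0.2.10", "10.0.1.5", 443),
              Flow("LAN", "WAN", "10.0.0.8", "192.0.2.200", 443),
              Flow("WAN", "LAN", "203.0.113.10", "10.0.0.8", 3389)]:
        print(f, evaluate(f))
```

Note that a GeoIP exception is deliberately not an allow: a CDN host that is exempt from country filtering still has to match a zone rule, so the exception never becomes a hole. Inbound SMTP has no rule at all, which is the hosted-email case the text describes.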
Though not strictly a firewall configuration task, setting up DNS filtering at this stage is very important as well. Using a DNS filtering service that blocks traffic to known “bad actors” (such as malware command and control servers) can spell the difference between another day at work and a real disaster for your client.
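To make the DNS filtering decision concrete, here is an added example (not the article's code, and not any filtering service's implementation) of how a filtering resolver decides to sinkhole a lookup, replayed over constructed resolver log lines so that blocked queries and the internal hosts that made them are visible. The threat list, the allowlist, the log format and all names and addresses are constructed assumptions; a real deployment gets its list from the filtering service's feed.

```python
"""DNS filtering policy replayed over constructed resolver logs (added example, not from the article)."""
import re

SINKHOLE = "0.0.0.0"  # answer returned instead of the real address for a blocked name

# Constructed threat list: an entry matches itself and every subdomain beneath it.
BLOCKLIST = {"c2.bad-actor.example", "dropper.example"}
# Business-critical names that must never be blocked, whatever a feed says.
ALLOWLIST = {"updates.vendor.example"}

# Constructed log format: "<timestamp> <client-ip> query <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def normalize(name):
    """Strip the trailing root dot and fold case so list lookups are exact."""
    return name.rstrip(".").lower()


def matched_entry(qname, entries):
    """Return the list entry that covers qname (label-wise suffix match), or None."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None


def policy(qname):
    """Return ("pass", None) or ("sinkhole", matched_entry); allowlist wins over blocklist."""
    if matched_entry(qname, ALLOWLIST):
        return ("pass", None)
    hit = matched_entry(qname, BLOCKLIST)
    if hit:
        return ("sinkhole", hit)
    return ("pass", None)


def answer(qname, real_address):
    """What the resolver hands back: the real address or the sinkhole."""
    action, _ = policy(qname)
    return SINKHOLE if action == "sinkhole" else real_address


def replay(log_lines):
    """Apply the policy to each parsed query; return (client, qname, matched) for blocked ones."""
    blocked = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        action, hit = policy(m["qname"])
        if action == "sinkhole":
            blocked.append((m["client"], normalize(m["qname"]), hit))
    return blocked


def affected_clients(blocked):
    """Internal hosts that tried to reach a blocked name; these are the machines to look at."""
    return sorted({client for client, _, _ in blocked})


# Constructed log lines for the replay.
SAMPLE_LOG = [
    "2024-05-02T10:15:01Z 10.0.0.21 query A updates.vendor.example",
    "2024-05-02T10:15:03Z 10.0.0.21 query A beacon.C2.bad-actor.example.",
    "2024-05-02T10:15:09Z 10.0.0.34 query AAAA www.vendor.example",
    "2024-05-02T10:15:12Z 10.0.0.34 query A dropper.example",
    "2024-05-02T10:15:20Z 10.0.0.50 query A notdropper.example",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits = replay(SAMPLE_LOG)
    for client, name, entry in hits:
        print(f"{client} -> {name} (matched {entry})")
    print("hosts to investigate:", affected_clients(hits))
```

Two details matter in practice: the match is label-wise, so `notdropper.example` is not caught by the `dropper.example` entry, and the allowlist is checked first so that a feed entry can never take down a name the client's business depends on. The blocked-client list is the part worth feeding into monitoring, since a workstation resolving a known command and control name is the early warning the text refers to.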