Firewall Policy Best Practices for Security Engineers
Firewalls are often viewed as the first line of defense in an organization’s cybersecurity posture, so designing and implementing an effective firewall policy is a critical skill set. INE recently released the Check Point Certified Security Administrator (CCSA) Learning Path to help Check Point Firewall administrators and system/support engineers upskill and improve their organization’s network security.
Whether you work with Check Point’s Next Generation Firewall or one of its competitors, you can use this Firewall Policy Best Practices Guide from Security Instructor Piotr Kaluzny to drive how you design and implement your firewall policy.
General Firewall Policy Best Practices
Develop a comprehensive understanding of your organization's network
The first step in developing a firewall policy is fully mapping and understanding the network infrastructure: identify every network resource, device, and application that is part of the network. Documentation such as diagrams and flowcharts of how these parts of the infrastructure interact will be critical to the final policies. With a complete picture of the infrastructure, a security engineer can assess all possible traffic patterns and flows and begin to identify potential vulnerabilities.
Define clear security objectives
Once mapping and documentation are complete, define clear security objectives, based not only on the findings from that initial process but also aligned with the overall security policy and goals your organization has in place. Which types of traffic should be allowed and which blocked? Which users or groups should have access to specific resources, and with what permissions? The Role-Based Access Control (RBAC) model is a helpful structure for many organizations.
Harden and properly configure the firewall
If you use an all-in-one firewall appliance, its operating system has most likely been hardened by the vendor. But don’t count on it. When deploying any software firewall solution, verify that the OS is patched and hardened.
Implement the principle of least privilege
What is the Principle of Least Privilege (POLP)? Essentially, it means giving people keys only to the doors they really need to open. It’s a fundamental security principle, and it applies to firewall policies, too. Firewalls from vendors like Check Point allow administrators to break the policy down into sections, where rules can be grouped by user role, function, department, and so on.
Use a default deny policy
A default deny policy essentially acts as the doorman of an exclusive club: if someone isn’t on the list, they don’t get in. This best practice reduces the risk of unauthorized access. The rule that enforces it is known as the “Cleanup Rule” in Check Point’s nomenclature.
Regularly review and update firewall policies
Like all security policies, firewall policies are not set-it-and-forget-it. As part of your firewall policy, establish a regular cadence for review and updates. Network infrastructures evolve over time to meet business objectives, so your firewall policy must keep pace to avoid opening gaps. Are you staying up to date on new security threats? Those should be addressed as they emerge, rather than waiting for the next regularly scheduled policy review. An outdated security policy is an ineffective security policy.
Implement network segmentation
Segmentation is the practice of dividing a network into smaller, isolated segments to reduce the attack surface and limit the spread of attacks. Network security engineers can implement segmentation in their firewall policies to reduce the risk of lateral movement in the event of a security breach.
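As an added example (not code from the original post or from the CCSA course), here is a small Python model of a first-match access rulebase that ties together the least-privilege sections, the cleanup rule, the review cadence, and the segmentation points above: it evaluates constructed flows top-down and runs the review checks a policy owner would want, flagging a missing cleanup rule, any/any/any accepts, and rules shadowed by a broader rule above them. All rule names and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp/443", or "any"
    action: str   # "accept" or "drop"

def _covers(a: str, b: str) -> bool:
    """True if network object a (CIDR or 'any') contains everything b matches."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))

def _svc_covers(a: str, b: str) -> bool:
    return a == "any" or a == b

def evaluate(rulebase, src, dst, service):
    """Top-down first match, the way an access rulebase is processed.
    A flow that reaches the end unmatched is dropped without a log entry,
    which is why an explicit cleanup rule (any/any/any drop, logged) belongs last."""
    for rule in rulebase:
        if (_covers(rule.src, src + "/32") and _covers(rule.dst, dst + "/32")
                and _svc_covers(rule.service, service)):
            return rule.action, rule.name
    return "drop", "implicit drop (not logged)"

def lint(rulebase):
    """Review checks: cleanup rule present, no any/any/any accept,
    no rule made unreachable (shadowed) by a broader rule above it."""
    findings = []
    last = rulebase[-1]
    if not (last.src == last.dst == last.service == "any" and last.action == "drop"):
        findings.append("missing cleanup rule: last rule must be any/any/any drop")
    for j, r in enumerate(rulebase):
        if r.action == "accept" and r.src == r.dst == r.service == "any":
            findings.append(f"rule {j + 1} '{r.name}': any/any/any accept violates least privilege")
        for i, p in enumerate(rulebase[:j]):
            if _covers(p.src, r.src) and _covers(p.dst, r.dst) and _svc_covers(p.service, r.service):
                findings.append(f"rule {j + 1} '{r.name}' is shadowed by rule {i + 1} '{p.name}'")
                break
    return findings

# Constructed sample rulebase: one section per department segment, then the cleanup rule.
POLICY = [
    Rule("HR to HR app",  "10.10.0.0/24", "10.20.0.10/32", "tcp/443",  "accept"),
    Rule("Finance to DB", "10.30.0.0/24", "10.40.0.5/32",  "tcp/1433", "accept"),
    Rule("Cleanup rule",  "any",          "any",           "any",      "drop"),
]
```

An HR host reaching the finance database is stopped by the cleanup rule, which is the segmentation boundary the post describes; prepend an any/any/any accept and `lint` reports both the least-privilege violation and that every later rule, the cleanup rule included, is shadowed.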
Use advanced threat detection technologies
Your firewall should not fight alone; let it call on its wingmen. In most organizations you probably already use Application Control, Threat Prevention, and SSL Inspection policies. Implement advanced threat detection technologies, such as intrusion detection and prevention systems (IDPS), to detect and prevent advanced threats that may bypass traditional firewall policies.
Firewall Policy in the Future
The future arrives quickly, so network security engineers should always be considering what to do next. Threats increase exponentially every day, so it is no surprise that the IT community is embracing zero-trust network architecture. What may be more surprising is the move to automation and orchestration. Network security engineers may be tempted to do everything manually so they can assess it all themselves, but automation tools for firewall policy management can simplify the process and reduce the risk of human error. Check Point offers a variety of APIs to quickly integrate the firewall with different automation tools.
As organizations increasingly adopt cloud-based services, network security engineers must adapt their firewall policies to address the unique security challenges of the cloud. Cloud-native security solutions, such as cloud access security brokers (CASB), can help organizations protect their cloud-based assets and enforce security policies.
Regardless of whether you’re just getting started in firewall policy implementation or you’re a seasoned pro, you need to take the time to assess the policy you have in place and ensure it is aligned with today’s and tomorrow’s technology and threat landscape. To learn more specifically about the Check Point Next Generation Firewall, check out the Check Point Certified Security Administrator (CCSA) Learning Path today!