Published on
O'Reilly (http://oreilly.com/)
12 Tips on Building Firewalls
by D. Brent Chapman, Elizabeth D. Zwicky, Simon Cooper
07/01/2000
- A firewall implements your security policy.
A firewall enforces
some security policy. If you didn't have a security policy before you put
the firewall in place, you do now. It may be unwritten, but it's still a
security policy. If you haven't made explicit decisions about what you want
the security policy to be, it's probably not the best policy for your site,
and it will certainly be difficult for you to maintain it over time. In
order to have a good firewall, you need a good security policy--one that is
written down and widely agreed to.
- A firewall is not usually a single device.
Except in the most
simple of cases, a firewall is seldom a single device; it is usually a
collection of devices acting in concert. Even if you buy a commercial
"all-in-one" firewall appliance, you'll still have to configure other
machines (your public web server, for example) to work along with it. And
these other machines should really be regarded as part of the firewall.
This has all sorts of implications for how you configure and manage these
machines, what they trust, what trusts them, and so on. You cannot simply
choose one box, call it "the firewall," and expect it to assume all
responsibility for security.
- Firewalls are not off-the-shelf items.
Selecting a firewall is
more like buying a house than choosing where to go on vacation. Firewalls
and houses are complicated, you have to live with them every day, and you
use them for more than just a week or two. Both need to be maintained,
otherwise the weather gets to them or they fall apart. Building a firewall
requires carefully selecting and configuring a solution that meets your
needs, and then consistently maintaining it over time. There are a lot of
decisions to be made, and the answer that's right for one site may be
completely wrong for another.
- A firewall will not solve all your problems.
Don't expect a
firewall to give you security all by itself. A firewall protects you from
a certain class of threats, where people on the outside attempt to attack
the inside directly. It won't protect you from people on the inside; it
won't even protect you from every attack from the outside; just those it
can detect.
- Use a default deny policy.
Your normal approach should be to
deny everything and only allow things you know are both necessary and
safe. New vulnerabilities arise every day; trying to shut out just what's
unsafe means fighting a constant battle to keep up.
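To make the difference concrete, here is an added example (not from the book or the authors) that models a tiny first-match packet filter and evaluates the same unreviewed service under both policies. The rule model, the port numbers and the "new service on port 9200" are all constructed for illustration and are not any real firewall's syntax or configuration.

```python
"""Default-deny versus default-allow, modelled as a first-match packet filter.

Constructed illustration: each rule matches on protocol and destination
port and carries an action; the first matching rule wins, and the default
policy applies when nothing matches.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp" or "udp"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    """Return "allow" or "deny" for pkt: first matching rule wins, else default."""
    for rule in rules:
        if rule.proto == pkt.proto and (rule.dport is None or rule.dport == pkt.dport):
            return rule.action
    return default


# Policy A (constructed): default allow, with denies only for services the
# administrator already knows to be unsafe. Anything not on the list is open.
DEFAULT_ALLOW_RULES = [
    Rule("tcp", 23, "deny"),    # telnet
    Rule("tcp", 513, "deny"),   # rlogin
    Rule("tcp", 514, "deny"),   # rsh
]

# Policy B (constructed): default deny; only what is known to be both
# necessary and safe is explicitly opened.
DEFAULT_DENY_RULES = [
    Rule("tcp", 25, "allow"),   # inbound mail to the mail relay
    Rule("tcp", 80, "allow"),   # the public web server
]


def exposed_ports(rules: List[Rule], default: str, ports: List[int]) -> List[int]:
    """Return the subset of TCP ports that the policy lets through."""
    return sorted(p for p in ports if evaluate(rules, default, Packet("tcp", p)) == "allow")


def compare_policies(ports: List[int]) -> Dict[str, List[int]]:
    """Show what each policy exposes for the same set of listening services."""
    return {
        "default_allow": exposed_ports(DEFAULT_ALLOW_RULES, "allow", ports),
        "default_deny": exposed_ports(DEFAULT_DENY_RULES, "deny", ports),
    }


if __name__ == "__main__":
    # Constructed scenario: someone stands up a new service on port 9200
    # without telling the firewall administrator.
    listening = [23, 25, 80, 9200]
    print(compare_policies(listening))
```

Under the default-allow policy the unreviewed port 9200 is reachable the moment it starts listening; under default-deny it stays closed until someone makes a deliberate decision to open it, which is the behaviour the tip is arguing for.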
- Give in gracefully, but not easily.
People will always want to do
unsafe things. If you allow every request, you will end up with an insecure
network. If you deny every request, you will still end up with an insecure
network; you just won't know where the insecurities are because people will
have hidden them from you. People who cannot work with you will work around
you every time. You need to find ways to meet people's needs, even if those
ways involve some amount of controlled risk.
- Use a layered approach.
Don't depend on a single device in a
single place. Instead, put together multiple layers of security, so that no
single failure will immediately compromise what you care most about.
- Only install what you need.
Firewall machines should not be
configured with a vendor's complete software distribution like normal
computers. Any machine that is part of a firewall should be stripped to a
bare minimum. Even if you think something is safe, don't install it unless
you actually need it.
- Use all available resources.
Don't build a firewall based on
information from a single source, particularly if that source is not a
vendor. There are a large number of resources available: vendor information,
our book, mailing lists, and web sites, for example.
- Trust only what you verify.
Don't trust the manual, the check
boxes in the graphical user interface, or the vendor's statements about the
way something works. Test to make sure connections that should be denied
are denied. And test to make sure connections that should be allowed are
allowed.
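The testing the tip calls for can be scripted rather than done by hand. The following is an added example, not from the book: it takes a list of expectations (host, port, should this be reachable?) and reports every case where observed reachability disagrees with the policy. The loopback listener it starts and the ports it chooses are constructed so the script can exercise itself offline; in practice the expectations list would be filled in from your written security policy and run from both sides of the firewall.

```python
"""Verify that allowed connections are allowed and denied ones are denied.

Added example. probe_tcp() observes reachability with a plain TCP connect;
verify_policy() compares observations with the policy you think you have.
"""
import socket
import threading
from typing import List, Tuple

Expectation = Tuple[str, int, bool]   # (host, port, should_be_reachable)


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes, False otherwise."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, unreachable, ...
        return False


def verify_policy(expectations: List[Expectation], timeout: float = 1.0) -> List[str]:
    """Return one message per expectation that the network did not honour."""
    mismatches = []
    for host, port, should_be_open in expectations:
        observed = probe_tcp(host, port, timeout)
        if observed != should_be_open:
            mismatches.append(
                f"{host}:{port} expected "
                f"{'open' if should_be_open else 'closed'} but observed "
                f"{'open' if observed else 'closed'}"
            )
    return mismatches


def _start_loopback_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a permitted service: accept and close connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:             # listener closed; stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def _pick_closed_port() -> int:
    """Constructed stand-in for a denied service: a port nothing listens on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def self_check() -> List[str]:
    """Run the verifier against loopback: one correct allow, one correct deny,
    and one deliberately wrong expectation so a mismatch is produced."""
    srv, open_port = _start_loopback_listener()
    closed_port = _pick_closed_port()
    expectations = [
        ("127.0.0.1", open_port, True),     # allowed and reachable: fine
        ("127.0.0.1", closed_port, False),  # denied and unreachable: fine
        ("127.0.0.1", closed_port, True),   # policy says open, network says closed
    ]
    try:
        return verify_policy(expectations)
    finally:
        srv.close()


if __name__ == "__main__":
    for line in self_check():
        print("MISMATCH:", line)
```

A run that prints nothing means every expectation held; each printed line is either a hole in the firewall (something reachable that the policy says should not be) or a broken service (something the policy permits that cannot be reached), and both deserve a look.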
- Reevaluate decisions over time.
The house you bought five years
ago may not be the one that suits your needs today. Similarly, the firewall
you installed a year ago may no longer be the best solution for your
situation today. With a firewall you should regularly reevaluate your
decisions and needs to make sure you still have an appropriate solution.
Changing your firewall, like moving to a new house, will require
significant effort and careful planning.
- Expect failure.
Plan for the worst. Machines will go down,
well-intentioned people will do the wrong thing, evil-intentioned people
will succeed in damaging you. But make sure it's not a total catastrophe
when these things happen.
Elizabeth D. Zwicky is a director at Counterpane Internet Security,
a managed security services company. She has been doing large-scale Unix
system administration and related work for 15 years, and was a founding
board member of both the System Administrators Guild (SAGE) and BayLISA
(the San Francisco Bay Area system administrators group), as well as a
nonvoting member of the first board of the Australian system administration
group, SAGE-AU. She has been involuntarily involved in Internet security
since before the 1988 Morris Internet worm.
Simon Cooper is a computer professional currently working in Silicon
Valley. He has worked in different computer-related fields ranging from
hardware through operating systems and device drivers to application
software and systems support in both commercial and educational
environments. He has an interest in the activities of the Internet
Engineering Task Force (IETF) and USENIX, is a member of the British
Computer Conservation Society, and is a founding member of the Computer
Museum History Center.
D. Brent Chapman is a networking professional in Silicon Valley. He
has designed and built Internet firewall systems for a wide range of
organizations, using a variety of techniques and technologies. He is the
founder of the Firewalls Internet mailing list, and creator of the
Majordomo mailing list management package. He is the founder, principal,
and technical lead of Great Circle Associates, Inc., a highly regarded
strategic consulting and training firm specializing in Internet networking
and security.
Copyright © 2009 O'Reilly Media, Inc.