Security

Frequent Contributor I
Posts: 126
Registered: 07-06-2010

Firewall Policies best practices?

OK, so we have been using FW policies for quite a while now, but I was wondering what the consensus is for best practice?

Should we create a bunch of individual deny rules, create a larger single deny rule for the entire policy, or create only allow policies and then deny all? I know there are a couple more ways to do this as well, but I was wondering what the best practice is, or if there is one.

We currently have all our services/servers/destinations set up in aliases, and have some things grouped (DNS servers, Active Directory servers, etc.). This makes rule creation quite easy.

On another note, is there any way to change the name of a rule after it's been created (we want to use a different naming convention...)?

Thanks,

Dan


MVP
Posts: 3,009
Registered: 10-25-2011

Re: Firewall Policies best practices?

Well, for firewall rules you should always create the most specific rules first and the most general rules at the end.

Let's say you have 5 rules. You create the most specific rule in number one, the second most specific rule in number two, and so on.

Yes, always use aliases, that's a good practice... as you well said, it's easy to manage it that way.

If you have many servers to deny, no, don't do many rules for that; just one alias which contains all the servers, that's the way... if you want to add another server, just add it to the alias... and that's it... always use aliases when you can, which are like a group of firewall objects.

If you can build one rule instead of 5 individual rules denying each server, do so... don't do 5 rules denying the servers one by one...

I don't know if that answers your questions; if not, please reply and try to explain it to me more simply. My native language is not English, but I'm willing to help if I can.

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Frequent Contributor I
Posts: 126
Registered: 07-06-2010

Re: Firewall Policies best practices?


That sounds like I am thinking about this the correct way. This is what I am currently doing for one of our more restrictive roles (in this order):

[permit]
dhcpd-acl
local DNS servers (DNS ports only, UDP/TCP)
Active Directory
File/print server
local HTTPS/HTTP services (2 servers)
WSUS service

[drop]
All local networks (every private IP range)

[permit]
Allow all
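Added example, not code from this thread or from Aruba: a small first-match evaluator for a role policy shaped like the one above (permit specific services, drop every private range, then allow all), with a check that flags rules a misordering would shadow, which is the failure Carlos's "most specific first" advice prevents. The addresses, ports and alias contents are constructed sample values.

```python
# Added example, not code from the thread: a tiny first-match evaluator for a
# role policy shaped like Dan's (permit specific services, drop every private
# range, then allow all), plus a check that flags rules shadowed by an earlier
# rule. Addresses, ports and alias contents are constructed sample values.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# action is "permit"/"drop"; dsts is an alias (tuple of networks);
# proto is "udp", "tcp" or "any"; port is a destination port or None for any.
Rule = namedtuple("Rule", "name action dsts proto port")
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def alias(*cidrs):
    return tuple(ip_network(c) for c in cidrs)

# Dan's ordering: most specific first, catch-all last.
POLICY = (
    Rule("local-dns", "permit", alias("10.0.0.53/32", "10.0.0.54/32"), "any", 53),
    Rule("active-directory", "permit", alias("10.0.1.0/24"), "any", None),
    Rule("drop-private", "drop", alias(*RFC1918), "any", None),
    Rule("allow-all", "permit", alias("0.0.0.0/0"), "any", None),
)

def matches(rule, dst, proto, port):
    return (any(ip_address(dst) in n for n in rule.dsts)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))

def evaluate(policy, dst, proto, port):
    """First match wins; a flow no rule matches is dropped."""
    for rule in policy:
        if matches(rule, dst, proto, port):
            return rule.action, rule.name
    return "drop", "implicit-deny"

def covers(earlier, later):
    """True if every destination/proto/port of `later` would already hit `earlier`."""
    return (all(any(n.subnet_of(m) for m in earlier.dsts) for n in later.dsts)
            and earlier.proto in ("any", later.proto)
            and earlier.port in (None, later.port))

def shadowed(policy):
    """Rules that can never fire: a single earlier rule with the other action covers them."""
    return [r.name for i, r in enumerate(policy)
            if any(covers(e, r) and e.action != r.action for e in policy[:i])]

if __name__ == "__main__":
    for flow in (("10.0.0.53", "udp", 53), ("10.0.5.7", "tcp", 445), ("203.0.113.10", "tcp", 443)):
        print(flow, evaluate(POLICY, *flow))
    # Same rules with the private-range drop moved to the top: DNS and AD are now shadowed.
    misordered = (POLICY[2],) + POLICY[:2] + POLICY[3:]
    print("shadowed:", shadowed(misordered))
```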

MVP
Posts: 3,009
Registered: 10-25-2011

Re: Firewall Policies best practices?

Just 3 rules and the most specific to the most general rule... looks good to me.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Frequent Contributor I
Posts: 126
Registered: 07-06-2010

Re: Firewall Policies best practices?

Just an interesting tidbit.

After implementing these policies for our students we have seen a noticeable positive impact on performance. We were suspecting that we had a bit of traffic from student machines that was related to IP issues from their home networks, and/or networked printers or other devices at home. Since we started restricting traffic and explicitly blocking all private IP ranges we are seeing better performance than ever... (we are also seeing a TON of blocked IP traffic to private IP ranges...)

 

-Dan

MVP
Posts: 3,009
Registered: 10-25-2011

Re: Firewall Policies best practices?

Good to know it's working better!!


Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp