It seems like security and maintenance are a direct tradeoff. Are there some known best practices?
There is a difference between the policies that govern a firewall and the technical rules that implement those policies. Good policy doesn't change much from a tiny network - even a single system - to the largest multinational.
Policy comes from management. You, the SME (Subject Matter Expert) have to assist management in developing good policy, but make no mistake - you can't do it for them. Fortunately you seem to have a pretty good grasp on the needs: Simple, secure, supportable.
Determine first what the purpose is. This is bigger than you might think, because it ties into what the network is for, and your acceptable use policy. Don't have one? Stop right now and put one together. It's not possible to proceed without determining what you will, and will not allow on your network.
Next, figure out what you are protecting: your assets. Sounds too simple, but I have talked with many network engineers who dismiss the need to protect, for example, their printers, which then become a potential jump host. Or dismiss cell phones as 'toys', ignoring the common practice of plugging into a USB port for power or data transfer. Normally this will be all of your computing equipment, and of course your data - but everything does not have the same value. A kiosk with public information doesn't need the same protection as the company financials or HIPAA data.
Then determine what you are protecting from. It's not enough to say 'all viruses' or 'hackers'; determine what you can stop, where the greatest threats are for today and tomorrow. Like all policies, keep it general or you'll be rewriting it every 3 months with no time left for adapting the rules. You might want to state, for example, that general use web sites are allowed but gaming during business hours is not. If you allow social media (one of the quickest wars IT ever lost), make sure that excessive use will be handled by the manager, and that all Internet traffic is monitored.
That's about it. Demonstrate how applying the policy with the available technology protects the business, get sign off by upper management and you're done. Well, almost. You still have to apply policy to your firewall, but that is a separate task. reviewer144966 above makes some particularly good points about config and change management, but there are some hints I can provide:
Work from the most general to the specific, also known as managing by exception. So, packet filtering first, then proxy. Allow all web traffic in the first filter, but block sites and applications by reputation filters. Small, site-specific protocols and ports can then be handled as exceptions to the blanket deny on any ruleset. Send any allowed traffic through a malware scanner whenever possible. Make logging decisions carefully; it is easy to overwhelm the system by 'checking all'.
How you apply these general rules to a specific situation and firewall platform can vary greatly, but if you apply the rules as stated you won't go too far wrong.
Managing a firewall properly boils down to good configuration and change management policies. Unfortunately, configuration management is difficult to maintain as firewall products do not seem to have a good way to export their settings in a human readable form. Consequently, the more firewalls you have, and the more application requirements for custom firewall rules, the more likely it is that you will lose visibility into the current state of the firewall(s).
I lean towards IT being a business enabler, so firewall changes should be accommodated as much as possible. On the flip side, the company should commit to providing IT the tools to manage and track the firewall changes to reduce the maintenance overhead and minimize the security risks.
As part of a policy, I would recommend requiring a formal process for requesting a change to the firewall configuration. This will provide a means to properly review the request and see if there is truly a business requirement for the change. One should periodically review all the approved changes to see if the rationale still applies. Perhaps, after a few years, you have moved over to a new system which does not require the same firewall configuration.
The formal request also provides traceability. In theory, the firewall configuration should match up to all the approved requests.
The firewall policy should be a subset of overall server security, since the computers which will be receiving the traffic allowed through the firewall need to be hardened to prevent attacks coming in from the internet. Several companies can run periodic intrusion testing and report on any vulnerabilities they find on the servers, as well as report on all the open ports on the firewall.
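The reconciliation this answer describes (the firewall configuration matching the approved requests, plus a periodic review of old approvals), as an added example that is not part of the original post. The rule and request fields, the ticket ids, the exact-match comparison and the two-year review window are all assumptions.

```python
from datetime import date

# Constructed sample data: an exported ruleset and the approved change-request log.
# Field names and ticket ids are hypothetical, not taken from any firewall product.
RULES = [
    {"id": 10, "src": "any", "dst": "10.0.1.20", "port": 443, "action": "allow"},
    {"id": 20, "src": "10.0.2.0/24", "dst": "10.0.1.30", "port": 1433, "action": "allow"},
    {"id": 30, "src": "any", "dst": "10.0.1.40", "port": 3389, "action": "allow"},
    {"id": 99, "src": "any", "dst": "any", "port": None, "action": "deny"},
]
REQUESTS = [
    {"ticket": "CR-0001", "src": "any", "dst": "10.0.1.20", "port": 443,
     "approved": date(2024, 3, 1)},
    {"ticket": "CR-0002", "src": "10.0.2.0/24", "dst": "10.0.1.30", "port": 1433,
     "approved": date(2020, 6, 15)},
    {"ticket": "CR-0003", "src": "10.0.3.0/24", "dst": "10.0.1.50", "port": 22,
     "approved": date(2024, 5, 2)},
]

def key(entry):
    """Identity of a rule or request: an exact (src, dst, port) match is assumed."""
    return (entry["src"], entry["dst"], entry["port"])

def reconcile(rules, requests, today, review_after_days=730):
    """Compare allow rules with approved requests and report the gaps."""
    approved = {key(r): r for r in requests}
    allow = {key(r): r for r in rules if r["action"] == "allow"}
    report = {"untraceable": [], "stale": [], "unimplemented": []}
    for k, rule in allow.items():
        req = approved.get(k)
        if req is None:
            # An allow rule with no approved request behind it.
            report["untraceable"].append(rule["id"])
        elif (today - req["approved"]).days > review_after_days:
            # Approved long ago: the rationale is due for re-review.
            report["stale"].append((rule["id"], req["ticket"]))
    # Approved requests with no matching rule (never applied, or removed).
    report["unimplemented"] = [r["ticket"] for k, r in approved.items()
                               if k not in allow]
    return report

if __name__ == "__main__":
    for finding, items in reconcile(RULES, REQUESTS, date(2025, 1, 1)).items():
        print(f"{finding}: {items}")
```
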
I agree with Mr. Ankit; it totally depends on the structure and the environment. For us, we separate the traffic into core, perimeter and DMZ zones; it is easy to maintain and route the traffic. Each module has its own policies and UTM features. For outbound web access we use a proxy. Block everything, give the required access, and make groups according to access type and schedules.
What firewall is the client using?
Example: Fortinet, Watchguard, Gateprotect
Response from one of our Senior Network Architects:
It's more a function of what needs to be allowed in and out and how dynamic that is; if it's very static and has little traversal (in other words, they aren't hosting too much, i.e., web servers, email). A basic policy would be allow http and https in and out and block everything else. Set up the device for all UTM functions and you're done; the only maintenance would be occasionally updating the firmware if and when flaws in the OS needed to be patched.
It entirely depends upon the requirement. The best way is to create individual policies or group / network based access to desired resources.
This will eliminate unnecessary access for users for whom it was not intended, thus ensuring security best practice.
Yes, this will demand a one-time effort, but once created it will work like anything.
Also, you need to keep in mind never to allow everything to everyone; that will create another type of security issue for you. So the best way is to create only what has been asked for.
For outbound access, try to restrict application filtration on the firewall with http & https access; otherwise people start using open internet access from those servers.
For inbound access, open only desired services; for web servers, try to enforce http with https conversion with a public certificate.
Thanks & Regards
Should one go for URL Filtering as an add-on to NGFW or just deploy a Web proxy, instead? I am one who advocates that firewalls with URL Filtering can't serve better than Web security solutions (i.e., a Web proxy).
What's your opinion?