A firewall won’t secure your environment like it should if you don’t properly configure its ports and policies. But which ports should you block? It’s a question that every sysadmin has asked themselves at one time or another.
Depending on the environment, where the firewalls sit in the flow of data, and probably on your staffing and timeline, there is a solid foundation of steps you should complete when locking down new or existing firewall rules. The order of the steps depends on whether you're replacing hardware or spinning up a new environment from scratch.
Best Practices For Configuring Firewall Rules
In general, you should follow the best practice of least privilege when configuring a firewall, which just means to block literally everything that you aren’t using for a dedicated and approved business function. This reduces your risk, gives you more control over your traffic, and limits your communication between networks.
Granted, there are times when the CEO might want to allow his staff to play WoW on the corporate network. Is that technically tied to the business? Nope, but it’s something that you’ll definitely still need to open if you want to keep your job. However, there are still ways to do these things securely!
1. Monitor Mode
Monitor current traffic to learn which IP addresses and ports are actually in use, and validate that each flow is needed; not everything requires internet access. If you are replacing a firewall, you can configure a SPAN (mirror) port or review the old firewall's logs to gather this. Compile a list of source IP, destination IP, and destination port, and start grouping the entries into categories so that rule creation is easier.
2. Deny Any/Any
Create a deny-all rule for both inbound and outbound traffic. Create it first, and keep it as the last rule processed. Also known as a 'default deny,' it ensures that every rule you add afterwards is purposeful: nothing passes unless a rule explicitly allows it.
3. Be Specific and Purposeful With Rules
Where possible, create sensible groups of IPs and ports and write rules in terms of those groups, so that you add or remove individual members without touching the rules themselves. Ensure your rules specify source and destination IP addresses (or ranges where necessary) and the destination port whenever possible. For example:
- Int-db-app-servers: inbound from int-sccm-servers; inbound on 1433 from int-mycoolapp-servers
  - Int-db-app-servers is a group containing 10.10.10.1/30 and 10.10.22.40.
  - These devices are not allowed to reach the internet.
  - They get all of their updates via SCCM and third-party patching tools.
  - They are accessed on port 1433 (MS-SQL) only from the specific application servers that write to their database.
  - This group can also be nested in another group used by an 'Explicit-Deny' rule, so that devices you never want on the internet stay blocked even if someone accidentally adds them to a group with broader access. Place that explicit deny above the allow rules it is meant to override, since most firewalls stop at the first matching rule.
- Int-finance-desktops: outbound on 443 only to the financial websites in the ext-finance-services group
  - Financial systems and wire-transfer endpoints are high-value targets. Opening only the needed ports to only the needed external websites and IP addresses makes these endpoints much harder to attack.
  - Grouping the external finance services lets you reuse that group elsewhere if other desktops or groups need the same access.
  - Restricting the rule to port 443 means that if the external service ever changes to a less secure protocol (for example, falls back to plain HTTP on port 80), the connection fails, so you become aware of the change and can plan accordingly instead of silently accepting it.
- CEO's kid's WoW desktop
  - Only allow that box to communicate directly with the internet, never with the rest of your network!
- Don't forget Active Directory ports when needed!
  - Endpoints joined to an Active Directory domain need their own set of ports (DNS, Kerberos, LDAP, SMB, RPC and so on) if they traverse the firewall on the way to a domain controller.
  - Should every host be using your internal DNS? Probably yes. Whatever DNS solution you choose, hosts should use that and not be permitted to use some random internet DNS server. The default deny takes care of this, since you will only allow port 53 to a group of internal DNS servers.
4. Protect The Perimeter
- Never leave remote management open to the internet directly. Restrict it to specific source IP addresses, and use centralized authentication with MFA wherever possible.
- Regularly check your public IP addresses on Shodan.io. This internet scanner provides, for free, invaluable information about what is exposed to the internet for attackers to see.
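To make steps 1 to 3 concrete, here is an added example (not Blumira's code, and not any vendor's rule syntax) that summarises flows from a few constructed log lines, then checks them against a first-match, default-deny policy built from named groups like the ones above. The hosts, addresses, group names and log format are assumptions made up for the illustration; it needs nothing beyond the Python standard library.

```python
"""
Worked version of steps 1 to 3: summarise observed flows, then check them
against a first-match, default-deny policy built from named groups.
Added example, not Blumira's code or any vendor's syntax. All hosts,
addresses, group names and the log format are made up for illustration.
"""
import ipaddress
from collections import Counter

# Step 1: constructed firewall log lines, "src dst dport proto". The old
# firewall allowed all of these; the question is which ones are needed.
SAMPLE_LOG = """\
10.10.30.5 10.10.10.1 445 tcp
10.10.50.12 10.10.10.1 1433 tcp
10.10.50.12 10.10.22.40 1433 tcp
10.10.22.40 10.10.5.10 53 udp
10.10.22.40 198.51.100.53 53 udp
10.10.10.1 203.0.113.20 443 tcp
10.10.60.7 203.0.113.10 443 tcp
10.10.60.7 203.0.113.80 80 tcp
10.10.70.9 203.0.113.80 443 tcp
"""


def summarise_flows(log_text):
    """Count distinct (src, dst, dport, proto) tuples for review."""
    counts = Counter()
    for line in log_text.splitlines():
        src, dst, dport, proto = line.split()
        counts[(src, dst, int(dport), proto)] += 1
    return counts


# Step 3: groups. Members are CIDRs so a /30 and a single host mix freely.
GROUPS = {
    "int-db-app-servers": ["10.10.10.1/30", "10.10.22.40/32"],
    "int-sccm-servers": ["10.10.30.5/32"],
    "int-mycoolapp-servers": ["10.10.50.12/32"],
    "int-dns-servers": ["10.10.5.10/32"],
    "int-finance-desktops": ["10.10.60.0/24"],
    "ext-finance-services": ["203.0.113.10/32"],
    # 10.10.22.40 was "accidentally" added to this group of internet users.
    "int-web-users": ["10.10.70.0/24", "10.10.22.40/32"],
    "explicit-deny": ["10.10.10.1/30", "10.10.22.40/32"],
    "any": ["0.0.0.0/0"],
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_group(ip, group):
    """'internet' is anything outside RFC 1918; other groups are CIDR lists."""
    addr = ipaddress.ip_address(ip)
    if group == "internet":
        return not any(addr in net for net in RFC1918)
    # strict=False so "10.10.10.1/30" (host bits set) is accepted as 10.10.10.0/30.
    return any(addr in ipaddress.ip_network(c, strict=False) for c in GROUPS[group])


# (action, src_group, dst_group, dport or None, proto or None); first match wins.
POLICY = [
    # Explicit deny sits above every allow, so a host added to a broader
    # group by mistake still cannot reach the internet.
    ("deny",  "explicit-deny",         "internet",             None, None),
    ("allow", "int-sccm-servers",      "int-db-app-servers",   445,  "tcp"),
    ("allow", "int-mycoolapp-servers", "int-db-app-servers",   1433, "tcp"),
    ("allow", "any",                   "int-dns-servers",      53,   "udp"),
    ("allow", "int-finance-desktops",  "ext-finance-services", 443,  "tcp"),
    ("allow", "int-web-users",         "internet",             443,  "tcp"),
    # Step 2: default deny, created first and evaluated last.
    ("deny",  "any",                   "any",                  None, None),
]


def evaluate(src, dst, dport, proto, policy=POLICY):
    """Return the action of the first matching rule."""
    for action, sg, dg, port, prt in policy:
        if (in_group(src, sg) and in_group(dst, dg)
                and port in (None, dport) and prt in (None, proto)):
            return action
    return "deny"  # unreachable while the default deny is in place


def flows_denied(counts, policy=POLICY):
    """Observed flows the new policy would drop: review each before cut-over."""
    return sorted(f for f in counts if evaluate(*f, policy=policy) == "deny")


def with_explicit_deny_last(policy=POLICY):
    """Same rules, but the explicit deny moved to just above the default deny."""
    return policy[1:-1] + [policy[0], policy[-1]]


if __name__ == "__main__":
    for flow in flows_denied(summarise_flows(SAMPLE_LOG)):
        print("would be dropped:", flow)
```

Run it to list the observed flows the new policy would drop; each one is either a connection you do not want (the database server talking to an outside DNS resolver) or a missing rule you need to add before cut-over. The `with_explicit_deny_last` helper shows why rule order matters: moving the explicit deny below the broad `int-web-users` allow lets the accidentally added database server reach the internet on 443.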
Which Ports Should You Block On Your Firewall?
For those of you who came looking for a list of ports to block, here is a minimum set. The SANS Institute recommends blocking outbound traffic on the following ports:
| Service | Port Type | Port Number |
| --- | --- | --- |
| MS RPC | TCP, UDP | 135 |
| Trivial File Transfer Protocol (TFTP) | UDP | 69 |
| Simple Network Management Protocol (SNMP) | UDP | 161-162 |
| Internet Relay Chat (IRC) | TCP | 6660-6669 |
Protection Beyond The Firewall
A firewall is an important component of a security stack, but deploying a firewall isn’t enough protection for a business. Threat actors can easily circumvent a firewall using a variety of techniques, such as social engineering and taking advantage of application vulnerabilities.
Blumira integrates with many firewalls, including Cisco Meraki and ASA, F5 Big-IP, Fortinet Fortigate, Sophos XG, and more. Blumira detects suspicious behaviors that can lead to cyberattacks without overwhelming IT teams with alerts. Our platform also provides automated workflows and playbooks to give you guidance on remediation steps. Our team of security experts act as an extension of your team, ready to answer any questions about a finding or how to move forward.
Try Blumira for free today; deployment takes a matter of hours, and it’s easy to start getting immediate security value in your organization.