Firewall Policy...

Hi EEs,

We have to install a network firewall (FortiGate), for which I have to give a small checklist to my vendors before starting the implementation.

Herewith I am enclosing one small checklist for you experts to comment on and advise me.

Kindly add whether these are okay, or if you experts can advise more...

Thanks in advance...
dxbdxb2009 Author Commented:
Anyone please advise...

There is no such thing as a universal firewall rule. Rules are based on corporate policies, usually some security audit guidelines. Looking at the list, it seems to be an amalgamation from different sources. The points can go up to well beyond 100.

However, you might need to check the list of blocked IPs and services, because they list many ports which we generally keep open. You blocked the private range entirely, multicast IPs, FTP, SSH, telnet, etc. You should discuss your design and the required filtering of traffic with the vendor.

It looks too formal and probably unworkable to me. If you apply your list, it will block everything.

Generally the vendors should be able to give you a small checklist to start with, and gradually it should be built up as per the need.


Soulja53 6F 75 6C 6A 61 Commented:
The checklist looks good to me. I assume this firewall will be on the edge of your network, so yes, you will want to block most of those ports for inbound traffic. Only allow the ones you need inbound, such as HTTP/HTTPS for web-facing servers, IPsec for VPN, and possibly secure some management protocols, e.g. SSH.

- Yes, you will want to block the private and non-routable ranges from coming inbound to the firewall.

- Don't allow telnet; use SSH only.
- Don't allow FTP unless you are using SFTP.
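The inbound policy described in this answer, written out as a first-match rule list and checked against a few constructed packets. This is an added example for the thread, not FortiGate configuration and not code from anyone posting here; the bogon ranges are the usual RFC 1918 and non-routable blocks, while the management network (203.0.113.0/24) and the packet sources are assumed example values. It follows the asker's later remark that there is no web server, so inbound 443 is denied, and it includes an `audit()` that catches the two ordering mistakes that most often undo such a list: an accept rule placed before the bogon deny, and a rule placed after the catch-all deny.

```python
"""Inbound edge-firewall policy modelled as a first-match rule list.

Added example, not from the thread and not FortiGate syntax. It encodes the
advice above: drop inbound traffic from private/non-routable sources, allow
only IPsec VPN and SSH management inbound, deny telnet and FTP, default deny.
The management network and all packet addresses are assumed example values.
"""
import ipaddress
from typing import List, Optional, Set, Tuple

# Private (RFC 1918) and other non-routable source ranges. A packet arriving
# on the Internet-facing interface with one of these as its source is spoofed
# or misrouted, so it is dropped before any accept rule is consulted.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
# Assumed: the only network allowed to SSH to the firewall's WAN address.
MGMT_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


class Rule:
    def __init__(self, name: str, action: str, srcs, proto: Optional[str],
                 dports: Optional[Set[int]]):
        self.name, self.action, self.srcs = name, action, srcs
        self.proto, self.dports = proto, dports   # None means "any"

    def matches(self, src_ip, proto: str, dport: Optional[int]) -> bool:
        return (any(src_ip in net for net in self.srcs)
                and (self.proto is None or self.proto == proto)
                and (self.dports is None or dport in self.dports))

    def is_catch_all(self) -> bool:
        return (self.proto is None and self.dports is None
                and any(net.prefixlen == 0 for net in self.srcs))


# Order matters: evaluation stops at the first rule that matches.
INBOUND_POLICY = [
    Rule("deny-bogon-sources", "deny", NON_ROUTABLE, None, None),
    Rule("allow-ipsec-ike", "accept", ANY, "udp", {500, 4500}),
    Rule("allow-ipsec-esp", "accept", ANY, "esp", None),
    Rule("allow-mgmt-ssh", "accept", MGMT_SOURCES, "tcp", {22}),
    Rule("deny-telnet-ftp", "deny", ANY, "tcp", {21, 23}),
    Rule("default-deny", "deny", ANY, None, None),
]


def evaluate(policy: List[Rule], src: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (rule name, action) of the first rule matching the packet."""
    src_ip = ipaddress.ip_address(src)
    for rule in policy:
        if rule.matches(src_ip, proto, dport):
            return rule.name, rule.action
    raise ValueError("policy has no catch-all rule")


def audit(policy: List[Rule]) -> List[str]:
    """Checks to run on a rule list before handing it to the vendor."""
    problems = []
    last = policy[-1]
    if not (last.action == "deny" and last.is_catch_all()):
        problems.append("last rule is not a catch-all deny")
    probe = "192.168.1.1"   # representative spoofed private source
    for i, rule in enumerate(policy):
        if i > 0 and policy[i - 1].is_catch_all():
            problems.append(f"{rule.name}: shadowed by {policy[i - 1].name}")
        if rule.action != "accept":
            continue
        if rule.dports and rule.dports & {21, 23}:
            problems.append(f"{rule.name}: accepts plaintext FTP/telnet")
        # Each accept rule is probed with a private source: if the packet is
        # accepted, the bogon deny is missing or sits too far down the list.
        port = next(iter(rule.dports)) if rule.dports else None
        if evaluate(policy, probe, rule.proto or "tcp", port)[1] == "accept":
            problems.append(f"{rule.name}: reachable from private source {probe}")
    return problems


# Constructed packets (src, proto, dport); not captured traffic.
SAMPLE_PACKETS = [
    ("10.1.2.3", "tcp", 22),        # spoofed private source
    ("198.51.100.7", "udp", 500),   # IKE from a VPN user
    ("198.51.100.7", "esp", None),  # ESP from a VPN user
    ("203.0.113.5", "tcp", 22),     # SSH from the management network
    ("198.51.100.7", "tcp", 22),    # SSH from anywhere else
    ("198.51.100.7", "tcp", 23),    # telnet
    ("198.51.100.7", "tcp", 443),   # HTTPS: no web server, so denied
]


def run_samples(policy: List[Rule] = INBOUND_POLICY) -> dict:
    return {pkt: evaluate(policy, *pkt) for pkt in SAMPLE_PACKETS}


if __name__ == "__main__":
    for pkt, (name, action) in run_samples().items():
        print(f"{pkt!s:34} -> {action:6} ({name})")
    print("audit:", audit(INBOUND_POLICY) or "ok")
```

Running it shows that SSH from a non-management address falls through to `default-deny` rather than being accepted, which is the property that a list of "ports to block" alone does not give you; swapping the first two rules makes `audit()` report that `allow-ipsec-ike` is reachable from a private source.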


dxbdxb2009 Author Commented:
@surbabu140977:

"a universal firewall rule..." agreed, but can you share some link where I can see an example of such a rule which can be adopted for mine?

"You blocked the private range entirely, multicast IPs, FTP, SSH, telnet, etc......." what all do I need to consider blocking... please advise.


@Soulja: thanks for your reply...

You are correct, this is going to be at the edge of this network...
Kindly share any good links on the ports I must block for all incoming traffic... would really appreciate it...

I think we don't even need to allow HTTP/HTTPS, as we don't have any web server at all.
For VPN, yes, we must open incoming traffic as we will have some VPN users.
Good advice on SSH... will put a note for the vendor to consider SSH, thanks.

- Yes you will want to block the private and non-routables from coming inbound to the firewall = meaning none of the incoming packets will be allowed from outside the network with private IPs (including 10.x.x.x / 172.16.x.x / 192.168.x.x). Correct?

- Don't allow telnet, use SSH only = Noted, thanks.
- Don't allow FTP unless you are using SFTP = Noted this as well.

Can you advise if I can just host SFTP directly on my SAN (NetApp FAS 2240)? That way I will not have to keep an additional Windows FTP server.

You got the approach totally wrong........ you are trying to generalize something which you think can be applied. Please do not "think". Firewall rules are a requirement and should be guided by a definite policy with a business requirement.

If you are a business guy, define your business goal and let the IT person design it for you.

If you are an IT guy, outline your IT business needs and let a security guy do it for you.

You do not get a security config in any forum.

Below is a standard and accepted guideline from NIST, USA, that should help you a bit. Please note actual implementations may vary widely as per the requirement compared to what is defined in the guideline.

dxbdxb2009 Author Commented:

I assume this firewall will be on the edge of your network = Yes, it is.
You will want to block most of those ports for inbound traffic = Yes, you are correct.

Anything specific to be considered for blocking & allowing... please comment on it...

@surbabu140977: thanks for the above link...

Would really appreciate it if you can provide me some more, including some good templates/examples...

Many thanks in advance..