Firewall Policy...

Posted on 2013-09-02
Medium Priority
Last Modified: 2014-06-16
Hi EEs,

We have to install a network firewall (Fortigate), for which I have to give a small checklist to my vendors before starting the implementation.

Herewith I am enclosing one small checklist for you experts to comment on and advise me.

Kindly add whether these are okay, or if you experts can advise more...

thanks in advance...
Question by:dxbdxb2009

Author Comment

ID: 39457931
Anyone please advise...
LVL 17

Expert Comment

ID: 39458466
There is nothing called a universal firewall rule. Rules are based on corporate policies, usually some security audit guidelines. Seeing the list, it looks like an amalgamation from different sources. The points can go up to well beyond 100.

However, you might need to check the list of blocked IPs and services, because they list many ports which we generally keep open. You blocked the private range entirely, multicast IPs, FTP, SSH, telnet etc. You should discuss your design and the required filtering of traffic with the vendor.

It looks too formal and probably unworkable to me. If you apply your list, it will block everything.

Generally the vendors should be able to give you a small checklist to start with, and gradually it should be built up as per the need.

LVL 26

Accepted Solution

Soulja earned 2000 total points
ID: 39474467
The checklist looks good to me. I assume this firewall will be on the edge of your network, so yes, you will want to block most of those ports for inbound traffic. Only allow the ones you need inbound, such as http/https for web-facing servers, IPsec for VPN, and possibly secure some management protocols, e.g. SSH.

- Yes, you will want to block the private and non-routable ranges from coming inbound to the firewall.

- Don't allow telnet, use SSH only.
- Don't allow FTP unless you are using SFTP.
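The inbound guidance in this answer, turned into a small first-match ruleset audit. This is an added example, not code from the thread or from Fortinet; the Rule class, the two sample rulesets and the TEST-NET-3 probe address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Blocks the accepted answer says must never be an inbound source at the edge:
# RFC 1918 private space plus loopback, link-local and multicast.
NON_ROUTABLE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4"]
CLEARTEXT = {23: "telnet", 21: "ftp"}  # refuse inbound; use SSH / SFTP instead
@dataclass
class Rule:                   # constructed, simplified stand-in for a firewall policy entry
    name: str
    src: str                  # source CIDR; "0.0.0.0/0" means any
    dst_port: Optional[int]   # None means any service
    action: str               # "accept" or "deny"

def first_match(rules, src_ip, dst_port):
    """Top-down, first-match evaluation with an implicit deny at the end."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in ipaddress.ip_network(r.src, strict=False) and r.dst_port in (None, dst_port):
            return r.action, r.name
    return "deny", "implicit-deny"

def audit_inbound(rules):
    """Probe the ruleset the way a packet would; return a list of findings."""
    findings = []
    opened = {r.dst_port or 443 for r in rules if r.action == "accept"}
    # 1. A packet with a private/non-routable source must never reach an accept rule.
    for net in NON_ROUTABLE:
        probe = str(ipaddress.ip_network(net)[1])
        for port in sorted(opened):
            action, name = first_match(rules, probe, port)
            if action == "accept":
                findings.append(f"{name}: accepts tcp/{port} from non-routable {net}")
                break
    # 2. Clear-text telnet/ftp from a public source must be refused.
    for port, svc in CLEARTEXT.items():
        action, name = first_match(rules, "203.0.113.10", port)  # TEST-NET-3 sample
        if action == "accept":
            findings.append(f"{name}: accepts clear-text {svc} (tcp/{port}) inbound")
    return findings

# Constructed sample: a first draft vs. the same set with the thread's advice applied.
DRAFT = [Rule("allow-vpn", "0.0.0.0/0", 500, "accept"),
         Rule("allow-mgmt-telnet", "0.0.0.0/0", 23, "accept"),
         Rule("allow-ftp", "0.0.0.0/0", 21, "accept")]
HARDENED = ([Rule(f"deny-bogon-{n}", n, None, "deny") for n in NON_ROUTABLE]
            + [Rule("allow-vpn", "0.0.0.0/0", 500, "accept"),
               Rule("allow-ssh-mgmt", "0.0.0.0/0", 22, "accept")])
```

Running `audit_inbound(DRAFT)` reports every non-routable range reaching the FTP rule plus the telnet and FTP openings; `audit_inbound(HARDENED)` returns no findings because the bogon denies sit above the accepts and only IPsec and SSH are opened.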
Author Comment

ID: 39502035
@surbabu140977:

"a universal firewall rule...." agreed, but can you share some link where I can see an example of such a rule which can be adopted for mine?

"You blocked the private range entirely, multicast IPs, FTP, SSH, telnet etc......." what all do I need to consider to be blocked.... please advise..


@Soulja: thanks for your reply...

you are correct, this is going to be at the edge of this network...
Kindly share any good links on the ports I must block for all incoming traffic .... would really appreciate it...

I think we don't even need to allow http/https, as we don't have any web server at all,
for VPN, yes, we must open incoming traffic as we will have some VPN users,
good advice on SSH... will put a note for the vendor to consider SSH, thanks,

- Yes, you will want to block the private and non-routable ranges from coming inbound to the firewall = meaning none of the incoming packets will be allowed from outside the network with private IPs (including 10.x.x.x / 172.16.x.x / 192.168.x.x). Correct?

- Don't allow telnet, use SSH only = Noted, thanks
- Don't allow FTP unless you are using SFTP = Noted this as well,

Can you advise if I can just host SFTP directly on my SAN (NetApp FAS 2240)? That way I will not have to keep an additional Windows FTP server.
LVL 17

Expert Comment

ID: 39502506
You got the approach totally wrong........ you are trying to generalize something which you think can be applied. Please do not "think". Firewall rules are a requirement and should be guided by a definite policy with a business requirement.

If you are a business guy, define your business goal and let the IT person design it for you.

If you are an IT guy, outline your IT business needs and let a security guy do it for you.

You do not get a security config in any forum.

Below is a standard and accepted guideline from NIST, USA that should help you a bit. Please note that actual implementations may vary widely as per the requirement compared to what is defined in the guideline.

Author Comment

ID: 39550493
I assume this firewall will be on the edge of your network = Yes, it is
you will want to block most of those ports for inbound traffic = Yes, you are correct,

Anything specific to be considered for blocking & allowing... please comment on it...

@surbabu140977: thanks for the above link...

would really appreciate it if you can provide me some more, including some good templates/examples...

many thanks in advance..
