Sunday, May 25, 2008

Firewall best practices

Q: Check Point firewall R62 & Nokia IP 560 hardware-based appliance best practices
We have a Check Point firewall R62 & Nokia IP 560 hardware-based appliance. We do an audit of the rules on a quarterly basis, but I still feel that a lot of tuning needs to be done on the Nokia IP 560 and Check Point. Can someone please help me in getting best practices for firewalls?

A: Hi ...,
Best practices can be classified in 2 main areas:
1- Information Security
2- Operational

For information security, make sure that you follow a higher-level information security framework with integrated risk management. Firewalls must be part of the bigger picture, not standalone devices.
ISO 27001, NIST, COBIT or FFIEC can be a good start.
There are several guidelines from FFIEC if you are operating in the financial services industry.
http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

You can also check firewall specific guidelines from NIST
http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

Once you make sure that you address governance, risk and compliance (GRC) related concerns, you can dive into operational issues such as reliability, high availability, performance, scalability and manageability.

We have been managing thousands of Check Point systems on the Nokia platform. It is difficult to cover best practices in a single post (from change management to patching, from backup policy to cluster optimization). There are several good recommendations in other posts as well; here is a quick view from my side.

1- Optimize the rulebase (most used rules at the top, use logging intelligently, avoid duplicate objects, check for unused objects and rules, make sure that overlaps do not exist, use network objects, decrease NAT usage, etc.)
2- Upgrade to R65 for Check Point. It is more stable and you will get all the new fixes faster (compared with R62).
3- IPSO 4.2 will bring you more features with SecureXL, QoS, etc., but go over the release notes carefully. Make sure that SecureXL is enabled within the current deployment.
4- If you have performance issues and you are not planning to upgrade the platform, check the new ADP cards from Nokia.
5- Architecture-wise, avoid running non-firewall features such as SmartCenter, AV and filtering on your Nokia unless you need them.
6- If you have site-to-site VPNs, check the route-based VPN feature with dynamic routing for better redundancy.

I also recommend using 3rd-party test services, which include DDoS.

For automation, you can use firewall audit and change management tools such as Tufin, AlgoSec and FireMon (we work with Tufin). These tools will give you a lot of input for audits. On the security risk management side, if you have the budget, you can check Skybox Security and RedSeal. They will be really helpful.

If you have any specific questions please let me know,

cheers,
- yinal
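As an added example of the rulebase checks listed in item 1 of the answer (shadowed rules, unused rules, duplicate objects, and hot rules sitting below cold ones), here is a small Python audit script. It is not code from the original post and not Check Point or Nokia tooling; the object, service and rule definitions and the hit counters are constructed for the example, and the names (`OBJECTS`, `SERVICES`, `RULES`, `audit`) are assumptions of this script rather than anything on the page.

```python
"""Rulebase audit example (added here, not from the original post or any vendor tool).
Objects, services, rules and hit counts below are constructed for illustration."""
import ipaddress

# Constructed network objects. Two pairs resolve to the same network (duplicates).
OBJECTS = {
    "any": ["0.0.0.0/0"],
    "dmz_net": ["10.1.0.0/24"],
    "dmz_web": ["10.1.0.10/32"],
    "web_server": ["10.1.0.10/32"],   # duplicate of dmz_web
    "corp_net": ["10.0.0.0/16"],
    "corp_lan": ["10.0.0.0/16"],      # duplicate of corp_net
    "vpn_net": ["10.2.0.0/24"],
}

# Constructed service objects; "*" stands for the "any" service.
SERVICES = {
    "any": {"*"},
    "http": {"tcp/80"},
    "https": {"tcp/443"},
    "web": {"tcp/80", "tcp/443"},
    "ssh": {"tcp/22"},
    "smtp": {"tcp/25"},
}

# Constructed rulebase in enforcement order, with hit counters as a
# rule-hit report would supply them.
RULES = [
    {"no": 1, "src": "any",      "dst": "dmz_web",    "svc": "web",  "action": "accept", "hits": 12000},
    {"no": 2, "src": "corp_net", "dst": "dmz_net",    "svc": "ssh",  "action": "accept", "hits": 40},
    {"no": 3, "src": "corp_lan", "dst": "web_server", "svc": "http", "action": "accept", "hits": 0},
    {"no": 4, "src": "vpn_net",  "dst": "corp_net",   "svc": "smtp", "action": "accept", "hits": 800},
    {"no": 5, "src": "corp_net", "dst": "any",        "svc": "web",  "action": "accept", "hits": 90000},
    {"no": 6, "src": "any",      "dst": "any",        "svc": "any",  "action": "drop",   "hits": 5000},
]


def nets(name):
    return [ipaddress.ip_network(n) for n in OBJECTS[name]]


def net_subset(inner, outer):
    """Every network in `inner` lies inside some network in `outer`."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def net_overlap(a, b):
    return any(x.overlaps(y) for x in a for y in b)


def svc_subset(inner, outer):
    return "*" in outer or inner <= outer


def svc_overlap(a, b):
    return "*" in a or "*" in b or bool(a & b)


def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    return (net_subset(nets(inner["src"]), nets(outer["src"]))
            and net_subset(nets(inner["dst"]), nets(outer["dst"]))
            and svc_subset(SERVICES[inner["svc"]], SERVICES[outer["svc"]]))


def overlaps(a, b):
    """True if some packet could match both rules (order between them matters)."""
    return (net_overlap(nets(a["src"]), nets(b["src"]))
            and net_overlap(nets(a["dst"]), nets(b["dst"]))
            and svc_overlap(SERVICES[a["svc"]], SERVICES[b["svc"]]))


def shadowed_rules(rules):
    """(rule, earlier rule) pairs where the earlier rule fully covers the later one.
    A covered rule never matches, whatever its action; a different action is a
    likely misconfiguration rather than dead weight."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                out.append((r["no"], earlier["no"]))
                break
    return out


def unused_rules(rules):
    return [r["no"] for r in rules if r["hits"] == 0]


def duplicate_objects(objects):
    by_value = {}
    for name, value in objects.items():
        by_value.setdefault(tuple(sorted(value)), []).append(name)
    return sorted(sorted(names) for names in by_value.values() if len(names) > 1)


def promotion_candidates(rules):
    """(rule, new position) for rules that can move up past colder rules they
    do not overlap; the first overlapping or hotter rule above stops the walk,
    so the move cannot change what the rulebase enforces."""
    out = []
    for i, r in enumerate(rules):
        target = i
        while (target > 0 and not overlaps(rules[target - 1], r)
               and rules[target - 1]["hits"] < r["hits"]):
            target -= 1
        if target < i:
            out.append((r["no"], target + 1))
    return out


def audit(rules=RULES, objects=OBJECTS):
    return {"shadowed": shadowed_rules(rules), "unused": unused_rules(rules),
            "duplicate_objects": duplicate_objects(objects),
            "promote": promotion_candidates(rules)}


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Each suggested move is computed against the rulebase as it stands, so apply one, re-run the audit, then apply the next; the same goes for deleting a shadowed rule, since removing it can open a promotion path for a rule below it.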
