As you plan your security policies and configure your firewall, you should keep several things in mind. Rather than presenting a long treatise on security policies and how to protect against vulnerabilities and attacks, this small section provides a short list of rules of thumb. If you follow these suggestions, you should be able to configure a firewall to provide the best possible protection.
a: Gather and review firewall logs regularly.
After a firewall is configured, you can easily test to see if it is blocking or permitting access to secured resources according to the correct security policies. However, there is no easy way to watch a denial-of-service or worm attack without seeing a record of traffic being permitted or denied.
A firewall can generate a wealth (and a deluge) of logging information. This data should be collected by a Syslog server that is properly sized for the task. You should also review the Syslog data on a regular basis so that you can spot new malicious activity or expose the use of a vulnerable port you forgot to close.
If you experience an attack or a misuse of network resources, you can rely on the Syslog record as evidence.
b: Make inbound ACLs very specific.
You should tightly control traffic coming into your secured network from the public or unsecured side. If you offer public access to a corporate web or e-mail server, for example, be sure to permit only those specific protocols and ports. Otherwise, if you leave the inbound access too broad or open, you increase the chances that someone will find a way to exploit an unexpected protocol or service. In addition, best practices suggest that any inbound access should terminate only on hosts that are located on a demilitarized zone (DMZ) firewall interface, not on the inside network.
As for outbound traffic control, the internal (protected) users are usually well-known and trusted. You can leave the outbound access open, but best practices suggest that you configure outbound access lists to prevent hosts on the inside network from participating in worms or attacks aimed at DMZ or outside networks.
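The following is an added example, not code from the original text, showing the kind of Syslog review rules a and b call for: it flags a source that is being denied against many distinct destinations (the fan-out of a worm or scan) and inbound connections the firewall permitted on a DMZ host/port pair the policy never meant to expose. The log lines are constructed in the style of Cisco ASA message IDs 106023 and 302013, and the allowed-port list is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on ASA message IDs 106023 (deny) and
# 302013 (built inbound connection); not captured from a real device.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40001 dst dmz:192.0.2.10/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40002 dst dmz:192.0.2.11/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40003 dst dmz:192.0.2.12/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40004 dst dmz:192.0.2.13/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:198.51.100.4/5000 dst dmz:192.0.2.10/22 by access-group "outside_in"
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.9/5100 (198.51.100.9/5100) to dmz:192.0.2.10/80 (192.0.2.10/80)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.9/5101 (198.51.100.9/5101) to dmz:192.0.2.10/3389 (192.0.2.10/3389)
"""

DENY_RE = re.compile(r"%ASA-4-106023: Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")
BUILT_RE = re.compile(r"%ASA-6-302013: Built inbound TCP connection \d+ for \w+:([\d.]+)/\d+ \([^)]*\) to \w+:([\d.]+)/(\d+)")

# The (DMZ host, port) pairs the inbound policy intends to expose (assumed).
ALLOWED_INBOUND = {("192.0.2.10", 80)}

def scan_sources(log: str, min_targets: int = 3) -> dict:
    """Return {src: {(dst, port), ...}} for sources denied against at least
    min_targets distinct destination/port pairs: a fan-out pattern worth a look."""
    targets = defaultdict(set)
    for m in DENY_RE.finditer(log):
        _proto, src, dst, port = m.groups()
        targets[src].add((dst, int(port)))
    return {s: t for s, t in targets.items() if len(t) >= min_targets}

def unexpected_permits(log: str, allowed=ALLOWED_INBOUND) -> list:
    """Return (src, dst, port) for inbound connections the firewall built on a
    destination/port pair that is not in the intended inbound policy."""
    hits = []
    for m in BUILT_RE.finditer(log):
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if (dst, port) not in allowed:
            hits.append((src, dst, port))
    return hits

if __name__ == "__main__":
    for src, t in scan_sources(SAMPLE_LOG).items():
        print(f"{src} denied against {len(t)} distinct dst/port pairs")
    for src, dst, port in unexpected_permits(SAMPLE_LOG):
        print(f"permitted but not in policy: {src} -> {dst}:{port}")
```

A permitted connection on a port outside the intended policy is the "port you forgot to close" from rule a, and is the cue to tighten the inbound ACL per rule b.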