Best Practices For Firewall Rules Configuration
When you change a firewall configuration, it’s important to consider potential security risks to
avoid future issues. Security is a complex topic and can vary from case to case, but this article
describes best practices for configuring perimeter firewall rules.
Block by default
Block all traffic by default and explicitly enable only specific traffic to known services. This
strategy provides good control over the traffic and reduces the possibility of a breach because
of service misconfiguration.
You achieve this behavior by configuring the last rule in an access control list to deny all traffic.
You can do this explicitly or implicitly, depending on the platform.
o Linux® SSH: Port 22
o Windows® RDP: Port 3389
Database ports:
Be specific about who can reach these ports. When it is impractical to define source IP
addresses for network management, you might consider another solution like a remote access
VPN as a compensating control to allow the access required and protect your network.
permit ip any any WEB-SERVER1 - Allows all traffic from any source to a web server. Only specific
ports should be allowed; in the case of a web server, ports 80 (HTTP) and 443 (HTTPS).
Otherwise, the management of the server is vulnerable. A good rule would be permit tcp any
WEB-SERVER1 http.
permit tcp any WEB-SERVER1 3389 - Allows RDP access from any source to the web server. It is a
dangerous practice to allow everyone access to your management ports. Be specific about who
can access the server management. A good rule would be permit tcp 12.34.56.78 3389
WEB-SERVER1 (where 12.34.56.78 is the IP address of the administrator’s computer on the Internet).
permit tcp any DB-SERVER1 3306 - Allows MySQL access from any source to the database.
Database servers should never be exposed to the whole Internet. If you need database queries
to run across the public Internet, specify the exact source IP address. A good rule would
be permit tcp 23.45.67.89 DB-SERVER1 3306 (where 23.45.67.89 is the IP address of the host on the
Internet that needs access to the database). A best practice would be to allow database traffic
over a VPN and not in clear text across the public Internet.
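As an added example that is not part of the original article, the following Python script checks an access list written in the article's illustrative permit/deny syntax against the two rules above: end with a deny-all, and never open management or database ports to any source. The rule form permit|deny proto src dst [port], the port-to-service tables and the sample access lists are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Services the article singles out; names are resolved so "http" and "80" are treated alike.
MANAGEMENT_PORTS = {"22": "SSH", "3389": "RDP"}
DATABASE_PORTS = {"3306": "MySQL"}
PORT_NAMES = {"http": "80", "https": "443", "ssh": "22", "mysql": "3306"}

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]  # None means every port on the destination

def parse_rule(line: str) -> Rule:
    """Parse the assumed form: permit|deny <proto> <src> <dst> [port]."""
    parts = line.split()
    if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised rule: {line!r}")
    port = PORT_NAMES.get(parts[4], parts[4]) if len(parts) == 5 else None
    return Rule(parts[0], parts[1], parts[2], parts[3], port)

def audit(acl: list) -> list:
    """Return one finding per rule that breaks the article's guidance, in ACL order."""
    rules = [parse_rule(line) for line in acl if line.strip()]
    findings = []
    for r in rules:
        if r.action != "permit" or r.src != "any":
            continue  # denies and source-restricted permits are the desired shape
        if r.port is None:
            findings.append(f"{r.dst}: every port open to any source; permit only the service ports")
        elif r.port in MANAGEMENT_PORTS:
            findings.append(f"{r.dst}: {MANAGEMENT_PORTS[r.port]} open to any source; restrict to admin addresses or a VPN")
        elif r.port in DATABASE_PORTS:
            findings.append(f"{r.dst}: {DATABASE_PORTS[r.port]} open to any source; restrict the source or use a VPN")
    # Block by default: the list must end with an explicit deny of everything else.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append("ACL does not end with 'deny ip any any'; unmatched traffic is not blocked")
    return findings

# Constructed sample ACLs in the assumed syntax (host names and addresses are the article's).
RISKY_ACL = ["permit ip any WEB-SERVER1", "permit tcp any WEB-SERVER1 3389",
             "permit tcp any DB-SERVER1 3306"]
HARDENED_ACL = ["permit tcp any WEB-SERVER1 http", "permit tcp any WEB-SERVER1 https",
                "permit tcp 12.34.56.78 WEB-SERVER1 3389",
                "permit tcp 23.45.67.89 DB-SERVER1 3306", "deny ip any any"]
```

Running audit(RISKY_ACL) reports the three over-broad permits and the missing final deny, while audit(HARDENED_ACL) returns no findings.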