Simply put a rule-set for a firewall specifies what services to let through, and which ones to keep out. A rule defines the parameters against which each connection is compared, resulting in a decision on what action to take for each connection. There are two types of rules, ACCEPT and REJECT. ACCEPT rules define packet types that will be accepted by the firewall and REJECT rules define packet types to be reject. You can think of these rules as exceptions to the default policy. Since a REJECT default policy is being used the type of rules that will be needed are ACCEPT rules. The first step in creating firewall rules is to list the services that should be allowed with their sources and destinations. Some examples of these rules are
• Allow incoming packets from the administrator\'s host to the firewall and internal network.
• Allow incoming SSH packets from one specific host to the internal network.
• Allow outgoing HTTP(S), FTP, SSH and NTP packets from the internal network.
• Allow outgoing SMTP packets only from the internal mail server.
• Allow outgoing DNS packets only from the internal name server.
Managing Firewall Configuration
Once you setup your firewall, you will get numerous requests from people in your organization to add “just one more service”. Before you know it you end up with additional set of rules that affect your policies beyond comprehension. To overcome these problems you can put a process in place to avoid indiscriminate changes to the firewall rule-set and imp
So, What Is Our Policy?
As a network administrator when you start out to define the firewall policy, you always want to keep it simple to understand and manage. You describe group of people you want to service, describe what service each group needs, define how each of these services will be kept secure and finally write some rules which will make all other types of access a violation. Over the years a number of rules are added to the original rule-set which keeps making your policies more complex. While most of the standard firewalls will not have more than a few hundred rules, there are known cases where a firewall has as many as 50000 rules.
The first and foremost problem with managing firewalls with that many rules is, these rules are processed top down. So while you may define a new rule to allow certain services, there may be a generic rule that blocks such service from being allowed across all destinations. The proper configuration of such firewalls demands significant network administration skills as well as level of understanding of organizational infrastructure. But beyond a certain level, understanding and interpretation of resultant policies is beyond human comprehension. This is where a tool like Athena FirePAC becomes a network administrator’s best friend.
Visit resources page on http://www.athenasecurity.net for more information about the types of reports the tool can generate for you.
