You’re ready to use Firewall as a Service to take granular control of your network access, but where should you start?
Based on feedback from our many customers using FWaaS, we’ve compiled a list of suggestions to keep in mind as you create your network cloud firewall.
When defining your firewall rules, always keep Zero Trust and the “least privilege” principle in mind. Employees should only have access to what they need for their job, and resources and networks should only be open to those employees who need them.
Maintaining “least privilege” with the Perimeter 81 Firewall is easy. When adding rules, ensure that your network default is “Deny”:
When you set your network default to “Deny”, you are blocking network access from the start. Any rules you add to the network will be exceptions allowing access for specific users and resources.
By setting your network to “Deny” and using network firewall rules to grant access only to specific users and groups, you dramatically reduce your attack surface and ensure that an attacker who compromises a single user account cannot reach your entire network. To keep it that way, avoid overly permissive rules, such as rules that unnecessarily allow all services or all addresses. Such rules widen the attack surface by exposing services that would otherwise be unreachable, turning latent vulnerabilities into exploitable ones.
Remember that a recurring mistake in breached organizations is allowing too much access. The fewer privileges granted, the smaller the attack surface, and the less exposed the organization.
With the “least privilege” principle in mind, you may still wish to allow more universal access to resources or services that do not compromise your organization, such as Zoom or general Internet access.
Beyond general services that everyone identified in the Perimeter 81 platform can access, you will also want to set up access for specific groups to the resources they need to do their jobs – for example, the software development team may need access to the MongoDB server on a regular basis, while the marketing department does not.
Keep in mind that you may have particularly sensitive resources that should only be allowed to specific users rather than groups – for example, specific financial resources or applications that should not be accessible to the entire finance department.
In addition, you may wish to use firewall rules more widely as a containment measure against the spread of malware by restricting employees to HTTP/HTTPS access only. Such a rule keeps an infection on the compromised computer, since it can no longer reach other computers, resources, or the corporate network over any other protocol, giving you time to respond before it spreads. Note that this does not block malware that itself communicates over HTTPS, so treat it as containment rather than prevention.
How you set up your rules is not written in stone, but you should choose a specific approach and then remain consistent. This will allow for easier management as your network grows and your network policies expand.
Three approaches are favored by those Perimeter 81 customers who are the heaviest users of Firewall as a Service:
We recommend that you choose either the first or second approach listed above as your foundation, and then add specific “group to service” rules if necessary. For maximum scalability, you should ensure that your naming convention is consistent, with your preferred approach determining the element that appears first in the network rule name.
So, if you have chosen to create rules by resource but sometimes wish to add a specific group-to-resource rule, rule names might look something like this:
In this way, if you later add network rules concerning access to the financial database, they will appear next to your specific rule for the CFO, making duplicate or conflicting rules easy to spot.
If you had chosen the “group approach” instead, your rules might look like this:
Again, what is important here is consistency, so that you can easily manage your rules as you scale up.
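To make the three points above concrete (default deny with explicit exceptions, flagging overly permissive rules, and a consistent rule-naming convention), here is a small policy model and linter. It is an added example written for this page, not Perimeter 81 code, and it does not use the Perimeter 81 rule schema or API. The `Rule` and `Firewall` classes, the `"group:"`/`"user:"` principal labels, the `"<first-element>/<rest>"` rule-name format, and the sample policy are all assumptions made for illustration.

```python
"""Hypothetical default-deny firewall model with a policy linter (illustrative only).

Assumptions made for this example (not the Perimeter 81 schema):
  - principals are strings such as "group:dev" or "user:cfo"
  - a rule name is "<first-element>/<rest>", where the element before the
    first "/" is the resource (resource-first approach) or the group
    (group-first approach)
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    sources: frozenset = frozenset({ANY})      # principals, or ANY
    destination: str = ANY                     # CIDR string, or ANY
    protocol: str = ANY                        # "tcp", "udp", or ANY
    ports: frozenset = frozenset({ANY})        # port numbers, or ANY

    def matches(self, principals, dst_ip, protocol, port):
        if ANY not in self.sources and not (self.sources & principals):
            return False
        if self.destination != ANY and \
                ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.destination):
            return False
        if self.protocol not in (ANY, protocol):
            return False
        if ANY not in self.ports and port not in self.ports:
            return False
        return True


class Firewall:
    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def evaluate(self, principals, dst_ip, protocol, port):
        """First matching rule wins; with no match the network default applies."""
        for rule in self.rules:
            if rule.matches(frozenset(principals), dst_ip, protocol, port):
                return rule.action, rule.name
        return self.default, "default"


def lint(fw, approach, resources, groups):
    """Flag the settings the text warns about. approach is 'resource' or 'group'."""
    findings = []
    if fw.default != "deny":
        findings.append("network default is not deny")
    first_elements = resources if approach == "resource" else groups
    for r in fw.rules:
        if r.action == "allow" and r.destination == ANY and ANY in r.ports:
            findings.append(f"{r.name}: allows all addresses and all services")
        elif r.action == "allow" and ANY in r.ports:
            findings.append(f"{r.name}: allows all services, review")
        elif r.action == "allow" and r.destination == ANY:
            findings.append(f"{r.name}: allows all addresses, review")
        if r.name.split("/")[0] not in first_elements:
            findings.append(f"{r.name}: name does not start with a known {approach}")
    return findings


# Constructed sample policy using resource-first naming; not a real customer config.
RESOURCES = {"finance-db", "mongodb", "internet"}
GROUPS = {"finance", "dev", "marketing", "everyone"}

SAMPLE_RULES = [
    # Only the CFO, not the whole finance group, may reach the financial database.
    Rule("finance-db/cfo/postgres", "allow", frozenset({"user:cfo"}),
         "10.0.1.0/24", "tcp", frozenset({5432})),
    # The dev group may reach the MongoDB server; marketing is not listed, so it is denied.
    Rule("mongodb/dev/mongo", "allow", frozenset({"group:dev"}),
         "10.0.2.10/32", "tcp", frozenset({27017})),
    # Everyone gets HTTP/HTTPS only; all other outbound protocols fall to the default deny.
    Rule("internet/everyone/web", "allow", frozenset({ANY}), ANY, "tcp", frozenset({80, 443})),
    # Deliberately sloppy: all services, and a name that ignores the convention.
    Rule("marketing-share", "allow", frozenset({"group:marketing"}),
         "10.0.3.0/24", "tcp", frozenset({ANY})),
]
FW = Firewall(SAMPLE_RULES, default="deny")

if __name__ == "__main__":
    print(FW.evaluate({"group:finance"}, "10.0.1.5", "tcp", 5432))   # denied: not the CFO
    print(FW.evaluate({"group:marketing"}, "93.184.216.34", "tcp", 22))  # denied: not HTTP/HTTPS
    for finding in lint(FW, "resource", RESOURCES, GROUPS):
        print(finding)
```

Running the linter over this sample flags the "allow all services" rule and its off-convention name, and marks the everyone-to-Internet rule for review because it targets all addresses; that last one is the intended exception described above, which is exactly why a human should confirm it rather than have the tool silently accept it.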
We hope that this overview will help you begin your journey to more granular control of your network. We value your feedback, and we’d love to hear from you regarding your own recommended best practices and how we can improve the Perimeter 81 Firewall as a Service!