
Firewall Hardening Guidelines

1. Do not assume the firewall alone is the answer to network security; it is one control among several.
2. Install the latest vendor-supported software image (IOS) and keep it updated.
3. The firewall shall have a hostname configured.
4. Ensure the device has enough memory (and flash) for the new IOS image before upgrading.
5. Passwords shall comply with the organisation's password policy.
6. Ensure the console port is password protected.
7. Ensure the console line has an appropriate idle (exec) timeout.
8. Ensure the console limits failed authentication attempts (lock out further logins after repeated failures).
9. Ensure the auxiliary port is password protected, or disabled where it is not required.
10. Shut down Ethernet interfaces that are not in use.
11. Close any other ports and services that are not needed for business.
12. Disable Telnet; use SSH version 2 instead.
13. Disable HTTP management access; use HTTPS instead.
14. Disable SNMP version 1. Prefer SNMPv3 with authentication and privacy; SNMPv2c still sends community strings in cleartext, so if it must be used, restrict it to the management stations by ACL.
15. SNMP community strings shall be strong (never the defaults "public" or "private").
16. ACLs shall not permit packets from any source to any destination for any service.
17. Every ACL rule shall have a rule ID (sequence number) assigned.
18. VPNs shall be configured with strong encryption ciphers.
19. Ensure there is a rule blocking ICMP echo requests and replies from untrusted networks.
20. Ensure there is a rule blocking outgoing ICMP time-exceeded and unreachable messages. Caveat: the "fragmentation needed" unreachable (type 3, code 4) is required for path MTU discovery; blocking it can break large transfers, so exempt it where PMTUD is needed.
21. Unwanted rules shall be deleted.
22. Allow only current TLS versions (TLS 1.2 or later) for HTTPS management and SSL VPN; SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated and shall be disabled.
23. NTP authentication shall be enabled.
24. A warning login banner shall be configured.
25. Syslog shall be configured with an encrypted transport to the log server.
26. Proxy ARP shall be disabled.
27. Use user EXEC mode (for normal users) and privileged/configuration mode (for administrators) with separate authentication, so that the two roles are distinguished on the firewall.
28. Users shall log in with their individual username and password, each assigned an appropriate privilege level; no shared accounts.
29. All logs shall be sent to the responsible person or team and reviewed periodically.
30. Periodically check that the backup (standby) firewall is working properly.
31. Check that vulnerability assessments are carried out periodically to confirm the firewall is secure.
32. Ensure the ruleset complies with the organisation's security policy.
33. Ensure the following spoofed, private (RFC 1918) and illegal source addresses are blocked:
   Standard unroutables: 255.255.255.255, 127.0.0.0/8
   Private (RFC 1918) addresses: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255
   Reserved addresses: 240.0.0.0/4
   Illegal addresses: 0.0.0.0/8
   UDP echo and ICMP to broadcast addresses (directed broadcast, RFC 2644)
   Ensure that traffic from the above addresses is also not transmitted out of the interface.
34. If FTP is a requirement, place the FTP server in a subnet separate from the internal protected network.
35. Ensure there is a rule on the inside interface that allows only traffic sourced from internal-network IPs outbound; traffic with any other source IP is dropped (egress anti-spoofing).
36. Ensure there is a deny rule for traffic from external sources destined to critical internal addresses.
37. Anti-spoofing filters shall block private addresses and internal addresses appearing from the outside.
38. The Inside zone shall have no direct exposure to the Internet; all publicly exposed servers shall be placed in the DMZ with restricted access.
39. Generate a complex pre-shared key for each site-to-site VPN.
40. Configure NAT table and connection table timeouts.
41. Allow remote login (SSH) to the firewall only from specific IPs or subnets.
42. Review all NAT and ACL entries and remove unused entries.
43. Review and delete remote-access VPN (RVPN) usernames that are no longer valid.
44. Restrict remote VPN access to the required server IPs and ports only.
45. Configure the IPS in inline mode to inspect all traffic through the firewall, including VPN traffic (bind the policy to each interface).
46. Update IPS signatures regularly, preferably automatically.
47. Take a backup whenever the firewall configuration changes.
48. Remove default usernames and passwords from the firewall.
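Three of the items above can be checked mechanically against an exported ruleset: item 16 (no permit from any source to any destination for any service), item 17 (a sequence number on every entry) and item 33 (the spoofed, private and illegal source ranges are denied). The script below is an added example written for this page, not a tool from the original document or from any firewall vendor. It parses a Cisco IOS-style extended ACL (the two ACLs embedded in it are constructed for illustration; the host 203.0.113.10 is a documentation address), converts wildcard masks to prefixes, and reports which items a weak ruleset fails and that a hardened one passes. The first-match logic is conservative: a deny that covers only part of a bogon range is not subtracted, so a later permit that can still see the range is reported.

```python
"""Audit a Cisco IOS-style extended ACL against checklist items 16, 17 and 33.

Added example for this page, not part of the original guideline.  The ACLs
below are constructed for illustration.
"""
import ipaddress
import re

# Source ranges from item 33 as CIDR prefixes.  240.0.0.0/4 also covers the
# limited-broadcast address 255.255.255.255.
BOGON_SOURCES = {
    "0.0.0.0/8": "illegal (this-network)",
    "10.0.0.0/8": "RFC 1918",
    "172.16.0.0/12": "RFC 1918",
    "192.168.0.0/16": "RFC 1918",
    "127.0.0.0/8": "loopback",
    "240.0.0.0/4": "reserved, includes 255.255.255.255",
}

# Constructed weak ruleset: misses several bogon ranges and ends with an
# unnumbered permit ip any any.
WEAK_ACL = """\
ip access-list extended OUTSIDE-IN
 10 deny ip 10.0.0.0 0.255.255.255 any
 20 deny ip 172.16.0.0 0.15.255.255 any
 30 deny ip 192.168.0.0 0.0.255.255 any
 40 deny ip 127.0.0.0 0.255.255.255 any
 50 permit tcp any host 203.0.113.10 eq 443
 permit ip any any
"""

# Constructed hardened ruleset: every bogon source denied before the first
# permit, every entry numbered, explicit logged deny at the end.
HARDENED_ACL = """\
ip access-list extended OUTSIDE-IN
 10 deny ip 0.0.0.0 0.255.255.255 any
 20 deny ip 10.0.0.0 0.255.255.255 any
 30 deny ip 127.0.0.0 0.255.255.255 any
 40 deny ip 172.16.0.0 0.15.255.255 any
 50 deny ip 192.168.0.0 0.0.255.255 any
 60 deny ip 240.0.0.0 15.255.255.255 any
 70 permit tcp any host 203.0.113.10 eq 443
 80 deny ip any any log
"""

# "[seq] permit|deny proto src dst [rest]" where src/dst is any, host A, or A wildcard
ENTRY_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+(?P<rest>.*))?$"
)

ANY = ipaddress.ip_network("0.0.0.0/0")


def field_to_network(field):
    """Turn an ACL address field ('any', 'host A', 'A wildcard') into a network."""
    if field == "any":
        return ANY
    if field.startswith("host "):
        return ipaddress.ip_network(field.split()[1] + "/32")
    addr, wildcard = field.split()
    # Cisco wildcard masks are inverted netmasks; require a contiguous mask.
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def parse_acl(text):
    """Return the access-control entries of an extended ACL, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # 'ip access-list ...' header, remarks, blank lines
        entries.append({
            "raw": line.strip(),
            "seq": m["seq"],
            "action": m["action"],
            "proto": m["proto"],
            "src": field_to_network(m["src"]),
            "dst": field_to_network(m["dst"]),
        })
    return entries


def verdict_for_source(entries, source):
    """First-match verdict for packets sourced from `source` (implicit deny at end)."""
    for e in entries:
        if not e["src"].overlaps(source):
            continue
        if e["action"] == "permit":
            return "permit", e          # some part of the range gets through
        if source.subnet_of(e["src"]):
            return "deny", e            # whole range blocked here
    return "deny", None                 # Cisco ACLs end with an implicit deny


def audit_acl(text):
    """Return a list of findings; an empty list means the ACL passes."""
    entries = parse_acl(text)
    findings = []
    for e in entries:
        if e["seq"] is None:  # item 17
            findings.append(f"item 17: no sequence number: '{e['raw']}'")
        # item 16: proto 'ip' means any service
        if e["action"] == "permit" and e["proto"] == "ip" and e["src"] == ANY and e["dst"] == ANY:
            findings.append(f"item 16: permits any source to any destination: '{e['raw']}'")
    for prefix, label in BOGON_SOURCES.items():  # item 33
        verdict, e = verdict_for_source(entries, ipaddress.ip_network(prefix))
        if verdict == "permit":
            findings.append(f"item 33: {prefix} ({label}) reaches '{e['raw']}'")
    return findings


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        result = audit_acl(acl)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  " + finding)
```

Running it reports four findings for the weak ACL (the unnumbered entry, the any/any/any permit, and the 0.0.0.0/8 and 240.0.0.0/4 sources that reach the HTTPS permit at sequence 50) and none for the hardened one. Feed it the output of `show running-config | section access-list` from a real device, and extend BOGON_SOURCES with your own internal ranges to cover item 37 as well.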
