What are the general best practices when it comes to securing a firewall?
Always work from an Incoming > Deny All start. This means if you didn't ask for it, it doesn't come through. Then, it's recommended to get a proper firewall device that can perform UTM and set up IPS policies to scan your traffic for viruses and other potential exploits and hazards. FortiGate is my vendor of choice; we've got two running in a high availability cluster, and they're simply flawless. From there, simply create the forwards and policies needed to allow traffic to inbound services. Also, there are various precautions you should take, like making a policy so no outbound port 25 traffic can come from workstations (if you've got an Exchange server). This keeps some viruses from using your systems as spam hosts and blasting out spam, getting your MTA record trashed. A free alternative to an appliance is Untangle, but it's a lot more difficult to set up for a non-experienced user.
Only open ports needed for inbound access, such as email, to the servers that need that port. Same thing for outbound traffic. Don't allow any direct traffic from the internet to your main LAN.
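The practices in the two answers above (deny by default, inbound ports opened only to the server that needs them, outbound port 25 only from the mail server, no internet traffic straight to the LAN) can be checked against a rule set by probing it with representative flows. This is an added example, not code from either answer; the first-match rule model, the addresses and the RDP and HTTPS probe ports are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination TCP port; 0 matches any port

ANY = "0.0.0.0/0"
# Constructed addressing, not from the original answers.
LAN, MAIL, WORKSTATION, OUTSIDE = "10.0.0.0/24", "10.0.1.25", "10.0.0.50", "203.0.113.9"

def decide(rules, src, dst, port):
    """First matching rule wins; no match means deny (the Deny All start)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (0, port)):
            return r.action
    return "deny"

# Representative flows and the verdict the practices above call for.
PROBES = [
    ("internet to mail server, SMTP", OUTSIDE, MAIL, 25, "allow"),
    ("internet to LAN host, RDP", OUTSIDE, WORKSTATION, 3389, "deny"),
    ("workstation to internet, SMTP", WORKSTATION, OUTSIDE, 25, "deny"),
    ("mail server to internet, SMTP", MAIL, OUTSIDE, 25, "allow"),
    ("workstation to internet, HTTPS", WORKSTATION, OUTSIDE, 443, "allow"),
]

def audit(rules):
    """Return the names of probe flows whose verdict differs from the expected one."""
    return [name for name, s, d, p, want in PROBES if decide(rules, s, d, p) != want]

WEAK = [
    Rule("allow", ANY, "10.0.0.0/8", 0),   # any inbound port, reaches the LAN
    Rule("allow", "10.0.0.0/8", ANY, 0),   # any outbound port, from any host
]
HARDENED = [
    Rule("allow", ANY, MAIL + "/32", 25),  # inbound: one port, one server
    Rule("allow", MAIL + "/32", ANY, 25),  # outbound SMTP: mail server only
    Rule("deny", LAN, ANY, 25),            # explicit: workstations may not send SMTP
    Rule("allow", LAN, ANY, 443),          # outbound: only what is needed
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(rules) or "all probes pass")
```

The probes are single representative flows, so a clean result shows the rule set handles those cases, not that every address and port is covered.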