Firewall management

Firewalls, as the first line of defense in an organization’s network security infrastructure, play a pivotal role in protecting sensitive data and maintaining system integrity. However, merely having a firewall isn’t sufficient. It’s the strategic deployment, ongoing management, and continuous updating of these firewalls that ultimately determine their efficacy.
The practices below offer guidance for organizations seeking to bolster their cybersecurity posture, from the principles of layered security and least privilege to the critical practices of regular auditing and swift response to security alerts.

Implement a layered security approach (Defense in Depth): One firewall, no matter how robust, is not enough to protect against all types of threats. It’s recommended to use a combination of firewalls, intrusion prevention systems (IPS), antivirus software, secure web gateways, and more to form a multi-layered defense. This aligns with the principle of Defense in Depth, advocated by the National Institute of Standards and Technology (NIST) in its Special Publication 800 series.
This relates to multiple tactics in the MITRE ATT&CK framework, such as “Defense Evasion” and “Credential Access”. By implementing layered security measures, organizations can protect themselves against the various attack techniques categorized under these tactics.

Apply the least privilege rule: Only allow traffic that’s necessary for your business processes and block the rest by default. This maps to the Principle of Least Privilege (PoLP), a computer security concept in which a user is given the minimum level of access necessary to complete their tasks.
This primarily relates to the “Privilege Escalation” tactic from the MITRE ATT&CK framework, where an adversary may try to gain higher-level permissions.

Regularly update and patch your firewall: Vulnerabilities are continually discovered in firewall software. Regular updates and patches are critical to maintaining a strong defense. This aligns with the maintenance aspect of the ISO 27001 Standard, which emphasizes regular updates to maintain the effectiveness of the ISMS (Information Security Management System).

Incorporate Threat Intelligence: Threat intelligence involves gathering, analyzing, and applying information about potential or current cyber threats. It involves understanding the tactics, techniques, and procedures (TTPs) of potential attackers, and then using this information to prepare defenses, such as firewall rules, against them. For example, if a certain IP address is identified as being part of a botnet in a threat intelligence feed, a firewall rule could be added to block traffic from this IP. Advanced firewall technologies and SIEM solutions often integrate threat intelligence feeds, automatically updating rules and signatures based on the latest threat data.

Regularly audit and review firewall rules: Over time, firewall rules can become outdated or irrelevant. Regularly reviewing these rules ensures that the firewall continues to function as intended. For example, a company may have opened a port to allow a certain service, but if this service is no longer in use, the open port could become a security vulnerability. Auditing could involve examining each rule, determining its necessity, and disabling or modifying it as needed. There are also automated tools that can help with this process, such as firewall rule analyzers, which can identify overly permissive rules, conflicting rules, or unused rules.
In the context of MITRE ATT&CK, this can help detect “Persistence” and “Lateral Movement” techniques used by adversaries to maintain access and traverse a network.

Implement secure zones and segmentation: This involves breaking up the network into different zones based on the level of trust or the sensitivity of the information contained. This can be done using VLANs, subnetting, or with firewall rules themselves. For example, you may have a “trusted” zone for internal company traffic, a “semi-trusted” zone for external but authenticated traffic, and an “untrusted” zone for all other traffic. This way, if a system in the untrusted zone gets compromised, it would not have direct access to systems in the trusted zone. Similarly, a firewall could enforce rules between different segments, such as blocking direct traffic between the development and production environments, to reduce the risk of a rogue developer deploying untested code or a compromised development machine affecting the production environment.
This falls under the “Lateral Movement” tactic in MITRE ATT&CK, as segmentation limits an attacker’s ability to move across the network.
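The audit described above (overly permissive, unused and shadowed rules) and the default-deny and segmentation principles from the least privilege and secure zones sections can be checked mechanically. The following rule analyzer is an added example written for this article, not a tool from any vendor; the Rule model, the first-match-wins chain semantics, the zone addresses and the hit counters are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "0.0.0.0/0"

@dataclass
class Rule:
    name: str
    src: str       # source CIDR, ANY for unrestricted
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    port: str      # destination port or "any"
    action: str    # "allow" or "deny"
    hits: int = 0  # match counter exported by the firewall (constructed here)

CATCH_ALL = Rule("default-deny", ANY, ANY, "any", "any", "deny")

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is already matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.port in ("any", inner.port))

def audit(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, finding) pairs for a first-match-wins rule chain."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == ANY and r.port == "any":
            findings.append((r.name, "overly permissive: any source, any port"))
        if r.action == "allow" and r.hits == 0:
            findings.append((r.name, "unused: zero hits since last review"))
        # First match wins: a rule fully covered by an earlier one never fires.
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = "conflict" if earlier.action != r.action else "redundant"
                findings.append((r.name, f"{kind}: shadowed by {earlier.name}"))
                break
    # Least privilege: the chain must end by denying everything not explicitly allowed.
    if not rules or rules[-1].action != "deny" or not covers(rules[-1], CATCH_ALL):
        findings.append(("chain", "no default-deny rule at end of chain"))
    return findings

# Constructed ruleset: trusted zone 10.0.0.0/8 (dev 10.0.20.0/24, prod 10.0.30.0/24), DMZ 192.168.100.0/24.
RULES = [
    Rule("allow-web", ANY, "192.168.100.0/24", "tcp", "443", "allow", hits=120034),
    Rule("allow-internal", "10.0.0.0/8", "10.0.0.0/8", "any", "any", "allow", hits=88120),
    Rule("deny-dev-to-prod", "10.0.20.0/24", "10.0.30.0/24", "any", "any", "deny"),
    Rule("allow-vendor-any", ANY, "10.0.5.0/24", "any", "any", "allow"),
    CATCH_ALL,
]
```

Running audit(RULES) reports that the dev-to-prod deny is shadowed by the broad internal allow placed before it (the segmentation intent is silently defeated), and that the vendor rule is both wide open and unused.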

Monitor and respond to alerts promptly: Having a firewall isn’t enough; the team must promptly respond to its alerts. This is consistent with the incident response and management aspects of many security standards and frameworks, such as ISO 27001 and the NIST Cybersecurity Framework.
This is related to the “Command and Control” tactic from MITRE ATT&CK, as a prompt response to alerts can interrupt an attacker’s communication with a compromised system.

Test your firewall: Regular penetration testing, vulnerability scanning, and validation of your firewall rules and configurations are critical practices. They align with the “Detect” and “Respond” functions in the NIST Cybersecurity Framework.

Train staff on best security practices: Firewalls are part of a larger security landscape, and their effectiveness depends on the security awareness of the users. Regular staff training is recommended by several security standards, including ISO 27001 and PCI DSS.

Prepare for the worst-case scenario: Always have an incident response plan ready in case of a security breach. This recommendation is part of the NIST SP 800-61 guideline on Computer Security Incident Handling.

Understanding firewall logs: Firewall logs provide crucial data about network traffic, attempted attacks, and other security events. However, these logs can be voluminous and difficult to understand. Experienced firewall engineers stress the importance of becoming familiar with log entries and understanding how to interpret them. For example, a sudden surge in traffic from a particular IP address could be an indication of a potential attack. Other suspicious log entries could include repeated attempts to connect to a particular port or multiple connection attempts to a secure server within a short period. Using a Security Information and Event Management (SIEM) system can help to aggregate, correlate, and analyze these logs, turning raw data into actionable security intelligence.
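The three patterns named above (a surge from one source, a sweep of many ports on one host, and repeated attempts against one port of a server in a short period) can be expressed as simple detection logic over firewall log lines. The following is an added example written for this article, not code from any firewall or SIEM product; the iptables-style LOG line format, the 60-second tumbling window, the thresholds and every address in the sample are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Extracts only the fields this example needs from an iptables/nftables LOG line.
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
                    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=\S+"
                    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

def parse(line: str, year: int = 2024):
    """Return (minute bucket, src, dst, dpt), or None for lines that are not LOG entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.replace(second=0), m["src"], m["dst"], m["dpt"]

def analyze(lines, surge=20, scan_ports=10, repeat=10):
    """Flag per-source anomalies in 60-second tumbling windows; returns {(src, alert)}."""
    per_window = defaultdict(list)
    for e in filter(None, map(parse, lines)):
        per_window[(e[0], e[1])].append(e)
    alerts = set()
    for (_, src), evs in per_window.items():
        if len(evs) >= surge:                       # sudden burst from one source
            alerts.add((src, "surge"))
        ports_per_dst = defaultdict(set)
        for _, _, dst, dpt in evs:
            ports_per_dst[dst].add(dpt)
        if any(len(p) >= scan_ports for p in ports_per_dst.values()):
            alerts.add((src, "port-scan"))          # many ports on one host
        hits = Counter((dst, dpt) for _, _, dst, dpt in evs)
        if hits and max(hits.values()) >= repeat:   # same host, same port, over and over
            alerts.add((src, "repeated-connects"))
    return alerts

def log_line(hhmmss, src, dst, dpt):
    """Build a constructed DROP line in iptables LOG format (sample data, not real traffic)."""
    return (f"Jun 14 {hhmmss} fw kernel: FW-DROP: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT={dpt} WINDOW=65535 SYN")

# Constructed sample: a 12-port sweep of one host, 12 blocked SSH attempts on a server
# within a minute, a 25-host burst from one source, two benign drops and a non-LOG line.
SAMPLE = (
    [log_line(f"10:02:{i:02d}", "203.0.113.45", "10.0.0.5", 20 + i) for i in range(12)]
    + [log_line(f"10:03:{i * 4:02d}", "198.51.100.7", "10.0.0.9", 22) for i in range(12)]
    + [log_line(f"10:04:{i * 2:02d}", "203.0.113.99", f"10.0.0.{100 + i}", 445) for i in range(25)]
    + [log_line("10:02:30", "192.0.2.10", "10.0.0.5", 443),
       log_line("10:03:15", "192.0.2.11", "10.0.0.9", 80),
       "Jun 14 10:02:05 fw sshd[1234]: Accepted publickey for admin from 10.0.1.20"]
)
```

Lines that are not LOG entries are ignored rather than breaking the parser, and each source ends up tagged with only the pattern it actually exhibits, which is the kind of triage a SIEM rule would perform before raising an alert.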

Dealing with DDoS attacks: Distributed Denial of Service (DDoS) attacks are common and can overwhelm a network with massive amounts of traffic, leading to service disruptions. Firewalls can mitigate some DDoS attacks but might not be sufficient on their own for larger scale attacks. Engineers often recommend a multi-layered approach: over-provisioning bandwidth to handle sudden influxes of traffic, using intrusion prevention systems (IPS) to identify and block DDoS traffic, and engaging with a DDoS mitigation service that can reroute traffic through a network of servers (typically a content distribution network or CDN), filtering out malicious traffic. Some more advanced firewalls also include rate-limiting features that can help prevent a single source from flooding the network. However, due to the distributed nature of DDoS attacks, it’s typically best to engage with a specialized DDoS mitigation service for comprehensive protection.
Although DDoS attacks primarily aim to disrupt services (mapped to the “Impact” tactic in the ATT&CK framework), they can also be used as a distraction for other malicious activities.

By integrating these lessons, organizations can create a robust and resilient security infrastructure that proactively counters threats, adapts to evolving risk landscapes, and supports secure business operations.