Firewall-Hardening Basic Checklist

Firewall Hardening Guidelines

Sno

Hardening

1.

Don’t assume your firewall is the answer to your network security

2.

Install the latest IOS and Update properly

3.

Firewall shall have the Hostname.

4.

Ensure that the memory has appropriate requirements to install the new IOS

5.

The password shall be used as per the password policy

6.

Ensure that the console port is password protected

7.

Ensure that the console has appropriate time out

8.

Ensure that the console has Authentication reentries

9.

Ensure that the Auxiliary port is password protected (where ever required)

10.

Shutdown the other Ethernet ports which is not in use.

11.

Other unwanted or non business related ports should be closed

12.

Disable Telnet access instead use SSh Version 2

13.

Disable HTTP access instead use HTTPS

14.

Disable SNMP Version 1 instead use SNMP Version 2 or 3

15.

SNMP community string should be strong

16.

ACLs should not Permit Packets From Any Source To Any Destination And Any Service

17.

All ACL rules have a rule ID assigned

18.

VPN shall configured with strong encryption ciphers

19.

Ensure that there is a rule blocking ICMP echo requests and replies.

20.

Ensure that there is a rule blocking outgoing time exceeded and unreachable messages.

21.

Unwanted Rules should be deleted

22.

Use SSL version 3 only

23.

NTP Authentication should be enabled

24.

Warning Login Banner should be configured

25.

Sys logging should be configured with encryption

26.

Proxy arp should be disabled

27.

Use of user exec mode(which will be used by the normal users) and config mode(which will be used by the administrators) should be used in the firewall to differentiate the authentication.

28.

User shall access with their individual name and password with Privilege level

29.

The entire logs shall be sent to the appropriate person and it should be reviewed periodically

30.

Periodical checkup is required for the backup Firewall is working properly or not.

31.

Check whether the Vulnerability Assessment is periodically carried out to ensure that the firewall is secured.

32.

Ensure that the ruleset complies with the organization security policy

33.

Ensure that the following spoofed, private (RFC 1918) and illegal addresses are blocked: Standard unroutables 255.255.255.255 127.0.0.0 Private (RFC 1918) addresses 10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255

192.168.0.0 - 192.168.255.255 Reserved addresses 240.0.0.0 Illegal addresses 0.0.0.0 UDP echo ICMP broadcast (RFC 2644) Ensure that traffic from the above addresses is not transmitted by the interface. 34.

If FTP is a requirement, ensure that the server which supports FTP, is placed in a different subnet than the internal protected network

35.

Ensure that there is a rule specifying that only traffic originating from IP’s within the internal network be allowed. Traffic with IP’s other than from the Internal network are to

be dropped. 36.

Ensure that there is a deny rule for traffic destined to critical internal addresses from external sources.

37.

Anti-spoofing filters shall blocked private addresses and internal addresses appearing from the outside

38.

No Internet access from the Inside Zone and all public exposed server should be placed in DMZ with Restricted access

39.

Generating Complex Password for Pre-shared over the Site to Site VPN

40.

Configure NAT Table and Connection table time out

41.

Allowing Specific IP/Subnet access for remote Login (SSH) to Firewall

42.

Reviewing the all NAT and ACL entry for validating unused entry

43.

Reviewing/Deleting the RVPN Username validation

44.

Remote VPN access with the restricted Server IP with Port access

45.

Configuring IPS for Inline mode for inspect all Traffic through the Firewall including the VPN Traffic (Binding the Policy on Each interface)

46.

Regular/Automatic IPS Signature update

47.

The Backup should be taken whenever the changes happened in the firewall

48.

Default username and password shall be removed from firewall.