Additional Firewall Controls

The following are additional controls for firewalls. Note that some of these controls might be handled by a router in conjunction with a firewall, but a router by itself is a poor firewall for the perimeter of a corporate network.

1 Verify that all packets are denied by default.

All packets on a firewall should be denied except for packets coming from and headed to addresses and ports that are all explicitly defined. This is a much stronger defensive position than trying to keep track of what rules you have set up to block each specific address or service. For example, external SNMP queries from outside your network targeted to a router inside your network would be denied by default if the only traffic you allowed into your DMZ was to a web server.

How

Verify with the firewall administrator that all packets are denied by default. Ask the administrator to show you in the configuration how this is set up.

2 Ensure that inappropriate internal and external IP addresses are filtered.

Traffic coming from the internal address space should not have external addresses. Likewise, traffic coming from outside the network should not have as the source address your internal network.

How

Verify with the help of the firewall administrator that all packets entering from the exterior with source IP addresses set up for internal networks are denied. Likewise, all packets coming from the interior with source IP addresses not set up for the interior should be denied. Additionally, firewalls should hide internal Domain Naming Service (DNS) information from external networks.