One of the most dangerous things administrators can think is that because the device they are implementing is a firewall, it must already be hardened by the vendor and therefore they don t need to do anything else to further protect the firewall from being compromised. This is patently incorrect. Every firewall can be hardened beyond what the vendors do to protect the system against being compromised. As you saw in this chapter, a basic template for hardening your firewalls consists of the following steps:
Harden remote administration. Prevent remote administration where possible, and permit only secure remote administration if you must allow it.
Implement authentication and authorization. Implement unique usernames and hard-to-guess passwords, and only allow users to run the commands required.
Harden the operating system. If you are using a software-based firewall, you must harden the underlying operating system because it is the biggest vulnerability to your firewall.
Harden firewall services and protocols. Allow only the services that are required, encrypt insecure traffic by encapsulating it with IPsec, and only allow specific hosts to connect to any services.
Implement syslog. syslog is critical for auditing, forensics, and troubleshooting purposes. Protect your syslog traffic by encapsulating it with IPsec.
Provide redundancy and fault tolerance. A firewall is only effective if it is running. Providing redundancy allows your company to continue to function in the event of a hardware failure.
Harden routing protocols. If possible, use only static routes. If you must use dynamic routing protocols, only use those protocols that provide for some kind of authentication mechanism.