Cloud Firewall

A firewall is a requirement in any situation where servers or networks are to be protected. It is a specialized piece of hardware or software used to filter and protect network communication.

A firewall can be thought of as a set of rules that allows the smallest possible volume of network traffic without preventing the expected communication between two or more network endpoints.

The rule set is divided into two separate sets: inbound rules and outbound rules.

There are several types of firewall that this Security Guide does not cover: stateless vs. stateful firewalls, and network-based vs. host-based firewalls. Each type has its own specific uses.

Common Practices and Rules

Always configure both inbound and outbound filter rules. Inbound rules protect against external attacks; outbound rules protect against unwanted leaks of communication from the protected systems.

Typical rule setup:

  • Allow HTTP (80) and HTTPS (443) from all (or a wide range of) IP addresses.
  • Allow RDP (3389) and/or SSH (22) only from selected IP addresses or a specific subnet.
  • Deny all other protocols and ports.

Sometimes an allow rule is added for database access (such as port 1433 for MS SQL Server). This is not recommended: database access should typically be allowed only from inside a private network.

Never use 0.0.0.0/0 as the source for a rule that allows all protocols and ports. The only services that may be opened to 0.0.0.0/0 are HTTP (80) and HTTPS (443), since these are protected by a web application firewall.

Firewall Justification Document

When planning an installation, it is generally a good idea to prepare a firewall justification document alongside the firewall rules themselves.

A maintained firewall justification document is an important resource for both the internal security team and the auditor, because it shows exactly how the firewall's rules are structured and why each rule exists. It also makes it possible to spot rules that were added to the firewall without being justified and approved. The document should contain separate sections for inbound and outbound rules, plus the responsible persons (reviewed by and approved by). Each rule entry records the logical name, protocol, port range, source/destination and a justification comment.
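As an added example that is not part of this guide, the following Python script audits a rule set laid out with the justification document's fields against the practices described above: nothing but TCP 80/443 open to 0.0.0.0/0, database ports reachable only from private address space, and every rule carrying a justification and an approver. The rule names, source ranges and the "approved_by" field are constructed sample values.

```python
import ipaddress

# Constructed sample inbound rule set, laid out with the fields the justification
# document calls for (logical name, protocol, port range, source, justification,
# approver). The last two rules are deliberately non-compliant.
INBOUND_RULES = [
    {"name": "web-http", "protocol": "tcp", "ports": (80, 80), "source": "0.0.0.0/0",
     "justification": "Public web traffic, behind WAF", "approved_by": "security-team"},
    {"name": "web-https", "protocol": "tcp", "ports": (443, 443), "source": "0.0.0.0/0",
     "justification": "Public web traffic, behind WAF", "approved_by": "security-team"},
    {"name": "admin-ssh", "protocol": "tcp", "ports": (22, 22), "source": "203.0.113.0/24",
     "justification": "Ops jump-host range", "approved_by": "security-team"},
    {"name": "db-mssql", "protocol": "tcp", "ports": (1433, 1433), "source": "10.20.0.0/16",
     "justification": "App tier to DB tier", "approved_by": "security-team"},
    {"name": "db-mssql-ext", "protocol": "tcp", "ports": (1433, 1433), "source": "198.51.100.0/24",
     "justification": "", "approved_by": ""},
    {"name": "debug-any", "protocol": "all", "ports": (0, 65535), "source": "0.0.0.0/0",
     "justification": "temporary troubleshooting", "approved_by": ""},
]

PUBLIC_OK_PORTS = {80, 443}   # the only ports the guide allows from anywhere
DB_PORTS = {1433}             # MS SQL Server, as named in the guide; extend as needed
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_rule(rule):
    """Return the list of policy findings for one inbound allow rule (empty if clean)."""
    findings = []
    src = ipaddress.ip_network(rule["source"])
    lo, hi = rule["ports"]
    ports = set(range(lo, hi + 1))
    # 0.0.0.0/0 is acceptable only for TCP and only for HTTP/HTTPS ports
    if src.prefixlen == 0 and (rule["protocol"] != "tcp" or not ports <= PUBLIC_OK_PORTS):
        findings.append("open to 0.0.0.0/0 on something other than HTTP/HTTPS")
    # database ports must be reachable only from RFC 1918 private address space
    if ports & DB_PORTS and not any(src.subnet_of(n) for n in PRIVATE_NETS):
        findings.append("database port reachable from outside private address space")
    if not rule["justification"].strip():
        findings.append("missing justification")
    if not rule["approved_by"].strip():
        findings.append("missing approver")
    return findings

def audit(rules):
    """Map rule name -> findings for every rule that violates the guide's practices."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}

if __name__ == "__main__":
    for name, findings in audit(INBOUND_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```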