Firewall Exceptions: Best Practices

TL;DR

Creating firewall exceptions is sometimes necessary, but it introduces risk. This guide shows you how to do it safely by being specific, documenting everything, and regularly reviewing your rules.

1. Understand Why You Need an Exception

Before creating any exception, ask yourself:

• Is this truly necessary? Can the application work without an exception (e.g., by using a different port or protocol)?
• What is the risk? Opening a port unnecessarily increases your attack surface.

If possible, explore alternatives like VPNs or SSH tunneling instead of opening firewall ports.

2. Be as Specific as Possible

Avoid broad exceptions that allow all traffic from/to an IP address or on a wide range of ports. The more specific you are, the less risk you introduce.

• Source and Destination IPs: Use exact IP addresses instead of ranges whenever possible.
• Ports: Specify only the necessary port(s). Avoid using ‘any’ or wide port ranges (e.g., 1-65535).
• Protocols: Limit exceptions to the required protocol (TCP, UDP, ICMP).
• Applications: If your firewall supports it, create rules based on application names instead of ports.

Example: Instead of allowing all traffic from 192.168.1.0/24 to the internet, allow only TCP port 443 (HTTPS) from a specific server at 192.168.1.10 to a known external IP address.

3. Document Everything

Keep a detailed record of every firewall exception you create. This documentation should include:

• Rule Name: A descriptive name that explains the purpose of the rule.
• Justification: Why the exception is needed (e.g., application requirements, business need).
• Source IP/Range: The source IP address(es) or range allowed to connect.
• Destination IP/Range: The destination IP address(es) or range the traffic is going to.
• Port(s): The port number(s) allowed.
• Protocol: TCP, UDP, ICMP, etc.
• Application: If applicable, the name of the application using the exception.
• Created By: Who created the rule.
• Creation Date: When the rule was created.
• Expiry Date (Optional): A date when the rule should be reviewed or removed.

Use a spreadsheet, database, or dedicated documentation tool to manage your exceptions.

4. Use Your Firewall’s Features

Most firewalls offer features that can help you create more secure exceptions:

• Stateful Inspection: Ensure your firewall tracks the state of connections and only allows return traffic for established sessions.
• Application Control: Use application control to allow specific applications instead of ports.
• Geo-IP Filtering: Block traffic from countries where you don’t expect legitimate connections.
• Time-Based Rules: Limit exceptions to specific times when they are needed.

Consult your firewall documentation for details on these features.

5. Regularly Review and Remove Unnecessary Exceptions

Firewall rules should be reviewed regularly (at least every 6 months) to ensure they are still necessary and appropriate.

• Identify unused exceptions: Look for rules that haven’t been triggered in a long time.
• Validate existing exceptions: Confirm the justification is still valid.
• Remove outdated or unnecessary rules: Delete any rule that is no longer needed.

Many firewalls provide logging and reporting tools to help you identify unused rules.

6. Testing

After creating an exception, test it thoroughly to ensure it works as expected without opening up unintended access.

• Verify connectivity: Confirm the application can connect using the new rule.
• Check logs: Ensure only authorized traffic is allowed through the firewall.
• Use security scanning tools: Scan your system to identify any potential vulnerabilities introduced by the exception.