There is often a thought that, if something is included by default, it must be necessary. This is something we run across quite a lot when it comes to firewall policies. When you receive your new WatchGuard firewall, there are several policies already configured on it. So, if they are there when we begin, they should always exist, right?
The issue is that, when it comes to security, there are often a lot of gaps in default configurations. Defaults are typically designed for easy access or simplified use, but this doesn’t always mean security is at the forefront. However, if you know what to look for, securing the device becomes much easier. In this post we want to outline the default policies, why they exist, and what you need to do to secure them.
FTP
The first policy you will find in a default WatchGuard configuration is “FTP.” This policy is built to allow outbound traffic over TCP port 21 from any Trusted or Optional network to any External destination.
The Problem:
The problem with this policy is that it does nothing to inspect or restrict FTP traffic. It is simply allowed out, and because it is a packet filter we cannot put any filtering in place.
The Solution:
To correct this issue, we first need to ask ourselves if we actually want to allow outbound FTP traffic. If this is not something we need, then this policy should be deleted. We will further secure it when we review our Outgoing policy (below). If we do want to allow outbound FTP traffic, this policy should be deleted and an FTP-proxy should be added. The proxy will allow us to implement security standards like scanning for viruses and even limiting the file types that are allowed through.
WatchGuard WebUI and WatchGuard
These two policies are built to allow access to the firewall. The WatchGuard WebUI policy allows access to the firewall through its web interface, while the WatchGuard policy allows access through Policy Manager.
The Problem:
By default, these policies allow access from all Trusted and Optional networks. In many cases, there may be networks configured on the firewall that should not have access to the firewall itself. For example, a guest network that is configured as an Optional interface should not be able to access the firewall. If it can, an attacker could have easy access into the device.
The Solution:
To correct the issue, these policies need to be restricted to only the networks or IPs that need access to the firewall. The ultimate recommendation is to allow access through authentication groups, so that only I.T. administrators can gain access. At the very least, Any-Optional should always be removed from these policies.
Ping
This policy is simple enough. It is set to allow ping on the network.
The Problem:
The issue with this policy is that it allows ping between networks, because its destination is set to Any. This includes not only external resources, but internal resources as well. So with the default settings, anyone on an Optional guest network could ping an internal Trusted device. While ping itself is not necessarily malicious, we want to ensure devices can’t be discovered by unauthorized sources.
The Solution:
The fix to this is to treat it as an outbound policy. “Any” should be removed from the To field and replaced with “Any-External.”
Outgoing
This policy is designed with ease-of-setup in mind. Its purpose is to ensure we can pass traffic out of the firewall on any TCP or UDP port.
The Problem:
To put it simply, this policy completely undermines all security when it comes to outbound traffic. Since it allows all TCP or UDP traffic out of the firewall, there is no way for us to fully restrict what our users can get to. We can build the policies we need for things like HTTP, HTTPS and DNS, but ultimately all other ports still have a way out.
The Solution:
The ultimate solution is to get rid of this policy completely, specifically for any internal networks. There should never be a way for all ports to be available or open when sending traffic out of the environment. However, we don’t want to simply turn this off without adding in some extra access. At a minimum, we need a way to pass HTTP, HTTPS and DNS traffic out of the firewall. There may be other ports we need, which we will have to monitor our traffic for. Once we have our policy built with the specific outbound ports needed for our network, this policy can be removed.
For more information on the Outgoing policy, check out our video Here
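To make the four checks above concrete, here is an added example (not code from JSCM Group or WatchGuard) that audits a simplified policy list for the default-policy problems described in this post and confirms that the corrected set passes. The dictionary-based policy model, the “Firebox” alias for the device itself, the IT-Admins group and the management port numbers are assumptions for the example, not details taken from the post.

```python
PACKET_FILTER, PROXY = "packet-filter", "proxy"
ANY_INTERNAL = ["Any-Trusted", "Any-Optional"]
def covers_all_ports(port_spec):
    """True for entries like 'tcp/0-65535' that leave every port on a protocol open."""
    proto, rng = port_spec.split("/")
    if proto not in ("tcp", "udp") or "-" not in rng:
        return False
    lo, hi = (int(x) for x in rng.split("-"))
    return lo <= 1 and hi >= 65535

def audit_policy(policy):
    """Return the findings for one policy, following the four checks in the post."""
    findings = []
    src, dst, ports = set(policy["from"]), set(policy["to"]), policy["ports"]
    # FTP: a packet filter passes port 21 blindly; only the FTP-proxy can scan files.
    if "tcp/21" in ports and policy["type"] == PACKET_FILTER:
        findings.append("FTP: delete it, or replace it with an FTP-proxy")
    # Management access (To = the firewall itself, alias 'Firebox'): never from Any-Optional.
    if "Firebox" in dst and "Any-Optional" in src:
        findings.append("management access allowed from Any-Optional")
    # Ping: To = Any lets Optional/guest hosts discover Trusted devices.
    if any(p.startswith("icmp/") for p in ports) and "Any" in dst:
        findings.append("Ping: change To from Any to Any-External")
    # Outgoing: every TCP/UDP port open outbound undermines the other outbound rules.
    if any(covers_all_ports(p) for p in ports) and "Any-External" in dst:
        findings.append("Outgoing: remove once HTTP/HTTPS/DNS policies exist")
    return findings

def audit(policies):
    """Map policy name -> findings, keeping only policies with something flagged."""
    return {p["name"]: f for p in policies if (f := audit_policy(p))}

def policy(name, ptype, ports, src, dst):
    return {"name": name, "type": ptype, "ports": ports, "from": src, "to": dst}

# Constructed sample of the factory defaults described in the post (management ports assumed).
DEFAULT_POLICIES = [
    policy("FTP", PACKET_FILTER, ["tcp/21"], ANY_INTERNAL, ["Any-External"]),
    policy("WatchGuard WebUI", PACKET_FILTER, ["tcp/8080"], ANY_INTERNAL, ["Firebox"]),
    policy("WatchGuard", PACKET_FILTER, ["tcp/4105"], ANY_INTERNAL, ["Firebox"]),
    policy("Ping", PACKET_FILTER, ["icmp/8"], ANY_INTERNAL, ["Any"]),
    policy("Outgoing", PACKET_FILTER, ["tcp/0-65535", "udp/0-65535"], ANY_INTERNAL, ["Any-External"]),
]
# The same set after the post's fixes; 'IT-Admins' is an assumed authentication group.
HARDENED_POLICIES = [
    policy("FTP-proxy", PROXY, ["tcp/21"], ["Any-Trusted"], ["Any-External"]),
    policy("WatchGuard WebUI", PACKET_FILTER, ["tcp/8080"], ["IT-Admins"], ["Firebox"]),
    policy("Ping", PACKET_FILTER, ["icmp/8"], ["Any-Trusted"], ["Any-External"]),
    policy("Outbound-Web-DNS", PACKET_FILTER, ["tcp/80", "tcp/443", "tcp/53", "udp/53"], ["Any-Trusted"], ["Any-External"]),
]
```

Running `audit(DEFAULT_POLICIES)` flags all five factory policies, while `audit(HARDENED_POLICIES)` returns an empty dict.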
Firewall Configuration
The biggest thing to keep in mind is that your firewall’s configuration will make or break the security of your environment. If you are not taking the time to ensure it is properly set up, there are numerous ways attacks and threats can pass through unnoticed. If you would ever like assistance in reviewing your current configuration or if you need help setting up a new firewall, don’t hesitate to Contact JSCM Group!