You'd be amazed at how simple it can be to make your environment more secure, you may also be amazed at how many administrators skip the 'hardening the operating system' part of the firewall deployment.
In my years working for support I was amazed at how many times I was able to log into a customer's firewall without asking for credentials: the default password was never changed!
The worst scenario I ever encountered (well maybe not worst, but still pretty bad) was an administrator that was still using the good old admin/admin that had an enterprising user that discovered the management interface, had been able to log in and created security policies for himself so he could access all the things he wanted to be able to from his work computer.
Suffice to say many of the newly acquired privileges were not work appropriate...
A couple of checkboxes that need to be on every administrator's 'to-do before go-live':
- Change the admin password, create personalized admin accounts
First, set up every administrator with a personalized account. This will come in handy when a change in the configuration needs to be backtraced in case something is unclear or was not diocumented properly
Next, change the default administrator account:
A good practice is to have 2 administrators create 2 halves of a long and complex password, have each write his part on a piece of paper that goes into a sealed envelope and is stored for emergencies, then have each admin type his part separately so neither is aware of the full password.
Simply deleting the default account is also an option but the abovementioned method ensures a backup is available in case of emergency.
- Leverage administrator roles to limit access
Some admins require less access, the operations team may only need to have monitoring up on a big screen or may only need to review certain settings. Some admins may not be allowed access to private data like usernames or IP addresses. All this can be controlled through an admin role that's attached to the admin's account:
- Limit exposure of the management interface
If possible, make sure the management interface is in an isolated network segment not accessible to unauthorized persons. If a traditional 'oob' network is not possible, consider adding an access list to the menagement configuration to limit access to administrator's subnet or individual IP addresses.
Please share if you know an admin that could use a quick refresher! :)