You wouldn't leave your front door open - so why would you your firewall?


You'd be amazed at how simple it can be to make your environment more secure. You may also be amazed at how many administrators skip the 'hardening the operating system' part of the firewall deployment.

In my years working for support, I was amazed at how many times I was able to log into a customer's firewall without asking for credentials: the default password was never changed!

 

The worst scenario I ever encountered (well, maybe not the worst, but still pretty bad) was an administrator who was still using the good old admin/admin and who had an enterprising user who discovered the management interface, had been able to log in, and created security policies for himself so he could access all the things he wanted to from his work computer.

 

Suffice it to say, many of the newly acquired privileges were not work appropriate.

 

A couple of checkboxes that need to be on every administrator's 'to-do before go-live':

 

- Change the admin password, create personalized admin accounts

 

First, set up every administrator with a personalized account. This will come in handy when a change in the configuration needs to be back-traced in case something is unclear or was not documented properly.

 

Next, change the default administrator account:

A good practice is to have 2 administrators create 2 halves of a long and complex password, have each write his part on a piece of paper that goes into a sealed envelope and is stored for emergencies, then have each admin type his part separately so neither is aware of the full password.

Simply deleting the default account is also an option, but the above-mentioned method ensures a backup is available in case of emergency.

Web interface in Administrators Device tab.

 

- Leverage administrator roles to limit access

 

Some admins require less access: the operations team may only need to have monitoring up on a big screen, or may only need to review certain settings. Some admins may not be allowed access to private data like usernames or IP addresses. All this can be controlled through an admin role that's attached to the admin's account:

Web interface for Admin Roles Device Tab with Admin Role Profile window open.

 

- Limit exposure of the management interface

 

 

If possible, make sure the management interface is in an isolated network segment that is not accessible to unauthorized persons. If a traditional out-of-band (OOB) network is not possible, consider adding an access list to the management configuration to limit access to the administrators' subnet or to individual IP addresses.

 

Web interface for Setup Device tab with Management Interface Settings window open.
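
The three checks above can also be verified against a configuration exported as XML. The Python script below is an added example, not code from the original post or from the firewall vendor; the XML element paths and the sample configuration are assumptions constructed for illustration, so check them against your own export before relying on the results.

```python
import xml.etree.ElementTree as ET

# Constructed sample export; the element paths are assumptions, verify them against your own file.
SAMPLE = """<config>
  <mgt-config><users>
    <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    <entry name="jdoe"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    <entry name="noc-wall"><permissions><role-based><custom><profile>noc-readonly</profile></custom></role-based></permissions></entry>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <permitted-ip/>
  </system></deviceconfig></entry></devices>
</config>"""


def audit(xml_text):
    """Return a list of findings for the three go-live checks."""
    root = ET.fromstring(xml_text)
    findings = []
    users = root.findall("./mgt-config/users/entry")
    names = [u.get("name") for u in users]
    # Check 1: the default account, and whether personalized accounts exist at all.
    if "admin" in names:
        findings.append("default 'admin' account present: confirm its password was changed and escrowed")
    if names == ["admin"]:
        findings.append("no personalized admin accounts: changes cannot be traced to a person")
    # Check 2: admin roles. Flag personal accounts that hold full superuser rights.
    for u in users:
        name = u.get("name")
        role = u.find("./permissions/role-based")
        is_super = role is not None and role.findtext("superuser") == "yes"
        profile = role.findtext("./custom/profile") if role is not None else None
        if name != "admin" and is_super:
            findings.append(f"'{name}' is superuser: consider a restricted admin role profile")
        elif not is_super and not profile:
            findings.append(f"'{name}' has no recognizable role: review manually")
    # Check 3: access list on the management interface.
    allowed = [e.get("name") for e in root.findall(".//deviceconfig/system/permitted-ip/entry")]
    if not allowed:
        findings.append("management interface has no permitted-ip list: reachable from any source")
    for net in allowed:
        if net.endswith("/0"):
            findings.append(f"permitted-ip entry {net} allows every address")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("-", line)
```

The script cannot tell whether the default password was actually changed; that finding is a reminder to confirm it by hand.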

 

 

 

Please share if you know an admin that could use a quick refresher!

 

 

Reaper out

 
