When it comes to firewall rules, there are a number of things I follow as best practice. To start with, you need to make sure you have all the necessary information in place before writing your firewall rules.
Ask yourself the following questions… If you don’t have the answers, go back to the drawing board and get all the necessary information.
- Do you have all the necessary ports required for the firewall?
- Do you have all the IP/Subnet information?
Make the ACLs short and sweet
It is always a best practice to avoid using IP addresses in ACLs.
- Make sure that the ACLs are intuitive to anyone who is not familiar with your network.
- You should be able to understand how the firewalling is done by reading the ACLs.
To achieve this, we could create name statements on the firewall, but I prefer to add each hosts to it’s own object and if more than one object is going to be mentioned in the ACL, then it is time to put them into an object-group and group-object etc.
Plan your ACL accordingly
One rule of thumb I follow when it comes to writing ACL is that, if you are adding Host(s)/Port(s) to an already implemented ACL, you should always add it to the corresponding object-group(s) rather than writing a fresh ACL.
Is there a wide range of ports needs to be open?
If you are opening up a wide range of Ports, then I suggest you to narrow down the hosts which are going to be communicating on the range of ports.
While using IP statement is a valid point but try and keep your ACLs to Layer 4, this means TCP/UDP etc…
Avoid any rule unless it is absolutely necessary. An example being web traffic.
Web traffic ACL
object-group service WEB-PORTS tcp port-object eq www port-object eq https access-list ACL_in extended permit tcp object-group NETWORK any object-group WEB-PORTS
Do not allow unnecessary traffic
Only allow traffic to specific hosts and Deny RFC3330 at the end of the ACL. You can find more about RFC3330 firewalling Here.