Pre-Deployment Tips For Successful Firewall Management

As a managed services provider (MSP), you can learn everything you need to know about securing your client’s business from a thorough pre-deployment interview.

Firewall management is one of the most important duties of any effective MSP. And that process starts with an effective pre-deployment client interview, during which we gather information such as where their clients and business associates are geographically, how to handle wireless access, who needs remote access to what and from where, and more. This interview process is for our benefit, but it also benefits the client by helping with necessary information gathering and providing them insight into the complexities of securing their business. In addition, it really starts the relationship off on the right foot.

Scanning and Content Filtering. It goes without saying that we have to configure zones, set up the WAN and configure deep packet inspection (scanning of traffic) appropriately. Don’t overlook content filtering while you’re at it. Some clients will be far more permissive here than others, but never skip content filtering entirely. Be sure to enable Geo IP and Botnet filtering, but first, work through how and where the client does business. You may find your client’s traffic is more international than you expected (Akamai and Office 365 hosts come to mind), so be prepared to tune Geo IP filtering after the fact.
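One way to check how international a client's traffic really is before turning on Geo IP blocking, as an added example that is not part of the original article: it summarizes which currently allowed destinations fall outside a proposed country allow list. The CSV column names, hosts and addresses are constructed sample data, and the log is assumed to carry a destination country already resolved by the firewall.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an exported connection log (hypothetical column names).
SAMPLE_LOG = """\
timestamp,src_ip,dst_host,dst_country,action
2024-03-01T09:00:01,10.0.0.21,o365-frontend.example.test,IE,allow
2024-03-01T09:00:05,10.0.0.21,o365-frontend.example.test,IE,allow
2024-03-01T09:01:10,10.0.0.34,cdn-edge.example.test,NL,allow
2024-03-01T09:02:44,10.0.0.34,supplier.example.test,DE,allow
2024-03-01T09:03:12,10.0.0.50,portal.example.test,US,allow
2024-03-01T09:04:00,10.0.0.50,unknown.example.test,BR,allow
2024-03-01T09:05:30,10.0.0.21,198.51.100.7,,allow
2024-03-01T09:06:00,10.0.0.60,blocked.example.test,RU,deny
"""

def geoip_impact(log_text, allowed_countries):
    """Summarize allowed traffic that a Geo IP allow list would start blocking.

    Returns a dict ordered by hit count (highest first), keyed by country code.
    Rows with no resolved country are reported as "??" so they get reviewed too.
    """
    hits = Counter()
    hosts = defaultdict(set)
    clients = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        country = row["dst_country"].strip().upper() or "??"
        # Already-denied traffic and in-policy countries are not affected.
        if row["action"] != "allow" or country in allowed_countries:
            continue
        hits[country] += 1
        hosts[country].add(row["dst_host"])
        clients[country].add(row["src_ip"])
    ordered = sorted(hits, key=lambda c: (-hits[c], c))
    return {c: {"hits": hits[c],
                "hosts": sorted(hosts[c]),
                "clients": len(clients[c])} for c in ordered}

if __name__ == "__main__":
    # Proposed policy from the client interview: only US and CA destinations.
    for country, info in geoip_impact(SAMPLE_LOG, {"US", "CA"}).items():
        print(f"{country}: {info['hits']} connections from {info['clients']} "
              f"client(s) to {', '.join(info['hosts'])}")
```

Each country in the output is either a candidate for the allow list or a destination to raise with the client before the filter is enforced.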

Wireless Setup. Many sites rely upon wireless integrated into the firewall, while some use the firewall to manage distributed access points. Just about any modern firewall can competently deliver and manage an effective wireless solution and often provides more comprehensive security monitoring and reporting solutions than basic, discrete wireless options. Whether wireless is managed by the firewall or through a discrete solution, you’ll want to carefully evaluate your client’s wireless needs. One major advantage of integrated (or firewall-managed) wireless is the ability to collect and review logs of wireless traffic.

Remote Access. We also need to take the time to learn how clients plan to connect remotely: to what, and from where. Will they be using SSLVPN clients? Do they need “connect from anywhere” capabilities through a portal? We need to know what they will do with that connection (access files, run apps, RDS or Citrix sessions). Work with your clients to determine their remote access needs and be sure to secure them. Along those lines, OTP (one-time passwords) is available in most firewalls (or dedicated SSL VPN devices), providing a free extra layer of protection for their remote access.

Heuristics. Another defense we enable is heuristic traffic analysis. Unlike every other firewall traffic scanning service, heuristic analysis does not rely on a signature set. With millions of new attacks monthly, signature-based scanning is struggling to keep up. Heuristic analysis uses cloud-based “sandboxing” where files are “detonated” and their behavior is observed. Traffic then flows only after it is verified as benign. This is an invaluable extra layer of protection and is easy to configure and manage, though there is a bit of a learning curve when you initially enable this feature.

Ongoing Maintenance.  Don’t overlook ongoing firewall maintenance. Start with the basics, like firmware updates that provide crucial patches and updated functionality and can be performed quickly and remotely. Next, use your QBRs or annual meetings to identify ways to improve security and further harden the firewall. Finally, work with your clients to sell them on the value of having a SOC/SIEM that does firewall log reading and response so that you have someone watching your back and digesting the information your firewall gathers.  Locks are great; having a bouncer is even better. 

If you perform a good initial interview and execute on all of these points, you’ll have a solid firewall installation that provides routing, wireless, remote access and more. And you’ll have a single point of control that will put you well ahead in the race to secure your networks. But don’t forget that effective firewall management is an ongoing commitment. Firmware updates, security reviews and device hardening are all part of the process. Sell them firewall log and response services; you’ll sleep much easier at night knowing that someone is watching your back as well.

About The ASCII Group, Inc.
The ASCII Group is the premier community of North American MSPs, VARs and solution providers. The group has over 1,300 members located throughout the U.S. and Canada, and membership encompasses everyone from credentialed MSPs serving the SMB community to multi-location solution providers with a national reach. Founded in 1984, ASCII provides services to members including leveraged purchasing programs, education and training, marketing assistance, extensive peer interaction and more.  ASCII works with a vibrant ecosystem of major technology vendors that complement the ASCII community and support the mission of helping MSPs and VARs to grow their businesses. For more information, please visit www.ascii.com.