Pre-Deployment Tips For Successful Firewall Management

You can learn everything you need to know about securing your client’s business from a thorough pre-deployment interview.

Firewall management is one of the most essential duties of any MSP, and that process starts with an effective pre-deployment client interview. We gather information such as where their clients and business associates are located, how to handle wireless access, who needs remote access to what and from where, and more. This interview is for our benefit, of course, but it also benefits the client: it helps with necessary information gathering and gives them insight into the complexities of securing their business. In addition, it starts the relationship off on the right foot.

Scanning and Content Filtering. MSPs must configure zones, set up the WAN and configure deep packet inspection (scanning of traffic) appropriately. Don’t overlook content filtering while you’re at it. Some clients will be far more permissive here than others, but never skip content filtering entirely. Be sure to enable Geo IP and Botnet filtering, but first, work through how and where the client does business. You may find your client’s traffic is more international than you expected (Akamai and Office 365 hosts come to mind), so be prepared to tune Geo IP filtering after the fact.
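One way to find tuning candidates after enabling Geo IP filtering, as an added example that is not from the original article: it groups Geo IP drops by destination and lists those that several distinct internal hosts tried to reach. The key=value log layout, field names and sample addresses are constructed assumptions; adapt them to your firewall's export format.

```python
import re
from collections import defaultdict

# Constructed log lines in a generic key=value layout (an assumption);
# real export formats differ by firewall vendor, so adapt the field names.
SAMPLE_LOG = """\
2024-05-01T09:00:01 action=drop reason=geoip src=10.0.1.15 dst=203.0.113.10 dst_country=NL dport=443
2024-05-01T09:00:04 action=drop reason=geoip src=10.0.1.22 dst=203.0.113.10 dst_country=NL dport=443
2024-05-01T09:01:17 action=drop reason=geoip src=10.0.1.31 dst=203.0.113.10 dst_country=NL dport=443
2024-05-01T09:02:40 action=drop reason=geoip src=10.0.1.15 dst=203.0.113.10 dst_country=NL dport=443
2024-05-01T09:03:02 action=drop reason=geoip src=10.0.1.40 dst=198.51.100.7 dst_country=BR dport=8443
2024-05-01T09:03:09 action=drop reason=geoip src=10.0.1.40 dst=198.51.100.7 dst_country=BR dport=8443
2024-05-01T09:04:00 action=allow reason=policy src=10.0.1.15 dst=192.0.2.80 dst_country=US dport=443
2024-05-01T09:05:12 action=drop reason=botnet src=10.0.1.22 dst=192.0.2.66 dst_country=SG dport=80
this line is malformed and is skipped
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the key=value fields of one log line as a dict (empty if none)."""
    return dict(FIELD.findall(line))

def geoip_review_candidates(log_text, min_clients=3):
    """List Geo IP-blocked destinations that several internal hosts tried to reach.

    Returns (dst, country, distinct_clients, hits) tuples, busiest first.
    """
    clients = defaultdict(set)   # (dst, country) -> internal source addresses
    hits = defaultdict(int)      # (dst, country) -> blocked connection count
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "drop" or f.get("reason") != "geoip":
            continue             # only Geo IP drops matter for this review
        if not all(k in f for k in ("src", "dst", "dst_country")):
            continue             # incomplete record
        key = (f["dst"], f["dst_country"])
        clients[key].add(f["src"])
        hits[key] += 1
    rows = [(d, c, len(s), hits[(d, c)]) for (d, c), s in clients.items()
            if len(s) >= min_clients]
    return sorted(rows, key=lambda r: (-r[2], -r[3]))

if __name__ == "__main__":
    for dst, country, n_clients, n_hits in geoip_review_candidates(SAMPLE_LOG):
        print(f"{dst} ({country}): {n_clients} clients, {n_hits} blocked connections")
```

A destination on this list is a prompt to verify who owns the address before adding an exception, not an automatic allow.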

Wireless Setup. Many sites rely upon wireless integrated into the firewall, while some use the firewall to manage distributed access points. Just about any modern firewall can competently deliver and manage an effective wireless solution and often provides more comprehensive security monitoring and reporting solutions than basic, discrete wireless options. Whether wireless is governed by the firewall or through a discrete solution, you’ll want to evaluate your client’s wireless needs carefully. One significant advantage of integrated (or firewall-managed) wireless is the ability to collect and review logs of wireless traffic.

Remote Access. We also need to take the time to learn how the client plans to connect remotely, to what, and from where. Will they be using SSLVPN clients? Do they need “connect from anywhere” capabilities through a portal? We need to know what they will do with that connection (access files, run apps, RDS or Citrix sessions). Work with your clients to determine their remote access needs and be sure to secure them. Along those lines, OTP (one-time passwords) is available in most firewalls (or dedicated SSL VPN devices), providing a free extra layer of protection for remote access.

Heuristics. Another defense we enable is heuristic traffic analysis. Unlike other firewall traffic scanning services, heuristic analysis does not rely on a signature set. With millions of new attacks monthly, signature-based scanning struggles to keep up. So instead, heuristic analysis uses cloud-based “sandboxing,” where files are “detonated” and their behavior is observed. Traffic then flows only after it is verified as benign. This is an invaluable extra layer of protection and is easy to configure and manage, though there is a bit of a learning curve when you initially enable this feature.

Ongoing Maintenance. Don’t overlook ongoing firewall maintenance. Start with the basics, like firmware updates that provide crucial patches and updated functionality and can be performed quickly and remotely. Next, use your QBRs or annual meetings to identify ways to improve security and further harden the firewall. Finally, work with your clients to sell them on the value of having a SOC/SIEM that does firewall log reading and response so that you have someone watching your back and digesting the information your firewall gathers. Locks are great; having a bouncer is even better. 

If you perform a good initial interview and execute on all these points, you’ll have a solid firewall installation that provides routing, wireless, remote access and more. And you’ll have a single point of control that will put you well ahead in the race to secure your networks. But don’t forget that effective firewall management is an ongoing commitment. Firmware updates, security reviews and device hardening are all part of the process. Sell them firewall log and response services, and you’ll sleep much easier at night knowing that someone is also watching your back.

About The ASCII Group, Inc.
The ASCII Group is the premier community of North American MSPs, VARs and solution providers. The group has over 1,300 members throughout the U.S. and Canada, and membership encompasses everyone from credentialed MSPs serving the SMB community to multi-location solution providers with a national reach. Founded in 1984, ASCII provides services to members, including leveraged purchasing programs, education and training, marketing assistance, extensive peer interaction and more. In addition, ASCII works with a vibrant ecosystem of major technology vendors that complement the ASCII community and support the mission of helping MSPs and VARs to grow their businesses. For more information, please visit www.ascii.com.