
Firewall Configuration for SMEs: Rules, Zones and Best Practices

TL;DR
  • A firewall without a well-thought-out rule set offers no effective protection. The default configuration of most vendors is too permissive for secure operation.
  • The zone model divides the network into security areas: WAN, LAN, DMZ, servers, guest Wi-Fi, OT/IoT. Firewall rules govern the permitted traffic between zones.
  • Core principle: everything is denied unless explicitly allowed (default deny). Every rule must have a documented business purpose.
  • Next-generation firewalls extend the rule set with application control, intrusion prevention, SSL inspection and content filtering. These features must be activated and configured.
  • Regular rule set reviews (at least semi-annually) are mandatory. Unused, outdated or overly broad rules are the most common security risk.

Why firewall configuration matters

Every company has a firewall. But a startlingly high number have a firewall that barely protects better than none at all. The reason: the default configuration of many firewall products allows almost unrestricted outbound traffic, logging is disabled or set to minimal, and advanced security features (IPS, application control, SSL inspection) are not enabled.

A firewall is not a device you plug in once and then forget. It is a tool that must be continuously configured, monitored and adjusted. The configuration must reflect your company's specific requirements: Which services are needed? Which systems must communicate with each other? Which communication is unnecessary and can be blocked?

ISO 27001 explicitly requires network protection and traffic control in Annex A.8.20 (Network security) and A.8.22 (Segregation of networks). Firewall configuration is one of the key technical controls for meeting these requirements.

Firewall types: What you need

Packet filter firewall

The simplest form of firewall. It inspects each data packet based on source IP, destination IP, source port, destination port and protocol, and decides based on static rules whether the packet is allowed or blocked. Packet filters are fast but blind to the content of communication. An allowed connection on port 443 could just as easily be a legitimate website visit as a command-and-control channel for malware.

Stateful inspection firewall

Extends the packet filter with a state table that understands the context of a connection. It knows whether an incoming packet belongs to an existing, permitted connection or whether it initiates a new, unauthorised connection. This is the minimum requirement for any enterprise firewall.

Next-generation firewall (NGFW)

The current generation of enterprise firewalls combines stateful inspection with several additional security features:

  • Application control: Identifies and controls applications regardless of port. The firewall detects whether port 443 is actually carrying HTTPS or whether another application is using the port.
  • Intrusion Prevention System (IPS): Detects and blocks known attack patterns in network traffic.
  • SSL/TLS inspection: Decrypts and inspects encrypted traffic to detect malware and attacks within HTTPS connections.
  • URL/content filtering: Blocks websites by category (malware, phishing, gambling, adult content).
  • Sandboxing: Suspicious files are executed in an isolated environment to analyse their behaviour.
  • DNS filtering: Blocks DNS queries to known malicious domains.

For SMEs with 20 or more employees, an NGFW is the recommended choice. Prices have dropped significantly in recent years, and most features can be activated incrementally.

Well-known vendors for SMEs

These vendors have established themselves for mid-market companies: Fortinet FortiGate, Sophos XGS, WatchGuard Firebox, Palo Alto Networks PA-Series, Barracuda CloudGen Firewall. For smaller budgets, pfSense (open source) and OPNsense (open source) are also suitable but require more configuration effort.

The zone model: dividing the network into security areas

A zone model divides the network into areas with different security levels. The firewall sits at the boundaries between zones and controls traffic.

Typical zones for SMEs

WAN (Internet). Everything outside the company network. Highest threat level. All communication to and from the internet passes through the firewall.

DMZ (Demilitarized Zone). An isolated zone for systems that must be reachable from the internet: web servers, email gateways, reverse proxies, VPN gateways. Systems in the DMZ must not establish direct connections to the internal LAN. If a system in the DMZ is compromised, the damage remains contained within the DMZ.

Server zone. Internal servers: domain controllers, file servers, database servers, ERP systems, backup servers. Only defined ports and protocols are accessible from the LAN. The server zone is assigned a higher protection level than the client LAN.

Client LAN. Employee workstations. By default, clients have access to the server zone (defined ports) and to the internet (via the firewall), but not to the DMZ or the OT zone.

Guest Wi-Fi. Fully isolated from the internal network. Guests have internet access but no access to internal resources. This zone is typically configured as a separate VLAN and routed through the firewall.

OT/IoT zone. Production systems, building technology, printers, IP cameras, smart devices. These devices often run outdated software and are particularly vulnerable (see OT security). They belong in a dedicated zone with strict firewall rules.

Management zone. Access to the management interface of the firewall, switches, access points and other network components. Only authorised administrators may access this zone. No regular user traffic.

Defining zone rules

For each zone combination, you define which traffic is permitted. The core principle is: default deny. Everything is forbidden unless explicitly allowed.

Example rules for an SME with 80 employees:

From          To                   Allowed                                                  Purpose
Client LAN    Server zone          TCP 445, 389, 636, 88, 3389 (admins only)                File access, AD, RDP
Client LAN    Internet             TCP 443, TCP 80                                          Web access (via proxy/NGFW)
Client LAN    DMZ                  Not allowed                                              No direct access
Server zone   Internet             TCP 443 (defined servers only)                           Updates, cloud connectivity
DMZ           Server zone          Not allowed (exception: defined ports to mail server)    Isolation
DMZ           Internet             TCP 443, TCP 25                                          Web server, email
Internet      DMZ                  TCP 443 (HTTPS)                                          Access to web server
Internet      All other zones      Not allowed                                              Protection
Guest Wi-Fi   Internet             TCP 443, TCP 80                                          Internet access only
Guest Wi-Fi   All internal zones   Not allowed                                              Full isolation
OT/IoT        Internet             Not allowed (exception: update servers)                  Isolation
OT/IoT        Server zone          Defined ports only                                       Minimal access
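The zone table above expressed as an ordered, first-match rule set with default deny, as an added example (not code from the article or from any firewall vendor). The zone subnets, the admin subnet and the rule comments are constructed assumptions; the "admins only" restriction on RDP is modelled as an extra source-host condition on the rule.

```python
import ipaddress

# Constructed zone addressing for the 80-employee example; not taken from the article.
ZONES = {
    "client_lan": ipaddress.ip_network("10.10.0.0/16"),
    "server": ipaddress.ip_network("10.20.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),  # documentation range standing in for DMZ space
    "guest_wifi": ipaddress.ip_network("10.30.0.0/24"),
    "ot_iot": ipaddress.ip_network("10.40.0.0/24"),
}
ADMIN_HOSTS = ipaddress.ip_network("10.10.250.0/24")  # assumed admin workstation subnet

def rule(src, dst, proto, ports, action, comment, src_hosts=None):
    """One rule: zones, protocol, allowed ports (empty = any), action, business purpose."""
    return {"src": src, "dst": dst, "proto": proto, "ports": frozenset(ports),
            "action": action, "comment": comment, "src_hosts": src_hosts}

# Ordered as the zone table implies: specific allows first; whatever is unmatched hits default deny.
RULES = [
    rule("client_lan", "server", "tcp", {3389}, "allow", "RDP to servers, admins only", ADMIN_HOSTS),
    rule("client_lan", "server", "tcp", {445, 389, 636, 88}, "allow", "File access, AD"),
    rule("client_lan", "internet", "tcp", {80, 443}, "allow", "Web access via NGFW"),
    rule("server", "internet", "tcp", {443}, "allow", "Updates, cloud connectivity"),
    rule("dmz", "internet", "tcp", {443, 25}, "allow", "Web server, email"),
    rule("internet", "dmz", "tcp", {443}, "allow", "Public HTTPS to web server"),
    rule("guest_wifi", "internet", "tcp", {80, 443}, "allow", "Guest internet only"),
]

def zone_of(ip):
    """Map an address to its zone; anything outside the defined zones is the internet (WAN)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src_ip, dst_ip, proto, dport):
    """First matching rule wins; no match means default deny, which must be logged."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "intra-zone", "traffic inside one zone does not cross the firewall"
    for r in RULES:
        if (r["src"], r["dst"], r["proto"]) != (src_zone, dst_zone, proto):
            continue
        if r["ports"] and dport not in r["ports"]:
            continue
        if r["src_hosts"] and ipaddress.ip_address(src_ip) not in r["src_hosts"]:
            continue
        return r["action"], r["comment"]
    return "deny", "default deny (log this hit)"
```

A non-admin client asking for RDP falls past the admin-only rule, finds no port match on the file-access rule, and lands on the default deny; a client sending DNS straight to the internet is denied for the same reason.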

Firewall rules: best practices

Structuring the rule set

A firewall rule set quickly becomes unwieldy. Structure it from the outset:

Mind the order. Firewall rules are processed from top to bottom. The first matching rule is applied. This means: specific rules before general rules. Block rules for known threats at the very top. The default deny rule at the very bottom.

Logical grouping. Group rules by zone, department or functional area. Most firewalls support rule groups or sections. Use this feature.

Comments and documentation. Every rule needs a comment describing its business purpose: "Marketing team: access to social media management tool Hootsuite". Without comments, nobody can trace why a rule exists after a year.

Set expiry dates. For temporary rules (project work, external contractors), set an expiry date. Many firewalls support this natively. If not, document the expiry date in the comment.

Essential rules every firewall should have

Default deny at the end. The last rule in the rule set blocks all traffic not explicitly allowed by a preceding rule. This rule must be logged so you can see what is being blocked.

Outbound DNS control. DNS queries may only go to defined DNS servers (your internal DNS server or defined external servers like Quad9 or Cloudflare). Direct DNS traffic from clients to the internet is blocked. This prevents DNS exfiltration and DNS tunnelling.

Outbound SMTP control. Only your email server may send SMTP traffic (port 25/587) to the internet. No other system may send emails directly. This prevents compromised systems from sending spam or phishing emails.

Geo-blocking. Block inbound traffic from countries with which you have no business relationships. This significantly reduces the attack surface, especially for brute-force attacks and automated scans.

Bogon filtering. Block traffic from and to IP addresses that should not be routed on the internet (bogon addresses): private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16) and reserved ranges. This traffic on the WAN interface is always illegitimate.

Activating next-generation features

An NGFW whose advanced features are not activated is just an expensive stateful inspection firewall. Activate at minimum:

Application control. Allow only known, business-relevant applications. Block peer-to-peer traffic, anonymous proxies (Tor), unknown applications.

IPS. Activate intrusion prevention with current signatures. Configure the action to "block" for critical and high severity levels, "alert" for medium.

SSL inspection. Activate inspection of HTTPS traffic. Without SSL inspection, the firewall is blind to more than 90% of web traffic. Note: you must distribute an internal CA certificate to all clients, and certain connections (banking, healthcare) should be exempted from inspection.

DNS filtering. Block DNS queries to known malware domains, phishing domains and C2 servers.

Logging and monitoring

A firewall that does not log is like an alarm system without a siren. Configure logging so you can trace what happened in an emergency.

What you should log:

  • All blocked connections (default deny)
  • All connections to and from the DMZ
  • All connections to the management zone
  • IPS alerts and blocks
  • VPN connections (establishment and teardown)
  • Administrative access to firewall management
  • Rule set changes

Where to log? Not only on the firewall itself. Forward logs to a central syslog server or a SIEM -- a well-thought-out logging and monitoring strategy is indispensable. If an attacker compromises the firewall, they can delete local logs but not the externally stored ones.

How long to retain? At least 90 days, preferably 180 days. Many attacks are only discovered weeks after the initial compromise. Without historical logs, you cannot reconstruct the attack timeline.
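Once logs are centralised, the essential rules above (outbound DNS control, outbound SMTP control, bogon filtering, no management access from outside the management zone) can be checked against what the firewall actually permitted. The following is an added example, not code from the article or from any firewall or SIEM product; the log lines are constructed in a generic key=value style, and the zone subnets, approved resolvers and mail gateway address are assumptions.

```python
import ipaddress

# Policy baseline assumed for this example; adapt to your own zone plan.
CLIENT_LAN = ipaddress.ip_network("10.10.0.0/16")
MGMT_ZONE = ipaddress.ip_network("10.99.0.0/24")
APPROVED_DNS = {"10.20.0.53", "9.9.9.9", "1.1.1.1"}  # internal resolver plus Quad9 / Cloudflare
MAIL_GATEWAY = "192.0.2.25"                          # the only host permitted to send SMTP
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Constructed log lines in a generic key=value syslog style (no particular vendor's format).
SAMPLE_LOG = """\
action=allow in=lan out=wan src=10.10.4.21 dst=8.8.8.8 proto=udp dport=53 rule=lan-any
action=allow in=lan out=server src=10.10.4.21 dst=10.20.0.53 proto=udp dport=53 rule=lan-dns
action=allow in=lan out=wan src=10.10.7.90 dst=198.51.100.5 proto=tcp dport=25 rule=lan-any
action=allow in=dmz out=wan src=192.0.2.25 dst=198.51.100.5 proto=tcp dport=25 rule=mail-out
action=allow in=wan out=dmz src=192.168.1.77 dst=192.0.2.10 proto=tcp dport=443 rule=web-in
action=deny in=wan out=dmz src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=443 rule=default-deny
action=allow in=lan out=mgmt src=10.10.4.21 dst=10.99.0.1 proto=tcp dport=443 rule=lan-any
"""

def parse(line):
    """Split 'key=value key=value ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def audit(log_text):
    """Return (line_no, finding) for every permitted flow that breaks the baseline rules."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        e = parse(line)
        if e["action"] != "allow":
            continue  # a deny means the rule set did its job; the gaps are in what got through
        src, port = ipaddress.ip_address(e["src"]), int(e["dport"])
        if e["proto"] == "udp" and port == 53 and src in CLIENT_LAN and e["dst"] not in APPROVED_DNS:
            findings.append((n, "client DNS to an unapproved resolver (tunnelling/exfiltration risk)"))
        if e["proto"] == "tcp" and port in (25, 587) and e["out"] == "wan" and e["src"] != MAIL_GATEWAY:
            findings.append((n, "outbound SMTP from a host other than the mail gateway"))
        if e["in"] == "wan" and any(src in net for net in BOGONS):
            findings.append((n, "bogon source address accepted on the WAN interface"))
        if e["out"] == "mgmt" and src not in MGMT_ZONE:
            findings.append((n, "management zone reached from outside the management zone"))
    return findings
```

Every finding points at an allow rule that is too broad (here the constructed rule named lan-any) or a missing WAN bogon filter, which is exactly what the semi-annual review should then fix.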

Rule set review: the underestimated obligation

The firewall rule set grows over time. New rules are added, old ones are not removed. After two years, you have a rule set with 200 rules, of which 50 nobody understands any more and 30 are no longer needed. Every superfluous rule is a potential security risk.

Semi-annual review. Go through all rules and check:

  • Is the rule still needed? (Check the hit counters: rules with zero hits in six months are candidates for deletion.)
  • Is the rule as narrowly scoped as possible? (A rule with "any" as source or destination is almost always too broad.)
  • Is the comment up to date?
  • Does the rule have an expiry date that has passed?

Documenting reviews. Record who reviewed which rules when, what changes were made and why. In ISMS Lite, rule set reviews can be set up as recurring controls with an assigned owner and evidence trail. You need this documentation for internal audits and certifications.

Change management. Every change to the firewall rule set should follow a change management process: request, review, approval, implementation, documentation. It sounds bureaucratic but prevents undocumented changes that nobody can trace later.

Common configuration mistakes

Not filtering outbound traffic. Most SMEs carefully filter inbound traffic but let outbound traffic through almost unrestricted. This is fatal because compromised systems communicate with the attacker via outbound connections (C2 channel), exfiltrate data or send spam.

"Any/any" rules. Rules with "any" as source, "any" as destination and "any" as service are open barn doors. They often enter the configuration as a "temporary fix" and are never removed.

Management interface on the WAN. The firewall management interface must never be reachable from the internet. Restrict access to the management zone or to defined internal IP addresses.

No firmware updates. Firewalls have vulnerabilities like any other software. Keep the firmware up to date and apply security patches promptly. The exploitation of vulnerability CVE-2023-27997 in FortiGate firewalls demonstrated that unpatched firewalls are a preferred attack target.

Default passwords not changed. It sounds trivial, but it happens: the default credentials for the firewall (admin/admin, admin/password) were never changed. Check this first with every new installation.

VPN access without MFA. VPN access through the firewall is protected with a username and password but without multi-factor authentication. Compromised credentials (phishing, credential stuffing) then enable direct access to the internal network.

Further reading

The firewall remains the backbone of network security. But it only protects effectively when you configure it, monitor it and review it regularly. A well-thought-out zone model, a lean rule set based on the least-privilege principle, and the activation of next-generation features are the three levers that make the difference between a firewall that protects and a firewall that merely consumes electricity.

Document firewall rules in your ISMS

ISMS Lite helps you document your firewall zone model, manage rule set changes traceably, and anchor the firewall configuration as a control in your risk management.
