
Firewall Configuration & Management

Frameworks: NIST CSF Protect (PR.PT-4); CIS Control 13: Network Monitoring and Defense

What This Control Means

Firewall management encompasses the configuration, maintenance, and monitoring of firewalls that control traffic between the organization's network and the internet, as well as between internal network segments. Firewalls are the most fundamental network security control, enforcing rules that permit or deny traffic based on source, destination, port, and protocol.

A well-configured firewall follows the principle of default deny: all traffic is blocked unless explicitly permitted by a rule. Rules should be specific, permitting only the minimum traffic necessary for business operations. Over time, firewall rule sets tend to accumulate permissive rules that are no longer needed, a condition known as rule bloat. Regular rule reviews are essential to maintain the firewall's effectiveness.

Modern next-generation firewalls (NGFWs) provide capabilities beyond basic packet filtering. Application-layer inspection identifies traffic by the application generating it rather than just the port number. Intrusion prevention (IPS) signatures detect and block known attack patterns. SSL/TLS inspection decrypts and inspects encrypted traffic to detect threats that would otherwise be invisible. These features should be enabled and tuned appropriately.

Firewall management also includes maintaining firmware updates, monitoring logs for suspicious activity, and ensuring that administrative access to the firewall is restricted and secured with MFA. The firewall is a critical security device: if it is compromised or misconfigured, the entire network's security posture is undermined. Changes to firewall rules should follow a formal change management process with documentation and approval.

Why Insurers Care

Firewalls are a foundational security control expected by every cyber insurer. Applications ask about the type of firewall deployed, whether it is a next-generation firewall, and how it is managed. Insurers view unmanaged or default-configured firewalls as a significant risk indicator.

Organizations with managed firewall services, where a security provider handles configuration, monitoring, and updates, are viewed favorably by underwriters. Demonstrating a formal rule review process, change management procedures, and current firmware reduces the risk of misconfigurations that lead to breaches.

Industry-Specific Notes

Healthcare (HIPAA)

Healthcare networks must protect ePHI with properly configured firewalls as part of HIPAA's technical safeguards. Firewalls should restrict access to EHR systems and medical device networks. OCR has cited firewall misconfigurations as contributing factors in breach investigations involving unauthorized access to patient data.

Legal (ABA Guidelines)

Law firms must protect their network perimeters to prevent unauthorized access to privileged client information. Firewall rules should restrict inbound access to only necessary services and monitor outbound traffic for data exfiltration indicators. Managed firewall services help firms without dedicated IT security staff.

Financial Services (GLBA/PCI-DSS)

PCI-DSS Requirement 1 mandates installation and maintenance of firewalls to protect cardholder data. Firewall rules must be reviewed at least every six months. FFIEC guidance requires financial institutions to implement firewalls with intrusion detection and prevention capabilities.

Retail / E-commerce (PCI-DSS)

PCI-DSS Requirement 1 is the most prescriptive firewall requirement in any compliance framework, detailing specific configuration requirements for protecting the cardholder data environment. Multi-location retailers must ensure consistent firewall management across all sites, including small stores with limited IT support.

Government / Defense (CMMC 2.0)

NIST 800-171 control SC.L2-3.13.1 requires boundary protection, and SC.L2-3.13.6 requires denial of communications by default. Government contractors must implement firewalls that restrict traffic to only that which is necessary for CUI-related business functions. CMMC assessors examine firewall configurations and rule sets.

Implementation Steps

Deploy a next-generation firewall with application-layer inspection and intrusion prevention capabilities

Configure the firewall with a default-deny policy, explicitly permitting only required traffic

Enable SSL/TLS inspection for outbound traffic to detect threats in encrypted communications

Establish a formal change management process for all firewall rule modifications

Review firewall rules quarterly, removing rules that are no longer necessary

Restrict administrative access to the firewall to designated personnel using MFA and dedicated management networks
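The default-deny check and the periodic rule review described above can be automated. The following is an added example, not code from the original page or from any firewall vendor; the rule record format and the sample ruleset are constructed for illustration, and the 90-day staleness threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str              # "permit" or "deny"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    port: str                # port number or "any"
    hits: int                # hit counter since last review
    last_hit: Optional[date] # None if the rule has never matched

# Constructed sample ruleset (hypothetical, not exported from a real firewall).
TODAY = date(2024, 6, 1)
RULES = [
    Rule("allow-web", "permit", "any", "10.0.1.10/32", "443", 120000, date(2024, 5, 31)),
    Rule("allow-rdp-any", "permit", "any", "any", "3389", 3, date(2023, 1, 4)),
    Rule("temp-vendor", "permit", "203.0.113.0/24", "10.0.2.0/24", "any", 0, None),
    Rule("allow-dns", "permit", "10.0.0.0/8", "10.0.0.53/32", "53", 50000, date(2024, 5, 31)),
]

def review_rules(rules, today=TODAY, stale_days=90):
    """Return review findings as (rule name, finding) tuples."""
    findings = []
    # Default-deny check: the ruleset must end with an explicit deny any/any/any,
    # so traffic not matched by an earlier permit is dropped rather than left to chance.
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == "any"
                            and last.dst == "any" and last.port == "any"):
        findings.append(("<policy>", "no explicit default-deny rule at end of ruleset"))
    for r in rules:
        if r.action != "permit":
            continue
        # Rule bloat indicator 1: permits that are "any" on two or more dimensions.
        wide = [f for f in ("src", "dst", "port") if getattr(r, f) == "any"]
        if len(wide) >= 2:
            findings.append((r.name, f"overly permissive: {', '.join(wide)} = any"))
        # Rule bloat indicator 2: permits that have not matched traffic recently.
        if r.hits == 0 or (r.last_hit and (today - r.last_hit).days > stale_days):
            findings.append((r.name, f"no hits in {stale_days} days; candidate for removal"))
    return findings

if __name__ == "__main__":
    for name, finding in review_rules(RULES):
        print(f"{name}: {finding}")
```

Findings for a real review would be fed into the change management process rather than acted on directly, since a rule with zero hits may still be required for infrequent business traffic.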
