Following the Principle of Least Privilege
By default, a firewall denies all interzone traffic: any traffic that is not explicitly permitted is dropped. This default-deny stance is the basis for implementing the principle of least privilege on the firewall. On this basis, security policies are configured to permit only authorized traffic, which minimizes the attack surface.
First, exercise caution when using Any as a matching condition in a security policy that permits traffic. You are advised to set accurate matching conditions, which involves the following aspects:
- Specify source and destination IP addresses and services.
- Specify as many matching conditions as possible, including users and applications.
If an organization needs to open some services (for example, web services) to the Internet, the source IP address can be set to Any in the security policy. The destination IP address must then be specified as the IP address of the server or server group that is exposed to external systems, and the service or port must be specified. If all services or ports are opened, attackers can perform brute-force cracking using dictionary attacks.
For non-public services, the source IP address range must be specified when permitting access to key information assets such as database servers and to sensitive services such as SSH and Remote Desktop Protocol (RDP). You are also advised to specify the users who are allowed to access the service.
Application identification is a key firewall capability that enables refined management and control. Analyzing network traffic and identifying authorized applications is complicated. You can set the matching condition of a security policy to an application type or an application label (for example, the enterprise application label) so that applications are identified and matched.
Second, set a validity period for a temporary security policy. For example, if a third-party partner needs to access a service, you need to set the validity period of the security policy in addition to specifying the destination IP address and service. When the validity period expires, the security policy automatically becomes invalid, and an invalid security policy is marked as such in the policy list. In addition, an organization will not let security measures interrupt running services. Therefore, even if the matching conditions of a service cannot be determined, a temporary security policy may be configured to permit the specified service traffic. If a validity period is set in a security policy, ensure that the system time is correct; NTP is recommended for time synchronization.
Third, pay attention to the direction of the security policy. Huawei firewalls are stateful inspection firewalls: as long as the firewall permits the service initiator to set up a connection, the return traffic is allowed through. Bidirectional security policies are required only when both communicating parties need to initiate connections. Take a web server as an example. Generally, the web server only needs to respond to connection requests from the Internet and does not need to proactively access the Internet. System and software updates for the server should be obtained through a unified central server, and the domain name or application (such as WindowsUpdate) must be specified in the security policy.
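The three points above (accurate matching conditions, validity periods on temporary policies, and unidirectional policies with default deny) can be checked mechanically. The following is an added example, not code from the original page or from any Huawei product: it models a stateful firewall's security-policy list in Python with first-match-wins evaluation and a default deny, and runs a least-privilege audit over a constructed policy set. The Rule fields, the finding strings, the IP addresses and the dates are all this example's own assumptions.

```python
"""Least-privilege audit for firewall security policies (added example).

Assumptions (not from the original page): the Rule fields and the finding
strings below are this example's own model of a stateful firewall policy,
not any vendor's API. Rules are matched first-match-wins, and anything not
explicitly permitted is denied.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"
# Services the text singles out as sensitive: never expose them to an Any source.
SENSITIVE_SERVICES = {"ssh", "rdp", "mysql"}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: List[str]                 # CIDR strings, or [ANY]
    dst: List[str]                 # CIDR strings, or [ANY]
    services: List[str]            # service names, or [ANY]
    action: str = "permit"
    users: List[str] = field(default_factory=list)  # empty = no user condition
    valid_until: Optional[datetime] = None          # None = permanent policy
    temporary: bool = False                          # e.g. a partner-access rule


def _addr_match(addrs, ip):
    return ANY in addrs or any(ip_address(ip) in ip_network(a) for a in addrs)


def is_active(rule, now):
    """A rule with a validity period becomes invalid once the period expires."""
    return rule.valid_until is None or now <= rule.valid_until


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, service, now, user=None):
    """Decide a NEW connection: first matching active rule wins, default deny.
    Return traffic of a permitted session is handled by connection state,
    so only the initiating direction needs a permit rule."""
    for r in rules:
        if not is_active(r, now):
            continue
        if r.src_zone != src_zone or r.dst_zone != dst_zone:
            continue
        if not _addr_match(r.src, src_ip) or not _addr_match(r.dst, dst_ip):
            continue
        if ANY not in r.services and service not in r.services:
            continue
        if r.users and user not in r.users:
            continue
        return r.action
    return "deny"


def audit(rules, now):
    """Flag permit rules that violate the least-privilege guidance."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if ANY in r.src and ANY in r.services:
            findings.append((r.name, "source Any with service Any: open to brute force"))
        if ANY in r.src and ANY in r.dst:
            findings.append((r.name, "destination Any: pin the exposed server(s)"))
        if ANY in r.src and SENSITIVE_SERVICES & set(r.services):
            findings.append((r.name, "sensitive service exposed to source Any"))
        if r.temporary and r.valid_until is None:
            findings.append((r.name, "temporary rule without validity period"))
        if not is_active(r, now):
            findings.append((r.name, "expired rule still present: remove it"))
    return findings


# Constructed sample data: a "current time" (keep the real clock NTP-synced) and a policy set.
NOW = datetime(2024, 6, 15, 12, 0)

GOOD_POLICY = [
    # Public web server: source Any is acceptable because destination and service are pinned.
    Rule("web_in", "untrust", "dmz", [ANY], ["203.0.113.10/32"], ["http", "https"]),
    # Partner SSH access: source range, destination host, service and a validity period.
    Rule("partner_ssh", "untrust", "trust", ["198.51.100.0/24"], ["10.1.1.20/32"], ["ssh"],
         valid_until=datetime(2024, 6, 30, 18, 0), temporary=True),
]

# A rule an administrator might add "temporarily" without ever setting an expiry.
BAD_RULE = Rule("temp_allow_all", "untrust", "trust", [ANY], [ANY], [ANY], temporary=True)

if __name__ == "__main__":
    for name, why in audit(GOOD_POLICY + [BAD_RULE], NOW):
        print(f"{name}: {why}")
```

Running the module prints the audit findings for the constructed policy; the evaluate() function is what an operator would call to confirm that, for instance, an outbound connection initiated by the web server is denied because no rule permits that direction, even though inbound HTTPS to it is allowed.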
The principle of least privilege is the most important security principle. Absolute least privilege may not be achievable, but you should endeavor to get as close to it as possible.