1. Use the latest version of the OS software available for your particular firewall. Install the latest patches and if possible/applicable, the latest software version available.
2. Use a stealth Rule at the top of the rule base.
What is a stealth rule? A stealth rule is a rule which disallows any communication to the firewall itself from unauthorized networks/hosts. It is a rule to protect the firewall itself from attacks.
3. Place the most commonly used or accessed rules on the top of the rule base. When a packet reaches a firewall it gets checked against the rulebase of the firewall from top down. Once it matches a rule, it is either accepted, denied or acted upon depending on what the action defined is. So it is best to place the most accessed rules on top of the rule base so that it need not get matched against all the rules in rule base. This would decrease load on the firewall.
4. Keep the rulebase as simple as possible. Do not allow access to anything and everything. Give access only if it is needed or required.
5. Use object groups where possible and combine similar rules into one rule. This would keep the rule base short and simple and thus reduce the load on the firewall.
6. If your network is using VPN, then give preference to use AES 128 where ever possible. Some firewalls like the popular Checkpoint Firewall, recommend AES 128 over 3DES and AES 256, in terms of firewall load and performance issues. Check with your firewall manufacturer which encryption would provide best performance on the given make, taking into consideration that security is also one of your main priorities.
7. Keep logging to a minimum. Example: If you have a couple of busy web servers, then logging each and every http connection might bring in addition load onto the firewall and also fill up the log server quickly.
8. Try to implement High Availability if your budget would allow that. This would reduce the down time of your network considerably. If a firewall is down it would mean that pretty much most of your operations are down. If High Availability is implemented, then even if the primary were to fail, the secondary would take over. Firewall Clustering is something which can provide your firewall both redundancy and load sharing. Check with the manufacturer if it is available.
9. If there are too many VPN connections that need to connect to your network, then try to get a dedicated VPN device. How many connections are too many connections? Check the firewall manufacturer’s manual. Another way of doing it is checking the load on the firewall – memory, cpu utilization etc.
10. End your rule base with a clean up rule or a ANY ANY DENY rule. Try to also log this rule. This would assist you in analyzing the dropped connections in case you ever attacked or even while simple troubleshooting.