Firewall Rule Creation

Creating firewall rules for a network can be a painful process. The ruleset must be tight enough to allow access only to required resources. Unfortunately, what you as a security administrator consider a required resource and what the users of the network consider one can differ wildly. For example, many users believe instant-messenger programs are required for day-to-day communication and business processes. Instant-messaging programs may genuinely improve business communication, but they are also a prime vector for viruses and worms to enter your network. You must come to an agreement with the users and owners of the network when creating firewall rules, or else you will fight a never-ending battle.

Once everyone agrees on a policy, you must still verify that your firewall is protecting you as you expect. Build your ruleset and deploy your firewall. Then examine your log files and verify that you are dropping the packets you expect to drop and accepting the valid ones. It is advisable to portscan your network from a host on the segment facing each interface, so that every path through the firewall is exercised. Make sure you are not allowing traffic through that you do not want. Given how complicated a ruleset can become on a firewall with three or more interfaces, take your time and examine each interface in turn. You may find that you are protecting yourself from wireless attacks effectively but, due to a misconfiguration, are allowing the entire Internet through to all services on your DMZ. If you discover ...
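The portscan check described above becomes much more reliable when the scan results are compared mechanically against the intended policy instead of being eyeballed. The following script is an added example (not from the book) that takes nmap "grepable" output (`nmap -oG`) from a scan run on each interface's segment and reports any port that is reachable but not allowed, and any port that is allowed but not reachable. The policy, the scanning positions ("internet->dmz", "wireless->dmz"), the DMZ address 192.0.2.10 and the scan output are all constructed for illustration; in the constructed data the Internet-facing scan shows MySQL (3306/tcp) exposed on the DMZ host, which is exactly the kind of misconfiguration the text warns about.

```python
"""
Audit firewall reachability: compare per-interface port scans (nmap -oG
format) against the intended policy. All data below is constructed sample
input, not real scan output.
"""
import re
from collections import defaultdict

# Intended policy: for each scanning position, the (proto, port) pairs that
# SHOULD be reachable on the DMZ. Everything else must be blocked.
# (Positions and ports are hypothetical.)
POLICY = {
    "internet->dmz": {("tcp", 80), ("tcp", 443)},
    "wireless->dmz": {("tcp", 443)},
}

# Constructed nmap -oG output for a scan run from a host on each segment, e.g.
#   nmap -sS -p- -oG internet-to-dmz.gnmap 192.0.2.10
# In the Internet-facing scan, 3306/tcp is open: a misconfiguration.
SCANS = {
    "internet->dmz": "\n".join([
        "# Nmap scan initiated as: nmap -sS -p- -oG internet-to-dmz.gnmap 192.0.2.10",
        "Host: 192.0.2.10 ()\tStatus: Up",
        "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
        "3306/open/tcp//mysql///\tIgnored State: filtered (65532)",
        "# Nmap done",
    ]),
    "wireless->dmz": "\n".join([
        "# Nmap scan initiated as: nmap -sS -p- -oG wireless-to-dmz.gnmap 192.0.2.10",
        "Host: 192.0.2.10 ()\tStatus: Up",
        "Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (65534)",
        "# Nmap done",
    ]),
}

# One entry of the -oG "Ports:" field looks like: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([^/,\s]+)/(tcp|udp)/")
HOST_RE = re.compile(r"^Host: (\S+)")


def parse_gnmap(text):
    """Return {host: {(proto, port), ...}} of ports reported 'open' in nmap -oG output."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        host = m.group(1)
        for port, state, proto in PORT_RE.findall(line):
            if state == "open":
                open_ports[host].add((proto, int(port)))
    return dict(open_ports)


def audit(policy, scans):
    """For each scanning position, list ports that are open but not allowed
    (policy violations) and ports that are allowed but not reachable
    (over-restriction or a down service)."""
    results = {}
    for position, text in scans.items():
        observed = set()
        for ports in parse_gnmap(text).values():
            observed |= ports
        allowed = policy.get(position, set())
        results[position] = {
            "unexpected_open": sorted(observed - allowed),
            "expected_missing": sorted(allowed - observed),
        }
    return results


if __name__ == "__main__":
    for position, findings in audit(POLICY, SCANS).items():
        print(position)
        for proto, port in findings["unexpected_open"]:
            print(f"  VIOLATION: {port}/{proto} reachable but not allowed")
        for proto, port in findings["expected_missing"]:
            print(f"  MISSING:   {port}/{proto} allowed by policy but not reachable")
        if not findings["unexpected_open"] and not findings["expected_missing"]:
            print("  OK: scan matches policy")
```

Run the real scans with `nmap -sS -p- -oG <file> <target>` (add `-sU` for UDP) from a host on each interface's segment, one file per position, and feed each file's contents into `SCANS`. Treat any entry in `unexpected_open` as a rule defect to fix before trusting the firewall; repeat the scan after every ruleset change.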
