When you embark on the journey to build a company there are a number of startup items you spend money on at the outset. One of the items you should focus on are:Firewalls. Buy the best and start with a plan because all projects start with security and Firewalls keep you safe!
The early development of your application is your focus. You want to show investors the value that you are going to deliver. Behind those fancy HTML5 windows and various other code levels, you need to establish the firewall rules at the beginning. Your firewall rules need to start with the most restrictive setup you can think of. The key term you should focus on is micro-segmentation.
The implementation of a firewall should exist between the web, application and database layer. You could choose to allow the common protocols between them and then deny everything else. Your firewalls need to be facing the internet and severely restrict outbound access to the users. In one extreme example, I am still aware of a company that does not allow access to the internet from the user desktop. While allowing access to the internet from the desktop is a normal use case, it is imperative to restrict access to inappropriate web sites and other malicious content. The restriction should also include preventing downloads.
Firewalls are sold as physical appliances or virtual. The VMware NSX platform is one technology to review as part of your evaluation. The selection of the firewall should be addressed based on your performance characteristics. The deployment of the firewall should use the S-T-R-A-F model for installation.
The physical deployment of the firewalls needs to be combined with the operations process for making a firewall request. Early in your company establish the turnaround time for firewall requests. Firewalls are complicated and your team that manages them is responsible for the security of your infrastructure. Requests can’t be rushed because one wrong change could expose your entire network. Each firewall request should be tracked in your ticketing system and include a workflow consisting of two reviewers. The request should include the following fields: Who is making the request? Is the request temporary or permanent? What is the source location and ports? What are the destination and ports? Who will test the change when it is made? What are the expected test results?
Your firewall team is NOT responsible for tracking the ports that applications use. Your application teams need to know what ports to request. In the lab environment, the application team should track the ports that are passing the requests. It is UNFAIR to your firewall team for them to know every application and the ports that are used. It bears repeating that your application team needs to know the ports they use and keep track of them. These ports are important for audit and firewall upgrades that will take place.
Prioritizing the deployment of firewalls at your startup company will keep you secure and will allow you to grow your company.