Skylimit,
Your question is an extremely good one and surely there is no one 'right' answer for it. It all depends on what the requirements are and what the firewall needs to secure behind it. For example, banks and financial departments have a much more 'strict' minimum configuration requirement, while companies are usually less strict and in most cases there is no guideline
In general there are a few 'best practices' which I follow and seem to have served me well so far. I'll include a few below but also make some remarks regarding VPN:
- Restrict remote access to the Firewall from the Outside (Public) and inside (Private) network
- Avoid Port Forwarding from the public interface directly to internal hosts on the local LAN
- Try not to configure Public IP addresses directly on the Firewall. In most cases, the router in front of the Firewall appliance is configured with Public IP addresses (WAN/LAN interfaces) and the LAN interface connects to the Firewall device. Instead of configuring these interfaces with Public IP, I always advise to forward any necessary public protocol (e.g TCP port 80 - www) from the router's WAN interface to the Firewall. Port-forwarding specific services and ports increase security dramatically
- Enable any stateful packet filtering (ASA 'Fixup' command) . Stateful Packet Filtering ensures all sessions are tracked and firewall access-lists are generated automatically to allow returning traffic through the firewall.
- Enable strong & complex user passwords
Regarding VPNs well there are things I always make sure of:
1) Always ensure your IPSec tunnel is properly encrypted using AES encryption
2) Never reveal your ISAKMP keys used for negotiation between tunnel ends (two routers)
3) Always ensure a different ISAKMP key is used for each tunnel endpoint
4) Ensure the necessary access lists are applied on both end of the tunnels, so that only the necessary traffic is to pass over the VPN
5) Use complex usernames/passwords or group passwords
6) Disable telnet/SSH access to the router from the public interface
7) Backup your configuration!!
8) Never give others access to your router firewall!
The above are just a few things I could write at 2am in the morning - I hope they help.
Chris,