3: Network Firewall
[Original article by: KC Lai]
Setting up the network firewall
[This is a part of a series on self-hosting OSCAR. Start by reading the first article.]
The network firewall is the most important piece of your router. It acts as a gateway that protects your clinic from outside bad actors who try to infiltrate your network infrastructure and do damage. Although the firewall is not the only thing that protects you, it is an important piece of the overall security practice. The firewall essentially blocks outside requests from entering the office network and only allows “authorized connections”. However, anything inside the network can request access to something outside the network (i.e., a web page), and the reply to that request is then considered an “authorized connection”. Even with the best firewall, social engineering techniques can trick you and your staff into allowing malware to infiltrate your system. Therefore, safe security practices include not only hardware and software, but also policies and procedures that are adhered to, and adequate training of all your computer users.
Depending on what kind of firewall you use (whether built-in to the router, or a separate appliance), it can go from simple to very complicated to setup and manage. There are probably manuals written on how to set up a firewall. Ask your IT person, computer-savvy friend, or Google for how to do it properly.
Here are some settings you should consider configuring:
- Turn on Stateful Packet Inspection (SPI)
- Disable external SSH management of the router
- Disable external web management of the router
- Disable external telnet management of the router
- Disable WPS
- Disable UPnP
- Block anonymous WAN requests (ping)
- Block WAN SNMP access
- Block all ports by default from accessing the network from the outside, and only enable the ones you want and know should be allowed to enter without being requested from inside the network. Only open the ports when you need them, for specific applications within your clinic.
- “Open ports” and use “port forwarding” to redirect external access requests to the internal IP address of your device/server application:
  - 80: if you have a web server that serves web pages
  - 443: if you have an SSL-encrypted web server
  - 8443 (or whatever port you want): if you plan on using this for your OSCAR server
  - 1194: OpenVPN server
  - 25, 143, 587, 993, 995: if you have an email server
- You do NOT need to open ports if all you want to do is surf the web.
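As an added example (not part of the original article, and not tied to any particular router product), here is a small POSIX shell script that turns the checklist above into an nftables ruleset for a Linux-based router: default-deny on input and forward, no WAN ping or SNMP, no SSH/web/telnet management from the WAN side, OpenVPN terminated on the router, and only 443 and 8443 forwarded to the internal OSCAR server. The interface names and the server address are placeholders passed in as arguments; adjust the forwarded ports to match what you actually run.

```shell
#!/bin/sh
# Generate an nftables ruleset that implements the firewall checklist.
# Assumptions (placeholders, not values from the article):
#   WAN_IF    - interface facing the Internet (e.g. eth0)
#   LAN_IF    - interface facing the clinic network (e.g. eth1)
#   SERVER_IP - internal address of the OSCAR server (e.g. 192.168.1.10)
# Usage: gen_ruleset WAN_IF LAN_IF SERVER_IP > /etc/nftables.conf && nft -f /etc/nftables.conf

gen_ruleset() {
  wan="$1"; lan="$2"; server="$3"
  cat <<EOF
flush ruleset

table inet filter {
  chain input {
    # Traffic addressed to the router itself: drop unless explicitly allowed.
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # The LAN side may reach the router (DHCP, DNS, local management).
    iif "$lan" accept
    # WAN side: block ping, SNMP and remote management. These are already
    # covered by the drop policy; they are listed so the intent is visible.
    iif "$wan" icmp type echo-request drop
    iif "$wan" icmpv6 type echo-request drop
    iif "$wan" udp dport { 161, 162 } drop
    iif "$wan" tcp dport { 22, 23, 80, 443 } drop
    # OpenVPN terminates on the router, so 1194 is accepted here, not forwarded.
    iif "$wan" udp dport 1194 accept
  }
  chain forward {
    # Traffic passing through the router: stateful, default deny.
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Anything from inside may go out; replies come back via the ct rule.
    iif "$lan" oif "$wan" accept
    # Only the explicitly forwarded ports may reach the internal server.
    iif "$wan" oif "$lan" ip daddr $server tcp dport { 443, 8443 } accept
  }
}

table ip nat {
  chain prerouting {
    # Port forwarding: rewrite the destination to the internal server.
    type nat hook prerouting priority -100;
    iif "$wan" tcp dport { 443, 8443 } dnat to $server
  }
  chain postrouting {
    # Outbound clinic traffic leaves with the router's WAN address.
    type nat hook postrouting priority 100;
    oif "$wan" masquerade
  }
}
EOF
}

# Self-check helper: returns 0 if the generated ruleset contains the given text.
# Example: ruleset_has eth0 eth1 192.168.1.10 'policy drop;'
ruleset_has() {
  gen_ruleset "$1" "$2" "$3" | grep -qF -- "$4"
}
```

Before applying a ruleset on a real router, run `nft -c -f /etc/nftables.conf` to check the syntax without loading it, and keep a console or LAN-side session open so a mistake in the input chain cannot lock you out.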
Read Next: Choosing Server Hardware