CCNA Security 210-260 Certification Guide

Zone-based firewall

The zone-based policy firewall (ZBF) is the stateful firewall built into Cisco IOS. Like the classic IOS firewall, it performs stateful inspection and can inspect at the application layer (layer 7) for protocols such as HTTP and DNS. Its added functionality is that interfaces are grouped into security zones and a policy is defined for a zone pair rather than for each interface. By default, traffic between two zones is dropped until a zone-pair policy permits it, while traffic between interfaces that belong to the same zone is allowed; traffic to or from the router itself belongs to the built-in self zone, which is permitted unless a policy restricts it.

For example, if there are two LAN connections and one WAN connection, the two local interfaces could be grouped into a zone called inside and the WAN link placed in a zone called outside. Traffic is classified with a class map (class-map type inspect), the action to take on each class is defined in a policy map (policy-map type inspect), and that policy is applied to the zone pair from inside to outside or from outside to inside. Because each direction is a separate zone pair, defining only the inside-to-outside pair leaves all unsolicited inbound traffic dropped, while return traffic for sessions initiated from inside is allowed by stateful inspection.
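The scenario above as an added IOS configuration example (constructed for this page, not taken from the book): two LAN interfaces in an inside zone, one WAN interface in an outside zone, and a single inside-to-outside zone pair that inspects web, DNS and ICMP traffic and drops everything else. The interface names, class and policy names and the set of permitted protocols are assumptions; adjust them to the platform and policy in use.

```cisco
! Constructed example: zone-based policy firewall on a Cisco IOS router.
! Interface names and policy/class names are assumptions for illustration.
!
! 1. Define the two security zones.
zone security inside
 description Trusted LAN segments
zone security outside
 description Untrusted WAN link
!
! 2. Classify the traffic that inside hosts may initiate toward the internet.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! 3. Define the action per class: stateful inspection for the matched
!    protocols so that return traffic is allowed, and drop-and-log for the rest.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! 4. Bind the policy to the zone pair. Only inside -> outside is defined;
!    with no outside -> inside pair, unsolicited inbound traffic is dropped.
zone-pair security INSIDE-OUTSIDE source inside destination outside
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! 5. Assign interfaces to zones. Both LAN interfaces share the inside zone,
!    so traffic between them is permitted without a zone pair.
interface GigabitEthernet0/0
 description LAN segment 1
 zone-member security inside
!
interface GigabitEthernet0/1
 description LAN segment 2
 zone-member security inside
!
interface GigabitEthernet0/2
 description WAN uplink
 zone-member security outside
```

To verify the configuration, `show zone security` lists the zones and their member interfaces, `show zone-pair security` confirms which policy is attached to the pair, and `show policy-map type inspect zone-pair sessions` shows the active inspected sessions. Note that the router's own management traffic (SSH to the router, its syslog and NTP traffic) is in the self zone and is not affected by this policy; if a zone pair involving self is added, it must explicitly permit the management protocols or they will be cut off.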

Here are the best practices for designing a sound firewall policy:

  • Trust no one: Allow only the services that are actually required and deny all other traffic. Analyze the privilege levels users need and, based on that analysis, assign only those services to them. This is the least-privilege principle: a user gets access to what is needed and nothing more.
  • Deny physical access to the firewall: Physical access to a firewall should be tightly controlled or denied completely. For example, place the firewall in a server farm or data center with controlled entry.
  • Allow only necessary protocols: Maintain a prepared list of the protocols that should be allowed and those that must be blocked, and enforce it in the policy.
  • Use logs and alerts: Define a logging strategy that fixes the level and type of logging, and make sure those logs are monitored on a regular basis.
  • Segment security zones: Create internal zones and explicitly define the policy for traffic entering from the internet. Create a DMZ if public-facing servers have to be hosted.
  • Do not use a firewall as a server: A firewall should never double as a server in the design. Uninstall or disable any software not required for the firewall role, as company requirements dictate; unneeded management tools and services in particular should be removed.
  • Never use a firewall as a workstation: A user's system depends on many client applications, such as Microsoft and Oracle client software, which introduce vulnerabilities that viruses and worms may exploit.
  • Restrict access to firewalls: Access to the firewall should be highly restricted. Only administrators should be allowed to log in, each with a strong password assigned to them; one-time password (OTP) tokens can be used for stronger authentication.
  • Combine firewall technologies: Packet filtering should not be the only line of defense. It should be combined with stateful inspection, protocol inspection and application-layer inspection.
  • Use a firewall as part of a comprehensive security solution: A firewall should sit directly facing the internet to screen all incoming traffic, but it should be used together with other security appliances and applications to provide a defense-in-depth strategy.
  • Maintain the installation: Keep software and patches up to date. The firewall configuration also has to be revised as application and business requirements change.
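The technical items in the list above (restricting administrative access, allowing only necessary management protocols, disabling services that turn the firewall into a server, and logging) applied to a Cisco IOS router running the zone-based firewall, as an added configuration example constructed for this page rather than taken from the book. The hostname, domain name, management subnet, syslog server address and username are assumptions.

```cisco
! Constructed example: hardening the management plane of an IOS firewall router.
! Hostname, domain, addresses and the username are assumptions.
hostname FW-EDGE
ip domain-name example.com
!
! Restrict access: local administrator account with a strong hashed secret,
! a strong enable secret, and no cleartext passwords in the configuration.
aaa new-model
aaa authentication login default local
username admin privilege 15 secret Str0ng-Adm1n-Passphrase!
enable secret Str0ng-Enable-Passphrase!
service password-encryption
!
! Allow only necessary protocols for management: SSHv2 only, never Telnet,
! and only from the management subnet. Failed attempts are logged.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
 login authentication default
line console 0
 exec-timeout 5 0
 login authentication default
!
! Slow down password guessing against the vty lines.
login block-for 120 attempts 3 within 60
!
! Do not use the firewall as a server: disable services that are not part of
! the firewall role, and stop advertising the device on the untrusted link.
no ip http server
no ip http secure-server
no ip finger
no service tcp-small-servers
no service udp-small-servers
no cdp run
no ip source-route
!
! Logs and alerts: timestamped events kept locally and forwarded to a syslog
! collector so that the zone-pair drop log entries are actually reviewed.
service timestamps log datetime msec localtime show-timezone
logging buffered 64000 informational
logging host 10.0.0.50
logging trap informational
logging source-interface GigabitEthernet0/0
```

The `deny any log` entry on the management ACL and the `drop log` action in the zone-pair policy only help if the resulting syslog messages reach a collector that someone reviews, which is why the logging host and trap level are set alongside the access restrictions. After applying the configuration, `show ip ssh`, `show line vty 0 4` and `show logging` confirm that SSHv2 is enabled, that the access class is bound to the vty lines, and that messages are being forwarded.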