Once you have determined what the basic components of your firewall are, an unfortunate number of details still have to be determined. You need to figure out how you're actually going to assemble the pieces, and how you're going to provide the support services that will keep them functioning.
Logging is extremely important for a firewall. The logs are your best hope of detecting attacks against your site and your best source of information about what happened when an attack succeeds. You will need to keep logs separate from the firewall, where an intruder can't destroy the logs as soon as he or she compromises the firewall. If you have a firewall composed of multiple machines, or you have multiple firewalls, you'll also want to bring all of the logs together to simplify the process of using them. Logging is discussed further in Chapter 10, and Chapter 26.
You will need to keep backups of all the parts of your firewalls. These will let you rebuild systems in an emergency, and they will also give you evidence when you discover an attack, allowing you to compare before and after states.
Unfortunately, when you do backups between two machines, they become vulnerable to each other. The machine that you use for backing up your firewall is part of the firewall and needs to be treated appropriately. You may find it more appropriate to do local backups, with a device that's attached to each computer that makes up part of the firewall (be sure to use removable media and remove it; otherwise, a disaster or compromise will take the backups along with the originals). If you have a large and complex firewall, you may want to add a dedicated backup system to the firewall. This system should be part of the firewall system, treated like any other bastion host. It should not have access to internal networks or data, and it should be secured like other bastion hosts.
You should carefully examine all cases where the firewall is getting information from external machines, get rid of as many dependencies as possible, and move other services into the firewall wherever possible.
For instance, is the firewall dependent on other machines for name service? If so, interfering with the name service may cause problems with the firewall (even if the firewall only uses name service to write hostnames into logs, problems with the name service can make it unusably slow). If you can, configure firewall machines so that they never use name service for any purpose; if you can't, protect your name server as part of your firewall (though you will still be vulnerable to forged name service packets).
Similarly, if you are using a time service to synchronize clocks on firewall machines, it should use authentication and come from a protected source. Firewall machines should not require or accept routing updates unless they can be authenticated and their sources protected.
You will need to do some routine maintenance tasks on the machines (upgrade them, change configurations, add or remove user accounts, reboot them). Are you going to physically go to the machines to do this, or will you use some kind of remote access? If you're going to do it remotely, how are you going to do it securely? Chapter 11, and Chapter 12, discuss remote administration options for Unix and Windows NT.
You will need some sort of reporting on the machine, so that you know it's still functioning normally. Exactly what you need will depend on the administration infrastructure that you have in place, but you will need some way of getting regular log summaries and reports from security auditing systems. You may also want to use a monitoring system that will show you status on a regular basis.
When things go wrong, the firewall should send emergency notifications. The mechanism that is used should be one that attackers can't easily interfere with. For instance, if the firewall machines need to send network traffic to provide emergency notification, it's easy for an attacker to simply take down the network interface. (In some configurations, this may also remove the attacker's access, but if the attack is a denial of service, that isn't important.) Either machines should have ways of sending alarms that are not dependent on the network (for instance, by using a modem), or alarms should be generated by independent monitoring machines that are not on the same network and will produce alarms if they lose contact.