Review the NIST Framework document at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
Then, create a list of best practices for firewall and VPN man

Response#1 (Leburu)

 
Best Practices for Firewall Rules:
In a firewall rule, the action component decides if it will permit or block traffic. It has an action on match feature. For example, if the traffic matches the components of a rule, then it will be permitted to connect to the network. It is essential to consider the potential security risks when modifying a firewall rule to avoid future issues.      (Agatsuma, S. (2020)
Types of Best Practices: 
formal change procedure:
Firewall rules must be updated for new services and new devices. Before  add or modify any firewall rules, each change that  create requires that  apply the change.
Block traffic by default:
By default, start blocking all traffic, only allowing specific services for the selected services. This approach ensures that the quality of traffic is controlled and reduces the risk of infringement. This behavior is achieved by setting the last rule in the access control list to deny all traffic. This can be done explicitly and indirectly depending on the platform.
Set all explicit firewall rules first:
At the top of the rule base, set the most explicit firewall rules. This is the starting point where traffic is matched. A rule base is established rules that manage what is and what is not permitted through a firewall. Rule bases typically work on a top-down protocol in which the first rule in the list performs its action first. This action is done, so that the traffic permitted by the first rule, will never be assessed by the remainder of the rules.
Set explicit drop rules (Cleanup Rule):
The main purpose of firewalls is to drop all traffic that is not explicitly permitted. As a safeguard to stop uninvited traffic from passing through the firewall, place an any-any-any drop rule Cleanup Rule at the bottom of each security zone context.
Best practices for VPN :
Authentication:
First, if a VPN is the gateway between the network and the Internet, the network is as secure as a VPN. Well-known VPN providers provide security as they wish in the future, but they are just as secure as authentication methods Of course, not only VPN networks.
Latency: 
When properly configured, the VPN can run smoothly without affecting the end user experience. After authentication, employees do not notice its existence. However, diverting all traffic through a third party broker will lead to unavoidable results.
Split Tunneling:
Employees usually have two ways to configure VPN clients. These are complete tunnels and broken tunnels. Throughout the tunnel, all network traffic is forced to pass through the VPN provider, regardless of the destination of the traffic. In a shared tunnel, VPN traffic can only be enforced if the destination is within a private enterprise network. In this way, a shared tunnel separates corporate intranet traffic from private Internet access.

Response#2(Rallabandi)

 
Best practices for firewall
Security:
 Start with Security collect personal information that hold on to information only as long as  have a legitimate business need. Don’t use personal information when it’s not necessary. Make sure  service providers implement reasonable security measures. Insist that appropriate security standards are part of  contracts, and verify compliance, including through cyber security audits of third-party providers.   ( Chaudhary, M. 2020).
Identify:
An organizational understanding to manage cyber security risks to systems, assets, data, and capabilities. This includes understanding the organization’s computer systems and network; the personal information it collects; potential vulnerabilities of the organization’s systems; and the degree of harm that customers may suffer by disclosure of their personal information. By understanding and weighing these risks, an organization can focus and prioritize its cyber security efforts in relation to risk management strategy and business requirements.
Protect:
Implement appropriate safeguards to ensure delivery of critical infrastructure services. This includes providing training to employees regarding cyber security risks and protection; limiting access to systems, data, and assets; using technology to secure data; and maintaining cyber security policies and procedures. Control access to data sensibly, and restrict access to sensitive data. Limit administrative access to non-public information. Require secure passwords and authentication, and insist on complex and unique passwords. This will help guard against brute force attacks. Store passwords securely, e.g., not in plain text in personal email accounts.
Detect:
Implement the appropriate activities to identify when a cyber security event occurred. This includes the monitoring of information systems frequently and testing processes to detect irregular activity. Use industry-tested and accepted methods for cyber security.
Respond:
Develop and implement the appropriate activities to take regarding a detected cyber security event. This includes executing the organization’s processes and procedures concerning a response; coordinating and communicating with internal and external stakeholders regarding the cyber security incident, as well as applicable law enforcement authorities; controlling and mitigating the cyber security incident in an adequate response time; and revisiting the organization’s processes and procedures to incorporate lessons learned from the cyber security incident. Review the law of each state in which  company does business and in which it has customers, as  will need to comply with each state’s various cyber security notification laws.
Recover:
Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were affected due to the cyber security incident. The goal is to help an organization timely recover to normal operations and to minimize the impact of the cyber security incident on the organization’s internal and external stakeholders.
Best Practices for VPN’s
•Only use VPN access when there is a business need. According to NIST (2018), as specified under subcategory PR.AC-3, remote access is to be managed.
•Use MFA. Devices that connect to  networks can be used for great harm. MFA should be required for all VPN connections to ensure that only authorized users and devices are connected.
•Use only modern and robust VPN protocols. Use of insecure protocols such as PPTP put  network at risk.
•Allow only authorized devices to connect via a VPN. Don’t let  user connect with their home PC, issue them a company laptop instead. This way the device can still be controlled and protected by the company’s IT department.