
Guide to Tactical Perimeter Defense

Guide to Tactical Perimeter Defense. Configuring Firewalls Presented by Hossein Pour Taheri. Objectives. Design common firewall configurations Establish a set of rules and restrictions for a firewall Decide when to use user, session, or client authentication.


Presentation Transcript


  1. Guide to Tactical Perimeter Defense Configuring Firewalls Presented by Hossein Pour Taheri

  2. Objectives • Design common firewall configurations • Establish a set of rules and restrictions for a firewall • Decide when to use user, session, or client authentication Tactical Perimeter Defense

  3. Designing Firewall Configurations • Provide adequate access without jeopardizing confidential or mission-critical areas • Deploy firewalls in different ways • Screening host • Dual-homed host • Screened host • Screened subnet DMZ • Multiple DMZs • Multiple firewalls • Reverse firewall setup

  4. Screening Routers • Single router on network perimeter configured to filter packets • Simplest kind of firewall • Filters on source/destination IP addresses or other information in header • Should be combined with firewall or proxy server for added protection

  5. Screening Routers (con’t.) Figure 6-1 A screening router

  6. Dual-Homed Hosts • Configured on more than one network interface • Only firewall software can forward traffic from one interface to another • Firewall placed between network and Internet • Disadvantage: host serves as single point of entry to network • Multilayered DiD arrangement is important • Multi-homed hosts • Connected to more than two network interfaces

  7. Dual-Homed Hosts (con’t.) Figure 6-2 A dual-homed host firewall configuration

  8. Screened Hosts • Like dual-homed host, but with added router between host and Internet to filter packets • Blends dual-homed host and screening router configurations for added security • Useful for perimeter security on corporate network • Screened host can function as application gateway or proxy server

  9. Screened Hosts (con’t.) Figure 6-3 A screened host

  10. Screened Subnet DMZs • Protects publicly accessible DMZ servers • Servers are subset of firewall • Three-pronged firewall: firewall connected to Internet and internal network • Useful when providing FTP, e-mail or Web services • Subnet attached to firewall and contained in DMZ • Also called service network or perimeter network

  11. Screened Subnet DMZs (con’t.) Figure 6-4 A screened subnet DMZ

  12. Multiple DMZ/Firewall Configurations • For large corporations or businesses • Prevents overload • Each DMZ is a server farm • Group of servers that handle requests together with load balancing software • Load balancing software • Prioritizes, schedules, and distributes requests to servers based on current load and processing power • Each farm protected by own firewall or router • May incorporate service network and additional firewalls

  13. Figure 6-5 Multiple DMZs protected by multiple firewalls

  14. Multiple Firewall Configurations • Protecting a DMZ with multiple firewalls • Must be configured identically and use the same firewall software • Firewalls can control traffic between DMZ and Internet or between DMZ and internal network • One can function as failover firewall: backup to ensure uninterrupted service • Controls traffic in three areas • External network outside DMZ • External network within DMZ • Internal network behind DMZ

  15. Figure 6-6 Two firewalls used for load balancing

  16. Multiple Firewall Configurations (con’t.) • Activity 1: Designing a Failover Firewall • Objective: Analyze a set of requirements and design a configuration to meet those requirements • Sample requirements • Web site online 95% to 100% of the time, even during firewall failure • Solution: two firewalls • What are the requirements for this setup? • How might you configure the two firewalls?

  17. Multiple Firewall Configurations (con’t.) • Main office develops security policy and deploys it through centralized firewall with security workstation Figure 6-7 Multiple firewalls protecting branch offices

  18. Reverse Firewalls • Monitors outgoing connections instead of blocking incoming traffic • Restricts application access to internal users • Logs connections to Web sites and blocks unsuitable sites • Can detect DoS/DDoS attacks by logging several unexpected packets • Protects segments of internal network from other segments • Proxy servers can also monitor outbound traffic

  19. Reverse Firewalls (con’t.) • Activity 2: Monitoring Outbound Network Traffic • Objective: Analyze a problem scenario to determine a solution • Problem: monitor, track, and possibly block outbound traffic from internal hosts • How would you do this with a firewall?
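An added example (not part of the presentation) of the outbound monitoring that slides 18 and 19 describe: it parses constructed log lines of the kind a reverse firewall or proxy would record for outbound connections, counts hits against a hypothetical list of unsuitable sites, and flags internal hosts that keep sending unexpected (denied) packets to one destination, the pattern the slide treats as a DoS/DDoS indicator. Host names, addresses and the log format are all constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of an outbound connection log (not from the slides):
# "<time> <src_host> -> <dst_host>:<dst_port> <action>"
SAMPLE_LOG = """\
09:00:01 pc-12 -> www.example.com:443 allow
09:00:02 pc-12 -> chat.example.net:5222 deny
09:00:03 pc-07 -> www.example.com:80 allow
09:00:04 pc-07 -> 203.0.113.9:6667 deny
09:00:05 pc-07 -> 203.0.113.9:6667 deny
09:00:05 pc-07 -> 203.0.113.9:6667 deny
09:00:06 pc-07 -> 203.0.113.9:6667 deny
09:00:07 pc-31 -> mail.example.com:25 allow
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (allow|deny)$")

# Hypothetical policy list of sites internal users may not reach.
BLOCKED_SITES = {"chat.example.net"}


def parse_outbound_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, src, dst, port, action = m.groups()
            records.append({"time": t, "src": src, "dst": dst,
                            "port": int(port), "action": action})
    return records


def unsuitable_site_hits(records):
    """Connections to blocked sites, counted per internal host (for the audit log)."""
    return Counter(r["src"] for r in records if r["dst"] in BLOCKED_SITES)


def repeated_denials(records, threshold=3):
    """(src, dst, port) tuples whose denied packets reach `threshold`: a host that
    keeps retrying unexpected traffic is worth looking at before it becomes a
    flood."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "deny":
            counts[(r["src"], r["dst"], r["port"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}
```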

  20. Choosing a Firewall Configuration • Many customized options and capabilities available Table 6-1 Firewall configuration advantages and disadvantages

  21. Establishing Rules and Restrictions • All firewalls depend on a good rule base • Based on organization’s security policy • Includes a firewall policy on how applications access the Internet • Simple and short as possible • Restricts access to ports and subnets on the internal network from the Internet • Controls Internet services

  22. Base the Rule Base on Your Security Policy • Important elements of packet filtering • Logging and auditing • Tracking • Filtering • NAT • Quality of service • Desktop security policy

  23. Base the Rule Base on Your Security Policy (con’t.) • Common guidelines • Employees have access to Internet with restrictions • Public can access company’s Web and e-mail server • Only authenticated traffic can access internal network • Employees cannot use instant messaging outside internal network • Traffic allowed from company’s ISP • No external traffic can connect by instant messaging • Only network administrator can access internal network directly from Internet

  24. Creating a Firewall for Application Traffic • Describes how firewalls should handle application traffic • Steps • Identify needed network applications and their vulnerabilities • Conduct a cost-benefit analysis and develop a traffic matrix • Develop firewall rule base • Three options: allow, block, ask or prompt

  25. Creating a Firewall for Application Traffic Table 6-2 Application traffic matrix

  26. Keep the Rule Base Simple • The more complex the rule base, the higher the chance of misconfiguring it • Professionals suggest no more than 30 rules • Rules are processed in order • Last rule should be a cleanup rule: handles packets that have not been addressed in previous rules • When rule match is found for packet, corresponding action is taken: allow or deny • No notification is sent for deny action

  27. Restrict Subnets, Ports, and Protocols • Filtering by IP addresses • Identify trusted IP address ranges • Filtering by ports • Complicated: source/destination ports are different; destination port is determined dynamically • Block unneeded ports and allow necessary ports • Filtering by service • Blocks by service name, TCP control flags, or IP options in header

  28. Restrict Subnets, Ports, and Protocols (con’t.) Figure 6-8 Identify trusted subnets and IP addresses Figure 6-9 Port numbers direct packets to the client or server that needs them

  29. Restrict Subnets, Ports, and Protocols (con’t.) • Activity 6-3: Adding Computers to a Trusted Zone • Objective: Specify trusted IP address ranges in ZoneAlarm • By default, ZoneAlarm blocks all addresses • Display list in Zones tab • If one computer is listed, add the IP ranges of your network

  30. Restrict Subnets, Ports, and Protocols (con’t.) • General practices of rule bases • A “deny all” security policy should allow services selectively as needed and block all other traffic • Only network administrators should be allowed to connect to the firewall • All inbound traffic should be filtered first • Access to public servers in DMZ and access to Internet should be permitted

  31. Restrict Subnets, Ports, and Protocols (con’t.) Table 6-5 A typical packet-filtering rule base

  32. Restrict Subnets, Ports, and Protocols (con’t.) • Activity 6-4: Tracing a Blocked IP Address • Objective: Determine the source of packets logged by ZoneAlarm • ZoneAlarm can create alert messages and log file entries for each blocked connection attempt • Use the Tracert utility to determine whether the blocked packet is coming from your network or from an unrecognized server • Evaluate alert messages and look for connection attempts to suspicious ports

  33. Control Internet Services • Web service rules • Allow Web surfing and e-mail exchange Table 6-6 Outbound Web access

  34. Control Internet Services (con’t.) • DNS resolution • Allow resolution of domain names and external user access with TCP/UDP port 53 Table 6-7 DNS resolution rules

  35. Control Internet Services (con’t.) • E-mail configuration • Allow POP3 and SMTP protocols and SSL encryption Table 6-8 E-mail rules

  36. Control Internet Services (con’t.) • FTP transactions • Can be active or passive • Uses separate control port (21) and data port (20) Table 6-9 FTP rules

  37. Control Internet Services (con’t.) • ICMP message type • No authentication method for recipient; filters on type Table 6-10 Filtering ICMP message types

  38. Control Internet Services (con’t.) • Activity 6-5: Designing a Rule Base • Objective: Create a basic rule base for packet filtering • Allow internal hosts to access external network • Prevent any access to firewall • Allow internal and external access to e-mail and Web server • Allow internal access to DNS server • What rule involving the firewall could you add?
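An added example, not from the presentation, that writes the Activity 6-5 requirements as a packet-filtering rule base and processes it the way slides 26 and 30 describe: rules are checked in order, the first match decides allow or deny, and a "deny all" cleanup rule sits last. The subnet, server and firewall addresses are constructed, and the ordering of the firewall deny above the broad internal-to-anywhere allow is the point the example makes.

```python
import ipaddress

ANY = "any"
INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # constructed internal subnet
FIREWALL = ipaddress.ip_address("192.168.1.1")     # constructed firewall address
DMZ_WEB = ipaddress.ip_address("192.168.2.10")     # constructed Web/e-mail server
DNS_SRV = ipaddress.ip_address("192.168.2.53")     # constructed DNS server

# (source, destination, protocol, destination port, action), processed top-down.
# The firewall deny must sit above the internal-to-anywhere allow, otherwise an
# internal host would match the allow first; the last rule is the cleanup rule.
RULES = [
    (ANY, FIREWALL, ANY, ANY, "deny"),        # prevent any access to the firewall
    (ANY, DMZ_WEB, "tcp", 80, "allow"),       # Web server, internal and external
    (ANY, DMZ_WEB, "tcp", 25, "allow"),       # e-mail (SMTP) on the same server
    (INTERNAL, DNS_SRV, "udp", 53, "allow"),  # internal access to DNS server
    (INTERNAL, ANY, ANY, ANY, "allow"),       # internal hosts reach external network
    (ANY, ANY, ANY, ANY, "deny"),             # cleanup rule: everything else
]


def _addr_matches(pattern, addr):
    """Match a single address against a wildcard, a network, or an exact address."""
    if pattern == ANY:
        return True
    if isinstance(pattern, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return addr in pattern
    return addr == pattern


def evaluate(src, dst, proto, dport, rules=RULES):
    """Return (action, index) of the first rule that matches the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (rs, rd, rp, rport, action) in enumerate(rules):
        if (_addr_matches(rs, s) and _addr_matches(rd, d)
                and rp in (ANY, proto) and rport in (ANY, dport)):
            return action, i
    raise ValueError("rule base has no cleanup rule")


def has_cleanup_rule(rules=RULES):
    """Slide 26 check: the last rule must match every packet."""
    return rules[-1][:4] == (ANY, ANY, ANY, ANY)
```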

  39. Authenticating Users • Identify users who are authorized to use Internet • Exchanges information for recognition of user • Password • Key: encrypted block of code • Checksum: formula verifying digital information • Physical object: smart card • Biometric information: fingerprints, retina scans, voiceprints

  40. Step 1: Deciding What to Authenticate • User authentication • Define users, groups, and time-based restrictions • Manual or automatic • Client authentication • Based on source IP address, MAC address, or computer name • Manual or automatic • Session authentication • Per-connection basis between client computer and firewall • User must enter password

  41. Step 1: Deciding What to Authenticate (con’t.) Table 6-11 User, client, and session authentication

  42. Step 2: Deciding How to Authenticate (con’t.) • Password security • OS password: simple; not for standalone firewalls • Firewall password: own system of passwords • S/Key password: one-time encrypted password • Types: password lists, challenge-response system • SecurID: two-factor authentication • Combination of password and token • Token generates random number every 60 seconds
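An added example (not the presentation's own material) of the S/Key one-time password list mentioned on slide 42: the client derives a chain of hashes from a secret, the server stores only the top of the chain, and each login presents the next value down, so a captured password cannot be replayed. SHA-256 stands in for the hash; the seed is constructed.

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def skey_setup(secret: bytes, n: int):
    """Client side: the password list h^1(secret) .. h^n(secret).

    chain[i] == h^(i+1)(secret); the client uses the list from the top down."""
    chain = []
    x = secret
    for _ in range(n):
        x = _h(x)
        chain.append(x)
    return chain


class SKeyServer:
    """Server side: keeps only the last chain value plus a use counter, never the
    secret, so a copy of the server's record cannot produce the next password."""

    def __init__(self, last_value: bytes, n: int):
        self.stored = last_value   # h^n(secret) at setup
        self.remaining = n - 1     # passwords still usable (h^(n-1) .. h^1)

    def login(self, otp: bytes) -> bool:
        """Accept otp only if hashing it once reproduces the stored value."""
        if self.remaining <= 0:
            return False
        if _h(otp) != self.stored:
            return False           # wrong value, or a replay of a used password
        self.stored = otp          # step one link down the chain
        self.remaining -= 1
        return True
```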

  43. Step 2: Deciding How to Authenticate (con’t.) • Smart cards and tokens • Two-factor authentication: object and password • Smart cards: user’s computer needs card reader • Handheld or key fob electronic devices • Generate random numbers periodically • Example: RSA Security’s SecurID system

  44. Step 2: Deciding How to Authenticate (con’t.) • Public and private keys • Authentication by using codes (keys) • Longer codes and more complex formulas result in more secure authentication • Keys: blocks of encrypted code generated by algorithms • Public key cryptography: authenticates through the exchange of public and private keys

  45. Step 2: Deciding How to Authenticate (con’t.) • How public key cryptography works • Data encrypted with public key can only be decrypted with private key Figure 6-11 Public key cryptography involves exchanging a public key created with a private key

  46. Step 2: Deciding How to Authenticate (con’t.) • Digital signatures • Attachment to e-mail/message that enables recipient to verify sender’s identity • Provides tamper detection • Message digest: mathematical function • Unique one-way hashed value • Content of hashed data cannot be deduced from hash • Private key encrypts hash; public key decrypts hash • New hash is computed/matched against original hash • Most secure algorithm: SHA-2
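An added example, not from the presentation, walking through the digital signature steps on slide 46: hash the message with SHA-2, "encrypt" the digest with the private key, and let the recipient "decrypt" it with the public key and compare against a freshly computed digest, so a changed message or a changed signature fails. The key is textbook RSA built from two constructed small primes with no padding, chosen only to make the mechanics visible; it requires Python 3.8+ for the modular inverse.

```python
import hashlib

# Constructed key material: two known Mersenne primes. The modulus is tiny by
# real standards but large enough that two distinct SHA-256 digests do not
# collide after reduction modulo N in this demonstration.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)


def message_digest(msg: bytes) -> int:
    """One-way hash of the message (SHA-2), reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, d: int = D) -> int:
    """Sender: the private key 'encrypts' the digest to produce the signature."""
    return pow(message_digest(msg), d, N)


def verify(msg: bytes, signature: int, e: int = E) -> bool:
    """Recipient: the public key 'decrypts' the signature back to the sender's
    digest, and a new digest of the received message must match it exactly."""
    recovered = pow(signature, e, N)
    return recovered == message_digest(msg)
```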

  47. Step 3: Putting it All Together • Common authentication methods of firewalls • Secure Hypertext Transfer Protocol (S-HTTP) • Uses security protocol such as Secure Socket Layer (SSL) to encrypt communication between Web server and Web browser • SSL: uses public/private keys and digital signatures but does not provide user authentication • Internet protocol security (IPSec): encrypts communication at network layer of OSI model • For e-mail, Web traffic, and FTP transfers • Can conflict with NAT

  48. Step 3: Putting it All Together (con’t.) • Common authentication methods of firewalls (con’t.) • Internet Key Exchange (IKE) • Provided with IPSec to exchange public and private keys • Internet Security Association Key Management Protocol (ISAKMP) • Allows agreement on security settings and secure exchange of security keys

  49. Step 3: Putting it All Together (con’t.) • Common authentication methods of firewalls (con’t.) • Dial-in authentication • Terminal Access Controller Access Control System (TACACS+): Cisco protocol that uses TCP and the MD5 algorithm; separate authentication/authorization processes • Remote Authentication Dial-in User Service (RADIUS): less secure than TACACS+; combines authentication/authorization • Wireless users ideally should use VPNs for access

  50. Summary • Firewall configurations • Screening routers • Dual-homed hosts • Multiple firewalls: load balancing; protects branch networks • Reverse firewalls: monitor outbound communications • An effective firewall rule base • Based on organization’s security policy • Provides rules on application access to Internet • Restricts access to ports and subnets on internal network • Simple and short as possible
