520 likes | 623 Views
Ongoing Administration. Chapter 11. Learning Objectives. Learn how to evolve a firewall to meet new needs and threats Adhere to proven security principles to help the firewall protect network resources Use a remote management interface Track log files for security. continued.
E N D
Ongoing Administration Chapter 11
Learning Objectives • Learn how to evolve a firewall to meet new needs and threats • Adhere to proven security principles to help the firewall protect network resources • Use a remote management interface • Track log files for security continued
Learning Objectives • Follow basic initial steps in responding to security incidents • Take advanced firewall functions into account when administering a firewall
Making Your Firewall Meet New Needs • Throughput • Scalability • Security • Recoverability • Manageability
Verifying Resources Needed by the Firewall • Ways to track memory and system resources • Use the formula:MemoryUsage = ((ConcurrentConnections)/ (AverageLifetime))*(AverageLifetime + 50 seconds)*120 • Use software’s own monitoring feature
Identifying New Risks • Monitor activities and review log files • Check Web sites to keep informed of latest dangers; install patches and updates
Adding Software Updates and Patches • Test updates and patches as soon as you install them • Ask vendors (of firewall, VPN appliance, routers, etc) for notification when security patches are available • Check manufacturer’s Web site for security patches and software updates
Adding Hardware • Identify network hardware so firewall can include it in routing and protection services • Different ways for different firewalls • List workstations, routers, VPN appliances, and other gateways you add as the network grows • Choose good passwords that you guard closely
Dealing with Complexity on the Network • Distributed firewalls • Installed at endpoints of the network, including remote computers that connect to network through VPNs • Add complexity • Require that you install and/or maintain a variety of firewalls located on your network and in remote locations • Add security • Protect network from viruses or other attacks that can originate from machines that use VPNs to connect (eg, remote laptops)
Adhering to Proven Security Principles • Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management • Secure physical environment where firewall-related equipment is housed • Importance of locking software so that unauthorized users cannot access it
Environmental Management • Measures taken to reduce risks to physical environment where resources are stored • Back-up power systems overcome power outages • Back-up hardware and software help recover network data and services in case of equipment failure • Sprinkler/alarm systems reduce damage from fire • Locks guard against theft
BIOS, Boot, and Screen Locks • BIOS and boot-up passwords • Supervisor passwords • Screen saver passwords
Using Remote Management Interface • Software that enables you to configure and monitor firewall(s) that are located on different network locations • Used to start/stop the firewall or change rulebase from locations other than the primary computer
Why Remote Management Tools Are Important • Reduce time and make the job easier for the security administrator • Reduce chance of configuration errors that might result if the same changes were made manually for each firewall on the network
Security Concerns with Remote Management Tools • Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems • Offers strong security controls (eg, multi-factor authentication and encryption) • Should have an auditing feature • Should use tunneling to connect to the firewall or use certificates for authentication • Evaluate SIM software to ensure it does not introduce new vulnerabilities
Basic Features Required of Remote Management Tools • Ability to monitor and configure firewalls from a single centralized location • View and change firewall status • View firewall’s current activity • View any firewall event or alert messages • Ability to start and stop firewalls as needed
Tracking Contents of Log Files for Security • Reviewing log files can help detect break-ins that have occurred and possibly help track down intruders • Tips for managing log files • Prepare usage reports • Watch for suspicious events • Automate security checks
Preparing Usage Reports • Sort logs by time of day and per hour • Check logs to learn when peak traffic times are on the network • Identify services that consume the largest part of available bandwidth
Suspicious Events to Watch For • Rejected connection attempts • Denied connections • Error messages • Dropped packets • Successful logons to critical resources
Responding to Suspicious Events • Firewall options • Block only this connection • Block access of this source • Block access to this destination • Track the attacks • Locate and prosecute the offenders
Tools for Tracking Attacks • Sam Spade • Netstat • NetCat
Compiling Legal Evidence • Identify which computer or media may contain evidence • Shut down computer and isolate work area until computer forensic specialist arrives • Write protect removable media • Preserve evidence (make a mirror image) so it is not manipulated continued
Compiling Legal Evidence • Examine the mirror image, not the original • Review log files and other data; report findings to management • Preserve evidence by making a “forensically sound” copy
Compiling Legal Evidence • Observe the three As of computer forensics • Acquire • Authenticate • Analyze
Automating Security Checks • Outsource firewall management
Security Breaches Will Happen! • Use software designed to detect attacks and send alert notifications • Take countermeasures to minimize damage • Take steps to prevent future attacks
Using an Intrusion Detection System (IDS) • Detects whether network or server has experienced an unauthorized access attempt • Sends notification to appropriate network administrators • Considerations when choosing • Location • Intrusion events to be gathered • Network-based versus host-based IDS • Signature-based versus heuristic IDS
Network-Based IDS • Tracks traffic patterns on entire network segment • Collects raw network packets; looks at packet headers; determines presence of known signatures that match common intrusion attempts; takes action based on contents • Good choice if network has been subject to malicious activity (eg, port scanning) • Usually OS-independent • Minimal impact on network performance
Host-Based IDS • Collects data from individual computer on which it resides • Reviews audit and system logs, looking for signatures • Can perform intrusion detection in a network where traffic is usually encrypted • Needs no additional hardware • Cannot detect port scans or other intrusion attempts that target entire network
Signature-Based IDS • Stores signature information in a database • Database requires periodic updating • Can work with either host-based or network-based IDS • Often closely tied to specific hardware and operating system • Provides fewer false alarms than heuristic IDS
Heuristic IDS • Compares traffic patterns against “normal activity” and sets off an alarm if pattern deviates • Can identify any possible attack • Generates high rate of false alarms
Receiving Security Alerts • A good IDS system: • Notifies appropriate individuals (eg, via e-mail, alert, pager, or log) • Provides information about the type of event • Provides information about where in the network the intrusion attempt took place
When an Intrusion Occurs • React rationally; don’t panic • Use alerts to begin assessment • Analyze what resources were hit and what damage occurred • Perform real-time analysis of network traffic to detect unusual patterns • Check to see if any ports that are normally unused have been accessed • Use a network auditing tool (eg, Tripwire)
During and After Intrusion • Document the existence of: • Executables that were added to the system • Files that were • Placed on the computer • Deleted • Accessed by unauthorized users • Web pages that were defaced • E-mail messages that were sent as a result of the attack • Document your response to the intrusion
Configuring Advanced Firewall Functions • Ultimate goal • High availability • Scalability • Advanced firewall functions • Data caching • Redundancy • Load balancing • Content filtering
Data Caching • Set up a server that will • Receive requests for URLs • Filter those requests against different criteria • Options • No caching • URI Filtering Protocol (UFP) server • VPN & Firewall (one request) • VPN & Firewall (two requests)
Hot Standby Redundancy • Secondary or failover firewall is configured to take over traffic duties in case primary firewall fails • Usually involves two firewalls; only one operates at any given time • The two firewalls are connected in a heartbeat network
Hot Standby Redundancy • Advantages • Ease and economy of set up and quick back-up system it provides for the network • One firewall can be stopped for maintenance without stopping network traffic • Disadvantages • Does not improve network performance • VPN connections may or may not be included in the failover system
Load Balancing • Practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems • Load sharing • Practice of configuring two or more firewalls to share the total traffic load • Traffic between firewalls is distributed by routers using special routing protocols • Open Shortest Path First (OSPF) • Border Gateway Protocol (BGP)
Load Sharing • Advantages • Improves total network performance • Maintenance can be performed on one firewall without disrupting total network traffic • Disadvantages • Load usually distributed unevenly (can be remedied by using layer four switches) • Configuration can be complex to administer
Filtering Content • Firewalls don’t scan for viruses but can work with third-party applications to scan for viruses or other functions • Open Platform for Security (OPSEC) model • Content Vectoring Protocol (CVP)