500 likes | 810 Views
Firewall Configuration Strategies. Chapter 3. Learning Objectives. Set up firewall rules that reflect an organization’s overall security approach Understand the goals that underlie a firewall’s configuration Identify and implement different firewall configuration strategies
E N D
Firewall Configuration Strategies Chapter 3
Learning Objectives • Set up firewall rules that reflect an organization’s overall security approach • Understand the goals that underlie a firewall’s configuration • Identify and implement different firewall configuration strategies • Employ methods of adding functionality to your firewall
Establishing Rules and Restrictions for Your Firewall • Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them • All firewalls have a rules file—the most important configuration file on the firewall
The Role of the Rules File • Establishes the order the firewall should follow • Tells the firewall which packets should be blocked and which should be allowed • Requirements • Need for scalability • Importance of enabling productivity of end users while maintaining adequate security
Restrictive Firewalls • Block all access by default; permit only specific types of traffic to pass through
Strategies for Implementing a Security Policy • Follow the concept of least privilege • Spell out services that employees cannot use • Use and maintain passwords • Choose an approach • Open • Optimistic • Cautious • Strict • Paranoid
Connectivity-Based Firewalls • Have fewer rules; primary orientation is to let all traffic pass through, then block specific types of traffic
Overview to Firewall Configuration Strategies • Criteria • Scalable • Take communication needs of individual employees into account • Deal with IP address needs of the organization
Scalability • Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed
Productivity • The stronger and more elaborate the firewall, the slower the data transmissions • Important features of firewall: processing and memory resources available to the bastion host
Dealing with IP Address Issues • If service network needs to be privately rather than publicly accessible, which DNS will its component systems use? • If you mix public and private addresses, how will Web server and DNS servers communicate? • Let the proxy server do the IP forwarding (it’s the security device)
Firewall Configuration Strategies • Settle on general approaches; establish rules for them • Deploy firewalls, routers, VPN tunnels, and other tools in a way that will implement rules • Use security components to defend against common attacks
Screening Router • Filters traffic passing between one network and another • Simple, minimally secure • Two interfaces—external and internal—each with its own unique IP address • Performs IP forwarding, based on an access control list (ACL)
Dual-Homed Host • A workstation with an internal interface and an external interface to the Internet • Disadvantage • Host serves as a single point of entry to the organization
Screened Host • Similar to dual-homed host, but the host is dedicated to performing security functions • Sits exposed on the perimeter of the network rather than behind the firewall • Requires two network connections • Also called a dual-homed gateway or bastion host
Two Routers, One Firewall • Router positioned on the outside • Performs initial, static packet filtering • Router positioned just inside the network • Routes traffic to appropriate computers in the LAN being protected • Can do stateful packet filtering
DMZ Screened Subnet • Screened subnet • Network exposed to external network, but partially protected by a firewall • Three-pronged firewall • Three network interfaces connect it to: • External network • DMZ • Protected LAN • Service network • Screened subnet that contains an organization’s publicly accessible server
Three-Pronged Firewall with Only One Firewall • Advantages • Simplification • Lower cost • Disadvantages • Complexity • Vulnerability • Performance
Common Service Network Systems • Those that contain Web and mail servers • Those that contain DNS servers • Those that contain tunneling servers
Multiple-Firewall DMZs • Achieve the most effective Defense in Depth • Help achieve load distribution • Added security offsets slowdown in performance • Two or more firewalls can be used to protect • Internal network • One DMZ • Two DMZs • Branch offices that need to connect to main office’s internal network
Two Firewalls, One DMZ • Two firewalls used to set up three separate networks (tri-homed firewall) • Internal protected network (behind DMZ) • External private network or service network (within DMZ) • External network (outside DMZ) • Advantage • Enables control of traffic in the three networks
Two Firewalls, Two DMZs • Setting up separate DMZs for different parts of the organization helps balance the traffic load between them
Reverse Firewalls • Inspect and monitor traffic going out of a network rather than trying to block what’s coming in • Help block Distributed Denial of Service (DDoS) attacks
Specialty Firewalls • Protect specific types of network communications (eg, e-mail, instant-messaging) • Examples • Mail Marshal and WebMarshal by Marshal Software • OpenReach includes a small-scale packet-filtering firewall for its VPN • VOISS Proxy Firewall (VF-1) by VocalData • Speedware Corporation sells its own firewall software
Approaches That Add Functionality to a Firewall • Network Address Translation (NAT) • Encryption • Application proxies • VPNs • Intrusion detection systems (IDSs)
NAT • Converts publicly accessible IP addresses to private ones and vice versa; shields IP addresses of computers on the protected network from those on the outside
Encryption • Takes a request, turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router • Recipient decrypts the message and presents it to the end user in understandable form
Application Proxies • Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy) • Can be set up with either a dual-homed host or a screened host system
Application Proxies • Dual-homed setup • Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected • Screened subnet system • Host that holds proxy server software has a single network interface • Packet filters on either side of the host filter out all traffic except that destined for proxy server software
VPNs • Connect internal hosts with specific clients in other organizations • Connections are encrypted and limited only to machines with specific IP addresses • VPN gateway can: • Go on a DMZ • Bypass the firewall and connect directly to the internal LAN
Intrusion Detection Systems • Can be installed in external and/or internal routers at the perimeter of the network • Built into many popular firewall packages
Chapter Summary • How to design perimeter security for a network that integrates firewalls with a variety of other software and hardware components • Rules and restrictions that influence configuration of a security perimeter • Security configurations that either perform firewall functions or that use firewalls to create protected areas