ISA 3200 Network Security, Chapter 8: Firewall Configuration and Administration
Learning Objectives • Set up firewall rules that reflect an organization’s overall security approach • Identify and implement different firewall configuration strategies • Update a firewall to meet new needs and threats • Adhere to proven security principles to help the firewall protect network resources IS 3200, Summer 2010
Learning Objectives (continued) • Use a remote management interface • Track firewall log files and follow the basic initial steps in responding to security incidents • Understand the nature of advanced firewall functions
Establishing Firewall Rules and Restrictions • Rules give the firewall specific criteria for deciding whether to allow a packet through or drop it • Every firewall has a rules file (rule base); it is the most important configuration file on the firewall, so back it up, keep its history and restrict who may change it
The Role of the Rules File • Establishes the order in which rules are evaluated; most firewalls act on the first rule that matches a packet, so a broad rule placed above a narrower one shadows it (a few products, such as pf, use last match by default, so know which your product does) • Tells the firewall which packets should be blocked and which should be allowed • Requirements • Need for scalability (the rule base must stay manageable as the network grows) • Importance of enabling productivity of end users while maintaining adequate security
Restrictive Firewalls • Block all access by default (default deny); permit only the specific types of traffic that are explicitly listed
Restrictive Firewalls (continued) • Follow the principle of least privilege • Spell out in policy which services employees can and cannot use; anything not explicitly permitted is denied • Use and maintain passwords (require authentication on the services that are allowed) • Choose an approach, from most permissive to most restrictive • Open • Optimistic • Cautious • Strict • Paranoid
Connectivity-Based Firewalls • Have fewer rules; primary orientation is to let all traffic pass through (default allow) and then block specific types of traffic • Anything not anticipated by a block rule is permitted, so new services and new attack traffic get through until someone writes a rule for them
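The difference between the two approaches, and the effect of rule order, shown with a small first-match rule engine. This is an added example, not code from the course slides; the rule syntax, the 10.0.0.0/8 addresses and the three sample packets are constructed for the illustration.

```python
"""First-match firewall rule base (added illustration, not code from the slides).
Rules are evaluated top-down; the first rule that matches a packet decides, and
the default policy applies when nothing matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str = "0.0.0.0/0"     # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, packet: Packet, default: str) -> str:
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Constructed rule base: a web server at 10.0.1.5 and a telnet service on
# 10.0.1.7 that policy says nobody outside may reach.  Nothing mentions SSH.
RULES = [
    Rule("allow", dst="10.0.1.5/32", proto="tcp", dport=443),
    Rule("deny", dst="10.0.1.7/32", proto="tcp", dport=23),
]

SAMPLES = {
    "https_to_web": Packet("203.0.113.9", "10.0.1.5", "tcp", 443),
    "telnet_to_host": Packet("203.0.113.9", "10.0.1.7", "tcp", 23),
    "ssh_to_web": Packet("203.0.113.9", "10.0.1.5", "tcp", 22),   # no rule at all
}


def decide_all(default: str) -> dict:
    """Run every sample packet through RULES under the given default policy."""
    return {name: evaluate(RULES, p, default) for name, p in SAMPLES.items()}


def ordering_matters() -> tuple:
    """Same two rules in opposite orders.  A 'deny all tcp' placed above the
    allow rule shadows it, so even HTTPS to the web server is dropped."""
    allow_web = Rule("allow", dst="10.0.1.5/32", proto="tcp", dport=443)
    deny_tcp = Rule("deny", proto="tcp")
    p = SAMPLES["https_to_web"]
    return (evaluate([allow_web, deny_tcp], p, "deny"),
            evaluate([deny_tcp, allow_web], p, "deny"))


if __name__ == "__main__":
    print("restrictive (default deny):  ", decide_all("deny"))
    print("connectivity (default allow):", decide_all("allow"))
    print("allow-then-deny vs deny-then-allow:", ordering_matters())
```

Under default deny the three packets come back allow/deny/deny; under default allow they come back allow/deny/allow. The SSH probe, which no rule mentions, is exactly what a connectivity-based firewall lets through. The last function shows a broad deny placed above a narrow allow shadowing it, which is why rule order belongs in change review.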
Firewall Configuration Strategies • Criteria • Scalable • Take communication needs of individual employees into account • Deal with IP address needs of the organization
Scalability • Provide for the firewall's growth: review the rule base and resource usage periodically and upgrade software and hardware as needed
Productivity • The more inspection a firewall does (more rules, stateful tracking, application proxying), the more latency it adds and the less throughput it delivers; strength is traded against speed • What the firewall can afford depends on the processing and memory resources available to the bastion host
Dealing with IP Address Issues • If the service network needs to be privately rather than publicly accessible, which DNS will its component systems use? • If you mix public and private addresses, how will the Web server and DNS servers communicate? • Let the proxy server (the security device) do the IP forwarding and translation rather than the individual hosts
Approaches That Add Functionality to Your Firewall • Network Address Translation (NAT) • Port Address Translation (PAT) • Encryption • Application proxies • VPNs • Intrusion Detection and Prevention Systems (IDPSs)
NAT/PAT • NAT and PAT translate between the private addresses used on the protected network and the publicly routable addresses seen outside, and vice versa; the internal addressing plan is hidden from hosts on the outside • NAT in its one-to-one form maps each internal address to its own external address; PAT lets many internal addresses share one external address by rewriting source ports and keeping a translation table so replies can be mapped back • Hiding addresses is a side effect, not a filtering control: a translated connection is still a connection, and an outbound connection from a compromised internal host opens a table entry just as a legitimate one does
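How PAT keeps many inside hosts behind one public address, and why an unsolicited inbound packet has nowhere to go, as an added example that is not code from the slides. The addresses, the port allocator starting at 1024 and the table layout are assumptions made for the illustration; a real firewall also ages entries out and tracks TCP state, which is omitted here.

```python
"""Port Address Translation (PAT/NAPT) table (added illustration, not from the
slides).  Outbound connections get a fresh public source port and a table
entry; inbound packets are reverse-mapped through the table, and anything
without an entry is unsolicited and dropped.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "198.51.100.1"   # constructed: the firewall's outside address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


Key = Tuple[str, int, str, int]   # (inside ip, inside port, peer ip, peer port)


class PatTable:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port          # assumption: sequential allocation
        self.outbound: Dict[Key, int] = {}   # key -> allocated public port
        self.inbound: Dict[int, Key] = {}    # allocated public port -> key

    def translate_outbound(self, p: Packet) -> Packet:
        """Rewrite an inside host's packet to leave from the public address."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(p, src=self.public_ip, sport=self.outbound[key])

    def translate_inbound(self, p: Packet) -> Optional[Packet]:
        """Reverse-map a packet arriving at the public address.  Returns None
        (drop) when no outbound connection created a matching entry."""
        entry = self.inbound.get(p.dport)
        if entry is None or p.dst != self.public_ip:
            return None
        inside_ip, inside_port, peer_ip, peer_port = entry
        # The peer must match as well; otherwise any outside host could ride
        # on a mapping it did not open (full-cone behaviour).
        if (p.src, p.sport) != (peer_ip, peer_port):
            return None
        return replace(p, dst=inside_ip, dport=inside_port)


def demo() -> dict:
    pat = PatTable(PUBLIC_IP)
    # Two inside hosts both happen to use source port 40000 to reach one server.
    a = pat.translate_outbound(Packet("10.0.0.5", 40000, "93.184.216.34", 443))
    b = pat.translate_outbound(Packet("10.0.0.6", 40000, "93.184.216.34", 443))
    # Replies come back to the public address on the distinct allocated ports.
    reply_a = pat.translate_inbound(Packet("93.184.216.34", 443, PUBLIC_IP, a.sport))
    reply_b = pat.translate_inbound(Packet("93.184.216.34", 443, PUBLIC_IP, b.sport))
    # An outsider probing port 22 on the public address finds no entry: dropped.
    probe = pat.translate_inbound(Packet("203.0.113.7", 5555, PUBLIC_IP, 22))
    # A different outside host aiming at an open mapping is dropped too.
    hijack = pat.translate_inbound(Packet("203.0.113.7", 443, PUBLIC_IP, a.sport))
    return {
        "a_out": (a.src, a.sport), "b_out": (b.src, b.sport),
        "reply_a": (reply_a.dst, reply_a.dport), "reply_b": (reply_b.dst, reply_b.dport),
        "probe": probe, "hijack": hijack,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:8} {value}")
```

Both inside hosts leave as 198.51.100.1 with different ports, each reply lands back on the right host, and the two inbound packets that no inside host asked for are dropped. That drop is the "shielding" the slide refers to, and it exists only because of the table, not because the addresses are private.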
Encryption • Two firewalls or routers protect the traffic between them by first exchanging public keys (or otherwise authenticating each other and agreeing on a shared secret) and deriving a session key; the sender then turns each packet into ciphertext with that key, so anyone capturing traffic in between sees only gibberish • The recipient gateway decrypts the packet and presents it to the end user in understandable form • A private key never leaves the host that owns it: data encrypted for a recipient is encrypted with the recipient's public key, and only the matching private key can decrypt it
Application Proxies • Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with the proxy • Because the request is rebuilt, malformed or protocol-violating traffic from the client never reaches the server unchanged • Can be set up on either a dual-homed host or a screened subnet
Application Proxies (continued) • Dual-homed setup • Host that runs the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected; IP forwarding between the two interfaces is disabled so that only the proxy carries traffic across • Screened subnet setup • Host that runs the proxy server software has a single network interface • Packet filters on either side of the host filter out all traffic except that destined for the proxy server software
Application Proxies on a Dual-Homed Host
VPNs • Connect internal hosts with remote users, branch offices or specific partner organizations across an untrusted network • Connections are encrypted and authenticated; access is limited to endpoints that can prove their identity (certificates or credentials), not merely to machines with specific IP addresses, since a source address on its own can be spoofed • VPN gateway can: • Go on a DMZ, so that traffic leaving the tunnel is still filtered by the firewall before it reaches the internal LAN • Bypass the firewall and connect directly to the internal LAN; the firewall then never sees the decrypted traffic, so the gateway itself must enforce the policy
VPN Gateway Bypassing the Firewall
Intrusion Detection and Prevention Systems • Can be installed in external and/or internal routers at the perimeter of the network • Built into many popular firewall packages
IDPS Integrated into Perimeter Routers
IDPS Positioned between Firewall and Internet
Enabling a Firewall to Meet New Needs • Throughput • Scalability • Security • Recoverability • Manageability
Verifying Resources Needed by the Firewall • Ways to track memory and system resources • Use a sizing formula for the connection (state) table, such as: MemoryUsage = (ConcurrentConnections / AverageLifetime) × (AverageLifetime + 50 seconds) × 120, where ConcurrentConnections / AverageLifetime is the connection rate, AverageLifetime + 50 seconds is how long each entry is held (the 50 seconds allow for entries that linger after a connection ends), 120 is the assumed cost of one table entry, and lifetimes are in seconds • Use the software's own monitoring feature
Identifying New Risks • Monitor activities and review log files regularly; a rise in dropped packets from one source, connections to ports you never opened, or rule hits at unusual hours are the first signs of a probe or a misconfiguration • Check vendor and security Web sites to keep informed of the latest dangers; install patches and updates
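A first pass over firewall logs of the kind the objectives call for, as an added example that is not part of the slides. The log lines are constructed in the format produced by the Linux iptables LOG target with a "FW-DROP" prefix; the thresholds (five distinct ports within sixty seconds, three hits on one service) are assumptions to tune for your own traffic.

```python
"""Firewall log triage over constructed iptables-style LOG lines (added
example, not from the slides).  The parser pulls the key=value fields, then
two detectors flag a source hitting many distinct ports on one host within a
short window (port scan) and a source repeatedly hitting a denied service.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines.  Syslog timestamps carry no year; 2010 is assumed.
SAMPLE_LOG = """\
Jun 12 10:01:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.1.5 PROTO=TCP SPT=40001 DPT=21 SYN
Jun 12 10:01:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.1.5 PROTO=TCP SPT=40002 DPT=22 SYN
Jun 12 10:01:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.1.5 PROTO=TCP SPT=40003 DPT=23 SYN
Jun 12 10:01:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.1.5 PROTO=TCP SPT=40004 DPT=25 SYN
Jun 12 10:01:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.1.5 PROTO=TCP SPT=40005 DPT=80 SYN
Jun 12 10:01:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.1.5 PROTO=TCP SPT=40006 DPT=110 SYN
Jun 12 10:05:10 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.1.7 PROTO=TCP SPT=51000 DPT=23 SYN
Jun 12 10:05:40 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.1.7 PROTO=TCP SPT=51001 DPT=23 SYN
Jun 12 10:06:15 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.1.7 PROTO=TCP SPT=51002 DPT=23 SYN
Jun 12 10:09:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.1.5 PROTO=UDP SPT=9 DPT=123
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse(text: str, year: int = 2010) -> list:
    """Turn log lines into event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        kv = dict(KV_RE.findall(m.group("fields")))
        events.append({"ts": ts, "action": m.group("prefix"), "src": kv.get("SRC"),
                       "dst": kv.get("DST"), "proto": kv.get("PROTO"),
                       "dport": int(kv["DPT"]) if kv.get("DPT") else None})
    return events


def find_port_scans(events, min_ports: int = 5, window_s: int = 60) -> list:
    """A source touching >= min_ports distinct ports on one destination within
    window_s seconds is reported with the evidence an incident handler needs:
    source, target, ports and the time span."""
    by_pair = defaultdict(list)
    for e in events:
        if e["action"] == "FW-DROP" and e["dport"] is not None:
            by_pair[(e["src"], e["dst"])].append(e)
    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if (e["ts"] - start["ts"]).total_seconds() <= window_s]
            ports = sorted({e["dport"] for e in in_window})
            if len(ports) >= min_ports:
                findings.append({"src": src, "dst": dst, "ports": ports,
                                 "first": start["ts"], "last": in_window[-1]["ts"]})
                break
    return findings


def find_repeat_offenders(events, min_hits: int = 3) -> dict:
    """Sources dropped min_hits or more times against the same service."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "FW-DROP":
            counts[(e["src"], e["dst"], e["dport"])] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(find_port_scans(evs))
    print(find_repeat_offenders(evs))
```

On the sample, 203.0.113.9 is reported sweeping six ports on 10.0.1.5 in two seconds, and 198.51.100.77 for three attempts on the blocked telnet service; the lone NTP drop from 192.0.2.44 is noise and is not reported. Recording the source, target, ports and time span for each finding is the minimum an incident response needs before anyone touches the rule base.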
Adding Software Updates and Patches • Test updates and patches on a test system or during a maintenance window before relying on them in production, and verify afterwards that the rule base still behaves as intended • Ask vendors (of firewall, VPN appliance, routers, etc.) to notify you when security patches are available • Check the manufacturer's Web site for security patches and software updates
Adding Hardware • Identify network hardware so the firewall can include it in routing and protection services • Different ways for different firewalls • List workstations, routers, VPN appliances, and other gateways you add as the network grows • Choose good passwords that you guard closely
Dealing with Complexity on the Network • Distributed firewalls • Installed at endpoints of the network, including remote computers that connect to the network through VPNs • Add complexity • Require that you install and/or maintain a variety of firewalls located on your network and in remote locations • Add security • Protect the network from malware or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)
Adhering to Proven Security Principles • Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management • Secure the physical environment where firewall-related equipment is housed • Importance of locking software so that unauthorized users cannot access it
Environmental Management • Measures taken to reduce risks to the physical environment where resources are stored • Back-up power systems overcome power outages • Back-up hardware and software help recover network data and services in case of equipment failure • Sprinkler/alarm systems reduce damage from fire • Locks guard against theft
BIOS, Boot, and Screen Locks • BIOS and boot-up passwords, with booting from removable media disabled, so that someone with physical access cannot boot another operating system and read or alter the rules file • Supervisor passwords • Screen saver passwords
Remote Management Interface • Software that enables you to configure and monitor firewall(s) that are located at different network locations • Used to start/stop the firewall or change the rule base from locations other than the primary computer
Why Remote Management Tools Are Important • Reduce time and make the job easier for the security administrator • Reduce the chance of configuration errors that might result if the same changes were made manually on each firewall on the network
Security Concerns • The remote management interface is itself an attack surface: whoever reaches it can rewrite the rule base, so it must be protected at least as well as the firewall's own interfaces • A Security Information Management (SIM) device can help prevent unauthorized users from circumventing security systems • The management tool should offer strong security controls (e.g., multi-factor authentication and encryption) • Should have an auditing feature that records who changed what and when • Should use tunneling (an encrypted channel) to connect to the firewall and certificates for authentication, and should accept connections only from designated management hosts • Evaluate SIM software to ensure it does not introduce new vulnerabilities
Basic Features of Remote Management Tools • Ability to monitor and configure firewalls from a single centralized location • View and change firewall status • View the firewall's current activity • View any firewall event or alert messages • Ability to start and stop firewalls as needed
Automating Security Checks • One option is to outsource firewall management to a managed security service provider
Configuring Advanced Firewall Functions • Ultimate goal • High availability • Scalability • Advanced firewall functions • Data caching • Redundancy • Load balancing • Content filtering
Data Caching • Set up a server that will: • Receive requests for URLs • Filter those requests against different criteria • Options • No caching • URI Filtering Protocol (UFP) server • VPN & Firewall (one request) • VPN & Firewall (two requests)
Hot Standby Redundancy • A secondary or failover firewall is configured to take over traffic duties in case the primary firewall fails • Usually involves two firewalls; only one passes traffic at any given time • The two firewalls are connected by a dedicated heartbeat network over which the primary signals that it is alive
Hot Standby Redundancy (continued) • Advantages • Ease and economy of setup and the quick backup it provides for the network • One firewall can be stopped for maintenance without stopping network traffic • Disadvantages • Does not improve network performance; the standby sits idle • VPN tunnels and connection state may or may not be carried over; without state synchronization, sessions in progress drop at failover • If only the heartbeat link fails, a standby that trusts heartbeats alone activates while the primary is still running, and two active firewalls then fight over the same addresses (split brain)
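The standby's decision logic, as an added example that is not code from the slides or from any vendor's high-availability feature. The timings (one-second heartbeats, takeover after three misses) and the second signal, a reachability check of the primary across the inside LAN, are assumptions made for the illustration.

```python
"""Hot-standby failover decision logic (added example, not the slides' or a
vendor's code).  The standby counts missed heartbeats from the primary over the
heartbeat link and promotes itself after miss_limit misses.  A second signal
shows why heartbeats alone are not enough: when only the heartbeat link is
cut, the primary is still up and promoting would create a split brain.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Standby:
    interval_s: float = 1.0        # expected heartbeat period (assumption)
    miss_limit: int = 3            # consecutive misses before takeover (assumption)
    last_seen: float = 0.0
    misses: int = 0
    promoted_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    @property
    def active(self) -> bool:
        return self.promoted_at is not None

    def on_heartbeat(self, now: float) -> None:
        self.last_seen = now
        self.misses = 0

    def on_tick(self, now: float, peer_alive_on_lan: Optional[bool] = None) -> None:
        """Called once per interval.  peer_alive_on_lan is the optional second
        signal; None means the standby has only the heartbeat link to go on."""
        if now - self.last_seen > self.interval_s * 1.5:
            self.misses += 1
        if self.misses < self.miss_limit or self.active:
            return
        if peer_alive_on_lan:
            # Heartbeats stopped but the primary still answers on the LAN:
            # promoting now would put two active firewalls on the wire.
            self.log.append(f"t={now:.0f}: heartbeat lost, peer alive on LAN, staying standby")
            return
        self.promoted_at = now
        self.log.append(f"t={now:.0f}: promoted to active after {self.misses} misses")


def simulate(heartbeats_stop_at: float, primary_still_up: bool,
             use_lan_check: bool, steps: int = 10) -> Standby:
    """One-second ticks.  The primary heartbeats until heartbeats_stop_at;
    primary_still_up=True models a cut heartbeat link with the primary alive,
    False models a dead primary.  use_lan_check enables the second signal."""
    sb = Standby()
    for t in range(steps):
        now = float(t)
        if now < heartbeats_stop_at:
            sb.on_heartbeat(now)
        alive = primary_still_up or now < heartbeats_stop_at
        sb.on_tick(now + 1.0, peer_alive_on_lan=alive if use_lan_check else None)
    return sb


def split_brain(heartbeats_stop_at: float, use_lan_check: bool) -> bool:
    """True if the standby activates while the primary is in fact still up."""
    return simulate(heartbeats_stop_at, True, use_lan_check).active


if __name__ == "__main__":
    print("primary dead:            ", simulate(4.0, False, False).log)
    print("link cut, heartbeat only:", simulate(4.0, True, False).log, "split brain:", split_brain(4.0, False))
    print("link cut, with LAN check:", simulate(4.0, True, True).log[:1], "split brain:", split_brain(4.0, True))
```

With the last heartbeat at t=3 the standby takes over at t=7 in both variants when the primary really is dead. When only the heartbeat link is cut, the heartbeat-only standby takes over at the same moment and the network now has two active firewalls, while the variant with the LAN check stays passive. Real products add exactly this kind of second signal (interface monitoring, a witness host) and a way to fence the old primary.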
Load Balancing • Practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems • Load sharing • Practice of configuring two or more firewalls to share the total traffic load • Traffic between the firewalls is distributed by routers using routing protocols such as: • Open Shortest Path First (OSPF) • Border Gateway Protocol (BGP)
Load Balancing (continued)
Load Sharing • Advantages • Improves total network performance • Maintenance can be performed on one firewall without disrupting total network traffic • Disadvantages • Load is usually distributed unevenly when routers split traffic by source or destination address alone (can be remedied by using layer four switches, which balance on ports as well) • A stateful firewall must see both directions of a connection, so the split must keep each flow on one firewall or the firewalls must synchronize state; otherwise replies arrive at a firewall with no record of the connection and are dropped • Configuration can be complex to administer
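Why the way traffic is split between the firewalls matters, as an added example that is not code from the slides. The traffic mix, the addresses and the SHA-256 bucket hash are constructed for the illustration; real routers and layer-four switches use their own hash functions, but the need for a symmetric per-flow key is the same.

```python
"""Flow-aware load sharing across two firewalls (added example, not the
slides' or any vendor's code).  Per-packet round robin sends a flow's reply to
the other firewall; a symmetric 5-tuple hash keeps both directions together
while spreading flows; a source-address-only hash keeps them together but
piles everything from one busy address onto one firewall.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def reply_to(p: Packet) -> Packet:
    """The return packet of a flow: endpoints swapped."""
    return Packet(p.dst, p.dport, p.src, p.sport, p.proto)


def flow_key(p: Packet) -> str:
    """Symmetric 5-tuple: endpoints sorted so a packet and its reply share a key."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return f"{p.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def _bucket(key: str, n: int) -> int:
    digest = hashlib.sha256(key.encode()).digest()   # assumption: any well-mixed hash will do
    return int.from_bytes(digest[:4], "big") % n


def by_flow_hash(p: Packet, n: int) -> int:
    return _bucket(flow_key(p), n)


def by_source_address(p: Packet, n: int) -> int:
    """Layer-3 only: every flow from one address lands on the same firewall."""
    return _bucket(p.src, n)


def keeps_flows_together(assign: Callable[[Packet, int], int], flows: List[Packet], n: int = 2) -> bool:
    """True if every flow's forward packet and reply go to the same firewall."""
    return all(assign(p, n) == assign(reply_to(p), n) for p in flows)


def round_robin_split_flows(flows: List[Packet], n: int = 2) -> int:
    """Per-packet round robin over n firewalls: count flows whose forward packet
    and reply went to different firewalls (neither holds the full state)."""
    nxt = cycle(range(n))
    return sum(1 for _ in flows if next(nxt) != next(nxt))


def distribution(assign: Callable[[Packet, int], int], flows: List[Packet], n: int = 2) -> Counter:
    """How many flows each firewall receives under a given assignment."""
    return Counter(assign(p, n) for p in flows)


def constructed_flows() -> List[Packet]:
    """Constructed traffic mix: 200 connections from one busy NAT'd proxy
    address plus 50 from distinct hosts, all to one web server."""
    proxy = [Packet("203.0.113.10", 30000 + i, "10.0.1.5", 443) for i in range(200)]
    others = [Packet(f"198.51.100.{i}", 40000, "10.0.1.5", 443) for i in range(1, 51)]
    return proxy + others


if __name__ == "__main__":
    flows = constructed_flows()
    print("round robin, flows split across firewalls:", round_robin_split_flows(flows))
    print("flow hash   symmetric:", keeps_flows_together(by_flow_hash, flows),
          "spread:", dict(distribution(by_flow_hash, flows)))
    print("source hash symmetric:", keeps_flows_together(by_source_address, flows),
          "spread:", dict(distribution(by_source_address, flows)))
```

Round robin splits every one of the 250 flows between the two firewalls, so a stateful firewall on either side would drop the replies. Hashing on the source address alone is symmetric only by accident (the reply's source is the server) and sends all 200 proxy connections to one firewall, the uneven split the slide mentions. The sorted 5-tuple key keeps each flow whole and spreads the 250 flows roughly evenly, which is what a port-aware layer-four switch gives you.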
Filtering Content • Firewalls themselves don't scan for viruses but can hand traffic to third-party applications that scan for viruses or perform other content checks • Open Platform for Security (OPSEC) model • Content Vectoring Protocol (CVP)
Filtering Content (continued) • Install anti-virus software on the SMTP gateway in addition to providing desktop anti-virus protection for each computer • Choose an anti-virus gateway product that: • Provides for content filtering • Can be updated regularly to account for recent viruses • Can scan in real time • Has detailed logging capabilities
Chapter Summary • After establishing a security policy, implement the strategies that policy specifies • If the primary goal of the planned firewall is to block unauthorized access, you must emphasize restricting rather than enabling connectivity • A firewall must be scalable so it can grow with the network it protects • The stronger and more elaborate your firewall, the slower data transmissions are likely to be • The more complex a network becomes, the more IP-addressing complications arise
Chapter Summary (continued) • Network security setups become more complex when specific functions are added • Firewalls must be maintained regularly to keep critical measures of success within acceptable levels of performance • Successful firewall management requires adherence to principles put forth by reputable organizations to ensure that firewalls and network security configurations are maintained correctly