Firewall Configuration and Administration

Learning Objectives
• Set up firewall rules that reflect an organization’s overall security approach
• Identify and implement different firewall configuration strategies
• Update a firewall to meet new needs and threats
• Adhere to proven security principles to help the firewall protect network resources
Learning Objectives (continued)
• Use a remote management interface
• Track firewall log files and follow the basic initial steps in responding to security incidents
• Understand the nature of advanced firewall functions
Establishing Firewall Rules and Restrictions
• Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them
• All firewalls have a rules file—the most important configuration file on the firewall
The Role of the Rules File
• Establishes the order in which the firewall evaluates its rules
• Tells the firewall which packets should be blocked and which should be allowed
• Requirements
– Need for scalability
– Importance of enabling productivity of end users while maintaining adequate security
Restrictive Firewalls
• Block all access by default; permit only specific types of traffic to pass through
Restrictive Firewalls (continued)
• Follow the concept of least privilege
• Spell out services that employees cannot use
• Use and maintain passwords
• Choose an approach
– Open
– Optimistic
– Cautious
– Strict
– Paranoid
Connectivity-Based Firewalls
• Have fewer rules; primary orientation is to let all traffic pass through and then block specific types of traffic
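The slides on the rules file, restrictive firewalls and connectivity-based firewalls describe the same mechanism from two directions: rules are evaluated in order, the first match decides, and a default policy covers everything else. The following is an added example written for these notes (it is not code from the slide deck or from any firewall product) of a toy first-match rule engine; the `Packet` and `Rule` types, the `evaluate` function and the documentation-range addresses are all assumptions of the example.

```python
"""Added example (not from the slide deck): a minimal first-match rule engine.

The rules file is evaluated top to bottom; the first rule that matches a
packet decides it, and the default policy applies when nothing matches.
A restrictive firewall uses default "deny"; a connectivity-based one uses
default "allow" and lists only what to block.  All addresses are
documentation ranges chosen for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); the index is None when
    the default policy decided the packet."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


# Restrictive: everything is blocked unless a rule permits it.
RESTRICTIVE_RULES = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),  # public web server
    Rule("allow", dst="192.0.2.11/32", proto="udp", dport=53),   # public DNS
]

# Connectivity-based: everything passes unless a rule blocks it.
CONNECTIVITY_RULES = [
    Rule("deny", dst="192.0.2.0/24", proto="tcp", dport=23),  # no cleartext telnet
]


def restrictive(pkt: Packet) -> Tuple[str, Optional[int]]:
    return evaluate(RESTRICTIVE_RULES, "deny", pkt)


def connectivity(pkt: Packet) -> Tuple[str, Optional[int]]:
    return evaluate(CONNECTIVITY_RULES, "allow", pkt)


def order_demo() -> Tuple[str, str]:
    """The same two rules in opposite order give opposite answers for the
    same packet, which is why the rules file defines an order."""
    pkt = Packet("203.0.113.5", "192.0.2.10", "tcp", 22)
    broad_allow = Rule("allow", dst="192.0.2.0/24")
    narrow_deny = Rule("deny", dst="192.0.2.10/32", proto="tcp", dport=22)
    return (evaluate([narrow_deny, broad_allow], "deny", pkt)[0],
            evaluate([broad_allow, narrow_deny], "deny", pkt)[0])


if __name__ == "__main__":
    ssh = Packet("203.0.113.5", "192.0.2.10", "tcp", 22)
    print("restrictive :", restrictive(ssh))    # ('deny', None)
    print("connectivity:", connectivity(ssh))   # ('allow', None)
    print("order_demo  :", order_demo())        # ('deny', 'allow')
```

The same SSH packet is dropped by the restrictive rule set, because nothing permits it, and passed by the connectivity-based one, because nothing forbids it; `order_demo` shows that a broad allow placed above a narrow deny silently cancels the deny, which is the usual way a rules file change opens something unintended.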
Firewall Configuration Strategies
• Criteria
– Scalable
– Take communication needs of individual employees into account
– Deal with IP address needs of the organization
Scalability
• Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed
Productivity
• The stronger and more elaborate the firewall, the slower the data transmissions
• Important features of firewall: processing and memory resources available to the bastion host
Dealing with IP Address Issues
• If service network needs to be privately rather than publicly accessible, which DNS will its component systems use?
• If you mix public and private addresses, how will Web server and DNS servers communicate?
• Let the proxy server do the IP forwarding (it’s the security device)
Approaches That Add Functionality to Your Firewall
• Network Address Translation (NAT)
• Port Address Translation (PAT)
• Encryption
• Application proxies
• VPNs
• Intrusion Detection and Prevention Systems (IDPSs)
NAT/PAT
• NAT and PAT convert publicly accessible IP addresses to private ones and vice versa; shields IP addresses of computers on the protected network from those on the outside
• Where NAT converts these addresses on a one-to-one association—internal to external—PAT allows one external address to map to multiple internal addresses
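To make the one-to-one versus many-to-one distinction concrete, here is an added example (written for these notes, not code from the slide deck or from any firewall) of two toy translation tables. The `Nat` and `Pat` classes, their method names and the documentation-range addresses are assumptions of the example; the point is how each table is keyed and why inbound traffic without a table entry has nowhere to go.

```python
"""Added example (not from the slide deck): toy NAT and PAT translation tables.

NAT maps each internal address to its own public address (one-to-one).
PAT maps many internal (address, port) pairs onto one public address and
tells them apart by the translated source port.  Addresses are documentation
ranges chosen for the example.
"""
from typing import Dict, List, Optional, Tuple


class Nat:
    """One-to-one NAT backed by a pool of public addresses."""

    def __init__(self, public_pool: List[str]) -> None:
        self.free = list(public_pool)
        self.table: Dict[str, str] = {}   # internal ip -> public ip

    def outbound(self, internal_ip: str) -> str:
        if internal_ip not in self.table:
            if not self.free:
                raise RuntimeError("public address pool exhausted")
            self.table[internal_ip] = self.free.pop(0)
        return self.table[internal_ip]

    def inbound(self, public_ip: str) -> Optional[str]:
        """Reverse lookup; None means no internal host owns that address."""
        for internal, public in self.table.items():
            if public == public_ip:
                return internal
        return None


class Pat:
    """Many-to-one PAT on a single public address."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Tuple[str, int], int] = {}   # (int ip, int port) -> public port
        self.back: Dict[int, Tuple[str, int]] = {}  # public port -> (int ip, int port)

    def outbound(self, internal_ip: str, internal_port: int) -> Tuple[str, int]:
        key = (internal_ip, internal_port)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return self.public_ip, self.out[key]

    def inbound(self, public_port: int) -> Optional[Tuple[str, int]]:
        """Only traffic matching an existing outbound entry reaches an
        internal host; anything else has nowhere to go and is dropped,
        which is what hides the internal addresses."""
        return self.back.get(public_port)


if __name__ == "__main__":
    nat = Nat(["198.51.100.1", "198.51.100.2"])
    print(nat.outbound("10.0.0.5"), nat.outbound("10.0.0.6"))
    pat = Pat("198.51.100.10")
    print(pat.outbound("10.0.0.5", 40000), pat.outbound("10.0.0.6", 40000))
    print(pat.inbound(1025), pat.inbound(9999))
```

With NAT a third internal host cannot get out once the two-address pool is used up; with PAT both hosts leave through the same public address and are told apart only by the port the table assigned, so an unsolicited inbound packet to an unknown port returns no entry.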
Encryption
• Takes a request and turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router
• Recipient decrypts the message and presents it to the end user in understandable form
Encryption (continued)
Application Proxies
• Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy)
• Can be set up with either a dual-homed host or a screened host system
Application Proxies (continued)
• Dual-homed setup
– Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected
• Screened subnet system
– Host that holds proxy server software has a single network interface
– Packet filters on either side of the host filter out all traffic except that destined for proxy server software
Application Proxies on a Dual-Homed Host
VPNs
• Connect internal hosts with specific clients in other organizations
• Connections are encrypted and limited only to machines with specific IP addresses
• VPN gateway can:
– Go on a DMZ
– Bypass the firewall and connect directly to the internal LAN
VPN Gateway Bypassing the Firewall
Intrusion Detection and Prevention Systems
• Can be installed in external and/or internal routers at the perimeter of the network
• Built into many popular firewall packages
IDPS Integrated into Perimeter Routers
IDPS Positioned between Firewall and Internet
Enabling a Firewall to Meet New Needs
• Throughput
• Scalability
• Security
• Recoverability
• Manageability
Verifying Resources Needed by the Firewall
• Ways to track memory and system resources
– Use the formula: MemoryUsage = ((ConcurrentConnections) / (AverageLifetime)) * (AverageLifetime + 50 seconds) * 120
– Use software’s own monitoring feature
Identifying New Risks
• Monitor activities and review log files
• Check Web sites to keep informed of latest dangers; install patches and updates
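"Review log files" is easier to act on with a concrete first pass. The following is an added example for these notes (not code from the slide deck, and not tied to any particular firewall's log format): it parses a constructed timestamp-plus-key=value log and summarises dropped packets per source, so repeated hits on closed ports stand out for follow-up. The log format, the sample lines, and the `parse_line` and `review` functions are all assumptions of the example.

```python
"""Added example (not from the slide deck): a first pass over firewall log
lines, the kind of review the slide calls for.

The log format (timestamp followed by key=value fields) and the sample lines
are constructed for this example; real firewalls differ, so only the parser
would change.  The review summarises dropped traffic per source so the
administrator can see which sources are repeatedly hitting closed ports.
"""
import re
from collections import defaultdict
from typing import Dict

FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample log: one noisy source probing several ports, one
# legitimate client, one lone drop.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=22
2024-05-01T10:00:02Z action=DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=23
2024-05-01T10:00:02Z action=ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:03Z action=DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=3389
2024-05-01T10:00:04Z action=DROP src=203.0.113.9 dst=192.0.2.11 proto=tcp dport=22
2024-05-01T10:00:05Z action=DROP src=198.51.100.7 dst=192.0.2.10 proto=udp dport=161
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split a log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD.findall(rest))
    fields["ts"] = ts
    return fields


def review(log_text: str, min_drops: int = 3) -> Dict[str, Dict[str, object]]:
    """Return, per source with at least `min_drops` dropped packets, how many
    drops it caused and the distinct destination ports it touched."""
    drops = defaultdict(int)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "DROP":
            continue
        drops[rec["src"]] += 1
        ports[rec["src"]].add(int(rec["dport"]))
    return {
        src: {"drops": n, "ports": sorted(ports[src])}
        for src, n in drops.items()
        if n >= min_drops
    }


if __name__ == "__main__":
    for src, info in review(SAMPLE_LOG).items():
        print(f"{src}: {info['drops']} drops on ports {info['ports']}")
```

On the sample log only 203.0.113.9 crosses the threshold, with drops across three different ports; the single drop from the otherwise legitimate client stays below it, which is the kind of noise a threshold is there to suppress. In practice the threshold and the time window it is measured over are tuned to the site's normal traffic.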
Adding Software Updates and Patches
• Test updates and patches as soon as you install them
• Ask vendors (of firewall, VPN appliance, routers, etc.) for notification when security patches are available
• Check manufacturer’s Web site for security patches and software updates
Adding Hardware
• Identify network hardware so firewall can include it in routing and protection services
– Different ways for different firewalls
• List workstations, routers, VPN appliances, and other gateways you add as the network grows
• Choose good passwords that you guard closely
Dealing with Complexity on the Network
• Distributed firewalls
– Installed at endpoints of the network, including remote computers that connect to network through VPNs
– Add complexity
• Require that you install and/or maintain a variety of firewalls located on your network and in remote locations
– Add security
• Protect network from viruses or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)
Adhering to Proven Security Principles
• Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management
– Secure physical environment where firewall-related equipment is housed
– Importance of locking software so that unauthorized users cannot access it
Environmental Management
• Measures taken to reduce risks to physical environment where resources are stored
– Back-up power systems overcome power outages
– Back-up hardware and software help recover network data and services in case of equipment failure
– Sprinkler/alarm systems reduce damage from fire
– Locks guard against theft
BIOS, Boot, and Screen Locks
• BIOS and boot-up passwords
• Supervisor passwords
• Screen saver passwords
Remote Management Interface
• Software that enables you to configure and monitor firewall(s) that are located at different network locations
• Used to start/stop the firewall or change rule base from locations other than the primary computer
Why Remote Management Tools Are Important
• Reduce time and make the job easier for the security administrator
• Reduce chance of configuration errors that might result if the same changes were made manually for each firewall on the network
Security Concerns
• Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems
– Offers strong security controls (e.g., multifactor authentication and encryption)
– Should have an auditing feature
– Should use tunneling to connect to the firewall or use certificates for authentication
• Evaluate SIM software to ensure it does not introduce new vulnerabilities
Basic Features of Remote Management Tools
• Ability to monitor and configure firewalls from a single centralized location
– View and change firewall status
– View firewall’s current activity
– View any firewall event or alert messages
• Ability to start and stop firewalls as needed
Automating Security Checks
• Outsource firewall management
Configuring Advanced Firewall Functions
• Ultimate goal
– High availability
– Scalability
• Advanced firewall functions
– Data caching
– Redundancy
– Load balancing
– Content filtering
Data Caching
• Set up a server that will:
– Receive requests for URLs
– Filter those requests against different criteria
• Options
– No caching
– URI Filtering Protocol (UFP) server
– VPN & Firewall (one request)
– VPN & Firewall (two requests)
Hot Standby Redundancy
• Secondary or failover firewall is configured to take over traffic duties in case primary firewall fails
• Usually involves two firewalls; only one operates at any given time
• The two firewalls are connected in a heartbeat network
Hot Standby Redundancy (continued)
Hot Standby Redundancy (continued)
• Advantages
– Ease and economy of setup and quick backup system it provides for the network
– One firewall can be stopped for maintenance without stopping network traffic
• Disadvantages
– Does not improve network performance
– VPN connections may or may not be included in the failover system
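The heartbeat network mentioned on these slides is what turns "take over in case the primary fails" into a decision a machine can make. Below is an added example for these notes (not code from the slide deck or from any failover product) that simulates a hot-standby pair: each firewall records heartbeats on a shared clock, and the standby takes over once the active unit has been silent for longer than a timeout. The `StandbyPair` class, its timeout of three seconds, and the heartbeat schedule in `simulate` are assumptions of the example.

```python
"""Added example (not from the slide deck): a heartbeat monitor for a
hot-standby firewall pair.

Both firewalls send heartbeats over a dedicated heartbeat network; only the
active one forwards traffic.  If the active firewall misses heartbeats for
longer than `timeout`, the standby takes over.  Times are seconds on a
simulated clock; the schedule below is constructed for the example.
"""
from typing import Dict, List, Tuple


class StandbyPair:
    def __init__(self, timeout: float = 3.0) -> None:
        self.timeout = timeout
        self.active = "primary"
        self.last_beat: Dict[str, float] = {"primary": 0.0, "secondary": 0.0}
        self.failovers: List[Tuple[float, str, str]] = []  # (time, from, to)

    def heartbeat(self, node: str, now: float) -> None:
        self.last_beat[node] = now

    def check(self, now: float) -> str:
        """Return which firewall should carry traffic at time `now`."""
        standby = "secondary" if self.active == "primary" else "primary"
        active_dead = now - self.last_beat[self.active] > self.timeout
        standby_alive = now - self.last_beat[standby] <= self.timeout
        # Only fail over when the standby is known to be alive; otherwise
        # keep the current assignment rather than having nobody forward.
        if active_dead and standby_alive:
            self.failovers.append((now, self.active, standby))
            self.active = standby
        return self.active


def simulate(primary_last_beat: float = 5.0, end: float = 10.0) -> StandbyPair:
    """Primary stops sending heartbeats after `primary_last_beat`; the
    secondary keeps beating every second."""
    pair = StandbyPair(timeout=3.0)
    t = 0.0
    while t <= end:
        if t <= primary_last_beat:
            pair.heartbeat("primary", t)
        pair.heartbeat("secondary", t)
        pair.check(t)
        t += 1.0
    return pair


if __name__ == "__main__":
    pair = simulate()
    print("active after simulation:", pair.active)   # secondary
    print("failover events:", pair.failovers)        # [(9.0, 'primary', 'secondary')]
```

With the primary silent from t = 6 onward, the monitor tolerates three seconds of missed heartbeats and hands traffic to the secondary at t = 9. The toy keeps its state in one place, so it can never end up with both units active; real pairs exchange heartbeats across a link that can itself fail, which is why the heartbeat network is usually a separate, dedicated connection and why a tie-breaker is needed when each side believes the other is dead.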
Load Balancing
• Practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems
• Load sharing
– Practice of configuring two or more firewalls to share the total traffic load
• Traffic between firewalls is distributed by routers using special routing protocols
– Open Shortest Path First (OSPF)
– Border Gateway Protocol (BGP)
Load Balancing (continued)
Load Sharing
• Advantages
– Improves total network performance
– Maintenance can be performed on one firewall without disrupting total network traffic
• Disadvantages
– Load usually distributed unevenly (can be remedied by using layer four switches)
– Configuration can be complex to administer
Filtering Content
• Firewalls don’t scan for viruses but can work with third-party applications to scan for viruses or other functions
– Open Platform for Security (OPSEC) model
– Content Vectoring Protocol (CVP)
Filtering Content (continued)
• Install anti-virus software on SMTP gateway in addition to providing desktop anti-virus protection for each computer
• Choose an anti-virus gateway product that:
– Provides for content filtering
– Can be updated regularly to account for recent viruses
– Can scan the system in real time
– Has detailed logging capabilities
Chapter Summary
• After establishing a security policy, implement the strategies that policy specifies
• If primary goal of planned firewall is to block unauthorized access, you must emphasize restricting rather than enabling connectivity
• A firewall must be scalable so it can grow with the network it protects
Chapter Summary (continued)
• The stronger and more elaborate your firewall, the slower data transmissions are likely to be
• The more complex a network becomes, the more IP-addressing complications arise
• Network security setups can become more complex when specific functions are added
Chapter Summary (continued)
• Firewalls must be maintained regularly to assure critical measures of success are kept within acceptable levels of performance
• Successful firewall management requires adherence to principles that have been put forth by reputable organizations to ensure that firewalls and network security configurations are maintained correctly
Chapter Summary (continued)
• Remote management allows configuration and monitoring of one or more firewalls that are located at different network locations
• Ultimate goal for many organizations is the development of a high-performance firewall configuration that has high availability and that can be scaled as the organization grows; accomplished by using data caching, redundancy, load balancing, and content filtering