Chapter 8
Firewall Configuration and Administration
Establishing Rules and Restrictions for Your Firewall
1. The firewall rules and the definitions that you set up tell the firewall what types of traffic to allow into and out of your network. Note that all firewalls have a rules file, which is the most important configuration file on your firewall.
The Role of the Rules File
1. The specific packet-filtering rules that you set up for a firewall actually implement the security approach specified in your security policy. A restrictive approach will be reflected in a set of rules that blocks all access by default and then permits only specific types of traffic to pass through. A connectivity-based approach will have fewer rules because its primary orientation is to let all traffic through and then block specific types of traffic.
Restrictive Firewalls
1. If the primary goal of your planned firewall is to block unauthorized access, the emphasis needs to be on restricting rather than enabling connectivity. The table below describes some primarily restrictive approaches.
Approach | What It Does | Advantage | Disadvantage
--- | --- | --- | ---
Deny-All | Blocks all packets except those specifically allowed | More secure; requires fewer rules | May result in user complaints
In Order (sometimes called "first fit") | Processes firewall rules in top-to-bottom order | Good security | Incorrect order can cause chaos
Best Fit | The firewall determines the order in which the rules are processed; usually it starts with the most specific rules and goes to the most general | Easy to manage; reduces risk of operator error | Lack of control
Connectivity-Based Firewalls
1. The following table lists the advantages and disadvantages of approaches that emphasize connectivity rather than restriction (compare them with the restrictive approaches above).
Approach | What It Does | Advantage | Disadvantage
--- | --- | --- | ---
Allow-All | Allows all packets to pass through except those specifically identified to be blocked | Easy to implement | Provides minimal security; requires complex rules
Port 80 / Except Video | Allows Web surfing without restrictions, except for video files | Lets users surf the Web | Opens network to Web vulnerabilities
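To make the difference between the Deny-All, In Order (first fit) and Best Fit approaches in the two tables concrete, here is a small added example (not code from the original chapter) that evaluates a constructed rule base both ways. The addresses, ports and the rule base are hypothetical; the point is that a general "allow" placed above a specific "deny" silently wins under first fit, while best fit picks the more specific rule regardless of position, and that unmatched traffic gets the Deny-All or Allow-All default.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation; "0.0.0.0/0" = any
    dst_port: Optional[int]  # destination port; None = any port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)
        return in_net and (self.dst_port is None or self.dst_port == dst_port)

    def specificity(self):
        # A longer prefix and an explicit port make a rule more specific.
        return (ipaddress.ip_network(self.src, strict=False).prefixlen, int(self.dst_port is not None))


def first_fit(rules: List[Rule], src_ip: str, dst_port: int, default: str = "deny") -> str:
    """In Order / first fit: the first rule that matches wins; unmatched traffic gets the default."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return default


def best_fit(rules: List[Rule], src_ip: str, dst_port: int, default: str = "deny") -> str:
    """Best fit: the most specific matching rule wins, whatever its position in the rule base."""
    matching = [r for r in rules if r.matches(src_ip, dst_port)]
    if not matching:
        return default
    return max(matching, key=Rule.specificity).action


# Constructed rule base (hypothetical addresses). The intent is "allow SSH from the
# 10/8 corporate range, except from the 10.0.5.0/24 guest subnet", but the general
# rule has been placed above the specific one.
MISORDERED = [
    Rule("allow", "10.0.0.0/8", 22),
    Rule("deny", "10.0.5.0/24", 22),
]
# The same two rules, most specific first, as a first-fit rule base requires.
CORRECTED = [MISORDERED[1], MISORDERED[0]]


def demo() -> dict:
    guest = "10.0.5.7"
    return {
        "first_fit_misordered": first_fit(MISORDERED, guest, 22),  # "allow": the deny is never reached
        "first_fit_corrected": first_fit(CORRECTED, guest, 22),    # "deny"
        "best_fit_misordered": best_fit(MISORDERED, guest, 22),    # "deny": /24 beats /8 regardless of order
        "deny_all_unmatched": first_fit(MISORDERED, "192.0.2.10", 80),            # "deny": Deny-All default
        "allow_all_unmatched": first_fit(MISORDERED, "192.0.2.10", 80, "allow"),  # "allow": Allow-All default
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```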
Firewall Configuration Strategies
1. A firewall must be scalable so it can grow with the network it protects. It needs to take into account the communication needs of individual employees, who see Web surfing and e-mail as must-haves to be productive. Because TCP/IP is the protocol of choice for internal networks as well as the Internet itself, the firewall also needs to deal with the IP address needs of the organization, for instance by enabling port forwarding or Network or Port Address Translation.
Scalability
1. A firewall needs to adapt to the changing needs of the organization whose network it protects. Therefore, you should provide for the firewall's growth by recommending a periodic review and upgrading software and hardware as needed.
Productivity
1. Two important features of the firewall are the processing and memory resources available to the bastion host. A bastion host, though it may not be the only hardware component in a firewall architecture, is of central importance to the operation of the firewall software that it hosts. If the host machine runs too slowly or does not have enough memory to handle the large number of packet-filtering decisions, proxy service requests, and other traffic, the productivity of the entire organization can be adversely affected. That is because the bastion host resides on the perimeter of the network and, unless other bastion hosts and firewalls have been set up to provide the network with load balancing, the bastion host is the only gateway through which inbound and outbound traffic can pass.
Dealing with IP Address Issues
1. The more complex a network becomes, the more IP-addressing complications arise. It is important to plan out the installation, including IP addressing, before you start purchasing or installing firewalls.
2. IP forwarding enables a packet received on one of a host's network interfaces to be passed on to another, and so from one network to the next. Most operating systems are set up to perform IP forwarding. Proxy servers that handle the movement of data from one external network to another perform the same function; however, if a proxy server is working, IP forwarding should be disabled on routers and other devices that lie between the networks.
Approaches That Add Functionality to Your Firewall
NAT/PAT
1. A router or firewall that performs Network Address Translation (NAT) or Port Address Translation (PAT) converts publicly accessible IP addresses to private ones and vice versa, thus shielding the IP addresses of computers on the protected network from those on the outside. For more on NAT and PAT, you can review the relevant section in Chapter 5.
Encryption
1. A firewall or router that includes Secure Sockets Layer (SSL) or some other type of encryption takes a request, turns it into gibberish using a private key, and exchanges the public key with the recipient firewall or router. The recipient then decrypts the message and presents it to the end user in understandable form.
Application Proxies
1. An application proxy is software that acts on behalf of a host, receiving requests, rebuilding them completely from scratch, and forwarding them to the intended location as though the request originated with it (the proxy). It can be set up with either a dual-homed host or a screened host system. In a dual-homed host setup, the host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected.
VPNs
1. Many companies use the Internet to provide them with a VPN that connects internal hosts with specific
clients in other organizations. The advantage to a VPN over a conventional Internet-based connection is
that VPN connections are encrypted and limited only to machines with specific IP addresses.
Intrusion Detection and Prevention Systems
1. An external router with an intrusion detection system (IDS) can notify you of intrusion attempts from the Internet. An internal router with IDS can notify you when a host on the internal network attempts to access the Internet through a suspicious port or by using an unusual service, which may be a sign of a Trojan horse that has entered the system. An IDS might also be configured to look for a large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCP port scan. The IDS sends an alert so that an administrator can either prevent the intrusion or cut the attack short before too much damage occurs.
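The port-scan heuristic described above, written out as detection logic over a constructed connection log (an added example, not code from the chapter or from any IDS product). The log format, the addresses and the thresholds are all assumptions: a source is flagged when it sends SYN-only segments to at least `port_threshold` distinct ports on one host within any `window`-second span, while a host that keeps reopening the same two service ports is left alone.

```python
from collections import Counter, defaultdict, deque
from typing import Dict, Iterable, List, Tuple

# Constructed sample connection log (not real traffic).
# Format: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
# 203.0.113.9 sends SYNs to 20 different ports on 10.0.0.5 within four seconds (a scan);
# 198.51.100.4 repeatedly opens ordinary HTTP/HTTPS sessions to the same host (benign).
SAMPLE_LOG = [f"{1000 + i // 5} 203.0.113.9 10.0.0.5 {20 + i} S" for i in range(20)]
SAMPLE_LOG += [f"{1000 + i} 198.51.100.4 10.0.0.5 {80 if i % 2 else 443} S" for i in range(20)]
SAMPLE_LOG += ["1003 198.51.100.4 10.0.0.5 443 SA",  # SYN/ACK reply, not a request
               "1004 203.0.113.9 10.0.0.5 22 R"]     # reset, not a request


def parse_line(line: str) -> Tuple[float, str, str, int, str]:
    ts, src, dst, port, flags = line.split()
    return float(ts), src, dst, int(port), flags


def detect_port_scans(lines: Iterable[str], window: float = 10.0,
                      port_threshold: int = 15) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): peak_distinct_ports} for every source/target pair whose SYNs
    reached at least `port_threshold` distinct ports within one `window`-second span."""
    syns: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, port, flags = parse_line(line)
        if flags == "S":  # SYN only: a new connection request, not a reply or a reset
            syns[(src, dst)].append((ts, port))

    alerts: Dict[Tuple[str, str], int] = {}
    for key, events in syns.items():
        events.sort()
        in_window: deque = deque()   # events inside the current sliding window
        ports: Counter = Counter()   # distinct destination ports inside the window
        peak = 0
        for ts, port in events:
            in_window.append((ts, port))
            ports[port] += 1
            # Drop events that have fallen out of the window.
            while ts - in_window[0][0] > window:
                _, old_port = in_window.popleft()
                ports[old_port] -= 1
                if ports[old_port] == 0:
                    del ports[old_port]
            peak = max(peak, len(ports))
        if peak >= port_threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (src, dst), count in detect_port_scans(SAMPLE_LOG).items():
        print(f"ALERT: {src} probed {count} distinct ports on {dst}")
```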
Enabling a Firewall to Meet New Needs
1. You need to keep upgrading your firewall architecture and adding new components to keep your perimeter protected and traffic running smoothly. Overall, you need to gain and maintain the following:
Firewall Maintenance
- Throughput
- Scalability
- Security
- Recoverability
- Manageability
Verifying Resources Needed by the Firewall
1. You have to test how well the firewall is working and evaluate its performance so that you can make network traffic move more efficiently. One of the factors that can easily be evaluated for software-only firewalls is memory and CPU usage. You can check how much memory you need in one of two ways. The first way is to use the following formula:
MemoryUsage = (ConcurrentConnections / AverageLifetime) * (AverageLifetime + 50 seconds) * 120
2. The second way to keep track of the memory and system resources being consumed is to use the software's own monitoring feature.
Identifying New Risks
1. A firewall needs regular care and attention to keep up with the new threats that are constantly appearing. It
is a good idea, after you first get your firewall up and running, to monitor its activities for a month and
store all the data that accumulates in the form of log files. Then, go through the logs and analyze the traffic
that passes through the firewall, paying particular attention to suspicious activity that may arise.
Adding Software Updates and Patches
1. The best way to combat the constant stream of new viruses and security threats is to install updated software that is specifically designed to meet those threats. First, test updates and patches as soon as you install them. Make sure the new software does not slow down your system, crash applications, or cause other problems. Second, ask the vendors of your firewall, VPN appliance, routers, and other security-related hardware and software to notify you when security patches become available for their products. Also check the manufacturer's Web site for security patches and software updates.
Adding Hardware
1. Whenever you add a piece of hardware to your network, you need to identify it in some way so your firewall can include it in its routing and protection services. Different firewalls require you to identify network hardware in different ways. With Microsoft Internet Security and Acceleration Server (ISA), which functions as a proxy server, you record the IP addresses of hosts or gateways on a Local Address Table. With Check Point FireWall-1, you "define" an object by giving it a name and recording its IP address and other information.
2. The need to list hardware as being part of your protected network applies not only to workstations that you add to the network, but also to the routers, VPN appliances, and other gateways you add as the network grows. This applies particularly to proxy servers such as ISA, which function as the default gateway for a network and need to know exactly how to route traffic through your different hardware devices.
Dealing with Complexity on the Network
1. Firewall configurations can take many forms, and they can grow in complexity as a network grows. One
level of complexity you may need to manage comes from distributed firewalls, which are installed at all
endpoints of the network, including the remote computers that connect to the network through VPNs. They
add complexity because they require you to install and/or maintain a variety of firewalls that are located not
only in your own corporate network but in remote locations; however, distributed firewalls also add
security because they protect your network from viruses or other attacks that can originate from remote
laptops or other machines that use VPNs to connect.
Adhering To Proven Security Principles
1. The Generally Accepted System Security Principles (GASSP) is a set of security and information
management practices put forth by the International Information Security Foundation (I2SF). The GASSP
gives you some good guidelines to follow that help you to manage your firewall as well as the information
that passes through it.
Environmental Management
1. The GASSP recommends the environmental management of IT assets and resources: the measures taken to
reduce risks to the physical environment where the resources are stored. At the most basic level, this means
that you need to secure the building where your network resources are located to protect them from natural
disasters such as earthquakes, floods, hurricanes, tornadoes, and other catastrophic events.
2. To prepare for environmental problems, an organization should consider installing the following:
Environmental Management
- Backup power systems to overcome power outages
- Backup hardware and software to help recover network data and services in case of equipment failure
- Sprinkler and alarm systems to reduce damage from fire
- Locks to guard against theft
BIOS, Boot, and Screen Locks
1. The GASSP document related to this topic includes the suggestion that a public notice be included in the
company’s logon screen that advises anyone who uses the network of the existence of the organization’s
security policy. Such a notice might state the following: “Notice: Anyone who logs on to the [Company
Name] network is hereby notified that the files and databases they are about to access are valued assets and
that they include much proprietary information that is protected by copyright. Unauthorized access to such
resources is prohibited and violators will be prosecuted.”
BIOS and Boot-up Passwords
1. Most computers give you the chance to set a boot-up password, a password that must be entered to
complete the process of starting up a computer. Boot-up passwords (which are often called BIOS passwords
or CMOS passwords) are not perfect: they will not work when your computer is already on and is left
unattended, for instance. In addition, a thief who cannot crack your BIOS password can remove the hard
drive and attach it to a computer that does not have a BIOS password or remove the lithium battery from
the computer’s motherboard, thus erasing the BIOS password from memory.
Supervisor Passwords
1. Some systems only use a BIOS password to enable the computer to complete booting up. On others (such as Windows NT and 2000), a second, higher-level password called a supervisor password is also used. Where both a supervisor password and a BIOS password are used, the supervisor password is used to gain access to the BIOS set-up program or to change the BIOS password.
Screen Saver Passwords
1. A screen saver is an image or design that appears on a Windows computer monitor when the machine is
idle. A screen saver password is one that you need to enter to make your screen saver vanish so that you can
return to your desktop and resume working. Configuring a screen saver password protects your computer
while you are not working on it.
Using Remote Management Interface
1. A Remote Management Interface is software that enables you to configure and monitor one or more
firewalls that are located on different network locations. You use it to start and stop the firewall or change
the rule base from locations other than your primary computer.
Why Remote Management Tools Are Important
1. A remote management system is important because it saves many hours of time and makes the security
administrator’s job much easier. Besides reducing time for the administrator, such remote management
tools reduce the chance of configuration errors that might result if the same changes have to be made
manually for each firewall in the network.
Security Concerns with Remote Management Tools
1. A Security Information Management (SIM) device is a GUI program that can be used to remotely manage a firewall. Because a SIM has access to all of the firewalls on your network, it needs to be as secure as possible to prevent unauthorized users from circumventing your security systems. To begin with, the SIM should offer strong security controls such as multi-factor authentication and encryption. The SIM should also be equipped with auditing features that keep track of who uses the software and when. The best remote management tools will use tunneling to connect to the firewall or use certificates for authentication, rather than establishing a weak connection such as a Telnet interface.
Basic Features Required of Remote Management Tools
1. Any SIM or remote management program should enable you to monitor and configure firewalls from a
single centralized location. They should also enable you to start and stop firewalls as needed. Note that
starting and stopping a firewall is a drastic step because it can affect network communications. But it is an
option you need to have at your disposal in case you detect an intrusion.
Automating Security Checks
1. You can hire a service to do the ongoing checking and administration of a firewall for you. This is not
simply passing the buck; if your time as a network administrator is taken up with making sure the network
is up and running and adding or removing users as needed, it’s more efficient to consider outsourcing the
firewall administration. Be aware, though, that if you outsource your firewall management, you have to put
a high level of trust in the outsourcer to maintain your network security. You cannot always expect outside
companies to devote as high a level of attention to your log files as in-house employees would.
Configuring Advanced Firewall Functions
1. The ultimate goal for many organizations is the development of a high-performance firewall configuration
that has high availability (in other words, it operates on a 24/7 basis or close to it) and that can be scaled
(that can grow and maintain effectiveness) as the organization grows.
Data Caching
1. Caching, the practice of storing data in a part of disk storage space so that it can be retrieved as needed, is
one of the primary functions of proxy servers. Firewalls can be configured to work with external servers to
cache data, too. Caching of frequently accessed resources such as Web page text and image files can
dramatically speed up the performance of your network because it reduces the load on your Web servers.
The load on the servers is reduced when end users are able to call pages from disk cache rather than having
to send a request to the Web server itself.
2. Typically, you choose one of four options for how data is to be cached.
Caching Options
- No caching
- UFP server
- VPN & firewall (one request)
- VPN & firewall (two requests)
Hot Standby Redundancy
1. One way to balance the load placed on a firewall is to set up a hot standby system in which one or more
auxiliary or failover firewalls are configured to take over all traffic if the primary firewall fails. Usually, hot
standby only involves two firewalls, the primary and the secondary systems. Only one firewall operates at
any given time. The two firewalls need to be connected in what is sometimes called a heartbeat network: a
network that monitors the operation of the primary firewall and synchronizes the state table connections so
the two firewalls have the same information at any given time.
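A simplified model of the hot standby arrangement just described, added here as an example (not code from the chapter or from any firewall product). It uses explicit clock values instead of real timers and constructed addresses; running the same failover with and without state-table synchronization shows why the heartbeat network replicates connection state and not just liveness: without it the promoted secondary has no record of sessions opened on the primary and drops them.

```python
from typing import Dict, Tuple

Conn = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


class Firewall:
    def __init__(self, name: str):
        self.name = name
        self.state_table: Dict[Conn, str] = {}

    def permits(self, conn: Conn) -> bool:
        # A stateful firewall forwards a mid-session packet only if it knows the connection.
        return self.state_table.get(conn) == "ESTABLISHED"


class HotStandbyPair:
    """Primary/secondary pair joined by a heartbeat network (clock passed in explicitly)."""

    def __init__(self, primary: Firewall, secondary: Firewall,
                 timeout: float = 3.0, sync_state: bool = True):
        self.primary, self.secondary = primary, secondary
        self.timeout, self.sync_state = timeout, sync_state
        self.active = primary          # only one firewall handles traffic at a time
        self.last_heartbeat = 0.0

    def heartbeat(self, now: float) -> None:
        # The primary announces over the heartbeat network that it is alive.
        self.last_heartbeat = now

    def track(self, conn: Conn) -> None:
        # Only the active firewall sees traffic; with sync on, the entry is replicated to the standby.
        self.active.state_table[conn] = "ESTABLISHED"
        if self.sync_state and self.active is self.primary:
            self.secondary.state_table[conn] = "ESTABLISHED"

    def check(self, now: float) -> str:
        # Run periodically by the standby: take over if the primary's heartbeat has gone silent.
        if self.active is self.primary and now - self.last_heartbeat > self.timeout:
            self.active = self.secondary
        return self.active.name

    def permits(self, conn: Conn) -> bool:
        return self.active.permits(conn)


def failover_scenario(sync_state: bool) -> Tuple[str, bool]:
    """Open a session at t=0, lose the primary after t=2, report (active firewall, session survives)."""
    pair = HotStandbyPair(Firewall("fw-primary"), Firewall("fw-secondary"),
                          timeout=3.0, sync_state=sync_state)
    session: Conn = ("192.0.2.10", "10.0.0.5", 443)  # constructed example addresses
    pair.heartbeat(0.0)
    pair.track(session)
    pair.heartbeat(1.0)
    pair.heartbeat(2.0)
    still_primary = pair.check(2.5)   # heartbeat still fresh: no failover yet
    active = pair.check(6.0)          # no heartbeat for 4 s > timeout: secondary takes over
    return active, pair.permits(session) and still_primary == "fw-primary"


if __name__ == "__main__":
    print("with state sync:   ", failover_scenario(True))
    print("without state sync:", failover_scenario(False))
```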
Load Balancing
1. When a firewall becomes mission-critical—an integral, key part of the company’s core operations—
everything possible must be done to maximize the firewall’s uptime and smooth operation. One way to
accomplish this goal is load balancing: the practice of balancing the load placed on the firewall so that it is
handled by two or more firewall systems.
2. Another type of load balancing is load sharing: the practice of configuring two or more firewalls to share the total traffic load. Each firewall in a load-sharing setup is active at the same time. Traffic between the firewalls is distributed by routers using special routing protocols such as:
- Open Shortest Path First (OSPF): This protocol can route traffic based on its IP type. It can also divide traffic equally between two routers that are equally far apart or that have an equal load already.
- Border Gateway Protocol (BGP): This protocol uses TCP as its transport protocol to divide traffic among available routers.
Filtering Content
1. One of the most malicious and difficult-to-filter types of attack on a network is the inclusion of harmful code in e-mail messages. Firewalls, by themselves, do not conduct virus scanning, but their manufacturers enable them to work with third-party applications to scan for viruses or perform other functions. Zone Alarm and Check Point NG, for instance, have an Open Platform for Security (OPSEC) model that lets you extend their functionality and integrate virus scanning into their set of abilities.