FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.

Chapter 8 Firewall Configuration and Administration

Source: mawelton.people.ysu.edu/CSIS3755/CSIS 3755 - Chapter 8.pdf



Learning Objectives

Set up firewall rules that reflect an organization’s overall security approach

Identify and implement different firewall configuration strategies

Update a firewall to meet new needs and threats

Adhere to proven security principles to help the firewall protect network resources

Firewalls & Network Security, 2nd ed. - Chapter 8 Slide 2


Learning Objectives (continued)

Use a remote management interface

Track firewall log files and follow the basic initial steps in responding to security incidents

Understand the nature of advanced firewall functions

Establishing Firewall Rules and Restrictions

Rules give the firewall specific criteria for deciding whether to allow a packet through or drop it

All firewalls have a rules file (the rule base); it is the most important configuration file on the firewall, so back it up and track every change to it as you would source code

The Role of the Rules File

Establishes the order in which the firewall evaluates its rules; most firewalls apply the first rule that matches, so the order changes the outcome

Tells the firewall which packets should be blocked and which should be allowed

Requirements

– Need for scalability

– Importance of enabling productivity of end users while maintaining adequate security

Restrictive Firewalls

Block all access by default (default deny); permit only specific types of traffic to pass through

Restrictive Firewalls (continued)

Follow the principle of least privilege: each allow rule grants only the access a specific group of hosts needs

Spell out the services that employees cannot use

Use and maintain passwords on the firewall and its management interfaces

Choose an approach, from most permissive to most restrictive:

– Open

– Optimistic

– Cautious

– Strict

– Paranoid

Connectivity-Based Firewalls

Have fewer rules; the primary orientation is to let all traffic pass through (default allow) and then block specific types of traffic, so anything nobody thought to block is permitted
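The rule-ordering and default-policy points above, as an added worked example (not code from the textbook and not any vendor's rule syntax): a small first-match packet filter in Python with constructed rules and packets. The same packet is evaluated under a restrictive rule base (default deny) and a connectivity-based one (default allow), and a check finds rules that can never fire because an earlier, broader rule shadows them.

```python
"""Added example: a first-match packet filter showing why rule order and the
default policy decide what a firewall does. Rules and packets are constructed
for illustration; this is not the textbook's code or any vendor's rule syntax."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: List[Rule], default: str, p: Packet) -> Tuple[str, Optional[int]]:
    """Walk the rules file top to bottom; the first match wins.
    Returns (action, index of the rule that fired); index None = default policy."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return default, None


def find_shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Restrictive policy: default deny, then the few things users are allowed.
RESTRICTIVE = [
    Rule("allow", src="10.0.0.0/8", dst="10.0.0.53/32", proto="udp", dport=53),   # DNS to our resolver
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=80),                       # HTTP out
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),                      # HTTPS out
    Rule("allow", src="10.0.9.0/24", dst="10.0.0.10/32", proto="tcp", dport=22),  # admin net to bastion
]
# Connectivity-based policy: default allow, then the things someone remembered to block.
CONNECTIVITY = [
    Rule("deny", proto="tcp", dport=23),   # telnet
    Rule("deny", proto="tcp", dport=445),  # SMB
]
# A common mistake: a broad allow placed above a specific deny shadows it.
SHADOWED = [
    Rule("allow", src="10.0.0.0/8", proto="tcp"),
    Rule("deny", src="10.0.1.0/24", proto="tcp", dport=23),
]

if __name__ == "__main__":
    rdp_out = Packet("10.0.1.20", "203.0.113.5", "tcp", 3389)  # nobody wrote a rule for RDP
    print("restrictive :", evaluate(RESTRICTIVE, "deny", rdp_out))    # ('deny', None)
    print("connectivity:", evaluate(CONNECTIVITY, "allow", rdp_out))  # ('allow', None)
    print("shadowed    :", find_shadowed(SHADOWED))                   # [1]
```

The RDP packet is dropped by the restrictive policy only because nothing allowed it, and allowed by the connectivity policy only because nobody thought to block it; the shadow check is worth running whenever a deny rule is added below an existing allow.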

Firewall Configuration Strategies

Criteria

– Scalable

– Take the communication needs of individual employees into account

– Deal with the IP address needs of the organization

Scalability

Provide for the firewall's growth by scheduling a periodic review and upgrading software and hardware as needed

Productivity

The stronger and more elaborate the firewall (more rules, deeper inspection), the slower the data transmissions

Important firewall features: the processing and memory resources available to the bastion host

Dealing with IP Address Issues

If the service network needs to be privately rather than publicly accessible, which DNS will its component systems use?

If you mix public and private addresses, how will the Web server and DNS servers communicate?

Let the proxy server do the IP forwarding (it is the security device) rather than routing around it

Approaches That Add Functionality to Your Firewall

Network Address Translation (NAT)

Port Address Translation (PAT)

Encryption

Application proxies

VPNs

Intrusion Detection and Prevention Systems (IDPSs)

NAT/PAT

NAT and PAT rewrite private (internal) IP addresses to publicly routable ones on the way out and back again on the way in; this shields the addresses of computers on the protected network from those on the outside

Where NAT converts these addresses on a one-to-one basis (one internal address to one external address), PAT lets one external address serve many internal addresses by also rewriting the source port and keeping a translation table of the active connections

Address translation hides topology but is not an access control: a static one-to-one mapping forwards any inbound packet to its internal host, so filtering rules are still required in front of it
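An added example of the translation tables behind the two schemes (constructed addresses from the RFC 5737 documentation ranges; this is illustrative Python, not the textbook's code nor any product's implementation). PAT keys on the full connection so two inside hosts can reuse the same source port, drops inbound packets for which no entry exists, and has a failure mode of its own when its public port pool is exhausted; the one-to-one StaticNAT beside it forwards whatever arrives for the public address, which is why a static mapping still needs filtering rules in front of it.

```python
"""Added example: how PAT (NAT overload) and one-to-one NAT differ in what they
let in. Addresses are constructed from the RFC 5737 documentation ranges; this
is not the textbook's code and not how any particular firewall keeps its tables."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PAT:
    """Many private (ip, port) pairs share one public address; the translated
    source port tells replies apart. Keyed on the full 5-tuple (symmetric NAT)."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out: Dict[Tuple[str, int, str, int, str], int] = {}          # inside 5-tuple -> public port
        self.back: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}  # (public port, peer) -> inside (ip, port)

    def outbound(self, f: Flow) -> Flow:
        """Rewrite an inside-originated packet; allocate a public port on first sight."""
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        if key not in self.out:
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")  # the PAT-specific failure mode
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, f.dst, f.dport, f.proto)] = (f.src, f.sport)
        return Flow(self.public_ip, self.out[key], f.dst, f.dport, f.proto)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Un-translate a packet arriving from outside. Without a matching entry
        there is nowhere to send it, so it is dropped (None): this is the shielding."""
        if f.dst != self.public_ip:
            return None
        inside = self.back.get((f.dport, f.src, f.sport, f.proto))
        if inside is None:
            return None
        return Flow(f.src, f.sport, inside[0], inside[1], f.proto)


class StaticNAT:
    """One-to-one NAT: a fixed public address per inside host, no port rewriting."""

    def __init__(self, public_to_private: Dict[str, str]):
        self.to_private = dict(public_to_private)
        self.to_public = {v: k for k, v in public_to_private.items()}

    def outbound(self, f: Flow) -> Flow:
        return Flow(self.to_public[f.src], f.sport, f.dst, f.dport, f.proto)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Any packet to the public address is forwarded, solicited or not:
        a static mapping hides the address but does not filter."""
        private = self.to_private.get(f.dst)
        if private is None:
            return None
        return Flow(f.src, f.sport, private, f.dport, f.proto)


if __name__ == "__main__":
    pat = PAT("198.51.100.1")
    a = pat.outbound(Flow("10.0.0.5", 50000, "203.0.113.9", 443))
    b = pat.outbound(Flow("10.0.0.6", 50000, "203.0.113.9", 443))  # same source port inside
    print(a, b)                                                       # public ports 1024 and 1025
    print(pat.inbound(Flow("203.0.113.9", 443, "198.51.100.1", 1025)))   # reply reaches 10.0.0.6
    print(pat.inbound(Flow("192.0.2.77", 40000, "198.51.100.1", 3389)))  # unsolicited: None
    static = StaticNAT({"198.51.100.10": "10.0.0.80"})
    print(static.inbound(Flow("192.0.2.77", 40000, "198.51.100.10", 3389)))  # forwarded to 10.0.0.80
```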

Encryption

Turns a request into unreadable ciphertext before it leaves the firewall or router; with public-key cryptography the sender encrypts with the recipient's public key, obtained through a key exchange with the recipient firewall or router, and only the matching private key, which is never exchanged, can decrypt it

In practice the public keys serve to authenticate the two peers and to agree on a symmetric session key, and that session key encrypts the traffic

The recipient firewall or router decrypts the message and presents it to the end user in understandable form

Encryption (continued): slide contains only a figure

Application Proxies

Act on behalf of a host: receive requests, rebuild them from scratch, and forward them to the intended destination as though the request originated with the proxy itself, so a malformed or non-conforming request never reaches the internal host

Can be set up on either a dual-homed host or a screened host system

Application Proxies (continued)

Dual-homed setup

– The host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected; IP forwarding between the two is disabled, so traffic can cross only through the proxy

Screened subnet system

– The host that holds the proxy server software has a single network interface

– Packet filters on either side of the host filter out all traffic except that destined for the proxy server software

Application Proxies on a Dual-Homed Host: slide contains only a figure

VPNs

Connect internal hosts with specific clients in other organizations

Connections are encrypted, the peers authenticate each other (by certificate or pre-shared key), and the gateway limits them to machines with specific IP addresses

VPN gateway can:

– Go on a DMZ, so that decrypted traffic still passes through the firewall's rules before reaching the internal LAN

– Bypass the firewall and connect directly to the internal LAN, in which case nothing filters what arrives through the tunnel and the remote peer's security posture becomes your own

VPN Gateway Bypassing the Firewall: slide contains only a figure

Intrusion Detection and Prevention Systems

Can be installed in external and/or internal routers at the perimeter of the network

Built into many popular firewall packages

IDPS Integrated into Perimeter Routers: slide contains only a figure

IDPS Positioned between Firewall and Internet: slide contains only a figure

Enabling a Firewall to Meet New Needs

Throughput

Scalability

Security

Recoverability

Manageability

Verifying Resources Needed by the Firewall

Ways to track memory and system resources

– Use the sizing formula the textbook gives for a stateful firewall's connection table:

MemoryUsage = ((ConcurrentConnections) / (AverageLifetime)) * (AverageLifetime + 50 seconds) * 120

ConcurrentConnections / AverageLifetime is the rate at which new connections arrive, 50 seconds is a fixed allowance added to each connection's lifetime (so AverageLifetime must be expressed in seconds), and 120 is the per-connection constant in bytes, so the result is in bytes; the expression simplifies to ConcurrentConnections * (1 + 50 / AverageLifetime) * 120, which shows that many short-lived connections cost disproportionately more memory than the same number of long-lived ones

– Use the software's own monitoring feature, and compare its figures against the estimate as the network grows

Identifying New Risks

Monitor activities and review log files regularly; a firewall that logs but is never read detects nothing

Check vendor and security advisory Web sites to keep informed of the latest dangers; install patches and updates
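Reviewing logs for new risks, as an added example that is not part of the textbook: the log lines are constructed in the style of netfilter kernel log entries with FW-DROP and FW-ACCEPT log prefixes, and the parser and the port-scan heuristic (five or more distinct ports dropped from one source within a minute) are assumptions of this example whose thresholds should be tuned to the network being reviewed.

```python
"""Added example: reviewing firewall logs for new risks. The log lines are
constructed in the style of netfilter/iptables kernel log entries with a
'FW-DROP:'/'FW-ACCEPT:' log prefix; they are not real traffic, and the
detection thresholds are this example's assumptions, not the textbook's."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_LOG = """\
2024-03-03T10:15:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=22
2024-03-03T10:15:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=40002 DPT=23
2024-03-03T10:15:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=40003 DPT=80
2024-03-03T10:15:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=40004 DPT=443
2024-03-03T10:15:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=40005 DPT=3389
2024-03-03T10:15:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=40006 DPT=8080
2024-03-03T10:15:40 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=51000 DPT=443
2024-03-03T10:16:05 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=10.0.9.5 DST=10.0.0.10 PROTO=TCP SPT=52000 DPT=22
2024-03-03T10:16:06 fw kernel: unrelated message that the parser must skip
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ kernel: (?P<tag>FW-[A-Z]+): (?P<kv>.*)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One log line -> {'ts': datetime, 'action': 'DROP'|'ACCEPT', 'SRC': ..., 'DPT': int, ...}
    or None for lines that are not firewall events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = {"ts": datetime.fromisoformat(m["ts"]), "action": m["tag"][3:]}
    for k, v in re.findall(r"(\w+)=(\S*)", m["kv"]):
        ev[k] = int(v) if v.isdigit() else v
    return ev


def parse_log(text: str) -> List[Dict[str, object]]:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def drops_by_source(events) -> Counter:
    """Top talkers among dropped packets: the first thing to look at in a review."""
    return Counter(ev["SRC"] for ev in events if ev["action"] == "DROP")


def detect_port_scans(events, min_ports: int = 5, window_s: int = 60) -> Dict[str, List[int]]:
    """Flag a source dropped on >= min_ports distinct destination ports within any
    window_s seconds: a probe of the perimeter rather than a misconfigured client.
    Returns every distinct port the flagged source was dropped on."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "DROP" and "DPT" in ev:
            per_src[ev["SRC"]].append((ev["ts"], ev["DPT"]))
    scans: Dict[str, List[int]] = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (t_end, _) in enumerate(hits):
            in_window = {p for t, p in hits[: i + 1] if (t_end - t).total_seconds() <= window_s}
            if len(in_window) >= min_ports:
                scans[src] = sorted({p for _, p in hits})
                break
    return scans


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(drops_by_source(events).most_common())   # [('192.0.2.77', 6), ('203.0.113.9', 1)]
    print(detect_port_scans(events))               # {'192.0.2.77': [22, 23, 80, 443, 3389, 8080]}
```

The single drop from 203.0.113.9 is the kind of entry that is reviewed and then ignored; the six from 192.0.2.77 across six ports in four seconds are the kind that should feed the incident-response steps the chapter refers to (record, block at the perimeter, look for the same source elsewhere in the logs).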

Adding Software Updates and Patches

Test updates and patches on a non-production or standby firewall before rolling them out, and verify that the rule base still behaves as expected as soon as they are installed

Ask vendors (of the firewall, VPN appliance, routers, etc.) for notification when security patches are available

Check the manufacturer's Web site for security patches and software updates

Adding Hardware

Identify new network hardware so the firewall can include it in its routing and protection services

– Different ways for different firewalls

List the workstations, routers, VPN appliances, and other gateways you add as the network grows

Choose good passwords for each device and guard them closely

Dealing with Complexity on the Network

Distributed firewalls

– Installed at the endpoints of the network, including remote computers that connect to the network through VPNs

– Add complexity

• Require that you install and/or maintain a variety of firewalls located on your network and in remote locations

– Add security

• Protect the network from viruses or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)

Adhering to Proven Security Principles

Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management

– Secure the physical environment where firewall-related equipment is housed

– Lock the software so that unauthorized users cannot access it

Environmental Management

Measures taken to reduce risks to the physical environment where resources are stored

– Back-up power systems overcome power outages

– Back-up hardware and software help recover network data and services in case of equipment failure

– Sprinkler/alarm systems reduce damage from fire

– Locks guard against theft


BIOS, Boot, and Screen Locks

BIOS and boot-up passwords

Supervisor passwords

Screen saver passwords

Remote Management Interface

Software that enables you to configure and monitor firewall(s) located at different network locations

Used to start/stop the firewall or change the rule base from locations other than the primary (console) computer

Why Remote Management Tools Are Important

Reduce time and make the job easier for the security administrator

Reduce the chance of configuration errors that might result if the same changes were made manually on each firewall on the network

Security Concerns

The remote management channel is itself an attack path: whoever controls it controls the rule base

Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems

– Offers strong security controls (e.g., multi-factor authentication and encryption)

– Should have an auditing feature that records who changed which rule and when

– Should use an encrypted tunnel to connect to the firewall and certificates for authentication

Evaluate SIM software to ensure it does not introduce new vulnerabilities

Basic Features of Remote Management Tools

Ability to monitor and configure firewalls from a single centralized location

– View and change firewall status

– View the firewall's current activity

– View any firewall event or alert messages

Ability to start and stop firewalls as needed


Automating Security Checks

Outsource firewall management

Configuring Advanced Firewall Functions

Ultimate goal

– High availability

– Scalability

Advanced firewall functions

– Data caching

– Redundancy

– Load balancing

– Content filtering


Data Caching

Set up a server that will:

– Receive requests for URLs

– Filter those requests against different criteria

Options

– No caching

– URI Filtering Protocol (UFP) server

– VPN & Firewall (one request)

– VPN & Firewall (two requests)

Hot Standby Redundancy

A secondary or failover firewall is configured to take over traffic duties if the primary firewall fails

Usually involves two firewalls; only one carries traffic at any given time

The two firewalls are connected by a heartbeat network, over which the standby watches for the primary's keepalives and, ideally, receives its connection-state table so that established sessions survive a failover

Hot Standby Redundancy (continued): slide contains only a figure

Hot Standby Redundancy (continued)

Advantages

– Ease and economy of setup and the quick backup it provides for the network

– One firewall can be stopped for maintenance without stopping network traffic

Disadvantages

– Does not improve network performance (the standby sits idle)

– VPN connections may or may not be included in the failover system; check whether tunnel state and keys are synchronized, otherwise every tunnel is renegotiated after a failover

Load Balancing

The practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems

Load sharing

– The practice of configuring two or more firewalls to share the total traffic load

Traffic between the firewalls is distributed by routers using dynamic routing protocols

– Open Shortest Path First (OSPF)

– Border Gateway Protocol (BGP)

Because the firewalls are stateful, both directions of a connection must reach the same firewall (or the firewalls must synchronize state); distributing packet by packet breaks connections

Load Balancing (continued): slide contains only a figure

Load Sharing

Advantages

– Improves total network performance

– Maintenance can be performed on one firewall without disrupting total network traffic

Disadvantages

– Load is usually distributed unevenly (can be remedied by using layer four switches, which distribute per connection rather than per route)

– Configuration can be complex to administer
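An added example of the stickiness problem when traffic is shared between stateful firewalls (constructed traffic; the two distributors stand in for whatever the routers or layer-4 switches actually do, and this is not the textbook's code). Each firewall keeps its own connection table, so per-packet round-robin sends the server's reply to a firewall that never saw the SYN and that firewall drops it, whereas hashing a direction-independent flow key keeps both directions of a connection on one firewall; the per-firewall counts also show why per-flow distribution is rarely even.

```python
"""Added example: why load sharing between stateful firewalls must keep both
directions of a connection on the same box. Traffic is constructed; the
round-robin and flow-hash distributors stand in for what routers or layer-4
switches do in practice. Not the textbook's code."""
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the client's connection-opening packet


Endpoint = Tuple[str, int]


def flow_key(p: Pkt) -> Tuple[Endpoint, ...]:
    """Direction-independent connection identifier: A->B and B->A give the same key."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class StatefulFirewall:
    """Accepts a packet only if it opens a connection or belongs to one already seen."""

    def __init__(self) -> None:
        self.state = set()

    def handle(self, p: Pkt) -> bool:
        k = flow_key(p)
        if p.syn:
            self.state.add(k)
            return True
        return k in self.state


Chooser = Callable[[int, Pkt, int], int]


def round_robin(i: int, p: Pkt, n: int) -> int:
    """Per-packet distribution: evenly loaded, but blind to connections."""
    return i % n


def flow_hash(i: int, p: Pkt, n: int) -> int:
    """Per-flow distribution: hash the symmetric key so every packet of a
    connection, in both directions, lands on the same firewall."""
    digest = hashlib.sha256(repr(flow_key(p)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


def run(packets: List[Pkt], n: int, choose: Chooser) -> Tuple[int, List[int]]:
    """Push packets through n independent stateful firewalls.
    Returns (packets dropped for lack of state, packets handled per firewall)."""
    fws = [StatefulFirewall() for _ in range(n)]
    load = [0] * n
    dropped = 0
    for i, p in enumerate(packets):
        idx = choose(i, p, n)
        load[idx] += 1
        if not fws[idx].handle(p):
            dropped += 1
    return dropped, load


def session(client: str, cport: int, server: str, sport: int) -> List[Pkt]:
    """SYN from the client, the server's reply, then more client data."""
    return [Pkt(client, cport, server, sport, syn=True),
            Pkt(server, sport, client, cport),
            Pkt(client, cport, server, sport)]


# Constructed traffic: three short sessions, one after another.
TRAFFIC = (session("10.0.1.20", 50000, "203.0.113.5", 443)
           + session("10.0.1.21", 50001, "203.0.113.5", 443)
           + session("10.0.1.22", 50002, "198.51.100.7", 22))

if __name__ == "__main__":
    print("round-robin:", run(TRAFFIC, 2, round_robin))  # (3, [5, 4]): every reply is dropped
    print("flow-hash  :", run(TRAFFIC, 2, flow_hash))    # (0, ...): no drops, load may be uneven
```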

Filtering Content

Firewalls do not scan for viruses themselves but can hand traffic to third-party applications that scan for viruses or perform other functions

– Open Platform for Security (OPSEC) model

– Content Vectoring Protocol (CVP)

Filtering Content (continued)

Install anti-virus software on the SMTP gateway in addition to providing desktop anti-virus protection for each computer

Choose an anti-virus gateway product that:

– Provides for content filtering

– Can be updated regularly to account for recent viruses

– Can scan traffic in real time

– Has detailed logging capabilities

Chapter Summary

After establishing a security policy, implement the strategies that policy specifies

If the primary goal of the planned firewall is to block unauthorized access, you must emphasize restricting rather than enabling connectivity

A firewall must be scalable so it can grow with the network it protects

The stronger and more elaborate your firewall, the slower data transmissions are likely to be

The more complex a network becomes, the more IP-addressing complications arise

Chapter Summary (continued)

Network security setups become more complex when specific functions are added

Firewalls must be maintained regularly to keep the critical measures of success within acceptable levels of performance

Successful firewall management requires adherence to principles put forth by reputable organizations to ensure that firewalls and network security configurations are maintained correctly

Chapter Summary (continued)

Remote management allows configuration and monitoring of one or more firewalls located at different network locations

The ultimate goal for many organizations is a high-performance firewall configuration that has high availability and can be scaled as the organization grows; this is accomplished by using data caching, redundancy, load balancing, and content filtering