Post on 19-Dec-2015
Firewall Configuration and Administration
Learning Objectives
• Set up firewall rules that reflect an organization’s overall security approach
• Identify and implement different firewall configuration strategies
• Update a firewall to meet new needs and threats
• Adhere to proven security principles to help the firewall protect network resources
Learning Objectives (continued)
• Use a remote management interface
• Track firewall log files and follow the basic initial steps in responding to security incidents
• Understand the nature of advanced firewall functions
Establishing Firewall Rules and Restrictions
• Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them
• All firewalls have a rules file—the most important configuration file on the firewall
The Role of the Rules File
• Establishes the order the firewall should follow
• Tells the firewall which packets should be blocked and which should be allowed
• Requirements
– Need for scalability
– Importance of enabling productivity of end users while maintaining adequate security
Restrictive Firewalls
• Block all access by default; permit only specific types of traffic to pass through
Restrictive Firewalls (continued)
• Follow the concept of least privilege
• Spell out services that employees cannot use
• Use and maintain passwords
• Choose an approach
– Open
– Optimistic
– Cautious
– Strict
– Paranoid
Connectivity-Based Firewalls
• Have fewer rules; primary orientation is to let all traffic pass through and then block specific types of traffic
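The two rule-base styles above, worked as a first-match evaluator (added example, not from the original slides): the rules file is read in order, the first matching rule decides, and the default policy (deny for restrictive, allow for connectivity-based) applies when nothing matches. Rules, addresses and packets are constructed for illustration using documentation IP ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # None matches every destination port

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        cidr = getattr(rule, side)
        if cidr != "any" and ipaddress.ip_address(pkt[side]) not in ipaddress.ip_network(cidr):
            return False
    return rule.dport is None or rule.dport == pkt["dport"]

def evaluate(rules: List[Rule], default: str, pkt: dict) -> str:
    """First-match evaluation: rules are tested in file order and the first
    matching rule decides; when nothing matches, the default policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# Restrictive rules file: default deny, then permit only named services.
RESTRICTIVE = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),     # public web server
    Rule("allow", "udp", "10.0.0.0/8", "10.0.0.53/32", 53),  # internal DNS
]
# Connectivity-based rules file: default allow, then block specific traffic.
CONNECTIVITY = [
    Rule("deny", "tcp", "any", "any", 23),                   # no telnet anywhere
    Rule("deny", "any", "198.51.100.0/24", "any", None),     # a blocked source range
]

# Constructed sample packets: a web request from the blocked range, and SSH
# to an internal host that no restrictive rule names.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp", "src": "192.0.2.5", "dst": "10.0.0.20", "dport": 22},
]

def decide_all(rules: List[Rule], default: str) -> List[str]:
    return [evaluate(rules, default, p) for p in PACKETS]
```

The same two packets get opposite verdicts under the two styles, which is the point of choosing the approach before writing rules.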
Firewall Configuration Strategies
• Criteria
– Scalable
– Take communication needs of individual employees into account
– Deal with IP address needs of the organization
Scalability
• Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed
Productivity
• The stronger and more elaborate the firewall, the slower the data transmissions
• Important features of firewall: processing and memory resources available to the bastion host
Dealing with IP Address Issues
• If service network needs to be privately rather than publicly accessible, which DNS will its component systems use?
• If you mix public and private addresses, how will Web server and DNS servers communicate?
• Let the proxy server do the IP forwarding (it’s the security device)
Approaches That Add Functionality to Your Firewall
• Network Address Translation (NAT)
• Port Address Translation (PAT)
• Encryption
• Application proxies
• VPNs
• Intrusion Detection and Prevention Systems (IDPSs)
NAT/PAT
• NAT and PAT convert publicly accessible IP addresses to private ones and vice versa; shields IP addresses of computers on the protected network from those on the outside
• Where NAT converts these addresses on a one-to-one association—internal to external—PAT allows one external address to map to multiple internal addresses
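The one-to-one versus one-to-many distinction above, as an added example (not from the original slides): a static NAT table maps each internal host to its own external address, while a PAT table lets many internal (ip, port) pairs share one external address by handing each flow a distinct external port, which is also what lets replies be mapped back. Addresses, the starting external port and the port-allocation scheme are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

class NatTable:
    """Static one-to-one NAT: every internal host gets its own external IP."""
    def __init__(self, pairs: Dict[str, str]):
        self.out_map = dict(pairs)                                   # internal -> external
        self.in_map = {ext: internal for internal, ext in pairs.items()}

    def outbound(self, ip: str) -> Optional[str]:
        return self.out_map.get(ip)          # None: host has no translation

    def inbound(self, ip: str) -> Optional[str]:
        return self.in_map.get(ip)

@dataclass
class PatTable:
    """PAT: many internal endpoints behind one external IP, one port per flow."""
    external_ip: str
    next_port: int = 40000                   # assumption: allocate external ports upward from here
    out_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # internal -> external
    in_map: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # external -> internal

    def outbound(self, src: Endpoint) -> Endpoint:
        """Translate an internal source; an existing flow keeps its binding."""
        if src not in self.out_map:
            ext = (self.external_ip, self.next_port)
            self.next_port += 1
            self.out_map[src] = ext
            self.in_map[ext] = src
        return self.out_map[src]

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Map a reply back to its internal endpoint; an unsolicited packet
        with no binding translates to None and should be dropped."""
        return self.in_map.get(dst)

def demo() -> Tuple[PatTable, Endpoint, Endpoint]:
    pat = PatTable("203.0.113.1")
    a = pat.outbound(("10.0.0.5", 51000))
    b = pat.outbound(("10.0.0.6", 51000))    # same internal port, different host
    return pat, a, b
```

Because the internal hosts never appear in the external tuple, an outside observer sees only the shared address, which is the shielding effect the slide describes.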
Encryption
• Takes a request and turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router
• Recipient decrypts the message and presents it to the end user in understandable form
Encryption (continued)
Application Proxies
• Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy)
• Can be set up with either a dual-homed host or a screened host system
Application Proxies (continued)
• Dual-homed setup
– Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected
• Screened subnet system
– Host that holds proxy server software has a single network interface
– Packet filters on either side of the host filter out all traffic except that destined for proxy server software
Application Proxies on a Dual-Homed Host
VPNs
• Connect internal hosts with specific clients in other organizations
• Connections are encrypted and limited only to machines with specific IP addresses
• VPN gateway can:
– Go on a DMZ
– Bypass the firewall and connect directly to the internal LAN
VPN Gateway Bypassing the Firewall
Intrusion Detection and Prevention Systems
• Can be installed in external and/or internal routers at the perimeter of the network
• Built into many popular firewall packages
IDPS Integrated into Perimeter Routers
IDPS Positioned between Firewall and Internet
Enabling a Firewall to Meet New Needs
• Throughput
• Scalability
• Security
• Recoverability
• Manageability
Verifying Resources Needed by the Firewall
• Ways to track memory and system resources
– Use the formula: MemoryUsage = ((ConcurrentConnections) / (AverageLifetime)) * (AverageLifetime + 50 seconds) * 120
– Use software’s own monitoring feature
Identifying New Risks
• Monitor activities and review log files
• Check Web sites to keep informed of latest dangers; install patches and updates
Adding Software Updates and Patches
• Test updates and patches as soon as you install them
• Ask vendors (of firewall, VPN appliance, routers, etc.) for notification when security patches are available
• Check manufacturer’s Web site for security patches and software updates
Adding Hardware
• Identify network hardware so firewall can include it in routing and protection services
– Different ways for different firewalls
• List workstations, routers, VPN appliances, and other gateways you add as the network grows
• Choose good passwords that you guard closely
Dealing with Complexity on the Network
• Distributed firewalls
– Installed at endpoints of the network, including remote computers that connect to network through VPNs
– Add complexity
• Require that you install and/or maintain a variety of firewalls located on your network and in remote locations
– Add security
• Protect network from viruses or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)
Adhering to Proven Security Principles
• Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management
– Secure physical environment where firewall-related equipment is housed
– Importance of locking software so that unauthorized users cannot access it
Environmental Management
• Measures taken to reduce risks to physical environment where resources are stored
– Back-up power systems overcome power outages
– Back-up hardware and software help recover network data and services in case of equipment failure
– Sprinkler/alarm systems reduce damage from fire
– Locks guard against theft
BIOS, Boot, and Screen Locks
• BIOS and boot-up passwords
• Supervisor passwords
• Screen saver passwords
Remote Management Interface
• Software that enables you to configure and monitor firewall(s) that are located at different network locations
• Used to start/stop the firewall or change rule base from locations other than the primary computer
Why Remote Management Tools Are Important
• Reduce time and make the job easier for the security administrator
• Reduce chance of configuration errors that might result if the same changes were made manually for each firewall on the network
Security Concerns
• Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems
– Offers strong security controls (e.g., multi-factor authentication and encryption)
– Should have an auditing feature
– Should use tunneling to connect to the firewall or use certificates for authentication
• Evaluate SIM software to ensure it does not introduce new vulnerabilities
Basic Features of Remote Management Tools
• Ability to monitor and configure firewalls from a single centralized location
– View and change firewall status
– View firewall’s current activity
– View any firewall event or alert messages
• Ability to start and stop firewalls as needed
Automating Security Checks
• Outsource firewall management
Configuring Advanced Firewall Functions
• Ultimate goal
– High availability
– Scalability
• Advanced firewall functions
– Data caching
– Redundancy
– Load balancing
– Content filtering
Data Caching
• Set up a server that will:
– Receive requests for URLs
– Filter those requests against different criteria
• Options
– No caching
– URI Filtering Protocol (UFP) server
– VPN & Firewall (one request)
– VPN & Firewall (two requests)
Hot Standby Redundancy
• Secondary or failover firewall is configured to take over traffic duties in case primary firewall fails
• Usually involves two firewalls; only one operates at any given time
• The two firewalls are connected in a heartbeat network
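The heartbeat arrangement above as an added example (not from the original slides): the standby unit counts missed heartbeats from the primary and takes over traffic duties only once a miss limit is reached, so a single lost beat does not cause a flap, and only one unit is ever active. The miss limit and the heartbeat trace are constructed assumptions; failback to the repaired primary is left as a manual step.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class StandbyPair:
    """Primary/secondary firewalls on a heartbeat network: exactly one unit is
    active; the secondary takes over after miss_limit consecutive missed beats."""
    miss_limit: int = 3        # assumption: tolerate two lost beats, fail over on the third
    active: str = "primary"
    missed: int = 0
    events: List[str] = field(default_factory=list)

    def tick(self, primary_alive: bool) -> str:
        """Process one heartbeat interval and return the unit now carrying traffic."""
        if self.active == "primary":
            if primary_alive:
                self.missed = 0                      # healthy beat resets the counter
            else:
                self.missed += 1
                if self.missed >= self.miss_limit:
                    self.active = "secondary"
                    self.events.append(f"failover after {self.missed} missed heartbeats")
        # Once the secondary is active it stays active, even if the primary
        # reappears: failback is an operator decision, not automatic.
        return self.active

    def failback(self) -> str:
        """Operator-initiated return to the primary after maintenance."""
        self.active, self.missed = "primary", 0
        self.events.append("manual failback to primary")
        return self.active

def run(heartbeats: List[bool]) -> Tuple[List[str], List[str]]:
    pair = StandbyPair()
    return [pair.tick(hb) for hb in heartbeats], pair.events

# Constructed trace: two healthy beats, three missed, then the primary returns.
TRACE = [True, True, False, False, False, True]
```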
Hot Standby Redundancy (continued)
Hot Standby Redundancy (continued)
• Advantages
– Ease and economy of setup and quick backup system it provides for the network
– One firewall can be stopped for maintenance without stopping network traffic
• Disadvantages
– Does not improve network performance
– VPN connections may or may not be included in the failover system
Load Balancing
• Practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems
• Load sharing
– Practice of configuring two or more firewalls to share the total traffic load
• Traffic between firewalls is distributed by routers using special routing protocols
– Open Shortest Path First (OSPF)
– Border Gateway Protocol (BGP)
Load Balancing (continued)
Load Sharing
• Advantages
– Improves total network performance
– Maintenance can be performed on one firewall without disrupting total network traffic
• Disadvantages
– Load usually distributed unevenly (can be remedied by using layer four switches)
– Configuration can be complex to administer
Filtering Content
• Firewalls don’t scan for viruses but can work with third-party applications to scan for viruses or other functions
– Open Platform for Security (OPSEC) model
– Content Vectoring Protocol (CVP)
Filtering Content (continued)
• Install anti-virus software on SMTP gateway in addition to providing desktop anti-virus protection for each computer
• Choose an anti-virus gateway product that:
– Provides for content filtering
– Can be updated regularly to account for recent viruses
– Can scan the system in real time
– Has detailed logging capabilities
Chapter Summary
• After establishing a security policy, implement the strategies that policy specifies
• If primary goal of planned firewall is to block unauthorized access, you must emphasize restricting rather than enabling connectivity
• A firewall must be scalable so it can grow with the network it protects
Chapter Summary (continued)
• The stronger and more elaborate your firewall, the slower data transmissions are likely to be
• The more complex a network becomes, the more IP-addressing complications arise
• Network security setups can become more complex when specific functions are added
Chapter Summary (continued)
• Firewalls must be maintained regularly to assure critical measures of success are kept within acceptable levels of performance
• Successful firewall management requires adherence to principles that have been put forth by reputable organizations to ensure that firewalls and network security configurations are maintained correctly
Chapter Summary (continued)
• Remote management allows configuration and monitoring of one or more firewalls that are located at different network locations
• Ultimate goal for many organizations is the development of a high-performance firewall configuration that has high availability and that can be scaled as the organization grows; accomplished by using data caching, redundancy, load balancing, and content filtering