Firewall Configuration and Administration. 2 Learning Objectives Set up firewall rules that reflect...

Firewall Configuration and Administration
Date posted: 19-Dec-2015

Learning Objectives

• Set up firewall rules that reflect an organization’s overall security approach

• Identify and implement different firewall configuration strategies

• Update a firewall to meet new needs and threats

• Adhere to proven security principles to help the firewall protect network resources

Learning Objectives (continued)

• Use a remote management interface

• Track firewall log files and follow the basic initial steps in responding to security incidents

• Understand the nature of advanced firewall functions

Establishing Firewall Rules and Restrictions

• Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them

• All firewalls have a rules file—the most important configuration file on the firewall

The Role of the Rules File

• Establishes the order the firewall should follow

• Tells the firewall which packets should be blocked and which should be allowed

• Requirements
  – Need for scalability
  – Importance of enabling productivity of end users while maintaining adequate security

Restrictive Firewalls

• Block all access by default; permit only specific types of traffic to pass through

Restrictive Firewalls (continued)

• Follow the concept of least privilege

• Spell out services that employees cannot use

• Use and maintain passwords

• Choose an approach
  – Open
  – Optimistic
  – Cautious
  – Strict
  – Paranoid

Connectivity-Based Firewalls

• Have fewer rules; primary orientation is to let all traffic pass through and then block specific types of traffic
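
The rule-order and default-policy ideas from the preceding slides, as an added example that is not part of the original slides: an ordered, first-match rules file evaluated under a restrictive and a connectivity-based default, plus a check for rules hidden by an earlier, broader rule. The rule format, addresses and rule sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    dport: Optional[int]  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, default, pkt):
    """Rules are checked in file order; the first match decides.
    The default policy applies only when no rule matches."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return default, None

def covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`."""
    return (earlier.proto in ("any", later.proto)
            and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and earlier.dport in (None, later.dport))

def shadowed(rules):
    """Numbers of rules that can never fire because an earlier rule covers them."""
    return [n + 1 for n, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:n])]

ANY = "0.0.0.0/0"
# Constructed rule sets using documentation and private address ranges.
RESTRICTIVE = ([Rule("allow", "tcp", ANY, "192.0.2.10/32", 80),
                Rule("allow", "tcp", ANY, "192.0.2.25/32", 25)], "deny")
CONNECTIVITY = ([Rule("deny", "tcp", ANY, ANY, 23)], "allow")
# A broad allow placed first hides the narrower deny that follows it.
MISORDERED = ([Rule("allow", "any", "10.0.0.0/8", ANY, None),
               Rule("deny", "tcp", "10.0.5.0/24", ANY, 25)], "deny")

if __name__ == "__main__":
    unlisted = Packet("tcp", "198.51.100.7", "192.0.2.10", 3389)
    print("restrictive:", evaluate(*RESTRICTIVE, unlisted))
    print("connectivity-based:", evaluate(*CONNECTIVITY, unlisted))
    print("shadowed rules:", shadowed(MISORDERED[0]))
```

A service that no rule mentions is dropped by the restrictive set and passed by the connectivity-based set, which is why rule review should start with the default policy.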

Firewall Configuration Strategies

• Criteria
  – Scalable
  – Take communication needs of individual employees into account
  – Deal with IP address needs of the organization

Scalability

• Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed

Productivity

• The stronger and more elaborate the firewall, the slower the data transmissions

• Important features of firewall: processing and memory resources available to the bastion host

Dealing with IP Address Issues

• If service network needs to be privately rather than publicly accessible, which DNS will its component systems use?

• If you mix public and private addresses, how will Web server and DNS servers communicate?

• Let the proxy server do the IP forwarding (it’s the security device)

Approaches That Add Functionality to Your Firewall

• Network Address Translation (NAT)

• Port Address Translation (PAT)

• Encryption

• Application proxies

• VPNs

• Intrusion Detection and Prevention Systems (IDPSs)

NAT/PAT

• NAT and PAT convert publicly accessible IP addresses to private ones and vice versa; this shields the IP addresses of computers on the protected network from those on the outside

• Where NAT converts these addresses on a one-to-one basis (internal to external), PAT allows one external address to map to multiple internal addresses
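
The difference between the two translation schemes, as an added example that is not part of the original slides: a one-to-one NAT table beside a PAT table that multiplexes internal hosts onto one external address by port. Class names, addresses and the two-port pool are constructed for illustration.

```python
class StaticNat:
    """One-to-one NAT: every internal address has its own external address."""

    def __init__(self, pairs):
        self.to_external = dict(pairs)
        self.to_internal = {ext: inside for inside, ext in self.to_external.items()}

    def outbound(self, src_ip, src_port):
        return self.to_external[src_ip], src_port      # port is left unchanged

    def inbound(self, dst_ip, dst_port):
        inside = self.to_internal.get(dst_ip)
        return (inside, dst_port) if inside else None


class Pat:
    """PAT: internal hosts share one external address; the firewall tells
    their connections apart by the external source port it assigns."""

    def __init__(self, external_ip, first_port, last_port):
        self.external_ip = external_ip
        self.free_ports = iter(range(first_port, last_port + 1))
        self.by_internal = {}   # (internal ip, internal port) -> external port
        self.by_external = {}   # external port -> (internal ip, internal port)

    def outbound(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.by_internal:
            port = next(self.free_ports, None)
            if port is None:
                raise RuntimeError("PAT port pool exhausted")
            self.by_internal[key] = port
            self.by_external[port] = key
        return self.external_ip, self.by_internal[key]

    def inbound(self, dst_port):
        # No table entry means nobody inside opened this connection: drop it.
        return self.by_external.get(dst_port)


def demo():
    """Constructed addresses: 10.0.0.0/24 inside, 203.0.113.0/24 outside."""
    nat = StaticNat({"10.0.0.5": "203.0.113.5", "10.0.0.6": "203.0.113.6"})
    pat = Pat("203.0.113.1", first_port=40000, last_port=40001)
    results = {
        "nat_out": nat.outbound("10.0.0.5", 51000),
        "pat_a": pat.outbound("10.0.0.5", 51000),
        "pat_b": pat.outbound("10.0.0.6", 51000),   # same source port, other host
        "pat_reply": pat.inbound(40001),
        "pat_unsolicited": pat.inbound(40002),
    }
    try:
        pat.outbound("10.0.0.7", 51000)             # third flow, two-port pool
        results["pool_exhausted"] = False
    except RuntimeError:
        results["pool_exhausted"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The port pool bounds how many simultaneous connections one external address can carry, so a PAT device needs a policy for expiring idle table entries.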

Encryption

• Takes a request and turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router

• Recipient decrypts the message and presents it to the end user in understandable form

Encryption (continued)

Application Proxies

• Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy)

• Can be set up with either a dual-homed host or a screened host system

Application Proxies (continued)

• Dual-homed setup
  – Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected

• Screened subnet system
  – Host that holds proxy server software has a single network interface
  – Packet filters on either side of the host filter out all traffic except that destined for proxy server software

Application Proxies on a Dual-Homed Host

VPNs

• Connect internal hosts with specific clients in other organizations

• Connections are encrypted and limited only to machines with specific IP addresses

• VPN gateway can:
  – Go on a DMZ
  – Bypass the firewall and connect directly to the internal LAN

VPN Gateway Bypassing the Firewall

Intrusion Detection and Prevention Systems

• Can be installed in external and/or internal routers at the perimeter of the network

• Built into many popular firewall packages

IDPS Integrated into Perimeter Routers

IDPS Positioned between Firewall and Internet

Enabling a Firewall to Meet New Needs

• Throughput

• Scalability

• Security

• Recoverability

• Manageability

Verifying Resources Needed by the Firewall

• Ways to track memory and system resources
  – Use the formula:

    MemoryUsage = ((ConcurrentConnections)/(AverageLifetime))*(AverageLifetime + 50 seconds)*120

  – Use software’s own monitoring feature

Identifying New Risks

• Monitor activities and review log files

• Check Web sites to keep informed of latest dangers; install patches and updates

Adding Software Updates and Patches

• Test updates and patches as soon as you install them

• Ask vendors (of firewall, VPN appliance, routers, etc.) for notification when security patches are available

• Check manufacturer’s Web site for security patches and software updates

Adding Hardware

• Identify network hardware so firewall can include it in routing and protection services
  – Different ways for different firewalls

• List workstations, routers, VPN appliances, and other gateways you add as the network grows

• Choose good passwords that you guard closely

Dealing with Complexity on the Network

• Distributed firewalls
  – Installed at endpoints of the network, including remote computers that connect to network through VPNs
  – Add complexity
    • Require that you install and/or maintain a variety of firewalls located on your network and in remote locations
  – Add security
    • Protect network from viruses or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)

Adhering to Proven Security Principles

• Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management
  – Secure physical environment where firewall-related equipment is housed
  – Importance of locking software so that unauthorized users cannot access it

Environmental Management

• Measures taken to reduce risks to physical environment where resources are stored
  – Back-up power systems overcome power outages
  – Back-up hardware and software help recover network data and services in case of equipment failure
  – Sprinkler/alarm systems reduce damage from fire
  – Locks guard against theft

BIOS, Boot, and Screen Locks

• BIOS and boot-up passwords

• Supervisor passwords

• Screen saver passwords

Remote Management Interface

• Software that enables you to configure and monitor firewall(s) that are located at different network locations

• Used to start/stop the firewall or change rule base from locations other than the primary computer

Why Remote Management Tools Are Important

• Reduce time and make the job easier for the security administrator

• Reduce chance of configuration errors that might result if the same changes were made manually for each firewall on the network

Security Concerns

• Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems
  – Offers strong security controls (e.g., multi-factor authentication and encryption)
  – Should have an auditing feature
  – Should use tunneling to connect to the firewall or use certificates for authentication

• Evaluate SIM software to ensure it does not introduce new vulnerabilities

Basic Features of Remote Management Tools

• Ability to monitor and configure firewalls from a single centralized location
  – View and change firewall status
  – View firewall’s current activity
  – View any firewall event or alert messages

• Ability to start and stop firewalls as needed

Automating Security Checks

• Outsource firewall management

Configuring Advanced Firewall Functions

• Ultimate goal
  – High availability
  – Scalability

• Advanced firewall functions
  – Data caching
  – Redundancy
  – Load balancing
  – Content filtering

Data Caching

• Set up a server that will:
  – Receive requests for URLs
  – Filter those requests against different criteria

• Options
  – No caching
  – URI Filtering Protocol (UFP) server
  – VPN & Firewall (one request)
  – VPN & Firewall (two requests)

Hot Standby Redundancy

• Secondary or failover firewall is configured to take over traffic duties in case primary firewall fails

• Usually involves two firewalls; only one operates at any given time

• The two firewalls are connected in a heartbeat network

Hot Standby Redundancy (continued)

Hot Standby Redundancy (continued)

• Advantages
  – Ease and economy of setup and quick backup system it provides for the network
  – One firewall can be stopped for maintenance without stopping network traffic

• Disadvantages
  – Does not improve network performance
  – VPN connections may or may not be included in the failover system

Load Balancing

• Practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems

• Load sharing
  – Practice of configuring two or more firewalls to share the total traffic load

• Traffic between firewalls is distributed by routers using special routing protocols
  – Open Shortest Path First (OSPF)
  – Border Gateway Protocol (BGP)

Load Balancing (continued)

Load Sharing

• Advantages
  – Improves total network performance
  – Maintenance can be performed on one firewall without disrupting total network traffic

• Disadvantages
  – Load usually distributed unevenly (can be remedied by using layer four switches)
  – Configuration can be complex to administer

Filtering Content

• Firewalls don’t scan for viruses but can work with third-party applications to scan for viruses or other functions
  – Open Platform for Security (OPSEC) model
  – Content Vectoring Protocol (CVP)

Filtering Content (continued)

• Install anti-virus software on SMTP gateway in addition to providing desktop anti-virus protection for each computer

• Choose an anti-virus gateway product that:
  – Provides for content filtering
  – Can be updated regularly to account for recent viruses
  – Can scan the system in real time
  – Has detailed logging capabilities

Chapter Summary

• After establishing a security policy, implement the strategies that policy specifies

• If primary goal of planned firewall is to block unauthorized access, you must emphasize restricting rather than enabling connectivity

• A firewall must be scalable so it can grow with the network it protects

Chapter Summary (continued)

• The stronger and more elaborate your firewall, the slower data transmissions are likely to be

• The more complex a network becomes, the more IP-addressing complications arise

• Network security setups can become more complex when specific functions are added

Chapter Summary (continued)

• Firewalls must be maintained regularly to assure critical measures of success are kept within acceptable levels of performance

• Successful firewall management requires adherence to principles that have been put forth by reputable organizations to ensure that firewalls and network security configurations are maintained correctly

Chapter Summary (continued)

• Remote management allows configuration and monitoring of one or more firewalls that are located at different network locations

• Ultimate goal for many organizations is the development of a high-performance firewall configuration that has high availability and that can be scaled as the organization grows; accomplished by using data caching, redundancy, load balancing, and content filtering