Firewall Configuration and Administration

Provided by: meya9
Learn more at: https://www5.csudh.edu
Transcript and Presenter's Notes

1
Firewall Configuration and Administration
2
Learning Objectives
  • Set up firewall rules that reflect an
    organization's overall security approach
  • Identify and implement different firewall
    configuration strategies
  • Update a firewall to meet new needs and threats
  • Adhere to proven security principles to help the
    firewall protect network resources

3
Learning Objectives (continued)
  • Use a remote management interface
  • Track firewall log files and follow the basic
    initial steps in responding to security incidents
  • Understand the nature of advanced firewall
    functions

4
Establishing Firewall Rules and Restrictions
  • Rules give firewalls specific criteria for making
    decisions about whether to allow packets through
    or drop them
  • All firewalls have a rules file, the most
    important configuration file on the firewall

5
The Role of the Rules File
  • Establishes the order the firewall should follow
  • Tells the firewall which packets should be
    blocked and which should be allowed
  • Requirements
    • Need for scalability
    • Importance of enabling productivity of end users
      while maintaining adequate security

6
Restrictive Firewalls
  • Block all access by default; permit only specific
    types of traffic to pass through

7
Restrictive Firewalls (continued)
  • Follow the concept of least privilege
  • Spell out services that employees cannot use
  • Use and maintain passwords
  • Choose an approach
    • Open
    • Optimistic
    • Cautious
    • Strict
    • Paranoid

8
Connectivity-Based Firewalls
  • Have fewer rules; primary orientation is to let
    all traffic pass through and then block specific
    types of traffic
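
The difference between the restrictive and connectivity-based stances shows up in traffic that no rule mentions. The sketch below is an added example, not part of the original presentation: it evaluates an ordered rule base first-match-first and applies each stance's default. The rule bases, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "drop"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def evaluate(rules, default_action, pkt):
    """Walk the rule base in order; the first match decides, else the default."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return default_action, None

ANY = "0.0.0.0/0"
# Constructed rule bases and addresses (documentation and private ranges).
RESTRICTIVE = ([Rule("allow", ANY, "192.0.2.10/32", "tcp", 443),
                Rule("allow", "10.0.0.0/8", ANY, "udp", 53)], "drop")
CONNECTIVITY = ([Rule("drop", ANY, "10.0.0.0/8", "tcp", 23),
                 Rule("drop", ANY, "10.0.0.0/8", "tcp", 3389)], "allow")

def packet(src, dst, proto, dport):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

PACKETS = {
    "https to web server": packet("198.51.100.7", "192.0.2.10", "tcp", 443),
    "telnet to inside": packet("198.51.100.7", "10.1.1.5", "tcp", 23),
    "unlisted service to inside": packet("198.51.100.7", "10.1.1.5", "tcp", 5900),
}

def compare():
    """Map each packet to (restrictive verdict, connectivity-based verdict)."""
    return {name: (evaluate(*RESTRICTIVE, p)[0], evaluate(*CONNECTIVITY, p)[0])
            for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:28} restrictive={verdicts[0]:5} connectivity={verdicts[1]}")
```

The third packet is the one to watch: a service nobody listed is dropped by the restrictive rule base and passed by the connectivity-based one.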

9
Firewall Configuration Strategies
  • Criteria
    • Scalable
    • Take communication needs of individual employees
      into account
    • Deal with IP address needs of the organization

10
Scalability
  • Provide for the firewall's growth by recommending
    a periodic review and upgrading software and
    hardware as needed

11
Productivity
  • The stronger and more elaborate the firewall, the
    slower the data transmissions
  • Important features of firewall: processing and
    memory resources available to the bastion host

12
Dealing with IP Address Issues
  • If service network needs to be privately rather
    than publicly accessible, which DNS will its
    component systems use?
  • If you mix public and private addresses, how will
    Web server and DNS servers communicate?
  • Let the proxy server do the IP forwarding (it's
    the security device)

13
Approaches That Add Functionality to Your Firewall
  • Network Address Translation (NAT)
  • Port Address Translation (PAT)
  • Encryption
  • Application proxies
  • VPNs
  • Intrusion Detection and Prevention Systems (IDPSs)

14
NAT/PAT
  • NAT and PAT convert publicly accessible IP
    addresses to private ones and vice versa; shields
    IP addresses of computers on the protected
    network from those on the outside
  • Where NAT converts these addresses on a
    one-to-one association (internal to external), PAT
    allows one external address to map to multiple
    internal addresses

15
Encryption
  • Takes a request and turns it into gibberish using
    a private key; exchanges the public key with the
    recipient firewall or router
  • Recipient decrypts the message and presents it to
    the end user in understandable form

16
Encryption (continued)
17
Application Proxies
  • Act on behalf of a host; receive requests,
    rebuild them from scratch, and forward them to
    the intended location as though the request
    originated with it (the proxy)
  • Can be set up with either a dual-homed host or a
    screened host system

18
Application Proxies (continued)
  • Dual-homed setup
    • Host that contains the firewall or proxy server
      software has two interfaces, one to the Internet
      and one to the internal network being protected
  • Screened subnet system
    • Host that holds proxy server software has a
      single network interface
    • Packet filters on either side of the host filter
      out all traffic except that destined for proxy
      server software

19
Application Proxies on a Dual-Homed Host
20
VPNs
  • Connect internal hosts with specific clients in
    other organizations
  • Connections are encrypted and limited only to
    machines with specific IP addresses
  • VPN gateway can
    • Go on a DMZ
    • Bypass the firewall and connect directly to the
      internal LAN

21
VPN Gateway Bypassing the Firewall
22
Intrusion Detection and Prevention Systems
  • Can be installed in external and/or internal
    routers at the perimeter of the network
  • Built into many popular firewall packages

23
IDPS Integrated into Perimeter Routers
24
IDPS Positioned between Firewall and Internet
25
Enabling a Firewall to Meet New Needs
  • Throughput
  • Scalability
  • Security
  • Recoverability
  • Manageability

26
Verifying Resources Needed by the Firewall
  • Ways to track memory and system resources
    • Use the formula MemoryUsage ((ConcurrentConnections)/
      (AverageLifetime))(AverageLifetime 50 seconds)120
    • Use software's own monitoring feature

27
Identifying New Risks
  • Monitor activities and review log files
  • Check Web sites to keep informed of latest
    dangers; install patches and updates

28
Adding Software Updates and Patches
  • Test updates and patches as soon as you install
    them
  • Ask vendors (of firewall, VPN appliance, routers,
    etc.) for notification when security patches are
    available
  • Check manufacturer's Web site for security
    patches and software updates

29
Adding Hardware
  • Identify network hardware so firewall can include
    it in routing and protection services
  • Different ways for different firewalls
  • List workstations, routers, VPN appliances, and
    other gateways you add as the network grows
  • Choose good passwords that you guard closely

30
Dealing with Complexity on the Network
  • Distributed firewalls
  • Installed at endpoints of the network, including
    remote computers that connect to network through
    VPNs
  • Add complexity
  • Require that you install and/or maintain a
    variety of firewalls located on your network and
    in remote locations
  • Add security
  • Protect network from viruses or other attacks
    that can originate from machines that use VPNs to
    connect (e.g., remote laptops)

31
Adhering to Proven Security Principles
  • Generally Accepted System Security Principles
    (GASSP) apply to ongoing firewall management
  • Secure physical environment where
    firewall-related equipment is housed
  • Importance of locking software so that
    unauthorized users cannot access it

32
Environmental Management
  • Measures taken to reduce risks to physical
    environment where resources are stored
  • Back-up power systems overcome power outages
  • Back-up hardware and software help recover
    network data and services in case of equipment
    failure
  • Sprinkler/alarm systems reduce damage from fire
  • Locks guard against theft

33
BIOS, Boot, and Screen Locks
  • BIOS and boot-up passwords
  • Supervisor passwords
  • Screen saver passwords

34
Remote Management Interface
  • Software that enables you to configure and
    monitor firewall(s) that are located at different
    network locations
  • Used to start/stop the firewall or change rule
    base from locations other than the primary
    computer

35
Why Remote Management Tools Are Important
  • Reduce time and make the job easier for the
    security administrator
  • Reduce chance of configuration errors that might
    result if the same changes were made manually for
    each firewall on the network

36
Security Concerns
  • Can use a Security Information Management (SIM)
    device to prevent unauthorized users from
    circumventing security systems
  • Offers strong security controls (e.g.,
    multi-factor authentication and encryption)
  • Should have an auditing feature
  • Should use tunneling to connect to the firewall
    or use certificates for authentication
  • Evaluate SIM software to ensure it does not
    introduce new vulnerabilities

37
Basic Features of Remote Management Tools
  • Ability to monitor and configure firewalls from a
    single centralized location
  • View and change firewall status
  • View firewall's current activity
  • View any firewall event or alert messages
  • Ability to start and stop firewalls as needed

38
Automating Security Checks
  • Outsource firewall management

39
Configuring Advanced Firewall Functions
  • Ultimate goal
    • High availability
    • Scalability
  • Advanced firewall functions
    • Data caching
    • Redundancy
    • Load balancing
    • Content filtering

40
Data Caching
  • Set up a server that will
    • Receive requests for URLs
    • Filter those requests against different criteria
  • Options
    • No caching
    • URI Filtering Protocol (UFP) server
    • VPN Firewall (one request)
    • VPN Firewall (two requests)

41
Hot Standby Redundancy
  • Secondary or failover firewall is configured to
    take over traffic duties in case primary firewall
    fails
  • Usually involves two firewalls; only one operates
    at any given time
  • The two firewalls are connected in a heartbeat
    network

42
Hot Standby Redundancy (continued)
43
Hot Standby Redundancy (continued)
  • Advantages
    • Ease and economy of setup and quick backup system
      it provides for the network
    • One firewall can be stopped for maintenance
      without stopping network traffic
  • Disadvantages
    • Does not improve network performance
    • VPN connections may or may not be included in the
      failover system

44
Load Balancing
  • Practice of balancing the load placed on the
    firewall so that it is handled by two or more
    firewall systems
  • Load sharing
    • Practice of configuring two or more firewalls to
      share the total traffic load
    • Traffic between firewalls is distributed by
      routers using special routing protocols
      • Open Shortest Path First (OSPF)
      • Border Gateway Protocol (BGP)

45
Load Balancing (continued)
46
Load Sharing
  • Advantages
    • Improves total network performance
    • Maintenance can be performed on one firewall
      without disrupting total network traffic
  • Disadvantages
    • Load usually distributed unevenly (can be
      remedied by using layer four switches)
    • Configuration can be complex to administer

47
Filtering Content
  • Firewalls don't scan for viruses but can work
    with third-party applications to scan for viruses
    or other functions
  • Open Platform for Security (OPSEC) model
  • Content Vectoring Protocol (CVP)

48
Filtering Content (continued)
  • Install anti-virus software on SMTP gateway in
    addition to providing desktop anti-virus
    protection for each computer
  • Choose an anti-virus gateway product that
    • Provides for content filtering
    • Can be updated regularly to account for recent
      viruses
    • Can scan the system in real time
    • Has detailed logging capabilities

49
Chapter Summary
  • After establishing a security policy, implement
    the strategies that policy specifies
  • If primary goal of planned firewall is to block
    unauthorized access, you must emphasize
    restricting rather than enabling connectivity
  • A firewall must be scalable so it can grow with
    the network it protects

50
Chapter Summary (continued)
  • The stronger and more elaborate your firewall,
    the slower data transmissions are likely to be
  • The more complex a network becomes, the more
    IP-addressing complications arise
  • Network security setups can become more complex
    when specific functions are added

51
Chapter Summary (continued)
  • Firewalls must be maintained regularly to assure
    critical measures of success are kept within
    acceptable levels of performance
  • Successful firewall management requires adherence
    to principles that have been put forth by
    reputable organizations to ensure that firewalls
    and network security configurations are
    maintained correctly

52
Chapter Summary (continued)
  • Remote management allows configuration and
    monitoring of one or more firewalls that are
    located at different network locations
  • Ultimate goal for many organizations is the
    development of a high-performance firewall
    configuration that has high availability and that
    can be scaled as the organization grows;
    accomplished by using data caching, redundancy,
    load balancing, and content filtering