ISA 3200 NETWORK SECURITY

thoughtlessskytop, Networks and Communications

29 Oct 2013 (4 years and 9 days ago)

ISA 3200

NETWORK SECURITY

Chapter 8: Firewall Configuration and Administration

Learning Objectives

7/12


Set up firewall rules that reflect an
organization’s overall security approach


Identify and implement different firewall
configuration strategies


Update a firewall to meet new needs and
threats


Adhere to proven security principles to
help the firewall protect network
resources

IS 3200, Summer 2010


2

Learning Objectives (continued)

Use a remote management interface


Track firewall log files and follow the
basic initial steps in responding to
security incidents


Understand the nature of advanced
firewall functions

Establishing Firewall Rules and
Restrictions

Rules give firewalls specific criteria for
making decisions about whether to allow
packets through or drop them


All firewalls have a rules file: the most important configuration file on the firewall

The Role of the Rules File

Establishes the order the firewall should
follow


Tells the firewall which packets should be
blocked and which should be allowed


Requirements


Need for scalability


Importance of enabling productivity of end
users while maintaining adequate security

Restrictive Firewalls

Block all access by default; permit only
specific types of traffic to pass through

Restrictive Firewalls (continued)

Follow the concept of least privilege


Spell out services that employees cannot
use


Use and maintain passwords


Choose an approach


Open


Optimistic


Cautious


Strict


Paranoid

Connectivity-Based Firewalls

Have fewer rules; primary orientation is to
let all traffic pass through and then block
specific types of traffic
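The contrast between a restrictive (default-drop) rules file and a connectivity-based (default-allow) one, and the fact that the rules file also fixes the order in which rules are consulted, can be seen in a small first-match rule evaluator. This is an added example, not code from the slides; the rule format, the networks (documentation ranges) and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

def decide(rules, default, pkt):
    """Walk the rules file top to bottom; the first match wins, else the default applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Restrictive rules file: drop everything by default, permit only the listed services.
RESTRICTIVE = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),  # public HTTPS server
    Rule("allow", src="10.0.0.0/8", proto="udp", dport=53),      # internal DNS lookups
]
# Connectivity-based rules file: let everything through, then block specific traffic.
CONNECTIVITY = [
    Rule("drop", proto="tcp", dport=23),                    # no Telnet anywhere
    Rule("drop", src="10.0.0.0/8", proto="tcp", dport=25),  # no direct outbound SMTP
]

SAMPLE_PACKETS = [  # constructed traffic: external->web, external Telnet, internal->8080
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 23},
    {"src": "10.1.2.3", "dst": "203.0.113.9", "proto": "tcp", "dport": 8080},
]

def compare(packets):
    """Verdict of each approach per packet: (restrictive, connectivity-based)."""
    return [(decide(RESTRICTIVE, "drop", p), decide(CONNECTIVITY, "allow", p)) for p in packets]

def order_demo(pkt):
    """Same two rules in swapped order: the order in the rules file decides the outcome."""
    block_net = Rule("drop", src="198.51.100.0/24")                         # a blocked external network
    allow_web = Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443)
    return (decide([block_net, allow_web], "drop", pkt),
            decide([allow_web, block_net], "drop", pkt))
```

The third sample packet shows the productivity cost of the restrictive approach: a new internal service is dropped until someone writes a rule for it, while the connectivity-based file lets it through unasked.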

Firewall Configuration Strategies

Criteria


Scalable


Take communication needs of individual
employees into account


Deal with IP address needs of the
organization

Scalability

Provide for the firewall’s growth by
recommending a periodic review and
upgrading software and hardware as
needed

Productivity

The stronger and more elaborate the
firewall, the slower the data transmissions


Important features of firewall: processing
and memory resources available to the
bastion host

Dealing with IP Address Issues

If service network needs to be privately
rather than publicly accessible, which DNS
will its component systems use?


If you mix public and private addresses,
how will Web server and DNS servers
communicate?


Let the proxy server do the IP forwarding
(it’s the security device)

Approaches That Add Functionality to
Your Firewall

Network Address Translation (NAT)


Port Address Translation (PAT)


Encryption


Application proxies


VPNs


Intrusion Detection and Prevention
Systems (IDPSs)

NAT/PAT

NAT and PAT convert publicly accessible IP addresses to private ones and vice versa; this shields the IP addresses of computers on the protected network from those on the outside


Where NAT converts these addresses on a one-to-one association (internal to external), PAT allows one external address to map to multiple internal addresses
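The one-to-one mapping of NAT versus the many-to-one, port-distinguished mapping of PAT, and the way PAT leaves no path for an unsolicited inbound packet, as an added example that is not part of the slides; the addresses and port range are constructed.

```python
from itertools import count

class Nat:
    """One-to-one NAT: each internal address is paired with its own external address."""
    def __init__(self, pairs):
        self.out = dict(pairs)                                   # internal ip -> external ip
        self.back = {ext: internal for internal, ext in self.out.items()}

    def outbound(self, src, sport):
        return self.out[src], sport                              # address rewritten, port unchanged

    def inbound(self, dst, dport):
        return self.back.get(dst), dport                         # None if no static mapping exists

class Pat:
    """PAT: many internal addresses share one external address, told apart by port."""
    def __init__(self, external, first_port=40000):
        self.external = external
        self.next_port = count(first_port)                       # constructed port pool
        self.table = {}    # (internal ip, internal port) -> external port
        self.reverse = {}  # external port -> (internal ip, internal port)

    def outbound(self, src, sport):
        key = (src, sport)
        if key not in self.table:                                # new flow: allocate a fresh port
            port = next(self.next_port)
            self.table[key] = port
            self.reverse[port] = key
        return self.external, self.table[key]

    def inbound(self, dst, dport):
        # Only ports allocated by an earlier outbound flow translate back; an unsolicited
        # packet from outside has no entry, which is how PAT hides the internal hosts.
        if dst != self.external:
            return None
        return self.reverse.get(dport)

def demo():
    """Constructed scenario: one host under NAT, two hosts sharing one address under PAT."""
    nat = Nat({"10.0.0.5": "203.0.113.5"})
    pat = Pat("203.0.113.1")
    return {
        "nat_out": nat.outbound("10.0.0.5", 51000),
        "pat_a": pat.outbound("10.0.0.5", 51000),              # first host, first flow
        "pat_b": pat.outbound("10.0.0.6", 51000),              # second host, same source port
        "pat_reply_b": pat.inbound("203.0.113.1", 40001),      # reply to the second flow
        "pat_unsolicited": pat.inbound("203.0.113.1", 22),     # nobody opened this from inside
    }
```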

Encryption

Takes a request and turns it into gibberish
using a private key; exchanges the public
key with the recipient firewall or router


Recipient decrypts the message and
presents it to the end user in
understandable form

Encryption (continued)

Application Proxies

Act on behalf of a host; receive requests,
rebuild them from scratch, and forward
them to the intended location as though
the request originated with it (the proxy)


Can be set up with either a dual-homed host or a screened host system

Application Proxies (continued)

Dual-homed setup


Host that contains the firewall or proxy
server software has two interfaces, one to the
Internet and one to the internal network
being protected


Screened subnet system


Host that holds proxy server software has a
single network interface


Packet filters on either side of the host filter
out all traffic except that destined for proxy
server software

Application Proxies on a Dual-Homed Host

VPNs

Connect internal hosts with specific
clients in other organizations


Connections are encrypted and limited
only to machines with specific IP
addresses


VPN gateway can:


Go on a DMZ


Bypass the firewall and connect directly to
the internal LAN

VPN Gateway Bypassing the Firewall

Intrusion Detection and Prevention
Systems

Can be installed in external and/or
internal routers at the perimeter of the
network


Built into many popular firewall packages

IDPS Integrated into Perimeter Routers

IDPS Positioned between Firewall and
Internet

Enabling a Firewall to Meet New Needs

Throughput


Scalability


Security


Recoverability


Manageability

Verifying Resources Needed by the
Firewall

Ways to track memory and system
resources


Use the formula:

MemoryUsage = (ConcurrentConnections / AverageLifetime) * (AverageLifetime + 50 seconds) * 120


Use software’s own monitoring feature

Identifying New Risks

Monitor activities and review log files


Check Web sites to keep informed of
latest dangers; install patches and
updates

Adding Software Updates and Patches

Test updates and patches as soon as you
install them


Ask vendors (of firewall, VPN appliance,
routers, etc.) for notification when
security patches are available


Check manufacturer’s Web site for
security patches and software updates

Adding Hardware

Identify network hardware so firewall can
include it in routing and protection
services


Different ways for different firewalls


List workstations, routers, VPN
appliances, and other gateways you add
as the network grows


Choose good passwords that you guard
closely

Dealing with Complexity on the
Network

Distributed firewalls


Installed at endpoints of the network, including
remote computers that connect to network
through VPNs


Add complexity


Require that you install and/or maintain a variety of
firewalls located on your network and in remote
locations


Add security


Protect network from viruses or other attacks that
can originate from machines that use VPNs to connect
(e.g., remote laptops)

Adhering to Proven Security Principles

Generally Accepted System Security
Principles (GASSP) apply to ongoing
firewall management


Secure physical environment where firewall-related equipment is housed


Importance of locking software so that
unauthorized users cannot access it

Environmental Management

Measures taken to reduce risks to physical
environment where resources are stored


Back-up power systems overcome power outages


Back-up hardware and software help recover network data and services in case of equipment failure


Sprinkler/alarm systems reduce damage
from fire


Locks guard against theft

BIOS, Boot, and Screen Locks

BIOS and boot-up passwords


Supervisor passwords


Screen saver passwords

Remote Management Interface

Software that enables you to configure
and monitor firewall(s) that are located at
different network locations


Used to start/stop the firewall or change
rule base from locations other than the
primary computer

Why Remote Management Tools Are
Important

Reduce time and make the job easier for
the security administrator


Reduce chance of configuration errors
that might result if the same changes
were made manually for each firewall on
the network

Security Concerns

Can use a Security Information
Management (SIM) device to prevent
unauthorized users from circumventing
security systems


Offers strong security controls (e.g., multi-factor authentication and encryption)


Should have an auditing feature


Should use tunneling to connect to the
firewall or use certificates for authentication


Evaluate SIM software to ensure it does
not introduce new vulnerabilities

Basic Features of Remote Management
Tools

Ability to monitor and configure firewalls
from a single centralized location


View and change firewall status


View firewall’s current activity


View any firewall event or alert messages


Ability to start and stop firewalls as
needed

Automating Security Checks

Outsource firewall management

Configuring Advanced Firewall
Functions

Ultimate goal


High availability


Scalability


Advanced firewall functions


Data caching


Redundancy


Load balancing


Content filtering

Data Caching

Set up a server that will:


Receive requests for URLs


Filter those requests against different criteria


Options


No caching


URI Filtering Protocol (UFP) server


VPN & Firewall (one request)


VPN & Firewall (two requests)

Hot Standby Redundancy

Secondary or failover firewall is
configured to take over traffic duties in
case primary firewall fails


Usually involves two firewalls; only one
operates at any given time


The two firewalls are connected in a
heartbeat network
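How the heartbeat network drives the failover decision, so that only one of the two firewalls carries traffic at any time, as an added example that is not from the slides. The unit names, the three-second timeout and the choice that the primary takes traffic back once its heartbeats return are assumptions made for the illustration.

```python
class HotStandbyPair:
    """Chooses which of two firewalls carries traffic, from heartbeats seen on the heartbeat network."""

    def __init__(self, primary, secondary, timeout):
        self.primary, self.secondary, self.timeout = primary, secondary, timeout
        self.last_seen = {primary: None, secondary: None}  # time of the last heartbeat per unit
        self.active = primary                                # only one firewall operates at a time

    def heartbeat(self, name, now):
        self.last_seen[name] = now

    def alive(self, name, now):
        seen = self.last_seen[name]
        return seen is not None and now - seen <= self.timeout

    def select(self, now):
        """Primary carries traffic while it is alive; otherwise the secondary takes over.
        Assumed design choice: the primary preempts as soon as its heartbeats return."""
        if self.alive(self.primary, now):
            self.active = self.primary
        elif self.alive(self.secondary, now):
            self.active = self.secondary
        # if neither unit is heard from, keep the last known active unit rather than flap
        return self.active

TICKS = [  # constructed: which units sent a heartbeat during each one-second tick
    ("fw-primary", "fw-standby"),
    ("fw-primary", "fw-standby"),
    ("fw-standby",),                 # t=2: primary taken down for maintenance
    ("fw-standby",),
    ("fw-standby",),
    ("fw-standby",),                 # t=5: primary silent longer than the timeout -> failover
    ("fw-primary", "fw-standby"),    # t=6: primary back on the heartbeat network
]

def simulate(ticks, timeout=3):
    """Return the unit carrying traffic at each tick."""
    pair = HotStandbyPair("fw-primary", "fw-standby", timeout)
    log = []
    for t, senders in enumerate(ticks):
        for name in senders:
            pair.heartbeat(name, t)
        log.append(pair.select(t))
    return log

if __name__ == "__main__":
    print(simulate(TICKS))
```

Note that nothing here carries connection state across the switch; whether existing sessions (VPN tunnels in particular) survive the failover depends on what the two firewalls replicate, which the slides flag as a separate question.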

Hot Standby Redundancy (continued)

Hot Standby Redundancy (continued)

Advantages


Ease and economy of setup and quick backup
system it provides for the network


One firewall can be stopped for maintenance
without stopping network traffic


Disadvantages


Does not improve network performance


VPN connections may or may not be included
in the failover system

Load Balancing

Practice of balancing the load placed on
the firewall so that it is handled by two or
more firewall systems


Load sharing


Practice of configuring two or more firewalls
to share the total traffic load


Traffic between firewalls is distributed by
routers using special routing protocols


Open Shortest Path First (OSPF)


Border Gateway Protocol (BGP)

Load Balancing (continued)

Load Sharing

Advantages


Improves total network performance


Maintenance can be performed on one
firewall without disrupting total network
traffic


Disadvantages


Load usually distributed unevenly (can be
remedied by using layer four switches)


Configuration can be complex to administer

Filtering Content

Firewalls don’t scan for viruses but can work with third-party applications to scan for viruses or other functions


Open Platform for Security (OPSEC) model


Content Vectoring Protocol (CVP)

Filtering Content (continued)

Install anti-virus software on SMTP gateway in addition to providing desktop anti-virus protection for each computer


Choose an anti-virus gateway product that:


Provides for content filtering


Can be updated regularly to account for
recent viruses


Can scan the system in real time


Has detailed logging capabilities

Chapter Summary

After establishing a security policy,
implement the strategies that policy specifies


If primary goal of planned firewall is to block
unauthorized access, you must emphasize
restricting rather than enabling connectivity


A firewall must be scalable so it can grow
with the network it protects


The stronger and more elaborate your
firewall, the slower data transmissions are
likely to be


The more complex a network becomes, the more IP-addressing complications arise

Chapter Summary (continued)

Network security setups can become more
complex when specific functions are added


Firewalls must be maintained regularly to
assure critical measures of success are kept
within acceptable levels of performance


Successful firewall management requires
adherence to principles that have been put
forth by reputable organizations to ensure
that firewalls and network security
configurations are maintained correctly

Chapter Summary (continued)

Remote management allows configuration
and monitoring of one or more firewalls that
are located at different network locations


Ultimate goal for many organizations is the development of a high-performance firewall configuration that has high availability and that can be scaled as the organization grows; accomplished by using data caching, redundancy, load balancing, and content filtering
