Guide to Firewalls and Network Security with Intrusion Detection and ...


Nov 20, 2013


Ongoing Administration

Chapter 11

Learning Objectives

Learn how to evolve a firewall to meet new
needs and threats

Adhere to proven security principles to help
the firewall protect network resources

Use a remote management interface

Track log files for security

Learning Objectives (continued)

Follow basic initial steps in responding to
security incidents

Take advanced firewall functions into
account when administering a firewall

Making Your Firewall Meet New
Needs

Throughput

Scalability

Security

Recoverability

Manageability

Verifying Resources Needed by
the Firewall

Ways to track memory and system
resources


Use the formula:

MemoryUsage = (ConcurrentConnections / AverageLifetime) * (AverageLifetime + 50 seconds) * 120


Use software’s own monitoring feature


Allocating More Memory

Identifying New Risks

Monitor activities and review log files

Check Web sites to keep informed of latest
dangers; install patches and updates

Adding Software Updates and
Patches

Test updates and patches as soon as you
install them

Ask vendors (of firewall, VPN appliance,
routers, etc.) for notification when security
patches are available

Check manufacturer’s Web site for security
patches and software updates

Using an Automated Update
Feature

Obtaining Updates from the
Vendor’s Web Site

Adding Hardware

Identify network hardware so firewall can
include it in routing and protection services


Different ways for different firewalls

List workstations, routers, VPN appliances,
and other gateways you add as the network
grows

Choose good passwords that you guard
closely

Dealing with Complexity on the
Network

Distributed firewalls


Installed at endpoints of the network, including remote
computers that connect to network through VPNs


Add complexity


Require that you install and/or maintain a variety of firewalls
located on your network and in remote locations


Add security


Protect network from viruses or other attacks that can originate
from machines that use VPNs to connect (e.g., remote laptops)


Adhering to Proven Security
Principles

Generally Accepted System Security
Principles (GASSP) apply to ongoing
firewall management


Secure physical environment where firewall-related equipment is housed


Importance of locking software so that
unauthorized users cannot access it

Environmental Management

Measures taken to reduce risks to physical
environment where resources are stored


Back-up power systems overcome power outages


Back-up hardware and software help recover network
data and services in case of equipment failure


Sprinkler/alarm systems reduce damage from fire


Locks guard against theft

BIOS, Boot, and Screen Locks

BIOS and boot-up passwords

Supervisor passwords

Screen saver passwords

Using Remote Management
Interface

Software that enables you to configure and
monitor firewall(s) that are located on
different network locations

Used to start/stop the firewall or change
rulebase from locations other than the
primary computer

Why Remote Management Tools
Are Important

Reduce time and make the job easier for the
security administrator

Reduce chance of configuration errors that
might result if the same changes were made
manually for each firewall on the network

Security Concerns with Remote
Management Tools

Can use a Security Information Management
(SIM) device to prevent unauthorized users from
circumventing security systems


Offers strong security controls (e.g., multi-factor
authentication and encryption)


Should have an auditing feature


Should use tunneling to connect to the firewall or use
certificates for authentication

Evaluate SIM software to ensure it does not
introduce new vulnerabilities

Basic Features Required of
Remote Management Tools

Ability to monitor and configure firewalls
from a single centralized location


View and change firewall status


View firewall’s current activity


View any firewall event or alert messages

Ability to start and stop firewalls as needed

Tracking Contents of Log Files
for Security

Reviewing log files can help detect break-ins that
have occurred and possibly help track down intruders

Tips for managing log files


Prepare usage reports


Watch for suspicious events


Automate security checks

Preparing Usage Reports

Sort logs by time of day and per hour

Check logs to learn when peak traffic times
are on the network

Identify services that consume the largest
part of available bandwidth


Suspicious Events to Watch For

Rejected connection attempts

Denied connections

Error messages

Dropped packets

Successful logons to critical resources
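The usage report and the watch list of suspicious events above can be automated over the firewall's own logs. The following is an added example, not code from the original slides; it assumes a hypothetical "key=value" log format (constructed here) rather than any vendor's real syntax.

```python
import re
from collections import Counter

# Constructed firewall log lines in a hypothetical "key=value" format; not any vendor's real syntax.
SAMPLE_LOG = """\
2013-11-20 09:01:12 ACCEPT src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=443 bytes=18240
2013-11-20 09:02:40 DENY src=203.0.113.7 dst=10.0.1.20 proto=tcp dport=22 bytes=0
2013-11-20 09:02:41 DENY src=203.0.113.7 dst=10.0.1.20 proto=tcp dport=23 bytes=0
2013-11-20 09:02:42 DENY src=203.0.113.7 dst=10.0.1.20 proto=tcp dport=3389 bytes=0
2013-11-20 09:15:03 ACCEPT src=10.0.0.9 dst=10.0.1.30 proto=tcp dport=80 bytes=5120
2013-11-20 10:07:55 ACCEPT src=10.0.0.5 dst=10.0.1.20 proto=tcp dport=443 bytes=22000
2013-11-20 10:08:10 DROP src=198.51.100.4 dst=10.0.1.20 proto=udp dport=161 bytes=0
2013-11-20 10:09:00 LOGIN src=10.0.0.77 dst=10.0.1.1 user=admin result=success
this line is malformed and must be skipped, not crash the report
"""

LINE_RE = re.compile(r"^\S+ (\d\d):\d\d:\d\d (\w+) (.*)$")

def parse(log_text):
    """Yield (hour, action, fields) for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hour, action, rest = m.groups()
            yield int(hour), action, dict(kv.split("=", 1) for kv in rest.split())

def usage_report(log_text):
    """Accepted connections per hour (peak times) and bytes per destination port (service)."""
    per_hour, per_service = Counter(), Counter()
    for hour, action, f in parse(log_text):
        if action == "ACCEPT":
            per_hour[hour] += 1
            per_service[f["dport"]] += int(f["bytes"])
    return per_hour, per_service

def suspicious_events(log_text, deny_threshold=3):
    """Flag repeated denied/dropped connections per source and successful logons to critical hosts."""
    denies, findings = Counter(), []
    for _, action, f in parse(log_text):
        if action in ("DENY", "DROP"):
            denies[f["src"]] += 1
        elif action == "LOGIN" and f.get("result") == "success":
            findings.append(("critical-logon", f["src"], f.get("user")))
    findings += [("repeated-deny", src, n) for src, n in denies.items() if n >= deny_threshold]
    return findings
```

The deny threshold is a tuning knob: set it from the usage report's own baseline so that a single mistyped port does not page the administrator.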

Responding to Suspicious Events

Firewall options


Block only this connection


Block access of this source


Block access to this destination

Track the attacks

Locate and prosecute the offenders

Tools for Tracking Attacks

Sam Spade

Netstat

NetCat

Compiling Legal Evidence

1. Identify which computer or media may contain evidence

2. Shut down computer and isolate work area until computer forensic specialist arrives

3. Write protect removable media

4. Preserve evidence (make a mirror image) so it is not manipulated

Compiling Legal Evidence (continued)

5. Examine the mirror image, not the original

6. Review log files and other data; report findings to management

7. Preserve evidence by making a “forensically sound” copy

Compiling Legal Evidence

Observe the three As of computer forensics


Acquire


Authenticate


Analyze

Automating Security Checks

Outsource firewall management

Security Breaches Will Happen!

Use software designed to detect attacks and
send alert notifications

Take countermeasures to minimize damage

Take steps to prevent future attacks

Using an Intrusion Detection
System (IDS)

Detects whether network or server has
experienced an unauthorized access attempt

Sends notification to appropriate network
administrators

Considerations when choosing


Location


Intrusion events to be gathered

Network-based versus host-based IDS

Signature-based versus heuristic IDS

Network-Based IDS

Tracks traffic patterns on entire network segment

Collects raw network packets; looks at packet
headers; determines presence of known signatures
that match common intrusion attempts; takes
action based on contents

Good choice if network has been subject to
malicious activity (e.g., port scanning)

Usually OS-independent

Minimal impact on network performance

Host-Based IDS

Collects data from individual computer on which
it resides

Reviews audit and system logs, looking for
signatures

Can perform intrusion detection in a network
where traffic is usually encrypted

Needs no additional hardware

Cannot detect port scans or other intrusion
attempts that target entire network

Signature-Based IDS

Stores signature information in a database


Database requires periodic updating

Can work with either host-based or network-based IDS

Often closely tied to specific hardware and
operating system

Provides fewer false alarms than heuristic
IDS

Heuristic IDS

Compares traffic patterns against “normal
activity” and sets off an alarm if pattern
deviates

Can identify any possible attack

Generates high rate of false alarms
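The trade-off between the two IDS styles above can be seen in a few lines. The following is an added example, not code from the original slides: it runs a one-entry signature database and a simple "normal activity" profile over constructed connection events (all addresses, payloads and training counts are made up for the demonstration).

```python
import statistics
from collections import defaultdict

# Constructed connection events (src, dport, payload); not from any real capture.
EVENTS = (
    [("10.0.0.5", 80, b"GET /index.html HTTP/1.1"), ("10.0.0.5", 443, b"")]
    + [("10.0.0.7", 80, b"GET /docs HTTP/1.1")]
    + [("203.0.113.9", 80, b"GET /../../secret.txt HTTP/1.1")]     # matches a signature
    + [("198.51.100.4", p, b"") for p in (21, 22, 23, 25, 80, 110)]  # touches many ports
    + [("10.0.0.12", 80, b"GET /report HTTP/1.1")] * 41             # busy but legitimate host
)
# Per-source connection counts observed during a known-good training period (constructed).
NORMAL_COUNTS = [3, 4, 5, 4, 3, 5, 4, 6]

# The signature database: exact byte patterns of known attacks; needs periodic updating.
SIGNATURES = {"directory-traversal": b"../.."}

def signature_alerts(events, signatures=SIGNATURES):
    """Signature-based IDS: alert only on exact matches, so few false alarms."""
    return [(name, src) for src, _, payload in events
            for name, pattern in signatures.items() if pattern in payload]

def heuristic_alerts(events, normal_counts=NORMAL_COUNTS, k=3.0, scan_ports=5):
    """Heuristic IDS: alert when a source deviates from the 'normal activity' profile."""
    threshold = statistics.mean(normal_counts) + k * statistics.pstdev(normal_counts)
    counts, ports = defaultdict(int), defaultdict(set)
    for src, dport, _ in events:
        counts[src] += 1
        ports[src].add(dport)
    alerts = []
    for src in counts:
        if len(ports[src]) >= scan_ports:            # one source probing many ports
            alerts.append(("port-scan", src))
        if counts[src] > threshold:                  # unusually high connection volume
            alerts.append(("volume-anomaly", src))
    return alerts
```

The signature check misses the port scan (no byte pattern to match) while the heuristic check flags it but also raises a false alarm on the busy legitimate host, which is the behaviour the two slides above describe.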

Receiving Security Alerts

A good IDS:


Notifies appropriate individuals (e.g., via e-mail,
alert, pager, or log)


Provides information about the type of event


Provides information about where in the
network the intrusion attempt took place

When an Intrusion Occurs

React rationally; don’t panic

Use alerts to begin assessment

Analyze what resources were hit and what damage
occurred


Perform real-time analysis of network traffic to detect
unusual patterns


Check to see if any ports that are normally unused have
been accessed

Use a network auditing tool (e.g., Tripwire)

During and After Intrusion

Document the existence of:


Executables that were added to the system


Files that were


Placed on the computer


Deleted


Accessed by unauthorized users


Web pages that were defaced


E-mail messages that were sent as a result of the attack

Document your response to the intrusion
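The three As of computer forensics (Acquire, Authenticate, Analyze) and the documentation list above can be tied together with a Tripwire-style file baseline. The following is an added example, not code from the original slides or from Tripwire: it builds a constructed "system" directory, simulates an intrusion, acquires a write-protected copy, authenticates it by hash, and analyzes the copy (never the original) against the pre-intrusion baseline to document added, deleted and modified files.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file under root to its SHA-256 (a Tripwire-style integrity baseline)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            out[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return out

def acquire(original, image):
    """Acquire: copy the evidence tree, write-protect the copy, and record its hashes."""
    shutil.copytree(original, image)
    for dirpath, _, names in os.walk(image):
        for name in names:
            os.chmod(os.path.join(dirpath, name), 0o444)
    return manifest(image)

def authenticate(acquisition, image):
    """Authenticate: the copy is sound only if every hash still matches the acquisition record."""
    return manifest(image) == acquisition

def analyze(baseline, img):
    """Analyze the image (never the original) against the pre-intrusion baseline."""
    added = sorted(set(img) - set(baseline))
    deleted = sorted(set(baseline) - set(img))
    modified = sorted(p for p in baseline if p in img and baseline[p] != img[p])
    return added, deleted, modified

def run_demo():
    """Constructed scenario: baseline a system, simulate an intrusion, then apply the three As."""
    work = Path(tempfile.mkdtemp())
    system = work / "system"
    system.mkdir()
    (system / "login").write_bytes(b"original login binary")
    (system / "index.html").write_bytes(b"<h1>Welcome</h1>")
    (system / "motd").write_bytes(b"hello")
    baseline = manifest(system)                                   # taken while known-good
    (system / "login").write_bytes(b"trojaned login binary")      # intrusion: binary replaced
    (system / "index.html").write_bytes(b"<h1>Defaced</h1>")      # intrusion: page defaced
    (system / "dropper").write_bytes(b"added executable")         # intrusion: file added
    (system / "motd").unlink()                                    # intrusion: file deleted
    image = work / "image"
    acquisition = acquire(system, image)
    assert authenticate(acquisition, image), "image failed authentication; do not analyze it"
    return analyze(baseline, acquisition)
```

The baseline manifest must be taken while the system is known-good and stored off the monitored host, otherwise an intruder can update it along with the files.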

Configuring Advanced Firewall
Functions

Ultimate goal


High availability


Scalability

Advanced firewall functions


Data caching


Redundancy


Load balancing


Content filtering

Data Caching

Set up a server that will


Receive requests for URLs


Filter those requests against different criteria

Options


No caching


URI Filtering Protocol (UFP) server


VPN & Firewall (one request)


VPN & Firewall (two requests)

Hot Standby Redundancy

Secondary or failover firewall is configured
to take over traffic duties in case primary
firewall fails

Usually involves two firewalls; only one
operates at any given time

The two firewalls are connected in a
heartbeat network


Hot Standby Redundancy

Advantages


Easy and economical to set up; provides a quick
back-up system for the network


One firewall can be stopped for maintenance
without stopping network traffic

Disadvantages


Does not improve network performance


VPN connections may or may not be included
in the failover system

Load Balancing

Practice of balancing the load placed on the
firewall so that it is handled by two or more
firewall systems

Load sharing


Practice of configuring two or more firewalls to share
the total traffic load

Traffic between firewalls is distributed by routers
using special routing protocols


Open Shortest Path First (OSPF)


Border Gateway Protocol (BGP)


Load Sharing

Advantages


Improves total network performance


Maintenance can be performed on one firewall
without disrupting total network traffic

Disadvantages


Load usually distributed unevenly (can be
remedied by using layer four switches)


Configuration can be complex to administer

Filtering Content

Firewalls don’t scan for viruses but can
work with third-party applications to scan
for viruses or other functions


Open Platform for Security (OPSEC) model


Content Vectoring Protocol (CVP)


Filtering Content Guidelines

Install anti-virus software on SMTP gateway in
addition to providing desktop anti-virus protection
for each computer

Choose an anti-virus gateway product that:


Provides for content filtering


Can be updated regularly to account for recent viruses


Can scan the system in real time


Has detailed logging capabilities

Chapter Summary

How to expand a firewall to meet new needs

Importance of observing fundamental principles of
network security when maintaining the firewall

Importance of being able to manage the firewall
remotely and having log files for review

Responding to security incidents

Advanced firewall functions