Date posted: 19-Dec-2015
Firewall Configuration and Administration
Learning Objectives
• Set up firewall rules that reflect an organization’s overall security approach
• Identify and implement different firewall configuration strategies
• Update a firewall to meet new needs and threats
• Adhere to proven security principles to help the firewall protect network resources
Learning Objectives (continued)
• Use a remote management interface
• Track firewall log files and follow the basic initial steps in responding to security incidents
• Understand the nature of advanced firewall functions
Establishing Firewall Rules and Restrictions
• Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them
• All firewalls have a rules file—the most important configuration file on the firewall
The Role of the Rules File
• Establishes the order the firewall should follow
• Tells the firewall which packets should be blocked and which should be allowed
• Requirements
– Need for scalability
– Importance of enabling productivity of end users while maintaining adequate security
Restrictive Firewalls
• Block all access by default; permit only specific types of traffic to pass through
Restrictive Firewalls (continued)
• Follow the concept of least privilege
• Spell out services that employees cannot use
• Use and maintain passwords
• Choose an approach
– Open
– Optimistic
– Cautious
– Strict
– Paranoid
Connectivity-Based Firewalls
• Have fewer rules; primary orientation is to let all traffic pass through and then block specific types of traffic
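The two default stances, and the effect of rule order, shown as an added Python example (not part of the original slides). The rule fields, addresses and rule sets are constructed for illustration, and first-match evaluation is an assumption, since products differ in how they order rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


def evaluate(rules, default, pkt):
    """Assumed first-match semantics: the first matching rule decides,
    and the default policy applies only when no rule matches."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Constructed rule sets using documentation address ranges.
ANY = "0.0.0.0/0"
RESTRICTIVE = [  # used with default "deny": list only what is permitted
    Rule("allow", ANY, "192.0.2.10/32", "tcp", 443),  # web server
    Rule("allow", ANY, "192.0.2.25/32", "tcp", 25),   # mail gateway
]
CONNECTIVITY = [  # used with default "allow": list only what is blocked
    Rule("deny", ANY, ANY, "tcp", 23),
    Rule("deny", ANY, ANY, "tcp", 3389),
]
MISORDERED = [  # broad allow placed ahead of a specific deny
    Rule("allow", ANY, "192.0.2.0/24", "tcp", None),
    Rule("deny", ANY, "192.0.2.25/32", "tcp", 23),
]

# Constructed sample packets.
WEB = {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}
UNLISTED = {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 5900}
TELNET = {"src": "198.51.100.7", "dst": "192.0.2.25", "proto": "tcp", "dport": 23}

if __name__ == "__main__":
    # Traffic nobody wrote a rule for is where the two stances differ.
    print("restrictive, unlisted: ", evaluate(RESTRICTIVE, "deny", UNLISTED))
    print("connectivity, unlisted:", evaluate(CONNECTIVITY, "allow", UNLISTED))
    # A rule-base review: the deny in MISORDERED is never reached.
    print("misordered, telnet:    ", evaluate(MISORDERED, "deny", TELNET))
    print("shadowed rule indexes: ", shadowed(MISORDERED))
```

Running `shadowed()` over a rule base before deployment is a cheap review step: any index it returns is a rule whose intent is silently overridden by an earlier, broader rule.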
Firewall Configuration Strategies
• Criteria
– Scalable
– Take communication needs of individual employees into account
– Deal with IP address needs of the organization
Scalability
• Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed
Productivity
• The stronger and more elaborate the firewall, the slower the data transmissions
• Important features of firewall: processing and memory resources available to the bastion host
Dealing with IP Address Issues
• If service network needs to be privately rather than publicly accessible, which DNS will its component systems use?
• If you mix public and private addresses, how will Web server and DNS servers communicate?
• Let the proxy server do the IP forwarding (it’s the security device)
Approaches That Add Functionality to Your Firewall
• Network Address Translation (NAT)
• Port Address Translation (PAT)
• Encryption
• Application proxies
• VPNs
• Intrusion Detection and Prevention Systems (IDPSs)
NAT/PAT
• NAT and PAT convert publicly accessible IP addresses to private ones and vice versa, shielding the IP addresses of computers on the protected network from those on the outside
• Where NAT converts these addresses on a one-to-one association—internal to external—PAT allows one external address to map to multiple internal addresses
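One-to-one NAT next to many-to-one PAT, as an added Python example (not from the original slides). The class names, addresses and port range are constructed, and the PAT table is simplified: it leaves out protocol, remote endpoint and idle timeouts.

```python
class StaticNat:
    """One-to-one NAT: each internal address owns one external address."""

    def __init__(self, pairs):
        self.out = dict(pairs)                               # internal -> external
        self.back = {ext: ins for ins, ext in self.out.items()}

    def outbound(self, src_ip, src_port):
        return self.out[src_ip], src_port                    # port is left unchanged

    def inbound(self, dst_ip, dst_port):
        inside = self.back.get(dst_ip)
        return (inside, dst_port) if inside else None        # None = no mapping, drop


class Pat:
    """PAT: many internal hosts share one external address and are
    told apart by the external source port assigned to each flow."""

    def __init__(self, external_ip, first_port=49152, last_port=65535):
        self.external_ip = external_ip
        self.free_ports = iter(range(first_port, last_port + 1))
        self.out = {}    # (internal ip, internal port) -> external port
        self.back = {}   # external port -> (internal ip, internal port)

    def outbound(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.out:
            try:
                port = next(self.free_ports)
            except StopIteration:
                # Capacity limit: one address can carry only as many
                # simultaneous flows as there are ports in the pool.
                raise RuntimeError("PAT port pool exhausted") from None
            self.out[key] = port
            self.back[port] = key
        return self.external_ip, self.out[key]

    def inbound(self, dst_ip, dst_port):
        # Only replies to flows an internal host started have an entry;
        # anything else has no internal destination and is dropped.
        if dst_ip != self.external_ip:
            return None
        return self.back.get(dst_port)


if __name__ == "__main__":
    nat = StaticNat({"10.0.0.11": "203.0.113.11"})
    print("NAT out:", nat.outbound("10.0.0.11", 40000))
    print("NAT in: ", nat.inbound("203.0.113.11", 443))

    pat = Pat("203.0.113.5", first_port=50000, last_port=50001)
    print("PAT out:", pat.outbound("10.0.0.11", 40000))
    print("PAT out:", pat.outbound("10.0.0.12", 40000))
    print("PAT reply:      ", pat.inbound("203.0.113.5", 50001))
    print("PAT unsolicited:", pat.inbound("203.0.113.5", 50002))
```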
Encryption
• Takes a request and turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router
• Recipient decrypts the message and presents it to the end user in understandable form
Application Proxies
• Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy)
• Can be set up with either a dual-homed host or a screened host system
Application Proxies (continued)
• Dual-homed setup
– Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected
• Screened subnet system
– Host that holds proxy server software has a single network interface
– Packet filters on either side of the host filter out all traffic except that destined for proxy server software
[Figure: Application Proxies on a Dual-Homed Host]
VPNs
• Connect internal hosts with specific clients in other organizations
• Connections are encrypted and limited only to machines with specific IP addresses
• VPN gateway can:
– Go on a DMZ
– Bypass the firewall and connect directly to the internal LAN
[Figure: VPN Gateway Bypassing the Firewall]
Intrusion Detection and Prevention Systems
• Can be installed in external and/or internal routers at the perimeter of the network
• Built into many popular firewall packages
[Figure: IDPS Integrated into Perimeter Routers]
[Figure: IDPS Positioned between Firewall and Internet]
Enabling a Firewall to Meet New Needs
• Throughput
• Scalability
• Security
• Recoverability
• Manageability
Verifying Resources Needed by the Firewall
• Ways to track memory and system resources
– Use the formula:
MemoryUsage = (ConcurrentConnections / AverageLifetime) * (AverageLifetime + 50 seconds) * 120
– Use software’s own monitoring feature
Identifying New Risks
• Monitor activities and review log files
• Check Web sites to keep informed of latest dangers; install patches and updates
Adding Software Updates and Patches
• Test updates and patches as soon as you install them
• Ask vendors (of firewall, VPN appliance, routers, etc.) for notification when security patches are available
• Check manufacturer’s Web site for security patches and software updates
Adding Hardware
• Identify network hardware so firewall can include it in routing and protection services
– Different ways for different firewalls
• List workstations, routers, VPN appliances, and other gateways you add as the network grows
• Choose good passwords that you guard closely
Dealing with Complexity on the Network
• Distributed firewalls
– Installed at endpoints of the network, including remote computers that connect to network through VPNs
– Add complexity
  • Require that you install and/or maintain a variety of firewalls located on your network and in remote locations
– Add security
  • Protect network from viruses or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)
Adhering to Proven Security Principles
• Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management
– Secure physical environment where firewall-related equipment is housed
– Importance of locking software so that unauthorized users cannot access it
Environmental Management
• Measures taken to reduce risks to physical environment where resources are stored
– Back-up power systems overcome power outages
– Back-up hardware and software help recover network data and services in case of equipment failure
– Sprinkler/alarm systems reduce damage from fire
– Locks guard against theft
BIOS, Boot, and Screen Locks
• BIOS and boot-up passwords
• Supervisor passwords
• Screen saver passwords
Remote Management Interface
• Software that enables you to configure and monitor firewall(s) that are located at different network locations
• Used to start/stop the firewall or change rule base from locations other than the primary computer
Why Remote Management Tools Are Important
• Reduce time and make the job easier for the security administrator
• Reduce chance of configuration errors that might result if the same changes were made manually for each firewall on the network
Security Concerns
• Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems
– Offers strong security controls (e.g., multi-factor authentication and encryption)
– Should have an auditing feature
– Should use tunneling to connect to the firewall or use certificates for authentication
• Evaluate SIM software to ensure it does not introduce new vulnerabilities
Basic Features of Remote Management Tools
• Ability to monitor and configure firewalls from a single centralized location
– View and change firewall status
– View firewall’s current activity
– View any firewall event or alert messages
• Ability to start and stop firewalls as needed
Automating Security Checks
• Outsource firewall management
Configuring Advanced Firewall Functions
• Ultimate goal
– High availability
– Scalability
• Advanced firewall functions
– Data caching
– Redundancy
– Load balancing
– Content filtering
Data Caching
• Set up a server that will:
– Receive requests for URLs
– Filter those requests against different criteria
• Options
– No caching
– URI Filtering Protocol (UFP) server
– VPN & Firewall (one request)
– VPN & Firewall (two requests)
Hot Standby Redundancy
• Secondary or failover firewall is configured to take over traffic duties in case primary firewall fails
• Usually involves two firewalls; only one operates at any given time
• The two firewalls are connected in a heartbeat network
Hot Standby Redundancy (continued)
• Advantages
– Ease and economy of setup and quick backup system it provides for the network
– One firewall can be stopped for maintenance without stopping network traffic
• Disadvantages
– Does not improve network performance
– VPN connections may or may not be included in the failover system
Load Balancing
• Practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems
• Load sharing
– Practice of configuring two or more firewalls to share the total traffic load
• Traffic between firewalls is distributed by routers using special routing protocols
– Open Shortest Path First (OSPF)
– Border Gateway Protocol (BGP)
Load Sharing
• Advantages
– Improves total network performance
– Maintenance can be performed on one firewall without disrupting total network traffic
• Disadvantages
– Load usually distributed unevenly (can be remedied by using layer four switches)
– Configuration can be complex to administer
Filtering Content
• Firewalls don’t scan for viruses but can work with third-party applications to scan for viruses or other functions
– Open Platform for Security (OPSEC) model
– Content Vectoring Protocol (CVP)
Filtering Content (continued)
• Install anti-virus software on SMTP gateway in addition to providing desktop anti-virus protection for each computer
• Choose an anti-virus gateway product that:
– Provides for content filtering
– Can be updated regularly to account for recent viruses
– Can scan the system in real time
– Has detailed logging capabilities
Chapter Summary
• After establishing a security policy, implement the strategies that policy specifies
• If primary goal of planned firewall is to block unauthorized access, you must emphasize restricting rather than enabling connectivity
• A firewall must be scalable so it can grow with the network it protects
Chapter Summary (continued)
• The stronger and more elaborate your firewall, the slower data transmissions are likely to be
• The more complex a network becomes, the more IP-addressing complications arise
• Network security setups can become more complex when specific functions are added
Chapter Summary (continued)
• Firewalls must be maintained regularly to assure critical measures of success are kept within acceptable levels of performance
• Successful firewall management requires adherence to principles that have been put forth by reputable organizations to ensure that firewalls and network security configurations are maintained correctly
Chapter Summary (continued)
• Remote management allows configuration and monitoring of one or more firewalls that are located at different network locations
• Ultimate goal for many organizations is the development of a high-performance firewall configuration that has high availability and that can be scaled as the organization grows; accomplished by using data caching, redundancy, load balancing, and content filtering