firewall, router and switch configuration review
DESCRIPTION
The presentation provides a topical overview of the areas to be looked at when conducting a firewall, router, or switch configuration review. This presentation is based on a slide deck I prepared for an internal Learning & Growth session in March of 2014. More detailed material is available from the "References" slide.

TRANSCRIPT
![Page 1: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/1.jpg)
Helping You Ensure Your Infrastructure is Secure
Firewall Router Switch Configuration Reviews
![Page 2: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/2.jpg)
Agenda
• Overview & Functions
• What to Protect & Why
• Firewalls
• Routers & Switches
• Definitions
![Page 3: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/3.jpg)
1. Traditional Corporate Network Overview & Functions
![Page 4: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/4.jpg)
Traditional Corporate Network Overview
![Page 5: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/5.jpg)
Network Functions
• Let people do the things they need to for work.
• Provide security for users and resources.
– Ensure network traffic is legitimate and not malicious
– Take action against malicious traffic
– Log actions taken
![Page 6: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/6.jpg)
2. What to Protect & Why
![Page 7: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/7.jpg)
What to Protect
• What are the Crown Jewels for the company?
– PCI (payment card data), PII, proprietary resources
• PCI is often NOT the most sensitive data stored
• PCI is often emphasized because of financial penalties for non-compliance
– Examples of non-PCI data that would be critical to protect:
• Company that invents, manufactures, and sells surgical devices
– Schematics, drawings, plans, research & development, financials
• Software company
– Code repositories, plans, research & development, financials
• Social media company
– Usernames, passwords, personal information
![Page 8: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/8.jpg)
Why is This Important?
• Helps determine whether the configuration of devices permits the flow of data while protecting resources
• Questions you should ask yourself:
– What resources need protection?
• Defining what resources need protection helps you decide how to control traffic
– Are they adequately protected by device configurations?
• Your firewall, router, and switch policies and configurations should protect your important assets
– Are there concentric rings of security surrounding high value resources?
• From the external firewall inward, your network devices should control and monitor traffic to and from your resources
![Page 9: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/9.jpg)
3. Firewalls
![Page 10: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/10.jpg)
Firewalls
![Page 11: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/11.jpg)
Firewalls
• Usually secure by default (deny everything that is not explicitly permitted)
• Must provide Stateful Packet Inspection at a minimum
– Application-layer control is desirable and available on most modern firewalls
• Take careful note of any "any" rules
– Where, if anywhere, are "any" rules OK? A permit from any source to any destination effectively switches the firewall off for everything that matches it, and every rule below it is never evaluated
• Ensure management is conducted over a secure channel (SSH or HTTPS)
• Many vendors (examples: Check Point, Cisco, Juniper, pfSense)
• May have integrated IDS/IPS
![Page 12: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/12.jpg)
Bad Example
![Page 13: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/13.jpg)
Good Example
![Page 14: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/14.jpg)
4. Routers & Switches
![Page 15: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/15.jpg)
Routers
• Unlike firewalls, NOT secure by default
• Control flow of traffic with ACLs at a minimum, or Stateful Packet Inspection
• Control access to the device
– Secure protocols only (SSH or HTTPS, not Telnet or HTTP)
– Only from the management subnet if possible
• Disable unneeded services
– Finger, CDP, Telnet
• Enable good services
– TCP keepalives (so dead management sessions are torn down rather than left holding a vty line)
• Configuration management
• Change management
– Most outages are caused by human error during changes
![Page 16: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/16.jpg)
Routing Example
![Page 17: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/17.jpg)
Switches
• Also NOT secure by default
• Similar to the routers slide above, but additionally:
– Do not use the default VLAN (VLAN 1): move access ports off it, set a different native VLAN on trunks, and shut it down where the platform will not let you delete it
– Use a separate VLAN for device management if possible
![Page 18: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/18.jpg)
Additional Considerations
Virtual Private Network (VPN) Users?
• Must be properly authenticated and controlled
• Access for VPN users should be restricted based on business need
Authentication to Management Interfaces
• Uses secure channels (SSH, HTTPS)
• Uses enterprise authentication (LDAP, RADIUS)
• Activity is logged externally (syslog)
• Watch for back doors
– If back doors are in place for device management (such as local authentication that bypasses RADIUS), ensure that they are allowed by policy and secured properly
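The router checks, the switch VLAN checks and the management-interface checks on the last three slides can all be run against an exported configuration. The Python below is an added example, not material from the deck or a vendor tool: it parses a constructed IOS-style config carrying the weak settings, and a corrected version of the same device, and reports the items the slides call out: Telnet or HTTP on the management plane, no access-class limiting management sources, Finger and CDP left on, TCP keepalives missing, no AAA/RADIUS, no external syslog, local privileged accounts to review as possible back doors, and use of VLAN 1. Both configs, the hostnames, addresses and severity labels are constructed. One assumption is coded in: a vty line with no explicit `transport input` is treated as not SSH-only, because the default varies by IOS release.

```python
"""Audit an IOS-style config for the management-plane, service and VLAN checks on the slides (added example)."""

# Constructed weak config (the settings the slides warn about, all on one device) and
# a corrected version of the same device, also constructed.
WEAK_CONFIG = """\
service finger
ip http server
username backup privilege 15 secret 5 $1$abcd$constructedhashvalue000000
aaa new-model
aaa authentication login default group radius local
logging host 10.0.0.5
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport access vlan 1
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
no service finger
no cdp run
service tcp-keepalives-in
no ip http server
aaa new-model
aaa authentication login default group radius local
logging host 10.0.0.5
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
interface Vlan100
 ip address 10.0.100.2 255.255.255.0
line vty 0 15
 transport input ssh
 access-class MGMT-IN in
"""


def parse_ios(text):
    """Split a config into global commands and indented interface/line blocks keyed by header."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, blocks


def audit_ios(text):
    """Return (severity, where, message) findings for one device config."""
    g, blocks = parse_ios(text)
    gset, f = set(g), []
    # Unneeded services. CDP is on by default in IOS, so only an explicit 'no cdp run' counts.
    for cmd, msg in (("service finger", "finger enabled"), ("ip http server", "plaintext HTTP management enabled")):
        if cmd in gset:
            f.append(("HIGH", "global", msg))
    if "no cdp run" not in gset:
        f.append(("MED", "global", "CDP enabled globally; 'no cdp run' absent"))
    # Good services: keepalives clear dead sessions instead of leaving them holding a vty.
    if "service tcp-keepalives-in" not in gset:
        f.append(("LOW", "global", "'service tcp-keepalives-in' missing"))
    # Enterprise authentication, external logging, local back-door accounts.
    if "aaa new-model" not in gset:
        f.append(("HIGH", "global", "AAA not enabled; local authentication only"))
    elif not any(("group radius" in cmd or "group tacacs+" in cmd)
                 for cmd in g if cmd.startswith("aaa authentication login")):
        f.append(("HIGH", "global", "login authentication does not use RADIUS/TACACS+"))
    if not any(cmd.startswith("logging host") for cmd in g):
        f.append(("MED", "global", "no external syslog host"))
    for cmd in g:
        if cmd.startswith("username ") and "privilege 15" in cmd:
            f.append(("INFO", "global", f"local privileged account '{cmd.split()[1]}': confirm policy allows it"))
    # Management access (vty lines) and VLAN hygiene (interfaces).
    for name, lines in blocks.items():
        if name.startswith("line vty"):
            ti = [cmd for cmd in lines if cmd.startswith("transport input")]
            # Assumption: a vty with no explicit 'transport input' is treated as not SSH-only.
            if not ti or set(ti[-1].split()[2:]) != {"ssh"}:
                f.append(("HIGH", name, "transport input is not SSH-only"))
            if not any(cmd.startswith("access-class") for cmd in lines):
                f.append(("MED", name, "no access-class restricting management sources"))
        elif name.startswith("interface "):
            if "switchport access vlan 1" in lines:
                f.append(("MED", name, "access port on default VLAN 1"))
            if "switchport mode trunk" in lines and not any(cmd.startswith("switchport trunk native vlan") for cmd in lines):
                f.append(("MED", name, "trunk keeps native VLAN 1"))
            if name == "interface Vlan1" and any(cmd.startswith("ip address") for cmd in lines):
                f.append(("MED", name, "management IP on VLAN 1; use a dedicated management VLAN"))
    return f


if __name__ == "__main__":
    print(*audit_ios(WEAK_CONFIG), "hardened:", audit_ios(HARDENED_CONFIG), sep="\n")
```

The parser only distinguishes global commands from indented blocks, which is enough for these checks; on a real review run it over `show running-config` output, and keep the INFO line for local privileged accounts as a question for the owner rather than an automatic failure, since the slide's point is that such back doors must be allowed by policy, not that they never exist.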
![Page 19: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/19.jpg)
Commonalities
• All devices have the following security concerns in common:
– Control and permit access to resources for authorized users
– Deny access to unauthorized users
• Additionally, the network infrastructure should
– Detect, deter, prevent, and log malicious activity
– Provide admins with a secure means of managing devices
![Page 20: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/20.jpg)
5. Definitions
![Page 21: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/21.jpg)
Definitions
• DMZ – Demilitarized Zone – A separate, less-trusted network segment between the outside (Internet) and inside (corporate LAN) networks where devices that have to be accessed by Internet users reside, so that a compromise of one of them does not give direct access to the LAN.
• ACL – Access Control List – Basic method for controlling network traffic flow: an ordered list of permit/deny entries matched on addresses, protocol and ports, evaluated first-match.
• SPI – Stateful Packet Inspection – Goes beyond what ACLs can do and tracks traffic based on connection state, so return traffic is allowed only for sessions initiated from the permitted side.
• Deep Packet Inspection – Reconstructs traffic up to the application layer to verify that it is legitimate; the basis of application-layer firewalls.
![Page 22: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/22.jpg)
Definitions
• BOGON – Bogus IP addresses: address space that should never appear as a source on the public Internet, chiefly public space that has not been allocated by IANA or a regional registry (the "full bogon" lists also include the martians below).
• Martian – Addresses that are private or reserved for testing or special use cases (ex. 127.0.0.0/8, 192.168.0.0/16); catalogued in RFC 6890.
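Filtering martians and bogons at the border router is where these two definitions turn into configuration. The Python below is an added example, not from the slides: it classifies a source address seen on the outside interface as own-prefix (your own addresses arriving from outside, which is spoofing), martian (the RFC 6890 ranges) or bogon, and renders the matching IOS deny entries with the wildcard masks IOS expects. The organisation's prefix (203.0.113.0/24, documentation space) is an assumption made for the example; the unallocated-bogon list changes over time, so it is taken as a parameter rather than embedded (Team Cymru publishes one).

```python
"""Classify ingress source addresses as own-prefix, martian or bogon, and emit the
matching IOS deny entries for the border router (added example, constructed inputs)."""
import ipaddress

# Martians: IPv4 special-purpose ranges (RFC 6890) that must never arrive from the
# Internet as a source address.
MARTIANS = (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)

# Assumption for the example: the organisation's own public prefix (documentation space).
OWN_PREFIXES = ("203.0.113.0/24",)


def _nets(items):
    """Accept CIDR strings or ip_network objects."""
    return [ipaddress.ip_network(i) if isinstance(i, str) else i for i in items]


def ingress_verdict(src, own=OWN_PREFIXES, bogons=()):
    """Decide whether a packet with source `src` arriving on the outside interface is
    dropped, and why. Own prefixes are checked first: your own addresses coming from
    outside are spoofed whatever else they are. `bogons` is the unallocated-space list
    (e.g. Team Cymru's), which changes over time and so is passed in, not embedded."""
    addr = ipaddress.ip_address(src)
    for label, nets in (("own-prefix", own), ("martian", MARTIANS), ("bogon", bogons)):
        if any(addr in net for net in _nets(nets)):
            return "deny", label
    return "permit", "none"


def ios_ingress_acl(name, own=OWN_PREFIXES, bogons=()):
    """Render the anti-spoofing deny block of a named extended ACL for the outside
    interface. IOS wants a wildcard (inverse) mask, which ipaddress exposes as hostmask."""
    nets = list(dict.fromkeys(_nets((*own, *MARTIANS, *bogons))))   # de-duplicate, keep order
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip {n.network_address} {n.hostmask} any log" for n in nets]
    lines.append(" remark anti-spoofing done; permits for published services follow")
    return lines


if __name__ == "__main__":
    # Constructed sample of source addresses seen on the outside interface.
    for src in ("8.8.8.8", "192.168.1.5", "203.0.113.7", "127.0.0.1"):
        print(f"{src:<14}", *ingress_verdict(src))
    print("\n".join(ios_ingress_acl("OUTSIDE-IN")))
```

The rendered block is only the top of the outside-interface ACL; the permits for published services follow it, and the list should still end with an explicit logged deny. Apply the same idea in the other direction (egress: permit only your own prefixes as source) so the network cannot be used to spoof others.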
![Page 23: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/23.jpg)
Templates, References
• NSA SNAC Guides
• Vendor Documentation
– Cisco IOS Security Configuration Guide: http://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html
• Open source / volunteer
– Team Cymru Secure IOS Template: https://www.cymru.com/Documents/secure-ios-template.html
• For routing reviews, Border Router Security Tool: http://borderroutersec.org/
![Page 24: Firewall, Router and Switch Configuration Review](https://reader038.vdocument.in/reader038/viewer/2022102621/5496ad4eb4795992558b461b/html5/thumbnails/24.jpg)
Contact Us
Ted LeRoy, Security [email protected]
Security Compass
http://www.securitycompass.com
SD Elements
http://www.sdelements.com