Guide to Tactical Perimeter Defense
Chapter 7: Managing Firewalls to Improve Security
7/29/2019 Tactical Perimeter Defense Managing a Firewall

Objectives
Explain how to edit a rule base
Describe how to manage log files
List measures for improving firewall performance and security
Explain how to install and configure Microsoft ISA Server 2006
Explain how to manage and configure Iptables for Linux

Editing the Rule Base
Place most important rules near top of the rule base
Don't make the firewall do more logging than it has to
Reduce the number of domain objects in the rule base
Domain objects increase the possibility of security breaches: DNS spoofing or zone transfer
Keep rules that cover domain objects near the bottom of the rule base

Reducing Rules
Check for duplicate or unnecessary entries
Consolidate rules
Table 7-1 Inefficient firewall rules

Reducing Rules (cont.)
Table 7-2 More efficient firewall rules

Reordering and Editing Rules
Place most frequently matched rules near the top of the list
Scan log files to find commonly used services
Examples: SMTP server, DNS server
Goal: reduce number of rules with Log as the action to bare minimum
Log only events attempting to access restricted resources

Reordering and Editing Rules (cont.)
Activity 7-1: Improving a Rule Base
Objective: Review a sample rule and make improvements
Which rules cover the same sort of communication?
Which rules are too far down the list and should be moved up?
Which rules give the firewall more work to do than is necessary?

Managing Log Files
Configure the firewall to generate log files more efficiently
Use third-party software to get more information from log files
Increase firewall effectiveness by:
Modifying log file format
Preparing log file summaries
Generating reports
Be aware of too many administrators
Keep change management record accessible

Deciding What to Log
Some firewalls log only packets subject to a rule with a Deny action
Types of log files offered by firewalls
Security log: specific security events
System log: when firewall was started or stopped
Traffic log: each packet entering/leaving firewall
Firewalls may include a GUI interface to customize log file display
Firewalls offer many types of logging data
First seven types in Table 7-4 are must-haves

Deciding What to Log (cont.)
Table 7-4 Types of log file data

Configuring the Log File Format
Log file formats
Text editor: tedious and difficult to view
Native format: view in firewall's interface
Open Database Connectivity (ODBC) format: view in ODBC-compliant database format
W3C Extended format: view in text editor; choose fields; tools generate summaries
Edit and configure log file formats for greater efficiency

Configuring the Log File Format (cont.)
Review log files
View summary of recent log file events
Display raw data in form of report
Review data and identify traffic patterns
Adjust rules accordingly
Review subsequent log file data to ensure unnecessary log file entries have been reduced
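As an added example that is not part of the slides or the textbook, the shell script below performs the review step described above on a W3C Extended log: it finds the most frequently allowed services (candidates for rules to move up the rule base), the ALLOW/DROP split (how much log volume the Log action is spending on permitted traffic), and the denied attempts on restricted resources. The log lines are constructed here in the Windows Firewall pfirewall.log field layout; point it at a real file when reviewing.

```shell
#!/bin/sh
# Added example: summarise W3C Extended firewall log lines with awk.
# LOG_SAMPLE is constructed for this example (pfirewall.log layout).
LOG_SAMPLE='#Software: Microsoft Windows Firewall
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-07-29 09:00:01 ALLOW TCP 10.0.20.15 10.0.20.2 51000 80 52 S 101 0 8192 - - - RECEIVE
2019-07-29 09:00:02 ALLOW TCP 10.0.20.16 10.0.20.2 51001 80 52 S 102 0 8192 - - - RECEIVE
2019-07-29 09:00:03 ALLOW UDP 10.0.20.15 10.0.20.1 53001 53 60 - - - - - - - SEND
2019-07-29 09:00:04 ALLOW TCP 10.0.20.17 10.0.20.3 51002 25 52 S 103 0 8192 - - - RECEIVE
2019-07-29 09:00:05 DROP TCP 203.0.113.9 10.0.20.2 40001 23 48 S 104 0 8192 - - - RECEIVE
2019-07-29 09:00:06 ALLOW TCP 10.0.20.18 10.0.20.2 51003 80 52 S 105 0 8192 - - - RECEIVE
2019-07-29 09:00:07 DROP TCP 203.0.113.9 10.0.20.2 40002 3389 48 S 106 0 8192 - - - RECEIVE'

# "count protocol/dst-port" for allowed traffic, busiest service first.
# Rules matching the top entries belong near the top of the rule base.
top_services() {
  printf '%s\n' "$LOG_SAMPLE" | awk '
    /^#/ { next }                      # skip W3C header lines
    $3 == "ALLOW" { n[$4 "/" $8]++ }   # key: protocol/dst-port
    END { for (k in n) print n[k], k }' | sort -rn
}

# Entries per action; a large ALLOW share means the Log action is
# attached to more rules than it needs to be.
action_counts() {
  printf '%s\n' "$LOG_SAMPLE" | awk '
    /^#/ { next }
    { n[$3]++ }
    END { for (k in n) print k, n[k] }' | sort
}

# Denied attempts on restricted resources: the events worth keeping.
dropped_targets() {
  printf '%s\n' "$LOG_SAMPLE" | awk '
    /^#/ { next }
    $3 == "DROP" { print $5 " -> " $6 ":" $8 }'
}

top_services
action_counts
dropped_targets
```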

Preparing Log File Summaries and Generating Reports
Log file summaries
List totals of how many events occurred and what type
Log file analyzers can be built into firewall or add-ons
ZoneLog Analyser: add-on analyzer
Known port lists
Filters
Custom reports
IP address resolution

Preparing Log File Summaries and Generating Reports (cont.)
Figure 7-2 Using ZoneLog Analyser's log import filters

Preparing Log File Summaries and Generating Reports (cont.)
Figure 7-5 An activity summary in different formats

Preparing Log File Summaries and Generating Reports (cont.)
Figure 7-7 Address lookup details

Improving Firewall Performance and Security
Make sure firewall uses internal host file
Consider using an internal DNS server
Do not log noncritical events

Calculating Resource Requirements
Invest in equipment that can support multiple processors
Use load-balancing when possible
Purchase the fastest processor chip your budget can handle
Ensure that firewall has enough RAM (over 512 MB)
Set aside enough storage space to cache Web pages and other files
100 MB + (0.5 MB x number of users)

Testing the Firewall
Test before and after the firewall goes online
Test before installing on network
Inexpensive option: two client computers for internal and external interface
Large enterprise: test cell (dedicated test lab) mirroring network architecture
Expensive, but ensures network availability

Configuring Advanced Firewall Functions
Data caching
Remote management
Application content filtering
Voice protocol support
Authentication
Time-based access scheduling
Load-sharing

Configuring Advanced Firewall Functions (cont.)
Activity 7-2: Configuring Windows Firewall
Objective: Configure the Windows XP built-in firewall, Windows Firewall, and set up logging
Windows Firewall is active by default when Service Pack 2 is installed
Use Exceptions tab to configure requests
Add or edit Programs and Services list
Edit Security Logging section to log dropped packets and successful connections

Configuring Advanced Firewall Functions (cont.)
Figure 7-8 The Advanced Tab and the Log Settings dialog box

Installing and Configuring Microsoft ISA Server 2006
Microsoft ISA Server 2006
Security, connectivity, and management functions in one product
Handles traditional firewall functions
Filters at application level
Caches Web pages

Installing and Configuring Microsoft ISA Server 2006 (cont.)
Table 7-5 ISA Server 2006 Standard and Enterprise versions

Installing and Configuring Microsoft ISA Server 2006 (cont.)
Table 7-6 Minimum hardware requirements for ISA Server 2006

Licensing ISA Server 2006
Licensed on a per-processor basis
Severe penalties for inadequate licensing
Legal; loss of certification and/or job
Security policy should state software licensing requirements explicitly
Enforce requirements
Include licensing issues and requirements in security training

Reviewing ISA Server 2006 Components
Configuration Storage server: configuration information for all array members
ISA Server services: firewall, VPN, and caching functions
Array: group of ISA servers that are connected physically, share common configuration, and run ISA server services
ISA server management: management through connecting to Configuration Storage server

Installing ISA Server 2006
Installation order
Install Configuration Storage server
Create array and enterprise network rules and policies on Configuration Storage server
Install ISA Server services on one or more computers
Virtual version: VHD format
Runs on Windows 2000, XP, Vista, and Server 2003
Evaluation software: helpful for Windows Server 2003 installation

Installing ISA Server 2006 (cont.)
Activity 7-3: Installing ISA Server 2006 Evaluation Software
Objective: Download and install ISA Server 2006 evaluation software
Use Windows Server 2003 as your OS
Follow installation instructions
After installation, start the server and examine the management console

Installing ISA Server 2006 (cont.)
Figure 7-9 The ISA Server management console

Installing ISA Server 2006 (cont.)
ISA Server management console provides guidance on configuration tasks
Assign administrative roles
Define your networks
Define enterprise policies
Default policy denies all traffic
Configure array settings
Defines how array members communicate with each other and the Configuration Storage server
Specifies how network is designed

Installing ISA Server 2006 (cont.)
Figure 7-12 Defining networks in ISA Server arrays

Installing ISA Server 2006 (cont.)
Activity 7-4: Configuring ISA Server 2006
Objective: Configure ISA Server 2006 settings
Assign administrative roles
Define networks
Enter enterprise policy rules
Set up basic firewall policies

Installing ISA Server 2006 (cont.)
Figure 7-14 Configuring enterprise policy rules

Installing ISA Server 2006 (cont.)
Activity 7-5: Configuring Advanced Security Features in ISA Server 2006
Objective: Configure ISA Server 2006 security features
Examine and configure security filters
Create firewall policies
Configure caching
Edit scheduling

Installing ISA Server 2006 (cont.)
Figure 7-19 The firewall policy rule base

Monitoring Servers
Monitoring integrated into ISA Server management console
Connectivity
Alerts
Sessions
System performance
Customized report generation
Logging
Configuration of array members

Monitoring Servers (cont.)
Figure 7-20 The ISA Server Monitoring window

Managing and Configuring Iptables
Iptables: used to configure packet-filtering rules for Netfilter
Stateful filtering
Based on full set of TCP flags
Command-line tool
Rules are grouped in chains
Multiple rule bases/chains
Rule in one chain can activate rule in another chain

Built-in Chains
Types of built-in chains
Output: a packet received inside the network has a destination address on the external network
Input: a packet from the external network has a destination address on the internal network
Forward: a packet needs to be routed to another location
A match is handled by one of four methods:
Accept, drop, queue, or return

Built-in Chains (cont.)
Examples
Accept default action for packets from internal network to Internet
iptables -P OUTPUT ACCEPT
Blocks all incoming connection attempts by default
iptables -P INPUT DROP
Rejects all forwarded packets by default
iptables -P FORWARD DROP

Figure 7-21 Built-in chains of packet-filtering rules in Iptables

User-Defined Chains
Some commands for configuring rules
-A chain rule: adds a new rule to the chain
-I chain rulenumber rule: places a new rule in a specific location
-R chain rulenumber rule: replaces a rule with a new rule in the specified location
-D chain rulenumber: deletes the rule at the position specified by rulenumber
-D chain rule: deletes a rule

User-Defined Chains (cont.)
Some commands for creating rules
-s source: identifies source IP address
-d destination: identifies destination IP address
-p protocol: identifies protocol used in rule
-i interface: identifies network interface rule uses
-j target: identifies action associated with rule
!: negates whatever follows it
-l: activates logging if a packet matches a rule

User-Defined Chains (cont.)
Example
Enable all users on the 10.0.20.0/24 network to access the Web server at 10.0.20.2 by using the World Wide Web service
iptables -A OUTPUT -s 10.0.20.0/24 -d 10.0.20.2 -p tcp --dport www -j ACCEPT
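As an added example that is not part of the slides or the textbook, the shell script below generates a complete iptables-restore ruleset that applies the chapter's guidance in one place: the three default policies from the Built-in Chains slide, the 10.0.20.0/24 to 10.0.20.2 Web rule, frequently matched rules placed first, a user-defined chain activated from FORWARD, and logging kept to the one rule that covers denied attempts on restricted resources. Assumptions: eth0 is the external interface, and logging uses the LOG target (-j LOG), which is how iptables logs; the -l flag listed above belongs to the older ipchains tool.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset from the chapter's rules.
# Nothing is applied to the kernel; review the output, then load it with
# iptables-restore (its -t flag only tests the ruleset without loading it).
LAN_NET="10.0.20.0/24"   # from the slides
WEB_SERVER="10.0.20.2"   # from the slides
WAN_IF="eth0"            # assumed external interface

build_ruleset() {
  cat <<EOF
*filter
# Default policies (iptables -P): accept outbound, drop inbound and forwarded
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain (iptables -N) reached from FORWARD for restricted resources
:RESTRICTED - [0:0]
# Most frequently matched rules first: replies to existing flows, then loopback
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Slide example: LAN hosts may reach the Web server ("www" is tcp/80 in /etc/services)
-A OUTPUT -s ${LAN_NET} -d ${WEB_SERVER} -p tcp --dport www -j ACCEPT
# A rule in one chain activating another: external traffic to the Web server
# on anything other than www is handed to RESTRICTED ("!" negates the match)
-A FORWARD -i ${WAN_IF} -d ${WEB_SERVER} -p tcp ! --dport www -j RESTRICTED
-A FORWARD -i ${WAN_IF} -d ${WEB_SERVER} ! -p tcp -j RESTRICTED
# Log only denied attempts on restricted resources (rate-limited), then drop
-A RESTRICTED -m limit --limit 5/min -j LOG --log-prefix "FW-RESTRICTED: "
-A RESTRICTED -j DROP
COMMIT
EOF
}

# Default policy of a built-in chain, read back from the generated ruleset
default_policy() {
  build_ruleset | awk -v c=":$1" '$1 == c { print $2 }'
}

# Number of rules that log: the chapter's goal is the bare minimum
log_rule_count() {
  build_ruleset | grep -c -- '-j LOG'
}

build_ruleset
```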

Summary
Improving a firewall configuration
Optimize rule base and fine-tune logging
Log files
Text-based, ODBC, W3C Extended, firewall interface
Fine-tune log files to log only essential information
Analysis tools: summaries of raw data, generation of reports
Host's processor speed has the greatest impact on firewall performance

Summary (cont.)
Testing a firewall
Before and after it goes online
Before installing on network
Configuring a firewall
Advanced features: data caching, remote management, application filtering, load balancing, etc.
Microsoft ISA Server 2006
Firewall and caching functions
Security, connectivity, and management features
Iptables: command-line tool for packet-filtering rules
Includes three built-in chains of rules