Tactical Perimeter Defense: Managing a Firewall

Upload: hex-plus

Post on 14-Apr-2018


  • 7/29/2019 Tactical Perimeter Defense Managing a Firewall

    1/47

    Guide to Tactical Perimeter Defense

    Chapter 7: Managing Firewalls to Improve Security

  • 2/47

    Tactical Perimeter Defense 2

    Objectives

    Explain how to edit a rule base

    Describe how to manage log files

    List measures for improving firewall performance and security

    Explain how to install and configure Microsoft ISA Server 2006

    Explain how to manage and configure Iptables for Linux

  • 3/47

    Editing the Rule Base

    Place most important rules near top of the rule base

    Don't make firewall do more logging than it has to

    Reduce number of domain objects in the rule base

    Domain objects increase possibility of security breaches: DNS spoofing or zone transfer

    Keep rules that cover domain objects near the bottom of the rule base

  • 4/47

    Reducing Rules

    Check for duplicate or unnecessary entries

    Consolidate rules

    Table 7-1 Inefficient firewall rules

  • 5/47

    Reducing Rules (cont.)

    Table 7-2 More efficient firewall rules

  • 6/47

    Reordering and Editing Rules

    Place most frequently matched rules near the top of the list

    Scan log files to find commonly used services

    Examples: SMTP server, DNS server

    Goal: reduce number of rules with Log as the action to bare minimum

    Log only events attempting to access restricted resources

  • 7/47

    Reordering and Editing Rules (cont.)

    Activity 7-1: Improving a Rule Base

    Objective: Review a sample rule and make improvements

    Which rules cover the same sort of communication?

    Which rules are too far down the list and should be moved up?

    Which rules give the firewall more work to do than is necessary?
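
The three questions of Activity 7-1 can be answered mechanically for a rule base that is evaluated first-match. The Python script below is an added example, not code from the textbook or these slides: it flags duplicate and shadowed rules (the consolidation of Tables 7-1 and 7-2), reorders rules by how often a traffic sample matches them while leaving every accept/drop/log decision unchanged, and counts how many rule comparisons the firewall performs before and after. The rule names, addresses and traffic mix are constructed for the example.

```python
"""Added example (not from the textbook slides): a first-match rule base with two of
the chapter's clean-ups automated, removing duplicate or shadowed rules and moving
frequently matched rules up without changing any decision.  All values are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR network or "any"
    dst: str               # CIDR network or "any"
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # destination port; None = any
    action: str            # "ACCEPT" or "DROP"
    log: bool = False      # whether a match is written to the log

def matches(rule: Rule, pkt) -> bool:
    src, dst, proto, dport = pkt               # pkt = (src ip, dst ip, proto, dst port)
    def in_net(addr, net): return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
    return (in_net(src, rule.src) and in_net(dst, rule.dst)
            and rule.proto in ("any", proto) and rule.dport in (None, dport))

def evaluate(rules: List[Rule], pkt, default: str = "DROP"):
    """First match wins; returns (action, logged, rule name, rules compared)."""
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, rule.log, rule.name, n
    return default, False, None, len(rules)

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matching `inner` would already have matched `outer`."""
    def net(o, i): return o == "any" or (i != "any" and ipaddress.ip_network(i).subnet_of(ipaddress.ip_network(o)))
    return (net(outer.src, inner.src) and net(outer.dst, inner.dst)
            and outer.proto in ("any", inner.proto) and outer.dport in (None, inner.dport))

def find_redundant(rules: List[Rule]):
    """Rules the firewall can never reach: exact duplicates and shadowed rules."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                same = covers(rule, earlier)   # coverage both ways means identical criteria
                found.append((rule.name, earlier.name, "duplicate" if same else "shadowed"))
                break
    return found

def overlaps(a: Rule, b: Rule) -> bool:
    """Could one packet match both rules?  If so, their relative order matters."""
    def nets(x, y): return x == "any" or y == "any" or ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
    return (nets(a.src, b.src) and nets(a.dst, b.dst)
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and (None in (a.dport, b.dport) or a.dport == b.dport))

def reorder_by_hits(rules: List[Rule], traffic) -> List[Rule]:
    """Move frequently matched rules up, never past an earlier overlapping rule whose
    action or logging differs (that would change what the firewall does)."""
    hits = Counter(evaluate(rules, p)[2] for p in traffic)
    remaining, ordered = list(rules), []
    while remaining:
        eligible = [r for r in remaining
                    if not any(overlaps(q, r) and (q.action, q.log) != (r.action, r.log)
                               for q in remaining[:remaining.index(r)])]
        best = max(eligible, key=lambda r: (hits[r.name], -rules.index(r)))
        ordered.append(best)
        remaining.remove(best)
    return ordered

def optimize(rules: List[Rule], traffic) -> List[Rule]:
    dead = {name for name, _, _ in find_redundant(rules)}
    return reorder_by_hits([r for r in rules if r.name not in dead], traffic)

def decisions(rules, traffic):
    return [evaluate(rules, p)[:2] for p in traffic]

def total_comparisons(rules, traffic) -> int:
    return sum(evaluate(rules, p)[3] for p in traffic)

# Constructed rule base in the spirit of Table 7-1 (over-logged, duplicated, badly
# ordered) and a constructed traffic mix of the kind a log review shows: mostly Web and DNS.
RULES = [
    Rule("dns-out", "10.0.0.0/24", "any", "udp", 53, "ACCEPT"),
    Rule("ftp-out", "10.0.0.0/24", "any", "tcp", 21, "ACCEPT", log=True),
    Rule("telnet-out", "10.0.0.0/24", "any", "tcp", 23, "ACCEPT", log=True),
    Rule("web-out", "10.0.0.0/24", "any", "tcp", 80, "ACCEPT", log=True),
    Rule("web-out-dup", "10.0.0.0/24", "any", "tcp", 80, "ACCEPT", log=True),
    Rule("web-sales", "10.0.0.128/25", "any", "tcp", 80, "ACCEPT"),
    Rule("smtp-out", "10.0.0.0/24", "any", "tcp", 25, "ACCEPT"),
    Rule("block-db", "any", "10.0.0.10/32", "tcp", 1433, "DROP", log=True),
    Rule("cleanup", "any", "any", "any", None, "DROP"),
]
TRAFFIC = ([("10.0.0.5", "203.0.113.10", "tcp", 80)] * 60
           + [("10.0.0.5", "203.0.113.53", "udp", 53)] * 25
           + [("10.0.0.7", "203.0.113.25", "tcp", 25)] * 10
           + [("10.0.0.200", "203.0.113.10", "tcp", 80)] * 4
           + [("198.51.100.9", "10.0.0.10", "tcp", 1433)])
```

Running `optimize(RULES, TRAFFIC)` drops web-out-dup (a duplicate) and web-sales (shadowed: every packet it could match is already accepted and logged by web-out above it), then yields the order web-out, dns-out, smtp-out, block-db, ftp-out, telnet-out, cleanup, cutting the comparisons for this traffic sample from 359 to 148. The check worth keeping when reordering by hand is the one in `reorder_by_hits`: a rule is never lifted above an earlier overlapping rule with a different action or log setting, because a swapped Deny/Allow pair changes what the firewall permits.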

  • 8/47

    Managing Log Files

    Configure firewall to generate log files more efficiently

    Use third-party software to get more information from log files

    Increase firewall effectiveness by:

    Modifying log file format

    Preparing log file summaries

    Generating reports

    Be aware of too many administrators

    Keep change management record accessible

  • 9/47

    Deciding What to Log

    Some firewalls log only packets subject to a rule with a Deny action

    Types of log files offered by firewalls

    Security log: specific security events

    System log: when firewall was started or stopped

    Traffic log: each packet entering/leaving firewall

    Firewalls may include a GUI interface to customize log file display

    Firewalls offer many types of logging data

    First seven types in Table 7-4 are must-haves

  • 10/47

    Deciding What to Log (cont.)

    Table 7-4 Types of log file data

  • 11/47

    Configuring the Log File Format

    Log file formats

    Text editor: tedious and difficult to view

    Native format: view in firewall's interface

    Open Database Connectivity (ODBC) format: view in ODBC-compliant database format

    W3C Extended format: view in text editor; choose fields; tools generate summaries

    Edit and configure log file formats for greater efficiency

  • 12/47

    Configuring the Log File Format (cont.)

    Review log files

    View summary of recent log file events

    Display raw data in form of report

    Review data and identify traffic patterns

    Adjust rules accordingly

    Review subsequent log file data to ensure unnecessary log file entries have been reduced

  • 13/47

    Preparing Log File Summaries and Generating Reports

    Log file summaries

    List totals of how many events occurred and what type

    Log file analyzers can be built into firewall or add-ons

    ZoneLog Analyser: add-on analyzer

    Known port lists

    Filters

    Custom reports

    IP address resolution
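
As an added example that is not from the textbook and not ZoneLog Analyser's code, the Python script below reads a log in W3C Extended format (the format with a `#Fields:` header line that Windows Firewall, covered later in this chapter, writes) and produces the kind of summary a log analyzer offers: totals by event type, the most frequently dropped services and sources, and the dropped packets aimed at restricted hosts, which are the entries slide 6 says are worth keeping when logging is trimmed back. The log lines are constructed for the example, with one truncated line to show how a malformed entry is handled.

```python
"""Added example (not from the textbook slides): a parser for W3C Extended format
firewall logs and the summary a log analyzer builds from them.  The log text is
constructed for illustration and includes one truncated line."""
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2018-04-14 09:12:01 DROP TCP 198.51.100.9 10.0.0.10 51234 1433 52 S 3349372441 0 8192 - - - RECEIVE
2018-04-14 09:12:03 DROP TCP 198.51.100.9 10.0.0.10 51235 1433 52 S 3349372442 0 8192 - - - RECEIVE
2018-04-14 09:12:05 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2018-04-14 09:12:06 DROP UDP 10.0.0.9 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2018-04-14 09:12:08 OPEN TCP 10.0.0.5 203.0.113.10 49201 80 0 - 0 0 0 - -  - SEND
2018-04-14 09:12:09 OPEN TCP 10.0.0.5 203.0.113.10 49202 443 0 - 0 0 0 - - - SEND
2018-04-14 09:12:11 DROP ICMP 203.0.113.77 10.0.0.10 - - 60 - - - - 8 0 - RECEIVE
2018-04-14 09:12:15 CLOSE TCP 10.0.0.5 203.0.113.10 49201 80 0 - 0 0 0 - - - -
2018-04-14 09:12:16 DROP TCP 198.51.100.9
"""

def parse_w3c(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (records, malformed lines).  A '#Fields:' directive names the columns and
    a later one redefines them; other '#' lines are directives; '-' marks an empty field."""
    fields, records, malformed = None, [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            malformed.append(line)
            continue
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records, malformed

def summarize(records) -> dict:
    """Totals by event type plus the breakdowns a review of dropped traffic needs."""
    drops = [r for r in records if r["action"] == "DROP"]
    return {
        "total": len(records),
        "by_action": Counter(r["action"] for r in records),
        "drops_by_service": Counter((r["protocol"], r["dst-port"]) for r in drops if r["dst-port"]),
        "drops_by_source": Counter(r["src-ip"] for r in drops),
        "opens_by_service": Counter((r["protocol"], r["dst-port"]) for r in records if r["action"] == "OPEN"),
    }

def restricted_access_attempts(records, restricted_hosts):
    """Dropped packets aimed at restricted resources: the entries worth keeping in the
    log once routine noise (here the NetBIOS broadcasts) is no longer logged."""
    return [(r["time"], r["src-ip"], r["protocol"], r["dst-port"])
            for r in records if r["action"] == "DROP" and r["dst-ip"] in restricted_hosts]

def render_report(summary: dict, top: int = 3) -> str:
    lines = [f"events: {summary['total']}"]
    for action, n in sorted(summary["by_action"].items()):
        lines.append(f"  {action}: {n}")
    lines.append("most dropped services:")
    for (proto, port), n in summary["drops_by_service"].most_common(top):
        lines.append(f"  {proto}/{port}: {n}")
    lines.append("top sources of dropped packets:")
    for src, n in summary["drops_by_source"].most_common(top):
        lines.append(f"  {src}: {n}")
    return "\n".join(lines)

if __name__ == "__main__":
    recs, bad = parse_w3c(SAMPLE_LOG)
    print(render_report(summarize(recs)))
    print("restricted-host attempts:", restricted_access_attempts(recs, {"10.0.0.10"}))
    print("malformed lines skipped:", len(bad))
```

On the constructed sample the report shows that two of the five drops are NetBIOS broadcasts from inside the network, the sort of entry the chapter suggests removing from the log, while the three drops against the restricted host 10.0.0.10 are the ones to keep and review.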

  • 14/47

    Preparing Log File Summaries and Generating Reports (cont.)

    Figure 7-2 Using ZoneLog Analyser's log import filters

  • 15/47

    Preparing Log File Summaries and Generating Reports (cont.)

    Figure 7-5 An activity summary in different formats

  • 16/47

    Preparing Log File Summaries and Generating Reports (cont.)

    Figure 7-7 Address lookup details

  • 17/47

    Improving Firewall Performance and Security

    Make sure firewall uses internal host file

    Consider using an internal DNS server

    Do not log noncritical events

  • 18/47

    Calculating Resource Requirements

    Invest in equipment that can support multiple processors

    Use load-balancing when possible

    Purchase the fastest processor chip your budget can handle

    Ensure that firewall has enough RAM (over 512 MB)

    Set aside enough storage space to cache Web pages and other files

    100 MB + (0.5 MB x number of users)

  • 19/47

    Testing the Firewall

    Test before and after the firewall goes online

    Test before installing on network

    Inexpensive option: two client computers for internal and external interface

    Large enterprise: test cell (dedicated test lab) mirroring network architecture

    Expensive, but ensures network availability

  • 20/47

    Configuring Advanced Firewall Functions

    Data caching

    Remote management

    Application content filtering

    Voice protocol support

    Authentication

    Time-based access scheduling

    Load-sharing

  • 21/47

    Configuring Advanced Firewall Functions (cont.)

    Activity 7-2: Configuring Windows Firewall

    Objective: Configure the Windows XP built-in firewall, Windows Firewall, and set up logging

    Windows Firewall is active by default when Service Pack 2 is installed

    Use Exceptions tab to configure requests

    Add or edit Programs and Services list

    Edit Security Logging section to log dropped packets and successful connections

  • 22/47

    Configuring Advanced Firewall Functions (cont.)

    Figure 7-8 The Advanced Tab and the Log Settings dialog box

  • 23/47

    Installing and Configuring Microsoft ISA Server 2006

    Microsoft ISA Server 2006

    Security, connectivity, and management functions in one product

    Handles traditional firewall functions

    Filters at application level

    Caches Web pages

  • 24/47

    Installing and Configuring Microsoft ISA Server 2006 (cont.)

    Table 7-5 ISA Server 2006 Standard and Enterprise versions

  • 25/47

    Installing and Configuring Microsoft ISA Server 2006 (cont.)

    Table 7-6 Minimum hardware requirements for ISA Server 2006

  • 26/47

    Licensing ISA Server 2006

    Licensed on a per-processor basis

    Severe penalties for inadequate licensing

    Legal; loss of certification and/or job

    Security policy should state software licensing requirements explicitly

    Enforce requirements

    Include licensing issues and requirements in security training

  • 27/47

    Reviewing ISA Server 2006 Components

    Configuration Storage server: configuration information for all array members

    ISA Server services: firewall, VPN, and caching functions

    Array: group of ISA servers that are connected physically, share common configuration, and run ISA Server services

    ISA Server management: management through connecting to Configuration Storage server

  • 28/47

    Installing ISA Server 2006

    Installation order

    Install Configuration Storage server

    Create array and enterprise network rules and policies on Configuration Storage server

    Install ISA Server services on one or more computers

    Virtual version: VHD format

    Runs on Windows 2000, XP, Vista, and Server 2003

    Evaluation software: helpful for Windows Server 2003 installation

  • 29/47

    Installing ISA Server 2006 (cont.)

    Activity 7-3: Installing ISA Server 2006 Evaluation Software

    Objective: Download and install ISA Server 2006 evaluation software

    Use Windows Server 2003 as your OS

    Follow installation instructions

    After installation, start the server and examine the management console

  • 30/47

    Installing ISA Server 2006 (cont.)

    Figure 7-9 The ISA Server management console

  • 31/47

    Installing ISA Server 2006 (cont.)

    ISA Server management console provides guidance on configuration tasks

    Assign administrative roles

    Define your networks

    Define enterprise policies

    Default policy denies all traffic

    Configure array settings

    Defines how array members communicate with each other and the Configuration Storage server

    Specifies how network is designed

  • 32/47

    Installing ISA Server 2006 (cont.)

    Figure 7-12 Defining networks in ISA Server arrays

  • 33/47

    Installing ISA Server 2006 (cont.)

    Activity 7-4: Configuring ISA Server 2006

    Objective: Configure ISA Server 2006 settings

    Assign administrative roles

    Define networks

    Enter enterprise policy rules

    Set up basic firewall policies

  • 34/47

    Installing ISA Server 2006 (cont.)

    Figure 7-14 Configuring enterprise policy rules

  • 35/47

    Installing ISA Server 2006 (cont.)

    Activity 7-5: Configuring Advanced Security Features in ISA Server 2006

    Objective: Configure ISA Server 2006 security features

    Examine and configure security filters

    Create firewall policies

    Configure caching

    Edit scheduling

  • 36/47

    Installing ISA Server 2006 (cont.)

    Figure 7-19 The firewall policy rule base

  • 37/47

    Monitoring Servers

    Monitoring integrated into ISA Server management console

    Connectivity

    Alerts

    Sessions

    System performance

    Customized report generation

    Logging

    Configuration of array members

  • 38/47

    Monitoring Servers (cont.)

    Figure 7-20 The ISA Server Monitoring window

  • 39/47

    Managing and Configuring Iptables

    Iptables: used to configure packet-filtering rules for Netfilter

    Stateful filtering

    Based on full set of TCP flags

    Command-line tool

    Rules are grouped in chains

    Multiple rule bases/chains

    Rule in one chain can activate rule in another chain

  • 40/47

    Built-in Chains

    Types of built-in chains

    Output: packet received inside network has destination address on external network

    Input: packets from external network have destination address on internal network

    Forward: packets need to be routed to another location

    A match is handled by one of four methods:

    Accept, drop, queue, or return

  • 41/47

    Built-in Chains (cont.)

    Examples

    Accept default action for packets from internal network to Internet

    iptables -P OUTPUT ACCEPT

    Blocks all incoming connection attempts by default

    iptables -P INPUT DROP

    Rejects all forwarded packets by default

    iptables -P FORWARD DROP

  • 42/47

    Figure 7-21 Built-in chains of packet-filtering rules in Iptables

  • 43/47

    User-Defined Chains

    Some commands for configuring rules

    -A chain rule: adds a new rule to the chain

    -I chain rulenumber rule: places a new rule in a specific location

    -R chain rulenumber rule: replaces a rule with a new rule in the specified location

    -D chain rulenumber: deletes a rule at the position specified by rulenumber

    -D chain rule: deletes a rule

  • 44/47

    User-Defined Chains (cont.)

    Some commands for creating rules

    -s source: identifies source IP address

    -d destination: identifies destination IP address

    -p protocol: identifies protocol used in rule

    -i interface: identifies network interface rule uses

    -j target: identifies action associated with rule

    !: negates whatever follows it

    -l: activates logging if a packet matches a rule

  • 45/47

    User-Defined Chains (cont.)

    Example

    Enable all users on the 10.0.20.0/24 network to access the Web server at 10.0.20.2 by using the World Wide Web service

    iptables -A OUTPUT -s 10.0.20.0/24 -d 10.0.20.2 -p tcp --dport www -j ACCEPT

  • 46/47

    Summary

    Improving a firewall configuration

    Optimize rule base and fine-tune logging

    Log files

    Text-based, ODBC, W3C Extended, firewall interface

    Fine-tune log files to log only essential information

    Analysis tools: summaries of raw data, generation of reports

    Host's processor speed has greatest impact on firewall performance

  • 47/47

    Summary (cont.)

    Testing a firewall

    Before and after it goes online

    Before installing on network

    Configuring a firewall

    Advanced features: data caching, remote management, application filtering, load balancing, etc.

    Microsoft ISA Server 2006

    Firewall and caching functions

    Security, connectivity, and management features

    Iptables: command-line tool for packet-filtering rules

    Includes three built-in chains of rules