Guide to Network Defense and Countermeasures, Second Edition
Chapter 11: Strengthening and Managing Firewalls
Guide to Network Defense and Countermeasures, Second Edition 2
Objectives
• Manage firewalls to improve security
• Describe the most important issues in managing firewalls
• Know how to install and configure Check Point NG
• Know how to install and configure Microsoft ISA Server 2000
• Know how to manage and configure Iptables for Linux
Managing Firewalls to Improve Security
• Poor management affects the network’s
  – Security
  – Throughput
  – Disaster recovery
• Administrative tasks
  – Editing the rule base according to the security policy
  – Managing firewall log files
  – Improving firewall performance
  – Configuring advanced firewall functions
Editing the Rule Base
• One of the best ways to improve security and performance
• Keep the following guidelines in mind
  – Make sure the most important rules are near the top of the rule base
  – Make sure you don’t make the firewall do more logging than it has to
  – Reduce the number of domain objects in the rule base
  – Keep rules that cover domain objects near the bottom of the rule base
Editing the Rule Base (continued)
• Reducing rules
  – Remove unnecessary rules
  – Keep the number of rules to a minimum
• Reordering and editing rules
  – Keep the most frequently matched rules near the top
  – Scan log files to find commonly used services
  – Reduce the number of rules with Log as the action
Managing Log Files
• Deciding what to log
  – Some firewalls log only packets subject to a rule with a Deny action
  – Kinds of log files
    • Security log
    • System log
    • Traffic log
    • Active log (Check Point NG)
    • Audit log (Check Point NG)
  – Some firewalls have a GUI interface to manage log files
Managing Log Files (continued)
• Configuring the log file format
  – Many firewalls generate log files in plain text
  – Sophisticated firewalls save log files in different formats
    • Native format
    • Open Database Connectivity (ODBC) format
    • W3C Extended format
  – Editing and reconfiguring log file formats improves firewall efficiency
Managing Log Files (continued)
• Configuring the log file format
  – Review log files regularly
  – General steps for reviewing log files
    • Review a summary of recent log file events
    • Display raw data in the form of a report
    • Review the data and identify traffic patterns that point to problems with the firewall rules
    • Adjust the rules accordingly
    • Review subsequent log file data
  – Log files can indicate signatures of attack attempts
Managing Log Files (continued)
• Preparing log file summaries and generating reports
  – Log summary
    • Shows major events over a period of time
    • Summaries are not reports
    • Contain raw data that can be used to create reports
  – Some firewalls contain log file analysis tools
    • Viewing raw data can be tedious and prone to errors
  – Reports
    • Display data in an easy-to-read format
    • Help you sort your data
Improving Firewall Performance
• The firewall might be performing unnecessary operations
  – Host lookups
  – Decryption
  – Logging
• Choose a machine with the fastest CPU for the firewall
• Calculating memory requirements
  – 512 MB to 1 GB of available RAM is preferred
  – Cache memory: [100 MB + (0.5 × number of users)]
Improving Firewall Performance (continued)
• Testing the firewall
  – Test it before and after it goes online
  – Ideal testing environment
    • Lab with two computers
      – One connected to the external interface
      – Another connected to the internal interface
Configuring Advanced Firewall Functions
• Advanced features
  – Data caching
  – Remote management
  – Application filtering
  – Voice protocol support
  – Authentication
  – Time-based access scheduling
• Load sharing
  – Configure firewalls to share the total traffic load
Installing and Configuring Check Point NG
• Check Point NG
  – An enterprise-level firewall
• To plan for the installation, answer these questions
  – Is the firewall on the outside of the DMZ, or does it protect one part of the internal network from another part?
  – How important is it to monitor employees’ activities on the network?
Installing Check Point Modules
• OS requirements
  – Windows 2000 Professional or Server, or later
  – Windows NT with Service Pack 4 or later
  – Sun Solaris 7 or later
  – Red Hat Linux 6.2 or later
• Component
  – Part of an application that performs a specific range of functions
Installing Check Point Modules (continued)
• Check Point components
  – Check Point Management Server
  – Policy Editor
  – VPN/FireWall
  – Log Viewer
  – Inspection
• Open Platform for Security (OPSEC)
  – Protocol used by Check Point NG to integrate with other security products
Installing Check Point Modules (continued)
• Step 1: Preparing to install Check Point NG
  – Determine where the program will be installed
  – Pick a directory on a standalone server
    • C:\WINNT is the default location
    • If you use a different directory, set the FWDIR variable to point to it
  – Enable IP forwarding on the host computer
  – Go to the Check Point User Center
    • Obtain a license key to use the software
    • Add the license in Check Point NG
Installing Check Point Modules (continued)
• Step 2: Select the Check Point modules to install
  – Choose between
    • Server/Gateway Components
    • Mobile/Desktop Components
  – Decide what product to install
    • Enterprise Primary Management or Enterprise Secondary Management
    • Enforcement Module & Primary Management
    • Enforcement Module
  – Select which Management Client you want to install
Installing Check Point Modules (continued)
• Step 3: Configuring Network Objects
  – The firewall will protect these objects
  – Smart management interfaces
    • SmartDashboard
    • SmartView Tracker
  – Network Objects Manager
    • GUI tool included in SmartDashboard
    • Easiest way to define network objects
  – Objects you will most likely use
    • Check Point Gateway and Node
Installing Check Point Modules (continued)
• Step 4: Creating filter rules
  – Develop a set of packet-filtering rules
    • Called “Policy Packages” in Check Point
  – Create separate rules for different parts of the network
What’s New in Check Point NGX
• Includes improved security and management capabilities
  – Centralized management for an organization’s perimeter, internal, and Web security needs
  – Enforces VPN rules by direction (inbound or outbound)
  – Support for backup links
• Backward compatibility for older authentication schemes
Installing and Configuring Microsoft ISA Server 2000
• Microsoft ISA Server 2000
  – Firewall designed to protect business networks
  – Performs a variety of proxy server functions
• Select the version of ISA Server 2000 you want
  – Standard Edition
  – Enterprise Edition
Licensing ISA Server 2000
• Obtain a license to use ISA Server 2000 on a permanent basis
• It is licensed on a per-processor basis
  – Need to purchase a license for each processor on the host
  – Can use as many clients as needed
Installing ISA Server 2000
• Step 1: Choosing a server mode
  – Determines the features the firewall offers
  – Modes
    • Firewall
    • Cache
    • Integrated
Installing ISA Server 2000 (continued)
• Step 2: Configuring cache locations and setting addresses
  – Cached Web pages need to be stored on an NTFS-formatted drive
  – Create a local address table (LAT)
    • Defines your network’s internal addressing scheme
  – Identify the network adapter of the host computer
Configuring ISA Server 2000
• Step 3: Creating a rule base from your security policy
  – ISA Server 2000’s Getting Started Wizard
    • Helps you create the rule base derived from your security policy
    • Runs in the ISA Management Console
  – ISA Server is designed to integrate with Microsoft Active Directory
Configuring ISA Server 2000 (continued)
• Step 4: Selecting policy elements
  – Types of policy elements
    • Schedules
    • Bandwidth priorities
    • Destination sets
    • Client address sets
    • Protocol definitions
    • Content groups
    • Dial-up entries
Monitoring the Server
• ISA Server Performance Monitor
  – Used for real-time monitoring of the server
  – Allows you to view alerts as soon as they are issued
  – Need to set up counters
    • Keep track of the number of active connections currently forwarding data on the network
What is New in ISA Server 2004
Managing and Configuring Iptables
• Iptables
  – Configures packet filter rules for the Linux firewall Netfilter
  – Replaces Ipchains
  – Enables Netfilter to perform stateful packet filtering
  – Can filter packets based on the full set of TCP option flags
  – Iptables is a command-line tool
• Rules are grouped in the form of chains
  – A rule in one chain can activate a specific rule in another chain
Built-in Chains
• Iptables comes with three built-in chains
  – Output
  – Input
  – Forward
• Packet-handling decisions
  – Accept
  – Drop
  – Queue
  – Return
Built-in Chains (continued)
• Configure the default action for a chain with -P
• Example:
  iptables -P OUTPUT ACCEPT
• You can configure more specific actions on a case-by-case basis
User-Defined Chains
• Commands for configuring individual rules
  – -A chain rule—Adds a new rule to the end of the chain
  – -I chain rule-number rule—Enables you to place a new rule in a specific location in the chain
  – -R chain rule-number rule—Enables you to replace a rule
  – -D chain rule-number—Deletes the rule at the position specified by rule-number
  – -D chain rule—Deletes a rule
User-Defined Chains (continued)
• Commands used to create rules
  – -s source—Identifies the source IP address
  – -d destination—Identifies the destination IP address
  – -p protocol—Identifies the protocol to be used in the rule (such as TCP, UDP, ICMP)
  – -i interface—Identifies the network interface the rule uses
  – -j target—Identifies the action associated with the rule
  – !—Negates whatever follows it
  – -l—Activates logging if a packet matches the rule
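The following script is an added example (not from the textbook) that ties the rule-base guidelines from "Editing the Rule Base" to the Iptables commands above: it scans firewall log lines for the most commonly used services, then emits an INPUT rule base with default policies set by -P, the stateful rule at the top, per-service ACCEPT rules ordered by observed frequency, and a single rate-limited LOG rule at the bottom. The log lines, the interface name eth0, and the use of the conntrack match are assumptions; logging here uses the LOG target (-j LOG), which is how iptables itself activates logging.

```shell
#!/bin/sh
# Constructed sample of Netfilter LOG output (kernel log lines) used as the
# "firewall log" to scan; not taken from the original slides.
SAMPLE_LOG='Jan 10 09:01:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Jan 10 09:01:03 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80
Jan 10 09:01:04 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=443
Jan 10 09:01:05 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=25
Jan 10 09:01:06 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=443
Jan 10 09:01:07 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=51005 DPT=80'

# Tally TCP destination ports seen in the log on stdin, most frequent first.
# Output: one "count port" pair per line, e.g. "3 443".
top_tcp_ports() {
    awk '/PROTO=TCP/ { for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) { sub("DPT=", "", $i); n[$i]++ } }
         END { for (p in n) print n[p], p }' | sort -rn
}

# Emit an INPUT rule base in the chapter's recommended order: default-deny
# policies set with -P, the stateful ESTABLISHED rule at the very top (it is
# matched by most packets), per-service ACCEPT rules ordered by how often the
# service appeared in the log, and one rate-limited LOG rule at the bottom so the
# firewall does not log more than it has to. Commands are printed, not executed.
gen_input_rules() {
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P OUTPUT ACCEPT'
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    top_tcp_ports | while read -r count port; do
        echo "iptables -A INPUT -i eth0 -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT  # $count hits"
    done
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN: "'
    echo 'iptables -A INPUT -j DROP'
}

# Stand-alone demo: scan the constructed log and print the generated rule base.
printf '%s\n' "$SAMPLE_LOG" | gen_input_rules
```

To apply the generated rule base on a real host, review the output first and then pipe it into a root shell, e.g. `printf '%s\n' "$SAMPLE_LOG" | gen_input_rules | sudo sh`.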
Summary
• Improving firewall configuration involves optimizing
  – The rule base
  – Log files
• Log files provide critical information on
  – Network traffic
  – Attempts to attack
• Firewalls can generate log files in different formats
• Fine-tune your firewall to log only information you actually need
• Some firewalls include log file analysis tools
Summary (continued)
• Basic firewall functions
  – Host lookup
  – Encryption/decryption
  – Logging
• The machine hosting the firewall should have
  – The fastest processor available
  – At least the minimum required RAM
  – Cache memory
• Test your firewall before it goes online
Summary (continued)
• Check Point NG
  – Suite of firewall modules
  – Used to implement a security policy
• Microsoft ISA Server 2000
  – Improves network security through traditional filtering and NAT
• Iptables
  – Linux command-line tool for creating packet filtering rules