Guide to Network Defense and Countermeasures Second Edition Chapter 11 Strengthening and Managing Firewalls


Page 1: Guide to Network Defense and Countermeasures Second Edition Chapter 11 Strengthening and Managing Firewalls

Guide to Network Defense and Countermeasures, Second Edition

Chapter 11: Strengthening and Managing Firewalls

Guide to Network Defense and Countermeasures, Second Edition 2

Objectives

• Manage firewalls to improve security

• Describe the most important issues in managing firewalls

• Know how to install and configure Check Point NG

• Know how to install and configure Microsoft ISA Server 2000

• Know how to manage and configure Iptables for Linux

Managing Firewalls to Improve Security

• Poor management affects the network
  – Security
  – Throughput
  – Disaster recovery

• Administrative tasks
  – Editing the rule base according to the security policy
  – Managing firewall log files
  – Improving firewall performance
  – Configuring advanced firewall functions

Editing the Rule Base

• One of the best ways to improve security and performance

• Keep the following guidelines in mind
  – Make sure the most important rules are near the top of the rule base
  – Make sure you don’t make the firewall do more logging than it has to
  – Reduce the number of domain objects in the rule base
  – Keep rules that cover domain objects near the bottom of the rule base

Editing the Rule Base (continued)

• Reducing rules
  – Remove unnecessary rules
  – Keep the number of rules to a minimum

• Reordering and editing rules
  – Keep the most frequently matched rules near the top
  – Scan log files to find commonly used services
  – Reduce the number of rules with Log as the action
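The two rule-base slides above describe a first-match filter: the cost of a packet is the number of rules examined before it matches, so frequently matched rules belong near the top and Log-action rules should be few. The following script is an added example (not the textbook's code) that replays constructed traffic against a constructed rule base, counts hits per rule the way a log scan would, and then reorders the rules by hit count while refusing to move any rule past one it could overlap with, the check a practitioner needs before reordering, since moving a rule past an overlapping one changes what the firewall does. The rule and packet fields, addresses and rule names are all assumptions made for the example.

```python
"""Rule-base ordering on a first-match packet filter (added example, not the
textbook's code).  A first-match filter walks its rules top to bottom and stops
at the first rule whose fields all match, so the cost of a packet is the number
of rules examined before the match.  Hence the slides' advice: keep frequently
matched rules near the top and keep few rules with a Log action.  The caveat the
slides leave implicit: only reorder rules that cannot both match the same
packet, because moving a rule past an overlapping one changes behaviour.
All rules and traffic below are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR network or "any"
    dst: str
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # destination port, None = any
    action: str          # "accept", "deny" or "log" (log = record the hit, then deny)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: Optional[int]

def _addr_match(field, addr):
    return field == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)

def matches(rule, pkt):
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto) and rule.port in (None, pkt.port))

def evaluate(rules, pkt):
    """First match wins: (action, rule name, rules examined); no match = implicit deny."""
    for examined, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, rule.name, examined
    return "deny", "<implicit-deny>", len(rules)

def replay(rules, packets):
    """Hit count per rule (what a log scan shows) and total rules examined."""
    hits, examined = Counter(), 0
    for pkt in packets:
        _, name, n = evaluate(rules, pkt)
        hits[name] += 1
        examined += n
    return hits, examined

def _nets_overlap(a, b):
    return "any" in (a, b) or ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))

def can_overlap(a, b):
    """True when some packet could match both rules, i.e. their relative order matters."""
    return (_nets_overlap(a.src, b.src) and _nets_overlap(a.dst, b.dst)
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and (None in (a.port, b.port) or a.port == b.port))

def safe_reorder(rules, hits):
    """Bubble frequently hit rules upward, never past a rule they could overlap with.
    Every swap exchanges two adjacent, mutually exclusive rules, so no verdict changes."""
    ordered = list(rules)
    for i in range(1, len(ordered)):
        j = i
        while (j > 0 and hits[ordered[j].name] > hits[ordered[j - 1].name]
               and not can_overlap(ordered[j], ordered[j - 1])):
            ordered[j], ordered[j - 1] = ordered[j - 1], ordered[j]
            j -= 1
    return ordered

def log_rules(rules):
    """Rules with a Log action: each costs disk I/O on every hit, so keep this list short."""
    return [r.name for r in rules if r.action == "log"]

# Constructed rule base.  guest-deny overlaps every later rule (10.9/16 lies inside 10/8 and
# it matches any protocol), so it must stay at the top whatever the hit counts say; the rules
# below it are mutually exclusive and may be reordered freely.
RULES = [
    Rule("guest-deny", "10.9.0.0/16", "any", "any", None, "deny"),
    Rule("admin-ssh", "10.0.0.0/8", "192.0.2.10/32", "tcp", 22, "accept"),
    Rule("block-telnet", "any", "any", "tcp", 23, "log"),
    Rule("dns", "any", "192.0.2.53/32", "udp", 53, "accept"),
    Rule("web", "any", "192.0.2.80/32", "tcp", 80, "accept"),
    Rule("icmp", "any", "any", "icmp", None, "accept"),
]
# Constructed traffic, weighted the way a day of logs usually looks: mostly web.
TRAFFIC = ([Packet("198.51.100.7", "192.0.2.80", "tcp", 80)] * 6
           + [Packet("198.51.100.7", "192.0.2.53", "udp", 53)] * 2
           + [Packet("10.1.1.5", "192.0.2.10", "tcp", 22)]
           + [Packet("198.51.100.9", "192.0.2.80", "tcp", 23)])

if __name__ == "__main__":
    hits, before = replay(RULES, TRAFFIC)
    tuned = safe_reorder(RULES, hits)
    print("rules examined before/after:", before, replay(tuned, TRAFFIC)[1])
    print("new order:", [r.name for r in tuned], "| rules that log:", log_rules(RULES))
```

On the constructed traffic the original order examines 43 rules for 10 packets and the tuned order 27, with the web rule promoted to second place and guest-deny left untouched at the top because every rule below it could overlap it. The same replay is the place to look for rules that log too much: `log_rules` lists them, and `replay` shows how often each is hit.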


Managing Log Files

• Deciding what to log
  – Some firewalls log only packets subject to a rule with a Deny action
  – Kinds of log files
    • Security log
    • System log
    • Traffic log
    • Active log (Check Point NG)
    • Audit log (Check Point NG)
  – Some firewalls have a GUI interface to manage log files


Managing Log Files (continued)

• Configuring the log file format
  – Many firewalls generate log files in plain text
  – Sophisticated firewalls save log files in different formats
    • Native format
    • Open Database Connectivity (ODBC) format
    • W3C Extended format
  – Editing and reconfiguring log file formats improves firewall efficiency


Managing Log Files (continued)

• Reviewing log files
  – Review log files regularly
  – General steps for reviewing log files
    • Review a summary of recent log file events
    • Display the raw data in the form of a report
    • Review the data and identify traffic patterns that point to problems with the firewall rules
    • Adjust the rules accordingly
    • Review subsequent log file data
  – Log files can indicate signatures of attack attempts


Managing Log Files (continued)

• Preparing log file summaries and generating reports
  – Log summary
    • Shows major events over a period of time
    • Summaries are not reports
    • Contain raw data that can be used to create reports
  – Some firewalls contain log file analysis tools
    • Viewing raw data can be tedious and prone to errors
  – Reports
    • Display data in an easy-to-read format
    • Help you sort your data
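The three log-file slides above name the W3C Extended format, the review cycle (summary, report, find patterns that point at rule problems, adjust, re-review) and the difference between a summary and a report. The script below is an added example, not the textbook's code and not the output of any firewall named on the page: it parses a small constructed W3C Extended log by reading the `#Fields:` directive rather than hard-coded columns, builds the raw summary, and renders a report that flags two patterns worth a closer look. The field names (`c-ip`, `s-port`, `x-rule`, `x-action` and so on), the internal network `10.0.0.0/8` and every log line are assumptions constructed for the example.

```python
"""Parsing a W3C Extended format firewall log into a summary and a report.

Added example, not the textbook's code and not ISA Server's or Check Point's
output.  The W3C Extended format starts with "#" directives; "#Fields:" names
the columns of every later line, so the parser keys everything off that
directive.  Field names and sample lines are constructed for this example; a
real firewall's #Fields line will differ, which is why the parser reads it."""
import ipaddress
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Software: constructed sample, not real firewall output
#Version: 1.0
#Fields: date time c-ip s-ip s-port cs-protocol x-rule x-action
2005-03-01 08:00:01 10.1.1.5 192.0.2.80 80 TCP AllowWeb Allow
2005-03-01 08:00:02 10.1.1.6 192.0.2.80 80 TCP AllowWeb Allow
2005-03-01 08:00:03 10.1.1.5 192.0.2.53 53 UDP AllowDNS Allow
2005-03-01 08:00:04 198.51.100.9 192.0.2.80 23 TCP DefaultDeny Deny
2005-03-01 08:00:05 198.51.100.9 192.0.2.80 21 TCP DefaultDeny Deny
2005-03-01 08:00:06 198.51.100.9 192.0.2.80 25 TCP DefaultDeny Deny
2005-03-01 08:00:07 198.51.100.9 192.0.2.80 110 TCP DefaultDeny Deny
2005-03-01 08:00:08 10.1.1.7 192.0.2.80 80 TCP AllowWeb Allow
2005-03-01 08:00:09 10.1.1.7 192.0.2.25 25 TCP DefaultDeny Deny
"""

def parse_w3c(text):
    """One dict per data line, keyed by the names given in the #Fields directive."""
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives (#Software, #Date, ...) carry no data
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records

def summarize(records):
    """The log summary: major events over the period, still raw counts rather than a report."""
    return {
        "total": len(records),
        "by_action": Counter(r["x-action"] for r in records),
        "by_rule": Counter(r["x-rule"] for r in records),
        "denied_by_source": Counter(r["c-ip"] for r in records if r["x-action"] == "Deny"),
    }

def denied_port_sweeps(records, min_ports=3):
    """Sources denied on several different destination ports: a pattern worth a closer look."""
    ports = defaultdict(set)
    for r in records:
        if r["x-action"] == "Deny":
            ports[r["c-ip"]].add(int(r["s-port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

def internal_denies(records, internal_net):
    """Denied traffic from inside the network often means a rule is missing or too narrow."""
    net = ipaddress.ip_network(internal_net)
    return [(r["c-ip"], r["s-ip"], r["s-port"]) for r in records
            if r["x-action"] == "Deny" and ipaddress.ip_address(r["c-ip"]) in net]

def report(records, internal_net):
    """The easy-to-read form the slides call a report, built from the summary."""
    s = summarize(records)
    lines = [f"{s['total']} entries; " + ", ".join(f"{a}={n}" for a, n in sorted(s["by_action"].items())),
             "hits per rule: " + ", ".join(f"{r}={n}" for r, n in s["by_rule"].most_common())]
    for ip, ports in denied_port_sweeps(records).items():
        lines.append(f"{ip} denied on {len(ports)} ports {ports}: review, possible port sweep")
    for src, dst, port in internal_denies(records, internal_net):
        lines.append(f"internal host {src} denied to {dst}:{port}: check whether a rule is missing")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(parse_w3c(SAMPLE_LOG), "10.0.0.0/8"))
```

Run as written, the report shows five denies against four allows, names the external source denied on four different ports, and singles out the internal host denied on its way to the mail server, which is the kind of entry that sends you back to the rule base with a specific question rather than a pile of raw lines.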


Improving Firewall Performance

• The firewall might be performing unnecessary operations
  – Host lookups
  – Decryption
  – Logging

• Choose a machine with the fastest CPU for the firewall

• Calculating memory requirements
  – 512 MB to 1 GB of available RAM is preferred
  – Cache memory: [100 MB + (0.5 x number of users)]


Improving Firewall Performance (continued)

• Testing the firewall
  – Test it before and after it goes online
  – Ideal testing environment
    • Lab with two computers
      – One connected to the external interface
      – Another connected to the internal interface


Configuring Advanced Firewall Functions

• Advanced features
  – Data caching
  – Remote management
  – Application filtering
  – Voice protocol support
  – Authentication
  – Time-based access scheduling

• Load sharing
  – Configure firewalls to share the total traffic load


Installing and Configuring Check Point NG

• Check Point NG
  – An enterprise-level firewall

• To plan for the installation, answer these questions
  – Is the firewall on the outside of the DMZ, or does it protect one part of the internal network from another part?
  – How important is it to monitor employees’ activities on the network?


Installing Check Point Modules

• OS requirements
  – Windows 2000 Professional or Server, or later
  – Windows NT with Service Pack 4 or later
  – Sun Solaris 7 or later
  – Red Hat Linux 6.2 or later

• Component
  – Part of an application that performs a specific range of functions


Installing Check Point Modules (continued)

• Check Point components
  – Check Point Management Server
  – Policy Editor
  – VPN/FireWall
  – Log Viewer
  – Inspection

• Open Platform for Security (OPSEC)
  – Protocol used by Check Point NG to integrate with other security products


Installing Check Point Modules (continued)

• Step 1: Preparing to install Check Point NG
  – Determine where the program will be installed
  – Pick a directory on a standalone server
    • C:\WINNT is the default location
    • If a different directory is used, include a FWDIR variable
  – Enable IP forwarding on the host computer
  – Go to the Check Point User Center
    • Obtain a license key to use the software
    • Add the license in Check Point NG


Installing Check Point Modules (continued)

• Step 2: Select Check Point modules to install
  – Choose between
    • Server/Gateway Components
    • Mobile/Desktop Components
  – Decide what product to install
    • Enterprise Primary Management or Enterprise Secondary Management
    • Enforcement Module & Primary Management
    • Enforcement Module
  – Select which Management Client you want to install


Installing Check Point Modules (continued)

• Step 3: Configuring Network Objects
  – The firewall will protect these objects
  – Smart management interfaces
    • SmartDashboard
    • SmartView Tracker
  – Network Objects Manager
    • GUI tool included in SmartDashboard
    • Easiest way to define network objects
  – Objects you will most likely use
    • Check Point Gateway and Node


Installing Check Point Modules (continued)

• Step 4: Creating filter rules
  – Develop a set of packet-filtering rules
    • Called “Policy Packages” in Check Point
  – Create separate rules for different parts of the network


What’s New in Check Point NGX

• Includes improved security and management capabilities
  – Centralized management for an organization’s perimeter, internal, and Web security needs
  – Enforces VPN rules by direction (inbound or outbound)
  – Support for backup links

• Backward compatibility for older authentication schemes


Installing and Configuring Microsoft ISA Server 2000

• Microsoft ISA Server 2000
  – Firewall designed to protect business networks
  – Performs a variety of proxy server functions

• Select the version of ISA Server 2000 you want
  – Standard Edition
  – Enterprise Edition


Licensing ISA Server 2000

• Obtain a license to use ISA Server 2000 on a permanent basis

• It is licensed on a per-processor basis
  – Need to purchase a license for each processor on the host
  – Can use as many clients as needed


Installing ISA Server 2000

• Step 1: Choosing a server mode
  – Determines the features the firewall offers
  – Modes
    • Firewall
    • Cache
    • Integrated


Installing ISA Server 2000 (continued)

• Step 2: Configuring cache locations and setting addresses
  – Cached Web pages need to be stored on an NTFS-formatted drive
  – Create a local address table (LAT)
    • Defines your network’s internal addressing scheme
  – Identify the network adapter of the host computer


Configuring ISA Server 2000

• Step 3: Creating a rule base from your security policy
  – ISA Server 2000’s Getting Started Wizard
    • Helps you create the rule base derived from your security policy
    • Runs in the ISA Management Console
  – ISA Server is designed to integrate with Microsoft Active Directory


Configuring ISA Server 2000 (continued)

• Step 4: Selecting policy elements
  – Types of policy elements
    • Schedules
    • Bandwidth priorities
    • Destination sets
    • Client address sets
    • Protocol definitions
    • Content groups
    • Dial-up entries


Monitoring the Server

• ISA Server Performance Monitor
  – Used for real-time monitoring of the server
  – Allows you to view alerts as soon as they are issued
  – Need to set up counters
    • Keep track of the number of active connections currently forwarding data on the network


What is New in ISA Server 2004


Managing and Configuring Iptables

• Iptables
  – Configures packet filter rules for the Linux firewall Netfilter
  – Replaces ipchains
  – Enables Netfilter to perform stateful packet filtering
  – Can filter packets based on a full set of TCP option flags
  – Iptables is a command-line tool

• Rules are grouped in the form of chains
  – A rule in one chain can activate a specific rule in another chain


Built-in Chains

• Iptables comes with three built-in chains
  – Output
  – Input
  – Forward

• Packet-handling decisions
  – Accept
  – Drop
  – Queue
  – Return


Built-in Chains (continued)

• Configure the default action for a chain with -P
  • Example: iptables -P OUTPUT ACCEPT
• You can configure more specific actions on a case-by-case basis


User-Defined Chains

• Commands for configuring individual rules
  – -A chain rule—Adds a new rule to the chain
  – -I chain rule-number rule—Enables you to place a new rule in a specific location in the chain
  – -R chain rule-number rule—Enables you to replace a rule
  – -D chain rule-number—Deletes the rule at the position specified by [rule-number]
  – -D chain rule—Deletes a rule


User-Defined Chains (continued)

• Commands used to create rules
  – -s source—Identifies the source IP address
  – -d destination—Identifies the destination IP address
  – -p protocol—Identifies the protocol to be used in the rule (such as TCP, UDP, ICMP)
  – -i interface—Identifies the network interface the rule uses
  – -j target—Identifies the action associated with the rule
  – !—Negates whatever follows it
  – -l—Activates logging if a packet matches the rule
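The Built-in Chains and User-Defined Chains slides above describe how Netfilter walks a chain: a built-in chain has a default policy set with -P, a rule's -j target is a decision (Accept, Drop, Queue, Return) or a jump into a user-defined chain, Return hands the packet back to the calling chain, and -A/-I/-R/-D edit the rules. The following simulator is an added example, not the textbook's code and not iptables itself; it is a small Python model of exactly those semantics so that a rule set can be reasoned about without a Linux host. It supports the -s, -d, -p and -i matches with the "!" negation, and models the slide's -l flag as a per-rule flag that records the match before the target applies (the Tables class, the chain name `from-lan`, the interface name `eth1`, the addresses and the packets are all constructed assumptions).

```python
"""Netfilter-style chain traversal simulator (added example, not the textbook's
code and not iptables itself).  It models what the slides describe: the built-in
INPUT/OUTPUT/FORWARD chains with a default policy (-P), user-defined chains
reached with -j, the ACCEPT/DROP/QUEUE/RETURN decisions, the -A/-I/-R/-D rule
commands, and -s/-d/-p/-i matches with "!" negation.  The slide's -l flag is a
per-rule flag that records the match before the target applies.  All chain
names, rules and packets are constructed."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")
TERMINAL = ("ACCEPT", "DROP", "QUEUE")

@dataclass
class Rule:
    target: str                  # -j: ACCEPT, DROP, QUEUE, RETURN or a user-defined chain
    src: Optional[str] = None    # -s CIDR; a leading "!" negates (likewise dst, proto, iface)
    dst: Optional[str] = None    # -d
    proto: Optional[str] = None  # -p
    iface: Optional[str] = None  # -i
    log: bool = False            # -l

Packet = namedtuple("Packet", "src dst proto iface")

def _in_net(net, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def _match(spec, value, cmp=lambda a, b: a == b):
    # None matches anything; a leading "!" inverts the comparison
    return True if spec is None else cmp(spec.lstrip("! "), value) != spec.startswith("!")

class Tables:
    def __init__(self):
        self.chains = {c: [] for c in BUILTIN}
        self.policy = {c: "ACCEPT" for c in BUILTIN}
        self.logged = []                                   # (chain, target, packet) from -l rules
    def new_chain(self, name): self.chains[name] = []                            # -N chain
    def set_policy(self, chain, target): self.policy[chain] = target             # -P chain target
    def append(self, chain, rule): self.chains[chain].append(rule)               # -A chain rule
    def insert(self, chain, num, rule): self.chains[chain].insert(num - 1, rule) # -I chain n rule
    def replace(self, chain, num, rule): self.chains[chain][num - 1] = rule      # -R chain n rule
    def delete(self, chain, spec):                         # -D chain n  or  -D chain rule
        if isinstance(spec, int):
            del self.chains[chain][spec - 1]
        else:
            self.chains[chain].remove(spec)                # first rule equal to the spec
    @staticmethod
    def matches(r, p):
        return (_match(r.src, p.src, _in_net) and _match(r.dst, p.dst, _in_net)
                and _match(r.proto, p.proto) and _match(r.iface, p.iface))
    def _walk(self, chain, p):
        """Terminal decision, or None when the chain runs out or a RETURN rule matches."""
        for r in self.chains[chain]:
            if not self.matches(r, p):
                continue
            if r.log:
                self.logged.append((chain, r.target, p))
            if r.target in TERMINAL:
                return r.target
            if r.target == "RETURN":
                return None
            decision = self._walk(r.target, p)             # jump into a user-defined chain ...
            if decision is not None:
                return decision                            # ... and continue here if it returned
        return None
    def verdict(self, chain, p):
        decision = self._walk(chain, p)
        return decision if decision is not None else self.policy[chain]  # built-in: policy decides

def build_sample():
    """Deny by default; LAN traffic gets its own chain; the guest subnet is sent back to INPUT;
    packets on the LAN interface without a LAN source address are dropped and logged."""
    t = Tables()
    t.set_policy("INPUT", "DROP")                                              # -P INPUT DROP
    t.new_chain("from-lan")                                                    # -N from-lan
    t.append("INPUT", Rule("from-lan", src="10.0.0.0/8", iface="eth1"))        # -A INPUT -s 10.0.0.0/8 -i eth1 -j from-lan
    t.append("INPUT", Rule("ACCEPT", proto="icmp"))                            # -A INPUT -p icmp -j ACCEPT
    t.insert("INPUT", 1, Rule("DROP", src="!10.0.0.0/8", iface="eth1", log=True))  # -I INPUT 1 ! -s 10.0.0.0/8 -i eth1 -l -j DROP
    t.append("from-lan", Rule("RETURN", src="10.9.0.0/16"))                    # guests: back to INPUT
    t.append("from-lan", Rule("ACCEPT", proto="tcp"))                          # rest of the LAN: TCP only
    return t

PACKETS = {                                                   # constructed test packets
    "lan_tcp": Packet("10.1.1.5", "192.0.2.1", "tcp", "eth1"),
    "guest_udp": Packet("10.9.3.3", "192.0.2.1", "udp", "eth1"),
    "guest_icmp": Packet("10.9.3.3", "192.0.2.1", "icmp", "eth1"),
    "spoofed": Packet("198.51.100.9", "192.0.2.1", "tcp", "eth1"),
}

def demo():
    t = build_sample()
    out = {name: t.verdict("INPUT", p) for name, p in PACKETS.items()}
    out["logged"] = len(t.logged)
    t.replace("INPUT", 3, Rule("QUEUE", proto="icmp"))       # -R INPUT 3 -p icmp -j QUEUE
    out["guest_icmp_after_R"] = t.verdict("INPUT", PACKETS["guest_icmp"])
    t.delete("INPUT", Rule("QUEUE", proto="icmp"))           # -D INPUT -p icmp -j QUEUE
    out["guest_icmp_after_D"] = t.verdict("INPUT", PACKETS["guest_icmp"])
    t.delete("INPUT", 1)                                     # -D INPUT 1: removes the anti-spoofing rule
    out["spoofed_after_D"] = t.verdict("INPUT", PACKETS["spoofed"])
    return out
```

The guest ICMP packet is the instructive case: the jump into `from-lan` hits the RETURN rule, control comes back to INPUT, and the next rule there (ICMP accept) decides; the guest UDP packet takes the same path but runs off the end of INPUT, so the -P policy decides. Replacing rule 3 with a QUEUE target and then deleting it by specification shows -R and -D acting on the same rule, and deleting rule 1 by number removes the logged anti-spoofing drop, after which the spoofed packet is still dropped, but silently, by the policy.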


Summary

• Improving firewall configuration involves optimizing
  – Rule base
  – Log files

• Log files provide critical information
  – Network traffic
  – Attempts to attack

• Firewalls can generate log files in different formats

• Fine-tune your firewall to log only information you actually need

• Some firewalls include log file analysis tools


Summary (continued)

• Basic firewall functions
  – Host lookup
  – Encryption/decryption
  – Logging

• Machine hosting the firewall should have
  – Fastest processor available
  – At least the minimum required RAM
  – Cache memory

• Test your firewall before it goes online


Summary (continued)

• Check Point NG
  – Suite of firewall modules
  – Used to implement a security policy

• Microsoft ISA Server 2000
  – Improves network security through traditional filtering and NAT

• Iptables
  – Linux command-line tool for creating packet filtering rules