Firewall Tips & Tricks. Paul Asadoorian Network Security Engineer Brown University November 20, 2002

Transcription

1 Firewall Tips & Tricks Paul Asadoorian Network Security Engineer Brown University November 20, 2002

2 Holy Firewall Batman! Your Network Evil Hackers Firewall

3 Defense in Depth Firewalls mitigate risk Blocking MOST threats They have vulnerabilities as well Improper configuration is the largest threat

4 Tips & Tricks Outline Using the DMZ to your advantage Firewalls as Intrusion Detection devices Configure VPN s for management

5 The DMZ Configuration Separate area off the firewall Usually a different subnet Commonly used to house Internet facing machines (i.e. Web Servers) Has its own firewall policy

6 The DMZ Configuration Place web servers in the DMZ network Only allow web ports (TCP ports 80 and 443) Internet Allow 80/443 from anywhere Firewall Web Server Your Network

7 The DMZ Configuration Don t allow web servers access to your network Allow local network to manage web servers (SSH) Allow 22 from Your Network Firewall Deny all to Your Network Web Server Your Network

8 The DMZ Configuration Don t allow servers to connect to the Internet Patching is not convenient Internet Deny all to Internet Firewall Web Server

9 The DMZ Configuration Allow 80/443 from all Internet Allow 22 from Your Network Firewall Deny all to Your Network Deny all to Internet Web Server Your Network

10 Firewalls as IDS Collect log information from the deny rules Find Portscanning, hacking attempts, etc Isolate traffic with deny rules helps cut down the information overload

11 Firewalls as IDS What to do with ALL that data..graph It! Shows trends, what people are looking for Helps prioritize security tasks Occasionally you may want to block portscans

12 Firewalls as IDS Telenet 23 SubSeven dtspcd 6112 FTP 21 MS SQL 1433 unknown 8000 NetBIOS 139 Web Proxy 1080 GNUTella 6346 Backdoor 1524 Portscanning Statistics HTTP SSH 22 HTTP NetBIOS 1433 MS SQL 21 FTP 22 SSH SubSeven 23 Telenet 6112 dtspcd 8000 unknown 1080 Web Proxy 6346 GNUTella 1524 Backdoor Data collected from July August 2002, Brown University Network

13 Firewalls as IDS NetBIOS 139 Proxy 8080 SMTP 25 unknown 8000 RPC 135 Proxy 3128 SSH 22 Portscanning Statistics HTTPS HTTP 445 SMB FTP 21 HTTP SQL 21 FTP 443 HTTPS 139 NetBIOS 25 SMTP 8080 Proxy SQL unknown 135 RPC 3128 Proxy 22 SSH SMB 445 Data collected from October November 2002, Brown University Network

14 Firewall as IDS Pay close attention to traffic leaving DMZ Often the first sign of a compromise Low traffic rules, so logs aren t as enormous is nice, provided you re the only one reading it

15 Firewalls as IDS Ways to accomplish alerting: Swatch Logsentry Alert.sh (Firewall-1)

16 Firewall as IDS Date: Wed, 31 Dec :40: (CST) From: To: Subject: #### Firewall ALERT #### You have received this message because someone is potentially scanning your systems. The information below is the packet that was denied and logged by the Firewall. This is alert number 3, with a limit of 5 from evil.example.org CRITICAL INFORMATION Date: 31Dec1997 Time: 15:39:59 Source: evil.example.org Destination: ns1 Service: domain-tcp ACTUAL LOGENTRY Dec :39:59 drop fw1 >elx0 mail proto tcp src evil.example.org dst ns1 service domain-tcp s_port len 44 rule 6

17 Configuring VPN For Management VPN is far more secure than other management methods: SSL and SSH are vulnerable to Man-In-The Middle Attacks Telnet and SNMP are clear text There are no known MIM attacks against IPSEC (Yet)

18 Configuring VPN For Management VPN clients are supported on most platforms Most firewalls will work with most clients Netscreen now officially supports FreeSwan Mac OS X is now supporting VPN

19 Useful Links - Lance Spitzner s Web Site - Guide to blocking ports - All sorts of good stuff