Firewall Environments. Name



Similar documents
Name. Description. Rationale

8. Firewall Design & Implementation

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Network Security Topologies. Chapter 11

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Chapter 9 Firewalls and Intrusion Prevention Systems

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Security Technology: Firewalls and VPNs

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Firewall Security. Presented by: Daminda Perera

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

The Bomgar Appliance in the Network

FIREWALLS & CBAC. philip.heimer@hh.se

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Chapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc.

Overview. Firewall Security. Perimeter Security Devices. Routers

Proxy Server, Network Address Translator, Firewall. Proxy Server

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Architecture Overview

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Cornerstones of Security

Figure 41-1 IP Filter Rules

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

INTRUSION DETECTION SYSTEMS and Network Security

IPCOM S Series Functions Overview

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0

CMPT 471 Networking II

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Voice Over IP and Firewalls

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Altus UC Security Overview

Polycom. RealPresence Ready Firewall Traversal Tips

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

SCADA/Business Network Separation: Securing an Integrated SCADA System

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Chapter 15. Firewalls, IDS and IPS

GlobalSCAPE DMZ Gateway, v1. User Guide

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Using Skybox Solutions to Achieve PCI Compliance

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Introduction. Cyber Security for Industrial Applications

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

Network Access Security. Lesson 10

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Chapter 11 Cloud Application Development

U06 IT Infrastructure Policy

Securing SIP Trunks APPLICATION NOTE.

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Information Technology Security Guideline. Network Security Zoning

Internet infrastructure. Prof. dr. ir. André Mariën

Network Security. Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ. July Network Security 08

NEFSIS DEDICATED SERVER

Firewalls. Ahmad Almulhem March 10, 2012

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

CCNA Security 1.1 Instructional Resource

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Network Configuration Settings

SECURING SAP NETWEAVER DEPLOYMENTS WITH SAFE-T RSACCESS

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

A Model Design of Network Security for Private and Public Data Transmission

How To Pass A Credit Course At Florida State College At Jacksonville

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

How To Protect Your Network From Attack

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Guideline on Firewall

Who Moved My Firewall. Clinton Thomson Derivco (PTY) Ltd

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering

INTRODUCTION TO FIREWALL SECURITY

Recommended IP Telephony Architecture

Commercial Practices in IA Testing Panel

Firewalls CSCI 454/554

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Introduction of Intrusion Detection Systems

FIREWALL POLICY DOCUMENT

Top-Down Network Design

Firewalls. Chapter 3

Firewalls, Tunnels, and Network Intrusion Detection

Transcription:

Complliiance Componentt DEEFFI INITION Description Rationale Firewall Environments Firewall Environment is a term used to describe the set of systems and components that are involved in providing or supporting the complete firewall functionality at a given point on a network. Firewall Environments are made up of firewall devices and associated systems and applications designed to work together. The Firewall Environment provides adequate protection for the organization s networks while minimizing complexity and management. Benefits List the Domain Creates defense in depth with layer security Coordinates security between firewalls, intrusion detection systems, and other network security devices Restricts connectivity between networks Provides a buffer zone for transactions with outside parties Secures remote access ASSSSOCI IATEED ARCHITEECTUREE LLEEVEELLSS Security List the Discipline List the Technology Area Technical Controls Secure Gateways and Firewalls List Product Component Document the Compliance Component Type Component Sub-type Guideline COMPPLLI IANCEE COMPPONEENT TYPPEE COMPPLLI IANCEE DEETAI ILL State the Guideline, Standard or Legislation Firewall Environments may consist of: Firewall(s) Demilitarized Zones (DMZs) Virtual Private Networks (VPNs) Intranets Extranets Hubs and switches Intrusion Detection Systems (IDS) Domain Server (DNS) Server placement A simple firewall environment may consist of a packet filter firewall and nothing else. In a more complex and secure environment, it may consist of several firewalls, proxies, and specific topologies for supporting the systems and security.

Building Firewall Environments A firewall shall be used between any agency-controlled equipment and equipment not controlled by the agency such as that owned by other agencies, contractors, business partners or public service providers. The environment configuration should be simple. The more simple the firewall solution, the more secure it will likely be and the easier to manage. Complexity in design and function can lead to errors in configuration. Do not make firewalls out of equipment not intended to be firewalls. For example, network switches used as firewalls can be susceptible to attack. A router should not be used as a firewall unless special firewall software is installed on it. Create defense in depth by creating layers of security as opposed to one layer. Where several firewalls can be used, they should be. Where routers can be configured to provide some access control or filtering, they should be. Internal firewalls should be used to protect important systems from internal threats. Examples include internal web and email servers, and financial systems. DMZs A DMZ is created by network switches that sit between an internal and external firewall, or between an internal firewall and a boundary router. Agencies should not use just one firewall to create a DMZ since the firewall would be subject to service degradation during denial of service attacks. DMZs shall serve as connection points for systems that require or support external connectivity, or between internal systems with different levels of access control. Agencies shall place remote access servers and external VPN endpoints within DMZs. VPNs External VPN appliances shall be installed in the DMZ. Placing it behind the firewall would require that encrypted VPN traffic be passed outbound through the firewall, and the firewall would then be unable to inspect the inbound or outbound traffic, or perform access control or logging. Intranets An intranet is a network that employs HTTP for internal information dissemination. An intranet must be behind the firewall. An internal firewall should be used to separate intranets.

Extranets An extranet is two or more networks that are joined via the Internet. The agency shall implement a firewall, controlled by the agency, on its side of the extranet. Hubs and Switches Network hubs shall not be used to build DMZs or firewall environments. Network switches should be used for implementing DMZs and firewall environments. Network switches shall not be used to provide any firewall or traffic isolation capability outside of a firewall environment. IDS Host-based intrusion detection systems shall be placed on all systems in the DMZ and any internal systems that can be accessed by external entities. Network-based intrusion detection systems shall be placed on the private side of the firewall. Network-based intrusion detection systems should also be placed on the public side of the firewall and may be in the DMZ. DNS Internal Domain Servers (DNS) shall be kept separate from external domain name servers. This practice, known as split DNS, ensures that private internal systems are never identified to external organizations. Access to external DNS shall only be allowed through port 53 (the standard port for DNS). Agencies should configure computers to use specific DNS servers by IP address, and should not allow blind zone transfers. Firewall Failover Strategies If the firewall environment does not have redundancy, the connection must be automatically severed if the firewall fails. Redundancy and failover services should be provided for firewall environments. This can be done using: o specially designed network switches that shift all traffic over to a backup firewall in the event of a failure, o a customized "heartbeat" mechanism that typically involves a network interface to notify the backup firewall of the primary firewall s functionality, or o a manually initiated backup firewall. Network switches that provide load balancing and failover capabilities allow seamless failover and, in many cases, established sessions through the firewall are not impacted by a production system failure. The network switch-based failover

Document Source Reference # Contact Information Contact Information solution is generally the most expensive solution. Heartbeat-based solutions almost always lose established sessions traversing the production firewall in the transition from production to backup resources. A manually initiated backup firewall is the least desirable, but also the least expensive. Placement of Servers in Firewall Environments Where to place servers in a firewall environment depends on many factors. The following guidelines can be used to make the determination: o Place internal servers behind internal firewalls as their sensitivity and access require. o Isolate servers such that attacks on the servers do not impair the rest of the network. Externally accessible servers shall be placed in the DMZ. The boundary router can provide some access control and filtering for the servers, and the main firewall can restrict connections from the servers to internal systems, which could occur if the servers are penetrated. External VPN and Dial-In Servers shall be placed in the DMZ. This enables outbound traffic to be encrypted after it has been filtered (e.g., by an HTTP proxy) and allows inbound traffic to be decrypted and filtered by the firewall. Internally accessible web servers, email servers, and directory servers should be placed in the DMZ. This provides defense in depth protection from external threats, and well as protection from internal threats. Web mail servers shall be set to only accept SMTP connections through the firewall. To access web mail from an external network, an SSL proxy shall run on the main firewall. Using a web browser, external users authenticate to the main firewall. The main firewall forwards the SSL connection to the internal proxy/email server for a second authentication. This solution prevents direct external access to the mail server, yet still permits external access through the firewall. Standard Organization NIST SP 800-41, Guideline for Firewalls and Website Firewall Policy Government Body National Institute of Standards and Technology Website (NIST) www.csrc.nist.gov/publications/ Intpubs http://csrc.nist.gov/

KEEYWORDSS Contractor, partner, DMZ, VPN, DNS, extranet, intranet, heartbeat, List all Keywords failover, failsafe, blind zone, IDS, packet filter, dial-in COMPPONEENT CLLASSSSI IFFI ICATION Provide the Classification Emerging Current Twilight Sunset Document the Rationale for Component Classification Document the Conditional Use Restrictions Document the Migration Strategy Document the Position Statement on Impact Rationale for Component Classification Conditional Use Restrictions Migration Strategy Impact Position Statement CURREENT SSTATUSS Provide the Current Status) In Development Under Review Approved Rejected AUDIT TRAILL Creation Date 06/08/2004 Date Accepted / Rejected 06/08/2004 Reason for Rejection Last Date Reviewed Last Date Updated Reason for Update

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information