The methodology. Interne. 1 Introduction



Similar documents
Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

F-SECURE MESSAGING SECURITY GATEWAY

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000

ΕΠΛ 674: Εργαστήριο 5 Firewalls

74% 96 Action Items. Compliance

UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY

Introduction of Intrusion Detection Systems

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Firewall Tips & Tricks. Paul Asadoorian Network Security Engineer Brown University November 20, 2002

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

allow all such packets? While outgoing communications request information from a

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

Firewall Firewall August, 2003

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

10 Configuring Packet Filtering and Routing Rules

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Firewalls, Tunnels, and Network Intrusion Detection

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

12. Firewalls Content

Firewalls and Intrusion Detection

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewalls (IPTABLES)

Firewalls CSCI 454/554

CSCI Firewalls and Packet Filtering

Potential Targets - Field Devices

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Technical Note. ForeScout CounterACT: Virtual Firewall

Deploying ACLs to Manage Network Security

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

How To Protect Your Network From Attack From Outside From Inside And Outside

The Bomgar Appliance in the Network

8. Firewall Design & Implementation

Network Security Policy: Best Practices White Paper

Intro to Firewalls. Summary

Security threats and network. Software firewall. Hardware firewall. Firewalls

Firewalls. Chapter 3

freesshd SFTP Server on Windows

INTRODUCTION TO FIREWALL SECURITY

Packet filtering and other firewall functions

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Guideline on Firewall

What communication protocols are used to discover Tesira servers on a network?

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

Automating Server Firewalls

Firewall Audit Techniques. K.S.Narayanan HCL Technologies Limited

Cisco PIX vs. Checkpoint Firewall

Overview. Firewall Security. Perimeter Security Devices. Routers

Implementing Network Address Translation and Port Redirection in epipe

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

CMPT 471 Networking II

Figure 41-1 IP Filter Rules

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Application Firewalls

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

OLD DOMINION UNIVERSITY Router-Switch Best Practices. (last updated : )

FIREWALL AND NAT Lecture 7a

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

Introduction TELE 301. Routers. Firewalls

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Workload Firewall Management

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Firewall Security. Presented by: Daminda Perera

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

Firewalls and Network Defence

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Inbound Load Balance. User Manual

1 Log visualization at CNES (Part II)

Intrusion Detection Systems (IDS)

Firewalls. Mahalingam Ramkumar

Firewalls, IDS and IPS

Technical Support Information

Chapter 4 Firewall Protection and Content Filtering

TS-301 Case Project Shaun DeRosa

vcloud Director User's Guide

- Introduction to Firewalls -

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Lab Objectives & Turn In

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

Timing,... in Firewall Testing

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

IBM. Vulnerability scanning and best practices

PROFESSIONAL SECURITY SYSTEMS

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Transcription:

1 Introduction The methodology In an ideal world, firewall infrastructures are designed by people with experience, people who have the experience to intuitively know what they are doing. Ideally, these same people will work with the project team to produce a set of firewall rules. In practice often people less experienced may have to produce them. Having been the latter (hopefully now the former) I produced this simple methodology to help the novice. Nobody would expect a certified firewall expert to do go through all these stages but if you have to document your processes or produce anomalous IDS patterns, this can be useful. Example configuration DNS IDS Mail server Interne Fw2 Console Router Fw1 Web Server User PC

2 Stage 1 - Identifying active components define inventory The purpose of this stage is to inventorise the components in the configuration. This allows an asset register of all objects to be built. Typically the list of components will include: Database server Crypto server LDAP Server For our example we use only DNS server Mail server user Machines Maintenance machines Front-end router web server Intrusion detection monitor 2 nd firewall 1st firewall 2.1 Order & group active components - define chokepoints Working from the outside of the configuration, re-order the list of components in the configuration. Calculate how many chokes or control points in the configuration. Typical examples of these are perimeter router, external firewall, internal firewall and internal router. Group the object list by their relative inter-choke position. Group 1 Group 1 Group 1 Customer PC Internet Primary dns server

Group 1 Group 2 Group 2 Group 3 Group 3 Group 3 Primary dns Front-end router Intrusion detection monitor Front firewall web server mail server,,,,,,.,,,

2.2 Recording the traffic flows- n 2 matrix An example of the n 2 matrix is shown below. Group1 Group 2 Group 3 TO User PC dns router User PC dns Router I DS 1 st fw web mail 2nd fw tcp80 tcp25 Cons IDS Udp161 Udp69 1st fw web server mail server 2 nd fw MGT Cons udp53 tcp25 udp53 x Tcp22 Tcp22 Tcp22 Tcp22 Tcp22 Tcp22 Udp161 Create a matrix as above with every network object in your inventory. After each choke point (i.e. firewall and router), put a shaded row or column. This represents the perimeter enforced by the device.

Once the matrix is complete it will need to be populated. Working from the last item on the vertical, record the traffic(from vertical) to destination on the horizontal by placing ports in the appropriate cell i.e ( mail server will have to resolve dns names udp53 & send email tcp25). Obviously, this is a long-winded method of recording communications. But it does force you to examine the communication between every object. It also gives you the opportunity to research the behaviour of less known protocols. 2.3 Creating access rules Having created a matrix, it is necessary to document the access list for each choke point. To do this create a table for each choke-point. If the device is stateful, you will only have to record the out going communication the state engine of the device will take care of the return connection. If it isn t stateful, you will have to insert the appropriate return connection quite a problem for RPC or H323 rule From Address From port 1 (rtn) 2 (rtn) 3 To Address To port Action comment Populate it as follow -Starting from the last row on the vertical. Read along the row, when you find a port, record the destination. Each time the line crosses a shaded control point it will require a logical accesses rule in that control point table. See example

User dns Router I DS PC User PC dns router IDS 1st fw web udp53 server mail server 2 nd fw tcp25 udp53 2.4 Designing access logging rules This is dependant on the capability of the device. But it is important to actively design the logging option on the rule table and record in the comment section. Define too much logging and you will swap the logs and ruin the performance. Log too little and you ll hide evidence of a hack. This very device dependant, consider logging Explicit deny rule

Administrative access Important transactions Stealth rule Anti Spoofing rules 2.5 Designing intrusion detection alerts Some firewalls have the ability to define alerts. It is a good practice to place such alerts on rules which should never happen. For example, I personally never allow ssh to a firewall through the frontend router. Therefore, if a session is attempted from the internet through the router, something has been compromised. This would warrant an alert. rule From From port To Address To port Action comment Address 1 User PC ANY 1 st FW SSh DENY Alert 2.6 Add anti-spoofing Define anti-spoofing to prevent spoofed access. For example on the external routers external interface rule From From port To Address To port Action comment Address 1 internal ANY internal Any DENY Inward direction This blocks any one attempt to be one of my addresses.

2.7 Add Stealth rule No external access to cokes should be allowed. For example on the external routers external interface we drop any packets as it is obviously a scan attempt. rule From From port To Address To port Action comment Address 1 external ANY internal Any Drop Inward direction 3 Test and enhance for performance Enhancing for performance is simple. Follow these basic rules: Keep the number of rules down Keep the most used rules at the top as most devices check them sequentia lly Drop unauthorised traffic early Use networks or CIDR groups rather than groups Avoid negatives

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information