Ongoing Administration Chapter 11

Post on 19-Dec-2015


Ongoing Administration

Chapter 11

Learning Objectives

Learn how to evolve a firewall to meet new needs and threats

Adhere to proven security principles to help the firewall protect network resources

Use a remote management interface

Track log files for security

continued

Learning Objectives

Follow basic initial steps in responding to security incidents

Take advanced firewall functions into account when administering a firewall

Making Your Firewall Meet New Needs

Throughput

Scalability

Security

Recoverability

Manageability

Verifying Resources Needed by the Firewall

Ways to track memory and system resources:

  Use the formula:

  MemoryUsage = ((ConcurrentConnections) / (AverageLifetime)) * (AverageLifetime + 50 seconds) * 120

  Use the software's own monitoring feature


Allocating More Memory

Identifying New Risks

Monitor activities and review log files

Check Web sites to keep informed of latest dangers; install patches and updates

Adding Software Updates and Patches

Test updates and patches as soon as you install them

Ask vendors (of firewall, VPN appliance, routers, etc.) for notification when security patches are available

Check manufacturer’s Web site for security patches and software updates

Using an Automated Update Feature

Obtaining Updates from the Vendor’s Web Site

Adding Hardware

Identify network hardware so the firewall can include it in routing and protection services

  Different ways for different firewalls

List workstations, routers, VPN appliances, and other gateways you add as the network grows

Choose good passwords that you guard closely

Dealing with Complexity on the Network

Distributed firewalls

  Installed at endpoints of the network, including remote computers that connect to the network through VPNs

  Add complexity: require that you install and/or maintain a variety of firewalls located on your network and in remote locations

  Add security: protect the network from viruses or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)


Adhering to Proven Security Principles

Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management

  Secure the physical environment where firewall-related equipment is housed

  Importance of locking software so that unauthorized users cannot access it

Environmental Management

Measures taken to reduce risks to the physical environment where resources are stored

  Back-up power systems overcome power outages

  Back-up hardware and software help recover network data and services in case of equipment failure

  Sprinkler/alarm systems reduce damage from fire

  Locks guard against theft

BIOS, Boot, and Screen Locks

BIOS and boot-up passwords

Supervisor passwords

Screen saver passwords

Using Remote Management Interface

Software that enables you to configure and monitor firewall(s) that are located on different network locations

Used to start/stop the firewall or change rulebase from locations other than the primary computer

Why Remote Management Tools Are Important

Reduce time and make the job easier for the security administrator

Reduce chance of configuration errors that might result if the same changes were made manually for each firewall on the network

Security Concerns with Remote Management Tools

Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems

  Offers strong security controls (e.g., multi-factor authentication and encryption)

  Should have an auditing feature

  Should use tunneling to connect to the firewall or use certificates for authentication

Evaluate SIM software to ensure it does not introduce new vulnerabilities

Basic Features Required of Remote Management Tools

Ability to monitor and configure firewalls from a single centralized location

  View and change firewall status

  View the firewall's current activity

  View any firewall event or alert messages

Ability to start and stop firewalls as needed

Tracking Contents of Log Files for Security

Reviewing log files can help detect break-ins that have occurred and possibly help track down intruders

Tips for managing log files:

  Prepare usage reports

  Watch for suspicious events

  Automate security checks

Preparing Usage Reports

Sort logs by time of day and per hour

Check logs to learn when peak traffic times are on the network

Identify services that consume the largest part of available bandwidth


Suspicious Events to Watch For

Rejected connection attempts

Denied connections

Error messages

Dropped packets

Successful logons to critical resources
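As an added example that is not part of the original slides, the two slides above put into Python: a parser for a constructed, syslog-style firewall log (the line format, hosts and addresses are assumptions), an hourly usage report, and a filter for the suspicious event classes the slide lists, plus a check for one source behind several rejections, which is the port-scan pattern the deck mentions later.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log; format assumed: date time ACTION proto src -> dst[:port] [extra]
SAMPLE_LOG = """\
2015-12-19 08:05:11 ACCEPT tcp 10.1.1.20 -> 192.0.2.10:80
2015-12-19 08:07:42 ACCEPT tcp 10.1.1.21 -> 192.0.2.10:443
2015-12-19 08:09:03 DENY tcp 198.51.100.7 -> 192.0.2.5:22
2015-12-19 08:09:04 DENY tcp 198.51.100.7 -> 192.0.2.5:23
2015-12-19 08:09:05 DROP tcp 198.51.100.7 -> 192.0.2.5:3389
2015-12-19 09:15:30 ACCEPT tcp 10.1.1.22 -> 192.0.2.10:80
2015-12-19 09:16:01 ERROR - - -> - rulebase reload failed
2015-12-19 09:20:00 LOGON tcp 10.1.1.50 -> 192.0.2.5:22 user=admin
2015-12-19 09:21:00 LOGON tcp 10.1.1.51 -> 192.0.2.10:443 user=alice
"""

# Hosts whose successful logons are always worth a look (constructed list).
CRITICAL_HOSTS = {"192.0.2.5"}
# Log actions mapped to the suspicious-event classes named on the slides.
ACTION_CLASS = {"DENY": "denied", "REJECT": "denied", "DROP": "dropped", "ERROR": "errors"}
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<hour>\d\d):\d\d:\d\d (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) -> (?P<dst>[^:\s]+)(?::(?P<port>\d+))?(?P<rest>.*)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def usage_report(events):
    """Usage report: accepted connections per hour, peak hour, busiest service ports."""
    accepted = [e for e in events if e["action"] == "ACCEPT"]
    per_hour = Counter(e["hour"] for e in accepted)
    per_port = Counter(e["port"] for e in accepted if e["port"])
    peak = per_hour.most_common(1)[0][0] if per_hour else None
    return {"per_hour": dict(per_hour), "peak_hour": peak, "top_ports": per_port.most_common(3)}

def suspicious_events(events):
    """Flag denied/rejected connections, dropped packets, error messages and successful
    logons to critical hosts, then look for one source behind several rejections."""
    flagged = defaultdict(list)
    for e in events:
        cls = ACTION_CLASS.get(e["action"])
        if cls:
            flagged[cls].append(e)
        elif e["action"] == "LOGON" and e["dst"] in CRITICAL_HOSTS:
            flagged["critical_logon"].append(e)
    by_src = Counter(e["src"] for k in ("denied", "dropped") for e in flagged[k])
    flagged["probing_sources"] = [s for s, n in by_src.items() if n >= 3]
    return dict(flagged)
```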

Responding to Suspicious Events

Firewall options:

  Block only this connection

  Block access from this source

  Block access to this destination

Track the attacks

Locate and prosecute the offenders

Tools for Tracking Attacks

Sam Spade

Netstat

NetCat

Compiling Legal Evidence

1. Identify which computer or media may contain evidence

2. Shut down computer and isolate work area until computer forensic specialist arrives

3. Write protect removable media

4. Preserve evidence (make a mirror image) so it is not manipulated

continued

Compiling Legal Evidence

5. Examine the mirror image, not the original

6. Review log files and other data; report findings to management

7. Preserve evidence by making a “forensically sound” copy

Compiling Legal Evidence

Observe the three As of computer forensics: Acquire, Authenticate, Analyze
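As an added example, not from the slides, a Python sketch of the three As with a constructed evidence file standing in for a seized drive: acquisition records a hash of the source while the mirror image is made, authentication checks the working copy against that recorded hash, and analysis refuses a copy that no longer matches. The byte-copy loop is only a stand-in for a real imaging tool behind a write blocker; the file names and the planted byte pattern are assumptions.

```python
import hashlib
import os
import tempfile

def acquire(source_path, image_path, chunk=1 << 20):
    """Acquire: copy the source byte-for-byte into a mirror image and return the
    SHA-256 of the source as it was read, so the image can be authenticated later."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def authenticate(image_path, recorded_hash):
    """Authenticate: the copy is trustworthy only if its hash still matches the
    hash recorded at acquisition time."""
    return sha256_file(image_path) == recorded_hash

def analyze(image_path, recorded_hash, needle):
    """Analyze: refuse to examine a copy that fails authentication; otherwise search
    the image (never the original) for a byte pattern and return its offset."""
    if not authenticate(image_path, recorded_hash):
        raise ValueError("image hash mismatch; evidence may have been manipulated")
    with open(image_path, "rb") as f:
        return f.read().find(needle)

def demo():
    """Run the three As against a constructed evidence file in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.bin")
        image = os.path.join(d, "image.dd")
        with open(original, "wb") as f:  # constructed stand-in for a seized disk
            f.write(b"boot sector\x00" * 64 + b"evil.exe" + b"\x00" * 512)
        recorded = acquire(original, image)
        ok_before = authenticate(image, recorded)
        offset = analyze(image, recorded, b"evil.exe")
        with open(image, "ab") as f:  # simulate tampering with the working copy
            f.write(b"x")
        ok_after = authenticate(image, recorded)
        return ok_before, offset, ok_after
```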

Automating Security Checks

Outsource firewall management

Security Breaches Will Happen!

Use software designed to detect attacks and send alert notifications

Take countermeasures to minimize damage

Take steps to prevent future attacks

Using an Intrusion Detection System (IDS)

Detects whether a network or server has experienced an unauthorized access attempt

Sends notification to appropriate network administrators

Considerations when choosing:

  Location

  Intrusion events to be gathered

  Network-based versus host-based IDS

  Signature-based versus heuristic IDS

Network-Based IDS

Tracks traffic patterns on an entire network segment

Collects raw network packets; looks at packet headers; determines presence of known signatures that match common intrusion attempts; takes action based on contents

Good choice if the network has been subject to malicious activity (e.g., port scanning)

Usually OS-independent

Minimal impact on network performance

Host-Based IDS

Collects data from the individual computer on which it resides

Reviews audit and system logs, looking for signatures

Can perform intrusion detection in a network where traffic is usually encrypted

Needs no additional hardware

Cannot detect port scans or other intrusion attempts that target the entire network

Signature-Based IDS

Stores signature information in a database

  Database requires periodic updating

Can work with either host-based or network-based IDS

Often closely tied to specific hardware and operating system

Provides fewer false alarms than heuristic IDS

Heuristic IDS

Compares traffic patterns against “normal activity” and sets off an alarm if pattern deviates

Can identify any possible attack

Generates high rate of false alarms

Receiving Security Alerts

A good IDS system:

  Notifies appropriate individuals (e.g., via e-mail, alert, pager, or log)

  Provides information about the type of event

  Provides information about where in the network the intrusion attempt took place

When an Intrusion Occurs

React rationally; don’t panic

Use alerts to begin assessment

Analyze what resources were hit and what damage occurred

  Perform real-time analysis of network traffic to detect unusual patterns

  Check to see if any ports that are normally unused have been accessed

Use a network auditing tool (eg, Tripwire)

During and After Intrusion

Document the existence of:

  Executables that were added to the system

  Files that were placed on the computer, deleted, or accessed by unauthorized users

  Web pages that were defaced

  E-mail messages that were sent as a result of the attack

Document your response to the intrusion

Configuring Advanced Firewall Functions

Ultimate goal:

  High availability

  Scalability

Advanced firewall functions:

  Data caching

  Redundancy

  Load balancing

  Content filtering

Data Caching

Set up a server that will:

  Receive requests for URLs

  Filter those requests against different criteria

Options:

  No caching

  URI Filtering Protocol (UFP) server

  VPN & Firewall (one request)

  VPN & Firewall (two requests)

Hot Standby Redundancy

Secondary or failover firewall is configured to take over traffic duties in case primary firewall fails

Usually involves two firewalls; only one operates at any given time

The two firewalls are connected in a heartbeat network


Advantages:

  Ease and economy of setup, and the quick back-up system it provides for the network

  One firewall can be stopped for maintenance without stopping network traffic

Disadvantages:

  Does not improve network performance

  VPN connections may or may not be included in the failover system

Load Balancing

Load balancing: practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems

Load sharing: practice of configuring two or more firewalls to share the total traffic load

Traffic between firewalls is distributed by routers using special routing protocols:

  Open Shortest Path First (OSPF)

  Border Gateway Protocol (BGP)


Load Sharing

Advantages:

  Improves total network performance

  Maintenance can be performed on one firewall without disrupting total network traffic

Disadvantages:

  Load usually distributed unevenly (can be remedied by using layer four switches)

  Configuration can be complex to administer

Filtering Content

Firewalls don't scan for viruses but can work with third-party applications to scan for viruses or perform other functions

  Open Platform for Security (OPSEC) model

  Content Vectoring Protocol (CVP)


Filtering Content Guidelines

Install anti-virus software on SMTP gateway in addition to providing desktop anti-virus protection for each computer

Choose an anti-virus gateway product that:

  Provides for content filtering

  Can be updated regularly to account for recent viruses

  Can scan the system in real time

  Has detailed logging capabilities

Chapter Summary

How to expand a firewall to meet new needs

Importance of observing fundamental principles of network security when maintaining the firewall

Importance of being able to manage the firewall remotely and having log files for review

Responding to security incidents

Advanced firewall functions