Ongoing Administration Chapter 11. Learning Objectives Learn how to evolve a firewall to meet new needs and threats Adhere to proven security principles.


Ongoing Administration Chapter 11

Learning Objectives Learn how to evolve a firewall to meet new needs and threats Adhere to proven security principles to help the firewall protect network resources Use a remote management interface Track log files for security

Learning Objectives Follow basic initial steps in responding to security incidents Take advanced firewall functions into account when administering a firewall

Making Your Firewall Meet New Needs Throughput Scalability Security Recoverability Manageability

Verifying Resources Needed by the Firewall Ways to track memory and system resources Use the formula: MemoryUsage = ((ConcurrentConnections)/ (AverageLifetime))*(AverageLifetime + 50 seconds)*120 Use software’s own monitoring feature

Verifying Resources Needed by the Firewall

Allocating More Memory

Identifying New Risks Monitor activities and review log files Check Web sites to keep informed of latest dangers; install patches and updates

Adding Software Updates and Patches Test updates and patches as soon as you install them Ask vendors (of firewall, VPN appliance, routers, etc) for notification when security patches are available Check manufacturer’s Web site for security patches and software updates

Using an Automated Update Feature

Obtaining Updates from the Vendor’s Web Site

Adding Hardware Identify network hardware so firewall can include it in routing and protection services Different ways for different firewalls List workstations, routers, VPN appliances, and other gateways you add as the network grows Choose good passwords that you guard closely

Dealing with Complexity on the Network Distributed firewalls Installed at endpoints of the network, including remote computers that connect to the network through VPNs Add complexity: require that you install and/or maintain a variety of firewalls located on your network and in remote locations Add security: protect the network from viruses or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)

Dealing with Complexity on the Network

Adhering to Proven Security Principles Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management Secure physical environment where firewall-related equipment is housed Importance of locking software so that unauthorized users cannot access it

Environmental Management Measures taken to reduce risks to physical environment where resources are stored Back-up power systems overcome power outages Back-up hardware and software help recover network data and services in case of equipment failure Sprinkler/alarm systems reduce damage from fire Locks guard against theft

BIOS, Boot, and Screen Locks BIOS and boot-up passwords Supervisor passwords Screen saver passwords

Using Remote Management Interface Software that enables you to configure and monitor firewall(s) that are located on different network locations Used to start/stop the firewall or change rulebase from locations other than the primary computer

Why Remote Management Tools Are Important Reduce time and make the job easier for the security administrator Reduce chance of configuration errors that might result if the same changes were made manually for each firewall on the network

Security Concerns with Remote Management Tools Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems Offers strong security controls (e.g., multi-factor authentication and encryption) Should have an auditing feature Should use tunneling to connect to the firewall or use certificates for authentication Evaluate SIM software to ensure it does not introduce new vulnerabilities

Basic Features Required of Remote Management Tools Ability to monitor and configure firewalls from a single centralized location View and change firewall status View firewall’s current activity View any firewall event or alert messages Ability to start and stop firewalls as needed

Tracking Contents of Log Files for Security Reviewing log files can help detect break-ins that have occurred and possibly help track down intruders Tips for managing log files Prepare usage reports Watch for suspicious events Automate security checks

Preparing Usage Reports Sort logs by time of day and per hour Check logs to learn when peak traffic times are on the network Identify services that consume the largest part of available bandwidth

Preparing Usage Reports

Suspicious Events to Watch For Rejected connection attempts Denied connections Error messages Dropped packets Successful logons to critical resources
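The two log-review tasks above (usage report, suspicious-event watch) run over a constructed firewall log, as an added Python example that is not part of the original slides. The log format, the critical host list, the admin ports and the scan threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log (not from the slides): date time action proto src -> dst:port
SAMPLE_LOG = """\
2024-03-01 08:05:12 ACCEPT TCP 10.0.1.15 -> 203.0.113.10:443
2024-03-01 08:07:45 DROP TCP 198.51.100.7 -> 10.0.1.5:22
2024-03-01 08:08:01 DROP TCP 198.51.100.7 -> 10.0.1.5:23
2024-03-01 08:08:03 REJECT TCP 198.51.100.7 -> 10.0.1.5:25
2024-03-01 08:08:05 DROP TCP 198.51.100.7 -> 10.0.1.5:80
2024-03-01 09:15:30 ACCEPT TCP 10.0.1.22 -> 203.0.113.10:443
2024-03-01 09:16:02 ACCEPT UDP 10.0.1.22 -> 203.0.113.53:53
2024-03-01 09:20:11 ERROR state table full, new connections dropped
2024-03-01 23:41:09 ACCEPT TCP 198.51.100.9 -> 10.0.1.5:22
"""
CONN_RE = re.compile(r"^\S+ (\d\d):\d\d:\d\d (ACCEPT|DROP|REJECT) (\w+) (\S+) -> (\S+):(\d+)$")
ERR_RE = re.compile(r"^\S+ (\d\d):\d\d:\d\d ERROR (.+)$")
CRITICAL_HOSTS = {"10.0.1.5"}   # assumption: hosts whose administrative access must be watched
ADMIN_PORTS = {22, 23, 3389}    # assumption: an accepted connection here counts as a logon
SCAN_THRESHOLD = 3              # distinct denied ports from one source before flagging a scan

def parse(text):
    """Turn raw log lines into dicts; lines matching neither pattern are ignored."""
    events = []
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            hour, action, proto, src, dst, port = m.groups()
            events.append({"hour": int(hour), "action": action, "proto": proto,
                           "src": src, "dst": dst, "port": int(port)})
        elif m := ERR_RE.match(line):
            events.append({"hour": int(m.group(1)), "action": "ERROR", "msg": m.group(2)})
    return events

def usage_report(events):
    """Accepted connections per hour and per destination port: peak times and heaviest services."""
    accepted = [e for e in events if e["action"] == "ACCEPT"]
    return Counter(e["hour"] for e in accepted), Counter(e["port"] for e in accepted)

def suspicious_events(events):
    """Flag denied/rejected connections, error messages and logons to critical resources."""
    findings, denied_ports = [], defaultdict(set)
    for e in events:
        if e["action"] in ("DROP", "REJECT"):
            denied_ports[e["src"]].add(e["port"])
        elif e["action"] == "ERROR":
            findings.append(("error", e["msg"]))
        elif e["dst"] in CRITICAL_HOSTS and e["port"] in ADMIN_PORTS:
            findings.append(("admin-access-critical", f"{e['src']} -> {e['dst']}:{e['port']}"))
    for src, ports in denied_ports.items():
        kind = "possible-port-scan" if len(ports) >= SCAN_THRESHOLD else "denied"
        findings.append((kind, f"{src} denied on ports {sorted(ports)}"))
    return findings
```

The late-night accepted SSH connection from an outside address to the critical host is the kind of "successful logon to a critical resource" that a usage report alone would hide in the per-port totals.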

Responding to Suspicious Events Firewall options Block only this connection Block access from this source Block access to this destination Track the attacks Locate and prosecute the offenders

Tools for Tracking Attacks Sam Spade Netstat NetCat

Compiling Legal Evidence 1. Identify which computer or media may contain evidence 2. Shut down computer and isolate work area until computer forensic specialist arrives 3. Write protect removable media 4. Preserve evidence (make a mirror image) so it is not manipulated

Compiling Legal Evidence 5. Examine the mirror image, not the original 6. Review log files and other data; report findings to management 7. Preserve evidence by making a “forensically sound” copy

Compiling Legal Evidence Observe the three As of computer forensics Acquire Authenticate Analyze
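The three As applied to a single evidence file, as an added Python example that is not from the slides: acquisition is simplified to a byte-for-byte file copy rather than a disk image, SHA-256 stands in for whatever hashing the specialist's toolkit uses, and the "evidence" is a constructed log fragment. The point it demonstrates is that the analyst works only on the image and re-authenticates it after analysis.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def acquire(source, image):
    """Acquire: copy the original to an image, make it read-only, record its digest."""
    shutil.copyfile(source, image)
    os.chmod(image, 0o444)   # the analyst examines the image, never the original
    src_digest, img_digest = sha256_file(source), sha256_file(image)
    if src_digest != img_digest:
        raise RuntimeError("image does not match source; acquisition failed")
    return img_digest

def authenticate(image, recorded_digest):
    """Authenticate: recompute the digest and compare with the one recorded at acquisition."""
    return sha256_file(image) == recorded_digest

def analyze(image, keyword=b"DROP"):
    """Analyze: a read-only pass over the image, here counting lines containing a keyword."""
    with open(image, "rb") as f:
        return sum(1 for line in f if keyword in line)

def demo(tamper=False):
    """Walk the three As over constructed evidence; returns (ok_before, ok_after, hits).
    With tamper=True the image is modified after analysis, so re-authentication must fail."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "firewall.log")
    image = os.path.join(workdir, "firewall.log.img")
    with open(original, "wb") as f:   # constructed sample evidence, not real log data
        f.write(b"DROP 198.51.100.7\nACCEPT 10.0.1.5\nDROP 198.51.100.7\n")
    digest = acquire(original, image)
    ok_before = authenticate(image, digest)
    hits = analyze(image)
    if tamper:
        os.chmod(image, 0o644)
        with open(image, "ab") as f:
            f.write(b"DROP 203.0.113.9\n")
    ok_after = authenticate(image, digest)   # analysis must leave the digest unchanged
    os.chmod(image, 0o644)
    shutil.rmtree(workdir)
    return ok_before, ok_after, hits
```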

Automating Security Checks Outsource firewall management

Security Breaches Will Happen! Use software designed to detect attacks and send alert notifications Take countermeasures to minimize damage Take steps to prevent future attacks

Using an Intrusion Detection System (IDS) Detects whether network or server has experienced an unauthorized access attempt Sends notification to appropriate network administrators Considerations when choosing Location Intrusion events to be gathered Network-based versus host-based IDS Signature-based versus heuristic IDS

Network-Based IDS Tracks traffic patterns on entire network segment Collects raw network packets; looks at packet headers; determines presence of known signatures that match common intrusion attempts; takes action based on contents Good choice if network has been subject to malicious activity (e.g., port scanning) Usually OS-independent Minimal impact on network performance

Host-Based IDS Collects data from individual computer on which it resides Reviews audit and system logs, looking for signatures Can perform intrusion detection in a network where traffic is usually encrypted Needs no additional hardware Cannot detect port scans or other intrusion attempts that target entire network

Signature-Based IDS Stores signature information in a database Database requires periodic updating Can work with either host-based or network-based IDS Often closely tied to specific hardware and operating system Provides fewer false alarms than heuristic IDS

Heuristic IDS Compares traffic patterns against “normal activity” and sets off an alarm if pattern deviates Can identify any possible attack Generates high rate of false alarms

Receiving Security Alerts A good IDS: Notifies appropriate individuals (e.g., via e-mail, alert, pager, or log) Provides information about the type of event Provides information about where in the network the intrusion attempt took place

When an Intrusion Occurs React rationally; don’t panic Use alerts to begin assessment Analyze what resources were hit and what damage occurred Perform real-time analysis of network traffic to detect unusual patterns Check to see if any ports that are normally unused have been accessed Use a network auditing tool (e.g., Tripwire)

During and After Intrusion Document the existence of: Executables that were added to the system Files that were placed on the computer, deleted, or accessed by unauthorized users Web pages that were defaced E-mail messages that were sent as a result of the attack Document your response to the intrusion

Configuring Advanced Firewall Functions Ultimate goal High availability Scalability Advanced firewall functions Data caching Redundancy Load balancing Content filtering

Data Caching Set up a server that will Receive requests for URLs Filter those requests against different criteria Options No caching URI Filtering Protocol (UFP) server VPN & Firewall (one request) VPN & Firewall (two requests)

Hot Standby Redundancy Secondary or failover firewall is configured to take over traffic duties in case primary firewall fails Usually involves two firewalls; only one operates at any given time The two firewalls are connected in a heartbeat network

Hot Standby Redundancy

Advantages Ease and economy of setup and the quick back-up system it provides for the network One firewall can be stopped for maintenance without stopping network traffic Disadvantages Does not improve network performance VPN connections may or may not be included in the failover system

Load Balancing Practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems Load sharing Practice of configuring two or more firewalls to share the total traffic load Traffic between firewalls is distributed by routers using special routing protocols Open Shortest Path First (OSPF) Border Gateway Protocol (BGP)

Load Balancing

Load Sharing Advantages Improves total network performance Maintenance can be performed on one firewall without disrupting total network traffic Disadvantages Load usually distributed unevenly (can be remedied by using layer four switches) Configuration can be complex to administer

Filtering Content Firewalls don’t scan for viruses but can work with third-party applications to scan for viruses or other functions Open Platform for Security (OPSEC) model Content Vectoring Protocol (CVP)

Filtering Content

Filtering Content Guidelines Install anti-virus software on SMTP gateway in addition to providing desktop anti-virus protection for each computer Choose an anti-virus gateway product that: Provides for content filtering Can be updated regularly to account for recent viruses Can scan the system in real time Has detailed logging capabilities

Chapter Summary How to expand a firewall to meet new needs Importance of observing fundamental principles of network security when maintaining the firewall Importance of being able to manage the firewall remotely and having log files for review Responding to security incidents Advanced firewall functions