Guide to Network Defense and Countermeasures Second Edition Chapter 11 Strengthening and Managing Firewalls.


Objectives
  Manage firewalls to improve security
  Describe the most important issues in managing firewalls
  Know how to install and configure Check Point NG
  Know how to install and configure Microsoft ISA Server 2000
  Know how to manage and configure Iptables for Linux

Managing Firewalls to Improve Security
  Poor management affects network
    – Security
    – Throughput
    – Disaster recovery
  Administrative tasks
    – Editing rule base according to the security policy
    – Managing firewall log files
    – Improving firewall performance
    – Configuring advanced firewall functions

Editing the Rule Base
  One of the best ways to improve security and performance
  Keep the following guidelines in mind
    – Make sure most important rules are near the top of the rule base
    – Make sure you don’t make the firewall do more logging than it has to
    – Reduce number of domain objects in the rule base
    – Keep rules that cover domain objects near the bottom of the rule base

Editing the Rule Base (continued)
  Reducing rules
    – Remove unnecessary rules
    – Keep number of rules to a minimum
  Reordering and editing rules
    – Keep most frequently matched rules near the top
    – Scan log files to find commonly used services
    – Reduce number of rules with Log as the action
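An added example (not from the original slides) of the "scan log files to find commonly used services" step: it tallies packet log lines by rule tag and by protocol/destination port, so the busiest rules can be moved toward the top and noisy Log rules stand out. The log lines are constructed and assume the key=value layout written by the iptables LOG target with a one-word `--log-prefix` tag; the `FW-*` tags and all addresses are hypothetical.

```shell
#!/bin/sh
# Added example: rank firewall log hits by rule tag or by service.

# Constructed sample lines (abbreviated) in the key=value layout of the
# iptables LOG target; the FW-* tags are hypothetical --log-prefix values.
sample_log() {
cat <<'EOF'
Mar  1 10:00:01 fw kernel: FW-WEB IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=443
Mar  1 10:00:02 fw kernel: FW-WEB IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=443
Mar  1 10:00:02 fw kernel: FW-DNS IN=eth1 OUT=eth0 SRC=192.0.2.21 DST=203.0.113.53 PROTO=UDP SPT=53124 DPT=53
Mar  1 10:00:03 fw sshd[311]: session opened for user admin
Mar  1 10:00:04 fw kernel: FW-WEB IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40114 DPT=443
Mar  1 10:00:05 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=23
Mar  1 10:00:06 fw kernel: FW-DNS IN=eth1 OUT=eth0 SRC=192.0.2.22 DST=203.0.113.53 PROTO=UDP SPT=53125 DPT=53
Mar  1 10:00:07 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Mar  1 10:00:08 fw kernel: FW-WEB IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40115 DPT=443
EOF
}

# rank_hits MODE: read log lines on stdin and print "count key", busiest first.
#   MODE=rule    -> key is the tag logged just before the IN= field
#   MODE=service -> key is PROTO/DPT (PROTO alone when there is no port, e.g. ICMP)
# Lines without a PROTO= field are not packet logs and are skipped.
rank_hits() {
    awk -v mode="$1" '
    {
        proto = ""; dpt = ""; tag = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/ && i > 1) tag = $(i - 1)
            else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
            else if ($i ~ /^DPT=/)    dpt = substr($i, 5)
        }
        if (proto == "") next
        if (mode == "rule") key = tag
        else key = (dpt == "") ? proto : (proto "/" dpt)
        hits[key]++
    }
    END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort -k1,1nr -k2,2
}

echo "Hits per rule tag:"
sample_log | rank_hits rule
echo "Hits per service:"
sample_log | rank_hits service
```

Rules whose tags lead the first list are candidates for a position near the top of the rule base; a tag that dominates the log without telling you anything useful is a candidate for losing its Log action.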


Managing Log Files
  Deciding what to log
    – Some firewalls log only packets subject to a rule with a Deny action
    – Kinds of log files
      – Security log
      – System log
      – Traffic log
      – Active log (Check Point NG)
      – Audit log (Check Point NG)
    – Some firewalls have a GUI interface to manage log files


Managing Log Files (continued)
  Configuring the log file format
    – Many firewalls generate log files in plain text
    – Sophisticated firewalls save log files in different formats
      – Native format
      – Open Database Connectivity (ODBC) format
      – W3C Extended format
    – Editing and reconfiguring log file formats improves firewall efficiency

Managing Log Files (continued)
  Configuring the log file format
    – Review log files regularly
    – General steps for reviewing log files
      – Review summary of recent log file events
      – Display raw data in the form of a report
      – Review data and identify traffic patterns that point to problems with the firewall rules
      – Adjust the rules accordingly
      – Review subsequent log file data
    – Log files can indicate signatures of attack attempts

Managing Log Files (continued)
  Preparing log file summaries and generating reports
    – Log summary
      – Shows major events over a period of time
      – Summaries are not reports
      – Contain raw data that can be used to create reports
    – Some firewalls contain log file analysis tools
      – Viewing raw data can be tedious and prone to errors
    – Reports
      – Display data in an easy-to-read format
      – Help you sort your data


Improving Firewall Performance
  Might be performing unnecessary operations
    – Host lookups
    – Decryption
    – Logging
  Choose a machine with the fastest CPU for firewall
  Calculating memory requirements
    – 512 MB to 1 GB of available RAM is preferred
    – Cache memory: [100 MB + (0.5 x number of users)]

Improving Firewall Performance (continued)
  Testing the firewall
    – Test it before and after it goes online
    – Ideal testing environment
      – Lab with two computers
        – One connected to external interface
        – Another connected to internal interface

Configuring Advanced Firewall Functions
  Advanced features
    – Data caching
    – Remote management
    – Application filtering
    – Voice protocol support
    – Authentication
    – Time-based access scheduling
  Load sharing
    – Configure firewalls to share the total traffic load


Installing and Configuring Check Point NG
  Check Point NG
    – An enterprise-level firewall
  To plan for the installation, answer these questions
    – Is the firewall on the outside of the DMZ, or does it protect one part of the internal network from another part?
    – How important is it to monitor employees’ activities on the network?

Installing Check Point Modules
  OS requirements
    – Windows 2000 Professional or Server or later
    – Windows NT with Service Pack 4 or later
    – Sun Solaris 7 or later
    – Red Hat Linux 6.2 or later
  Component
    – Part of an application that performs a specific range of functions

Installing Check Point Modules (continued)
  Check Point components
    – Check Point Management Server
    – Policy Editor
    – VPN/FireWall
    – Log Viewer
    – Inspection
  Open Platform for Security (OPSEC)
    – Protocol used by Check Point NG to integrate with other security products

Installing Check Point Modules (continued)
  Step 1: Preparing to install Check Point NG
    – Determine where the program will be installed
    – Pick a directory on a standalone server
      – C:\WINNT is the default location
      – If a different directory is used, include a FWDIR variable
    – Enable IP forwarding on the host computer
    – Go to the Check Point User Center
      – Obtain a license key to use the software
      – Add the license in Check Point NG


Installing Check Point Modules (continued)
  Step 2: Select Check Point modules to install
    – Choose between
      – Server/Gateway Components
      – Mobile/Desktop Components
    – Decide what product to install
      – Enterprise Primary Management or Enterprise Secondary Management
      – Enforcement Module & Primary Management
      – Enforcement Module
    – Select which Management Client you want to install

Installing Check Point Modules (continued)
  Step 3: Configuring Network Objects
    – Firewall will protect these objects
    – Smart management interfaces
      – SmartDashboard
      – SmartView Tracker
    – Network Objects Manager
      – GUI tool included in SmartDashboard
      – Easiest way to define network objects
    – Objects you most likely use
      – Check Point Gateway and Node


Installing Check Point Modules (continued)
  Step 4: Creating filter rules
    – Develop a set of packet-filtering rules
      – Called “Policy Packages” in Check Point
    – Create separate rules for different parts of network


What’s New in Check Point NGX
  Includes improved security and management capabilities
    – Centralized management for an organization’s perimeter, internal, and Web security needs
    – Enforces VPN rules by direction (inbound or outbound)
    – Support for backup links
  Backward compatibility for older authentication schemes

Installing and Configuring Microsoft ISA Server 2000
  Microsoft ISA Server 2000
    – Firewall designed to protect business networks
    – Performs a variety of proxy server functions
  Select the version of ISA Server 2000 you want
    – Standard Edition
    – Enterprise Edition


Licensing ISA Server 2000
  Obtain a license to use ISA Server 2000 on a permanent basis
  It is licensed on a per-processor basis
    – Need to purchase license for each processor on host
    – Can use as many clients as needed

Installing ISA Server 2000
  Step 1: Choosing a server mode
    – Determines the features the firewall offers
    – Modes
      – Firewall
      – Cache
      – Integrated


Installing ISA Server 2000 (continued)
  Step 2: Configuring cache locations and setting addresses
    – Cached Web pages need to be stored on an NTFS-formatted drive
    – Create a local address table (LAT)
      – Defines your network’s internal addressing scheme
    – Identify the network adapter of the host computer


Configuring ISA Server 2000
  Step 3: Creating a rule base from your security policy
    – ISA Server 2000’s Getting Started Wizard
      – Helps you create the rule base derived from your security policy
      – Runs in the ISA Management Console
    – ISA Server is designed to integrate with Microsoft Active Directory


Configuring ISA Server 2000 (continued)
  Step 4: Selecting policy elements
    – Types of policy elements
      – Schedules
      – Bandwidth priorities
      – Destination sets
      – Client address sets
      – Protocol definitions
      – Content groups
      – Dial-up entries


Monitoring the Server
  ISA Server Performance Monitor
    – Used for real-time monitoring of the server
    – Allows you to view alerts as soon as they are issued
    – Need to set up counters
      – Keep track of the number of active connections currently forwarding data on the network


What is New in ISA Server 2004

Managing and Configuring Iptables
  Iptables
    – Configures packet filter rules for Linux firewall Netfilter
    – Replaces Ipchains
    – Enables Netfilter to perform stateful packet filtering
    – Can filter packets based on a full set of TCP option flags
    – Iptables is a command-line tool
  Rules are grouped in the form of chains
    – A rule in one chain can activate a specific rule in another chain

Built-in Chains
  Iptables comes with three built-in chains
    – Output
    – Input
    – Forward
  Packet-handling decisions
    – Accept
    – Drop
    – Queue
    – Return


Built-in Chains (continued)
  Configure the default action for a chain with -P
  Example
    iptables -P OUTPUT ACCEPT
  You can configure more specific actions on a case-by-case basis


User-Defined Chains
  Commands for configuring individual rules
    – -A chain rule: Adds a new rule to the chain
    – -I chain rule-number rule: Enables you to place a new rule in a specific location in the chain
    – -R chain rule-number rule: Enables you to replace a rule
    – -D chain rule-number: Deletes the rule at the position specified by [rule-number]
    – -D chain rule: Deletes a rule

User-Defined Chains (continued)
  Commands used to create rules
    – -s source: Identifies the source IP address
    – -d destination: Identifies the destination IP address
    – -p protocol: Identifies the protocol to be used in the rule (such as TCP, UDP, ICMP)
    – -i interface: Identifies the network interface the rule uses
    – -j target: Identifies the action associated with the rule
    – !: Negates whatever follows it
    – -l: Activates logging if a packet matches the rule
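An added example (not from the original slides) that puts the chain and rule options above together: default policies with `-P`, a user-defined chain that other rules jump to with `-j`, appended rules with `-A`, and a positioned rule with `-I`. The interface name, management network and chain name are assumptions; logging here uses the LOG target (`-j LOG`), and the script only prints the commands unless `IPT=iptables` is set.

```shell
#!/bin/sh
# Added example: a small default-deny ruleset for the INPUT chain.
# Dry run by default: each command is printed, nothing is changed.
# Run as root with IPT=iptables to apply it.
IPT="${IPT:-echo iptables}"
EXT_IF="eth0"               # assumed external interface
ADMIN_NET="192.0.2.0/24"    # assumed management network (documentation range)

build_ruleset() {
    # -P sets the default action of a built-in chain: inbound and
    # forwarded packets are dropped unless a rule accepts them.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # User-defined chain (hypothetical name): log the packet, then drop it.
    # Rules in INPUT hand packets to it with "-j LOGDROP".
    $IPT -N LOGDROP
    $IPT -A LOGDROP -j LOG --log-prefix "FW-DROP "
    $IPT -A LOGDROP -j DROP

    # "!" negates the match that follows: loopback source addresses
    # arriving on any interface other than lo are spoofed.
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j LOGDROP

    # Stateful filtering: accept packets of connections already allowed.
    # This rule matches most traffic, so it sits near the top.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # SSH only from the management network (-i, -s, -p combined).
    $IPT -A INPUT -i "$EXT_IF" -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT

    # Everything else is logged before the DROP policy would apply.
    $IPT -A INPUT -j LOGDROP

    # Adding HTTPS later: -A would land after the catch-all and never
    # match, so -I places the rule at position 3, after the stateful rule.
    $IPT -I INPUT 3 -i "$EXT_IF" -p tcp --dport 443 -j ACCEPT
}

build_ruleset
```

Review the printed commands before applying them on a remote host: with a DROP policy on INPUT, a wrong `ADMIN_NET` locks out the SSH session being used to configure the firewall.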

Summary
  Improving firewall configuration involves optimizing
    – Rule base
    – Log files
  Log files provide critical information
    – Network traffic
    – Attempts to attack
  Firewalls can generate log files in different formats
  Fine-tune your firewall to log only information you actually need
  Some firewalls include log file analysis tools

Summary (continued)
  Basic firewall functions
    – Host lookup
    – Encryption/decryption
    – Logging
  Machine hosting the firewall should have
    – Fastest processor available
    – At least the minimum required RAM
    – Cache memory
  Test your firewall before it goes online

Summary (continued)
  Check Point NG
    – Suite of firewall modules
    – Used to implement a security policy
  Microsoft ISA Server 2000
    – Improves network security through traditional filtering and NAT
  Iptables
    – Linux command-line tool for creating packet filtering rules