FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.
Chapter 8: Firewall Configuration and Administration
By Whitman, Mattord, & Austin © 2008 Course Technology
Learning Objectives
Set up firewall rules that reflect an organization’s overall security approach
Identify and implement different firewall configuration strategies
Update a firewall to meet new needs and threats
Adhere to proven security principles to help the firewall protect network resources
Firewalls & Network Security, 2nd ed. - Chapter 8 Slide 2
Learning Objectives (continued)
Use a remote management interface
Track firewall log files and follow the basic initial steps in responding to security incidents
Understand the nature of advanced firewall functions
Establishing Firewall Rules and Restrictions
Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them
All firewalls have a rules file—the most important configuration file on the firewall
The Role of the Rules File
Establishes the order the firewall should follow
Tells the firewall which packets should be blocked and which should be allowed
Requirements
– Need for scalability
– Importance of enabling productivity of end users while maintaining adequate security
Restrictive Firewalls
Block all access by default; permit only specific types of traffic to pass through
Restrictive Firewalls (continued)
Follow the concept of least privilege
Spell out services that employees cannot use
Use and maintain passwords
Choose an approach
– Open
– Optimistic
– Cautious
– Strict
– Paranoid
Connectivity-Based Firewalls
Have fewer rules; primary orientation is to let all traffic pass through and then block specific types of traffic
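As an added illustration of the two approaches (example code, not from the slides or the textbook): a small first-match rule evaluator in Python, run over the same constructed packets under a restrictive rule base (default deny) and a connectivity-based one (default allow). It also shows why the rules file "establishes the order the firewall should follow": the same two rules give opposite decisions depending on their order. All addresses and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses: 10.0.0.0/8 is the internal LAN, 192.0.2.0/24 the
# service network (DMZ) and 198.51.100.0/24 stands in for the Internet.


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port, None = any port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _net_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules, default_action: str, pkt: Packet):
    """First-match evaluation in the order the rules file establishes.

    Returns (action, index of the matching rule), or (default_action, None)
    when no rule matched and the default policy made the decision."""
    for index, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule.action, index
    return default_action, None


# Restrictive rule base: default deny, only named services are let through.
RESTRICTIVE = [
    Rule("allow", "any", "192.0.2.10/32", "tcp", 80, "public web server"),
    Rule("allow", "any", "192.0.2.10/32", "tcp", 443, "public web server"),
    Rule("allow", "10.0.0.0/8", "192.0.2.53/32", "udp", 53, "LAN to DMZ DNS"),
]

# Connectivity-based rule base: default allow, only named services are blocked.
CONNECTIVITY = [
    Rule("deny", "any", "any", "tcp", 23, "no telnet"),
    Rule("deny", "any", "any", "tcp", 445, "no SMB"),
]

# Constructed sample traffic.
SAMPLE_PACKETS = {
    "web": Packet("198.51.100.7", "192.0.2.10", "tcp", 80),
    "ssh-to-web": Packet("198.51.100.7", "192.0.2.10", "tcp", 22),
    "telnet": Packet("198.51.100.7", "10.1.1.5", "tcp", 23),
    "lan-dns": Packet("10.1.1.5", "192.0.2.53", "udp", 53),
}


def compare_policies(packets=SAMPLE_PACKETS):
    """Decision of each approach for every sample packet, keyed by name."""
    return {name: {"restrictive": evaluate(RESTRICTIVE, "deny", p)[0],
                   "connectivity": evaluate(CONNECTIVITY, "allow", p)[0]}
            for name, p in packets.items()}


def order_matters(pkt=SAMPLE_PACKETS["web"]):
    """Same two rules in two orders: a deny for a source network only takes
    effect when it is listed before the general allow for the service."""
    block = Rule("deny", "198.51.100.0/24", "any", "any", None, "blocked net")
    return (evaluate([block, RESTRICTIVE[0]], "deny", pkt)[0],
            evaluate([RESTRICTIVE[0], block], "deny", pkt)[0])
```

Anything the restrictive base did not name (the SSH attempt against the web server) is dropped by the default, whereas the connectivity-based base lets it through because no rule mentions it.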
Firewall Configuration Strategies
Criteria
– Scalable
– Take communication needs of individual employees into account
– Deal with IP address needs of the organization
Scalability
Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed
Productivity
The stronger and more elaborate the firewall, the slower the data transmissions
Important features of firewall: processing and memory resources available to the bastion host
Dealing with IP Address Issues
If service network needs to be privately rather than publicly accessible, which DNS will its component systems use?
If you mix public and private addresses, how will Web server and DNS servers communicate?
Let the proxy server do the IP forwarding (it’s the security device)
Approaches That Add Functionality to Your Firewall
Network Address Translation (NAT)
Port Address Translation (PAT)
Encryption
Application proxies
VPNs
Intrusion Detection and Prevention Systems (IDPSs)
NAT/PAT
NAT and PAT convert publicly accessible IP addresses to private ones and vice versa; this shields the IP addresses of computers on the protected network from those on the outside
Where NAT converts these addresses on a one-to-one association—internal to external—PAT allows one external address to map to multiple internal addresses
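An added Python model of the two translation styles just described (example code, not from the slides): a one-to-one NAT table, and a PAT table that tells connections apart by the external source port and keys reply traffic on it, so that an inbound packet with no existing entry is dropped rather than forwarded to an internal host. Addresses are constructed documentation ranges; the sequential port-allocation scheme is an assumption of the example.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)


class StaticNat:
    """One-to-one NAT: each internal address owns one external address."""

    def __init__(self, pairs: Dict[str, str]):
        self._out = dict(pairs)                                   # internal -> external
        self._in = {ext: internal for internal, ext in pairs.items()}

    def outbound(self, internal_ip: str) -> Optional[str]:
        return self._out.get(internal_ip)

    def inbound(self, external_ip: str) -> Optional[str]:
        return self._in.get(external_ip)


class Pat:
    """Port Address Translation: many internal hosts share one external
    address; the external source port distinguishes their connections."""

    def __init__(self, external_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.external_ip = external_ip
        self._next_port = first_port        # assumed: ports handed out sequentially
        self._last_port = last_port
        # (internal ip, internal port, remote ip, remote port) -> external port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # (external port, remote ip, remote port) -> (internal ip, internal port)
        self._in: Dict[Tuple[int, str, int], Endpoint] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite the source of an internal-to-external packet. The entry is
        created on first use and reused for the rest of the connection."""
        key = (src[0], src[1], dst[0], dst[1])
        ext_port = self._out.get(key)
        if ext_port is None:
            if self._next_port > self._last_port:
                raise RuntimeError("PAT port pool exhausted")
            ext_port = self._next_port
            self._next_port += 1
            self._out[key] = ext_port
            self._in[(ext_port, dst[0], dst[1])] = src
        return self.external_ip, ext_port

    def inbound(self, remote: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Rewrite the destination of an external-to-internal packet. None
        means no entry exists: an unsolicited packet has no internal target,
        which is what hides the protected network's addresses."""
        return self._in.get((ext_port, remote[0], remote[1]))

    def active_entries(self) -> int:
        return len(self._out)


def demo():
    """Constructed scenario: two LAN hosts both use local port 40000 toward the
    same web server; PAT keeps them apart by external port and routes the
    reply for the first host back to it. A stray inbound packet is dropped."""
    pat = Pat("203.0.113.1")
    web = ("198.51.100.80", 443)
    a = pat.outbound(("10.1.1.5", 40000), web)
    b = pat.outbound(("10.1.1.6", 40000), web)
    reply_to_a = pat.inbound(web, a[1])
    stray = pat.inbound(("198.51.100.9", 5555), 1024)   # no matching state
    return a, b, reply_to_a, stray
```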
Encryption
Takes a request and turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router
Recipient decrypts the message and presents it to the end user in understandable form
Encryption (continued)
Application Proxies
Act on behalf of a host; receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with it (the proxy)
Can be set up with either a dual-homed host or a screened host system
Application Proxies (continued)
Dual-homed setup
– Host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected
Screened subnet system
– Host that holds proxy server software has a single network interface
– Packet filters on either side of the host filter out all traffic except that destined for proxy server software
Application Proxies on a Dual-Homed Host
VPNs
Connect internal hosts with specific clients in other organizations
Connections are encrypted and limited only to machines with specific IP addresses
VPN gateway can:
– Go on a DMZ
– Bypass the firewall and connect directly to the internal LAN
VPN Gateway Bypassing the Firewall
Intrusion Detection and Prevention Systems
Can be installed in external and/or internal routers at the perimeter of the network
Built into many popular firewall packages
IDPS Integrated into Perimeter Routers
IDPS Positioned between Firewall and Internet
Enabling a Firewall to Meet New Needs
Throughput Scalability Security Recoverability Manageability
Verifying Resources Needed by the Firewall
Ways to track memory and system resources
– Use the formula: MemoryUsage = (ConcurrentConnections / AverageLifetime) * (AverageLifetime + 50 seconds) * 120
– Use software’s own monitoring feature
Identifying New Risks
Monitor activities and review log files
Check Web sites to keep informed of latest dangers; install patches and updates
Adding Software Updates and Patches
Test updates and patches as soon as you install them
Ask vendors (of firewall, VPN appliance, routers, etc.) for notification when security patches are available
Check manufacturer’s Web site for security patches and software updates
Adding Hardware
Identify network hardware so firewall can include it in routing and protection services
– Different ways for different firewalls
List workstations, routers, VPN appliances, and other gateways you add as the network grows
Choose good passwords that you guard closely
Dealing with Complexity on the Network
Distributed firewalls
– Installed at endpoints of the network, including remote computers that connect to network through VPNs
– Add complexity
• Require that you install and/or maintain a variety of firewalls located on your network and in remote locations
– Add security
• Protect network from viruses or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)
Adhering to Proven Security Principles
Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management
– Secure physical environment where firewall-related equipment is housed
– Importance of locking software so that unauthorized users cannot access it
Environmental Management
Measures taken to reduce risks to physical environment where resources are stored
– Back-up power systems overcome power outages
– Back-up hardware and software help recover network data and services in case of equipment failure
– Sprinkler/alarm systems reduce damage from fire
– Locks guard against theft
BIOS, Boot, and Screen Locks
BIOS and boot-up passwords
Supervisor passwords
Screen saver passwords
Remote Management Interface
Software that enables you to configure and monitor firewall(s) that are located at different network locations
Used to start/stop the firewall or change rule base from locations other than the primary computer
Why Remote Management Tools Are Important
Reduce time and make the job easier for the security administrator
Reduce chance of configuration errors that might result if the same changes were made manually for each firewall on the network
Security Concerns
Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems
– Offers strong security controls (e.g., multi-factor authentication and encryption)
– Should have an auditing feature
– Should use tunneling to connect to the firewall or use certificates for authentication
Evaluate SIM software to ensure it does not introduce new vulnerabilities
Basic Features of Remote Management Tools
Ability to monitor and configure firewalls from a single centralized location
– View and change firewall status
– View firewall’s current activity
– View any firewall event or alert messages
Ability to start and stop firewalls as needed
Automating Security Checks
Outsource firewall management
Configuring Advanced Firewall Functions
Ultimate goal
– High availability
– Scalability
Advanced firewall functions
– Data caching
– Redundancy
– Load balancing
– Content filtering
Data Caching
Set up a server that will:
– Receive requests for URLs
– Filter those requests against different criteria
Options
– No caching
– URI Filtering Protocol (UFP) server
– VPN & Firewall (one request)
– VPN & Firewall (two requests)
Hot Standby Redundancy
Secondary or failover firewall is configured to take over traffic duties in case primary firewall fails
Usually involves two firewalls; only one operates at any given time
The two firewalls are connected in a heartbeat network
Hot Standby Redundancy (continued)
Hot Standby Redundancy (continued)
Advantages
– Ease and economy of setup and quick backup system it provides for the network
– One firewall can be stopped for maintenance without stopping network traffic
Disadvantages
– Does not improve network performance
– VPN connections may or may not be included in the failover system
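An added Python simulation of the hot-standby arrangement described on these slides (example code, not from the textbook): the standby listens on the heartbeat network, takes over after a number of consecutive missed heartbeats, only one unit carries traffic at any time, and a planned switchover lets one firewall be stopped for maintenance without stopping traffic. The miss threshold, the refusal to switch to an unhealthy peer, and the absence of automatic fail-back when the primary recovers are assumptions of the example.

```python
from typing import List, Tuple


class Firewall:
    def __init__(self, name: str, healthy: bool = True):
        self.name = name
        self.healthy = healthy      # True while the unit answers heartbeats


class HotStandbyPair:
    """Two firewalls joined by a heartbeat network; exactly one carries traffic.

    The standby counts consecutive missed heartbeats from the active unit and
    takes over once miss_threshold is reached (assumed value, not a setting
    from the slides)."""

    def __init__(self, primary: Firewall, standby: Firewall, miss_threshold: int = 3):
        self.primary = primary
        self.standby = standby
        self.miss_threshold = miss_threshold
        self.active = primary          # primary forwards traffic at start
        self.missed = 0
        self.events: List[Tuple[int, str]] = []

    def _peer(self) -> Firewall:
        return self.standby if self.active is self.primary else self.primary

    def _switch(self, t: int, reason: str) -> None:
        old, new = self.active, self._peer()
        self.active = new
        self.missed = 0
        self.events.append((t, f"{reason}: {old.name} -> {new.name}"))

    def heartbeat(self, t: int) -> str:
        """One heartbeat interval; returns the name of the unit carrying traffic.
        If the peer is down as well there is nothing to fail over to."""
        if self.active.healthy:
            self.missed = 0
        else:
            self.missed += 1
            if self.missed >= self.miss_threshold and self._peer().healthy:
                self._switch(t, "failover")
        return self.active.name

    def switchover(self, t: int) -> str:
        """Planned hand-off so the active unit can be stopped for maintenance
        without stopping network traffic."""
        if not self._peer().healthy:
            raise RuntimeError("peer is not healthy; refusing to switch")
        self._switch(t, "maintenance switchover")
        return self.active.name


def simulate(fail_at: int, recover_at: int, ticks: int):
    """Constructed timeline: fw1 stops answering heartbeats at tick fail_at and
    comes back at tick recover_at. Returns (active unit per tick, event log).
    A recovered primary does not take traffic back by itself (assumption)."""
    pair = HotStandbyPair(Firewall("fw1"), Firewall("fw2"))
    timeline = []
    for t in range(ticks):
        pair.primary.healthy = not (fail_at <= t < recover_at)
        timeline.append(pair.heartbeat(t))
    return timeline, pair.events
```

With the default threshold an outage shorter than three heartbeat intervals never triggers a failover, which is the usual trade-off between reacting quickly and flapping on a brief heartbeat-network glitch.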
Load Balancing
Practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems
Load sharing
– Practice of configuring two or more firewalls to share the total traffic load
Traffic between firewalls is distributed by routers using special routing protocols
– Open Shortest Path First (OSPF)
– Border Gateway Protocol (BGP)
Load Balancing (continued)
Load Sharing
Advantages
– Improves total network performance
– Maintenance can be performed on one firewall without disrupting total network traffic
Disadvantages
– Load usually distributed unevenly (can be remedied by using layer four switches)
– Configuration can be complex to administer
Filtering Content
Firewalls don’t scan for viruses but can work with third-party applications to scan for viruses or other functions
– Open Platform for Security (OPSEC) model
– Content Vectoring Protocol (CVP)
Filtering Content (continued)
Install anti-virus software on SMTP gateway in addition to providing desktop anti-virus protection for each computer
Choose an anti-virus gateway product that:
– Provides for content filtering
– Can be updated regularly to account for recent viruses
– Can scan the system in real time
– Has detailed logging capabilities
Chapter Summary
After establishing a security policy, implement the strategies that policy specifies
If primary goal of planned firewall is to block unauthorized access, you must emphasize restricting rather than enabling connectivity
A firewall must be scalable so it can grow with the network it protects
The stronger and more elaborate your firewall, the slower data transmissions are likely to be
The more complex a network becomes, the more IP-addressing complications arise
Chapter Summary (continued)
Network security setups can become more complex when specific functions are added
Firewalls must be maintained regularly to assure critical measures of success are kept within acceptable levels of performance
Successful firewall management requires adherence to principles that have been put forth by reputable organizations to ensure that firewalls and network security configurations are maintained correctly
Chapter Summary (continued)
Remote management allows configuration and monitoring of one or more firewalls that are located at different network locations
Ultimate goal for many organizations is the development of a high-performance firewall configuration that has high availability and that can be scaled as the organization grows; accomplished by using data caching, redundancy, load balancing, and content filtering