Firewall Configuration Strategies
Chapter 3
Learning Objectives
- Set up firewall rules that reflect an organization’s overall security approach
- Understand the goals that underlie a firewall’s configuration
- Identify and implement different firewall configuration strategies
- Employ methods of adding functionality to your firewall
Establishing Rules and Restrictions for Your Firewall
- Rules give firewalls specific criteria for making decisions about whether to allow packets through or drop them
- All firewalls have a rules file, the most important configuration file on the firewall
The Role of the Rules File
- Establishes the order the firewall should follow
- Tells the firewall which packets should be blocked and which should be allowed
- Requirements:
  - Need for scalability
  - Importance of enabling productivity of end users while maintaining adequate security
Restrictive Firewalls
Block all access by default; permit only specific types of traffic to pass through
Strategies for Implementing a Security Policy
- Follow the concept of least privilege
- Spell out services that employees cannot use
- Use and maintain passwords
- Choose an approach: Open, Optimistic, Cautious, Strict, or Paranoid
Connectivity-Based Firewalls
Have fewer rules; primary orientation is to let all traffic pass through, then block specific types of traffic
Overview to Firewall Configuration Strategies
Criteria:
- Scalable
- Take communication needs of individual employees into account
- Deal with IP address needs of the organization
Scalability
Provide for the firewall’s growth by recommending a periodic review and upgrading software and hardware as needed
Productivity
- The stronger and more elaborate the firewall, the slower the data transmissions
- Important features of a firewall: processing and memory resources available to the bastion host
Dealing with IP Address Issues
- If the service network needs to be privately rather than publicly accessible, which DNS will its component systems use?
- If you mix public and private addresses, how will the Web server and DNS servers communicate?
- Let the proxy server do the IP forwarding (it’s the security device)
Firewall Configuration Strategies
- Settle on general approaches; establish rules for them
- Deploy firewalls, routers, VPN tunnels, and other tools in a way that will implement the rules
- Use security components to defend against common attacks
Using Security Components to Defend Against Attacks
Screening Router
- Filters traffic passing between one network and another
- Simple, minimally secure
- Two interfaces, external and internal, each with its own unique IP address
- Performs IP forwarding based on an access control list (ACL)
Stateful Packet Filtering
Dual-Homed Host
- A workstation with an internal interface and an external interface to the Internet
- Disadvantage: the host serves as a single point of entry to the organization
Screened Host
- Similar to a dual-homed host, but the host is dedicated to performing security functions
- Sits exposed on the perimeter of the network rather than behind the firewall
- Requires two network connections
- Also called a dual-homed gateway or bastion host
Two Routers, One Firewall
- Router positioned on the outside:
  - Performs initial, static packet filtering
- Router positioned just inside the network:
  - Routes traffic to the appropriate computers in the LAN being protected
  - Can do stateful packet filtering
DMZ Screened Subnet
- Screened subnet: network exposed to the external network, but partially protected by a firewall
- Three-pronged firewall: three network interfaces connect it to:
  - External network
  - DMZ
  - Protected LAN
- Service network: screened subnet that contains an organization’s publicly accessible servers
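As an added example (not code from the chapter), a first-match evaluator for a rules file, run against an assumed three-pronged DMZ rule set; it shows that the same rules give different answers for unlisted traffic under the restrictive (block by default) and connectivity-based (pass by default) approaches described earlier. Zones, addresses and ports are assumptions using documentation ranges.

```python
"""First-match evaluation of a firewall rules file: a constructed example, not code
from the chapter. Zones, addresses and ports are assumed (documentation ranges)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ALLOW, DENY = "allow", "deny"

@dataclass(frozen=True)
class Rule:
    action: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def decide(rules, pkt, default):
    """Walk the rules top to bottom; the first matching rule decides, otherwise the
    default policy applies. Returns (action, index of the matching rule or None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None

# Assumed three-pronged layout: external network, DMZ (service network), protected LAN.
DMZ, LAN, ANY = "192.0.2.0/24", "10.0.0.0/8", "0.0.0.0/0"
RULES = [
    Rule(ALLOW, ANY, "192.0.2.10/32", "tcp", 80),   # anyone -> DMZ web server
    Rule(ALLOW, ANY, "192.0.2.10/32", "tcp", 443),
    Rule(ALLOW, ANY, "192.0.2.25/32", "tcp", 25),   # anyone -> DMZ mail server
    Rule(DENY, DMZ, LAN, "any", None),              # DMZ hosts never initiate into the LAN
    Rule(ALLOW, LAN, DMZ, "any", None),             # LAN may use the service network
    Rule(ALLOW, LAN, ANY, "tcp", None),             # LAN outbound TCP
]

def restrictive(pkt):
    """Restrictive firewall: block everything by default, permit only listed traffic."""
    return decide(RULES, pkt, DENY)[0]

def connectivity_based(pkt):
    """Connectivity-based firewall: let everything pass, block only listed traffic."""
    return decide(RULES, pkt, ALLOW)[0]
```

Note that the order of the rules is what protects the LAN from the DMZ: the DENY rule must come before any broader ALLOW that could also match.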
Three-Pronged Firewall with Only One Firewall
- Advantages: simplification, lower cost
- Disadvantages: complexity, vulnerability, performance
Common Service Network Systems
- Those that contain Web and mail servers
- Those that contain DNS servers
- Those that contain tunneling servers
Multiple-Firewall DMZs
- Achieve the most effective Defense in Depth
- Help achieve load distribution
- Added security offsets the slowdown in performance
- Two or more firewalls can be used to protect:
  - Internal network
  - One DMZ
  - Two DMZs
  - Branch offices that need to connect to the main office’s internal network
Two Firewalls, One DMZ
- Two firewalls used to set up three separate networks (tri-homed firewall):
  - Internal protected network (behind the DMZ)
  - External private network or service network (within the DMZ)
  - External network (outside the DMZ)
- Advantage: enables control of traffic in the three networks
Two Firewalls, Two DMZs
Setting up separate DMZs for different parts of the organization helps balance the traffic load between them
Multiple Firewalls to Protect Branch Offices
Load Distribution Through Layering of Firewalls
Reverse Firewalls
- Inspect and monitor traffic going out of a network rather than trying to block what’s coming in
- Help block Distributed Denial of Service (DDoS) attacks
Specialty Firewalls
- Protect specific types of network communications (e.g., e-mail, instant messaging)
- Examples:
  - MailMarshal and WebMarshal by Marshal Software
  - OpenReach includes a small-scale packet-filtering firewall for its VPN
  - VOISS Proxy Firewall (VF-1) by VocalData
  - Speedware Corporation sells its own firewall software
Approaches That Add Functionality to a Firewall
- Network Address Translation (NAT)
- Encryption
- Application proxies
- VPNs
- Intrusion detection systems (IDSs)
NAT
- Converts publicly accessible IP addresses to private ones and vice versa
- Shields the IP addresses of computers on the protected network from those on the outside
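An added example, not from the chapter, of the translation table a NAT device keeps: outgoing packets are rewritten to the assumed public address 198.51.100.1 with a fresh port, replies are mapped back to the private host, and inbound packets with no table entry are dropped, which is what shields the internal addresses. Addresses are constructed from documentation ranges.

```python
"""Port-based NAT translation table: a constructed example, not code from the chapter.
The public address and the internal addresses are assumptions (documentation ranges)."""

PUBLIC_IP = "198.51.100.1"   # assumed single public address of the NAT device

class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, dst_ip, dst_port) -> public port used outside
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound = {}

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet so only the public address is visible outside;
        a flow seen before keeps the port it was given."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_in(self, src_ip, src_port, dst_port):
        """Map a reply arriving at (PUBLIC_IP, dst_port) back to the private host.
        Returns None for unsolicited traffic, which the device drops: no internal
        address is ever reachable without an entry created from the inside."""
        return self.inbound.get((dst_port, src_ip, src_port))

def demo():
    """Two internal hosts reach the same external server; constructed addresses."""
    nat = Nat(PUBLIC_IP)
    a = nat.translate_out("10.0.0.7", 51000, "203.0.113.9", 443)
    b = nat.translate_out("10.0.0.8", 51000, "203.0.113.9", 443)
    reply_to_a = nat.translate_in("203.0.113.9", 443, a[1])
    unsolicited = nat.translate_in("203.0.113.9", 443, 40999)
    return a, b, reply_to_a, unsolicited
```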
Encryption
- Takes a request and turns it into gibberish using a private key; exchanges the public key with the recipient firewall or router
- The recipient decrypts the message and presents it to the end user in understandable form
Application Proxies
- Act on behalf of a host: receive requests, rebuild them from scratch, and forward them to the intended location as though the request originated with the proxy
- Can be set up with either a dual-homed host or a screened host system
- Dual-homed setup: the host that contains the firewall or proxy server software has two interfaces, one to the Internet and one to the internal network being protected
- Screened subnet system: the host that holds the proxy server software has a single network interface; packet filters on either side of the host filter out all traffic except that destined for the proxy server software
Application Proxies on a Dual-Homed Host
VPNs
- Connect internal hosts with specific clients in other organizations
- Connections are encrypted and limited only to machines with specific IP addresses
- A VPN gateway can:
  - Go on a DMZ
  - Bypass the firewall and connect directly to the internal LAN
VPN Gateway Bypassing the Firewall
Intrusion Detection Systems
- Can be installed in external and/or internal routers at the perimeter of the network
- Built into many popular firewall packages
IDS Integrated into Perimeter Routers
IDS Positioned Between Firewall and Internet
Chapter Summary
- How to design perimeter security for a network that integrates firewalls with a variety of other software and hardware components
- Rules and restrictions that influence the configuration of a security perimeter
- Security configurations that either perform firewall functions or use firewalls to create protected areas