Firewall, Router and Switch Configuration Review
DESCRIPTION
The presentation provides a topical overview of the areas to be looked at when conducting a Firewall, Router, or Switch configuration review. This presentation is based on a slide deck I prepared for an internal Learning & Growth session in March of 2014. More detailed material is available from the "References" slide.
TRANSCRIPT
Helping You Ensure Your Infrastructure is Secure
Firewall Router Switch Configuration Reviews
Agenda
• Overview & Functions
• What to Protect & Why
• Firewalls
• Routers & Switches
• Definitions
Traditional Corporate Network Overview & Functions
Traditional Corporate Network Overview
Network Functions
• Let people do the things they need to for work.
• Provide security for users and resources.
– Ensure network traffic is legitimate and not malicious
– Take action against malicious traffic
– Log actions taken
What to Protect & Why
What to Protect
• What are the Crown Jewels for the company?
  – PCI, PII, Proprietary Resources
    • PCI is often NOT the most sensitive data stored
    • PCI is often emphasized because of financial penalties for non-compliance
  – Examples of non-PCI data that would be critical to protect:
    • Company that invents, manufactures, sells surgical devices
      – Schematics, drawings, plans, research & development, financials
    • Software company
      – Code repositories, plans, research & development, financials
    • Social Media Company
      – Usernames, passwords, personal information
Why is This Important?
• Helps determine if configuration of devices permits flow of data while protecting resources
• Questions you should ask yourself:
  – What resources need protection?
    • Defining what resources need protection helps you decide how to control traffic
  – Are they adequately protected by device configurations?
    • Your firewall, router, and switch policies and configurations should protect your important assets
  – Are there concentric rings of security surrounding high value resources?
    • From the external firewall inward, your network devices should control and monitor traffic to and from your resources
Firewalls
Firewalls
• Usually secure by default
• Must provide Stateful Packet Inspection at a minimum
– Application Layer control is desired and available on most modern firewalls
• Take careful note of any “any” rules
– Where, if anywhere, are “any” rules OK?
• Ensure management is conducted over secure channel (SSH or HTTPS)
• Many vendors – (examples: Checkpoint, Cisco, Juniper, PFSense)
• Could have integrated IDS/IPS
Bad Example
Good Example
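The "Bad Example" and "Good Example" slides were screenshots of rule bases. As an added example that is not part of the original deck, the following Python reviewer makes the "take careful note of any 'any' rules" check mechanical: it parses a constructed set of Cisco ASA-style `access-list ... extended` lines and grades every permit rule by how much of source, destination and service is left as `any`, so the reviewer can concentrate on the "where, if anywhere, are 'any' rules OK?" question (for instance, Internet to a single DMZ host on 443 is a candidate for acceptance; `permit ip any any` is not). The parser is an assumption of this example and handles only `any`, `host A.B.C.D`, `network mask` and an optional `eq port`; object-groups and port ranges are out of scope.

```python
"""Firewall "any" rule review over constructed Cisco ASA-style access-list
lines.  Added example, not code from the deck.  Handles the common
'extended' form with any / host A.B.C.D / network mask addresses and an
optional 'eq port'; object-groups and port ranges are out of scope here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]
    raw: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2   # network + mask


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' line."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    src, i = _parse_addr(tokens, 5)
    dst, i = _parse_addr(tokens, i)
    port = tokens[i + 1] if i + 1 < len(tokens) and tokens[i] == "eq" else None
    return Rule(tokens[1], tokens[3], tokens[4], src, dst, port, line.strip())


def classify(rule: Rule) -> Optional[str]:
    """Grade a permit rule by how much of source/destination/service is 'any'.
    Deny rules (including the closing 'deny ip any any') are not a concern."""
    if rule.action != "permit":
        return None
    any_src, any_dst = rule.src == "any", rule.dst == "any"
    any_svc = rule.proto == "ip" or (rule.proto in ("tcp", "udp") and rule.port is None)
    if any_src and any_dst and any_svc:
        return "CRITICAL"   # any source, any destination, any service
    if any_src and any_dst:
        return "HIGH"       # every host to every host on one service
    if any_src or any_dst:
        return "REVIEW"     # one side open: confirm against business need
    return None


def review(config_text: str) -> List[Tuple[str, str]]:
    """Return (severity, rule text) for every permit rule that uses 'any'."""
    findings = []
    for line in config_text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            sev = classify(rule)
            if sev is not None:
                findings.append((sev, rule.raw))
    return findings


# Constructed rule set mixing acceptable and unacceptable uses of 'any'.
SAMPLE_RULES = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended deny ip any any
access-list INSIDE_OUT extended permit tcp 10.1.0.0 255.255.0.0 any eq 443
access-list INSIDE_OUT extended permit udp any any eq 53
access-list DMZ_IN extended permit tcp host 203.0.113.10 host 10.1.2.20 eq 1433
"""

if __name__ == "__main__":
    for sev, text in review(SAMPLE_RULES):
        print(f"{sev:9} {text}")
```

Running it on the sample flags the inbound 443 rule and the outbound 443 rule as REVIEW items, the `permit udp any any eq 53` as HIGH, and `permit ip any any` as CRITICAL, while the host-to-host rule and the final deny produce nothing.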
Routers & Switches
Routers
• Unlike Firewalls, NOT secure by default
• Control flow of traffic with ACLs at a minimum, or Stateful Packet Inspection
• Control access to the device
– Secure (SSH or HTTPS, not Telnet or HTTP)
– Only from management subnet if possible
• Disable unneeded services
– Finger, CDP, Telnet
• Enable good services
– TCP Keepalives
• Configuration management
• Change management
– Most outages are caused by human error during changes
Routing Example
Switches
• Also NOT secure by default
• Similar to routers slide above, but additionally:
– Disable “Default VLAN”
– Use separate VLAN for device management if possible
Additional Considerations
Virtual Private Network (VPN) Users?
• Must be properly authenticated and controlled
• Access for VPN users should be restricted based on business need
Authentication to Management Interfaces
• Uses secure channels (SSH, HTTPS)
• Uses Enterprise authentication (LDAP, RADIUS)
• Activity is logged externally (syslog)
• Watch for back doors
  – If back doors are in place for device management (such as local authentication that bypasses RADIUS), ensure that they are allowed by policy and secured properly
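The Routers, Switches and Authentication to Management Interfaces slides together form a checklist. As an added example, not code from the deck, the Python below runs that checklist against a constructed Cisco IOS-style configuration: secure management transport on the vty lines, restriction to a management subnet via `access-class`, unneeded services (CDP, finger, HTTP) disabled, TCP keepalives enabled, AAA backed by RADIUS, external syslog, the default VLAN on access ports, and the "watch for back doors" item as a VERIFY finding when RADIUS falls back to `local`. The section parser, the check tables and the sample configuration are assumptions of this example; matching is on command text only, so defaults that `show running-config` does not display still have to be confirmed on the device.

```python
"""Router / switch hardening checks from the Routers, Switches and
Authentication to Management Interfaces slides, run against a constructed
Cisco IOS-style configuration.  Added example, not code from the deck.
Matching is on command text only: platform defaults that
'show running-config' omits still need to be confirmed on the device.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (check id, detail)

# Global commands that must be present verbatim.
REQUIRED_GLOBAL: Dict[str, str] = {
    "no cdp run": "CDP not disabled",
    "no ip finger": "finger service not disabled",
    "service tcp-keepalives-in": "inbound TCP keepalives not enabled",
    "service tcp-keepalives-out": "outbound TCP keepalives not enabled",
    "aaa new-model": "AAA not enabled (local-only authentication)",
}
# Commands matched by prefix because the remainder of the line varies.
REQUIRED_PREFIX: Dict[str, str] = {
    "logging host ": "no external syslog destination",
    "aaa authentication login default group radius": "login not backed by RADIUS",
}
# Global commands that must not be present.
FORBIDDEN_GLOBAL: Dict[str, str] = {
    "ip http server": "plain-text HTTP management enabled",
}


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config text into (header, indented child lines) pairs.
    Global commands are headers with no children; 'interface' and 'line'
    blocks carry their indented sub-commands.  '!' separates blocks."""
    sections: List[Tuple[str, List[str]]] = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw[0].isspace():
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def review_config(config: str) -> List[Finding]:
    sections = parse_sections(config)
    headers = [hdr for hdr, _ in sections]
    findings: List[Finding] = []
    for cmd, detail in REQUIRED_GLOBAL.items():
        if cmd not in headers:
            findings.append(("MISSING:" + cmd, detail))
    for prefix, detail in REQUIRED_PREFIX.items():
        if not any(h.startswith(prefix) for h in headers):
            findings.append(("MISSING:" + prefix.strip(), detail))
    for cmd, detail in FORBIDDEN_GLOBAL.items():
        if cmd in headers:
            findings.append(("PRESENT:" + cmd, detail))
    # "Watch for back doors": a 'local' fallback after RADIUS is common and
    # may be legitimate, but it bypasses enterprise auth and needs policy cover.
    for h in headers:
        if h.startswith("aaa authentication login") and h.split()[-1] == "local":
            findings.append(("VERIFY:local-fallback", h))
    for hdr, children in sections:
        if hdr.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if not transport or "telnet" in transport[0] or "ssh" not in transport[0]:
                findings.append(("VTY:insecure-transport", hdr))
            if not any(c.startswith("access-class") for c in children):
                findings.append(("VTY:no-access-class", hdr + " not limited to management subnet"))
        elif hdr.startswith("interface") and "switchport mode access" in children:
            vlan = [c for c in children if c.startswith("switchport access vlan")]
            # No explicit VLAN means the port sits in the default VLAN 1.
            if not vlan or vlan[0].split()[-1] == "1":
                findings.append(("SWITCH:default-vlan", hdr))
    return findings


# Constructed sample: deliberately weak in the ways the slides call out.
SAMPLE_CONFIG = """\
hostname access-sw1
!
service tcp-keepalives-in
no ip finger
ip http server
ip http secure-server
!
aaa new-model
aaa authentication login default group radius local
!
logging host 10.10.0.50
!
interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 1
!
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for check, detail in review_config(SAMPLE_CONFIG):
        print(f"{check:35} {detail}")
```

Against the sample this reports eight findings: CDP and outbound keepalives not configured, HTTP management enabled, the RADIUS-with-local-fallback line to verify against policy, Telnet still accepted on the vty lines with no `access-class`, and two access ports in VLAN 1 (one explicitly, one by omission). A configuration that carries `no cdp run`, `no ip finger`, both keepalive commands, `no ip http server`, RADIUS-only login, a `logging host`, and `transport input ssh` plus `access-class` on the vty lines produces no findings.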
Commonalities
• All devices have the following security concerns in common:
– Control and permit access to resources for authorized users
– Deny access to unauthorized users
• Additionally, the network infrastructure should
– Detect, Deter, Prevent, Log malicious activity
– Provide Admins with a secure means of managing devices
Definitions
Definitions
• DMZ – Demilitarized Zone – An untrusted area between the outside (Internet) and inside (Corporate LAN) networks where devices that have to be accessed by Internet users reside.
• ACL – Access Control List – Basic method for controlling network traffic flow.
• SPI – Stateful Packet Inspection – Goes beyond what ACLs can do and tracks traffic based on state.
• Deep Packet Inspection – Reconstructs traffic to some degree, up to the Application Layer, to ensure it is secure; this is what application layer firewalls do.
Definitions
• BOGON – Bogus IP addresses (public IP space that has not been issued by IANA).
• Martian – Addresses that are private or reserved for testing or special use cases (ex. 127.0.0.0/8, 192.168.0.0/16).
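The Martian definition gives two ranges by example. As an added example that is not part of the deck, the Python below generalizes it to the full set of IPv4 special-use blocks and does two things a reviewer actually needs: it explains why a given address is a martian, and it generates the Cisco IOS extended ACL that drops martian sources on an Internet-facing interface (IOS extended ACLs take inverted wildcard masks, which the standard library exposes as `hostmask`). It also runs the classification over a few constructed log lines to show what an ingress filter should have dropped. Bogons in the deck's sense (unissued public space) change over time and need a current feed such as the Team Cymru data the References slide points to, so they are deliberately not derived here; the range table, function names and sample log format are assumptions of this example.

```python
"""Martian address classification and a matching ingress deny list.

Added example, not from the deck.  'Martian' follows the deck's definition
(private / reserved / special-use space); the table below lists the IPv4
special-use blocks with the RFC that reserves each.  Bogons (public space
not yet issued by IANA/RIRs) need a live feed and are not derived here.
"""
import ipaddress
from typing import Dict, List, Optional

MARTIAN_V4: Dict[str, str] = {
    "0.0.0.0/8": "this network (RFC 1122)",
    "10.0.0.0/8": "private (RFC 1918)",
    "100.64.0.0/10": "shared address space (RFC 6598)",
    "127.0.0.0/8": "loopback (RFC 1122)",
    "169.254.0.0/16": "link-local (RFC 3927)",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "192.0.2.0/24": "documentation TEST-NET-1 (RFC 5737)",
    "192.168.0.0/16": "private (RFC 1918)",
    "198.18.0.0/15": "benchmarking (RFC 2544)",
    "198.51.100.0/24": "documentation TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "documentation TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "multicast (RFC 1112)",
    "240.0.0.0/4": "reserved / broadcast (RFC 1112)",
}
_NETWORKS = [(ipaddress.IPv4Network(n), why) for n, why in MARTIAN_V4.items()]


def martian_reason(addr: str) -> Optional[str]:
    """Return why addr is a martian, or None if it is ordinary public space."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only in this example")
    for net, why in _NETWORKS:
        if ip in net:
            return why
    return None


def ingress_filter_acl(acl_number: int = 101) -> List[str]:
    """Cisco IOS numbered extended ACL that denies martian *sources* on an
    Internet-facing interface and permits everything else.  IOS extended
    ACLs use wildcard (inverted) masks, i.e. the network's hostmask."""
    lines = [
        f"access-list {acl_number} deny ip {net.network_address} {net.hostmask} any"
        for net, _ in _NETWORKS
    ]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def martian_sources(log_lines: List[str]) -> List[str]:
    """From 'src=A.B.C.D dst=...' style log lines (constructed format),
    return the source addresses an ingress filter should have dropped."""
    hits = []
    for line in log_lines:
        for field in line.split():
            if field.startswith("src=") and martian_reason(field[4:]):
                hits.append(field[4:])
    return hits


# Constructed log lines seen on the outside interface; 203.0.113.10 stands
# in for our own public address, 8.8.8.8 for an ordinary Internet host.
SAMPLE_LOG = [
    "src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443",
    "src=8.8.8.8 dst=203.0.113.10 proto=udp dport=53",
    "src=127.0.0.1 dst=203.0.113.10 proto=tcp dport=22",
]

if __name__ == "__main__":
    for src in martian_sources(SAMPLE_LOG):
        print(f"martian source {src}: {martian_reason(src)}")
    print("\n".join(ingress_filter_acl()))
```

Note that the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are martians too, which is why the sample uses a real public resolver address for the "legitimate" line rather than a documentation address.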
Templates, References
• NSA SNAC Guides
• Vendor Documentation
  – Cisco IOS Security Configuration Guide
    http://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html
• Open source / volunteer
  – Cymru.com Secure IOS Template
    https://www.cymru.com/Documents/secure-ios-template.html
• For Routing reviews, Border Router Security Tool
  http://borderroutersec.org/
Contact Us
Ted LeRoy, Security [email protected]
Security Compass
http://www.securitycompass.com
SD Elements
http://www.sdelements.com