ESM Firewall Policies
Eileen Dewey
Rose State College, Midwest City, OK 73110
Firewalls
• FWs – devices that control the flow of network traffic, e.g. by packet filtering
• FWs can operate at multiple OSI layers (higher layers can mean more user-oriented filtering)
Additional Functionality
• NAT
  – Static NAT
  – Hiding NAT
  – Port Address Translation
• DHCP
  – Allocate IP addresses under FW control
  – Used commonly for dial-in services
• VPNs
  – Message encryption for transport to remote VPN gateway
• Application content filtering
  – Filtering at Layer 7
  – Scan email, JavaScript
  – Can be bypassed via encryption
Packet Filter FWs
• Perform access control for system addresses and communication sessions (Layer 3)
• Filtering behavior defined by a ruleset based on
  – Source address
  – Destination address
  – Type of traffic
  – Transport layer characteristics, e.g. port numbers
  – Router interface (i.e. which one?)
Packet Filter Rule Set
Packet Filter (Pros/Cons)
• Pros
  – Speed (no filtering above Layer 3 = FAST)
  – Flexibility (useful for just about any network or protocol)
  – Commonly deployed at the border of a network
• Cons
  – Cannot block application-level threats
  – Logging is limited
  – No authentication support
  – Can be fooled by TCP/IP flaws
  – Easy to misconfigure
Stateful Inspection FWs
• Uses information from Layer 4 to fine tune rules
• Maintains a state table to track valid high level ports
• Packet filter rule exposes all high level ports, e.g.
State Table
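An added example (not from the slides) contrasting the two approaches the slide describes: a stateless rule that has to open every high port so replies can get back in, against a state table that admits an inbound packet only when it answers a session an internal host opened, and that ages entries out. The addresses, ports and the 300-second idle timeout are constructed values.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Flow:
    """4-tuple identifying one session, as stored in the state table."""
    src: str
    sport: int
    dst: str
    dport: int

class StatelessHighPortRule:
    """Packet filter: replies land on an ephemeral client port, so the only
    stateless way to let them back in is to permit every inbound port > 1023."""
    def inbound_allowed(self, src: str, sport: int, dst: str, dport: int) -> bool:
        return dport > 1023   # also admits unsolicited packets to any high port

class StateTable:
    """Stateful inspection: inbound is admitted only as the reply to a tracked
    session, and entries expire after an idle timeout (constructed default)."""
    def __init__(self, idle_timeout: float = 300.0) -> None:
        self.idle_timeout = idle_timeout
        self.entries: Dict[Flow, float] = {}   # flow -> last time it was seen

    def outbound(self, src: str, sport: int, dst: str, dport: int,
                 now: Optional[float] = None) -> None:
        # The internal client initiates; record the session and when it was seen
        self.entries[Flow(src, sport, dst, dport)] = time.time() if now is None else now

    def inbound_allowed(self, src: str, sport: int, dst: str, dport: int,
                        now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        reply_of = Flow(dst, dport, src, sport)   # a reply carries the tuple reversed
        seen = self.entries.get(reply_of)
        if seen is None:
            return False                           # no session: drop, even on a high port
        if now - seen > self.idle_timeout:
            del self.entries[reply_of]            # stale entry: expire it and drop
            return False
        self.entries[reply_of] = now              # live session: refresh and admit
        return True

    def close(self, src: str, sport: int, dst: str, dport: int) -> None:
        self.entries.pop(Flow(src, sport, dst, dport), None)
```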
Application Proxy Gateways
• Combine lower Layers with Layer 7 intelligence
• Proxy agents (1 for each service) interface with FW ruleset to decide on individual pieces of network traffic
• Can incorporate authentication
  – User ID and Password Authentication,
  – Hardware or Software Token Authentication,
  – Source Address Authentication, and
  – Biometric Authentication
Application Proxy Gateways
• Advantages
  – Extensive logging potential
  – User level access control
  – Authentication
  – Less vulnerable to low-level attacks
• Disadvantages
  – Slow
  – New services may not be supported
  – Dedicated Proxy Servers – separate out FW and proxy functionality
Host-Based Firewalls
• FWs packaged with OSs for protecting services on an individual host
• Less expensive solution for small networks with simple security requirements
• Does not scale well
FW Environments
• FW environment – a collection of systems that support FW functionality (FWs are rarely used in isolation)
• Design principles
  – Keep it simple
  – Use devices for their intended purpose
  – Engage defense in depth
  – Consider internal threats
DMZ Networks
• Defined with 2 or more firewalls
• Creates layers w/ distinct security requirements
VPNs
• Built on top of existing layers and protocols
• Provides logical isolation via encryption
• Provides remote access or connects organizations across untrusted networks (e.g. the Internet)
VPNs
• IPSEC – a common VPN protocol substrate
• Others – PPTP, L2TP
• VPNs can be expensive; performance issues may require additional capacity
• Placing VPN node at FW permits FW inspection of traffic
Intranets/Extranets
• Intranet
  – Local network engaging Internet protocols and services for internal use (lacking external connectivity)
  – Implemented behind a FW environment
• Extranet – B2B Intranets joined via the Internet
  – Designed to exist outside a FW environment
  – Used to communicate with clients, share sensitive information with remote partners
Intrusion Detection Systems
• Often connected to FWs to provide automated response
• Host-based IDS – deployed on individual machines, tied to OS
  – May miss network attacks
  – Can impact system performance and stability
• Network-based IDS
  – May miss attacks delivered in multiple packets widely distributed over time
Placement of Servers
• Protect external servers with a Boundary Router/Packet Filter
• Do not place externally accessible servers on the protected network
• Place internal servers behind internal firewalls as their sensitivity and access require
• Isolate servers such that attacks on the servers do not impair the rest of the network
FW Policies
• Describe how a FW implements a security policy
• Dictates how to handle different types of traffic
• Based on application risk assessment and understanding of system mission
  – Output is a list of applications and services, and how they need to be secured
FW Policies
Basic steps
• Identification of network applications deemed necessary
• Identification of vulnerabilities associated with applications
• Cost-benefit analysis of methods for securing the applications
• Creation of applications traffic matrix showing protection method
• Creation of firewall ruleset based on applications traffic matrix
FW App Traffic Ruleset Matrix
Implementing the Ruleset
• Default deny
• Always block
  – Non-authenticated inbound traffic with FW as destination
  – Inbound ICMP traffic
  – Non-authenticated inbound SNMP traffic
  – Inbound source routing packets
  – Inbound traffic with an internal source address
  – Other strange and reserved ranges, e.g. 0.0.0.0 or 192.168.X.X
Other FW Capabilities
• Logging
  – Event driven
  – Alerts triggering email, pager
• Authentication
  – Integrated into rulesets
  – E.g. “deny until authenticated”
• Don’t forget to integrate these into your policy!
FW Policy Testing
• Audit and verify policy quarterly
• Offline validation - Compare hardcopies of the policy with hardcopies of the ruleset
• In-place configuration testing – trying operations that should be prohibited
FW Wisdom
• Use secure links to manage the FW
• Pay attention to physical/facility security for the space housing the FW
• Review firewall policy twice a year
• Use a formal process for managing which services are allowed through the FW
• Combine review with audit and penetration testing processes
Example
Security requirements
• All internal network traffic permitted outbound to all sites through both firewalls and the boundary router
• Inbound SMTP (email) permitted to the main firewall where it is passed to a proxy server and then to internal email clients
• Outbound HTTP (web) traffic permitted to the internal firewall where it is passed to an HTTP proxy server, and then on to external websites
• Inbound connections from remote systems permitted to the firewall's VPN port where it is passed to internal systems, and
• All other inbound traffic blocked
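As an added example that is not part of the slides, the following Python encodes these security requirements, together with the "always block" rules from the Implementing the Ruleset slide, as a first-match, default-deny packet filter ruleset for the main firewall, and evaluates sample packets against it in the way the FW Policy Testing slide's in-place configuration testing does. The 10.0.0.0/8 internal range, the firewall and proxy addresses, UDP/500 as the VPN port and the bogon list are assumptions the slides do not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal address space
FW_EXT, SMTP_PROXY, VPN_PORT = "10.1.0.1", "10.1.0.25", 500   # constructed values
# Strange/reserved source ranges that are always dropped (constructed list)
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16")]

@dataclass
class Packet:
    iface: str            # "ext" (from the boundary router) or "int" (from inside)
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    source_routed: bool = False

# (iface, src_net, dst_net, proto, dport, action); "any" is a wildcard.
# Rows follow the slide's example requirements; everything else hits default deny.
RULES = [
    ("int", "10.0.0.0/8", "any", "any", "any", "permit"),       # all internal traffic outbound
    ("ext", "any", f"{SMTP_PROXY}/32", "tcp", 25, "permit"),    # inbound SMTP to the proxy
    ("ext", "any", f"{FW_EXT}/32", "udp", VPN_PORT, "permit"),  # inbound VPN to the FW
]

def always_block(p: Packet) -> Optional[str]:
    # The unconditional drops the slide lists, checked before any permit rule
    src = ipaddress.ip_address(p.src)
    if p.source_routed:
        return "source routing"
    if p.iface == "ext" and p.proto == "icmp":
        return "inbound ICMP"
    if p.iface == "ext" and src in INTERNAL:
        return "spoofed internal source"
    if any(src in net for net in BOGONS):
        return "reserved source range"
    return None

def decide(p: Packet) -> str:
    reason = always_block(p)
    if reason:
        return f"deny ({reason})"
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    for iface, snet, dnet, proto, dport, action in RULES:    # first match wins
        if (iface == p.iface
                and (snet == "any" or src in ipaddress.ip_network(snet))
                and (dnet == "any" or dst in ipaddress.ip_network(dnet))
                and proto in ("any", p.proto) and dport in ("any", p.dport)):
            return action
    return "deny (default)"          # nothing matched: default deny
```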
Example
Example (Boundary Router)