ESM Firewall Policies
Eileen Dewey
Rose State College, Midwest City, OK 73110
Firewalls
• FWs – devices that control the flow of network traffic, e.g. by packet filtering
• FWs can operate at multiple OSI layers (higher layers can mean more user-oriented filtering)
Additional Functionality
• NAT
  – Static NAT
  – Hiding NAT
  – Port Address Translation
• DHCP
  – Allocate IP addresses under FW control
  – Used commonly for dial-in services
• VPNs
  – Message encryption for transport to remote VPN gateway
• Application content filtering
  – Filtering at Layer 7
  – Scan email, JavaScript
  – Can be bypassed via encryption
Packet Filter FWs
• Perform access control for system addresses and communication sessions (Layer 3)
• Filtering behavior defined by a ruleset based on
  – Source address
  – Destination address
  – Type of traffic
  – Transport layer characteristics, e.g. port numbers
  – Router interface (i.e. which one?)
Packet Filter Rule Set
Packet Filter (Pros/Cons)
• Pros
  – Speed (no filtering above Layer 3 = FAST)
  – Flexibility (useful for just about any network or protocol)
  – Commonly deployed at the border of a network
• Cons
  – Cannot block application-level threats
  – Logging is limited
  – No authentication support
  – Can be fooled by TCP/IP flaws
  – Easy to misconfigure
Stateful Inspection FWs
• Uses information from Layer 4 to fine-tune rules
• Maintains a state table to track valid high-level ports
• Packet filter rule exposes all high-level ports, e.g.
State Table
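The contrast the two slides above draw, as an added example that is not part of the original deck: a static packet filter has to permit inbound traffic to every high port so that replies can reach internal clients, whereas a stateful inspection engine keeps a state table of sessions internal hosts opened and permits an inbound packet only when it matches one of them. The internal address range, the remote addresses (TEST-NET) and the 300-second idle timeout are constructed for the example.

```python
# Added example (not from the slides): a minimal stateful-inspection engine beside the
# static "permit all high ports" rule it replaces. Addresses, ports and timeout are constructed.
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address space
EPHEMERAL_MIN = 1024                      # "high-level" ports a static filter must leave open

# State-table key: the 5-tuple as seen from the internal host that opened the session.
Conn = Tuple[str, str, int, str, int]     # (proto, int_host, int_port, ext_host, ext_port)


def static_high_port_rule(proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """The stateless alternative: to let replies reach clients, a packet filter must
    permit every inbound packet to any high port, so unsolicited traffic gets through too."""
    if ip_address(dst) in INTERNAL_NET and dport >= EPHEMERAL_MIN:
        return "permit"
    return "deny"


class StatefulFilter:
    """Permits inbound packets only when they belong to a session an internal host opened."""

    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout
        self.table: Dict[Conn, float] = {}   # connection -> time of last packet seen

    def _expire(self, now: float) -> None:
        # Idle entries are dropped, so an old session cannot be reused to reach the client later.
        stale = [k for k, last in self.table.items() if now - last > self.timeout]
        for k in stale:
            del self.table[k]

    def handle(self, proto: str, src: str, sport: int, dst: str, dport: int,
               now: float) -> Tuple[str, str]:
        self._expire(now)
        if ip_address(src) in INTERNAL_NET:
            # Outbound: permitted by policy, and it creates (or refreshes) a state entry.
            self.table[(proto, src, sport, dst, dport)] = now
            return ("permit", "outbound: state created")
        # Inbound: look for the entry the internal host created, keyed on the reversed tuple.
        key = (proto, dst, dport, src, sport)
        if key in self.table:
            self.table[key] = now
            return ("permit", "inbound: matches state")
        return ("deny", "inbound: no matching state")

    def active_connections(self) -> int:
        return len(self.table)


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.handle("tcp", "10.1.2.3", 40000, "198.51.100.7", 443, now=0.0))
    print(fw.handle("tcp", "198.51.100.7", 443, "10.1.2.3", 40000, now=1.0))   # reply: permitted
    print(fw.handle("tcp", "198.51.100.9", 443, "10.1.2.3", 40000, now=1.0))   # unsolicited: denied
    print(static_high_port_rule("tcp", "198.51.100.9", 443, "10.1.2.3", 40000))  # static rule lets it in
```

The same unsolicited packet to port 40000 is permitted by the static rule and denied by the state table; that difference is the whole point of tracking sessions rather than ports.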
Application Proxy Gateways
• Combine lower layers with Layer 7 intelligence
• Proxy agents (1 for each service) interface with FW ruleset to decide on individual pieces of network traffic
• Can incorporate authentication
  – User ID and password authentication
  – Hardware or software token authentication
  – Source address authentication
  – Biometric authentication
Application Proxy Gateways
• Advantages
  – Extensive logging potential
  – User-level access control
  – Authentication
  – Less vulnerable to low-level attacks
• Disadvantages
  – Slow
  – New services may not be supported
  – Dedicated proxy servers – separate out FW and proxy functionality
Host-Based Firewalls
• FWs packaged with OSs for protecting services on an individual host
• Less expensive solution for small networks with simple security requirements
• Does not scale well
FW Environments
• FW environment – a collection of systems that support FW functionality (FWs are rarely used in isolation)
• Design principles
  – Keep it simple
  – Use devices for their intended purpose
  – Engage defense in depth
  – Consider internal threats
DMZ Networks
• Defined with 2 or more firewalls
• Creates layers w/ distinct security requirements
VPNs
• Built on top of existing layers and protocols
• Provides logical isolation via encryption
• Provides remote access or connects organizations across untrusted networks (e.g. the Internet)
VPNs
• IPSEC – a common VPN protocol substrate
• Others – PPTP, L2TP
• VPNs can be expensive; performance issues may require additional capacity
• Placing VPN node at FW permits FW inspection of traffic
Intranets/Extranets
• Intranet
  – Local network engaging Internet protocols and services for internal use (lacking external connectivity)
  – Implemented behind a FW environment
• Extranet – B2B Intranets joined via the Internet
  – Designed to exist outside a FW environment
  – Used to communicate with clients, share sensitive information with remote partners
Intrusion Detection Systems
• Often connected to FWs to provide automated response
• Host-based IDS – deployed on individual machines, tied to OS
  – May miss network attacks
  – Can impact system performance and stability
• Network-based IDS
  – May miss attacks delivered in multiple packets widely distributed over time
Placement of Servers
• Protect external servers with a Boundary Router/Packet Filter
• Do not place externally accessible servers on the protected network
• Place internal servers behind internal firewalls as their sensitivity and access require
• Isolate servers such that attacks on the servers do not impair the rest of the network
FW Policies
• Describe how a FW implements a security policy
• Dictates how to handle different types of traffic
• Based on application risk assessment and understanding of system mission
  – Output is a list of applications and services, and how they need to be secured
FW Policies
Basic steps
• Identification of network applications deemed necessary
• Identification of vulnerabilities associated with applications
• Cost-benefit analysis of methods for securing the applications
• Creation of applications traffic matrix showing protection method
• Creation of firewall ruleset based on applications traffic matrix
FW App Traffic Ruleset Matrix
Implementing the Ruleset
• Default deny
• Always block
  – Non-authenticated inbound traffic with FW as destination
  – Inbound ICMP traffic
  – Non-authenticated inbound SNMP traffic
  – Inbound source routing packets
  – Inbound traffic with an internal source address
  – Other strange and reserved ranges, e.g. 0.0.0.0 or 192.68.X.X
Other FW Capabilities
• Logging
  – Event driven
  – Alerts triggering email, pager
• Authentication
  – Integrated into rulesets
  – E.g. “deny until authenticated”
• Don’t forget to integrate these into your policy!
FW Policy Testing
• Audit and verify policy quarterly
• Offline validation - Compare hardcopies of the policy with hardcopies of the ruleset
• In-place configuration testing – trying operations that should be prohibited
FW Wisdom
• Use secure links to manage the FW
• Pay attention to physical/facility security for the space housing the FW
• Review firewall policy twice a year
• Use a formal process for managing which services are allowed through the FW
• Combine review with audit and penetration testing processes
Example
Security requirements
• All internal network traffic permitted outbound to all sites through both firewalls and the boundary router
• Inbound SMTP (email) permitted to the main firewall where it is passed to a proxy server and then to internal email clients
• Outbound HTTP (web) traffic permitted to the internal firewall where it is passed to an HTTP proxy server, and then on to external websites
• Inbound connections from remote systems permitted to the firewall's VPN port where it is passed to internal systems, and
• All other inbound traffic blocked
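The "Implementing the Ruleset" list, the in-place configuration test from "FW Policy Testing", and the security requirements above, worked through together as an added example that is not part of the original deck: an ordered ruleset where the first matching rule wins and anything unmatched falls to default deny. The "always block" entries are listed first so that no later permit can override them (an inbound SMTP packet carrying an internal source address is still dropped as spoofed); the example policy's permits are listed before the catch-all deny for unauthenticated traffic addressed to the firewall. The internal range (10.0.0.0/8), the firewall's external address (TEST-NET), the reserved source list (RFC 1918 and loopback/0.0.0.0), the VPN port (IKE, UDP 500, chosen because the deck names IPsec) and the proxy placement are all assumptions; the main and internal firewalls are collapsed into one rule table for brevity.

```python
# Added example (not from the slides): an ordered packet-filter ruleset with default deny,
# the "always block" entries, the example policy, and an in-place policy test.
# Addresses (TEST-NET / RFC 1918), the VPN port (IKE, UDP 500) and the proxy layout are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_NET = "10.0.0.0/8"           # assumed internal address space
FIREWALL_IP = "203.0.113.1"           # assumed external address of the main firewall
VPN_PORT = 500                        # assumed: IKE for the IPsec VPN the deck names
RESERVED_SOURCES = ["0.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass(frozen=True)
class Packet:
    direction: str                # "in" (from the untrusted side) or "out"
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    authenticated: bool = False   # e.g. SNMPv3 authentication or an established VPN session
    source_routed: bool = False   # IP source-routing option present


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "any"              # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None
    authenticated: Optional[bool] = None
    source_routed: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        def in_net(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.authenticated is None or self.authenticated == p.authenticated)
                and (self.source_routed is None or self.source_routed == p.source_routed))


# First match wins: the "always block" entries come first so no later permit can override them.
RULESET: List[Rule] = [
    Rule("spoofed-internal-source", "deny", direction="in", src=INTERNAL_NET),
    *[Rule(f"reserved-source-{n}", "deny", direction="in", src=n) for n in RESERVED_SOURCES],
    Rule("source-routed", "deny", source_routed=True),
    Rule("inbound-icmp", "deny", direction="in", proto="icmp"),
    Rule("inbound-snmp-unauth", "deny", direction="in", proto="udp", dport=161, authenticated=False),
    Rule("inbound-snmp-trap-unauth", "deny", direction="in", proto="udp", dport=162, authenticated=False),
    # The example policy: its permits must precede the catch-all deny for traffic to the firewall.
    Rule("outbound-all", "permit", direction="out", src=INTERNAL_NET),
    Rule("inbound-smtp-to-proxy", "permit", direction="in", proto="tcp", dst=FIREWALL_IP, dport=25),
    Rule("inbound-vpn", "permit", direction="in", proto="udp", dst=FIREWALL_IP, dport=VPN_PORT),
    Rule("inbound-to-fw-unauth", "deny", direction="in", dst=FIREWALL_IP, authenticated=False),
]


def evaluate(p: Packet, ruleset: List[Rule] = RULESET) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule; default deny if none matches."""
    for rule in ruleset:
        if rule.matches(p):
            return (rule.action, rule.name)
    return ("deny", "default-deny")


# In-place configuration test: operations that should be prohibited, plus ones that must work.
EXPECTED: List[Tuple[Packet, str]] = [
    (Packet("in", "tcp", "198.51.100.7", "10.1.2.3", 80), "deny"),      # unsolicited inbound to a client
    (Packet("in", "tcp", "10.1.2.3", FIREWALL_IP, 25), "deny"),         # internal source arriving from outside
    (Packet("in", "icmp", "198.51.100.7", FIREWALL_IP), "deny"),
    (Packet("in", "udp", "198.51.100.7", FIREWALL_IP, 161), "deny"),
    (Packet("in", "tcp", "198.51.100.7", FIREWALL_IP, 22), "deny"),     # management from the outside
    (Packet("out", "tcp", "10.1.2.3", "198.51.100.7", 80, source_routed=True), "deny"),
    (Packet("in", "tcp", "198.51.100.7", FIREWALL_IP, 25), "permit"),   # mail to the SMTP proxy
    (Packet("in", "udp", "198.51.100.7", FIREWALL_IP, VPN_PORT), "permit"),
    (Packet("out", "tcp", "10.1.2.3", "198.51.100.7", 443), "permit"),
]


def test_policy(ruleset: List[Rule] = RULESET) -> List[str]:
    """Return a line for every expectation the ruleset violates (empty list means consistent)."""
    failures = []
    for packet, expected in EXPECTED:
        action, rule = evaluate(packet, ruleset)
        if action != expected:
            failures.append(f"{packet} -> {action} by {rule}, expected {expected}")
    return failures


if __name__ == "__main__":
    for packet, _ in EXPECTED:
        print(evaluate(packet), packet)
    print("policy violations:", test_policy())
```

Re-running `test_policy()` after every ruleset change is the automated form of the "in-place configuration testing" bullet: the EXPECTED table is the written policy, and any non-empty result is a rule that drifted from it.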
Example
Example (Boundary Router)