Ongoing Administration - PowerPoint PPT Presentation
Provided by: annek167
Slides: 53

Transcript and Presenter's Notes

1
Ongoing Administration
  • Chapter 11

2
Learning Objectives
  • Learn how to evolve a firewall to meet new needs
    and threats
  • Adhere to proven security principles to help the
    firewall protect network resources
  • Use a remote management interface
  • Track log files for security

continued
3
Learning Objectives
  • Follow basic initial steps in responding to
    security incidents
  • Take advanced firewall functions into account
    when administering a firewall

4
Making Your Firewall Meet New Needs
  • Throughput
  • Scalability
  • Security
  • Recoverability
  • Manageability

5
Verifying Resources Needed by the Firewall
  • Ways to track memory and system resources
  • Use the formula
    MemoryUsage = ((ConcurrentConnections) / (AverageLifetime))
                  × (AverageLifetime + 50 seconds) × 120
    eg, 10,000 concurrent connections with a 60-second
    average lifetime give (10,000 / 60) × (60 + 50) × 120
    ≈ 2,200,000 bytes (about 2.2 MB)
  • Use the firewall software's own monitoring feature

6
Verifying Resources Needed by the Firewall
7
Allocating More Memory
8
Identifying New Risks
  • Monitor activities and review log files
  • Check Web sites to keep informed of the latest
    dangers; install patches and updates

9
Adding Software Updates and Patches
  • Test updates and patches before you install them
    on the production firewall, and verify the firewall
    still behaves as expected as soon as they are in
  • Ask vendors (of firewall, VPN appliance, routers,
    etc) for notification when security patches are
    available
  • Check the manufacturer's Web site for security
    patches and software updates

10
Using an Automated Update Feature
11
Obtaining Updates from the Vendor's Web Site
12
Adding Hardware
  • Identify network hardware so firewall can include
    it in routing and protection services
  • Different ways for different firewalls
  • List workstations, routers, VPN appliances, and
    other gateways you add as the network grows
  • Choose good passwords that you guard closely

13
Dealing with Complexity on the Network
  • Distributed firewalls
      • Installed at endpoints of the network, including
        remote computers that connect to the network
        through VPNs
  • Add complexity
      • Require that you install and/or maintain a
        variety of firewalls located on your network and
        in remote locations
  • Add security
      • Protect the network from viruses or other attacks
        that can originate from machines that use VPNs to
        connect (eg, remote laptops)

14
Dealing with Complexity on the Network
15
Adhering to Proven Security Principles
  • Generally Accepted System Security Principles
    (GASSP) apply to ongoing firewall management
  • Secure physical environment where
    firewall-related equipment is housed
  • Importance of locking software so that
    unauthorized users cannot access it

16
Environmental Management
  • Measures taken to reduce risks to physical
    environment where resources are stored
  • Back-up power systems overcome power outages
  • Back-up hardware and software help recover
    network data and services in case of equipment
    failure
  • Sprinkler/alarm systems reduce damage from fire
  • Locks guard against theft

17
BIOS, Boot, and Screen Locks
  • BIOS and boot-up passwords
  • Supervisor passwords
  • Screen saver passwords

18
Using Remote Management Interface
  • Software that enables you to configure and
    monitor firewall(s) that are located on different
    network locations
  • Used to start/stop the firewall or change
    rulebase from locations other than the primary
    computer

19
Why Remote Management Tools Are Important
  • Reduce time and make the job easier for the
    security administrator
  • Reduce chance of configuration errors that might
    result if the same changes were made manually for
    each firewall on the network

20
Security Concerns with Remote Management Tools
  • Can use a Security Information Management (SIM)
    device to prevent unauthorized users from
    circumventing security systems
  • Offers strong security controls (eg, multi-factor
    authentication and encryption)
  • Should have an auditing feature
  • Should use tunneling to connect to the firewall
    or use certificates for authentication
  • Evaluate SIM software to ensure it does not
    introduce new vulnerabilities

21
Basic Features Required of Remote Management Tools
  • Ability to monitor and configure firewalls from a
    single centralized location
  • View and change firewall status
  • View the firewall's current activity
  • View any firewall event or alert messages
  • Ability to start and stop firewalls as needed

22
Tracking Contents of Log Files for Security
  • Reviewing log files can help detect break-ins
    that have occurred and possibly help track down
    intruders
  • Tips for managing log files
      • Prepare usage reports
      • Watch for suspicious events
      • Automate security checks

23
Preparing Usage Reports
  • Sort logs by time of day and per hour
  • Check logs to learn when peak traffic times are
    on the network
  • Identify services that consume the largest part
    of available bandwidth

24
Preparing Usage Reports
25
Suspicious Events to Watch For
  • Rejected connection attempts
  • Denied connections
  • Error messages
  • Dropped packets
  • Successful logons to critical resources
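
The usage report on slide 23 and the suspicious-event list on slide 25 can be produced from the log with a short script. The following is an added example, not part of the original presentation: it parses a handful of constructed log lines in an assumed "timestamp ACTION key=value ..." format (real firewall formats differ, so LINE_RE is the part to adapt), bins events per hour, ranks services by accepted bytes, and flags repeated denials from one source and successful logons to hosts in an assumed CRITICAL_HOSTS set.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, not output of any real product. The format
# (timestamp, action, key=value fields) is an assumption made for this example.
SAMPLE_LOG = """\
2024-03-04T08:02:11 ACCEPT src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443 bytes=51200
2024-03-04T08:15:42 ACCEPT src=10.0.0.6 dst=203.0.113.22 proto=tcp dport=80 bytes=20480
2024-03-04T08:31:09 DROP src=198.51.100.7 dst=10.0.0.20 proto=tcp dport=22 bytes=60
2024-03-04T08:31:10 DROP src=198.51.100.7 dst=10.0.0.20 proto=tcp dport=23 bytes=60
2024-03-04T08:31:11 REJECT src=198.51.100.7 dst=10.0.0.20 proto=tcp dport=3389 bytes=60
2024-03-04T09:05:00 ACCEPT src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443 bytes=409600
2024-03-04T09:06:30 ACCEPT src=10.0.0.9 dst=10.0.0.20 proto=tcp dport=22 bytes=8192
2024-03-04T09:06:31 LOGIN src=10.0.0.9 dst=10.0.0.20 proto=tcp dport=22 user=admin
2024-03-04T09:40:00 DROP src=192.0.2.33 dst=10.0.0.21 proto=udp dport=161 bytes=90
2024-03-04T10:12:00 ACCEPT src=10.0.0.6 dst=203.0.113.22 proto=tcp dport=80 bytes=10240
"""

# Assumed: hosts whose every successful logon deserves a look (slide 25).
CRITICAL_HOSTS = {"10.0.0.20"}

LINE_RE = re.compile(r"^(\S+)\s+(ACCEPT|DROP|REJECT|LOGIN)\s+(.*)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, action, rest = m.groups()
    event = {"time": datetime.fromisoformat(stamp), "action": action}
    event.update(kv.split("=", 1) for kv in rest.split())
    event["bytes"] = int(event.get("bytes", 0))  # LOGIN lines carry no byte count
    return event


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def hourly_counts(events):
    """Usage report: events per hour of day, which shows when traffic peaks."""
    return dict(Counter(e["time"].hour for e in events))


def peak_hour(events):
    counts = hourly_counts(events)
    return max(counts, key=counts.get)


def top_services(events, n=3):
    """Accepted bytes per proto/port, largest first: the bandwidth consumers."""
    by_service = defaultdict(int)
    for e in events:
        if e["action"] == "ACCEPT":
            by_service[f"{e['proto']}/{e['dport']}"] += e["bytes"]
    return sorted(by_service.items(), key=lambda kv: kv[1], reverse=True)[:n]


def suspicious_events(events, deny_threshold=3):
    """Flag repeated denials from one source (a scan in progress) and
    successful logons to critical hosts; both come from slide 25's list."""
    findings = []
    denied = [e for e in events if e["action"] in ("DROP", "REJECT")]
    per_source = Counter(e["src"] for e in denied)
    for src, n in per_source.items():
        if n >= deny_threshold:
            ports = sorted({e["dport"] for e in denied if e["src"] == src}, key=int)
            findings.append(f"{src}: {n} denied connections to ports "
                            f"{','.join(ports)} (possible scan)")
    for e in events:
        if e["action"] == "LOGIN" and e["dst"] in CRITICAL_HOSTS:
            findings.append(f"{e['src']}: successful logon as {e.get('user', '?')} "
                            f"to critical host {e['dst']}")
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("events per hour:", hourly_counts(evts), "peak:", peak_hour(evts))
    print("top services by bytes:", top_services(evts))
    for line in suspicious_events(evts):
        print("SUSPICIOUS:", line)
```

The deny threshold is deliberately low for ten sample lines; on a real firewall it is tuned per source against the usual background of scanning noise, and the same counting applied per destination port finds "ports that are normally unused" being probed.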

26
Responding to Suspicious Events
  • Firewall options
      • Block only this connection
      • Block access from this source
      • Block access to this destination
  • Track the attacks
  • Locate and prosecute the offenders

27
Tools for Tracking Attacks
  • Sam Spade
  • Netstat
  • NetCat

28
Compiling Legal Evidence
  • Identify which computer or media may contain
    evidence
  • Shut down the computer and isolate the work area
    until a computer forensic specialist arrives
    (caveat: powering off destroys volatile evidence
    such as memory contents and live network
    connections; capture those first if the situation
    allows, and never run tools on the original)
  • Write-protect removable media
  • Preserve evidence (make a mirror image) so it is
    not manipulated

continued
29
Compiling Legal Evidence
  • Examine the mirror image, not the original
  • Review log files and other data; report findings
    to management
  • Preserve evidence by making a forensically
    sound copy

30
Compiling Legal Evidence
  • Observe the three A's of computer forensics
  • Acquire
  • Authenticate
  • Analyze
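
The three A's on slide 30 can be made concrete with hashing. The following is an added example, not from the original presentation: the "drive" is a constructed byte string standing in for a raw device read through a write blocker, acquire copies it and records a SHA-256 of the source at acquisition time, authenticate re-checks that hash, and analyze searches only the image. The second half shows why the original must not be touched (slide 29): once it is altered, it no longer matches the acquisition hash while the image still does.

```python
import hashlib

# Constructed stand-in for seized media; a real acquisition reads the raw
# device (through a hardware write blocker) rather than a byte string.
ORIGINAL_MEDIA = (
    b"MBR\x00\x00boot code\x00\x00"
    b"|/var/log/auth.log: Failed password for root from 198.51.100.7"
    b"|/var/log/auth.log: Failed password for admin from 198.51.100.7"
    b"|/var/log/auth.log: Accepted password for admin from 198.51.100.7"
    b"|free space\x00\x00\x00"
)


def sha256_hex(data):
    return hashlib.sha256(bytes(data)).hexdigest()


def acquire(media):
    """Acquire: bit-for-bit copy plus the hash of the source as it was read.
    Returns (image, acquisition_hash); the hash goes into the custody record."""
    image = bytes(media)
    return image, sha256_hex(media)


def authenticate(data, acquisition_hash):
    """Authenticate: data is only usable as evidence if it still hashes to
    the value recorded at acquisition."""
    return sha256_hex(data) == acquisition_hash


def analyze(image, needle):
    """Analyze: offsets of an indicator in the image (never in the original)."""
    hits, start = [], 0
    while True:
        i = image.find(needle, start)
        if i == -1:
            return hits
        hits.append(i)
        start = i + 1


def custody_record(image, acquisition_hash, findings):
    """Minimal chain-of-custody entry: what was examined and its hash at the time."""
    return {
        "image_sha256": sha256_hex(image),
        "matches_acquisition": authenticate(image, acquisition_hash),
        "findings": findings,
    }


def run_case():
    """Image the media, then let the original get altered (for example by
    booting it) and show that only the image still authenticates."""
    media = bytearray(ORIGINAL_MEDIA)
    image, acq_hash = acquire(media)
    media[0:3] = b"XXX"                   # original touched after acquisition
    hits = analyze(image, b"Failed password")
    record = custody_record(image, acq_hash, {"failed_logons": len(hits)})
    record["original_still_authentic"] = authenticate(media, acq_hash)
    return record


if __name__ == "__main__":
    for key, value in run_case().items():
        print(f"{key}: {value}")
```

In practice the acquisition hash is written down (and signed) before any analysis starts, and the image is re-hashed after analysis so the record shows that examination did not change it either.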

31
Automating Security Checks
  • Outsource firewall management

32
Security Breaches Will Happen!
  • Use software designed to detect attacks and send
    alert notifications
  • Take countermeasures to minimize damage
  • Take steps to prevent future attacks

33
Using an Intrusion Detection System (IDS)
  • Detects whether network or server has experienced
    an unauthorized access attempt
  • Sends notification to appropriate network
    administrators
  • Considerations when choosing
  • Location
  • Intrusion events to be gathered
  • Network-based versus host-based IDS
  • Signature-based versus heuristic IDS

34
Network-Based IDS
  • Tracks traffic patterns on an entire network segment
  • Collects raw network packets, looks at packet
    headers and payloads, determines whether known
    signatures that match common intrusion attempts
    are present, and takes action based on the contents
  • Good choice if network has been subject to
    malicious activity (eg, port scanning)
  • Usually OS-independent
  • Minimal impact on network performance

35
Host-Based IDS
  • Collects data from individual computer on which
    it resides
  • Reviews audit and system logs, looking for
    signatures
  • Can perform intrusion detection in a network
    where traffic is usually encrypted
  • Needs no additional hardware
  • Cannot detect port scans or other intrusion
    attempts that target entire network

36
Signature-Based IDS
  • Stores signature information in a database
  • Database requires periodic updating
  • Can work with either host-based or network-based
    IDS
  • Often closely tied to specific hardware and
    operating system
  • Provides fewer false alarms than heuristic IDS

37
Heuristic IDS
  • Compares traffic patterns against normal
    activity and sets off an alarm if pattern
    deviates
  • Can in principle flag new attacks that have no
    signature yet, since it looks for deviation from
    normal rather than for a known pattern
  • Generates a high rate of false alarms (legitimate
    but unusual traffic also deviates from the baseline)
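
Slides 36 and 37 contrast signature and heuristic detection; the following added example (not code from the presentation) runs both over a constructed packet list. The signature database holds two assumed byte patterns; the heuristic learns bytes-per-source from assumed normal traffic and alerts above the mean plus three standard deviations. The outcome reproduces the trade-off the slides describe: the signature engine catches the known traversal attempt and nothing else, while the heuristic catches the unknown flood but also a legitimate large backup.

```python
import statistics
from collections import defaultdict

# Constructed signature database; real ones (eg, Snort rule sets) are far larger.
SIGNATURES = {
    "dir-traversal": b"../../etc/passwd",
    "sql-injection": b"' OR 1=1",
}


def pkt(src, dport, payload):
    return {"src": src, "dport": dport, "payload": payload}


# Assumed "normal" traffic used to train the heuristic baseline. Payload
# content is irrelevant to the byte-count heuristic; only its size matters.
TRAINING = [
    pkt("10.0.0.5", 80, b"\x00" * 1000),
    pkt("10.0.0.6", 80, b"\x00" * 1200),
    pkt("10.0.0.7", 443, b"\x00" * 1400),
    pkt("10.0.0.8", 443, b"\x00" * 1000),
]

# Constructed live traffic for one observation window.
LIVE = [
    pkt("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n" * 25),
    pkt("198.51.100.7", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),  # known exploit string
    pkt("10.0.0.8", 445, b"\x00" * 60000),      # legitimate nightly backup
    pkt("192.0.2.44", 8080, b"\x41" * 80000),    # novel flood with no known signature
]


def signature_alerts(packets):
    """Signature IDS: alert on packets whose payload contains a known pattern."""
    return [(p["src"], name) for p in packets
            for name, pattern in SIGNATURES.items() if pattern in p["payload"]]


def baseline(training):
    """Heuristic IDS training: mean and population stdev of bytes per source."""
    per_src = defaultdict(int)
    for p in training:
        per_src[p["src"]] += len(p["payload"])
    totals = list(per_src.values())
    return statistics.mean(totals), statistics.pstdev(totals)


def heuristic_alerts(packets, mean, stdev, k=3.0):
    """Heuristic IDS: alert on any source whose volume deviates from the
    baseline by more than k standard deviations."""
    per_src = defaultdict(int)
    for p in packets:
        per_src[p["src"]] += len(p["payload"])
    limit = mean + k * stdev
    return [(src, total) for src, total in per_src.items() if total > limit]


def compare(packets=LIVE, training=TRAINING):
    """Run both detectors on the same window and return what each flagged."""
    mean, stdev = baseline(training)
    return {
        "signature": signature_alerts(packets),
        "heuristic": sorted(src for src, _ in heuristic_alerts(packets, mean, stdev)),
    }


if __name__ == "__main__":
    result = compare()
    print("signature alerts:", result["signature"])   # only the known exploit
    print("heuristic alerts:", result["heuristic"])   # the flood, but also the backup
```

Both detectors miss something: the signature engine never sees the flood (no pattern for it), and the heuristic never sees the traversal attempt (its volume is ordinary). That is why the two are deployed together, and why the heuristic baseline has to be retrained when legitimate traffic (such as a new backup job) changes.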

38
Receiving Security Alerts
  • A good IDS
  • Notifies appropriate individuals (eg, via e-mail,
    alert, pager, or log)
  • Provides information about the type of event
  • Provides information about where in the network
    the intrusion attempt took place

39
When an Intrusion Occurs
  • React rationally; don't panic
  • Use alerts to begin assessment
  • Analyze what resources were hit and what damage
    occurred
  • Perform real-time analysis of network traffic to
    detect unusual patterns
  • Check to see if any ports that are normally
    unused have been accessed
  • Use a file-integrity checker (eg, Tripwire) to find
    system files that were changed or added

40
During and After Intrusion
  • Document the existence of
      • Executables that were added to the system
      • Files that were placed on the computer, deleted,
        or accessed by unauthorized users
      • Web pages that were defaced
      • E-mail messages that were sent as a result of
        the attack
  • Document your response to the intrusion

41
Configuring Advanced Firewall Functions
  • Ultimate goal
      • High availability
      • Scalability
  • Advanced firewall functions
      • Data caching
      • Redundancy
      • Load balancing
      • Content filtering

42
Data Caching
  • Set up a server that will
      • Receive requests for URLs
      • Filter those requests against different criteria
  • Options
      • No caching
      • URI Filtering Protocol (UFP) server
      • VPN Firewall (one request)
      • VPN Firewall (two requests)

43
Hot Standby Redundancy
  • A secondary or failover firewall is configured to
    take over traffic duties in case the primary
    firewall fails
  • Usually involves two firewalls; only one operates
    at any given time
  • The two firewalls are connected by a heartbeat
    network over which the standby learns whether the
    primary is still alive
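
Slide 43's heartbeat arrangement, as an added simulation (not code from the presentation or from any vendor): a primary/secondary pair where the standby promotes itself after an assumed three consecutive missed heartbeats. Three runs show the normal failover, a recovered primary standing down instead of fighting the promoted standby, and the classic caveat: if only the heartbeat link fails, both firewalls believe they are active (split brain), which is why real deployments use a redundant heartbeat path.

```python
from dataclasses import dataclass


@dataclass
class Firewall:
    name: str
    active: bool = False   # currently passing traffic
    alive: bool = True     # host/process is up


class StandbyPair:
    """Primary/secondary pair joined by a heartbeat link. Only one member
    should pass traffic at any time; the standby promotes itself after
    missed_limit consecutive heartbeats go unanswered (assumed value 3)."""

    def __init__(self, missed_limit=3):
        self.primary = Firewall("fw-1", active=True)
        self.secondary = Firewall("fw-2")
        self.missed_limit = missed_limit
        self.link_up = True
        self.missed = 0
        self.events = []

    def passing_traffic(self):
        return [fw.name for fw in (self.primary, self.secondary)
                if fw.alive and fw.active]

    def tick(self, t):
        """One heartbeat interval; returns who is passing traffic afterwards."""
        heard = self.primary.alive and self.link_up
        if heard:
            self.missed = 0
            if self.secondary.active and self.primary.active:
                # Non-preemptive: a primary that comes back while the
                # standby is active stands down instead of competing.
                self.primary.active = False
                self.events.append((t, "fw-1 demoted to standby"))
        else:
            self.missed += 1
            if self.missed >= self.missed_limit and not self.secondary.active:
                self.secondary.active = True
                self.events.append(
                    (t, f"fw-2 promoted after {self.missed} missed heartbeats"))
        return self.passing_traffic()


def simulate(failure_at=None, recover_at=None, link_failure_at=None,
             ticks=10, missed_limit=3):
    """Drive the pair through `ticks` intervals; returns (pair, history),
    where history[t] lists the firewalls passing traffic after interval t."""
    pair = StandbyPair(missed_limit)
    history = []
    for t in range(ticks):
        if t == failure_at:
            pair.primary.alive = False
        if t == recover_at:
            pair.primary.alive = True
        if t == link_failure_at:
            pair.link_up = False     # heartbeat path cut, primary still alive
        history.append(pair.tick(t))
    return pair, history


if __name__ == "__main__":
    cases = [("primary dies", dict(failure_at=2)),
             ("primary dies, later recovers", dict(failure_at=2, recover_at=6)),
             ("heartbeat link only fails", dict(link_failure_at=2))]
    for label, kw in cases:
        pair, hist = simulate(**kw)
        print(f"{label}: {hist}")
        for t, e in pair.events:
            print(f"  t={t}: {e}")
```

The outage window in the first run (two intervals with nobody passing traffic) is the price of the missed-heartbeat threshold; lowering it shortens the outage but makes a brief heartbeat hiccup more likely to trigger the split-brain case shown in the third run.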

44
Hot Standby Redundancy
45
Hot Standby Redundancy
  • Advantages
      • Easy and economical to set up; gives the network
        a quick back-up system
      • One firewall can be stopped for maintenance
        without stopping network traffic
  • Disadvantages
      • Does not improve network performance
      • VPN connections may or may not be included in
        the failover; tunnel state that is not
        synchronised to the standby is lost and the
        tunnels must be re-established

46
Load Balancing
  • Practice of balancing the load placed on the
    firewall so that it is handled by two or more
    firewall systems
  • Load sharing
      • Practice of configuring two or more firewalls to
        share the total traffic load
      • Traffic between firewalls is distributed by
        routers using special routing protocols
          • Open Shortest Path First (OSPF)
          • Border Gateway Protocol (BGP)

47
Load Balancing
48
Load Sharing
  • Advantages
      • Improves total network performance
      • Maintenance can be performed on one firewall
        without disrupting total network traffic
  • Disadvantages
      • Load usually distributed unevenly (can be
        remedied by using layer four switches)
      • Configuration can be complex to administer

49
Filtering Content
  • Firewalls don't scan for viruses themselves but can
    work with third-party applications to scan for
    viruses or perform other content checks
  • Open Platform for Security (OPSEC) model
  • Content Vectoring Protocol (CVP)

50
Filtering Content
51
Filtering Content Guidelines
  • Install anti-virus software on SMTP gateway in
    addition to providing desktop anti-virus
    protection for each computer
  • Choose an anti-virus gateway product that
      • Provides for content filtering
      • Can be updated regularly to account for recent
        viruses
      • Can scan the system in real time
      • Has detailed logging capabilities

52
Chapter Summary
  • How to expand a firewall to meet new needs
  • Importance of observing fundamental principles of
    network security when maintaining the firewall
  • Importance of being able to manage the firewall
    remotely and having log files for review
  • Responding to security incidents
  • Advanced firewall functions