
Guide to Tactical Perimeter Defense

Chapter 7 Managing Firewalls to Improve Security

Objectives
Explain how to edit a rule base
Describe how to manage log files
List measures for improving firewall performance and security
Explain how to install and configure Microsoft ISA Server 2006
Explain how to manage and configure Iptables for Linux

Tactical Perimeter Defense

Editing the Rule Base

Place the most important rules near the top of the rule base
Don't make the firewall do more logging than it has to
Reduce the number of domain objects in the rule base
  Domain objects match traffic by DNS name rather than by IP address, so the firewall has to perform DNS lookups to evaluate them
  Domain objects increase the possibility of security breaches: DNS spoofing or zone transfer
  Keep rules that cover domain objects near the bottom of the rule base

Reducing Rules

Check for duplicate or unnecessary entries
Consolidate rules

Table 7-1 Inefficient firewall rules

Reducing Rules (cont.)

Table 7-2 More efficient firewall rules


Reordering and Editing Rules

Place the most frequently matched rules near the top of the list
  Scan log files to find commonly used services
  Examples: SMTP server, DNS server
  Move a rule up only past rules it does not overlap (or overlaps with the same action); on a first-match firewall, passing an overlapping rule with a different action changes which rule fires for that traffic

Goal: reduce the number of rules with Log as the action to the bare minimum
  Log only attempts to access restricted resources

Reordering and Editing Rules (cont.)

Activity 7-1: Improving a Rule Base
  Objective: Review a sample rule base and make improvements
  Which rules cover the same sort of communication?
  Which rules are too far down the list and should be moved up?
  Which rules give the firewall more work to do than is necessary?
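The three questions in Activity 7-1 can be answered mechanically for a first-match packet filter. The following is an added example, not code from the textbook: the Rule layout (source, destination, protocol, destination port, action, log flag), the sample rule base and the hit counts are constructed for illustration, and the hit counts stand in for what you would read out of the firewall's traffic log. It finds rules that can never fire (an earlier rule already covers everything they match), drops the ones that are merely redundant, flags allow rules that log, and bubbles frequently matched rules upward without ever moving one past an overlapping rule that would change the firewall's behaviour.

```python
"""Rule-base hygiene checks for a first-match packet filter (added example).

The Rule layout and the sample rule base below are constructed for illustration;
hit counts would normally come from the firewall's traffic log.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    port: Optional[int]   # destination port; None means any
    action: str           # "allow" or "deny"
    log: bool = False


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` is also in `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def _net_overlaps(a: str, b: str) -> bool:
    if ANY in (a, b):
        return True
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def covers(a: Rule, b: Rule) -> bool:
    """True if `a` matches every packet `b` matches, so `b` is unreachable below `a`."""
    return (_net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and a.proto in (ANY, b.proto)
            and a.port in (None, b.port))


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet matches both rules, so their relative order matters."""
    return (_net_overlaps(a.src, b.src) and _net_overlaps(a.dst, b.dst)
            and (ANY in (a.proto, b.proto) or a.proto == b.proto)
            and (None in (a.port, b.port) or a.port == b.port))


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Rules that can never fire because an earlier rule matches everything they match.

    kind is "redundant" when the earlier rule has the same action (drop the later one)
    and "conflict" when it does not (the later rule's intent is silently lost)."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "conflict"
                found.append((rule.name, earlier.name, kind))
                break
    return found


def prune_redundant(rules: List[Rule]) -> List[Rule]:
    """Consolidate: remove rules reported as redundant, keeping the rest in order."""
    redundant = {name for name, _, kind in find_shadowed(rules) if kind == "redundant"}
    return [r for r in rules if r.name not in redundant]


def noisy_log_rules(rules: List[Rule]) -> List[str]:
    """Allow rules that log: permitted high-volume traffic is the usual source of log bloat."""
    return [r.name for r in rules if r.action == "allow" and r.log]


def reorder_by_hits(rules: List[Rule], hits: Dict[str, int]) -> List[Rule]:
    """Move frequently matched rules up without changing behaviour.

    A rule bubbles up past rules with fewer hits, but never past a rule it overlaps
    that has a different action or log setting: swapping those two would change what
    happens to the packets both of them match."""
    ordered: List[Rule] = []
    for rule in rules:
        pos = len(ordered)
        while pos > 0:
            prev = ordered[pos - 1]
            if hits.get(prev.name, 0) >= hits.get(rule.name, 0):
                break
            if overlaps(prev, rule) and (prev.action, prev.log) != (rule.action, rule.log):
                break
            pos -= 1
        ordered.insert(pos, rule)
    return ordered


# Constructed rule base in the spirit of Table 7-1 (not the textbook's table).
SAMPLE_RULES = [
    Rule("block-telnet", ANY, ANY, "tcp", 23, "deny", log=True),
    Rule("dns-out", "10.0.20.0/24", ANY, "udp", 53, "allow", log=True),   # logs allowed traffic
    Rule("web-out", "10.0.20.0/24", ANY, "tcp", 80, "allow"),
    Rule("https-out", "10.0.20.0/24", ANY, "tcp", 443, "allow"),
    Rule("web-out-dup", "10.0.20.0/24", ANY, "tcp", 80, "allow"),         # duplicate of web-out
    Rule("smtp-in", ANY, "10.0.20.5/32", "tcp", 25, "allow"),
    Rule("ssh-admin", "10.0.20.10/32", "10.0.20.5/32", "tcp", 22, "allow"),
    Rule("cleanup", ANY, ANY, ANY, None, "deny", log=True),
    Rule("never-reached", "10.0.20.0/24", ANY, "tcp", 8080, "allow"),    # below the cleanup rule
]
# Constructed hit counts per rule name (rules absent here were never matched).
SAMPLE_HITS = {"block-telnet": 3, "dns-out": 900, "web-out": 4200, "https-out": 2500,
               "smtp-in": 300, "ssh-admin": 40, "cleanup": 120}
```

Run `find_shadowed(SAMPLE_RULES)` first: the duplicate is reported as redundant and `never-reached` as a conflict with the cleanup rule, which is the case that deserves a human decision rather than an automatic fix. `reorder_by_hits` then pulls the Web and DNS rules to the top while `cleanup` stays put, because every rule above it overlaps it with a different action.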

Managing Log Files

Configure the firewall to generate log files more efficiently
Use third-party software to get more information from log files
Increase firewall effectiveness by:
  Modifying the log file format
  Preparing log file summaries
  Generating reports

Be aware of having too many administrators
Keep the change management record accessible

Deciding What to Log

Some firewalls log only packets subject to a rule with a Deny action
Types of log files offered by firewalls
  Security log: specific security events
  System log: when the firewall was started or stopped
  Traffic log: each packet entering or leaving the firewall

Firewalls may include a GUI to customize the log file display
Firewalls offer many types of logging data
  The first seven types in Table 7-4 are must-haves

Deciding What to Log (cont.)

Table 7-4 Types of log file data


Configuring the Log File Format

Log file formats
  Text-based: view in a text editor; tedious and difficult to read
  Native format: view in the firewall's own interface
  Open Database Connectivity (ODBC) format: view and query in any ODBC-compliant database
  W3C Extended format: view in a text editor; choose which fields are recorded; analysis tools can generate summaries from it

Edit and configure log file formats for greater efficiency

Configuring the Log File Format (cont.)

Review log files
  View a summary of recent log file events
  Display the raw data in the form of a report
  Review the data and identify traffic patterns
  Adjust rules accordingly
  Review subsequent log file data to ensure unnecessary log file entries have been reduced

Preparing Log File Summaries and Generating Reports

Log file summaries
  List totals of how many events occurred and of what type

Log file analyzers can be built into the firewall or provided as add-ons
ZoneLog Analyser: add-on analyzer
  Known port lists
  Filters
  Custom reports
  IP address resolution

Preparing Log File Summaries and Generating Reports (cont.)

Figure 7-2 Using ZoneLog Analysers log import filters


Preparing Log File Summaries and Generating Reports (cont.)

Figure 7-5 An activity summary in different formats


Preparing Log File Summaries and Generating Reports (cont.)

Figure 7-7 Address lookup details

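The W3C Extended format described above is self-describing: a `#Fields:` directive names the columns, other `#` lines are directives, and each data line carries one space-separated value per field (a `-` where a field does not apply). That is enough to build the summary and report steps of the review procedure without an add-on analyzer. The following is an added example and not the textbook's or any product's code: the log is constructed, its field list follows the layout Windows Firewall writes to pfirewall.log (which is what Activity 7-2 switches on), and the addresses and events in it are made up. It produces the event totals by type, the top dropped sources and ports, a count of the non-drop entries that "log successful connections" generates, and a simple pattern check for one source probing several ports.

```python
"""Summarize a W3C Extended Format firewall log (added example).

SAMPLE_LOG is constructed: the #Fields list mirrors the Windows Firewall pfirewall.log
layout, but the hosts and events are invented for illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-03-01 09:00:01 DROP TCP 203.0.113.9 10.0.20.5 51234 445 48 S 1031 0 65535 - - - RECEIVE
2007-03-01 09:00:02 DROP TCP 203.0.113.9 10.0.20.5 51235 139 48 S 1032 0 65535 - - - RECEIVE
2007-03-01 09:00:05 OPEN TCP 10.0.20.5 10.0.20.2 1050 80 - - - - - - - - -
2007-03-01 09:00:06 DROP UDP 198.51.100.7 10.0.20.5 53 1434 404 - - - - - - - RECEIVE
2007-03-01 09:00:09 DROP TCP 203.0.113.9 10.0.20.5 51236 135 48 S 1033 0 65535 - - - RECEIVE
2007-03-01 09:00:12 OPEN TCP 10.0.20.5 10.0.20.2 1051 80 - - - - - - - - -
2007-03-01 09:00:20 CLOSE TCP 10.0.20.5 10.0.20.2 1050 80 - - - - - - - - -
2007-03-01 09:00:31 DROP ICMP 192.0.2.44 10.0.20.5 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C Extended log text into one dict per data line, keyed by the #Fields names."""
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):                      # directive line
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):                # truncated or corrupted entry
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def is_well_formed(text: str) -> bool:
    """True if every data line parses against the #Fields directive."""
    try:
        parse_w3c(text)
        return True
    except ValueError:
        return False


def summarize(records: List[Dict[str, str]], top: int = 3) -> dict:
    """Log file summary: totals by event type, plus the top dropped sources and ports."""
    drops = [r for r in records if r["action"] == "DROP"]
    return {
        "by_action": dict(Counter(r["action"] for r in records)),
        "top_drop_sources": Counter(r["src-ip"] for r in drops).most_common(top),
        "top_drop_ports": Counter(f"{r['protocol']}/{r['dst-port']}" for r in drops).most_common(top),
        # OPEN/CLOSE entries come from "log successful connections"; if nobody reads them,
        # switching that option off is the quickest way to shrink the log.
        "non_drop_records": len(records) - len(drops),
    }


def find_port_scanners(records: List[Dict[str, str]], min_ports: int = 3) -> Dict[str, int]:
    """Sources whose dropped packets touched at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["dst-port"] != "-":
            ports[r["src-ip"]].add(r["dst-port"])
    return {ip: len(p) for ip, p in ports.items() if len(p) >= min_ports}


def render_report(summary: dict, scanners: Dict[str, int]) -> str:
    """Plain-text report of the kind a log analyzer would print."""
    lines = ["Events by action:"]
    lines += [f"  {action:<6} {n}" for action, n in sorted(summary["by_action"].items())]
    lines.append("Top dropped sources:")
    lines += [f"  {ip:<16} {n}" for ip, n in summary["top_drop_sources"]]
    lines.append("Top dropped ports:")
    lines += [f"  {port:<10} {n}" for port, n in summary["top_drop_ports"]]
    lines.append(f"Non-drop entries (candidates to stop logging): {summary['non_drop_records']}")
    lines.append("Possible port scans: " + (", ".join(f"{ip} ({n} ports)" for ip, n in scanners.items()) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(render_report(summarize(recs), find_port_scanners(recs)))
```

The parser refuses a line whose field count disagrees with the `#Fields:` directive rather than guessing, because a silently mis-aligned column is how an address ends up counted under the wrong heading. The same code reads any W3C Extended log whose directive names the `action`, `src-ip`, `dst-port` and `protocol` columns.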

Improving Firewall Performance and Security

Make sure the firewall uses an internal hosts file
Consider using an internal DNS server
Do not log noncritical events

Calculating Resource Requirements

Invest in equipment that can support multiple processors
Use load balancing when possible
Purchase the fastest processor chip your budget can handle
Ensure that the firewall has enough RAM (over 512 MB)
Set aside enough storage space to cache Web pages and other files
  Cache space: 100 MB + (0.5 MB x number of users)

Testing the Firewall

Test before and after the firewall goes online
Test before installing on the network
  Inexpensive option: two client computers, one on the internal and one on the external interface
  Large enterprise: test cell (dedicated test lab) mirroring the network architecture
    Expensive, but ensures network availability

Configuring Advanced Firewall Functions

Data caching
Remote management
Application content filtering
Voice protocol support
Authentication
Time-based access scheduling
Load-sharing

Configuring Advanced Firewall Functions (cont.)

Activity 7-2: Configuring Windows Firewall
  Objective: Configure the Windows XP built-in firewall, Windows Firewall, and set up logging
  Windows Firewall is active by default when Service Pack 2 is installed
  Use the Exceptions tab to configure which inbound requests are allowed
  Add to or edit the Programs and Services list
  Edit the Security Logging section to log dropped packets and successful connections

Configuring Advanced Firewall Functions (cont.)

Figure 7-8 The Advanced Tab and the Log Settings dialog box


Installing and Configuring Microsoft ISA Server 2006

Microsoft ISA Server 2006
  Security, connectivity, and management functions in one product
  Handles traditional firewall functions
  Filters at the application level
  Caches Web pages

Installing and Configuring Microsoft ISA Server 2006 (cont.)

Table 7-5 ISA Server 2006 Standard and Enterprise versions


Installing and Configuring Microsoft ISA Server 2006 (cont.)

Table 7-6 Minimum hardware requirements for ISA Server 2006


Licensing ISA Server 2006

Licensed on a per-processor basis
Severe penalties for inadequate licensing
  Legal; loss of certification and/or job

Security policy should state software licensing requirements explicitly
Enforce the requirements
Include licensing issues and requirements in security training

Reviewing ISA Server 2006 Components

Configuration Storage server: holds the configuration information for all array members
ISA Server services: firewall, VPN, and caching functions
Array: group of ISA servers that are connected physically, share a common configuration, and run the ISA Server services
ISA Server Management: manages the array by connecting to the Configuration Storage server

Installing ISA Server 2006

Installation order
  Install the Configuration Storage server
  Create the array and the enterprise network rules and policies on the Configuration Storage server
  Install ISA Server services on one or more computers

Virtual version: VHD format
  Can be run on a Windows 2000, XP, Vista, or Server 2003 host

Evaluation software: helpful for a Windows Server 2003 installation

Installing ISA Server 2006 (cont.)

Activity 7-3: Installing ISA Server 2006 Evaluation Software
  Objective: Download and install the ISA Server 2006 evaluation software
  Use Windows Server 2003 as your OS
  Follow the installation instructions
  After installation, start the server and examine the management console

Installing ISA Server 2006 (cont.)

Figure 7-9 The ISA Server management console


Installing ISA Server 2006 (cont.)

ISA Server management console provides guidance on configuration tasks
  Assign administrative roles
  Define your networks
  Define enterprise policies
    Default policy denies all traffic
  Configure array settings
    Defines how array members communicate with each other and with the Configuration Storage server
    Specifies how the network is designed

Installing ISA Server 2006 (cont.)

Figure 7-12 Defining networks in ISA Server arrays


Installing ISA Server 2006 (cont.)

Activity 7-4: Configuring ISA Server 2006
  Objective: Configure ISA Server 2006 settings
  Assign administrative roles
  Define networks
  Enter enterprise policy rules
  Set up basic firewall policies

Installing ISA Server 2006 (cont.)

Figure 7-14 Configuring enterprise policy rules


Installing ISA Server 2006 (cont.)

Activity 7-5: Configuring Advanced Security Features in ISA Server 2006
  Objective: Configure ISA Server 2006 security features
  Examine and configure security filters
  Create firewall policies
  Configure caching
  Edit scheduling

Installing ISA Server 2006 (cont.)

Figure 7-19 The firewall policy rule base


Monitoring Servers

Monitoring is integrated into the ISA Server management console
  Connectivity
  Alerts
  Sessions
  System performance
  Customized report generation
  Logging
  Configuration of array members

Monitoring Servers (cont.)

Figure 7-20 The ISA Server Monitoring window


Managing and Configuring Iptables

Iptables: command-line tool used to configure packet-filtering rules for Netfilter, the Linux kernel's filtering framework
  Stateful filtering through connection tracking
  Can match on the full set of TCP flags
  Rules are grouped in chains
    Multiple rule bases (chains); a rule in one chain can jump to another chain, whose rules are then evaluated

Built-in Chains

Types of built-in chains (in the filter table)
  INPUT: packets addressed to the firewall host itself
  OUTPUT: packets generated by the firewall host itself
  FORWARD: packets the firewall routes between its interfaces, for example from the internal network to the external network or back
  Traffic from other hosts that passes through the firewall is therefore handled by FORWARD, not by INPUT or OUTPUT

A match is handled by one of four methods (targets):
  ACCEPT, DROP, QUEUE, or RETURN

Built-in Chains (cont.)

Examples
  Accept as the default action (policy) for packets the firewall host itself sends
    iptables -P OUTPUT ACCEPT
  Drop all incoming connection attempts by default
    iptables -P INPUT DROP
  Drop all forwarded packets by default
    iptables -P FORWARD DROP
  A DROP policy also drops the replies to connections the host or the internal network opened; add a rule accepting packets in the ESTABLISHED,RELATED connection-tracking state ahead of it

Figure 7-21 Built-in chains of packet-filtering rules in Iptables


User-Defined Chains

Some commands for configuring rules
  -N chain: creates a new user-defined chain
  -A chain rule: appends a new rule to the end of the chain
  -I chain rulenumber rule: inserts a new rule at a specific position
  -R chain rulenumber rule: replaces the rule at the specified position with a new rule
  -D chain rulenumber: deletes the rule at the position specified by rulenumber
  -D chain rule: deletes the first rule that matches the given specification

User-Defined Chains (cont.)

Some options for creating rules
  -s source: matches the source IP address or network
  -d destination: matches the destination IP address or network
  -p protocol: matches the protocol used (tcp, udp, icmp)
  -i interface: matches the network interface the packet arrived on (-o matches the outgoing interface)
  -j target: specifies the action (target) taken when the rule matches
  !: negates whatever follows it
  Logging: iptables has no -l option (that was ipchains); use a separate rule with -j LOG, which records the packet and then continues with the next rule

User-Defined Chains (cont.)

Example
  Enable all users on the 10.0.20.0/24 network to access the Web server at 10.0.20.2 by using the World Wide Web service
    iptables -A OUTPUT -s 10.0.20.0/24 -d 10.0.20.2 -p tcp --dport 80 -j ACCEPT
  OUTPUT only covers packets the firewall host itself generates; when the users' traffic passes through the firewall to reach the server, the same rule belongs in the FORWARD chain
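Put together, the three default policies, the Web rule and the logging advice from earlier in the chapter make one small ruleset, and the two mistakes that bite most often (a DROP policy with no connection-tracking rule, and a LOG rule with no rate limit) are easy to check for before loading it. The following is an added example and not code from the textbook or from the iptables project: it writes the ruleset in the text format `iptables-restore` reads, keeps the chapter's addresses, and assumes the users' packets actually cross the firewall to reach the server, with the interface names eth0 (external) and eth1 (internal), the `conntrack` match and the `LOGDROP` chain being this example's own choices. `NAIVE_RULESET` is the chapter's three policies plus its OUTPUT rule written out literally, to show what the lint reports for them.

```python
"""Build and lint an iptables-restore ruleset for the chapter's policy (added example).

Interface names, the conntrack match and the LOGDROP chain are this example's
assumptions; the addresses are the chapter's. Load the output with:
    iptables-restore < rules.v4
"""
from typing import List

# The chapter's three policies plus its OUTPUT rule, written as iptables-restore input.
NAIVE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -s 10.0.20.0/24 -d 10.0.20.2 -p tcp --dport 80 -j ACCEPT
COMMIT
"""


def build_ruleset(lan: str = "10.0.20.0/24", web_server: str = "10.0.20.2",
                  lan_if: str = "eth1", wan_if: str = "eth0",
                  log_limit: str = "5/min") -> str:
    """Default-deny INPUT and FORWARD with stateful return traffic, the Web rule in
    FORWARD (the firewall routes the users' packets; OUTPUT would only cover its own),
    and rate-limited logging of what the cleanup rules drop."""
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":LOGDROP - [0:0]",                                   # user-defined chain: log, then drop
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -i {lan_if} -s {lan} -d {web_server} -p tcp --dport 80 "
        "-m conntrack --ctstate NEW -j ACCEPT",
        # LOG is non-terminating, so the DROP must follow it; the limit keeps a flood
        # from filling the disk, which is itself a denial of service.
        f"-A LOGDROP -m limit --limit {log_limit} -j LOG --log-prefix \"FW-DROP: \"",
        "-A LOGDROP -j DROP",
        f"-A INPUT -i {wan_if} -j LOGDROP",                    # log only unsolicited external attempts
        "-A FORWARD -j LOGDROP",
        "COMMIT",
    ]
    return "\n".join(rules) + "\n"


def lint_ruleset(text: str) -> List[str]:
    """Flag a LOG rule with no rate limit and a default-DROP chain with no
    ESTABLISHED,RELATED rule (replies to connections the host or network opened
    would be dropped). Understands both -m conntrack --ctstate and -m state --state."""
    findings: List[str] = []
    policies = {}
    stateful = set()
    for line in text.splitlines():
        if line.startswith(":"):                              # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tokens = line.split()
            chain = tokens[1]
            target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
            if "ESTABLISHED,RELATED" in tokens or "RELATED,ESTABLISHED" in tokens:
                stateful.add(chain)
            if target == "LOG" and "limit" not in tokens:
                findings.append(f"{chain}: LOG rule without -m limit")
    for chain, policy in policies.items():
        if policy == "DROP" and chain not in stateful:
            findings.append(f"{chain}: policy DROP but no ESTABLISHED,RELATED rule")
    return findings


if __name__ == "__main__":
    print(build_ruleset(), end="")
    for finding in lint_ruleset(NAIVE_RULESET):
        print("naive ruleset:", finding)
```

Run it and redirect the first part of the output to a file for `iptables-restore`; the lint on `NAIVE_RULESET` shows why the chapter's three policies alone leave the firewall unable to receive replies to its own DNS or update traffic. Older kernels and guides spell the state match `-m state --state ESTABLISHED,RELATED`; the lint accepts either form.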

Summary

Improving a firewall configuration
  Optimize the rule base and fine-tune logging

Log files
  Formats: text-based, ODBC, W3C Extended, firewall interface (native)
  Fine-tune log files to log only essential information
  Analysis tools: summaries of raw data, generation of reports

The host's processor speed has the greatest impact on firewall performance

Summary (cont.)

Testing a firewall
  Before and after it goes online
  Before installing on the network

Configuring a firewall
  Advanced features: data caching, remote management, application filtering, load balancing, etc.

Microsoft ISA Server 2006
  Firewall and caching functions
  Security, connectivity, and management features

Iptables: command-line tool for packet-filtering rules
  Includes three built-in chains of rules