Guide to Network Defense and Countermeasures

Chapter 6
Chapter 6 - Strengthening and Managing Firewalls

- Understand how to supplement a firewall with a proxy server
- Describe the most important issues to be faced when managing a firewall
- Know how to install and configure Check Point NG
- Know how to install and configure Microsoft ISA Server 2000
- Know how to manage and configure iptables for Linux

Working with Proxy Servers

- Proxy servers forward packets to and from the network being protected and cache Web pages to speed up network performance
- The primary goal of proxy servers is to provide security at the Application layer and shield hosts on the internal network
- A secondary goal is the logging of traffic headed outbound from the internal network to the Internet, so that the activities of employees who surf the Web, exchange e-mail, and use other services can be monitored

Working with Proxy Servers

How proxy servers work:
- One way proxy servers prevent direct connections between external and internal computers is by working at the Application layer
- At the Application layer, the proxy server interprets which application was used to make a request and which application is needed to forward that request
- When a request is received, the proxy server opens it and examines the contents; it then replaces the original header with a new header containing its own IP address rather than that of the original client

Working with Proxy Servers

Choosing a proxy server:
- The type of proxy server needed depends on the needs of the existing firewall configuration
- Freeware proxy servers typically provide a specific function rather than a full range of functions
- Commercial proxy servers combine Web page caching and IP address translation with content filtering and firewall functions (packet filter and NAT)
- Firewalls that perform proxy server functions act as all-in-one security programs; the drawback is that all security is left in the hands of a single program

Working with Proxy Servers

Choosing a proxy server (cont.):
- Standalone proxy servers provide access to the SOCKS communications protocol, which sets up a secure channel between two computers
- SOCKS authenticates users by incorporating an unencrypted exchange of username and password
- The SOCKS package includes the SOCKS server (must be run on UNIX), the SOCKS client library, and versions of several UNIX client programs
- SOCKS is popular, is supported by most proxy servers, and supports Windows, UNIX, and Macintosh

Working with Proxy Servers

- Filtering content is one of the most useful applications of proxy servers
- They can open TCP/IP packets, inspect the data portion, and take action based on the contents
- This capability enables proxy servers to filter out content that would otherwise appear in a user's Web browser window during Web surfing; they can also block Web sites and drop executable programs
- Administrators configure browsers to connect to proxy servers rather than directly to the Internet; all Web content is then routed through the proxy

Working with Proxy Servers

- Filter rules allow administrators to set proxy rules for identifying the content to filter out
- The freeware program Proxomitron filters pop-up windows, background audio, embedded scripts, ad banners, status bar scrolling messages, blinking text, and background images, and blocks Web sites
- The danger with such extreme content filtering is that content the Web page's author created to convey a legitimate message can also be blocked, so use such filtering selectively

Managing Firewalls to Improve Safety

- A firewall's effectiveness depends on the ongoing attention its administrator devotes to it
- Effective firewall management impacts the network in the following ways:
  - Security - the organization can cope with new threats and continue to block attacks
  - Throughput - adjusting the firewall so that it performs better will speed up network performance
  - Disaster recovery - by backing up the current security configuration, disaster recovery is possible

Managing Firewalls to Improve Safety

- Edit the rule base on an ongoing basis in order to implement organizational security policy more effectively and improve performance
- Ensure that rules are as relevant and as few as possible; remove unneeded rules
- Place the most important rules near the top of the rule base; scan log files to determine the best rule order
- Reduce firewall logging by minimizing the number of rules that have Log as the action
- Reduce the number of domain objects and move any of their rules to the bottom of the rule base

Managing Firewalls to Improve Safety

- Manage firewall log files continuously to improve firewall performance and security
- Some firewalls come with so many types of logging data that including them all makes log files unwieldy
- Common log files include security events, firewall system, packet traffic, active connections, and access audit; logging can be configured to specify exactly which elements will be included in log files
- Log file summaries present the entry-generating events; some firewalls provide analysis tools that prepare summaries for report generation
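The two preceding slides, on ordering the rule base from log evidence and on preparing log file summaries, can both be carried out with a short script over the firewall's own log. The script below is an added example and is not from the textbook; it assumes a Linux firewall whose logging rules each carry a distinct Netfilter `--log-prefix` (the prefix names, addresses and the eight log lines are constructed for the example, in the syslog form found in /var/log/kern.log).

```shell
#!/bin/sh
# Constructed sample of Netfilter LOG entries. Each logging rule was given its
# own --log-prefix (names made up here) so an entry can be traced to its rule.
SAMPLE_LOG='Jun  1 10:00:01 fw kernel: [  101.10] FW-DROP-INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=23
Jun  1 10:00:02 fw kernel: [  102.11] FW-ACCEPT-WEB: IN=eth1 OUT=eth0 SRC=192.168.10.20 DST=198.51.100.7 PROTO=TCP SPT=50001 DPT=80
Jun  1 10:00:03 fw kernel: [  103.12] FW-ACCEPT-WEB: IN=eth1 OUT=eth0 SRC=192.168.10.21 DST=198.51.100.7 PROTO=TCP SPT=50002 DPT=443
Jun  1 10:00:04 fw kernel: [  104.13] FW-DROP-INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=445
Jun  1 10:00:05 fw kernel: [  105.14] FW-ACCEPT-DNS: IN=eth1 OUT=eth0 SRC=192.168.10.20 DST=198.51.100.53 PROTO=UDP SPT=5353 DPT=53
Jun  1 10:00:06 fw kernel: [  106.15] FW-ACCEPT-WEB: IN=eth1 OUT=eth0 SRC=192.168.10.22 DST=198.51.100.8 PROTO=TCP SPT=50003 DPT=80
Jun  1 10:00:07 fw kernel: [  107.16] FW-DROP-INPUT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Jun  1 10:00:08 fw kernel: [  108.17] FW-ACCEPT-WEB: IN=eth1 OUT=eth0 SRC=192.168.10.20 DST=198.51.100.7 PROTO=TCP SPT=50004 DPT=443'

# Normalise each LOG entry (stdin) to "prefix src dst proto dpt".
# The prefix is the token just before IN=; lines without one are skipped.
parse_log() {
  awk '
    {
      prefix = ""; src = ""; dst = ""; proto = ""; dpt = "-"
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^IN=/ && prefix == "") { prefix = $(i - 1); sub(/:$/, "", prefix) }
        else if ($i ~ /^SRC=/)   src   = substr($i, 5)
        else if ($i ~ /^DST=/)   dst   = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (prefix != "") print prefix, src, dst, proto, dpt
    }'
}

# Entries per rule, most frequent first: "<prefix> <count>".
hits_per_rule() {
  parse_log | awk '{ n[$1]++ } END { for (p in n) print p, n[p] }' | sort -k2,2nr -k1,1
}

# Candidate rule order: the rules matched most often, one prefix per line.
suggest_rule_order() {
  hits_per_rule | awk '{ print $1 }'
}

# Destination ports hit by one rule: "<proto>/<port> <count>".
ports_for_rule() {
  parse_log | awk -v want="$1" '$1 == want { n[$4 "/" $5]++ } END { for (k in n) print k, n[k] }' | sort -k2,2nr -k1,1
}

# Source addresses matched by one rule: "<src> <count>".
sources_for_rule() {
  parse_log | awk -v want="$1" '$1 == want { n[$2]++ } END { for (k in n) print k, n[k] }' | sort -k2,2nr -k1,1
}

# The log file summary an administrator would circulate for one period.
# Argument: the prefix of the drop rule to break down (stdin: the log).
daily_summary() {
  data=$(cat)
  echo "== Entries per rule (most hit first) =="
  printf '%s\n' "$data" | hits_per_rule
  echo "== Ports hit by rule $1 =="
  printf '%s\n' "$data" | ports_for_rule "$1"
  echo "== Sources matched by rule $1 =="
  printf '%s\n' "$data" | sources_for_rule "$1"
}

printf '%s\n' "$SAMPLE_LOG" | daily_summary FW-DROP-INPUT
```

On a real host, replace the sample with `grep 'FW-' /var/log/kern.log` for the day or week being reported. The hit counts only say which rules are matched most, not where they belong: a rule that blocks something specific still has to stay above any broader rule that would otherwise accept it, so reorder by count only among rules whose relative order does not change the decision. The summary's per-rule port and source breakdown is what the slide calls the entry-generating events.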

Managing Firewalls to Improve Safety

To improve firewall performance:
- Examine the firewall's default settings and stop unnecessary lookups and operations, such as host lookups, decryption, and logging
- Choose a system that has the fastest CPU available
- Ensure at least the minimum RAM amount, or more
- Test the firewall before and after it goes online
- Configure advanced firewall functions
- Improve the firewall by adding data caching and remote management, and by setting up load balancing

Installing and Configuring Check Point NG

- Check Point NG is one of a number of comprehensive enterprise-level firewalls
- Install Check Point NG on a computer running Windows 2000 Professional/Server, Windows NT, Sun Solaris, or Red Hat Linux; security components include Check Point Management NG, Policy Editor NG, Status Manager NG, Log Viewer NG, and Traffic Monitoring NG
- After installation, define the objects (gateway and computers) on the network to be protected
- Next, develop the security policy by establishing a set of packet filtering rules (rule base)

Installing and Configuring Microsoft ISA Server 2000

- Microsoft ISA Server 2000 is an enterprise-level firewall noted for its variety of proxy server functions, packet filtering, and NAT
- Install either the Standard or Enterprise version; during installation, choose a server mode (Multi-layer firewall, Web-cache, or Integrated), configure the cache, and set the addressing scheme
- After installation, create the security policy: select policy elements; configure clients and protocol rules
- Upon restart, the ISA Management Console enables setup of packet filtering and intrusion detection

Managing and Configuring iptables

- iptables enables users to configure packet filter rules for the Linux firewall Netfilter
- iptables enables Netfilter to perform stateful packet filtering and to filter on the full set of TCP flags
- iptables is a command-line tool and is used to set up logging, NAT, and port forwarding of packets
- iptables works with a set of rules; the rules are grouped together in the form of a chain, which is similar to a rule base; Linux uses multiple rule bases/chains, where one chain's action can activate a specific rule in another chain

Managing and Configuring iptables

- iptables has built-in chains that decide whether to accept, drop, queue, or return packets
- The OUTPUT chain reviews packets that originate internally with an external destination
- The INPUT chain is for packets that originate externally with an internal destination
- The FORWARD chain is used when a packet needs to be routed to another location
- iptables allows user-defined chain creation; these chains are created to meet custom needs using rule configuration commands
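The iptables slides above (built-in INPUT, OUTPUT and FORWARD chains, user-defined chains, stateful filtering, logging, NAT and port forwarding) come together in one rule base. The script below is an added example, not material from the textbook: it writes a complete ruleset in iptables-restore format so it can be read and checked before it is loaded, and it applies the earlier management advice by putting the stateful rule at the top of each chain, keeping a single rate-limited logging rule in a user-defined chain, and ending every built-in chain with a logged drop. The interface names, the internal network and the Web server address are assumptions made for the example.

```shell
#!/bin/sh
# Values below are assumptions for the example, not from the chapter.
LAN_IF="eth1"                 # assumed: interface facing the internal network
WAN_IF="eth0"                 # assumed: interface facing the Internet
LAN_NET="192.168.10.0/24"     # assumed: internal network (private range)
WEB_SERVER="192.168.10.80"    # assumed: internal host reached by port forwarding

# Emit the ruleset in iptables-restore format (comment lines are ignored by it).
build_ruleset() {
  cat <<EOF
*filter
# Built-in chains default to DROP: anything no rule accepts is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User-defined chain: log at a limited rate, then drop. Every chain jumps here,
# so there is one logging rule in the rule base instead of one per chain.
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
# Stateful rule first: most packets belong to an existing connection, so the
# common case is decided before the longer list below is scanned.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${LAN_IF} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -p udp --dport 53 -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${WEB_SERVER} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOGDROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -j LOGDROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forwarding: TCP/80 arriving on the external interface is rewritten to
# the internal Web server; the matching FORWARD rule above admits it.
-A PREROUTING -i ${WAN_IF} -p tcp --dport 80 -j DNAT --to-destination ${WEB_SERVER}:80
# NAT for outbound traffic from the internal network.
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# Number of rules appended to a chain.
rule_count() {
  build_ruleset | grep -c "^-A $1 "
}

# Target of the last rule in a chain.
last_target() {
  build_ruleset | awk -v chain="$1" '$1 == "-A" && $2 == chain { t = $NF } END { print t }'
}

# Review check: each built-in filter chain ends in a logged drop, so nothing
# falls through to the silent default policy.
check_ruleset() {
  for chain in INPUT FORWARD OUTPUT; do
    [ "$(last_target "$chain")" = "LOGDROP" ] || { echo "chain $chain does not end in LOGDROP" >&2; return 1; }
  done
  echo "ruleset ok: $(rule_count INPUT) INPUT, $(rule_count FORWARD) FORWARD, $(rule_count OUTPUT) OUTPUT rules"
}

check_ruleset
# To load on a Linux host, as root:  build_ruleset | iptables-restore
```

Loading with `iptables-restore` replaces the whole table atomically, which is easier to reason about than a sequence of `iptables -A` commands. Two habits from the management slides fit here: save the active configuration with `iptables-save` before each change so it can be restored (the disaster recovery point), and list rules with `iptables -nvL` so the listing does not perform the host lookups the performance slide warns about.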

Chapter Summary

This chapter discussed issues and techniques used to manage firewalls in a way that improves their performance and reinforces the effectiveness with which they protect a network. Sometimes, improving a firewall configuration involves the installation of a new component such as a proxy server. Firewall management is also realized by adjusting resources already in place, such as the rule base and log files.

A proxy server is software that processes traffic to and from the internal network and stores Web pages in a cache to speed up performance. Unlike packet filters, proxy servers can filter data at the application level by inspecting the contents of packets. They also shield hosts on the internal network, and log traffic headed outbound from internal hosts so that the activities of end users within the organization can be tracked. Proxy servers provide a high level of security because they prevent a direct connection between an external and an internal computer from ever occurring. One of their most powerful attributes is the ability to open up TCP/IP packets and make decisions based not just on their headers but on the data they contain. This gives proxies the ability to filter out pop-up windows, offensive text, advertising banners, or Java applets or other scripts that are embedded in Web pages.

Firewall performance can also be strengthened through ongoing management. Tightening and rearranging the rule base can speed up performance, as can managing log files in a way that reduces the load on the server and detects intrusion attempts. The rule base should be as short as possible and have the most important rules near the top of the list so the firewall processes data in the most efficient way.

A firewall's performance can also be improved by logging only the traffic that represents the most serious security concerns and by rotating log files before they consume too much disk space and slow down the host on which they reside. Log files that are saved in ODBC format can be viewed with an ODBC-compliant database so you can run reports on the data or study individual elements. It is also useful to prepare log file summaries - reports of log file activity for a specific period such as a day or a week - so you can share the information with your colleagues in a format that is easy to read and interpret.

Check Point NG is a suite of firewall modules that allow you to implement a security policy through stateful packet filtering, NAT, and authentication. Log file analysis, real-time monitoring, and remote management are also provided.

Microsoft ISA Server 2000 has several goals: the improvement of network security through traditional firewall filtering and NAT, and faster network performance through the caching of Web pages.

iptables is a built-in tool for creating packet filter rules. The program includes three built-in chains of filter rules that monitor inbound and outbound packets as well as packets that the firewall needs to forward to specific destinations.