Chapter 11
Ongoing Administration

Learning Objectives

- Learn how to evolve a firewall to meet new needs and threats
- Adhere to proven security principles to help the firewall protect network resources
- Use a remote management interface
- Track log files for security
- Follow basic initial steps in responding to security incidents
- Take advanced firewall functions into account when administering a firewall
Making Your Firewall Meet New Needs

- Throughput
- Scalability
- Security
- Recoverability
- Manageability
Verifying Resources Needed by the Firewall

- Ways to track memory and system resources
  - Use the formula:
    MemoryUsage = (ConcurrentConnections / AverageLifetime) * (AverageLifetime + 50 seconds) * 120
  - Use the software's own monitoring feature

Allocating More Memory
Identifying New Risks

- Monitor activities and review log files
- Check Web sites to keep informed of the latest dangers; install patches and updates
Adding Software Updates and Patches

- Test updates and patches as soon as you install them
- Ask vendors (of firewall, VPN appliance, routers, etc.) for notification when security patches are available
- Check the manufacturer's Web site for security patches and software updates

Using an Automated Update Feature

Obtaining Updates from the Vendor's Web Site
Adding Hardware

- Identify network hardware so the firewall can include it in routing and protection services
  - Different ways for different firewalls
- List workstations, routers, VPN appliances, and other gateways you add as the network grows
- Choose good passwords that you guard closely
Dealing with Complexity on the Network

- Distributed firewalls
  - Installed at endpoints of the network, including remote computers that connect to the network through VPNs
  - Add complexity
    - Require that you install and/or maintain a variety of firewalls located on your network and in remote locations
  - Add security
    - Protect the network from viruses or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)
Adhering to Proven Security Principles

- Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management
  - Secure the physical environment where firewall-related equipment is housed
  - Importance of locking software so that unauthorized users cannot access it
Environmental Management

- Measures taken to reduce risks to the physical environment where resources are stored
  - Back-up power systems overcome power outages
  - Back-up hardware and software help recover network data and services in case of equipment failure
  - Sprinkler/alarm systems reduce damage from fire
  - Locks guard against theft
BIOS, Boot, and Screen Locks

- BIOS and boot-up passwords
- Supervisor passwords
- Screen saver passwords
Using a Remote Management Interface

- Software that enables you to configure and monitor firewall(s) located at different network locations
- Used to start/stop the firewall or change the rulebase from locations other than the primary computer
Why Remote Management Tools Are Important

- Reduce time and make the job easier for the security administrator
- Reduce the chance of configuration errors that might result if the same changes were made manually for each firewall on the network
Security Concerns with Remote Management Tools

- Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems
  - Offers strong security controls (e.g., multi-factor authentication and encryption)
  - Should have an auditing feature
  - Should use tunneling to connect to the firewall or use certificates for authentication
- Evaluate SIM software to ensure it does not introduce new vulnerabilities
Basic Features Required of Remote Management Tools

- Ability to monitor and configure firewalls from a single centralized location
  - View and change firewall status
  - View the firewall's current activity
  - View any firewall event or alert messages
- Ability to start and stop firewalls as needed
Tracking Contents of Log Files for Security

- Reviewing log files can help detect break-ins that have occurred and possibly help track down intruders
- Tips for managing log files
  - Prepare usage reports
  - Watch for suspicious events
  - Automate security checks
Preparing Usage Reports

- Sort logs by time of day and per hour
- Check logs to learn when peak traffic times are on the network
- Identify services that consume the largest part of available bandwidth
Suspicious Events to Watch For

- Rejected connection attempts
- Denied connections
- Error messages
- Dropped packets
- Successful logons to critical resources
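As an added example (not from the slides), the two log-review tasks above, an hourly usage report and a suspicious-event sweep, run over a few constructed firewall log lines; the key=value layout, the CRITICAL_HOSTS set and the burst threshold are assumptions, not any vendor's format:

```python
import re
from collections import Counter, defaultdict
# Constructed sample log in an assumed key=value layout (not a real vendor format).
SAMPLE_LOG = """\
2024-05-01 08:15:02 action=accept src=10.0.0.5 dst=203.0.113.10 service=http bytes=52000
2024-05-01 09:02:45 action=drop src=198.51.100.9 dst=10.0.0.1 service=telnet bytes=0
2024-05-01 09:03:01 action=drop src=198.51.100.9 dst=10.0.0.1 service=ssh bytes=0
2024-05-01 09:03:05 action=reject src=198.51.100.9 dst=10.0.0.1 service=ftp bytes=0
2024-05-01 09:30:00 action=accept src=10.0.0.5 dst=203.0.113.10 service=http bytes=120000
2024-05-01 09:40:11 action=accept src=10.0.0.7 dst=203.0.113.20 service=smtp bytes=8000
2024-05-01 09:45:12 action=accept src=10.0.0.9 dst=10.0.0.1 service=ssh bytes=3000 login=ok
2024-05-01 10:05:00 action=error src=- dst=- service=- bytes=0 msg="log partition 95% full"
"""
LINE_RE = re.compile(r"^(\S+) (\d\d):\d\d:\d\d (.*)$")
CRITICAL_HOSTS = {"10.0.0.1"}   # assumption: the firewall management host

def parse(log_text):
    """Yield one dict per line: the hour plus every key=value field."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        rec = {"hour": int(m.group(2))}
        for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
            rec[key] = val.strip('"')
        yield rec

def usage_report(log_text):
    """Accepted connections per hour, the peak hour, and the busiest service by bytes."""
    per_hour, per_service = Counter(), Counter()
    for rec in parse(log_text):
        if rec["action"] == "accept":
            per_hour[rec["hour"]] += 1
            per_service[rec["service"]] += int(rec["bytes"])
    return {"per_hour": dict(per_hour), "peak_hour": max(per_hour, key=per_hour.get),
            "top_service": per_service.most_common(1)[0][0]}

def suspicious_events(log_text, threshold=3):
    """Flag drop/reject bursts per source, error messages, and logons to critical hosts."""
    denied, flags = defaultdict(int), []
    for rec in parse(log_text):
        if rec["action"] in ("drop", "reject", "deny"):
            denied[rec["src"]] += 1
        elif rec["action"] == "error":
            flags.append(("error", rec.get("msg", "")))
        elif rec["action"] == "accept" and rec["dst"] in CRITICAL_HOSTS and rec.get("login") == "ok":
            flags.append(("critical_logon", rec["src"]))
    flags += [("denied_burst", src) for src, n in denied.items() if n >= threshold]
    return flags
```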
Responding to Suspicious Events

- Firewall options
  - Block only this connection
  - Block access from this source
  - Block access to this destination
- Track the attacks
- Locate and prosecute the offenders
Tools for Tracking Attacks

- Sam Spade
- Netstat
- NetCat
Compiling Legal Evidence

- Identify which computer or media may contain evidence
- Shut down the computer and isolate the work area until a computer forensic specialist arrives
- Write-protect removable media
- Preserve evidence (make a mirror image) so it is not manipulated
- Then:
  1. Examine the mirror image, not the original
  2. Review log files and other data; report findings to management
  3. Preserve evidence by making a "forensically sound" copy
- Observe the three As of computer forensics
  - Acquire
  - Authenticate
  - Analyze
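An added example (not from the slides) of the three As on a constructed evidence file: acquire a byte-for-byte image and make both copies read-only, authenticate the image by comparing SHA-256 hashes before any analysis, and analyze only the image. The marker string, file layout and chain-of-custody record format are assumptions:

```python
import hashlib, os, shutil, tempfile, time
MARKER = b"dropper.exe"   # constructed string to search for during analysis

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(original, image_dir):
    """Acquire: byte-for-byte copy, then make both files read-only."""
    image = os.path.join(image_dir, os.path.basename(original) + ".img")
    shutil.copyfile(original, image)
    for p in (original, image):
        os.chmod(p, 0o444)        # later steps must not alter either copy
    return image

def authenticate(original, image):
    """Authenticate: the image counts as evidence only if its hash equals the original's."""
    return sha256_of(original) == sha256_of(image)

def analyze(image, marker=MARKER):
    """Analyze on the image, never the original: offsets where the marker occurs."""
    data = open(image, "rb").read()
    offsets, pos = [], data.find(marker)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(marker, pos + 1)
    return offsets

def run_three_as(original, image_dir):
    """Acquire -> Authenticate -> Analyze; return a chain-of-custody record."""
    image = acquire(original, image_dir)
    if not authenticate(original, image):
        raise RuntimeError("image hash differs from original: do not analyze it")
    return {"image": image, "sha256": sha256_of(image), "hits": analyze(image),
            "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}

def verify_later(record):
    """Re-check the image against the recorded hash before any later review."""
    return sha256_of(record["image"]) == record["sha256"]

def make_sample_evidence():
    """Constructed evidence file (two marker occurrences) in a temp directory."""
    d = tempfile.mkdtemp()
    original = os.path.join(d, "evidence.bin")
    with open(original, "wb") as f:
        f.write(b"HEADER" + b"\x00" * 32 + MARKER + b"\x00" * 8 + MARKER)
    return original, d
```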
Automating Security Checks

- Outsource firewall management
Security Breaches Will Happen!

- Use software designed to detect attacks and send alert notifications
- Take countermeasures to minimize damage
- Take steps to prevent future attacks
Using an Intrusion Detection System (IDS)

- Detects whether a network or server has experienced an unauthorized access attempt
- Sends notification to the appropriate network administrators
- Considerations when choosing
  - Location
  - Intrusion events to be gathered
- Network-based versus host-based IDS
- Signature-based versus heuristic IDS
Network-Based IDS

- Tracks traffic patterns on an entire network segment
- Collects raw network packets; looks at packet headers; determines the presence of known signatures that match common intrusion attempts; takes action based on contents
- Good choice if the network has been subject to malicious activity (e.g., port scanning)
- Usually OS-independent
- Minimal impact on network performance
Host-Based IDS

- Collects data from the individual computer on which it resides
- Reviews audit and system logs, looking for signatures
- Can perform intrusion detection in a network where traffic is usually encrypted
- Needs no additional hardware
- Cannot detect port scans or other intrusion attempts that target the entire network
Signature-Based IDS

- Stores signature information in a database
  - Database requires periodic updating
- Can work with either host-based or network-based IDS
- Often closely tied to specific hardware and operating system
- Provides fewer false alarms than heuristic IDS
Heuristic IDS

- Compares traffic patterns against "normal activity" and sets off an alarm if the pattern deviates
- Can identify any possible attack
- Generates a high rate of false alarms
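An added example (not from the slides) that runs a signature-based and a heuristic detector over the same constructed five-minute window of connection records, showing the trade-off the last two slides describe: the signature engine catches only what is in its database, while the rate heuristic also flags an unknown probe but raises a false alarm on a busy but legitimate backup host. The signatures, baseline and traffic are all constructed:

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed signature database (slide: "requires periodic updating"):
# (protocol, destination port, exact payload) -> signature name.
SIGNATURES = {("tcp", 23, b"login:"): "telnet-banner-probe",
              ("tcp", 80, b"GET /../../"): "path-traversal"}
# Constructed baseline: connections per minute per host during normal activity.
BASELINE_PER_MIN = [2, 3, 2, 4, 3, 2, 3, 2]

def signature_ids(events):
    """Signature-based: alert only on an exact match in the database.
    Few false alarms, but an attack with no stored signature is missed."""
    alerts = []
    for ev in events:
        name = SIGNATURES.get((ev["proto"], ev["dport"], ev["payload"]))
        if name:
            alerts.append((ev["src"], name))
    return alerts

def heuristic_ids(baseline, events, window_min, k=3.0):
    """Heuristic: alert when a source's connection rate in the window
    exceeds the baseline mean by more than k standard deviations."""
    mu, sigma = mean(baseline), pstdev(baseline)
    per_src = Counter(ev["src"] for ev in events)
    return [(src, "rate-anomaly") for src, n in per_src.items()
            if n / window_min > mu + k * sigma]

def make_events():
    """Constructed 5-minute window: one host touching 30 ports, a chatty but
    legitimate backup server, normal browsing, and one signature-matching request."""
    ev = [{"src": "198.51.100.9", "proto": "tcp", "dport": p, "payload": b""}
          for p in range(1, 31)]
    ev += [{"src": "10.0.0.20", "proto": "tcp", "dport": 445, "payload": b""}] * 25
    ev += [{"src": "10.0.0.5", "proto": "tcp", "dport": 80, "payload": b"GET /"}] * 10
    ev.append({"src": "203.0.113.7", "proto": "tcp", "dport": 80,
               "payload": b"GET /../../"})
    return ev
```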
Receiving Security Alerts

- A good IDS:
  - Notifies the appropriate individuals (e.g., via e-mail, alert, pager, or log)
  - Provides information about the type of event
  - Provides information about where in the network the intrusion attempt took place
When an Intrusion Occurs

- React rationally; don't panic
- Use alerts to begin the assessment
- Analyze what resources were hit and what damage occurred
  - Perform real-time analysis of network traffic to detect unusual patterns
  - Check to see if any ports that are normally unused have been accessed
- Use a network auditing tool (e.g., Tripwire)
During and After Intrusion

- Document the existence of:
  - Executables that were added to the system
  - Files that were
    - Placed on the computer
    - Deleted
    - Accessed by unauthorized users
  - Web pages that were defaced
  - E-mail messages that were sent as a result of the attack
- Document your response to the intrusion
Configuring Advanced Firewall Functions

- Ultimate goal
  - High availability
  - Scalability
- Advanced firewall functions
  - Data caching
  - Redundancy
  - Load balancing
  - Content filtering
Data Caching

- Set up a server that will
  - Receive requests for URLs
  - Filter those requests against different criteria
- Options
  - No caching
  - URI Filtering Protocol (UFP) server
  - VPN & Firewall (one request)
  - VPN & Firewall (two requests)
Hot Standby Redundancy

- Secondary or failover firewall is configured to take over traffic duties in case the primary firewall fails
- Usually involves two firewalls; only one operates at any given time
- The two firewalls are connected in a heartbeat network
- Advantages
  - Ease and economy of setup, and the quick back-up system it provides for the network
  - One firewall can be stopped for maintenance without stopping network traffic
- Disadvantages
  - Does not improve network performance
  - VPN connections may or may not be included in the failover system
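An added example (not from the slides) of the heartbeat logic behind a hot standby pair: the secondary stays passive while heartbeats arrive, takes over after a fixed number of missed beats, and hands traffic back when the primary returns. Interval, miss limit and the replay helper are assumptions:

```python
class StandbyFirewall:
    """Secondary node of a hot standby pair. It forwards traffic only after
    the primary misses `miss_limit` consecutive heartbeats; `now` is injected
    so the logic can be replayed deterministically."""
    def __init__(self, interval=1.0, miss_limit=3):
        self.interval, self.miss_limit = interval, miss_limit
        self.last_beat = None
        self.active = False       # only one of the pair forwards traffic at a time
        self.log = []

    def heartbeat(self, now):
        """Called when a heartbeat from the primary arrives on the heartbeat network."""
        self.last_beat = now
        if self.active:           # primary is back: hand traffic back to it
            self.active = False
            self.log.append((now, "primary restored; standby passive"))

    def tick(self, now):
        """Called periodically; decide whether the primary has failed."""
        if self.last_beat is None:
            return self.active    # never heard from the primary: stay passive
        missed = int((now - self.last_beat) // self.interval)
        if missed >= self.miss_limit and not self.active:
            self.active = True
            self.log.append((now, f"failover after {missed} missed heartbeats"))
        return self.active

def simulate(beats, ticks, **kw):
    """Replay timestamped heartbeats and timer ticks; return (final_active, log).
    Stopping the primary for maintenance looks identical to a failure here."""
    fw = StandbyFirewall(**kw)
    events = sorted([(t, "beat") for t in beats] + [(t, "tick") for t in ticks])
    for t, kind in events:
        fw.heartbeat(t) if kind == "beat" else fw.tick(t)
    return fw.active, fw.log
```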
Load Balancing

- Practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems
- Load sharing
  - Practice of configuring two or more firewalls to share the total traffic load
- Traffic between firewalls is distributed by routers using special routing protocols
  - Open Shortest Path First (OSPF)
  - Border Gateway Protocol (BGP)

Load Sharing

- Advantages
  - Improves total network performance
  - Maintenance can be performed on one firewall without disrupting total network traffic
- Disadvantages
  - Load is usually distributed unevenly (can be remedied by using layer four switches)
  - Configuration can be complex to administer
Filtering Content

- Firewalls don't scan for viruses but can work with third-party applications to scan for viruses or perform other functions
  - Open Platform for Security (OPSEC) model
  - Content Vectoring Protocol (CVP)

Filtering Content Guidelines

- Install anti-virus software on the SMTP gateway in addition to providing desktop anti-virus protection for each computer
- Choose an anti-virus gateway product that:
  - Provides for content filtering
  - Can be updated regularly to account for recent viruses
  - Can scan the system in real time
  - Has detailed logging capabilities
Chapter Summary

- How to expand a firewall to meet new needs
- Importance of observing fundamental principles of network security when maintaining the firewall
- Importance of being able to manage the firewall remotely and having log files for review
- Responding to security incidents
- Advanced firewall functions