Alan C. Horn ahorn@inktomi.com
A firewall defined
Policy
Choices in firewall design and implementation
Case study: XYZ Corp.
Questions
A device which explicitly controls network access to your computer network.
A device which allows you to monitor the type of traffic passing in and out of your network and react accordingly.
A complete security management strategy
A guarantee of security
A power base
An effective tool for preventing network intrusion
A positive PR device
An empowering project
A barrier between you and the internet (some people may not like this)
Well... you do.
Write the policy first
Protect yourself while the policy is being created
Implicit policy
Internal operating policy
Part of a larger framework
What should a good policy contain?
Complete definition of what is and what is not allowed.
An incident escalation procedure
An incident handling plan, perhaps for specific types of incidents as well (e.g. virus, network probe, etc)
A privacy statement
Should be legally enforceable and reviewed by legal counsel
A change control process for the document itself
Contact information
A clearly realized security policy
A reliable, mostly secure operating system
A physically secure location
Network layer access control (filtering)
Logging facilities
Alerting facilities
A fail-closed design (if the firewall or its filtering fails, nothing passes)
Good management tools
Familiarity
Security track record
Supported facilities
Cost
Reliability
Unix or Windows or something else?
Use the information resources out there
Access must be controlled by some mechanism
Access must be restricted
Access must be audited and logged
Usually a data center with a locked cabinet or a restricted-access room.
Reliability again
Vendor or roll your own?
Check Point FireWall-1 on Solaris
Cisco PIX
Check Point FireWall-1 on Nokia IP series
Gauntlet
Raptor
Microsoft Solution
Vendor OS with your own solution on top
Roll your own
Linux
Net/Open/FreeBSD
Windows + free software
The names have been changed to protect the innocent
General policy is deny all and explicitly allow what is needed
We need to provide email, web browsing services at a minimum to the enterprise
There are some specialist business processes which will need individual attention to access needs
We will detect and log intrusion attempts ("detects") and investigate them on a regular basis
We have a defined escalation procedure
We have a defined incident response plan
Knowledgeable technical people on staff
Has the required features available
Lower capital cost (PC hardware available in house)
Network topology analysis
Spec and build hardware
OS installation
OS hardening process
Adding other required features
Testing phase
Start a log book
Install off the main network
Install as per the OS instructions
Gather advisories and/or latest patches and apply accordingly
Turn off all non-essential services
Make sure all accounts have adequate passwords or are disabled
Also remember ftp (even though the service is turned off)
Do not trust the network or other systems in any way (no host-equivalence trust such as rhosts/shosts, no NIS; NTP is probably ok?)
Consider how to log activity (locally, to another machine ?)
Determine which filesystems may be mounted read-only and do so. Hardwire the read-only if possible
After you're finished, consider running host-based and network-based security checking tools to confirm you've covered everything.
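As an added example (not part of the original presentation), the following Python script checks two of the hardening points above on a freshly installed host: that every account either has a password hash or is locked, that no second UID-0 account exists, and that no rhosts-style trust files are present. The passwd/shadow contents and the directory tree it scans are constructed here so it runs offline; the account names are made up.

```python
"""Post-install account and trust-file audit for a freshly hardened host.

Added example, not from the presentation.  It checks two of the hardening
points above:
  * every account either has a password hash or is locked (a shadow entry
    whose password field is empty lets anyone log in with no password,
    and a second UID-0 account is a classic backdoor);
  * no host-based trust is configured (/etc/hosts.equiv, /etc/shosts.equiv,
    ~/.rhosts, ~/.shosts).
The passwd/shadow contents and the directory tree are constructed so the
example runs offline; the account names are made up.
"""
import os
import shutil
import tempfile

LOCKED_PREFIXES = ("*", "!", "NP")   # *LK*, *, !, !!, NP all mean "no login"
NOLOGIN_SHELLS = {"", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/dev/null"}


def parse_colon_file(text):
    """Map the first field (username) to the list of fields, skipping comments."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text):
    """Return (user, finding) pairs for accounts that need attention."""
    findings = []
    shadow = parse_colon_file(shadow_text)
    for user, pw in parse_colon_file(passwd_text).items():
        uid, shell = pw[2], (pw[6] if len(pw) > 6 else "")
        if uid == "0" and user != "root":
            findings.append((user, "UID0_ACCOUNT"))
        sh = shadow.get(user)
        pwhash = sh[1] if sh else pw[1]
        if pwhash == "":
            findings.append((user, "EMPTY_PASSWORD"))
        elif pwhash.startswith(LOCKED_PREFIXES):
            continue                                  # locked: fine
        elif shell not in NOLOGIN_SHELLS:
            findings.append((user, "ENABLED_LOGIN"))  # verify password quality
    return findings


def find_trust_files(root):
    """List rhosts-style trust files below root (root stands in for '/')."""
    hits = [rel for rel in ("etc/hosts.equiv", "etc/shosts.equiv", ".rhosts", ".shosts")
            if os.path.isfile(os.path.join(root, rel))]
    home_root = os.path.join(root, "home")
    if os.path.isdir(home_root):
        for home in sorted(os.listdir(home_root)):
            for name in (".rhosts", ".shosts"):
                if os.path.isfile(os.path.join(home_root, home, name)):
                    hits.append(f"home/{home}/{name}")
    return hits


# Constructed Solaris-style passwd and shadow contents (not real hashes).
PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
nobody:x:60001:60001:Nobody:/:
ftp:x:30:30:Anonymous FTP:/home/ftp:/bin/false
alan:x:1001:10:Alan Horn:/home/alan:/bin/ksh
guest:x:1002:10:Guest:/home/guest:/bin/sh
toor:x:0:0:Backup superuser:/:/bin/sh
"""
SHADOW = """\
root:$1$s4lt$fakehashfakehashfake:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
nobody:*LK*:6445::::::
ftp:*LK*:6445::::::
alan:$1$s4lt$anotherfakehashhere:6445::::::
guest::6445::::::
toor:$1$s4lt$yetanotherfakehash0:6445::::::
"""


def demo_trust_files():
    """Build a tree with a hosts.equiv and one user .rhosts, then audit it."""
    root = tempfile.mkdtemp()
    try:
        for rel in ("etc/hosts.equiv", "home/alan/.rhosts", "home/guest/.profile"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return find_trust_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for user, finding in audit_accounts(PASSWD, SHADOW):
        print(f"{finding:15} {user}")
    print("trust files:", demo_trust_files())
```

On the constructed data the audit flags guest (empty password field), toor (a second UID 0 account) and the enabled interactive accounts root, alan and toor whose passwords must be checked; the locked system accounts and the ftp account are skipped. The ENABLED_LOGIN list is exactly the set an attacker would try to guess passwords for, so it should be as short as possible on a firewall host.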
Enable IP Filter, build rulesets to match policy
Prepare integrity-auditing software such as Tripwire
Add proxy software if desired
The core operational tool in this design
Allows us to filter packets by a rules-based language, very versatile
Portable code, cross-platform
Maintains state for TCP, UDP and ICMP; since UDP and ICMP have no connection setup, their state entries expire after a timeout window
Allows for packet redirection (honey-pots)
Rules are processed from top to bottom in the config file
The decision on whether to pass the packet is made by the last rule matched, unless a matching rule carries the quick keyword, which stops processing at that rule
IP and transport-layer headers carry distinct fields that rules can match on:
Source IP address
Source port
Packet flags
Specified interfaces
Inbound and outbound
Destination IP address
Destination port
Special keywords
Network subnet masks
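As an added illustration of the rule-ordering semantics described above (this is not code from the presentation, and only models a subset of ipf syntax), here is a small Python evaluator that reads ipf-style rules, applies "last match wins" unless a rule says quick, and runs the XYZ Corp. deny-all policy against a few constructed packets. The outside interface name le0, the inside network 192.168.1.0/24 and the mail host 192.168.1.10 are assumptions.

```python
"""Toy model of IP Filter (ipf) rule evaluation.

Added example, not code from the presentation: rules are read top to
bottom and the LAST matching rule decides the packet's fate, unless a
matching rule carries 'quick', which ends evaluation at that rule.  A
packet that matches no rule at all is passed, which is why a deny-all
policy starts with 'block in all' / 'block out all'.

Only a subset of ipf syntax is understood: action, in/out, quick,
'on <iface>', 'proto <p>', 'from'/'to' with an address, 'any' or a
prefix, and 'port = N' on the destination.  'flags S' and 'keep state'
are accepted but not modelled.  The interface name le0 and the
addresses below are assumptions for the XYZ Corp. case study.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str  # "in" or "out", relative to the firewall
    iface: str
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


def parse_rule(line):
    toks = line.split()
    rule = {"action": toks[0], "direction": toks[1], "quick": False,
            "iface": None, "proto": None, "src": None, "dst": None,
            "dport": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule["quick"] = True
            i += 1
        elif t in ("on", "proto"):
            rule["iface" if t == "on" else "proto"] = toks[i + 1]
            i += 2
        elif t in ("from", "to"):
            key = "src" if t == "from" else "dst"
            addr = toks[i + 1]
            rule[key] = None if addr == "any" else ipaddress.ip_network(addr, strict=False)
            i += 2
            if i + 2 < len(toks) and toks[i] == "port" and toks[i + 1] == "=":
                if key == "dst":
                    rule["dport"] = int(toks[i + 2])
                i += 3
        elif t in ("flags", "keep"):
            i += 2   # 'flags S' / 'keep state': accepted, not modelled
        else:
            i += 1   # e.g. 'all'
    return rule


def matches(rule, pkt):
    if rule["direction"] != pkt.direction:
        return False
    if rule["iface"] and rule["iface"] != pkt.iface:
        return False
    if rule["proto"] and rule["proto"] != pkt.proto:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    return True


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def decide(rules, pkt):
    """Return (action, index of the deciding rule) under ipf semantics."""
    verdict = ("pass", None)            # nothing matched: ipf lets it through
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict = (rule["action"], idx)
            if rule["quick"]:
                break                   # 'quick' stops the search here
    return verdict


# Constructed ruleset for the case study: deny all, allow SMTP to/from the
# mail host and outbound web, and drop spoofed packets that claim an
# inside source address on the outside interface.  The last two rules
# show ordering: the later 'block' overrides the earlier 'pass'.
XYZ_RULES = load_rules("""
block in all
block out all
block in quick on le0 from 192.168.1.0/24 to any
pass in on le0 proto tcp from any to 192.168.1.10/32 port = 25 flags S keep state
pass out on le0 proto tcp from 192.168.1.10/32 to any port = 25 flags S keep state
pass out on le0 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state
pass in on le0 proto tcp from any to 192.168.1.0/24 port = 23
block in on le0 proto tcp from any to 192.168.1.0/24 port = 23
""")

if __name__ == "__main__":
    samples = [
        Packet("in", "le0", "tcp", "203.0.113.5", "192.168.1.10", 25),   # SMTP to mail host
        Packet("in", "le0", "tcp", "192.168.1.7", "192.168.1.10", 25),   # spoofed source
        Packet("out", "le0", "tcp", "192.168.1.33", "198.51.100.1", 80), # outbound web
        Packet("in", "le0", "tcp", "203.0.113.5", "192.168.1.20", 23),   # telnet: last rule wins
    ]
    for p in samples:
        print(p, "->", decide(XYZ_RULES, p))
```

Two points the run makes concrete: the spoofed SMTP packet would be passed by the later mail rule if the anti-spoofing rule were not marked quick, and a rule set with no block-all entries passes anything that matches nothing, so the deny-all lines at the top are what implement the policy.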
Tripwire is a file and directory integrity checker
It used to be free; there is now a commercial version, but the free one still exists.
It detects modification to files by comparing to a previously generated database
Proper management essential
Reference databases and config files MUST live on read-only media, although the database has to be made writeable while it is being updated.
Suggestions are in the software for files to watch.
/etc, /bin, /sbin, /usr/bin, /usr/sbin, /dev, root's dotfiles, system dotfiles, any other local binary paths, and any setuid binaries that are essential and cannot be removed.
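To show what the comparison against a previously generated database actually involves, here is an added, minimal Tripwire-style checker in Python (not Tripwire's own code). It baselines the SHA-256 digest, size and permission bits of every regular file under the watched directories, saves that database, and later reports files that were added, removed or changed. The /etc and /bin tree it scans is constructed in a temporary directory so the example runs offline.

```python
"""Minimal Tripwire-style file integrity checker.

Added example, not Tripwire's own code: build a baseline database of
SHA-256 digest, size and permission bits for every regular file under the
watched directories, store it, and later compare a fresh scan against it
to report added, removed and changed files.  The directory tree in demo()
is constructed so the example runs offline; a real deployment would keep
the database and this script on read-only media, as the text says.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_record(path):
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_database(watch_dirs):
    db = {}
    for top in watch_dirs:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue   # symlinks/devices would need their own record type
                db[path] = file_record(path)
    return db


def save_database(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_database(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Baseline a constructed /etc and /bin, tamper with them, and report."""
    root = tempfile.mkdtemp()
    try:
        files = {"etc/passwd": b"root:x:0:0::/:/sbin/sh\n",
                 "etc/motd": b"authorized use only\n",
                 "bin/ls": b"\x7fELF fake ls binary",
                 "bin/su": b"\x7fELF fake su binary"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        watch = [os.path.join(root, "etc"), os.path.join(root, "bin")]
        dbfile = os.path.join(root, "tw.db")   # kept outside the watched dirs
        save_database(build_database(watch), dbfile)

        # Simulated intrusion: extra root account, permission change,
        # dropped tool, deleted banner.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"toor:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(root, "bin/su"), 0o444)
        with open(os.path.join(root, "bin/nc"), "wb") as f:
            f.write(b"backdoor")
        os.remove(os.path.join(root, "etc/motd"))

        report = compare(load_database(dbfile), build_database(watch))
        return {k: [os.path.relpath(p, root).replace(os.sep, "/") for p in v]
                for k, v in report.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Note that the permission change on bin/su is caught even though its contents are unchanged, which is why the record keeps mode bits alongside the digest; a setuid bit added to an existing binary is one of the modifications worth watching for. The checker only finds what it is told to watch, and it is only trustworthy if the database and the checker itself cannot be altered by whoever altered the files.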
Come up with a test plan that makes sure all policy is adhered to, and that the firewall does only what is asked and nothing more.
Consider building a small test network with an inside and outside and pass traffic across
Consider tiger-team style attacks (penetration tests)
When satisfied that you will not disrupt legitimate operations, deploy.
Do a final check of the system and return it to a non-test state ready for deployment.
Baseline the system and do a golden backup
Somebody, somewhere, will be inconvenienced by what you do when the firewall goes into service.
Observe the firewall for several weeks, fine-tuning the filtering and logging to reach a balance between responsiveness and information overload.
Response plan
Disaster planning
Redundancy
Change control
Security awareness and training
Upgrades
These presentations should not be duplicated, or used without prior permissions. Please contact Alan Horn at ahorn@deorth.org for information about reusing this work.