Ongoing Administration (Chapter 11)

Learning Objectives
• Learn how to evolve a firewall to meet new needs and threats
• Adhere to proven security principles to help the firewall protect network resources
• Use a remote management interface
• Track log files for security

Learning Objectives (continued)
• Follow basic initial steps in responding to security incidents
• Take advanced firewall functions into account when administering a firewall

Making Your Firewall Meet New Needs
• Throughput
• Scalability
• Security
• Recoverability
• Manageability

Verifying Resources Needed by the Firewall
• Ways to track memory and system resources:
  • Use the formula: MemoryUsage = ((ConcurrentConnections) / (AverageLifetime)) * (AverageLifetime + 50 seconds) * 120
  • Use the software's own monitoring feature
Identifying New Risks
• Monitor activities and review log files
• Check Web sites to keep informed of the latest dangers; install patches and updates

Adding Software Updates and Patches
• Test updates and patches as soon as you install them
• Ask vendors (of firewall, VPN appliance, routers, etc.) for notification when security patches are available
• Check the manufacturer's Web site for security patches and software updates

Adding Hardware
• Identify network hardware so the firewall can include it in routing and protection services
• Different ways for different firewalls
• List workstations, routers, VPN appliances, and other gateways you add as the network grows
• Choose good passwords that you guard closely

Dealing with Complexity on the Network
• Distributed firewalls
  • Installed at endpoints of the network, including remote computers that connect to the network through VPNs
  • Add complexity: require that you install and/or maintain a variety of firewalls located on your network and in remote locations
  • Add security: protect the network from viruses or other attacks that can originate from machines that use VPNs to connect (e.g., remote laptops)
Adhering to Proven Security Principles
• Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management
• Secure the physical environment where firewall-related equipment is housed
• Importance of locking software so that unauthorized users cannot access it

Environmental Management
• Measures taken to reduce risks to the physical environment where resources are stored
• Back-up power systems overcome power outages
• Back-up hardware and software help recover network data and services in case of equipment failure
• Sprinkler/alarm systems reduce damage from fire
• Locks guard against theft

BIOS, Boot, and Screen Locks
• BIOS and boot-up passwords
• Supervisor passwords
• Screen saver passwords
Using a Remote Management Interface
• Software that enables you to configure and monitor firewall(s) located on different network locations
• Used to start/stop the firewall or change the rulebase from locations other than the primary computer

Why Remote Management Tools Are Important
• Reduce time and make the job easier for the security administrator
• Reduce the chance of configuration errors that might result if the same changes were made manually for each firewall on the network

Security Concerns with Remote Management Tools
• Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems
• Offers strong security controls (e.g., multi-factor authentication and encryption)
• Should have an auditing feature
• Should use tunneling to connect to the firewall or use certificates for authentication
• Evaluate SIM software to ensure it does not introduce new vulnerabilities

Basic Features Required of Remote Management Tools
• Ability to monitor and configure firewalls from a single centralized location
• View and change firewall status
• View the firewall's current activity
• View any firewall event or alert messages
• Ability to start and stop firewalls as needed
Tracking Contents of Log Files for Security
• Reviewing log files can help detect break-ins that have occurred and possibly help track down intruders
• Tips for managing log files:
  • Prepare usage reports
  • Watch for suspicious events
  • Automate security checks

Preparing Usage Reports
• Sort logs by time of day and per hour
• Check logs to learn when peak traffic times are on the network
• Identify services that consume the largest part of available bandwidth

Suspicious Events to Watch For
• Rejected connection attempts
• Denied connections
• Error messages
• Dropped packets
• Successful logons to critical resources
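The usage report and suspicious-event review described in the last three slides, as an added example (not from the chapter or any vendor product). It assumes a simple key=value firewall log format and a list of critical hosts; the log lines below are constructed.

```python
from collections import Counter
import re

# Constructed sample log in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-03-01T08:02:11 action=accept src=10.0.0.5 dst=203.0.113.10 service=http bytes=5120
2024-03-01T08:15:40 action=accept src=10.0.0.7 dst=203.0.113.22 service=https bytes=90112
2024-03-01T09:01:03 action=drop src=198.51.100.9 dst=10.0.0.2 service=telnet bytes=0
2024-03-01T09:01:04 action=drop src=198.51.100.9 dst=10.0.0.2 service=ssh bytes=0
2024-03-01T09:30:15 action=reject src=198.51.100.9 dst=10.0.0.3 service=smtp bytes=0
2024-03-01T09:45:00 action=accept src=10.0.0.9 dst=10.0.0.2 service=ssh bytes=2048 user=admin
2024-03-01T14:10:22 action=accept src=10.0.0.5 dst=203.0.113.10 service=http bytes=40960
2024-03-01T14:11:02 action=accept src=10.0.0.6 dst=203.0.113.40 service=https bytes=120000
"""

CRITICAL_HOSTS = {"10.0.0.2"}          # assumed: the resources whose logons we track
LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.*)")

def parse(log_text):
    """Turn each line into a dict: the key=value fields plus hour and byte count."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than abort the report
        rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
        rec["ts"] = m.group("ts")
        rec["hour"] = int(m.group("ts")[11:13])
        rec["bytes"] = int(rec.get("bytes", 0))
        records.append(rec)
    return records

def usage_report(records):
    """Connections per hour, the peak hour, and the services using the most bandwidth."""
    per_hour = Counter(r["hour"] for r in records)
    by_service = Counter()
    for r in records:
        by_service[r["service"]] += r["bytes"]
    return {"per_hour": dict(per_hour),
            "peak_hour": max(per_hour, key=per_hour.get),
            "top_services": by_service.most_common(3)}

def suspicious_events(records):
    """Flag rejected/denied/dropped traffic and successful logons to critical resources."""
    flagged = []
    for r in records:
        if r["action"] in ("drop", "reject", "deny"):
            flagged.append((r["ts"], r["action"], r["src"], r["dst"], r["service"]))
        elif r["action"] == "accept" and r["dst"] in CRITICAL_HOSTS and "user" in r:
            flagged.append((r["ts"], "logon-critical", r["src"], r["dst"], r["service"]))
    return flagged
```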
Responding to Suspicious Events
• Firewall options:
  • Block only this connection
  • Block access of this source
  • Block access to this destination
• Track the attacks
• Locate and prosecute the offenders

Tools for Tracking Attacks
• Sam Spade
• Netstat
• NetCat
Compiling Legal Evidence
• Identify which computer or media may contain evidence
• Shut down the computer and isolate the work area until a computer forensic specialist arrives
• Write-protect removable media
• Preserve evidence (make a mirror image) so it is not manipulated

Compiling Legal Evidence (continued)
• Examine the mirror image, not the original
• Review log files and other data; report findings to management
• Preserve evidence by making a "forensically sound" copy

Compiling Legal Evidence (continued)
• Observe the three As of computer forensics:
  • Acquire
  • Authenticate
  • Analyze
Automating Security Checks
• Outsource firewall management

Security Breaches Will Happen!
• Use software designed to detect attacks and send alert notifications
• Take countermeasures to minimize damage
• Take steps to prevent future attacks

Using an Intrusion Detection System (IDS)
• Detects whether a network or server has experienced an unauthorized access attempt
• Sends notification to appropriate network administrators
• Considerations when choosing:
  • Location
  • Intrusion events to be gathered
  • Network-based versus host-based IDS
  • Signature-based versus heuristic IDS
Network-Based IDS
• Tracks traffic patterns on an entire network segment
• Collects raw network packets; looks at packet headers; determines the presence of known signatures that match common intrusion attempts; takes action based on contents
• Good choice if the network has been subject to malicious activity (e.g., port scanning)
• Usually OS-independent
• Minimal impact on network performance

Host-Based IDS
• Collects data from the individual computer on which it resides
• Reviews audit and system logs, looking for signatures
• Can perform intrusion detection in a network where traffic is usually encrypted
• Needs no additional hardware
• Cannot detect port scans or other intrusion attempts that target the entire network

Signature-Based IDS
• Stores signature information in a database
• Database requires periodic updating
• Can work with either host-based or network-based IDS
• Often closely tied to specific hardware and operating system
• Provides fewer false alarms than a heuristic IDS

Heuristic IDS
• Compares traffic patterns against "normal activity" and sets off an alarm if the pattern deviates
• Can identify any possible attack
• Generates a high rate of false alarms
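The signature-versus-heuristic trade-off from the last two slides, as an added example (not from the chapter or any IDS product). The signature database, request payloads and hourly connection history are constructed; the heuristic side uses a simple mean-plus-k-standard-deviations baseline, one of many possible "normal activity" models.

```python
import statistics

# Constructed signature database: name -> byte pattern the IDS knows about.
SIGNATURES = {
    "passwd-read": b"/etc/passwd",
    "cmd-shell-probe": b"cmd.exe",
}

def signature_matches(payload, signatures=SIGNATURES):
    """Signature-based: alarm only when a stored pattern appears in the payload."""
    return [name for name, pat in signatures.items() if pat in payload]

def baseline(history):
    """Heuristic: learn what 'normal' looks like (mean and spread of a measurement)."""
    return statistics.mean(history), statistics.pstdev(history)

def anomalous(value, mean, stdev, k=3.0):
    """Heuristic: alarm when the observation is more than k standard deviations from normal."""
    return abs(value - mean) > k * stdev

# Constructed observations.
PAYLOADS = {
    "known":  b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1",  # matches a stored signature
    "novel":  b"GET /cgi-bin/view?file=../../etc/shadow HTTP/1.1",  # same idea, no signature
    "benign": b"GET /index.html HTTP/1.1",
}
HISTORY = [120, 118, 125, 130, 122, 119, 128, 121]   # connections per hour on normal days

def evaluate():
    """Show each approach's blind spot: signatures miss the novel request, the heuristic
    flags both a real burst (600/h) and a harmless backup window (400/h)."""
    mean, sd = baseline(HISTORY)
    return {
        "sig_known":   signature_matches(PAYLOADS["known"]),
        "sig_novel":   signature_matches(PAYLOADS["novel"]),
        "sig_benign":  signature_matches(PAYLOADS["benign"]),
        "heur_burst":  anomalous(600, mean, sd),   # true positive
        "heur_backup": anomalous(400, mean, sd),   # false alarm
        "heur_normal": anomalous(124, mean, sd),
    }
```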
Receiving Security Alerts
• A good IDS system:
  • Notifies appropriate individuals (e.g., via e-mail, alert, pager, or log)
  • Provides information about the type of event
  • Provides information about where in the network the intrusion attempt took place

When an Intrusion Occurs
• React rationally; don't panic
• Use alerts to begin assessment
• Analyze what resources were hit and what damage occurred
• Perform real-time analysis of network traffic to detect unusual patterns
• Check to see if any ports that are normally unused have been accessed
• Use a network auditing tool (e.g., Tripwire)

During and After Intrusion
• Document the existence of:
  • Executables that were added to the system
  • Files that were:
    • Placed on the computer
    • Deleted
    • Accessed by unauthorized users
  • Web pages that were defaced
  • E-mail messages that were sent as a result of the attack
• Document your response to the intrusion
Configuring Advanced Firewall Functions
• Ultimate goals:
  • High availability
  • Scalability
• Advanced firewall functions:
  • Data caching
  • Redundancy
  • Load balancing
  • Content filtering

Data Caching
• Set up a server that will:
  • Receive requests for URLs
  • Filter those requests against different criteria
• Options:
  • No caching
  • URI Filtering Protocol (UFP) server
  • VPN & Firewall (one request)
  • VPN & Firewall (two requests)

Hot Standby Redundancy
• A secondary or failover firewall is configured to take over traffic duties in case the primary firewall fails
• Usually involves two firewalls; only one operates at any given time
• The two firewalls are connected in a heartbeat network

Hot Standby Redundancy (continued)
• Advantages:
  • Ease and economy of setup, and the quick back-up system it provides for the network
  • One firewall can be stopped for maintenance without stopping network traffic
• Disadvantages:
  • Does not improve network performance
  • VPN connections may or may not be included in the failover system
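The heartbeat-driven takeover behind hot standby, as an added example (not from the chapter or any firewall vendor). The interval and miss limit are assumed values; the two heartbeat schedules are constructed to show that a single late heartbeat does not trigger a failover, while a dead primary does.

```python
class StandbyPair:
    """Primary/failover firewall pair joined by a heartbeat network.

    The secondary only takes over after `miss_limit` consecutive missed
    heartbeats, so a single delayed heartbeat does not cause both units to
    believe they are active at once. Once failed over, it does not fail back
    automatically; an administrator restores the primary after checking it.
    """

    def __init__(self, interval=1.0, miss_limit=3):
        self.interval = interval      # assumed: primary beats once per second
        self.miss_limit = miss_limit  # assumed: three misses before takeover
        self.active = "primary"
        self.last_beat = 0.0
        self.missed = 0
        self.events = []

    def primary_heartbeat(self, now):
        """Primary announces it is alive; any miss count is cleared."""
        self.last_beat = now
        self.missed = 0

    def secondary_tick(self, now):
        """Secondary checks the heartbeat once per interval and decides whether to take over."""
        if self.active == "secondary":
            return self.active
        if now - self.last_beat > self.interval:
            self.missed += 1
        if self.missed >= self.miss_limit:
            self.active = "secondary"
            self.events.append((now, "failover"))
        return self.active

def simulate(beat_times, duration=10):
    """Run `duration` seconds: the primary beats at the given whole-second times,
    the secondary checks half a second after each expected beat."""
    pair = StandbyPair()
    for t in range(duration):
        if t in beat_times:
            pair.primary_heartbeat(float(t))
        pair.secondary_tick(t + 0.5)
    return pair.active, pair.events
```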
Load Balancing
• The practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems
• Load sharing
  • The practice of configuring two or more firewalls to share the total traffic load
  • Traffic between firewalls is distributed by routers using special routing protocols:
    • Open Shortest Path First (OSPF)
    • Border Gateway Protocol (BGP)

Load Sharing
• Advantages:
  • Improves total network performance
  • Maintenance can be performed on one firewall without disrupting total network traffic
• Disadvantages:
  • Load is usually distributed unevenly (can be remedied by using layer-four switches)
  • Configuration can be complex to administer

Filtering Content
• Firewalls don't scan for viruses but can work with third-party applications to scan for viruses or perform other functions
• Open Platform for Security (OPSEC) model
• Content Vectoring Protocol (CVP)