DMZ, 211
single-firewall, 211
Internet firewall with multiple DMZs, 211–212
Internet firewall with single DMZ, 211
Internet-screening firewall, 212
layers, 215–216
ARO (annual rate of occurrence), 22
ARP (Address Resolution Protocol), 75
ASA (Cisco Adaptive Security Algorithm), 133
  anti-X, 127
  configuring, 137
ASA 5510, 129
ASA 5510 Security Plus, 129
ASA 5520, 129
ASA 5540, 129
ASDM/PDM remote access, configuring on PIX/ASA firewall, 143
assigning
  ACLs to interfaces, 151
  IP addresses to firewall interfaces, 138–140
attacks
  motives for, 19–20
  targeted, 13
  untargeted, 13
auditing policies, 237
authentication, 9–10
  certificates, 9
  xauth, 9
autonomous systems, 80

B
Basic Setup screen (BEFSR41v4 Setup tab), 116
best-effort delivery, 52
BGP (Border Gateway Protocol), 80
bidirectional NAT, 73
binary notation, 67
bridging firewalls. See transparent firewalls
broadband routers
  Linksys BEFSR41v4, 109
    configuring, 115–121
    management and administration features, 110
    miscellaneous features, 111
    routing features, 110
    VPN passthrough, 110
  NAT-based, 108
broadcast traffic, 74
building NetFilter-based firewalls, checklist, 174–175
built-in chains. See chains

C
caching, enabling on ISA server, 205
central office implementation, 209–210
certificates, authentication, 9
chains (Netfilter), 163
  user-defined, 166
  within filter table, 163
  within mangle table, 166
  within NAT table, 165
change control, 267
  as part of troubleshooting methodology, 306
change control system
  setting up, 267, 270–271
  logging, 271–272
checklist
  for building Netfilter-based firewalls, 174–175
  for Linksys router configuration, 123
  for Trend Micro’s PC-cillin firewall feature configuration, 103–104
  for Windows Firewall configuration, 94–95
  of troubleshooting procedures, developing, 301–310

choosing between ASA and PIX, 127
CIDR (classless interdomain routing), 69
circuit-level firewalls, 37
Cisco PIX Firewall. See PIX Firewall
classes of IP addresses, 68–69
classifications of routing protocols, 79
CLI (command-line interface), firewall management, 255–256
closed source firewalls, 40
closed-source vendor software, availability of patches, 254
combining VLANs and firewalls on a network, 219
commands
  enable, 137
  fixup, 38, 134
  interface, 138
  logging, 153
  logging permit-hostdown, 250
comparing
  deep packet inspection and application layer filtering, 178
  HTTP and HTTPS, 262
  known good and current configuration, 308
configuration files
  controlling access to, 267
  RCS log, viewing, 271–272
configuring
  ACLs, 147–151
    parameters, 148–150
  ASA, 137
  default gateway, 263–264
  interfaces, 262
  Linksys routers, 115
    administration, 121
    basic setup procedures, 116
    checklist, 123
    gaming application support, 119–121
    security, 117
  NAT
    on PIX 6.x, 145–146
    on PIX 7.x, 146–147
  Netfilter, 166–168
    with Firestarter, 170–171
    with Firewall Builder, 169
    with iptables, 168
    with Webmin, 171
  PIX/ASA firewall, 137
    remote management access, 141–143
    URL filtering, 324–325
  syslog, 264–266
  Trend Micro’s PC-cillin firewall feature, 97–98, 101–102
    checklist, 103–104
    profiles, 98
    security level, 101
  Windows Firewall, 89–93
    checklist, 94–95
connection teardowns (TCP), reasons for, 288–289
connectionless protocols
  sessions, 7
  UDP, 61
    header fields, 62
    messages, 62
connection-oriented protocols, TCP, 7, 57
  port numbers, 58
  segments, 58
  sliding windows, 58
  SYN flood, 60
connectivity
  requirements for Linksys routers, 112
  testing, 303–305
  through firewall, troubleshooting, 310, 313–315
  to firewall, troubleshooting, 316
console notification, 11
controlling
  access to configuration files, 267
  management interface access, 260
    in-band management, 260
    out-of-band management, 260
    SSH, 261
    Telnet, 261
corner cases, 273
corrupt IP packets, 56–57
creating
  access rules, 195
  effective security policies, 20
  NetFilter-based firewalls, checklist, 174–175
  publishing rules, 198
  security policies, 230
CS-MARS (Cisco Security Monitoring, Analysis and Response System), 282

D
data link layer, 48
DDNS screen (BEFSR41v4 Setup tab), 117
DDoS (distributed DoS) attacks, 15
deep packet inspection, 127, 178
default firewall passwords, 253–254
default gateway, configuring, 263–264
deficiencies in syslog security, 282–283
defining
  DMZ policy standards, 235–236
  rulesets for firewall security policy, 241
    egress filtering, 245, 247
    ingress filtering, 240–245
    management access, 247–250
de-perimeterization of the network, 217
desktop firewalls, 27, 217
  implementing, 217–218
developing checklist of troubleshooting procedures, 301–310
DHCP (Dynamic Host Configuration Protocol), 75
displaying RCS log, 271–272
distance vector routing protocols, 79
“DMZ-on-a-stick” architecture, 211
DMZ
  on Linksys routers, 110
  policies, 235
DMZ forwarding, 114
DNAT target, 168
DNS (domain naming system), 75
DoD Model, 51
DoS (denial of service) attacks, 15–16, 63
dotted-decimal notation, 68
DROP target, 168
dropped traffic, identifying in firewall logs, 287
dual-firewall architectures, 213–214
  layers of, 216–217
dynamic NAT, 73
dynamic routing, 77

E
ego as motivation for attacks, 19
egress filters
  firewall security policy ruleset, defining, 245–247
  for DMZs, applying, 247
  for internal traffic, applying, 246
email, SMTP anti-spam software, 330
e-mail notification, 12
enable command, 137
enable password, 140
encapsulation process, 49–50
encryption policies, 237
end-user services, 44
ensuring legal admissibility of firewall logs, 285
enterprise office solutions, ASA and PIX models designed for, 129
ESP (Encapsulated Security Payload), 334
estimating
  ALE, 22–24
  SLE, 22–24
events
  recording and reporting with firewalls, 11
  syslog, 290–295
evolution of Linux firewall capabilities, 161
example of troubleshooting firewall configuration, 316, 319–320
examples of security policies, 20
exceptions for Windows Firewall, 88
extended ACLs, parameters, 148–150
exterior gateway routing protocols, 80

F
failed authentication, identifying in firewall logs, 289
failover, active/active, 224–225
features
  of Microsoft ISA Server 2004, 182–184
  of Trend Micro firewall, 103
  of Windows Firewall, 94
fields
  of IP packet header, 54, 56
  of TCP segment header, 59–60
  of UDP header, 62
Filter screen (BEFSR41v4 Security tab), 118
filter table (Netfilter), 163
filtering decision process on PIX Firewall, 130–132
filtering policies, 233
filtering systems, maintaining, 254

Firestarter, configuring Netfilter, 170–171
Firewall Builder, configuring Netfilter, 169
firewall client, 185
  configuring on ISA server, 204
firewall dynamic configuration layer, 230, 238–239
firewall logs
  forensics analysis
    performing, 295–296
    port numbers, accessing from IANA, 298
    spoofed IP addresses, identifying, 296–298
  importance of, 284–285
  legal admissibility of, ensuring, 285
  reviewing, 286, 307
  spoofed IP addresses, identifying, 296–298
  suspicious events, identifying, 287–290
firewall management
  change control system
    configuring, 267, 270–271
    logging, 271–272
  configuration files, controlling access to, 267
  default gateway, configuring, 263–264
  default passwords, 253–254
  interfaces, configuring, 262
  operating system maintenance, 254–255
  physical failure, checking for, 306
  software
    defects, tracking, 274–275
    updating, 273–275
    vulnerabilities, 274
  syslog, configuring, 264–266
  with CLI, 255–256
  with GUI, 256
firewall physical integrity layer, 238
firewall security layer, 230
firewall security policies. See security policies
firewall static configuration layer, 230, 238
firewalls
  functions performed by, 6
    access authentication, 9–10
    connection monitoring, 7–8
    event reporting and recording, 11
    packet inspection, 6
    proxy, 10
    resource protection, 10–11
    stateful packet inspection, 8
  host-based, 5
  trust, 21–22
fixup command, 38, 134
forensic analysis
  incorporating findings in security policies, 298
  performing, 295–296
  port numbers, accessing from IANA, 298
  spoofed IP addresses, identifying, 296–298
FORWARD chain (filter table), 164
fragrouter utility, 57
freeware, syslog server products, 281
FTP, 82
  remote firewall management, 250
functionality
  of firewalls, 6
    access authentication, 9–10
    connection monitoring, 7–8
    event recording and reporting, 11
    packet inspection, 6
    proxy, 10
    resource protection, 10–11
    stateful packet inspection, 8
  of Microsoft ISA Server 2004, 192
    application filtering, 200
    caching web data, 205
    client access method configuration, 203–205
    outbound access filtering, 195–198
    publishing internal resources, 198–199
    system policy rule configuration, 201–202
  of proxy servers, 179–180

G
gaming application support, configuring on Linksys BEFSR41v4, 119, 121
guidelines, 231

H
HA (high availability), active/active failover, 224–225
header fields
  of IP packets, 53–56
  of TCP packets, 59–60
  of UDP packets, 62

hexadecimal notation, 68
HIPAA (Health Insurance Portability and Accountability Act of 1996), 16
host ID, 67
host-based firewalls, 5
host-to-host layer (DoD model), 51
HTTP
  remote firewall management, 250
  versus HTTPS, 262
HTTPS, remote firewall management, 250
hybrid routing protocols, 79

I
IANA (Internet Assigned Numbers Authority), 61
  port numbers, accessing, 298
ICMP (Internet Control Message Protocol), 63
  connectionless sessions, 7
  messages, 64–66
identifying
  spoofed IP addresses in firewall logs, 296–298
  suspicious events in firewall logs, 287–290
IDS (intrusion detection systems), 96, 331
implementing
  effective security policies, 20
  internal firewalls, 223–224
  personal/desktop firewalls, 217–218
in-band management, 260
incorporating forensic analysis findings into security policies, 298
ingress filtering
  applying
    from DMZ segment to internal segment, 244
    from Internet to DMZ segment, 242–244
    from Internet to internal segment, 245
  firewall security policy ruleset, defining, 240–245
INPUT chain (filter table), 163
inside interfaces, configuring, 263
integrated firewalls, 32
interface command, 138
interfaces, configuring, 262
internal firewalls, implementing, 223–224
internal networks, segmenting/protecting, 222
internal resources, protecting, 222–223
Internet firewall architectures
  with multiple DMZs, 211–212
  with single DMZ, 211
Internet layer (DoD model), 51
Internet-screening firewalls, 212
investigating suspicious activity, 287–290
IP (Internet Protocol), 52–53
  less common applications, 81
  most common applications, 81
  packets, 53
    corrupt, 56–57
    header, 53–56
  routing process, 77–78
IP addresses
  address classes, 68–69
  address display formats, 67–68
  assigning to firewall interfaces, 138–140
  CIDR, 69
  logical addresses, 67
  NAT, 71–73
    dynamic NAT, 73
    static NAT, 73
  physical addresses, 66–67
  subnets, 70
IP services
  ARP, 75
  DHCP, 75
  DNS, 75
  NTP, 76
ipchains filter, 161
ipfw code, 161
ipfwadm utility, 161
IPS (intrusion prevention system)
  deep packet inspection, 127
  firewall as, 332
IPsec, 83
  AH, 333
  ESP, 334
  transport mode, 335
  tunnel mode, 336
iptables command utility, configuring Netfilter, 166
  targets, 168
IPv6, 71

K–L
Kiwi Syslog Daemon, 281
known good configuration, comparing to current configuration, 308
layers of firewall security policies, 237–239
legal admissibility of firewall logs, ensuring, 285
limitations of application proxy firewalls, 180
link-state routing protocols, 79–80
Linksys routers/firewalls, 109
  administration, configuring, 121
  basic setup procedures, 116
  BEFSR41v4, 109
    management and administration features, 110
    miscellaneous features, 111
    routing features, 110
  configuring, 115
  connectivity, requirements, 112
  gaming application support, configuring, 119–121
  Log Viewer, 111
  security model, 111
  security, configuring, 117
  SPI support, 109
  traffic filtering, 112
    DMZ forwarding, 114
    from internal sources, 114
    port triggering, 113
    port-range forwarding, 112
  UPnP, 111
  VPN passthrough, 110
Linux-based firewalls, 161
  ipfw code, 161
  Linux kernel 2.2, ipchains filter, 161
  Netfilter, 162
    chains, 163
    configuring, 166–171
    filter table, 163
    mangle table, 166
    NAT table, 164
    requirements for operation, 162
    tables, 163
    website, 162
Liu, Cricket, 76
load balancing, 165
log files. See firewall logs
Log screen (BEFSR41v4 Administration tab), 122
LOG target, 168
Log Viewer (Linksys), 111
logging
  monitoring/logging policies, 235
  syslog
    configuring, 264–266
    events, 290–295
logging command, 153
logging facilities (syslog), 278–279
logging methods, proprietary, 283
logging permit-hostdown command, 250
logical addresses, 67
login passwords, 140

M
MAC address, 66
MAC Address Clone screen (BEFSR41v4 Setup tab), 117
malicious content, 14
malware, 15
management access, defining firewall security policy ruleset, 247–250
management console (Microsoft ISA Server 2004), 187, 192
management interface
  accessing, 260
    via SSH, 261
    via Telnet, 261
  in-band management, 260
  out-of-band management, 260
Management screen (BEFSR41v4 Administration tab), 121
management-access policies, 233
managing firewalls. See firewall management
mangle table (Netfilter), 166
manipulation utility. See Netfilter
MASQUERADE target, 168
masquerading, 165
medium-to-large office solutions, ASA and PIX models designed for, 128
message facility (syslog), 264
messages
  ICMP, 64, 66
  syslog, 278–279
  UDP, 62

Microsoft ISA Server 2004, 180
  access rule management, 187–188
  features, 182–183
  filtering functions, 183–184
  firewall client, 185
  functionality of, 192
    application filtering, 200
    caching web data, 205
    client access method configuration, 203–205
    outbound access filtering, 195–198
    publishing internal resources, 198–199
    system policy rule configuration, 201–202
  management console, 187, 192
  misconceptions about, 181–182
  monitoring and reporting, 188
  publishing rules, 186
  remote administration, 193
  SecureNAT client, 184
  securing, 181
  service requirements, 191–192
  supported networks, 189
  system requirements, 189
  VPN functionality, 186
  VPN Quarantine Control, 189
  web caching server functionality, 185
  web proxy client, 185
misconceptions about Microsoft ISA Server 2004, 181–182
monitoring network traffic, 309
monitoring/logging policies, 235
motives for attacks, 19–20
multicast traffic, 74

N
NAT (Network Address Translation), 71–73
  configuring on PIX 6.x, 145–146
  configuring on PIX/ASA 7.x, 146–147
  dynamic NAT, 73
  firewalls, 35–36
  static NAT, 73
NAT-based routers, 108
NAT-T (NAT Traversal), 73, 336
Netfilter, 162
  chains, 163
  configuring, 166–168
    with Firestarter, 170–171
    with Firewall Builder, 169
    with iptables, 168
    with Webmin, 171
  NAT table, 164
  requirements for operation, 162
  tables, 163
    filter table, 163
    mangle table, 166
    NAT table, 164
  website, 162
NetIQ Security Manager, 281
network access layer (DoD model), 51
network communication models
  DoD model, 51
  OSI model, 45
    application layer, 46
    data link layer, 48
    encapsulation process, 49–50
    network layer, 47–48
    physical layer, 48
    presentation layer, 46–47
    session layer, 47
    transport layer, 47
network firewalls, 29
network ID, 67
network layer, 47–48
network traffic, monitoring, 309
Network Translations, 125
Network Virus Emergency Center (Trend Micro firewall), 102
NIX syslogd, 281
non-firewall specific systems, troubleshooting, 309
normalization policies, deriving from firewall log analysis, 286
NTP (Network Time Protocol), 76

O
open source firewalls, 40
operating systems
  filtering systems, 254
  maintaining, 254–255
OPSEC LEA (Open Platform for Security Logging Export API), 283
OSI model, 45
  application layer, 46
  data link layer, 48
  encapsulation process, 49–50

  network layer, 47–48
  physical layer, 48
  presentation layer, 46–47
  session layer, 47
  transport layer, 47
OSPF (Open Shortest Path First), 80
OUI (organizationally unique identifier), 66
outbound access filtering on ISA Server, 195, 198
out-of-band management, 260
OUTPUT chain
  filter table, 164
  NAT table, 165
outside interfaces, configuring, 263

P
packet filters, 34–35
packet inspection, 6
  versus stateful packet inspection, 8
packet-filtering, NAT-based, 108
packets, IP, 53
  corrupt, 56–57
  header, 53–56
paging notification, 12
parameters for extended ACLs, 148–150
password policies, 237
PAT (Port Address Translation), 73
patches, availability of for closed-source vendor software, 254
PDM (PIX Device Manager), 143
personal firewalls, 27–28, 33, 217
  implementing, 217–218
  Trend Micro’s PC-cillin firewall feature, 96
    checklist, 103–104
    configuring, 97–102
    system requirements, 96
  Windows Firewall, 87
    checklist, 94–95
    configuring, 89–93
    exceptions, 88
    features, 94
physical addresses, 66–67
physical firewall failure, checking for, 306
physical integrity layer, 230
physical layer, 48
ping, 63
  connectivity, testing, 303–305
PIX/ASA firewalls
  configuring, 137
  filtering decision process, 130–132
  PIX 501, 128
  PIX 506E, 128
  PIX 515E, 128
  PIX 525, 129
  PIX 535, 129
  remote management access, configuring, 141–143
  URL filtering, 324–325
  version 6.x
    IP addresses, assigning, 138–140
    NAT, configuring, 145–146
  version 7.x software, 127
    IP addresses, assigning, 139–140
    NAT, configuring, 146–147
    transparent mode, 133
policies, 231. See also security policies
port forwarding, 165
port numbers, 58
  accessing from IANA, 298
  UDP, 61
Port Range Forwarding screen (BEFSR41v4 Applications and Gaming tab), 119
port triggering, 113
Port Triggering screen (BEFSR41v4 Applications and Gaming tab), 120
port-range forwarding, 112
POSTROUTING chain (NAT table), 165
predicting ALE and SLE, 22–24
PREROUTING chain (NAT table), 165
presentation layer, 46–47
procedures, 231
profiles, configuring on Trend Micro firewall, 98
proprietary firewall management methods, 250
proprietary logging, 283
protecting internal resources, 222–223
protocols supported for application inspection, 135–136
proxies for applications, 18
proxy firewalls, 37
proxy servers, functionality, 179–180
PSKs (preshared keys), 9
publishing rules, 186
  creating, 198

Q–R
QoS screen (BEFSR41v4 Applications and Gaming tab), 121
QUEUE target, 168
RCS (revision control system)
  log file, viewing, 271–272
  repository, modifying, 270–271
recent changes, reviewing as part of troubleshooting methodology, 306
reconnaissance attacks, 296
redundancy, active/active failover, 224–225
REJECT target, 168
release notes, reading, 274
remote administration of Microsoft ISA Server 2004, 193
remote management access, configuring on PIX/ASA firewall, 141–143
remote office implementation, 210
remote-access/VPN policies, 234
requirements for Linksys router connectivity, 112
restricting access to configuration files, 267
RETURN target, 168
reviewing firewall logs, 286, 307
  suspicious events, 287–290
revision control systems, 267
RIP (Routing Information Protocol), 79
risk-assessment policies, 237
routed mode, 133
routing policies, 234
routing protocols
  BGP, 80
  classifications of, 79
  OSPF, 80
  RIP, 79
routing tables, contents of, 76
rulesets
  defining for firewall security, 241
    egress filters, 245–247
    ingress filters, 240–245
    management access, 247–250
  verifying, 308

S
SecureNAT client, 184
security contexts, 221
security layers
  firewall static configuration layer, 230
  physical integrity layer, 230
security level of Trend Micro firewall, configuring, 101
security policies, 20, 229, 237
  creating, 230
  DMZ policies, 235
  egress filtering rulesets, defining, 245–247
  examples of, 20
  filtering policies, 233
  firewall security layers, 230–231
  format, 232
  incorporating forensic analysis findings, 298
  ingress filtering rulesets, defining, 240–245
  layers, 237–239
  management-access policies, 233
    rulesets, defining, 247–250
  monitoring/logging policies, 235
  remote-access/VPN policies, 234
  routing policies, 234
  rulesets, defining, 241
Security tab (Linksys BEFSR41v4 router), 117
segmenting internal networks, 222
segments (TCP), 58
  header fields, 59–60
selecting
  between ASA and PIX, 127
  software version, 273
service provider solutions, ASA and PIX models designed for, 129
service requirements for Microsoft ISA Server 2004, 191–192
session layer, 47
Setup tab (Linksys BEFSR41v4 router), 116
severity levels (syslog messages), 264–266, 279
Shorewall firewall, 41, 172
single-firewall architectures, 211
  Internet firewall with multiple DMZs, 211–212
  Internet firewall with single DMZ, 211
  Internet-screening firewall, 212
  layers, 215–216
SLE (single loss expectancy), predicting, 22–24
sliding windows, 58
SMTP (Simple Mail Transport Protocol), anti-spam software, 330

SNAT (source NAT), masquerading, 165
SNAT target, 168
SNMP (Simple Network Management Protocol), remote firewall management, 249
SNMP notification, 11
social engineering, 17
software
  defects, tracking, 274–275
  PIX version 7.x, 127
  updating, 273–275
  vulnerabilities, 274
software firewalls, 30–31
SOHO solutions, PIX models designed for, 128
spam, anti-spam software, 330
SPI (stateful packet inspection), support on Linksys routers, 109
spoofed IP addresses, identifying in f
