Transcript Chapter 6
Guide to Network Defense
and Countermeasures
Chapter 6
1
Chapter 6 - Strengthening and
Managing Firewalls
Understand how to work with a proxy server
to supplement a firewall with a proxy server
Describe the most important issues to be
faced when managing a firewall
Know how to install / configure Check Point
NG
Know how to install / configure Microsoft ISA
Server 2000
Know how to manage / configure iptables for
Linux
2
Working with Proxy Servers
Proxy servers forward packets to and from
the network being protected and cache Web
pages to speed up network performance
The primary goal of proxy servers is to provide
security at the Application layer and shield hosts on
the internal network
A secondary goal is the logging of traffic headed
outbound from the internal network to the Internet so
that the activities of the of employees that surf the
Web, exchange e-mail, and use other services can
be monitored
3
4
Working with Proxy Servers
How proxy servers work:
One way proxy servers prevent direct connections
between external and internal computers is by
working at the Application layer
At the Application layer, the proxy server interprets
which application was used to make a request and
which application is needed to forward that request
When a request is received, the proxy server opens
it and examines the contents; it then replaces the
original header with a new header containing its own
IP address rather than that of the original client
5
6
7
8
Working with Proxy Servers
Choosing a proxy server:
The type of proxy server needed depends on the
needs of the existing firewall configuration
Freeware proxy servers typically provide a specific
function rather than a full range of functions
Commercial proxy servers combine Web page
caching and IP address translation with content
filtering and firewall functions (packet filter and NAT)
Firewalls that perform proxy server functions act as
all-in-one security programs; the drawback is that all
security is left in the hands of a single program
9
Working with Proxy Servers
Choosing a proxy server (cont.):
Standalone proxy servers provide access to the
SOCKS communications protocol, which sets up a
secure channel between two computers
SOCKS authenticates the users by incorporating
unencrypted exchange of username and password
The SOCKS package includes the SOCKS server
(must be run on UNIX), the SOCKS client library,
and versions of several UNIX client programs
SOCKS is popular, is supported by most proxy
servers, and supports Windows/UNIX/Macintosh
10
Working with Proxy Servers
Filtering content is one of the most useful
applications of proxy servers
They can open TCP/IP packets, inspect the data
portion, and take action based on the contents
This capability enables proxy servers to filter out
contents that would otherwise appear in a user’s
Web browser window during Web surfing; they can
also block Web sites and drop executable programs
Administrators configure browsers to connect to
proxy servers rather than directly to the Internet;
then all Web content is routed through the proxy
11
12
Working with Proxy Servers
Filter rules allow administrators to set proxy
rules for identifying the content to filter out
The freeware program, Proxomitron, filters pop-up
windows, background audio, embedded scripts, ad
banners, status bar scrolling messages, blinking
text, background images, and blocks Web sites
The danger with such extreme content filtering is
that the content that the Web page’s author has
created to convey a legitimate message can also be
blocked, so use such filtering selectively
13
14
Managing Firewalls to
Improve Safety
A firewall’s effectiveness depends on the
ongoing attention its administrator devotes
to it
Effective firewall management impacts the
network in the following ways:
Security - the organization can cope with new
threats and continue to block attacks
Throughput - adjusting the firewall so that it performs
better will speed up network performance
Disaster recovery - by backing up the current
security configuration, disaster recovery is possible 15
Managing Firewalls to
Improve Safety
Edit the rule base in an ongoing basis in
order to more effectively implement
organizational security policy and improve
performance
Ensure that rules are as relevant and as few as
possible; remove unneeded rules
Place the most important rules near the top of the
rule base; scan log files to determine best rule order
Reduce firewall logging by minimizing the number of
rules that have Log as the action
Reduce the number of domain objects and move
16
any of their rules to the bottom the rule base
17
18
Managing Firewalls to
Improve Safety
Manage firewall log files continuously to
improve firewall performance and security
Some firewalls come with so many types of logging
data that including them all makes log files unwieldy
Common log files include security events, firewall
system, packet traffic, active connections, and
access audit; logging can be configured to specify
exactly which elements will be included in log files
Log file summaries present the entry-generating
events; some firewalls provide analysis tools that
prepare summaries for report generation
19
20
21
22
23
24
Managing Firewalls to
Improve Safety
To improve firewall performance:
Examine the firewall’s default settings and stop
unnecessary lookups and operations, such as host
lookups, decryption, and logging
Choose a system that has the fastest CPU available
Ensure at least the minimum RAM amount, or more
Test the firewall before and after it goes online
Configure advanced firewall functions
Improve the firewall by adding data caching, remote
management, and set up load balancing
25
Installing and Configuring
Check Point NG
Check Point NG is one of a number of
comprehensive enterprise-level firewalls
Install Check Point NG on a computer running Win
2000 Professional/Server, Win NT, Sun Solaris, or
Red Hat Linux; security components include: Check
Point Management NG; Policy Editor NG; Status
Manager NG; Log Viewer NG; Traffic Monitoring NG
After installation, define the objects (gateway and
computers) on the network to be protected
Next, develop the security policy by establishing a
set of packet filtering rules (rule base)
26
27
28
Installing and Configuring
Microsoft ISA Server 2000
Microsoft ISA Server 2000 is an enterpriselevel firewall noted for its variety of proxy
server functions, packet filtering, and NAT
Install either the Standard or Enterprise versions;
during installation, choose a server mode (Multilayer firewall, Web-cache, or Integrated), configure
cache and set addressing scheme
After installation, create the security policy: select
policy elements; configure clients and protocol rules
Upon restart, the ISA Management Console enables
set up of packet filtering and intrusion detection
29
30
Managing and Configuring
iptables
iptables enable users to configure packet
filter rules for the Linux firewall Netfilter
iptables enables Netfilter to perform stateful packet
filtering, and filter on a full set of TCP options flags
iptables is a command-line tool, and is used to set
up logging, NAT, and port forwarding of packets
iptables works with a set of rules; the rules are
grouped together in the form of a chain which is
similar to a rule base; Linux uses multiple rule
bases/chains, where one chain’s action can activate
a specific rule in another chain
31
Managing and Configuring
iptables
iptables has built-in chains which decide either
to accept, drop, queue, or return packets
The output chain reviews packets when they
originate internally with an external destination
The input chain is for packets that originate
externally with an internal destination
The forward chain is used when a packet needs to
be routed to another location
iptables allows user-defined chain creation
These chains are created to meet custom needs
using rule configuration commands
32
33
34
Chapter Summary
This chapter discussed issues and techniques
used to manage firewalls in a way that improves
their performance and reinforces the
effectiveness with which they protect a network.
Sometimes, improving a firewall configuration
involves the installation of a new component
such as a proxy server. Firewall management is
also realized by adjusting resources already in
place, such as the rule base and log files
35
Chapter Summary
A proxy server is software that processes traffic to and
from the internal network, and that stores Web pages in
cache to speed up performance. Unlike packet filters,
proxy servers can filter data at the application level by
inspecting the contents of packets. They also shield
hosts on the internal network, and log traffic headed
outbound from internal hosts so that the activities of
end-users within the organization can be tracked. Proxy
servers provide a high level of security because they
prevent a direct connection between an external and an
internal computer from ever occurring. One of their most
powerful attributes is the ability to open up TCP/IP
packets and make decisions based not just on their
headers but on the data contained. This gives proxies
the ability to filter out pop-up windows, offensive text,
advertising banners, or Java applets or other scripts
that are embedded in Web pages
36
Chapter Summary
Firewall performance can also be strengthened
through ongoing management. Tightening and
rearranging the rule base can speed up
performance, as can managing log files in a way
that reduces the load on the server and detects
intrusion attempts. The rule base should be as
short as possible and have the most important
rules near the top of the list so the firewall
processes data in the most efficient way
37
Chapter Summary
A firewall’s performance can also be improved by
logging only the traffic that represents the most
serious security concerns and by rotating log files
before they consume too much disk space and slow
down the host on which they reside. Log files that are
saved in ODBC format can be viewed with an ODBCcompliant database so you can run reports on the
data or study individual elements. It’s also useful to
prepare log file summaries - reports of log file activity
for a specific period such as a day or a week - so you
can share the information with your colleagues in a
format that is easy to read and interpret
38
Chapter Summary
Check Point NG is a suite of firewall modules that
allow you to implement a security policy through
stateful packet filtering, NAT, and authentication.
Log file analysis, real-time monitoring, and
remote management are also provided
Microsoft ISA Server 2000 has several goals: the
improvement of network security through
traditional firewall filtering and NAT, and faster
network performance through the caching of Web
pages
39
Chapter Summary
iptables is a built-in tool for creating packet filter
rules. The program includes three built-in chains
of filter rules that monitor inbound and outbound
packets as well as packets that the firewall needs
to forward to specific destinations
40