Appendix A Firewall and Security Tools

The nature of firewalls and how they can be used to manipulate and control network traffic can make it difficult to troubleshoot network problems where firewalls are involved. Similarly, firewalls can introduce some unique and special requirements for managing and maintaining the firewall and the firewall configuration. This appendix examines some common tools and tool usage to assist in troubleshooting, managing and maintaining firewalls.

Applications That Are Hard to Firewall

The difficulty with application firewalls stems from the fact that the transaction between the client and server is complex, and it can be made more so if the protocol or the data in the communication expand, which increases the complexity of the transaction. Protocols such as eXtensible Markup Language (XML) and Simple Object Access Protocol (SOAP) make web application firewalls especially tricky. To provide proper web application security, the application firewall must have a detailed understanding of...

Bad UDP

UDP is such a simple protocol that there is not a whole lot that can be done with the protocol itself to account for bad UDP traffic. UDP is particularly effective as a source of bad traffic because it is connectionless. Therefore, it is a great candidate for spoofing. Malicious users can generate traffic as a different host, and because UDP is connectionless and responses are not expected, they do not really care that the targeted host is sending the responses to the wrong host. UDP is also a...

Introduction to Firewalls

Depending on whom you talk to, a firewall is either the cornerstone of their organization's security infrastructure, or it is a device that has woefully failed to live up to expectations. How can one device have such a contrast in perceptions? The biggest reason for this is a misunderstanding of what a firewall is and is not, and what a firewall can and cannot do. This chapter looks at what a firewall is and how a firewall works to illustrate what the reasonable expectations for a firewall are....

Going Beyond Basic Firewall Features

Modern firewalls provide a wide variety of significant services to the end user, whether it is a personal firewall or a network firewall used to protect an enterprise network. Firewall capabilities have increased dramatically over the past few years, and they have quickly become a nexus of security services to a network (or an individual machine). This increase of capabilities has caused firewall administrators to reevaluate and in some cases redefine the expectations of what a firewall can do....

TCP/IP for Firewalls

Much like humans may speak English, German, or Russian, computers may speak any number of languages: IPX/SPX, AppleTalk, and TCP/IP being just a few of them. Because of the portability and scalability of TCP/IP, TCP/IP has been settled on as the de facto standard method for providing communication services between hosts on a network and in particular across the Internet. Much like a human language, TCP/IP has a defined structure and set of rules that control how hosts communicate. Therefore,...

Choosing Between the PIX and the ASA

One of the first questions to answer when trying to determine what Cisco firewall your environment requires is what the difference between the Cisco PIX Firewall and the Cisco ASA is. The ASA is essentially the latest version of the Cisco firewall solution and is based largely on the PIX software. In fact, the Cisco ASA and enterprise versions of the PIX (PIX 515E and larger) actually run the same firewall software starting with the 7.x code base. In the case of the PIX, this firewall software...

Configuring Basic Setup

The BEFSR41v4 Setup tab consists of four screens. On the Basic Setup screen, you can configure how the router connects to the service provider (for example, using DHCP or PPPoE). Depending on which connection type you specify, additional options will be made available on the screen. You can also specify the host and domain name as well as the maximum transmission unit (MTU) for the router, if it is required by your service provider. The Basic Setup screen is also where you configure the local...

Configuring the Cisco PIX/ASA

Complete configuration of the Cisco PIX is beyond the scope of this book. However, we can cover some of the initial steps required to set up the PIX and to allow an administrator access to the graphical user interface (GUI), the Adaptive Security Device Manager (ASDM) (previously known as the PIX Device Manager [PDM] for software versions prior to 7.0). To initially configure a PIX out of the box, connect a serial connector to the console port of the PIX (which is typically outlined with a...

Configuring the Firewall for Remote Management Access

The PIX/ASA firewall supports three primary methods of remote management access. Both Telnet and SSH are used to provide CLI access to the firewall, whereas the ASDM/PDM provides an HTTPS-based GUI management console. Telnet remote management is the simplest, yet least secure, method of remotely managing the firewall. The reason for this is that Telnet does not encrypt the data in transit and in fact sends the data in cleartext. This makes it easy for a malicious user to capture the data and...

Default Passwords

When you purchase a new firewall (or any network device in general) such as a Cisco PIX, a Linksys, a NetScreen, or a SonicWall, out of the box the device has some default passwords set (and in some cases there is no default password). This is because the manufacturer must allow for initial access to the device for the end user to configure it. Most recent documentation for any device admonishes the end user to immediately change the default password to something else. Table 11-1 shows common...

Determining If You Need a Firewall

It is convenient (and accurate) to say that you always need a firewall if you are connecting to the Internet. Firewalls should not be relegated exclusively to the realm of providing access to and protection from Internet-based resources. Instead, you should consider implementing a firewall any time a resource needs to be protected, regardless of where the protected resource is located, or where the requesting traffic will be coming from. Firewalls can, and in many cases should, be used to...

Dual Firewall System

With a dual-firewall architecture, the firewall system consists of the following layers: Network segment between external router and exterior firewall... Figure 9-5 depicts a dual-firewall system. (Figure 9-5 labels: ingress and egress filtering at the interior and exterior firewalls.) The only real physical difference with the dual-firewall system over the...

Enterprise Office and Service Provider Solution

The next two models of the PIX firewall are designed specifically for large enterprises and service providers: the PIX 525 and 535. The 525 is produced in a 2U form factor and can accommodate up to ten Fast Ethernet or two Fast Ethernet and three Gigabit Ethernet interfaces. The PIX 535 also comes in a 2U form factor and can accommodate 14 Fast Ethernet or 9 Gigabit Ethernet interfaces. Both models provide all manner of high-availability functionality such as zero-downtime upgrade and VPN...

Example 11-4 Using RCS for Configuration Control

Enter description, terminated with single '.' or end of file:
>> Initial configuration of external edge router
root@sauron configs 127 ls -l
total 26
drwxrwx--- 2 root sysadmin 512 Aug 29 10:06 RCS
-rw-r----- 1 root other 11879 Aug 29 10:06 frodo.cfg

The ci command checks the configuration into the repository. The -i flag tells the RCS software to create a new repository. The co command is used to check items out of the repository. The -l flag also locks the file to the specific user who issued the co command....

Example 11-5 Checking in Changes to the RCS Repository

New revision: 1.2; previous revision: 1.1
enter log message, terminated with single '.' or end of file:
>> Added new external NAT address, 172.16.45.152 -> 192.168.155.152 - idubraws
root@sauron configs 33 ls -l
total 2
drwxrwx--- 2 root sysadmin 512 Aug 29 10:20 RCS

RCS, CVS, and other open source revision-control systems provide an easy, low-cost way of managing configuration changes. Change-control logging is the process by which information is entered in the change-control system made to a...

Example 11-6 Viewing the RCS Log for Configuration Changes

root@sauron configs 136 rlog frodo.cfg
total revisions: 2; selected revisions: 2
description:
Initial configuration of external edge router
----------------------------
revision 1.2
date: 2005/08/29 14:19:59; author: root; state:
Added new external NAT address, 172.16.45.152 ->
----------------------------
revision 1.1
date: 2005/08/29 13:51:42; author: root; state:

The output in Example 11-6 provides a lot of information. For example, the working file is identified on the Working file line. In addition, it shows how many revisions have been made to the file (in the example, two revisions were made). A description of the file...

Example 13-1 Telnetting to TCP Port 80 to Test Connectivity

C:\Documents and Settings\wnoonan>telnet web server 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 2795
Content-Type: text/html
Content-Location: http://192.168.173.101/Default.htm
Last-Modified: Tue, 23 Nov 2004 05:23:47 GMT
ETag: "f9fcf19b1cd1c41:336"
Connection: close
<additional output snipped>

By just telnetting to TCP port 80 and typing GET / HTTP/1.0 and then pressing Enter a few times, I can retrieve the default web page for the server, which at least verifies that the target host is...

Example 14-1 Using Telnet to Access a Server on TCP Port 443 (HTTPS)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>400 Bad Request</title>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a
<address>Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7d DAV/2 Server at www.innocentvictimcompany.com Port 443</address>
Connection to 10.16.17.223 closed by...

Example 14-2 OpenSSL

$ openssl s_client -connect 10.16.17.223:443
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky
verify error:num=18:self signed certificate
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky
verify error:num=10:certificate has expired
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
notAfter=Oct  6 01:35:00 2005 GMT
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Maryland/L=Silver Spring/O...

Example A-1 ACL to Permit Only Certain ICMP Message Types

As a best practice, your external firewall interface (and all corresponding IP addresses) should not allow any other ICMP traffic. This will prevent someone from being able to ping the firewall external IP address to determine whether it is accessible and will also protect against malicious ICMP-based traffic such as a ping of death. Another aspect of reachability is to show how the device was reachable. In other words, what path through the network was taken to the destination host? To answer...

Example A-10 Basic Nmap SYN Port Scan Against a Cisco Secure PIX Firewall

root@keoland nmap# nmap -sS -P0 -O -vv 10.10.10.1

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-10-04 14:10 CDT
Initiating ARP Ping Scan against 10.10.10.1 [1 port] at 14:10
The ARP Ping Scan took 0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against firewall.myco.com (10.10.10.1) [1668 ports] at 14:10
Discovered open port 443/tcp on 10.10.10.1
Discovered open port 25/tcp on 10.10.10.1
Discovered open port 21/tcp on 10.10.10.1
Discovered open port 80/tcp on 10.10.10.1
SYN...

Example A-9 Nmap Usage Screen

C:\Download\Hacking Tools\Nmap\nmap-3.93>nmap
Nmap 3.93 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service & app names/versions
  -sR RPC scan (use with other scan types)
...

Figure 11-1 Symantec Internet Security Configuration

Figure 11-2 Symantec Firewall Configuration

The PIX Device Manager (for PIX operating systems up to version 6.3(5)), known as the Cisco Adaptive Security Device Manager in PIX version 7.0, is a Java applet that is downloaded from the PIX or ASA device and runs locally through the client browser. Figure 11-3 shows the PIX Device Manager screen.

Figure 11-3 Cisco PIX Device Manager


Figure 12-3 Microsoft ISA Server Log Data


Figure 13-6 Verifying Firewall Functioning

If the firewall is up and running, the next step is to test the Internet connection on the outside interface of the firewall. You can do this by pinging a system out on the Internet. Doing so is somewhat tricky because many networks filter out unsolicited ICMP requests. However, some of the...

Figure 13-8 Checking Server Connectivity

In this example, the assumption is that the web server is not responding because it does not respond to a ping or to the Telnet connection to the web server port, 80. In more complex cases, you might need to review the firewall configuration to ensure that it is not blocking the traffic unnecessarily. Also, consider that in some cases it is not your end of the connection that may be problematic but the other end. In many cases, you might need to search the vendor's documentation to ensure that...

Figure 3-11 Physical Addressing of Data Between Hosts

The process in Figure 3-11 is as follows:
1. Host A logically addresses the data for Host B but physically addresses it to 00:05:9A:3C:78:00, the router interface physical address.
2. The router receives the data, because it is physically addressed to it, but realizes that logically it must be delivered to Host B. Therefore, it rebuilds the frame, using the physical address of the interface on the same network as Host B...

Figure 3-12 Address Classes

Classless Interdomain Routing (CIDR)

Although the classful address space is a great idea, the truth is that not everyone needs networks with the number of hosts that each class of address provides. For example, if you have more than 255 hosts that you need to connect to a network, using the classful address space you have to bump up to a full Class B, providing for 65,534 hosts on the network. Obviously, that is far more hosts than is necessary. To address this deficiency, CIDR was implemented....

Figure 4-11 Trend Micro Internet Security Window

From this window, the user can modify the firewall profiles by clicking the Firewall Profiles button in the middle of the window. This opens up the profile selection window shown in Figure 4-12. At this window, users can choose to enable or disable the firewall as well as choose the specific profile they want to apply to the firewall. Additionally, they can add and configure a new profile if the default profiles are insufficient to meet their needs.

Figure 4-12 Trend Micro Firewall Profiles

The default profiles include an office network connection, a home network connection, a wireless network connection, and a direct connection to the Internet. Each one has specific exceptions to the firewall policy for various services. The office network, wireless network, and direct connection profiles each have a list of specific exceptions for various services such as HTTP, Secure Shell (SSH), DNS, and others in the firewall profile. The home network profile, however, has no preconfigured...

Figure 4-14 Trend Micro Firewall Exception List

(Figure 4-14 fields: Profile Name, Security Level, Exception List, which defines the direction of Internet traffic, IP address or range of IP addresses, ports, and protocols for exceptions.)

This opens a new window where a wide variety of information about the exception can be entered, such as the protocol to use, the direction of traffic, the port number(s) the traffic uses, whether to...

Figure 4-15 Trend Micro Network Virus Emergency Center


Figure 4-2 Windows XP Control Panel

Choose Security Center at the lower-right corner of the window to open the Windows Security Center window. Choose Windows Firewall at the lower-left corner, as shown in Figure 4-3.

Figure 4-3 Windows Security Center


Figure 4-6 Program Exception List

There is a difference between specifying a program in the exceptions list and statically opening a TCP or UDP port. The difference comes from the fact that specifying a specific application in the exceptions list means that the port that the application listens on will be allowed through the firewall only if the defined application opens the port. The disadvantage to specifying the application in the exceptions is that if the port is used by another application, the firewall will not permit...

Figure 5-2 Port Range Forwarding

(Figure 5-2 diagram: External Host (Host B, 209.165.202.130) attempts to connect to 209.165.201.1 over TCP port 80; the router translates the address and forwards the traffic to the internal host (Host A, 10.1.1.100). Host A responds to 209.165.202.130 accordingly, with the router using NAT to translate the internal address...)

Figure 5-4 Basic Setup Screen


Figure 5-6 Filter Screen

If you want to filter by MAC address, just click the Edit MAC Filter Setting button and specify the MAC addresses that should be denied access. At the bottom of the screen are four radio button selections with the default setting in parentheses: Block Anonymous Internet Requests (Enabled). This setting prevents the router from being able to be pinged or otherwise connected to on the external interface, unless you have defined a port-forwarding filter. This should be enabled, but keep in mind that not...

Figure 5-7 Configuring Port Range Forwarding


Figure 5-8 Configuring Port Triggering


Figure 6-2 Cisco ASDM Launcher

Just enter the IP address or host name of the firewall and the appropriate username and password. If you do not use any form of AAA, leave the username blank and enter the enable password to connect to the firewall. The ASDM will parse the running configuration of the firewall and display the General Device Information screen, as shown in Figure 6-3. The ASDM is an intuitive GUI that you can use to configure the firewall in lieu of the CLI.

Figure 6-3 General Device Information Screen


Figure 6-4 Logging Filters Screen

As you can see, the previous commands we ran are shown in this screen, and you can edit or...

Figure 6-6 ASDM Log Messages

Configuring Logging to a Remote Syslog Server

Although logging to the console, monitor, or ASDM can be handy for troubleshooting problems and viewing log messages while logged in to the firewall, if you need to store logs for long-term archive or auditing purposes, you need to configure the firewall to transmit the syslog messages to a remote syslog server. Like the previous logging methods, you must first enable logging in general by running the logging on command. Then, you need to define what...

Figure 7-4 Packet Traversal of NetFilter Tables and Chains

Packets need not traverse every chain in the NetFilter system. It all depends on the destination of the packet as well as what rules are applicable and whether NAT is involved. Although the configuration of NetFilter firewalls using the iptables utility may appear to be a daunting task, you can also configure NetFilter through a variety of graphical interface tools such as Firewall Builder, Firestarter, or Webmin. Some examples to follow show how you can configure NetFilter using the iptables...

Figure 7-9 Webmin Firewall Modules

The focus during this discussion is on the Linux Firewall module because the Shoreline Firewall module requires the installation of additional files from the Shorewall project (http://www.shorewall.net). Webmin enables administrators to control all three tables in NetFilter (filter, mangle, and NAT) through either the Linux Firewall Webmin module or the Shorewall Webmin module, as shown in Figure 7-10.

Figure 8-13 Select Web Listener Screen

At the User Sets screen, select the users to whom the rule will apply and click Next. Review the configuration and click Finish to create the rule. Once again, if you want to apply the rule to the firewall, you must then click Apply in the management console. ISA Server 2004 contains a number of built-in application filters to provide for application layer inspection of the corresponding traffic. Configuring the application filters is performed in various locations within the management console....

Figure 8-14 Application Filters

A notable exception to this is the DNS filtering, which is configured under the General section of the management console by clicking Enable Intrusion Detection and DNS Attack Detection (by default both intrusion detection and DNS...

Figure 8-18 Web Proxy Configuration

Configuring the firewall client is a little bit more involved than the other client configurations. First, the firewall client must be installed on the client computers. This can be done in the following manners:
Via file sharing and manually running the installation
Via Active Directory Group Policy
Via silent installation scripts and integration with login scripts
Via Microsoft Systems Management Server (SMS)
During the firewall client installation, you must specify the ISA server that the...

Figure 8-2 ISA Server 2004 Management Console

In addition, some third-party web-based...

Figure 8-20 Firewall Client Settings Screen

Configuring the firewall to cache web data is a straightforward process. In the management console, navigate to the Cache screen, right-click the server, and choose Properties to launch the Server Cache Properties screen, as shown in Figure 8-21. Notice how the Cache icon has a red arrow pointing down, denoting that caching is not currently enabled.

Figure 8-3 External Network Interface Configuration

In addition, you also need to configure the routing table on the ISA server accordingly to support all networks it will need to reach, or you will need to install and configure Routing and Remote Access on the firewall to enable routing protocols such as OSPF or RIPv2. Finally, ensure that you disable any network services or applications that are not explicitly required by ISA Server 2004. Table 8-3 lists the core services that are required by ISA Server 2004, including the startup mode that should...

Figure 8-7 Creating an Access Rule

This will begin the New Access Rule Wizard. At the Welcome screen, assign an appropriate access rule name and click Next. At the Rule Action screen, select to Allow or Deny the traffic as appropriate and click Next. At the Protocols screen, you can select to apply the rule to All Outbound Traffic, Selec...

Figure 8-9 Add Network Entities Screen

After you have specified the appropriate source, click Next to be taken to the Access Rule Destinations screen. Once again, click Add and specify the destination traffic that the rule will apply to. When you have finished, click Next. At the User Sets screen, specify the users that the rule will apply to. Keep in mind that only web proxy clients and firewall clients perform authentication, so if you want the rule to apply to everyone, including unauthenticated users, just accept the default value of All...

Figure 9-3 Dual Firewall Architecture

The granular control in a dual-firewall architecture comes from the fact that each firewall controls a subset of all the traffic entering and exiting a network. Because untrusted (that is, external) traffic should never be allowed to directly access a trusted (that is, internal) network, the exterior firewall can be configured specifically to grant access to and from the DMZ segment and external systems. Similarly, the interior firewall can be configured to grant access to and from the DMZ...

Figure A-3 Microsoft Network Monitor Capture Window

TCPDump is a command-line-based packet-capture tool that is used primarily in Linux/UNIX-based environments. TCPDump is also available for use on Windows-based hosts (WinDump), but requires the installation of the WinPcap driver (as does Ethereal). TCPDump has a number of command-line options for use, allowing the user to log the captured packets for review as well as specify relatively complex filtering requirements. In fact, TCPDump and Ethereal use the same filtering language, so after you...

Figure A-5 Nessus Plug-In Screen

(Figure A-5 tabs: Nessusd host, Plugins, Credentials, Scan Options, Target, User, Prefs., KB, Credits. Visible plug-in entries include: ATA-186 password circumvention / recovery; CISCO IOS H.323 Protocol Implementation Flaws; CISCO IOS Interface blocked by IPv4 Packet; CISCO ONS Platform Vulnerabilities; CISCO Secure ACS Management Interface Login Overflow.)

When the scan has completed, Nessus launches the report containing the status of what was...

Firewall Security Policy

The firewall security policy (not to be confused with the general security policies discussed in Chapter 10, Firewall Security Policies) on the PIX firewall is what determines the traffic that will be permitted or denied by the firewall. To facilitate this, the PIX implements a combination of the following elements to assist in making filtering decisions:
Separate the network into zones based on security levels
Use ACLs to permit or deny traffic
Apply Network Address Translation (NAT)
Apply...

Firewalls Manage and Control Network Traffic

The first and most fundamental functionality that all firewalls must perform is to manage and control the network traffic that is allowed to access the protected network or host. Firewalls typically do so by inspecting the packets and monitoring the connections that are being made, and then filtering connections based on the packet-inspection results and connections that are observed. Packet inspection is the process of intercepting and processing the data in a packet to determine whether it...

Firewalls Protect Resources

The single most important responsibility of a firewall is to protect resources from threats. This protection is achieved through the use of access control rules, stateful packet inspection, application proxies, or a combination of all of these to prevent the protected host from being accessed in a malicious manner or being made susceptible to malicious traffic. Firewalls are not an infallible method of protecting a resource, however, and you should never rely exclusively on the firewall to protect a host....

Firewall Specific Information

NIST Guidelines on Firewalls and Firewall Policy
Firewall Software and Internet Security FAQ, white paper.html
General Firewall Configuration Guide
Personal Firewalls for Remote Access Users
Windows ICF
Linksys Firewalls, http://www.linksys.com
Cisco PIX Firewalls, http://www.cisco.com/go/pix
Cisco ASA, http://www.cisco.com/go/asa
Yahoo Groups PIX Firewall, http://groups.yahoo.com/group/PIX_Firewall
Linux NetFilter, http://www.netfilter.org
Linux IPChains
Firestarter, http://www.fs-security.com...

High Availability Firewall Designs

Because firewalls have become critical infrastructure components on the network, it is important to ensure that the firewall, and the functionality that it provides, is always available and accessible. Firewall high availability (HA) and redundancy is typically handled in one of two ways Regardless of the failover method, firewall HA relies on implementing two firewalls in a parallel configuration. With an active passive system, one firewall is actively passing traffic while the other firewall...

How Firewalls Use Protocols Applications and Services

Now that you understand what protocols, applications, and services are, how do firewalls use them? Because the primary objective of a firewall is to protect a host or network from access, and protocols, applications, and services define how hosts are accessed from the network, firewalls can use the information from protocols, applications, and services to make filtering decisions and grant or deny access. For example, if you want to allow web access to a system, technically what you are doing is...

How the IP Routing Process Works

For all the apparent complexity involved in routing, the routing process itself is a pretty simple and straightforward process. In fact, when you understand the routing process fundamentals, it does not matter how large or small the network is; the process is exactly the same. To illustrate the routing process, look at Figure 3-15. This example shows two hosts, Host A and Host B, on two separate networks. Host A has an IP address of 10.1.1.100 and a MAC address of 00:05:9A:3C:78:50. Host B has an...

How the Trend Micro Firewall Works

The Trend Micro firewall works as a blend of a traditional stateful firewall and an intrusion detection system (IDS). An IDS monitors the traffic in and out of the protected system for attacks, and upon detection of an attack it can alert the user. Most IDSs detect attacks by matching the network traffic against a signature of the attack. A signature is like a fingerprint. It identifies an attack by matching the network traffic (the evidence) against a known signature describing the attack (the...

How This Book Is Organized

This book provides a building-block approach to the material. The initial focus is on the basics of firewalls and a review of TCP/IP. Although the book is intended to be read cover to cover, it can also provide point references for various products and concepts. Chapters 1 through 3 provide the necessary background to firewalls and TCP/IP concepts as they relate to firewalls. The core content lies in Part II and Part III, where the focus shifts to how various firewall products are implemented...

How Windows Firewall Works

By default, Windows Firewall comes with an assigned security profile. This profile provides what are termed as exceptions for Print and File Sharing as well as Remote Assistance and Universal Plug-and-Play (UPnP) with the local subnet. The local subnet is defined as the local network that the system is connected to. If the system is connected to multiple networks (for example, if the system has multiple interfaces), these network ranges are considered part of the local subnet. These services...

ICMP Message Structure

ICMP controls the data being transmitted over the network through the use of numerous message types. Each ICMP message type contains specific formatting related to its function, but most implement a header and data field of varying lengths. All ICMP messages begin with the same 32 bits of data. First, 8 bits of data known as the TYPE field define the ICMP type. Next, 8 bits of data known as the CODE field provide additional information specific to the message type. Then, 16 bits of data known...

Internet Firewall with Multiple DMZs

The Internet firewall with multiple DMZs is similar to the single DMZ architecture, the only real difference being that there will be multiple single-homed DMZ segments coming off the firewall. There is no practical limit to the number of DMZ segments, the only real restriction being the number of interfaces the firewall can support. This architecture is typically implemented when the need to separate resources on different and distinct DMZ segments exists. With a single DMZ, all resources that will be...

IPTables Command Line Tool

The iptables command-line tool works very much like the older ipchains tool. The iptables utility provides for several commonly used actions (known as targets) for packets that match the filter rules:

ACCEPT: Let the packet through.
QUEUE: Pass the packet to userspace.
RETURN: Stop processing this chain and resume at the next rule in the previous chain.
REJECT: Send an error packet when a matched packet is detected.
MASQUERADE: Map the source IP address to the IP address of the interface that the...

Logging and Log Analysis Tools

Most firewalls can log events related to traffic that has been permitted or denied. Unfortunately, the sheer volume of data from even a moderately sized environment can quickly become unmanageable. Most firewalls use one of two types of logging methods:

Syslog: Implemented by most firewalls; uses a relatively simple UDP-based (although the Cisco Secure PIX Firewall also supports TCP) client/server logging method.
Open Platform for Security Log Export Application Programming Interface (OPSEC...

Maintaining the Underlying Platform

As with any device on the network, firewalls run software (whether it is embedded in an application-specific integrated circuit (ASIC), runs from Flash memory, or runs from a disk file system) to be able to perform their functions. Typically, as in the case of the Cisco PIX and ASA platforms as well as NetScreen and other vendor firewalls, these firewalls run a custom operating system whose source code is not available to the general community for review or tampering. If a bug or vulnerability...

Maintaining URL Filters

One of the biggest problems with URL filtering is the maintenance required of the URL database. To help network administrators maintain their URL filters and keep them as up-to-date as possible, many vendors turn to a subscription service whereby the filtering server at the client site connects to a web server at the vendor's location and downloads a database of URLs with default settings associated with each URL. This service conveniently allows administrators to keep relatively current with...

Modifying the Configuration

As with any device, from time to time you will need to modify the configuration of the firewall. Whether it is a new device brought on line to access the Internet or the addition of a new web server behind the firewall, it is necessary to change the firewall configuration. The problem with modifying the configuration comes down to change control: ensuring that changes made to a firewall are tracked and logged in case of problems. These issues are discussed in the sections that follow. Change control is defined as the process and procedures to manage...

NAT Firewalls

A distinct firewall that existed for a short period is the Network Address Translation (NAT) firewall. In today's firewall market, NAT is a part of almost every firewall product available. From the lowliest SOHO firewall such as the Linksys BEFSX41 to the high-end enterprise PIX 535, NAT is now a function of a firewall. NAT firewalls automatically provide protection to systems behind the firewall because they only allow connections that originate from the inside of the firewall. The basic...

Network Address Translation (NAT)

NAT was developed to address a couple of concerns. First, the number of public IP addresses available on the Internet was becoming depleted. Second, because of the interconnectivity of networks, it was possible for an administrator to assign a set of IP addresses to a network that someone else might be using. This is a common situation when two companies and their respective networks are combined. NAT addresses these two concerns by providing a mechanism by which any number of IP addresses can...

Performing Application Filtering

Application filtering is one of the most difficult types of filtering that firewalls perform, because it requires the firewall to process the data at the application layer (Layer 7) of the OSI model. Application filtering is one of the two primary components of an application proxy firewall, the other being the proxy functionality provided by the firewall. Chapter 2, Firewall Basics, and Chapter 8, Application Proxy Firewalls, discuss application proxy firewalls in more detail. The purpose of application...

Protocols Services and Applications

As mentioned, TCP/IP provides a mechanism to allow systems to communicate with each other across a network. If we refer back to our language analogy, most spoken languages have certain rules that define how communication occurs. By adhering to these rules, one is then able to understand and comprehend what is being communicated. TCP/IP follows a similar process to define how communication will occur through the use of protocols, services, and applications. You cannot just start...

Single Firewall System

With a single-firewall architecture, the firewall system consists of the following layers:

Network segment between the external router and firewall

Figure 9-4 depicts this architecture. At the outermost layer of the firewall system, the external router should be the first point of control of traffic entering (ingress filtering) and exiting (egress filtering) your network. The only traffic that should be allowed to traverse the router is traffic destined for the firewall or resources being...

Software Firewalls

Software firewalls are installed on top of an all-purpose generic operating system. Software firewalls include the Sun SunScreen firewall, IPF, the Microsoft ISA Server, Check Point NG, Gauntlet, Linux's IPTables, and FreeBSD and OpenBSD's pf packet filter. Typically, the vendor's firewall software suite includes patches as well as configuration changes that must be applied to harden the underlying operating system from attack, or to include a kernel module or driver for the firewall to operate...

Step 8: Verify That Any Dependent Non-Firewall-Specific Systems Are Not the Culprit

Something else to consider in troubleshooting is the dependent services and systems that are not firewall specific, or for which the firewall administrator might not be responsible. This includes the systems that are being protected by the firewall. Common services to examine are name resolution processes such as DNS and WINS. Many times, someone will attempt to access a resource by name through the firewall and, when the request fails, assume that the firewall is the problem. However, if name...

Summary

Application proxy firewalls can perform a specialized role in managing the security of an enterprise by providing for application layer inspection of the data that is being controlled. This allows application proxies to make filtering decisions not only based on the protocol or port that traffic is using, but also by looking at the raw data and making a filtering determination based on the application itself, for example differentiating between malicious and non-malicious web traffic. Microsoft ISA...

Target Audience

The target audience for this book is novice network administrators, home users, and corporate employees who are telecommuting but want to use a firewall to protect their network. This book does not aim to be a thorough reference on firewalls and all of their capabilities. Instead, the focus is predominantly on smaller firewalls such as the Cisco PIX 501E, Linksys, and personal firewalls such as Windows Firewall and Trend Micro's Firewall. The reader of this book is expected to have some...

TCP Segment Header

Like IP, the TCP segment header typically consists of five 32-bit words, with the potential for optional words containing additional options and the relevant padding to make 32 bits of data. Figure 3-9 depicts the TCP segment header.

Figure 3-9. TCP Segment Header Structure

The fields of the TCP segment header and their meanings are as follows:

Source Port (16 bits): This field represents the source protocol or application. This allows the source to know which application the data belongs to so...

The Department of Defense (DoD) Model

Although OSI is a protocol-independent framework for defining communications, and thus is portable and applicable to almost all network communications, it does not always map directly to a particular communications process. For example, just because the OSI model defines seven distinct layers does not mean that there must be seven distinct communications processes or protocols in use. In many cases, a protocol may implement functions that span multiple layers (for example, TCP, which has some...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at...

The Difference Between Policies Standards Guidelines and Procedures

One of the more confusing elements of security policies is the interaction between policies, standards, guidelines, and procedures. First, let's define what we mean by each:

Policy: A policy is a document that outlines the requirements or rules that must be met. Policies frequently refer to standards or guidelines as the basis for their existence. The scope of a policy tends to be a broad, high-level statement of intent. An example of a policy is an Encryption Use Policy, which might state to the...

The Syslog Protocol

The syslog protocol is the de facto standard method of providing event notification messages across the network. Syslog is defined by RFC 3164 and uses UDP as the default transport mechanism (typically over UDP port 514). By using UDP, syslog gains the advantage of being a low-overhead connectionless delivery method (thus requiring fewer resources on the systems doing the logging), but that also results in syslog being an inherently unreliable delivery method. Although not common,...

Transmission Control Protocol (TCP)

TCP is a connection-oriented transport mechanism that resides at Layer 4 of the OSI model. TCP implements the concept of sessions between hosts to serve as virtual circuits upon which higher-layer data and communications are delivered. In doing so, TCP addresses the inherent unreliability of lower-layer protocols such as IP, providing a means of ensuring that data is accurately and reliably transmitted between hosts. The foundation of TCP is the creation of a session between hosts. This is...

Trend Micro Firewall Features

Like the Windows Firewall, the Trend Micro firewall is a stateful firewall that keeps track of outbound packets and allows inbound response packets to reach the destination host. In addition, the firewall security level can easily be set according to a predefined level of Low, Medium, or High. Coupled with the IDS and antivirus features in PC-cillin, the firewall can identify and stop a network virus or worm before it damages the underlying host operating system and spreads to other systems.

Types of Routing

Fundamentally, there are three types of routing:

Static routing is the process of an administrator manually entering, maintaining, updating, and removing the routes that a router is configured with. Static routing is a time-consuming process and in most cases should not be used. Notable exceptions to this are in small networks or in the network perimeter, as discussed in Chapter 9, Where Firewalls Fit in a Network.

Default routing, also known as the route of last resort, provides a mechanism to...

Using Firewalls to Segment Internal Resources

Perhaps the most overlooked implementation of a firewall is on the internal network. Many companies make the mistake of considering their entire internal network to be a trusted network. Unfortunately, the prevalence of worms and viruses today undermines this philosophy. Companies are repeatedly decimated by worms that spread unchecked throughout the network because there are no firewalls implemented on the internal network to segment and control internal traffic. In a...

Viruses Worms and Trojans

It seems like as long as there have been computer systems, there has been someone willing to make malicious software to attack them. Although the terms virus, worm, and trojan are often used interchangeably to refer to malicious software, each term has its own distinct qualities and attributes that you need to understand. Viruses are pieces of malicious code that typically are attached to legitimate software. For example, an attacker might make a game for use on a computer that includes the...

Warning and Disclaimer

This book is designed to provide information about firewalls. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may...

What Is a Firewall

When most people think of a firewall, they think of a device that resides on the network and controls the traffic that passes between network segments, such as the firewall in Figure 1-1 (a network-based firewall). However, firewalls can also be implemented on systems themselves, such as with Microsoft Internet Connection Firewall (ICF), in which case they are known as host-based firewalls. Fundamentally, both types of firewalls have the same objective: to provide a method of enforcing an access...

Where Application Firewalls Fit in a Network

The closer you come to the resource that needs to be protected, the more intelligent and specific you can get in filtering traffic directed at that resource. Because application firewalls enable you to perform deep packet inspection and filter based on the raw application data, they are best suited for implementation close to the resources they protect. There are a couple of reasons for this. First, many application firewalls cannot filter traffic for which a proxy does not exist. As a result,...

Why Logging Is Important

It is easy to say that you should log events from your firewalls because doing so provides insight as to the status of your firewall, but there are a number of specific and tangible benefits to logging:

Improves network administration, troubleshooting, and debugging
Helps to determine the health of the system
Provides intrusion detection and incident containment
Facilitates performing forensic analysis

Improved Network Administration, Troubleshooting, and Debugging

If there is one certainty in...

Windows Firewall Checklist

When configuring Windows Firewall, you must configure several features depending on the system role in the network. The answers to the following questions will depend on whether the system will connect using a public network (such as a wireless network in a coffee shop or a library) or a private network (such as a corporate LAN or home network) or both. Additionally, Windows Firewall settings on servers that may be configured as a web server, an authentication server, or a database server will...