Appendix A Firewall and Security Tools

The nature of firewalls and how they can be used to manipulate and control network traffic can make it difficult to troubleshoot network problems where firewalls are involved. Similarly, firewalls can introduce some unique and special requirements for managing and maintaining the firewall and the firewall configuration. This appendix examines some common tools and tool usage to assist in troubleshooting, managing and maintaining firewalls.

Applications That Are Hard to Firewall

The difficulty with application firewalls stems from the fact that the transaction between the client and server is complex, and can be made more so if the protocol or the data in the communication expand, which increases the complexity of the transaction. Protocols such as eXtensible Markup Language (XML) and Simple Object Access Protocol (SOAP) make web application firewalls especially tricky. To provide proper web application security, the application firewall must have a detailed understanding of...

Assigning IP Addresses to the Firewall Interfaces

To communicate on the network, the firewall needs to have IP addresses assigned to the firewall interfaces. The process of doing this changed between PIX/ASA version 6.x and 7.x, but the fundamental steps are the same: enable the interface, configure the interface itself, and assign an IP address to the interface. To assign IP addresses to the PIX interfaces, the administrator must enter configuration mode. Because the PIX uses a command interface that is similar to IOS, administrators enter...

Bad UDP

UDP is such a simple protocol that there is not a whole lot that can be done with the protocol itself to account for bad UDP traffic. UDP is particularly effective as a source of bad traffic because it is connectionless. Therefore, it is a great candidate for spoofing. Malicious users can generate traffic as a different host, and because UDP is connectionless and responses are not expected, they do not really care that the targeted host is sending the responses to the wrong host. UDP is also a...

Going Beyond Basic Firewall Features

Modern firewalls provide a wide variety of significant services to the end user, whether it is a personal firewall or a network firewall used to protect an enterprise network. Firewall capabilities have increased dramatically over the past few years, and they have quickly become a nexus of security services to a network (or an individual machine). This increase of capabilities has caused firewall administrators to reevaluate and in some cases redefine the expectations of what a firewall can do....

TCP/IP for Firewalls

Much like humans may speak English, German, or Russian, computers may speak any number of languages, IPX/SPX, AppleTalk, and TCP/IP being just a few of them. Because of the portability and scalability of TCP/IP, TCP/IP has been settled on as the de facto standard method for providing communication services between hosts on a network and in particular across the Internet. Much like a human language, TCP/IP has a defined structure and set of rules that control how hosts communicate. Therefore,...

Choosing Between the PIX and the ASA

One of the first questions to answer when trying to determine what Cisco firewall your environment requires is what the difference between the Cisco PIX Firewall and the Cisco ASA is. The ASA is essentially the latest version of the Cisco firewall solution and is based largely on the PIX software. In fact, the Cisco ASA and enterprise versions of the PIX (PIX 515E and larger) actually run the same firewall software starting with the 7.x code base. In the case of the PIX, this firewall software...

Configuring the Cisco PIX/ASA

Complete configuration of the Cisco PIX is beyond the scope of this book. However, we can cover some of the initial steps required to set up the PIX and to allow an administrator access to the graphical user interface (GUI), the Adaptive Security Device Manager (ASDM) (previously known as the PIX Device Manager (PDM) for software versions prior to 7.0). To initially configure a PIX out of the box, connect a serial connector to the console port of the PIX (which is typically outlined with a...

Default Passwords

When you purchase a new firewall (or any network device in general) such as a Cisco PIX, a Linksys, a NetScreen, or a SonicWall, out of the box the device has some default passwords set (and in some cases there is no default password). This is because the manufacturer must allow for initial access to the device for the end user to configure it. Most recent documentation for any device admonishes the end user to immediately change the default password to something else. Table 11-1 shows common...

Determining If You Need a Firewall

It is convenient (and accurate) to say that you always need a firewall if you are connecting to the Internet. Firewalls should not be relegated exclusively to the realm of providing access to and protection from Internet-based resources. Instead, you should consider implementing a firewall any time a resource needs to be protected, regardless of where the protected resource is located, or where the requesting traffic will be coming from. Firewalls can, and in many cases should, be used to...

Dual Firewall System

With a dual-firewall architecture, the firewall system consists of the following layers: Network segment between external router and exterior firewall. Figure 9-5 depicts a dual-firewall system; its labels show ingress filtering at the interior firewall, ingress filtering at the exterior firewall, and egress filtering at the external router. The only real physical difference with the dual-firewall system over the...

Example 11-4 Using RCS for Configuration Control

Enter description, terminated with single '.' or end of file:
>> Initial configuration of external edge router
root@sauron:configs 127# ls -l
total 26
drwxrwx---   2 root  sysadmin    512 Aug 29 10:06 RCS
-rw-r-----   1 root  other     11879 Aug 29 10:06 frodo.cfg

The ci command checks the configuration into the repository. The -i flag tells the RCS software to create a new repository. The co command is used to check items out of the repository. The -l flag also locks the file to the specific user who issued the co command....

Example 11-5 Checking in Changes to the RCS Repository

new revision: 1.2; previous revision: 1.1
enter log message, terminated with single '.' or end of file:
>> Added new external NAT address, 172.16.45.152 -> 192.168.155.152 - idubraws
root@sauron:configs 33# ls -l
total 2
drwxrwx---   2 root  sysadmin    512 Aug 29 10:20 RCS

RCS, CVS, and other open source revision-control systems provide an easy, low-cost way of managing configuration changes. Change-control logging is the process by which information is entered in the change-control system made to a...

Example 11-6 Viewing the RCS Log for Configuration Changes

root@sauron:configs 136# rlog frodo.cfg
total revisions: 2;  selected revisions: 2
Initial configuration of external edge router
date: 2005/08/29 14:19:59;  author: root;  state:
Added new external NAT address, 172.16.45.152 ->
date: 2005/08/29 13:51:42;  author: root;  state:

The output in Example 11-6 provides a lot of information. For example, the working file is identified line. In addition, it shows how many revisions have been made to the file (in the example, two revisions made). A description of the file...

Example 13-1 Telnetting to TCP Port 80 to Test Connectivity

C:\Documents and Settings\wnoonan> telnet web server 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 2795
Content-Type: text/html
Content-Location: http://192.168.173.101/Default.htm
Last-Modified: Tue, 23 Nov 2004 05:23:47 GMT
ETag: "f9fcf19b1cd1c41:336"
Connection: close
<additional output snipped>

By just telnetting to TCP port 80 and typing GET / HTTP/1.0 and then pressing Enter a few times, I can retrieve the default web page for the server, which at least verifies that the target host is...

Example 14-1 Using Telnet to Access a Server on TCP Port 443 (HTTPS)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>400 Bad Request</title>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a ...
<address>Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7d DAV/2 www.innocentvictimcompany.com Port 443</address>
Connection to 10.16.17.223 closed by...

Example 14-2 OpenSSL

openssl s_client -connect 10.16.17.223:443
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky
verify error:num=18:self signed certificate
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky
verify error:num=10:certificate has expired
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
notAfter=Oct  6 01:35:00 2005 GMT
verify return:1
 0 s:/C=US/ST=Maryland/L=Silver Spring/O=...

Example A-1 ACL to Permit Only Certain ICMP Message Types

As a best practice, your external firewall interface (and all corresponding IP addresses) should not allow any other ICMP traffic. This will prevent someone from being able to ping the firewall external IP address to determine whether it is accessible, and will also protect against malicious ICMP-based traffic such as a ping of death. Another aspect of reachability is to show how the device was reachable. In other words, what path through the network was taken to the destination host? To answer...

Example A-9 Nmap Usage Screen

C:\Download\Hacking Tools\Nmap\nmap-3.93> nmap
Nmap 3.93 Usage: nmap [Scan Type(s)] [Options] <host or net
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service &
  -sR RPC scan (use with other scan types)...

Figure 11-3 Cisco PIX Device Manager


Figure 11-5 Webmin IPTables Rules Interface


Figure 11-9 Final Security Settings for Folder

The folder Properties dialog shows the General, Web Sharing, Sharing, and Security tabs, the option Allow inheritable permissions from parent to propagate to this object, and a permission entry for the administrator account in the DUBRAWSKY_GRG domain. When that is accomplished, access to the folder is limited to only those with the proper credentials, as shown in Figure 11-10.

Figure 12-3 Microsoft ISA Server Log Data


Figure 13-6 Verifying Firewall Functioning

If the firewall is up and running, the next step is to test the Internet connection on the outside interface of the firewall. You can do this by pinging a system out on the Internet. Doing so is somewhat tricky because many networks filter out unsolicited ICMP requests. However, some of the...

Figure 13-8 Checking Server Connectivity

In this example, the assumption is that the web server is not responding because it does not respond to a ping or to the Telnet connection to the web server port, 80. In more complex cases, you might need to review the firewall configuration to ensure that it is not blocking the traffic unnecessarily. Also, consider that in some cases it is not your end of the connection that may be problematic but the other end. In many cases, you might need to search the vendor's documentation to ensure that...

Figure 4-12 Trend Micro Firewall Profiles

The default profiles include an office network connection, a home network connection, a wireless network connection, and a direct connection to the Internet. Each one has specific exceptions to the firewall policy for various services. The office network, wireless network, and direct connection profiles each have a list of specific exceptions for various services such as HTTP, Secure Shell (SSH), DNS, and others in the firewall profile. The home network profile, however, has no preconfigured...

Figure 4-14 Trend Micro Firewall Exception List

The screen shows the Profile Name, Security Level, and Exception List fields, where you define the direction of Internet traffic, IP address or range of IP addresses, ports, and protocols for exceptions. This opens a new window where a wide variety of information about the exception can be entered, such as the protocol to use, the direction of traffic, the port number(s) the traffic uses, whether to...

Figure 4-15 Trend Micro Network Virus Emergency Center


Figure 4-3 Windows Security Center


Figure 5-4 Basic Setup Screen


Figure 5-6 Filter Screen

If you want to filter by MAC address, just click the Edit MAC Filter Setting button and specify the MAC addresses that should be denied access. At the bottom of the screen are four radio-button selections, with the default setting in parentheses: Block Anonymous Internet Requests (Enabled). This setting prevents the router from being pinged or otherwise connected to on the external interface, unless you have defined a port-forwarding filter. This should be enabled, but keep in mind that not...

Figure 5-8 Configuring Port Triggering


Figure 6-3 General Device Information Screen


Figure 7-9 Webmin Firewall Modules

The focus during this discussion is on the Linux Firewall module because the Shoreline Firewall module requires the installation of additional files from the Shorewall project (http://www.shorewall.net). Webmin enables administrators to control all three tables in NetFilter (filter, mangle, and NAT) through either the Linux Firewall Webmin module or the Shorewall Webmin module, as shown in Figure 7-10.

Figure 8-13 Select Web Listener Screen

At the User Sets screen, select the users who the rule will apply to and click Next. Review the configuration and click Finish to create the rule. Once again, if you want to apply the rule to the firewall, you must then click Apply in the management console. ISA Server 2004 contains a number of built-in application filters to provide for application layer inspection of the corresponding traffic. Configuring the application filters is performed in various locations within the management console....

Figure 8-2 ISA Server 2004 Management Console

In addition, some third-party web-based...

Figure 8-3 External Network Interface Configuration

In addition, you also need to configure the routing table on the ISA server accordingly to support all networks it will need to reach, or you will need to install and configure Routing and Remote Access on the firewall to enable routing protocols such as OSPF or RIPv2. Finally, ensure that you disable any network services or applications that are not explicitly required by ISA Server 2004. Table 8-3 lists the core services that are required by ISA Server 2004, including the startup mode that should...

Figure 8-9 Add Network Entities Screen

After you have specified the appropriate source, click Next to be taken to the Access Rule Destinations screen. Once again, click Add and specify the destination traffic that the rule will apply to. When you have finished, click Next. At the User Sets screen, specify the users that the rule will apply to. Keep in mind that only web proxy clients and firewall clients perform authentication, so if you want the rule to apply to everyone, including unauthenticated users, just accept the default value of All...

Figure 9-3 Dual Firewall Architecture

The granular control in a dual-firewall architecture comes from the fact that each firewall controls a subset of all the traffic entering and exiting a network. Because untrusted (that is, external) traffic should never be allowed to directly access a trusted (that is, internal) network, the exterior firewall can be configured specifically to grant access to and from the DMZ segment and external systems. Similarly, the interior firewall can be configured to grant access to and from the DMZ...

Figure A-5 Nessus Plug-In Screen

The Nessus client shows the Nessusd host, Plugins, Credentials, Scan Options, Target, User, Prefs., KB, and Credits tabs. Plugins visible in the list include CISCO ATA-186 password circumvention / recovery, CISCO IOS H.323 Protocol Implementation Flaws, CISCO IOS Interface blocked by IPv4 Packet, CISCO ONS Platform Vulnerabilities, and CISCO Secure ACS Management Interface Login Overflow. When the scan has completed, Nessus launches the report containing the status of what was...

Firewall Security Policy

The firewall security policy (not to be confused with the general security policies discussed in Chapter 10, Firewall Security Policies) on the PIX firewall is what determines the traffic that will be permitted or denied by the firewall. To facilitate this, the PIX implements a combination of the following elements to assist in making filtering decisions: separate the network into zones based on security levels; use ACLs to permit or deny traffic; apply Network Address Translation (NAT); apply...

Firewalls Manage and Control Network Traffic

The first and most fundamental functionality that all firewalls must perform is to manage and control the network traffic that is allowed to access the protected network or host. Firewalls typically do so by inspecting the packets and monitoring the connections that are being made, and then filtering connections based on the packet-inspection results and connections that are observed. Packet inspection is the process of intercepting and processing the data in a packet to determine whether it...

Firewall Specific Information

NIST Guidelines on Firewalls and Firewall Policy
Firewall Software and Internet Security FAQ, white paper.html
General Firewall Configuration Guide
Personal Firewalls for Remote Access Users
Windows ICF
Linksys Firewalls, http://www.linksys.com
Cisco PIX Firewalls, http://www.cisco.com/go/pix
Cisco ASA, http://www.cisco.com/go/asa
Yahoo Groups PIX Firewall, http://groups.yahoo.com/group/PIX Firewall
Linux NetFilter, http://www.netfilter.org
Linux IPChains
Firestarter, http://www.fs-security.com...

How Firewalls Use Protocols Applications and Services

Now that you understand what protocols, applications, and services are, how do firewalls use them? Because the primary objective of a firewall is to protect a host or network from access, and protocols, applications, and services define how hosts are accessed from the network, firewalls can use the information from protocols, applications, and services to make filtering decisions and grant or deny access. For example, if you want to allow web access to a system, technically what you are doing is...

How the IP Routing Process Works

For all the apparent complexity involved in routing, the routing process itself is a pretty simple and straightforward process. In fact, when you understand the routing process fundamentals, it does not matter how large or small the network is; the process is exactly the same. To illustrate the routing process, look at Figure 3-15. This example shows two hosts, Host A and Host B, on two separate networks. Host A has an IP address of 10.1.1.100 and a MAC address of 00:05:9A:3C:78:50. Host B has an...

How This Book Is Organized

This book provides a building-block approach to the material. The initial focus is on the basics of firewalls and a review of TCP/IP. Although the book is intended to be read cover to cover, it can also provide point references for various products and concepts. Chapters 1 through 3 provide the necessary background to firewalls and TCP/IP concepts as they relate to firewalls. The core content lies in Part II and Part III, where the focus shifts to how various firewall products are implemented...

How Windows Firewall Works

By default, Windows Firewall comes with an assigned security profile. This profile provides what are termed as exceptions for Print and File Sharing as well as Remote Assistance and Universal Plug-and-Play (UPnP) with the local subnet. The local subnet is defined as the local network that the system is connected to. If the system is connected to multiple networks (for example, if the system has multiple interfaces), these network ranges are considered part of the local subnet. These services...

Internet Firewall with Multiple DMZs

The Internet firewall with multiple DMZs is similar to the single DMZ architecture, the only real difference being that there will be multiple single-homed DMZ segments coming off the firewall. There is no practical limit to the number of DMZ segments, the only real restriction being the number of interfaces the firewall can support. This architecture is typically implemented when the need to separate resources on different and distinct DMZ segments exists. With a single DMZ, all resources that will be...

Logging and Log Analysis Tools

Most firewalls can log events related to traffic that has been permitted or denied. Unfortunately, the sheer volume of data from even a moderately sized environment can quickly become unmanageable. Most firewalls use one of two types of logging methods: Syslog, implemented by most firewalls, uses a relatively simple UDP-based (although the Cisco Secure PIX Firewall also supports TCP) client/server logging method. Open Platform for Security Log Export Application Programming Interface (OPSEC...

Maintaining the Underlying Platform

As with any device on the network, firewalls run software (whether it is embedded in an application-specific integrated circuit (ASIC), runs from Flash memory, or runs from a disk file system) to be able to perform their functions. Typically, as in the case of the Cisco PIX and ASA platforms as well as NetScreen and other vendor firewalls, these firewalls run a custom operating system whose source code is not available to the general community for review or tampering. If a bug or vulnerability...

Maintaining URL Filters

One of the biggest problems with URL filtering is the maintenance required of the URL database. To help network administrators maintain their URL filters and keep them as up-to-date as possible, many vendors turn to a subscription service whereby the filtering server at the client site connects to a web server at the vendor's location and downloads a database of URLs with default settings associated with each URL. This service conveniently allows administrators to keep relatively current with...

Modifying the Configuration

As with any device, from time to time you will need to modify the configuration of the firewall. Whether it is a new device brought on line to access the Internet or the addition of a new web server behind the firewall, it is necessary to change the firewall configuration. The problem with modifying the configuration comes down to change control: ensuring that changes made to a firewall are tracked and logged in case of problems. These issues are discussed in the sections that follow. Change control is defined as the process and procedures to manage...

NAT Firewalls

A distinct firewall that existed for a short period is the Network Address Translation (NAT) firewall. In today's firewall market, NAT is a part of almost every firewall product available. From the lowliest SOHO firewall such as the Linksys BEFSX41 to the high-end enterprise PIX 535, NAT is now a function of a firewall. NAT firewalls automatically provide protection to systems behind the firewall because they only allow connections that originate from the inside of the firewall. The basic...

Protocols Services and Applications

As mentioned, TCP/IP provides a mechanism to allow systems to communicate with each other across a network. If we refer back to our language analogy, most spoken languages have certain rules that define how the communication occurs. By adhering to these rules, one is then able to understand and comprehend what is being communicated. TCP/IP follows a similar process to define how the communications will occur through the use of protocols, services, and applications. You cannot just start...

Single Firewall System

With a single-firewall architecture, the firewall system consists of the following layers: Network segment between the external router and firewall. Figure 9-4 depicts this architecture. At the outermost layer of the firewall system, the external router should be the first point of control of traffic entering (ingress filtering) and exiting (egress filtering) your network. The only traffic that should be allowed to traverse the router is traffic destined for the firewall or resources being...

Step 8: Verify That Any Dependent Non-Firewall-Specific Systems Are Not the Culprit

Something else to consider in troubleshooting is the dependent services and systems that are not firewall specific or for which the firewall administrator might not be responsible. This includes the systems that are being protected by the firewall. Common services to examine are name resolution processes such as DNS and WINS. Many times, someone will attempt to access a resource by name through the firewall and, when the request fails, assume that the firewall is the problem. However, if name...

Summary

Application proxy firewalls can perform a specialized role in managing the security of an enterprise by providing for application layer inspection of the data that is being controlled. This allows application proxies to make filtering decisions not only based on the protocol or port that traffic is using, but also by looking at the raw data and making a filtering determination based on the application itself, for example, differentiating between malicious and non-malicious web traffic. Microsoft ISA...

TCP Segment Header

Like IP, the TCP segment header typically consists of five 32-bit words, with the potential for optional words containing additional options and the relevant padding to make 32 bits of data. Figure 3-9 (TCP Segment Header Structure) depicts the TCP segment header. The fields of the TCP segment header and their meanings are as follows: Source Port (16 bits): This field represents the source protocol or application. This allows the source to know which application the data belongs to so...

The Department of Defense (DoD) Model

Although OSI is a protocol-independent framework for defining communications, and thus is portable and applicable to almost all network communications, it does not always map directly to a particular communications process. For example, just because the OSI model defines seven distinct layers does not mean that there must be seven distinct communications processes or protocols in use. In many cases, a protocol may implement functions that span multiple layers (for example, TCP, which has some...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at...

The Difference Between Policies, Standards, Guidelines, and Procedures

One of the more confusing elements of security policies is the interaction between policies, standards, guidelines, and procedures. First, let's define what we mean by each: Policy: A policy is a document that outlines the requirements or rules that must be met. Policies frequently refer to standards or guidelines as the basis for their existence. The scope of a policy tends to be a broad, high-level statement of intent. An example of a policy is an Encryption Use Policy, which might state to the...

The Syslog Protocol

The syslog protocol is the de facto standard method of providing event notification messages across the network. Syslog is defined by RFC 3164 and uses UDP as the default transport mechanism (typically over UDP port 514). By using UDP, syslog gains the advantage of being a low-overhead, connectionless delivery method (thus requiring fewer resources on the systems doing the logging), but that also results in syslog being an inherently unreliable delivery method. Although not common,...

Transmission Control Protocol (TCP)

TCP is a connection-oriented transport mechanism that resides at Layer 4 of the OSI model. TCP implements the concept of sessions between hosts to serve as virtual circuits upon which higher-layer data and communications are delivered. In doing so, TCP addresses the inherent unreliability of lower-layer protocols such as IP, providing a means of ensuring that data is accurately and reliably transmitted between hosts. The foundation of TCP is the creation of a session between hosts. This is...

Warning and Disclaimer

This book is designed to provide information about firewalls. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may...

What Is a Firewall?

When most people think of a firewall, they think of a device that resides on the network and controls the traffic that passes between network segments, such as the firewall in Figure 1-1 (a network-based firewall). However, firewalls can also be implemented on systems themselves, such as with Microsoft Internet Connection Firewall (ICF), in which case they are known as host-based firewalls. Fundamentally, both types of firewalls have the same objective: to provide a method of enforcing an access...

Why Logging Is Important

It is easy to say that you should log events from your firewalls because doing so provides insight as to the status of your firewall, but there are a number of specific and tangible benefits to logging:

Improves network administration, troubleshooting, and debugging
Helps to determine the health of the system
Provides intrusion detection and incident containment
Facilitates performing forensic analysis

Improved Network Administration, Troubleshooting, and Debugging

If there is one certainty in...

Windows Firewall Checklist

When configuring Windows Firewall, you must configure several features depending on the system role in the network. The answers to the following questions will depend on whether the system will connect using a public network (such as a wireless network in a coffee shop or a library) or a private network (such as a corporate LAN or home network) or both. Additionally, Windows Firewall settings on servers that may be configured as a web server, an authentication server, or a database server will...

Figure 812 Public Name Details Screen

Doing so brings you to the Select Web Listener screen. The web listener allows you to define the external IP address and port number on which the firewall will listen for requests matching this rule. If you do not already have a listener defined, you can click New to launch the New Web Listener Definition Wizard. Doing so enables you to define the interfaces and IP addresses as well as the port numbers that the rule will use. You can also define the internal path that the...

Application Layer Filtering

Application proxy firewalls are the most intelligent firewall architecture. By intelligent, we mean that an application proxy firewall can perform the most detailed inspection on data before making a filtering decision. An application proxy firewall can decode and process at the application layer the data contained in packets. Consequently, application proxy firewalls can filter based on the actual application data content. For example, with a packet-filtering firewall, the firewall can merely...

Overview of IDS

Intrusion detection is an aspect of security whereby a device detects the fingerprint of an attack within the network. Modern IDSs use a variety of techniques to ensure that the alarms they raise correspond to actual attacks being conducted rather than false alarms. Many IDSs connect to the network through a port on a switch, and the interface that connects to that port captures traffic to a particular system or subnet, as shown in Figure 14-2. As firewall hardware has become more and more powerful,...

The IP Packet Header

The IP packet header is what tells an IP-based host what to do with the packet that was received. Think of it as an instruction manual that contains the "how to process this packet" information. Therefore, an attacker wanting to generate malicious traffic will frequently modify the IP packet header in such a way as to instruct the receiving host to do something harmful with the packet, or to instruct the host to do something it is not capable of doing in hopes that it causes the host to generate...

Deciphering Port Numbers

Like IP addresses, port numbers are not an absolute guarantee of what application or service may have been running. For example, many applications can run on any port that is configured, allowing things such as peer-to-peer file sharing to use a port such as TCP port 80 for communications, which will frequently allow the application to bypass most packet-filtering firewalls (but not necessarily application proxy or application-aware inspection firewalls) because TCP port 80 is frequently permitted...

Microsoft ISA Server 2004 Features

Microsoft ISA Server 2004 consists of two editions: Standard Edition and Enterprise Edition. The predominant differences between the Standard and Enterprise editions relate to scalability. Table 8-1 summarizes the differences between the Standard and Enterprise editions.

Table 8-1. Comparison of ISA Server 2004 Standard and Enterprise Editions

Unlimited, with the addition of enterprise networks (networks that can be app to any...

Updating the Firewall Software

The final topic to consider when managing firewalls is updating the firewall software. There are two update the software. One reason is to take advantage of new capabilities added to newer software v reason is the need to fix bugs and vulnerabilities in the software. Like all software, firewall software contains many lines of code. The code in the firewall may have been rigorously tested, but there wil that the software developers did not consider or just outright overlooked. A corner case is a...

Configuring the ACLs

Controlling traffic is the cornerstone of all firewalls, and the PIX ASA controls the flow of traffic through the firewall by implementing ACLs. PIX ASA ACLs are essentially linked lists of values known as ACL entries (ACEs) that are parsed in a top-down manner, with entries at the top of the ACL being processed before entries further down the ACL are processed. This processing is performed in a first-match manner, which means that as soon as the data being processed by an ACL is matched to an...

Configuring NAT Settings for Outbound Access

After the default route has been set, the PIX ASA is almost ready to pass traffic between the inside, higher-security interface and the outside, lower-security interface. In most situations, to provide for this outbound traffic functionality you need to configure NAT because the firewall will typically be hiding the internal network IP addresses from the external network resources using NAT. This is not a requirement, however (although it is generally recommended), and the PIX ASA 7.0 in...

How NetFilter Works

NetFilter, more commonly known by the name of its manipulation utility, iptables, works on the surface much like the ipchains firewall code of earlier Linux kernels. The first thing you need to understand about NetFilter is the concept of tables, chains, and rules. Tables are used to provide certain types of functionality, which are defined in more detail throughout this chapter. Chains define the path in which a packet can travel. The chains are made up of rules, which define what action...

The OSI Model

OSI Model Encapsulation Process

The OSI model is a layered model that has been standardized for defining network communications. The OSI model breaks the complex process of network communications into seven distinct layers, each with its own distinct responsibilities. As shown in Figure 3-1, the seven layers of the OSI model are as follows: The application layer (Layer 7): Primarily responsible for interfacing with the end user. The presentation layer (Layer 6): Primarily responsible for translating the data from something the...

Initial Configuration

The initial configuration of a firewall requires several items of information. This information includes and external interface IP addresses (or the use of DHCP on one of those interfaces), the next-hop g an administrative password. The first three items are discussed in the following paragraphs. A discu administrative passwords was provided earlier in the Default Passwords section. Most small office home office (SOHO) firewalls have only two interfaces. On enterprise firewalls, the half dozen...

Figure 121 Delivery of Syslog Messages Across the Network

The syslog client is then configured to deliver syslog messages to the syslog server. For example, you can configure a Cisco Secure PIX Firewall to use syslog by running the following basic commands. For Cisco Secure PIX Firewalls running versions of the PIX OS other than 7.0, the commands are as follows:

logging trap information
logging host inside ip-address

For Cisco Secure PIX Firewalls running version 7.0 or later, you need to run the following commands from the configuration mode. In...

Stateful Inspection

Stateful packet inspection lies at the heart of how PIX ASA firewalls function. This functionality is provided through a process known as the Cisco adaptive security algorithm (ASA). The ASA uses a stateful approach to security. Every inbound packet is checked exhaustively against the ASA and against connection state information in memory. The ASA applies the following default rules (although this is by far not an exhaustive list) to traffic coming into the PIX: Allow any traffic connections...

Cisco Secure PIX Firewall Syslog Event Baseline

The following syslog events constitute a good baseline of events that should be monitored and paid attention to in most environments. In essence, this list is here to answer this question: What specific events should I look for? It is not meant to be an exhaustive list of all syslog message IDs or the on message IDs that you should be filtering for. You can use this information to help build filtering rules for your particular logging software, for exam identify the messages that administrators...

What to Look for in Firewall Logs

After you have collected the firewall logs and begun the process of analyzing the logs, determine the you should be looking for in the logs. With that said, it is important to remember not to fall into the looking in your firewall logs only for bad events. Yes, firewall logs can be the key element in discov incidents and compromises, but that is only one of the reasons for analyzing your logs. You also war to use the log information to assist in defining the baselines and normal operations of...