ongoing administration n.
Skip this Video
Loading SlideShow in 5 Seconds..
Ongoing Administration PowerPoint Presentation
Download Presentation
Ongoing Administration

Loading in 2 Seconds...

play fullscreen
1 / 52

Ongoing Administration - PowerPoint PPT Presentation

  • Uploaded on

Ongoing Administration. Chapter 11. Learning Objectives. Learn how to evolve a firewall to meet new needs and threats Adhere to proven security principles to help the firewall protect network resources Use a remote management interface Track log files for security. continued.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Ongoing Administration' - faxon

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
learning objectives
Learning Objectives
  • Learn how to evolve a firewall to meet new needs and threats
  • Adhere to proven security principles to help the firewall protect network resources
  • Use a remote management interface
  • Track log files for security


learning objectives1
Learning Objectives
  • Follow basic initial steps in responding to security incidents
  • Take advanced firewall functions into account when administering a firewall
making your firewall meet new needs
Making Your Firewall Meet New Needs
  • Throughput
  • Scalability
  • Security
  • Recoverability
  • Manageability
verifying resources needed by the firewall
Verifying Resources Needed by the Firewall
  • Ways to track memory and system resources
    • Use the formula:MemoryUsage = ((ConcurrentConnections)/ (AverageLifetime))*(AverageLifetime + 50 seconds)*120
    • Use software’s own monitoring feature
identifying new risks
Identifying New Risks
  • Monitor activities and review log files
  • Check Web sites to keep informed of latest dangers; install patches and updates
adding software updates and patches
Adding Software Updates and Patches
  • Test updates and patches as soon as you install them
  • Ask vendors (of firewall, VPN appliance, routers, etc) for notification when security patches are available
  • Check manufacturer’s Web site for security patches and software updates
adding hardware
Adding Hardware
  • Identify network hardware so firewall can include it in routing and protection services
    • Different ways for different firewalls
  • List workstations, routers, VPN appliances, and other gateways you add as the network grows
  • Choose good passwords that you guard closely
dealing with complexity on the network
Dealing with Complexity on the Network
  • Distributed firewalls
    • Installed at endpoints of the network, including remote computers that connect to network through VPNs
    • Add complexity
      • Require that you install and/or maintain a variety of firewalls located on your network and in remote locations
    • Add security
      • Protect network from viruses or other attacks that can originate from machines that use VPNs to connect (eg, remote laptops)
adhering to proven security principles
Adhering to Proven Security Principles
  • Generally Accepted System Security Principles (GASSP) apply to ongoing firewall management
    • Secure physical environment where firewall-related equipment is housed
    • Importance of locking software so that unauthorized users cannot access it
environmental management
Environmental Management
  • Measures taken to reduce risks to physical environment where resources are stored
    • Back-up power systems overcome power outages
    • Back-up hardware and software help recover network data and services in case of equipment failure
    • Sprinkler/alarm systems reduce damage from fire
    • Locks guard against theft
bios boot and screen locks
BIOS, Boot, and Screen Locks
  • BIOS and boot-up passwords
  • Supervisor passwords
  • Screen saver passwords
using remote management interface
Using Remote Management Interface
  • Software that enables you to configure and monitor firewall(s) that are located on different network locations
  • Used to start/stop the firewall or change rulebase from locations other than the primary computer
why remote management tools are important
Why Remote Management Tools Are Important
  • Reduce time and make the job easier for the security administrator
  • Reduce chance of configuration errors that might result if the same changes were made manually for each firewall on the network
security concerns with remote management tools
Security Concerns with Remote Management Tools
  • Can use a Security Information Management (SIM) device to prevent unauthorized users from circumventing security systems
    • Offers strong security controls (eg, multi-factor authentication and encryption)
    • Should have an auditing feature
    • Should use tunneling to connect to the firewall or use certificates for authentication
  • Evaluate SIM software to ensure it does not introduce new vulnerabilities
basic features required of remote management tools
Basic Features Required of Remote Management Tools
  • Ability to monitor and configure firewalls from a single centralized location
    • View and change firewall status
    • View firewall’s current activity
    • View any firewall event or alert messages
  • Ability to start and stop firewalls as needed
tracking contents of log files for security
Tracking Contents of Log Files for Security
  • Reviewing log files can help detect break-ins that have occurred and possibly help track down intruders
  • Tips for managing log files
    • Prepare usage reports
    • Watch for suspicious events
    • Automate security checks
preparing usage reports
Preparing Usage Reports
  • Sort logs by time of day and per hour
  • Check logs to learn when peak traffic times are on the network
  • Identify services that consume the largest part of available bandwidth
suspicious events to watch for
Suspicious Events to Watch For
  • Rejected connection attempts
  • Denied connections
  • Error messages
  • Dropped packets
  • Successful logons to critical resources
responding to suspicious events
Responding to Suspicious Events
  • Firewall options
    • Block only this connection
    • Block access of this source
    • Block access to this destination
  • Track the attacks
  • Locate and prosecute the offenders
tools for tracking attacks
Tools for Tracking Attacks
  • Sam Spade
  • Netstat
  • NetCat
compiling legal evidence
Compiling Legal Evidence
  • Identify which computer or media may contain evidence
  • Shut down computer and isolate work area until computer forensic specialist arrives
  • Write protect removable media
  • Preserve evidence (make a mirror image) so it is not manipulated


compiling legal evidence1
Compiling Legal Evidence
  • Examine the mirror image, not the original
  • Review log files and other data; report findings to management
  • Preserve evidence by making a “forensically sound” copy
compiling legal evidence2
Compiling Legal Evidence
  • Observe the three As of computer forensics
    • Acquire
    • Authenticate
    • Analyze
automating security checks
Automating Security Checks
  • Outsource firewall management
security breaches will happen
Security Breaches Will Happen!
  • Use software designed to detect attacks and send alert notifications
  • Take countermeasures to minimize damage
  • Take steps to prevent future attacks
using an intrusion detection system ids
Using an Intrusion Detection System (IDS)
  • Detects whether network or server has experienced an unauthorized access attempt
  • Sends notification to appropriate network administrators
  • Considerations when choosing
    • Location
    • Intrusion events to be gathered
  • Network-based versus host-based IDS
  • Signature-based versus heuristic IDS
network based ids
Network-Based IDS
  • Tracks traffic patterns on entire network segment
  • Collects raw network packets; looks at packet headers; determines presence of known signatures that match common intrusion attempts; takes action based on contents
  • Good choice if network has been subject to malicious activity (eg, port scanning)
  • Usually OS-independent
  • Minimal impact on network performance
host based ids
Host-Based IDS
  • Collects data from individual computer on which it resides
  • Reviews audit and system logs, looking for signatures
  • Can perform intrusion detection in a network where traffic is usually encrypted
  • Needs no additional hardware
  • Cannot detect port scans or other intrusion attempts that target entire network
signature based ids
Signature-Based IDS
  • Stores signature information in a database
    • Database requires periodic updating
  • Can work with either host-based or network-based IDS
  • Often closely tied to specific hardware and operating system
  • Provides fewer false alarms than heuristic IDS
heuristic ids
Heuristic IDS
  • Compares traffic patterns against “normal activity” and sets off an alarm if pattern deviates
  • Can identify any possible attack
  • Generates high rate of false alarms
receiving security alerts
Receiving Security Alerts
  • A good IDS system:
    • Notifies appropriate individuals (eg, via e-mail, alert, pager, or log)
    • Provides information about the type of event
    • Provides information about where in the network the intrusion attempt took place
when an intrusion occurs
When an Intrusion Occurs
  • React rationally; don’t panic
  • Use alerts to begin assessment
  • Analyze what resources were hit and what damage occurred
    • Perform real-time analysis of network traffic to detect unusual patterns
    • Check to see if any ports that are normally unused have been accessed
  • Use a network auditing tool (eg, Tripwire)
during and after intrusion
During and After Intrusion
  • Document the existence of:
    • Executables that were added to the system
    • Files that were
      • Placed on the computer
      • Deleted
      • Accessed by unauthorized users
    • Web pages that were defaced
    • E-mail messages that were sent as a result of the attack
  • Document your response to the intrusion
configuring advanced firewall functions
Configuring Advanced Firewall Functions
  • Ultimate goal
    • High availability
    • Scalability
  • Advanced firewall functions
    • Data caching
    • Redundancy
    • Load balancing
    • Content filtering
data caching
Data Caching
  • Set up a server that will
    • Receive requests for URLs
    • Filter those requests against different criteria
  • Options
    • No caching
    • URI Filtering Protocol (UFP) server
    • VPN & Firewall (one request)
    • VPN & Firewall (two requests)
hot standby redundancy
Hot Standby Redundancy
  • Secondary or failover firewall is configured to take over traffic duties in case primary firewall fails
  • Usually involves two firewalls; only one operates at any given time
  • The two firewalls are connected in a heartbeat network
hot standby redundancy2
Hot Standby Redundancy
  • Advantages
    • Ease and economy of set up and quick back-up system it provides for the network
    • One firewall can be stopped for maintenance without stopping network traffic
  • Disadvantages
    • Does not improve network performance
    • VPN connections may or may not be included in the failover system
load balancing
Load Balancing
  • Practice of balancing the load placed on the firewall so that it is handled by two or more firewall systems
  • Load sharing
    • Practice of configuring two or more firewalls to share the total traffic load
  • Traffic between firewalls is distributed by routers using special routing protocols
    • Open Shortest Path First (OSPF)
    • Border Gateway Protocol (BGP)
load sharing
Load Sharing
  • Advantages
    • Improves total network performance
    • Maintenance can be performed on one firewall without disrupting total network traffic
  • Disadvantages
    • Load usually distributed unevenly (can be remedied by using layer four switches)
    • Configuration can be complex to administer
filtering content
Filtering Content
  • Firewalls don’t scan for viruses but can work with third-party applications to scan for viruses or other functions
    • Open Platform for Security (OPSEC) model
    • Content Vectoring Protocol (CVP)
filtering content guidelines
Filtering Content Guidelines
  • Install anti-virus software on SMTP gateway in addition to providing desktop anti-virus protection for each computer
  • Choose an anti-virus gateway product that:
    • Provides for content filtering
    • Can be updated regularly to account for recent viruses
    • Can scan the system in real time
    • Has detailed logging capabilities
chapter summary
Chapter Summary
  • How to expand a firewall to meet new needs
  • Importance of observing fundamental principles of network security when maintaining the firewall
  • Importance of being able to manage the firewall remotely and having log files for review
  • Responding to security incidents
  • Advanced firewall functions