Section 1-4. Basic Security Policy Guidelines


As you plan your security policies and configure your firewall, you should keep several things in mind. Rather than presenting a long treatise on security policies and how to protect against vulnerabilities and attacks, this small section provides a short list of rules of thumb. If you follow these suggestions, you should be able to configure a firewall to provide the best possible protection.

  • Gather and review firewall logs regularly.

    After a firewall is configured, you can easily test to see if it is blocking or permitting access to secured resources according to the correct security policies. However, there is no easy way to watch a denial-of-service or worm attack without seeing a record of traffic being permitted or denied.

    A firewall can generate a wealth (and a deluge) of logging information. This data should be collected by a Syslog server that is properly sized for the task. You should also review the Syslog data on a regular basis so that you can spot new malicious activity or expose the use of a vulnerable port you forgot to close.

    The most important reason to keep firewall logs is to keep an audit trail of network activity. If you experience an attack or a misuse of network resources, you can rely on the Syslog record as evidence.
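As an added illustration of the review this guideline asks for (not code from the book), the script below runs over constructed PIX syslog lines and reports three things the text mentions: a source being denied on many distinct ports, a permitted inbound connection on a port the policy never meant to expose, and denied packets aimed straight at the inside interface. The message layouts follow the PIX %PIX-4-106023 and %PIX-6-302013 formats; the addresses and the OUTSIDE_IN access-list name are assumptions.

```python
import re
from collections import defaultdict

# Constructed PIX syslog sample (not captured traffic); field layout follows the
# %PIX-4-106023 (denied by ACL) and %PIX-6-302013 (TCP connection built) messages.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.7/40001 dst dmz:192.0.2.10/22 by access-group "OUTSIDE_IN"
%PIX-4-106023: Deny tcp src outside:203.0.113.7/40002 dst dmz:192.0.2.10/23 by access-group "OUTSIDE_IN"
%PIX-4-106023: Deny tcp src outside:203.0.113.7/40003 dst dmz:192.0.2.10/3389 by access-group "OUTSIDE_IN"
%PIX-4-106023: Deny tcp src outside:203.0.113.7/40004 dst dmz:192.0.2.10/445 by access-group "OUTSIDE_IN"
%PIX-4-106023: Deny icmp src outside:198.51.100.9 dst inside:10.1.1.20 (type 8, code 0) by access-group "OUTSIDE_IN"
%PIX-6-302013: Built inbound TCP connection 1201 for outside:198.51.100.4/51000 (198.51.100.4/51000) to dmz:192.0.2.10/80 (192.0.2.10/80)
%PIX-6-302013: Built inbound TCP connection 1202 for outside:198.51.100.4/51001 (198.51.100.4/51001) to dmz:192.0.2.10/8080 (192.0.2.10/8080)
"""

DENY_RE = re.compile(r"106023: Deny (\w+) src \w+:([\d.]+)(?:/\d+)? dst (\w+):([\d.]+)(?:/(\d+))?")
BUILT_RE = re.compile(r"302013: Built inbound TCP connection \d+ for \w+:([\d.]+)/\d+ \(.*?\) to (\w+):([\d.]+)/(\d+)")


def review_logs(text, expected_inbound, scan_threshold=3):
    """Summarise firewall syslog text.

    expected_inbound: set of (dst_ip, dst_port) pairs the policy intends to expose.
    Returns sources denied on many distinct ports (probing), permitted inbound
    connections that fall outside expected_inbound (a port left open by mistake),
    and denied packets aimed straight at the inside interface instead of the DMZ.
    """
    ports_by_src = defaultdict(set)
    unexpected, inside_targets = [], []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            proto, src, dst_if, dst, dport = m.groups()
            if dport:
                ports_by_src[src].add(int(dport))
            if dst_if == "inside":
                inside_targets.append((proto, src, dst))
            continue
        m = BUILT_RE.search(line)
        if m:
            src, _, dst, dport = m.groups()
            if (dst, int(dport)) not in expected_inbound:
                unexpected.append((src, dst, int(dport)))
    scanners = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= scan_threshold}
    return {"scanners": scanners, "unexpected_permits": unexpected, "inside_targets": inside_targets}


if __name__ == "__main__":
    for key, value in review_logs(SAMPLE_LOG, {("192.0.2.10", 80)}).items():
        print(key, value)
```

The same functions can be pointed at a file collected by the Syslog server instead of the embedded sample.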

  • Make inbound ACLs very specific.

    You should tightly control traffic coming into your secured network from the public or unsecured side. If you offer public access to a corporate web or e-mail server, for example, be sure to permit only those specific protocols and ports. Otherwise, if you leave the inbound access too broad or open, you increase the chances that someone will find a way to exploit an unexpected protocol or service. In addition, best practices suggest that any inbound access should terminate only on hosts that are located on a demilitarized zone (DMZ) firewall interface, not on the inside network.

    As for outbound traffic control, the internal (protected) users are usually well-known and trusted. You can leave the outbound access open, but best practices suggest that you configure outbound access lists to prevent hosts on the inside network from participating in worms or attacks aimed at DMZ or outside networks.

    You might also use outbound access lists to enforce corporate policies to limit or prohibit certain activity or to control the access of unauthorized services. The firewall can also authenticate outbound users before giving them access and can work with external servers to control web content.

  • Protect the DMZ in several directions.

    If corporate resources are offered to the public network, it is usually best to place them in a DMZ. This is a small network on a firewall interface that has a medium level of security. Users on the outside or public network are allowed to reach the servers on the DMZ using specific protocols and ports.

    Be careful how you configure the security policies on the DMZ interface. Make sure that outside users are allowed access only to the specific protocols needed. Then make sure that machines on the DMZ interface are allowed access to other inside (secured) hosts using only the protocols needed for data transfer.

    For example, suppose you have a public web server that offers information using HTTP. That web server populates its web pages by sending SQL requests to other data center servers on the inside network. For the DMZ, you should configure the firewall to allow outside access to the web server using only TCP port 80 (HTTP). In addition, the DMZ server should be allowed to send only SQL packets toward the inside data center, and nothing else. If you leave open access (any protocol or port number) between the DMZ server and the inside, the DMZ can become a "springboard" so that malicious users on the outside can compromise the DMZ server and use it to compromise others on the inside.

  • Be overly cautious about ICMP traffic.

    ICMP packets are very useful when you need to troubleshoot access or network response time to a host. Ping (ICMP echo) packets are well known for this. However, configuring a firewall to allow open access for the ICMP protocol usually is not wise.

    Malicious users on the outside can use ICMP to detect or attack live hosts on a DMZ or inside network. Typically, best practice is to use a firewall to hide as much information as possible about the internal secured network. Outbound pings might be allowed so that your internal users can test to see if a service is alive on the public Internet. Inbound pings (echo requests) should be denied altogether, because you don't want outside users to know if your internal services are alive. The only exception might be to allow pings to reach your hosts that offer public services, but nothing else.

    Best practices suggest that you allow only specific types of ICMP packets to enter your network from the outside. These include echo-reply, unreachable, and time-exceeded ICMP messages. In any event, you should configure PIX 7.x ICMP inspection if at all possible so that the firewall can make a best effort at tracking and controlling ICMP message exchanges.

  • Keep all firewall management traffic secured.

    You can manage or maintain a firewall in many ways:

    - Open a management session using Telnet, SSH, PDM, or VMS

    - Copy a new operating system image or configuration file into the firewall

    - Collect Syslog information from the firewall

    - Poll firewall parameters through SNMP

    - Authenticate users through TACACS+ and RADIUS servers

    Clearly, any of these methods can drastically change the firewall's behavior or operation. You should always make every effort to keep all types of management access limited to an inside or secured network. If you open any management access toward the outside, you stand a chance of letting a malicious user manage your firewall for you. At the least, someone might intercept your Syslog or SNMP traffic and learn something important about your internal network.

    If you absolutely need some management access from the outside, only do so through a secure means like a virtual private network (VPN) connection or SSH with a strong authentication method. This allows management traffic to be extended only to someone who can verify his or her identity over an encrypted path.

  • Periodically review the firewall rules.

    Cisco uses a model called the security wheel. The process of providing network security begins with developing a strong corporate security policy. This includes the following tasks:

    - Identifying the resources that will be secured

    - Identifying the "inside" users and hosts that will need access to other, less-secure network resources

    - Identifying corporate services that will be protected but will be accessible from the unsecured networks

    - Developing an authentication scheme, if needed, that can identify and grant permission for corporate and outside users

    - Developing a plan for auditing the security activities

    Actually implementing and refining the policies becomes a continual process of four steps:

    1. Secure the network (configure firewalls, routers, intrusion protection systems, and so on)

    2. Monitor and respond to malicious activity

    3. Test existing security policies and components

    4. Manage and improve network security
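An added example, not the book's own code, that turns the inbound-ACL, DMZ, and ICMP guidelines above into an automated check for the periodic rule review: it parses a narrow subset of ASA/PIX extended ACE syntax and flags permits that are too broad, that terminate off the DMZ, that admit ICMP types beyond echo-reply, unreachable, and time-exceeded, or that let a DMZ host reach the inside beyond one service. The access-list names OUTSIDE_IN and DMZ_IN, the hosts, and the sample ACL are assumptions.

```python
# Inbound ICMP types the guideline says may enter from the outside.
ALLOWED_INBOUND_ICMP = {"echo-reply", "unreachable", "time-exceeded"}

# Constructed ACL (hypothetical names OUTSIDE_IN and DMZ_IN, DMZ web server 192.0.2.10,
# inside data center host 10.1.1.20); only the simple extended-ACE syntax is handled.
SAMPLE_ACL = [
    "access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80",
    "access-list OUTSIDE_IN extended permit icmp any any echo-reply",
    "access-list OUTSIDE_IN extended permit icmp any any",
    "access-list OUTSIDE_IN extended permit tcp any host 10.1.1.20 eq 25",
    "access-list OUTSIDE_IN extended permit ip any any",
    "access-list DMZ_IN extended permit tcp host 192.0.2.10 host 10.1.1.20 eq 1433",
    "access-list DMZ_IN extended permit ip host 192.0.2.10 any",
]

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    ace, i = {"acl": t[1], "action": t[3], "proto": t[4]}, 5
    for side in ("src", "dst"):
        if t[i] == "any":
            ace[side], i = "any", i + 1
        elif t[i] == "host":
            ace[side], i = t[i + 1], i + 2
        else:  # network address followed by its mask
            ace[side], i = t[i] + "/" + t[i + 1], i + 2
    ace["port"] = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
    ace["icmp_type"] = t[i] if ace["proto"] == "icmp" and i < len(t) else None
    return ace

def audit(lines, inbound_acl, dmz_acl, dmz_hosts):
    """Return (line, reason) pairs for permit entries that break the guidelines."""
    findings = []
    for line in lines:
        ace = parse_ace(line)
        if ace is None or ace["action"] != "permit":
            continue
        if ace["acl"] == inbound_acl:
            if ace["proto"] == "icmp":  # pings only toward public-service hosts
                if ace["icmp_type"] not in ALLOWED_INBOUND_ICMP and ace["dst"] not in dmz_hosts:
                    findings.append((line, "inbound ICMP type allowed beyond public-service hosts"))
            elif ace["proto"] == "ip" or ace["dst"] == "any" or ace["port"] is None:
                findings.append((line, "inbound permit is too broad"))
            elif ace["dst"] not in dmz_hosts:
                findings.append((line, "inbound access terminates on a non-DMZ host"))
        elif ace["acl"] == dmz_acl and (ace["port"] is None or ace["dst"] == "any"):
            findings.append((line, "DMZ host can reach inside beyond the needed service"))
    return findings
```

Running `audit(SAMPLE_ACL, "OUTSIDE_IN", "DMZ_IN", {"192.0.2.10"})` flags the open ICMP entry, the mail permit to the inside host, the `ip any any` entry, and the unrestricted DMZ-to-inside entry.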

Further Reading

Refer to the following recommended sources for further technical information about firewall functionality and securing a network:

Cisco's SAFE Blueprint documents at http://www.cisco.com/go/safe

Cisco Secure PIX Firewalls (Cisco Secure PIX Firewall Advanced, CSPFA, Self-Study Guide) by David Chapman and Andy Fox, Cisco Press, ISBN 1-58705-035-8

Network Security Principles and Practices by Saadat Malik, Cisco Press, ISBN 1-58705-025-0

Designing Network Security, Second Edition by Merike Kaeo, Cisco Press, ISBN 1-58705-117-6

Cisco Access Control Security: AAA Administration Services by Brandon Carroll, Cisco Press, ISBN 1-58705-124-9

CCSP Self-Study: Securing Cisco IOS Networks (SECUR) by John Roland, Cisco Press, ISBN 1-58705-151-6

Network Security Architectures by Sean Convery, Cisco Press, ISBN 1-58705-115-X

CCSP Self-Study: Cisco Secure PIX Firewall Advanced (CSPFA), 2nd Edition by Behzad Behtash, Cisco Press, ISBN 1-58705-149-4

    Cisco ASA and PIX Firewall Handbook
    ISBN: 1587051583
    Year: 2003
    Pages: 120
    Authors: David Hucaby
