Firewall Operations - Protecting a Critical System
From: "Gideon Rasmussen, CISSP, CFSO, CFSA, SCSA" <gideon () infostruct net>
Date: Mon, 15 Dec 2003 20:53:42 -0500
By Gideon T. Rasmussen - CISSP, CFSO, CFSA, SCSA
Security teams must ensure that firewalls are installed, configured and
maintained in accordance with mission requirements and the best
interests of the organization. There are many reasons why firewall
administration must be tightly controlled. Firewalls are inherently
complex. Employee turnover can result in a lack of continuity. Firewall
logs may be called as evidence in a court case. Many organizations must
also meet auditing requirements.
Before installing a firewall, its administrators should become
intimately familiar with its features and operations. While there is no
substitute for formal training, other resources include system manuals,
on-line documentation, manual pages, knowledge base entries and
If an organization does not have experienced personnel, administrators
should engage a consultant to properly install and configure the system.
Ensure that administrators are available to participate in the
installation and obtain knowledge transfer. Test disaster recovery by
reinstalling the firewall software and restoring from backup.
Thoroughly document how each firewall should be installed in a formal
configuration standard. Installation must be in strict compliance with
system manuals to help ensure stability and compliance with support
agreements. A standard should also provide step-by-step instructions.
Consider the following topics:
Proxies: Use proxies to limit traffic to designated protocols. Proxies
can block file sharing programs such as Kazaa and iMesh. They can also
defeat hacking tools. Proxies give administrators granular control over
a protocol. For example, CyberGuard's FTP proxy can be configured to
permit download and deny upload. The HTTP proxy makes it possible to run
multiple Web sites on one system. You’ll find more information about
CyberGuard’s proxies here:
Comments: Include comment entries in the packet filter rules file.
Firewall rules grow quickly. It is important to retain the purpose of
each rule. Adopt the following format as a standard: "rationale,
mm/dd/yy, ticket #, your name."
Grouping: Grouping is very powerful and should be used whenever
possible. Grouping reduces the complexity of firewall rules and
minimizes the potential for human error. If you have several systems
with the same service requirements, create hosts and services groups.
The utility of grouping becomes more apparent as the number of systems
Accounts: Create individual accounts for each administrator. Delete the
common administrative account. This configuration enhances accountability.
Roles: Use duty roles to grant specific access rights. For example, an
auditor should have read-only permissions. Support staff only require
the ability to stop and start the system.
Configuration Tracking: Configuration tracking records changes made
during a login session. Its database enables administrators to compare
the differences between an older configuration file and the current
version. Configuration tracking can also record a user-supplied ticket
DNAT: Enable Dynamic Network Address Translation (DNAT) on each external
interface. DNAT rewrites internal IP addresses to the external IP of the
firewall, assigning each connection a unique source port. The outside
world sees only the external address. When the reply arrives, the
firewall uses that source port to look up the originating internal IP
and switch the destination back to it.
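The translation table behind this is easy to see in code. The following is an added example, not CyberGuard's implementation: a toy many-to-one NAT that rewrites outbound packets to the firewall's external address with a unique port from an assumed pool, maps replies back to the originating internal host, and drops inbound packets for which no mapping exists. The addresses and port range are constructed sample values.

```python
"""Toy dynamic NAT (DNAT) table: internal (ip, port) <-> external (firewall ip, unique port)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicNat:
    """Many-to-one NAT. The external port is the only state the firewall needs
    to map a reply back to the internal host that started the connection."""

    def __init__(self, external_ip, first_port=10000, last_port=10999):
        self.external_ip = external_ip
        self._free_ports = iter(range(first_port, last_port + 1))  # assumed pool
        self._out = {}  # (internal_ip, internal_port) -> external_port
        self._in = {}   # external_port -> (internal_ip, internal_port)

    def outbound(self, pkt):
        """Rewrite an internal->external packet; reuse the mapping for an existing flow."""
        key = (pkt.src_ip, pkt.src_port)
        ext_port = self._out.get(key)
        if ext_port is None:
            try:
                ext_port = next(self._free_ports)
            except StopIteration:
                raise RuntimeError("DNAT port pool exhausted") from None
            self._out[key] = ext_port
            self._in[ext_port] = key
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Map a reply back to the internal host, or return None (drop) if unsolicited."""
        if pkt.dst_ip != self.external_ip or pkt.dst_port not in self._in:
            return None
        internal_ip, internal_port = self._in[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)


def demo():
    """Two internal hosts using the same source port get distinct external ports."""
    nat = DynamicNat("203.0.113.1")  # constructed external address
    a = nat.outbound(Packet("10.0.0.5", 1025, "198.51.100.80", 80))
    b = nat.outbound(Packet("10.0.0.6", 1025, "198.51.100.80", 80))
    reply_to_b = nat.inbound(Packet("198.51.100.80", 80, "203.0.113.1", b.src_port))
    stray = nat.inbound(Packet("198.51.100.80", 80, "203.0.113.1", 20000))
    return a, b, reply_to_b, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The unsolicited-packet case is the security property worth noting: with no mapping for the destination port, the firewall has nothing to translate to and the packet is dropped.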
Passwords: Enforce strong password elements. Configure passwords to
expire every three months. Password elements should include alpha,
numeric and special characters.
Auditing: By default, binary logging is enabled. More than 300 events
are logged. Configure activity logging to record security events and the
services enabled on the firewall.
Logs: Schedule an export of binary audit logs to an FTP server. Copy
system logs to a central syslog server. Configure log management to
prevent the system disk from filling up.
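One concrete form of "log management to prevent the disk from filling up" is a retention job that prunes the oldest exported archives once the log directory exceeds a size budget, while never touching the active log. The following is an added example, not a CyberGuard utility; the file names, sizes and the `audit.log` active-log name are constructed assumptions.

```python
"""Prune the oldest exported audit-log archives until a directory fits a byte budget."""
from pathlib import Path


def select_for_removal(files, budget_bytes, keep=frozenset()):
    """files: iterable of (name, mtime, size).

    Returns the names to delete, oldest first, until the remaining total is
    within budget_bytes. Names in `keep` (e.g. the active log) are never chosen,
    even if that means the budget cannot be met.
    """
    files = list(files)
    candidates = sorted((f for f in files if f[0] not in keep), key=lambda f: f[1])
    total = sum(size for _, _, size in files)
    to_remove = []
    for name, _, size in candidates:
        if total <= budget_bytes:
            break
        to_remove.append(name)
        total -= size
    return to_remove


def prune_directory(path, budget_bytes, active="audit.log", dry_run=True):
    """Apply select_for_removal to a real directory. Defaults to a dry run so the
    job can be reviewed before it is scheduled with deletion enabled."""
    d = Path(path)
    files = []
    for p in d.iterdir():
        if p.is_file():
            st = p.stat()
            files.append((p.name, st.st_mtime, st.st_size))
    doomed = select_for_removal(files, budget_bytes, keep={active})
    if not dry_run:
        for name in doomed:
            (d / name).unlink()
    return doomed


if __name__ == "__main__":
    # Constructed listing: (name, mtime, size); the active log is newest.
    sample = [
        ("audit.log", 500, 300),
        ("audit-2003-12-10.bin", 100, 400),
        ("audit-2003-12-11.bin", 200, 400),
        ("audit-2003-12-12.bin", 300, 400),
    ]
    print(select_for_removal(sample, 800, keep={"audit.log"}))
```

Run it as a dry run first from the scheduler and inspect the returned list; only then enable deletion. Pruning should run after the archives have been exported to the FTP server, so that nothing is removed locally before a copy exists elsewhere.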
Alerts: Configure the firewall to send notification of suspicious
events. You can choose from a variety of notification methods including:
file, window, e-mail, SNMP trap, pager, syslog and shell command.
Before granting production status to a system, confirm that a scheduled
backup has successfully completed. Ensure the system is properly
configured by conducting a security vulnerability scan. Also remember to
monitor the firewall from a remote location.
Implement a formal change process and incorporate your firewalls into
the system development life cycle. In particular, ensure that firewall
rules are not left in place when a system is decommissioned. This can
represent a serious vulnerability if a system is repurposed or its IP
address reissued while firewall rules still provide access from the
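Both the comment standard above ("rationale, mm/dd/yy, ticket #, your name") and the decommissioning check can be enforced mechanically. The following is an added example, not CyberGuard's rule syntax or tooling: it parses a constructed, simplified rules file, flags rules whose trailing comment does not follow the standard, and flags rules that still reference hosts on an assumed decommissioned-host list. The sample rules, addresses, ticket numbers and names are constructed.

```python
"""Audit a packet-filter rules file for comment hygiene and stale (decommissioned) hosts."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Standard from the article: "rationale, mm/dd/yy, ticket #, your name".
COMMENT_RE = re.compile(
    r"^(?P<rationale>[^,]+), (?P<date>\d{2}/\d{2}/\d{2}), (?P<ticket>[^,]+), (?P<name>[^,]+)$"
)

# Constructed sample in a made-up format: action proto src sport dst dport # comment
SAMPLE_RULES = """\
# constructed sample rules file (not CyberGuard syntax)
permit tcp 10.0.0.5 any 198.51.100.20 80  # Intranet proxy to web farm, 12/01/03, CHG-1042, G. Rasmussen
permit tcp 10.0.0.9 any 198.51.100.20 22  # temp admin access
permit tcp 10.0.0.7 any 198.51.100.25 25  # Mail relay, 12/05/03, CHG-1050, J. Doe
deny   ip  any any any any
"""

# Assumed output of the decommissioning step of the change process.
DECOMMISSIONED: Set[str] = {"10.0.0.9"}


@dataclass
class Rule:
    lineno: int
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    comment: Optional[str]


def parse_rules(text: str) -> List[Rule]:
    """Parse the simplified format; blank lines and whole-line comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        rules.append(Rule(lineno, *fields, comment.strip() or None))
    return rules


def audit(text: str, decommissioned: Set[str]) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for every rule that fails a check."""
    findings = []
    for r in parse_rules(text):
        if r.comment is None:
            findings.append((r.lineno, "missing comment"))
        elif not COMMENT_RE.match(r.comment):
            findings.append((r.lineno, "comment not in 'rationale, mm/dd/yy, ticket #, name' format"))
        for host in (r.src, r.dst):
            if host in decommissioned:
                findings.append((r.lineno, f"references decommissioned host {host}"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_RULES, DECOMMISSIONED):
        print(f"line {lineno}: {finding}")
```

Running the audit as a step of the change process, with the decommissioned-host list fed from the asset inventory, turns "remember to remove the rules" into a check that fails visibly when a rule outlives the system it was written for.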
Apply new versions and product support updates as they are issued. The
operating system’s multi-level security and hardened kernel are the
foundation of the CyberGuard “zero vulnerabilities” solution
firewalls have achieved Common Criteria EAL4+ certification and maintain
that certification through participation in the Assurance Maintenance
program. That means that new versions and updates maintain their
Create an operations guide to ensure continuity. At a minimum it should
detail how to stop and start the firewall and restore from backup.
Finally, include firewalls in disaster recovery planning. Store
installation media and firewall backups off-site. Confirm that the
recovery site has firewall hardware available.