Firewall Policy

Building and maintaining a secure network

Branden R. Williams, ... Derek Milroy, in PCI Compliance (Fourth Edition), 2015

Egress filtering

Firewall policies tend to forget that outbound traffic should not get a free pass. For firewalls to comply with PCI DSS (and be effective security devices), they must only permit traffic that is necessary for business, both inbound and outbound. To successfully strengthen your firewall policies without interrupting your business, consider adding new rules to your firewall that permit certain types of traffic and log any hits to those rules. Rules in firewalls don't merely have to block things; they can help you tag and categorize the traffic you allow through. This will let you quickly determine which rules will work and which ones will not. Remember, fresh installations should start from default-deny in both directions. If faced with a legacy configuration, try to find an opportunity to redo it on the same principle.

https://www.sciencedirect.com/science/article/pii/B9780128015797000054

Building and Maintaining a Secure Network

Dr. Anton A. Chuvakin, Branden R. Williams, in PCI Compliance (Second Edition), 2010

Common Mistakes and Pitfalls

These requirements normally bite companies in a few specific ways. The companies requiring the most remediation under this requirement typically are companies going through PCI DSS for the first time. Documentation tends to be one of the biggest deficiencies companies face when assessing against this domain. Your best bet is to make sure that you have documented all your firewall rules as required by PCI DSS. Simply going through that process will force several issues that will help you meet your end goal of compliance with PCI DSS. Those issues are outlined below.

Egress Filtering

Firewall policies tend to forget that outbound traffic should not get a free pass. For firewalls to comply with PCI DSS (and be effective security devices), they must only permit traffic that is necessary for business, both inbound and outbound. To successfully enhance your firewall policies without interrupting your business, consider adding new rules to your firewall that "permit" certain types of traffic and then log any hits to those rules. This will allow you to rapidly determine which rules will work and which ones will not.
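The staged roll-out described here (and in the fourth-edition egress filtering excerpt above) can be rehearsed offline before any rule is enforced. The following Python script is an added example, not code from the book: it replays constructed outbound flow records through candidate "permit and log" rules, counts the hits each rule would have logged, and reports the flows that no candidate covers, which is exactly the traffic a default-deny outbound policy would start blocking. The rule names, address ranges and log lines are all assumed for illustration.

```python
"""Rehearse 'permit + log' egress rules against recorded outbound flows.

Added example (not from the PCI Compliance chapters). Candidate rules, address
ranges and the flow log below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class EgressRule:
    name: str    # tag used to categorize the allowed traffic in the logs
    src: str     # CIDR of the internal hosts allowed to originate the traffic
    proto: str   # "tcp" or "udp"
    dst: str     # CIDR of permitted destinations ("0.0.0.0/0" = anywhere)
    dport: int

    def matches(self, flow: dict) -> bool:
        return (flow["proto"] == self.proto
                and flow["dport"] == self.dport
                and ip_address(flow["src"]) in ip_network(self.src)
                and ip_address(flow["dst"]) in ip_network(self.dst))


# Candidate rules to stage as "permit and log" (assumed names and ranges).
CANDIDATE_RULES = [
    EgressRule("web-https-out",    "10.10.1.0/24", "tcp", "0.0.0.0/0",   443),
    EgressRule("dns-to-resolvers", "10.10.0.0/16", "udp", "10.10.0.0/24", 53),
    EgressRule("mail-relay-smtp",  "10.10.2.5/32", "tcp", "0.0.0.0/0",    25),
    EgressRule("ntp-out",          "10.10.0.0/16", "udp", "0.0.0.0/0",   123),
    EgressRule("legacy-ftp-out",   "10.10.0.0/16", "tcp", "0.0.0.0/0",    21),
]

# Constructed outbound flow log: "timestamp src dst proto dport" per line.
SAMPLE_FLOWS = """\
2015-03-01T10:00:01 10.10.1.20 203.0.113.10 tcp 443
2015-03-01T10:00:02 10.10.1.21 198.51.100.7 tcp 443
2015-03-01T10:00:03 10.10.1.20 10.10.0.53 udp 53
2015-03-01T10:00:04 10.10.2.5 203.0.113.25 tcp 25
2015-03-01T10:00:05 10.10.3.40 203.0.113.25 tcp 25
2015-03-01T10:00:06 10.10.1.22 198.51.100.9 udp 53
2015-03-01T10:00:07 10.10.1.23 203.0.113.99 tcp 8080
2015-03-01T10:00:08 10.10.1.23 203.0.113.99 tcp 8080
2015-03-01T10:00:09 10.10.4.8 198.51.100.123 udp 123
"""


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)})
    return flows


def stage_rules(flows: list, rules: list) -> tuple:
    """Return (hits per rule name, uncovered flows grouped by (proto, dport))."""
    hits = {r.name: 0 for r in rules}
    uncovered = defaultdict(list)
    for flow in flows:
        # First match, as an ordered firewall policy would evaluate it.
        rule = next((r for r in rules if r.matches(flow)), None)
        if rule is not None:
            hits[rule.name] += 1            # this hit would appear in the rule's log
        else:
            uncovered[(flow["proto"], flow["dport"])].append(flow["src"])
    return hits, dict(uncovered)


def unused_rules(hits: dict) -> list:
    """Candidate rules that logged nothing: nothing in the business needs them."""
    return sorted(name for name, count in hits.items() if count == 0)


if __name__ == "__main__":
    hits, uncovered = stage_rules(parse_flows(SAMPLE_FLOWS), CANDIDATE_RULES)
    print("hits per permit rule:", hits)
    print("rules that never fired:", unused_rules(hits))
    for (proto, dport), sources in sorted(uncovered.items()):
        print(f"would be blocked by default-deny: {proto}/{dport} from {sources}")
```

Run against the sample log, the report shows two things a reviewer wants before flipping to default-deny: a rule nobody uses (legacy-ftp-out) that can be dropped from the policy, and uncovered flows (a second host sending SMTP, a host resolving DNS outside the internal resolvers, and tcp/8080) that must be either documented as approved business traffic with a rule of their own or left to be blocked.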

Documentation

Without fail, documentation is one of the most tedious aspects of attaining and maintaining PCI compliance. Before your assessor comes on-site, make sure that all in-scope firewall rules are documented and have all the necessary approvals. The expanded scope of Requirement 1.1.5 now requires that all ports and services allowed in and out must have documentation associated with them. Consider performing a risk assessment on those rules and including that documentation as well.

System Defaults

Good internal vulnerability scanning finds most instances of default passwords or configuration on in-scope systems. Many breaches that happen today start with a default or blank password or default to an insecure configuration. Ensure that a vulnerability management program correctly identifies these mistakes and that the management process designed to take findings through to resolution (including the all-important feedback loop!) correctly reports progress on remediation activities.

https://www.sciencedirect.com/science/article/pii/B978159749499100009X

Creating Remote Access and Site-to-Site VPNs with ISA Firewalls

Dr. Thomas W. Shinder, Debra Littlejohn Shinder, in Dr. Tom Shinder's Configuring ISA Server 2004, 2005

Overview of ISA Firewall VPN Networking

Firewall policy with stateful filtering and stateful application-layer inspection is applied to the ISA firewall's VPN remote access client and VPN gateway interfaces.

The ISA firewall includes a VPN Quarantine feature that allows you to pre-qualify VPN clients before they are allowed on the network. Pre-qualification includes confirming that the VPN client has the most recent security hotfixes, services, anti-virus definitions, and anti-spyware definitions installed.

The ISA firewall's user mapping feature allows you to map users who authenticate via RADIUS or EAP to actual user accounts and use that information to perform strong user/group-based access control over remote access VPN and VPN gateway connections to the ISA firewall.

SecureNAT client support now allows remote access VPN clients to access the Internet through the ISA firewall without requiring the Firewall client to be installed on the remote access VPN client machine.

IPSec tunnel mode support allows the ISA firewall to terminate site-to-site VPN connections with downlevel, third-party VPN devices, such as Cisco VPN concentrators.

The new PPTP filter allows you to publish PPTP VPN servers.

The ISA firewall supports both certificates and pre-shared keys for IPSec tunnel mode and L2TP/IPSec VPN connections. For L2TP/IPSec, this applies to both remote access client and VPN gateway connections.

The new ISA firewall allows you to assign custom name servers to VPN clients so that you do not need to depend on the interface name server addresses for VPN client name server assignment.

You can now monitor VPN client and VPN gateway connections moving through the ISA firewall. You can determine the user name, the application, the protocols, the source and destination IP address, and much more by viewing this information in the ISA firewall's logging console.

https://www.sciencedirect.com/science/article/pii/B9781931836197500162

Base Network Security

Kenneth Tam, ... Josh More, in UTM Security with Fortinet, 2013

Multicast Rules

Firewall policies are based on unicast traffic. If you need to handle multicast traffic, the procedure is very different. Unlike unicast, multicast traffic control can only be configured via the CLI. The way this traffic is handled depends on the mode in which the device is deployed. In Layer 3 (NAT/Route) mode, multicast traffic is not natively forwarded, thus any rules that might exist will not be honored. If you must run in this mode and must forward multicast traffic, "multicast-forward" must be explicitly enabled.

config system setting
  set multicast-forward enable
end

Due to the way that the TTL specification is written, a FortiGate will only forward multicast traffic with a TTL greater than 2. To increase the chance that the TTL will not expire before reaching the multicast router, you need to configure the device not to decrement the TTL value.

config system setting
  set multicast-ttl-notchange enable
end

In Layer 2 (Transparent) mode, traffic with multicast destination addresses is blocked by default. A multicast firewall rule is required to allow the traffic through. If there's a need to alter the default behavior to forward any multicast traffic without multicast rule definitions, then multicast rules must be explicitly skipped.

config system setting
  set multicast-skip-policy enable
end

Whether you're in Layer 2 or Layer 3 mode, once you have allowed the FortiGate to handle multicast traffic, you should tighten your control. Otherwise, you run the risk of generating more traffic than your network can handle. At minimum, to permit all multicast traffic simply add an entry within the multicast policy section:

config firewall multicast-policy
  edit <id #>
  next
end

Multicast rules differ from unicast rules. Here are some key points to keep in mind.

Like unicast, when no multicast rules are defined and forwarding is enabled, all multicast-related traffic is blocked. Thus, an "accept" multicast rule is required to allow multicast traffic.

There are no dependent settings within a multicast rule. For example, when working with unicast, you must define the source/destination interfaces and networks and the services (ports). However, in a multicast rule, no settings are dependent on each other. For example, a multicast rule with a single source address set with the "set srcaddr" setting would permit only that particular source to any destination.

Unless specifically defined, a multicast rule will default to working on all interfaces.

Source and destination addresses are explicitly defined in IP address format only. There's a limit of up to 2 address entries per source or destination.

The "set protocol" setting limits the number of protocols used within a multicast rule. This setting is not the same as when used for unicast, where it provides the ability to restrict services (ports).

Multicast rules are only definable via CLI.

IPv6 multicast rule definitions are not currently supported.

If you need to restrict multicast to only a specific source, destination, protocol, and port, consider the following example.

config firewall multicast-policy
  edit <id #>
    set srcintf <interface or zone name>
    set dstintf <interface or zone name>
    set srcaddr <IP address format only - up to 2 (space delimited)>
    set dstaddr <IP address format only - up to 2 (space delimited)>
  next
end

https://www.sciencedirect.com/science/article/pii/B9781597497473000053

Examining the ISA Server 2004 Feature Set

Dr. Thomas W. Shinder, Debra Littlejohn Shinder, in Dr. Tom Shinder's Configuring ISA Server 2004, 2005

Firewall Policy Node

If you select Firewall Policy, the center pane displays a list of firewall policy rules, and the right pane contains tabs labeled Toolbox, Tasks, and Help, as shown in Figure 2.12.

Figure 2.12. Firewall Policy — Configure Rules

The firewall policy node is the "heart" of the ISA Server interface. This is where you create access rules, Web publishing rules, mail server publishing rules, and other server publishing rules to control access to and from your network. In addition, you can edit system policy, define IP preferences, and export and import both system policies and firewall policies. New access rules are created easily using the New Access Rule wizard, shown in Figure 2.13.

Figure 2.13. New Access Wizard — Create New Access and Publishing Rules

You will learn all the step-by-step details for creating and using access policies and publishing rules in Chapter 7, Creating and Using ISA Server 2004 Firewall Access Policy, and Chapter 8, Publishing Network Services to the Internet with ISA Server 2004.

https://www.sciencedirect.com/science/article/pii/B9781931836197500095

Deciding on a Firewall

In Firewall Policies and VPN Configurations, 2006

Policies

If you select Firewall Policy, the middle pane displays a list of firewall policy rules, and the right pane contains tabs labeled Toolbox, Tasks, and Help, as shown in Figure 4.12.

Figure 4.12. Firewall Policy Configure Rules

The firewall policy node is the "heart" of the ISA server interface. This is where you create access rules, Web publishing rules, mail server publishing rules, and other server publishing rules to control access to and from your network. In addition, you can edit system policy, define IP preferences, and export and import system policies and firewall policies.

Policies now work like standard firewall rules. System policy rules are processed first, then user-defined rules. The firewall rules represent an ordered list where parameters are first compared to the top-listed rule. ISA Server 2004 moves down the list of rules until it finds one that matches the connection parameters, then it enforces the matching rule's policy. In addition, unlike previous versions, ISA Server 2004's firewall rules allow you to define the source and destination for each individual protocol that a user or group is allowed to access.

https://www.sciencedirect.com/science/article/pii/B9781597490887500062

Active Security Monitoring

Thomas Porter, Michael Gough, in How to Cheat at VoIP Security, 2007

Summary

An appropriate firewall policy can minimize the exposure of your internal networks. However, attackers are evolving their attacks and network subversion methods. These techniques include email-based Trojan horses, stealth scanning techniques, and attacks which bypass firewall policies by tunneling access over allowed protocols such as ICMP, HTTP, or DNS. Attackers are also getting better at using the ever-growing list of application vulnerabilities to compromise the few services that are allowed through a firewall.

Firewalls and Access Control Lists are requisite security controls in any enterprise, but they are not sufficient in contemporary networks. Active monitoring of the network and attached devices provides not only one or more additional layers of defense, but also supplies data that may have forensic utility. Active monitoring consists of the following types of activities: network monitoring, network intrusion detection, host-based intrusion detection, syslog, and SNMP logging. Penetration and vulnerability testing monitors and validates existing security controls.

On enterprise networks, network monitoring is typically managed by a comprehensive tool suite such as OpenView. Traffic patterns and quantities, and device state are common measurements. These tools supply data that can be useful to security administrators, particularly when combined with the results of recent penetration/vulnerability tests or with NIDS/HIDS data. Unfortunately, the correlation of these data is difficult even when using tools such as SMARTS (a root-cause correlation engine), because of the overwhelming amount of data that must be organized.

NIDS and HIDS are complementary intrusion detection technologies. NIDS monitors the network for malicious or unauthorized traffic and HIDS monitors critical servers for changes to significant files and directories. Both relay event data to a central management console for logging and visualization. Most current NIDSs utilize a combination of signature (pattern or regex) and anomaly-based detection. Both of these methods have benefits and drawbacks. Signature-based detection is quick, effective, and popular, but it won't catch attacks that don't have signatures. Anomaly detection is theoretically a better method for detecting attacks, but suffers from the basic problem that it is hard to define "normal" traffic on a network.

Although functionally different, SNMP and syslog both provide transport for event messages over the network from agents or endpoints to a centralized data repository. SNMP is a highly structured, binary-formatted message type, while syslog messages are ASCII-based and relatively arbitrary within the confines of three defined fields. Neither protocol is encrypted. Thus, SNMP and syslog messages should always be limited to a constrained management network.

Penetration and vulnerability testing is both art and science. These assessments are only as good as the people and tools used to perform them. In today's environment most types of penetration/vulnerability assessment have been commoditized due to the ready availability of scanning and vulnerability assessment tools.

Some tools, such as Nessus (which until recently was open source), make it possible for naive administrators to perform at least baseline vulnerability scans on their networks. In this case, we recommend that an experienced security analyst be brought in to analyze the data since all of the vulnerability scanners report various false alarms. One important note is that the results of a test only reflect the security status during the testing period. Even small administrative and architectural changes to the environment performed only moments after a penetration test can alter the organization's security profile.

https://www.sciencedirect.com/science/article/pii/B9781597491693500086

Firewalls

Dr. Errin W. Fulp, in Managing Information Security (Second Edition), 2014

3 Firewall Security Policies

When a packet arrives at a firewall, a security policy is applied to determine the appropriate action. Actions include accepting the packet, which means the packet is allowed to travel to the intended destination. A packet can be denied, which means the packet is not permitted to travel to the intended destination (it is dropped or possibly is bounced back). The firewall may also log information about the packet, which is important to maintain certain services.

It is easy to consider a firewall policy as an ordered list of rules, as shown in Table 6.1. Each firewall rule consists of a set of tuples and an action. Each tuple corresponds to a field in the packet header, and there are five such fields for an Internet packet: Protocol, Source Address, Source Port, Destination Address, and Destination Port.

Table 6.1. A Security Policy Consisting of Six Rules, Each of Which Has Five Parts (Tuples)

No.  Protocol  Source IP   Source Port  Destination IP  Destination Port  Action
1    UDP       190.1.1.*   *            *               80                deny
2    TCP       180.*       *            180.*           90                accept
3    UDP       210.1.*     *            *               90                accept
4    TCP       210.*       *            220.*           80                accept
5    UDP       190.*       *            *               80                accept
6    *         *           *            *               *                 deny

The firewall rule tuples can be fully specified or contain wildcards (*) in standard prefix format. However, each tuple represents a finite set of values; therefore, the set of all possible packets is also finite. (A more concise mathematical model will be introduced later in the chapter.) It is possible to consider the packet header as consisting of tuples, but each tuple must be fully specified.

As packets pass through a firewall, their header information is sequentially compared to the fields of a rule. If a packet's header information is a subset of a rule, it is said to be a match, and the associated action, to accept or reject, is performed. Otherwise, the packet is compared to the next sequential rule. This is considered a first-match policy since the action associated with the first rule that is matched is performed. Other matching strategies are discussed at the end of this section.

For example, assume that a packet has the following values in the header: the protocol is TCP, source IP is 210.1.1.1, source port is 3080, destination IP is 220.2.33.8, and destination port is 80. When the packet arrives it is compared to the first rule, which results in no match since the rule is for UDP packets. The firewall then compares the packet to the second rule, which results in no match since the source IP is different. The packet does not match the third rule, but it does match the fourth rule. The rule action is performed, so the packet is allowed to pass the firewall.

A default rule, or catch-all, is often placed at the end of a policy with action reject. The addition of a default rule makes a policy comprehensive, indicating that every packet will match at least one rule. In the event that a packet matches multiple rules, the action of the first matching rule is taken. Therefore the order of rules is very important.

If a default rule (a rule that matches all possible packets) is placed at the beginning of a first-match policy, no other rule will ever match. This situation is an anomaly referred to as shadowing. We'll talk more about policy anomalies later in this chapter. Policies that employ this form of short-circuit evaluation are called first-match policies and account for the majority of firewall implementations.

Rule-Match Policies

Multiple rules of a single firewall policy may match a packet; for example, a packet could match rules 1, 5, and 6 of the policy in Table 6.1. Given multiple possible matches, the rule-match policy describes the rule the firewall will apply to the packet. The previous section described the most popular match policy, first match, which will apply the first rule that is a match.

Other match policies are possible, including best match and last match. For best-match policies, the packet is compared against every rule to determine which rule most closely matches every tuple of the packet. Note that the relative order of the rules in the policy does not affect the best-match result; therefore shadowing is not an issue. It is interesting to note that best match is the default criterion for IP routing, which is not surprising since firewalls and routers do perform similar tasks. If a packet matches multiple rules with a last-match criterion, the action of the last rule matched is performed. Note that rule order is important for a last-match policy.

https://www.sciencedirect.com/science/article/pii/B9780124166882000064

Firewalls

Errin W. Fulp, in Computer and Information Security Handbook (Third Edition), 2013

Rule-Match Policies

Multiple rules of a single firewall policy may match a packet; for example, a packet could match rules 1, 5, and 6 of the policy in Table e74.1. Given multiple possible matches, the rule-match policy describes the rule the firewall will apply to the packet. The previous section described the most popular match policy, first match, which will apply the first rule that is a match.

Other match policies are possible, including best match and last match. For best-match policies, the packet is compared against every rule to determine which rule most closely matches every tuple of the packet. Note that the relative order of the rules in the policy does not affect the best-match result; therefore shadowing is not an issue. It is interesting to note that best match is the default criterion for IP routing, which is not surprising since firewalls and routers do perform similar tasks. If a packet matches multiple rules with a last-match criterion, the action of the last rule matched is performed. Note that rule order is important for a last-match policy.
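The three rule-match policies described in this excerpt and in the "Firewall Security Policies" excerpt above (Fulp, 2014), worked through in code as an added Python example that is not from either chapter. It transcribes the six rules of Table 6.1, evaluates the chapter's walk-through packet (TCP 210.1.1.1:3080 to 220.2.33.8:80) plus two UDP packets that match several rules, under first, best and last match, and checks the policy for shadowed rules. Two details are this example's own assumptions rather than the book's: a wildcard such as 190.1.* is matched by dotted prefix, and "most closely matches" is scored by counting the octets and fields a rule pins down.

```python
"""First-, best- and last-match evaluation of the six-rule policy in Table 6.1.

Added example, not code from the Fulp chapters. Dotted-prefix wildcard matching
and the specificity score used for best match are assumptions of this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (protocol, source IP, source port, destination IP, destination port), all fully specified
Packet = Tuple[str, str, str, str, str]

@dataclass(frozen=True)
class Rule:
    no: int
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    action: str

    def tuples(self) -> Tuple[str, ...]:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

# Table 6.1, transcribed rule for rule.
POLICY: List[Rule] = [
    Rule(1, "UDP", "190.1.1.*", "*", "*",     "80", "deny"),
    Rule(2, "TCP", "180.*",     "*", "180.*", "90", "accept"),
    Rule(3, "UDP", "210.1.*",   "*", "*",     "90", "accept"),
    Rule(4, "TCP", "210.*",     "*", "220.*", "80", "accept"),
    Rule(5, "UDP", "190.*",     "*", "*",     "80", "accept"),
    Rule(6, "*",   "*",         "*", "*",     "*",  "deny"),
]

def field_matches(rule_value: str, packet_value: str) -> bool:
    """'*' matches anything; '190.1.*' matches by dotted prefix; otherwise exact equality."""
    if rule_value == "*":
        return True
    if rule_value.endswith(".*"):
        return packet_value.startswith(rule_value[:-1])   # keeps the trailing dot
    return rule_value == packet_value

def matches(rule: Rule, packet: Packet) -> bool:
    return all(field_matches(r, p) for r, p in zip(rule.tuples(), packet))

def specificity(rule: Rule) -> int:
    """Assumed best-match score: fixed octets per IP tuple, 1 per fixed protocol or port."""
    score = 0
    for value in rule.tuples():
        if value == "*":
            continue
        if value.endswith(".*"):
            score += value.count(".")   # '190.1.1.*' pins three octets
        elif "." in value:
            score += 4                  # fully specified address
        else:
            score += 1
    return score

def first_match(policy: List[Rule], packet: Packet) -> Optional[Rule]:
    return next((r for r in policy if matches(r, packet)), None)

def last_match(policy: List[Rule], packet: Packet) -> Optional[Rule]:
    hits = [r for r in policy if matches(r, packet)]
    return hits[-1] if hits else None

def best_match(policy: List[Rule], packet: Packet) -> Optional[Rule]:
    hits = [r for r in policy if matches(r, packet)]
    # max() keeps the first of equally specific rules, so only ties depend on order.
    return max(hits, key=specificity) if hits else None

def decide(policy: List[Rule], packet: Packet, strategy: str = "first") -> Tuple[Optional[int], str]:
    chooser = {"first": first_match, "best": best_match, "last": last_match}[strategy]
    rule = chooser(policy, packet)
    return (rule.no, rule.action) if rule else (None, "deny")   # no rule matched: drop

def field_subsumes(a: str, b: str) -> bool:
    """True if every value matched by tuple b is also matched by tuple a."""
    if a == "*":
        return True
    if a.endswith(".*"):
        return b != "*" and b.startswith(a[:-1])
    return a == b

def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Rules that can never fire under first match because an earlier rule covers them entirely."""
    out = []
    for j, later in enumerate(policy):
        if any(all(field_subsumes(a, b) for a, b in zip(earlier.tuples(), later.tuples()))
               for earlier in policy[:j]):
            out.append(later.no)
    return out

# The chapter's walk-through packet plus two constructed UDP packets.
PKT_TCP: Packet = ("TCP", "210.1.1.1", "3080", "220.2.33.8", "80")
PKT_UDP_A: Packet = ("UDP", "190.1.1.9", "5000", "203.0.113.8", "80")   # matches rules 1, 5, 6
PKT_UDP_B: Packet = ("UDP", "190.2.3.4", "5000", "203.0.113.8", "80")   # matches rules 5, 6

if __name__ == "__main__":
    for pkt in (PKT_TCP, PKT_UDP_A, PKT_UDP_B):
        print(pkt, {s: decide(POLICY, pkt, s) for s in ("first", "best", "last")})
    print("shadowed in Table 6.1:", shadowed_rules(POLICY))
    print("shadowed with the default rule moved first:", shadowed_rules([POLICY[5]] + POLICY[:5]))
```

The second UDP packet is the instructive one: first and best match both land on rule 5 and accept it, while last match falls through to the catch-all and denies it, which is why rule order matters for first and last match but not for best match. Moving rule 6 to the top of the list makes `shadowed_rules` report rules 1 through 5, the shadowing anomaly the chapter describes.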

https://www.sciencedirect.com/science/article/pii/B9780128038437000740