Secure Firewall Implementation (Exam 212-82)

Summary: This document discusses secure firewall implementation best practices. It emphasizes filtering unused ports, creating unique user IDs for firewall services, setting firewall rules to deny all traffic except necessary services, and changing default passwords. It also highlights the importance of monitoring firewall logs and investigating suspicious entries.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Secure Firewall Implementation: Best Practices

- Filter unused and common vulnerable ports.
- To enhance the performance of the firewall, limit the applications that are running on it.
- If possible, create a unique user ID to run the firewall services, rather than running the services using the administrator or root IDs.
- Configure a remote syslog server and apply strict measures to protect it from malicious users.
- Set the firewall ruleset to deny all traffic and enable only the services required.
- Monitor firewall logs at regular intervals. Include them in your data retention policy.
- Change all the default passwords and create a strong password that is not found in any dictionary. A strong password also ensures that brute-force attacks fail.
- Immediately investigate all suspicious log entries found.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Secure Firewall Implementation: Best Practices

The following best practices will help harden firewall security:

- Filtering unused and vulnerable ports on a firewall is an effective and efficient method of blocking malicious packets and payloads. There are different types of filters in firewalls, ranging from simple packet filters to complex application filters. A defense-in-depth approach using layered filters is a very effective way to block attacks.

- Configuring administrator accounts to run a firewall depends on the security requirements of the organization and the different administrative roles the organization requires. A role defines the type of access the associated administrator has been granted to the firewall system. If possible, create a unique ID to run the firewall services rather than running them as administrator or root.
- While creating a firewall ruleset, organizations should first determine what type of traffic is needed to run the approved applications. Then set the firewall rules to deny all traffic and allow only those services the organization needs.

- Change all the default passwords and create a strong password that is not found in any dictionary. A strong password also ensures that brute-force attacks fail.

- Firewalls use a complex rule base to analyze applications and determine whether the traffic should be allowed through. Setting up firewall rules to grant access to important applications and block the rest will improve the performance of the firewall.

- Ensure that the date, time, and time zone on the remote syslog server match the network configuration so that the server can send syslog messages. Syslog data is not useful for troubleshooting if it shows the wrong date and time. In addition, configuring all network devices to use the network time protocol (NTP) ensures correct and synchronized system clocks on all network devices.

Module 07 Page 801 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

- Monitor the firewall logs at regular intervals, even if the company's management policy allows for some private use of its equipment. Monitoring what websites employees are visiting, what files they are sending and receiving, and even the content of their emails will assist in maintaining the network securely.

- Logging firewall 'allow' actions offers greater insight into malicious traffic, and tracking firewall 'deny' actions helps identify threats.

- Take regular backups of the firewall logs, at least on a monthly basis, and store these backups on secondary storage devices for future reference or for legal issues in case there is an incident.
The best way to achieve this is to use a scheduling function in the firewall. Back up the firewall before and after making a change to its rules, and ensure that the backup configuration file is usable.

- Perform audits at least once every year on firewalls to evaluate the standards implemented to secure the organization's IT resources. This will offer a record of all the files employees access, including failed attempts. Ensuring every change is accounted for will greatly simplify audits and help with daily troubleshooting.

- Firewalls cannot secure the network from internal attacks. Organizations are required to implement different strategies, such as policies that restrict employee usage of external devices in the internal network. To prevent internal network attacks, install monitoring software that will help detect any suspicious internal activity.

Secure Firewall Implementation: Recommendations

- Use a standard method and workflow for requesting and implementing firewall changes.
- Do not set conflicting rules, or eliminate them if they already exist.
- Clean up and optimize the firewall rule base.
- Remove unused or outdated rules.
- Schedule regular firewall security audits.
- Notify the security policy administrator on firewall changes and document them.
- Keep a log of the firewall rules and configuration changes.

Secure Firewall Implementation: Recommendations

- Notify the security policy administrator on firewall changes and document them. Document any changes made to the firewall. With firewalls, it is especially critical to document the rules that have been added or changed so that other administrators know the purpose of each rule and whom to contact about them.
Good documentation can make troubleshooting easier, and it reduces the risk of service disruptions caused when a security professional deletes or changes a rule they do not understand.

- Remove unused or outdated rules. Organizations can generate analysis reports to evaluate firewall access rules. This assists in identifying rules that overlap or conflict with other rules in the access rule policy. Delete, move, or edit conflicting rules using the data from the report. Organizations can develop an easier-to-use and more efficient access rule policy if they eliminate unnecessary rules.

- Implement a consistent workflow solution to manage and streamline the firewall change process. Identify potential risks and fix configuration errors before making changes to the firewall. Reduce the time required to evaluate and implement the changes to support the network.

- Clean up and optimize the firewall rule base.

- Schedule regular firewall security audits.

- Keep a log of the firewall rules and configuration changes.

Secure Firewall Implementation: Do's and Don'ts

Do's:
- Implement a strong firewall.
- Limit the applications that run on a firewall.
- Control physical access to the firewall.
- Evaluate firewall capabilities.
- Consider workflow integration.

Don'ts:
- Don't overlook scalability.
- Don't rely on packet filtering alone.
- Don't be unsympathetic to hardware needs.
- Don't cut back on additional security.
- Don't implement without SSL encryption.

Secure Firewall Implementation: Do's and Don'ts

- Implement a strong firewall.
- Limit the applications that run on a firewall.
- Control physical access to the firewall.
- Evaluate firewall capabilities.
- Consider workflow integration.
- Review and refine your policies and procedures.
- Incorporate trust marks.
- Take regular backups of the firewall ruleset and configuration files.
- Do not overlook scalability.
- Do not rely on packet filtering alone.
- Do not be unsympathetic to hardware needs.
- Do not cut back on additional security.
- Do not implement without SSL encryption.
- Do not allow telnet access through the firewall.
- Do not allow direct connections between the internal client and any outside services.
Firewall Tools

pfSense
Source: https://www.pfsense.org

pfSense is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third-party free software packages for additional functionality. pfSense software includes a web interface for the configuration of all included components.

[Figure 7.63: Screenshot of pfSense. Status / System Logs / Firewall / Normal View, listing the last 50 firewall log entries with the columns Action, Time, Interface, Rule, Source, Destination and Protocol. The visible entries are "Default deny rule IPv4 (1000000103)" blocks on the WAN interface for UDP and IGMP traffic to multicast and broadcast addresses, and one "block bogon IPv6 networks from WAN (11000)" entry.]
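The screenshot above is dominated by "Default deny rule" entries, most of them local multicast and broadcast chatter. As an added example (not from the course material), the following Python script performs the kind of periodic log review the best practices call for: it parses constructed, pipe-delimited log lines shaped like the Figure 7.63 columns, separates expected multicast/broadcast noise from other denies, and flags any source that was denied on several distinct ports of one host so it can be investigated. The log format, the sample addresses and the port threshold are constructed for this example.

```python
"""Periodic firewall deny-log review (added example; constructed data)."""
import ipaddress
from collections import defaultdict

# Constructed sample lines, pipe-delimited, mirroring the Figure 7.63 columns:
# action | time | interface | rule | source | destination | protocol
SAMPLE_LOG = """\
block|Jan 2 10:56:28|WAN|Default deny rule IPv4 (1000000103)|192.168.0.231:51025|224.0.0.252:5355|UDP
block|Jan 2 10:56:28|WAN|Default deny rule IPv4 (1000000103)|192.168.0.231|224.0.0.22|IGMP
block|Jan 2 10:56:28|WAN|Default deny rule IPv4 (1000000103)|192.168.0.37:137|192.168.0.255:137|UDP
block|Jan 2 10:56:29|WAN|Default deny rule IPv4 (1000000103)|203.0.113.9:41000|198.51.100.5:22|TCP
block|Jan 2 10:56:29|WAN|Default deny rule IPv4 (1000000103)|203.0.113.9:41001|198.51.100.5:23|TCP
block|Jan 2 10:56:30|WAN|Default deny rule IPv4 (1000000103)|203.0.113.9:41002|198.51.100.5:3389|TCP
pass|Jan 2 10:56:31|LAN|Allow LAN to any (1000000104)|192.168.0.10:50000|198.51.100.5:443|TCP
"""


def split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); port-less entries such as IGMP give (ip, None)."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host.strip("[]"), int(port)
    return endpoint, None


def is_local_noise(dst_ip):
    """Multicast and IPv4 broadcast destinations (LLMNR, IGMP, NetBIOS) are expected
    default-deny chatter. The .255 check is a heuristic that assumes /24 subnets."""
    ip = ipaddress.ip_address(dst_ip)
    return ip.is_multicast or (ip.version == 4 and dst_ip.endswith(".255"))


def review_deny_log(text, port_threshold=3):
    """Count non-noise denies per source and flag sources denied on
    port_threshold or more distinct ports of a single destination host."""
    denies = defaultdict(int)
    ports_seen = defaultdict(set)   # (src_ip, dst_ip) -> denied destination ports
    noise = 0
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 7 or fields[0] != "block":
            continue   # ignore 'pass' entries and malformed lines
        src_ip, _ = split_endpoint(fields[4])
        dst_ip, dst_port = split_endpoint(fields[5])
        if is_local_noise(dst_ip):
            noise += 1
            continue
        denies[src_ip] += 1
        if dst_port is not None:
            ports_seen[(src_ip, dst_ip)].add(dst_port)
    flagged = sorted({src for (src, _dst), ports in ports_seen.items()
                      if len(ports) >= port_threshold})
    return {"denies": dict(denies), "noise": noise, "flagged": flagged}
```

On the sample, the three local multicast/broadcast blocks are reported as noise, while 203.0.113.9 is flagged because it was denied on ports 22, 23 and 3389 of the same host within two seconds.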
Some additional firewall tools are listed below:

- Smoothwall Firewall (https://www.smoothwall.com)
- ZoneAlarm Free Firewall (https://www.zonealarm.com)
- ManageEngine Firewall Analyzer (https://www.manageengine.com)
- Sophos Firewall (https://www.sophos.com)
- Comodo Firewall (https://personalfirewall.comodo.com)
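The recommendations earlier in this module call for analysis reports that identify overlapping or conflicting rules, and the best practices call for a rule base that denies everything not explicitly allowed. As an added example (not part of the course material), the following Python script applies first-match semantics to a constructed rule base: a later rule entirely covered by an earlier one can never fire, so it is reported as redundant (same action) or conflicting (different action), and the script also checks that the final rule is the default deny. The rule tuple layout and the sample networks are constructed for this example.

```python
"""Firewall rule-base review: shadowed rules and default-deny check (added example)."""
import ipaddress

# A rule is (action, proto, src, dst, (port_lo, port_hi)); "any" matches everything.
# Constructed IPv4-only sample with one redundant and one conflicting rule.
RULES = [
    ("pass", "tcp", "192.168.0.0/24", "198.51.100.5/32", (443, 443)),
    ("pass", "tcp", "192.168.0.0/24", "198.51.100.5/32", (443, 443)),  # duplicate of rule 0
    ("block", "tcp", "any", "any", (23, 23)),                          # no telnet through the firewall
    ("pass", "tcp", "192.168.0.0/24", "any", (23, 23)),                # never fires: rule 2 matches first
    ("pass", "udp", "192.168.0.0/24", "192.168.0.1/32", (53, 53)),
    ("block", "any", "any", "any", (0, 65535)),                        # default deny
]


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    _, proto_o, src_o, dst_o, (lo_o, hi_o) = outer
    _, proto_i, src_i, dst_i, (lo_i, hi_i) = inner
    if proto_o != "any" and proto_o != proto_i:
        return False
    for net_o, net_i in ((src_o, src_i), (dst_o, dst_i)):
        if net_o == "any":
            continue   # outer matches every address on this side
        if net_i == "any":
            return False
        if not ipaddress.ip_network(net_i).subnet_of(ipaddress.ip_network(net_o)):
            return False
    return lo_o <= lo_i and hi_i <= hi_o


def analyze(rules):
    """Report each later rule fully shadowed by an earlier one (redundant if the
    actions agree, conflicting if not) and whether the base ends in a deny-all."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if covers(earlier, later):
                kind = "redundant" if earlier[0] == later[0] else "conflicting"
                findings.append((kind, i, j))
                break   # first-match semantics: the later rule can never fire
    deny_all = ("block", "any", "any", "any", (0, 65535))
    default_deny = bool(rules) and rules[-1][0] == "block" and covers(rules[-1], deny_all)
    return {"findings": findings, "default_deny": default_deny}
```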