Chapter 7 - 03 - Understand Different Types of Firewalls and their Role - 09_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Secure Firewall Implementation: Best Practices

Filter unused and common vulnerable ports o To enhance the performance of the firewall,
limit the applications that are running
O

If possible, create a unique user ID to run the °
Configure a remote syslog server and apply strict
firewall services. Rather than running the services..
O

measures to protect it from malicious users
using the administrator or root IDs

Set the firewall ruleset to deny all traffic and enable : Monitor firewall logs at regular intervals.
©

only the services required Include them in your data retention policy

Change all the default passwords and create a strong ; o
Immediately investigate all suspicious log
a
password rd that
that isis not
not found found ini any y dictionary. stron
dictionary. A strong entries found
O

password to ensure brute-force attacks also fail.

Copyright © by EC L Al Rights Reserved. Reproduction
is Strictly Prohibited

Secure Firewall Implementation: Best Practices
The following best practices will help harden firewall security:
Filtering unused and vulnerable ports on a firewall is an effective and efficient method
of blocking malicious packets and payloads. There are different types of filters in
firewalls ranging from simple packet filters to complex application filters. The defense-
in-depth approach using layered filters is a very effective way to block attacks.
Configuring administrator accounts to run a firewall depends on the security
requirements of the organization and different administrative roles the organization
requires. A role defines the type of access the associated administrator has been
granted to the firewall system. If possible, create a unique ID to run the firewall services
rather than running it as administrator or root.
While creating a firewall ruleset, organizations should first determine what type of
traffic is needed to run the approved applications. Then set the firewall rules to deny all
the traffic and allow only those services the organization needs.

Change all the default passwords and create a strong password that is not found in any
dictionary. A strong password to ensure brute-force attacks also fail.
Firewalls use a complex rule base to analyze applications and determine if the traffic
should be allowed through or not. Setting up firewall rules to grant access to important
applications and blocking the rest will improve the performance of the firewall.
Ensure that the date, time, and time zone on the remote syslog server matches the
network configuration in order for the server to send syslog messages. Syslog data is not
useful for troubleshooting if it shows the wrong date and time. In addition, configuring

Module 07 Page 801 Certified Cybersecurity Technician Copyright © by EC-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

all network devices to use network time protocol (NTP) ensures correct and
synchronized system clocks on all network devices.
= Monitor the firewall logs at regular intervals even if the company's management policy
allows for some private use of its equipment. Monitoring what websites employees are
visiting, what files they are sending and receiving, and even the content in their emails
will assist in maintaining the network securely.
= Logging firewalls ‘allow’ actions offer greater insight into malicious traffic and tracking
firewall ‘deny’ actions help identify threats.
= Take regular backups of the firewall logs—at least on a monthly basis—and store these
backups on secondary storage devices for future reference or for legal issues in case
there is an incident. The best way to achieve this is to use a scheduling function in the
firewall. Backup the firewall before and after making a change in its rules and ensure
that the backup configuration file is usable.
= Perform audits at least once every year on firewalls to evaluate the standards
implemented to secure the organization's IT resources. This will offer a record of all the
files employees access, including failed attempts. Ensuring every change is accounted
for will greatly simplify audits and help the daily troubleshooting.
= Firewalls cannot secure the network from internal attacks. Organizations are required to
implement different strategies such as policies that restrict employee usage of external
devices in the internal network. For preventing any internal network attacks, install
monitoring software that will help detect any suspicious internal activity.

Module 07 Page 802 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls - Technical Controls

Secure Firewall Implementation: Recommendations

Use a standard method and workflow for
requesting and implementing firewall changes

fi
Do not set conflicting rules or. L..
Clean up and optimize the firewall rule base
eliminate them, if they already exist

Remove unused or outdated rules o. * Schedule regular firewall security audits

Notify the security policy
administrator on firewall changes and
2 6 Keep a log of the firewall rules and
document them ‘ configuration changes

Secure Firewall Implementation: Recommendations
* Notify the security policy administrator on firewall changes and document them.
Document any changes made to the firewall. With firewalls, it is especially critical to
document the rules that have been added or changed so that other administrators know
the purpose of each rule and who to contact about them. Good documentation can
make troubleshooting easier and it reduces the risk of service disruptions that are
caused when a deletion or change in rule the security professional is unable to
understand.
= Remove unused or outdated rules. Organizations can generate analysis reports to
evaluate firewall access rules. This assists in identifying rules that overlap or are conflict
with other rules in the access rule policy. Delete, move, or edit conflicting rules using
the data from the report. Organizations can develop an easier to use and more efficient
access rules policy if they eliminate unnecessary rules.
* |mplement a consistent workflow solution to manage and streamline the firewall
change process. Identify potential risks and fix configuration errors before making
changes to the firewall. Reduce the time required to evaluate and implement the
changes to support the network.

= (Clean up and optimize the firewall rule base.
= Schedule regular firewall security audits.
= Keep a log of the firewall rules and configuration changes.

Module 07 Page 803 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Secure Firewall Implementation: Do’s and Don’ts

{ Implement a strong firewall Don't overlook scalability }

{ Limit the applications that run
Don't rely on packet
Don't rely packet
on a firewall
on sl L bl
filtering alone

Control physical access to the
Peisill Don’t be unsympathetic
’,.
firewall
to hardware needs

Evaluate firewall capabilities Don’t cut back on
Don't
additional security

Consider workflow integration Don't implement without
SSL encryption

Copyright © by L All Rights Reserved. Reproduction is Strictly Prohibited.

Secure Firewall Implementation: Do’s and Don’ts
=* |mplement a strong firewall.
=* Limit the applications that run on a firewall.
=* Control physical access to the firewall.
=» Evaluate firewall capabilities.
=* Consider workflow integration.
=» Review and refine your policies and procedures.
* Incorporate trust marks.
= Take regular backups of the firewall ruleset and configuration files.
= Do not overlook scalability.
=* Do not rely on packet filtering alone.
=* Do not be unsympathetic to hardware needs.
= Do not cut back on additional security.
* Do not implement without SSL encryption.
*=* Do not allow telnet access through the firewall.
= Do not allow direct connections between the internal client and any outside services.

Module 07 Page 804 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EC-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls —- Technical Controls

Firewall Tools
A free network firewall distribution, based on the FreeBSD operating system with a
p!Sense
p!’Sense custom kernel and including third party free software packages for additional
functionality

Flisense : E Smoothwall Firewall
https://www.smoothwall.com
Status/ System Logs/ Firewall/ / Normal View
Firewall Y/Z0

&:x—(ncv
Syiem (ncF Captve PorilAun
PornlAun Psec PPP
FPPP VPN LoadBalsncer
LosdBalancer CpenVPM
CperVPM NTP Semngs
Semnge ZoneAlarm Free
ZoneAlarm Free Firewall
Firewall
https://www.zonealarm.com
https://www.zonealarm.com
Nomal View
MNormal View Dynamic Vew
View Sammany View
Semmany View H
U,
é:.
prr——
Actien

x
Time

210920 WAN
2104420
[ e——Rue
Intertace

Defast cery rube Py
p—
Scurce

§00192 160 0201 51028 i@ 200252588
Protecal
Pratecat
e 1
f’é’ I\1\
i,\/h(
Analyzer
ManageEngine Firewall Analyzer
https://www.manageengine.com

x® on 2105428
Jen 2105428 WAN
WAN 21640 Chol n WeT4}

AT
x
”
Jan 210928 WAN
'
& 400
ot
o
Sophos Firewall
Sophos Firewall
xx n 2105428
Jn210%28 WAN
WAN i9m e
o : https://www.sophos.com
https://www.sophos.com

x. Y e Comodo Firewall
https://personalfirewall.comodo.com
Bttps//www.pfsense.org
https//www.pfsense org ¢

All Rights Reserved. Reproductio

Firewall Tools
= pfSense
Source: https://www.pfsense.org
The pfSense is a free network firewall distribution, based on the FreeBSD operating
system with a custom kernel and including third party free software packages for
additional functionality. pfSense software includes a web interface for the configuration
of all included components.

Flisense
MAMUNITY EDITION

Status/ System Logs/ Firewall / Normal View TF0O
TFO

System| Firewall | DHCP Captive Portal Auth IPsec
IPgec PPP VPN Load Balancer OpenVPN NTP Settings
—|

Normal View Dynamic View Summary View
—
—.-

Last 50 Firewall Log Entries. (Maximum 50)
Acticn
Action Time Interface Rule Source Destination Protecel

x Jan210:5628 WAN Detault deny rule IPvd §(5192.168.0.231:51025 1224002525355
3224002525355 uop
uoP
(1000000103)
x Jan210:5628 WAN Default deny rule IPvd 15)192.168.0231
§5)192.168.0231 i®240022 IGMP
(1000000103)
Xx Jan2105628 WAN Default deny rule IPvd
IPvé §(21192.168.0.231
151921680231 iE240022
iE2240022 IGMP
(1000000103)
x Jan210:5628 WAN Default deny
deny rule IPvd §5)192.168.0.231
15)192.168.0231 i®240022
i@240022 IGMP
(1000000103)
(1000000103)

x Jan210:5628 WAN Default deny rule IPvd §(5)192.168.0.37:137
§5)192.168.0.37:137 1192.168.0255137
13192.168.0255:137 uoP
(1000000103)
x Jan2105628
Jan210.5628 WAN block bogon IPv
IPvé 15)[feB0-45(7
15 4122 ac9f a271) 57483
[feB0-45¢7 412e i(3() [102:1:3)
[f102:1:3): 5355 uop
networks from WAN
(11000)

Figure 7.63: Screenshot of pfSense

Module 07 Page 805 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Security Controls — Technical Controls

Some additional firewall tools are listed below:
= Smoothwall Firewall (https://www.smoothwall.com)
= ZoneAlarm Free Firewall (https://www.zonealarm.com)
* ManageEngine Firewall Analyzer (https://www.manageengine.com)
» Sophos Firewall (https.//www.sophos.com)
= Comodo Firewall (https://personalfirewall.comodo.com)

Module 07 Page 806 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.