Title: RE: How easy is it to configure a rulebase.

Have a look at the architectures of firewalls too. In particular I like the way the PIX functions with its security zones. I find this helps to eliminate some potential firewall rule base mistakes that admins might make.

Just a quick explanation... each interface on a PIX firewall is assigned a number or security rating. By default external is given a rating of 0 (most insecure) and inside a rating of 100 (most secure). The PIX works by allowing traffic from a zone of higher security to a lower one, but never from a lower to a higher unless you specifically enable it.

Cheers
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 06 December 2001 03:44
To: Richard Saddington
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: How easy is it to configure a rulebase.

One common problem with firewall rulebases is forgetting the effect of
combinations.

For example, a common firewall setup is a 3 legged one with external,
server and internal networks connecting to a single firewall.

internet
   |
FW--- server segment
   |
Internal

If I have rules blocking Internet access to Internal for a protocol like
SSH but allow

SSH: external -> server
        and
SSH: server -> internal,

I have also allowed SSH: External to Internal for anyone who has access to
both (an employee from home, say) who might have her home machine
compromised.

This is easily apparent in this example, but can be hidden in more
complicated rule sets.

Just looking at the rulebase by itself will not point out these flows.
One has to make a graph of allowed control/data flows, then find its
transitive closure for such protocols as Telnet, FTP, SSH and HTTP, which
allow outbound connections to different hosts than the inbound connection.


Bill Royds
System Administrator, CHIN
ph: (819) 994-1200 X 239
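
Bill's point about rule combinations, and Mark's PIX security-level default above, can both be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it models zones with PIX-style security levels, a constructed first-match rule base, and a simplified default (a higher level may initiate to a lower one, a lower never to a higher), then computes the transitive closure of allowed flows per protocol and reports every explicit deny that an indirect chain of permits defeats. The zone names, levels, rules and the default-policy model are all assumptions made for illustration; real PIX semantics (per-interface ACLs replacing the default, statics, conduits) are not reproduced.

```python
from collections import defaultdict, deque

# Constructed zones with PIX-style security levels (0 = least trusted).
ZONES = {"external": 0, "server": 50, "internal": 100}

# Constructed rule base: (action, protocol, src_zone, dst_zone).
# Evaluated top-down, first match wins, exactly like the 3-legged
# example in the message above.
RULES = [
    ("deny",   "ssh",  "external", "internal"),
    ("permit", "ssh",  "external", "server"),
    ("permit", "ssh",  "server",   "internal"),
    ("permit", "http", "external", "server"),
]


def is_allowed(proto, src, dst, rules=RULES, zones=ZONES):
    """Decide a single (proto, src -> dst) flow.

    Explicit rules are checked first, in order.  If none matches, the
    simplified PIX default applies: a higher security level may initiate
    a connection to a lower one, a lower level never to a higher one.
    This is an illustrative model (assumption), not a PIX reimplementation.
    """
    for action, rproto, rsrc, rdst in rules:
        if (rproto, rsrc, rdst) == (proto, src, dst):
            return action == "permit"
    return zones[src] > zones[dst]


def direct_flows(rules=RULES, zones=ZONES):
    """Build proto -> set of directly allowed (src, dst) zone pairs.

    This is the graph of allowed flows that one would draw by hand."""
    protos = {r[1] for r in rules}
    flows = defaultdict(set)
    for proto in protos:
        for src in zones:
            for dst in zones:
                if src != dst and is_allowed(proto, src, dst, rules, zones):
                    flows[proto].add((src, dst))
    return flows


def transitive_closure(flows):
    """For each protocol, every (src, dst) reachable by chaining allowed
    hops, with one witness path.  A breadth-first search from each zone
    records the first (shortest) path found to every other zone."""
    closure = {}
    for proto, edges in flows.items():
        adj = defaultdict(set)
        for s, d in edges:
            adj[s].add(d)
        paths = {}
        for start in adj:
            queue = deque([(start, (start,))])
            seen = {start}
            while queue:
                node, path = queue.popleft()
                for nxt in adj[node]:
                    if nxt in seen:
                        continue
                    seen.add(nxt)
                    paths[(start, nxt)] = path + (nxt,)
                    queue.append((nxt, path + (nxt,)))
        closure[proto] = paths
    return closure


def indirect_violations(rules=RULES, zones=ZONES):
    """Explicit deny rules defeated by an indirect path.

    Returns a list of (proto, src, dst, path): the direct flow is denied,
    yet a chain of permitted hops (each one a separate, legitimate-looking
    rule) still connects src to dst for that protocol."""
    closure = transitive_closure(direct_flows(rules, zones))
    found = []
    for action, proto, src, dst in rules:
        if action != "deny":
            continue
        path = closure.get(proto, {}).get((src, dst))
        if path is not None and len(path) > 2:
            found.append((proto, src, dst, path))
    return found


if __name__ == "__main__":
    for proto, src, dst, path in indirect_violations():
        print(f"{proto}: {src} -> {dst} is denied directly but reachable via "
              + " -> ".join(path))
```

With the constructed rule base this reports the SSH chain external -> server -> internal, while HTTP stays confined to the server segment because server -> internal has neither an explicit permit nor the default (50 is lower than 100). Plugging in an exported rule base and real zone levels in place of the constructed ones turns the script into the closure check Bill describes.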





"Richard Saddington" <[EMAIL PROTECTED]>
12/05/01 02:53 PM


        To:     [EMAIL PROTECTED], [EMAIL PROTECTED]
        cc:     (bcc: Bill Royds/HullOttawa/PCH/CA)
        Subject:        RE: How easy is it to configure a rulebase.


Thanks for your response,

The point you make about a firewall not telling you that you have left a
hole in the security is useful. What I am trying to find out is common
issues where administrators have configured a rulebase that looks correct
and may work correctly, only to discover at a later date that they have left a
wide open hole somewhere, either because rules function differently than
expected or because they didn't test every possible rule boundary.

The point I was hoping to get feedback on was altering an existing rulebase
to incorporate changes in an organisation's security policy. Should the
whole rulebase be reworked or can extra rules just be added to the end? Then
comes the issue of performance: should rules that permit the most amount of
traffic be given priority over more defined rules?

Any comments welcome.

Regards
Richard

>From: "Hiemstra, Brenno" <[EMAIL PROTECTED]>
>To: "'Richard Saddington'" <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED]
>Subject: RE: How easy is it to configure a rulebase.
>Date: Wed, 5 Dec 2001 11:22:18 +0100
>
>Richard,
>
>In my opinion it's not about "how easy it is" to configure
>a rulebase. I don't care how easy as long as it's good, functional
>and most of all secure.
>
>I think firewall administration is not for anyone that knows
>how to make a rule in CP FW-1. You need to know more
>to setup a right rulebase. You need to know more about
>what service you are going to allow and what the implications
>are on the firewalls / server.
>
>Firewall administration doesn't need to be made easy because
>a firewall will not tell you that you made a wrong rule that opens
>up your whole network. Firewall administration needs to be made
>thorough and secure. A good viewable GUI is an advantage but
>if the firewall itself lacks security that doesn't make it more secure.
>
>Administering a firewall's ruleset in a plain text file may be a
>pain in the ass if the rulebase is big, but then you will learn
>administering firewalls the hard way (in my opinion). It's still
>possible to open up the rulebase more than it needs to be though!
>
>Just my thoughts..
>
>Regards,
>
>
>Brenno
>
> > -----Original Message-----
> > From:                Richard Saddington
[SMTP:[EMAIL PROTECTED]]
> > Sent:                Tuesday 4 December 2001 13:59
> > To:          [EMAIL PROTECTED]
> > Subject:             How easy is it to configure a rulebase.
> >
> > Hi All,
> >
> > I am an undergrad student researching firewall technologies, specifically
> > how rulebases are configured to filter packets.
> >
> > What I would like to know is problems people have had configuring rule
> > tables, e.g. getting the rules in the right order, difficulties implementing
> > the security policy/changes in security policy etc.
> >
> > The two products I have been looking at are CP's Firewall-1 and the
> > Netscreen-100. Any info on rulebases on these firewalls would be most
> > useful.
> >
> > Cheers
> > Richard
> >
> >
> >
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
