How (not) to use your firewall Jurjen N.E. Bos Information Security Consultant.
Date posted: 18-Dec-2015
How (not) to use your firewall
Jurjen N.E. Bos
Information Security Consultant
0420
Overview
• Introduction
• Principles of information security
• Strengths and weaknesses of a firewall
• Basic principles
• Conclusion
Introduction
• A firewall, originally, is a wall that prevents spreading of fire through a building
• More generally, it isolates things in case of hazard
• Specifically, we will discuss isolating the Internet from a company network
A firewall
[Diagram: Internet, Firewall, LAN]
Principles of information security
What do you want to protect?
• Your data
  • secrecy
  • reliability
  • availability
• Your hardware
• Your reputation
What do you want your firewall to do?
• Increase security
• Simplify maintenance of network
• Save money
• Be user friendly and non-disruptive
What can your firewall do
A firewall protects your company LAN against
• known threats
• coming from outside
• via the firewall
• at connection level
• by making things harder to use.
What can’t your firewall do
• Solve your security problem
• Protect against viruses
• Protect data that doesn’t flow through it
• Be “user friendly”
• Protect against every threat
• Protect against attacks from the inside
Examples
• A firewall does not protect against viruses
  • There’s a new example every month
• A firewall does not protect against unknown attacks
  • Firewall-1 DOS attack: July 2000
• A firewall makes life harder
  • If you had no front door lock, you wouldn’t have to stay home for the heating repairman. Wouldn’t that be convenient?
Maintaining a firewall
Most attacks are published in enough detail that people can figure out for themselves how to attack your machines.
• Install your system properly
• Read the news on known holes (e.g. SANS), and download the patches
  • Watch out for fake patches
  • Watch out for reliability of your machines
• Read your log files
A firewall is not a machine
A firewall does not only consist of the firewall host machine, but also of:
• A security model
• A list of firewall settings (e.g., allowed services)
• Procedures to maintain the firewall host machine
• An operator or group of operators
• A list of guidelines
Basic rules
A few trivial but important rules for security maintenance:
• Use multiple layers of protection
• Keep it simple
• “No, unless” instead of “Yes, if”
• Monitor your systems
  • Not only the firewall, but also the network behind it
• Decide on your security model
  • Risk analysis is a very useful tool
Layers of protection
[Diagram: A, B, C]
Protocol stack
User Layer: Word, PDF
Application Layer: SMTP, FTP, Telnet
Transport Layer: TCP, UDP, ICMP
Internet Layer: IP
Network Access Layer: Ethernet, ATM
Example: firewall settings
• Allow useful low risk services: SMTP, POP (mail), NNTP (news), HTTP (surfing)
• If you really need it, allow services like DNS (naming), IRC (chat), MBONE (video conferencing and the like)
• Don’t allow games, NTP (time), RIP, OSPF (routing), SNMP (management), NIS, WINS (naming)
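The three tiers on this slide, combined with the “No, unless” rule from the Basic rules slide, can be checked mechanically against a rule set. The Python audit below is an added example and not part of the original slides. It assumes iptables-save input, the conventional port numbers for each service, and that a “really need it” service carries a comment recording why it is open; MBONE and games have no single port and simply fall under the not-on-the-allow-list check.

```python
import re
import shlex

# Tiers from the "Example: firewall settings" slide; port numbers are assumed conventional values.
ALLOWED = {("tcp", 25): "SMTP", ("tcp", 110): "POP", ("tcp", 119): "NNTP", ("tcp", 80): "HTTP"}
IF_NEEDED = {("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 6667): "IRC"}
DENIED = {("udp", 123): "NTP", ("udp", 520): "RIP", ("udp", 161): "SNMP",
          ("udp", 137): "WINS", ("tcp", 111): "NIS", ("udp", 111): "NIS"}

# Constructed sample in iptables-save format (not a real configuration).
SAMPLE = '''*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -m comment --comment "resolver for mail relay" -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6667 -j ACCEPT
-A FORWARD -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'''

def audit(ruleset):
    """Return (line number, problem) pairs for rules that break 'No, unless'."""
    findings = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        policy = re.match(r":(INPUT|FORWARD) (\w+)", line)
        if policy and policy.group(2) != "DROP":
            findings.append((n, f"{policy.group(1)} policy is {policy.group(2)}, not DROP"))
        if not line.startswith("-A "):
            continue
        args = shlex.split(line)
        opt = {a: b for a, b in zip(args, args[1:]) if a.startswith("-")}
        if opt.get("-j") != "ACCEPT" or "NEW" not in opt.get("--ctstate", "NEW"):
            continue  # replies to established connections do not widen the policy
        proto, port = opt.get("-p"), opt.get("--dport", "")
        key = (proto, int(port)) if port.isdigit() else None
        if proto in ("ospf", "89"):
            findings.append((n, "OSPF accepted; the slide says block it"))
        elif key is None:
            findings.append((n, "ACCEPT not tied to one protocol and port"))
        elif key in DENIED:
            findings.append((n, f"{DENIED[key]} accepted; the slide says block it"))
        elif key in IF_NEEDED and "--comment" not in opt:
            findings.append((n, f"{IF_NEEDED[key]} accepted with no recorded reason"))
        elif key not in ALLOWED and key not in IF_NEEDED:
            findings.append((n, f"{proto}/{port} is not on the allow list"))
    return findings
```

Calling `audit(SAMPLE)` reports the default-ACCEPT FORWARD chain, the uncommented IRC rule, the SNMP rule and the unlisted port 8080, and passes the commented DNS rule.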
Train your users
Users must know basic things in order to make effective use of security measures:
• The Internet is unreliable.
• Security through obscurity doesn’t work (they won’t notice I have all my passwords in a file called “secret”).
• Social engineering is hard to recognise.
I recommend writing a guidelines document for Internet usage.
Guidelines for users
Things to consider putting in a guidelines document:
• Use the connections that are available
  • No own phone connections, for example
• No downloading of objectionable material
  • Filters annoy “good” users, and don’t stop “bad” users
• Don’t trust the outside world
  • Social engineering is a serious threat
• Digital data is often more valuable than physical objects
Useful literature
There are a zillion books about information security out there. The ones I read recently and liked:
• Elizabeth D. Zwicky, Simon Cooper and D. Brent Chapman: “Building Internet Firewalls”, second edition, O’Reilly
• Bruce Schneier: “Secrets and Lies”
Conclusion
Basic rules of using any security system:
• Don’t trust anything
  • Don’t put all your eggs in one basket
  • Attacks may come from everywhere
• Know what you want to protect
  • Use the simplest protection that protects it
• Train your users
• Stay alert
How to make a firewall useless
• Trust your users
• Use the default installation
• Use a sophisticated self designed system that locks out everything dangerous
• Assume the firewall will protect you forever