This is the security and auditing section of the Network Firewall Guide. Learn about the key security risks and standards to consider when adopting a firewall or VPN, find out how to audit firewall activity, and read up on purchasing advice before buying your firewall.
Firewalls are essential since they can provide a single block point where security and auditing can be imposed. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what type/volume of traffic has been processed through it. This is an important point since providing this block point can serve the same purpose (on your network) as an armed guard can (for physical premises).
This information was excerpted from networking expert Chris Partsenidis' tip Introduction to firewalls.
Firewall security risks
Test your firewall rules
Before someone else hacks your firewall, test your firewall rules yourself as part of the self-hacking process that checks your network's security. In Chapter 9, "Network Infrastructure," of Hacking for Dummies, 2nd edition, learn about the tools involved in this process and how to use them.
Risks are threats to your objectives. A proper risk analysis should be done before making any technology decision. When considering adopting firewall/VPN technology, here are some key security risks and standards which should be considered:
To assess risk ask the following questions:
What is at risk?
What is its value?
What are the threats?
What is the probability of occurrence?
Some of the common security risks are as follows:
Single point of failure
Loose security policies
Support protection
Limitation of technology
False sense of security
Weak encryption
Latency
Here are some firewall/VPN standards to consider:
Open architecture
Packet filtering
Default to denial
Auditing capabilities
Access control
Logging capabilities
Intrusion detection
Extended user authentication
Secured subnets
Strong encryption
Network management systems
Secure back-up
Stateful inspection
Real-time traffic monitoring and alerting system
Device management
Secure tunneling
Application layer traffic inspection
This information was excerpted from Firewall security risks, an expert answer from network security expert Puneet Mehta.
Auditing firewall activity
We can only dream that once you've made it through the challenging phases of firewall selection and architecture design, you're finished setting up a DMZ. In the real world of firewall management, we're faced with balancing a continuous stream of change requests and vendor patches against the operational management of our firewalls. Configurations change quickly and often, making it difficult to keep on top of routine maintenance tasks.
Network security expert Michael Chapple takes a look at four practical areas where some basic log analysis can provide valuable firewall management data:
Monitor rule activity: System administrators tend to be quick on the trigger to ask for new rules, but not quite so eager to let you know when a rule is no longer necessary. Monitoring rule activity can provide valuable insight to assist you with managing the rulebase. If a rule that was once heavily used suddenly goes quiet, you should investigate whether the rule is still needed. If it's no longer necessary, trim it from your rulebase. Legacy rules have a way of piling up and adding unnecessary complexity. Over the years, Chapple has had the chance to analyze the rulebases of many production firewalls, and estimates that at least 20% of the average firewall's rulebase is unnecessary. There are systems where this ratio is as high as 60%.
Traffic flows: Monitor logs for abnormal traffic patterns. If servers that normally receive a low volume of traffic are suddenly responsible for a significant portion of traffic passing through the firewall (either in total connections or bytes passed), then you have a situation worthy of further investigation. While "flash crowds" are to be expected in some situations (such as a Web server during a period of unusual interest), they are also often signs of misconfigured systems or attacks in progress.
Rule violations: Looking at traffic denied by your firewall may lead to interesting findings. This is especially true for traffic that originates from inside your network. The most common cause of this activity is a misconfigured system or a user who isn't aware of traffic restrictions, but analysis of rule violations may also uncover attempts at passing malicious traffic through the device.
Denied probes: If you've ever analyzed the log of a firewall that's connected to the Internet, you know that it's futile to investigate probes directed at your network from the Internet. They're far too frequent and often represent dead ends. However, you may not have considered analyzing logs for probes originating from inside the trusted network. These are extremely interesting, as they most likely represent either a compromised internal system seeking to scan Internet hosts or an internal user running a scanning tool -- both scenarios that merit attention.
Your firewall audit logs are a veritable goldmine of network security intelligence. Use them to your advantage!
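The four log checks above (quiet rules, heavy destinations, internal rule violations, internal probes), as an added example that is not from the original guide or from Michael Chapple. The log line layout, the rule ids, the 10.0.0.0/8 trusted network and the sample entries are all constructed for this example; real firewall logs need their own parser in place of parse().

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # assumed trusted network for this example
RULEBASE = ["r1", "r2", "r3", "r4", "r5"]  # configured rules; r5 never fires
# Constructed sample lines: "<rule> <action> <src> <dst> <dport> <bytes>"
SAMPLE_LOG = """\
r1 allow 203.0.113.5 10.0.1.10 443 5200
r2 allow 10.0.2.20 192.0.2.9 25 900
r3 deny 10.0.3.30 192.0.2.10 23 0
r3 deny 10.0.3.30 192.0.2.11 23 0
r3 deny 10.0.3.30 192.0.2.12 22 0
r3 deny 10.0.5.50 192.0.2.9 25 0
r3 deny 198.51.100.9 10.0.1.10 22 0
r4 allow 10.0.4.40 192.0.2.50 80 750000
"""

def parse(log):
    """One connection per line; the field layout is constructed for this example."""
    rows = []
    for line in log.splitlines():
        rule, action, src, dst, dport, nbytes = line.split()
        rows.append(dict(rule=rule, action=action, src=src, dst=dst,
                         dport=int(dport), bytes=int(nbytes)))
    return rows

def unused_rules(rows, rulebase=RULEBASE):
    """Rule activity: configured rules with no hits are candidates for trimming."""
    hits = Counter(r["rule"] for r in rows)
    return [rule for rule in rulebase if hits[rule] == 0]

def bytes_by_dst(rows):
    """Traffic flows: allowed bytes per destination host, heaviest first."""
    total = Counter()
    for r in rows:
        if r["action"] == "allow":
            total[r["dst"]] += r["bytes"]
    return total.most_common()

def internal_violations(rows):
    """Rule violations: denied connections that originate inside the trusted network."""
    return [r for r in rows if r["action"] == "deny" and ip_address(r["src"]) in INTERNAL]

def internal_probes(rows, min_targets=3):
    """Denied probes: an internal source denied to many distinct dst:port pairs."""
    targets = defaultdict(set)
    for r in internal_violations(rows):
        targets[r["src"]].add((r["dst"], r["dport"]))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)
```

Run each function over a day's worth of parsed rows; a rule in unused_rules for several weeks, or a host that newly appears in internal_probes, is the kind of finding the section above says is worth chasing.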
Firewall purchasing advice
First and foremost, consider the functionality of the firewall. The good news for those deciding between products is that mainstream firewalls all have the same core functions. Each performs stateful inspection packet filtering and allows the implementation of basic perimeter defenses. Michael Chapple recommends homing in on functional requirements. Ask yourself: Do you need to emphasize network throughput or enhanced security features?
One major point of differentiation between firewalls is their ability to perform application-layer inspection. Many firewalls simply don't have application-layer inspection, while others implement basic functionality (such as URL filtering). Some products, like Secure Computing Corp.'s Sidewinder G2 firewall and F5 Networks' BIG-IP Application Security Manager, have deep application inspection capabilities. These types of firewalls allow for complex application rule bases that limit the types of actions carried out over a connection. For example, you might limit inbound HTTP requests from the Internet to GET commands, while internal users might be able to issue POST commands. This functionality allows you to protect the enterprise against application-based attacks as well as network-based attacks.
Finally, consider the vendor itself. When investing in a firewall product, you're making a long-term decision. The financial commitment is only the tip of the iceberg; your firewall administrators will invest significant time and energy building and customizing a rule base for that particular product. In general, rule bases are not portable between platforms, so any future platform change will require a substantial commitment of human resources. It's therefore wise to make sure the vendors on your short list are all stable companies with solid financials. You certainly don't want to get on board a sinking ship.
This advice was given by Michael Chapple at SearchSecurity.com.