UNIVERSITY OF WALES NEWPORT
MSc. Computing
Network design & network hardening policies for
ABC BROADCASTING CORPORATION (A SATELLITE TV COMPANY)
Sina Rahati, Tan Kok Chee, Swipeng Tay, Onwuegbuzie Innocent U., Yao Zhen Wei
DATE SUBMITTED: May 11, 2009    RECEIVED BY: Mr. Christopher Lim (Course Lecturer)
Network Infrastructure, Network Security and Management Policies
TABLE OF CONTENT

LIST OF FIGURES
Figure i: Diagram of Asian Countries Where ABC Broadcasting Corps Operates ........ 7
Figure ii: Diagram Showing a Simplified Form of ABC Corps VPN and Leased Line Connections ........ 9
Figure iii: A Detailed Diagram of ABC Broadcasting Corporation's Network ........ 15
Fig iv: The Demilitarized Zone (DMZ) ........ 24
Fig v: Virtual Private Network (VPN) ........ 25

ABSTRACT ........ 5

CHAPTER ONE
1.1.0 Purpose and Scope ........ 6
1.2.0 Introduction ........ 6
1.3.0 Company Profile of ABC Broadcasting Corporation ........ 6
1.4.0 Linking ABC Broadcasting Corporation to Its Various Branches ........ 7
1.5.0 The Virtual Private Network (VPN) ........ 8
1.5.1 How VPNs Work ........ 8
1.5.2 Security Measures Used in IP-VPN ........ 9
1.5.3 Tunnel ........ 9
1.5.4 Firewall ........ 9
1.5.5 Encryption ........ 9
1.5.6 Point to Point Tunneling Protocol ........ 10
1.5.7 Internet Protocol Security (IPSec) ........ 10
1.5.8 AAA Servers ........ 10

CHAPTER TWO
2.1.0 Point to Point Leased Line ........ 11
2.2.0 Point to Point Protocol ........ 11
2.3.0 CSU/DSU Device ........ 11

CHAPTER THREE
3.1.0 Analyzing ABC Corps Network Configuration Setup ........ 12
3.2.0 Head Quarters and Branch Office VPN Connection ........ 13
3.3.0 Head Quarter and Branch Office Leased Line Connection ........ 14

CHAPTER FOUR
4.1.0 System/Security Hardening ........ 16
4.2.0 Network Hardening Measures ........ 16
4.3.0 Testing the Firewall ........ 18
4.4.0 Default Settings ........ 18
4.5.0 Rule Sets ........ 19
4.6.0 Audit ........ 19
4.7.0 Mandatory Requirements ........ 19
4.8.0 Consequences of Non-Conformance ........ 20
4.9.0 Operating Systems (OS) / Cisco IOS Requirements ........ 21
IT Security for ABC Broadcasting Corporation
CHAPTER FIVE
5.1.0 Guidelines for Building Firewall Environments ........ 23
5.2.0 DMZ Networks ........ 23
5.3.0 Virtual Private Network ........ 25
5.4.0 Intranet ........ 26
5.5.0 Intrusion Detection System (IDS) ........ 26
5.6.0 Intrusion Prevention System (IPS) ........ 27
5.7.0 Infrastructure Components ........ 28

CHAPTER SIX
6.1.0 General Security Measures ........ 29
6.2.0 Installation and Configuration ........ 30
6.3.0 Firewall Software ........ 30
6.4.0 Access to the Firewall ........ 31
6.5.0 Testing the Firewall ........ 31

CHAPTER SEVEN
7.1.0 General Settings and Defaults ........ 32
7.1.1 Security Policy ........ 32
7.1.2 Enable Network Address Translation (NAT) ........ 32
7.1.3 Specify Limits of Authentication Failures ........ 32
7.1.4 Reserve Enough Disk Space to Hold the Log File ........ 32

CHAPTER EIGHT
8.1.0 Managing Rule Sets ........ 33
8.2.0 Hardening the Rule Set ........ 34
8.2.1 Turn off Unused Rules ........ 34
8.2.2 Deny "Spoofed Packets" ........ 34
8.2.3 Rule Order Is Important ........ 34
8.2.4 Performance of the Rule Set ........ 35
8.2.5 Browse and Edit the Default Rules ........ 35
8.2.6 Block Any Access to the Firewall Itself ........ 35
8.2.7 Log All Packets Marked For Drop ........ 35
8.2.8 Drop Broadcast Traffic and Switch Logging Off ........ 35
8.2.9 Block the DMZ If Appropriate ........ 36
8.2.9.1 The DMZ Should Never Initiate Undesired Connections ........ 36
8.2.9.2 Put Comments at the Rules ........ 36

CHAPTER NINE
9.1.0 Audit ........ 37
9.2.0 Auditable Events ........ 37
9.3.0 Sample Traffic Rule Matrix ........ 39
9.4.0 Blocking Standards ........ 40
9.5.0 Firewall Allow and Denial/Blocking Rules ........ 41
CHAPTER TEN
10.1.0 Management Security Hardening Policies ........ 43

CHAPTER ELEVEN
11.1.0 Recommendations ........ 45
11.1.1 Opinions ........ 45
11.2.0 Summary and Conclusion ........ 45
11.3.0 Terms and Definition ........ 46
References ........ 48
ABSTRACT
Designing a network is not just about placing routers, firewalls, intrusion detection systems and so on in a network; it is about having good reasons for placing such hardware where it is placed. The world has gone beyond designing a network purely to achieve a functional inter-connected LAN or WAN for doing business. The threat to organizational security has heightened to the extent that a safe network design is not complete without the necessary protective hardware in place, together with appropriate rules and measures to counter organizational threats such as malicious programs, hackers and social engineers. ABC Broadcasting Corporation is an organization that offers broadband satellite television services to its numerous clients. This document explains how to design a well protected and hack-proof network, both on the hardware/software side and from the human angle. Two network link infrastructure methods are used to secure ABC Broadcasting Corp's network: IP-VPN and Point to Point Leased Line. A detailed explanation is given of how these networks are set up and protected, with descriptive diagrams. The last phase of this document focuses on network security, which is subdivided into two parts: network hardware security, centred on firewall configuration rules, and management security, which focuses on measures to thwart, prevent and annul hacker, cracker and social engineering attacks.
CHAPTER ONE
1.1.0 PURPOSE AND SCOPE
This document is intended to be an accompaniment to ABC Broadcasting Corporation's IT Policy, "Network Security." The policy describes the state's overall requirements regarding the acquisition of technologies and the implementation of policies and practices related to network boundary (perimeter) security. This document is designed to provide a deeper understanding of the principal technological solutions described in the ABC Broadcasting Corporation IT Policy and to assist State of ABC personnel who may be responsible for acquiring, implementing or monitoring boundary security.
1.2.0 INTRODUCTION
Information technology networks can be described in many ways, but the description that seems to provide the best understanding of how to defend networks is to compare them to an onion. If you think of a network as being composed of multiple layers, the outermost layer is the part that you touch, the boundary between it and the world. As you peel back the layers, you move closer to the valuable "core." In network terms, the core most often represents our most valuable data and applications. Each layer of the network provides a different level of functionality and requires its own unique set of solutions to adequately secure the information traversing it between the core and the boundary. The most effective security architectures incorporate security strategies at every layer of the network. This makes it extremely difficult for someone attempting to compromise the network to attack from the outside, because they must not only peel back the boundary (the first layer of defense), but each layer beneath it, to get to the most valuable data or infrastructure. This strategy is called "Defense in Depth" and represents the most effective means of thwarting system compromise. Even though some defenses may be defeated, it is much more difficult to penetrate all of the layers than just one layer. Nevertheless, the perimeter or network boundary is critical as the first line in defense of the network and is the focus of this paper.
1.3.0 COMPANY PROFILE OF ABC BROADCASTING CORPORATION
ABC Broadcasting Corporation is a private broadcasting company that broadcasts satellite news and movies to different countries in the Asian region. The news is outsourced from local and overseas news agencies, and the movies are outsourced from movie distribution companies. These news and movies are transmitted to a satellite and broadcast back to the people in Malaysia, Singapore, Indonesia, the Philippines, Thailand, Laos, Cambodia and Vietnam. Customers need to purchase a small satellite dish and a decoder, and subscribe to ABC Broadcasting Corporation, to have access to the broadcast news and movies.
Figure i: Diagram of Asian Countries Where ABC Broadcasting Corps Operates
ABC Corporation has its headquarters in Kuala Lumpur, the capital of Malaysia, and spreads its branches across the countries shown in the above diagram. This is where the products and services are developed and the management sets its policies and strategies. There are seven branch offices: Singapore (Singapore), Jakarta (Indonesia), Bangkok (Thailand), Vientiane (Laos), Phnom Penh (Cambodia), Hanoi (Vietnam) and Manila (Philippines). These branches receive their policies and guidelines from Kuala Lumpur. Sales of the satellite dish, decoder and access are through the company's outlets, which are located in different parts of the region. Renewal of access to the broadcast news and movies is through these outlets or through the Internet by visiting the company's website.
1.4.0 LINKING ABC BROADCASTING CORPORATION TO ITS VARIOUS BRANCHES
There are various possible modes of linking a company's branches to its Head Quarters (HQ); amongst these are the Internet Protocol Virtual Private Network (IP-VPN), Frame Relay, Point to Point Leased Lines, X.25, and Broadband Integrated Service Digital Network (B-ISDN)-Asynchronous Transfer Mode (ATM). Analyzing these various network link methods takes into consideration the dynamics of technological advancement with respect to IT in general, which may directly or indirectly affect the chosen network type. The network configuration that is chosen must have the following features:
• Scalable geographic connectivity
• Improved security
• Low operational costs
• Reduced transmission time and operational costs for customers
• Enhanced productivity
• Simple network topology
• Support for future global expansion
• Telecommuter support
• Broadband networking compatibility
• In line with the management's objectives
Having studied the available network connectivity methods, it was concluded to choose and implement the IP-VPN and the Point to Point Leased Line methods for linking ABC Broadcasting Corporation to its various branches. The IP-VPN is to link the distant branches of the company to the Head Quarters in Kuala Lumpur, while the Point to Point Leased Line is to link the closer branches to the Head Quarters. Let's talk first about the IP-VPN.
1.5.0 THE VIRTUAL PRIVATE NETWORK (VPN)
A VPN is a private network that uses a public network (usually the Internet) to connect remote sites/branches together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to its remote sites or employees.
1.5.1 HOW VPNS WORK
When making a VPN connection, there are two connections. The first connection is made to the Internet Service Provider. In connecting to the service provider, TCP/IP (Transmission Control Protocol/Internet Protocol) and PPP (Point-to-Point Protocol) are used to communicate with the ISP. The remote user is assigned an IP address by the ISP. The user then logs in to the company login. This second connection establishes the VPN connection, and a tunnel is created (for example with PPTP) after the user is authorized. IP datagrams containing encapsulated PPP packets are then sent. In normal connections, the company's firewall does not allow PPP packets to enter the network; thus, Internet users are not able to access a private network. However, VPN services allow users who meet the security criteria to be admitted. The VPN server disassembles the packet and transfers it to the destination computer located in the private network (Microsoft TechNet 2009).
Note: It is also possible for the organization to host its own private Internet Service Provider (ISP) stations, especially at its HQ and its local and overseas branches. This is to strengthen security, since total trust cannot be placed in public ISPs, as they might sniff the organization's VPN tunnel for selfish reasons.
Below is a simplified network diagram of ABC Broadcasting Corporation's VPN network.
Figure ii: Diagram Showing a Simplified Form of ABC Corps VPN and Leased Line Connections (diagram labels: ABC's Branch Office with Fibre Optics, Leased Line, VPN Tunnel, IP-VPN Internet Cloud, ABC's Branch Office, ABC's Head Quarters, TeleWorker)
1.5.2 SECURITY MEASURES USED IN IP-VPN
A well-designed and secured VPN uses several methods for keeping the connection and data secure, and these are explained below.
1.5.3 TUNNEL
A tunnel is a virtual point-to-point connection made through a public network. Once there is a connection, information can be exchanged on this virtual link. In addition, tunneling allows senders to encapsulate their packets within IP packets, which prevents the data from being altered.
1.5.4 FIREWALL
A firewall provides a strong barrier between your private network and the Internet. You can set firewalls to restrict the number of open ports, what types of packets are passed through and which protocols are allowed through.
1.5.5 ENCRYPTION
Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong in one of two categories:
• Symmetric-key encryption
• Asymmetric-key or public-key encryption
1.5.6 POINT TO POINT TUNNELING PROTOCOL (PPTP)
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks (i.e. the public Internet). PPTP supports on-demand, multi-protocol, virtual private networking over public networks, such as the Internet.
1.5.7 INTERNET PROTOCOL SECURITY (IPSEC)
Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host (Wikipedia 2009).
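As an added illustration (example code written for this edition of the document, not taken from the report or from any IPsec implementation), the following Python models the two per-packet protections the paragraph above describes: the sender appends a keyed integrity check value (HMAC-SHA-256 truncated to 128 bits, the HMAC-SHA-256-128 construction) over the SPI, sequence number and payload, and the receiver verifies it and keeps a sliding anti-replay window of the kind both AH and ESP use. The SPI, the key and the sample packets are constructed for the example; in a real security association the key would come from the key negotiation (IKE) the paragraph mentions, and ESP would additionally encrypt the payload.

```python
"""Added model of IPsec-style per-packet authentication and anti-replay checking.
The key, SPI and packets below are constructed for the example."""
import hashlib
import hmac
import struct

SPI = 0x1234ABCD                                 # constructed Security Parameter Index for this SA
KEY = b"constructed-demo-key-replace-via-IKE"    # a real SA would derive this through IKE
ICV_LEN = 16                                     # HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128)
HEADER = struct.Struct("!II")                    # SPI, sequence number, network byte order


def compute_icv(authenticated: bytes) -> bytes:
    """Keyed integrity check value over everything the receiver must be able to trust."""
    return hmac.new(KEY, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def protect(seq: int, payload: bytes) -> bytes:
    """Sender side: SPI | seq | payload | ICV. Real ESP would also encrypt the
    payload; this toy covers only the authentication and anti-replay fields."""
    body = HEADER.pack(SPI, seq) + payload
    return body + compute_icv(body)


class Receiver:
    """Receiver side of one inbound SA with a 64-packet anti-replay window."""

    def __init__(self, window: int = 64):
        self.window = window
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence (highest - i) already accepted

    def _replay_check(self, seq: int) -> bool:
        """Accept and record seq unless it was already seen or is older than the window."""
        if seq == 0:
            return False                               # IPsec never sends sequence 0
        if seq > self.highest:                         # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.window) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        age = self.highest - seq
        if age >= self.window:                         # too old to track: treat as a replay
            return False
        if self.bitmap & (1 << age):                   # already accepted once
            return False
        self.bitmap |= 1 << age
        return True

    def unprotect(self, packet: bytes):
        """Return (accepted, reason, payload). The ICV is checked before the window
        is updated, so a forged packet can never advance the receiver's state."""
        if len(packet) < HEADER.size + ICV_LEN:
            return False, "truncated", b""
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = HEADER.unpack(body[:HEADER.size])
        if spi != SPI:
            return False, "unknown SPI", b""
        if not hmac.compare_digest(icv, compute_icv(body)):
            return False, "bad ICV", b""
        if not self._replay_check(seq):
            return False, "replay", b""
        return True, "ok", body[HEADER.size:]


def run_demo():
    """Deliver constructed packets, including a replayed one and a tampered one."""
    rx = Receiver()
    p1, p2, p3 = protect(1, b"hello HQ"), protect(2, b"second"), protect(3, b"transfer 10")
    tampered = p3[:HEADER.size] + b"transfer 99" + p3[-ICV_LEN:]   # payload altered, ICV kept
    return [rx.unprotect(pkt)[1] for pkt in (p1, p2, p2, tampered, p3)]
    # returns ['ok', 'ok', 'replay', 'bad ICV', 'ok']


if __name__ == "__main__":
    print(run_demo())
```

The order of checks in `unprotect` matters: the integrity check runs before the window is touched, so an attacker who cannot produce a valid ICV cannot consume sequence numbers or push the window forward, and the window itself means that even a perfectly valid captured packet is accepted only once.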
AAA (Authentication, Authorization and Accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks for the following:
• Who you are (authentication)
• What you are allowed to do (authorization)
• What you actually do (accounting)
The accounting information is especially useful for tracking client use, for security auditing, billing or reporting purposes (How Stuff Works 2009).
CHAPTER TWO
2.1.0 POINT TO POINT LEASED LINE
A point-to-point leased line is a dedicated pair, or pairs, of copper wire connecting two end users through a network rented from a telecommunications provider. Unlike normal dial-up connections, leased lines are always active and deliver guaranteed bandwidth. A point to point leased line is a cost effective, resilient and secure solution for connecting multiple offices or remote workers with guaranteed uptime and bandwidth. Leased lines offer a number of significant advantages over traditional dial-up connections, and these advantages are:
• Non-contention - a leased line is 100% dedicated to the company's exclusive use.
• Security - a dedicated leased line is private, and therefore secure.
• Reliability and resilience - a leased line is backed by Service Level Agreements and its performance is monitored by the service provider at all times.
• Symmetric - upload and download speeds are the same.
• Cost control - the monthly rental charge is fixed and does not vary with usage.
• Permanence - the connection is always on.
2.2.0 POINT TO POINT PROTOCOL
The Point-to-Point Protocol (PPP) originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links. PPP also established a standard for the assignment and management of IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration, link quality testing, error detection, and option negotiation for such capabilities as network layer address negotiation and data-compression negotiation. PPP supports these functions by providing an extensible Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs) to negotiate optional configuration parameters and facilities. In addition to IP, PPP supports other protocols, including Novell's Internetwork Packet Exchange (IPX) and DECnet (James & Keith 2009).
2.3.0 CSU/DSU DEVICE
A Channel Service Unit (CSU) is a device that connects a terminal to a digital line, while a Data Service Unit (DSU) is a device that performs protective and diagnostic functions for a telecommunications line. Typically, the two devices are packaged together as a single unit. We can think of the CSU/DSU as a very high-powered and expensive modem. This device is required at both ends of a T-1 or E-1 connection. The units at both ends of the connection must be from the same manufacturer, their configurations must be set to be similar, and the routers at both ends must be configured to be in the same subnet (Robert et al 2005).
CHAPTER THREE
3.1.0 ANALYSING ABC CORP'S NETWORK CONFIGURATION SETUP
For ABC Broadcasting Corporation to survive, it must consider network security a critical function of its success. Appropriate measures are taken to tighten the security of ABC Corp's network infrastructure to prevent breaches of security and yet stay in line with the company's objectives, which aim for flexibility, scalability and affordable cost for consumers. Below is the analysis of ABC Corp's network infrastructure.
ABC Corp's network infrastructure is made up of three (3) layers:
1. The Outer-Layer, which accommodates the Web server, FTP server and E-mail server. This layer is the general public layer and is enclosed in the External DMZ. Employees and the public, including clients and partners, have access to this layer.
2. The Middle-Layer is more protected than the outer layer. This layer is strictly for employees, whether they connect from within, from a branch office or from a remote location. This layer is where most of the operational departments are found, e.g. the Sales, Accounting, Broadcasting and Customer Relations departments. Access into this layer requires authentication.
3. The Inner-Layer is the most protected of the three layers; hence it is referred to as the "Core" of the network. This layer is where the Research and Development, Human Relations and IT departments are located.
List of hardware used in setting up ABC's network:
1. Firewalls
2. Switches
3. Intrusion Detection Systems (IDS)
4. Routers
5. Leased Line Routers
6. Fiber Optics Cable
7. Workstations
8. Web server
9. Proxy server
10. FTP server
11. E-Mail server
12. VPN/AAA server
13. Active Directory server
14. CSU/DSU Modem
15. Departmental servers
16. Digital Transmission Satellite Dish
17. Digital Video Broadcasting (DVB) System
18. Clients/Subscribers
19. Printers
Note: All the routers used in this setup are Cisco 3800 series routers, and the core switches are Cisco Catalyst 4500 series switches. D-Link DES-3028 series switches are used as access switches. The boundary firewalls are Cisco PIX 500 series appliance firewalls. The IDS used is the Cisco Threat Defense IDS 4250 series. The Cisco VPN Concentrator 3000 series is also used. All the servers in the External DMZ are Unix-based Linux platform servers.
ABC Corp's network has been segmented into several Virtual Local Area Networks (VLANs). This VLAN architecture helps isolate uncontrolled broadcasting of packets (a broadcast storm), which might lead to network congestion and consequently shut down the network. Secondly, the VLAN implementation ensures that information meant for one department is contained within that department, without unauthorized access from other departments. The ranges of IP addresses for the VLANs are:
• 192.168.1.x/24 range (VLAN 1)
• 192.168.2.x/24 range (VLAN 2)
• 192.168.3.x/24 range (VLAN 3)
• 192.168.4.x/24 range (VLAN 4)
• 192.168.5.x/24 range (VLAN 5)
3.2.0 HEAD QUARTERS AND BRANCH OFFICE VPN CONNECTION
The initiator (employee or dealer) logs into the company's secured VPN interface on his computer by providing a user ID and password or pass-phrase, depending on how the configuration is set up. The log-in is authenticated by the VPN server at his own end, which is hosted either by the branch office or by an external ISP. Upon fulfilment of the log-in requirements, access to the HQ is granted through a secured VPN tunnel which travels through the public Internet cloud. The packet then meets the HQ's router, and then the Boundary Firewall. At the router, Network Address Translation (NAT) is implemented, which masquerades ABC's internal IP addresses from the public. The Boundary Firewall is a stateless hardware appliance firewall; hence it inspects the transiting packet up to the Network layer of the Internet Protocol stack before forwarding it to the Intrusion Detection System/Switch. This piece of hardware screens the frame against laid-down security parameters. If the frame is found to contain malicious code, the IDS triggers an alarm and notifies the IT personnel and employees that an attack is about to take place or has already taken place. On the other hand, if the frame is "clean", it is allowed into the network. The level of access into the network depends on the person who logs into the network. The access is spelt out by the rules on Internal Firewall 1, and this grants the frame passage to the VPN concentrator/AAA server. Internal Firewall 1 is a stateful firewall; in other words, it carries out inspection on the packet up to the Application layer of the Internet Protocol stack. It ensures that the packet meets the standards of the policies set in the firewall before allowing it to travel further into the network.
The VPN concentrator/AAA server analyses the packet by decrypting it to reveal its content while processing Authentication, Accounting and Authorization. This Authentication, Accounting and Authorization of the packet ensures that the employee is an authenticated member of the organization and has the authority to be in the network. The authorized packet then travels to the destination department for which its request was originally made. These departments include the Broadcasting Department, Accounting Department, Sales Department or Customer Relations Department. The Research and Development (R&D) Department, Human Relations (HR) Department and Information Technology (IT) Department are situated in the Network Core, which is highly restricted from the employees. This inner layer is restricted to a few employees who have the authority as defined in the organization's policies. The function of the Active Directory server, which is controlled by the System Administrator from the IT department, is to oversee the entire access rule set, with respect to passwords, log-ins, printing, emailing, and other security and instructional issues initiated by employees and non-employees.
3.3.0 HEAD QUARTER AND BRANCH OFFICE LEASED LINE CONNECTION
The second means of linking to ABC’s HQ office is through a Leased Line. The Leased Line is used for the branch offices whose country shares a boundary with the HQ’s country, e.g. Singapore and Thailand. This dedicated Leased Line is provided by a third-party Leased Line provider. For an employee to have access to the HQ through the Leased Line, he initiates a connection from his office. The frame travels through Boundary Firewall 1, the Router, the CSU/DSU Modem, and then through the E1 Fiber Optic leased line, which spans several kilometers, and then to the Headquarters’ CSU/DSU Modem, Router and Boundary Firewall. The frame meets the External IDS and, if found clean, moves to Internal Firewall 1 and then to the AAA Server, which authenticates the request. After fulfilling the set rules, it is allowed into the internal network. For ABC’s customers, subscribers or dealers who desire access to ABC’s network for the purpose of enquiring about broadcasting services and online subscription, access is limited and routed to the Web, FTP and E-mail servers, which are contained in the External DMZ and regulated by the Boundary Firewall. The main function of the Internal DMZ is to contain and confine the various departments within their regions and limits; it restricts them from accessing parts of the network which they should not have access to. The Internal DMZ is regulated by Internal Firewall 2. Below is the overall network diagram of ABC Broadcasting Corps.
[Figure iii (diagram not reproduced). The labels present in the diagram are: space satellite; DVB/encoder; digital transmission satellite dish; clients/subscribers; public internet cloud; ABC’s branch office with VPN connection; ABC’s teleworker/staff with VPN client software; local ISP/network access server; VPN internet cloud/tunnel; VPN server; internet router; Boundary Firewall 2; leased line operator; fibre optics (E1) leased line; redundant backup leased line; CSU/DSU modems; leased line routers; ABC’s branch with leased line connection; Boundary Firewall 1; External DMZ containing the proxy server, FTP server and e-mail server; External IDS; Internal Firewall 1; VPN concentrator/AAA server; server farm switch with internal web server, central internal e-mail server, Active Directory/DNS server and DHCP server; core switch; Internal Firewall 2; Internal DMZ with Sales Dept (VLAN 1), Customer Relations Dept (VLAN 2), Accounting Dept (VLAN 3) and Broadcasting Dept (VLAN 4); highly secured interior with R&D Dept, Human Relations Dept and IT Dept; ABC Broadcasting Corporation network infrastructure.]

Figure iii: A Detailed Diagram of ABC Broadcasting Corporation’s Network
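The following is an added illustration and is not part of the ABC report or its network: a short Python model of the distinction the design in sections 3.2 and 3.3 relies on, between the stateless Boundary Firewall, which judges each packet on its header fields alone, and the stateful Internal Firewall 1, which keeps a connection table. The 10.10.0.0/16 address space, the simplified "staff may reach web ports" policy and the three sample packets are constructed for the example.

```python
# Added example: stateless vs stateful filtering as used in the HQ design.
# Not taken from the ABC report; addresses, ports and the simplified
# "staff may browse the web" policy are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.10.0.0/16")   # assumed HQ address space
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_inbound(pkt):
    """A packet is inbound when its destination lies in the internal space."""
    return ip_address(pkt.dst) in INTERNAL


def stateless_allow(pkt):
    """Boundary-style decision: a fixed ACL applied to each packet's header
    fields alone. Outbound: staff may reach web ports. Inbound: anything that
    looks like a web reply (source port 80/443) is admitted, because a
    stateless device cannot know whether an internal host ever asked for it."""
    if is_inbound(pkt):
        return pkt.sport in WEB_PORTS
    return pkt.dport in WEB_PORTS


class StatefulFilter:
    """Internal-firewall-style decision: the same ACL for outbound traffic,
    but an inbound packet is admitted only if it answers a flow that was
    recorded in the connection table when an internal host opened it."""

    def __init__(self):
        self.connections = set()   # (internal_ip, internal_port, remote_ip, remote_port)

    def allow(self, pkt):
        if not is_inbound(pkt):
            if pkt.dport not in WEB_PORTS:
                return False
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def compare(packets):
    """Run one packet sequence through both filters; returns a list of
    (label, stateless_decision, stateful_decision) tuples."""
    stateful = StatefulFilter()
    return [(label, stateless_allow(p), stateful.allow(p)) for label, p in packets]


# Constructed sequence: a genuine request and its reply, then an unsolicited
# inbound packet whose source port merely resembles a web reply.
SEQUENCE = [
    ("staff request to a web server", Packet("10.10.1.20", 51000, "198.51.100.7", 443)),
    ("matching reply", Packet("198.51.100.7", 443, "10.10.1.20", 51000)),
    ("unsolicited inbound, source port 443", Packet("203.0.113.5", 443, "10.10.1.30", 8080)),
]

if __name__ == "__main__":
    for label, stateless, stateful in compare(SEQUENCE):
        print(f"{label:40} stateless={stateless!s:5} stateful={stateful}")
```

Running the block shows both filters admitting the request and its reply, and only the stateful filter refusing the third packet. That residual is why the design does not stop at the boundary device but places the IDS and a stateful Internal Firewall 1 behind it.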
CHAPTER FOUR
4.1.0 SYSTEM/SECURITY HARDENING
In this section we shall consider the Network Hardening Policies and the Management Hardening Policies. The Network Hardening Policies address security issues and procedures applicable to ABC Corps’ network, while the Management Hardening Policies address security issues and procedures applicable to the human resources (employees, dealers and customers) managing and running ABC Corps. In this discussion, the term “system” refers to any computer, laptop, server, router, switch or firewall that may connect to the network. System hardening is a systematic process of securing the network by configuring the computers, laptops, servers, routers, switches and firewalls on the network to protect them from unauthorized access, or from being used to compromise the network. System hardening will make the system more secure without affecting its efficiency and reliability. All this hardware produced in the factory and sold to ABC Corporation as an “out of the box” device is usually designed by default with the convenience of the end user in mind; security is secondary. Whichever operating system is used, be it Windows, Solaris or Linux, the default configuration is frequently less secure than the one required by ABC Corp. System hardening is done by enabling the correct set of security features and at the same time disabling features that are not required and that would compromise the network. For example, the initial security configuration could include enabling auditing of specific system events, requiring the use of strong passwords that contain both alphanumeric and symbolic characters, allowing administrative log-in only from the physical console of the system, disabling processes such as file sharing and Web server processes if those functions are not required, and blocking inbound attempts to connect over the network to critical system ports such as the Remote Procedure Call (RPC) port.
In the case of ABC Corp, further security measures to increase protection against hackers include deletion of any operating system files that are not required and could be misused by hackers, and of the source code compilers frequently included on UNIX and Linux systems. By hardening the system, administrators and users can have more confidence in the integrity of the data processed by the system. In addition, the performance of the system will improve from turning off and disabling unnecessary ports, protocols, and services on the host.
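As an added worked example, not taken from the report, the baseline checks named above (network-reachable listening ports outside an allow list, services that are not required, and password complexity) expressed as a small Python audit. The socket listing format, the allow list, the service names and the 12-character minimum length are assumptions made for the example; the listing itself is constructed.

```python
# Added example: a host-hardening baseline check of the kind section 4.1.0
# describes. Not from the ABC report; the listing format, allow list,
# service names and length threshold are assumptions for illustration.
import string

# Constructed sample listing, one listening socket per line:
# "<proto> <bind_address>:<port> <program>"
LISTENING = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:111 rpcbind
tcp 0.0.0.0:80 httpd
udp 0.0.0.0:123 ntpd
tcp 127.0.0.1:25 postfix
"""

# Baseline for this host: only SSH and NTP may be reachable from the network.
ALLOWED_PORTS = {("tcp", 22), ("udp", 123)}
# Services the baseline says this host has no business running.
UNNEEDED_SERVICES = {"smbd", "nfs-server", "httpd", "telnet"}


def parse_sockets(text):
    """Parse the constructed listing into (proto, bind_ip, port, program) tuples."""
    sockets = []
    for line in text.splitlines():
        proto, addr, prog = line.split()
        ip, port = addr.rsplit(":", 1)
        sockets.append((proto, ip, int(port), prog))
    return sockets


def exposed_ports(text):
    """Ports reachable from the network (not bound to loopback) that the
    baseline does not allow, as (proto, port, program)."""
    return [(proto, port, prog)
            for proto, ip, port, prog in parse_sockets(text)
            if not ip.startswith("127.") and (proto, port) not in ALLOWED_PORTS]


def unneeded_running(services):
    """Running services that the baseline says should be disabled."""
    return sorted(set(services) & UNNEEDED_SERVICES)


def password_meets_policy(pw, min_len=12):
    """Policy from the text: alphabetic, numeric and symbolic characters all
    present; the minimum length is an assumption added here."""
    return (len(pw) >= min_len
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def audit(listing, services, admin_password):
    """Return a list of human-readable findings; empty means baseline met."""
    findings = []
    for proto, port, prog in exposed_ports(listing):
        findings.append(f"port {proto}/{port} ({prog}) reachable but not in baseline")
    for svc in unneeded_running(services):
        findings.append(f"service {svc} running but not required")
    if not password_meets_policy(admin_password):
        findings.append("administrative password does not meet complexity policy")
    return findings


if __name__ == "__main__":
    for finding in audit(LISTENING, ["sshd", "httpd", "ntpd"], "Password1"):
        print("FINDING:", finding)
```

On the constructed input the audit reports the RPC port and the web server as exposed, the web server as an unneeded service, and the password as lacking a symbol; a host that exposes only SSH and uses a compliant password yields no findings.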
4.2.0 NETWORK HARDENING MEASURES

4.2.1 BASIC FIREWALL REQUIREMENTS
This section provides best practice security measures for firewall (including Management Console and Policy Server), described in more or less general terms. More detailed background information is provided in the next chapters.
(a). Mandatory Requirements
• Network documentation
• Change control
• Firewall documentation
• Physical security
• Patches
• Backup procedure
• Alert procedure
• Management Protocols

(b). Recommended Requirements
• Testing procedure
• User names/passwords for managing the Firewall
• Management stations that can access and configure the Firewall

(c). Prerequisite Operating System (OS) and Appliance OS
• The OS involved is a non-beta, up-to-date release.
• The OS version is qualified/certified for the Firewall version.
• The OS involved must be ‘hardened’.
• Select the Firewall platform CPU speed and memory size to match the expected network load.
• The Firewall must be delivered, installed, administered, and operated in a manner that maintains security.
• Information cannot flow between the internal (trusted) and external (untrusted) networks unless it passes through the firewall.

Note: (a), (b) and (c) are only applicable to software-based firewalls.

4.2.2 PROCEDURES AND RESPONSIBILITIES
Separation of roles and responsibilities for managing the Firewall and Network is recommended.
• Manages the Operating System – System Administrator.
• Manages the Firewall Software – Firewall Administrator or Network Engineer.
• Manages the accounts on the Firewall – Security Administrator or Helpdesk.
• Scanning of the log files – Security.
• Checks whether the firewall is deployed according to procedures – Auditor or Security.
• Administrators of the Firewall must be informed about the most recent security threats.

4.2.3 FIREWALL ENVIRONMENT

4.2.3.1 GUIDELINES FOR BUILDING FIREWALL ENVIRONMENTS
• Keep it simple (KISS)
• Use devices as they are intended to be used
• Create defense in depth
• Pay attention to internal threats
4.2.3.2 GENERAL SECURITY MEASURES
• Place the Firewall (and other directly connected devices) in a physically secured area.
• No test rule set should ever be tested on a production system.
• Use the firewall system solely as a firewall. The Firewall system runs no other services.
• The host system running the Firewall does not host any public data.
• There will be no trust relations at OS level from the Firewall with other systems.
• Interruption of an individual firewall service may not compromise data or the network. In this case the Firewall must not leave the opportunity for an open connection between the external (untrusted) and internal (trusted) network.
• Ensure that backup procedures exist for the Firewall configuration and the log files.
4.2.3.3 INSTALLATION AND CONFIGURATION
• The system should boot only from the primary hard disk.
• Only system administrators can change the date and/or time in the BIOS.
• The system must be physically labeled with a reference.
• Offline installation and configuration. The Firewall has to be physically disconnected from the external networks during installation or changes in configuration.

4.2.3.4 FIREWALL SOFTWARE
• Only vendor-authorized production release versions of the firewall must be used.
• All configuration parameters must be considered when installing the Firewall for the first time.

4.2.3.5 ACCESS TO THE FIREWALL
• Remote administration is only allowed under strict conditions.
• Login via generic Firewall Administrator accounts must be disabled. Use user-traceable accounts instead.
• Only an authorized administrator may change user data.

4.3.0 TESTING THE FIREWALL
Every configuration must be thoroughly tested.

4.4.0 DEFAULT SETTINGS
• The security policy may only be changed by authorized administrators.
• Enable Network Address Translation wherever possible.
• Only authorized administrators may change date and time.
• Only authorized administrators may specify limits on authentication failures (if Security Servers are used).
• Reserve enough disk space to hold the log file.
4.5.0 RULE SETS

4.5.1 MANAGING THE RULE SETS
• Make the standard rule set visible and remove unused rules. Also ensure that there are no disabled rules within production rule bases.
• Before activating a new or changed rule set, a back-up of the old rule set must be made.
• Keep the rule base simple and short.
• Perform periodic checks on the rule set.
• The rule set is documented properly and stored away in a safe place.
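The rule-set guidance in section 4.5 (managing the rule set above and hardening it in 4.5.2), together with the audit-trail fields of 4.6.0, can be made concrete with the following added Python example, which is not the report’s own material: a first-match filter with an explicit anti-spoofing deny, an implicit deny at the end of the list, logging of every drop except broadcast traffic, audit entries carrying date/time, event type, subject and outcome, and a lint pass that reports rules with no comment and rules that an earlier rule already covers. The interfaces, addresses, the four rules and the sample packets are constructed.

```python
# Added example: a first-match packet-filter rule set with the properties
# section 4.5 asks for, plus an audit log and a rule-set lint. Not from the
# ABC report; interfaces, addresses, rules and packets are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = "10.10.0.0/16"                     # assumed HQ address space
BROADCAST = ip_address("255.255.255.255")


@dataclass
class Rule:
    iface: Optional[str]     # inbound interface the rule applies to; None = any
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dport: Optional[int]     # destination port; None = any
    action: str              # "accept" or "drop"
    comment: str = ""        # section 4.5.2: every rule should carry one

    def matches(self, pkt):
        return ((self.iface is None or self.iface == pkt["iface"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))

    def covered_by(self, other):
        """True when every packet this rule could match is matched by `other`;
        if `other` comes earlier in the list, this rule is unreachable."""
        return ((other.iface is None or other.iface == self.iface)
                and ip_network(self.src).subnet_of(ip_network(other.src))
                and ip_network(self.dst).subnet_of(ip_network(other.dst))
                and (other.dport is None or other.dport == self.dport))


RULES = [
    # Explicit anti-spoofing deny: an internal source address can never
    # legitimately arrive on the outside interface.
    Rule("outside", INTERNAL, "0.0.0.0/0", None, "drop", "anti-spoof: internal source on outside interface"),
    Rule("outside", "0.0.0.0/0", "10.10.5.10/32", 443, "accept", "public web server in external DMZ"),
    Rule("inside", INTERNAL, "0.0.0.0/0", 80, "accept", "staff web browsing"),
    Rule("inside", "10.10.20.0/24", "0.0.0.0/0", 80, "accept"),   # shadowed by the rule above, no comment
]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.audit_log = []   # entries carry the fields listed in section 4.6.0

    def _log_drop(self, pkt, rule_index):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": "access attempt",
            "subject": f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']} on {pkt['iface']}",
            "rule": rule_index,          # None means the implicit deny applied
            "outcome": "failure",
        })

    def decide(self, pkt):
        """Sequential evaluation: the first matching rule decides."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.action == "drop":
                    self._log_drop(pkt, i)
                return rule.action
        # Implicit deny at the end of the list, logged unless it is broadcast.
        if ip_address(pkt["dst"]) != BROADCAST:
            self._log_drop(pkt, None)
        return "drop"


def lint(rules):
    """Periodic check of the rule set: uncommented rules and rules that an
    earlier rule already covers (so they can never match)."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.comment:
            findings.append(f"rule {i}: no comment")
        for j in range(i):
            if rule.covered_by(rules[j]):
                findings.append(f"rule {i}: shadowed by rule {j}")
                break
    return findings


# Constructed packets exercising each path through the rule set.
SAMPLE_PACKETS = [
    ("spoofed internal source from outside", {"iface": "outside", "src": "10.10.3.4", "dst": "10.10.5.10", "dport": 443}),
    ("customer to public web server", {"iface": "outside", "src": "198.51.100.7", "dst": "10.10.5.10", "dport": 443}),
    ("staff browsing", {"iface": "inside", "src": "10.10.20.9", "dst": "198.51.100.7", "dport": 80}),
    ("inside broadcast", {"iface": "inside", "src": "10.10.1.1", "dst": "255.255.255.255", "dport": 67}),
    ("unsolicited inbound to unpublished host", {"iface": "outside", "src": "203.0.113.9", "dst": "10.10.5.11", "dport": 22}),
]


def run_demo():
    """Returns ([(label, decision)], audit_log) for the constructed packets."""
    fw = Firewall(RULES)
    decisions = [(label, fw.decide(pkt)) for label, pkt in SAMPLE_PACKETS]
    return decisions, fw.audit_log


if __name__ == "__main__":
    decisions, log = run_demo()
    for label, decision in decisions:
        print(f"{label:42} {decision}")
    print("logged drops:", len(log), "lint:", lint(RULES))
```

The demo logs two drops (the spoofed packet by rule 0 and the unpublished host by the implicit deny) while the broadcast is dropped silently, and the lint reports rule 3 both as uncommented and as unreachable behind rule 2, which is the kind of unused rule section 4.5.1 says should be removed.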
4.5.2 HARDENING THE RULE SETS
• The rule set shall explicitly deny an information flow from manipulated origins, so-called ‘spoofed packets’.
• Rule order is important. Evaluation of rules is sequential; the first rule that matches is applied to the packet.
• Browse and edit the default rules.
• Block any client access to the Firewall itself except permitted administration flows. Admit only authorized Administrators to access the Firewall itself.
• Log ALL packets marked for drop (including the implicit deny at the end of the rule list).
• Drop broadcast traffic without logging.
• Block the DMZ if appropriate. Grant access to the DMZ based only on specific rules.
• The DMZ may never initiate undesired connections.
• Maximize the performance of the rule set.
• Put comments on every rule.

4.6.0 AUDIT
• Firewalls should be regularly audited.
• Examination of the log files shall be done at least once a month by the holder of the Monitoring account.
• Audit trail properties. The audit trail will contain at least: date and time of the event, type of event, subject identity, and outcome (success or failure) of the event.

4.7.0 MANDATORY REQUIREMENTS
These requirements are mandatory to ensure a secure firewall system.

a. Network Documentation
All network-related documentation must be kept updated and the currency of its content maintained. Network-related documentation should be appropriately identified with date, version number, and commentary as to what changes have been made to the content. All such changes should be managed via a formal change control mechanism. In order to ensure that the Firewall is securing the required section of the network, a detailed diagram of the network may be required. This can be used to ensure that the Firewall is protecting what it should be protecting and will help in identifying any weaknesses that may exist within the Firewall setup.
b. Change Control
Management should document a formal change control policy for amending the Firewall’s configuration. This policy should describe the principles and objectives on which the change control process should operate. Having defined when changes should be performed, the objectives should describe the change requirements (that is, the key standards). Change Control is required to ensure that Administrators of the Firewall are in fact performing the task required. This is implemented to ensure that:
• Changes made reflect the change in policy; and
• The administrators do not perform changes without notification.

4.8.0 CONSEQUENCES OF NON-CONFORMANCE
Non-conformance may result in loss of control over changes to network devices, resulting in unauthorized access into a device and the potential for an unauthorized person to alter security configuration parameters. Personnel installing changes must be authorized to do so and held accountable for the change. If the organization does not identify the authorized individuals who update the Firewall, the risk of unauthorized changes to the configurations increases.

4.8.1 FIREWALL DOCUMENTATION
Firewall documentation should exist and, as a minimum, detail the Firewall policy and the rationale for the inclusion of each individual rule. Documentation should also justify the exclusion of specific rules where their absence impacts on the security of the Firewall and/or the corporate network. In order to design a rule base, it is important to have supporting documentation outlining the policies required by the organization. These should be kept up to date to reflect the actual policies that are in place on the Firewall.

4.8.2 PHYSICAL SECURITY
Ensure that the Firewall and the network cabling related to it are physically secured. Physical access to the Firewall or the related network cabling provides opportunities for an intruder to bypass the Firewall itself.
4.8.3 PATCHES
Ensure that patches to the base operating system (OS), appliance OS and the Firewall are current. For a firewall to be successful, it must operate on a secure OS. If the Firewall is running on an inferior OS, then it is open to attacks. It should be ensured that the OS and the Firewall are secure and that all patches have been applied. Where an appliance-based firewall is concerned, the IOS and the firewall application itself must be duly patched.

4.8.4 BACKUP PROCEDURES
Ensure that backup procedures exist for the Firewall configuration and the log files. The Firewall should be backed up to ensure quick recovery from data loss. The log files are recommended to be archived separately to ensure a permanent record of transactions. The archived log files should be removed from the Firewall, as they will slowly consume all available space on the system and potentially cause failures. There should be sufficient space for the log files to reduce the risk that the partition will be deliberately filled by an attacker.

4.8.5 ALERT PROCEDURE
If Alerts are enabled, then there should be a documented procedure for handling the alert.
4.8.6 MANAGEMENT PROTOCOLS
Many environments are perfectly content with managing their network by the easiest and quickest means available. Many management applications, such as remote shell (RSH) or telnet, send all details between the management station and the managed device in plain text. This allows anyone who is in the same VLAN (either manually configured or through a compromised connection) to view all of your commands and parameters with a simple protocol analyzer. For this reason, you should use secure and efficient management protocols to connect to your enterprise devices.

4.8.7 RECOMMENDED REQUIREMENTS
These requirements are strongly recommended; however, it is recognized that they are not possible in all instances. Failure to comply with these requirements may degrade the security of the firewall.

4.8.8 TESTING PROCEDURES
It is recommended that procedures exist for testing the Firewall before the actual changes are installed on the Firewall. If the Firewall policy is altered then there needs to be a process whereby the new policy is tested before it is ‘burnt’ into the actual firewall. This is done to ensure that the changes to the Firewall do not have a negative effect on its operation.

4.8.9.0 USER NAMES / PASSWORDS
An operating system (OS) is not considered secure when unauthorized people can get physical access to the computer. This includes the ability to obtain usernames and passwords (using tools like NTFSdos and L0phtcrack), and if remote-control tools (e.g. PC Anywhere) are being used for managing the computer, others may watch the local console monitor to obtain and possibly also interrupt the remote management session. Only the Network Administrator should have access to the Firewall. This includes physical access, local logon and remote firewall logon. OS remote access should not be allowed. Hard-to-guess usernames and passwords should be used. Each user with read or read/write access to the Firewall configuration should be identified by a unique username.
4.8.9.1 ACCESS AND CONFIGURE
During installation you must set the DNS host names and/or IP addresses of those Management Stations allowed to access the Firewall. We recommend using IP addresses instead of DNS host names, as relying on host names may increase the risk of spoofed-DNS attacks against the Firewall management ports.
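Added example, not from the report: a Python check of a Cisco IOS running-config against the points in 4.8.6 and 4.8.9.1, namely that the VTY lines accept SSH only and not telnet, that an access-class limits which management stations may connect and that the referenced ACL does not permit any source, that the non-reversible enable secret is used instead of enable password, and that the clear-text HTTP management server is off. Both configurations below are constructed; the IOS keywords are the standard ones, and the secret hash in the hardened configuration is a placeholder.

```python
# Added example: lint a Cisco IOS running-config for the management-access
# points of sections 4.8.6 and 4.8.9.1. Not from the ABC report; both
# configurations are constructed and the enable-secret hash is a placeholder.
import re

WEAK_CONFIG = """\
hostname hq-edge-router
enable password cisco123
ip http server
access-list 10 permit 192.0.2.10
access-list 10 deny any
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
"""

HARDENED_CONFIG = """\
hostname hq-edge-router
enable secret 5 <hash-placeholder>
no ip http server
ip ssh version 2
access-list 10 permit 192.0.2.10
access-list 10 deny any
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
"""


def parse_config(text):
    """Split the config into global commands and per-'line ...' blocks; an
    indented command belongs to the most recent 'line' header."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks


def check_management_access(text):
    """Return a list of findings; an empty list means the config meets the points checked."""
    global_cmds, blocks = parse_config(text)
    findings = []

    # Collect numbered ACL entries so access-class references can be validated.
    acls = {}
    for cmd in global_cmds:
        m = re.match(r"access-list (\d+) (permit|deny) (.*)", cmd)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))

    for name, cmds in blocks.items():
        if not name.startswith("line vty"):
            continue
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append(f"{name}: clear-text telnet management possible; use 'transport input ssh'")
        access_class = next((c for c in cmds if c.startswith("access-class")), None)
        if access_class is None:
            findings.append(f"{name}: no access-class; any host may reach the management port")
        else:
            number = access_class.split()[1]
            entries = acls.get(number)
            if not entries:
                findings.append(f"{name}: access-class {number} references an ACL that does not exist")
            elif any(action == "permit" and target == "any" for action, target in entries):
                findings.append(f"{name}: access-class {number} permits any source")

    if any(cmd.startswith("enable password") for cmd in global_cmds):
        findings.append("'enable password' stores a reversible secret; use 'enable secret'")
    if "ip http server" in global_cmds:
        findings.append("clear-text HTTP management enabled; use 'no ip http server'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", check_management_access(cfg) or "no findings")
```

The weak configuration produces four findings (telnet and no access-class on vty 0 4, the reversible enable password, and the HTTP server); the hardened one produces none. Restricting the access-class ACL to the management stations’ IP addresses is the IOS form of the recommendation in 4.8.9.1.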
4.9.0 OPERATING SYSTEMS (OS) / CISCO IOS REQUIREMENTS

4.9.1 NON-BETA AND UP-TO-DATE
All versions of the OS shall be kept up-to-date with service packs or (security) patches. No beta versions will be used in a production environment.

4.9.2 QUALIFIED FOR THE FIREWALL VERSION
It is important to keep the OS and patches at a level supported by the Firewall. Sometimes the latest version of the OS is not yet qualified for, or even working correctly with, the expected firewall version. Testing should be performed before applying to production.
4.9.3 HARDENED
Out-of-the-box OS are normally not prepared to perform security services. Measures must be taken to tighten the security of these OS; this is called 'hardening'. Refer to the appropriate Operational Security Guideline (OSG) to harden the OS.
4.9.4 CAPACITY MATCHES THE EXPECTED NETWORK LOAD
As part of Capacity Management, the CPU and memory capacity should be sufficient to endure peak moments on the network, to protect against some denial-of-service (DoS) attacks and to support specific features such as cryptographic techniques or content filtering.

4.9.5 INSTALLED, ADMINISTERED, AND OPERATED IN A MANNER THAT MAINTAINS SECURITY
The systems that will run the Firewall software must be built from scratch. Hard disks must be completely partitioned and formatted unconditionally (destructively). This also means that the OS concerned must be installed from scratch. This is important to ensure that the foundation of the system is trusted.
4.9.6 NO BACKDOORS When the network infrastructure is well designed, no backdoors (like through modems or RAS servers) to systems should be available in the protected network which means that information cannot flow among the internal and external networks unless it passes through the Firewall. When deviating from the Security Policy this must be approved by IT Security and Risk Management or Senior Management.
4.9.7 CHANGE MANAGEMENT (CM) PROCEDURE
A procedure concerning Change Management (CM) for the Operating System (OS) involved and the Firewall is in place. A CM procedure enforces changes to be done in a standard and auditable way. Control over the perimeter of the networks is very important. At all times it must be clear what the status of this perimeter is (before or after the change has been made).

4.9.8 SEPARATION OF ROLES FOR MANAGING
Several roles are needed for managing the firewall in a secure and auditable way. The following roles are determined:
• Who manages the Operating System – System Administrator.
• Who manages the Firewall Software – Firewall Administrator or Network Engineer.
• Who manages the accounts on the Firewall – Security Administrator or Helpdesk.
• Scanning of the log files – Security.
• Who checks whether the firewall is deployed according to procedures – Auditor or Security.
It is recommended to have these roles separated from each other. In this way all actions performed on the OS and firewall can be traced back to a single person.

4.9.9 BE INFORMED OF RECENT ATTACKS
The secure firewall of today may not be secure tomorrow. It is important to react immediately to alerts and problems or attacks in the field. Administrators of the Firewall must be informed about the most recent attacks. This implies taking a subscription to an alerting service or mailing list.
CHAPTER FIVE

5.1.0 GUIDELINES FOR BUILDING FIREWALL ENVIRONMENTS

5.1.1 KEEP IT SIMPLE (KISS)
The KISS principle is something that should be first and foremost in the mind of a firewall environment designer. Essentially, the simpler the firewall solution, the more secure it is likely to be and the easier it will be to manage. Complexity in design and function often leads to errors in configuration.

5.1.2 USE DEVICES AS THEY WERE INTENDED TO BE USED
Using network devices as they were primarily intended, in this context, means do not make firewalls out of equipment not meant for firewall use. For example: routers are meant for routing. Their packet filtering capability is not their primary purpose, and the distinction should never be lost on those designing a firewall implementation. Depending on routers alone to provide firewall capability is dangerous; they can be misconfigured easily. Network switches are another example. When they are used to switch firewall traffic outside of a firewall environment, they are susceptible to attacks that could impede switch functionality. In many cases, hybrid firewalls and firewall appliances are better choices simply because they are optimized to be firewalls first and foremost.

5.1.3 CREATE DEFENSE IN DEPTH
Defense in depth involves creating layers of security as opposed to one layer. The infamous ‘Maginot line’ is, in hindsight, an excellent example of what not to do in firewall environments: place all your protection at the Firewall. Where several firewalls can be used, they should be used. Where routers can be configured to provide some access control or filtering, they should be. If a server operating system can provide some firewall capability, use it.
5.1.4 PAY ATTENTION TO INTERNAL THREATS
Lastly, attention to external threats to the exclusion of internal threats leaves the network wide open to attack from the inside. While it may be difficult to think of your work colleagues as posing a potential threat, consider that an intruder who somehow gets past the Firewall could then have free rein to attack internal or external systems. Therefore, important systems such as internal web and email servers or financial systems should be placed behind internal firewalls or DMZ environments.

5.2.0 DMZ NETWORKS
The most common firewall environment implementation is known as a DMZ, or Demilitarized Zone, network. A DMZ network is created out of a network connecting two firewalls (i.e. when two or more firewalls exist in an environment, the networks connecting the Firewalls can be DMZ networks). DMZ networks serve as attachment points for computer systems and resources that need to be accessible either externally or internally, but that should not be placed on internal protected networks. Internally accessible servers can be located on the internal DMZ located between the two firewalls; the Firewalls could provide protection and access control for the servers, protecting them from both external and internal attack. This environment is represented in Figure 5.1.
FIG IV: THE DEMILITARIZED ZONE (DMZ)
DMZ networks are typically implemented as network switches that sit between two firewalls or between a firewall and a boundary router. Given the special nature of DMZ networks, they typically serve as attachment points for systems that require or foster external connectivity.
5.3.0 VIRTUAL PRIVATE NETWORKS (VPN)
Another valuable use for firewalls is the enablement of VPNs. A VPN is constructed on top of existing network media by using additional protocols and, usually, encryption. If the VPN is encrypted, it can be used as an extension of the protected network. In most cases, VPNs are used to provide secure network links across networks that are not trusted. VPN technology is often used to create secure networks between organizations or branches, as shown in Figure 5.3.
FIG V: VIRTUAL PRIVATE NETWORK (VPN)
On the protocol level, there are several possible choices for a modern VPN. The first and perhaps the most currently used is a set of protocols known as IPSec (Internet Protocol Security). The IPSec standards consist of IPv6 security features ported over to IPv4, the version of IP in use today on the Internet. Other current VPN protocols include PPTP (Point-to-Point Tunneling Protocol), a Microsoft standard, and L2TP (Layer 2 Tunneling Protocol).

5.3.1 PLACEMENT OF VPN SERVERS
Placing the VPN server at the Firewall is the best location for this function, and in most cases the firewall will have an integrated VPN function. However, in certain cases it is NOT recommended to place the VPN server behind the Firewall, because the VPN traffic will be encrypted and the Firewall is then unable to inspect the traffic, inbound or outbound, and perform access control, logging, scanning for viruses, etc.

5.3.2 VPN ARCHITECTURES
Although VPNs are designed to support confidentiality and integrity, they generally do not improve availability, the ability of authorized users to access systems as needed. In fact, many VPN implementations actually tend to decrease availability somewhat because they add more components and services to the existing network infrastructure. This is highly dependent upon the chosen VPN architecture model and the details of the implementation. The following are the three (3) primary VPN architectures:

5.3.2.1 HOST-TO-HOST
In this model, IPSec connections are created as needed for each individual VPN user. Users’ hosts have been configured to act as IPSec clients with the IPSec server. When a user wishes to use resources on the IPSec server, the user’s host initiates communications with the IPSec server. The user is asked by the IPSec server to authenticate before the connection can be established. The client and server exchange information, and if the authentication is successful, the IPSec connection is established. The user can now use the server, and the network traffic between the user’s host and the server will be protected by the IPSec connection.

5.3.2.2 HOST-TO-GATEWAY
In this model, IPSec connections are created as needed for each individual VPN user. Remote users’ hosts have been configured to act as IPSec clients with the organization’s IPSec gateway. When a remote user wishes to use computing resources through the VPN, the host initiates communications with the VPN gateway. The user is typically asked by the VPN gateway to authenticate before the connection can be established. The VPN gateway can perform the authentication itself or consult a dedicated authentication server. The client and gateway exchange information, and the IPSec connection is established.
The user user can now use the organi organizat zation ionss computing resources, and the network traffic between the user’s host and the VPN gateway will be protec protected ted by the IPSec IPSec connecti connection. on. Traf Traffic fic betwee between n the user user and system systemss not contro controlle lled d by the organization can also be routed through the VPN gateway; this allows IPSec protection to be applied to this traffic as well if desired. 5.3.2 5.3 .2.3 .3 GATEWA GATEWAY-TO-TO-GATEW GATEWA AY This model is relatively simple to understand. To facilitate VPN connections, one of the VPN gateways issues a request to the other to establish an IPSec connection. The two VPN gateways exchange information with each other and create an IPSec connection. Routing on each network is configured so that as hosts on one network need to communicate with hosts on the other network, their network traffic is automatically routed through the IPSec connection, protecting it appropriately. A single single IPSec IPSec connection connection establishing establishing a tunnel between the gateways gateways can support support all communications communications between the two networks, or multiple IPSec connections can each protect different types or classes of traffic. 5.4.0 INTRANET An Inte Intern rnal al Netw Networ ork k (int (intra ranet net)) is a netwo network rk that that emplo employs ys the the same same types types of serv servic ices es,, applic applicati ations ons,, and protoc protocols ols presen presentt in an Intern Internet et implem implement entati ation, on, without without involv involving ing extern external al connectivity. Within intranet, many smaller intranets can be created by the use of internal firewalls. Since intranet utilizes the same protocols and application services present on the Internet, many of the security issues inherent in Internet implementations are also present in intranet implementations. 
Therefore, intranets are typically implemented behind firewall environments.
5.5.0 INTRUSION DETECTION SYSTEM (IDS)
IDS are designed to notify of, and in some cases prevent, unauthorized access to a networked system or resource. Some IDS are also capable of interacting with firewalls in order to bring a reactive element to the provision of network security services. Firewalls that interact with IDS are capable of responding to perceived remote threats automatically, without the delays associated with a human response. For example, if an IDS detects a denial-of-service (DoS) attack in progress, it can instruct certain firewalls to automatically block the source of the attack. The caveat is that an attacker who forges the source address of the attack traffic can turn this automatic response against legitimate addresses, so automatically inserted blocks should be narrowly scoped and time-limited. There are two (2) different types of IDS generally available:
5.5.1 HOST-BASED IDS
The first type, Host-Based IDS, must be installed on each individual computer system that is to be protected. A Host-Based IDS is very closely integrated with the operating system (OS) it protects, so each different OS will have a different Host-Based IDS module. Host-Based IDS are therefore usually able to detect threats at a high level of granularity. Weaknesses associated with Host-Based IDS include:
• Often, Host-Based IDS products have a negative impact on system performance. The larger the number of parameters examined by the IDS, the greater the impact on system performance.
• Host-Based IDS do not always notice network-based attacks such as denial of service (DoS).
• Many Host-Based IDS have a negative impact on OS stability.

5.5.2 NETWORK-BASED IDS
The second type of IDS is Network-Based IDS. Network-Based IDS are implemented as protocol analyzers with intelligence. These devices monitor network traffic that passes by on the wire, looking for attack signatures that indicate certain types of attacks are in progress. Attack signatures are simply strings of characters (byte patterns) that are often present during an attack. A Network-Based IDS is normally more economical to deploy than Host-Based IDS because a single sensor can monitor multiple systems and resources. Issues associated with Network-Based IDS include:
• Many Network-Based IDS miss attack signatures that are spread across multiple packets. Most Network-Based IDS do not have the capability of reassembling all fragmented network traffic, and this can be used to bypass them. This shortcoming can be addressed through implementation of a network traffic analysis system, e.g. Niksun or Mazu Networks products.
• Network-Based IDS rely on promiscuous-mode network interfaces to examine all traffic on a given wire. If proper network security guidelines are followed (switches rather than hubs, see 5.7), a Network-Based IDS cannot function without special switch configurations (i.e. port mirroring, etc.). Many network switches lack such functionality.
• Most Network-Based IDS can be detected using tools designed to locate/identify promiscuous-mode interfaces. Once the promiscuous-mode interface has been detected, it is not normally difficult to crash the IDS or to flood it with useless network traffic. To overcome this problem, IPS is recommended.
• Many IDS lack the functionality necessary to identify attacks that have no predictable signature (including many network-layer attacks). To overcome this problem, use of IPS is recommended.
• In the context of denial-of-service (DoS) attacks, many IDS are disabled by the very event they are supposed to monitor.

5.6.0 INTRUSION PREVENTION SYSTEM (IPS)
IPS have many advantages over their legacy counterparts, IDS. One advantage is that they are designed to sit in-line with traffic flows and prevent attacks in real time. In addition, most IPS solutions have the ability to decode layer 7 protocols like HTTP, FTP, and SMTP, which provides greater awareness.
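The first weakness listed under 5.5.2, signatures spread across several packets, applies equally to an in-line IPS engine: whether the sensor alerts or blocks, it can only act on what it actually sees as one unit. The following Python script is an added example, not code from the original report or from any IDS product. It compares a sensor that matches each TCP segment in isolation with one that reassembles the stream first; the signatures, sequence numbers and HTTP request are constructed for the illustration.

```python
"""Signature matching per packet versus over the reassembled TCP stream.

Added example for sections 5.5.2 and 5.6.0 (not code from the original report).
The signature strings, sequence numbers and HTTP request are constructed.
"""
from dataclasses import dataclass

# Constructed example signatures: byte patterns a sensor would look for.
SIGNATURES = {
    "path-traversal": b"../../../../etc/passwd",
    "sql-tautology": b"' OR 1=1--",
}


@dataclass(frozen=True)
class Segment:
    """One TCP segment: starting sequence number and payload bytes."""
    seq: int
    payload: bytes


def split_stream(base_seq, payload, cut_points):
    """Cut one payload into segments at the given byte offsets (constructed traffic)."""
    segments, start = [], 0
    for cut in list(cut_points) + [len(payload)]:
        segments.append(Segment(base_seq + start, payload[start:cut]))
        start = cut
    return segments


def per_packet_alerts(segments, signatures=SIGNATURES):
    """Naive NIDS: inspect each segment's payload in isolation.
    A signature that straddles a segment boundary is never seen whole."""
    hits = {name for seg in segments
            for name, sig in signatures.items() if sig in seg.payload}
    return sorted(hits)


def reassemble(segments):
    """Order segments by sequence number and concatenate them.
    Gaps and overlaps raise, so the sensor never matches across missing data
    and never silently picks one of two conflicting overlapping copies."""
    stream, expected = b"", None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is not None and seg.seq != expected:
            raise ValueError(f"gap or overlap at seq {seg.seq}, expected {expected}")
        stream += seg.payload
        expected = seg.seq + len(seg.payload)
    return stream


def stream_alerts(segments, signatures=SIGNATURES):
    """Stream-aware NIDS: match against the reassembled byte stream."""
    data = reassemble(segments)
    return sorted(name for name, sig in signatures.items() if sig in data)


# Constructed request carrying the traversal pattern, cut so that the pattern
# straddles two segments which also arrive out of order.
REQUEST = (b"GET /download?file=../../../../etc/passwd HTTP/1.0\r\n"
           b"Host: www.example.com\r\n\r\n")
EVASIVE = list(reversed(split_stream(1000, REQUEST, [30])))
PLAIN = split_stream(1000, REQUEST, [])          # whole request in one segment


def compare(segments):
    """Return what each style of sensor reports for the same traffic."""
    return {"per_packet": per_packet_alerts(segments),
            "stream": stream_alerts(segments)}


if __name__ == "__main__":
    print("evasive:", compare(EVASIVE))   # per-packet sensor misses, stream sensor catches
    print("plain:  ", compare(PLAIN))
```

The same principle governs IP fragments: a sensor that does not reassemble fragments in the same way the destination host does can be bypassed, and one that reassembles without checking for gaps and overlaps can be made to see a different byte stream than the host receives.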
When deploying NIPS, however, consideration should be given to whether the traffic on the network segment is encrypted, as many products are unable to inspect such traffic. There are two (2) different types of IPS generally available:

5.6.1 HOST-BASED IPS (HIPS)
A HIPS is one where the intrusion prevention application is resident on the specific host (e.g. a PC) that it protects. The HIPS relies on agents installed directly on the system being protected. It binds closely with the operating system (OS) kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them. It may also monitor data streams and the environment specific to a particular application in order to protect that application from generic attacks.

5.6.2 NETWORK-BASED IPS (NIPS)
A NIPS is one where the IPS application/hardware, and any action taken to prevent an intrusion on specific network host(s), resides on a separate device with its own IP address on the network. NIPS are designed to analyze, detect, and report on security-related events and, based on their configuration or security policy, to drop malicious traffic. A NIPS has at least two network interfaces, one designated as internal and one as external. As packets appear at either interface they are passed to the detection engine, at which point the IPS device functions much as any IDS would in determining whether or not the packet being examined poses a threat. Because a NIPS is in-line, a false positive blocks legitimate traffic and a sensor failure can interrupt the segment, so its fail-open or fail-closed behaviour must be decided explicitly.

5.7 INFRASTRUCTURE COMPONENTS
5.7.1 HUBS
The simplest of these connection devices is the network concentrator, or hub. Hubs are devices that function at Layer 1 of the OSI model. In other words, there is no real intelligence in network hubs; they exist only to provide physical attachment points for networked systems or resources.
There is a weakness associated with network hubs: they allow any device connected to them to see the network traffic destined for, or originating from, any other device connected to the same hub. For this reason, network hubs should not be used at all in the network, including when building the DMZ networks or firewall environments.

5.7.2 SWITCHES
A more advanced infrastructure device is the network switch. Network switches are Layer 2 devices, which means that they employ basic intelligence in providing attachment points for networked systems or components. Network switches are essentially multi-port bridges, so they are also capable of delivering the full network bandwidth to each physical port. Another effect of the bridging nature of switches is that systems connected to a switch cannot normally eavesdrop on each other. These anti-eavesdrop capabilities inherent in network switches make them useful for implementing DMZ networks and firewall environments. It is important to note that switches should not be used to provide any firewall or traffic isolation capability outside of a firewall environment: denial of service-like attacks that overflow the switch's address table can cause it to flood connected ports with packets, and ARP spoofing can redirect traffic within a segment, so the anti-eavesdrop property is a convenience, not a security boundary.
CHAPTER SIX
6.1.0 GENERAL SECURITY MEASURES
6.1.1 PLACE IN A PHYSICALLY SECURED AREA
Physical access to a firewall can always lead to compromise of the system, and it must therefore be secured against unauthorized physical access. The same rule applies to devices such as local consoles that are directly connected to the Firewall. It is recommended that administrative tasks via the Management Console (GUI) be done from dedicated workstations. These workstations should be placed in a secure office environment. Although general office space is considered to be secure, these dedicated workstations must be placed in a room with an extra layer of access control (i.e. an access card or a physical lock). If remote management is required, restricted access (i.e. only from selected IP addresses) is recommended.

6.1.2 NO TESTS ON A PRODUCTION SYSTEM
Testing rule sets is very important, but activating a corrupt rule set during normal operation is a security risk. Tests should be done on a system dedicated to testing. No test rule set should ever be tried on a production system.

6.1.3 SYSTEM SOLELY AS A FIREWALL
A firewall is a complicated piece of software. The manufacturer has developed it to be able to perform many additional functions like intrusion detection (IDS) or proxy/gateway. Nevertheless, functions like IDS or application-level proxy should be implemented on separate and dedicated systems. The routing function can be configured as static or dynamic; only static routing to the next router should be used. The Firewall may also be used for bandwidth allocation; bandwidth allocation, however, is better performed on routers where possible.

6.1.4 RUN NO OTHER SERVICES
Services such as web servers should not run on the system, as this might give an attacker the possibility to compromise the system as a whole.
All unnecessary daemons should therefore be removed from the system (e.g. telnetd, ftpd, etc.). Another scenario: tracing the attacker during or after an attack (by doing a reverse DNS lookup, for example) must not be done from the Firewall system, since the query goes to name servers the attacker may control and so reveals the Firewall's interest. Services not directly related to the Firewall should be disabled.

6.1.5 HOST NO PUBLIC DATA
The system running the Firewall does not host any public data. There is no reason for normal users to connect to the Firewall system to obtain any data.

6.1.6 NO AUTOMATIC TRUSTED RELATIONS ON OS LEVEL
Trusted relations imply that systems may, for example, log in to the Firewall with a pre-defined authentication, immediately receiving the rights that belong to that specific account. Authentication and authorization must be done by every system individually.
6.1.7 INTERRUPTION WILL NOT COMPROMISE DATA OR NETWORK
Interruption of firewall service may not compromise data or network. Upon initial start-up of the firewall or recovery from an interruption in firewall service, the firewall must not compromise its resources or those of any connected network; in practice it must fail closed, passing no traffic until the security policy has been loaded.

6.1.8 BACKUP AND RECOVERY PROCEDURES
Ensure that backup procedures exist for the Firewall configuration and the log files. The Firewall configuration should be backed up to ensure quick recovery from data loss. The log files should be archived separately to ensure a permanent record of transactions. The archived log files should be removed from the Firewall, as they will slowly consume all available space on the system and potentially cause system failures. There should be sufficient space for the log files to reduce the risk that the partition will be deliberately filled by an attacker.

6.2.0 INSTALLATION AND CONFIGURATION
6.2.1 ENABLE NETWORK TIME PROTOCOL (NTP)
If possible, enable Network Time Protocol (NTP) to synchronize time and date. Only an administrator can manually change the system date and/or time. Time and date are important for stamping events that are logged and for correlating events across the security infrastructure. Ensure NTP updates are only possible via trusted time servers within the internal network. If possible, NTP should be enabled with symmetric-key authentication (MD5 in the NTP implementations of the time; use a stronger digest where the implementation supports it). If date and time have to be set manually, it is important that only authorized personnel can change the date and time of the system. This function must be protected by a password.

6.2.2 PHYSICALLY LABELED (INVENTORY)
The system must be physically labeled with a reference. When problems with the Firewall occur it is important to know the exact configuration of the complete system and the physical location of the hardware. For this purpose, make a configuration list of both software and hardware.
Store the information in a safe place, but within reach.

6.2.3 OFFLINE INSTALLATION AND CONFIGURATION
The Firewall has to be physically disconnected from the external networks during installation or changes in configuration.

6.3.0 FIREWALL SOFTWARE
6.3.1 VENDOR-AUTHORIZED PRODUCTION RELEASE VERSIONS USED
All versions of firewall software must be the official production versions. No beta versions are allowed, as they may not be stable and will not have been tested in depth.

6.3.2 CONFIGURATION PARAMETERS
There are many settings that are important. By default many parameters are set to ON, although that might not be correct in some cases. Therefore, all configuration parameters must be considered when installing the Firewall for the first time. For example:
• SYNDefender: this set of parameters protects against SYN attacks (like SYN flooding). Three defence scenarios are possible; the firewall documentation gives a detailed explanation and advice on how to handle them in the event of an attack.
• Security Server: the use of Security Servers should be restricted to the minimum.
• VoIP: Voice over IP should be switched off.
• VPN-1 Net: if no VPN community is defined, then block all connections.
6.4.0 ACCESS TO THE FIREWALL
6.4.1 REMOTE ADMINISTRATION
Administrators are allowed to manage firewalls remotely. However, additional security settings should be implemented:
• Using a dedicated management LAN, accessing the Firewall via a discrete network adapter;
• Using network encryption (SSH or IPSEC) between the Firewall and the administrative systems (i.e. workstation or server);
• Implementing IP filtering on the discrete network adapter, allowing access only from dedicated IP addresses and using only management protocols;
• Maintaining a list of allowed workstations and their IP addresses, and a list of the people who may use these dedicated workstations.

6.4.2 LOGIN VIA THE ADMINISTRATOR OR ROOT ACCOUNTS
Login via the Administrator or root accounts must be disabled. These accounts are often the targets of attacks. Every administrator should use his or her own (unique and traceable) username and password combination, so that every privileged action can be traced to an individual. Passwords should match IT Security password policies. Normal user accounts are not allowed to exist on a firewall.

6.4.3 DEFINE ACCESS TO THE SECURITY DATABASES
A Firewall may contain many security databases (i.e. object database, user database, LDAP user database, security policy/rules, log database, etc.), and access to all these databases should be restricted to authorized administrators only.

6.4.4 ONLY AUTHORIZED ADMINISTRATORS MAY CHANGE USER DATA
The Firewall software shall restrict the ability to query, modify, delete, and assign user attributes such as personal identification and account-id to administrators.

6.5.0 TESTING THE FIREWALL
6.5.1 EVERY CONFIGURATION MUST BE THOROUGHLY TESTED
It is important to test the Firewall. The objective is to prove that the system is stable, acts as predicted and will stand up to known attacks. Testing should be done in a methodical way. It includes the following aspects:
• The test documentation shall consist of test plans, test procedure descriptions, expected test results and actual test results.
• The test plans shall identify the test details and test scenarios.
• The expected test results shall show the anticipated outputs from a successful execution of the tests.
• There will be a formal transfer of the firewall from test to production state.
CHAPTER SEVEN
7.1.0 GENERAL SETTINGS AND DEFAULTS
7.1.1 SECURITY POLICY
By default, the security policy rules deny all inbound and outbound information flows. Only an authorized administrator has the authority to change the security policy rules.

7.1.2 ENABLE NETWORK ADDRESS TRANSLATION (NAT)
Although the use of private IP addresses is a part of the network architecture, the use of NAT by the Firewall is strongly recommended. Use of private ranges hides the structure of the inner network from the outer world (e.g. the Internet). Private ranges will never be forwarded by the routing systems on the Internet, which adds a further obstacle for an attacker, although NAT is not a substitute for the filtering rules. These are the ranges of private IP addresses (RFC 1918):
• 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
• 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
• 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
The following ranges are not private addresses but are reserved, and must likewise never appear as a source address on the external interface:
• 127.0.0.0 - 127.255.255.255 (loopback)
• 192.0.2.0 - 192.0.2.255 (documentation and example addresses, TEST-NET-1)
• 224.0.0.0 - 239.255.255.255 (multicast) and 240.0.0.0 - 255.255.255.255 (reserved, including the limited broadcast address 255.255.255.255)
Note: If the above IP ranges are in use within the ABC BROADCASTING CORPORATION internal network, the routing configuration and anti-spoofing rules on the Firewall device (especially one deployed internally to ABC BROADCASTING CORPORATION) must be applied with care.
Note: If the Firewall has the facility to use 'Automatic NAT', this is not a function that should be used. NAT should always be manually configured in order to maintain better control of the configuration.
Note: Whenever possible, NAT should be performed by a separate device such as a dedicated router. This improves the performance of the Firewall, reduces rule set management and allows the Firewall to focus on traffic control.

7.1.3 SPECIFY LIMITS OF AUTHENTICATION FAILURES
Only authorized administrators may specify limits of authentication failures. The Firewall software shall restrict the number of consecutive authentication failures for administrators to three (3) (recommended), after which the account is locked. A procedure must be in place to handle this event and unlock access to the Firewall.

7.1.4 RESERVE ENOUGH DISK SPACE TO HOLD THE LOG FILES
Make an estimate of the space required by the logging function of the rules in the rule set. Information must be saved for several days to facilitate follow-up of attacks and breaches of security. A minimum period of 90 days for storing log files is recommended.
CHAPTER EIGHT
8.1.0 MANAGING RULE SETS
8.1.1 REMOVE UNUSED RULES
Make the standard rule set visible and remove unused rules. Immediately after installation, the firewall will enforce a standard rule set. This rule set permits certain protocols to pass the Firewall. This rule set is not visible by default. Inspect this rule set thoroughly and remove the unused rules, or better remove them all, as they might give unexpected behaviour to the Firewall when adding other rules.

8.1.2 BACK UP THE OLD RULE SET
Before activating a new or changed rule set, a backup of the old rule set must be made. It is crucial that the Administrator can roll back immediately to the old rule set if the new one is not working correctly. Of course, one should test the new rule set properly. Note: Sometimes the objects referenced by the rules are affected by the changes, so rollback of these objects is also very important.

8.1.3 KEEP THE RULE BASE SIMPLE AND SHORT
An increasing number of rules can lead to an ineffective or wrongly configured rule set. It is recommended to specify no more than 30 rules per rule set. More than 50 rules make a rule set incomprehensible; instead one should reconsider the architecture of the network(s) involved. The basic steps involved in creating a firewall policy are:
• Identification of network applications;
• Identification of vulnerabilities associated with the applications;
• Cost-benefit analysis of methods for securing the applications;
• If required, conduct a risk analysis, using the Traffic Rule Matrix as a guide that shows the protection method for each application, before creating firewall rules; and
• Creation of the firewall rule set based on the applications' Traffic Rule Matrix, IT Security Policies and Standards, and best practices.

8.1.4 PERFORM PERIODIC CHECKS ON THE RULE SET
Some rules can have a limited lifetime. Therefore, a rule set should be checked on a regular basis and adjusted to reflect the current conditions.
For those temporary rules, a remark should be made in the "COMMENT" field as to when the rule shall be removed.

8.1.5 DOCUMENT AND STORE THE RULE SET
The rule set is documented properly and stored away in a safe place. Whenever there are problems with the Firewall, it is important that the rule set, which might be part of the problem, is available and understandable. Documentation per rule should at least include:
• Name of the firewall administrator and name of the firewall system;
• Entity requesting the rule and the reason;
• Description of the rule: source, destination, protocol and action;
• Name and colour conventions of the firewall objects used;
• Expected lifetime of the rule.
Note: The rule set is considered to be critical data. The document should also be part of the Network Operations Standard Operating Procedure (SOP).
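The periodic check of 8.1.4 and the per-rule documentation of 8.1.5 can be partly automated once the rule set is exported in a machine-readable form. The following Python script is an added example, not code from the original report or from any firewall product: it checks the rule count against the 30-rule recommendation, flags temporary rules whose recorded expiry date has passed, flags rules missing the requester or reason, and finds rules that an earlier rule already covers completely (with first-match semantics such a rule can never be reached). The rule records, the 'expires' field name and the review date are constructed for the illustration.

```python
"""Static checks on a documented rule base (sections 8.1.3, 8.1.4, 8.1.5, 8.2.3).

Added example, not code from the original report. The rule records, the
'expires' field and the review date are constructed for illustration.
"""
import ipaddress
from datetime import date

MAX_RULES = 30                          # 8.1.3: beyond this, reconsider the design
REQUIRED_DOC = ("requester", "reason")  # 8.1.5: per-rule documentation that must exist
REVIEW_DATE = date(2009, 5, 11)         # constructed date of this review


def as_network(spec):
    """'any' becomes None (wildcard); anything else must parse as an IP network."""
    return None if spec == "any" else ipaddress.ip_network(spec)


def covers(outer, inner):
    """True if every address matched by 'inner' is also matched by 'outer'."""
    if outer is None:
        return True
    return inner is not None and inner.subnet_of(outer)


def service_covers(outer, inner):
    return outer == "any" or outer == inner


def shadowed(rules):
    """Return (later, earlier) pairs where an earlier rule matches everything the
    later rule would match. With first-match semantics the later rule never fires:
    either it is dead weight (8.2.4) or the rules are in the wrong order (8.2.3)."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (covers(as_network(earlier["src"]), as_network(later["src"]))
                    and covers(as_network(earlier["dst"]), as_network(later["dst"]))
                    and service_covers(earlier["service"], later["service"])):
                pairs.append((later["name"], earlier["name"]))
                break
    return pairs


def lint(rules, today=None):
    """Collect the findings an administrator should act on at the periodic check."""
    today = today or date.today()
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(f"rule base has {len(rules)} rules; limit is {MAX_RULES}")
    for rule in rules:
        for field in REQUIRED_DOC:
            if not rule.get(field):
                findings.append(f"{rule['name']}: missing '{field}'")
        expires = rule.get("expires")           # temporary rule, per 8.1.4
        if expires and date.fromisoformat(expires) < today:
            findings.append(f"{rule['name']}: temporary rule expired on {expires}; remove it")
    for later, earlier in shadowed(rules):
        findings.append(f"{later}: shadowed by earlier rule {earlier}; never matched")
    return findings


# Constructed rule base; addresses are taken from the RFC 5737 documentation ranges.
RULES = [
    {"name": "allow-web", "src": "any", "dst": "203.0.113.20/32", "service": "tcp/80",
     "action": "accept", "requester": "Web team", "reason": "public web site"},
    {"name": "vendor-ssh", "src": "198.51.100.0/24", "dst": "203.0.113.20/32",
     "service": "tcp/22", "action": "accept", "requester": "Operations",
     "reason": "vendor maintenance window", "expires": "2009-04-30"},
    {"name": "partner-web", "src": "198.51.100.5/32", "dst": "203.0.113.20/32",
     "service": "tcp/80", "action": "accept", "requester": "", "reason": "legacy"},
    {"name": "cleanup", "src": "any", "dst": "any", "service": "any",
     "action": "drop", "requester": "IT Security", "reason": "drop and log everything else"},
]

if __name__ == "__main__":
    for finding in lint(RULES, REVIEW_DATE):
        print(finding)
```

The shadowing check deliberately reports a covered rule regardless of its action: a covered rule with the same action is redundant and should be removed (8.1.1), while one with a different action indicates that the more specific rule has been placed after the general one (8.2.3).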
8.2.0 HARDENING THE RULE SET
8.2.1 TURN OFF UNUSED RULES
Hardening the rule base involves quick and easy steps to turn off some default rules. These rules allow certain communications that may be used for malicious intent. It is best practice to turn off all rules and only allow services that are explicitly required.

8.2.2 DENY "SPOOFED PACKETS"
The rule set shall explicitly deny information flows from manipulated origins, so-called "spoofed packets":
• The Firewall shall drop requests for access or services where the information arrives on an external interface and the presumed address of the source subject is an entity on an internal network.
• The Firewall shall drop requests for access or services where the information arrives on an internal interface and the presumed address of the source subject is an entity on the external network.
• The Firewall shall drop traffic arriving on the external interface with a private IP source address (see the ranges in 7.1.2).
• The Firewall shall drop requests for access or services where the information arrives on either an internal or external interface and the presumed address of the source subject is on the loopback network.
• The Firewall shall drop requests where the subject specifies the path by which data should route to its destination, so-called "IP source routing".
• For application protocols supported by the firewall (e.g. DNS, HTTP, SMTP, and POP3), the Firewall shall deny any access or service requests that do not conform to the associated published protocol specification (RFC).

8.2.3 RULE ORDER IS IMPORTANT
The order of the rules in the rule set is critical. Having the same rules, but placing them in a different order, can radically alter how the Firewall works. The Firewall works by inspecting packets in a sequential manner. When the Firewall receives a packet, it compares it against the first rule, then the second, then the third, etc. When it finds a rule that matches, it stops checking and applies that rule. If the packet goes through each rule without finding a match, then that packet is denied. It is critical to understand that the first rule that matches is applied to the packet, not the rule that best matches. Based on this, it is strongly advised to keep the more specific rules first and the more general rules last. This prevents a general rule being matched before a more specific rule is reached. The following lists the order in which traffic is processed by a firewall enforcement module:
• Implied rules configured FIRST in the security rule base.
• Stealth rule (normally the first explicit rule).
• All explicit rules except the last rule.
• Implied rules configured BEFORE LAST in the security rule base.
• Cleanup rule (normally the last explicit rule).
• Implied rules configured LAST in the security rule base.
• Implicit drop rule.
• Anti-spoofing check.
• Address translation rule base.
Note: Example of good rule order:
• Start: rules that permit administration of the Firewall - inbound.
• Block all other access to the Firewall (AND LOG/ALERT).
• Rules that permit administration of the Firewall - outbound (if required, e.g. management station echo replies).
• Block all other access from the Firewall (AND LOG/ALERT).
• Rules that affect performance, e.g. dropping multicast traffic.
• Rules that actually allow applications through to the DMZ.
• Rules that permit administration of DMZ devices (internal firewall of a two-stage firewall architecture).
• End: catch-all rule to drop and log everything else.

8.2.4 PERFORMANCE OF THE RULE SET
Although rule order is most important, do a review of the complete rule base for performance. When possible, move the most commonly used rules towards the top of the rule base, without changing the effect of the complete rule set. This improves performance since the Firewall parses fewer rules.

8.2.5 BROWSE AND EDIT THE DEFAULT RULES
The first step is to eliminate any rules (e.g. implicit) that permit data. It is important to start with a clean slate and ensure that no packets are getting through. Unfortunately, most firewalls come with a variety of services wide open by default. The first step is to turn off these default properties, or to be completely aware of the consequences when they are left open. Note: Often the implicit rules controlled by the global properties of the security policy are not reviewed for their appropriateness before implementation. Default application and service settings should be reviewed and enabled or disabled accordingly.

8.2.6 BLOCK ANY ACCESS TO THE FIREWALL ITSELF
No one should have access to the Firewall except authorized administrators. All traffic to the Firewall itself that does not originate from predefined sources should be dropped, and these drops should always be logged.

8.2.7 LOG ALL PACKETS MARKED FOR DROP
By default, the firewall drops all packets that do not match any rule. However, these packets are not logged by default. Change this by creating a "Drop All and Log" rule and adding it to the end of the rule base. Note: This is a standard rule that every rule base should have. Note: The only exception to logging all dropped packets is the broadcast rule (8.2.8).
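To make the first-match behaviour of 8.2.3 and the anti-spoofing, stealth and cleanup rules of 8.2.2, 8.2.6 and 8.2.7 concrete, the following Python script is an added example, not code from the original report or from any firewall product. It implements a small first-match rule engine over constructed packets: the anti-spoofing check runs before the rule base so that a forged source can never match an accept rule, a packet that matches no rule falls to the unlogged implicit drop, and the same rule base with the stealth rule moved ahead of the administration rule shows how a reordering locks the administrators out. The topology, the addresses (RFC 5737 documentation ranges on the Internet side) and the rule names are constructed.

```python
"""First-match rule engine with anti-spoofing, stealth and cleanup rules.

Added example for sections 7.1.2, 8.2.2, 8.2.3, 8.2.6 and 8.2.7; not code from
the original report or from any firewall product. The topology, addresses
(RFC 5737 documentation ranges on the Internet side) and rule names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "any"

# Sources that are never legitimate on the external interface (7.1.2, 8.2.2):
# RFC 1918 private space plus loopback, TEST-NET-1, multicast and class E.
NEVER_FROM_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed topology.
INTERNAL = ipaddress.ip_network("10.10.0.0/16")
DMZ = ipaddress.ip_network("203.0.113.16/28")
FIREWALL_ADDRS = [ipaddress.ip_network(a) for a in
                  ("10.10.0.1/32", "203.0.113.17/32", "203.0.113.1/32")]
MGMT_STATION = [ipaddress.ip_network("10.10.5.10/32")]
DMZ_WEB = [ipaddress.ip_network("203.0.113.20/32")]


@dataclass(frozen=True)
class Packet:
    iface: str          # arrival interface: "ext", "int" or "dmz"
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    src: object         # ANY or a list of ip_network
    dst: object
    proto: str          # ANY or a protocol name
    dport: Optional[int]   # None matches any port
    action: str         # "accept" or "drop"
    log: bool = False


def in_spec(spec, addr):
    return spec == ANY or any(addr in net for net in spec)


def anti_spoof(pkt):
    """Reason string if the source is implausible for the arrival interface (8.2.2), else None."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "ext":
        if src in INTERNAL or src in DMZ or any(src in n for n in NEVER_FROM_INTERNET):
            return "anti-spoofing: internal, private or reserved source on external interface"
    elif pkt.iface == "int" and src not in INTERNAL:
        return "anti-spoofing: non-internal source on internal interface"
    elif pkt.iface == "dmz" and src not in DMZ:
        return "anti-spoofing: non-DMZ source on DMZ interface"
    return None


def evaluate(rules, pkt):
    """Return (action, matched rule or reason, logged). First match wins; a packet that
    matches nothing hits the implicit drop, which is NOT logged (hence the cleanup rule)."""
    reason = anti_spoof(pkt)          # runs before the rule base in this engine
    if reason:
        return ("drop", reason, True)
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if rule.proto != ANY and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if in_spec(rule.src, src) and in_spec(rule.dst, dst):
            return (rule.action, rule.name, rule.log)
    return ("drop", "implicit drop", False)


# Recommended order (8.2.3): firewall administration, then the stealth rule that hides
# the firewall itself (8.2.6), then application rules, then a logged cleanup rule (8.2.7).
RULE_BASE = [
    Rule("admin-ssh", MGMT_STATION, FIREWALL_ADDRS, "tcp", 22, "accept", log=True),
    Rule("stealth", ANY, FIREWALL_ADDRS, ANY, None, "drop", log=True),
    Rule("dmz-http", ANY, DMZ_WEB, "tcp", 80, "accept"),
    Rule("cleanup", ANY, ANY, ANY, None, "drop", log=True),
]
# The same rules with the stealth rule first: the more specific admin rule is now shadowed.
MISORDERED = [RULE_BASE[1], RULE_BASE[0]] + RULE_BASE[2:]

SAMPLES = {
    "admin_ssh":         Packet("int", "10.10.5.10", "10.10.0.1", "tcp", 22),
    "stranger_ssh":      Packet("ext", "198.51.100.7", "203.0.113.1", "tcp", 22),
    "web_from_internet": Packet("ext", "198.51.100.7", "203.0.113.20", "tcp", 80),
    "spoofed_private":   Packet("ext", "10.10.1.5", "203.0.113.20", "tcp", 80),
    "spoofed_loopback":  Packet("ext", "127.0.0.1", "203.0.113.1", "tcp", 80),
    "unlisted_smtp":     Packet("int", "10.10.1.5", "198.51.100.25", "tcp", 25),
}


def run(rules=RULE_BASE):
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:18} -> {verdict}")
    print("admin with stealth first ->", run(MISORDERED)["admin_ssh"])
```

Dropping the cleanup rule from the end of RULE_BASE and re-running the "unlisted_smtp" sample shows the point of 8.2.7: the packet is still dropped, but by the implicit rule, and nothing is logged.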
8.2.8 DROP BROADCAST TRAFFIC AND SWITCH LOGGING OFF
35
IT Security for ABC Broadcasting Corporation___________________________ Corporation_______________________________________ ____________________ ________
_______________________Net _______________________Network work Infrastructure, Network Security and Management Policies
Depending on the place in the infrastructure there might be a great deal of broadcast traffic on the network that the Firewall drops and logs, which can quickly fill up the logs. If this is the case you might create a rule that drops or rejects this traffic, but does not log it. 8.2.9 BLOCK THE DMZ IF APPROPRIATE APPROPRIATE Depending on other rules consider that the internal users will possibly have open access to the DMZ, which is undesirable. In that case make a rule that denies access. Grant access to the DMZ based only on specific rules. 8.2.9.1 THE DMZ SHOULD NEVER INITIATE UNDESIRED CONNECTIONS The DMZ should NEVER initiate traffic to your internal network, with the exception of services that are specifically permitted. If unexpected traffic is noticed, then this may mean that the DMZ was compromised. Add a rule that denies, logs, and alerts whenever there is any other traffic from the DMZ to the internal network than permitted services. 8.2.9.2 PUT COMMENTS AT AT THE RULES Comments help to keep track the purpose of the rules. By having a better understanding of the rules, there is obviously less chance for error. Also, Also, if available, put a review number. number.
CHAPTER NINE
9.1.0 AUDIT
9.1.1 FIREWALLS SHOULD BE REGULARLY AUDITED
On a regular basis an independent party will test the Firewall. The goal is to identify the vulnerabilities in the Firewall at that moment. An independent party, such as the security vendor or Corporate Assurance, will audit the Firewall on a regular basis to assure that it is well maintained and that procedures are followed. Penetration testing should not be performed during production hours.

9.1.2 EXAMINATION OF LOG FILES
The log files will be examined at least every day. A separate account will be defined for the person who checks the audit trail. This account has minimal rights: only the right to read the audit trail and copy it to a medium. It is recommended to make use of real-time alerting (if available).

9.1.3 AUDIT TRAIL PROPERTIES
Audit trail data is stamped with a dependable date and time when recorded. Audit events include modifications to the group of users associated with the authorized administrator role, all use of the identification and authentication mechanisms (including any attempted reuse of authentication data), all information flow control decisions made by the Firewall, and the use of all security functions. If the audit trail becomes full, the only auditable events that may be performed are those performed by the authorized administrator.

9.1.4 LOG FILE SETTINGS
The Firewall software shall record within each audit record at least the following information: date and time of the event, type of event, subject identity, outcome (success or failure) of the event, and for specific cases extra information as specified below.
9.2.0 AUDITABLE EVENTS
The Network Administrator is expected to provide an analysis of the maximum amount of audit data that can be expected to be lost in the event of audit storage failure, exhaustion and/or attack.
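The daily log examination of 9.1.2, applied to records carrying the minimum fields required by 9.1.4 and the event classes listed in 9.1.3, as a small review script over constructed audit records. This is an added example, not part of the original report or of any firewall product; the key=value record format, the field names and the sample records are assumptions constructed for this page, not real log data.

```python
"""Daily audit-trail review for 9.1.2 to 9.1.4: rejects records that lack the
minimum fields of 9.1.4, counts information flow decisions per rule, flags
dropped DMZ->internal traffic (8.2.9.1) and repeated authentication failures.
Added example, not part of the original report; the key=value record format,
field names and the sample records are assumptions constructed for this page."""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

REQUIRED = ("ts", "event", "subject", "outcome")   # 9.1.4 minimum record content
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value record; refuse records missing a required field."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError(f"record lacks {missing}: {line!r}")
    datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")  # 9.1.3: a dependable timestamp
    return rec


def review(lines: Iterable[str], dmz_net: str = "172.16.0.0/24",
           internal_net: str = "10.0.0.0/8") -> Dict[str, object]:
    dmz, internal = ip_network(dmz_net), ip_network(internal_net)
    report = {"rule_hits": Counter(), "dmz_to_internal": [], "auth_failures": Counter(),
              "admin_changes": [], "malformed": []}
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError as err:
            report["malformed"].append(str(err))
            continue
        if rec["event"] == "flow":                       # 9.1.3: information flow control decision
            report["rule_hits"][rec.get("rule", "?")] += 1
            if (rec["outcome"] == "drop" and "src" in rec and "dst" in rec
                    and ip_address(rec["src"]) in dmz and ip_address(rec["dst"]) in internal):
                report["dmz_to_internal"].append(rec)    # 8.2.9.1: possible DMZ compromise
        elif rec["event"] == "auth" and rec["outcome"] == "failure":   # 9.1.3: use of I&A mechanism
            report["auth_failures"][rec["subject"]] += 1
        elif rec["event"] == "admin":                    # 9.1.3: changes by the administrator role
            report["admin_changes"].append(rec)
    return report


def lockout_candidates(report: Dict[str, object], threshold: int = 3) -> List[str]:
    """Subjects whose authentication failures reached the threshold."""
    return sorted(s for s, n in report["auth_failures"].items() if n >= threshold)


# Constructed sample audit trail (not real log data); one record is deliberately incomplete.
SAMPLE_LOG = """\
ts=2009-05-04T08:00:01 event=auth subject=admin1 outcome=success src=10.0.0.10 method=ssh
ts=2009-05-04T08:00:09 event=auth subject=root outcome=failure src=203.0.113.9 method=ssh
ts=2009-05-04T08:00:11 event=auth subject=root outcome=failure src=203.0.113.9 method=ssh
ts=2009-05-04T08:00:14 event=auth subject=root outcome=failure src=203.0.113.9 method=ssh
ts=2009-05-04T08:01:00 event=flow subject=fw1 outcome=accept rule=web-to-dmz src=198.51.100.4 dst=172.16.0.10 proto=tcp dport=443
ts=2009-05-04T08:01:02 event=flow subject=fw1 outcome=accept rule=web-to-dmz src=198.51.100.5 dst=172.16.0.10 proto=tcp dport=443
ts=2009-05-04T08:01:05 event=flow subject=fw1 outcome=drop rule=dmz-to-internal-deny src=172.16.0.10 dst=10.2.3.4 proto=tcp dport=445
ts=2009-05-04T08:01:07 event=flow subject=fw1 outcome=drop rule=cleanup src=198.51.100.9 dst=172.16.0.10 proto=tcp dport=22
event=flow outcome=drop rule=cleanup src=198.51.100.9 dst=172.16.0.11
ts=2009-05-04T08:02:00 event=admin subject=admin1 outcome=success action="rule base modified" review=17
""".splitlines()

if __name__ == "__main__":
    r = review(SAMPLE_LOG)
    print("rule hits (candidates for moving up, 8.2.4):", r["rule_hits"].most_common())
    print("DMZ->internal drops:", [(x["src"], x["dst"], x["dport"]) for x in r["dmz_to_internal"]])
    print("lockout candidates:", lockout_candidates(r))
    print("malformed records:", len(r["malformed"]))
```

The per-rule hit counts are the input the performance review in 8.2.4 needs; the DMZ-to-internal drops are the alert condition described in 8.2.9.1; and a record without timestamp or subject is reported rather than silently counted, because such a record does not meet 9.1.4 and cannot be trusted in an investigation.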
9.3.0 SAMPLE TRAFFIC RULE MATRIX
9.4.0 BLOCKING STANDARDS
9.5.0 FIREWALL ALLOW AND DENIAL/BLOCKING RULES
These rules should be implemented on all Firewalls, Routers and Managed Switches (Chow C 2006). As said earlier, network hardening policies will not be complete without management policies. These are policies governing the employees who manage, operate and implement all the system hardware and software facilities in ABC Corporation's network. Any mismanagement on the human side of network security could have serious consequences, so these management policies are essential and should be strictly adhered to. In this sense the humans act as the first line of firewall in preventing intruders such as social engineers, hackers and cyber thieves from breaking into the organization's internal network.
CHAPTER TEN 10.1.0 MANAGEMENT SECURITY HARDENING POLICIES
These policies aim strictly to avoid and prevent social engineering attacks.
• The organization should ensure that it has a strong information security policy.
• The organization should conduct in-depth information security training for all employees.
• Employees should be suspicious of unsolicited email messages, phone calls or visits from individuals asking about other employees or other internal information.
• When dealing with an unknown person claiming to be from a legitimate organization, their identity must be verified directly with that company.
• Staff should be trained not to be afraid to question the credentials of someone claiming to work for ABC Corporation.
• Staff are encouraged to use strong passwords that are at least eight (8) characters long and contain capital and small letters as well as numbers and special characters. Passwords will be changed at a regular interval, depending on the organization's password policy.
• Passwords should not be written on computer chassis, under keyboards, or pasted on office walls or notice boards, which defeats their purpose of confidentiality.
• Downloading of unsolicited email attachments should not be allowed, because the attachment may install malicious programs such as viruses, Trojans, keystroke loggers or spyware.
• Staff should not download and install any software on their computer system or any other system on the basis of a phone conversation. Installation of new software programs is the responsibility of the IT staff.
• Backups should be made of important files, folders and software on a regular basis.
• The firewall and IDS log files should be checked regularly to see whether there is any security incident that was not reported by the system on the basis of the existing firewall rules (this instruction is for System/Network Administrators).
• Install, maintain and update anti-virus software, anti-spyware software, operating system patches and email filters at regular intervals.
• All unused software, applications and programs should be uninstalled.
• User accounts of employees who have left ABC Corporation will be removed, and the Human Relations Department should notify the other departments of the employee's complete departure from the organization.
• Staff should be trained to pay attention to the Uniform Resource Locator (URL) of the web sites they visit. Malicious web sites generally look identical to the legitimate site; the difference is in the URL, which will use a variation in spelling or a different domain.
• Employees must not send sensitive information over the Internet before checking a web site's security. Employees should make sure that they deal only with web sites that have valid, non-expired certificates before sending confidential information across the Internet.
• Staff are not allowed to reveal personal or financial information in email, and they are not to respond to email solicitations for this information. The information may seem trivial, but a social engineer will use it to obtain vital information about ABC Corporation.
• All organizational documents and information, whether in print or electronic form, are to be treated initially as classified and confidential. This information will later be classified as private or public as defined by the organization's policies.
• Employees must not give out personal information or information about the organization to anyone, including the structure of its networks, unless they are certain of the person's authority to have that information.
• Care should be taken in providing information on ABC Corporation's web site. Posting of organizational charts or lists of key people should be avoided.
• All documents that might contain sensitive data and are to be discarded should be cross-cut shredded.
• Organizational information in the possession of a laid-off, resigned or retired employee should be retrieved from him/her (e.g. passwords, access keys and codes, etc.), and the passwords to computers and other electronic equipment to which he/she used to have access should be changed immediately.
• After the security management hardening plan has been established, it should be followed up to ensure that the employees understand and comply with it.
• Any employee who believes they are under a social engineering attack should report the incident immediately to the organization's Anti Social Engineering Department.
• All company personnel/employees should wear the company's badge at all times, and these badges should be of different patterns according to the department an employee belongs to.
• Unidentified storage media such as floppy disks, USB pen/flash drives and mini discs should not be inserted into any of the organization's computer systems, even when they bear the company's logo and are labelled "For Sales Department", etc. Their source must be fully verified before use.
Organizational security should match the size of the organization. In other words, all employees in an organization should be adequately informed and trained on organizational security policies and their implementation (Mitnick and Simon 2002, p. 271).
CHAPTER ELEVEN
11.1.0 RECOMMENDATIONS
It is obvious that network/organizational security should not be left solely in the hands of the Network Administrators or System Administrators, but should be in the hands of all employees working in the organization, since the threat to organizational security is not only to the networking hardware or software but also to the humans (i.e. employees) working in the organization. To the so-called social engineers the human loop-hole is the easiest way of attacking an organization, as Mitnick and Simon (2002 p3) commented: "Humans are security's weakest link".
So it is recommended that, for ABC Corporation to survive in this highly threatened and competitive business environment, the organization should have all the necessary protective networking hardware and software in place, with competent Network and System Administrators manning them, and should involve the entire staff of the organization in the security process by educating them to take security as diligently as they handle their day-to-day tasks. This will be achieved by training the entire staff about organizational security. Details of the issues the staff need to be trained on are discussed in this document under the caption "Management Security Hardening Policies".

11.1.1 OPINIONS
Designing and setting up an organizational network is not all about the beauty of the network topology, which may appear in both logical and physical diagrams; it takes an understanding of what the operations of the organization are, and then the design of a well secured network that suits the nature of those operations.
It is our (the group members') opinion that a network such as that of ABC Broadcasting Corporation should implement a two-way security measure in securing the perimeter of the organization. One measure is security from the hardware angle, by employing qualified, competent hands to man and run the network resources. The other measure is to strictly consider the weakness of the human, which serves as the link to social engineering attacks. Every member of ABC Corps staff must be involved in training and awareness on how to recognize and mitigate the attacks of social engineers of any kind and degree. Efforts have been made to spell out all that is required to set up a well secured and befitting network for ABC Broadcasting Corps in this document. If implemented strictly by the book, ABC Broadcasting Corps can stand to compete firmly with any of its opponents in the business world of broadcasting and its like.
11.2.0 SUMMARY AND CONCLUSION
Time has been taken to explain the entire networking infrastructure that can be used to set up a tight and proficient network for ABC Broadcasting Corporation. The network link types are IP-VPN and point-to-point leased line. The point-to-point leased line is to be used to link branch offices that share a common country boundary with the Head Quarters office, which is located in Kuala Lumpur, Malaysia, while the IP-VPN is to link branch offices that are farther away in other parts of Asia. The operation of ABC Broadcasting Corporation is particularly centered on the Asian continent. The other phase of this document talks about network and organizational security. Efforts are made to detail all the measures needed to achieve a hack-proof network, both on the network infrastructure side and on the employees' side.
In conclusion, the war between network security experts and organizational security threats like hackers and social engineers will never end, but it is expected that with the extent of security which this document has spelt out for ABC Broadcasting Corporation, the organization will be able to stand the test of time as well as claiming its ground and proving its worth in the market place amongst its fellow competitors.

11.3.0 TERMS AND DEFINITIONS
Authentication
Proof of identity (or source). An authentication scheme between two entities consists of a proving party and a verifying party. Authentication can be provided in various ways, for example username/password, keyed hash, MAC (symmetric-key cryptography) or digital signature (asymmetric cryptography).
Authorization
A set of rules which determine who gets access, with what privileges, to a specific resource. Authorization should be preceded by a strong form of authentication to be effective.
Cisco IOS (Internetwork Operating System)
Cisco IOS is the software used on the vast majority of Cisco Systems routers and all current Cisco network switches. IOS is a package of routing, switching, internetworking and telecommunications functions tightly integrated with a multitasking operating system.
Console
The console is an interface on the router which can communicate with a terminal or terminal emulator via a serial port.
Daemon
A daemon is a computer program that runs in the background rather than under the direct control of a user; daemons are usually started as processes at boot. Typically daemon names end with the letter "d".
DMZ
Demilitarized Zone: a network segment between two networks of different security levels. A DMZ is used to create a secure and controlled environment for traffic between the two networks.
DoS
Denial of Service: an abbreviation often used for network attacks that prevent a network component from providing its operational functions.
External Interface
The interface on a router directly connected to the network that is not under the control of the owner of the router.
In some cases the internal and external interfaces of a router are merely distinguished by definition.
FTP
File Transfer Protocol: a widely used TCP-based file transfer and file management protocol.
IDS
An Intrusion Detection System (IDS) detects unwanted manipulation of computer systems, mainly over the Internet. The manipulation may take the form of attacks by crackers.
IPS
An Intrusion Prevention System (IPS) is a computer security device that exercises access control to protect computers from exploitation. Intrusion prevention technology is considered by some to be an extension of IDS technology, but it is actually another form of access control, like an application layer firewall.
IPSec
IPSec (IP security) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream.
Promiscuous mode
A configuration of a network card in which the card passes all traffic it receives to the CPU rather than just the packets addressed to it; a feature normally used for packet sniffing.
Protocol
A communications protocol is the set of standard rules for data representation, signalling, authentication and error detection required to send information over a communications channel.
Proxy
A proxy is a server (a computer system or an application program) which services the requests of its clients by making requests to other servers. A client connects to the proxy server, requesting a file, connection, web page or other resource available from a different server.
VPN
A Virtual Private Network (VPN) is a private communications network often used by companies or organizations to communicate confidentially over a public network. VPN traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider's private network with a defined Service Level Agreement (SLA). A VPN can send data (e.g. voice, data or video, or a combination of these media) across secured and encrypted private channels between two points.

Before a firewall policy can be created, some form of risk analysis must be performed on the applications that are necessary for the accomplishment of the organization's mission. The results of this analysis will include a list of the applications and how those applications will be secured. Risk analysis of the Information Technology infrastructure should be weighed on an evaluation of the following elements:
• Threats;
• Vulnerabilities;
• Countermeasures in place to mitigate vulnerabilities; and
• The impact if sensitive data is compromised.
The goal is to understand and evaluate these elements prior to establishing the firewall policy. The result of the risk analysis will dictate the manner in which the firewall system handles network application traffic. The details of which applications can traverse a firewall, and under what exact circumstances, should be documented in the form of an application Traffic Rule Matrix.
REFERENCES
• Mitnick, K & Simon, W, 2002, The Art of Deception (Controlling the Human Element of Security), 1st edn, Wiley Publishing Inc, Indianapolis, Indiana, USA.
• Kurose, J F & Ross, K W, 2009, Computer Networking: A Top-Down Approach Featuring the Internet, 3rd edn, Pearson Education South Asia, India.
• Chow, C, 2006, Astro; Operational Security Guideline: Cisco Router, Version 1.0, Kuala Lumpur.
• Held, G, 2004, Virtual Private Networking: A Construction, Operation and Utilization Guide, 2nd edn, John Wiley and Sons, USA.
• Lammle, T, 2007, CCNA: Cisco Certified Network Associate (CCNA), 3rd edn, John Wiley and Sons, USA.
• Peterson, L L & Davie, B S, 2007, Computer Networks: A Systems Approach, 4th edn, Morgan Kaufmann Publishers. Retrieved April 5, 2009 from http://books.google.com.my/books?id=fknMX18T40cC&printsec=frontcover&source=gbs_summary_r&cad=0.
• Robert S, Michael C & Laura E H, 2005, Network+ Study Guide & Practice Exams (CSU/DSU, chap. 3, p. 141), 3rd edn, Elsevier Publications. Retrieved April 6, 2009 from http://books.google.com.my/books?id=l8hU54ewGaYC&pg=PA141&dq=csu/dsu.
• Lemos, R, 2000, "Mitnick teaches 'Social Engineering'", ZDNet News, July 17, 2000. Retrieved April 1, 2009 from http://zdnet.com.com/2100-11-522261.html?legacy=zdnn.
• Wikipedia, 2009, Internet Protocol Security (IPSec), Wikipedia: The Free Online Encyclopedia. Retrieved April 6, 2009 from http://en.wikipedia.org/wiki/IPsec.
• Spirent White Paper, 2002, Broadband Architecture: Point-to-Point Protocol Comes of Age. Retrieved April 2, 2009 from www.spirentcom.com/pdf.
• Simpson, W, 1994, "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661. Retrieved April 2, 2009 from http://www.ietf.org/rfc/rfc1661.txt.
• How Stuff Works, 2009, Virtual Private Network (VPN), How Stuff Works Inc. Retrieved April 5, 2009 from http://computer.howstuffworks.com/vpn.htm/printable.
• Microsoft TechNet, 2009, Virtual Private Network, TechNet Magazine, Microsoft Corporation. Retrieved April 5, 2009 from http://technet.microsoft.com/en-us/network/bb545442.aspx.