Firewall Operations - Protecting a Critical System
By Gideon T. Rasmussen - CISSP, CFSO, CFSA, SCSA
teams must ensure that firewalls are installed, configured
and maintained in accordance with mission requirements and
the best interests of the organization. There are many reasons
why firewall administration must be tightly controlled.
Firewalls are inherently complex. Employee turnover can
result in a lack of continuity. Firewall logs may be called
as evidence in a court case. Many organizations must also
meet auditing requirements.
installing a firewall, its administrators should become
intimately familiar with its features and operations. While
there is no substitute for formal training, other resources
include system manuals, on-line documentation, manual pages,
knowledge base entries and technical support.
an organization does not have experienced personnel, administrators
should engage a consultant to properly install and configure
the system. Ensure that administrators are available to
participate in the installation and obtain knowledge transfer.
Test disaster recovery by reinstalling the firewall software
and restoring from backup.
document how each firewall should be installed in a formal
configuration standard. Installation must be in strict compliance
with system manuals to help ensure stability and compliance
with support agreements. A standard should also provide
step-by-step instructions. Consider the following topics:
Use proxies to limit traffic to designated protocols. Proxies
can block file sharing programs such as Kazaa and iMesh.
They can also defeat hacking tools. Proxies give administrators
granular control over a protocol. For example, CyberGuard's
FTP proxy can be configured to permit download and deny
upload. The HTTP proxy makes it possible to run multiple
Web sites on one system. Youll find more information
about CyberGuards proxies here: (http://www.cyberguard.com/news_room/news_newsletter_030619smartproxies.cfm).
Include comment entries in the packet filter rules file.
Firewall rules grow quickly. It is important to retain the
purpose of each rule. Adopt the following format as a standard:
"rationale, mm/dd/yy, ticket #, your name."
Grouping is very powerful and should be used whenever possible.
Grouping reduces the complexity of firewall rules and minimizes
the potential for human error. If you have several systems
with the same service requirements, create hosts and services
groups. The utility of grouping becomes more apparent as
the number of systems increases.
Create individual accounts for each administrator. Delete
the common administrative account. This configuration enhances
Use duty roles to grant specific accesses. For example,
an auditor should have read-only permissions. Support staff
only requires the ability to stop and start the system.
Tracking: Configuration tracking records changes made
during a login session. Its database enables administrators
to compare the differences between an older configuration
file and the current version. Configuration tracking can
also record a user-supplied ticket number.
Enable Dynamic Network Address Translation (DNAT) on each
external interface. DNAT changes internal IP addresses to
the external IP of the firewall with a unique source port.
The outside world sees the external address. Upon return
the firewall knows which IP to switch back to from the originating
Enforce strong password elements. Configure passwords to
expire every three months. Password elements should include
alpha, numeric and special characters.
By default, binary logging is enabled. More than 300 events
are logged. Configure activity logging to record security
events and the services enabled on the firewall.
Schedule an export of binary audit logs to an FTP server.
Copy system logs to a central syslog server. Configure log
management to prevent the system disk from filling up.
Configure the firewall to send notification of suspicious
events. You can choose from a variety of notification methods
including: file, window, e-mail, SNMP trap, pager, syslog
and shell command.
granting production status to a system, confirm that a scheduled
backup has successfully completed. Ensure the system is
properly configured by conducting a security vulnerability
scan. Also remember to monitor the firewall from a remote
a formal change process and incorporate your firewalls into
the system development life cycle. In particular, ensure
that firewall rules are not left in place when a system
is decommissioned. This can represent a serious vulnerability
if a system is repurposed or its IP address reissued while
firewall rules still provide access from the outside.
new versions and product support updates as they are issued.
The operating systems multi-level security and hardened
kernel are the foundation of the cyberGuard zero vulnerabilities
CyberGuard firewalls have achieved Common Criteria EAL4+
certification and maintain that certification through participation
in the Assurance Maintenance program. That means that new
versions and updates maintain their original certification.
an operations guide to ensure continuity. At a minimum it
should detail how to stop and start the firewall and restore
include firewalls in disaster recovery planning. Store installation
media and firewall backups off-site. Confirm that the recovery
site has firewall hardware available.
Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission