Firewall Management

Posted on 2011-03-22
Last Modified: 2012-05-11
Can I ask some questions about management of perimeter defences?

Say you have a firewall/IDS, installed to supplier best practice.

What are the responsibilities of a firewall admin after it's live? Am I correct in thinking an IDS is similar to AV in that you need to keep getting updated definitions to protect against attacks? How frequently are they released?

Are there security patches for such products? If so, what kinds of vulnerabilities do these patch? Could one (if exploited) bring down or disable the firewall/IDS, or is that a bit dramatic? What's the potential impact?

I believe firewalls are based on rules? When will rules need to be reviewed, i.e. what internally will affect whether a rule base needs to be reviewed, and can you test for perhaps "stale rules", i.e. unnecessary rules, those that aren't being utilised and could potentially be disabled? If so, how do you go about this?

How can you test your firewall from the outside? Is it an easy task or very, very complex?
Question by:pma111
5 Comments
 
LVL 10

Accepted Solution

by:
Hutch_77 earned 250 total points
ID: 35190636
What are the responsibilities of a firewall admin after it's live? Am I correct in thinking an IDS is similar to AV in that you need to keep getting updated definitions to protect against attacks? How frequently are they released?

This depends on the contract; if you set it up and end it at that, it is the responsibility of the company to maintain. Otherwise logs and updates and changes would be needed on a semi-regular basis. The updates are less regular than an AV solution but can be as regular as a Windows update. It really depends on what the appliance needs and when. I know Cisco's are fairly rare as they are more of a designed firewall, but SonicWall uses more of the appliance-type rules you are speaking of and it checks regularly.

Are there security patches for such products? If so, what kinds of vulnerabilities do these patch? Could one (if exploited) bring down or disable the firewall/IDS, or is that a bit dramatic? What's the potential impact?

Yes, there are security patches. The vulnerabilities can only be explained in the change log by the company. The potential impact is a hole in the firewall, and it can bring it down.

I believe firewalls are based on rules? When will rules need to be reviewed, i.e. what internally will affect whether a rule base needs to be reviewed, and can you test for perhaps "stale rules", i.e. unnecessary rules, those that aren't being utilized and could potentially be disabled? If so, how do you go about this?

Firewalls are very rule-based at their heart and should only need to be changed when a change is needed, i.e. removal of a web server: remove the rule; addition of a VPN: add the VPN rules. Without knowing the real infrastructure you can't really answer what all could be affected. Anything that NEEDS internet accessibility, i.e. Exchange, web servers, would require rules.
Disabling the rules is dependent on the appliance; sometimes you can just disable if you see the need for it in the future, sometimes it is a deletion.

How can you test your firewall from the outside? Is it an easy task or very, very complex?

You can run hacks against the firewall, trying to sniff out the open ports and gain access through them. You can pay someone to do it and report what vulnerabilities you have. If you know what to look for it is not terribly hard; if you don't, it is complex. There are a lot of utilities out there specifically for this; most are for hackers specifically, but with permission from the company they are perfectly legal to use.
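
The accepted answer above says stale rules can be disabled once you know they are unused but does not show how to find them. The usual practical test is the per-rule hit counter that most firewalls keep. The following is an added example by the editor, not code from the thread or from any vendor: it parses the counter columns of `iptables -L -n -v -x` (Linux netfilter) and lists rules that have matched nothing. The sample output is constructed for the example, using documentation address ranges, and is not from a real host.

```python
"""Find rules whose counters never move: one practical test for "stale" rules.

Added example, not from the original thread.  Most firewalls keep a
per-rule hit counter; on Linux netfilter `iptables -L -n -v -x` prints
it in the first two columns (packets, bytes).  The sample output below
is constructed for this example, not taken from a real host; addresses
are documentation ranges.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  184233  214091224 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 9912034 8123440811 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   40211    2412660 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       0          0 ACCEPT     tcp  --  eth0   *       203.0.113.0/24       0.0.0.0/0            tcp dpt:3389
       0          0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
     312      18720 ACCEPT     tcp  --  eth0   *       198.51.100.7         0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            10.0.0.25            tcp dpt:25

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""


@dataclass
class Rule:
    chain: str
    index: int      # 1-based position in its chain, the number `iptables -D CHAIN N` uses
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    match: str      # trailing match text, e.g. "tcp dpt:443"


_CHAIN_RE = re.compile(r"^Chain (\S+) \(")
_RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_counters(text: str) -> List[Rule]:
    """Parse `iptables -L -n -v -x` output into Rule records."""
    rules, chain, index = [], None, 0
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain, index = m.group(1), 0
            continue
        m = _RULE_RE.match(line)          # the "pkts bytes target" header does not match
        if m and chain is not None:
            index += 1
            pkts, nbytes, target, proto, _opt, in_if, out_if, src, dst, match = m.groups()
            rules.append(Rule(chain, index, int(pkts), int(nbytes), target, proto,
                              in_if, out_if, src, dst, match.strip()))
    return rules


def zero_hit(rules: List[Rule]) -> List[Rule]:
    """Rules that have matched nothing since the counters were last reset
    (boot, `iptables -Z`, or a rule reload).  Candidates for review, not
    for blind deletion: a rule for a quarterly failover or a break-glass
    admin address can legitimately sit at zero for months."""
    return [r for r in rules if r.pkts == 0]


def unchanged_between(before: List[Rule], after: List[Rule]) -> List[Rule]:
    """Rules whose packet counter did not move between two snapshots.
    Comparing snapshots over a representative window (weeks, so that
    month-end jobs and the like are covered) is more trustworthy than a
    single reading taken shortly after a reboot."""
    def key(r):
        return (r.chain, r.target, r.proto, r.in_if, r.out_if, r.source, r.dest, r.match)
    earlier = {key(r): r.pkts for r in before}
    return [r for r in after if key(r) in earlier and r.pkts == earlier[key(r)]]


if __name__ == "__main__":
    rules = parse_counters(SAMPLE_IPTABLES)
    for r in zero_hit(rules):
        print(f"never hit: {r.chain} rule {r.index}: {r.target} {r.proto} "
              f"{r.source} -> {r.dest} {r.match}")
```

On the constructed sample this reports the RDP, FTP and forwarded SMTP rules as never hit. Whether each is stale is still a judgement call (an RDP rule for a contractor range may simply be unused this quarter), so the safe sequence is: disable rather than delete where the firewall supports it, keep the change ticket, and delete after a further quiet period.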
 
LVL 3

Author Comment

by:pma111
ID: 35190721
Is it pretty common for people to leave rules that can leave the perimeter vulnerable to attack?

Or is it pretty unheard of in a knowledgeable IT shop?

Re the tools you list, can you provide some examples?

Is it one rule per server? I.e. if you have 50 web servers talking to 50 database servers, is it likely you'll have 50 firewall rules showing the web server can talk to the database server? 50 VPN connections, 50 VPN rules?

Would you be willing to show some sample rules/examples that will be in place in most IT environments so I can familiarise myself with them?

Cheers
 
LVL 10

Expert Comment

by:Hutch_77
ID: 35190795
Is it pretty common for people to leave rules that can leave the perimeter vulnerable to attack?

This really depends on who is running the firewall. Does it happen? Yes. Should it happen? No.

Or is it pretty unheard of in a knowledgeable IT shop?

It still happens, as it sometimes gets lost in the amount of work, since the firewall is often, especially in an SMB, managed by the same staff running everything else.

Re the tools you list, can you provide some examples?
Sam Spade is a good all-around application for vulnerabilities. I would also do some reading on white-hat hackers; it will point you more in the right direction for this.

Is it one rule per server? I.e. if you have 50 web servers talking to 50 database servers, is it likely you'll have 50 firewall rules showing the web server can talk to the database server? 50 VPN connections, 50 VPN rules?
For something like that I would look more at a tunnel with a single rule allowing the SQL port to be available to all the web servers.

Would you be willing to show some sample rules/examples that will be in place in most IT environments so I can familiarise myself with them?

NAT rules are very common, which is basically pointing an external IP and port to an internal IP and port.
SMTP, POP3 and 443 ports would be common.
It is hard to give specifics beyond that, as the way you manage the firewall and what firewall you have can look very different.
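
The accepted answer describes testing from the outside as "sniffing out the open ports", and the comment above asks for tool examples. The following is an added example by the editor, not code from the thread and not any particular tool's code: a TCP connect scan, which is what tools such as Sam Spade or nmap (`nmap -sT`) do for each port, plus a check of the result against the ports the rule base is supposed to expose. It includes a throwaway local listener so it can be exercised offline; run it against real hosts only with authorisation.

```python
"""TCP connect scan: the simplest form of "testing the firewall from
outside", with a local listener to try it against.

Added example, not from the original thread.  A connect scan attempts a
full TCP handshake to each port.  Three outcomes matter to a firewall
review:
  open      handshake completed: something is listening and reachable
  closed    host answered with RST: reachable, but nothing listening
  filtered  no answer before the timeout: typically a firewall drop
Run it only against hosts you are authorised to test.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one port from the outcome of connect()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # no SYN-ACK and no RST: dropped on the way
        return "filtered"
    except ConnectionRefusedError:  # RST came back
        return "closed"
    except OSError:                 # unreachable network, name failure, etc.
        return "error"
    finally:
        s.close()


def scan(host: str, ports: Iterable[int], timeout: float = 1.0,
         workers: int = 32) -> Dict[int, str]:
    """Probe ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def unexpected_open(result: Dict[int, str], allowed: Iterable[int]) -> List[int]:
    """Open ports the rule base is not supposed to expose.  `allowed` is
    what your firewall rules say should be reachable from this vantage
    point; anything else open is a finding (a forgotten rule, a default
    service, a test box that went live)."""
    allowed = set(allowed)
    return sorted(p for p, state in result.items() if state == "open" and p not in allowed)


def local_listener(host: str = "127.0.0.1") -> socket.socket:
    """A throwaway listening socket on an ephemeral port so the scanner
    can be exercised offline.  The kernel completes handshakes into the
    backlog, so no accept() loop is needed.  Close it when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def free_port(host: str = "127.0.0.1") -> int:
    """An ephemeral port that is (almost certainly) closed right now."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = local_listener()
    target_port = srv.getsockname()[1]
    result = scan("127.0.0.1", [target_port, free_port()])
    for port, state in sorted(result.items()):
        print(f"{port:5d}/tcp {state}")
    # Pretend the rule base only permits 443: the listener shows up as a finding.
    print("unexpected open ports:", unexpected_open(result, allowed=[443]))
    srv.close()
```

For a real perimeter test, run the scan from a host outside the firewall against your public addresses and diff the open set against the rules you expect (typically the SMTP, POP3/IMAP and 443 forwards mentioned in the answer). A connect scan only covers TCP; UDP services and anything the firewall rate-limits or answers on behalf of the host need different checks, and "filtered" versus "closed" is the quickest way to see whether a drop rule is actually in front of a service.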
 
LVL 3

Author Comment

by:pma111
ID: 35190840
And with regard to IDS definitions, are they released more regularly than firewall security patches?

Could you show me what firewall rules look like in raw/edited format? Are they user-friendly or just lines of random spaghetti code :-)?
 
LVL 10

Expert Comment

by:Hutch_77
ID: 35190891
The IDS will be more frequent, but it really depends on the manufacturer, and most are automatic, much like AV.

I can't really give you a rule, but most appliances have 2 options: you get the basic web interface, which helps you build, then you get the more raw command line, which gives you more flexibility. Once you learn the code it is very user-friendly; it is just learning the intricacies that makes it complex. Once you know the basics it makes sense. It is exactly how I learned Cisco.
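
The expert declined to show a raw rule, and earlier answered the "50 web servers, 50 rules?" question with "a single rule allowing the SQL port to all the web servers" and described NAT rules as pointing an external IP and port to an internal IP and port. The following is an added example by the editor, not code from the thread and not any vendor's rule syntax. It models the fields every packet filter shares (source, destination, protocol, port, action), shows first-match evaluation, detects a rule that can never fire because an earlier rule already covers it, collapses per-server rules into one rule with an address group, and renders the result as iptables commands including a DNAT port-forward. All addresses are made up from private and documentation ranges.

```python
"""A small first-match rule-base model.

Added example, not from the original thread and not any vendor's rule
syntax.  Demonstrates first-match evaluation, shadowed (never-firing)
rule detection, consolidation of per-server rules into one rule with
an address group, and rendering as iptables commands.  Addresses are
made up (private/documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: Tuple[str, ...]    # one or more CIDRs: an "address group"
    dst: Tuple[str, ...]
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any port
    action: str             # "ACCEPT" or "DROP"


def _in_any(ip: str, cidrs: Tuple[str, ...]) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(c) for c in cidrs)


def _subset(cidrs: Tuple[str, ...], of: Tuple[str, ...]) -> bool:
    """Every network in `cidrs` lies inside some single network in `of`."""
    return all(any(ipaddress.ip_network(c).subnet_of(ipaddress.ip_network(o)) for o in of)
               for c in cidrs)


def matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    return (_in_any(src_ip, rule.src) and _in_any(dst_ip, rule.dst)
            and rule.proto in ("any", proto) and rule.dport in (None, dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int,
             policy: str = "DROP") -> Tuple[str, str]:
    """First matching rule wins; the chain policy applies if none match."""
    for r in rules:
        if matches(r, src_ip, dst_ip, proto, dport):
            return r.name, r.action
    return "policy", policy


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` would match is already matched by `earlier`."""
    return (_subset(later.src, earlier.src) and _subset(later.dst, earlier.dst)
            and earlier.proto in ("any", later.proto)
            and earlier.dport in (None, later.dport))


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because one earlier rule covers
    them, whatever its action.  Pairwise only: a rule hidden by the union
    of several earlier rules is not reported."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


def consolidate(rules: List[Rule]) -> List[Rule]:
    """Merge rules that differ only in source into one rule per
    (dst, proto, dport, action) whose source is an address group.
    Adjacent aligned sources collapse (.12/32 + .13/32 -> .12/31).
    Only safe when no differently-acting rule sits between the merged
    ones; confirm with evaluate() before and after."""
    merged, order = {}, []
    for r in rules:
        key = (r.dst, r.proto, r.dport, r.action)
        if key not in merged:
            merged[key] = r
            order.append(key)
        else:
            m = merged[key]
            nets = ipaddress.collapse_addresses([ipaddress.ip_network(c) for c in m.src + r.src])
            merged[key] = Rule(m.name, tuple(str(n) for n in nets), m.dst, m.proto, m.dport, m.action)
    return [merged[k] for k in order]


def render_iptables(rules: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Filter rules as iptables commands, one line per (src, dst) pair.
    A vendor GUI shows the address group as one rule; with ipset it
    would be one line here as well."""
    out = []
    for r in rules:
        for s in r.src:
            for d in r.dst:
                parts = [f"iptables -A {chain} -s {s} -d {d}"]
                if r.proto != "any":
                    parts.append(f"-p {r.proto}")
                    if r.dport is not None:
                        parts.append(f"--dport {r.dport}")
                parts.append(f'-m comment --comment "{r.name}" -j {r.action}')
                out.append(" ".join(parts))
    return out


def render_dnat(public_ip: str, public_port: int, internal_ip: str, internal_port: int,
                proto: str = "tcp") -> str:
    """The NAT rule the answer describes: external IP:port forwarded to an
    internal IP:port.  A matching filter (FORWARD) rule is still required."""
    return (f"iptables -t nat -A PREROUTING -d {public_ip} -p {proto} --dport {public_port} "
            f"-j DNAT --to-destination {internal_ip}:{internal_port}")


DB = ("10.2.0.5/32",)                                   # constructed sample
WEB_SERVERS = ["10.1.0.11", "10.1.0.12", "10.1.0.13"]   # constructed sample
PER_SERVER = [Rule(f"web{i}-to-db", (f"{ip}/32",), DB, "tcp", 1433, "ACCEPT")
              for i, ip in enumerate(WEB_SERVERS, 1)]

if __name__ == "__main__":
    one_rule = consolidate(PER_SERVER)
    print("\n".join(render_iptables(one_rule)))
    print(render_dnat("203.0.113.10", 443, "10.0.0.25", 443))
    print("shadowed:", shadowed([Rule("all-web-to-db", ("10.1.0.0/24",), DB, "tcp", 1433, "ACCEPT")] + PER_SERVER))
```

Two things this makes visible that a GUI hides: order matters (a later, narrower rule under a broader one is dead weight and shows up in `shadowed`), and "one rule per server" and "one rule with a group" permit exactly the same packets, which `evaluate` lets you confirm before you delete the 50 originals.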
