Solved

Firewall Management

Posted on 2011-03-22
301 Views
Last Modified: 2012-05-11
Can I ask some questions about management of perimeter defences?

Say you have a Firewall/IDS, installed to supplier best practice.

What are the responsibilities of a firewall admin after it's live? Am I correct in thinking an IDS is similar to AV in that you need to keep getting updated definitions to protect against attacks? How frequently are they released?

Are there security patches for such products? If so, what kinds of vulnerabilities do these patch? Could one (if exploited) bring down or disable the firewall/IDS, or is that a bit dramatic? What's the potential impact?

I believe firewalls are based on rules? When will rules need to be reviewed, i.e. what internally will trigger a review of the rule base, and can you test for perhaps "stale rules", i.e. unnecessary rules, those that aren't being utilised and could potentially be disabled? If so, how do you go about this?

How can you test your firewall from the outside? Is it an easy task or very, very complex?
Question by:pma111
5 Comments
 
LVL 10

Accepted Solution

by: Hutch_77 (earned 250 total points)
ID: 35190636
What are the responsibilities of a firewall admin after it's live? Am I correct in thinking an IDS is similar to AV in that you need to keep getting updated definitions to protect against attacks? How frequently are they released?

This depends on the contract: if you set it up and end it at that, it is the responsibility of the company to maintain. Otherwise logs, updates and changes would be needed on a semi-regular basis. The updates are less regular than an AV solution but can be as regular as a Windows update. It really depends on what the appliance needs and when. I know Cisco's are fairly rare, as they are more of a designed firewall, but SonicWall uses more of the appliance-type rules you are speaking of and it checks regularly.

Are there security patches for such products? If so, what kinds of vulnerabilities do these patch? Could one (if exploited) bring down or disable the firewall/IDS, or is that a bit dramatic? What's the potential impact?

Yes, there are security patches. The vulnerabilities can only be explained in the change log by the company. The potential impact is a hole in the firewall, and it can bring it down.

I believe firewalls are based on rules? When will rules need to be reviewed, i.e. what internally will trigger a review of the rule base, and can you test for perhaps "stale rules", i.e. unnecessary rules, those that aren't being utilized and could potentially be disabled? If so, how do you go about this?

Firewalls are very rule-based at their heart and should only need to be changed when a change is needed, i.e. removal of a web server: remove the rule; addition of a VPN: add the VPN rules. Without knowing the real infrastructure you can't really answer what all could be affected. Anything that NEEDS internet accessibility, i.e. Exchange, web servers, would require rules.
Disabling the rules is dependent on the appliance; sometimes you can just disable if you see the need for it in the future, sometimes it is a deletion.

How can you test your firewall from the outside? Is it an easy task or very, very complex?

You can run hacks against the firewall, trying to sniff out the open ports and gain access through them. You can pay someone to do it and report what vulnerabilities you have. If you know what to look for it is not terribly hard; if you don't, it is complex. There are a lot of utilities out there specifically for this; most are for hackers specifically, but with permission from the company they are perfectly legal to use.
 
LVL 3

Author Comment

by:pma111
ID: 35190721
Is it pretty common for people to leave rules that can leave the perimeter vulnerable to attack?

Or pretty unheard of in a knowledgeable IT shop?

Re the tools you list can you provide some examples?

Is it one rule per server? I.e. if you have 50 web servers talking to 50 database servers, is it likely you'll have 50 firewall rules showing the web server can talk to the database server? 50 VPN connections, 50 VPN rules?

Would you be willing to show some sample rules/examples that will be in place in most IT environments so I can familiarise myself with them?

Cheers
 
LVL 10

Expert Comment

by:Hutch_77
ID: 35190795
Is it pretty common for people to leave rules that can leave the perimeter vulnerable to attack?

This really depends on who is running the firewall. Does it happen? Yes. Should it happen? No.

Or pretty unheard of in a knowledgeable IT shop?

It still happens, as it sometimes gets lost in the amount of work; the firewall is often, especially in an SMB, managed by the same staff running everything else.

Re the tools you list can you provide some examples?
Sam Spade is a good all-around application for vulnerabilities. I would also do some reading on white hat hackers; it will point you more in the right direction for this.

Is it one rule per server? I.e. if you have 50 web servers talking to 50 database servers, is it likely you'll have 50 firewall rules showing the web server can talk to the database server? 50 VPN connections, 50 VPN rules?
For something like that I would look more at a tunnel with a single rule allowing the SQL port to be available to all the web servers.

Would you be willing to show some sample rules/examples that will be in place in most IT environments so I can familiarise myself with them?

NAT rules are very common, which is basically pointing an external IP and port to an internal IP and port.
SMTP, POP3 and 443 ports would be common.
It is hard to give specifics beyond that, as the way you manage the firewall and what firewall you have can look very different.
 
LVL 3

Author Comment

by:pma111
ID: 35190840
And with regard to IDS definitions are they released more regularly than firewall security patches?

Could you show me what firewall rules look like in raw/edited format? Are they user-friendly or just lines of random spaghetti code :-)?
 
LVL 10

Expert Comment

by:Hutch_77
ID: 35190891
The IDS will be more frequent, but it really depends on the manufacturer, and most are automatic much like AV.

I can't really give you a rule, but most appliances have two options: you get the basic web interface, which helps you build, then you get the more raw command line, which gives you more flexibility. Once you learn the code it is very user-friendly; it is just learning the intricacies that makes it complex. Once you know the basics it makes sense. It is exactly how I learned Cisco.
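Two of the questions in this thread, how to find "stale" rules that nobody uses any more and what rules look like in raw format, can be answered together on a Linux/iptables firewall. The following is an added example written for this page, not code from anyone in the thread. It uses the text format that `iptables-save -c` prints (each rule prefixed with `[packets:bytes]` hit counters) and two constructed snapshots taken at the start and end of a review window: a rule whose packet counter did not move across the window is a candidate for disabling, and a single zero counter is deliberately not enough, because counters reset on reboot or on `iptables-restore`. The addresses, ports and rule comments in the snapshots are made up.

```python
# Stale firewall rule review from two `iptables-save -c` snapshots.
# Added example, not from the thread; the snapshot data is constructed.
import re
from dataclasses import dataclass

# Constructed snapshots in iptables-save -c format: each rule line starts with
# [packets:bytes] counters. Addresses, ports and comments are made up.
SNAPSHOT_START = """\
*nat
:PREROUTING ACCEPT [0:0]
[48213:2891412] -A PREROUTING -d 203.0.113.10/32 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.21:443
[17:1020] -A PREROUTING -d 203.0.113.10/32 -p tcp --dport 110 -j DNAT --to-destination 10.0.0.30:110
COMMIT
*filter
:FORWARD DROP [0:0]
[48213:2891412] -A FORWARD -d 10.0.0.21/32 -p tcp --dport 443 -m comment --comment "web-prod" -j ACCEPT
[17:1020] -A FORWARD -d 10.0.0.30/32 -p tcp --dport 110 -m comment --comment "old-pop3" -j ACCEPT
[912:61240] -A FORWARD -s 10.0.0.21/32 -d 10.0.0.50/32 -p tcp --dport 1433 -j ACCEPT
[0:0] -A FORWARD -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

SNAPSHOT_END = """\
*nat
:PREROUTING ACCEPT [0:0]
[99120:5911800] -A PREROUTING -d 203.0.113.10/32 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.21:443
[17:1020] -A PREROUTING -d 203.0.113.10/32 -p tcp --dport 110 -j DNAT --to-destination 10.0.0.30:110
COMMIT
*filter
:FORWARD DROP [0:0]
[99120:5911800] -A FORWARD -d 10.0.0.21/32 -p tcp --dport 443 -m comment --comment "web-prod" -j ACCEPT
[17:1020] -A FORWARD -d 10.0.0.30/32 -p tcp --dport 110 -m comment --comment "old-pop3" -j ACCEPT
[1840:123900] -A FORWARD -s 10.0.0.21/32 -d 10.0.0.50/32 -p tcp --dport 1433 -j ACCEPT
[0:0] -A FORWARD -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# "[pkts:bytes] -A CHAIN <rest of rule>"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


@dataclass(frozen=True)
class Rule:
    table: str
    chain: str
    spec: str  # match and target text after "-A CHAIN"

    def key(self):
        return (self.table, self.chain, self.spec)


def parse_snapshot(text):
    """Return {rule_key: packet_count} for every -A line in an iptables-save -c dump."""
    counters = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # "*nat", "*filter": table header
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if m and table:
            counters[Rule(table, m.group(3), m.group(4)).key()] = int(m.group(1))
    return counters


def stale_rules(start, end):
    """Rules present in both snapshots whose packet counter did not move.

    A negative delta means the counters were reset in between (reboot or
    iptables-restore); such rules are skipped rather than flagged.
    """
    return [key for key, pkts in end.items()
            if key in start and pkts - start[key] == 0]


def broad_accepts(counters):
    """Filter-table ACCEPT rules that match any protocol and any port."""
    return [k for k in counters
            if k[0] == "filter" and "-j ACCEPT" in k[2]
            and "-p " not in k[2] and "--dport" not in k[2]]


def review(start_text, end_text):
    """Produce the review findings for a window bounded by two snapshots."""
    start, end = parse_snapshot(start_text), parse_snapshot(end_text)
    return {
        "stale": sorted(stale_rules(start, end)),
        "broad": sorted(broad_accepts(end)),
        "rule_count": len(end),
    }


if __name__ == "__main__":
    report = review(SNAPSHOT_START, SNAPSHOT_END)
    for table, chain, spec in report["stale"]:
        print(f"no traffic this window: {table}/{chain}: {spec}")
    for table, chain, spec in report["broad"]:
        print(f"broad ACCEPT (any proto/port): {table}/{chain}: {spec}")
```

On the constructed data the review flags the POP3 DNAT rule and its matching FORWARD rule (no hits across the window, consistent with a decommissioned mail service) and the `-s 10.0.0.0/8 -j ACCEPT` rule, which is both unused and too broad. The same idea works with any firewall that exposes per-rule hit counters; only the parser changes. Findings are candidates for the change process described above (disable first if the appliance allows it, delete later), not an automatic deletion list.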
