Solved

Firewall Management

Posted on 2011-03-22
299 Views
Last Modified: 2012-05-11
Can I ask some questions about management of perimeter defences?

Say you have a Firewall/IDS, installed to supplier best practice.

What are the responsibilities of a firewall admin after it's live? Am I correct in thinking an IDS is similar to AV in that you need to keep getting updated definitions to protect against attacks? How frequently are they released?

Are there security patches for such products? If so, what kinds of vulnerabilities do these patch? Could one (if exploited) bring down or disable the firewall/IDS, or is that a bit dramatic? What's the potential impact?

I believe firewalls are based on rules? When will rules need to be reviewed, i.e. what internally will affect whether a rule base needs to be reviewed, and can you test for perhaps "stale rules", i.e. unnecessary rules, those that aren't being utilised and could potentially be disabled? If so, how do you go about this?

How can you test your firewall from the outside, is it an easy task or very very complex?
Question by: pma111
Accepted Solution by Hutch_77 (earned 250 total points)
What are the responsibilities of a firewall admin after it's live? Am I correct in thinking an IDS is similar to AV in that you need to keep getting updated definitions to protect against attacks? How frequently are they released?

This depends on the contract. If you set it up and end it at that, it is the responsibility of the company to maintain. Otherwise logs, updates and changes would be needed on a semi-regular basis. The updates are less regular than an AV solution but can be as regular as a Windows update. It really depends on what the appliance needs and when. I know Ciscos are fairly rare as they are more of a designed firewall, but SonicWall uses more of the appliance-type rules you are speaking of and it checks regularly.

Are there security patches for such products? If so, what kinds of vulnerabilities do these patch? Could one (if exploited) bring down or disable the firewall/IDS, or is that a bit dramatic? What's the potential impact?

Yes, there are security patches. The vulnerabilities can only be explained in the change log by the company. The potential impact is a hole in the firewall, and it can bring it down.

I believe firewalls are based on rules? When will rules need to be reviewed, i.e. what internally will affect whether a rule base needs to be reviewed, and can you test for perhaps "stale rules", i.e. unnecessary rules, those that aren't being utilized and could potentially be disabled? If so, how do you go about this?

Firewalls are very rule based at their heart and should only need to be changed when a change is needed, i.e. removal of a web server: remove the rule; addition of a VPN: add the VPN rules. Without knowing the real infrastructure you can't really answer what all could be affected. Anything that NEEDS internet accessibility, e.g. Exchange, web servers, would require rules.
Disabling the rules is dependent on the appliance; sometimes you can just disable if you see the need for it in the future, sometimes it is a deletion.

How can you test your firewall from the outside, is it an easy task or very very complex?

You can run hacks against the firewall trying to sniff out the open ports and gain access through them. You can pay someone to do it and report what vulnerabilities you have. If you know what to look for it is not terribly hard. If you don't, it is complex. There are a lot of utilities out there specifically for this; most are for hackers specifically, but with permission from the company they are perfectly legal to use.
Author Comment by pma111
Is it pretty common for people to leave rules that can leave the perimeter vulnerable to attack?

Or pretty unheard of in a knowledgeable IT shop?

Re the tools you list can you provide some examples?

is it one rule per server? I.e. if you have 50 web servers talking to 50 database servers, is it likely you'll have 50 firewall rules showing the web server can talk to the database server? 50 VPN connections, 50 VPN rules?

Would you be willing to show some sample rules/examples that will be in place in most IT environments so I can familiarise myself with them?

Cheers
Expert Comment by Hutch_77
Is it pretty common for people to leave rules that can leave the perimeter vulnerable to attack?

This really depends on who is running the firewall. Does it happen? Yes. Should it happen? No.

Or pretty unheard of in a knowledgeable IT shop?

It still happens, as it sometimes gets lost in the amount of work, as the firewall is often, especially in an SMB, managed by the same staff running everything else.

Re the tools you list can you provide some examples?
Sam Spade is a good all-around application for vulnerabilities. I would also do some reading on white hat hackers; it will point you more in the right direction for this.

is it one rule per server? I.e. if you have 50 web servers talking to 50 database servers, is it likely you'll have 50 firewall rules showing the web server can talk to the database server? 50 VPN connections, 50 VPN rules?
For something like that I would look more at a tunnel with a single rule allowing the SQL port to be available to all the web servers.

Would you be willing to show some sample rules/examples that will be in place in most IT environments so I can familiarise myself with them?

NAT rules are very common, which is basically pointing an external IP and port to an internal IP and port.
SMTP, POP3 and 443 ports would be common.
It is hard to give specifics beyond that as the way you manage the firewall and what firewall you have can look very different.
Author Comment by pma111
And with regard to IDS definitions are they released more regularly than firewall security patches?

Could you show me what firewall rules look like in raw/edited format? Are they user friendly or just lines of random spaghetti code :-)?
Expert Comment by Hutch_77
The IDS will be more frequent, but it really depends on the manufacturer, and most are automatic, much like AV.

I can't really give you a rule, but most appliances have two options: you can get the basic web interface, which helps you build, then you get the more raw command line, which gives you more flexibility. Once you learn the code it is very user friendly; it is just learning the intricacies that makes it complex. Once you know the basics it makes sense. It is exactly how I learned Cisco.
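Added example, not from the thread or any participant: the accepted solution says stale rules can be checked for but not how, and the last reply says what raw rules look like without showing one. The script below parses a constructed `iptables -L -v -n -x` style dump (the per-rule hit counters a Linux firewall keeps) and flags rules with no traffic since the counters were last reset; the interfaces, addresses and ports are made up.

```python
from dataclasses import dataclass

# Constructed sample of `iptables -L FORWARD -v -n -x` output (not from the thread).
# The first two columns are per-rule packet and byte counters; everything else is
# the rule itself: target, protocol, interfaces, source, destination, match options.
SAMPLE_COUNTERS = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 1834920 2291870234 ACCEPT     tcp  --  eth0   dmz0    0.0.0.0/0            10.0.1.10            tcp dpt:443
   40211    2510442 ACCEPT     tcp  --  eth0   dmz0    0.0.0.0/0            10.0.1.20            tcp dpt:25
       0          0 ACCEPT     tcp  --  eth0   dmz0    0.0.0.0/0            10.0.1.30            tcp dpt:80
  912003 1023991022 ACCEPT     tcp  --  dmz0   lan0    10.0.1.0/24          10.0.2.5             tcp dpt:1433
       0          0 ACCEPT     udp  --  eth0   lan0    203.0.113.9          10.0.2.0/24          udp dpt:1194
"""

@dataclass
class Rule:
    index: int      # position in the chain, as iptables -L --line-numbers shows it
    packets: int
    target: str
    proto: str
    src: str
    dst: str
    match: str      # trailing match options such as "tcp dpt:443"

def parse_counters(text):
    """Turn the rule lines of an `iptables -L -v -n -x` dump into Rule objects."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Rule lines begin with two integer counters; chain and column headers do not.
        if len(parts) < 9 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        rules.append(Rule(len(rules) + 1, int(parts[0]), parts[2], parts[3],
                          parts[7], parts[8], " ".join(parts[9:])))
    return rules

def stale_rules(rules, max_packets=0):
    """Rules with at most max_packets hits since the counters were last reset.
    Counters reset on reboot or ruleset reload, so a zero means 'unused in this
    window': a review candidate, not proof the rule is unnecessary."""
    return [r for r in rules if r.packets <= max_packets]

def report(rules):
    """One line per review candidate, ready to hand to whoever owns the rule base."""
    return [f"rule {r.index}: {r.target} {r.proto} {r.src} -> {r.dst} {r.match}"
            f" ({r.packets} packets)" for r in stale_rules(rules)]
```

Compare dumps taken over a full business cycle before disabling anything, since rules for rare events (a quarterly batch job, a backup VPN) sit at zero for long stretches and are still needed.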