
QUESTION

Review the following document: Firewall implementation Document.

1. Firewall implementation planning document

Survey of Use

A firewall is a network security device or software that imposes a technological barrier to access and use of network assets while permitting authorized communications. It can be programmed to permit or deny communications based upon rules and other criteria. It can be used as a perimeter defense of a network or internally at a transition point to make a section of the network private. It may act as a proxy server hiding the true network addresses.

Scope

Firewalls provide protection for Internet-facing servers. This includes Web servers, e-mail servers, File Transfer Protocol (FTP) servers, and more. An organization must protect against attackers who try to gain access to information and resources within the internal network, such as servers and workstations. Servers can host massive amounts of data that can be invaluable if attackers can gain access to it. Database servers may host personally identifiable information (PII) about customers, including their credit card data. Domain Name System (DNS) servers host information such as the Internet Protocol (IP) addresses and names of all systems in the network.

Firewalls can permit or deny communication traffic by:
• Port
• Type of communication: Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)
• Direction (inbound or outbound)
• Application
• Originating IP address
• Several other criteria depending on the flexibility of the firewall product in use

Firewalls can redirect traffic (address forwarding), masking the actual addresses of the network they protect (proxy server). Firewalls that are stateful may inspect datagrams and some even do virtual reassembly when large amounts of data are fragmented into many datagrams. 

Firewall implementation planning must include:
• A well-defined security policy that sets standards for the network, users, and so on
• Bandwidth of the network
• Firewall strategy: single firewall, multi-homed firewall for a perimeter network, two firewalls in a demilitarized zone (DMZ)
• Firewall features that meet business and security needs. Consider:
  • Security assurance: Independent assurance that the relevant firewall technology fulfills its specifications
  • Privilege control: The degree to which the product can impose user access restrictions
  • Authentication: The ability to authenticate clients and allow different types of access control for different users
  • Audit capabilities: The ability to monitor network traffic, generate logs, and provide statistical reports
  • Flexibility: Open enough to accommodate the security policy of your organization, as well as allow for changes
  • Performance: Fast enough so that users don't notice the screening of packets
  • Availability: Able to perform under ordinary and extraordinary (attack) situations
  • Scalability: Able to handle additional workload to accommodate organizational growth
  • Initial purchase: Cost of the firewall and staff training

Tip: Have a single firewall device with redundant components, or pair the firewall with redundant firewalls incorporating either failover or load-balancing mechanisms.

Address Space

You will need to assign IP addresses to the interfaces in your firewalls. Find out if your Internet service provider (ISP) will give you a Dynamic Host Configuration Protocol (DHCP) address or a static IP address. Most ISPs use DHCP to dynamically allocate IP address space, so you would get a non-static IP address, which applies to your untrusted interface/network segment, such as the Internet. A trusted (internal) interface uses a different address.

If the firewall routing device is in the DMZ, use static IP addressing. If you set up network address translation (NAT), you will need to know how many nodes or machines you will have on each network. The three network spaces defined by the Internet Engineering Task Force for NAT networks are:
• 10.0.0.0 - 10.255.255.255 (10/8 prefix)
• 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
In the DMZ, select a network space appropriate for the number of hosts/networks you will require.

Technologies in Use

A stateful firewall keeps track of network connections such as TCP streams and UDP communication travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall.

An application firewall operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall at Open Systems Interconnection (OSI) layer 7 (applications). Typically, it monitors one or more specific applications or services (examples: Web and database services). A stateful firewall can provide access controls to any type of network traffic, while an application firewall is highly specialized. There are two types of this kind of firewall: network-based and host-based.

Support Skill Set

Information technology (IT) professionals responsible for network security need to have a broad set of skills. They also need to understand concepts such as compartmentalization and be vigilant in producing relevant support documentation. They need to be very familiar with the concepts of systems security, network infrastructure, access controls, assessments and audits, cryptography, and organizational security. In many cases, they need to understand physical security, because physical access to equipment like firewalls by the uninvited can severely undermine the security of the entire network.

Vendors that sell firewalls provide support for them. This includes providing prompt access to technical expertise for installation, use, and maintenance. It may also include training. Compare support options from your prospective vendors to ensure you will be provided with the support you need.

2. Firewall Security Strategies

Security through obscurity

By configuring systems in a way that does not follow normal patterns and is not easily understandable, security through obscurity can be obtained. By utilizing abnormal configurations, the probability of exploitation is reduced and a level of protection is obtained. Administrators seek security through obscurity by performing one or more of the following actions:
• Modification of default ports
• Spoofing of banners or headers
• Utilization of extraordinarily long Uniform Resource Locators (URLs)
• Utilizing uncommon protocols or operating systems
Keep in mind that this strategy may instill a false sense of security. Because attackers have multiple methods to scan against system configurations, utilizing this as the only security mechanism is like using nothing at all.

Least privilege

This strategy requires that each user or group that requires access to resources be explicitly granted permission. Because all resource access would be denied by default, each individual access need would have to be individually addressed. When least privilege is employed, there is often a dramatic increase in administrative overhead as a direct result. Least privilege is preferred for administrative scenarios.
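The rule criteria (port, protocol, direction, source address), the private address ranges, stateful inspection, and the deny-by-default least-privilege strategy described above, combined in one small packet-filter simulation. This is an added example and not part of the original document; the trusted network 192.168.10.0/24, the rule set and the sample packets are constructed assumptions.

```python
"""Default-deny, stateful packet filter simulation (added example, not from the document)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: the trusted LAN uses an RFC 1918 range; the untrusted
# interface faces the Internet.
TRUSTED_NET = ip_network("192.168.10.0/24")
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    direction: str   # "out" (trusted -> untrusted) or "in" (untrusted -> trusted)


# Explicit permits for NEW connections; anything not listed is denied (least privilege).
# Each rule: (direction, protocol, destination port, permitted source network)
RULES = [
    ("out", "tcp", 443, TRUSTED_NET),               # LAN clients may reach HTTPS servers
    ("out", "udp", 53, TRUSTED_NET),                # LAN clients may query DNS
    ("in", "tcp", 443, ip_network("0.0.0.0/0")),    # anyone may reach the public web server
]


class StatefulFilter:
    def __init__(self):
        # Established flows, keyed by the 5-tuple of the packet that opened them.
        self.state = set()

    def decide(self, pkt):
        src = ip_address(pkt.src)
        # Anti-spoofing: a packet arriving from the Internet can never legitimately
        # carry a private (RFC 1918) source address.
        if pkt.direction == "in" and any(src in net for net in PRIVATE_NETS):
            return "DROP spoofed"
        # Reply traffic of an established flow matches the reversed 5-tuple.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
            return "ACCEPT established"
        # New connection: only an explicit permit lets it through and creates state.
        for direction, proto, dport, net in RULES:
            if (pkt.direction, pkt.proto, pkt.dport) == (direction, proto, dport) and src in net:
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return "ACCEPT new"
        return "DROP default"
```

Note that the reply to an outbound HTTPS request is accepted only because the outbound packet created state first; the same inbound packet to a port with no flow is dropped.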

Simplicity

This strategy reinforces that the selected solution should remain simple. By retaining a simple solution, the potential for error in configuration, bugs, or other problems is reduced.

Defense in Depth

This strategy emphasizes a layered approach. The use of multiple safeguards ensures that no single system becomes a single point of failure whose breach compromises the whole. The characteristics of a defense-in-depth strategy are:
• Public networks are separate from private networks
• Multiple security controls are implemented
• Redundant security controls are implemented
• Consists of multiple tiers or layers

Diversity of Defense

Diversity of defense is similar to defense in depth in terms of layered approach. The distinction is that diversity of defense implements each of those layers with a different technology.

Chokepoint

A chokepoint forces all traffic through a single pathway to ensure that security checks take place. This strategy is only valuable if the chokepoint is hard to bypass or skip around. Additionally, because all traffic is funneled into the single pathway, issues regarding bandwidth constraints or performance problems may arise.

Weakest Link

Because all environments have a weakest link, this strategy subscribes to the continuous process of identifying the weakest link and eradicating it.

Fail-safe

Failure is destined to occur on security systems, and when it does, a strategy for handling the failure should already be in place. When a failure occurs and a fail-safe is triggered, there are two possible reactive choices:
• Fail-open: Security systems fail, but in order to maintain availability, network communications are allowed to continue.
• Fail-closed: When security fails, the network pathway is closed and traffic flow does not continue, in order to retain security and integrity.
Fail-safe is a strategy that is most often used in conjunction with other strategies.

Forced Universal Participation

When it comes to selecting a security strategy, it is important that all users and groups involved in its execution are supportive. End users are a potentially exploitable key for an attacker to utilize in order to gain unauthorized access to a network environment. When end users intentionally or inadvertently do not follow security principles, an attacker can more readily cause a breach in the security systems. A good example of this is when users write down their user name and password information and store them in plain sight. Without buy-in to the selected security strategy and a commitment to following protocol, there is a higher probability of breach. Selecting and following through with the implementation of a forced universal participation strategy will ensure that security policies are observed.

3. Firewall Monitoring Tools

The following tools are used to monitor firewalls:
• Nmap: A network mapper, port scanner, and operating system (OS) fingerprinting tool. It can check the state of ports, identify targets, and probe services.
• Netstat: A simple command-line tool used to list the current open, listening, and connection sockets on a system.
• Tcpview: A graphical user interface (GUI) tool used to list the current open, listening, and connection sockets on a system, as well as the service or program related to each socket.
• Fport: A command-line tool used to list the current open, listening, and connection sockets on a system, as well as the service or program related to each socket.
• SNORT: An open source, rule-based IDS that can detect firewall breaches.
• Nessus: An open source vulnerability assessment engine that can scan for known vulnerabilities.
• Wireshark: A free packet capture, protocol analyzer, or sniffer that can analyze packets or frames as they enter or leave a firewall.
• NetWitness Investigator: Threat analysis software that captures raw packets from wired and wireless interfaces. The software focuses more on the data the packets contain rather than the packets themselves.
• Netcat: A hacker tool that creates network communication links by using User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) ports that support the transmission of standard input and output. The Netcat tool commonly creates covert channels to control a target system remotely or bypass a firewall. The tool can also test a firewall's ability to detect and block covert channels. The Cryptcat tool offers similar capabilities by using encryption.
• BackTrack: A Linux distribution that includes hundreds of security and hacking tools, including Nessus and Metasploit. The BackTrack tool can perform attacks against or through a firewall for testing purposes.
• Syslog: A centralized logging service that hosts a duplicate copy of log files. The Syslog tool provides a real-time backup of every log on every participating host.

4. Limitations of Firewalls

Some of the limitations of a firewall are as follows:
• Exploitable programming bugs: Whether a firewall is software- or hardware-based, it is run by software written by people, so there are chances of code errors being introduced.
• Buffer overflow: A buffer overflow occurs when a program tries to store too much data in a buffer, exceeding the buffer's capacity. The overflow is usually the result of poor programming and can result in memory-based and code injection attacks and, consequently, system crashes.
• Fragmentation: Most packets or datagrams are broken into smaller packets before being transferred over a network. Fragmentation occurs when packets are improperly reassembled at the destination. Attackers can infiltrate the reassembly process, resulting in overlapping packets and overrun packets, both of which can be used in attacks.
• Firewalking: A technique used by an external attacker to learn about a firewall's configuration. Then, the attacker can find ways to bypass the firewall to reach the internal network.
• Internal code planting: Attackers place malicious code on an internal system or trick an internal user into opening a malicious program or clicking a malicious link. The results in

Question

  1. Discuss why the following list of entities must be protected in this context (what are the risks) and what are ways in which each of the following entities can be protected in this context?
  • Network
  • Servers
  • Clients
  • Other resources
  • Information/data
  1. Describe at least one risk to each of the above entities.
  2. Describe at least one method for protecting each of the above entities.