Discussion - Firewall and VPN Management Techniques
Network Security, Firewalls,
and VPNs
Lesson 5
Firewall and VPN Management Techniques
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
1
Learning Objectives
Assess firewall design strategies.
Follow the creation of an example VPN implementation.
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
2
Key Concepts
Purpose of written firewall policies
How reverse proxy and port forwarding enhance internal network security
Use of protected DMZs and publicly facing bastion hosts for providing security
Strategies for Internet and private network separation
Planning and selecting an appropriate VPN solution for an organization
Remote access alternatives to VPN
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
3
Written Firewall Policy
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
A written firewall policy provides several benefits and serves several purposes, such as:
A guide for installation
A guide for configuration
A tool to assist in troubleshooting
A guideline to detect changes and differences
A mechanism to ensure consistent filtering across all firewalls
3/5/18
4
Guide for installation/config
Troubleshooting tool
Guideline for detecting changes
Mechanism for consistency
What a Written Firewall Policy Includes
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
5
Security zones
Type of firewall
Ruleset
Logging
Backups
More
VPNs and Remote Access
Host-to-gateway VPN
Gateway-to-gateway VPN
Types of VPNs and remote access:
Operating system-based VPNs
VPN appliance
Remote Desktop Protocol
Remote control tools, such as pcAnywhere
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
6
VPN Appliance
Some firewalls have virtual private networking built into them
Some stand-alone VPN appliances work in conjunction with a firewall
Internet
Firewall
VPN
Network
Remote user
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Appliances come in all shapes and sizes. The larger the number of remote users the more likely the network will require a dedicated VPN. In the next slide we talk about the range of security risks we see clients having.
3/5/18
7
Constructing and Ordering Firewall Rules
Rule sets are about enforcing security relevant to the organization
Use fewer rules rather than more rules
Getting rules out of order causes unexpected and unwanted consequences
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
8
Constructing and Ordering Firewall Rules
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Placement:
Critical denial exceptions first or early in the rule set
Rules related to more common traffic earlier in the set rather than later
Universal denial rule should be the last rule
3/5/18
9
Critical denial exceptions
Rules for common traffic
Universal denial rule
What Should You Allow and What Should You Block?
Perform complete inventory
Include:
Protocol in use
Port(s) in use
Likely source and destination addresses
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
10
What Should You Allow and What Should You Block?
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
11
What to Block
All Internet control message protocol (ICMP) traffic originating from the Internet
Any traffic directed specifically to the firewall
Any traffic to known closed ports
Any traffic to known ports of known malware, such as 31337, used by Back Orifice
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
12
What to Block (Cont.)
Inbound Transmission Control Protocol (TCP) 53 to block external DNS zone transfer requests
Inbound User Datagram Protocol (UDP) 53 to block external DNS user queries
Any traffic from IP addresses on a blacklist
Any traffic from internal IP addresses that are not assigned
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
13
Planning an Openswan Deployment
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Verify your system meet requirements
Set up Linux VPN box as a firewall also
If your firewall does NAT, disable NAT
Networks at both ends of VPN tunnel must use different IP address ranges; for example, if internal network = 192.168.0.1 to 192.168.0.254, other network may use 192.168.1.1 through 192.168.1.254
Permanent site-to-site VPNs require firewalls at both ends that use static IP addresses
3/5/18
14
Verify system reqs
Set up firewall
Configure IP addresses
Disable NAT on firewall
Openswan Sample Topology
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Log in to management interface
Update software
Enable additional services, if necessary
Create inbound and outbound rules
Configure QoS
3/5/18
15
Installing Openswan
Unpack Openswan source files
Install options:
Userland-only
KLIPS
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
16
Installing Openswan
KLIPS installation
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
17
Deploying Openswan
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
18
Start Openswan on both VPN devices
Initialize tunnel
Testing Openswan
Allow UDP 500 and ESP (protocol 50) through the firewall
Run ipsec verify command
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
19
Reverse Proxy
Reverse proxy allows access to internal Web site content from the public network
Benefits
Enhanced security
Encryption
Reverse caching
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Benefits
Enhanced security: No direct access to internal Web servers from the public network
Encryption: The proxy server can function as the encryption endpoint, allowing for packet inspection of traffic destined for the Web server
Reverse caching: Increased performance because Web pages are cached on the proxy server
3/5/18
20
Port Forwarding
Receipt of IP traffic based on IP/port number
IP/port number forwards to another IP/port number
Benefits
Ability to utilize a single public IP address
Maps to multiple other internal destinations
No direct connectivity to internal resources
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
21
Combining Port Forwarding with NAT
Private IP addresses of the internal systems are masked from the public network
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
By adding NAT to a port forwarding configuration, the private IP addresses of the internal systems are masked from the public network
3/5/18
22
Alternatives to VPNs
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
23
Terminal Services
Remote in to servers
Host entire desktops
Microsoft DirectAccess
Windows-based
High administrative control
pcAnywhere
Remote control solution
Windows, Linux, and Mac OS X
Bastion Hosts
Simple single-layer architecture
Reside outside of the firewall or in the demilitarized zone (DMZ)
Typically serve as the first point of connection from the Internet
Can be a software or hardware solution
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
24
Categories of Bastion Hosts
Proprietary OS
Built specifically to be bastion hosts
General-Purpose OS
Serve as client or server Oss
Can be configured to serve as bastion hosts
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
25
Bastion Host Placement
Ingress/egress architecture with a bastion host in the DMZ
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
26
Separating Public from Private Resources
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
An aspect of defense-in-depth is to deploy multiple subnets in series to separate private resources from public. This is known as an N-Tier deployment. N represents
the number of subnets under private control.
3/5/18
27
Who Requires Remote Access?
Salespeople on the road
Field technicians
Consultants working in customer work sites
Who else?
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
28
Do You Need a VPN?
Does your organization:
Traffic in sensitive data?
Employ telecommuters, traveling employees, or other remote workers?
Already use Secure Sockets Layer (SSL)-–encrypted Internet pages?
Have more than a few employees?
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
29
Summary
Purpose of written firewall policies
How reverse proxy and port forwarding enhance internal network security
Use of protected DMZs and publicly facing bastion hosts for providing security
Strategies for Internet and private network separation
Planning and selecting an appropriate VPN solution for an organization
Remote access alternatives to VPN
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3/5/18
30
Virtual Labs and Required Text
Configuring a VPN Client for Secure File Transfers
Read Chapters 8 & 14
Page ‹#›
Network Security, Firewalls, and VPNs
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Use the following script to introduce the lab:
“A key part of this lesson explored the process of planning for and selecting an appropriate VPN solution for an organization. Focusing on the Openswan VPN product, you learned practical tips for installing and testing a VPN implementation.
In the lab for this lesson, Configuring a VPN Client for Secure File Transfers, you’ll configure a VPN client to connect to a Linux Debian Openswan VPN. Then you’ll use Wireshark to examine tunneled VPN traffic (that is, traffic protected by the IPsec protocol) and compare it with non-tunneled traffic. You’ll also look at the detailed packet interactions of the File Transfer Protocol, or FTP, and Secure Shell, or SSH, protocol.”
3/5/18
31