This book covers the leading firewall products: Cisco PIX, Check Point NGX, Microsoft ISA Server, Juniper's NetScreen Firewall, and SonicWall. It describes in plain English what features can be controlled by a policy, and walks the reader through the steps for writing the policy to fit the objective. Because of their vulnerability and their complexity, VPN policies are covered in more depth with numerous tips for troubleshooting remote connections.
? The only book that focuses on creating policies that apply to multiple products.
? Included is a bonus chapter on using Ethereal, the most popular protocol analyzer, to monitor and analyze network traffic.
? Shows what features can be controlled by a policy, and walks you through the steps for writing the policy to fit the objective at hand
A firewall is as good as its policies and the security of its VPN connections. The latest generation of firewalls offers a dizzying array of powerful options; they key to success is to write concise policies that provide the appropriate level of access while maximizing security. This book covers the leading firewall products: Cisco PIX, Check Point NGX, Microsoft ISA Server, Juniper's NetScreen Firewall, and SonicWall. It describes in plain English what features can be controlled by a policy, and walks the reader through the steps for writing the policy to fit the objective. Because of their vulnerability and their complexity, VPN policies are covered in more depth with numerous tips for troubleshooting remote connections.* The only book that focuses on creating policies that apply to multiple products.* Included is a bonus chapter on using Ethereal, the most popular protocol analyzer, to monitor and analyze network traffic.* Shows what features can be controlled by a policy, and walks you through the steps for writing the policy to fit the objective at hand
Front Cover 1
Firewall Policies and VPN Configurations 4
Copyright Page 5
Contents 14
Part I: Security Policy 24
Chapter 1. Network Security Policy 26
Introduction 27
Defining Your Organization 29
Different Access for Different Organizations 42
Untrusted Networks 46
Summary 65
Solutions Fast Track 66
Frequently Asked Questions 67
Chapter 2. Using Your Policies to Create Firewall and VPN Configurations 70
Introduction 71
What Is a Logical Security Configuration? 72
Planning Your Logical Security Configuration 73
Writing Logical Security Configurations 83
Summary 90
Solutions Fast Track 90
Frequently Asked Questions 92
Part II: Firewall Concepts 94
Chapter 3. Defining a Firewall 96
Introduction 97
Why Have Different Types of Firewalls? 97
Back to Basics—Transmission Control Protocol/Internet Protocol 106
Firewall Types 121
Application Proxy 122
Gateway 126
Summary 137
Solutions Fast Track 138
Frequently Asked Questions 139
Chapter 4. Deciding on a Firewall 146
Introduction 147
Appliance/Hardware Solution 147
Software Solutions 198
Summary 223
Solutions Fast Track 227
Frequently Asked Questions 229
Part III: VPN Concepts 232
Chapter 5. Defining a VPN 234
Introduction 235
What Is a VPN? 235
Public Key Cryptography 244
IPSec 247
SSL VPNs 259
Layer 2 Solutions 267
SSH Tunnels 272
Others 280
Summary 285
Solutions Fast Track 285
Frequently Asked Questions 287
Chapter 6. Deciding on a VPN 290
Introduction 291
Appliance/Hardware Solution 294
Software Solutions 313
Summary 324
Solutions Fast Track 325
Frequently Asked Questions 326
Part IV: Implementing Firewalls and VPNs (Case Studies) 328
Chapter 7. IT Infrastructure Security Plan 330
Introduction 331
Infrastructure Security Assessment 331
Project Parameters 380
Project Team 389
Project Organization 389
Project Work Breakdown Structure 390
Project Risks and Mitigation Strategies 395
Project Constraints and Assumptions 397
Project Schedule and Budget 398
IT Infrastructure Security Project Outline 399
Summary 401
Solutions Fast Track 402
Chapter 8. Case Study: SOHO (Five Computers, Printer, Servers, etc.) 408
Introduction 409
Employing a Firewall in a SOHO Environment 418
Introducing the SOHO Firewall Case Study 419
Designing the SOHO Firewall 420
Summary 429
Solutions Fast Track 430
Frequently Asked Questions 431
Chapter 9. Medium Business (< 2000 People)
Introduction 433
Mapping Your Systems 434
Improving Accountability with Identity Management 453
VPN Connectivity 480
Summary 483
Solutions Fast Track 483
Frequently Asked Questions 485
Index 488
Using Your Policies to Create Firewall and VPN Configurations
Topics in this chapter:
■ Logical Security Configuration
■ Writing Firewall and VPN logical Security Configurations
☑ Summary
Introduction
As we learned in the previous chapter, securing your network starts with creating various security policies that articulate the rules, requirements, standards, and recommendations specific to your environment. As our businesses depend more and more on networks and the resources they provide, it is increasingly important that we protect these resources from unauthorized access, attacks, and exploits against vulnerabilities. As security professionals, our success is not dependant on fixing these inherent and ongoing problems, but relies on our abilities to select, implement, and configure solutions that protect our resources. The threats, attacks, and abuse will always be present as long as we have networks and provide services on those networks. It all starts with written security polices, which are our roadmaps—and the single most important documents you can have. Whether it is an Acceptable Use Policy, Remote User VPN Policy, or the Perimeter Access Policy, each will have a long-term impact on the security of your network.
Unfortunately, security policies are afterthoughts in many companies. It is not uncommon to find companies that have selected a security product, vendor, or even a complete security solution without ever writing a security policy. As a result, the security posture of these networks is ineffective in many respects. Their configurations and rules probably do not reflect the requirements or desires of the organization. In other situations in which security policies are not an afterthought, it is common to find that those policies are outdated and probably had little or no impact on the product selection or configurations of their security solutions. The most successful organizations with respect to strong security have a commonality between them—security policies. They review, update, and leverage best practice security principals when selecting and configuring their security solutions.
Another area commonly overlooked is security policy sponsorship. As important as developing the policies themselves, it is equally as important to get sponsorship for their content and implementation. This helps drive and support the entire process you will go through when creating, maintaining, and implementing your security solutions. Many organizations spend the time, resources, and money to create security policies, and fail to support them after their initial creation. Their failures are usually not a result of their efforts or even part of the original plan. Many recommendations and policies never get implemented or enforced long term because of two key missing elements: sponsorship and acceptance.
Sponsorship is key because it provides the support by someone who has authoritative power in the organization to oversee your success. This entire process is largely a team effort and without a sponsor, it will become challenging and often difficult to complete all the steps necessary to develop and implement the organizational policies.
Equally important is the acceptance and understanding from the entire team on the project goals and charter. While it might be impossible to always get 100 percent from everyone on the team, everyone must agree to support the team decisions and help enforce the policies. This is an area in which facilitation skills have a major impact. Helping lead others to understand the positive impact the policies will have on them personally will aid in their long-term support. If an individual or group of people does not general accept or believe in the goals, why would they support them? Finally, keep in mind that everyone on the team should have input and understand his or her participation is critical to the success of the project.
This chapter discusses how to take your written security policies and convert them into logical security configurations. Logical security configurations are used by technical administrators to guide them through the implementation and configuration of your firewall and VPN devices. You might be thinking that we have yet to discuss a specific firewall or VPN appliance. Well, you are right! In fact, this is a mistake commonly made by security professionals when they go through this step. By abstracting vendor-specific technology or features, you are able to think about the goals of the policies versus writing policy around a vendor’s product. This step might seem somewhat insignificant; however, it is a vital step that should not be overlooked or skipped. The primary goal of this chapter is to create concise and clear objectives that are specific to actual configurations of the firewall and VPN devices.
Note
It is important to understand these processes are not the end-all, be-all of security policy development. They are guidelines and should be interpreted as such. In addition, it is easy to stray from the goals of this step, which is to develop effective and clear running configurations for your devices.
What Is a Logical Security Configuration?
Once you have developed and received approval for your written security policies, the next major step is to convert them into logical security configuration documents. You might ask, what is a logical security configuration and how is it different from an actual configuration you will create for your firewall or VPN device? This is a great question, and one that is might or might not be easily answered. Logical security configurations are documents that interpret written security policy requirements and define configuration requirements for a specific type of enforcement device, like a firewall or VPN products. Based on standard capabilities of these various devices, these documents will be used to build device-specific configurations that ultimately enforce your policy requirements.
For example, a firewall device provides access control between different networks to which it connects. At a basic level, they will provide these controls from Layer 3 and layer headers, which include source IP, destination IP, source port, and destination port. Even though you might select two different firewall devices for your network, this information will be important as the administrator configures the device. Keep in mind that we are not discussing or using actual features found in a specific vendor’s product or solution offerings. Instead, we are creating a logical configuration that will map our written security policy to the common capabilities of these devices.
While there is not a definitive correlation of logical configurations to written policies or logical configurations to specific devices, it is important that you create documents that can be easy to maintain and have focus. As a result, we recommend creating logical configurations for each group or type of devices you will be using in your environment. For our example, Example Corporation, we have created the following five categories and will create a logical configuration for each of these groups.
■ Firewalls
■ VPN
■ Workstations
■ Servers
■ Routers
Once our logical configurations are complete, we should have a series of documents that accurately represent the rules, policies, configurations, and procedures that will be configured on the specific firewall and VPN devices in your organization.
Planning Your Logical Security Configuration
Now we are ready to start the planning phase of our logical configuration process. It is recommended you complete the following four steps before starting the actual writing of your logical security configuration documents.
1. Identifying network assets.
2. Profiling your network assets.
3. Creating security areas.
4. Assigning network assets to security areas.
Keep in mind, once you capture some of this information, it can be leveraged in each of the logical configuration documents we identified in the previous step.
Identifying Network Assets
One of the first steps is to identify the network assets we are trying to protect and provide secure access to or from. It is important to understand what devices and services are on the networks you are protecting. The more information you capture about your assets, the more informed you will be when you have to make decisions. This information will be useful when you create your logical security policies and for ongoing management and auditing of your systems and...
| Erscheint lt. Verlag | 28.9.2006 |
|---|---|
| Sprache | englisch |
| Themenwelt | Sachbuch/Ratgeber |
| Informatik ► Netzwerke ► Sicherheit / Firewall | |
| Informatik ► Office Programme ► Outlook | |
| Informatik ► Theorie / Studium ► Kryptologie | |
| Mathematik / Informatik ► Informatik ► Web / Internet | |
| ISBN-10 | 0-08-050651-8 / 0080506518 |
| ISBN-13 | 978-0-08-050651-7 / 9780080506517 |
| Haben Sie eine Frage zum Produkt? |
PDF (Adobe DRM)Größe: 38,5 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
EPUB (Adobe DRM)Größe: 7,9 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
aus dem Bereich
