
Thread: Essential Firewall Hardening Guide

  1. #1
    Member aciscorouter's Avatar
    Join Date
    Mar 2002
    Location
    Brampton, ON, Canada
    Posts
    35

    Essential Firewall Hardening Guide v.2

    UPDATED 03/24/05

    Myself and a colleague put together a mandatory hardening guide for Network Firewalls for our company and, with permission, we stripped out all references to the business and now I'm making it available online. I was always looking for something like this and I know others could really use some guidelines, especially with compliance and auditing being so rampant lately.

    I have two more to come soon - Network L3+ Router Hardening and Network L2 Switch Hardening (complete with Cisco how-to's for both IOS and CatOS).

    Let me know what you think...
    aCISCOrouter

    "I used up all my sick days, so I’m calling in dead."
    http://www.facebook.com/profile.php?id=554370423

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Damnably fine piece of work Sir..... and I don't say that very often....

    A must read for many here...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I really enjoyed reading this, though it was very tough to get through, as with each rule you propose and the reasons behind it I try to think how I have used it in the past.

    This is a definite must have reference.

    My first thoughts when reading this are you should include a disclaimer: this is NOT for the novice!

    Maybe it's just me (cynical as I am) but I can see people flooding you with questions like "I just installed my first copy of Linux for my network firewall, set up my iptables just like you said, but my LAN can't connect ... by the way, why are there no FORWARD rules listed here?"

    Just a few questions.

    1) Did I miss it? I did not see network protocols (such as SMB, NFS, RPC, etc.) listed here as not to leave the network. I realize they would be dropped by the default policy (or, I believe, as you call them, "Base Firewall Filters") but logging them specifically could show indications of misconfiguration and/or problems within. Am I off-base here?

    2) Did I miss this? I did not see blocking of things like XMAS or NULL packets. Any reason, as they can be used to detect hosts, open/closed ports, etc.?

    3) My last question is, well, ... I don't know. Why did you put Firewall Management Rules before Fragmentation and Reassembly of IP Datagrams, etc.? I know we ALL do something stupid now and then. Couldn't this potentially cause problems?


    Again, a good read and reference! Thanks!
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  4. #4
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    This is VERY helpful. Thx for sharing.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  5. #5
    Member aciscorouter's Avatar
    Join Date
    Mar 2002
    Location
    Brampton, ON, Canada
    Posts
    35
    TigerShark: Thank you, I'm glad you enjoy... There's more to come...

    IKnowNot: Thank you, you raised some really good points that I neglected to address. In my purpose I did mention that the intent was to define attack protection and anti-spoofing from the untrusted to the trusted networks the firewall was intended to protect.

    Our intent with this document at a corporate level was to address the firewall base protection rules to ensure the integrity of the firewalls themselves. I did make mention of outbound rules but limited them since every one of our environments has different needs. As an example, fragmentation over VPN is common and will exhaust the re-assembly buffers in a default configuration. Also, in a VPN block, we allow any RPC or NetBIOS protocol between our VPN clients and the corporate network. I didn't want to address these "content" rules as a basis for every configuration; rather, we have been developing a Content Rule Guideline to address what are acceptable protocols and traffic patterns ingress and egress of our corporate infrastructure. I included the "Content Rules" section with the disclaimer that it was merely an example of how these protocols would be implemented.

    Having said all of the above, I agree that for a general rulebase designed to provide base protection of the LAN and to block protocols that aren't designed to leave the LAN, I have to make a revision. This will also address rule order, as you are correct: the fragmentation and anti-spoofing rules should exist before any connections are allowed for management purposes.

    Last of all, I need to create a sub-category to address the Intended Audience.

    I'll make some changes and repost the update later...
    aCISCOrouter

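The two points conceded in the post above (fragment and anti-spoofing rules must precede the management ACCEPT) and the first two questions from IKnowNot's post (logging LAN-only protocols separately from the default drop, and dropping NULL/XMAS scans) can be shown in one concrete Linux rulebase. The following is an added example, not the guide's own rules or anything posted in the thread: it emits an iptables-restore(8) ruleset in that order and includes a small self-check that the anti-spoofing rule really does sit above the SSH management rule. The interface names (eth0 untrusted, eth1 trusted), the subnets, the log prefixes and the port list for SMB/NetBIOS, RPC portmapper and NFS are assumptions chosen for illustration; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the original guide): an iptables-restore rulebase
# ordered so that fragment handling, anti-spoofing and scan filtering come
# before the firewall-management ACCEPT, plus a chain that logs LAN-only
# protocols (SMB/NetBIOS, RPC portmapper, NFS) on egress before dropping them.
# Interface names and subnets below are assumed placeholders; adjust them.
WAN_IF=${WAN_IF:-eth0}                # untrusted side
LAN_IF=${LAN_IF:-eth1}                # trusted side
LAN_NET=${LAN_NET:-192.168.10.0/24}   # trusted network behind the firewall
MGMT_NET=${MGMT_NET:-192.168.10.0/28} # hosts allowed to SSH to the firewall

# Print the rulebase in iptables-restore(8) format.
emit_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SCAN - [0:0]
:LAN_ONLY - [0:0]
# --- 1. loopback and state; INVALID is dropped before any port is looked at
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# --- 2. fragments: drop non-initial fragments before any rule matches on ports.
#     Caveat: with nf_conntrack loaded the kernel reassembles datagrams before
#     the filter table, so "-f" only fires when connection tracking is not used.
-A INPUT -f -m limit --limit 5/min -j LOG --log-prefix "FW-FRAG: "
-A INPUT -f -j DROP
# --- 3. anti-spoofing on the untrusted interface, before any ACCEPT
-A INPUT -i $WAN_IF -s $LAN_NET -m limit --limit 5/min -j LOG --log-prefix "FW-SPOOF: "
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A INPUT -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $WAN_IF -s 192.168.0.0/16 -j DROP
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 169.254.0.0/16 -j DROP
-A INPUT -i $WAN_IF -s 0.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 224.0.0.0/3 -j DROP
-A INPUT -i $LAN_IF ! -s $LAN_NET -j DROP
# --- 4. scan signatures: NULL, XMAS, all-flags-set and SYN+RST
-A INPUT -p tcp --tcp-flags ALL NONE -j SCAN
-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j SCAN
-A INPUT -p tcp --tcp-flags ALL ALL -j SCAN
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j SCAN
# --- 5. management: only now, only from the inside, only from MGMT_NET
-A INPUT -i $LAN_IF -s $MGMT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# --- FORWARD: same order; LAN-only protocols are logged and dropped before
#     the site-specific egress policy (here a permissive placeholder)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -f -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -j LAN_ONLY
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# --- scan chain: rate-limited log, then drop
-A SCAN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-SCAN: "
-A SCAN -j DROP
# --- LAN-only chain: a separate log line makes misconfigured hosts visible
#     instead of burying them in the default-policy drop
-A LAN_ONLY -p tcp -m multiport --dports 135,137,138,139,445,111,2049 -m limit --limit 10/min -j LOG --log-prefix "FW-LANONLY: "
-A LAN_ONLY -p udp -m multiport --dports 135,137,138,139,445,111,2049 -m limit --limit 10/min -j LOG --log-prefix "FW-LANONLY: "
-A LAN_ONLY -p tcp -m multiport --dports 135,137,138,139,445,111,2049 -j DROP
-A LAN_ONLY -p udp -m multiport --dports 135,137,138,139,445,111,2049 -j DROP
COMMIT
EOF
}

# Self-check for the rule-order point raised in the thread: the first
# anti-spoofing rule on INPUT must appear before the first management ACCEPT.
# Returns 0 when the order is right, 1 otherwise.
check_order() {
    spoof=$(emit_ruleset | grep -n 'FW-SPOOF' | head -n 1 | cut -d: -f1)
    mgmt=$(emit_ruleset | grep -n -e '--dport 22 ' | head -n 1 | cut -d: -f1)
    [ -n "$spoof" ] && [ -n "$mgmt" ] && [ "$spoof" -lt "$mgmt" ]
}

# Usage: validate without touching the running firewall, then load it:
#   emit_ruleset | sudo iptables-restore --test
#   emit_ruleset | sudo iptables-restore
```

The egress ACCEPT on FORWARD is only a placeholder for the site-specific content rules the post says vary per environment; the point of the block is the ordering above it, and the fragment caveat in step 2 is why fragment limits on a conntrack firewall are usually enforced with the kernel's reassembly sysctls rather than with `-f` rules.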

  6. #6
    Member aciscorouter's Avatar
    Join Date
    Mar 2002
    Location
    Brampton, ON, Canada
    Posts
    35
    Originally posted here by instronics
    This is VERY helpful. Thx for sharing.

    Cheers.
    You're welcome instronics, can't keep it unless you give it away
    aCISCOrouter


  8. #8
    Senior Member
    Join Date
    Oct 2004
    Posts
    187
    Perhaps stupid question, but how to open it? Word can't, notepad also? What to do?
    Remember, all I'm offering is the truth, nothing more.

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Uh.. try a browser.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Senior Member
    Join Date
    Oct 2004
    Posts
    187
    MsMittens, you are always so fast answering! The problem was that the browser was crashing. But I found a way to read it! Thank you!
