-
March 23rd, 2005, 10:58 PM
#1
Essential Firewall Hardening Guide v.2
UPDATED 03/24/05

A colleague and I put together a mandatory hardening guide for network firewalls for our company and, with permission, we stripped out all references to the business and now I'm making it available online. I was always looking for something like this and I know others could really use some guidelines, especially with compliance and auditing being so rampant lately.
I have two more to come soon - Network L3+ Router Hardening and Network L2 Switch Hardening (complete with Cisco how-to's for both IOS and CatOS).
Let me know what you think...
-
March 23rd, 2005, 11:20 PM
#2
Damnably fine piece of work Sir..... and I don't say that very often....
A must read for many here...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 24th, 2005, 01:04 PM
#3
I really enjoyed reading this, though very tough to get through as with each rule you propose and reasons behind them I try to think how I have used them in the past.
This is a definite must have reference.
My first thoughts when reading this are you should include a disclaimer: this is NOT for the novice!
Maybe it's just me (cynical as I am) but I can see people flooding you with questions like "I just installed my first copy of Linux for my network firewall, set up my iptables just like you said, but my LAN can't connect ... by the way, why are there no FORWARD rules listed here?"
Just a few questions.
1) Did I miss it? I did not see network protocols (such as SMB, NFS, RPC, etc.) listed here as not to leave the network. I realize they would be dropped by the default policy (or, I believe, as you call them, "Base Firewall Filters"), but logging them specifically could show indications of misconfiguration and/or problems within. Am I off-base here?
2) Did I miss this? I did not see blocking of things like XMAS or NULL packets. Any reason, as they can be used to detect hosts, open/closed ports, etc.?
3) My last question is, well, ... I don't know. Why did you put Firewall Management Rules before Fragmentation and Reassembly of IP Datagrams, etc.? I know we ALL do something stupid now and then. Couldn't this potentially cause problems?
Again, a good read and reference! Thanks!
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
March 24th, 2005, 02:58 PM
#4
This is VERY helpful. Thx for sharing.
Cheers.
Ubuntu: Means in African: "I'm too dumb to use Slackware"
-
March 24th, 2005, 03:02 PM
#5
TigerShark: Thank you, I'm glad you enjoy... There's more to come...
IKnowNot: Thank you, you raised some really good points that I neglected to address. In my purpose I did mention that the intent was to define attack protection and anti-spoofing from the untrusted to the trusted networks the firewall was intended to protect.
Our intent with this document at a corporate level was to address the firewall base protection rules to ensure the integrity of the firewalls themselves. I did make mention of outbound rules but limited them since every one of our environments has different needs. As an example, fragmentation over VPN is common and will exhaust the reassembly buffers in a default configuration. Also, in a VPN block, we allow any RPC or NetBIOS protocol between our VPN clients and the corporate network. I didn't want to address these "content" rules as a basis for every configuration; rather, we have been developing a Content Rule Guideline to address what are acceptable protocols and traffic patterns ingress and egress of our corporate infrastructure. I included the "Content Rules" section with the disclaimer that it was merely an example of how these protocols would be implemented.
Having said all of the above, I agree that perhaps for a general rulebase designed to provide base protection of the LAN and to block protocols that aren't designed to leave the LAN, I have to make a revision. This will also address rule order, as you are correct: the fragmentation and anti-spoofing rules should exist before any connections are allowed for management purposes.
Last of all, I need to create a sub-category to address the Intended Audience.
I'll make some changes and repost the update later...
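The points raised in IKnowNot's questions above (logging LAN-only protocols such as SMB, NFS and RPC on egress, dropping XMAS/NULL flag combinations) and conceded in the reply (anti-spoofing and fragment handling must precede the management rules) can be shown as one ordered iptables rulebase. The script below is an added example and is not part of the hardening guide or of any post in this thread. The interface names, the LAN prefix, the management host and the port list are constructed assumptions; by default it only prints the iptables commands (IPT="echo iptables") so it can be reviewed offline, and the rule_order_ok function checks that the protection rules land ahead of the first management ACCEPT.

```shell
#!/bin/sh
# Dry-run by default: IPT="echo iptables" prints the commands instead of
# applying them. Run with IPT=iptables as root to install the rules.
IPT="${IPT:-echo iptables}"

WAN_IF="${WAN_IF:-eth0}"                 # assumed untrusted interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed trusted interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed example LAN prefix
MGMT_HOST="${MGMT_HOST:-192.168.1.10}"   # constructed management station

base_rules() {
  # 1. Default-deny policy ("Base Firewall Filters") plus loopback.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT

  # 2. Anti-spoofing: our own LAN prefix must never arrive on the untrusted
  #    interface; private and loopback source addresses are dropped there too.
  $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j LOG --log-prefix "FW-SPOOF: "
  $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
  done

  # 3. Fragments: log and drop non-initial fragments before any stateful rule.
  $IPT -A INPUT -f -j LOG --log-prefix "FW-FRAG: "
  $IPT -A INPUT -f -j DROP

  # 4. Malformed TCP flag combinations (XMAS, NULL, SYN+FIN): log, then drop.
  for flags in "ALL ALL" "ALL NONE" "SYN,FIN SYN,FIN"; do
    $IPT -A INPUT -p tcp --tcp-flags $flags -j LOG --log-prefix "FW-BADFLAGS: "
    $IPT -A INPUT -p tcp --tcp-flags $flags -j DROP
  done

  # 5. Stateful baseline for already-accepted connections.
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 6. Management access comes only after the protections above: SSH from
  #    one trusted host on the LAN side.
  $IPT -A INPUT -i "$LAN_IF" -p tcp -s "$MGMT_HOST" --dport 22 -m state --state NEW -j ACCEPT
}

egress_rules() {
  # LAN-only protocols (NetBIOS/SMB 135-139,445; portmapper 111; NFS 2049)
  # are logged and then dropped on the way out, so a hit in the log points
  # at a misconfigured host instead of vanishing into the default policy.
  for port in 135 137 138 139 445 111 2049; do
    for proto in tcp udp; do
      $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" --dport "$port" -j LOG --log-prefix "FW-EGRESS-LAN-ONLY: "
      $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" --dport "$port" -j DROP
    done
  done
}

# Ordering check: succeeds only if the anti-spoof and fragment rules are
# emitted before the first management ACCEPT (the point conceded in post #5).
rule_order_ok() {
  out=$(IPT="echo iptables"; base_rules)
  spoof=$(printf '%s\n' "$out" | grep -n 'FW-SPOOF' | head -1 | cut -d: -f1)
  frag=$(printf '%s\n' "$out" | grep -n -- '-A INPUT -f ' | head -1 | cut -d: -f1)
  mgmt=$(printf '%s\n' "$out" | grep -n -- '--dport 22 ' | head -1 | cut -d: -f1)
  [ -n "$spoof" ] && [ -n "$frag" ] && [ -n "$mgmt" ] \
    && [ "$spoof" -lt "$mgmt" ] && [ "$frag" -lt "$mgmt" ]
}

base_rules
egress_rules
```

Run it as-is to review the generated rule list, then with IPT=iptables to apply. The egress block deliberately sits on its own so that whatever outbound "content" allows a site needs can be appended after it without disturbing the base protection order.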
-
March 24th, 2005, 03:38 PM
#6
Originally posted here by instronics
This is VERY helpful. Thx for sharing.
Cheers.
You're welcome instronics, can't keep it unless you give it away
-
March 24th, 2005, 03:46 PM
#7
-
March 24th, 2005, 04:47 PM
#8
Perhaps a stupid question, but how do I open it? Word can't, and Notepad can't either. What to do?
Remember, all I'm offering is the truth, nothing more.
-
March 24th, 2005, 04:49 PM
#9
Uh.. try a browser.
-
March 24th, 2005, 04:51 PM
#10
MsMittens, you are always so fast answering! The problem was that the browser was crashing. But I found a way to read it! Thank you!
Remember, all I'm offering is the truth, nothing more.