Using Your Policies to Create Firewall and VPN Configurations

an article added by: Maria T. at 11202007



As our businesses depend more and more on networks and the resources they provide, it is increasingly important that we protect these resources from unauthorized access, attacks, and exploits against vulnerabilities. As security professionals, our success does not depend on fixing these inherent and ongoing problems; it relies on our ability to select, implement, and configure solutions that protect our resources.

The threats, attacks, and abuse will always be present as long as we have networks and provide services on those networks. It all starts with written security policies, which are our roadmaps and the single most important documents you can have. Whether it is an Acceptable Use Policy, a Remote User VPN Policy, or the Perimeter Access Policy, each will have a long-term impact on the security of your network. Unfortunately, security policies are afterthoughts in many companies. It is not uncommon to find companies that have selected a security product, vendor, or even a complete security solution without ever writing a security policy. As a result, the security posture of these networks is ineffective in many respects: their configurations and rules probably do not reflect the requirements or desires of the organization. In other situations, where security policies are not an afterthought, it is common to find that those policies are outdated and probably had little or no impact on the product selection or configuration of the security solutions. The organizations that are most successful at strong security have one thing in common: their security policies. They review and update them, and they leverage best-practice security principles when selecting and configuring their security solutions.

Another area commonly overlooked is security policy sponsorship. Getting sponsorship for the content and implementation of the policies is just as important as developing the policies themselves. Sponsorship helps drive and support the entire process you will go through when creating, maintaining, and implementing your security solutions. Many organizations spend the time, resources, and money to create security policies and then fail to support them after their initial creation. These failures are usually not a result of the effort invested, nor were they part of the original plan. Many recommendations and policies never get implemented or enforced long term because two key elements are missing: sponsorship and acceptance. Sponsorship is key because it provides support from someone who has authoritative power in the organization to oversee your success.

This entire process is largely a team effort; without a sponsor, it becomes challenging and often difficult to complete all the steps necessary to develop and implement the organizational policies. Equally important is acceptance of, and a shared understanding of, the project goals and charter across the entire team. While it might be impossible to always get 100 percent from everyone on the team, everyone must agree to support the team's decisions and help enforce the policies. This is an area in which facilitation skills have a major impact. Helping others understand the positive impact the policies will have on them personally will aid in their long-term support. If an individual or group does not generally accept or believe in the goals, why would they support them? Finally, keep in mind that everyone on the team should have input and should understand that his or her participation is critical to the success of the project.

This article discusses how to take your written security policies and convert them into logical security configurations. Logical security configurations are used by technical administrators to guide them through the implementation and configuration of your firewall and VPN devices. You might be thinking that we have yet to discuss a specific firewall or VPN appliance. Well, you are right! In fact, this is a mistake commonly made by security professionals when they go through this step. By abstracting away vendor-specific technology or features, you are able to think about the goals of the policies instead of writing policy around a vendor's product. This step might seem somewhat insignificant; however, it is a vital step that should not be overlooked or skipped. The primary goal of this article is to create concise and clear objectives that are specific to the actual configurations of the firewall and VPN devices.

What Is a Logical Security Configuration?

Once you have developed and received approval for your written security policies, the next major step is to convert them into logical security configuration documents. You might ask, what is a logical security configuration, and how is it different from the actual configuration you will create for your firewall or VPN device? This is a great question, and one that might or might not be easily answered. Logical security configurations are documents that interpret written security policy requirements and define configuration requirements for a specific type of enforcement device, such as a firewall or VPN product. Based on the standard capabilities of these various devices, these documents will be used to build device-specific configurations that ultimately enforce your policy requirements. For example, a firewall device provides access control between the different networks to which it connects. At a basic level, it provides these controls based on Layer 3 and Layer 4 headers, which include source IP, destination IP, source port, and destination port. Even if you select two different firewall devices for your network, this same information will be what the administrator needs when configuring each device.

Keep in mind that we are not discussing or using actual features found in a specific vendor's product or solution offerings. Instead, we are creating a logical configuration that maps our written security policy to the common capabilities of these devices. While there is no definitive one-to-one correlation between logical configurations and written policies, or between logical configurations and specific devices, it is important that you create documents that are easy to maintain and focused. As a result, we recommend creating a logical configuration for each group or type of device you will be using in your environment. For our example, Example Corporation, we have created the following five categories and will create a logical configuration for each of these groups.

- Firewalls
- VPN
- Workstations
- Servers
- Routers

Once our logical configurations are complete, we should have a series of documents that accurately represent the rules, policies, configurations, and procedures that will be configured on the specific firewall and VPN devices in your organization.

Planning Your Logical Security Configuration

Now we are ready to start the planning phase of our logical configuration process. We recommend completing the following four steps before you begin writing the logical security configuration documents themselves.

1. Identifying network assets.

2. Profiling your network assets.

3. Creating security areas.

4. Assigning network assets to security areas.

Keep in mind that once you capture this information, it can be reused in each of the logical configuration documents identified in the previous section.
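To show what a logical configuration looks like once the four planning steps are done, here is an added example (not part of the original article): security areas, assets assigned to them, and vendor-neutral rules built only from the Layer 3/4 fields discussed above, plus a check that each asset really sits in its assigned area and one possible mapping of the same rules onto iptables syntax. Example Corporation's areas, addresses, asset names and rules are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    """Vendor-neutral access rule using only the Layer 3/4 fields the article lists."""
    src_area: str
    dst_area: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    action: str     # "permit" or "deny"

# Constructed security areas (planning step 3); "internet" is the catch-all.
AREAS = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),        # documentation range, constructed
    "internal": ip_network("10.10.0.0/16"),
}
ASSETS = {"web1": ("192.0.2.10", "dmz"), "db1": ("10.10.5.20", "internal")}  # step 4

# Constructed logical configuration for the "Firewalls" group; first match wins.
RULES = [
    Rule("internet", "dmz", "tcp", 443, "permit"),
    Rule("dmz", "internal", "tcp", 5432, "permit"),
    Rule("internet", "internal", "tcp", 5432, "deny"),
]

def area_of(ip: str) -> str:
    """Most specific security area containing ip (longest prefix wins)."""
    return max((a for a, n in AREAS.items() if ip_address(ip) in n),
               key=lambda a: AREAS[a].prefixlen)

def check_assignments() -> list[str]:
    """Planning step 4 sanity check: assets whose address is outside their assigned area."""
    return [name for name, (ip, area) in ASSETS.items() if area_of(ip) != area]

def decide(src: str, dst: str, proto: str, dst_port: int) -> str:
    """Evaluate the logical rules for a flow; anything unmatched is denied by default."""
    s, d = area_of(src), area_of(dst)
    for r in RULES:
        if (r.src_area, r.dst_area, r.proto, r.dst_port) == (s, d, proto, dst_port):
            return r.action
    return "deny"

def render_iptables(rules) -> list[str]:
    """Map the logical rules onto one concrete device syntax (iptables FORWARD chain)."""
    fmt = "iptables -A FORWARD -s {} -d {} -p {} --dport {} -j {}"
    return [fmt.format(AREAS[r.src_area], AREAS[r.dst_area], r.proto, r.dst_port,
                       "ACCEPT" if r.action == "permit" else "DROP") for r in rules
            ] + ["iptables -P FORWARD DROP"]
```

The same RULES list could be rendered for a second vendor by swapping only render_iptables, which is the point of keeping the logical configuration vendor-neutral.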
