Writing Logical Security Configurations for VPN

an article added by: Maria T. at 11202007

Are you ready to start writing your logical security configurations? If you are like most security professionals, this is the part of the work you enjoy. While we all understand that planning is critical to success, it is the actual configurations and implementations we prefer to spend our time on. Since firewall and VPN solutions provide different capabilities, we have divided this section into two parts. The first part covers firewall logical security configurations, and the second covers VPN logical security configurations. Both parts draw heavily on information gathered in previous sections, such as the security areas.

Logical Security Configuration: Firewall

As discussed in the introduction, the Firewall Logical Security Configuration is a document that maps the statements in your security policy onto common security features and functionality. It is worth repeating that this process does not produce a device-specific configuration file. While there are many methodologies and processes you could follow during this phase, we take a simple yet effective approach to building your first configurations. We further divide this section into two components: general security and access policies.

General Security for Firewall Configurations

Anything that relates to the secure deployment of your firewall devices should be documented in this section. We recommend using a spreadsheet similar to the example that follows; it lets you convert your policy requirements into logical configurations in a straightforward way. While this might seem obvious, converting your security policies into these specific details will help during deployment and when auditing your devices. For our example, we have broken the spreadsheet into four columns:

- AREA and ITEM: General and specific categories used to organize and sort the spreadsheet.

- DESCRIPTION: Statements found in our security policies that need to be configured or supported.

- REQUIREMENT: Specific information that will be used to configure the devices during implementation. While the description and requirement might both be defined in your security policy, it is important to break them out separately in your logical security configurations.

Logical Security Configuration: VPN

Virtual private networks, commonly referred to as VPNs, are deployed in most companies today. While there are many types and uses for VPNs, most are deployed to give remote employees secure access to the company's network resources. In today's distributed environments, field sales teams, home-office-based employees, and consultants are all typical users of VPN solutions. As VPNs provide the necessary communication links between these users and resources, they also bring new challenges to security professionals. They are common targets for attackers and are considered one of the weakest points in the overall security posture of an organization. VPNs are also used when an organization wants to connect remote sites to each other or to a central site. These deployments can take many forms, but they often use the Internet as their transport. Using the Internet as a transport has many advantages: such deployments are often more cost-effective and easier to deploy, and they use standardized protocols such as IPSec. The more common VPN solutions include:

- Gateway-to-gateway IPSec

- Gateway-to-gateway PPTP

- Gateway-to-gateway L2TP

- Gateway-to-gateway SSL

Best Security Practices for VPN Configurations

Your first goal is to ensure your VPN solution can be configured to enforce the requirements defined in your security policies. Beyond that, there are many common best security practices we recommend for all VPN deployments. These include:

- Deploy VPN termination devices on dedicated network segments.

- Require secure access control for all VPN traffic.

- Use dedicated devices for VPN termination.

- Limit management access to side-band/out-of-band interfaces.

- Require additional or complementary authentication to standard username and passwords.

- Enable auditing, providing detailed audit trail for access, authentication, and use.

- Avoid rules or configurations tied to specific users; design around groups instead.

- Use recent software versions.

- Audit logs and authentication records on a daily basis.
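The best-practice list above, written as the AREA / ITEM / DESCRIPTION / REQUIREMENT rows the firewall section proposes for its spreadsheet, and then checked against a logical VPN configuration. This is an added example, not material from the article; the dict layout used for the configuration is an assumption made here.

```python
# The configuration dict layout below is an assumption made for this example.

# Each row: (AREA, ITEM, DESCRIPTION, REQUIREMENT, check); check(cfg) is True when met.
BEST_PRACTICES = [
    ("Network", "Segment", "Deploy VPN termination devices on dedicated segments",
     "No other service shares the VPN segment", lambda c: not c["segment_shared_with"]),
    ("Network", "Device", "Use dedicated devices for VPN termination",
     "The terminator carries no other role", lambda c: c["device_roles"] == ["vpn"]),
    ("Access", "Policy", "Require secure access control for all VPN traffic",
     "VPN-sourced traffic defaults to deny", lambda c: c["default_action"] == "deny"),
    ("Access", "Groups", "Design rules around groups, not individual users",
     "No rule whose subject is a single user",
     lambda c: all(r["subject_type"] == "group" for r in c["rules"])),
    ("Management", "Interface", "Limit management to out-of-band interfaces",
     "No in-band interface accepts management",
     lambda c: all(i["out_of_band"] for i in c["mgmt_interfaces"])),
    ("Authentication", "Factors", "Require more than username and password",
     "At least two distinct factor types", lambda c: len(set(c["auth_factors"])) >= 2),
    ("Auditing", "Trail", "Audit access, authentication and use",
     "Audit logging enabled", lambda c: c["audit_logging"]),
    ("Auditing", "Review", "Audit logs and authentication records daily",
     "Review interval of one day or less", lambda c: c["log_review_days"] <= 1),
    ("Software", "Version", "Use recent software versions",
     "Release is within vendor support", lambda c: c["software_supported"]),
]


def audit_vpn_config(cfg):
    """Return the (AREA, ITEM, REQUIREMENT) rows that cfg fails to satisfy."""
    return [(area, item, req) for area, item, _desc, req, check in BEST_PRACTICES
            if not check(cfg)]


# Constructed sample: a logical configuration with several weaknesses.
WEAK_CONFIG = {
    "segment_shared_with": ["mail-relay"],          # shares a segment with mail
    "device_roles": ["vpn", "firewall"],            # VPN co-located with firewall
    "default_action": "deny",
    "rules": [{"name": "sales-vpn", "subject_type": "group"},
              {"name": "jdoe-vpn", "subject_type": "user"}],   # per-user rule
    "mgmt_interfaces": [{"name": "mgmt0", "out_of_band": True},
                        {"name": "outside", "out_of_band": False}],  # in-band mgmt
    "auth_factors": ["password"],                   # single factor
    "audit_logging": True,
    "log_review_days": 7,                           # weekly, not daily
    "software_supported": True,
}

if __name__ == "__main__":
    for area, item, req in audit_vpn_config(WEAK_CONFIG):
        print(f"FAIL {area}/{item}: {req}")
```

Each failing row points back to the spreadsheet entry it violates, so the same table drives both the deployment and the later audit.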

It is imperative to evaluate and integrate best security practices when deploying your VPNs. VPNs are one of the weakest areas of your network and can lead to breaches of your network security. An old cliché in security is, "security is only as strong as the weakest link." Keep in mind that no system or device is 100-percent protected against attacks or vulnerabilities. If someone wants access, he or she will gain it. Many times, your configurations and security policies only need to be as strong as the information they are protecting. As security professionals, you have learned that security is a trade-off of risk versus reward. Keeping this in mind is useful when creating your VPN logical security configurations.

Once a host authenticates, it is common to authorize the specific user. While host authentication is recommended, it does not ensure the person using that host is who you believe him to be. A common best practice is to deploy a strong, two-factor user authentication system such as RSA SecurID tokens or Aladdin Knowledge Systems' eToken solutions. Other options include biometric systems, smart cards, USB tokens, and one-time-password token systems. When deploying VPN access for remote users, it is recommended that one of these systems be used rather than a standard username- and password-based system.
