IV. Hardening Steps for Firewall

by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
 
 
Firewalls are part of the IT environment of universities and shall be secured in accordance with the universities' Information Security Policies and relevant industry standards. Hardening steps for firewall systems should focus on "Access Security" and "System Security".

Access Security

 
User Authentication 
 
A centralised authentication, authorisation and accounting (AAA) mechanism is recommended for user authentication on firewalls. User-specific accounts are implemented and maintained in a central directory. Only one local account should be configured on the firewall, as a backup account for use when the central authentication mechanism is not available.
 
RADIUS and TACACS(+) are examples of common centralised authentication, authorisation and accounting mechanisms. For instance, a Cisco PIX firewall can be configured to define remote AAA servers with a configuration similar to:
 
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.0.0.2 secret123
aaa-server TACACS+ host 10.0.0.3 321terces
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 5
aaa-server TACACS+ timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.0.1.2 secret123
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 5
aaa-server RADIUS timeout 5
aaa-server LOCAL protocol local
 
The administrator user accounts on the firewall can be authenticated against either the internal (local) user database or an external user database.
 
 
Management Traffic

A secure connection should be established for the management of firewalls. This can be configured in several ways.

For Checkpoint firewalls, a certificate can be created for each administrator to enforce certificate-based authentication. IP restrictions on management traffic can also be set up by enforcing a firewall rule in the management console.

For Cisco PIX or NetScreen firewalls, Telnet access can be disabled and SSH used instead for in-band management connections.
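The two hardening points above (central AAA with a single local fallback account, and SSH rather than Telnet for in-band management) can be checked mechanically against a saved configuration. The following audit script is an added example and is not part of the original newsletter or any vendor tool. The configuration excerpt it inspects is constructed for the example: it reuses the aaa-server lines shown earlier and adds username, telnet and ssh lines in PIX syntax; the password hashes are placeholders.

```python
import re
from typing import Dict, List

# Constructed PIX-style configuration excerpt (example data, not from a real device).
# It reuses the aaa-server lines shown above and adds management-access lines
# so that the audit has both good and bad settings to report on.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.0.0.2 secret123
aaa-server TACACS+ host 10.0.0.3 321terces
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.0.1.2 secret123
aaa-server LOCAL protocol local
username admin password <hash-placeholder> encrypted
username backup password <hash-placeholder> encrypted
telnet 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
"""

# Same excerpt with the two weaknesses removed: one local account, no telnet.
HARDENED_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines()
    if not line.startswith("telnet ") and not line.startswith("username backup ")
) + "\n"

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def audit_management_access(config_text: str) -> Dict[str, List[str]]:
    """Check a config excerpt against the hardening points above.

    Returns a mapping of finding-id -> the config lines that triggered it
    (an empty dict means every check passed).
    """
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings: Dict[str, List[str]] = {}

    # Remote AAA server groups are those whose protocol is not "local".
    remote_groups = set()
    for l in lines:
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", l)
        if m and m.group(2) != "local":
            remote_groups.add(m.group(1))
    remote_hosts = [l for l in lines
                    if re.match(r"aaa-server (\S+) host ", l) and l.split()[1] in remote_groups]
    if not remote_hosts:
        findings["no-central-aaa"] = [l for l in lines if l.startswith("aaa-server ")]

    # A local server group is the fallback when the central AAA servers are unreachable.
    if not any(re.match(r"aaa-server \S+ protocol local$", l) for l in lines):
        findings["no-local-fallback"] = []

    # Only one local account should exist (the backup account).
    local_accounts = [l for l in lines if l.startswith("username ")]
    if len(local_accounts) > 1:
        findings["too-many-local-accounts"] = local_accounts

    # "telnet <ip> <mask> <if>" permits clear-text in-band management.
    telnet_lines = [l for l in lines if re.match(rf"telnet {IPV4} {IPV4} \S+$", l)]
    if telnet_lines:
        findings["telnet-enabled"] = telnet_lines

    # "ssh <ip> <mask> <if>" is the encrypted alternative; it should be present.
    ssh_lines = [l for l in lines if re.match(rf"ssh {IPV4} {IPV4} \S+$", l)]
    if not ssh_lines:
        findings["ssh-missing"] = []

    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management_access(cfg) or "all checks passed")
```

Run against the constructed excerpt the audit reports the extra local account and the telnet line; against the hardened copy it reports nothing. The checks are deliberately line-based so the same approach can be run over a configuration backup without device access.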

System Security

Generic Device Security

The general traffic handled by the firewall should receive the same level of attention as the management traffic.

Unless the console and auxiliary ports are explicitly needed for connection to other devices, they should be disabled. Otherwise, these ports can be used by unauthorised users to manage the device through a direct connection to the console or modem port.

Traffic Filtering

The actual traffic filtering that a firewall performs is configured through policies, and the rules should be configured to match the traffic filtering policy. A policy is a set of rules that determines how traffic passes between security zones (inter-zone policy), between interfaces bound to the same zone (intra-zone policy), and between addresses in the Global zone (global policy). When a security device attempts to pass a packet from one zone to another, between two interfaces bound to the same zone, or between two addresses in the Global zone, it checks the corresponding policy list for a rule that permits or rejects such traffic.

Logging

Firewalls should send their logs to a central server and have detailed logging options enabled.

For example, on a Cisco PIX firewall, it is recommended to send logging through AAA by applying the following configuration:

'aaa accounting authentication enable console'

This command causes syslog messages to be sent (at syslog level 4) each time the configuration is changed from the serial console.

To log firewall rules in a Checkpoint firewall, enter the configuration in the SmartCenter management console as follows:

  • For each of the Security Policy rules you wish to track, right-click in the Track column and choose Log from the menu. All events matching these rules are now logged.
  • Launch SmartView Tracker through the SmartDashboard's Window menu. The Log mode is displayed, showing the records of all events you have logged.

Which rules are logged depends on the firewall policy. However, one rule that should almost always be logged is the "deny any any".
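The policy-list evaluation described under Traffic Filtering, together with the per-rule Log tracking and the logged "deny any any" cleanup rule discussed here, can be shown in one small model. The following is an added example written for this article; it is not code from any firewall vendor. The zones, addresses, rule names and packets are constructed, the addresses come from the documentation ranges, and the behaviour when no rule in a list matches (deny, and always log) is an assumption of the model rather than a statement about any particular product.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src_zone: str          # zone name or "any"
    dst_zone: str
    src: str               # CIDR or "any"
    dst: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "permit" or "deny"
    log: bool = False      # the Track/Log setting for this rule


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dport: int


def classify(pkt: Packet) -> str:
    """Pick the policy list the device consults for this packet."""
    if pkt.src_zone == pkt.dst_zone == "Global":
        return "global"
    if pkt.src_zone == pkt.dst_zone:
        return "intra-zone"
    return "inter-zone"


def _matches(rule: Rule, pkt: Packet) -> bool:
    zone_ok = (rule.src_zone in ("any", pkt.src_zone)
               and rule.dst_zone in ("any", pkt.dst_zone))
    addr_ok = ((rule.src == "any" or ip_address(pkt.src_ip) in ip_network(rule.src))
               and (rule.dst == "any" or ip_address(pkt.dst_ip) in ip_network(rule.dst)))
    port_ok = rule.dport is None or rule.dport == pkt.dport
    return zone_ok and addr_ok and port_ok


class PolicyEngine:
    """First-match evaluation over inter-zone, intra-zone and global policy lists."""

    def __init__(self, default_action: str = "deny"):
        self.lists: Dict[str, List[Rule]] = {"inter-zone": [], "intra-zone": [], "global": []}
        # Assumed behaviour when no rule in the chosen list matches; real devices differ.
        self.default_action = default_action
        self.log: List[str] = []   # stands in for messages sent to the central log server

    def add(self, list_name: str, rule: Rule) -> None:
        self.lists[list_name].append(rule)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        list_name = classify(pkt)
        flow = f"{pkt.src_zone}:{pkt.src_ip} -> {pkt.dst_zone}:{pkt.dst_ip}:{pkt.dport}"
        for rule in self.lists[list_name]:
            if _matches(rule, pkt):
                if rule.log:
                    self.log.append(f"{list_name} {rule.action} rule={rule.name} {flow}")
                return rule.action, rule.name
        # No explicit match: apply the default and always record it, since an
        # unmatched flow is exactly what an operator needs to see in the logs.
        self.log.append(f"{list_name} {self.default_action} rule=<implicit-default> {flow}")
        return self.default_action, "<implicit-default>"


def build_sample_policy() -> PolicyEngine:
    """Constructed policy: two permits followed by a logged 'deny any any' cleanup rule."""
    eng = PolicyEngine()
    eng.add("inter-zone", Rule("web-out", "trust", "untrust", "any", "any", 443, "permit"))
    eng.add("inter-zone", Rule("dmz-web", "untrust", "dmz", "any", "10.1.1.0/24", 80, "permit", log=True))
    eng.add("inter-zone", Rule("cleanup", "any", "any", "any", "any", None, "deny", log=True))
    return eng


# Constructed packets (documentation address ranges, not real traffic).
SAMPLE_PACKETS = [
    Packet("trust", "untrust", "192.168.1.10", "203.0.113.5", 443),
    Packet("untrust", "dmz", "198.51.100.7", "10.1.1.5", 80),
    Packet("untrust", "trust", "198.51.100.7", "192.168.1.10", 22),
    Packet("trust", "trust", "192.168.1.10", "192.168.1.20", 445),
]


def run_sample() -> Tuple[List[Tuple[str, str]], List[str]]:
    eng = build_sample_policy()
    results = [eng.evaluate(p) for p in SAMPLE_PACKETS]
    return results, eng.log


if __name__ == "__main__":
    results, log = run_sample()
    for pkt, res in zip(SAMPLE_PACKETS, results):
        print(classify(pkt), res)
    print("\n".join(log))
```

The first packet is permitted silently because "web-out" has no Log tracking; the second is permitted and logged; the third reaches the logged cleanup rule and is denied, which is the "deny any any" record an analyst looks for; the fourth is intra-zone traffic for which no list entry exists, so the model's default applies and is recorded. Leaving the cleanup rule unlogged would make the third case invisible in the central log.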

Summary
 
Implementing firewalls within the universities' networks is a necessary means of protecting their information systems and resources from malicious activities initiated by hackers, malware or viruses.
 
While enjoying the security benefits brought by firewalls, universities should also pay close attention to their weaknesses and associated risks, which, if exploited, would leave the entire IT environment vulnerable to external threats.
 
To effectively block unauthorised attempts from external networks using firewalls, it is important to maintain proper configuration of the firewall rule sets based on the universities' information security policy and industry best practices, and to enforce strict protection of the firewall systems themselves.