IV. Hardening Steps for Firewall
Access Security
Example AAA server group definitions for administrative authentication, in Cisco PIX syntax (a TACACS+ group with two servers, a RADIUS group, and the local user database):
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.0.0.2 secret123
aaa-server TACACS+ host 10.0.0.3 321terces
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 5
aaa-server TACACS+ timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.0.1.2 secret123
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 5
aaa-server RADIUS timeout 5
aaa-server LOCAL protocol local
The shared secrets shown are placeholders; each server should be given its own strong secret rather than one value reused across servers.
Firewalls should be managed over a secure connection. This can be configured in several ways.
On Check Point firewalls, each administrator can be issued a certificate to enforce symmetric authentication. Management traffic can also be restricted by source IP address by adding a firewall rule in the management console.
On Cisco PIX and NetScreen firewalls, Telnet access can be disabled and SSH selected for in-band management connections.
System Security
Generic Device Security
The general traffic handled by the firewall deserves the same level of attention as the management traffic.
Unless the console and auxiliary ports are explicitly needed for connections to other devices, they should be disabled. Otherwise these ports can be used by unauthorised users to manage the device through a direct connection to the console or modem port.
Traffic Filtering
The actual traffic filtering that a firewall performs is configured through policies, so the rules should be written to match the traffic filtering policy. A policy is a set of rules that determines how traffic passes between security zones (inter-zone policy), between interfaces bound to the same zone (intra-zone policy), and between addresses in the Global zone (global policy). When a security device attempts to pass a packet from one zone to another, between two interfaces bound to the same zone, or between two addresses in the Global zone, it checks its policy lists for a policy that permits or rejects that traffic.
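The zone-based lookup described above, as an added example that is not part of the original text: a packet is matched against the list for its zone pair (inter-zone when the zones differ, intra-zone when they are the same), then against the Global list, and is dropped if nothing matches. The zone names, addresses, services and rules are constructed for illustration; the lookup order and the implicit final deny are assumptions of this script, not a statement about any vendor's default behaviour.

```python
"""Zone-based policy lookup (added example; constructed zones and rules)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "Global" on both sides marks a global-policy rule
    dst_zone: str
    src_net: str    # CIDR; "0.0.0.0/0" means any address
    dst_net: str
    service: str    # "tcp/443", "udp/53", ... or "any"
    action: str     # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        """Address and service match only; zone selection happens in lookup()."""
        return (ip_address(src_ip) in ip_network(self.src_net)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and self.service in ("any", service))


class ZonePolicy:
    def __init__(self, rules):
        self.rules = list(rules)

    def lookup(self, src_zone, dst_zone, src_ip, dst_ip, service):
        """Return (action, matched_rule). The rule is None when nothing matched,
        in which case the action is the implicit deny (an assumption here)."""
        # List for the zone pair: inter-zone if the zones differ,
        # intra-zone if they are the same.
        zone_list = [r for r in self.rules
                     if (r.src_zone, r.dst_zone) == (src_zone, dst_zone)]
        # Global list, consulted after the zone-pair list.
        global_list = [r for r in self.rules
                       if (r.src_zone, r.dst_zone) == ("Global", "Global")]
        for rule in zone_list + global_list:   # first match wins
            if rule.matches(src_ip, dst_ip, service):
                return rule.action, rule
        return "deny", None


# Constructed rule set: outbound HTTPS allowed, outbound Telnet explicitly
# denied, everything permitted inside the trust zone, and a global rule
# allowing DNS to one resolver network from any zone.
POLICY = ZonePolicy([
    Rule("trust", "untrust", "10.1.0.0/16", "0.0.0.0/0", "tcp/23", "deny"),
    Rule("trust", "untrust", "10.1.0.0/16", "0.0.0.0/0", "tcp/443", "permit"),
    Rule("trust", "trust", "0.0.0.0/0", "0.0.0.0/0", "any", "permit"),
    Rule("Global", "Global", "0.0.0.0/0", "198.51.100.0/24", "udp/53", "permit"),
])


def decide(src_zone, dst_zone, src_ip, dst_ip, service):
    """Convenience wrapper returning only the action for POLICY."""
    action, _ = POLICY.lookup(src_zone, dst_zone, src_ip, dst_ip, service)
    return action


if __name__ == "__main__":
    for pkt in [("trust", "untrust", "10.1.2.3", "203.0.113.10", "tcp/443"),
                ("trust", "untrust", "10.1.2.3", "203.0.113.10", "tcp/23"),
                ("trust", "untrust", "10.1.2.3", "203.0.113.10", "tcp/25"),
                ("dmz", "untrust", "192.0.2.5", "198.51.100.7", "udp/53"),
                ("untrust", "trust", "203.0.113.10", "10.1.2.3", "tcp/443")]:
        print(pkt, "->", decide(*pkt))
```

The explicit deny for tcp/23 is placed before the permit so that first-match ordering is visible; swapping the two rules would not change the outcome here only because their services differ, which is exactly the kind of detail a rule review should check.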
Logging
Firewalls should send their logs to a central server and have detailed logging options enabled.
For example, on a Cisco PIX firewall it is recommended that logging be sent via AAA by applying the following configuration:
aaa accounting authentication enable console
This command causes syslog messages to be sent (at syslog level 4) each time the configuration is changed from the serial console.
On a Check Point firewall, logging of rule matches is configured in the SmartCenter management console as follows:
- For each Security Policy rule you wish to track, right-click in the Track column and choose Log from the menu. All events matching these rules are now logged.
- Launch SmartView Tracker from the SmartDashboard Window menu. Log mode is displayed, showing the records of all events you have logged.
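A configuration audit that checks the hardening items from the Access Security section (AAA server groups, Telnet disabled in favour of SSH) and from this Logging section (a central log server), as an added example that is not from the original text or from Cisco: it parses a PIX-style configuration and reports what is missing. The two configuration texts are constructed for illustration, the check names and the `logging host` expectation are this script's own, and the parser only understands the handful of commands it audits.

```python
"""Audit a PIX-style config for the hardening items discussed (added example)."""
import re

# Constructed sample: TACACS+ fully defined, RADIUS without a lockout
# threshold, Telnet still enabled, and no central syslog server.
WEAK_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.0.0.2 secret123
aaa-server TACACS+ max-failed-attempts 3
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.0.1.2 secret123
telnet 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
logging on
"""

# Constructed sample with the findings above addressed.
HARDENED_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.0.0.2 secret123
aaa-server TACACS+ host 10.0.0.3 321terces
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 5
aaa-server RADIUS protocol radius
aaa-server RADIUS host 10.0.1.2 secret123
aaa-server RADIUS max-failed-attempts 3
aaa-server LOCAL protocol local
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
logging on
logging host inside 10.0.0.50
"""

AAA_LINE = re.compile(
    r"aaa-server (\S+) (protocol|host|max-failed-attempts|deadtime|timeout)\s+(.*)")


def parse_aaa_groups(config: str) -> dict:
    """Collect each aaa-server group tag with its protocol, hosts and tunables."""
    groups = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue
        tag, key, value = m.groups()
        group = groups.setdefault(tag, {"protocol": None, "hosts": [],
                                        "max-failed-attempts": None,
                                        "deadtime": None, "timeout": None})
        if key == "host":
            group["hosts"].append(value.split()[0])   # address only, key dropped
        else:
            group[key] = value
    return groups


def audit(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for tag, group in parse_aaa_groups(config).items():
        if group["protocol"] is None:
            findings.append(f"aaa-server {tag}: no protocol line")
        if group["protocol"] != "local":
            if not group["hosts"]:
                findings.append(f"aaa-server {tag}: no server hosts defined")
            if group["max-failed-attempts"] is None:
                findings.append(f"aaa-server {tag}: max-failed-attempts not set")
    lines = [l.strip() for l in config.splitlines()]
    # "telnet <addr> <mask> <if>" grants Telnet management access; "telnet timeout" does not.
    if any(re.match(r"telnet \d", l) for l in lines):
        findings.append("telnet management access is enabled; use ssh instead")
    if not any(re.match(r"ssh \d", l) for l in lines):
        findings.append("no ssh management access configured")
    if not any(l.startswith("logging host ") for l in lines):
        findings.append("no central syslog server (logging host) configured")
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(name, audit(cfg) or ["OK"])
```

Run against a saved `show running-config` dump the same checks apply; the script deliberately does not touch the shared secrets in the host lines, since a config audit should report their reuse rather than print them.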
Summary