|
Notes on Building Internet Firewalls
Chapter 7: Firewall Design
- The "right solution" to building a firewall is seldom a single
technology; it's usually a carefully crafted combination of
technologies to solve different problems.
- You are not looking for the "perfect firewall", you are looking
for the firewall that best solves your particular problem.
- Basic Process of Designing Firewalls:
- Define needs
- Evaluate Available Products
- Determine how to assemble products into a firewall
- Defining Needs:
- If you don't know what you need, the products you look at
will shape your decisions.
- Begin by developing or consulting your security policy
- Consider: What will the firewall actually do? How secure
do you need it to be, what about net usage, reliability?
- Consider: What are the constraints (budget, personnel, politics,
etc.)
- Personnel is much harder to change than budget; therefore, your
first effort should be to fit the firewall to available
resources.
- Evaluate Available Products:
- Scalability
- Reliability and redundancy (can you easily replace parts?)
- Auditability (is there a mechanism to ensure the firewall
is doing its job)
- Price (hardware, software licensing, support and upgrades,
training, installation, etc.)
- Management and Configuration
- Adaptability
- Putting it All Together:
- Deterine where logs will go; keep separate from the firewall
so an attacker cannot easily destory the logs.
- Backup systems need to bas secure as the firewall systems.
If not doing local backups at each machine, make the backup
server part of the firewall.
- Examine all cases where the firewall is getting info from
external machines and get rid of as many dependencies as
possible (i.e. DNS server, time servers, etc.)
- Determine where reports and alarms will go.
- Since attackers can compromise network connectivity, either
machines should have ways of sending alarms that are not
dependent on a network connection (ie modem ports) or alarms
should be generated by independent monitoring machines.
Restricted access |
