Best IT Documents.com Blog


BigIP LTM F5 – Balancing Methods

The BigIP F5 LTM supports various load balancing methods, categorized as either Static or Dynamic. Dynamic methods take the current performance of each server into account when choosing a pool member.

This article also explains how the BigIP F5 LTM can balance traffic outside of the aforementioned Static and Dynamic balancing methods.


Static

Round Robin – Evenly distributes requests to all available pool members.
Ratio – Ratio allows each server to be assigned a ratio value. This is useful for pool members that have greater or lower computing resources than others.


Example: Ratio 3:2:1:1. Based upon 8 requests, 3 requests would go to member 1, 2 to member 2, and 1 each to members 3 and 4.


Dynamic

Least Connections – Traffic is sent to the pool member with the fewest current connections.
Fastest – Connections are distributed to pool members based upon server response time.
Observed – This method is the same as Ratio, but the ratio values are assigned by the BigIP. Each ratio is calculated from the total number of connections currently active on each pool member. A pool member with a lower than average connection count is assigned a ratio of 3. A pool member with a higher than average count is given a ratio of 2.

Predictive – Predictive is similar to Observed, but the ratios are assigned using much more aggressive values. A pool member with a lower than average connection count is assigned a ratio of 4. A pool member with a higher than average count is given a ratio of 1.


Additional

Pool Member vs Node

A Node is an IP address, and a Pool Member is an IP:Port combination. Based on this, one IP could host several different applications and be a member of several different pools. For load balancing and health monitoring this matters because, even though a web service (such as tcp/80) may not be busy, another service on the same node, such as SQL, could be. As such, Pool Member based balancing and health monitoring provides a much more effective and logical way in which to distribute traffic.


Priority Group Activation

With priority group activation a backup group of members is defined within a server pool. Both the primary and backup members are assigned priority values, and a priority group activation threshold is defined. When the number of available primary members drops to the pre-configured threshold, the backup group is activated and begins receiving traffic.


Fallback host (HTTP only)

With fallback host an HTTP redirect is configured and sent back to the client in the event that all pool members are offline.
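As an added example (not F5 code), the following Python simulates the balancing methods described in this post together with Priority Group Activation; pool member names, connection counts and response times are constructed, and a full Ratio cycle for 3:2:1:1 is the 3+2+1+1 = 7 requests it takes to honour every member's share.

```python
"""Added example (not F5 code): a simulation of the BIG-IP LTM balancing
methods described above and of Priority Group Activation.

Pool member names, connection counts and response times are constructed.
"""
from collections import Counter

# Ratio values the text gives for the two dynamic-ratio methods:
# (value for members below the average connection count, value for the rest)
DYNAMIC_RATIO_VALUES = {"observed": (3, 2), "predictive": (4, 1)}


def ratio_distribute(ratios, requests):
    """Distribute `requests` across members under the Ratio method.

    `ratios` maps member -> ratio value. Members are visited in order and a
    member is handed a request whenever it still has credit left in the
    current cycle; a cycle is sum(ratios) requests, so 3:2:1:1 yields 3, 2,
    1 and 1 requests over a cycle of seven, and an eighth request starts the
    next cycle at the first member.
    """
    if not any(ratios.values()):
        raise ValueError("at least one member needs a non-zero ratio")
    members, credit = list(ratios), dict(ratios)
    counts, idx = Counter({m: 0 for m in ratios}), 0
    while requests > 0:
        if all(c == 0 for c in credit.values()):   # cycle exhausted: refill
            credit, idx = dict(ratios), 0
        member = members[idx % len(members)]
        idx += 1
        if credit[member] > 0:
            credit[member] -= 1
            counts[member] += 1
            requests -= 1
    return dict(counts)


def least_connections(connections):
    """Least Connections: the member with the fewest current connections."""
    return min(connections, key=connections.get)


def fastest(response_ms):
    """Fastest: the member with the lowest measured response time."""
    return min(response_ms, key=response_ms.get)


def dynamic_ratios(connections, method):
    """Observed / Predictive: derive Ratio values from connection counts.

    Members below the pool's average connection count receive the higher
    value (3 or 4); the others receive the lower one (2 or 1). The text does
    not say how a member exactly at the average is treated, so it is grouped
    with the "not below average" members here.
    """
    below, other = DYNAMIC_RATIO_VALUES[method]
    average = sum(connections.values()) / len(connections)
    return {m: below if c < average else other for m, c in connections.items()}


def active_members(members, threshold):
    """Priority Group Activation.

    `members` maps member -> (priority, available). The highest-priority
    group serves alone while at least `threshold` of its members are up;
    once fewer are available, the next lower priority group is activated
    alongside it, and so on down the priorities.
    """
    active = []
    for prio in sorted({p for p, _ in members.values()}, reverse=True):
        active += [m for m, (p, up) in members.items() if p == prio and up]
        if len(active) >= threshold:
            break
    return active


if __name__ == "__main__":
    pool = {"web1": 3, "web2": 2, "web3": 1, "web4": 1}       # constructed
    print("ratio 3:2:1:1 over 7 requests:", ratio_distribute(pool, 7))
    conns = {"web1": 40, "web2": 12, "web3": 25}              # constructed
    print("least connections:", least_connections(conns))
    print("observed ratios:", dynamic_ratios(conns, "observed"))
    print("predictive ratios:", dynamic_ratios(conns, "predictive"))
    group = {"p1": (10, True), "p2": (10, False), "b1": (5, True)}
    print("active with threshold 2:", active_members(group, 2))
```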


Sample Excel – PIX Firewall Peer Review Log

Posted in Firewalls (75), Sample - IT Spreadsheets - PowerPoints (251) by Guest on January 22nd, 2015


Sample Word – PGP Deployment Guidelines

Posted in Firewalls (75), Projects (400), Security (1500) by Guest on November 7th, 2014

Sample Excel – VPN Questions


Sample WatchGuard Option Profile — Additional Options

Posted in Firewalls (75), Networking (340), Security (1500) by Guest on January 28th, 2014

There are additional options that affect how the service performs host discovery for maps and scans and how the service interacts with your firewall and IPS / IDS configurations. These options appear on the Additional tab when you create or edit an option profile.

The initial settings are best practice in most cases and should only be customized under special circumstances. For example, changing the Host Discovery setting may result in live hosts going undetected, and thus not being scanned for vulnerabilities.

To customize additional options, create a new option profile or edit an existing profile. Then apply the customized profile to on-demand or scheduled map and scan tasks.

Host Discovery

Specify which probes are sent and which ports are scanned during host discovery. This option affects both map and scan tasks. The service pings every target host using ICMP, TCP, and UDP probes and then analyzes the packets sent in response to determine which hosts are “alive”.

Note that by changing the default settings, the service may not detect all live hosts, and hosts that go undetected cannot be scanned for vulnerabilities. These settings should only be customized under special circumstances. For example, to add ports that are not included in the Standard port list, remove probes that will trigger your firewall/IDS, or only discover live hosts that respond to an ICMP ping.

Initial Settings: TCP & UDP – Standard Scan, ICMP – Enabled

Blocked Resources

Specify ports that are blocked and IP addresses that are protected by your firewall/IDS. This option only affects scan tasks. If the scanning process triggers your IDS, then it will likely be firewalled and we won’t be able to continue our search for vulnerabilities on your network. Therefore, we need to know which IPs you have protected and which ports are blocked. This will help us prevent triggering your IDS.

Optionally, if you don’t want a host to be scanned at all, then add the host’s IP address to the excluded hosts list. No scanning traffic, including ICMP, TCP and UDP probes, will be sent to excluded hosts. Configure the list of excluded hosts on the Excluded Hosts Setup page (Setup > Excluded Hosts).

Another method for allowing our scanning engine to probe your network without triggering your firewall/IDS is to add our scanner IP addresses to your firewall/IDS configuration. This list of friendly IPs is commonly known as a white list or exception list. For example, if you are using WatchGuard, add our scanner IP addresses to the “Blocked Sites Exception” list. This list is configured in the System Configuration for the WatchGuard Firebox Vclass series, and in the Policy Manager for the WatchGuard Firebox System series. Refer to your firewall/IDS documentation for specific details on how to configure an exceptions list. You can view a current list of IP addresses for the service’s external scanners on the About page (Help > About).

Note that the “WatchGuard default blocked ports” option is only applicable to the WatchGuard Firebox System series. Setting this option is not necessary if you added our scanner IP addresses to the WatchGuard exception list.

Initial Setting: Disabled

Ignore RST packets

Some filtering devices, such as firewalls, may cause a host to appear “alive” when it isn’t by sending TCP Reset packets using the host’s IP address.

When enabled, all TCP Reset packets are ignored for scan tasks, and TCP Reset packets generated by one or more filtering devices are ignored for map tasks. In other words, hosts will not be detected as being “alive” if the only responses from them are TCP Reset packets that seem to have originated from a filtering device.

Initial Setting: Disabled

Ignore firewall-generated SYN-ACK packets

Some filtering devices, such as firewalls, may cause a host to appear “alive” when it isn’t by sending TCP SYN-ACK packets using the host’s IP address.

When enabled, the service attempts to determine if TCP SYN-ACK packets are generated by a filtering device and ignores all SYN-ACK packets that appear to originate from such devices.

Initial Setting: Disabled

Do not send ACK or SYN-ACK packets during host discovery

Some firewalls are configured to log an event when out-of-state TCP packets are received. Out-of-state TCP packets are not SYN packets and do not belong to an existing TCP session. If your firewall is configured in this manner and you do not want such events logged, then you can enable this option to suppress the service from sending out-of-state ACK and SYN-ACK packets during host discovery for map and scan tasks. If you enable this option and you also enable the “Perform 3-way handshake” option on the Scan tab, then the “Perform 3-way handshake” option takes precedence and this option is ignored.

Initial Setting: Disabled

SPLAT – Nokia Appliances IP / IPSO Security Configuration Standards

Purpose

This document will provide standards for the configuration of Nokia IP Security Appliances.  These standards will provide continuity across the enterprise for all Nokia Appliances. 

Background

Nokia IP Security Appliances are purpose-built security devices deployed at strategic locations throughout Corporate Security to run Check Point Firewall-1. These appliances run a hardened operating system called IPSO, which is a derivative of FreeBSD Unix. It is important to note that some configurations will be device dependent due to differences between the Nokia models.

Interface Configuration

Each configured interface will:

  • Have Link Speed and Duplex Hardcoded
  • Have Autoadvertise and Flow Control disabled

Each unconfigured interface will:

  • Be disabled in the physical and logical configurations 

ARP

Static ARP configurations will be network design dependent.

Transparent Mode/Link Aggregation/FWVPN Tunnels

  • Not Configured 

System Configuration

  • DHCP/DNS: Not Configured

Disk Mirroring

Device Dependent: Disk based systems with two hard drives will have disk mirroring configured.

Optional Disk

Device Dependent: Flash based systems which are purchased with a hard drive will be configured in Hybrid mode with the Optional Disk parameter.

System Failure Notification/Mail Relay

  • Not Configured 

Time

  • All Corporate Security devices are set to GMT 

Host Address

The Host Address will be set to the Management interface of the firewall. 

System Logging

Network Logging:

  • Set to On
  • Primary Log Server: XXX.XXX.XXX.XXX
  • Threshold 0%

Local Logging

  • Set to Off
  • Flush Frequency: 4 Hours 

System Configuration Audit Logs

  • Logging of Transient and Permanent Changes 

System Voyager Audit Logs

  • Enabled 

Core Dump Server

  • Not Configured 

Hostname

The Hostname is configured as part of the initial setup and should not be changed. 

Configuration Sets

Left to default configuration of “initial” 

Job Scheduler

A cron job named Delete_Old_Backups is set to run on the 6th day of each week at 23:00.

Backup/Restore

A backup of the default directories, /config and /var/cron, is set to run on the 6th day of each week at 23:15.

Images

  • Only one IPSO image will be kept on the system  

Packages

  • Only the Check Point and CPInfo packages will be Enabled 

AAA

Authentication of users will be facilitated by the following RADIUS servers:

  • XXX.XXX.XXX.XXX 

SNMP

SNMP v1/v2/v3

Read Only Community String: U4Ria$a

  • Trap Receiver: XXX.XXX.XXX.XXX 

Trap Community String: $Shadow!r3m0N

Traps:

  • Enable linkUp/linkDown traps
  • Enable systemTrapConfigurationChange traps
  • Enable systemTrapConfigurationFileChange traps
  • Enable systemTrapConfigurationSaveChange traps
  • Enable systemTrapNoDiskSpace traps
  • Enable systemTrapDiskFailure traps
  • Enable vrrpTrapNewMaster traps
  • Enable systemFanFailure traps
  • Enable systemOverTemperature traps
  • Enable Authorization traps 

High availability

VRRP

VRRP will be configured using Legacy Mode.

  • Accept Connections to VRRP IPs: Enabled
  • Monitor Firewall State: Enabled
  • Each Clustered Interface will be set as a Monitored Circuit
  • Priority: 100 & 95 on the Primary and Secondary respectively
  • Hello Interval 1
  • VMAC Mode: VRRP
  • Preempt Mode: Enabled
  • Each Cluster Interface will be monitored by all other Cluster Interfaces
  • Priority Delta 10
  • Auto-deactivation: Disabled
  • Authentication: Simple
  • Password:  Firewall Name.Interface Name 
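As an added example (not Nokia IPSO or Check Point code), the following Python works through the Monitored Circuit arithmetic behind the VRRP settings above: the Priority Delta is subtracted once per failed monitored interface, and with Preempt Mode enabled the node advertising the highest effective priority becomes master. Node and interface names and the failure scenarios are constructed; the priorities (100 / 95) and the delta (10) are the standard's own values.

```python
"""Added example (not Nokia IPSO or Check Point code): VRRP Monitored Circuit
arithmetic for the cluster settings in this standard.

Node and interface names and the failure scenarios are constructed; the
priorities (100 / 95), the Priority Delta (10) and Preempt Mode follow the
standard above.
"""

PRIORITY_DELTA = 10

# Constructed cluster interfaces; each is monitored by the VRRP instance on
# every other clustered interface, as the standard requires.
CLUSTER_IFACES = frozenset({"eth-s1p1", "eth-s2p1", "eth-s3p1"})

# node -> (configured priority, interfaces that node's VRRP instance monitors)
NODES = {
    "fw-primary": (100, CLUSTER_IFACES),
    "fw-secondary": (95, CLUSTER_IFACES),
}


def effective_priority(base, monitored, failed):
    """Priority the node actually advertises.

    Monitored Circuit subtracts the Priority Delta once for every monitored
    interface that is down. The result is floored at 0, which in VRRP means
    the node will not act as master.
    """
    down = len(monitored & failed)
    return max(0, base - PRIORITY_DELTA * down)


def elect_master(nodes, failed_by_node, preempt=True, current=None):
    """Return (master, effective priorities) for one failure scenario.

    `failed_by_node` maps node -> set of its interfaces that are down.
    With Preempt Mode enabled (the standard's setting) the node with the
    highest effective priority is master. With it disabled a backup does
    not take over from a live master even when it has the higher priority,
    so an interface failure on the master would not trigger failover.
    """
    eff = {
        name: effective_priority(prio, mon, failed_by_node.get(name, set()))
        for name, (prio, mon) in nodes.items()
    }
    if not preempt and current is not None and eff[current] > 0:
        return current, eff
    # Ties fall back to name order here; real VRRP breaks them on the higher IP.
    return max(sorted(eff), key=eff.__getitem__), eff


def run_scenarios(nodes):
    """The scenarios a reviewer would check against this standard."""
    one_down = {"fw-primary": {"eth-s1p1"}}
    both_down = {"fw-primary": {"eth-s1p1"}, "fw-secondary": {"eth-s1p1"}}
    return {
        "all up": elect_master(nodes, {})[0],
        # delta 10 exceeds the 100 - 95 gap, so one lost interface fails over
        "one primary iface down": elect_master(nodes, one_down)[0],
        # the same interface lost on both sides keeps the primary in charge
        "same iface down on both": elect_master(nodes, both_down)[0],
        # without preempt the degraded primary would keep the role
        "one primary iface down, preempt off": elect_master(
            nodes, one_down, preempt=False, current="fw-primary")[0],
    }


if __name__ == "__main__":
    for scenario, master in run_scenarios(NODES).items():
        print(f"{scenario}: master = {master}")
```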

Security and Access

Users

The following accounts will be created on each Firewall:

  • Fwbackup (Used to pull System Backup files)
  • User1
  • User2
  • User3
  • User4 – 8

Network Access and Services

  • The only Network Access that is enabled is “Allow Admin Network Login”
  • All Services are Disabled 

Voyager Web Access

  • Voyager Web Access is set to:
    • “Require 128 Bit Encryption or Higher”
  • Encryption uses a self-signed 1024-bit X.509 certificate

SSH

  • SSH is enabled to allow SSH v2 only

Routing

  • All routing configuration will be network design dependent.

Traffic Management

  • Not Configured 

Router Services

  • Router Services will be network design dependent

NTP

NTP Masters are:

  • Xxx.Xxx.Xxx.Xxx
  • Xxx.Xxx.Xxx.Xxx

http://www.bestitdocuments.com/Edge_services.html


Sample – Partial Personal Firewall Standard

Posted in Compliances (1300), Firewalls (75), Networking (340) by Guest on April 25th, 2013

IT Client Computing will install the IT approved antivirus software on all workstations, laptop computers and mobile computing devices that access the Corporate network or confidential data, if antivirus software is available. The antivirus software programs will:

  • All desktops and laptops are required to have a malware / spyware application installed and maintained by corporate (such as McAfee, Symantec, Trend, AVG, etc.)
  • General user access on the local host should be restricted to non-administrative accounts to prevent configuration changes and unauthorized software installs / uninstalls
  • Require that virus updates and signatures be updated at least once each day;
  • Centrally record malware signature and program updates to record when updates are installed;
  • Verify that antivirus logs are being generated and that logs are centrally captured to identify potential threats;
  • Confirm that the antivirus program performs a comprehensive scan of removable media, when installed; and
  • If IT approved antivirus software is not available, the system owner is responsible to deploy a mitigating control and obtain approval from the Manager, Security Architecture & Security Assessment Center. 

Malware protection will include the following systems administration controls:

  • All remote or third party systems will be checked for effective malware protection prior to allowing access to Corporate systems, network, or confidential data.
  • The examination of electronic mail attachments, data, and software downloads for malicious code before use on corporate systems.
  • Procedures for users of systems and data to report known malicious software and requirements to prohibit users from disabling malware protection systems. 

Provide user training and awareness to include:

  • Identification of malicious software.
  • Reporting of malicious software.
  • Effective use of antivirus software.
  • Procedures to avoid downloading or receiving malicious software. 
  • Any workstation or laptop computer (to include third party systems) connecting to the Corporate network must have a personal firewall implemented in accordance with the Malware and End Point Protection Standard.
  • Laptop computer personal firewalls must be configured to deny all inbound connections with only the exception of authorized encrypted network protocols and only for use for authorized remote support purposes.
  • Personal firewalls must be configured to restrict inbound and outbound traffic at a minimum of medium protection level.
  • Personal firewalls must be configured to generate and save audit logs.

No unauthorized applications are to be installed on desktops / laptops for any reason unless explicit permission is granted by the Information Security team.

http://www.bestitdocuments.com/Operating_system.html


Sample Word – Firewall Services – Sample Service Specific Permissions

Posted in Firewalls (75), Networking (340), Security (1500) by Guest on February 26th, 2013

Sample Word – Introduction to Network Security Firewalls

Posted in Compliances (1300), Firewalls (75) by Guest on November 28th, 2012

Sample – Firewall Management and Troubleshooting PowerPoint

Posted in Compliances (1300), Firewalls (75) by Guest on November 20th, 2012

Sample – Firewall PowerPoint

Posted in Compliances (1300), Firewalls (75), Security (1500) by Guest on November 19th, 2012

Sample Word – High Level Firewall Policy

Posted in Compliances (1300), Firewalls (75), Policies - Standards (600) by Guest on November 18th, 2012

PowerPoint Firewall Configuration Rules


Sample Word – Policy Firewall Implementation Documentation

Posted in Compliances (1300), Firewalls (75), Policies - Standards (600), Security (1500) by Guest on November 17th, 2012

PowerPoint – Firewall Integration


http://www.bestitdocuments.com/Edge_services.html


Sample – Cloud Services Firewall and VPN Security Standards

This document is provided without warranty; always vet what works best for you and your organization.

Scope

This standard applies to all data, including corporate customer data, whether located at a corporate facility or a third party facility, and whether handled by corporate employees, or corporate contractors, vendors, third party service providers, or their staff or agents.  This standard also applies to all wholly owned and partially owned subsidiaries. 

The guidance in this standard shall be considered the minimum acceptable requirements for the use of Firewalls.  This standard sets forth expectations across the entire organization.  Additional guidance and control measures may apply to certain areas of corporate.  This standard shall not be construed to limit application of more stringent requirements where justified by business needs or assessed risks.  

Firewall Standard

Corporate business functions rely upon the integrity, confidentiality, and availability of its computer systems and the information assets stored within them. Responsibilities and procedures for the management, operation and security of all information processing facilities must be established.  This Standard supports the stated objectives. 

It is the policy of corporate to provide safe, secure systems to its employees, contingent workforce, and other properly authorized persons, for the purpose of enabling and supporting the conduct of business.  Use of systems shall be in conformance with relevant policies, and shall not, whether by intent or mistake, increase the risks to corporate information assets or business functions. 

Roles & Responsibilities

The IT Custodian is responsible for defining and implementing security measures and controls to ensure the system(s)/application(s) are managed and operated in a secure and effective manner. 

The Chief Information Security Officer has overall responsibility for security policy, and in conjunction with the Information Security Department will be responsible for defining, implementing, managing, monitoring and reviewing compliance with the Information Security – Firewall Standard. 

The Information Security Department will assist End Users and IT Custodians in assessing, defining, implementing, managing and monitoring appropriate controls and security measures. 

The Information Security Department will audit and review the adequacy of controls and security measures in place to measure and enforce conformance to this Standard. 


Requirements and Implementations

The Corporate IT Security team has created the following guidelines for selecting the hardware and software, and for configuring and implementing firewalls on the corporate network. Administrators are advised to use this document to maintain the same standards across all corporate offices.

Hardware

  • The hardware for firewalls MUST be based on and specifically designed for firewall and / or VPN applications.
  • Hardware for a VPN appliance MUST specifically be designed for VPN applications and support all IPsec standards.
  • The Firewall and VPN components MUST both support at least 3DES encryption and SHA-1 hashing.
  • The appliances MUST support corporate IPsec certificates.
  • Firewall and VPN appliances MUST support ICMP and SNMP based monitoring:
    • SNMP version 2 and 3 only
    • SNMP must be read only
    • SNMP should only be enabled on the dedicated OOB interface.
  • They should have a dedicated Out Of Band [OOB] interface supplied for administration purposes.
  • The vendor must supply hardware which has fault tolerance options:
    • Redundant power supplies
    • Mirrored hard drives, mirrored ROMs
    • Clustering
  • The vendor must supply hardware which can be deployed in a load balanced configuration.
  • All Tier A through C site firewalls should have console access through a PSTN service.
  • At the time of writing, Juniper Security appliances have been standardized and approved for use within corporate and its subsidiaries.

Software

  • Firewall and VPN applications MUST support stateful inspection.
  • Firewall and VPN applications MUST support centralized administration and logging.
  • Software for a VPN appliance MUST specifically be designed for VPN applications and support all IPsec standards.
  • The Firewall and VPN components MUST both support at least 3DES encryption and SHA-1 hashing.
  • The appliances MUST support corporate IPsec certificates.
  • VPN software must be configured to NOT allow split tunneling as standard.
  • Firewall and VPN software MUST support ICMP and SNMP based monitoring.
    • SNMP monitoring MUST be limited to the sending of traps; no SNMP sets allowed.
    • SNMP version must be at minimum version 2, preferred version 3.
  • Firewall software should support anti-spoofing.
    • Anti-spoofing should be enabled in the absence of a screening router with this same functionality.

Configuration and Administration

  • All firewalls will be a member of the Centralized Firewall Management Infrastructure.
  • All firewall configurations will be kept on the centralized firewall management infrastructure.
  • Configuration management must be done through an encrypted channel.
  • Administration level access to the management interfaces MUST be achieved using two factor methods.
  • Where the firewall does not support two factor authentication through the CLI, the bastion system used to make the connection should support two factor authentication, and access to the CLI interface must be limited to the bastion system only.
  • SNMP monitoring MUST monitor:
    • Session counts
    • Network interface usage
    • Disk usage
    • Memory utilization
    • Processes running
    • Failover status

System Restarts

  • Firewall and VPN appliances must conform to agreed naming and implementation standards.
  • Firewall and VPN rules must conform to agreed naming and implementation standards.
  • Only persons and IP addresses specifically approved by Information Security will be granted Remote Management Console (Password Vault) access to any IT maintained firewalls. As a general guideline, Information Security will require the following:
    • SANS firewall training
    • Vendor specific product training
    • Security Operations account approval
    • Security Engineering account approval
    • Individual's manager approval

The password(s) used to access the Password Vault will comply with the guidelines set forth in the corporate Password and Data Classification policy. 

  • All firewall configurations must be stored centrally in a secure location, with a documented backup procedure.
  • Processes for Change Management MUST include a pre- and post-change backup of the current rule set.
  • The Firewall Change Management process MUST be auditable. All changes must be accounted for and be referenced to an approved Change Request ticket.
  • Management of the firewall should be run from a dedicated Out Of Band [OOB] interface.
  • Where an OOB interface does not exist, management should be run in band, but with access restricted to a dedicated Firewall Administration Workstation.
  • All firewalls should be configured with the GMT time zone to ensure consistent log data.
  • Dedicated Management Workstation:
    • The dedicated administration workstation will be assigned a static IP address.
    • The dedicated workstation WILL be a member of the corporate Active Directory infrastructure; at the time of writing this was the “Enterprise” domain.
    • Terminal Services and Log on Locally access to the firewall administration workstation will be restricted through Active Directory groups to the Firewall Administration Group.
    • A dedicated Firewall Administration Group will exist on the “Enterprise” domain.
    • The Firewall Administration Active Directory group members will be audited quarterly.
    • Group membership will be requested using the current standard for account administration, with an appropriate approvals chain to include Security Engineering, Security Operations Management and the requesting individual's manager.
    • The system accessing the firewall(s) will be properly hardened and physically secured in accordance with IT Standards for Workstations.

Logging

All firewalls and VPNs must log to the respective centralized logging infrastructure.

  • The logging server MUST have disk space to store 6 months of logs on disk.
  • Logs of firewalls and VPNs MUST be stored as defined by the Data Retention Policy.

Appliance Naming Standard

  • All firewall and VPN appliances MUST adhere to the following naming convention:
    • <Site ID>-<function>-<instance>
  • For more information please refer to the corporate DNS Standards document.

 http://www.bestitdocuments.com/IT_Business_solutions.html


Sample Visio – Firewall Distribution Network drawing

Posted in Firewalls (75), Security (1500), Visio Samples - Stencils (457) by Guest on July 20th, 2012


 http://www.bestitdocuments.com/Services.html


Sample Visio – Firewall Partner Business Network Fireproof Internet drawing

Posted in Firewalls (75), Security (1500), Visio Samples - Stencils (457) by Guest on July 19th, 2012

Sample Excel – Firewall Log Management Spreadsheet


Sample Visio – McAfee ePO Firewall Architecture


Firewall Audit Checklist

Security Elements

Review the rule sets to ensure that they follow this order:

  • Anti-spoofing filters (RFC 1918: blocked private addresses, internal addresses appearing from the outside)
  • User permit rules (commonly allowed: HTTP to public web server)
  • Management permit rules (SNMP traps to network management server)
  • Noise drops (discard OSPF / HSRP chatter)
  • Deny and alert (event management)
  • Deny and log (syslog analysis)

Firewalls operate on a first-match basis, so the above structure is important: it ensures that suspicious traffic is kept out rather than inadvertently allowed in because the rules are in the wrong order.
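To make the first-match point concrete, here is an added example (not part of the checklist) that evaluates a constructed rule set against sample packets and audits the rule order against the sequence above; all addresses, rule names and packets are constructed, and "outside" is a hypothetical name for the untrusted interface.

```python
"""Added example (not part of the checklist): a first-match rule evaluator
and an audit check for the rule order the checklist prescribes.

All addresses, rule names and sample packets are constructed; "outside" is
a hypothetical name for the untrusted interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The order the checklist requires, top to bottom.
CHECKLIST_ORDER = ["anti-spoof", "user-permit", "mgmt-permit",
                   "noise", "deny-alert", "deny-log"]
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    name: str
    category: str   # one of CHECKLIST_ORDER
    iface: str      # arrival interface, "*" for any
    src: str        # CIDR
    dst: str        # CIDR
    proto: str      # tcp | udp | *
    dport: int      # 0 for any
    action: str     # permit | drop | deny+alert | deny+log

    def matches(self, pkt):
        return (self.iface in ("*", pkt["iface"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("*", pkt["proto"])
                and self.dport in (0, pkt["dport"]))


def evaluate(rules, pkt):
    """First match wins; a packet no rule matches gets the implicit deny-and-log."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny+log", "implicit-default"


def audit_order(rules):
    """Report every rule that sits below a rule of a later checklist category."""
    findings, deepest = [], 0
    for rule in rules:
        rank = CHECKLIST_ORDER.index(rule.category)
        if rank < deepest:
            findings.append(f"{rule.name} ({rule.category}) appears after "
                            f"{CHECKLIST_ORDER[deepest]} rules")
        deepest = max(deepest, rank)
    return findings


def rule_set(anti_spoof_first=True):
    """Constructed rule set; anti_spoof_first=False reproduces the misordering."""
    anti_spoof = [Rule(f"no-spoof-{net.split('/')[0]}", "anti-spoof", "outside",
                       net, "0.0.0.0/0", "*", 0, "deny+log") for net in RFC1918]
    permits = [
        Rule("web-in", "user-permit", "*", "0.0.0.0/0", "198.51.100.10/32", "tcp", 80, "permit"),
        Rule("snmp-traps", "mgmt-permit", "*", "10.0.0.0/8", "10.1.1.5/32", "udp", 162, "permit"),
    ]
    tail = [
        Rule("hsrp-noise", "noise", "*", "0.0.0.0/0", "224.0.0.2/32", "udp", 1985, "drop"),
        Rule("telnet-alert", "deny-alert", "*", "0.0.0.0/0", "0.0.0.0/0", "tcp", 23, "deny+alert"),
        Rule("cleanup", "deny-log", "*", "0.0.0.0/0", "0.0.0.0/0", "*", 0, "deny+log"),
    ]
    return (anti_spoof + permits + tail) if anti_spoof_first else (permits + anti_spoof + tail)


# Constructed packets: an internal address arriving on the outside interface
# (spoofed) and a genuine Internet client, both aimed at the public web server.
SPOOFED = {"iface": "outside", "src": "10.5.5.5", "dst": "198.51.100.10", "proto": "tcp", "dport": 80}
LEGIT = {"iface": "outside", "src": "203.0.113.7", "dst": "198.51.100.10", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    for label, ordered in (("checklist order", True), ("permit before anti-spoof", False)):
        rules = rule_set(ordered)
        print(label, "-> spoofed:", evaluate(rules, SPOOFED), "legit:", evaluate(rules, LEGIT))
        print("  audit findings:", audit_order(rules) or "none")
```

With the permit rule above the anti-spoofing filters, the spoofed packet is accepted by the web rule before the filter is ever consulted; the audit function flags exactly that displacement.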

Application based firewall 

Ensure that the administrators monitor any attempts to violate the security policy using the audit logs generated by the application level firewall. Alternatively some application level firewalls provide the functionality to log to intrusion detection systems. In such a circumstance ensure that the correct host, which is hosting the IDS, is defined in the application level firewall. 

Ensure that there is a process to keep the set of vulnerabilities checked by the application level firewall current.

Ensure that there is a process to update the software with the latest attack signatures. 

In the event of the signatures being downloaded from the vendors’ site, ensure that it is a trusted site. 

In the event of the signature being e-mailed to the systems administrator, ensure that digital signatures are used to verify the vendor and that the information transmitted has not been modified en-route. 

Review the denied URLs and ensure that they are appropriate, e.g., any URLs to hacker sites should be blocked. In some instances organizations may want to block access to x-rated sites or other harmful sites. As such they would subscribe to sites which maintain listings of such harmful sites. Ensure that the URLs to deny are updated as released by the sites that warn of harmful sites.

Ensure that only authorized users are authenticated by the application level firewall.

Stateful inspection

Review the state tables to ensure that appropriate rules are set up in terms of source and destination IPs, source and destination ports and timeouts.

Ensure that the timeouts are appropriate so as not to give the hacker too much time to launch a successful attack. 

For URLs

  • If a URL filtering server is used, ensure that it is appropriately defined in the firewall software. If the filtering server is external to the organization ensure that it is a trusted source.
  • If the URL is from a file, ensure that there is adequate protection for this file to ensure no unauthorized modifications. 

Ensure that specific traffic containing scripts, ActiveX and Java is stripped prior to being allowed into the internal network.

If filtering on MAC addresses is allowed, review the filters to ensure that it is restricted to the appropriate MACs as defined in the security policy.

Logging  

Ensure that logging is enabled and that the logs are reviewed to identify any potential patterns that could indicate an attack.

Port restrictions  

Service                                   Port Type    Port Number
DNS Zone Transfers                        TCP          53
TFTP Daemon                               UDP          69
Link                                      TCP          87
SUN RPC                                   TCP & UDP    111
BSD UNIX                                  TCP          512 – 514
LPD                                       TCP          515
UUCPD                                     TCP          540
Open Windows                              TCP & UDP    2000
NFS                                       TCP & UDP    2049
X Windows                                 TCP & UDP    6000 – 6255
Small services                            TCP & UDP    20 and below
FTP                                       TCP          21
SSH                                       TCP          22
Telnet                                    TCP          23
SMTP (except external mail relays)        TCP          25
NTP                                       TCP & UDP    37
Finger                                    TCP          79
HTTP (except to external web servers)     TCP          80
POP                                       TCP          109 & 110
NNTP                                      TCP          119
NTP                                       TCP          123
NetBIOS in Windows NT                     TCP & UDP    135
NetBIOS in Windows NT                     UDP          137 & 138
NetBIOS                                   TCP          139
IMAP                                      TCP          143
SNMP                                      TCP          161 & 162
SNMP                                      UDP          161 & 162
BGP                                       TCP          179
LDAP                                      TCP & UDP    389
SSL (except to external web servers)      TCP          443
NetBIOS in Win2k                          TCP & UDP    445
Syslog                                    UDP          514
SOCKS                                     TCP          1080
Cisco AUX port                            TCP          2001
Cisco AUX port (stream)                   TCP          4001
Lockd (Linux DoS Vulnerability)           TCP & UDP    4045
Cisco AUX port (binary)                   TCP          6001
Common high order HTTP ports              TCP          8000, 8080, 8888

http://bestitdocuments.com/Services.html


Notes: Secure Platform – Splat – Operating System Specific

Secure Platform – Splat – Operating System Specific Notes:

ifconfig –a or ifconfig <interface name>

Display the status of the currently active interfaces 

uname -a

Prints information about the current system on the standard output 

netstat – nr

Display kernel routing table 

top

Display real-time statistics, system summary information and tasks 

netstat –i

Display interface in / out / error / drop packets statistics 

uptime

Display the time since last reboot 

vmstat or vmstat <time interval in sec>

Report virtual memory, CPU and I/O statistics, once or repeatedly at the given interval

/bin/date

Display current system date and time

ping <ip address>

Check if the firewall has connectivity 

df -kh

Report file system disk usage 

mount /mnt/cdrom

Mount a cdrom 

ethtool <interface>

Check interface speed / duplex and connectivity 

dmesg or dmesg | more

Display last output of the console 

tail -100 /var/log/messages or tail -f /var/log/messages (view in real time)

Display the last 100 lines of the system log, or follow it as new entries arrive

free

Display amount of free and used memory in the system 

cat /proc/interrupts

Verify how interfaces are balanced across the different IRQ’s 
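Reading /proc/interrupts by eye is error-prone on a multi-core gateway with several NICs, so here is an added example (not from the original notes) that parses it and reports which CPU carries each interface's interrupts and which CPUs serve more than one interface. The /proc/interrupts excerpt is constructed for the example; the IRQ numbers, interface names and counts are not from a real system.

```python
# Constructed /proc/interrupts excerpt (not captured from a real gateway):
# eth0 and eth1 both land on CPU0, eth2 is MSI and spread across all cores.
SAMPLE_PROC_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
  16:   1200345          0          0          0   IO-APIC-fasteoi   eth0
  17:    998812          0          0          0   IO-APIC-fasteoi   eth1
  18:    455012     455100     454990     455200   PCI-MSI-edge      eth2
  19:         0          0          0       1212   IO-APIC-fasteoi   ahci
 NMI:         0          0          0          0   Non-maskable interrupts
"""


def parse_interrupts(text):
    """Return {device: [count per CPU]} for numbered IRQ lines.

    The header row gives the CPU count; architecture counters such as NMI/LOC
    have a non-numeric label and are skipped. The last token is taken as the
    device name, so a shared IRQ listing "eth0, eth1" keeps only the last one."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())
    table = {}
    for line in lines[1:]:
        parts = line.split()
        if len(parts) < ncpu + 2 or not parts[0].endswith(":"):
            continue
        if not parts[0][:-1].isdigit():
            continue
        table[parts[-1]] = [int(x) for x in parts[1:1 + ncpu]]
    return table


def interface_cpu_share(table, prefix="eth"):
    """For each NIC: (index of busiest CPU, fraction of its interrupts that CPU handles)."""
    result = {}
    for dev, counts in table.items():
        if not dev.startswith(prefix):
            continue
        total = sum(counts)
        busiest = max(range(len(counts)), key=counts.__getitem__)
        result[dev] = (busiest, counts[busiest] / total if total else 0.0)
    return result


def find_hot_cpus(table, prefix="eth"):
    """CPUs whose busiest-CPU role is shared by more than one interface."""
    by_cpu = {}
    for dev, (cpu, _) in interface_cpu_share(table, prefix).items():
        by_cpu.setdefault(cpu, []).append(dev)
    return {cpu: devs for cpu, devs in by_cpu.items() if len(devs) > 1}


if __name__ == "__main__":
    table = parse_interrupts(SAMPLE_PROC_INTERRUPTS)
    for dev, (cpu, share) in interface_cpu_share(table).items():
        print(f"{dev}: CPU{cpu} handles {share:.0%} of its interrupts")
    for cpu, devs in find_hot_cpus(table).items():
        print(f"CPU{cpu} is shared by {', '.join(devs)}: consider re-pinning via /proc/irq/<n>/smp_affinity")
```

On a real box run it against the live file (`parse_interrupts(open("/proc/interrupts").read())`); a share near 100% for two busy interfaces on the same CPU is the condition the note above is asking you to look for.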

modprobe usb-storage; mount <device> <mount point>

Mount a USB device

grep admin /etc/scpusers | wc -l

Check whether the admin user is listed in /etc/scpusers (users permitted to use SCP)

echo admin >> /etc/scpusers

Add the admin user to /etc/scpusers so it can transfer files with SCP

swapon -s

Display swap usage summary 

shutdown

Shutdown a SPLAT box 

ip route add <x.x.x.x> via <gw> ; /bin/save_route -save (to make it permanent)

Add a static route 

ip route del <x.x.x.x> via <gw> ; /bin/save_route -save (to make it permanent)

Delete a static route 

arp -an

Show arp entries 

ip route get <x.x.x.x>

Check which route a certain IP will take 

/usr/sbin/dmidecode | awk -F" : " '

Shows the machine's serial number

fw ver

View installed firewall version 

fw stat

View last policy installed on the gateway 

cplic printlic

Display CheckPoint licences installed 

fwaccel stat

Verify SecureXL is enabled 

cpd_sched_config print

List the cpd scheduled tasks and verify that NTP synchronisation is scheduled

cpstop ; cpstart

Restarting the firewall processes 

cat $FWDIR/conf/discntd.if

List the interfaces excluded from cluster monitoring (defined as disconnected)

cphaconf debug_data

Verify the cluster MAC addresses of the cluster interfaces

cphaprob stat

Show the cluster status 

fw ctl get int fw_salloc_total_alloc_limit

Shows the FW kernel memory usage 

fw tab -t connections -s (show) ; fw tab -t connections -x (clear)

Show a summary of the FW connections table; -x flushes it and drops every active connection, so use it only during a maintenance window

cphaprob -i list

List the cluster's critical devices (pnotes) and their state

cphaprob -a if

Show the cluster interfaces and CCP status (run on both members and compare)

fw ctl multik stat

Verify CoreXL is enabled and display multi-kernel statistics

 


Sample Visio – Checkpoint Firewall

 Free Visio document download

High Level Checkpoint Firewall

Checkpoint Firewall

 

Suggested specific ports to block on edge routers and firewalls:

Refer to SANS/FBI Top Twenty List. Blocking these ports is a minimum requirement for perimeter security.


Sample Visio – Configuring Firewalls When Managing Oracle Application Server

If you are using Grid Control to manage instances of Oracle Application Server, there may be other ports that you need to access through a firewall, depending upon your configurations.

For example, when you are monitoring the performance of your Oracle Application Server instance from the Grid Control Console, you can click Administer on the Application Server Home page to display the Application Server Control Console. If the Oracle Application Server target you are monitoring is separated from the Grid Control Console by a firewall, you will need to configure the firewall to allow an HTTP or HTTPS connection through the Application Server Control Console port (usually 1810).

The Agent is secured by a password

To secure the Management Agent of the new Management Service, use the following command:

emctl secure agent <password_to_secure_agent_against_new_mgmt_service> 

Use a text editor to open the Management Agent's emd.properties file and locate the EMD_URL property.

For example: 

EMD_URL=http://managed_host1.corpnet.com:1813/emd/main

Modify the port number in the EMD_URL property so the Management Agent uses a new unused port on the managed host.

For example:

EMD_URL=http://managed_host1.acme.com:1913/emd/main
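Changing the port by hand is easy to get wrong (editing the wrong URL, or picking a port already in use). The script below is an added example, not Oracle's tooling: it rewrites only the port in the EMD_URL line, leaves every other property untouched, and offers a bind test so you can confirm the new port is actually unused before restarting the agent. The emd.properties excerpt is constructed for the example.

```python
import re
import socket
from urllib.parse import urlsplit, urlunsplit

# Constructed emd.properties excerpt (hostnames and ports are illustrative only).
SAMPLE_EMD_PROPERTIES = """\
EMD_URL=http://managed_host1.acme.com:1813/emd/main
REPOSITORY_URL=https://oms_host.acme.com:1159/em/upload/
agentTZRegion=America/New_York
"""

EMD_URL_RE = re.compile(r"^(EMD_URL=)(\S+)$", re.MULTILINE)


def port_is_free(port, host="127.0.0.1"):
    """True if nothing is bound to TCP host:port right now (run on the managed host)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def rewrite_emd_port(text, new_port):
    """Return (new_text, old_port) with only the EMD_URL port changed.

    Privileged ports are refused because the agent does not run as root, and
    a missing EMD_URL is an error rather than a silent no-op."""
    if not 1024 <= new_port <= 65535:
        raise ValueError("new port must be an unprivileged port (1024-65535)")
    m = EMD_URL_RE.search(text)
    if not m:
        raise ValueError("EMD_URL property not found")
    parts = urlsplit(m.group(2))
    new_url = urlunsplit((parts.scheme, f"{parts.hostname}:{new_port}",
                          parts.path, parts.query, parts.fragment))
    new_text = EMD_URL_RE.sub(lambda _: m.group(1) + new_url, text, count=1)
    return new_text, parts.port


if __name__ == "__main__":
    target = 1913  # assumed new port for the example
    if not port_is_free(target):
        raise SystemExit(f"port {target} is already in use on this host")
    updated, old = rewrite_emd_port(SAMPLE_EMD_PROPERTIES, target)
    print(f"EMD_URL port {old} -> {target}")
    print(updated)
```

In practice read the real file ($AGENT_HOME/sysman/config/emd.properties), write the result back, then run the emctl secure agent step above and restart the agent; the bind check only proves the port was free at that instant, so keep the chosen port documented in the firewall change request.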

Free – Document download:

Oracle OMS Visio Drawing

http://www.bestitdocuments.com/IT_Business_solutions.html

 


Sample Word – Firewall Technology Selection Considerations

Posted in Compliances (1300),Firewalls (75),Networking (340),Security (1500) by Guest on the May 24th, 2012

Criteria that could be used to evaluate and compare firewall technologies: 

  • Extent to which a firewall must support and enforce a usage (e.g., Internet) policy
  • Adherence to an existing agency standard that details the specific firewall that should be acquired
  • Existence of a certification or warranty by the vendor to perform in an acceptable manner
  • Traffic volume and connectivity requirements that the firewall must support
  • Specific hardware and software required by the firewall
  • System administrative skills required to support the firewall and what vendor support is available
  • Cost of firewall 

Current performance considerations: 

  • Firewalls range from host-based personal firewalls serving a single user with a simple security policy to network-based enterprise firewalls serving large organizations with complex security policies.
  • The costs can range from around one hundred dollars to over ten thousand dollars.
  • Packet-filtering firewalls tend to be faster than application-level firewalls and consequently tend to have greater throughput and lower latency.
  • Low-end firewall appliances do not require extensive OS expertise, which reduces the support time needed to keep the firewall secure, whereas high-end enterprise firewalls tend to be quite complex and require extensive OS and maintenance expertise.

Free – Document download

More educational details on firewalls

 
