firewall policies & vpn configurations



Document information

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE EBOOKS
For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Visit us at www.syngress.com

Firewall Policies and VPN Configurations

Anne Henmi, Technical Editor
Mark Lucas
Abhishek Singh
Chris Cantrell

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY Syngress Publishing, Inc., 800 Hingham Street, Rockland, MA 02370

Firewall Policies and VPN Configurations
Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in Canada
1 2 3 4 5 6 7 8 9 0

ISBN: 1-59749-088-1

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Erin Heffernan
Copy Editor: Judy Eby, Beth Roberts
Technical Editor: Anne Henmi
Indexer: Richard Carlson
Cover Designer: Michael Kavish

Distributed by O'Reilly Media, Inc. in the United States and Canada. For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O'Reilly Media, Inc. The enthusiasm and work ethic at O'Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.
The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O'Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Technical Editor

Anne Henmi is an Information Security Engineer at Securify, Inc. She works with development to contribute to the improvement of the security posture of Securify's products and services. Her specialties include Linux, Secure Shell, public key technologies, penetration testing, and network security architectures. Anne's background includes positions as a Course Developer at Juniper Networks, System Administrator at California Institute of Technology, Principal Security Consultant at SSH Communications Security, and as an Information Security Analyst at VeriSign, Inc.

Contributing Authors

Mark J. Lucas (MCSE and GIAC Certified Windows Security Administrator) is a Senior System Administrator at the California Institute of Technology. Mark is responsible for the design, implementation, and security of high availability systems such as Microsoft Exchange servers, VMWare ESX hosted servers, and various licensing servers. He is also responsible for the firewalls protecting these systems. Mark has been in the IT industry for 10 years. This is Mark's first contribution to a Syngress publication. Mark lives in Tujunga, California with his wife Beth, and the furry, four-legged children, Aldo, Cali, Chuey, and Emma.

Chris Cantrell is a Presales System Engineer for Riverbed Technology, the leading pioneer in the wide-area data services (WDS) market. Before joining Riverbed, Chris spent 8 years focusing on network security and intrusion prevention. He has held various management and engineering positions with companies such as Network Associates, OneSecure, NetScreen, and Juniper Networks. Chris was a contributing author for Configuring Netscreen Firewalls (ISBN: 1-93226-639-9), published by Syngress Publishing in 2004. Chris lives in Denver, Colorado with his loving and supportive wife, Maria, and their two children, Dylan and Nikki.

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is an IT Project Leader and Systems Manager at the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Windows 2000 and 2003 Active Directory design and implementation, troubleshooting, and security topics. Laura has more than a decade of experience with Windows computers; her previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She is a contributor to the TechTarget family of Web sites, and to Redmond Magazine (formerly Microsoft Certified Professional Magazine). Laura has previously contributed to the Syngress Windows Server 2003 MCSE/MCSA DVD Guide & Training System series as a DVD presenter, author, and technical reviewer, and is the author of the Active Directory Consultant's Field Guide (ISBN: 1-59059-492-4) from APress. Laura is a three-time recipient of the prestigious Microsoft MVP award in the area of Windows Server: Networking. Laura graduated with honors from the University of Pennsylvania and also works as a freelance writer, trainer, speaker, and consultant.

Abhishek Singh works as a security researcher for Third Brigade, a Canadian-based information security company. His responsibilities include analysis, deep packet inspection, reverse engineering, writing signatures for various protocols (DNS, DHCP, SMTP, POP, HTTP, and VOIP), zero day attacks, Microsoft Tuesday critical, and vulnerabilities. In information security, Abhishek likes to research intrusion detection/prevention systems, firewalls, two factor authentication, wireless security, cryptography, and virtual private networks. He has an invention disclosure in firewalls and holds one patent in two factor authentication. The patent involves secure authentication of a user to a system and secure operation thereafter. In cryptography, he has proposed an algorithm in learning theory which uses Context Free Grammar for the generation of one-time authentication identity. One-time authentication identity generates one-time passwords, disposable SSNs, and disposable credit card numbers. To prevent high-bandwidth and malicious covert channels, he has proposed enforcing semantic consistency in the unused header fields of TCP/IP, UDP, and ICMP packets. Abhishek's research findings in the field of compiler, computer networks, mobile agents, and artificial neural networks have been published in premier conferences and journals. He holds a B.Tech. in Electrical Engineering from IIT-BHU, a Master of Science in Computer Science and in Information Security from the College of Computing Georgia Tech. While pursuing his education, he was employed with Symantec Corporation as a Senior Software Engineer and has worked on a consulting project for Cypress Communication, which won third prize at the 2004 Turn Around Management Competition. He was also employed with VPN Dynamics and with Infovation Inc. Presently he lives in Bangalore with his lovely wife, Swati.

James McLoughlin (CISSP, CCSP, CCSE) is a security engineer for Lan Communications, an Irish integrator/reseller. He is currently working towards achieving his CCIE in Security, and has over a decade of experience in the security field. James lives in Dublin, Ireland.

Susan Snedaker (MBA, BA, MCSE, MCT, CPM) is Principal Consultant and founder of VirtualTeam Consulting, LLC (www.virtualteam.com), a consulting firm specializing in business and technology consulting. The company works with companies of all sizes to develop and implement strategic plans, operational improvements and technology platforms that drive profitability and growth. Prior to founding VirtualTeam in 2000, Susan held various executive and technical positions with companies including Microsoft, Honeywell, Keane, and Apta Software. As Director of Service Delivery for Keane, she managed 1200+ technical support staff delivering phone and email support for various Microsoft products including Windows Server operating systems. She is author of How to Cheat at IT Project Management (Syngress Publishing, ISBN: 1-597490-37-7), The Best Damn Windows Server 2003 Book Period (Syngress Publishing, ISBN: 1-931836-12-4) and How to Cheat at Managing Windows Small Business Server 2003 (Syngress, ISBN: 1-932266-80-1). She has also written numerous technical chapters for a variety of Syngress Publishing books on Microsoft Windows and security technologies and has written and edited technical content for various publications. Susan has developed and delivered technical content from security to telephony, TCP/IP to WiFi, CIW to IT project management and just about everything in between (she admits a particular fondness for anything related to TCP/IP). Susan holds a master's degree in business administration and a bachelor's degree in management from the University of Phoenix. She also holds a certificate in advanced project management from Stanford University. She holds Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT) certifications. Susan is a member of the Information Technology Association of Southern Arizona (ITASA) and the Project Management Institute (PMI).

Contents (preview excerpt; fragments appear in the order the preview shows them, with [...] marking gaps)

[...]  59
Writing Logical Security Configurations  60
Logical Security Configuration: Firewall  60
General Security for Firewall Configurations  61
Access Policies for Firewall Configurations  63
Logical Security Configuration: VPN  64
Best Security Practices for VPN Configurations  64
Who Needs Remote Access?  65
[...]
Part III VPN Concepts  209
Chapter 5 Defining a VPN  211
Introduction  212
What Is a VPN?  212
VPN Deployment Models  213
VPN Termination at the Edge Router  214
VPN Termination at the Corporate Firewall  215
VPN Termination at a Dedicated VPN Appliance ...
[...]  65
Access Policies for VPN Configurations  66
Summary  67
Solutions Fast Track  67
Frequently Asked Questions  69
Part II Firewall Concepts  71
Chapter 3 Defining a Firewall  73
Introduction  74
Why Have Different Types of Firewalls? ...
[...]

[...]work Policies and Procedures

Infrastructure policies and procedures touch on the day-to-day operations of the IT staff, including the way security is monitored (auditing functions, log files, password policies, alerts) and how it is maintained (backups, updates, upgrades). Policies regarding user behavior are also crucial to ensuring that the network infrastructure remains safe. Finally, corporate policies ...

[...]  391
Using netstat on Windows XP  392
Employing a Firewall in a SOHO Environment  395
Host-Based Firewall Solutions  395
Introducing the SOHO Firewall Case Study  396
Assessing Needs  396
Defining the Scope of the Case Study  397
Designing the SOHO Firewall  397
Determining the Functional Requirements ...
[...]  41
Summary  42
Solutions Fast Track  43
Frequently Asked Questions  44
Chapter 2 Using Your Policies to Create Firewall and VPN Configurations  47
Introduction  48
What Is a Logical Security Configuration?  49
Planning Your Logical Security Configuration ...
[...]  116
Chapter 4 Deciding on a Firewall  123
Introduction  124
Appliance/Hardware Solution  124
Basic Description  124
Hardware  124
Hardware-based Firewalls  125
PIX  126
Juniper NetScreen Firewalls  143
SonicWALL ...
[...]  299
Summary  301
Solutions Fast Track  302
Frequently Asked Questions  303
Part IV Implementing Firewalls and VPNs (Case Studies)  305
Chapter 7 IT Infrastructure Security Plan  307
Introduction  308
Infrastructure Security Assessment ...
[...] Topology  217
Star Topology  218
Hub-and-Spoke Topology  219
Remote Access Topology  220
Pros of VPN  221
Cons of VPN  221
Public Key Cryptography  221
PKI  222
Certificates ...
[...]  262
Solutions Fast Track  262
Frequently Asked Questions  264
Chapter 6 Deciding on a VPN  267
Introduction  268
VPN Types  269
IPsec  269
PPTP  270
L2TP ...

Posted: 25/03/2014, 11:15

Table of contents

  • Firewall Policies and VPN Configurations

    • Contents

    • Part I Security Policy

      • Chapter 1 Network Security Policy

        • Introduction

        • Defining Your Organization

        • Different Access for Different Organizations

        • Untrusted Networks

        • Chapter 2 Using Your Policies to Create Firewall and VPN Configurations

          • Introduction

          • What Is a Logical Security Configuration?

          • Planning Your Logical Security Configuration

          • Writing Logical Security Configurations

          • Part II Firewall Concepts

            • Chapter 3 Defining a Firewall

              • Introduction

              • Why Have Different Types of Firewalls?

              • Back to Basics—Transmission Control Protocol/Internet Protocol

              • Firewall Types

              • Application Proxy

              • Gateway

              • Chapter 4 Deciding on a Firewall

                • Introduction

                • Appliance/Hardware Solution

                • Software Solutions

                • Part III VPN Concepts

                  • Chapter 5 Defining a VPN

                    • Introduction

                    • What Is a VPN?
