Firewall Redevelopment Project
Transcript

  • 1. INFORMATION TECHNOLOGY SERVICES DIVISION OF INFORMATION AND ACADEMIC SERVICES Security Project Plan Firewall Redevelopment Prepared by Barry Lynam Network Services 4/04/2001 04:07:00 AM
  • 2. Table of Contents
    1. MANAGEMENT SUMMARY
    2. INTRODUCTION
       2.1. Firewall Technology
       2.2. Configuration Change Management System
       2.3. Intrusion Detection Systems
       2.4. Server Internet Access Request
    3. GOALS AND OBJECTIVES
       3.1. Firewalls
       3.2. Configuration Change Management System
       3.3. Intrusion Detection Systems
       3.4. Server Internet Access Request
    4. RESOURCE REQUIREMENTS
    5. RISK ANALYSIS
    6. TIMELINES
       6.1. Firewall Evaluation
       6.2. Server Internet Access Request system
       6.3. Configuration Change Management System
    7. PROJECT MANAGEMENT APPROACH
    8. COMMUNICATION AND TRAINING STRATEGY
       8.1. New Firewall Installation and Intrusion Detection System
       8.2. Personal Firewall Product
       8.3. Configuration Change Management System
       8.4. Server Internet Access Request
    9. QUALITY ASSURANCE
       9.1. Server Internet Access Request
       9.2. Configuration Change Management System
       9.3. Firewalls
    10. POST IMPLEMENTATION
       10.1. Firewalls
       10.2. Intrusion Detection Systems
       10.3. New Web Based Systems
  • 3.
    1. MANAGEMENT SUMMARY

    Various security audit reports have identified that QUT’s firewall use is not extensive enough. Currently, firewalls are provided on the QUT Network perimeter. It has been suggested that firewalls be deployed internally to separate out corporate systems and also to prevent internal users from exploiting any weakness in systems. This will be investigated and an appropriate solution implemented.

    Our current firewalls are based on FreeBSD. While these systems are still considered good solutions, no formal evaluation was ever performed. The first firewall was introduced as part of the Internet Access Service’s, Plan-B. This was done after a shortcoming in IAS was discovered and a solution was sought urgently. A formal evaluation, selection and implementation of a suitable firewall product will be conducted.

    With the increased use of newer ISP services (for example, cable, ADSL and other “always on” Internet connection technologies) by staff and students to access QUT’s network, there is an increased risk of infiltration via these systems. For these reasons, personal firewalls should also be evaluated.

    It has also been identified that QUT can make more use of the capabilities of the firewalls by keeping extensive logs of activity (both valid accesses and denials of access) through the use of an Intrusion Detection System (IDS). An IDS analyses logs to find the signatures of known attacks and attack methods. It also checks for any suspicious activity using a set of user-defined rules.

    Changes to routers, firewalls, or hosts are currently managed in an ad hoc manner. If a system is suspected of being compromised, it is very important to be able to identify whether the system is correctly configured, that is, whether the current configuration contains only authorised changes. A regimented configuration change management process needs to be implemented.

    2. INTRODUCTION

    2.1. Firewall Technology

    QUT’s current firewall technology consists of two distinct parts.
    • Two PCs running FreeBSD protect the network perimeter. All external traffic for QUT passes through the system.
    • Internally, public access subnets are limited in what protocols pass onto the greater QUT network. Staff subnets are not limited in their access to the QUT network. Security auditors have identified this as a potential security risk.

    As stated earlier, no formal evaluation of firewall technology has been performed. An evaluation of both freeware and commercial products needs to be performed.
  • 4.
    With the growth and availability of high-speed network connections for the home, QUT is open to attack from semi-trusted external hosts. A host on such a network, owned by a member of the QUT community, may be compromised. The user may connect to QUT services via authorised means, but because the host has been previously compromised, hackers may then gain access to other QUT services. For this reason, Personal Firewalls will also be evaluated with a recommendation that the QUT community use the software, particularly where they have an “always on” Internet connection.

    2.2. Configuration Change Management System

    Configuration changes to many of QUT’s systems, including firewalls and routers, need to be documented. The documentation needs to record not only what was actually added or changed, but also why it was added or changed. This is so that later, during problem solving, the trouble-shooter can understand what the change was meant to achieve. It may be discovered at a later date that the changes did not quite achieve the desired effect or had some unknown side effect.

    It is proposed that a new system be implemented to document the current configuration of any system. It will record exactly what change has been made, why it was made, who requested the change, etc. The system would be available to all system administrators working at QUT and be versatile enough to cope with any type of system.

    2.3. Intrusion Detection Systems

    Routers and firewalls are usually capable of logging many events that are currently not retained. This information needs to be collected and analysed. An Intrusion Detection System (IDS) does this. It is proposed that an evaluation of IDS systems be performed. The system should also be easy to configure and maintain. Both freeware and commercial systems need to be considered.

    2.4. Server Internet Access Request

    Currently, if a system administrator requires that their server be accessible via the Internet, and therefore that the firewall rules be modified, they print a form available via the Web, fill it out by hand, and then fax it to Network Management for processing. This processing includes a simple audit of their system and a short phone interview to point out any obvious system configuration problems. This procedure is deficient in many respects, from unreadable faxes causing time delays to the absence of any continual validation of the server.

    It is proposed that a new Web based system be implemented to streamline this process. The new system will use email notifications of new requests for approval. Request data will be stored electronically to allow constant network scanning of the host and potential automated firewall updating, depending on the product selected.
  • 5.
    3. GOALS AND OBJECTIVES

    3.1. Firewalls

    Firewall technology will be evaluated to ensure that QUT is using the most appropriate firewalling technology on its network. When the new technology is deployed, it will ensure that access to QUT systems via the network is much more controlled and appropriate. This deployment will include a more controlled default configuration for both public and staff networks. QUT central corporate systems will also be separately firewalled, and appropriate controls will be placed on research systems.

    The second objective is to provide the QUT community with a recommended Personal Firewall product for home use. The software should be relatively easy to use for non-IT aware staff. It should also interoperate with other QUT networking related software, for example, Virtual Private Network (VPN).

    3.2. Configuration Change Management System

    The objective of this new system is to make it easy to determine the correct configuration of any system, whether host, network equipment, or service. While the system will not keep actual configuration files (this is very system dependent), it will be relatively easy to work out the correctness of a configuration from data held by the system. This will be helpful during system audits, system rebuilds and replacements. Usually this sort of information is kept in some sort of log book; however, this tends not to work effectively, as access to the log book is usually restricted by its location. The new system will hopefully make this situation more manageable.

    3.3. Intrusion Detection Systems

    Intrusion Detection Systems, both freeware and commercial, will be evaluated to choose a system for QUT’s needs. IDS systems are capable of performing log analysis, real time network analysis and host based analysis. The evaluation of IDS should keep all of this in mind and, if possible, recommend a system that is capable of performing all of these. As a minimum, logging on both firewalls and routers will be implemented. The logs should then be analysed for any suspicious activity.

    3.4. Server Internet Access Request

    The specific goal of this system is to create a Web based form that system administrators use to request access from the Internet for services hosted on their server. The backend database will keep this information for each host. The central QUT Firewalls will automatically update their configuration from this database.

    A system administrator fills out the web form, giving details of all services running on the server and indicating which ones need Internet access. The Web form will be accessed via QUT Access passwords to ensure valid requests. An email message will be sent to ITS Security staff informing them of a new request and providing a link that lets them access the new request immediately. They will then perform an audit of the host requiring the access. When the host is deemed sufficiently secure, the ITS staff member will approve the request via the web. The firewalls will then pick up the new host the next time they rebuild their configuration.
  • 6.
    To stop the data from going out of date as servers are replaced, a process will run that checks that a) the host still responds, and b) it is still running the servers that the system was originally told about and none other. Any discrepancy will be reported to the system administrator and ITS security staff for action.

    The firewall configurations will also be checked to ensure validity. An external server will access the database to ensure that no more access is given than is required. It will also scan for any extra host access not in the database and report those to ITS security staff.

    4. RESOURCE REQUIREMENTS

    It is anticipated that this project would take a competent HEWA7 network professional 6 months to complete.

    HEWA7 Network Engineer for 6 months                                          $32 000
    Extra firewall hardware/software, possible Personal Firewall licensing etc   $88 000

    5. RISK ANALYSIS

    As stated previously, as there was no formal evaluation of firewall technology, QUT may be inadequately protected from threats.

    Given the number of users using the QUT network internally, the University is exposing itself to the same threats that the external firewalls are designed to protect against. It is generally acknowledged that there are as many breaches of IT security internally as externally. Therefore more firewalling needs to be implemented internally.

    QUT is also exposing itself to risk by allowing trusted access to its network by QUT staff and students who have high speed, permanent, home network connections. QUT needs to provide guidance to these people in IT security matters and recommend a personal firewall product, or at least a strategy, to manage this risk to an acceptable level.

    Failure to successfully log data passing through the firewall / router could increase the risk that security threats and vulnerabilities are not identified on a timely basis, which, in turn, may result in QUT’s network becoming compromised.

    The risks associated with a lack of change control include the possibility of conflicting rulesets, unwanted side effects, and rules that do not perform the required function.

    There is no monitoring of systems to ensure that firewall rules are still appropriate. Hosts are decommissioned and recommissioned without any thought to the firewall. It is suspected that there are rules in the firewall for hosts that no longer exist. Some hosts have more access than they really need. For example, the current Server Access Request form allows access for five services. Some of these are obsolete.
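The verification process described in section 3.4 (host still responds, runs only the declared services, firewall grants no more than was approved) and the stale-rule risks in section 5 can be sketched as one reconciliation pass. This is an added example, not part of the original plan: the table layout, the finding names, the rule tuples and the sample addresses (documentation range) are all assumptions constructed for illustration.

```python
import sqlite3

# Assumed schema for the request database (not from the plan).
SCHEMA = """
CREATE TABLE declared_service (
    host TEXT NOT NULL, proto TEXT NOT NULL, port INTEGER NOT NULL,
    needs_internet INTEGER NOT NULL,  -- 1 if Internet access was requested
    approved INTEGER NOT NULL,        -- 1 once ITS Security approved it
    PRIMARY KEY (host, proto, port)
)
"""

# Constructed sample data: declared services, scan results, firewall rules.
SAMPLE_ROWS = [
    ("192.0.2.10", "tcp", 22, 0, 1),
    ("192.0.2.10", "tcp", 443, 1, 1),
    ("192.0.2.20", "tcp", 25, 1, 1),
    ("192.0.2.30", "tcp", 80, 1, 1),
]
SAMPLE_SCAN = {  # hosts absent from the scan did not respond
    "192.0.2.10": {("tcp", 22), ("tcp", 443), ("tcp", 3306)},
    "192.0.2.20": {("tcp", 25)},
}
SAMPLE_RULES = [  # inbound allow rules as (host, proto, port)
    ("192.0.2.10", "tcp", 443),
    ("192.0.2.10", "tcp", 22),   # declared, but Internet access not requested
    ("192.0.2.20", "tcp", 25),
    ("192.0.2.30", "tcp", 80),   # host no longer responds
    ("192.0.2.99", "tcp", 21),   # host not in the database
]

def load(conn):
    """Return (declared, internet): per-host sets of (proto, port)."""
    declared, internet = {}, {}
    query = ("SELECT host, proto, port, needs_internet, approved "
             "FROM declared_service")
    for host, proto, port, needs, approved in conn.execute(query):
        declared.setdefault(host, set()).add((proto, port))
        internet.setdefault(host, set())
        if needs and approved:
            internet[host].add((proto, port))
    return declared, internet

def reconcile(declared, internet, scan, rules):
    """List discrepancies between the database, the scan and the rules."""
    findings = []
    for host in sorted(declared):
        if host not in scan:
            findings.append(("host_not_responding", host, None))
            continue
        for svc in sorted(scan[host] - declared[host]):
            findings.append(("undeclared_service", host, svc))
        for svc in sorted(declared[host] - scan[host]):
            findings.append(("declared_service_missing", host, svc))
    for host, proto, port in rules:
        if host not in declared:
            findings.append(("rule_for_unknown_host", host, (proto, port)))
        elif (proto, port) not in internet[host]:
            findings.append(("rule_exceeds_approval", host, (proto, port)))
        elif host not in scan:
            findings.append(("rule_for_dead_host", host, (proto, port)))
    return findings

def run_sample():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO declared_service VALUES (?,?,?,?,?)",
                     SAMPLE_ROWS)
    return reconcile(*load(conn), SAMPLE_SCAN, SAMPLE_RULES)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Each finding maps to a report for the system administrator and ITS security staff; the scan input would come from whatever scanner is in use.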
  • 7.
    6. TIMELINES

    The timelines listed for each of the separate parts of the project are an indication of the time required for a single person working exclusively on the project. It is anticipated that the timelines will need to be reviewed as the investigative phases proceed. The review will be performed by Senior Network Engineer – Security, Team Leader – Network Management, Manager, Network Services and the staff performing the investigations.

    6.1. Firewall Evaluation

    Below is a table describing the basic timeline for the firewall related tasks in this project.

    Stage  Activity                                                                     Expected duration
    1      Investigation
    1.1    Collect product information                                                  2 weeks
    1.2    Decide evaluation criteria including sample set of rules                     1 week
    1.3    Arrange for evaluation units/software                                        1 week
    1.4    Investigate appropriate locations for new firewalls                          2 weeks
    2      Evaluation
    2.1    Evaluate products                                                            4 weeks
    2.2    Purchase new equipment                                                       (Dependent on suppliers)
    2.3    Negotiate with Personal Firewall software suppliers                          (Dependent on suppliers)
    3      Implementation
    3.1    Install, test, configure equipment                                           4 weeks
    3.2    Provide a standard QUT installation procedure for Personal Firewall product  2 weeks
    4      Promotion
    4.1    Publicise new Personal Firewall product                                      2 weeks

    6.2. Server Internet Access Request system

    The following is the timeline for the Server Internet Access Request system.
  • 8.
    Stage  Activity                                                                     Expected duration
    1      Design
    1.1    SQL table definitions                                                        1 week
    1.2    Design HTML form                                                             1 week
    2      Implementation
    2.1    Write and test system. (The system will need to be written to be able to     4 weeks
           integrate with the firewall evaluation.)
    3      Release
    3.1    Release system. (The system can be released before actual integration        1 week
           with new firewalls.)
    3.2    Promote new system                                                           2 weeks

    6.3. Configuration Change Management System

    This is the basic timeline for the creation of the Configuration Change Management System. As this system needs to be more versatile and therefore complex, it will take longer to create.

    Stage  Activity                                                                     Expected duration
    1      Design
    1.1    SQL table definitions                                                        2 weeks
    1.2    Design HTML form                                                             2 weeks
    2      Implementation
    2.1    Write and test system.                                                       6 weeks
    2.2    Create documentation and training material                                   2 weeks
    3      Release
    3.1    Release system.                                                              1 week
    3.2    Promote new system                                                           2 weeks

    7. PROJECT MANAGEMENT APPROACH

    The Manager – Network Services, Team Leader – Network Management and Senior Network Engineer – Security will form a steering committee and meet as required and at least every two months. Senior Network Engineer – Security will provide regular status reports with the assistance of the steering committee and staff involved in the project.

    8. COMMUNICATION AND TRAINING STRATEGY

    The promotion of the various parts of this project will be different depending on the outcome.
  • 9.
    8.1. New Firewall Installation and Intrusion Detection System

    This will be a low-key event, with an article in ITS News for the general population and a presentation at an All CSO Meeting for IT support staff.

    8.2. Personal Firewall Product

    This will be a much more visible promotion. There will be a workshop for IT support staff so that they will be able to answer first line questions from their client base. There will also be promotion to all staff via ITS News and email broadcasts, letting staff know about the situation in which to use the product, that is, if you use an external ISP. Web pages will be provided, similar to the information provided for the Secure External Access Service, SEAS.

    8.3. Configuration Change Management System

    It is anticipated that this system will initially be released for Network Management and Network Operations staff. It will then be released for other IT Services sections to use if they so choose. Sections will get training on its operation if they wish to use it. After a time for bedding down, IT support staff in the University will be made aware of the system and what it does, and be invited to use it if they desire.

    8.4. Server Internet Access Request

    The redeveloped Server Internet Access Request system will be presented at an All CSO meeting. As this part of the project is automating a current manual system, IT support staff are already aware of what the system will do. There are, however, extra functions that will be provided and that will need to be explained. No other promotion will be required.

    9. QUALITY ASSURANCE

    9.1. Server Internet Access Request

    The feedback for this system will come from our IT Support staff client base and from within Network Management. Checking the sometimes illegible details on the faxed form will no longer be necessary. IT Support staff will be able to check the rules for their own servers. They will also be able to check the status of the request.

    It is anticipated that the number of host access rules will be reduced, as the system will check the availability of servers and notify relevant staff if it determines that a server is no longer available. Old hosts will be removed from the firewall rules.

    9.2. Configuration Change Management System

    This is also a system designed to improve the quality of our services by allowing documentation for any system to be accessed by multiple people and to be updated easily. The system will mean that staff no longer have to remember when a system has a different configuration from the norm. There should be a drop in the number of problems caused by configuration errors made during upgrades.
  • 10.
    9.3. Firewalls

    External auditors regularly audit the security of the QUT Network. In the previous two major audits, firewalls have come under a large amount of criticism. Once the redevelopment is done, the next audit should show that the criticisms have been addressed.

    10. POST IMPLEMENTATION

    10.1. Firewalls

    Network Management should constantly review the firewalling methodology and approach as a matter of course. If it is deemed that a new approach needs to be taken, Network Management should, if necessary, put forward a new project proposal.

    10.2. Intrusion Detection Systems

    One of the criteria for evaluation of IDSs will be how the system is kept up to date. The Senior Network Engineer – Security will need to ensure that any signature files are kept updated. This system should not just be left in a constant state. If the system isn’t constantly updated, it becomes worthless as new methods of attack are developed by the hacking community.

    10.3. New Web Based Systems

    The new Web based systems, Configuration Change Management and Server Internet Access Request, will need to be updated as the needs of QUT change. There is a valid argument for the Server Internet Access Request to become part of a Host Management system that would include information about hosts, including its current hardware configuration, installed software, services supplied by different stakeholders, etc. Configuration Change Management could also be a part of that.