CyberGuard Central Management: Flexible, Secure Operation
A CyberGuard Corporation
White Paper
September 2002
Management Solution Overview
Management Solution Levels
The CyberGuard security gateway can be securely administered locally, remotely and centrally. This offers operational flexibility, both during the introduction of the solution and throughout its operational lifetime.
The integrated nature of the solution allows local management of the device (e.g., node troubleshooting, or configuration for a specific local requirement), which can then be uploaded and distributed throughout the network.
Local Administration: Local administration allows you to administer the firewall from a system using a Web browser.
Secure Remote Management: Centralized control and monitoring of multiple firewalls is available through the secure remote management feature. A separate graphical control panel appears for each CyberGuard firewall. Configurations can easily be compared and coordinated.
Central Management: The central management product provides the capability to configure features and monitor alerts on remote firewalls from one central station, the central manager. To provide for the confidentiality and integrity of configuration files as they are propagated from the firewall manager to the target firewalls, configuration data can be encrypted using one of several optional encryption methods available with the firewall. Encryption methods include: DES 56, Triple DES and CAST-128.
Management Solution Architecture
Using the central manager described above, grouping firewalls enables the firewall security officer to enter configuration changes one time from the firewall manager and then propagate the configuration to the entire group of firewalls simultaneously.
Propagated configurations are stored on each firewall as well as on the manager. Groups can also import the configurations of other groups from the manager. A firewall will attempt to update its configurations upon a reconnection or a reboot. The illustration that follows shows the type of data that is propagated from the manager to the firewalls in a group and the information that is sent back from the firewalls.
Scenario 1: New Node Commissioning Stage
The purpose of this scenario is to provide an overview as to how a new node is established into the network. This demonstration assumes that the network has been established and is operational, which allows us to take advantage of the firewall configuration replication capabilities.
[Illustration: management hierarchy of Management Center 1, Management Center 2 and Management Center 3 serving the PAC, CONUS and EUR regions, each with Regional NOCs and Special NOCs.]
Grouping
The firewall recognizes three distinct types of groups: services groups, firewall groups and central management target groups:
1. A services group is a named set of services.
2. A firewall group is a named set of IP addresses, host, network and other group names.
Services and firewall groups are usually used as sources and destinations in the packet-filtering rules window. They are treated as if each member were listed separately.
3. A central management target group is a named set of one or more firewalls defined as target firewalls in the central management rule window. These firewalls can be listed by host name or IP address.
The first window accessed is the one used to view, add, change, or delete groups or group members. This is used to define target groups and target firewall group members.
To secure the communication between the central manager and the individual firewalls, the central management encryption libraries are installed, and this window is used to configure encryption for groups of target firewalls or individual target firewalls.
From this window we can see that the firewalls are configured as per the grouping identified in the previous section.
Members Page
Use this page of the groups’ window to view, add, change, or delete group members. This page is used to place target firewall members in target groups and to configure encryption for individual target firewalls.
Note: Each target firewall may use the same encryption algorithm but a different set of encryption keys; alternatively, each target firewall may use a different encryption algorithm with a different set of encryption keys, and so on.
This configuration method is recommended as it provides the strongest element of security using encryption.
By having different cryptographic keys associated with each target firewall, you are ensuring that if only one set of keys or a single key is compromised, only one system may become vulnerable rather than all systems in a centrally managed group.
The drawback to this configuration method is that it requires some degree of management for each target firewall, especially if there are a large number of such systems being managed.
Scenario 2: Creation of Security Policy and Maintenance of Integrity
The purpose of this scenario is to set up the packet filtering rules on the firewalls.
The system administrator determines which services to allow into or out of the internal network. Packet-filtering rules define which packets can and cannot pass through the firewall and the specific times during which the rule applies.
Note: The order of packet-filtering rules is significant. When a packet arrives, the network packet-filtering software scans the rules list from top to bottom looking for a rule match, applies the first rule that matches the characteristics of the packet received, and ignores subsequent rules. If no rule matches, the packet is denied.
The packet filtering rules window is used to view, add, change, delete, or prioritize packet-filtering rules.
This screen displays all the rules on the firewall, including the “included” rules such as central management rules. Additional comment lines showing where the included rules begin and end are added to the rules.
The user is prompted for a host in the target group. Selecting a host causes the firewall to contact the host and download all packet-filtering rules, including known “included” rules. This provides distribution of policy for all nominated nodes.
The user can also open multiple instances of the expanded packet-filtering rules window (e.g., one for each accessible target firewall) to view and compare the rules on multiple hosts.
Scenario 3: Creation of Time-Based Rules
There may be operational scenarios where rules need to be applied to the firewall based upon time (e.g., certain access allowed only outside of active hours).
The times page of the packet-filtering rules window is used to specify times for which a packet-filtering rule applies. This provides a graphical way to configure active rule times in half-hour increments, as well as input fields to configure these times in one-minute increments.
Matrix of Days and Times
The matrix of days and times displays the days of the week and the hours of the day (in half-hour increments). Each selectable square in the matrix represents a particular half hour time period of a particular day of the week. You can use your mouse to select times by clicking on one square or dragging over a group of squares. Selected times will appear in blue. Times of less than 30 minutes input through the Start Time and End Time fields will appear in blue-gray.
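The first-match evaluation of Scenario 2 and the weekday/half-hour matrix of Scenario 3, as an added example that is not CyberGuard code. The rule fields, the packet representation and the sample policy are assumptions for illustration; the point is that rule order and the active-time window together decide whether a packet is permitted.

```python
"""First-match packet filter with half-hour time windows.

Added example, not CyberGuard code: models top-to-bottom rule scanning,
first match wins, deny when nothing matches, and a (weekday, half-hour)
active-time matrix. Rule fields and sample policy are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR; "0.0.0.0/0" means any source
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    # Active half-hour slots as (weekday 0=Mon..6=Sun, slot 0..47);
    # an empty set means the rule applies at all times.
    slots: frozenset = field(default_factory=frozenset)

    def active_at(self, when):
        if not self.slots:
            return True
        return (when.weekday(), when.hour * 2 + when.minute // 30) in self.slots

    def matches(self, pkt, when):
        return (self.active_at(when)
                and self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))


def slots_for(days, start_hour, end_hour):
    """Half-hour slots for the given weekdays in [start_hour, end_hour)."""
    return frozenset((d, s) for d in days
                     for s in range(start_hour * 2, end_hour * 2))


def evaluate(rules, pkt, when):
    """Return (action, index of the matching rule); -1 is the implicit deny."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt, when):
            return rule.action, i        # first match wins, later rules ignored
    return "deny", -1                    # no rule matched: packet is denied


# Constructed policy: admin-net SSH only on weekdays 08:00-18:00, then a
# blanket SSH deny, then HTTP from anywhere at any time.
POLICY = [
    Rule("permit", "tcp", "10.1.0.0/16", "192.0.2.10/32", 22,
         slots_for(range(0, 5), 8, 18)),
    Rule("deny", "tcp", "0.0.0.0/0", "192.0.2.10/32", 22),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
]
SSH = {"proto": "tcp", "src": "10.1.5.7", "dst": "192.0.2.10", "dport": 22}
HTTP = {"proto": "tcp", "src": "198.51.100.4", "dst": "192.0.2.10", "dport": 80}
DNS = {"proto": "udp", "src": "198.51.100.4", "dst": "192.0.2.10", "dport": 53}
MONDAY_NOON = datetime(2002, 9, 2, 12, 0)   # 2 Sep 2002 was a Monday
SUNDAY_NOON = datetime(2002, 9, 1, 12, 0)

if __name__ == "__main__":
    print(evaluate(POLICY, SSH, MONDAY_NOON))    # ('permit', 0)
    print(evaluate(POLICY, SSH, SUNDAY_NOON))    # ('deny', 1): window closed
    print(evaluate(POLICY, HTTP, SUNDAY_NOON))   # ('permit', 2)
    print(evaluate(POLICY, DNS, MONDAY_NOON))    # ('deny', -1): implicit deny
```

Swapping the first two rules makes the blanket deny shadow the admin permit, which is the ordering pitfall the note in Scenario 2 warns about.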
Scenario 4: Secure User Identification and Authentication
Accurate and strong user identification and authentication (I&A) is a critical aspect of firewall security. To access the CyberGuard firewall, a user must have a login ID and a method of authentication.
The firewall supports the following methods of identification and authentication:
RADIUS™
Central Authentication
SecurID
SecureNet Key
Users can be configured to use one authentication method for inbound connections and another for outbound connections.
For the highest level of security, accounts on the firewall should be limited to administrative users such as firewall security officers. To achieve this, the firewall supports the following types of users:
Proxy
Firewall Security Officer (FSO)
Firewall Security Monitor (FSM)
Unprivileged
Administrative
The remote authentication dial-in user service (RADIUS) is an IP-based protocol for a network access server (NAS) to communicate with a database server of authorized users. The RADIUS system consists of two parts: an authentication server and client protocols. The RADIUS server also can be adapted to work with third-party security products or proprietary security systems.
RADIUS is also used for central authentication.
Central Authentication
Central authentication allows the firewall to be administered by users who are managed on a central, RADIUS-compliant, authentication server. Central authentication does not require manual configuration of the administrative user on the firewall. After successful authentication at a properly configured RADIUS server, centrally authenticated administrators are automatically added to the firewall user configuration based on properties configured on the RADIUS.
This is a tremendous benefit when managing large numbers of firewalls: the administrator does not need to be preconfigured on every firewall.
Users Window
The window below is used to view, add, change, or delete users. Templates can be created to assign default login IDs and provide a quick method of entering information for more than one user.
Scenario 5: Setting Up Network Protection (TCP SYN Flood)
This scenario describes how the firewall can be configured to protect against known typical exploits.
TCP SYN Flood
The TCP SYN-flood attack is a denial-of-service attack that exploits the TCP connection establishment protocol. The attacker makes connection requests to the victim host using a fake source address. The requests are made on the TCP port that the victim host’s server process is listening on. The connection requests cause TCP SYN segments with the fake source address to be sent to the victim. For each SYN segment received, the victim sends a SYN/ACK segment, and the connection attempt enters the SYN_RCVD state. The connection is put in the connection request queue (backlog) until the final ACK is received to complete the TCP handshake.
The timeout value used by TCP to wait for the final ACK is rather long (usually about 75 seconds) to allow connections to be established over slow links. Because the SYN/ACK segment was sent to a fake host, the connection attempt stays in the backlog until it times out. The backlog is usually quite small; therefore, the backlog for a port can be flooded by a small number of SYNs, and TCP will refuse further connections on that port. Because this attack does not flood a system with continuous connections or volumes of data, the attack is not easy to recognize. Firewalls as well as all internal hosts are typically vulnerable to this attack.
To defend against TCP SYN flood, simply check the box in the packet filtering rules window (see Scenario 2).
The CyberGuard firewall then circumvents these attacks as follows:
1. A client sends a connection request (SYN segment) to a server (firewall or internal).
2. The firewall intercepts the SYN segment and responds to the client with a SYN/ACK segment.
3. The firewall waits the specified timeout period for the return ACK from the client to complete the TCP handshake. If the firewall does not receive a return ACK, it drops the packet. If the firewall receives a return ACK, it establishes a connection with the requested server and forwards the original connection request.
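The three-step interception above, as an added simulation that is not CyberGuard's implementation: a server backlog whose half-open entries expire only after the 75-second timeout, beside a firewall that completes the handshake with the client itself and contacts the server only once the client's ACK has arrived. Backlog sizes, timings and packet counts are constructed for illustration.

```python
"""TCP SYN-flood backlog and SYN-proxy simulation.

Added example, not CyberGuard code. Models a server backlog with a 75 s
half-open timeout and a firewall that answers the SYN itself, forwarding
the request to the server only after the client's ACK. Sizes are assumed.
"""
from dataclasses import dataclass, field

SYN_TIMEOUT = 75.0   # seconds a half-open entry stays in the backlog


@dataclass
class Backlog:
    capacity: int
    half_open: dict = field(default_factory=dict)   # key -> expiry time
    refused: int = 0
    established: int = 0

    def expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, key, now):
        self.expire(now)
        if len(self.half_open) >= self.capacity:
            self.refused += 1          # backlog full: TCP refuses the request
            return False
        self.half_open[key] = now + SYN_TIMEOUT
        return True                    # SYN/ACK sent, entry enters SYN_RCVD

    def on_ack(self, key, now):
        self.expire(now)
        if key in self.half_open:
            del self.half_open[key]
            self.established += 1
            return True
        return False


class SynProxy:
    """Firewall in front of the server: completes the handshake itself first."""
    def __init__(self, server):
        self.server = server
        self.pending = Backlog(capacity=10_000)   # firewall's own, larger table

    def on_syn(self, key, now):
        return self.pending.on_syn(key, now)      # reply SYN/ACK, hold the entry

    def on_ack(self, key, now):
        if not self.pending.on_ack(key, now):
            return False                          # no handshake to complete: drop
        # Client proved reachable: now open the real connection to the server.
        return self.server.on_syn(key, now) and self.server.on_ack(key, now)


def run(spoofed, legit, proxy):
    """Return (legit handshakes completed, server established, server half-open)."""
    server = Backlog(capacity=128)
    front = SynProxy(server) if proxy else server
    for i in range(spoofed):          # spoofed SYNs; no ACK ever comes back
        front.on_syn(("spoofed", i), i * 0.01)
    now = spoofed * 0.01              # well inside the 75 s timeout
    ok = 0
    for i in range(legit):            # genuine clients complete the handshake
        key = ("client", i)
        if front.on_syn(key, now) and front.on_ack(key, now + 0.05):
            ok += 1
        now += 0.1
    return ok, server.established, len(server.half_open)


if __name__ == "__main__":
    print("no proxy :", run(500, 20, proxy=False))   # (0, 0, 128)
    print("SYN proxy:", run(500, 20, proxy=True))    # (20, 20, 0)
```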
Note: Auditing is available for this type of attack.
Scenario 6: Detecting and Alerting of Threats
Monitoring firewall activity is important so you can detect and respond to threats and critical conditions. The firewall can be configured to recognize suspicious and critical events and customize your response to these events. Log regular firewall activities to special files, which can be copied to another directory, or log firewall activities to the syslog so the files can be sent to a remote host or used for centralized auditing. The centralized auditing system reads syslogd messages and can print graphs and tables about the data collected.
Firewall activity can also be archived to a tape device, file system on the firewall, or an FTP server. These archives can be encrypted. WebTrends™ is an optional product from WebTrends Corporation. Used in conjunction with the firewall, WebTrends offers a variety of configurable reports that provide extensive information about firewall activity. Configurable reports that contain information about firewall activity in real time can be established and audit reports containing session information can be generated.
Activity logs can be moved from one directory to another to prevent the files from growing until the disk becomes full. These files can also be processed by CSMART™ (Centralized Solution for Monitoring, Auditing, Reporting, and Tracking) to generate easy-to-read reports.
The firewall is set up using the window shown below, which can be used to view a list of suspicious event types (occurrences that may require attention) and their alert settings; enable or disable alerts; change the alert parameters; and enable or disable logging for activity types (non-threatening occurrences).
Use the alert summary window to monitor alerts and the activity reports window to view alerts and activities log files.
Scenario 7: Fault/Event Management
The CyberGuard solution has the ability to track and respond to activities and alerts generated from more than 100 identifiable system events.
An activity is a non-threatening occurrence and is potentially logged to a file. For example:
Packets permitted
All login attempts
Specific proxy’s activity
An alert is an automatic system reaction that reports a suspicious event. When this arises, the system can be directed specifically to do any of the following:
Write the event record to a window and/or system log file
Log the event record to a secure file
Mail the event record to an existing user at a given mail level
Send a numeric message to a pager telephone number
Send an enterprise-specific SNMP trap to a specified SNMP host address and community
Execute a secure program or script
As well as providing information via the interfaces listed above, information can be presented in the central alert display window. This window is used to monitor alerts on target group owners, target groups, or target firewalls.
The active display area shows target group owners, target groups, and target firewalls and the number of alerts for each. You can display target firewalls by host name or IP address.
Some of the report types available from the system are:
Console Messages: Displays all console messages written to the log driver.
System Information: Displays a number of helpful system reports.
Alert Summary: Displays a summary of suspicious-event types and their associated alert counts.
Activity Reports: Displays an alert file associated with a specified suspicious-event type.
Audit Logs Reports: Generates an audit-log report from a binary audit-log file.
WebTrends Audit Reports (Optional): Provides a variety of configurable reports that provide extensive information about firewall activity.
Configuration History: Displays information about administrator sessions in which firewall configurations are changed.
Central Alert Display (Optional): Monitors alerts on remote target firewalls.
Target Firewall Status (Optional): Displays the current propagation status of a target firewall group.
Scenario 8: Configuration Management
The CyberGuard solution provides a comprehensive configuration management component. This allows the network to be configured, either centrally, or from a device (which can then be distributed). Location specific configurations can be generated by target group, and rules propagated out to all devices within a particular group.
Configuration Comparison
Configurations can be compared between the firewall manager and individual firewalls.
This configuration tracking feature allows system administrators to audit and track changes to the firewall and system configuration. This feature provides a mechanism known as a change ticket or ticket.
A ticket is a user-supplied identifier that helps to distinguish or categorize a session. The ticket is associated with the login session of a firewall administrator and the configuration file modifications made by the administrator. A session is the use of the firewall administrative program (GUI) from login to logout. All changes made to a configuration file during a session are considered a single change to the file.
Modifications are logged in a database, which is maintained by the source code control system (SCCS). SCCS is a UNIX-based system used to store and maintain changes made to the contents of specified files. SCCS can display the changes (deltas) between an older version of a file and its current version, merge those changes, and restore previous changes. For the configuration-tracking feature, SCCS is used to track the changes to system and firewall configuration files.
When enabled, the configuration-tracking feature displays a ticket ID request window at login. The user enters a ticket string and is then challenged with the standard login and authentication window required to access the firewall.
Scenario 9: Application of Known Good Configuration
The save and restore feature allows the administrator to save and restore configuration sets.
Configurations can be saved in their entirety to another directory on the local system, to a directory on a remote system, or to a removable device. The configuration may then be restored as the active configuration or to an alternate directory for viewing.
Save operations can be scheduled as one-time or recurring events. The system handles moving information in any specified directory between the local and a remote machine and to or from the active configuration.
For security purposes, the saved configurations can be encrypted.
The system also allows configurations to be scheduled for backup. The scheduler allows the save operation to take place any time throughout the day, on any number of months, days within months, and days within weeks. The scheduler allows one-time jobs or recurring jobs to be scheduled.
Scenario 10: Performance Analysis
The following reports and message displays are available for the firewall:
Console messages
System information
Alert summary
Activity reports
Audit-logs files
WebTrends audit reports
The CyberGuard firewall management solution can integrate into the WebTrends™ product from WebTrends Corporation. Used in conjunction with the firewall, WebTrends offers a variety of configurable reports that provide extensive information about firewall activity. Configurable reports that contain information about firewall activity in real time can be generated.
The illustration below shows the window listing suspicious event types and allows the user to open their associated files in the activity reports window, configure an audible bell, remove icons indicating recent occurrences of alerts for suspicious event types, or reset the count of alerts.
Scenario 11: Operator Authorization Management
Authorization management adds strong security to the configuration and monitoring of the CyberGuard firewall. This feature provides the ability to require two or more privileged users to completely configure and monitor the firewall and can restrict users’ access to specific windows.
Authorization management has the following features:
Restricts access to GUI features based on user login
Allows the assignment of firewall security officer (FSO) and firewall security monitor (FSM) users to “duties” that allow access to certain administrative tasks
Allows the grouping of windows into duties
Allows windows to be either editable or read-only, based on the duty
Scenario 12: Centralized Management Failover
CyberGuard’s solution provides a mechanism for managers to take over management duties for one another, either for operational “Follow the Sun” models, or in the event of an operation center/system failure.
The backup manager is referred to as the secondary manager. On the secondary manager, the firewall manager being backed up is referred to as the primary manager, and a monitoring manager is a firewall manager that can monitor alerts on firewalls.
The secondary manager can take over the active role of the firewall manager for the primary manager during times when the primary manager is not available, such as during regular system maintenance or a power outage. When the secondary manager takes over, it can configure the primary manager’s target groups. Files can be transferred securely between primary manager and secondary managers.
The illustrations below show the relationship between primary and secondary managers in a failover situation.
Note:
A firewall manager can be a primary manager and a secondary manager at the same time. A firewall manager can be a secondary manager for multiple primary managers. A firewall can be a member of only one group and can have only one firewall manager managing it at any one time.
A firewall manager can monitor the alerts of actively managed and non-actively managed target firewalls.
This means that if you choose to operate three data centers, each can act as a reserve to both of the others – giving a very high level of operational resilience, while protecting the individual firewalls against conflicting operational instructions.
Scenario 13: Network Software Updates
Using the software update feature, firewall administrators can update a system with firewall product software updates (PSUs) or operating system PTFs automatically via a remote download rather than manually via media such as floppy disk, tape, or CD-ROM.
Software update fetches an archive file using the file transfer protocol (FTP), expands the archive, and runs a script to install the PSU.
When run on a firewall, software update assumes the archive file is encrypted unless specifically configured not to. Software update can boot the system into maintenance mode (mUNIX), install any application and kernel patches, and reboot the system into multi-user mode.
Upon completion of this process (successful or unsuccessful), an alert is generated to notify the administrator of the status of the update. If the update is unsuccessful, the system will be returned to the state it was in before the execution of the system update.
The software update feature simplifies the task of updating firewalls because it can run
Fort Lauderdale, Florida 33309
Phone: 954.958.3878
Fax: 954.958.3901
E-mail: [email protected]
CyberGuard Europe Limited
Asmec Centre, Eagle House, The Ring, Bracknell, Berkshire, RG12 1HB, United Kingdom
Phone: +44 (0) 1344 382550
Fax: +44 (0) 1344 382551
E-mail: [email protected]
www.cyberguard.com
Copyright© 2003 by CyberGuard Corporation. All rights reserved. This publication is intended for use with CyberGuard Corporation products by CyberGuard's personnel, customers and end users of CyberGuard's products. It may not be reproduced in any form without the written permission of CyberGuard Corporation.
CyberGuard® is a registered trademark of CyberGuard Corporation. UnixWare® is a registered trademark of Santa Cruz Operations, Inc. All other trademarks are the property of their respective owners.