Security Rules and ACL Configuration
- logical network segment can be established using a physical or virtual LAN
- switching topology mapped to IP subnets
- traffic between segments must be routed
- firewall can be deployed to filter traffic entering or leaving a segment
- security rules for what traffic is permitted are configured as access control lists (ACL)
- ACLs are guided by principle of least access
- similar to principle of least privilege
- allow only the minimum amount of traffic required for the operation of network services permitted on the network segment
- rules are processed from top to bottom
- if traffic matches a rule that allows the packet
- it is allowed to pass
- if traffic matches a rules that blocks the packet
- it is dropped
- once a rule is matched, it stops processing rules
- most specific rules are placed at the top
- if traffic matches a rule that allows the packet
- implicit deny is when traffic not matching any rule is blocked by default
- explicit deny is a rule configured manually to block any traffic not matched by previous rules
- added at end of ACL
- Each rule can specify whether to block or allow traffic based on parameters
- referred to as a tuple
- e.g., rule with 5 params is a 5-tuple
- can configure rules to log matches
- log-only rules are used for testing new rules
- ACLs are guided by principle of least access
- security rules for what traffic is permitted are configured as access control lists (ACL)
Stateful vs Stateless ACL
- most firewalls apply stateful rules
- e.g., stateful firewall differentiates between new and established connections
- rule can allow a connection and its subsequent replies
- but not allow that server to create new connections
- rule can allow a connection and its subsequent replies
- to apply stateful rules, firewall needs to support state tables
- e.g., stateful firewall differentiates between new and established connections
- if firewall is stateless
- an explicit rule needs to be configured for the replies
Basic ACL Principles
- Block incoming requests from internal or private IP addresses (that have obviously been spoofed).
- Block incoming requests from protocols that should only function at a local network level, such as ICMP, DHCP, or routing protocol traffic.
- Use penetration testing to confirm the configuration is secure.
- Log access attempts and monitor the logs for suspicious activity.
- Take the usual steps to secure the hardware on which the firewall is running and use the management interface.
Managing Rules
Configuration Errors
Shadowed rule is a firewall rule that will never be executed because of its placement in the rule base.
- e.g., when a broader more general rule allows access and thus a smaller more specific rule that denies access doesn’t apply
- to fix, reorder the rule base such that the more specific rule is above the shadowing rule
Promiscuous rules allow more access than necessary.
Orphaned rules allow access to decommissioned systems and services.
- this is an issue because a new system may be provisioned that uses the same IP address and thus may reactivate this unwanted rule