www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE EBOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at for more information.

Visit us at
398_FW_Policy_FM.qxd 8/29/06 9:29 AM Page i
Firewall Policies and VPN Configurations

Anne Henmi, Technical Editor
Mark Lucas
Abhishek Singh
Chris Cantrell
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 78GHTYPM99
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Firewall Policies and VPN Configurations
Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in Canada
1 2 3 4 5 6 7 8 9 0

ISBN: 1-59749-088-1

Publisher: Andrew Williams
Acquisitions Editor: Erin Heffernan
Technical Editor: Anne Henmi
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Judy Eby, Beth Roberts
Indexer: Richard Carlson

Distributed by O’Reilly Media, Inc. in the United States and Canada.

For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email or fax to 781-681-3585.
Acknowledgments
Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Technical Editor
Anne Henmi is an Information Security Engineer at Securify, Inc. She works with development to contribute to the improvement of the security posture of Securify’s products and services. Her specialties include Linux, Secure Shell, public key technologies, penetration testing, and network security architectures. Anne’s background includes positions as a Course Developer at Juniper Networks, System Administrator at California Institute of Technology, Principal Security Consultant at SSH Communications Security, and as an Information Security Analyst at VeriSign, Inc.
Contributing Authors

Mark J. Lucas (MCSE and GIAC Certified Windows Security Administrator) is a Senior System Administrator at the California Institute of Technology. Mark is responsible for the design, implementation, and security of high availability systems such as Microsoft Exchange servers, VMWare ESX hosted servers, and various licensing servers. He is also responsible for the firewalls protecting these systems. Mark has been in the IT industry for 10 years. This is Mark’s first contribution to a Syngress publication. Mark lives in Tujunga, California with his wife Beth, and the furry, four-legged children, Aldo, Cali, Chuey, and Emma.
Chris Cantrell is a Presales System Engineer for Riverbed Technology, the leading pioneer in the wide-area data services (WDS) market. Before joining Riverbed, Chris spent 8 years focusing on network security and intrusion prevention. He has held various management and engineering positions with companies such as Network Associates, OneSecure, NetScreen, and Juniper Networks. Chris was a contributing author for Configuring Netscreen Firewalls (ISBN: 1-93226-639-9), published by Syngress Publishing in 2004.

Chris lives in Denver, Colorado with his loving and supportive wife, Maria, and their two children, Dylan and Nikki.
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is an IT Project Leader and Systems Manager at the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Windows 2000 and 2003 Active Directory design and implementation, troubleshooting, and security topics. Laura has more than a decade of experience with Windows computers; her previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She is a contributor to the TechTarget family of Web sites, and to Redmond Magazine (formerly Microsoft Certified Professional Magazine).

Laura has previously contributed to the Syngress Windows Server 2003 MCSE/MCSA DVD Guide & Training System series as a DVD presenter, author, and technical reviewer, and is the author of the Active Directory Consultant’s Field Guide (ISBN: 1-59059-492-4) from APress. Laura is a three-time recipient of the prestigious Microsoft MVP award in the area of Windows Server—Networking. Laura graduated with honors from the University of Pennsylvania and also works as a freelance writer, trainer, speaker, and consultant.
Abhishek Singh works as a security researcher for Third Brigade, a Canadian-based information security company. His responsibilities include analysis, deep packet inspection, reverse engineering, writing signatures for various protocols (DNS, DHCP, SMTP, POP, HTTP, and VOIP), zero-day attacks, and Microsoft Tuesday critical vulnerabilities.

In information security, Abhishek likes to research intrusion detection/prevention systems, firewalls, two-factor authentication, wireless security, cryptography, and virtual private networks. He has an invention disclosure in firewalls and holds one patent in two-factor authentication. The patent involves secure authentication of a user to a system and secure operation thereafter. In cryptography, he has proposed an algorithm in learning theory which uses Context Free Grammar for the generation of one-time authentication identity. One-time authentication identity generates one-time passwords, disposable SSNs, and disposable credit card numbers. To prevent high-bandwidth and malicious covert channels, he has proposed enforcing semantic consistency in the unused header fields of TCP/IP, UDP, and ICMP packets. Abhishek’s research findings in the fields of compilers, computer networks, mobile agents, and artificial neural networks have been published in premier conferences and journals.

He holds a B.Tech. in Electrical Engineering from IIT-BHU, and a Master of Science in Computer Science and in Information Security from the College of Computing, Georgia Tech. While pursuing his education, he was employed with Symantec Corporation as a Senior Software Engineer and has worked on a consulting project for Cypress Communication, which won third prize at the 2004 Turn Around Management Competition. He was also employed with VPN Dynamics and with Infovation Inc.

Presently he lives in Bangalore with his lovely wife, Swati.
James McLoughlin (CISSP, CCSP, CCSE) is a security engineer for Lan Communications, an Irish integrator/reseller. He is currently working towards achieving his CCIE in Security, and has over a decade of experience in the security field.

James lives in Dublin, Ireland.
Susan Snedaker (MBA, BA, MCSE, MCT, CPM) is Principal Consultant and founder of VirtualTeam Consulting, LLC (www.virtualteam.com), a consulting firm specializing in business and technology consulting. The company works with companies of all sizes to develop and implement strategic plans, operational improvements and technology platforms that drive profitability and growth. Prior to founding VirtualTeam in 2000, Susan held various executive and technical positions with companies including Microsoft, Honeywell, Keane, and Apta Software. As Director of Service Delivery for Keane, she managed 1200+ technical support staff delivering phone and email support for various Microsoft products including Windows Server operating systems. She is author of How to Cheat at IT Project Management (Syngress Publishing, ISBN: 1-597490-37-7), The Best Damn Windows Server 2003 Book Period (Syngress Publishing, ISBN: 1-931836-12-4) and How to Cheat at Managing Windows Small Business Server 2003 (Syngress, ISBN: 1-932266-80-1). She has also written numerous technical chapters for a variety of Syngress Publishing books on Microsoft Windows and security technologies and has written and edited technical content for various publications. Susan has developed and delivered technical content from security to telephony, TCP/IP to WiFi, CIW to IT project management and just about everything in between (she admits a particular fondness for anything related to TCP/IP).

Susan holds a master’s degree in business administration and a bachelor’s degree in management from the University of Phoenix. She also holds a certificate in advanced project management from Stanford University. She holds Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Trainer (MCT) certifications. Susan is a member of the Information Technology Association of Southern Arizona (ITASA) and the Project Management Institute (PMI).
Jennifer Davis is a senior system administrator with Decru, a Network Appliance company. Decru develops storage security solutions that help system administrators protect data. Jennifer specializes in scripting, systems automation, integration and troubleshooting, and security administration.

Jennifer is a member of USENIX, SAGE, LoPSA, and BayLISA. She is based in Silicon Valley, California.
Contents

Part I Security Policy ... 1
Chapter 1 Network Security Policy ... 3
  Introduction ... 4
  Defining Your Organization ... 6
  Information Criticality ... 8
  Impact Analysis ... 9
  System Definitions ... 10
  Information Flow ... 10
  Scope ... 10
  People and Process ... 10
  Policies and Procedures ... 12
  Organizational Needs ... 12
  Regulatory/Compliance ... 12
  Establishing Baselines ... 13
  Addressing Risks to the Corporate Network ... 14
  Drafting the Network Security Policy ... 15
  Introduction ... 17
  Guidelines ... 17
  Standards ... 17
  Procedures ... 18
  Deployment ... 19
  Enforcement ... 19
  Modifications or Exceptions ... 19
  Different Access for Different Organizations ... 19
  Trusted Networks ... 20
  Defining Different Types of Network Access ... 21
398_FW_Policy_TOC.qxd 8/28/06 11:11 AM Page xiii
  Untrusted Networks ... 23
  Identifying Potential Threats ... 25
  Using VPNs in Today’s Enterprise ... 26
  The Battle for the Secure Enterprise ... 26
  External Communications (also see “Remote Access”) ... 28
  DMZ Concepts ... 29
  Traffic Flow Concepts ... 33
  Networks with and without DMZs ... 36
  Pros and Cons of DMZ Basic Designs ... 37
  DMZ Design Fundamentals ... 38
  Why Design Is So Important ... 39
  Designing End-to-End Security for Data Transmission between Hosts on the Network ... 40
  Traffic Flow and Protocol Fundamentals ... 40
  Making Your Security Come Together ... 41
  Summary ... 42
  Solutions Fast Track ... 43
  Frequently Asked Questions ... 44
Chapter 2 Using Your Policies to Create Firewall and VPN Configurations ... 47
  Introduction ... 48
  What Is a Logical Security Configuration? ... 49
  Planning Your Logical Security Configuration ... 50
  Identifying Network Assets ... 51
  Profiling Your Network Assets ... 52
  What Are Security Areas? ... 54
  Implied Security Areas ... 54
  Enforcement Points ... 56
  Creating Security Areas ... 56
  Assigning Network Assets to Security Areas ... 57
  Security Area Risk Rating ... 58
  Users and User Groups ... 59
  Writing Logical Security Configurations ... 60
  Logical Security Configuration: Firewall ... 60
  General Security for Firewall Configurations ... 61
  Access Policies for Firewall Configurations ... 63
  Logical Security Configuration: VPN ... 64
  Best Security Practices for VPN Configurations ... 64
  Who Needs Remote Access? ... 65
  Access Policies for VPN Configurations ... 66
  Summary ... 67
  Solutions Fast Track ... 67
  Frequently Asked Questions ... 69
Part II Firewall Concepts ... 71
Chapter 3 Defining a Firewall ... 73
  Introduction ... 74
  Why Have Different Types of Firewalls? ... 74
  Physical Security ... 74
  Network Security ... 75
  Attacks ... 77
  Recognizing Network Security Threats ... 77
  Recreational Hackers ... 78
  Profit-motivated Hackers ... 79
  Vengeful Hackers ... 81
  Hybrid Hackers ... 82
  Back to Basics—Transmission Control Protocol/Internet Protocol ... 83
  TCP/IP Header ... 85
  IP Addresses ... 85
  TCP/UDP Ports ... 91
  Data Packet ... 94
  Firewall Types ... 98
  Application Proxy ... 99
  Pros ... 100
  High Security ... 101
  Refined Control ... 101
  Cons ... 101
  Slower Network Performance ... 101
  Update Schedule Governed by Vendors ... 101
  Limited Control, Depending on Vendor ... 101
  Gateway ... 103
  Packet Filters ... 103
  Technical Description ... 104
  Pros ... 106
  Cons ... 106
  Stateful Inspection ... 107
  Technical Description ... 107
  Pros ... 112
  Cons ... 112
  Summary ... 114
  Solutions Fast Track ... 115
  Frequently Asked Questions ... 116
Chapter 4 Deciding on a Firewall ... 123
  Introduction ... 124
  Appliance/Hardware Solution ... 124
  Basic Description ... 124
  Hardware ... 124
  Hardware-based Firewalls ... 125
  PIX ... 126
  Juniper NetScreen Firewalls ... 143
  SonicWALL ... 157
  Nokia Hardened Appliances ... 170
  Others ... 175
  Software Solutions ... 175
  Basic Description ... 175
  Hardware Platform ... 176
  Harden the OS ... 176
  Keep Up With OS Patches and Firewalls ... 178
  Examples ... 179
  CheckPoint FW-1 ... 179
  IPtables ... 186
  Microsoft Internet Security and Acceleration (ISA) Server ... 193
  Summary ... 200
  Solutions Fast Track ... 204
  Frequently Asked Questions ... 206
Part III VPN Concepts ... 209
Chapter 5 Defining a VPN ... 211
  Introduction ... 212
  What Is a VPN? ... 212
  VPN Deployment Models ... 213
  VPN Termination at the Edge Router ... 214
  VPN Termination at the Corporate Firewall ... 215
  VPN Termination at a Dedicated VPN Appliance ... 215
  Topology Models ... 217
  Meshed Topology ... 217
  Star Topology ... 218
  Hub-and-Spoke Topology ... 219
  Remote Access Topology ... 220
  Pros of VPN ... 221
  Cons of VPN ... 221
  Public Key Cryptography ... 221
  PKI ... 222
  Certificates ... 223
  CRLs ... 223
  IPSec ... 224
  Internet Key Exchange ... 228
  Security Associations ... 231
  Pros of IPSec ... 234
  Cons of IPSec ... 235
  SSL VPNs ... 236
  Technical Description ... 237
  First Phase ... 238
  Second Phase ... 238
  Third Phase ... 239
  SSL Tunnels in Linux ... 239
  Pros ... 242
  Cons ... 243
  Layer 2 Solutions ... 244
  L2TP ... 244
  PPTP versus L2TP ... 245
  Technical Description for MPLS ... 246
  Pros ... 248
  Cons ... 248
  SSH Tunnels ... 249
  Technical Description ... 250
  SSH Tunnel in Linux ... 253
  SSH Tunnel in Windows ... 254
  Pros ... 256
  Cons ... 257
  Others ... 257
  Technical Description ... 259
  Pros ... 261
  Cons ... 261
  Summary ... 262
  Solutions Fast Track ... 262
  Frequently Asked Questions ... 264
Chapter 6 Deciding on a VPN ... 267
  Introduction ... 268
  VPN Types ... 269
  IPsec ... 269
  PPTP ... 270
  L2TP ... 270
  SSL ... 270
  Appliance/Hardware Solution ... 271
  Basic Description ... 271
  Own Hardware ... 271
  Specialized Operating System ... 272
  Examples of Appliance Hardware Solutions ... 272
  Juniper SSL VPN ... 272
  F5 ... 276
  SonicWALL ... 279
  Aventail ... 283
  Cisco ... 284
  Nortel ... 288
  Software Solutions ... 290
  Basic Description ... 291
  Hardware Platform ... 291
  You Need to Harden the OS ... 292
  Examples ... 296
  Openswan ... 296
  OpenBSD ... 297
  CheckPoint ... 298
  Microsoft ... 298
  SSL Explorer ... 299
  Summary ... 301
  Solutions Fast Track ... 302
  Frequently Asked Questions ... 303
Part IV Implementing Firewalls and VPNs (Case Studies) ... 305
Chapter 7 IT Infrastructure Security Plan ... 307
  Introduction ... 308
  Infrastructure Security Assessment ... 308
  Internal Environment ... 309
  Information Criticality ... 310
  Impact Analysis ... 310
  System Definitions ... 311
  Information Flow ... 311
  Scope ... 312
  People and Process ... 312
  User Profiles ... 312
  Policies and Procedures ... 313
  Organizational Needs ... 314
  Regulatory/Compliance ... 314
  Technology ... 315
  Establishing Baselines ... 315
  Addressing Risks to the Corporate Network ... 316
  External Environment ... 318
  Threats ... 319
  Recognizing External Threats ... 320
  Top 20 Threats ... 325
  Network Security Checklist ... 326
  Devices and Media ... 327
Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) . . . . . . . . . . . . . . . . . . . . .330
System Hardening . . . . . . . . . . . . . . . . . . . . . . . . . .335
Other Infrastructure Issues . . . . . . . . . . . . . . . . . . .336
Other Network Components: Routers, Switches, RAS, NMS, IDS . . . . . . . . . . . . .337
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
External Communications (also see “Remote Access”) . . . . . . . . . . . . . . . . . . .339
TCP/IP (Some TCP/IP Information Also Found in the “Routers” Section) . .339
Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Network Management . . . . . . . . . . . . . . . . . . . . . .344
Routers and Routing . . . . . . . . . . . . . . . . . . . . . . .349
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
Intrusion Detection/Intrusion Prevention . . . . . . . .353
Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
Project Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .358
Functional Requirements . . . . . . . . . . . . . . . . . . . .358
Technical Requirements . . . . . . . . . . . . . . . . . . . . .359
Legal/Compliance Requirements . . . . . . . . . . . . . .360
Policy Requirements . . . . . . . . . . . . . . . . . . . . . . . .360
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Key Skills Needed . . . . . . . . . . . . . . . . . . . . . . . . . . . .363
Key Personnel Needed . . . . . . . . . . . . . . . . . . . . . . . .364
Project Processes and Procedures . . . . . . . . . . . . . . . . .365
Project Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Project Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
Project Work Breakdown Structure . . . . . . . . . . . . . . . . . .367
Project Risks and Mitigation Strategies . . . . . . . . . . . . . . .372
Project Constraints and Assumptions . . . . . . . . . . . . . . . . .374
Project Schedule and Budget . . . . . . . . . . . . . . . . . . . . . . .375
IT Infrastructure Security Project Outline . . . . . . . . . . . . .376
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .379
Chapter 8 Case Study: SOHO (Five Computers, Printer, Servers, etc.) . . . . . . . . . . . . 385
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Using netstat to Determine Open Ports on a System . .386
Determining More Information with lsof . . . . . . . . . . .391
Using netstat on Windows XP . . . . . . . . . . . . . . . . . . .392
Employing a Firewall in a SOHO Environment . . . . . . . . .395
Host-Based Firewall Solutions . . . . . . . . . . . . . . . . . . .395
Introducing the SOHO Firewall Case Study . . . . . . . . . . .396
Assessing Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Defining the Scope of the Case Study . . . . . . . . . . . . .397
Designing the SOHO Firewall . . . . . . . . . . . . . . . . . . . . .397
Determining the Functional Requirements . . . . . . . . . .398
Determining the Needs of the Family . . . . . . . . . . .398
Talking to Local User Groups . . . . . . . . . . . . . . . . .398
Creating a Site Survey of the Home . . . . . . . . . . . . . . .399
Identifying Current Technology Options and Constraints . . . . . . . . . . . . . . . . . . . . . . .400
Implementing the SOHO Firewall . . . . . . . . . . . . . . . .401
Assembling the Components . . . . . . . . . . . . . . . . . .401
Installing the Components . . . . . . . . . . . . . . . . . . .401
Testing the Configuration from Various Access Points . . . . . . . . . . . . . . . . . . .405
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .408
Chapter 9 Medium Business (<2000 People) . . . . . . . 409
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Mapping Your Systems . . . . . . . . . . . . . . . . . . . . . . . . . . .411
Ask Someone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411
Charting Cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
IP Addressing and VLANs . . . . . . . . . . . . . . . . . . . . . .416
Software Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
OS Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Freeware Third-party Tools . . . . . . . . . . . . . . . . . . .421
Mapping Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . .430
Improving Accountability with Identity Management . . . . .430
AAA Using Cisco ACS . . . . . . . . . . . . . . . . . . . . . . . .436
Network Access Restrictions . . . . . . . . . . . . . . . . . .436
External Authentication Databases . . . . . . . . . . . . . .438
User and Group Authorization . . . . . . . . . . . . . . . .440
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Other Security Improvements . . . . . . . . . . . . . . . .454
VPN Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .457
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .462
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Part I Security Policy
398_FW_Policy_01.qxd 8/25/06 10:52 AM Page 1
Chapter 1 Network Security Policy
Topics in this chapter:
■ Defining Your Organization
■ Trusted Networks
■ Untrusted Networks
Summary
Solutions Fast Track
Frequently Asked Questions