Out-of-Band ManagementĪs the term indicates, out-of-band management results in access to the firewall through a secondary channel that is not carrying production traffic. This would make it more difficult to reconfigure the firewall during such an event to block traffic or shut it off altogether if necessary to defeat the attack. In-band management also runs the risk of being susceptible to a denial-of-service (DoS) attack during large-scale outbreaks such as worms. The use of simple Telnet or HTTP can result in the adminis-trative password being captured by an attacker who is sniffing the traffic between the administrative interface of the firewall and the rest of the network. Specific attention must be paid to the use of encrypted communications such as SSH and HTTPS when considering whether to manage a firewall in-band. These risks center predominantly around the use of unencrypted communications channels. In-band management can represent a significant risk to the administrator if certain precautions are not taken. In-band management refers to the administrative access to systems and network devices over the same network that is used by the traffic being filtered. Additional considerations must be made regarding how the firewall is accessed: Telnet, SSH, SNMP, FTP, TFTP, HTTP/HTTPS, or some proprietary management protocol and must conform to the management access policy as discussed in Chapter 10, "Firewall Security Policies." In-Band Management Management access comes in two forms: in-band and out-of-band. This requirement stems from the fact that an unauthorized user, whether someone with malicious intent or not, may change the configuration or disable the device and thus lower the security of the surrounding network. Network devices such as routers, switches, intrusion detection sensors, and firewalls should be accessed only by those users who need to administer them. Management AccessĬontrol of access to the management interface of network infrastructure devices is critical. This becomes important when considering how access to the firewall management interface will be controlled. One significant benefit of a CLI over a GUI is that the CLI is available through Telnet and SSH sessions as well as connected directly to the serial port. Over time, as their experience level and comfort level with the firewall increase, they may find it more convenient to use a CLI. Typically, novice users start by administering the firewall through a GUI. Whether it is through a CLI or through a GUI, the management of a firewall can range from the highly complex to the relatively easy. Webmin IPTables Rules Interface Interface Preference Webmin provides a method by which the firewall can be managed through a web browser interface, which is more convenient than an application that can only be viewed on an X Windows-enabled server. Firestarter provides a simple, easy-to-use interface for IPTables, as shown in Figure 11-4. Some are web based (such as Webmin), and some are applications running on the Linux system itself (such as Firestarter or FW-Builder). Not to be outdone, there are GUIs for Linux's IPTables firewall software. The information is presented in a more natural fashion to the end user in the form of graphics and graphs for performance. Figure 11-3 shows the PIX Device Manager screen. The PIX Device Manager (for PIX operating systems up to versions 6.3(5)), known as the Cisco Adaptive Security Device Manager in PIX version 7.0, is a Java applet that is downloaded from the PIX or ASA device and runs locally through the client browser. Some come with a preconfigured IP address and an administrative password to be used for access by the end user during initial configuration (such as Linksys or the PIX 501 and 506E series systems). Some firewalls are configured through a direct interface on the host, such as Symantec Norton Internet Security shown in Figure 11-1 and Figure 11-2, before the firewall is active. Of 4 Managing Firewalls with a GUIĪ GUI provides a more-user-friendly interface to configure the firewall.
0 Comments
Leave a Reply. |