Firewall Rules

     Proper server firewall configuration is something I see a lot of System Administrators skip. Some think that because the server already sits behind a WAN perimeter firewall appliance, the built-in host firewall does not matter. This is just not true. Once an attacker has a foothold on any internal machine, they can pivot from it to reach servers and services that were never forwarded through the perimeter firewall at all; the perimeter rules say nothing about traffic between two internal hosts.

     A WAN perimeter firewall alone cannot fully protect you. For example, users could be led to a website, or served a malicious ad, carrying JavaScript that scans and attacks your internal network. The attack is launched from the user's web browser, which already sits inside the perimeter, so the perimeter firewall never sees it as inbound traffic. This is just one of many methods that circumvent perimeter firewall protections.

     The firewall rules you build should allow only the bare minimum of port access. If the server is a Web Server, then only allow 80 and 443 in from anywhere. For management services such as RDP (3389) or SSH (22), define a management IP range and allow access to those ports only from that range. For example, if the Web Server is 10.0.1.33 and the IT Web Admins office is the range 10.0.5.0/28, then only 10.0.5.0/28 may reach the RDP or SSH port; every other source is dropped. Note that the range is written with the network address (10.0.5.0/28), not a host address, because a /28 mask covers 10.0.5.0 through 10.0.5.15.

     So far I have talked about inbound firewall rules, but outbound rules are just as important. Blocking all outbound connections by default can be difficult to set up, but it has a drastic impact on security. If an exploit does land on your server, it will very likely need to call home to the attacker at some point. Furthermore, the code that got onto your system may not be complete: many exploits deliver only a small stager that must reach out to the web to fetch the real payload. Denying that outbound connection can stop the attacker from getting a remote session on the server, or break the exploit chain before it finishes. Additionally, it helps contain an infection, since a compromised server cannot freely open connections to other systems.

     Blocking all outbound connections is not a foolproof method; an attacker who gains enough privileges on the host may simply disable the firewall rules in place. However, a worm or automated exploit may not be smart enough to get around this. The point is that we are building little walls everywhere we can. We are trying to slow down and frustrate an attacker so that we can either detect them or convince them to go elsewhere.
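Putting the inbound and outbound policy above together, here is an nftables ruleset for the web server scenario. This is an added example, not a ruleset from the original post; it uses the hypothetical addresses from the text (web server 10.0.1.33, admin range 10.0.5.0/28) and assumes an internal DNS resolver at 10.0.1.53, which you would replace with your own.

```nftables
#!/usr/sbin/nft -f
# Host firewall for a web server (added example; addresses are hypothetical).
# Inbound: only 80/443 from anywhere, SSH/RDP only from the admin range.
# Outbound: default drop, with just DNS to the internal resolver allowed.

flush ruleset

define mgmt_net    = 10.0.5.0/28      # IT Web Admins office, from the text
define dns_servers = { 10.0.1.53 }    # assumed internal resolver; adjust

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to connections this host started; drop malformed packets early
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Public web service: the only ports reachable from any source
        tcp dport { 80, 443 } accept

        # Management ports: reachable only from the admin office range
        ip saddr $mgmt_net tcp dport { 22, 3389 } accept

        # Everything else is logged (rate limited) and then dropped by the policy
        limit rate 5/minute log prefix "fw-input-drop: "
    }

    chain forward {
        # This host is not a router; never forward traffic between interfaces
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy drop;

        # Traffic belonging to accepted inbound sessions (e.g. the HTTP response)
        ct state established,related accept
        oif "lo" accept

        # Name resolution only to the internal resolver
        ip daddr $dns_servers udp dport 53 accept
        ip daddr $dns_servers tcp dport 53 accept

        # A reverse shell or a stager fetching its payload ends up here
        limit rate 5/minute log prefix "fw-output-drop: "
    }
}
```

Load it with `nft -f /etc/nftables.conf` from a console or from inside the admin range, never from an SSH session outside it, and check the result with `nft list ruleset`. Two caveats a practitioner should expect: first, any legitimate outbound dependency (a database or application tier, NTP, package updates via a proxy) needs its own explicit accept rule, which is why the "fw-output-drop" log is worth watching for the first few days. Second, if the host has IPv6, add accept rules for the ICMPv6 neighbor-discovery types in both the input and output chains, otherwise the drop policy in this `inet` table silently breaks IPv6 connectivity.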
