Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Locking Down a Symantec Enterprise Firewall
General firewall
Locking Down a Symantec Enterprise Firewall
My Steps for locking down a Symantec Enterprise Firewall
ôWARNINGö Every firewall need is different, you can use part of this document to help in locking down your SEF but you should determine your/company needs before doing any of the below steps.
1. Getting the OS ready.
Install only the OS software ôNo other applicationsö. If you have the choice install Windows Professional over Windows Server, our even better install Solaris.
Check the Symantec web site for Service Packs and patches that are allowed to run with your version of the firewall.
If you are going to be using NT authentication make sure you add the firewall to the domain before you install the firewall software.
Patch the firewall software.
2. General setup of Inbound and Outbound traffic
Create only the rules that you need ôdo not use the all* ruleö.
Create any service redirects to internal servers.
Add users if any in the firewall.
Create needed VPN connections.
3. Is the firewall running?
At this point the firewall should be up and running. Before we start locking down the firewall check all of the services and access that you need is working. Test and then Test again. Do not go onto the next step if the firewall is not running the way you want it.
If you are happy, create a backup remembering to put a password on the backup.
4. Playing with the Proxies
Under ôAccess Controlsö -> ôProxy Servicesö remove the check from the tick box of any Proxies that you do not need. You should have STMPS, DNSD, PINGD, FTPD, HTTPD for normal inbound and outbound access. You can also edit the config.cf and disable any other proxies that you do not want and KNOW that you can live without.
5. Looking at the Interfaces
Enable ôPort Scan Detectionö on the outside interface.
If you have any indirect static internal routes to subnets add them to the ôSpoof Protected Networksö on the inside interface.
We are going to add some input filters under the ôFiltersö tab but thatÆs next.
6. Filter Fun
At this point I like to do a bit of port scanning to see what the firewall looks like to the outside world. This should not cause anyone any problems because the firewall is not in production yet ôRIGHTö?
Well after the port scan I see a lot of open ports even ports that I have not allowed in the rules, whatÆs going on? Well because the firewall is an application firewall it will still listen on ports that it has proxies for, so this is ok ôfor nowö.
First things first I do not want ports 416,417,418, 423 and 481 showing up in the port scan because they are the ports that the SRMC uses which is a dead give away that my firewall is a Symantec firewall, but I still want to be able to access the firewall from the outside.
Time to create some filters that allows my outside SRMC workstation to access the firewall but blocks any other PC on the internet from seeing my open ports. The link below will help you do this. One thing about this link, it does not tell you that you have to allow TCP port 481 also if you want to get stat information in your ôActive Connectionsö
How to enhance the Symantec Enterprise Firewall security with interface filters
http://service1.symantec.com/support/ent-gate.nsf/docid/2001080708560954?Open&src=w
After I create the SRMC filters I create another filter that blocks the open ports I found from the port scan. The link below will help guide you through creating ôyourö protocol filters ôyouö want to block.
How to deny access to the firewall using an interface filter
http://service1.symantec.com/support/ent-gate.nsf/docid/2002090914021554?Open&src=w
Once I have setup the filters I port scan again and again until I am happy with the results.
7. One last Setting
DDoS are a big thing these days any kiddie that wants pay back is going to try a DDoS. Lucky for us we have a solution that is going to stop them in their tracks.
Blacklistd is a daemon that listens for a total amount of connections that comes in from a single IP address within a configured amount of time and if the thresh holds are meet then it blocks that IP address for a specified amount of time.
By default the blacklistd daemon is enabled but to get it to work you have to uncomment the setting in the config.cf.
I changed mine from this:
# connection_rate.interval=30 (default 30 seconds) ôAmount of seconds before I resetö
# connection_rate.limit=1000 (default is -1, no limit) ôNumber of connectionsö
# connection_rate.blocktime=3600 (default 1 hour) ôThe amount of block timeö
To this:
connection_rate.interval=30
connection_rate.limit=1500
connection_rate.blocktime=3600
Seeing I get a lot of web traffic I changed my connection rate limit to 1500. Http traffic comes in bursts at a time so I increase the rate limit so that I did not block a legitimate user.
8. Before the fat lady sings
Before you put your firewall into production test everything that you promised management you could do and once you have tested everything test it again. This is your last chance to play with the firewall. Once its in production the weight of the world is on your shoulders.
Every firewall setup is different, the steps in this document might not suit your companyÆs needs and could cause you more problems then it is worth. Look at your companyÆs security policy ôI am sure all good adminÆs have oneö and set your firewall up to suit.
Remember:
*******Most administrators donÆt plan to fail they just fail to plan*******
![[pipe]](/data/assets/smilies/pipe.gif "[pipe] [pipe]")
My Steps for locking down a Symantec Enterprise Firewall
ôWARNINGö Every firewall need is different, you can use part of this document to help in locking down your SEF but you should determine your/company needs before doing any of the below steps.
1. Getting the OS ready.
Install only the OS software ôNo other applicationsö. If you have the choice install Windows Professional over Windows Server, our even better install Solaris.
Check the Symantec web site for Service Packs and patches that are allowed to run with your version of the firewall.
If you are going to be using NT authentication make sure you add the firewall to the domain before you install the firewall software.
Patch the firewall software.
2. General setup of Inbound and Outbound traffic
Create only the rules that you need ôdo not use the all* ruleö.
Create any service redirects to internal servers.
Add users if any in the firewall.
Create needed VPN connections.
3. Is the firewall running?
At this point the firewall should be up and running. Before we start locking down the firewall check all of the services and access that you need is working. Test and then Test again. Do not go onto the next step if the firewall is not running the way you want it.
If you are happy, create a backup remembering to put a password on the backup.
4. Playing with the Proxies
Under ôAccess Controlsö -> ôProxy Servicesö remove the check from the tick box of any Proxies that you do not need. You should have STMPS, DNSD, PINGD, FTPD, HTTPD for normal inbound and outbound access. You can also edit the config.cf and disable any other proxies that you do not want and KNOW that you can live without.
5. Looking at the Interfaces
Enable ôPort Scan Detectionö on the outside interface.
If you have any indirect static internal routes to subnets add them to the ôSpoof Protected Networksö on the inside interface.
We are going to add some input filters under the ôFiltersö tab but thatÆs next.
6. Filter Fun
At this point I like to do a bit of port scanning to see what the firewall looks like to the outside world. This should not cause anyone any problems because the firewall is not in production yet ôRIGHTö?
Well after the port scan I see a lot of open ports even ports that I have not allowed in the rules, whatÆs going on? Well because the firewall is an application firewall it will still listen on ports that it has proxies for, so this is ok ôfor nowö.
First things first I do not want ports 416,417,418, 423 and 481 showing up in the port scan because they are the ports that the SRMC uses which is a dead give away that my firewall is a Symantec firewall, but I still want to be able to access the firewall from the outside.
Time to create some filters that allows my outside SRMC workstation to access the firewall but blocks any other PC on the internet from seeing my open ports. The link below will help you do this. One thing about this link, it does not tell you that you have to allow TCP port 481 also if you want to get stat information in your ôActive Connectionsö
How to enhance the Symantec Enterprise Firewall security with interface filters
http://service1.symantec.com/support/ent-gate.nsf/docid/2001080708560954?Open&src=w
After I create the SRMC filters I create another filter that blocks the open ports I found from the port scan. The link below will help guide you through creating ôyourö protocol filters ôyouö want to block.
How to deny access to the firewall using an interface filter
http://service1.symantec.com/support/ent-gate.nsf/docid/2002090914021554?Open&src=w
Once I have setup the filters I port scan again and again until I am happy with the results.
7. One last Setting
DDoS are a big thing these days any kiddie that wants pay back is going to try a DDoS. Lucky for us we have a solution that is going to stop them in their tracks.
Blacklistd is a daemon that listens for a total amount of connections that comes in from a single IP address within a configured amount of time and if the thresh holds are meet then it blocks that IP address for a specified amount of time.
By default the blacklistd daemon is enabled but to get it to work you have to uncomment the setting in the config.cf.
I changed mine from this:
# connection_rate.interval=30 (default 30 seconds) ôAmount of seconds before I resetö
# connection_rate.limit=1000 (default is -1, no limit) ôNumber of connectionsö
# connection_rate.blocktime=3600 (default 1 hour) ôThe amount of block timeö
To this:
connection_rate.interval=30
connection_rate.limit=1500
connection_rate.blocktime=3600
Seeing I get a lot of web traffic I changed my connection rate limit to 1500. Http traffic comes in bursts at a time so I increase the rate limit so that I did not block a legitimate user.
8. Before the fat lady sings
Before you put your firewall into production test everything that you promised management you could do and once you have tested everything test it again. This is your last chance to play with the firewall. Once its in production the weight of the world is on your shoulders.
Every firewall setup is different, the steps in this document might not suit your companyÆs needs and could cause you more problems then it is worth. Look at your companyÆs security policy ôI am sure all good adminÆs have oneö and set your firewall up to suit.
Remember:
*******Most administrators donÆt plan to fail they just fail to plan*******