Just under construction, version 0.1, last update 2002/11/25
How to write good firewall rules?
This paper is an attempt to outline a concept for writing good firewall rules.
Writing good rules means that other people can follow and understand them, that the rules are consistent in
their structure, that you can build on them, and that they are easily extensible. It is not a paper on firewall
rules themselves.
Objects and naming conventions
In a firewall ruleset you normally work with objects like servers, workstations, services
etc. It is not good to give them ad hoc names. In order to make objects
understandable, it is important to use a consistent and structured convention for names. An object's name
should consist of several parts that together give a unique description of that object. The parts
of an object's name should describe it from the more general to the more specific.
For example, you can use the following elements:
- Quality:
  - WKS: Workstation
  - SRV: Server
  - SVE: Service
  - RGL: Rule
  - TME: Time
- Quantity:
  - INV: single (individual) Component
  - GRP: Group of Components
  - MTA: Meta Group (group of groups)
- Name: an individual and unique name
The schema can be expanded as needed. For example, you can add extra quality elements
if your components are locally separated, or for network
components like routers, switches, firewalls etc.
This gives you the following possibilities for building your objects:
- WKS-INV-NAME: a single workstation
- WKS-GRP-NAME: a group of workstations
- WKS-MTA-NAME: a meta group of workstations
- SRV-INV-NAME: a single server
- SRV-GRP-NAME: a group of servers
- SRV-MTA-NAME: a meta group of servers
- SVE-INV-NAME: a single service
- SVE-GRP-NAME: a group of services
- SVE-MTA-NAME: a meta group of services (do not use it)
- TME-INV-NAME: a single time range
- TME-GRP-NAME: a group of time ranges
- TME-MTA-NAME: a meta group of time ranges
- RGL-INV-NAME: a single rule
- RGL-GRP-NAME: a group of rules
- RGL-MTA-NAME: a meta group of rules (do not use it, but it can make sense if you use chains)
Groups of rules and meta groups of rules are only of theoretical interest and usable
only for documentation. But it also depends on your point of view and on how abstractly you want
to see rules. For example, some rules can be separated into subrules.
Rule design
The problem with every system is that it can be extended easily and in an understandable way
only if its underlying concept is well developed, so that you can say it has
a good basis. If you have a good concept, you also need the discipline to apply it all
the time. It is not good if exceptions are the rule. The rule must be the rule!
Transferred to firewall rules, this means that a bad concept results, over time and
with high probability, in bad firewall rulesets. By bad rulesets I mean rulesets that are hard
to understand. This gives misconfiguration a chance, and then services may
become unavailable or the firewall insecure.
Therefore a good concept is necessary; it helps to avoid bad rulesets. Exceptions should
not be allowed to dominate a ruleset. Whenever exceptions are necessary (because of
time constraints), they should be temporary. After an evaluation by qualified individuals, it has to
be decided whether to delete the rule or to integrate it into the ruleset in a consistent manner. Consistent
means not violating the concept. The rule should be: exceptions are an exception, and we should
avoid them.
Here is a first concept, in 10 rules, of how to build a ruleset:
- Every rule should be considered as a meta object which defines who has access to
what service.
- A service should be considered as one resource that is offered by one or more
servers on one or more different ports.
- Every single rule that is needed to allow access to a service contains the source and destination address(es),
the protocol used, the related port and additional information like state,
TCP flags etc.
- Every single rule is assigned to only one service (implicitly, this is normally the case).
- To a single service a service user group is assigned, which may use this service. It is not allowed
to assign single components to a service.
- A user group always consists of one or more assigned groups or single components.
- Every single group consists exclusively of single components or exclusively of other
groups (then it is a meta group).
- Every single group that contains no other groups consists exclusively of single
components that are grouped in a meaningful way.
- Single components can be members of more than one group.
- Groups can be members of more than one meta group.
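As an added example (not from the paper), a small Python checker that parses object names against the QUALITY-QUANTITY-NAME convention and tests a group and service layout against rules 5 and 7 of the concept; it assumes that members of a WKS-GRP are WKS-INV objects, as the naming list implies, and it rejects the SVE-MTA and RGL-MTA combinations marked "do not use it".

```python
import re

# Added example (not from the paper): a checker for the QUALITY-QUANTITY-NAME
# convention and for the group and service rules of the concept above.
QUALITY = {"WKS", "SRV", "SVE", "RGL", "TME"}
QUANTITY = {"INV", "GRP", "MTA"}
DISCOURAGED = {("SVE", "MTA"), ("RGL", "MTA")}   # marked "do not use it" above
NAME_RE = re.compile(r"^(?P<q>[A-Z]{3})-(?P<n>[A-Z]{3})-(?P<name>[A-Z0-9_]+)$")

def parse_name(obj):
    """Split an object name into (quality, quantity, name) or raise ValueError."""
    m = NAME_RE.match(obj)
    if not m:
        raise ValueError(f"{obj}: not of the form QUALITY-QUANTITY-NAME")
    q, n = m["q"], m["n"]
    if q not in QUALITY or n not in QUANTITY:
        raise ValueError(f"{obj}: unknown quality or quantity")
    if (q, n) in DISCOURAGED:
        raise ValueError(f"{obj}: {q}-{n} objects should not be used")
    return q, n, m["name"]

def check_groups(groups):
    """Rule 7: a GRP holds only INV members, an MTA only GRP members."""
    # Assumption: members share the group's quality (a WKS-GRP holds WKS-INV).
    problems = []
    for g, members in groups.items():
        gq, gn, _ = parse_name(g)
        want = {"GRP": "INV", "MTA": "GRP"}.get(gn)
        if want is None:
            problems.append(f"{g}: a single component cannot have members")
            continue
        for m in members:
            mq, mn, _ = parse_name(m)
            if mq != gq or mn != want:
                problems.append(f"{g}: member {m} must be {gq}-{want}")
    return problems

def check_services(services):
    """Rule 5: a service is used through groups, never by single components."""
    problems = []
    for s, users in services.items():
        sq, _, _ = parse_name(s)
        if sq != "SVE":
            problems.append(f"{s}: not a service object")
        for u in users:
            _, un, _ = parse_name(u)
            if un == "INV":
                problems.append(f"{s}: single component {u} assigned directly")
    return problems
```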
Documentation
In order to be able to understand a firewall ruleset later, even after many
changes, you need sufficient documentation, especially of the changes. First, you should use all
documentation options your firewall configuration program offers. This should be done according to a
concept, so that the documentation always follows the same rules and is therefore understandable.
All changes should be saved as a document in a structured way. There are always people
who have to be informed about changes. Rules should have a unique number. To this number a directory
on a file server with limited access is assigned; in that directory authorized individuals can
find all relevant information about the rule. Additionally, all documentation should be printed out and
stored in a safe location.
What information has to be documented in case of a change in the ruleset?
- The date of the change.
- Who has made the change?
- Is it a new rule, or has an existing one been changed?
- The current number of the rule.
- Who has asked for the rule change? (name, position, contact)
- Why was the change in the ruleset necessary?
- What are the changes?
- Is the change temporary, and if so, when does the rule expire?
- Is it an ad hoc rule that still has to be integrated consistently into the ruleset?
It is also important that you do not implement a rule on the fly: someone calls you
asking for a change in the ruleset and you just do it. Think first. Be sure about what you are doing and
about what consequences your actions might have.
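Added example, not part of the paper: a change record carrying the fields listed above, with a check for missing or inconsistent fields and a review that lists temporary rules past their expiry and ad hoc rules that were never integrated. The names, dates and rule numbers in the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example (not from the paper): one record per ruleset change, holding
# the information listed above, plus a review of exceptions that are overdue.
@dataclass
class ChangeRecord:
    rule_number: int
    changed_on: date
    changed_by: str
    is_new: bool                        # new rule, or change to an existing one
    requested_by: str                   # name, position, contact
    reason: str                         # why the change was necessary
    change: str                         # what was changed
    expires_on: Optional[date] = None   # set only for temporary rules
    ad_hoc: bool = False                # still to be integrated consistently?

def validate(rec):
    """Return the names of fields that are missing or inconsistent."""
    bad = [f for f in ("changed_by", "requested_by", "reason", "change")
           if not getattr(rec, f).strip()]
    if rec.expires_on is not None and rec.expires_on < rec.changed_on:
        bad.append("expires_on")        # expiry before the change makes no sense
    return bad

def needs_attention(records, today):
    """Per rule, take the latest record and report expired or ad hoc exceptions."""
    latest = {}
    for r in sorted(records, key=lambda r: r.changed_on):
        latest[r.rule_number] = r
    out = []
    for n, r in sorted(latest.items()):
        if r.expires_on is not None and r.expires_on <= today:
            out.append((n, "temporary rule expired: delete or integrate it"))
        elif r.ad_hoc:
            out.append((n, "ad hoc rule not yet integrated"))
    return out

# Constructed sample records (names, dates and rule numbers are made up).
SAMPLE = [
    ChangeRecord(17, date(2002, 11, 1), "admin A", True, "J. Doe, sales, x123",
                 "vendor access during migration", "allow SRV-INV-DB from WKS-GRP-VENDOR",
                 expires_on=date(2002, 11, 15)),
    ChangeRecord(23, date(2002, 11, 20), "admin B", True, "R. Roe, IT, x456",
                 "urgent fix", "allow WKS-INV-PC07 to SVE-INV-MAIL", ad_hoc=True),
    ChangeRecord(5, date(2002, 11, 25), "admin A", False, "R. Roe, IT, x456",
                 "new mail server", "add SRV-INV-MAIL2 to SRV-GRP-MAIL"),
]
```

Rule 23 in the sample is flagged because it assigns a single component directly to a service, which the concept forbids; that is exactly the kind of ad hoc exception the review is meant to surface.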