One of the first items to do when deciding with which software release to upgrade a firewall (or any device for that matter) is to read the release notes for that version. The release notes typically include a detailed list of supported devices, new features in the release, and software bugs fixed in the release. In addition, some manufacturers include a list of outstanding bugs that have not been addressed in the release at the time of shipment. The release notes represent a one-stop shop for much, if not all, of the necessary information needed to determine whether the software release being considered is appropriate for the firewall to be upgraded.
Defects and Bugs
Firewall software is complex and contains many subsystems and lines of code. Although the vendors make every effort to identify potential bugs or other errors in the software, not all possible cases can be discovered during testing before the software is released to the general public. Therefore, possible bugs and vulnerabilities in the software may not be detected until after the software has been released.
Vulnerabilities
A vulnerability is a defect that might result in the potential exploitation of the firewall by an attacker to cause either a denial-of-service (DoS) attack or to gain access to the firewall itself. A vulnerability can also be caused by a misconfiguration of the firewall. An example of a vulnerability in firewall software is the Cisco PIX Telnet/SSH DoS attack described on SecurityFocus (http://www.securityfocus.com/bid/6110). This vulnerability, although not providing access to the PIX itself, causes the PIX Telnet/SSH service to become nonresponsive. Cisco immediately released a fix for this problem in PIX OS 6.2.2.111.
A vulnerability due to a misconfiguration of the firewall can range from allowing access to Remote Procedure Call (RPC) ports on systems behind the firewall to not setting an access password on the device itself. These types of vulnerabilities are not mitigated by software upgrades but rather by correcting the configuration of the device. One of the quickest ways to find any ports that may be open due to a firewall misconfiguration is to use a network-scanning tool such as Nmap (available at http://www.insecure.org) or Foundstone's Fscan (available from http://www.foundstone.com)
Tracking a Defect
So, a bug or a vulnerability has been discovered in the software version running on your firewall. What do you do now? If the vendor has released a version that resolves the bug or vulnerability, the simplest solution is to download it and apply the patched software. If no fixed software is available, it is important to keep track of the bug and any possible workarounds the vendor has devised. Typically, vendors provide a portal on their websites that include defect information and whether a specific defect has been resolved. For Cisco PIX devices, the Product Security Incident Response Team provides security advisories that can be viewed on the Cisco website at http://www.cisco.com/go/psirt. In addition, for registered users, a database of security-related and non-security-related defects is available. For Linksys devices, this section is part of their technical support website (http://www.linksys.com). Information related to bugs in the Linux kernel is available at the Linux Kernel Archives website (http://www.kernel.org). For Linux kernels 2.6 bugs, there is a specific bug-tracking system, http://bugzilla.kernel.org. For bugs that are NetFilter specific (whether it is the NetFilter code in the kernel or the utilities used to manipulate the NetFilter firewall), there is http://bugzilla.netfilter.org. Regardless of the device, it is important to be aware of bugs and other software issues to be prepared to mitigate any new vulnerabilities that they may introduce into the network.
Summary
Managing firewalls is not much different from managing any other device on the network. However, special care must be taken when managing a firewall because it represents the nexus of security in the any network. In many cases, it represents the only security device on the network. Managing a firewall securely is not difficult and does not mean that you are limited only to command-line tools. You can manage many firewalls using SSH (for command-line configuration) and HTTPS (for a browser-based management system) to do such tasks as change default passwords, maintain the platform, make initial configurations, set up logging, modify the configuration, and update the firewall software. Finally, paying attention to potential defects in the firewall software will ensure that a bug or a vulnerability will not sneak up unnoticed and cause a DoS attack or the potential exploitation of devices in the network.
Copyright © 2007 Pearson Education. All rights reserved.