Firewalls & Perimeter Protection
Featuring 67 Papers as of September 20, 2010
-
Deploying a Vyatta Core Firewall
Jason Todd - September 20, 2010
It wasn't long ago when simply placing a firewall in between your clients, servers, and the Internet was considered a good information security measure. For some organizations the firewall was put in place to simply check a box on a security audit without giving it much attention as to what the firewall was actually protecting, or not protecting. For many the firewall was viewed as a burden and tunneling protocols were developed to make applications work with firewalls.
-
Leveraging the Load Balancer to Fight DDoS
Brough Davis - July 30, 2010
DDoS (Distributed Denial of Service) attacks have been an ever-increasing concern in the Internet world. As technologies become less expensive and the Internet grows, it is becoming easier and more profitable for criminal organizations and the naive vandal to launch destructive attacks on organizations (Mikovic et al., 2005). DDoS attacks are also becoming common tools for governments or activist groups to help serve political agendas (Ristic, 2005). Security professionals will likely always be one step behind new attack methods. In order to understand how Load Balancing technologies can be used to help mitigate DDoS attacks, a quick DDoS and Load Balancing primer is needed.
-
Securing the Network Perimeter of a Community Bank
Steven Launius - December 17, 2009
Allocating the investment for perimeter protection and detection mechanisms can be a unique challenge with the budget of a smaller community bank. This paper's purpose is to raise awareness of the external threats present to confidential customer information held on the private network of community banks, and recommend technologies and designs to protect the perimeter of the network, while taking heed of the limited resources of community banks.
-
Securing the Enterprise Service Bus: Protecting business critical web-services
Michael Taylor - April 23, 2009
My paper will briefly discuss Enterprise Web Services and the uses of Enterprise Service Buses, but will concentrate on potential threats and vulnerabilities to these and suggest suitable means to mitigate risks.
-
Intrusion Detection & Response - Leveraging Next Generation Firewall Technology
Ahmed Abdel-Aziz - March 30, 2009
This paper will address a recent trend in network security, which is leveraging next-generation firewalls (NGFW) at the network perimeter.
-
Perimeter Defense-in-Depth with Cisco ASA
Michael Simone - February 9, 2009
Over the course of this document, the reader will learn what to do to use the ASA security device for perimeter security, why these choices would be made, what best practices are, and business justifications for each of these decisions.
-
Human Being Firewall
Muhammad EL-Harmeel - January 9, 2009
This publication seeks to assist organizations in mitigating the risks from Human based attacks.
-
Transparent (Layer 2) Firewalls: A look at 2 Vendor Offerings: Juniper and Cisco
Matt Austin - December 12, 2008
The focus of this paper is to demystify and review how to configure and deploy Juniper and Cisco firewalls in transparent mode.
-
Cleaning Up the Back Yard - A discussion on your mother's home network security.
Wil Knoll - November 5, 2008
It is possible to clean up the back yard with Free Open Source Software and a little design. Using off-the-shelf components and Open Source software, the family geek can deploy a more multilayered security stance that will provide far more visibility and control over the network. This is not to say that large swaths of the Internet can be cleaned up just by plugging in a box, but to say that if anything should be a safe haven on the Internet, it should be the family network, the backyard. It makes sense to clean up the backyard before taking on the world's trash.
-
Check Point firewalls - rulebase cleanup and performance tuning
Barry Anderson - September 5, 2008
Firewall rulebases tend naturally toward disorder over time, and as the size of the ruleset grows, the performance of the firewall starts to suffer. In this paper, a simple procedure for culling unused rules and ordering the rulebase for performance will be presented.
-
Performing Egress Filtering
Dennis Distler - August 20, 2008
The purpose of this paper is to explain egress filtering and the risk that can be mitigated along with it.
-
Microsoft Vista Firewall; Dissected
Phil Kostenbader & Bob Rudis - August 9, 2007
The firewall provided by Microsoft has pretty much gone unchanged since Windows 2000. Their release of the firewall included with Vista, however, has seen a few new and useful features. Under the right environment, it may be possible for large organizations to make use of this facility. But why would an organization consider dropping their current solution? Flexibility in the rule construction, the ability to apply a specific policy based on 'domain' authentication, multiple methods of policy distribution, or a single vendor solution may have some organizations considering a change.
-
Redefining your perimeter with MPLS - an integrated network solution
Vijay Sarvepalli - July 17, 2007
This paper attempts to help network and security professionals to meet the demand to build multiple logical networks on a single physical infrastructure.
-
Don't Just Patch, Protect!
Richard Sillito - May 1, 2007
Security analysts need to stop trying to be movie stars and start shaking up their networks and readdress how security is implemented.
-
XML Firewall Architecture and Best Practices for Configuration and Auditing
Don Patterson - April 30, 2007
This paper will discuss the building blocks of Web services, Web services threats and security requirements, the XML firewall for first-line perimeter defense, best practices for configuring an XML security gateway device, and industry recommended security testing procedures for ensuring the effectiveness of this security control.
-
Egress Filtering FAQ
Chris Brenton - January 18, 2007
This FAQ covers the benefits of performing egress filtering on the end points of your perimeter.
-
Firewall Analysis and Operation Methods
Kim Cary - October 23, 2006
This paper shows how to leverage pre-install analysis data collection systems for post-install response via a self-service security information application. This application was useful in securing and retaining the open community's good will for future security projects (without the motivation of an incident).
-
Wired 802.1x Security
Mohammed Younus - July 27, 2006
This paper defines the fundamentals of 802.1x authentication, explains how the authentication process works in 802.1x, and provides the detailed steps to implement 802.1x in a switched LAN environment using Cisco's Implementation of 802.1x.
-
Exploiting BlackICE When a Security Product has a Security Flaw
Peter Gara - July 9, 2005
This paper contains a fictional story about a computer expert who gets into evil ways and tries to denigrate his ex-colleague at her new workplace.
-
Regaining Control over your Mobile Users
Shelly Biller - June 23, 2005
No matter how much time or money some corporations spend on securing their network, once they allow mobile (laptop) users to connect to their internal network, they are exposing that network to a wide variety of security risks. Their once-secure network has now potentially become a hacker's playground.
-
Ethical Deception and Preemptive Deterrence in Network Security
Brian McFarland - May 17, 2005
Network administrators have several tools in their arsenal for thwarting such attacks, such as firewalls and intrusion detection systems. A relatively recent concept developed to complement existing network defense tools is the Honeypot.
-
Using Secure Sockets Layer bridging and content filtering mechanisms to provide defense in-depth when publishing SSL encrypted web hosts.
John Hallberg - May 5, 2005
In this paper we discuss the benefits of Secure Sockets Layer (SSL) bridging, also known as SSL initiation, a practice that allows Internet security professionals to successfully proxy encrypted traffic, thus enabling intrusion detection and/or prevention, virus detection, and content filtering of encrypted communications.
-
Utilizing Static Packet Filters to Enhance Network Security
Scott Foster - January 17, 2005
Many network installations today consist of a firewall to provide security between the increasingly hostile environment of the Internet and the corporate network. This paper examines utilizing Access Control Lists to implement static packet filters at a network perimeter to enhance security in any sized network.
-
3Com Distributed Embedded Firewall
Kyle Kelliher - July 25, 2004
As the Internet community becomes more skilled in their use of attack tools, we are seeing an increase in the number and severity of Internet attacks. Internet neophytes and professionals alike are asking the same question "There are hundreds of thousands of computers on the Internet, why was my computer attacked?"
-
Netfilter and IPTables: A Structural Examination
Alan Jones - May 2, 2004
In this paper a study is made of the Linux packet manipulation framework, Netfilter, and the packet matching system built on top of it, IPTables.
-
Support guides for the Cyberguard Firewall Appliance
Chris Bodill - November 19, 2003
This paper combines various troubleshooting guides, how-to, tips and warnings known to date, for the Cyberguard Firewall Appliance, aimed to be both functional and practical.
-
Configuring Watchguard Proxies: A Guideline to Supplementing Virus Protection and Policy Enforcement
Alan Mercer - November 6, 2003
This paper focuses upon the layered use of the Watchguard Live Security System (LSS) proxy services to mitigate these risks and reduce exposure.
-
High Availability Firewall - WatchGuard Firebox Vclass V60
Wee Chia - November 6, 2003
This paper proposes that implementation of high availability firewalls in itself cannot be considered sufficient to ensure overall system reliability.
-
Private Internet Exchange: The Fastest Firewall in the World?
Keith Cancel - October 31, 2003
There are now numerous firewalls available in today's market with a wide array of speeds, strengths and weaknesses.
-
Sidewinder 5.1 Split DNS Architecture
Charlene Keltz - October 31, 2003
This paper provides an operating system overview of Sidewinder, a short overview of a Generic Split DNS Architecture, and explains Sidewinder's Secure Split DNS Architecture.
-
Using Open Source to Create a Cohesive Firewall/IDS System
Thomas Dager - October 31, 2003
In this paper the author discusses two main components of the layered defense, a firewall and intrusion detection system.
-
Active Net Steward - Distributed Firewall
Daniel Safeer - October 31, 2003
In this paper, the author addresses the question, "How do I deal with the implied trust afforded to users who are inside of the firewall, either physically or electronically (via VPN or dialup)?"
-
Cisco Router Hardening Step-by-Step
Dana Graesser - October 31, 2003
The three main categories of routers in use at companies today are Internet Gateway routers, Corporate Internal routers and B2B routers, which should all be given careful consideration from a security perspective, as each poses unique security problems that are addressed in this paper.
-
IPSec VPN Using FreeBSD
Greg Panula - October 31, 2003
This paper will demonstrate a way to set up an IPSec VPN that will allow for NAT'ing using FreeBSD boxes as the gateway machines.
-
Comparison Shopping for Scalable Firewall Products
Laura Keadle - October 31, 2003
No Network Designer worth their salt would dream of purchasing a router or switch without demanding benchmark test results on throughput and subscription rates.
-
Achieving Defense-in-Depth with Internal Firewalls
Steve Bridge - October 31, 2003
A sound security perimeter today requires more than a single firewall connected at the Internet router. By segmenting the network with multiple firewalls, we can achieve the holy grail of network security - Defense-In-Depth.
-
Proxies and Packet Filters in Plain English
Scott Algatt - October 31, 2003
The firewall's decisions about what is and what is not allowed come from configurations that the system administrator sets up as policies or rules, which define what traffic the firewall will or will not allow to enter the network.
-
Personal Firewalls - Protecting the Home Internet User
Bonnie McDougall - October 31, 2003
Firewalls were one of the first protectors against computer crime, and before anyone downloads a Personal Firewall, they should have an understanding of how they work.
-
Application Level Content Scrubbers
Benjamin Sapiro - October 31, 2003
This paper presents an overview of some of the available content scrubbers (this is not meant to be a comprehensive product comparison).
-
Cisco Way
Joseph White - October 31, 2003
This document will be an overview of "Cisco SAFE: A Security Blueprint for Enterprise Networks" (Convery).
-
Disconnect from the Internet - Whale's e-Gap In-Depth
Kevin Gennuso - October 31, 2003
While there are a number of variations on the air gap concept, the focus of this paper will be on one implementation of this technology: Whale Communications' e-Gap.
-
Protecting the Next Generation Network - Distributed Firewalls
Robert Gwaltney - October 31, 2003
Corporate networks are constantly changing to meet the needs of businesses and continue to expand in ways that we couldn't have imagined only a few years ago.
-
Fighting Cyber Terrorism - Where Do I Sign Up?
Pamela Dodge - October 31, 2003
Cyber attacks have historically not been treated in the same fashion as physical defense of the country.
-
A Layer-7 Secure Security Posture
Paul Vinciguerra - October 31, 2003
This paper intends to apply the lessons learned from the lower levels of the OSI model to the upper layers.
-
CBAC - Cisco IOS Firewall Feature Set Foundations
Evan Davies - October 31, 2003
This paper discusses the operation and configuration of CBAC.
-
Building an IPv6 Firewall with OpenBSD
Eric Millican - October 31, 2003
This paper is intended to be a how-to for IPv6 firewalls running on OpenBSD 3.0. It will cover the basics of installing OpenBSD, setting up a tunnel to the 6Bone, and configuring the Packet Filter firewall included with OpenBSD.
-
A Review Of Floppy-Based Firewalls And Their Security Considerations
Sean Closson - October 31, 2003
For the user that is evaluating inexpensive perimeter firewall solutions, this paper discusses the features and security implications amongst three of the more popular choices available, providing an understanding of floppy disk-based firewalls and some of the technologies they employ.
-
Protecting the Network without Breaking the Bank
Gerald Clevenger - October 31, 2003
The high cost of securing a Network may drive managers to look for ways to outsource Network Security instead of using available resources.
-
The Firewall has been Installed, Now What? Developing a Local Firewall Security Policy
Richard Walker - October 31, 2003
This paper details the process I used to draft a perimeter device security policy for these firewalls.
-
Getting the Most out of your Firewall Logs
Matt Willard - October 31, 2003
The goal of this paper is to use the logs of CheckPoint FW-1 v4.1 and provide examples of tools that will automate the process of maintaining and monitoring a firewall's logs.
-
Configuring a NetScreen Firewall: Best practice guideline for the basic setup of a NetScreen firewal
Robert Bayley - October 31, 2003
This paper will detail how to set up a NetScreen firewall using the command line configuration options.
-
The Installation and Configuration of a Cisco PIX Firewall with 3 Interfaces and a Stateful Failover
Steve Textor - October 31, 2003
This paper is intended to guide the reader through the installation and configuration of a Cisco PIX firewall.
-
Using ISA Server Logs to Interpret Network Traffic
Brian McKee - October 31, 2003
This paper focuses on ISA logs and how you can use them to interpret the types of traffic passed through the network.
-
IPFilter: A Unix Host-Based Firewall
Dana Price - October 31, 2003
This paper will explain the benefits of using IPFilter on a Unix host by detailing its configuration and implementation on a Solaris 8 SPARC box, and providing examples users can follow to safeguard their machines against some of the more popular remote exploits.
-
Securing Extranet Connections
Jeff Pipping - October 31, 2003
This paper will present one solution to securing a large number of extranet connections. In particular, the focus will be on the corporation who is the extranet network provider, or at the hub of a large extranet.
-
Securing Solaris Servers Using Host-based Firewalls
William Karl - October 31, 2003
This paper will cover the addition of security to several Solaris servers through the use of host-based firewall software.
-
Denial of Service Attacks and the Emergence of "Intrusion Prevention Systems"
Adrian Brindley - October 31, 2003
The objective of this paper is to give a review of DoS / DDoS attacks, provide a list of basic network attack prevention techniques, provide a brief comparison of current and emerging Intrusion Prevention devices available and to give an example implementation scenario using one of these products.
-
Build your own firewall using SuSE Linux: A mechanics guide.
Paul ONeil - October 31, 2003
The following paper describes the different tools that can be used in setting up an appropriate router and firewall combination using Linux that offers the necessary functionality and security to its users as well as the means to monitor it by an administrator.
-
Case Study: Deploying and Configuring a Netscreen 100 Firewall Appliance to Secure the Network
James Murphy - October 31, 2003
The purpose of this document is to show the reader how I deployed the Netscreen 100 firewall security appliance.
-
Using The Cisco Pix Device Manager
Jason Holcomb - October 31, 2003
This paper examines the PDM starting with an overview of the PIX, requirements of the PDM software, initial configuration guide, and finally a walkthrough of the software.
-
Long Distance Failover - High Availability using Cisco PIX Firewall
Chris Ellem - October 31, 2003
The purpose of this document is to provide information security professionals with an understanding of the requirements in implementing long distance failover using Cisco PIX Firewalls.
-
Secure Configuration of a Cisco 837 ADSL firewall router
Brett McIntosh - October 31, 2003
This paper describes, hopefully, a fairly typical small office/business scenario and one method to connect it securely to the Internet using a commercially available firewall/router, the Cisco 837 ADSL router.
-
Migrating Services Between Firewall Technologies
Andrew Barratt - October 31, 2003
This paper describes the considerations that are essential to address when a corporate firewall infrastructure is replaced with new technology.
-
Designing a DMZ
Scott Young - October 31, 2003
This paper takes a look at DMZ, which greatly increases the security of a network.
-
Choosing The Best Firewall
Gerhard Cronje - October 31, 2003
This paper briefly touches on most of the issues involved in choosing a firewall and provides a good starting point for selecting a firewall.
-
Solaris 8 and Checkpoint NG FP3 install with SSH, JASS and Syslog
Mike Shannon - October 31, 2003
This paper provides a detailed account of the pre-existing insecurity, a brief note of the catalytic event precipitating the actual changes to the firewall, a discussion of the implementation, and the results and ultimate success of the procedure 'hardening' the corporate firewall.
-
Scanning for viruses
Dan Boyd - October 31, 2003
In my first job position after college, I was hired to design and implement a firewall as well as a virus scanning mail solution and this paper addresses the processes I went through that increased security at this company.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.
Masters: This paper was created by a SANS Technology Institute student as part of their Master's curriculum.
