Secure your firewall
If an attacker can gain administrative access to your firewall, it is "game over" for your network security. Securing the firewall itself is therefore the first and most important step of this process. Never put a firewall into production that has not been hardened by at least the following configuration actions:
Update the firewall to the latest firmware (and keep it patched afterwards).
Delete, disable, or rename any default user accounts and change all default passwords. Use only strong, unique passwords.
If several administrators will manage the firewall, create a separate administrator account for each, with privileges limited to that person's responsibilities. Never use shared accounts.
Disable the simple network management protocol (SNMP), or configure it securely: SNMPv1 and v2c send the community string in cleartext, so if SNMP is needed prefer SNMPv3 with authentication and encryption, and never leave the default "public" or "private" strings in place.
Architect your firewall zones and IP addresses
To protect the valuable assets on your network, first identify what those assets are (for example, payment card data or patient records). Then plan the network structure so that assets can be grouped and placed into networks (zones) according to similar sensitivity level and function.
For example, all servers that provide services to the internet (web servers, email servers, virtual private network (VPN) servers, and so on) should be placed in a dedicated zone that allows limited inbound traffic from the internet; this zone is commonly called a demilitarized zone (DMZ). Servers that should not be reachable directly from the internet, such as database servers, belong in internal server zones. Likewise, workstations, point-of-sale devices, and voice over IP (VoIP) systems can usually be placed in internal network zones.
As a rule, the more zones you create, the more segmented and the more secure your network. Keep in mind, however, that each additional zone costs time and resources to manage, so choose the number of zones deliberately.
If you are using IP version 4, use private (RFC 1918) addresses for all internal networks. Network address translation (NAT) must then be configured so that internal devices can communicate with the internet where that is required.
Once you have designed the zone structure and the corresponding IP address scheme, you are ready to create the firewall zones and assign them to firewall interfaces or subinterfaces. As you build out the network infrastructure, use switches that support virtual LANs (VLANs) to maintain layer-2 separation between the networks; a zone that is separated only at the firewall but shares a broadcast domain with another zone is not really separated.
Configure access control lists
Now that the network zones exist and are assigned to interfaces, determine exactly which traffic needs to flow into and out of each zone.
That traffic is permitted by firewall rules called access control lists (ACLs), which are applied to each interface or subinterface of the firewall. Make every ACL as specific as possible about the exact source and destination IP addresses and port numbers. At the end of every ACL, make sure there is an explicit "deny all" rule so that any traffic not matched by an earlier rule is dropped (most firewalls also drop unmatched traffic implicitly, but an explicit final deny is easier to audit and can be logged). Apply both inbound and outbound ACLs to every interface and subinterface so that only approved traffic enters and leaves each zone.
Wherever possible, do not expose the firewall's own administration interfaces (both secure shell (SSH) and the web interface) to the public internet; restrict them to a dedicated management network or to specific administrator addresses. This protects the firewall configuration from outside attackers. Also disable all unencrypted management protocols, including Telnet and plain HTTP.
Configure your other firewall services and logging
If your firewall can also act as a dynamic host configuration protocol (DHCP) server, network time protocol (NTP) server, intrusion prevention system (IPS), and so on, configure the services you actually intend to use. Disable every additional service you do not need; each one is extra attack surface.
To meet PCI DSS requirements, configure the firewall to send its logs to a central logging server, and make sure the entries carry enough detail to satisfy requirements 10.2 through 10.3 of the PCI DSS (which events must be recorded, and what each log entry must contain, such as the user, event type, date and time, success or failure, origin, and affected resource). Accurate time on the firewall, via NTP, is part of this: log entries are only useful for investigations if their timestamps can be correlated with other systems.
Test your firewall configuration
In a test environment, verify that the firewall behaves as intended. Do not only confirm that permitted traffic gets through; also confirm that the firewall blocks traffic your ACLs are supposed to block, including management access from untrusted zones. Testing should include both vulnerability scanning and penetration testing.
Once testing is complete, the firewall is ready for production. Always keep a backup of the firewall configuration in a secure location so that your work is not lost in the event of a hardware failure, and treat that backup as sensitive, since it describes your entire security perimeter.
Remember that this is only an overview of the major steps of firewall configuration. Whether you follow a tutorial or design your own configuration, have a security expert review it to make sure it keeps your data as safe as possible.
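The ACL section above and this testing step call for the same thing: a rule set with specific source, destination and port, an explicit deny-all at the end of each list, management restricted to an encrypted protocol from a management network, and a way to prove that traffic which should be blocked really is. The following is an added example, not code from the original page: a small zone-based ACL model with first-match semantics, a lint pass for the mistakes the text warns about, and a policy test harness. The zone names, address ranges (the DMZ uses the RFC 5737 documentation range), rule names and test traffic are all constructed for illustration.

```python
"""Zone-based firewall ACL model: first-match rules, explicit final deny,
a lint pass, and a policy test harness.

Added example (not the original page's code). Zones, addresses, rule
names and test packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    proto: str = ANY              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == ANY or ip_address(addr) in ip_network(net)
        return (in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and self.proto in (ANY, pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic is dropped and reported
    as "implicit-deny" so a missing explicit deny-all is visible."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed address plan (hypothetical, not from the page).
DMZ_WEB = "192.0.2.10/32"       # public web server in the DMZ
DB_SERVERS = "10.10.0.0/24"     # internal server zone
CLIENTS = "10.20.0.0/24"        # workstations
MGMT = "10.99.0.0/24"           # management network
FW_SELF = "10.99.0.1/32"        # the firewall's own management address

# Inbound ACL on the internet-facing interface: published DMZ services only.
OUTSIDE_IN = [
    Rule("web-https", "allow", ANY, DMZ_WEB, "tcp", 443),
    Rule("deny-all-outside", "deny", ANY, ANY),
]
# Inbound ACL on the DMZ interface: only the web tier may reach the DB port.
DMZ_IN = [
    Rule("web-to-db", "allow", DMZ_WEB, DB_SERVERS, "tcp", 5432),
    Rule("deny-all-dmz", "deny", ANY, ANY),
]
# Inbound ACL on the management interface: encrypted admin protocols only,
# and only from the management subnet.
MGMT_IN = [
    Rule("admin-ssh", "allow", MGMT, FW_SELF, "tcp", 22),
    Rule("admin-https", "allow", MGMT, FW_SELF, "tcp", 443),
    Rule("deny-all-mgmt", "deny", ANY, ANY),
]
# Deliberately bad ACL to exercise lint(): no final deny, an any/any allow,
# and Telnet to the firewall itself.
BAD_OUTSIDE_IN = [
    Rule("web-any", "allow", ANY, ANY, "tcp", 443),
    Rule("telnet-admin", "allow", ANY, FW_SELF, "tcp", 23),
]


def lint(acl: List[Rule]) -> List[str]:
    """Static checks for the mistakes the text warns about."""
    findings = []
    last = acl[-1] if acl else None
    if not (last and last.action == "deny" and last.src == ANY
            and last.dst == ANY and last.proto == ANY and last.dport is None):
        findings.append("ACL does not end with an explicit deny-all rule")
    for r in acl:
        if r.action != "allow":
            continue
        if r.src == ANY and r.dst == ANY:
            findings.append(f"{r.name}: allows any source to any destination")
        if r.dst == FW_SELF and r.dport in (23, 80):
            findings.append(f"{r.name}: cleartext management tcp/{r.dport} to firewall")
    return findings


def run_policy_tests(acl, cases):
    """cases: (packet, expected_action). Returns mismatches as
    (packet, expected, actual, matched_rule); an empty list means pass."""
    return [(p, exp, act, name) for p, exp in cases
            for act, name in [evaluate(acl, p)] if act != exp]


# Constructed test traffic: what must pass, and what must be blocked.
OUTSIDE_CASES = [
    (Packet("203.0.113.7", "192.0.2.10", "tcp", 443), "allow"),
    (Packet("203.0.113.7", "192.0.2.10", "tcp", 22), "deny"),   # SSH to DMZ host
    (Packet("203.0.113.7", "10.10.0.5", "tcp", 5432), "deny"),  # straight to DB
    (Packet("203.0.113.7", "10.99.0.1", "tcp", 443), "deny"),   # admin UI from internet
]
DMZ_CASES = [
    (Packet("192.0.2.10", "10.10.0.5", "tcp", 5432), "allow"),
    (Packet("192.0.2.11", "10.10.0.5", "tcp", 5432), "deny"),   # other DMZ host
    (Packet("192.0.2.10", "10.20.0.50", "tcp", 445), "deny"),   # DMZ into client LAN
]
MGMT_CASES = [
    (Packet("10.99.0.20", "10.99.0.1", "tcp", 22), "allow"),
    (Packet("10.99.0.20", "10.99.0.1", "tcp", 23), "deny"),     # Telnet
    (Packet("10.20.0.50", "10.99.0.1", "tcp", 22), "deny"),     # SSH from client LAN
]

if __name__ == "__main__":
    for label, acl, cases in (("outside-in", OUTSIDE_IN, OUTSIDE_CASES),
                              ("dmz-in", DMZ_IN, DMZ_CASES),
                              ("mgmt-in", MGMT_IN, MGMT_CASES)):
        print(label, "lint:", lint(acl) or "clean")
        print(label, "policy failures:", run_policy_tests(acl, cases) or "none")
    print("bad ACL lint:", lint(BAD_OUTSIDE_IN))
```

The point of keeping the test cases in a table next to the rules is that the "must be denied" cases are written down explicitly; a firewall change that accidentally opens management from the client LAN or lets a second DMZ host reach the database then shows up as a policy failure before the configuration is pushed, rather than in a penetration test afterwards. On a real firewall the same cases translate into probes from hosts in each zone (for example with a port scanner) against the deployed rules.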