HP OSMS white paper: Security of Open Source Middleware Stacks
Additional Best Practices
This section includes the following topics:
• “Use a Firewall”
• “Use Secure Communications”
• “Use Layered Security” (page 21)
• “Never Assume the System Is Secure”
Use a Firewall
Firewalls can explicitly limit network traffic using a variety of filtering methods. Often firewalls manage
connections by port and network address, and only those connections explicitly granted access (through
a white list) may pass through the firewall. Typically, firewalls limit inbound connections; however,
filtering outbound connections is also possible. Outbound protection (known as an egress firewall) is
useful for preventing unauthorized connections from unknown local processes (for example, Trojan
programs and other malware) or connections to risky external networks. A firewall must be placed between
the network and the systems that need protection.
Hardware firewalls are located on the network and have the main task of filtering traffic for a subnet.
Software firewalls are processes that reside on local machines and filter the connections to the local services.
Software firewalls are vulnerable to attacks originating from the local machine: if an intruder gains access,
the intruder might be able to subvert the firewall. Hardware firewalls are isolated and limited to the sole
task of filtering, so they are less likely to be compromised in this manner.
Software firewalls on local systems can also be combined with network firewalls; for example, the Bastille
and Red Hat Linux firewalls can work in conjunction with firewalls positioned at the network gateway.
Network topologies that employ a demilitarized zone (DMZ) approach (see Figure 8) have layers of
firewalls that offer different levels of protection and availability to systems as needed. This approach can
limit the damage done by a successful attack by isolating the exposed systems from the other systems.
Figure 8 DMZ Approach
The DMZ separates computers that face external hazards from other systems.
Remember, a secure system should not have access to unneeded services. This might mean that a service
accessed only on the local network should have firewall rules denying access from connections that are
not from the local network. If the service is not required at all, remove it instead of blocking access to it.
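The filtering model described above (a white list keyed on port and network address, default deny, separate inbound and outbound treatment, and a service reachable only from the local network) can be checked offline before rules are loaded into a real firewall. The following is an added example, not code from the HP white paper; the host address 10.0.1.10, the local subnet 10.0.1.0/24, the resolver 10.0.1.1, the port choices and all traffic samples are constructed values for illustration.

```python
"""Whitelist packet-filter model (constructed example, not from the HP white paper):
default-deny inbound and outbound chains with rules keyed on port and network address."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Connection:
    direction: str          # "in" (toward the host) or "out" (leaving it)
    src: str                # source IP address
    dst: str                # destination IP address
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                       # "allow" or "deny"
    dst_port: Optional[int] = None    # None matches any port
    src_net: Optional[str] = None     # CIDR; None matches any source
    dst_net: Optional[str] = None     # CIDR; None matches any destination
    proto: str = "tcp"

    def matches(self, c: Connection) -> bool:
        if c.direction != self.direction or c.proto != self.proto:
            return False
        if self.dst_port is not None and c.dst_port != self.dst_port:
            return False
        if self.src_net and ip_address(c.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(c.dst) not in ip_network(self.dst_net):
            return False
        return True


class Firewall:
    """First matching rule decides; a connection matching no rule is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, c: Connection) -> str:
        for rule in self.rules:
            if rule.matches(c):
                return rule.action
        return "deny"   # default deny: nothing off the white list passes


# Hypothetical host 10.0.1.10 on the local subnet 10.0.1.0/24 (assumed values).
LOCAL_NET = "10.0.1.0/24"
POLICY = Firewall([
    # Inbound: the public web service is reachable from anywhere ...
    Rule("in", "allow", dst_port=443),
    # ... but the database listener is reachable from the local network only.
    Rule("in", "allow", dst_port=3306, src_net=LOCAL_NET),
    # Outbound (egress): only DNS to the local resolver and HTTPS anywhere.
    Rule("out", "allow", dst_port=53, dst_net="10.0.1.1/32", proto="udp"),
    Rule("out", "allow", dst_port=443),
    # Everything else, in both directions, falls through to the default deny.
])

# Constructed traffic samples exercising each rule and the default.
SAMPLES = {
    "web_from_internet":      Connection("in", "203.0.113.5", "10.0.1.10", 443),
    "db_from_internet":       Connection("in", "203.0.113.5", "10.0.1.10", 3306),
    "db_from_lan":            Connection("in", "10.0.1.20", "10.0.1.10", 3306),
    "ssh_from_internet":      Connection("in", "203.0.113.5", "10.0.1.10", 22),
    "dns_to_resolver":        Connection("out", "10.0.1.10", "10.0.1.1", 53, "udp"),
    "unknown_process_egress": Connection("out", "10.0.1.10", "198.51.100.7", 6667),
}


def evaluate(fw: Firewall, samples: Dict[str, Connection]) -> Dict[str, str]:
    """Return the firewall's decision for each named sample connection."""
    return {name: fw.decide(conn) for name, conn in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate(POLICY, SAMPLES).items():
        print(f"{name:24s} -> {verdict}")
```

Rule order matters because the first match wins, so a broad allow placed above a narrower deny silently shadows it; keeping the deny as the implicit last rule, as here, is what makes the policy a true white list. The egress samples show why outbound filtering is worth the effort: a connection from an unknown local process to an unexpected port is dropped even though nothing inbound was involved.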
Firewalls are just one defensive measure within a layered security approach. Do not rely solely on perimeter
20