Republished with permission from WatchGuard Technologies, Inc.


Disaster Recovery and Your Firebox

by David M. Piscitello, Core Competence, Inc.

Mark Edmeadís TISC Insight column (reposted to LiveSecurity as "Foundations: Are You Prepared for Disaster?") defines Business Continuity Planning as ďan organizationís ability to continue to function when normal operations are disrupted.Ē In the specific context of an enterprise firewall, many disruptions are readily foreseen: loss of power, misconfiguration, denials of service, destruction of or damage to equipment by natural or manmade disasters, and so on. But you shouldnít tunnel your vision for firewall resumption planning; in many cases, recovering or replacing your hardware appliance may be the easy part. In this column, Iíll discuss broader aspects of business resumption planning and disaster recovery you should consider when addressing those security services your firewalls provide.

Enterprise firewalls are key IT systems

When business resumption and disaster recovery are mentioned, an IT department typically thinks first and foremost about restoring critical servers and information. Accordingly, recovery methods and processes may quite competently address the restoration of business data, yet overlook security system data. Restoring Internet connectivity to servers containing mission critical data, without implementing security, is as much a recipe for disaster as whatever act of God or man crippled your organization in the first place. Firewalls arenít always near the top of the list -- but they should be.

Itís more than simply your firewall

Business data to be protected against disaster must include the policy and configuration data that governs your firewall operation. Thus, data on the system on which you run your Control Center and VPN Manager are as important as whatís installed on the Firebox. All the following information that youíll find (by default) in the WatchGuard folder of your Control Center host is important to assure full and accurate recovery of security services following a disruption:

  1. Firewall configuration files. If you donít have the most current configuration, you risk re-exposing a vulnerability you previously remedied.
  2. Remote user and VPN configuration files. Without these, you canít be assured you will restore secure communications among sites and mobile users.
  3. Flash images of the Firebox firmware. You can expedite service resumption if you have copies of the firmware you were running prior to the incident.
  4. Installation files. Again, to expedite the replacement of the system on which you run your Control Center, you must have licensed WatchGuard software readily at hand.
  5. Digital Certificates. Without these, you may not be able to resume remote administration of SOHO firewalls via the VPN Manager.
  6. WatchGuard licenses. Without license information, youíll waste precious time attempting to restore your firewall and Control Center host.
  7. Log files and Historical reports. These are critical for any forensic investigation you may need to perform following a major business disruption.

Security policy documentation, topology diagrams, and VPN documentation Iíve mentioned in earlier columns (listed at the end of this article) are also vital for business resumption. If you lose key IT staff during or following a disaster, such documentation may prove to be the sole transfer of information. Moreover, any security patches, hot fixes, and other system hardening performed on systems such as your Control Center host should be recorded in a log, and a copy of this log should be included in your archive. Consider burning this information onto a CD stored in a secure location on site so that you can recover the system locally: in a disaster, Internet connectivity may not be available. Donít forget user accounts and passwords for the Control Center, VPN Manager, and SOHOs (these should be protected using encryption if they are to be stored on removable media).

In small and medium businesses, quite often only the LAN administrator and ďthe firewall guyĒ know and keep certain information, such as system and software inventories as well as WatchGuard support contract and contact information. Gather this and any other information you believe necessary  for resuming business security and present them to management or the committee in your organization responsible for Business Continuity Planning and Disaster Recovery Planning. Be certain suitable means of archival and restoration of security data and systems are incorporated into the recovery methodology your company adopts.

Contingency planning

Small and medium business are often more vulnerable to loss of equipment than large enterprises. Many such companies canít justify the cost of mirroring data off site, readying hot-standby systems, and other such diversity measures on a large scale. However, there are some contingencies most businesses may be able to afford.

In a pinch, a SOHO may not entirely replace a Firebox, but it will provide enough security services for you to put an office temporarily back online, until you can arrange for a replacement Firebox. Similarly, if you have recently upgraded a Firebox, think about whether you can use the one replaced as a spare. I know for a fact even a Pentium II 180Mhz with 64 MB RAM running Windows NT can serve as a WatchGuard Control Center. This is not as meticulous a solution as the cold standby I described earlier, but it will do, and costs very little.

Think about creative ways to emulate what large enterprises might do. If you do any e-business whatsoever with companies similar in size to yours, consider discussing the possibility of entering into some arrangement where you can either share the cost of an offsite service center, or swap (secured) space in each otherís data centers.

See that you havenít created single points of failure in your IT staff. Cross-train so that several staff members know how to administer the Firebox and VPNs. If you already have a relationship with a security or IT consulting services group, inquire whether they can offer temporary staffing should you lose key IT staff in a disaster.

A small but important part in the big picture

I originally set out to explain how to recover a Firebox from a misconfiguration or corrupted flash image. This is more than adequately explained on the web at WatchGuard's LiveSecurity site. But given the considerable attention organizations are now directing at business continuity and resumption, and disaster recovery, speaking only to a single ďhow toĒ seemed too limited in scope. I hope youíll  treat security data as part of your mission critical data as you flesh out the big picture for your organization.  ##


Copyright© 2001, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.

Copyright © 1996 - 2001 WatchGuard Technologies, Inc. All rights reserved.