Firewall Configuration Rules

Agenda:
  Port Review
  NAT Review
  Proxy Review

Firewall Configuration: Port Review
PROTOCOL and PORT NUMBERS (UDP example)
Figure: encapsulation of a TFTP datagram, layer by layer.
  Application layer: TFTP, source port 5512
  Transport layer: UDP, destination port 69
  Network layer: IP header with protocol 17 (UDP), source IP address 128.66.12.2, destination IP address 128.66.13.1
  Data link layer: Ethernet frame - PREAMBLE | DESTINATION ADDR 00 00 1B 12 23 34 | SOURCE ADDR 00 00 1B 09 08 07 | FIELD TYPE | IP HEADER | TCP/UDP HEADER | DATA | FCS
USER DATAGRAM PROTOCOL
UDP Source/Destination Port.
1. The port numbers identify the receiving and sending process. They demultiplex the UDP datagram to a particular process running on the computer.
2. IP demultiplexes the incoming IP datagram to either TCP or UDP based upon the protocol value in the IP header. UDP then demultiplexes the UDP datagram to a particular application depending upon the port number.
3. The port number and the IP address together allow any application on any computer on the Internet to be uniquely identified.
4. UDP port numbers can be both static and dynamic.
   Static ports (<= 1023) are assigned by a central authority and are sometimes called Universal Assignments or well-known port assignments.
   Typical static ports are 7 = Echo, 37 = Time, 69 = TFTP, 161 = SNMP network monitor, 514 = System log, 520 = RIP.
   Dynamic ports are not globally known but are assigned by software. These numbers are 0 - 65535 (minus the static port assignments).
UDP Message Length. This field indicates the size of the UDP header and its data in bytes. The minimum size must be 8 (the size of the header alone).
UDP header layout (bit positions 0-15 | 16-31):
  UDP Source Port      | UDP Destination Port
  UDP Message Length   | UDP Checksum
  Data . . .
USER DATAGRAM PROTOCOL
Well Known UDP Ports Examples

Service     Port  Description
Echo        7     Echo user datagram back to user
Discard     9     Discard user datagrams
Daytime     13    Report time in a user friendly fashion
Quote       17    Return "Quote of the day"
Chargen     19    Character generator
Nameserver  53    Domain Name Server
Sql-Net     66    Oracle Sequel Network
BOOTPS      67    Server port to download configuration information
BOOTPC      68    Client port to receive configuration information
TFTP        69    Trivial File Transport Protocol
POP3        110   Post Office Protocol - V3
SunRPC      111   Sun Remote Procedure Call
NTP         123   Network Time Protocol
SNMP        161   Used to receive network management queries
SNMP-trap   162   Used to receive network problem reports
IRC         194   Internet Relay Chat
IPX         213   IPX - IP Tunneling
SysLog      514   System Log
RIP         520   Routing Information Protocol
NFS         2049  Network File Service

Well-Known ports are standard ports between 0-1023 reserved for standard services.
The Internet Assigned Numbers Authority (IANA) is responsible for assigning well-known ports.
PROTOCOL and PORT NUMBERS (TCP example)
Figure: encapsulation of a Telnet segment, layer by layer.
  Application layer: Telnet, source port 5512
  Transport layer: TCP header, destination port 23
  Network layer: IP header with protocol 6 (TCP), source IP address 128.66.12.2, destination IP address 128.66.13.1
  Data link layer: Ethernet frame - PREAMBLE | DESTINATION ADDR 00 00 1B 12 23 34 | SOURCE ADDR 00 00 1B 09 08 07 | FIELD TYPE | IP HEADER | TCP HEADER | DATA | FCS
TCP ENCAPSULATION

IP Header (bit positions 0-15 | 16-31):
  VERS (4 bits) | HLEN (4 bits) | TOS (8 bits) | Total Length (16 bits)
  Identification (16 bits) | Flags (3 bits) | Fragment Offset (13 bits)
  TTL (8 bits) | Protocol (8 bits) | Checksum (16 bits)
  Source IP Address (32 bits)
  Destination IP Address (32 bits)
  IP Options (if any) (32 bits)

TCP Header (carried as the data of the IP datagram):
  Source Port (16 bits) | Destination Port (16 bits)
  Sequence Number (32 bits)
  Acknowledgement Number (32 bits)
  Offset (4 bits) | Reserved (6 bits) | U A P R S F flags (6 bits) | Receive Window Size (16 bits)
  Checksum (16 bits) | Urgent Pointer (16 bits)
  Options (if any)
  TCP Data (if any)

Ethernet frame (field lengths in bytes):
  PREAMBLE (8) | DESTINATION ADDRESS (6) | SOURCE ADDRESS (6) | FIELD TYPE (2) | IP HEADER | TCP HEADER | DATA (0-65535) | FCS (4)
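The encapsulation and demultiplexing described in the UDP and TCP slides above, as an added worked example that is not part of the original slides: a small Python parser that walks an Ethernet frame to its IP header, uses the protocol field to choose UDP (17) or TCP (6), and reads the ports from the transport header, which is exactly the path a receiving stack follows before handing data to a process. The two sample frames (the slides' TFTP and Telnet packets from 128.66.12.2 to 128.66.13.1, source port 5512) are constructed inline; the IP and transport checksums are left at zero, and the TFTP request payload and the small well-known port table are assumptions for the example.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_IP = 0x0800
IPPROTO_TCP = 6      # protocol value in the IP header for TCP
IPPROTO_UDP = 17     # protocol value in the IP header for UDP

# Subset of the well-known port tables on the slides, keyed by (transport, destination port).
WELL_KNOWN = {("UDP", 69): "TFTP", ("UDP", 53): "DNS", ("UDP", 161): "SNMP",
              ("TCP", 23): "Telnet", ("TCP", 25): "SMTP", ("TCP", 80): "HTTP"}

@dataclass
class Parsed:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: int
    transport: str
    src_port: int
    dst_port: int
    payload: bytes

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_frame(frame: bytes) -> Parsed:
    """Walk Ethernet -> IP -> UDP/TCP the way the receiving stack demultiplexes."""
    # Ethernet II header as seen by software: dst (6) | src (6) | type (2).
    # The preamble and FCS shown on the slide are consumed by the NIC and never reach IP.
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IP:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    version, hlen = ip[0] >> 4, (ip[0] & 0x0F) * 4   # VERS and HLEN share the first byte
    if version != 4 or hlen < 20 or len(ip) < hlen:
        raise ValueError("malformed IP header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    protocol = ip[9]                                  # IP uses this to pick TCP or UDP
    src_ip, dst_ip = _ip(ip[12:16]), _ip(ip[16:20])
    seg = ip[hlen:total_len]
    if protocol == IPPROTO_UDP:
        sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
        if length < 8 or length > len(seg):           # minimum length is the 8-byte header
            raise ValueError(f"bad UDP length {length}")
        return Parsed(_mac(src), _mac(dst), src_ip, dst_ip, protocol, "UDP", sport, dport, seg[8:length])
    if protocol == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", seg[:4])
        offset = (seg[12] >> 4) * 4                   # data offset, in 32-bit words
        return Parsed(_mac(src), _mac(dst), src_ip, dst_ip, protocol, "TCP", sport, dport, seg[offset:])
    raise ValueError(f"unsupported IP protocol {protocol}")

def service_for(p: Parsed) -> str:
    """UDP/TCP then demultiplex on the port: well-known ports name a service, the rest are dynamic."""
    return WELL_KNOWN.get((p.transport, p.dst_port), "dynamic/unknown")

def _ip_header(proto: int, payload_len: int, src: str, dst: str) -> bytes:
    # Header checksum left 0 in these constructed samples; parse_frame does not verify it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))

# Ethernet header with the slide's addresses: destination 00 00 1B 12 23 34, source 00 00 1B 09 08 07.
ETH = struct.pack("!6s6sH", bytes.fromhex("00001B122334"), bytes.fromhex("00001B090807"), ETHERTYPE_IP)

def build_tftp_frame() -> bytes:
    """Constructed sample: the slide's TFTP datagram, 128.66.12.2:5512 -> 128.66.13.1:69."""
    rrq = b"\x00\x01boot.img\x00octet\x00"            # a TFTP read request (opcode 1); assumed payload
    udp = struct.pack("!HHHH", 5512, 69, 8 + len(rrq), 0) + rrq
    return ETH + _ip_header(IPPROTO_UDP, len(udp), "128.66.12.2", "128.66.13.1") + udp

def build_telnet_frame() -> bytes:
    """Constructed sample: the slide's Telnet connection request, 128.66.12.2:5512 -> 128.66.13.1:23."""
    tcp = struct.pack("!HHIIBBHHH", 5512, 23, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)  # 20-byte header, SYN set
    return ETH + _ip_header(IPPROTO_TCP, len(tcp), "128.66.12.2", "128.66.13.1") + tcp

if __name__ == "__main__":
    for frame in (build_tftp_frame(), build_telnet_frame()):
        p = parse_frame(frame)
        print(p.transport, p.src_ip, p.src_port, "->", p.dst_ip, p.dst_port, service_for(p))
```

The parser trusts nothing it has not checked: the ethertype must be IPv4, the header length must be sane, and a UDP length below 8 or beyond the datagram is rejected rather than used as a slice bound. Those are the same fields a packet-filtering firewall reads to classify a packet by type, address and port.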
WELL KNOWN TCP PORT NUMBERS

Port  Application  Description
9     Discard      Discard all incoming data port
19    Chargen      Exchange streams of data port
20    FTP-Data     File transfer data port
21    FTP-CMD      File transfer command port
23    Telnet       Telnet remote login port
25    SMTP         Simple Mail Transfer Protocol port
79    Finger       Obtains information about active users
80    HTTP         Hypertext Transfer Protocol port
88    Kerberos     Authentication Protocol
110   POP3         PC Mail retrieval service port
119   NNTP         Network news access port
179   BGP          Border Gateway Protocol
513   Rlogin       Remote Login
514   Rexec        Remote Execute
TCP PROCESS ADDRESSING
End Point describes one end of a connection in terms of:
  < Local Addr, Local Port # >
  e.g. < 164.22.40.8, 1500 >
Half Association describes just one process in terms of:
  < Prot, Local Addr, Local Port # >
  e.g. < tcp, 164.22.40.8, 1500 >
Full Association describes a connection in terms of:
  < Prot, Local Addr, Local Port #, Remote Addr, Remote Port # >
  e.g. < tcp, 164.22.40.8, 1500, 165.62.1.125, 22 >

Figure: two protocol stacks (TCP/UDP over IP over LINK over PHYS) connected end to end. The local host has IP address 164.22.40.8 and port 1500; the remote host has IP address 165.62.1.125 and port 22.
Selected Ports
Echo - UDP Port 7:
  Retransmits to the sender anything it receives. Used for testing networks.
  Disable if not needed or block at the Firewall.
Discard - TCP/UDP Port 9:
  Discards anything it receives. Used for developing network tools.
  Disable if not needed or block at the Firewall.
Daytime - UDP Port 13:
  Sends the date/time of the server to the client.
  Disable if not needed or block at the Firewall.
Quote - UDP Port 17:
  Sends the connecting client a quote selected from a file of quotes.
  Disable if not needed or block at the Firewall.
Chargen - TCP/UDP Port 19:
  Continuously sends out printable ASCII characters. Used for testing network tools.
  Disable if not needed or block at the Firewall.
FTP - TCP Ports 20 and 21:
  Used for transferring files over the Internet.
  Disable if not needed; otherwise use a proxy.
Telnet - TCP Port 23:
  Used to connect remotely to a server. The data is not encrypted and the password/logon is readable.
  Disable if not needed or block at the Firewall.
SMTP - TCP Port 25:
  Used for the exchange of email over the Internet.
  Proxy SMTP across the Firewall.
DNS - UDP Port 53:
  Translates text-based names into IP addresses.
  Proxy DNS across the Firewall.
BootP/DHCP - UDP Ports 67 and 68:
  BootP allows diskless workstations to find and load their OSs over the network.
  DHCP provides for dynamic allocation of IP addresses.
  Both BootP and DHCP should be employed inside the Firewall.
TFTP - UDP Port 69:
  A simpler version of FTP that is used with BootP and DHCP to allow diskless workstations to acquire and load their operating systems.
  Disable or block at the Firewall.
Gopher - TCP Port 70:
  The first hypertext system on the Internet.
  Disable or block at the Firewall.
Finger - TCP Port 79:
  Used to obtain system information such as names, office hours, TP#, current projects.
  Disable.
HTTP - TCP Port 80:
  Used to transfer text, video, graphics, sound and programs over the Internet.
  Proxy HTTP across the Firewall.
POP3 - TCP Port 110:
  Allows users to check their mail over the LAN or the Internet.
  Proxy POP3 or block at the Firewall.
RPC - UDP Port 111:
  Allows two computers to coordinate the execution of software.
  Disable or block at the Firewall.
NetBios - TCP Ports 137, 138, 139:
  Used by MS Windows networking to connect LAN clients to file and print services.
  Block at the Firewall.
IMAP - TCP Port 143:
  Used by clients to transfer email from servers not configured to send email to the clients.
  Disable if not needed.
SNMP - UDP Port 161:
  Used to remotely manage network devices such as routers, servers, hubs and clients.
  Block at the Firewall.
LDAP - TCP/UDP Port 389:
  Used to maintain contact information across the Internet.
  Block at the Firewall.
RSH - TCP Port 514:
  Used to connect remotely to a server. The passwords are encrypted.
  Block at the Firewall.
NFS - TCP/UDP Port 2049:
  Provides clients LAN access to data storage. The Unix equivalent of NetBios.
  Block at the Firewall.
NAT Review
Overview
The IAB identified three immediate Internet dangers:
1. INTERNIC is fast exhausting Class B addresses.
2. The increase in networks/hosts has resulted in a routing table explosion.
3. The increase in networks/hosts is fast depleting the 32-bit address space.
Class B Exhaustion (Three Bears Problem).
  Class A : 8/24 : 256 networks : 16,772,214 hosts - too scarce (IANA assigned).
  Class B : 14/16 : 16,384 networks : 65,534 hosts - about right for subnetting.
  Class C : 21/8 : 2,097,152 networks : 254 hosts - too narrow.
Routing Table Explosion
This is a catch-all term for all the problems posed by the manipulation of large databases.
IP Address Depletion Strategies
The InterNIC adopted four major strategies for handling the depletion of IP addresses:
  Creative IP Address Space Allocation.
    RFC 2050 - Internet Registry IP Allocation Guidelines.
  Private Addresses / Network Address Translation (NAT).
    RFC 1918 - Address Allocation for Private Internets.
    RFC 1631 - The IP Network Address Translator.
  Classless Inter-Domain Routing (CIDR).
    RFC 1519 - Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy.
  IP Version 6 (IPv6).
    RFC 1883 - Internet Protocol, Version 6 (IPv6).
Private IP Addresses
Private IP addresses relax the rule that IP addresses are globally unique. This IP conservation technique reserves part of the IP address space for use exclusively within an organization. The organization does not require connectivity to the Internet.
IANA reserves three ranges of IP addresses for "Private Internets":
  10.0.0.0 - 10.255.255.255        A single Class A network
  172.16.0.0 - 172.31.255.255      Sixteen contiguous Class B networks
  192.168.0.0 - 192.168.255.255    256 contiguous Class C networks
Any organization can use these addresses provided it adheres to the following rules:
  They cannot be referenced by hosts in another organization.
  They cannot be defined to any external router.
  An organization with private addresses cannot externally advertise those IP addresses and cannot forward IP datagrams containing those addresses to external routers.
  External routers will quietly discard all routing information regarding these addresses.
  All connectivity to an Internet host must be provided by a Network Address Translator.
Network Address Translators
NATs are based upon the idea that only a small part of the hosts in a private network will communicate outside that network.
NATs are a solution for those organizations that use non-routable IP addresses.
A NAT, normally part of a Firewall, is positioned between the Private Network and the Internet and:
  Dynamically translates the private IP address of an outgoing packet into an Internet IP address.
  Dynamically translates the return Internet IP address into a private IP address.
Only TCP/UDP packets are translated by NAT. For example, the Private Network cannot be pinged (i.e. ICMP is not supported).
NAT hides the internal network from the view of outsiders.
Network Address Translator
Figure: the NAT sits between the Private Network and the Internet; it translates and maps addresses, excludes some, and draws on a pool of static addresses.
NAT Translation Modes
Static Translation (Port Forwarding): A fixed IP translation between internal resources with non-routable IP addresses and a specific external routable IP address.
Dynamic Translation (Automatic, Hide Mode, IP Masquerade or NAPT): A large group of internal resources are dynamically given non-routable IP addresses which are translated into a single external, routable IP address. Each internal resource is uniquely identified by an external port number.
Load Balancing Translation: A single external IP address is translated into a pool of identically configured servers, so that a single external IP address serves a number of servers.
Network Redundancy Translation: A single Firewall is attached to multiple Internet connections that the firewall can use for load balancing or redundancy.
Static Translation
Figure: host 10.4.3.1 on the Private Network sends a packet with source 10.4.3.1 and destination 198.34.2.5; the NAT forwards it onto the Internet with source 200.10.4.10 and destination 198.34.2.5.
NAT pool:
  10.4.3.1  -> 200.10.4.10
  10.4.3.2  -> 200.10.4.11
  <Free>    -> 200.10.4.12
The Private Network is assigned non-routable addresses.
The NAT pool consists of registered IP addresses that resolve to the external address of the Private Network.
For outgoing packets a NAT pool IP address is substituted for the source IP address.
For incoming packets the original IP address is reinserted as the destination IP address, replacing the NAT pool address.
Dynamic Translation
Figure: hosts 10.4.3.1, 10.4.3.2 and 10.4.3.3 on the Private Network reach 198.34.2.5 on the Internet through the single public address 200.10.4.10.

Network Address & Port Translation (NAPT) Table
Private Address  Private Port  Public Address  NAT Port  External Address  External Port  Protocol Used
10.4.3.2         21023         200.10.4.10     14003     198.34.2.1        80             TCP
10.4.3.3         1234          200.10.4.10     14005     198.34.2.1        80             TCP
10.4.3.11        26066         200.10.4.10     14007     198.34.2.1        21             TCP
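The static and dynamic translation modes described above, as an added Python example (not code from the slides): StaticNat maps one private host to one pool address in both directions, and Napt builds the NAPT table on the fly, allocating a NAT port per private address/port pair on the way out and translating return traffic back on the way in. The addresses and ports are the ones on the slides; the port allocation step of two, the RFC 1918 check on the source address (the slides say only private addresses sit behind the NAT) and the inbound lookup that also keys on the external address and port are design choices of this example.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

class StaticNat:
    """Static translation: a fixed one-to-one map between a private host and a NAT pool address."""
    def __init__(self, pool_map):
        self.priv_to_pub = dict(pool_map)                  # e.g. {"10.4.3.1": "200.10.4.10"}
        self.pub_to_priv = {pub: priv for priv, pub in pool_map.items()}

    def outbound(self, pkt):
        """Substitute the pool address for the private source address."""
        pub = self.priv_to_pub.get(pkt.src_ip)
        return replace(pkt, src_ip=pub) if pub else None   # unmapped host: not forwarded

    def inbound(self, pkt):
        """Reinsert the original private address as the destination."""
        priv = self.pub_to_priv.get(pkt.dst_ip)
        return replace(pkt, dst_ip=priv) if priv else None

class Napt:
    """Dynamic (hide-mode) translation: every host shares one public address, and the NAT port
    allocated per private (address, port) pair is what tells the return traffic apart."""
    def __init__(self, public_ip, first_port=14003, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_map = {}   # (private ip, private port, proto) -> NAT port
        self.in_map = {}    # (NAT port, proto, external ip, external port) -> (private ip, private port)

    def outbound(self, pkt):
        if not ipaddress.ip_address(pkt.src_ip).is_private:
            return None     # only RFC 1918 sources belong on the inside; anything else is dropped
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        nat_port = self.out_map.get(key)
        if nat_port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("NAT port pool exhausted")
            nat_port, self.next_port = self.next_port, self.next_port + 2   # 14003, 14005, 14007 as on the slide
            self.out_map[key] = nat_port
        self.in_map[(nat_port, pkt.proto, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=nat_port)

    def inbound(self, pkt):
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.in_map.get((pkt.dst_port, pkt.proto, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None     # unsolicited: no inside host opened this, so the NAT drops it
        priv_ip, priv_port = entry
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)

    def table(self):
        """Rows in the order of the slide's NAPT table columns, sorted by NAT port."""
        rows = [(piv, pport, self.public_ip, nport, ext_ip, ext_port, proto)
                for (nport, proto, ext_ip, ext_port), (piv, pport) in self.in_map.items()]
        return sorted(rows, key=lambda r: r[3])

if __name__ == "__main__":
    nat = Napt("200.10.4.10")
    nat.outbound(Packet("10.4.3.2", 21023, "198.34.2.1", 80))
    nat.outbound(Packet("10.4.3.3", 1234, "198.34.2.1", 80))
    nat.outbound(Packet("10.4.3.11", 26066, "198.34.2.1", 21))
    for row in nat.table():
        print(*row)
    print(nat.inbound(Packet("198.34.2.1", 80, "200.10.4.10", 14003)))
```

The inbound path is where the security property of hide mode comes from: a packet that arrives at 200.10.4.10 on a NAT port nobody inside has been allocated has no table entry and is discarded, so outsiders cannot address private hosts directly, which is the "NAT hides the internal network" point of the slides.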
Load Balancing Translation
Figure: a browser on the Internet reaches the Firewall, which translates the single external address to one of Servers A, B, C and D on the Private Network.
Network Redundancy Translation
Figure: the Firewall in front of the Private Network and its server is attached to three Internet connections (UUNET, Sprint and MindSpring), each reached by browsers on the Internet.
Firewall Configuration Rules
Firewall Decisions
Rules by security level?
  Paranoid: Nothing is allowed (no external connections). The organization has been hacked and is paranoid.
  Cautious: That which is not explicitly permitted is not allowed. The default policy is to deny.
  Optimistic: That which is not explicitly prohibited is allowed. The default policy is to allow.
  Open: Everything is allowed. This organization has not been hacked.
NOTE: Instructor's recommendation: BE CAUTIOUS.
Rules by traffic (protocol) needs?
  Browser (HTTP).
  Address Resolution (DNS).
  Electronic Mail (SMTP).
  Network Management (SNMP).
Rules for Rules
  First match: rules are applied in order.
  Place the most specific rules at the top of the rule set and the least specific rules at the bottom.
  Group like protocol rules.
  Firewall performance: place the protocols bearing the most traffic at the top of the rule set. This will generally be HTTP.
The Firewall must distinguish packets:
  By the arrival/departure interface.
  By type of packet.
  By the source/destination address.
  By the source/destination port.
  By IP header option.
  By ICMP message.
  By ACK bit.
Typical Configuration Rules
NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level.
These rules handle only HTTP and SMTP traffic (SServ is the mail server, WServ the web server).

Rule   Direct  SIP    SPRT   DIP        DPRT   OPT  Flag  PKT  TYP  ACT
HTTP1  Out     Any    >1023  Any        80     Any  SYN   TCP  Any  Pass
       Allow an outgoing connection to an HTTP server.
HTTP2  In      Any    80     Any        >1023  Any  ACK   TCP  Any  Pass
       Allow already established HTTP traffic to travel back through the firewall.
SMTP1  Out     SServ  Any    Any        25     Any  SYN   TCP  Any  Pass
       Allow the mail server to establish an outgoing connection.
SMTP2  In      Any    Any    SServ      25     Any  Any   TCP  Any  Pass
       Allow incoming connections to the mail server.
SMTP3  In      Any    Any    Not SServ  25     Any  Any   TCP  Any  Drop
       Disallow any connection from the outside other than to the mail server.
HTTP3  In      Any    Any    Not WServ  80     Any  Any   TCP  Any  Drop
       Disallow any connection from the outside other than to the web server.
Typical Configuration Rules (cont…)
NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level.
These are examples of spoofing rules.

Rule    Direct  SIP        SPRT  DIP     DPRT  OPT     Flag  PKT       TYP  ACT
Source  In      Any        Any   Any     Any   Source  Any   Any       Any  Drop
        Drop all source-routed packets.
Spoof1  In      Internal   Any   Any     Any   Any     Any   Any       Any  Drop
        Drop all packets that appear on the external interface that have an internal source IP address.
Spoof2  Out     Outside    Any   Any     Any   Any     Any   Any       Any  Drop
        Drop all packets that appear on the internal interface that have an outside source IP address.
Spoof3  In      Any        Any   PServs  Any   Any     Any   Any       Any  Drop
        Drop all packets destined for the protected servers.
Spoof4  In      Any        Any   Any     Any   Any     Any   RIP/OSPF  Any  Drop
        Disallow any incoming routing packets.
Stop1   In      196.7.9.9  Any   Any     Any   Any     Any   Any       Any  Drop
        Drop any packets from this specific IP address.
Typical Configuration Rules (cont…)
NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level.
These are examples of ICMP rules to pass packets.

Rule   Direct  SIP  SPRT  DIP  DPRT  OPT  Flag  PKT   TYP            ACT
ICMP1  In      Any  Any   Any  Any   Any  Any   ICMP  Source Quench  Pass
       Allow ICMP Source Quench packets from external hosts.
ICMP2  Out     Any  Any   Any  Any   Any  Any   ICMP  Echo Request   Pass
       Allow Echo Requests outbound.
ICMP3  In      Any  Any   Any  Any   Any  Any   ICMP  Echo Reply     Pass
       Allow the replies to the echo request to be returned.
ICMP5  In      Any  Any   Any  Any   Any  Any   ICMP  Dest Unreach   Pass
       Allow ICMP Destination Unreachable packets from external hosts.
ICMP6  In      Any  Any   Any  Any   Any  Any   ICMP  Serv Unav      Pass
       Allow ICMP Service Unavailable packets from external hosts.
ICMP7  In      Any  Any   Any  Any   Any  Any   ICMP  TTL Exced      Pass
       Allow ICMP Time-to-Live Exceeded packets from external hosts.
Typical Configuration Rules (cont…)
NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level.
These are examples of ICMP rules to drop packets.

Rule    Direct  SIP  SPRT  DIP  DPRT  OPT  Flag  PKT   TYP           ACT
ICMP7   In      Any  Any   Any  Any   Any  Any   ICMP  Redirect      Drop
        Drop ICMP Redirect on the external interface.
ICMP8   In      Any  Any   Any  Any   Any  Any   ICMP  Echo Request  Drop
        Drop ICMP Echo Request on the external interface.
ICMP9   Out     Any  Any   Any  Any   Any  Any   ICMP  Echo Reply    Drop
        Drop ICMP Echo Reply packets that are outbound.
ICMP10  Out     Any  Any   Any  Any   Any  Any   ICMP  Dest Unreach  Drop
        Drop ICMP Destination Unreachable packets that are outbound.
ICMP6   Out     Any  Any   Any  Any   Any  Any   ICMP  Serv Unav     Drop
        Drop ICMP Service Unavailable packets that are outbound.
ICMP7   Any     Any  Any   Any  Any   Any  Any   ICMP  Any           Drop
        Drop all ICMP packets in either direction.
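A first-match evaluator for the rule tables above (HTTP/SMTP, spoofing and ICMP), added here as a Python example rather than taken from the slides or from any particular firewall product. The rule rows are transcribed from the tables; the address sets Internal, SServ, WServ and PServs are given assumed values inside 10.0.0.0/8 because the slides name them without defining them; and the ordering (spoofing and blocklist rules first, then per-protocol rules, then a cautious default of Drop) follows the "Rules for Rules" slide. The ICMP tables are represented by two rows, and the remaining rows follow the same pattern.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "Any"

# Named address sets used by the rule tables. The ranges are assumptions for this example
# (the slides name the sets but never define them); a real site substitutes its own.
ADDR_SETS = {
    "Internal": [ipaddress.ip_network("10.0.0.0/8")],
    "SServ": [ipaddress.ip_network("10.0.0.25/32")],     # the mail server
    "WServ": [ipaddress.ip_network("10.0.0.80/32")],     # the web server
    "PServs": [ipaddress.ip_network("10.0.0.0/24")],     # the protected servers
}

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "In": arrived on the external interface; "Out": on the internal one
    sip: str = ANY        # Any | a named set | "Not <set>" | "Outside" | a literal address
    sport: str = ANY      # Any | "80" | ">1023"
    dip: str = ANY
    dport: str = ANY
    opt: str = ANY        # IP option, e.g. "Source" for source-routed packets
    flag: str = ANY       # "SYN" = connection request (SYN without ACK); "ACK" = established
    proto: str = ANY      # TCP | UDP | ICMP | RIP/OSPF
    typ: str = ANY        # ICMP message type
    action: str = "Pass"

@dataclass(frozen=True)
class Packet:
    direction: str
    sip: str
    dip: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = frozenset()
    opt: str = "None"
    typ: str = "None"

def _addr_match(spec: str, ip: str) -> bool:
    if spec == ANY:
        return True
    if spec.startswith("Not "):
        return not _addr_match(spec[4:], ip)
    if spec == "Outside":                       # anything that is not an internal address
        return not _addr_match("Internal", ip)
    addr = ipaddress.ip_address(ip)
    if spec in ADDR_SETS:
        return any(addr in net for net in ADDR_SETS[spec])
    return addr == ipaddress.ip_address(spec)   # literal address, e.g. Stop1's 196.7.9.9

def _port_match(spec: str, port: Optional[int]) -> bool:
    if spec == ANY:
        return True
    if port is None:                            # ICMP and routing packets carry no port
        return False
    return port > int(spec[1:]) if spec.startswith(">") else port == int(spec)

def _flag_match(spec: str, flags: frozenset) -> bool:
    if spec == ANY:
        return True
    if spec == "SYN":                           # a fresh connection request: SYN set, ACK clear
        return "SYN" in flags and "ACK" not in flags
    return spec in flags                        # "ACK": belongs to an established connection

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (ANY, pkt.direction)
            and _addr_match(rule.sip, pkt.sip) and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dip, pkt.dip) and _port_match(rule.dport, pkt.dport)
            and rule.opt in (ANY, pkt.opt) and _flag_match(rule.flag, pkt.flags)
            and rule.proto in (ANY, pkt.proto) and rule.typ in (ANY, pkt.typ))

def decide(rules, pkt: Packet, default: str = "Drop"):
    """First match wins, so rule order is policy. Unmatched packets get the cautious default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action
    return "default", default

# Most specific (spoofing and blocklist) rules first, then per-protocol rules, as the slides advise.
RULES = [
    Rule("Source", "In", opt="Source", action="Drop"),
    Rule("Spoof1", "In", sip="Internal", action="Drop"),
    Rule("Spoof2", "Out", sip="Outside", action="Drop"),
    Rule("Spoof4", "In", proto="RIP/OSPF", action="Drop"),
    Rule("Stop1", "In", sip="196.7.9.9", action="Drop"),
    Rule("HTTP1", "Out", sport=">1023", dport="80", flag="SYN", proto="TCP"),
    Rule("HTTP2", "In", sport="80", dport=">1023", flag="ACK", proto="TCP"),
    Rule("SMTP1", "Out", sip="SServ", dport="25", flag="SYN", proto="TCP"),
    Rule("SMTP2", "In", dip="SServ", dport="25", proto="TCP"),
    Rule("SMTP3", "In", dip="Not SServ", dport="25", proto="TCP", action="Drop"),
    Rule("HTTP3", "In", dip="Not WServ", dport="80", proto="TCP", action="Drop"),
    Rule("ICMP1", "In", proto="ICMP", typ="Source Quench"),
    Rule("ICMP8", "In", proto="ICMP", typ="Echo Request", action="Drop"),
]

if __name__ == "__main__":
    syn = frozenset({"SYN"})
    print(decide(RULES, Packet("Out", "10.0.0.5", "198.34.2.1", "TCP", 4000, 80, syn)))
    print(decide(RULES, Packet("In", "198.34.2.1", "10.0.0.5", "TCP", 80, 4000, syn)))
```

The second call in the usage block shows the ACK-bit entry from the "Firewall must distinguish packets" list doing its work: an inbound packet from port 80 that carries only SYN is a new connection attempt, not "already established" traffic, so HTTP2 does not match and the packet falls through every row to the default deny. Had HTTP2 been written with Flag = Any, any outsider could reach a high port inside simply by sending from source port 80.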