Module 11. Providing Security-Enhanced Network Access to Internet
Module 11: Providing Secure Network Access to Internet Users
Overview
Identifying Potential Risks from the Internet
Using Firewalls to Protect Network Resources
Using Screened Subnets to Protect Network Resources
Securing Public Access to a Screened Subnet
To host a Web site or share resources with Internet
users, an organization must open a portion of its
network to users who exist beyond the organization's
network boundaries. Allowing Internet users into a
private network increases the threat from potential
attackers. This module provides students with the
information needed to protect private network resources
from Internet users.
At the end of this module, you will be able to:
Analyze the potential threats that are introduced when
your private network is connected to the Internet.
Design a firewall strategy for protecting your private
network resources.
Design a secure method for exposing private network
resources to the Internet.
Plan to secure public access to your screened subnet.
Identifying Potential Risks from the Internet
Common Attacks
Denial of Service Attacks
Port Scanning
To protect your private network from public network
users, you must identify the various types of threats
that may be introduced from public networks. As soon
as you expose your private network to the Internet, you
have granted network access to a potentially unlimited
number of users. Without adequate planning, an
attacker may use any of several techniques to access
confidential information or damage data network
functionality.
To better protect your private network when connected
to the Internet, you need to identify:
Risks to network security from common attacks.
Threats introduced by denial of service (DoS) attacks.
Threats introduced by port scanning.
Common Attacks
Social Engineering
Exploitation of Default Security Configurations
IP Spoofing
Exploitation of Excess Services
Exploitation of System Back Doors
Session Takeover
Common attacks include any attempt to circumvent the
security of a network by exploiting known weaknesses.
Examples of common attacks include:
Social Engineering
Exploitation of Default Security Configurations
Internet Protocol (IP) Spoofing
Exploitation of Excess Services
Exploitation of System Back Doors
Buffer Overflows
Social engineering
The attacker acquires inappropriate access privileges
by using simple deception or impersonation. For
example, the attacker telephones into an organization
and uses false names and references to impersonate a
legitimate network user.
Exploitation of default security configurations
The attacker accesses a network by exploiting default
accounts, passwords, or security configurations that
were not updated.
Internet Protocol (IP) spoofing
The attacker programmatically modifies the source
address of packets so that it appears as if the packets
originated from a trusted network or trusted computer.
Exploitation of excess services
The attacker exploits poorly monitored services.
Uninstall or disable any service that does not need to be
deployed on a specific server.
Important: Most risks associated with Microsoft®
Windows® 2000 services are identified through
Microsoft security bulletins. Descriptions of the risks
can be obtained at http://www.microsoft.com/security
Exploitation of system back doors
The attacker exploits backdoor accounts that were
configured to allow administrative access to the
network in the event that the original administrative
account became corrupted or compromised.
Periodically, audit all administrative group membership
to ensure that the old backdoor accounts have been
removed.
Buffer Overflows
The attacker can exploit buffers, which are the spaces
that programmers allocate for variables in their
programming. The attacker overwrites an application's
buffer, resulting in an overflow of code. When the
overflow occurs, it may be possible for the attacker to
execute administrative functions at the security level of
the application.
Denial of Service Attacks
Denial of Service attacks affect:
Disk Space
Bandwidth
Buffers
CPU Cycles Usage
Denial of Service (DoS) Attacks
A DoS attack is the intentional overwhelming of a
network with useless traffic, thereby preventing a
service or resource from performing as expected. DoS
attacks are not done to steal data or access resources,
but rather to disrupt network traffic. Typically, these
attacks are based on known weaknesses in the
Transmission Control Protocol/Internet Protocol
(TCP/IP) protocol suite.
By preventing services from running, a DoS attack
exploits an Internet host by overwhelming at least one
of the following private network resources:
Disk Space.
Bandwidth.
Buffers.
CPU Cycles Usage.
Installing the latest hotfixes and service packs can
prevent some DoS attacks by updating vulnerable files.
You can download the latest hotfix or service pack from
windowsupdate.microsoft.com.
Port Scanning
Port scan of a Web server, showing which ports respond:
Port 20: closed
Port 21: FTP
Port 22: closed
Port 23: closed
Port 24: closed
Port 25: SMTP
Port scanning is a method that an attacker uses to
identify the services running on a target computer. Port
scanning is not, in itself, a threat to security. The threat
is the ability to expose services with known
weaknesses. For example, if the network basic
input/output system (NetBIOS) session service is
discovered on a server, the attacker can use the nbtstat
command to determine the name of the computer,
whether the computer is hosting a server service, and
potentially, the name of the user currently logged on.
Use the following methods to minimize the risk of exposure from
port scanning:
Stop all unnecessary services on computers that are exposed to the
Internet. This will reduce the number of active ports that may be
exposed to a port scanner.
Create firewall rules (the list of packet filters defined for a firewall
interface) that only permit defined protocols to reach each protected
server. The implementation of firewall rules ensures that port
scanning will only reveal the ports that you intend to expose to the
Internet.
Use firewall rules to alert a firewall administrator when port scanning
has been attempted. You can configure a rule to send an e-mail alert
to an administrator whenever a connection to a specific port is
attempted.
Use the netstat command to display all open ports on computers
that are exposed to the Internet. Determine whether all open ports
can be identified and confirm that they do not represent
unauthorized services.
Tip: To determine what ports are used by specific
services, view the text file
systemroot\system32\drivers\etc\services, or see
http://www.iana.org/assignments/protocol-numbers,
which includes a listing of all protocol identification
numbers and well-known port numbers.
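The last two mitigations above, checking netstat output against the list of services you intend to expose and identifying ports from the services file, can be automated. The following is an added example, not part of the original module: it parses a constructed excerpt of the services file in the format described in the tip and a constructed excerpt of netstat -an output, and reports every listening port that is not on the allowlist for a server in the screened subnet. Both inputs are constructed for illustration.

```python
"""Audit listening ports against an approved-services list.

Added example (not part of the original module): parses constructed
excerpts of the services file described in the tip and of `netstat -an`
output, then reports listening ports that are not on an allowlist of
intended services. All sample data below is constructed.
"""

# Constructed excerpt in the format of systemroot\system32\drivers\etc\services
SERVICES_FILE = """\
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
ftp-data           20/tcp
ftp                21/tcp
telnet             23/tcp
smtp               25/tcp    mail
http               80/tcp    www www-http
pop3              110/tcp
netbios-ssn       139/tcp    nbsession
https             443/tcp
"""

# Constructed excerpt of `netstat -an` output on a Windows host
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    131.107.2.200:80       10.1.1.5:1342          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def parse_services(text):
    """Map (port, proto) -> service name from a services-file excerpt."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        names[(int(port), proto.lower())] = fields[0]
    return names


def parse_listening(text):
    """Return the set of (port, proto) the host is listening on.

    TCP sockets count only in LISTENING state; UDP sockets carry no state,
    so every bound UDP socket counts as exposed.
    """
    listening = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0].lower()
        port = int(fields[1].rsplit(":", 1)[1])
        if proto == "tcp" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        listening.add((port, proto))
    return listening


def audit(netstat_text, services_text, approved):
    """Return a sorted list of (port, proto, name) for listeners not in `approved`.

    `approved` is the set of (port, proto) the server is intended to expose.
    Ports absent from the services file are reported as 'unknown' so that
    they can be investigated rather than silently ignored.
    """
    names = parse_services(services_text)
    findings = []
    for port, proto in sorted(parse_listening(netstat_text)):
        if (port, proto) not in approved:
            findings.append((port, proto, names.get((port, proto), "unknown")))
    return findings


if __name__ == "__main__":
    # A Web/FTP server in the screened subnet should expose only these.
    intended = {(21, "tcp"), (80, "tcp"), (443, "tcp")}
    for port, proto, name in audit(NETSTAT_OUTPUT, SERVICES_FILE, intended):
        print(f"unexpected listener: {proto}/{port} ({name})")
```

On the constructed input the audit flags the NetBIOS session service on TCP 139, the NetBIOS name service on UDP 137 and an unidentified listener on TCP 3389, which is exactly the kind of result that should prompt the "stop all unnecessary services" step above.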
Using Firewalls to Protect Network Resources
Figure: a firewall placed between the Internet and the private network.
Protecting the Internal Network Addressing Scheme
Filtering Protocols Allowed Through a Firewall
Concealing the True IP Address of Internet Services
A firewall is a combination of hardware and software
that protects private network resources from users on
other networks. A firewall allows only specific forms of
traffic to flow in and out of the internal network, thereby
protecting the internal network from intruders on the
Internet. By implementing a firewall, you create a single
point of control from which you can secure and audit all
Internet traffic.
Firewalls provide the following services to protect the
private network from a public network, such as the
Internet:
Network address translation (NAT). Protects the internal
network addressing scheme.
Packet filters. Define the protocols that are allowed to
pass through the firewall.
Static address mapping. Conceals the true addresses of
Internet-accessible resources.
Protecting the Internal Network Addressing Scheme
Network Address Translation (figure): the firewall, with external address 131.107.2.200, translates traffic from the internal hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3.
Before NAT: source 192.168.10.1, destination 131.107.200.21
After NAT: source 131.107.2.200, destination 131.107.200.21
If an attacker determines the internal network
addressing scheme of a private network, the attacker
may be able to forge TCP/IP packets that appear to
originate from the internal side of the network. NAT
replaces the internal source address of any outgoing
packets with a common outgoing source IP address.
NAT prevents the internal network addresses from being
exposed on the Internet. When traffic from the private
network is viewed from the Internet, it appears to
originate from a single computer.
Exposing Internal Addresses
If an attacker determines the internal address space of
your network, he or she can attempt an IP spoofing
attack by sending packets to your network with a
source address from the internal network.
To prevent the exposure of internal addresses:
Avoid advertising internal addressing in Domain Name System (DNS)
resource records. When the Active Directory™ directory service is
implemented, separate DNS zones must be maintained for the
internal network and the external network. Maintaining a separate
DNS zone for the internal network prevents all Active Directory-related DNS resource records from being exposed to Internet users.
The exposure of the internal resource records would reveal where
those services are implemented on the internal network.
Use private network addressing on the private network, as described
in RFC 1918.
Always configure a firewall between the public and private networks.
Use NAT to provide a common browsing address for all internal
hosts when they access the Internet.
Concealing Internal Network Addresses Using NAT
NAT is an effective method of concealing internal
network addresses. When network traffic originating in
the internal network is destined for addresses on the
Internet, NAT replaces the original source address with
a preconfigured address for all outgoing traffic. The
computer performing the translation tracks the
replacements so that returning packets are returned to
the correct host on the internal network.
Note: The Network Address Translation (NAT) protocol,
found in the Routing and Remote Access feature,
provides network address translation in a Windows
2000 network.
Protecting the Internal Network Addressing Scheme
Internal addressing can be based on RFC 1918, which
designates specific TCP/IP addresses that have been
set aside exclusively for internal network addressing.
The address ranges include the following:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
After an address range is selected for the private network,
configure the firewall to recognize addresses on the local area
network (LAN). These internal network addresses are stored in the
firewall configuration so that the firewall recognizes IP addresses
that represent internal clients. The ability to recognize genuine
internal clients prevents IP spoofing by immediately dropping any
external packets arriving at the external interface of a firewall with a
source address from the internal network.
Note: Proxy servers can also protect the internal addressing
scheme by sending requests to the Internet on behalf of internal
clients. This process prevents exposure of internal addressing
because only the external IP address of the proxy server is
exposed.
Filtering Protocols Allowed Through a Firewall
Firewall Rules (figure): of the protocols arriving from the public network (SMTP, POP3, IMAP, FTP, Telnet), the firewall rules pass only SMTP, POP3 and IMAP through to the private network.
Firewall rules are the complete list of packet filters
defined for a firewall interface. By defining packet
filters, firewall rules enable a network administrator to
choose which protocols are allowed to pass through the
firewall. By determining exactly which protocols are
allowed to pass through the firewall, you can eliminate
the risks associated with unknown protocols passing
through the firewall. The complete list of packet filters
implemented at a firewall is commonly called the
firewall rules list.
Packet filters define characteristics of a protocol so that the
protocol used by incoming or outgoing network traffic can be
identified. A packet filter contains the following information:
Source address. The host or IP subnet address of the source host.
Source port. The port or ports that the source host is allowed to use.
Destination address. The host to which you allow access.
Destination port. The port that will be connected at the destination
address.
Transport protocol. The transport protocol used by the application-level protocol. The transport protocol will be either connection-oriented by using TCP or connectionless by using the User
Datagram Protocol (UDP).
Allow/Disallow. The field identifying whether network traffic matching
the packet filter can be allowed to pass through the firewall.
You can set packet filters for both incoming and
outgoing packets. The packet filters must define all
traffic streams that occur during a successful session.
For example, if you allow an external client to connect
to a Web server (the destination address), you must also
allow response traffic to originate from the Web server
(now the source address).
Common Filtering Strategies
Depending on the desired level of security, your
strategy for creating firewall rules will use packet filters
to allow only desired protocols or deny only undesired
protocols. There are two basic strategies for creating
firewall rules:
Specify allowed protocols and prohibit everything else.
Specify prohibited protocols and allow everything else.
Specify allowed protocols and prohibit everything else
Each protocol that is allowed to pass through the
firewall will be defined in individual packet filters. The
last filter in the firewall rules list will be a deny all filter.
Using a deny all filter is the most commonly
implemented strategy in a high-security network.
Specify prohibited protocols and allow everything else.
In lower-security networks, allowing all protocols to
enter the network—except for individually selected
protocols—allows for broader access of Internet
protocols. The last filter in the firewall rules list will be
an allow all filter.
Tip: On most firewalls, packet filters are processed in
their defined order. The firewall will either allow
undefined traffic to pass (in a specify prohibited
protocols and allow everything else configuration) or
will disallow the traffic (in a specify allowed protocols
and prohibit everything else configuration).
Using Additional Firewall Configuration
In addition to filter rule listings, firewalls have additional
security configuration options that prevent common
attacks from the Internet. These options include:
Scanning for common attacks
Configuring acceptable time-outs
Content scanning
Proxy services
Scanning for common attacks
Most firewalls can detect, prevent, and alert against
common attacks. For example, if a packet arrives at the
external interface of a firewall with a source address
from the internal network, the firewall will alert the
network administrator that IP spoofing is being
attempted.
Configuring acceptable time-outs
By defining an acceptable time-out interval, firewalls
can drop suspicious sessions and prevent certain
attacks. For example, an attacker may send a series of
TCP SYN (synchronization) packets to the firewall. The
SYN packets eventually consume the SYN queue,
preventing further connections from being opened.
Dropping the session after a certain time prevents the
buffer from filling and blocking other connections.
Content scanning
You can define the commands that will be permitted
within a protocol. For example, you can allow FTP get
commands (for downloading files from the FTP server)
while denying FTP put commands (for uploading files to
the FTP server). Defining these specific commands will
prevent an attacker from uploading excess data to the
FTP server.
Proxy services
To secure Internet access, the firewall may implement
proxy services. Clients will forward all requests to the
firewall, and the firewall will perform the requests for the
client in the private network. Channeling all Internet-bound traffic through the proxy server prevents clients
from making the requests directly to the Internet.
Concealing the True IP Address of Internet Services
Static Address Mapping (figure): a client at 131.107.2.200 connects to the advertised address 131.107.235.4 on port 80; the firewall redirects the connection to the Web server at 192.168.10.3, port 80. The other internal hosts are 192.168.10.1 and 192.168.10.2, and a router sits between the firewall and the Internet.
Whereas NAT conceals the true IP address of the source
computer, static address mapping conceals the true
addresses of the destination computer. The destination
computer is advertised on the Internet with a publicly
accessible IP address. All connection attempts are
redirected to an internal server on predefined ports.
Connection attempts to nondefined ports will not be
allowed.
Concealing the Internal Address of a Web Server
When an external client connects to the externally
advertised IP address and attempts to connect to the
designated port address, the connection is redirected to
the correct server located in the screened subnet. This
process maps the destination IP port addresses to the
addresses of the server located in the screened subnet.
Controlling Protocols Used with Specific Servers
Static address mapping allows you to control which
protocols are allowed to connect to specific servers.
Static address mapping prevents an attacker from
attempting to connect to services other than those you
intend to make available to the Internet. For example, if
you want clients to only use Hypertext Transfer Protocol
(HTTP) when connecting to your Web server, you need
to configure static address mapping so that only
connections destined for TCP port 80 will be passed to
the Web server at IP address 192.168.10.3. If an external
client attempts to connect to the IP address
131.107.235.4 by using Telnet port 23, the static address
mapping rules will prevent the connection.
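The three address-handling behaviours described in this section (dropping packets that arrive at the external interface with an internal source address, NAT of outbound traffic with a translation table so that replies reach the right internal host, and static address mapping of an advertised address to a server on predefined ports only) can be simulated together. The following is an added example, not the module's or any firewall product's code. It uses the addresses from the figures above (internal hosts 192.168.10.x, NAT address 131.107.2.200, Internet host 131.107.200.21, advertised Web server address 131.107.235.4 mapped to 192.168.10.3). The translation port numbers are constructed, and the spoofing check is generalized slightly beyond the text to also reject any RFC 1918 source arriving from the Internet.

```python
"""Firewall address handling: anti-spoofing, NAT, static address mapping.

Added example (not part of the original module). Simulates:
  - dropping packets that reach the external interface with an internal
    or RFC 1918 source address (IP spoofing check)
  - NAT rewriting outbound source addresses to the common external
    address and tracking the translation so replies return correctly
  - static address mapping of an advertised address to an internal
    server, refusing connections to ports that are not defined
NAT port numbers (40000 upward) are constructed for the simulation.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Firewall:
    def __init__(self, external_ip, internal_net, static_map):
        self.external_ip = external_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self.static_map = static_map   # (public_ip, port) -> (internal_ip, port)
        self.nat_table = {}            # (ext_port, dst, dport) -> (src, sport)
        self.next_port = 40000         # constructed starting translation port

    def is_spoofed(self, packet):
        """A packet on the external interface must not carry an internal
        (or any private, RFC 1918) source address."""
        src = ipaddress.ip_address(packet.src)
        return src in self.internal_net or any(src in n for n in RFC1918)

    def outbound(self, packet):
        """Internal -> Internet: replace the source with the NAT address and
        record the translation so the reply can be reversed."""
        key = (self.next_port, packet.dst, packet.dport)
        self.nat_table[key] = (packet.src, packet.sport)
        self.next_port += 1
        return Packet(self.external_ip, key[0], packet.dst, packet.dport, packet.proto)

    def inbound(self, packet):
        """Internet -> inside: return the translated packet, or None if dropped."""
        if self.is_spoofed(packet):
            return None                                  # IP spoofing attempt
        # Reply to a translated session: reverse the NAT entry.
        key = (packet.dport, packet.src, packet.sport)
        if packet.dst == self.external_ip and key in self.nat_table:
            src, sport = self.nat_table[key]
            return Packet(packet.src, packet.sport, src, sport, packet.proto)
        # New connection to an advertised address: only predefined ports pass.
        target = self.static_map.get((packet.dst, packet.dport))
        if target is None:
            return None                                  # non-defined port
        return Packet(packet.src, packet.sport, target[0], target[1], packet.proto)


def demo():
    fw = Firewall("131.107.2.200", "192.168.10.0/24",
                  {("131.107.235.4", 80): ("192.168.10.3", 80)})
    # 1. An internal client browses to an Internet host; the reply comes back.
    out = fw.outbound(Packet("192.168.10.1", 1025, "131.107.200.21", 80))
    reply = fw.inbound(Packet("131.107.200.21", 80, out.src, out.sport))
    # 2. An external client reaches the Web server only via HTTP (TCP 80).
    web = fw.inbound(Packet("131.107.200.21", 1100, "131.107.235.4", 80))
    telnet = fw.inbound(Packet("131.107.200.21", 1101, "131.107.235.4", 23))
    # 3. A packet claiming an internal source arrives from the Internet.
    spoof = fw.inbound(Packet("192.168.10.2", 1102, "131.107.235.4", 80))
    return out, reply, web, telnet, spoof


if __name__ == "__main__":
    for label, pkt in zip(("nat out", "nat reply", "web", "telnet", "spoof"), demo()):
        print(f"{label:>9}: {pkt if pkt else 'dropped'}")
```

Outbound traffic leaves with the single address 131.107.2.200, the reply is delivered back to 192.168.10.1, the HTTP connection is redirected to 192.168.10.3, and both the Telnet attempt and the spoofed packet are dropped without ever reaching the screened subnet.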
Using Screened Subnets to Protect Network Resources
Figure: a three-pronged firewall and a mid-ground screened subnet.
Using a Three-Pronged Firewall
Using a Mid-Ground Screened Subnet
Ensuring Availability Using Network Load Balancing
Eliminating Potential Vulnerabilities
A screened subnet (also referred to as a DMZ) consists
of the portion of the network that resides between the
Internet and the private network. To control and secure
Internet access, resources that are accessible from the
Internet are all contained within the screened subnet.
Protecting network resources with screened subnets
involves the following:
Using a three-pronged firewall
Using a mid-ground screened subnet
Ensuring availability by using Network Load Balancing
Eliminating possible vulnerabilities
Using a Three-Pronged Firewall
Figure: one firewall with interfaces to the Internet, the screened subnet, and the private network.
A three-pronged firewall consists of one firewall with
one interface assigned to the Internet, a second
interface assigned to the private network, and a third
interface assigned to the screened subnet. Traffic flows
are controlled by firewall rules that define the flow of
traffic between the three interfaces. The three-pronged
firewall protects the private network by redirecting all
Internet source traffic to the screened subnet and by not
allowing Internet traffic directly into the private network.
To implement a three-pronged firewall, the firewall
software must support multiple zone definitions. You
must establish separate zones for the Internet, the
private network, and the screened subnet. Each zone
will have a separate TCP/IP network address.
The following table lists the advantages and disadvantages
of implementing a three-pronged firewall.
Advantages:
Less cost because only one firewall computer is implemented.
Can be configured with multiple segments. Each segment can be configured with different levels of access to the internal network.
Requires only a single rule listing.
Disadvantages:
Not all firewalls support this configuration.
If the firewall is compromised, all segments of the internal network will be exposed.
The firewall can become a bottleneck because all incoming and outgoing traffic must be parsed at the firewall.
The firewall rules list can become quite complex.
Using a Mid-Ground Screened Subnet
Figure: the Internet, an external firewall, the screened subnet, an internal firewall, and the internal network.
A mid-ground screened subnet is an area of the
network, situated between two firewalls, that contains
systems that can be accessed from the Internet. One
firewall acts as a barrier between the Internet and the
screened subnet, and the second firewall acts as a
barrier between the screened subnet and the internal
network.
Note: It is possible to configure multiple mid-ground
screened subnets by adding additional zones between
the external firewall and the internal firewall, with an
additional firewall between each zone.
A mid-ground screened subnet can provide additional
security to the internal network by using firewalls from
more than one manufacturer. If the external firewall is
compromised, a hacker must use different methods and
toolsets to compromise the internal firewall before
gaining access to internal network resources.
The following table lists the advantages and
disadvantages of implementing a mid-ground screened
subnet.
Advantages:
An attacker must circumvent two firewalls to access the internal network, thereby adding "depth" to your network security.
Use of two different brands of firewalls lessens the chance of successful penetration.
Disadvantages:
Two firewalls are more expensive.
Additional configuration and administration are required.
Ensuring Availability Using Network Load Balancing
Figure: the host record www.nwtraders.msft resolves to 192.168.1.10, 192.168.1.11 and 192.168.1.12; each address is a Network Load Balancing cluster behind the external firewall.
Implementing Network Load Balancing
Implementing Round Robin DNS
Even if a server in the screened subnet is attacked or
experiences a forced failure, it is possible to reduce the
chance of an application failure. Network Load
Balancing reduces the chance of application failure by
duplicating server programs among a cluster of
computers. Network Load Balancing, a part of the
Windows 2000 Advanced Server clustering solution,
enhances the availability and scalability of Web servers,
FTP servers, streaming media servers, virtual private
network (VPN) servers, and other mission-critical
programs. High availability is critical for e-commerce
sites and other Internet businesses.
Implementing Network Load Balancing
Network Load Balancing is not a solution for every
network. Consider the following when determining
whether to implement Network Load Balancing for
resources exposed on the Internet:
Determine which applications to use with Network Load
Balancing.
Identify network risks.
Configure the Network Load Balancing Cluster.
Determine which applications to use with Network Load
Balancing.
Network Load Balancing only supports applications that
use TCP/IP as their network protocol. For proper
configuration, the application must be associated with
specific transport protocols (TCP or UDP) and specific
ports.
Identify network risks.
Deploy Network Load Balancing where you identify
single points of failure that could interrupt access to
essential network resources. If the application is
mission critical to your organization, ensure that the
application can continue to run in the event that a
component stops responding. The determination of
mission-critical applications will vary between
organizations.
Tip: In addition to Network Load Balancing, additional
measures, such as implementing redundant array of
independent disks (RAID) and assuring that backups
occur, will also protect a Web site against failure.
Configure the Network Load Balancing Cluster.
Configure a uniform address that will be assigned to all
members of the Network Load Balancing cluster and
define the load size for each server in the cluster. The
load size determines what percentage of all incoming
traffic will be sent to a specific member of the cluster.
Setting the load size allows a higher percentage of total
traffic to be directed to more powerful servers on the
cluster.
When a server in the Network Load Balancing cluster
stops responding, existing connections are not
redirected to a different member of the cluster. Only new
connections are redirected to the remaining operational
members of the cluster. Existing connections must be
restarted to connect to an alternative member of the
cluster.
Implementing Round Robin DNS
Another way of providing redundancy is through round robin DNS.
When multiple IP addresses are assigned to a single host name,
round robin DNS can assign any of the addresses when a client
requests an IP address. Although round robin DNS provides
redundancy, two issues can arise:
Round robin DNS does not provide weighting of servers (as provided
in SRV [service] resource records) to set a preference for high-end
servers. This may result in a lower-end Web server receiving as
many or more requests than a higher-end Web server.
Round robin DNS could result in a client being directed to a server
that is not available.
Note: Microsoft uses a combination of Network Load Balancing and
round robin DNS for its external Web sites. Whereas addresses for
external Web sites are issued to Web clients by using round robin
DNS, each IP address is a Network Load Balancing cluster.
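The difference between the two approaches above can be seen by simulating how requests are spread across the three addresses of www.nwtraders.msft from the figure. The following is an added example, not part of the original module and not Network Load Balancing's actual distribution algorithm: round robin DNS is modelled as a plain rotation with no knowledge of server health, and the load-size weighting of a cluster is modelled with a smooth weighted round robin as a stand-in, which is enough to show the two issues listed (no weighting toward high-end servers, and clients directed to a server that is down). Load sizes and request counts are constructed.

```python
"""Request distribution: round robin DNS versus load-size weighting.

Added example (not part of the original module). Round robin DNS hands
out the next address in rotation regardless of server capacity or
availability. The weighted distribution models the load-size setting of
a Network Load Balancing cluster; the smooth weighted round robin used
here is an illustrative stand-in, not the product's algorithm.
Load sizes and request counts are constructed.
"""
from collections import Counter

# Addresses of www.nwtraders.msft from the figure
ADDRESSES = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]


def round_robin_dns(addresses, requests, down=()):
    """Return (requests per address, requests sent to an unavailable server).

    The DNS server rotates through the addresses; it does not know which
    servers are responding, so a down server keeps receiving clients.
    """
    handed_out = Counter()
    failed = 0
    for i in range(requests):
        addr = addresses[i % len(addresses)]
        handed_out[addr] += 1
        if addr in down:
            failed += 1          # client was directed to an unavailable server
    return handed_out, failed


def load_balanced(load_size, requests, down=()):
    """Distribute new connections in proportion to each member's load size
    (percentages summing to 100), excluding members that stopped responding.

    Smooth weighted round robin: each step adds every member's weight to a
    running counter, picks the highest, and subtracts the total, so over a
    cycle each member receives exactly its share.
    """
    members = {a: w for a, w in load_size.items() if a not in down}
    total = sum(members.values())
    current = {a: 0 for a in members}
    handed_out = Counter()
    for _ in range(requests):
        for a in members:
            current[a] += members[a]
        chosen = max(current, key=current.get)
        current[chosen] -= total
        handed_out[chosen] += 1
    return handed_out


if __name__ == "__main__":
    # Constructed: .10 is the high-end server, .12 is low-end and currently down.
    weights = {"192.168.1.10": 50, "192.168.1.11": 30, "192.168.1.12": 20}
    rr, failed = round_robin_dns(ADDRESSES, 300, down=("192.168.1.12",))
    print("round robin DNS:", dict(rr), "failed connections:", failed)
    print("load-size weighted:", dict(load_balanced(weights, 300)))
    print("weighted, .12 down:", dict(load_balanced(weights, 300, down=("192.168.1.12",))))
```

With 300 requests, round robin DNS gives every address 100 regardless of capacity and sends 100 clients to the server that is down, whereas the weighted cluster splits 150/90/60 and sends nothing to a member that has stopped responding; existing connections to that member are not rescued in either model, matching the note above that only new connections are redirected.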
Protecting Source Data from Internet Users
Figure: an externally available Web server in the screened subnet, with the source Web server on the internal network.
Keep Source Content in the Internal Network.
Configure the External Firewall to Only Allow HTTP (or HTTPS) to the Web Server.
Configure the Internal Firewall to Only Allow Specific Protocols and Source Web Servers Access to the Web Server.
Eliminating Potential Vulnerabilities
Do Not Locate Domain Controllers in the Screened Subnet
Implement Aggressive Packet Filtering Rules
Stop all Non-Essential Services
Frequently Review Known Internet Threats
A screened subnet is designed to limit access to the internal network
by creating a secured segment between the public network and the
private network. By restricting external source traffic to the screened
subnet, the risk of internal network data exposure to the public
network is reduced.
Design considerations for the screened subnet must
include:
Restricting domain controller placement in the screened
subnet.
Windows 2000 implements multi-master replication of
Active Directory. If a domain controller is compromised
in the screened subnet, any changes to group
membership or user rights will be replicated to all other
domain controllers in the private network. Install
network services on stand-alone servers in the
screened subnet or on domain controllers belonging to
a separate forest. Certificate-based authentication can
be used to authenticate any transactions against Active
Directory within the private network.
Implementing aggressive packet filtering rules.
Configure the firewall to only allow authorized protocols
to pass through to the private network. The
implementation of a deny all methodology requires that
if new services are introduced into the screened subnet,
firewall rules must be modified to allow the new
protocols to pass through the firewall.
Stopping all nonessential services on computers in the
screened subnet.
If a service is not required on a computer, it needs to be
disabled to avoid introducing additional vulnerability
into the network.
Frequently reviewing known Internet threats.
The firewall administrator must review Internet security
sites for new vulnerabilities. The firewall administrator
must be aware of known vulnerabilities for the services
that are implemented in the screened subnet.
Note: Microsoft offers a free e-mail notification service
that provides information about the security of
Microsoft products so that subscribers can learn about
malicious attacks. You can subscribe to the Microsoft
Security Bulletin at www.microsoft.com/security
Securing Public Access to a Screened Subnet
Securing Traffic to an HTTP and FTP Server
Securing Traffic to a DNS Server
Securing Traffic to Microsoft Exchange Server
Securing Traffic to an Application Server
Securing PPTP Traffic to a Tunnel Server
Securing L2TP Traffic to a Tunnel Server
Securing Traffic to a Terminal Services Server
To open network services and applications to Internet users without
compromising security, you need to regulate public access to
resources within the screened subnet. Regulation involves opening
specific ports on the external and internal firewalls to define which
protocols are allowed to enter and exit the screened subnet.
Each type of server in a screened subnet requires specific firewall
rules. For example, the protocols used in connecting to a Web
server are different from the protocols used to communicate with
an FTP server. For a Web server, you would only allow HTTP or
Hypertext Transfer Protocol Secure (HTTPS) protocols to enter the
screened subnet, whereas an FTP server would require the FTP and
FTP-DATA protocol. Proper firewall configuration is essential for
maintaining functional and secure traffic into a screened subnet.
In this lesson you will learn about the following topics:
Securing traffic to an HTTP and FTP server
Securing traffic to a DNS server
Securing traffic to Microsoft Exchange Server
Securing traffic to an application server
Securing PPTP traffic to a tunnel server
Securing L2TP traffic to a tunnel server
Securing traffic to a Terminal Services server
Securing Traffic to an HTTP and FTP Server
Protocol      Source        Source Port   Destination   Destination Port
HTTP          Any           Any           Web Server    TCP 80
HTTPS         Any           Any           Web Server    TCP 443
FTP Data      Any           Any           FTP Server    TCP 20
FTP Data      FTP Server    TCP 20        Any           Any
FTP Control   Any           Any           FTP Server    TCP 21
FTP Control   FTP Server    TCP 21        Any           Any
Figure: the HTTP and FTP server sits in the screened subnet between the external firewall (Internet side) and the internal firewall.
HTTP and FTP services are two of the most common
services that an organization will make available to
Internet users. Configure your external firewall so that
only traffic to the defined ports for the HTTP and FTP
protocols is allowed to pass to the server hosting the
HTTP and FTP services.
You can configure FTP and HTTP connections to require
authentication; however, clear-text authentication
introduces the risk that someone using a common
monitoring tool, known as a sniffer, can capture
passwords. HTTPS introduces better security in that all
transmissions between the client and the Web server
are encrypted.
Configuring a Firewall to Allow FTP Transmissions
FTP requires that both a control stream and a data
stream be configured to pass through the firewall. The
control stream (TCP port 21) is used to send FTP
commands from the FTP client to the FTP server. The
data stream (TCP port 20) is used to transfer files to and
from the FTP server. Many FTP clients (known as
passive FTP clients) also require that return paths be
included in the firewall rules. The return path is required
because the FTP server initiates data transmission after
receiving the FTP command, instead of the FTP client
initiating all FTP data transmissions.
The preceding illustration depicts a set of firewall rules.
When implementing these rules, replace the FTP server
variable with the IP address of your FTP server.
Configuring a Firewall to Allow HTTP and HTTPS Transmissions
HTTP requires that any connections destined for TCP
port 80 be allowed to pass through the firewall. When
implementing HTTPS, you must also allow TCP port 443.
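The following is an added example, not part of the course material, that models the HTTP and FTP rule table above as a static packet filter and evaluates sample packets against it. The server addresses, the client address and the Rule class are constructed assumptions; the rows are transcribed from the table. The proto field also accepts a raw IP protocol number, which is how the GRE (protocol 47) and IPSec (50, 51) rows in later tables would be expressed.

```python
"""Static packet-filter model for the screened-subnet rule tables in this module.

Added example, not course material: the host addresses, the sample packets and
the Rule class are constructed to show how the HTTP/FTP rule table is evaluated,
including the two return-path rows that let the FTP server open connections
back to clients from ports 20 and 21.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a host or port field

# Constructed addresses for the servers in the screened subnet (assumptions).
WEB_SERVER = "192.168.100.10"
FTP_SERVER = "192.168.100.11"


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str             # "tcp", "udp", or a raw IP protocol number such as "47" (GRE)
    src: Optional[str]     # source host or ANY
    sport: Optional[int]   # source port or ANY (ANY for protocols without ports)
    dst: Optional[str]     # destination host or ANY
    dport: Optional[int]   # destination port or ANY

    def matches(self, proto: str, src: str, sport: Optional[int],
                dst: str, dport: Optional[int]) -> bool:
        return (self.proto == proto
                and self.src in (ANY, src)
                and self.sport in (ANY, sport)
                and self.dst in (ANY, dst)
                and self.dport in (ANY, dport))


# The slide's external-firewall table, one Rule per row, in table order.
EXTERNAL_FIREWALL = [
    Rule("HTTP", "tcp", ANY, ANY, WEB_SERVER, 80),
    Rule("HTTPS", "tcp", ANY, ANY, WEB_SERVER, 443),
    Rule("FTP Data", "tcp", ANY, ANY, FTP_SERVER, 20),
    Rule("FTP Data return", "tcp", FTP_SERVER, 20, ANY, ANY),
    Rule("FTP Control", "tcp", ANY, ANY, FTP_SERVER, 21),
    Rule("FTP Control return", "tcp", FTP_SERVER, 21, ANY, ANY),
]


def decide(rules, proto, src, sport, dst, dport) -> Optional[str]:
    """Name of the first rule that permits the packet, or None (implicit deny)."""
    for rule in rules:
        if rule.matches(proto, src, sport, dst, dport):
            return rule.name
    return None


def audit(rules, packets):
    """Evaluate (proto, src, sport, dst, dport) tuples; returns (packet, verdict) pairs."""
    return [(pkt, decide(rules, *pkt)) for pkt in packets]


if __name__ == "__main__":
    client = "203.0.113.25"  # constructed Internet client
    for pkt, verdict in audit(EXTERNAL_FIREWALL, [
        ("tcp", client, 40001, WEB_SERVER, 80),   # HTTP: allowed
        ("tcp", client, 40002, FTP_SERVER, 21),   # FTP control: allowed
        ("tcp", FTP_SERVER, 20, client, 40003),   # server-initiated data connection: allowed by the return row
        ("tcp", client, 40004, FTP_SERVER, 22),   # no rule: denied
        ("tcp", client, 40005, WEB_SERVER, 21),   # FTP rows name the FTP server only: denied
    ]):
        print(pkt, "->", verdict or "DENY")
```

The two return-path rows permit the FTP server to open a connection from port 20 or 21 to any host on any port. That is what a stateless filter needs for connections the FTP server itself initiates, but it is a broad allowance; a firewall that tracks the state of the control connection can admit the related data connection without such a standing rule.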
Note: For further configuration to secure Internet
Information Services (IIS) servers that are exposed to
the Internet, please download the Windows 2000
Internet Server Security Configuration Tool at
www.microsoft.com/technet/security/tools/locktool.asp
Securing Traffic to a DNS Server
External firewall:
Protocol   Source         Destination    Port
DNS        Any            External DNS   TCP 53
DNS        Any            External DNS   UDP 53

Internal firewall:
Protocol   Source         Destination    Port
DNS        Internal DNS   External DNS   TCP 53
DNS        Internal DNS   External DNS   UDP 53
[Diagram: Internet, external DNS server (forwarder) in the screened subnet, internal DNS server]
The DNS service is used to resolve host names and
services on both the Internet and the private network.
When designing your DNS namespace, ensure that
addresses available to the private network are not
available to any hosts on the Internet. Proper
configuration will allow DNS servers for the internal
network to interact with DNS servers for the external
network without exposing any internal network DNS
resource records.
Configuring the External DNS Server
The external DNS server will perform two functions for
the private network:
Provide resolution for any resources that can be
accessed from the Internet.
Provide resolution for any Internet resources for private
network users.
The external DNS server must be placed within the
screened subnet. The IP address that is exposed for the
external DNS server is the address that the firewall has
configured for static address mapping to the DNS
server. The actual IP address of the DNS server is not
exposed to Internet users. Firewall rules must be
configured to allow connections to the DNS server by
using both TCP 53 and UDP 53.
Configuring the Internal DNS Server
Place the internal DNS server in a physically secure
location on the private network. This DNS server will
host all necessary DNS resource records for Active
Directory and all internal network resources.
Note: If you implement Active Directory with the same
naming strategy as your Internet DNS namespace, you
will also need to create DNS resource records for
externally accessible Internet resources on the internal
DNS server. These resource records will use the internal
addresses of the externally available resources.
Configure the internal DNS server to forward all DNS
requests that it cannot resolve to the external DNS
server. This requires that you configure the internal
firewall to allow DNS requests to pass from the internal
DNS server to the external DNS server.
As shown in the preceding illustration, the filters ensure
that all internal clients use the internal DNS server for
resolution of Internet resources. The filters do not allow
internal clients to pass DNS requests through the
internal firewall. Only the internal DNS server can pass
DNS requests to the external DNS server.
Restrict zone transfers for the internal DNS server so
that only preselected DNS servers can request zone
transfers from the internal DNS server. This restriction
prevents an external DNS server or an unauthorized
internal DNS server from receiving DNS zone
information from the internal DNS server.
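The following is an added example, not part of the course, that models the split DNS design described above: a public zone on the external server, an internal zone that is never answered to the Internet, forwarding of unresolved internal queries to the external server, and a zone-transfer restriction on the internal zone. The domain names, addresses, Internet lookup results and the list of servers allowed to transfer the zone are all constructed.

```python
"""Split DNS model for the external/internal DNS design in this module.

Added example, not course material. The zone contents, addresses and the
set of servers permitted to pull zone transfers are constructed.
"""
from typing import Dict, Optional, Set

# Public zone on the external DNS server in the screened subnet: only the
# records Internet users are meant to see (constructed sample data).
EXTERNAL_ZONE: Dict[str, str] = {
    "www.example.test": "203.0.113.33",
    "mail.example.test": "203.0.113.35",
}

# Zone on the internal DNS server: Active Directory and internal hosts, plus the
# internal addresses of the public servers (the shared-namespace note above).
INTERNAL_ZONE: Dict[str, str] = {
    "dc01.example.test": "10.0.0.5",
    "sql01.example.test": "10.0.0.6",
    "www.example.test": "192.168.100.10",
    "mail.example.test": "192.168.100.12",
}

# Stand-in for what the external server's forwarder learns from the Internet (constructed).
INTERNET_RESULTS: Dict[str, str] = {"www.partner.test": "198.51.100.7"}

# Preselected servers allowed to request a transfer of the internal zone (constructed).
INTERNAL_XFER_ALLOWED: Set[str] = {"10.0.0.7"}  # e.g. a secondary internal DNS server


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def external_resolve(name: str) -> Optional[str]:
    """External DNS server: public zone, then the Internet; it never sees the internal zone."""
    name = _normalize(name)
    return EXTERNAL_ZONE.get(name) or INTERNET_RESULTS.get(name)


def internal_resolve(name: str) -> Optional[str]:
    """Internal DNS server: authoritative for the internal zone, otherwise forwards
    to the external server (the only DNS path the internal firewall permits)."""
    name = _normalize(name)
    if name in INTERNAL_ZONE:
        return INTERNAL_ZONE[name]
    return external_resolve(name)


def zone_transfer(requester_ip: str) -> Optional[Dict[str, str]]:
    """Zone transfer of the internal zone: only preselected servers get a copy;
    any other requester, internal or external, is refused (None)."""
    if requester_ip not in INTERNAL_XFER_ALLOWED:
        return None
    return dict(INTERNAL_ZONE)


if __name__ == "__main__":
    for name in ("dc01.example.test", "www.example.test", "www.partner.test"):
        print(f"{name}: internal -> {internal_resolve(name)}, external -> {external_resolve(name)}")
    print("transfer from 10.0.0.99:", zone_transfer("10.0.0.99"))
```

An Internet host asking the external server for an internal name gets nothing, while an internal client asking the internal server for the public web server gets its internal address, which is the behaviour the note on a shared Active Directory and Internet namespace calls for.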
Securing Traffic to Microsoft Exchange Server
External firewall:
Protocol   Source             Destination   Port
SMTP       Any                Mail Server   TCP 25
POP3       Any                Mail Server   TCP 110
IMAP       Any                Mail Server   TCP 143

Internal firewall:
Protocol   Source             Destination   Port
Any        Internal Network   Mail Server   Any
[Diagram: Internet, Exchange Server in the screened subnet]
Microsoft Exchange Server provides Internet and
corporate e-mail services in a Microsoft network. If an
organization uses Exchange Server for e-mail services,
the organization must determine which
e-mail services need to be implemented for both internal
and external network users.
Configuring E-Mail Access for External Users
With the Exchange Server located in the screened subnet, you may
need to enable specific services so that external users can access e-mail. The services that you may enable include:
Simple Mail Transfer Protocol (SMTP).
If SMTP (using server TCP port 25) is enabled for external users, set
additional restrictions at Exchange Server to limit the ability to relay
SMTP mail. These restrictions include:
No relaying is allowed. Only e-mail that is delivered to a mailbox
hosted on the Mail server can be sent.
Only relaying by a specific address range is allowed. You can
configure any hosts on the internal or screened subnet network to
relay e-mail by using SMTP. All other network address ranges are
disallowed.
Only authenticated users can relay e-mail. Exchange Server can be
configured to allow only authenticated users to send e-mail by using
SMTP.
Post Office Protocol version 3 (POP3).
POP3 (using server TCP port 110) allows clients to access their
Inboxes and transfer e-mail from Exchange Server to the POP3
client software.
Internet Message Access Protocol version 4 (IMAP4).
IMAP4 (using server TCP port 143) allows clients to access their
mailboxes, including sent items and public folders.
Tip: If external users want to access Exchange Server by using a
native Microsoft Outlook® client, it is best to have the client tunnel
into the network by using a VPN tunnel and then connect to
Exchange Server from the internal network. Another solution is to
use Outlook Web Access on a Web server protected by using
Secure Sockets Layer (SSL).
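The following is an added example, not Exchange Server code, showing the three SMTP relay restrictions listed above as a single decision function applied to each RCPT TO address. The local domain, the address ranges permitted to relay, and the sample client addresses are constructed.

```python
"""SMTP relay policy implementing the three relay restrictions listed above:
no relaying, relaying by address range, and relaying by authenticated users.

Added example, not Exchange Server code. The local domain, relay networks and
sample addresses are constructed.
"""
import ipaddress
from typing import List, Tuple

LOCAL_DOMAINS = {"example.test"}               # mailboxes hosted on this server (constructed)
RELAY_NETWORKS = [                             # ranges allowed to relay in "by_address" mode (constructed)
    ipaddress.ip_network("10.0.0.0/8"),        # internal network
    ipaddress.ip_network("192.168.100.0/24"),  # screened subnet
]


def is_local(recipient: str) -> bool:
    """True when the recipient's domain is hosted here: that is delivery, not relaying."""
    local_part, sep, domain = recipient.rpartition("@")
    return bool(sep) and bool(local_part) and domain.lower() in LOCAL_DOMAINS


def may_relay(client_ip: str, authenticated: bool, mode: str) -> bool:
    """Apply one relay restriction: 'none', 'by_address' or 'authenticated'."""
    if mode == "none":
        return False
    if mode == "by_address":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in RELAY_NETWORKS)
    if mode == "authenticated":
        return authenticated
    raise ValueError(f"unknown relay mode: {mode}")


def rcpt_responses(recipients: List[str], client_ip: str,
                   authenticated: bool, mode: str) -> List[Tuple[str, str]]:
    """SMTP reply for each RCPT TO address: 250 when accepted, 550 when relaying is denied."""
    out = []
    for rcpt in recipients:
        if is_local(rcpt) or may_relay(client_ip, authenticated, mode):
            out.append((rcpt, "250 OK"))
        else:
            out.append((rcpt, "550 Relaying denied"))
    return out


if __name__ == "__main__":
    session = ["alice@example.test", "bob@other.test"]
    for mode, ip, auth in (("none", "203.0.113.9", False),
                           ("by_address", "10.1.2.3", False),
                           ("authenticated", "203.0.113.9", True)):
        print(mode, ip, rcpt_responses(session, ip, auth, mode))
```

Delivery to a hosted mailbox is accepted in every mode; only the decision for non-local recipients changes, which is what distinguishes an open relay from a mail server that merely accepts its own inbound mail.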
Configuring E-Mail Access for Internal Users
In addition to SMTP, POP3, or IMAP4, internal users may
also use Microsoft Outlook to connect to Exchange
Server. To provide internal access to Exchange Server,
you must configure the internal firewall to allow any
internal clients that are using any protocol to connect to
Exchange Server.
Note: In some networks, you may want to explicitly
allow the following ports and protocols to connect to
Exchange Server: TCP 135 (RPC Location Service), TCP
137 (NetBIOS Name Service), UDP 138 (NetBIOS
Datagram Service), and TCP 139 (NetBIOS Session
Service).
Securing Traffic to an Application Server
External firewall:
Protocol   Source       Destination   Port
HTTP       Any          Web Server    TCP 80
HTTPS      Any          Web Server    TCP 443

Internal firewall:
Protocol   Source       Destination   Port
SQL Data   Web Server   SQL Server    TCP 1433
[Diagram: Internet, HTTP server in the screened subnet, SQL Server on the private network]
Application servers, such as Microsoft SQL Server™, provide large-scale database storage for applications. Confidential data stored on
the application server must not be made available to Internet users.
To protect application servers, the data stored on the application
server will be accessed:
Through Web-based front ends.
Through tunnels that extend from the Internet to the private network.
Using Terminal Services to run a limited desktop that provides access
only to the designated application.
Note: VPN tunnel and Terminal Services solutions would not be
available to the general public, but most likely to trusted partners who
have been granted limited access to the private network for the
purpose of running the application.
The implementation of a Web-based application that
connects to the application server allows for security to
be maintained when data is accessed from the
application server located on the private network. Using
a Web-based application eliminates the need for clients
to install application software for communicating with
the application server. To secure access to the data
stored on the application server, the external firewall
would be configured to only allow external clients to
connect to the Web server in the screened subnet. The
internal firewall would further restrict traffic by only
allowing the Web server to connect to the application
server in the internal network.
Configuring the External Firewall
Configure the external firewall to allow only Web-based
protocols (HTTP and HTTPS) to connect to the Web
server in the screened subnet. If authentication is
provided when accessing the application server, the use
of HTTPS will ensure that client authentication and data
transmission is encrypted.
Configuring the Internal Firewall
The internal firewall must be configured to only allow
the Web server in the screened subnet to connect to the
application server located in the private network. In the
preceding illustration, only the Web server is allowed to
connect to SQL Server on the private network. The only
connection allowed is to the SQL service (TCP 1433)
hosted by the application server.
Securing PPTP Traffic to a Tunnel Server
External firewall:
Protocol   Source          Destination     Port
PPTP       Any             Tunnel Server   TCP 1723
GRE        Any             Tunnel Server   Prot ID 47

Internal firewall:
Protocol   Source          Destination     Port
RADIUS     Tunnel Server   IAS Server      UDP 1812
SQL Data   Address Pool    SQL Server      TCP 1433
[Diagram: Internet, tunnel server in the screened subnet, IAS server and SQL Server on the private network]
In some circumstances, users will need to access
internal network data when they are not physically
connected to the internal network. To allow external
authorized users to connect to internal resources, you
can configure Routing and Remote Access to allow
clients on the Internet to tunnel into the private network.
Point-to-Point Tunneling Protocol (PPTP) allows clients
to tunnel securely across public networks to access
resources on the internal network.
Configuring the External Firewall
PPTP uses Generic Routing Encapsulation (GRE)
packets to encapsulate network traffic for transport
across the Internet. You must configure the firewall to
allow any connections to TCP 1723. If the firewall can
filter on IP protocol numbers, create a filter that
allows only protocol identifier (ID) 47 (GRE) to pass
through the firewall.
Configuring the Internal Firewall
After the client connects to the remote access server in
the screened subnet, it must be authenticated to
determine whether remote access policies allow the
connection to be created.
One method of authenticating the user is to configure
Routing and Remote Access as a Remote
Authentication Dial-In User Service (RADIUS) client and
have all authentication requests passed to an Internet
Authentication Service (IAS) server on the private
network. This configuration requires an internal firewall
rule that allows the RADIUS client to open a connection
to UDP port 1812 on the IAS server.
After the user is authenticated, firewall filters can control the level of
access to the private network based on the IP address of the dial-up
client. The client will be assigned an IP address either from a
Dynamic Host Configuration Protocol (DHCP) server or from an
address pool configured for the remote access server.
If dial-up clients will access multiple servers, configure the rules for
each accessible server. In addition, if specific protocols can be
defined, security can be increased by only allowing those specific
protocols to connect to the server in the private network.
Note: If a dial-up user requires full access to a server on the private
network, allow the dial-up client IP address pool to connect to a
specific server by using any TCP/IP port.
Securing L2TP Traffic to a Tunnel Server
Packet filters on the tunnel server's external interface:
Protocol    Source          Destination     Port
IKE         Any             Tunnel Server   UDP 500
IPSec ESP   Any             Tunnel Server   Prot ID 50
IPSec AH    Any             Tunnel Server   Prot ID 51

Internal firewall:
Protocol    Source          Destination     Port
RADIUS      Tunnel Server   IAS Server      UDP 1812
SQL Data    Address Pool    SQL Server      TCP 1433
[Diagram: Internet, tunnel server in the screened subnet, IAS server and SQL Server on the private network]
As an alternative to PPTP, clients can tunnel into a
corporate network by using Layer Two Tunneling
Protocol (L2TP) encrypted with Internet Protocol
Security (IPSec). This combination of protocols, called
L2TP/IPSec, allows a remote client to securely access
resources on the private network with a stronger level of
security and encryption than is available with PPTP.
IPSec cannot pass through a firewall that implements
NAT. NAT replaces the internal source address with a
common exterior IP address, but the TCP or UDP
checksum inside the encrypted portion of each packet
was computed over the original source address, and
the NAT device cannot update it. IPSec subsequently
drops the packets because the TCP or UDP checksum
no longer matches. As a result, an L2TP tunnel that
uses IPSec cannot pass through a firewall that
performs NAT.
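The following is an added example, not course material, that reproduces the reasoning above on a constructed UDP datagram (L2TP runs over UDP port 1701): the transport checksum is computed over a pseudo-header containing the source address, so once NAT substitutes a different source address on the outer packet, the checksum carried inside the protected payload no longer verifies. Addresses, ports and payload are constructed.

```python
"""Why NAT breaks an IPSec-protected L2TP datagram: the UDP checksum covers an
IPv4 pseudo-header that includes the original source address, and a NAT device
cannot recompute it because the datagram sits inside the encrypted ESP payload.

Added example, not course material. Addresses, ports and payload are constructed.
"""
import ipaddress
import struct

UDP_PROTO = 17
CHECKSUM_OFFSET = 6  # checksum field in the 8-byte UDP header

CLIENT_PRIVATE = "10.0.0.5"     # L2TP client behind NAT (constructed)
NAT_PUBLIC = "198.51.100.1"     # address NAT writes into the outer header (constructed)
TUNNEL_SERVER = "203.0.113.10"  # constructed


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, datagram: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header plus the datagram (checksum field zeroed)."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, UDP_PROTO, len(datagram)))
    return (~ones_complement_sum(pseudo + datagram)) & 0xFFFF


def build_datagram(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP datagram with a checksum valid for the given source and destination addresses."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    dgram = header + payload
    csum = udp_checksum(src_ip, dst_ip, dgram) or 0xFFFF  # 0 means "no checksum" in UDP
    return dgram[:CHECKSUM_OFFSET] + struct.pack("!H", csum) + dgram[CHECKSUM_OFFSET + 2:]


def checksum_valid(src_ip: str, dst_ip: str, dgram: bytes) -> bool:
    """Receiver-side verification using the addresses the receiver actually sees."""
    stored = struct.unpack("!H", dgram[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2])[0]
    if stored == 0:
        return True  # sender did not compute a checksum
    zeroed = dgram[:CHECKSUM_OFFSET] + b"\x00\x00" + dgram[CHECKSUM_OFFSET + 2:]
    return stored == (udp_checksum(src_ip, dst_ip, zeroed) or 0xFFFF)


def nat_demo():
    """Returns (valid_before_nat, valid_after_nat) for one datagram that NAT cannot fix up."""
    dgram = build_datagram(CLIENT_PRIVATE, TUNNEL_SERVER, 40000, 1701, b"constructed L2TP control message")
    before = checksum_valid(CLIENT_PRIVATE, TUNNEL_SERVER, dgram)
    # NAT rewrites the outer source address; the datagram, inside ESP, is unchanged.
    after = checksum_valid(NAT_PUBLIC, TUNNEL_SERVER, dgram)
    return before, after


if __name__ == "__main__":
    before, after = nat_demo()
    print("checksum valid before NAT:", before)
    print("checksum valid after NAT: ", after)
```

The receiver recomputes the checksum with the source address it sees, which after NAT is the exterior address; the stored checksum was computed with the private address, so the datagram fails verification and is discarded, exactly the failure the paragraph above describes.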
Note: Only Windows 2000 provides an L2TP client for
client computer systems. Only PPTP can be used with
Microsoft Windows 95, Microsoft Windows 98, and
Microsoft Windows NT® version 4.0-based clients
(unless third-party IPSec clients are loaded).
Configuring the Tunnel Server
The tunnel server must have two network interfaces:
one to connect to the Internet and one to connect to the
screened subnet. Configure the external interface to
only allow IPSec traffic into the screened subnet. To
restrict traffic from the Internet to only IPSec traffic, add
packet filters on the external network interface that only
allow Internet Key Exchange (IKE) by using UDP port
500, IPSec Encapsulating Security Payload (ESP)
packets by using protocol ID 50, and IPSec
Authentication Header (AH) packets by using protocol
ID 51.
After the packets are received at the external interface
of the tunnel server, the packets are decrypted at the
tunnel server and transmitted to the screened subnet by
using the internal interface of the tunnel server.
Note: Although all L2TP communications are sent to
UDP port 1701, there is no need to open this port on the
firewall. The port information is encrypted within the
ESP payload and is not decrypted until it has already
entered the tunnel server.
Configuring the Internal Firewall
After a client has authenticated with the remote access
server within the screened subnet, configure the
internal firewall to limit access to specific servers by
using specific protocols.
In the preceding illustration, the internal firewall rules
are configured to only allow RADIUS authentication and
access to SQL Server. If additional servers were made
accessible, you could expand the firewall rules to
include all servers to which any dial-up clients would be
granted access. These rules would include the exact
servers and ports that dial-up clients would be allowed
to access through the firewall.
Securing Traffic to a Terminal Services Server
External firewall:
Protocol        Source            Destination             Port
MS-WBT-SERVER   Any               Terminal Server         TCP 3389
MS-WBT-SERVER   Any               Terminal Server         UDP 3389

Internal firewall:
Protocol        Source            Destination             Port
SQL Data        Terminal Server   SQL Server              TCP 1433
Any             Terminal Server   Domain Controller/DNS   Any
[Diagram: Internet, Terminal server in the screened subnet, SQL Server and domain controller/DNS on the private network]
Installing Terminal Services on Windows 2000 Server
allows external Terminal Services clients to connect to a
Windows 2000-based desktop that is run in the memory
space of a Windows 2000-based computer. The Terminal
server provides security by encrypting data
transmissions between the remote client and the
Terminal server. For additional security, the remote
client can be restricted to running only a single desired
application on the Terminal server, rather than the
standard Windows 2000 desktop. To provide access to
the internal network by using a Terminal server, you
must configure the external and internal firewalls.
Configuring the External Firewall
The external firewall must be configured to allow the
MS-WBT-SERVER protocol (TCP 3389) to pass through
to the Terminal server. The MS-WBT-SERVER protocol
will transmit mouse and keyboard input from the remote
client to the Terminal server, and screen information
from the Terminal server to the remote client.
Note: If your organization uses Citrix MetaFrame 1.8 to
provide more features for Terminal Services, you will
need to allow external clients to use the Independent
Computing Architecture (ICA) protocol (TCP port 1494)
to connect to the Terminal server.
Configuring the Internal Firewall
The Terminal server must connect to a domain controller on the
internal network to authenticate the Terminal Services user (if the
user is using an internal Active Directory user account). For the
Terminal server to find the domain controller, you must define a
firewall rule to allow the Terminal server to query the internal DNS
server. The Terminal server must be configured to use the internal
DNS server as its primary DNS server, and it must have access to the
Active Directory-related SRV resource records to find internal
resources. To authenticate with the domain controller, a firewall rule
must be defined to allow the Terminal server to connect to a specific
domain controller by using any protocol.
Note: If the DNS server is located on a separate computer on the
internal network, configure the firewall rules to allow the Terminal
server to connect to the DNS server only by using TCP 53 or UDP 53.
After the user is authenticated, firewall rules can control
the level of access to the private network based on the
IP address of the Terminal server. If Terminal Services
clients will access multiple servers, configure the rules
for each server to be accessed. In addition, if specific
protocols can be defined, only allowing those specific
protocols to connect to the server in the private network
can increase security.
In the preceding illustration, firewall rules have been
configured to allow the Terminal server to connect to
SQL Server by using the SQL Data protocol (TCP 1433).
No other protocols are allowed.
Lab A: Designing a Screened Subnet
Objectives
After completing this lab, you will be able to:
Determine the IP filters that must be applied at internal
and external firewalls.
Determine server placement when exposing resources
to the Internet.
Design DNS namespace for use on the Internet.
Prerequisites
Before working on this lab, you must have:
Knowledge of screened subnet configurations.
Knowledge of firewall filter rules.
Scenario
Rogue Cellars is a small, but well-funded, Vancouver-based firm that
recently purchased Northwind Traders in an effort to expand its
customer base. Northwind Traders previously subcontracted the hosting
of its Web site to a local Internet service provider (ISP). With the
recent takeover, the decision has been made to move all
Internet-located services to the head office of Northwind Traders in
Denver.
In this lab, you will design a screened subnet that will
ensure that all Web services are publicly available yet
maintain the security of the internal network.
Exercise 1: Analyzing the Current Network
In this exercise, you will analyze the current network
infrastructure to determine the changes that must be
made to move the Internet services from the local ISP to
the Northwind Traders network.
Scenario
The current network infrastructure is shown in the
following network diagram.
Northwind Traders must move the following servers from its ISP's
network to the local network:
Web server. This server hosts the catalog Web site to which clients
connect for ordering information. All data is currently stored in a local
Microsoft Access database, but the plan is to store all data in a local
SQL database after the Web server is migrated to the local network.
FTP server. Remote staff members use this server for transferring
large data files. Files are uploaded and downloaded from a public
directory. Accounts have been created for each member of the remote
staff to ensure that only authorized users can access the confidential
data.
Mail server. The ISP's Mail server hosted all of Northwind Traders's
Internet e-mail. Northwind Traders wants to host its e-mail system by
using Exchange Server.
In addition, Northwind Traders would like to connect the Vancouver
office to the corporate network by using a VPN. The IP address of the
VPN server in Vancouver is 131.107.1.100.
Exercise 2: Designing the Exterior Firewall Configuration
In this exercise, you will investigate the configuration that must
occur at the exterior firewall to allow secure access to
Internet-accessible resources.
Scenario
On the basis of a network consultant's report, the Northwind Traders
network infrastructure has evolved to include a screened subnet for
Internet-accessible resources. The current configuration is shown in
the following diagram.
The ISP has provided Northwind Traders with the
following range of Internet addresses for use on the
public network:
131.107.200.33 - 131.107.200.62
The following table lists DNS entries that have been
defined for the external network.
Host name               Type   IP address or value
www.nwtraders.msft      A      131.107.200.33
ftp.nwtraders.msft      A      131.107.200.34
mail.nwtraders.msft     A      131.107.200.35
vpn.nwtraders.msft      A      131.107.200.36
nwtraders.msft          MX     mail.nwtraders.msft
client.nwtraders.msft   A      131.107.200.62
The external firewall must allow PPTP packets from the
Vancouver branch office to enter the screened subnet.
The IP address of the Vancouver VPN server is
131.107.1.100.
Criteria
You must define the necessary static address
mappings, NAT, and firewall filters necessary to ensure
that only approved traffic is able to enter the screened
subnet from the Internet.
Exercise 3: Designing the Interior Firewall Configuration
In this exercise, you will configure the internal firewall to limit
communications between the screened subnet and the internal network to
allow only required communications.
Scenario
The external firewall has been configured to implement
security between the screened subnet and the Internet.
The internal firewall must now be configured to provide
further security between the screened subnet and the
internal network.
Criteria
Now that the external firewall has been configured, the internal
firewall must be configured to allow the following communications:
The VPN server will authenticate users by using the RADIUS
protocol to communicate with the IAS server on the internal
network.
Connections will be audited by using RADIUS accounting.
VPN clients will be assigned addresses from 192.168.0.100 to
192.168.0.200.
VPN clients will require access to all computers on the internal
network.
The Web server will host an SSL-protected, ASP page-based
application that will now store data on the internal SQL Server.
Internal e-mail clients will connect to the Mail server by using only
POP3 clients. They will not use Outlook clients at this time.
Clients from the internal network will be required to connect to the
FTP server to collect large files left by remote agents.
Review
Identifying Potential Risks from the Internet
Using Firewalls to Protect Network Resources
Using Screened Subnets to Protect Network Resources
Securing Public Access to a Screened Subnet