Transcript Firewalls

Mr. Mark Welton




Firewalls are devices that control which traffic is
allowed to enter or leave a network, according to a policy
Firewalls are often used between networks, or
when a network connects to another network,
such as the Internet or business partners
Firewalls can be standalone appliances,
software, or integrated modules in other
devices
VPN services are often also supported on
firewalls

Basic Security Practices:
◦ Keep it simple
◦ Monitor your logs
◦ Deny everything
◦ Everything not mine is firewalled


Keep it simple – make security rules easy to
read and understand, use naming
conventions over numbering schemes
Monitor your logs – log all firewall activity
to a separate syslog server, and review the
logs as part of your normal daily routine

Deny everything – best practice: nothing
should be allowed inbound unless there is a
valid, documented business need for it.
Restricting outbound traffic is also the
smart thing to do, but it often comes with
a heated debate of convenience versus
security. Many firewalls default to
allowing everything outbound.

Everything not mine is firewalled – any
third-party devices or networks should be
separated from your network by a firewall


DMZ (Demilitarized Zone) is a network that
is neither inside nor outside the firewall:
a middle-ground network that is less
restrictive than the inside network but more
secure than the outside network

Common DMZ Scenario



Inside Network - can initiate connections to
any other network, but no other network
can initiate connections to it
Outside network - The outside network
cannot initiate connections to the inside
network but can initiate connections to the
DMZ
DMZ - The DMZ can initiate connections to
the outside network, but not to the inside
network. Any other network can initiate
connections into the DMZ



One of the main benefits of this type of
design is isolation
Should the email server come under attack
and become compromised, the attacker will
not have access to the users on the inside
network
Servers in a DMZ should be locked down
with security measures as if they were on
the Internet

Understanding how each service works will
help you to understand how the firewall
should be configured

Email server - SMTP, POP3, and IMAP (TCP
ports 25, 110, and 143) should be allowed.
All other ports should not be permitted
from the Internet. Note that POP3 and IMAP
on 110 and 143 carry credentials in the clear;
if users pick up mail from the Internet, prefer
the TLS variants on TCP 995 and 993 and close
the cleartext ports

Web server - HTTP and HTTPS (TCP ports
80 and 443) should be allowed. All other
ports should be denied from the Internet

DNS server - Only DNS (UDP port 53, and,
possibly, TCP port 53, which is needed for zone
transfers and for answers too large for a single
UDP datagram) should be allowed from the
Internet. All other ports should be denied.


Ideally, only the protocols needed to
manage and maintain the servers should be
allowed from the managing hosts inside to
the DMZ
Traffic should not be allowed from the DMZ
to the inside network

Another common DMZ implementation
involves connectivity to a third party, such
as a vendor or supplier



Access Control Lists (ACLs) are made up of
individual entries called access control entries
(ACEs)
Wildcard masks (also called inverse masks)
are used on many devices for writing access
lists
A wildcard mask matches the same range of
addresses that a subnet mask describes, but
with the bits inverted: a 0 bit means "this bit
must match" and a 1 bit means "don't care"
(typically used on routers)

A simple rule for classful subnet masks is:
◦ If an octet of the subnet mask is 0, replace it with 255
◦ If an octet of the subnet mask is 255, replace it with 0




Subnet mask       Matching wildcard mask
255.0.0.0         0.255.255.255
255.255.0.0       0.0.255.255
255.255.255.0     0.0.0.255




What if it is not a classful subnet mask, such as
255.255.255.224?
The wildcard octet is the number of addresses
in the block (the host portion of the mask)
minus one
So how many addresses are in this subnet?

255.255.255.224
Last octet is 11100000
So what power of two represents the number of
addresses?

255.255.255.224 or /27
The last 5 bits are host bits, so the block holds
2^5 = 32 addresses
32 - 1 = 31
So the wildcard mask is 0.0.0.31

Bit value:   2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
             128   64   32   16    8    4    2    1
Mask octet:    1    1    1    0    0    0    0    0   = 224

The same answer comes from subtracting each octet
of the subnet mask from 255 (255 - 224 = 31), which
works for any contiguous mask

What would the wildcard mask be for
255.240.0.0?

1. Replace all 0 octets with 255 and all 255
octets with 0
◦ 0.240.255.255

2. 240 as a mask octet is 11110000, leaving 4
host bits, so it covers 2^4 = 16 addresses
(255.255.255.240 would be a 16-address subnet)
16 − 1 = 15
The wildcard mask is 0.15.255.255
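The conversions above, and the way a router actually applies an address/wildcard pair to a packet, as an added example (this code is not part of the lecture; it uses only the Python standard library). It generalizes the slide's rule to any octet by computing 255 - octet, and the matching function also handles non-contiguous wildcards such as 0.0.0.254, which the slides do not cover.

```python
import ipaddress

MAX32 = 0xFFFFFFFF


def mask_to_wildcard(mask: str) -> str:
    """Turn a dotted-decimal subnet mask into the matching wildcard mask.

    Each octet becomes 255 - octet. For 255 or 0 this is the slide's swap
    rule; for octets such as 224 or 240 it equals "block size minus one".
    ipaddress rejects masks whose ones are not contiguous (e.g. 255.0.255.0)
    by raising NetmaskValueError, a subclass of ValueError.
    """
    ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def wildcard_to_mask(wildcard: str) -> str:
    """Inverse of mask_to_wildcard (the operation is its own inverse)."""
    return ".".join(str(255 - int(o)) for o in wildcard.split("."))


def prefix_to_wildcard(prefix_len: int) -> str:
    """CIDR length to wildcard, e.g. 27 -> 0.0.0.31."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}")
    return mask_to_wildcard(str(net.netmask))


def block_size(mask: str) -> int:
    """Number of addresses the mask covers (2 ** host_bits); 32 for /27."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").num_addresses


def ace_matches(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Evaluate one ACE address/wildcard pair the way a router does.

    A 0 bit in the wildcard means "this bit must match", a 1 bit means
    "don't care", so the test is a bitwise compare under ~wildcard.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(ace_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & MAX32
    return (a & care) == (b & care)


if __name__ == "__main__":
    for m in ("255.255.255.0", "255.255.255.224", "255.240.0.0"):
        print(f"{m:16} -> {mask_to_wildcard(m):16} ({block_size(m)} addresses)")
    print(ace_matches("10.10.10.40", "10.10.10.32", "0.0.0.31"))
```

`ace_matches` is the check to reach for when an ACL "should" match but does not: feed it the packet address and the ACE exactly as configured, and a wrong wildcard octet shows up immediately.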


So on a Cisco IOS router this is what an
access control entry would look like to allow
web traffic to the subnet 10.10.10.0/24:
permit tcp any 10.10.10.0 0.0.0.255 eq www

To make it more confusing, this is what a
Cisco ASA (firewall) ACE would look like for
the same network; the ASA takes a normal
subnet mask, not a wildcard:
access-list GAD extended permit tcp any 10.10.10.0 255.255.255.0 eq www

Some equipment, like NX-OS, uses CIDR notation
(the leading 10 is the entry's sequence number):
10 permit tcp any 10.10.10.0/24 eq www

So where should we apply the ACL?




ACLs can be applied to an interface in either
the inbound or the outbound direction
Inbound traffic is referred to as ingress
Outbound traffic is referred to as egress
In almost all cases you will place the ACL on
the inbound of the interface (coming into the
device)

If you placed the ACL outbound on E0, the
router would have to route the packet first
and only then drop it based on the ACL
ACLs are applied "top down"
◦ Unlike routes, which are selected by the most
specific match, ACLs are evaluated first match:
the first ACE that matches decides, and nothing
after it is consulted
◦ Every Cisco ACL also ends with an implicit deny,
so a packet that matches no ACE is dropped
◦ This can cause the concept of hidden rules
ip access-list extended GAD
 permit tcp any 10.10.10.0 0.0.0.255 eq www
 permit tcp any host 10.10.10.100 eq www
 permit tcp any host 10.10.10.100 eq domain
◦ The second rule will be "hidden" by the first:
every packet it would permit has already matched
the /24 entry, so it never fires
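The hidden-rule problem is easy to check mechanically. The following is an added example, not part of the lecture: a small parser for IOS-style extended ACEs (action, protocol, source, destination, optional `eq` port on either side) that reports entries shadowed by an earlier, broader entry, and a first-match evaluator that falls through to the implicit deny. The `PORT_NAMES` table is a constructed subset of the keywords IOS accepts after `eq`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX32 = 0xFFFFFFFF
# Constructed subset of the port keywords IOS accepts after "eq"
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "smtp": 25,
              "pop3": 110, "imap": 143, "ssh": 22}


@dataclass(frozen=True)
class AddrSpec:
    addr: int   # address bits, already masked with `care`
    care: int   # bits that must match (the inverse of the wildcard)

    def covers(self, other: "AddrSpec") -> bool:
        """True if every address `other` can match is also matched by self."""
        return ((self.care & ~other.care) == 0
                and (self.addr & self.care) == (other.addr & self.care))


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]
    text: str


def _addr(tokens, i):
    t = tokens[i]
    if t == "any":
        return AddrSpec(0, 0), i + 1
    if t == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[i + 1])), MAX32), i + 2
    care = ~int(ipaddress.IPv4Address(tokens[i + 1])) & MAX32   # wildcard form
    return AddrSpec(int(ipaddress.IPv4Address(t)) & care, care), i + 2


def _port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text: str) -> list:
    """Parse lines of the form: action proto src [eq p] dst [eq p]."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                      # skips the "ip access-list" header
        src, i = _addr(tokens, 2)
        sport, i = _port(tokens, i)
        dst, i = _addr(tokens, i)
        dport, i = _port(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, sport, dst, dport, line.strip()))
    return aces


def covers(earlier: Ace, later: Ace) -> bool:
    """True if every packet `later` could match is already matched by `earlier`."""
    return ((earlier.proto == "ip" or earlier.proto == later.proto)
            and earlier.src.covers(later.src)
            and (earlier.sport is None or earlier.sport == later.sport)
            and earlier.dst.covers(later.dst)
            and (earlier.dport is None or earlier.dport == later.dport))


def shadowed_entries(aces) -> list:
    """(hidden ACE, ACE that hides it) pairs under first-match evaluation."""
    found = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if covers(earlier, later):
                found.append((later.text, earlier.text))
                break
    return found


def first_match(aces, proto, src, sport, dst, dport):
    """Evaluate one packet top-down; fall through to the implicit deny."""
    pkt = Ace("?", proto,
              AddrSpec(int(ipaddress.IPv4Address(src)), MAX32), sport,
              AddrSpec(int(ipaddress.IPv4Address(dst)), MAX32), dport, "")
    for ace in aces:
        if covers(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


# Constructed input: the three entries from the slide
GAD = """ip access-list extended GAD
 permit tcp any 10.10.10.0 0.0.0.255 eq www
 permit tcp any host 10.10.10.100 eq www
 permit tcp any host 10.10.10.100 eq domain
"""

if __name__ == "__main__":
    acl = parse_acl(GAD)
    for hidden, by in shadowed_entries(acl):
        print(f"hidden: {hidden}\n    by: {by}")
    print(first_match(acl, "tcp", "192.0.2.1", 40000, "10.10.10.100", 22))
```

Shadow detection is conservative: it only flags an entry when a single earlier entry covers it completely, which is exactly the case where the later ACE can never match.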




Most devices allow objects to be “grouped”
under a single name
Object groups collect networks, IP addresses,
protocols, or services under one name
That name can then be referenced in a single
ACE instead of writing multiple entries



Routers typically do stateless packet filtering
with ACLs
As the ACLs get more complex across multiple
interfaces, ACEs will need to be written to allow
the traffic in and then allow the return packets
to go back
These rules can become hard to manage


Protocols like HTTP are not handled in a
single packet
A request (and, with TCP, the handshake) is sent
over several packets, then a reply is returned

Routers can use the concept of reflexive
access lists to create temporary permit
statements that are a reflection of the original
communication



Firewalls use stateful inspection
Firewalls track each connection as a flow of
data
An ACL on the inside interface allowing HTTP
will also allow the return traffic, because the
firewall saw the client's request first and
recorded the connection
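The difference between the stateless return-traffic ACE of the previous slides and stateful inspection, as an added example not taken from the lecture. It runs a constructed packet sequence (a normal web session plus two probes from the outside) through a stateless filter that relies on a "permit tcp any eq www any" style return rule, and through a stateful firewall that only admits inbound packets that mirror a connection opened from the inside. Addresses and ports are made up for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" = leaving the inside network, "in" = from outside
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


class StatelessFilter:
    """Router-style packet filter: each packet is judged on its own header.

    To let replies back in, the administrator has to add a second ACE
    such as 'permit tcp any eq www any'. That entry cannot distinguish a
    reply from an unsolicited packet that merely uses source port 80.
    """

    def __init__(self, allowed_dports):
        self.allowed = set(allowed_dports)

    def decide(self, p: Packet) -> bool:
        if p.direction == "out":
            return p.dport in self.allowed
        return p.sport in self.allowed          # the "return traffic" ACE


class StatefulFirewall:
    """Stateful inspection: inbound packets pass only if they belong to a
    flow that was previously opened (SYN) from the inside."""

    def __init__(self, allowed_dports):
        self.allowed = set(allowed_dports)
        self.flows = set()        # 5-tuples of inside-initiated connections

    def decide(self, p: Packet) -> bool:
        if p.direction == "out":
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            if key in self.flows:
                return True                     # later packets of a known flow
            if p.dport in self.allowed and "SYN" in p.flags:
                self.flows.add(key)             # new connection from the inside
                return True
            return False
        mirror = (p.proto, p.dst, p.dport, p.src, p.sport)
        return mirror in self.flows             # inbound must mirror a tracked flow


def run(fw, packets):
    """Return the permit (True) / deny (False) decision for each packet."""
    return [fw.decide(p) for p in packets]


# Constructed traffic: one legitimate web session, then two probes from outside
TRAFFIC = [
    Packet("out", "tcp", "10.1.1.1", 40000, "203.0.113.5", 80, frozenset({"SYN"})),
    Packet("in", "tcp", "203.0.113.5", 80, "10.1.1.1", 40000, frozenset({"SYN", "ACK"})),
    # unsolicited, but crafted with source port 80
    Packet("in", "tcp", "198.51.100.9", 80, "10.1.1.1", 40000, frozenset({"SYN"})),
    Packet("in", "tcp", "198.51.100.9", 50000, "10.1.1.1", 22, frozenset({"SYN"})),
]

if __name__ == "__main__":
    print("stateless:", run(StatelessFilter([80, 443]), TRAFFIC))
    print("stateful: ", run(StatefulFirewall([80, 443]), TRAFFIC))
```

The third packet is the one that matters: the stateless return rule lets it in because it looks like a web reply, while the stateful firewall drops it because no inside host ever opened a connection to 198.51.100.9.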

Network Address Translation (NAT)

Motivation: the local network uses just one IP address
as far as the outside world is concerned:
◦ a range of addresses is not needed from the ISP: just one IP
address for all devices
◦ addresses of devices in the local network can be changed
without notifying the outside world
◦ the ISP can be changed without changing the addresses of
devices in the local network
◦ devices inside the local net are not directly addressable or
visible to the outside world (often cited as a security plus,
though it is no substitute for a firewall policy)

Why use NAT?
◦ You need to connect a network to the Internet and
your hosts do not have globally unique IP addresses
◦ You change over to a new ISP that requires you to
renumber your network
◦ Two intranets with duplicate addresses are now
connected

Two types of NAT translation
◦ Static translation occurs when you specifically
configure addresses in a lookup table
 A specific inside address maps to a
prespecified outside address
 Also called one-for-one mapping
◦ Dynamic translation occurs when the NAT border
router is configured to understand which inside
addresses must be translated, and which pool of
addresses may be used for the outside addresses


In static NAT the device will always translate
to the same external address
Most common use is for NAT servers running
services to the Internet


In dynamic NAT the device will use an IP
address from the pool of addresses that is
not currently in use
What happens if all the addresses in the pool
are in use? No translation can be created, so
new connections from untranslated hosts are
dropped until an existing translation times out
(unless the pool is overloaded, see PAT below)




NAT conserves globally registered (public)
address space by letting intranets use private
addresses, while pools of public addresses are
set up to gain access to the Internet.
NAT also reduces the instances in which
addressing schemes overlap. If a scheme was
originally set up within a private network, then
the network was connected to the public network
(which may use the same addressing scheme)
without address translation, the potential for
overlap exists globally.


NAT increases the flexibility of connection to the
public network. Multiple pools, backup pools,
and load sharing/balancing pools can be
implemented to help ensure reliable public
network connections. Network design is also
simplified as planners have more flexibility when
creating an address plan.
Deprivatization of a network requires
renumbering of the existing network; the costs
can be associated to the number of hosts that
require conversion to the new addressing
scheme. NAT allows the existing scheme to
remain, and still supports the new assigned
addressing scheme outside the private network.

NAT increases delay
◦ Switching path delays are introduced because
each IP address within the packet headers has to
be translated
◦ Performance may be a consideration because NAT
has traditionally been done in the slower,
process-switched path
◦ The CPU must look at every packet to decide if it
has to translate it, and then alter the IP header,
possibly the TCP header, and recompute the checksums
◦ This per-packet work is not easily cacheable.




One significant disadvantage when implementing
and using NAT is the loss of end-to-end IP
traceability
It becomes much harder to trace packets that
undergo numerous address changes over
multiple NAT hops
This scenario does, however, lead to more secure
links because hackers who want to determine a
packet's source will find it difficult, if not
impossible, to trace or obtain the originating
source or destination address
This cuts both ways: when you investigate an
incident you have the same problem, and can only
recover the original inside address if the NAT
device's translation logs are kept



NAT also breaks some applications that carry IP
addresses in their payload, because it hides
end-to-end IP addresses
Applications that exchange literal IP addresses
instead of a fully qualified domain name (classic
examples are active-mode FTP and SIP) will not
reach destinations that are translated across
the NAT router unless the device understands
the protocol
Sometimes this problem can be avoided by
implementing static NAT mappings

Dynamic NAT walk-through: a user at host 10.1.1.1
opens a connection to outside host B.

1. The first packet that the border router receives
from host 10.1.1.1 causes the router to check its
NAT table. If a translation is found because it has
been statically configured, the router continues
to Step 3.
2. If no translation is found, the router determines
that address 10.1.1.1 must be translated. The
router allocates a new address and sets up a
translation of the inside local address 10.1.1.1 to
a legal inside global address from the dynamic
address pool.
3. The border router replaces 10.1.1.1's inside
local IP address with the selected inside
global address, 192.168.2.2, and forwards
the packet.
4. Host B receives the packet and responds to
that node using the inside global IP address
192.168.2.2.
5. When the border router receives the packet
with the inside global IP address, the router
performs a NAT table lookup using the inside
global address as the reference. The router then
translates the address to 10.1.1.1's inside local
address and forwards the packet to 10.1.1.1.
Host 10.1.1.1 receives the packet and continues
the conversation.

For each subsequent packet, the router performs
Steps 2 through 5.




Port Address Translation (PAT) allows a
single Internet IP address to be shared by a
large number of internal hosts
This is done by using both the source and
destination IP address and the source and
destination port to distinguish translations
PAT is considered a subset of NAT
Some vendors refer to this as overloading

PAT walk-through: a user at host 10.1.1.1 opens a
connection to host B.

1. The first packet the router receives from
10.1.1.1 causes the router to check its NAT
table.
2. If no translation is found, the router
determines that address 10.1.1.1 must be
translated. The router allocates a new address
and sets up a translation of the inside local
address 10.1.1.1 to a legal inside global address.
If another inside host already uses that global
address, the router reuses it and also records
the source and destination port numbers, so that
this entry can be distinguished from the other
translation entry.
3. The router replaces 10.1.1.1's inside local IP
address with the selected inside global
address, 192.168.2.2, and forwards the
packet.
4. Outside host B receives the packet and
responds to that node using the inside global
IP address 192.168.2.2.
5. When the router receives the packet with the
inside global IP address, the router performs
a NAT table lookup using the inside global
address and port number, and the outside
address and port number, as the references.
The router then translates the address to
10.1.1.1's inside local address and forwards
the packet to 10.1.1.1. Host 10.1.1.1 receives
the packet and continues the conversation.

For each subsequent packet, the router performs
Steps 2 through 5.
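Both walk-throughs (the dynamic NAT steps and the PAT steps above), plus the earlier question of what happens when the dynamic pool runs out, as one added example. This is not code from the lecture: it is a toy border router that keeps a translation table, rewrites the addresses of outbound packets, maps replies back, and drops anything it has no entry for. The choice to keep the original source port when it is free and otherwise allocate upward from 1024 is an assumption made for the example; the global address 192.168.2.2 and host addresses are the ones used on the slides, the outside host address is made up.

```python
import itertools


class NatRouter:
    """Toy border router for the dynamic NAT and PAT walk-throughs.

    overload=False: dynamic NAT, one pool address per inside host.
    overload=True : PAT (overloading), every host shares pool[0] and the
                    router tells translations apart by port numbers.
    `static` maps inside local -> inside global one-for-one.
    """

    def __init__(self, pool, overload=False, static=None):
        self.pool = list(pool)
        self.overload = overload
        self.static = dict(static or {})
        self.dynamic = {}      # inside local -> inside global (dynamic NAT)
        self.pat = {}          # (local, lport, outside, oport) -> global port
        self.pat_rev = {}      # (global port, outside, oport) -> (local, lport)
        self._ports = itertools.count(1024)   # assumption: allocate upward from 1024

    def outbound(self, local, lport, outside, oport):
        """Steps 1-3: translate a packet leaving the inside network.
        Returns the rewritten (src, sport, dst, dport), or None if dropped."""
        if local in self.static:                        # static entry found
            return (self.static[local], lport, outside, oport)
        if not self.overload:
            gaddr = self.dynamic.get(local)
            if gaddr is None:                           # no translation yet
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    return None     # pool exhausted: no translation, packet dropped
                gaddr = free[0]
                self.dynamic[local] = gaddr
            return (gaddr, lport, outside, oport)
        key = (local, lport, outside, oport)
        if key not in self.pat:
            gport = lport           # keep the source port if nobody else uses it
            while (gport, outside, oport) in self.pat_rev:
                gport = next(self._ports)
            self.pat[key] = gport
            self.pat_rev[(gport, outside, oport)] = (local, lport)
        return (self.pool[0], self.pat[key], outside, oport)

    def inbound(self, outside, oport, gaddr, gport):
        """Steps 4-5: map a reply sent to an inside global address back to
        the inside local address. Returns None if no translation exists."""
        for local, g in self.static.items():
            if g == gaddr:
                return (outside, oport, local, gport)
        if not self.overload:
            for local, g in self.dynamic.items():
                if g == gaddr:
                    return (outside, oport, local, gport)
            return None
        if gaddr != self.pool[0]:
            return None
        entry = self.pat_rev.get((gport, outside, oport))
        if entry is None:
            return None                 # unsolicited: nothing to translate to
        local, lport = entry
        return (outside, oport, local, lport)


if __name__ == "__main__":
    pat = NatRouter(pool=["192.168.2.2"], overload=True)
    for host in ("10.1.1.1", "10.1.1.2"):
        print("out:", pat.outbound(host, 40000, "198.51.100.10", 80))
    print("in: ", pat.inbound("198.51.100.10", 80, "192.168.2.2", 1024))
    print("in: ", pat.inbound("203.0.113.7", 4444, "192.168.2.2", 1024))
```

Two things the run shows that the slides only state: with overloading, two inside hosts using the same source port are kept apart purely by the rewritten global port, and a packet from the outside that matches no entry (the last `inbound` call) has nowhere to go and is dropped, which is the "not explicitly addressable" property from the NAT motivation slide.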