Mr. Mark Welton
Firewalls are devices that prevent traffic from entering or leaving a network Firewalls are often used between networks, or when a network connects to another network, such as the Internet or business partners Firewalls can be standalone appliances, software, or integrated modules in other devices VPN services are often also supported on firewalls
Basic Security Practices: ◦ Keep it simple ◦ Monitor your logs ◦ Deny everything ◦ Everything not mine is firewalled
Keep it simple – make security rules easy to read and understand, use naming conventions over numbering schemes Monitor your logs – log all firewall activity to a separate syslog server, and review the logs as part of your normal daily routine
Deny everything – best practice, nothing should be allowed inbound unless there is a valid documented business need for it. Restricting outbound traffic is also the smart thing to do, but it often comes with the heated debate between conveniences over security. Many firewalls default to allow everything outbound.
Everything not mine is firewalled – any third-party devices or networks should be separated for your network by a firewall
DMZ (Demilitarized Zone is a network that is neither inside nor outside the firewall A middle ground network that is less restrictive than the inside network but more secure than the outside network
Common DMZ Scenario
Inside Network - can initiate connections to any other network, but no other network can initiate connections to it Outside network - The outside network cannot initiate connections to the inside network but can initiate connections to the DMZ DMZ - The DMZ can initiate connections to the outside network, but not to the inside network. Any other network can initiate connections into the DMZ
One of the main benefits of this type of design is isolation Should the server come under attack and become compromised, the attacker will not have access to the users on the inside network Servers in a DMZ should be locked down with security measures as if they were on the Internet
Understanding how each service works will help you to understand how the firewall should be configured
server - POP, IMAP, and SMTP (TCP ports 110, 143, and 25) should be allowed. All other ports should not be permitted from the Internet
Web server - HTTP and HTTPS (TCP ports 80 and 443) should be allowed. All other ports should be denied from the Internet
DNS server - Only DNS (UDP port 53, and, possibly, TCP port 53) should be allowed from the Internet. All other ports should be denied.
Ideally, only the protocols needed to manage and maintain the servers should be allowed from the managing hosts inside to the DMZ Traffic should not be allowed from the DMZ the inside network
Another common DMZ implementation involves connectivity to a third party, such as a vendor or supplier
Access Control List (ACL) are made up of individual entries called access control entries (ACE) Wildcard masks (also called inverse masks) are used in many devices for creating access lists A wildcard mask is to match a range that can be described with a subnet mask (typical used on routers)
A simple rules that will solve Classful subnet/wildcard mask is: ◦ If the subnet mask has 0 replace it with 255 ◦ If the subnet mask has 255 replace it with 0 Subnet mask Matching wildcard mask
What if it is not a Classful subnet The wildcard mask will be a derivative of the number of host addresses provided by the subnet mask minus one So how many host are in this subnet?
Last octet is So what is the power of two that represents the number of hosts?
or /27 The last 5 bits represent the number of hosts 2 5 = 32 – 1 =31 So the wildcard mask is
What would the wildcard mask be for
1. Replace all 0 octets with 255 and all 255 octets with 0 ◦ in the last octet of a subnet mask ( ) would yield 16 hosts 16 − 1 = 15 The wildcard mask is
So on a Cisco router this would be what a access control entry would look like to allow web traffic to a subnet /24 Permit tcp any eq www
To make it more confuring this is what a Cisco ASA(firewall) ACE would look like for the same network access-list GAD extended permit tcp any eq www Some equipment like NX-OS use CIDR 10 permit tcp /24 any eq www
So where should we apply the ACL?
ACLs can be placed on either inbound on an interface or outbound Inbound traffic is referred to as ingress Outbound traffic is referred to as egress In almost all cases you will place the ACL on the inbound of the interface (coming into the device)
If you placed the ACL outbound on E0 the router would have to process the packet to then only drop them based on an ACL
ACL are applied “Top Down” Unlike routes which are applied as most specific ACL are applied as first match This can cause the concept of hidden rules ip access-list extended GAD permit tcp any eq www permit tcp any host eq www permit tcp any host eq domain The second rule will be “hidden” by the first
Most devices allow objects to be “grouped” under a single name Object groups allow a group of networks, IP addresses, protocols, or services The name can then be used in a single ACL instead of writing multiple ACLs
Routers typically use packet filtering on ACLs As the ACLs get more complex on multiple interfaces ACE will need to be written to allow the traffic in and then allow the return packet to go back These rules can become hard to manage
Protocols like HTTP are not handled in a single packet A request (and handshake with TCP) are sent over several packets then a reply is returned
Routers can use the concept of reflexive access lists to create temporary permit statements that are a reflection of the original communication
Firewalls use stateful inspection Firewalls track the connection of the flow of data An ACL on the inside interface allowing HTTP will allow the return traffic based on the client request happening first
Motivation: local network uses just one IP address as far as outside world is concerned: ◦ range of addresses not needed from ISP: just one IP address for all devices ◦ can change addresses of devices in local network without notifying outside world ◦ can change ISP without changing addresses of devices in local network ◦ devices inside local net not explicitly addressable, visible by outside world (a security plus)
Why use NAT? ◦ You need to connect a network to the Internet and your hosts do not have globally unique IP addresses ◦ You change over to a new ISP that requires you to renumber your network ◦ Two intranets with duplicate addresses are now connected
Two types of NAT Translation ◦ Static translation occurs when you specifically configure addresses in a lookup table A specific inside address maps into a prespecified outside address Also called one-for-one mapping ◦ Dynamic translation occurs when the NAT border router is configured to understand which inside addresses must be translated, and which pool of addresses may be used for the outside addresses
In static NAT the device will always translate to the same external address Most common use is for NAT servers running services to the Internet
In dynamic NAT the device will use an IP address from the pool of addresses that is not currently in use What happen if all the addresses in the pool are in use?
In dynamic NAT the device will use an IP address from the pool of addresses that is not currently in use What happen if all the addresses in the pool are in use?
NAT conserves the legally registered addressing scheme by allowing privatization of intranets, yet allows legal addressing scheme pools to be set up to gain access to the Internet. NAT also reduces the instances in which addressing schemes overlap. If a scheme was originally set up within a private network, then the network was connected to the public network (which may use the same addressing scheme) without address translation, the potential for overlap exists globally.
NAT increases the flexibility of connection to the public network. Multiple pools, backup pools, and load sharing/balancing pools can be implemented to help ensure reliable public network connections. Network design is also simplified as planners have more flexibility when creating an address plan. Deprivatization of a network requires renumbering of the existing network; the costs can be associated to the number of hosts that require conversion to the new addressing scheme. NAT allows the existing scheme to remain, and still supports the new assigned addressing scheme outside the private network.
NAT increases delay ◦ Switching path delays, of course, are introduced because of the translation of each IP address within the packet headers ◦ Performance may be a consideration because NAT is currently done using process switching ◦ The CPU must look at every packet to decide if it has to translate it, and then alter the IP header and possibly the TCP header ◦ It is not likely that this process will be easily cacheable.
One significant disadvantage when implementing and using NAT is the loss of end-to-end IP trace ability It becomes much harder to trace packets that undergo numerous packet address changes over multiple NAT hops This scenario does, however, lead to more secure links because hackers who want to determine a packet's source will find it difficult, if not impossible to trace or obtain the origination source or destination address This also means that you may have the same issue
NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses Applications that use physical addresses instead of a qualified domain name will not reach destinations that are translated across the NAT router Sometimes this problem can be avoided by implementing static NAT mappings
User at host opens a connection to outside host B.
The first packet that the border router receives from host causes the router to check its NAT table. If a translation is found because it has been statically configured, the router continues to the next step. If no translation is found, the router determines that address must be translated. The router allocates a new address and sets up a translation of the inside local address to a legal inside global address from the dynamic address pool
The border router replaces 's inside local IP address with the selected inside global address, , and forwards the packet.
Host B receives the packet and responds to that node using the inside global IP address
When the border router receives the packet with the inside global IP address, the router performs a NAT table lookup using the inside global address as the reference.
The router then translates the address to 's inside local address and forwards the packet to Host receives the packet and continues the conversation. For each packet, the router performs Step 2 through Step 5.
Port Address Translation (PAT) allows for a single Internet IP address to translate to a large number of internal hosts This is done by using both the source and destination IP address and the source and destination port to handle the translation PAT is considered a subset of NAT Same vendors refer to this a overloading
User at host opens a connection to host B
The first packet the router receives from causes the router to check its NAT table
If no translation is found, the router determines that address must be translated
The router allocates a new address and sets up a translation of the inside local address to a legal global address
the router will reuse the global address from that translation and save enough information to be able to distinguish it from the other translation entry
The router replaces 's inside local IP address with the selected inside global address, , and forwards the packet.
Outside host B receives the packet and responds to that node using the inside global IP address
When the router receives the packet with the inside global IP address, the router performs a NAT table lookup using the inside global address and port number, and the outside address and port number as the references
The router then translates the address to 's inside local address and forwards the packet to
Host receives the packet and continues the conversation. For each packet, the router performs Step 2 through Step 5