Policies by FQDN WatchGuard Training.

Presentation transcript:

Policies by FQDN WatchGuard Training

Policies by FQDN
RFE36954: Ability to use FQDN in policies and blocked sites lists
RFE27064: Ability to use FQDN in From and/or To field in policies
RFE79740: Ability to use FQDN in From and/or To field in policies

Policies by FQDN
What it is:
  FQDN as part of the source and/or destination of a policy
  FQDN as part of an alias
  FQDN for a blocked site
  FQDN for a blocked site exception
  Wildcards for the host on a domain (*.example.com)
What it isn't:
  FQDN resolved to IPv6 addresses
  FQDN for server configurations (Log Server, SSO Agent, etc.)

Use Cases

Use Cases
Allow traffic to a specific domain using a separate policy
  Allow traffic to software update sites such as windowsupdate.microsoft.com, or to antivirus signature update sites, even though all other traffic is blocked. This is especially useful when these sites are hosted on content delivery networks (CDNs) that frequently add and change IP addresses.
Deny traffic to a specific domain
Deny all traffic from the CDE (Cardholder Data Environment) but allow signature updates
  For PCI compliance, traffic from the CDE must be restricted; however, allowing critical updates is still necessary. Many of the services that need to be allowed also use CDNs.

Configuration

FQDN in Policies
When modifying the To or From fields in a policy, FQDN is now listed after selecting Add > Add Other.
This allows the configuration of an FQDN, which can include a single leading wildcard.

FQDN in Aliases
FQDN members can also be added to aliases, which are then used in policies.

FQDN in Blocked Sites (and Exceptions)
FQDN members can also be added to the Blocked Sites and Blocked Sites Exceptions lists.

FQDN in Logging
When a policy is applied to traffic by FQDN, the log message shows the FQDN that was matched.

FQDN in Reporting
When a policy is applied to traffic by FQDN, reports show the FQDN that was matched.

FQDN in Reporting
Blocked Sites reports identify the IP addresses that were blocked by an FQDN included in the configuration.

How does this work?

Forward Lookups
When a user configures a domain name, the system performs forward DNS resolution and stores the mapping.
Clients and the Firewall should use the same name servers.
For example: www.google.com

Non-authoritative answer:
Name:    www.google.com
Address: 74.125.25.104
Address: 74.125.25.105
Address: 74.125.25.147
Address: 74.125.25.99
Address: 74.125.25.106
Address: 74.125.25.103

Why not Reverse Lookups?
It is natural to think that we might be able to perform reverse DNS resolution on the source or destination IP when receiving traffic, and see whether the resolved FQDN matches the configuration. Unfortunately, reverse DNS resolution might not always work, and quite commonly the reverse DNS result is not what you might expect.
For example: 74.125.25.147 (from our previous lookup of www.google.com)

Non-authoritative answer:
147.25.125.74.in-addr.arpa name = pa-in-f147.1e100.net.

What about Wildcards?
With wildcards we do forward lookups for www and for the domain itself.
For example: for *.google.com we resolve www.google.com and google.com.
To resolve the rest of the hosts implied by *.google.com, we implement DNS sniffing for A records that match our configuration. As DNS traffic passes through the firewall, we learn the responses to relevant queries.

What happens when we don't see responses?
As seen here, if clients are trying to reach an internal destination using an internal name server, the firewall may not have an opportunity to sniff this traffic for local servers.
We recommend that internal name servers are on a different internal network than clients, to ensure the firewall can see the responses from the server.
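The following Python model ties the last four slides together. It is an added example written for this transcript, not WatchGuard code, and it makes no claim about how Fireware is implemented internally. It models: the forward lookups done for a configured name (for a wildcard, the bare domain and its www host); passive learning of A records from DNS responses that cross the firewall, parsed from real wire format; matching a packet's destination IP against the learned table; why the PTR name for 74.125.25.147 from the slide would not match *.google.com; and a check listing configured names for which no answer was ever seen, which is the situation the internal-name-server slide warns about. The DNS responses are constructed inline (the google.com addresses are the ones shown on the slide, 203.0.113.10 is a documentation address), and TTL-based expiry of learned entries is an assumption the slides do not mention; the class and function names are the example's own.

```python
# Added example: model of FQDN policy matching. Not WatchGuard code; names and TTL expiry are assumptions.
import ipaddress
import struct


def build_response(qname, ips, ttl=300):
    """Build a minimal DNS response carrying A records for qname (constructed test data)."""
    def encode(name):
        return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = encode(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:  # the owner name is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(pkt, off):
    """Decode the DNS name at pkt[off], following compression pointers; return (name, next_offset)."""
    labels, resume = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # pointer: jump, but resume after the 2-byte pointer
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (resume if resume is not None else off)


def a_records(pkt):
    """Yield (name, ip, ttl) for each A record in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(pkt, off)
        off += 4                             # skip QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield name, str(ipaddress.IPv4Address(pkt[off:off + 4])), ttl
        off += rdlen


class FqdnTable:
    """Configured FQDN patterns plus the addresses learned for them (hypothetical class)."""

    def __init__(self):
        self.patterns = []
        self.ip_map = {}                     # ip -> (name, pattern, expiry)

    def matches(self, name):
        """Return the configured pattern covering name, or None. '*.d.com' also covers 'd.com'."""
        for p in self.patterns:
            if p.startswith("*.") and (name == p[2:] or name.endswith(p[1:])):
                return p
            if name == p:
                return p
        return None

    def observe(self, pkt, now):
        """Learn A records from a DNS response that crossed the firewall (the sniffing step)."""
        for name, ip, ttl in a_records(pkt):
            pattern = self.matches(name)
            if pattern is not None:
                self.ip_map[ip] = (name, pattern, now + ttl)

    def configure(self, pattern, resolve, now):
        """Add a pattern and forward-resolve it; a wildcard resolves the domain and its www host."""
        pattern = pattern.lower()
        self.patterns.append(pattern)
        names = [pattern[2:], "www." + pattern[2:]] if pattern.startswith("*.") else [pattern]
        for n in names:
            self.observe(resolve(n), now)

    def match_ip(self, ip, now):
        """Pattern whose learned, unexpired address equals ip, else None (policy evaluation)."""
        entry = self.ip_map.get(ip)
        return entry[1] if entry and entry[2] > now else None

    def unobserved(self, now):
        """Configured patterns with no live learned address: the firewall never saw an answer."""
        live = {e[1] for e in self.ip_map.values() if e[2] > now}
        return [p for p in self.patterns if p not in live]


def demo():
    """Constructed scenario: two configured names, one wildcard, one name whose answers never pass."""
    answers = {
        "google.com": build_response("google.com", ["74.125.25.99"]),
        "www.google.com": build_response("www.google.com", ["74.125.25.104", "74.125.25.147"]),
        "windowsupdate.microsoft.com": build_response("windowsupdate.microsoft.com", ["203.0.113.10"], ttl=60),
    }
    table = FqdnTable()
    table.configure("*.google.com", answers.__getitem__, now=0)
    table.configure("windowsupdate.microsoft.com", answers.__getitem__, now=0)
    table.configure("intranet.example.com", lambda n: build_response(n, []), now=0)  # answer never seen
    # A client later resolves mail.google.com and the answer crosses the firewall.
    table.observe(build_response("mail.google.com", ["74.125.25.105"]), now=10)
    return table


if __name__ == "__main__":
    t = demo()
    print(t.match_ip("74.125.25.105", now=20))   # *.google.com, learned by sniffing
    print(t.match_ip("203.0.113.10", now=100))   # None: the 60 s TTL has expired
    print(t.matches("pa-in-f147.1e100.net"))     # None: the PTR name from the slide does not match
    print(t.unobserved(now=20))                  # ['intranet.example.com']
```

The `unobserved` check is the practical takeaway: if a configured name never acquires a learned address, the firewall is not seeing the DNS answers for it, which is exactly what happens when clients and their internal name server sit on the same network segment. The PTR check shows why matching cannot be done the other way round: the reverse name belongs to a different domain than the policy.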

Thank You!