1. Mr. Mark Welton

2.  Firewalls are devices that prevent traffic from entering or leaving a network  Firewalls are often used between networks, or when a network connects to another network, such as the Internet or business partners  Firewalls can be standalone appliances, software, or integrated modules in other devices  VPN services are often also supported on firewalls

3.  Basic Security Practices: ◦ Keep it simple ◦ Monitor your logs ◦ Deny everything ◦ Everything not mine is firewalled

4.  Keep it simple – make security rules easy to read and understand, use naming conventions over numbering schemes  Monitor your logs – log all firewall activity to a separate syslog server, and review the logs as part of your normal daily routine

5.  Deny everything – best practice, nothing should be allowed inbound unless there is a valid documented business need for it. Restricting outbound traffic is also the smart thing to do, but it often comes with the heated debate between conveniences over security. Many firewalls default to allow everything outbound.

6.  Everything not mine is firewalled – any third-party devices or networks should be separated for your network by a firewall

7.  DMZ (Demilitarized Zone is a network that is neither inside nor outside the firewall  A middle ground network that is less restrictive than the inside network but more secure than the outside network

8.  Common DMZ Scenario

9.  Inside Network - can initiate connections to any other network, but no other network can initiate connections to it  Outside network - The outside network cannot initiate connections to the inside network but can initiate connections to the DMZ  DMZ - The DMZ can initiate connections to the outside network, but not to the inside network. Any other network can initiate connections into the DMZ

10.  One of the main benefits of this type of design is isolation  Should the email server come under attack and become compromised, the attacker will not have access to the users on the inside network  Servers in a DMZ should be locked down with security measures as if they were on the Internet

11.  Understanding how each service works will help you to understand how the firewall should be configured

12.  Email server - POP, IMAP, and SMTP (TCP ports 110, 143, and 25) should be allowed. All other ports should not be permitted from the Internet

13.  Web server - HTTP and HTTPS (TCP ports 80 and 443) should be allowed. All other ports should be denied from the Internet

14.  DNS server - Only DNS (UDP port 53, and, possibly, TCP port 53) should be allowed from the Internet. All other ports should be denied.

15.  Ideally, only the protocols needed to manage and maintain the servers should be allowed from the managing hosts inside to the DMZ  Traffic should not be allowed from the DMZ the inside network

16.  Another common DMZ implementation involves connectivity to a third party, such as a vendor or supplier

18.  Access Control List (ACL) are made up of individual entries called access control entries (ACE)  Wildcard masks (also called inverse masks) are used in many devices for creating access lists  A wildcard mask is to match a range that can be described with a subnet mask (typical used on routers)

19.  A simple rules that will solve Classful subnet/wildcard mask is: ◦ If the subnet mask has 0 replace it with 255 ◦ If the subnet mask has 255 replace it with 0  Subnet mask Matching wildcard mask  255.0.0.0 0.255.255.255  255.255.0.0 0.0.255.255  255.255.255.0 0.0.0.255

20.  What if it is not a Classful subnet  255.255.255.224  The wildcard mask will be a derivative of the number of host addresses provided by the subnet mask minus one  So how many host are in this subnet?

21.  255.255.255.224  Last octet is 11100000  So what is the power of two that represents the number of hosts?

22.  255.255.255.224 or /27  The last 5 bits represent the number of hosts  2 5 = 32 – 1 =31  So the wildcard mask is 0.0.0.31 11100000 1286432168421 2727 2626 2525 2424 23232 2121 2020

23.  What would the wildcard mask be for 255.240.0.0

24.  1. Replace all 0 octets with 255 and all 255 octets with 0 ◦ 0.240.255.255  2. 240 in the last octet of a subnet mask (255.255.255.240) would yield 16 hosts  16 − 1 = 15  The wildcard mask is 0.15.255.255

25.  So on a Cisco router this would be what a access control entry would look like to allow web traffic to a subnet 10.10.10.0/24  Permit tcp any 10.10.10.0 0.0.0.255 eq www

26.  To make it more confuring this is what a Cisco ASA(firewall) ACE would look like for the same network  access-list GAD extended permit tcp any 10.0.0.0 255.255.255.0 eq www  Some equipment like NX-OS use CIDR  10 permit tcp 10.10.10.0/24 any eq www

27.  So where should we apply the ACL?

28.  ACLs can be placed on either inbound on an interface or outbound  Inbound traffic is referred to as ingress  Outbound traffic is referred to as egress  In almost all cases you will place the ACL on the inbound of the interface (coming into the device)

29.  If you placed the ACL outbound on E0 the router would have to process the packet to then only drop them based on an ACL

30.  ACL are applied “Top Down”  Unlike routes which are applied as most specific ACL are applied as first match  This can cause the concept of hidden rules ip access-list extended GAD permit tcp any 10.10.10.0 0.0.0.255 eq www permit tcp any host 10.10.10.100 eq www permit tcp any host 10.10.10.100 eq domain  The second rule will be “hidden” by the first

31.  Most devices allow objects to be “grouped” under a single name  Object groups allow a group of networks, IP addresses, protocols, or services  The name can then be used in a single ACL instead of writing multiple ACLs

32.  Routers typically use packet filtering on ACLs  As the ACLs get more complex on multiple interfaces ACE will need to be written to allow the traffic in and then allow the return packet to go back  These rules can become hard to manage

33.  Protocols like HTTP are not handled in a single packet  A request (and handshake with TCP) are sent over several packets then a reply is returned

34.  Routers can use the concept of reflexive access lists to create temporary permit statements that are a reflection of the original communication

35.  Firewalls use stateful inspection  Firewalls track the connection of the flow of data  An ACL on the inside interface allowing HTTP will allow the return traffic based on the client request happening first

36.  Motivation: local network uses just one IP address as far as outside world is concerned: ◦ range of addresses not needed from ISP: just one IP address for all devices ◦ can change addresses of devices in local network without notifying outside world ◦ can change ISP without changing addresses of devices in local network ◦ devices inside local net not explicitly addressable, visible by outside world (a security plus)

37.  Why use NAT? ◦ You need to connect a network to the Internet and your hosts do not have globally unique IP addresses ◦ You change over to a new ISP that requires you to renumber your network ◦ Two intranets with duplicate addresses are now connected

38.  Two types of NAT Translation ◦ Static translation occurs when you specifically configure addresses in a lookup table  A specific inside address maps into a prespecified outside address  Also called one-for-one mapping ◦ Dynamic translation occurs when the NAT border router is configured to understand which inside addresses must be translated, and which pool of addresses may be used for the outside addresses

39.  In static NAT the device will always translate to the same external address  Most common use is for NAT servers running services to the Internet

40.  In dynamic NAT the device will use an IP address from the pool of addresses that is not currently in use  What happen if all the addresses in the pool are in use?

41.  In dynamic NAT the device will use an IP address from the pool of addresses that is not currently in use  What happen if all the addresses in the pool are in use?

43.  NAT conserves the legally registered addressing scheme by allowing privatization of intranets, yet allows legal addressing scheme pools to be set up to gain access to the Internet.  NAT also reduces the instances in which addressing schemes overlap. If a scheme was originally set up within a private network, then the network was connected to the public network (which may use the same addressing scheme) without address translation, the potential for overlap exists globally.

44.  NAT increases the flexibility of connection to the public network. Multiple pools, backup pools, and load sharing/balancing pools can be implemented to help ensure reliable public network connections. Network design is also simplified as planners have more flexibility when creating an address plan.  Deprivatization of a network requires renumbering of the existing network; the costs can be associated to the number of hosts that require conversion to the new addressing scheme. NAT allows the existing scheme to remain, and still supports the new assigned addressing scheme outside the private network.

45.  NAT increases delay ◦ Switching path delays, of course, are introduced because of the translation of each IP address within the packet headers ◦ Performance may be a consideration because NAT is currently done using process switching ◦ The CPU must look at every packet to decide if it has to translate it, and then alter the IP header and possibly the TCP header ◦ It is not likely that this process will be easily cacheable.

46.  One significant disadvantage when implementing and using NAT is the loss of end-to-end IP trace ability  It becomes much harder to trace packets that undergo numerous packet address changes over multiple NAT hops  This scenario does, however, lead to more secure links because hackers who want to determine a packet's source will find it difficult, if not impossible to trace or obtain the origination source or destination address  This also means that you may have the same issue

47.  NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses  Applications that use physical addresses instead of a qualified domain name will not reach destinations that are translated across the NAT router  Sometimes this problem can be avoided by implementing static NAT mappings

48.  User at host 10.1.1.1opens a connection to outside host B.

49.  The first packet that the border router receives from host 10.1.1.1 causes the router to check its NAT table. If a translation is found because it has been statically configured, the router continues to the next step.  If no translation is found, the router determines that address 10.1.1.1must be translated. The router allocates a new address and sets up a translation of the inside local address 10.1.1.1to a legal inside global address from the dynamic address pool

50.  The border router replaces 10.1.1.1's inside local IP address with the selected inside global address, 192.168.2.2, and forwards the packet.

51.  Host B receives the packet and responds to that node using the inside global IP address 192.168.2.2.

52.  When the border router receives the packet with the inside global IP address, the router performs a NAT table lookup using the inside global address as the reference.

53.  The router then translates the address to 10.1.1.1's inside local address and forwards the packet to 10.1.1.1. Host 10.1.1.1 receives the packet and continues the conversation. For each packet, the router performs Step 2 through Step 5.

54.  Port Address Translation (PAT) allows for a single Internet IP address to translate to a large number of internal hosts  This is done by using both the source and destination IP address and the source and destination port to handle the translation  PAT is considered a subset of NAT  Same vendors refer to this a overloading

55.  User at host 10.1.1.1opens a connection to host B

56.  The first packet the router receives from 10.1.1.1 causes the router to check its NAT table

57.  If no translation is found, the router determines that address 10.1.1.1 must be translated

58.  The router allocates a new address and sets up a translation of the inside local address 10.1.1.1 to a legal global address

59.  the router will reuse the global address from that translation and save enough information to be able to distinguish it from the other translation entry

60.  The router replaces 10.1.1.1's inside local IP address with the selected inside global address, 192.168.2.2, and forwards the packet.

61.  Outside host B receives the packet and responds to that node using the inside global IP address 192.168.2.2

62.  When the router receives the packet with the inside global IP address, the router performs a NAT table lookup using the inside global address and port number, and the outside address and port number as the references

63.  The router then translates the address to 10.1.1.1's inside local address and forwards the packet to 10.1.1.1

64.  Host 10.1.1.1 receives the packet and continues the conversation.  For each packet, the router performs Step 2 through Step 5