mr. mark welton. firewalls are devices that prevent traffic from entering or leaving a network ...
TRANSCRIPT
CSIS 4823Data Communications
Networking – FirewallsMr. Mark Welton
Firewalls are devices that prevent traffic from entering or leaving a network
Firewalls are often used between networks, or when a network connects to another network, such as the Internet or business partners
Firewalls can be standalone appliances, software, or integrated modules in other devices
VPN services are often also supported on firewalls
Firewalls
Basic Security Practices:◦ Keep it simple◦ Monitor your logs◦ Deny everything◦ Everything not mine is firewalled
Firewalls
Keep it simple – make security rules easy to read and understand, use naming conventions over numbering schemes
Monitor your logs – log all firewall activity to a separate syslog server, and review the logs as part of your normal daily routine
Firewalls
Deny everything – best practice, nothing should be allowed inbound unless there is a valid documented business need for it. Restricting outbound traffic is also the smart thing to do, but it often comes with the heated debate between conveniences over security. Many firewalls default to allow everything outbound.
Firewalls
Everything not mine is firewalled – any third-party devices or networks should be separated for your network by a firewall
Firewalls
DMZ (Demilitarized Zone is a network that is neither inside nor outside the firewall
A middle ground network that is less restrictive than the inside network but more secure than the outside network
Firewalls
Common DMZ Scenario
Firewalls
Inside Network - can initiate connections to any other network, but no other network can initiate connections to it
Outside network - The outside network cannot initiate connections to the inside network but can initiate connections to the DMZ
DMZ - The DMZ can initiate connections to the outside network, but not to the inside network. Any other network can initiate connections into the DMZ
Firewalls
One of the main benefits of this type of design is isolation
Should the email server come under attack and become compromised, the attacker will not have access to the users on the inside network
Servers in a DMZ should be locked down with security measures as if they were on the Internet
Firewalls
Understanding how each service works will help you to understand how the firewall should be configured
Firewalls
Email server - POP, IMAP, and SMTP (TCP ports 110, 143, and 25) should be allowed. All other ports should not be permitted from the Internet
Firewalls
Web server - HTTP and HTTPS (TCP ports 80 and 443) should be allowed. All other ports should be denied from the Internet
Firewalls
DNS server - Only DNS (UDP port 53, and, possibly, TCP port 53) should be allowed from the Internet. All other ports should be denied.
Firewalls
Ideally, only the protocols needed to manage and maintain the servers should be allowed from the managing hosts inside to the DMZ
Traffic should not be allowed from the DMZ the inside network
Firewalls
Another common DMZ implementation involves connectivity to a third party, such as a vendor or supplier
Firewalls
Firewalls
Access Control List (ACL) are made up of individual entries called access control entries (ACE)
Wildcard masks (also called inverse masks) are used in many devices for creating access lists
A wildcard mask is to match a range that can be described with a subnet mask (typical used on routers)
Access Lists
A simple rules that will solve Classful subnet/wildcard mask is:◦ If the subnet mask has 0 replace it with 255◦ If the subnet mask has 255 replace it with 0
Subnet mask Matching wildcard mask
255.0.0.0 0.255.255.255 255.255.0.0 0.0.255.255 255.255.255.0 0.0.0.255
Access Lists
What if it is not a Classful subnet 255.255.255.224 The wildcard mask will be a derivative of
the number of host addresses provided by the subnet mask minus one
So how many host are in this subnet?
Access Lists
255.255.255.224 Last octet is 11100000 So what is the power of two that represents
the number of hosts?
Access Lists
255.255.255.224 or /27 The last 5 bits represent the number of
hosts 25 = 32 – 1 =31 So the wildcard mask is 0.0.0.31
Access Lists
11100000128 64 32 16 8 4 2 1
27 26 25 24 23 22 21 20
What would the wildcard mask be for 255.240.0.0
Access Lists
What would the wildcard mask be for 255.240.0.0
1. Replace all 0 octets with 255 and all 255 octets with 0◦ 0.240.255.255
2. 240 in the last octet of a subnet mask (255.255.255.240) would yield 16 hosts
16 − 1 = 15 The wildcard mask is 0.15.255.255
Access Lists
So on a Cisco router this would be what a access control entry would look like to allow web traffic to a subnet 10.10.10.0/24
Permit tcp any 10.10.10.0 0.0.0.255 eq www
Access Lists
To make it more confuring this is what a Cisco ASA(firewall) ACE would look like for the same network
access-list GAD extended permit tcp any 10.0.0.0 255.255.255.0 eq www
Some equipment like NX-OS use CIDR 10 permit tcp 10.10.10.0/24 any eq www
Access Lists
So where should we apply the ACL?
Where to Apply Access Lists
ACLs can be placed on either inbound on an interface or outbound
Inbound traffic is referred to as ingress Outbound traffic is referred to as egress In almost all cases you will place the ACL on
the inbound of the interface (coming into the device)
Where to Apply Access Lists
If you placed the ACL outbound on E0 the router would have to process the packet to then only drop them based on an ACL
Where to Apply Access Lists
ACL are applied “Top Down” Unlike routes which are applied as most
specific ACL are applied as first match This can cause the concept of hidden rulesip access-list extended GAD permit tcp any 10.10.10.0 0.0.0.255 eq www permit tcp any host 10.10.10.100 eq www permit tcp any host 10.10.10.100 eq domain The second rule will be “hidden” by the first
Hidden Rules
Most devices allow objects to be “grouped” under a single name
Object groups allow a group of networks, IP addresses, protocols, or services
The name can then be used in a single ACL instead of writing multiple ACLs
Object Grouping
Routers typically use packet filtering on ACLs
As the ACLs get more complex on multiple interfaces ACE will need to be written to allow the traffic in and then allow the return packet to go back
These rules can become hard to manage
Firewalls vs. Routers
Protocols like HTTP are not handled in a single packet
A request (and handshake with TCP) are sent over several packets then a reply is returned
Firewalls vs. Routers
Routers can use the concept of reflexive access lists to create temporary permit statements that are a reflection of the original communication
Firewalls vs. Routers
Firewalls use stateful inspection Firewalls track the connection of the flow of
data An ACL on the inside interface allowing
HTTP will allow the return traffic based on the client request happening first
Firewalls vs. Routers
Motivation: local network uses just one IP address as far as outside world is concerned:◦ range of addresses not needed from ISP: just one
IP address for all devices◦ can change addresses of devices in local network
without notifying outside world◦ can change ISP without changing addresses of
devices in local network◦ devices inside local net not explicitly addressable,
visible by outside world (a security plus)
Network Address Translation
Why use NAT?◦ You need to connect a network to the Internet and
your hosts do not have globally unique IP addresses
◦ You change over to a new ISP that requires you to renumber your network
◦ Two intranets with duplicate addresses are now connected
Network Address Translation
Two types of NAT Translation◦ Static translation occurs when you specifically
configure addresses in a lookup table A specific inside address maps into a
prespecified outside address Also called one-for-one mapping
◦ Dynamic translation occurs when the NAT border router is configured to understand which inside addresses must be translated, and which pool of addresses may be used for the outside addresses
Network Address Translation
In static NAT the device will always translate to the same external address
Most common use is for NAT servers running services to the Internet
Network Address Translation
In dynamic NAT the device will use an IP address from the pool of addresses that is not currently in use
What happen if all the addresses in the pool are in use?
Network Address Translation
In dynamic NAT the device will use an IP address from the pool of addresses that is not currently in use
What happen if all the addresses in the pool are in use?
Network Address Translation
Network Address Translation
NAT conserves the legally registered addressing scheme by allowing privatization of intranets, yet allows legal addressing scheme pools to be set up to gain access to the Internet.
NAT also reduces the instances in which addressing schemes overlap. If a scheme was originally set up within a private network, then the network was connected to the public network (which may use the same addressing scheme) without address translation, the potential for overlap exists globally.
NAT Advantages
NAT increases the flexibility of connection to the public network. Multiple pools, backup pools, and load sharing/balancing pools can be implemented to help ensure reliable public network connections. Network design is also simplified as planners have more flexibility when creating an address plan.
Deprivatization of a network requires renumbering of the existing network; the costs can be associated to the number of hosts that require conversion to the new addressing scheme. NAT allows the existing scheme to remain, and still supports the new assigned addressing scheme outside the private network.
NAT Advantages
NAT increases delay◦ Switching path delays, of course, are introduced
because of the translation of each IP address within the packet headers
◦ Performance may be a consideration because NAT is currently done using process switching
◦ The CPU must look at every packet to decide if it has to translate it, and then alter the IP header and possibly the TCP header
◦ It is not likely that this process will be easily cacheable.
NAT Disadvantages
One significant disadvantage when implementing and using NAT is the loss of end-to-end IP trace ability
It becomes much harder to trace packets that undergo numerous packet address changes over multiple NAT hops
This scenario does, however, lead to more secure links because hackers who want to determine a packet's source will find it difficult, if not impossible to trace or obtain the origination source or destination address
This also means that you may have the same issue
NAT Disadvantages
NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses
Applications that use physical addresses instead of a qualified domain name will not reach destinations that are translated across the NAT router
Sometimes this problem can be avoided by implementing static NAT mappings
NAT Disadvantages
User at host 10.1.1.1opens a connection to outside host B.
NAT Step 1
The first packet that the border router receives from host 10.1.1.1 causes the router to check its NAT table. If a translation is found because it has been statically configured, the router continues to the next step.
If no translation is found, the router determines that address 10.1.1.1must be translated. The router allocates a new address and sets up a translation of the inside local address 10.1.1.1to a legal inside global address from the dynamic address pool
NAT Step 2
The border router replaces 10.1.1.1's inside local IP address with the selected inside global address, 192.168.2.2, and forwards the packet.
NAT Step 3
Host B receives the packet and responds to that node using the inside global IP address 192.168.2.2.
NAT Step 4
When the border router receives the packet with the inside global IP address, the router performs a NAT table lookup using the inside global address as the reference.
NAT Step 5
The router then translates the address to 10.1.1.1's inside local address and forwards the packet to 10.1.1.1. Host 10.1.1.1 receives the packet and continues the conversation. For each packet, the router performs Step 2 through Step 5.
NAT Step 6
Port Address Translation (PAT) allows for a single Internet IP address to translate to a large number of internal hosts
This is done by using both the source and destination IP address and the source and destination port to handle the translation
PAT is considered a subset of NAT Same vendors refer to this a overloading
Port Address Translation
User at host 10.1.1.1opens a connection to host B
PAT Step 1
The first packet the router receives from 10.1.1.1 causes the router to check its NAT table
PAT Step 2
If no translation is found, the router determines that address 10.1.1.1 must be translated
PAT Step 2
The router allocates a new address and sets up a translation of the inside local address 10.1.1.1 to a legal global address
PAT Step 2
the router will reuse the global address from that translation and save enough information to be able to distinguish it from the other translation entry
PAT Step 2
The router replaces 10.1.1.1's inside local IP address with the selected inside global address, 192.168.2.2, and forwards the packet.
PAT Step 3
Outside host B receives the packet and responds to that node using the inside global IP address 192.168.2.2
PAT Step 4
When the router receives the packet with the inside global IP address, the router performs a NAT table lookup using the inside global address and port number, and the outside address and port number as the references
PAT Step 5
The router then translates the address to 10.1.1.1's inside local address and forwards the packet to 10.1.1.1
PAT Step 6
Host 10.1.1.1 receives the packet and continues the conversation.
For each packet, the router performs Step 2 through Step 5
PAT Step 6