TippingPoint X505 Training
Firewall – Rules, Services and Virtual Servers
Firewall – Objectives
> Upon completion of this module, you should be familiar with the following:
— Firewall Concepts Review
— Firewall Rules
— Firewall Rule Components
— Services and Service Groups
— Bandwidth Management
— Scheduling
— Authorization
— Content Filtering
— Virtual Servers
— Port Address Translation
Types of Firewalls
> Network Address Translation
— Translates internal IP addresses to external addresses
— Can be used to map many internal addresses to one (or few) external addresses
— Denies most unsolicited inbound connections, because no translation entry exists for them; this is a side effect of the translation, not an access policy
> Proxy
— Acts as a “middle man”
— Terminates external connections on behalf of internal clients, so the client never talks directly to the outside host
> Stateful Inspection
— Keeps track of the state of all connections
— Denies out-of-state connection attempts (packets that do not belong to a tracked connection)
— Rules or policies determine what can or cannot be accessed from outside the network
— Rules or policies determine what can or cannot be accessed from outside the network
> The X505 is a Stateful Firewall and more (IPS, rate shaping, content filtering, etc.)
Firewall Rules
> Rules are evaluated “top down”: the first rule that matches the traffic decides
> Implicit deny at the end: traffic that matches no rule is blocked
> Click on (highlight) an existing rule to create a new rule above it
> There are many default rules to facilitate such things as DHCP requests, DNS queries and VPN termination; know what they permit before adding your own
Firewall Rule Components
> Source/Destination Zones
— IP Address Groups
> Action
— Permit/Block/Content Filter
> Services/Service Groups
> Rate Limiting
> Scheduling
> Authentication
Services and Service Groups
> Services are applications and protocols that can be configured in a firewall rule to police that traffic
— The X505 comes with a host of pre-defined services
> e.g. “dns-tcp” is protocol 6 (TCP) on port 53
> Service Groups are groupings of services
— As with Services, the X505 comes with a host of pre-defined service groups
> e.g. “dns” consists of the services “dns-tcp” and “dns-udp”
Bandwidth Management
> Bandwidth management can be applied to the traffic a rule matches either per rule (one limit shared by every session the rule matches) or per session (each session gets its own limit)
> For example, use per session for voice and per rule for limiting WWW access, etc.
Scheduling
> Schedules can be defined to limit a firewall rule to certain times of the day/week
— e.g. “Work Day” = MTWThF from 8AM-6PM
Authorization
> Users can be forced to authenticate before accessing various resources
> By defining firewall rules that reference privilege groups, users can be authorized before access is allowed
> Because rules are matched top down, authorization rules must be positioned above the default “LAN” → “WAN” “Any” permit rule; if that rule comes first it matches and access is granted without any authorization
Authorization
Create a privilege group…
Assign the privilege group to a user…
Enable user authentication in a firewall rule…
Content Filtering
> 3Com Content Filter Service
— Servers based in NA, Europe or Asia
> Subscription Service
— Requires the “DV Gold” maintenance level
> Backed by Surf Control
> Content Categories
> Manual URL Filter
> Custom Web Response Page
Content Filtering Configuration
> Enable Content Filter and/or Manual URL Filter
— Optional: Custom Response Page
> Create a firewall rule with the action “Content Filter”
— Position the rule above the “LAN” → “WAN” “Any” rule; rules are matched top down, so if the permit rule comes first it wins and the web traffic is never filtered
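The rule-ordering point made for authorization and for content filtering, together with the services, service groups and schedule described earlier, can be reproduced in a small first-match policy model. This is an added example and not TippingPoint code or output: the zone names “LAN”/“WAN”, the “dns-tcp”/“dns-udp”/“dns” definitions and the “Work Day” schedule follow the slides, while the other service names, rule names and timestamps are constructed here, and the “authenticate” verdict is an assumption about how an auth rule treats a user who has not logged in (the slides do not say).

```python
"""First-match firewall policy model (added example, not TippingPoint code).
Rules are tried top down, the first match decides, unmatched traffic hits
the implicit deny. Service/zone names other than dns-tcp, dns-udp, dns,
LAN and WAN are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers

# Services are (protocol, destination port); groups expand to sets of services.
SERVICES = {
    "dns-tcp": (TCP, 53), "dns-udp": (UDP, 53),
    "http": (TCP, 80), "https": (TCP, 443), "ssh": (TCP, 22),  # constructed
}
SERVICE_GROUPS = {"dns": {"dns-tcp", "dns-udp"}, "web": {"http", "https"}}  # "web" constructed


def expand_services(names):
    """Resolve service and service-group names to (proto, port) pairs; None = any."""
    if "any" in names:
        return None
    return {SERVICES[s] for n in names for s in SERVICE_GROUPS.get(n, {n})}


@dataclass(frozen=True)
class Schedule:
    weekdays: frozenset      # datetime.weekday(): Monday=0 ... Sunday=6
    start_hour: int
    end_hour: int            # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


WORK_DAY = Schedule(frozenset(range(5)), 8, 18)  # MTWThF, 8AM-6PM


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    services: Tuple[str, ...]
    action: str                        # "permit", "block" or "content-filter"
    schedule: Optional[Schedule] = None
    require_auth: bool = False         # rule references a privilege group


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: int
    dport: int
    authenticated: bool = False        # user has logged in


def rule_matches(rule: Rule, pkt: Packet, when: datetime) -> bool:
    if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
        return False
    if rule.schedule is not None and not rule.schedule.active(when):
        return False
    allowed = expand_services(rule.services)
    return allowed is None or (pkt.proto, pkt.dport) in allowed


def evaluate(rules, pkt: Packet, when: datetime):
    """Top down, first match wins, implicit deny at the end. An auth rule hit
    by an unauthenticated user returns "authenticate" (assumed behaviour)."""
    for rule in rules:
        if rule_matches(rule, pkt, when):
            if rule.require_auth and not pkt.authenticated:
                return ("authenticate", rule.name)
            return (rule.action, rule.name)
    return ("block", "implicit deny")


def build_policy(filter_above_any: bool = True):
    """Constructed rule base; the flag places the content-filter rule above or
    below the default LAN -> WAN Any permit so the shadowing effect is visible."""
    dns = Rule("LAN DNS", "LAN", "WAN", ("dns",), "permit")
    cf = Rule("web content filter", "LAN", "WAN", ("web",), "content-filter")
    any_out = Rule("LAN WAN Any", "LAN", "WAN", ("any",), "permit")
    admin = Rule("remote admin SSH", "WAN", "LAN", ("ssh",), "permit",
                 schedule=WORK_DAY, require_auth=True)
    outbound = [dns, cf, any_out] if filter_above_any else [dns, any_out, cf]
    return outbound + [admin]


MONDAY = datetime(2024, 1, 8, 10, 0)      # constructed: a Monday, 10:00
SATURDAY = datetime(2024, 1, 13, 10, 0)   # constructed: a Saturday, 10:00

if __name__ == "__main__":
    web = Packet("LAN", "WAN", TCP, 80)
    print(evaluate(build_policy(True), web, MONDAY))    # filtered
    print(evaluate(build_policy(False), web, MONDAY))   # shadowed: permitted unfiltered
    ssh_in = Packet("WAN", "LAN", TCP, 22)
    print(evaluate(build_policy(), ssh_in, SATURDAY))   # outside schedule: implicit deny
    print(evaluate(build_policy(), ssh_in, MONDAY))     # must authenticate first
```

With the content-filter rule below the “LAN WAN Any” permit, HTTP is permitted by the broad rule and the filter rule is never reached; the same shadowing silently disables an authorization rule placed too low. The inbound SSH rule shows a schedule simply removing the rule from consideration outside “Work Day”, so the traffic falls through to the implicit deny.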
Manual URL Filter
> Select whether to permit or block
> Specify a partial URL or enter a regular expression
Virtual Servers
> Virtual Servers provide the means to do one-to-one NAT as well as Port Address Translation (PAT), so that a host on the outside can reach an internal server through a public address
Port Address Translation
> Also known as “port forwarding”
> The virtual server “listens” on a certain port of the outside address, and the X505 forwards the connection request to the “real” port on the internal host; only that one port is exposed, whereas one-to-one NAT exposes every port the rule base permits
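The two kinds of virtual server, and the connection state the firewall has to keep so that the internal host's replies leave with the public address, are modelled in the following added example. It is not TippingPoint code; every address and port is constructed for illustration, and the one-to-one NAT entry is modelled as preserving the port unchanged.

```python
"""Virtual server (one-to-one NAT and PAT) model with stateful reverse mapping.
Added example, not TippingPoint code; all addresses/ports are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class VirtualServer:
    public_ip: str
    public_port: Optional[int]   # None = one-to-one NAT: every port, unchanged
    real_ip: str
    real_port: Optional[int]     # None for one-to-one NAT


class VirtualServerTable:
    def __init__(self, servers):
        self.pat = {(s.public_ip, s.public_port): s for s in servers if s.public_port is not None}
        self.one_to_one = {s.public_ip: s for s in servers if s.public_port is None}
        # Connection state: (real_ip, real_port, client_ip, client_port) -> public (ip, port)
        self.sessions: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Translate a connection request arriving on the outside interface.
        Returns the rewritten flow, or None when no virtual server listens there."""
        vs = self.pat.get((flow.dst_ip, flow.dst_port))
        if vs is not None:
            real = (vs.real_ip, vs.real_port)                   # PAT: port rewritten
        elif flow.dst_ip in self.one_to_one:
            real = (self.one_to_one[flow.dst_ip].real_ip, flow.dst_port)  # port preserved
        else:
            return None
        self.sessions[(real[0], real[1], flow.src_ip, flow.src_port)] = (flow.dst_ip, flow.dst_port)
        return Flow(flow.src_ip, flow.src_port, real[0], real[1])

    def reply(self, flow: Flow) -> Optional[Flow]:
        """Reverse-translate a reply from the internal host using the session
        table. A reply with no matching session is out of state and dropped."""
        public = self.sessions.get((flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port))
        if public is None:
            return None
        return Flow(public[0], public[1], flow.dst_ip, flow.dst_port)


def demo():
    """Constructed scenario: one PAT entry and one one-to-one NAT entry."""
    table = VirtualServerTable([
        VirtualServer("203.0.113.10", 8080, "192.168.1.20", 80),    # outside 8080 -> inside 80
        VirtualServer("203.0.113.11", None, "192.168.1.30", None),  # one-to-one NAT
    ])
    client = ("198.51.100.5", 40000)
    pat_in = table.inbound(Flow(*client, "203.0.113.10", 8080))
    pat_back = table.reply(Flow("192.168.1.20", 80, *client))
    closed = table.inbound(Flow(*client, "203.0.113.10", 22))          # nothing listens on 22
    nat_in = table.inbound(Flow(*client, "203.0.113.11", 22))          # any port reaches .30
    stray = table.reply(Flow("192.168.1.30", 22, "198.51.100.9", 1234))  # no session: dropped
    return pat_in, pat_back, closed, nat_in, stray


if __name__ == "__main__":
    for label, result in zip(("pat_in", "pat_back", "closed", "nat_in", "stray"), demo()):
        print(label, result)
```

The PAT entry exposes exactly one outside port and maps it to the real service port; the one-to-one entry passes every port through to the internal host, so it needs a tighter firewall rule alongside it. The reply path shows why the table is stateful: a packet from the internal host that does not match a recorded session has nothing to translate back to and is dropped.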
LAB 4: Firewall and Virtual Server