Firewall Design and Management
Designing Firewall Configurations
Firewalls can be deployed in several ways
• Screening router
• Dual-homed host
• Screened host
• Screened subnet DMZ
• Multiple DMZs
• Multiple firewalls
• Reverse firewall
Screening Router
Determines whether to allow or deny packets based on
their source and destination IP addresses
Does not stop many attacks
• Especially those that use spoofed or manipulated IP
address information
Should be combined with a firewall or proxy server
• For additional protection
Screening Router
Dual-Homed Hosts
• Computer that has been configured with more than
one network interface
• Only firewall software can forward packets from one
interface to another
• Firewall is placed between the network and Internet
Dual-Homed Hosts
Screened Hosts
• Like a dual-homed host except router is added
between the host and the Internet
• Combines a dual-homed host and a screening router
• Can function as an application gateway or proxy server
Screened Hosts
Screened Subnet DMZs
• DMZ
– Subnet of publicly accessible servers placed outside the
internal LAN
– Common solution is to make servers a subnet of the
firewall
• Firewall that protects the DMZ is connected to the
Internet and the internal network
– Called a three-pronged firewall
Screened Subnet DMZs
Multiple DMZ/Firewall Configurations
• Server farm
– Group of servers connected in their own subnet
– Work together to receive requests with the help of load-
balancing software
• Load-balancing software
– Prioritizes and schedules requests and distributes them to
servers
Multiple DMZ/Firewall Configurations
Multiple Firewall Configurations
• Protecting a DMZ with Multiple Firewalls
– One firewall controls traffic between DMZ and Internet
– Second firewall controls traffic between protected
network and DMZ
• Can also serve as a failover firewall
– Advantage
• Can control where traffic goes in the three networks
you are dealing with
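An added example, not from the slides, of the decisions a screening router and a three-pronged (screened subnet) firewall make: the zones, rules and packets are constructed sample values, and the interface check shows why screening on IP addresses alone does not catch a packet that spoofs an internal source address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for a three-pronged firewall with one interface per zone.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # publicly accessible servers
}

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside", "dmz" or "internal"
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not internal or DMZ is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

# (from_zone, to_zone, proto, dport, action); first match wins, default deny.
# "*" and 0 are wildcards. This is where the firewall controls traffic between
# the three networks: the Internet may reach published DMZ services only, and
# a compromised DMZ host must not be able to open connections into the LAN.
RULES = [
    ("internet", "dmz", "tcp", 80, "allow"),
    ("internet", "dmz", "tcp", 443, "allow"),
    ("internet", "dmz", "tcp", 25, "allow"),
    ("dmz", "internal", "*", 0, "deny"),
    ("internal", "dmz", "*", 0, "allow"),
    ("internal", "internet", "*", 0, "allow"),
]

def decide(pkt: Packet) -> str:
    src_zone = zone_of(pkt.src)
    # Anti-spoofing: a source address belonging to a zone must arrive on that
    # zone's interface. A plain screening router that looks only at the
    # addresses in the header cannot make this check.
    expected_iface = "outside" if src_zone == "internet" else src_zone
    if pkt.iface != expected_iface:
        return "drop:spoofed"
    dst_zone = zone_of(pkt.dst)
    for frm, to, proto, port, action in RULES:
        if (frm, to) == (src_zone, dst_zone) and proto in ("*", pkt.proto) \
                and port in (0, pkt.dport):
            return action
    return "deny"
```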
Multiple Firewall Configurations
Reverse Firewalls
• Monitors outgoing connections
– Instead of trying to block what’s coming in
• Helps monitor outgoing connection attempts that
originate from internal users
– Filters out unauthorized attempts
Pros & Cons of firewall configurations
Examining Proxy Servers
Proxy server
• Software that forwards packets to and from the
network being protected
• Caches Web pages to speed up network performance
Goals of Proxy Servers
• Original goal
– Speed up network communications
– Information is retrieved from proxy cache instead of the
Internet
• Goals of modern proxy servers
– Provide security at the Application layer
– Shield hosts on the internal network
– Control Web sites users are allowed to access
Proxy servers cache Web pages and other files
How Proxy Servers Work
• Proxy server goal
– Prevent a direct connection between an external
computer and an internal computer
• Proxy servers work at the Application layer
– Opens the packet and examines the data
– Decides to which application it should forward the
packet
– Reconstructs the packet and forwards it
How Proxy Servers Work
• Proxy server receives traffic before it goes to the Internet
• Client programs are configured to connect to the proxy
server instead of the Internet
– Web browser
– E-mail applications
Proxy servers replace source IP addresses with their own addresses
Configuring client programs to connect to
the proxy server rather than the Internet
Pros & Cons
Choosing a Proxy Server
• Different proxy servers perform different functions
• Freeware Proxy servers
– Often described as content filters
– Most do not have features for business applications
– Example: Squid for Linux
• Commercial Proxy servers
– Offer Web page caching, source and destination IP addresses
translation, content filtering, and NAT
– Example: Microsoft Forefront Threat Management Gateway
Choosing a Proxy Server
• Proxy Servers That Can Include Firewall Functions
– Having an all-in-one program simplifies installation,
product updating, and management
– Disadvantages
• Single point of failure
– Try to use several software and hardware products to
protect your network
Filtering Content
• Proxy servers can open packets and examine data
• Proxy servers can:
– Filter out content that would otherwise appear in a
user’s Web browser
– Block Web sites with content your users should not be
viewing
– Drop executable programs
• Java applets
Choosing a Bastion Host
• Security software does not operate on its own
– Installed on a computer that needs to be as secure as
possible
• Bastion host
– Computer that sits on the network perimeter
– Has been specially protected through OS patches,
authentication, and encryption
General Requirements
• Steps in creating a bastion host
– Select a machine with sufficient memory and processor speed
– Choose and install OS and any patches or updates
– Determine where the bastion host will fit in the network
configuration
– Install services you want to provide
– Remove services and accounts that aren’t needed.
– Back up the system and all data on it
– Conduct a security audit
– Connect the system to the network
Selecting the Bastion Host Machine
• Select familiar hardware and software
– Not necessarily the latest
• Ideal situation
– One bastion host for each service you want to provide
• FTP server, Web server, SMTP server, etc…
• Choosing an Operating System
– Pick a version that is secure and reliable
Bastion hosts are often combined with packet-filtering routers
Bastion hosts in the DMZ
Hardening the Bastion Host
• The simpler your bastion host is, the easier it is to secure
• Selecting Services to Provide
– Close unnecessary ports
– Disable unnecessary user accounts and services
• Reduces chances of being attacked
– Disable routing or IP forwarding services
– Do not remove dependency services
• System needs them to function correctly
– Stop services one at a time to check effect on system
Using Honeypots
• Honeypot
– Computer placed on the network perimeter
– Attracts attackers away from critical servers
– Appears real
– Can be located between the bastion host and internal network
– Network security experts are divided about honeypots
– Laws on the use of honeypots are confusing at best
– Another goal of a honeypot is logging
• Logs are used to learn about attackers' techniques
A honeypot in the DMZ
Disabling User Accounts
• Default accounts are created during OS installation
– Some of these accounts have blank passwords
• Disable all user accounts from the bastion host
– Users should not be able to connect to it
• Rename the Administrator account
– Use long, complex passwords
Handling Backups and Auditing
• Essential steps in hardening a computer
– Backups
– Detailed recordkeeping
– Auditing
• Copy log files to other computers in your network
– Should go through firewall to screen for viruses and other
vulnerabilities
• Audit all failed and successful attempts to log on to the bastion host
– And any attempts to access or change files
Network Address Translation
• Network Address Translation (NAT)
– Originally designed to help conserve public IP addresses
– Receives requests at its own IP address and forwards
them to the correct IP address
• NAT device is assigned a public IP address
• Primary address translation types:
– One-to-one NAT and many-to-one NAT
One-to-One NAT
• Process of mapping one internal IP address to one external
IP address
– Internal client sends packets (destined for an external
host) to its default gateway on the NAT device
– NAT device repackages the packet, so its public interface
appears to be the source and sends to external host
– External host responds to NAT device
– NAT device repackages response and sends it to the
internal host
One-to-one NAT
Many-to-One NAT
• Uses TCP and UDP port addresses to distinguish between
internal clients
– Allows many internal clients to use the same single
public NAT interface simultaneously
• Disadvantages:
– You can hide only so many clients behind a single IP
address
– Does not work with some types of VPNs
– Uses only a single public IP address
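An added example, not from the slides, that simulates both translation types just described: a static one-to-one mapping changes only the address, while many-to-one NAT shares one public address and tells internal clients apart by the translated source port. All addresses and the deliberately small port pool are constructed values; the pool shows the "only so many clients" limit.

```python
class Nat:
    """Constructed NAT device with one public address plus optional one-to-one mappings."""

    def __init__(self, public_ip, static=None, port_range=(1024, 65536)):
        self.public_ip = public_ip
        self.static = dict(static or {})                 # one-to-one: internal ip -> public ip
        self.reverse_static = {v: k for k, v in self.static.items()}
        self.free_ports = iter(range(*port_range))       # pool of public source ports
        self.by_flow = {}    # (int ip, int port, ext ip, ext port) -> public port
        self.table = {}      # public port -> that flow tuple

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the LAN; returns (ip, port) seen by the external host."""
        if src_ip in self.static:
            # One-to-one NAT: the public interface appears as the source, port untouched.
            return self.static[src_ip], src_port
        # Many-to-one NAT: each distinct flow gets its own public port.
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.by_flow:
            pub_port = next(self.free_ports, None)
            if pub_port is None:
                raise RuntimeError("port pool exhausted: too many clients behind one address")
            self.by_flow[key] = pub_port
            self.table[pub_port] = key
        return self.public_ip, self.by_flow[key]

    def inbound(self, dst_ip, dst_port, src_ip, src_port):
        """Map a reply arriving at the public side back to (internal ip, port), or None if unsolicited."""
        if dst_ip in self.reverse_static:
            return self.reverse_static[dst_ip], dst_port
        entry = self.table.get(dst_port)
        # Only the external peer of the recorded flow may use the translated port.
        if entry and entry[2:] == (src_ip, src_port):
            return entry[0], entry[1]
        return None
```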
Types of Firewall
• Software Firewall
– Protect a single computer
– Usually less expensive, easier to configure
• Hardware Firewall
– Protect an entire network
– Implemented on the router level
– Usually more expensive, hard to configure
Campus Network
• The firewall is implemented between the secure and insecure
networks
• Best practice is to place it between the cloud and the router
– The older technique places it between the Internet-facing
router and your campus network.
– In this way we minimize the threats towards the router.
Campus Network
• Centralized data processing system, with a central mainframe supporting
several directly connected terminals.
• Local area networks (LANs) interconnecting PCs and terminals to each
other and the mainframe.
• Premises network, consisting of several LANs, interconnecting PCs, servers,
and perhaps a mainframe or two.
• Enterprise-wide network, consisting of multiple, geographically distributed
premises networks interconnected by a private wide area network (WAN).
• Internet connectivity, in which the various premises networks all hook into
the Internet and may or may not also be connected by a private WAN.
Design Goals
• All traffic from inside to outside, and vice versa, must pass through
the firewall. This is achieved by physically blocking all access to the
local network except via the firewall. Various configurations are
possible, as explained later in this section.
• Only authorized traffic, as defined by the local security policy, will
be allowed to pass. Various types of firewalls are used, which
implement various types of security policies.
• The firewall itself is immune to penetration. This implies the use
of a trusted system with a secure operating system.
Campus Network Design
Government Network
• Compared to the campus network, the Interior Ministry’s network needs more security.
• Demilitarized Zone (DMZ)
– Access Control
– Network reconnaissance prevention.
– Protection against Internet Protocol (IP) spoofing
• Intrusion Detection System (IDS): a network-based intrusion detection
system that uses a signature database to trigger intrusion alarms.
• A VPN concentrator provides secure creation of VPN connections and
delivery of messages between VPN nodes.
Government Organizations Network Design
Firewall Configuration Example
Firewall Configuration Example
• Basics of configuring a Cisco ASA 5505 firewall:
– Rollover cable is connected to the management
PC’s COM 1 port and firewall’s Console port
– A terminal emulator (PuTTY) is used to make the
command-line connection
– Command prompt is “ciscoasa” by default and the
enable password is blank
• Type enable and press Enter at the password prompt
– The show switch vlan command shows that all
eight ports are placed in VLAN 1 by default
Firewall Configuration Example
• Basics of configuring a Cisco ASA 5505 firewall
(cont’d):
– Use the configure terminal command to switch
to global configuration mode so that you can
configure the firewall
– Type hostname SanFrancisco to name firewall
– To assign a strong password, type enable
password T%imPwa0)gi
– To configure interfaces, type interface (type of
interface) (interface number)
• interface ethernet 0/0
Firewall Configuration Example
• Basics of configuring a Cisco ASA 5505 firewall
(cont’d):
– Commands to use when naming VLANs
• interface VLAN1
• nameif LAN
• security-level 100
• ip address 192.168.1.205 255.255.255.0
• exit
– To view IP address information:
• show ip address
Firewall Configuration Example
• Basics of configuring a Cisco ASA 5505 firewall
(cont’d):
– To save configuration changes:
• copy running-config startup-config
– If you have a TFTP server, you should copy the
configuration there
• copy startup-config tftp
– To verify IP interfaces:
• show interface ip brief
– To enable routing using the RIP routing protocol
• router rip, followed by a network command for each
network number to advertise
Any Questions?
Thank You