EVOLUTION OF FIREWALL
Firewall Basics
Traditionally, a firewall is defined as any device (or software) used to filter
or control the flow of traffic. Firewalls are typically implemented on the
network perimeter, and function by defining trusted and untrusted zones.
Packet Filtering is one of the core services provided by firewalls. Packets
can be filtered (permitted or denied) based on a wide range of criteria:
• Source address
• Destination address
• Protocol Type (IP, TCP, UDP, ICMP, ESP, etc.)
• Source Port
• Destination Port
Packet filtering is implemented as a rule-list:
No.  Action  Protocol  Source Addr.  Source Port  Destination Addr.  Destination Port
1    Deny    TCP       Any           Any          172.16.1.5         666
2    Permit  IP        Any           Any          172.16.1.5         Any
3    Permit  TCP       Any           Any          172.16.1.1         443
4    Permit  TCP       Any           Any          172.16.1.1         80
5    Permit  TCP       Any           Any          172.16.1.10        25
6    Deny    TCP       66.1.1.5      Any          172.16.1.10        110
7    Permit  TCP       Any           Any          172.16.1.10        110
The order of the rule-list is a critical consideration. The rule-list is always
parsed from top-to-bottom. Thus, more specific rules should always be
placed near the top of the rule-list, otherwise they may be negated by a
previous, more encompassing rule.
Also, an implicit ‘deny any’ rule usually exists at the bottom of a rule-list,
which often can’t be removed. Thus, rule-lists that contain only deny
statements will prevent all traffic.
Most firewalls will permit traffic from the trusted zone to the untrusted
zone, without any explicit configuration. However, traffic from the
untrusted zone to the trusted zone must be explicitly permitted. Thus, any
traffic that is not explicitly permitted from the untrusted to trusted zone will
be implicitly denied (by default on most firewall systems).
A firewall is not limited to only two zones, but can contain multiple ‘less
trusted’ zones, often referred to as Demilitarized Zones (DMZs).
To control the trust value of each zone, each firewall interface is assigned a
security level, which is often represented as a numerical value or even color.
For example, in the above diagram, the Trusted Zone could be assigned a
security value of 100, the Less Trusted Zone a value of 75, and the
Untrusted Zone a value of 0.
As stated previously, traffic from a higher security to lower security zone is
(generally) allowed by default, while traffic from a lower security to higher
security zone requires explicit permission.
In this section I am going to discuss the evolution of the firewall, covering:
• Access lists
• Reflexive ACLs
• Context-Based Access Control (CBAC)
• Zone-Based Firewall
• Adaptive Security Appliance (ASA)
• Lab example
Basic Access Lists
• For this scenario, R1 is on the inside of the firewall, and R2 is on the outside.
• Apply ingress and egress access-lists to R3’s interface.
• The security policy states the following permissions for inside networks:
o Permit access to WWW applications.
o Permit remote access to outside servers via the standard virtual
terminal access protocols.
o Permit sending/retrieving email using the standard protocols.
o Users on the inside should be able to use outside DNS and access
outside FTP servers by means of active FTP mode.
o Inside users should be able to traceroute and ping to the outside.
• The security policy states the following permissions for outside networks:
o The inside server at IP address 1.1.1.1 should be accessible from the
outside via HTTP and active FTP.
o The inside server should be protected from fragmented-packet attacks.
o Packets for sessions initiated from the inside should be permitted. For
TCP sessions, use only one line of access-list configuration.
o Make sure the PMTU discovery process works.
The key problem with basic access-lists is that they have no notion of session
tracking, i.e. they are stateless. So if you permit a packet from the inside with an
egress ACL, you must make sure that there is an appropriate mirrored entry in the
ingress ACL for the returning traffic.
Also, keep in mind that the popular FTP protocol has two functional modes, Active
and Passive. In FTP Active mode the client connects to the server on port 21,
and the server opens the data connection, sourced from port 20, back to the client. In FTP
Passive mode the client connects to the server, the server tells the client the port number for
the data connection, and the client initiates the data connection to that port.
Know that the common UNIX and IOS traceroute implementations send out UDP
packets destined to the port range 33434-33464 by default, and expect one of two
types of ICMP message in reply: “Time-Exceeded” or “Port-Unreachable”.
Additionally, the PMTU discovery process needs ICMP type 3, code 4
(“Packet too Big”, IOS keyword packet-too-big) to be permitted from the outside.
Remember that you may permit packets belonging to an established TCP session using the
keyword “established” in an access-list entry. Such an entry matches any packet that has
either the “ACK” or the “RST” bit set. In addition, you can match non-initial
fragments of IP traffic using the “fragments” keyword.
Always remember that router-generated traffic is not checked by egress
access-lists; it is simply permitted. However, the returning traffic is checked by
the ingress ACL, so make sure you have permitted any routing and management
traffic.
Make a useful habit of adding an explicit “deny ip any any log” at the end of your
access-lists. This may assist troubleshooting during your lab exam.
R3:
!
! Egress ACL
!
ip access-list extended OUTBOUND
 remark == HTTP/HTTPS
 permit tcp any any eq 80
 permit tcp any any eq 443
 remark == SSH/Telnet
 permit tcp any any eq 22
 permit tcp any any eq 23
 remark == SMTP, POP3/IMAP, DNS
 permit tcp any any eq 25
 permit tcp any any eq 110
 permit tcp any any eq 143
 permit udp any any eq 53
 remark == FTP, Traceroute, Pings
 permit tcp any any range 20 21
 permit udp any any range 33434 33464
 permit icmp any any echo
 remark == Traffic from internal server (HTTP/FTP)
 permit tcp host 1.1.1.1 eq 80 any
 permit tcp host 1.1.1.1 range 20 21 any
 deny ip any any log
!
! Ingress ACL
!
ip access-list extended INBOUND
 remark == Permit inbound RIP updates
 permit udp any any eq rip
 remark == Block non-initial frags to server
 deny ip any host 1.1.1.1 fragments
 remark == Permit HTTP/Active FTP to server
 permit tcp any host 1.1.1.1 eq 80
 permit tcp any host 1.1.1.1 range 20 21
 remark == Returning TCP traffic for inside TCP sessions
 permit tcp any any established
 remark == Active FTP data channel
 permit tcp any eq 20 any
 remark == Returning DNS traffic
 permit udp any eq 53 any
 remark == Pings, Traceroute and pMTU disc returning traffic
 permit icmp any any echo-reply
 permit icmp any any port-unreachable
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 deny ip any any log
!
! Apply access-lists
!
interface FastEthernet 0/1
 ip access-group OUTBOUND out
 ip access-group INBOUND in
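To make the first-match semantics concrete, here is a small evaluator that I have added to this post (it is example code, not from the original lab or from Cisco). It walks a rule-list top to bottom, applies the implicit deny at the end, and models the two IOS qualifiers discussed above: “established” only matches packets carrying ACK or RST, and “fragments” restricts an entry to non-initial fragments (for entries without that keyword, the modelled behaviour for non-initial fragments is the documented IOS one: a permit entry whose layer-3 part matches permits the fragment, while a deny entry that needs port information is skipped). It then replays the rule-list from the Firewall Basics table, the same list with rules 6 and 7 swapped to show why order matters, and the lab's INBOUND ACL (ICMP entries left out, since the packet model carries no ICMP type). All addresses, ports and packets are constructed sample values.

```python
"""First-match ACL evaluator (added example; not code from the original post).

Models a rule-list parsed top to bottom with an implicit deny at the end, plus
the IOS 'established' and 'fragments' qualifiers. Fragment handling for entries
without the 'fragments' keyword follows the documented IOS behaviour.
Addresses, ports and packets below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard for address and port fields


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})
    non_initial_fragment: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip" matches every protocol
    src: Optional[str] = ANY
    dst: Optional[str] = ANY
    sport: Optional[Tuple[int, int]] = ANY   # inclusive (low, high) port range
    dport: Optional[Tuple[int, int]] = ANY
    established: bool = False
    fragments: bool = False


def _in_range(rng, value):
    return rng is ANY or rng[0] <= value <= rng[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not ANY and rule.src != pkt.src:
        return False
    if rule.dst is not ANY and rule.dst != pkt.dst:
        return False
    if rule.fragments:                       # entry restricted to non-initial fragments
        return pkt.non_initial_fragment
    has_l4 = rule.sport is not ANY or rule.dport is not ANY or rule.established
    if pkt.non_initial_fragment:
        # No L4 header to inspect: a permit entry matching on L3 permits the
        # fragment; a deny entry that needs L4 information is skipped (IOS behaviour).
        return (not has_l4) or rule.action == "permit"
    if not _in_range(rule.sport, pkt.sport) or not _in_range(rule.dport, pkt.dport):
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False                         # a bare SYN is never 'established'
    return True


def evaluate(rules, pkt):
    """Return (action, 1-based rule number); ("deny", None) means the implicit deny fired."""
    for number, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return rule.action, number
    return "deny", None


# The rule-list from the Firewall Basics table.
BASIC_RULES = [
    Rule("deny", "tcp", dst="172.16.1.5", dport=(666, 666)),
    Rule("permit", "ip", dst="172.16.1.5"),
    Rule("permit", "tcp", dst="172.16.1.1", dport=(443, 443)),
    Rule("permit", "tcp", dst="172.16.1.1", dport=(80, 80)),
    Rule("permit", "tcp", dst="172.16.1.10", dport=(25, 25)),
    Rule("deny", "tcp", src="66.1.1.5", dst="172.16.1.10", dport=(110, 110)),
    Rule("permit", "tcp", dst="172.16.1.10", dport=(110, 110)),
]
# Same list with rules 6 and 7 swapped: the specific deny is now shadowed.
MISORDERED_RULES = BASIC_RULES[:5] + [BASIC_RULES[6], BASIC_RULES[5]]

# The lab's INBOUND ACL (ICMP entries omitted: Packet carries no ICMP type).
INBOUND = [
    Rule("permit", "udp", dport=(520, 520)),                 # eq rip
    Rule("deny", "ip", dst="1.1.1.1", fragments=True),
    Rule("permit", "tcp", dst="1.1.1.1", dport=(80, 80)),
    Rule("permit", "tcp", dst="1.1.1.1", dport=(20, 21)),
    Rule("permit", "tcp", established=True),
    Rule("permit", "tcp", sport=(20, 20)),                   # active FTP data channel
    Rule("permit", "udp", sport=(53, 53)),
    Rule("deny", "ip"),                                      # explicit deny ip any any log
]

if __name__ == "__main__":
    pop3 = Packet("tcp", "66.1.1.5", "172.16.1.10", 40000, 110, frozenset({"SYN"}))
    print(evaluate(BASIC_RULES, pop3), evaluate(MISORDERED_RULES, pop3))
    syn_in = Packet("tcp", "203.0.113.9", "10.1.1.1", 40000, 23, frozenset({"SYN"}))
    ack_in = Packet("tcp", "203.0.113.9", "10.1.1.1", 23, 40000, frozenset({"ACK"}))
    print(evaluate(INBOUND, syn_in), evaluate(INBOUND, ack_in))
```

Running it shows the two points the text makes: with the table as written, the POP3 attempt from 66.1.1.5 stops at rule 6, but with rules 6 and 7 swapped the broader permit wins first; and on the INBOUND ACL an inbound SYN to an inside host falls through to the explicit deny while the returning ACK is accepted by the “established” entry, which is what lets a single line cover all inside-initiated TCP sessions.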
Thanks.