Firewall - PowerPoint PPT Presentation

Title: Firewall
Slides: 34
Provided by: bestitdoc
Tags: firewall

Transcript and Presenter's Notes

1
Firewall Configuration Rules
2
Firewall Configuration Rules
  • Port review
  • NAT Review
  • Proxy Review
  • Firewall Configuration

3
Port Review
4
  • PROTOCOL and PORT NUMBERS

5
USER DATAGRAM PROTOCOL
  • UDP Source/Destination Port.
  • 1. The port numbers identify the sending and
    receiving processes. UDP uses the destination
    port to demultiplex the datagram to a particular
    process running on the computer.
  • 2. IP demultiplexes an incoming IP datagram to
    either TCP or UDP based upon the protocol value
    in the IP header. UDP then demultiplexes the UDP
    datagram to a particular application depending
    upon the port number.
  • 3. The port number and the IP address together
    allow any application on any computer on the
    Internet to be uniquely identified.
  • 4. UDP port numbers can be either static or
    dynamic.
  • Static ports (< 1023) are assigned by a central
    authority and are sometimes called Universal
    Assignments or well-known port assignments.
  • Typical static ports are 7 Echo, 37 Time, 69
    TFTP, 161 SNMP network monitoring, 514 System
    log, 520 RIP.
  • Dynamic ports are not globally known but are
    assigned by software. These numbers are 0 - 65535
    (minus the static port assignments).
  • UDP Message Length. This field indicates the
    size of the UDP header and its data in bytes.
    The minimum size must be 8 (the size of the
    header).
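The slide describes three mechanics: the fixed 8-byte header with its Length field, the static/dynamic split of the port space, and demultiplexing by destination port. The following Python is an added example (not code from the slides) that parses a UDP header from raw bytes, rejects a Length field below the 8-byte minimum or larger than what was received, classifies ports as static or dynamic, and hands the payload to whatever process is bound to the destination port. The datagram and the listener table are constructed inline; the port-7 handler simply returns what it receives, as the Echo service on slide 11 does.

```python
import struct

UDP_HEADER_LEN = 8          # header only: the minimum legal UDP Length value
STATIC_PORT_MAX = 1023      # boundary of the slide's static (well-known) range

# Well-known UDP services named on the slide (port -> service).
WELL_KNOWN_UDP = {7: "echo", 37: "time", 69: "tftp",
                  161: "snmp", 514: "syslog", 520: "rip"}


def parse_udp(segment: bytes) -> dict:
    """Decode the four 16-bit big-endian UDP header fields (RFC 768 layout)."""
    if len(segment) < UDP_HEADER_LEN:
        raise ValueError("segment shorter than the 8-byte UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    # Length covers header plus data, so it can never be below 8 and must
    # not claim more bytes than actually arrived on the wire.
    if length < UDP_HEADER_LEN:
        raise ValueError(f"UDP length {length} below minimum {UDP_HEADER_LEN}")
    if length > len(segment):
        raise ValueError(f"UDP length {length} exceeds {len(segment)} bytes received")
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": checksum, "payload": segment[UDP_HEADER_LEN:length]}


def is_valid_udp(segment: bytes) -> bool:
    """True when the header parses and its Length field is consistent."""
    try:
        parse_udp(segment)
        return True
    except ValueError:
        return False


def port_class(port: int) -> str:
    """Static ports are centrally assigned; everything above them is dynamic."""
    return "static" if port <= STATIC_PORT_MAX else "dynamic"


def demultiplex(segment: bytes, listeners: dict):
    """Deliver the datagram to the process bound to its destination port.

    `listeners` maps a port to a callable and stands in for the process table
    UDP consults. None means no process is bound (a real stack would answer
    with an ICMP Port Unreachable).
    """
    hdr = parse_udp(segment)
    handler = listeners.get(hdr["dport"])
    return None if handler is None else handler(hdr["payload"])


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a UDP datagram (checksum left zero, which IPv4 permits)."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload


if __name__ == "__main__":
    # Constructed sample: a client on a dynamic port sends "ping" to Echo (port 7).
    datagram = build_udp(40000, 7, b"ping")
    echo = lambda data: data        # Echo retransmits whatever it receives
    print(parse_udp(datagram))
    print(port_class(40000), "->", port_class(7), WELL_KNOWN_UDP[7])
    print(demultiplex(datagram, {7: echo}))
```

A firewall or IDS that decodes UDP has to apply the same two Length checks before trusting the payload slice; a Length larger than the bytes received is the classic way a truncated or crafted datagram makes a careless parser read past its buffer.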

6
  • USER DATAGRAM PROTOCOL

Well Known UDP Ports Examples
  • Well-Known ports are standard ports between
    0-1023 reserved for standard services.
  • The Internet Assigned Numbers Authority (IANA)
    is responsible for assigning well-known ports.

7
  • PROTOCOL and PORT NUMBERS

8
  • TCP ENCAPSULATION

9
  • WELL KNOWN TCP PORT NUMBERS

10
  • TCP PROCESS ADDRESSING
  • End Point describes a connection in terms of
  • <Local Addr, Local Port>
  • <164.22.40.8, 1500>
  • Half association describes just one process in
    terms of
  • <Prot, Local Addr, Local Port>
  • <tcp, 164.22.40.8, 1500>
  • Full Association describes a connection in
    terms of
  • <Prot, Local Addr, Local Port, Remote
    Addr, Remote Port>
  • E.g. <tcp, 164.22.40.8, 1500, 165.62.125, 22>

11
  • Selected Ports
  • Echo - UDP Port 7
  • Retransmits to the sender anything it receives.
    Used for testing networks.
  • Disable if not needed or block at the Firewall.
  • Discard - TCP/UDP Port 9
  • Discards anything it receives. Used for
    developing network tools.
  • Disable if not needed or block at the Firewall.
  • Daytime - UDP Port 13
  • Sends the server's date/time to the
    client.
  • Disable if not needed or block at the Firewall.
  • Quote - UDP Port 17
  • Sends the connecting client a quote selected
    from a file of quotes.
  • Disable if not needed or block at the Firewall.

12
  • Selected Ports (cont)
  • Chargen - TCP/UDP Port 19
  • Continuously sends out printable ASCII
    characters. Used for testing network tools.
  • Disable if not needed or block at the Firewall.
  • FTP - TCP Ports 20 and 21
  • Used for transferring files over the Internet.
  • Disable if not needed; otherwise use a proxy.
  • Telnet - TCP Port 23
  • Used to connect remotely to a server. The data is
    not encrypted and the password/logon is
    readable.
  • Disable if not needed or block at the firewall.
  • SMTP - TCP Port 25
  • Used for the exchange of email over the
    Internet.
  • Proxy SMTP across the Firewall

13
  • Selected Ports (cont)
  • DNS - UDP Port 53
  • Translates text based names into IP addresses.
  • Proxy DNS across the Firewall.
  • BootP/DHCP - UDP Ports 67 and 68
  • BootP allows diskless workstations to find and
    load their OSs over the network.
  • DHCP provides for dynamic allocation of IP
    addresses.
  • Both BootP and DHCP should be employed inside
    the Firewall.
  • TFTP - UDP Port 69
  • A simpler version of FTP that is used with BootP
    and DHCP to allow diskless workstations to
    acquire and load their operating systems.
  • Disable or block at the Firewall.
  • Gopher - TCP Port 70
  • The first hypertext system on the Internet.
  • Disable or block at Firewall.

14
  • Selected Ports (cont)
  • Finger - TCP Port 79
  • Used to obtain system information such as names,
    office hours, TP, current projects.
  • Disable.
  • HTTP - TCP Port 80
  • Used to transfer text, video, graphics, sound
    and programs over the Internet.
  • Proxy HTTP across the Firewall.
  • POP3 - TCP Port 110
  • Allows users to check their mail over the LAN or
    the Internet.
  • Proxy POP3 or block at the firewall.
  • RPC - UDP Port 111
  • Allows two computers to coordinate the execution
    of software.
  • Disable or block at the firewall.

15
Selected Ports (cont)
  • NetBios - TCP Ports 137, 138, 139
  • Used by MS Windows networking to connect LAN
    clients to file and print services.
  • Block at the Firewall.
  • IMAP - TCP Port 143
  • Used by clients to transfer email from servers
    not configured to send email to the clients.
  • Disable if not needed.
  • SNMP - UDP Port 161
  • Used to remotely manage network devices such as
    routers, servers, hubs and clients.
  • Block at the firewall.
  • LDAP - TCP/UDP Port 389
  • Used to maintain contact information across the
    Internet.
  • Block at the firewall.

16
Selected Ports (cont)
  • RSH - TCP Port 514
  • Used to connect remotely to a server. The
    passwords are encrypted.
  • Block at the Firewall.
  • NFS - TCP/UDP Port 2049
  • Provides clients LAN access to data storage. The
    Unix equivalent of NetBios.
  • Block at the Firewall.

17
NAT Review
18
Overview
  • The IAB identified three immediate Internet
    dangers:
  • 1. INTERNIC is fast exhausting Class B addresses.
  • 2. The increase in networks/hosts has resulted in
    a routing table explosion.
  • 3. The increase in networks/hosts is fast depleting
    the 32-bit address space.
  • Class B Exhaustion (Three Bears Problem).
  • Class A (8/24 network/host bits): 256 networks,
    16,772,214 hosts - too scarce (IANA assigned).
  • Class B (14/16 network/host bits): 16,384
    networks, 65,534 hosts - about right for
    subnetting.
  • Class C (21/8 network/host bits): 2,097,152
    networks, 254 hosts - too narrow.
  • Routing Table Explosion
  • This is a catch-all term for all the problems
    posed by the manipulation of large databases.

19
IP Address Depletion Strategies
  • The InterNIC adopted four major strategies for
    handling the depletion of the IP addresses.
  • Creative IP Address Space Allocation.
  • RFC 2050 - Internet Registry IP Allocation
    Guidelines
  • Private Addresses/Network Address Translation
    (NAT).
  • RFC 1918 - Address Allocation for Private
    Networks.
  • RFC 1631 - The IP Network Address Translator.
  • Classless InterDomain Routing (CIDR).
  • RFC 1519 - Classless Inter-Domain Routing (CIDR):
    An Address Assignment and Aggregation Strategy.
  • IP Version 6 (IPv6).
  • RFC 1883 - Internet Protocol, Version 6 (IPv6).

20
Private IP Addresses
  • Private IP addresses relax the rule that IP
    addresses are globally unique.
  • This IP conservation technique reserves part of
    the IP address space for use exclusively within
    an organization.
  • The organization does not require connectivity to
    the Internet.
  • IANA reserves three ranges of IP addresses for
    "Private Internets"
  • 10.0.0.0 - 10.255.255.255 A single Class A
    network
  • 172.16.0.0 - 172.31.255.255 Sixteen
    contiguous Class B networks
  • 192.168.0.0 - 192.168.255.255 256 contiguous
    Class C networks
  • Any organization can use these addresses provided
    they adhere to the following rules
  • They cannot be referenced by hosts in another
    organization.
  • They cannot be defined to any external router.
  • Organizations with private addresses cannot
    externally advertise those IP addresses and
    cannot forward IP datagrams containing those
    addresses to external routers.
  • External routers will quietly discard all routing
    information regarding these addresses.
  • All connectivity to an Internet host must be
    provided by a Network Address Translator.

21
Network Address Translators
  • NATs are based upon the idea that only a small
    part of the hosts in a private network will
    communicate outside that network.
  • NATs are a solution for those organizations that
    use non-routable IP addresses.
  • A NAT, normally part of a Firewall, is
    positioned between the Private Network and the
    Internet and
  • Dynamically translates the private IP address of
    an outgoing packet into an Internet IP address.
  • Dynamically translates the return Internet IP
    address into a private IP address.
  • Only TCP/UDP packets are translated by NAT. For
    example, the Private Network cannot be pinged
    (i.e. ICMP is not supported).
  • NAT hides the internal network from the view of
    outsiders.

22
NAT Translation Modes
  • Static Translation (Port Forwarding) A fixed IP
    translation between internal resources with
    non-routable IP addresses and a specific external
    routable IP Address.
  • Dynamic Translation (Automatic, Hide Mode, IP
    Masquerade or NAPT) A large group of internal
    resources are dynamically given non-routable IP
    addresses which are translated into a single
    external, routable IP address. Each internal
    resource is uniquely identified by an external
    port number.
  • Load Balancing Translation A single external IP
    address is translated into a pool of identically
    configured servers. A single external IP address
    serves a number of servers.
  • Network Redundancy Translation A single
    Firewall is attached to multiple Internet
    connections that the firewall can use for load
    balancing or redundancy.

23
Static Translation

[Figure: a packet leaving the Private Network with
source 10.4.3.1 and destination 198.34.2.5 appears
on the Internet with source 200.10.4.10 and
destination 198.34.2.5.]

NAT Pool
  10.4.3.1  ->  200.10.4.10
  10.4.3.2  ->  200.10.4.11
  <Free>    ->  200.10.4.12

  • The Private Network is assigned non-routable
    addresses.
  • The NAT pool consists of registered IP addresses
    that resolve to the external address of the
    Private Network.
  • For outgoing packets a NAT Pool IP address is
    substituted for the source IP address.
  • For incoming packets the original IP address is
    reinserted as the destination IP address,
    replacing the NAT pool address.
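Slides 20 through 24 describe the RFC 1918 check, static (one-to-one) translation against a pool, and dynamic NAPT in which one external address is shared and each internal flow is told apart by an external port. The Python below is an added example, not code from the presentation, that models both modes on TCP/UDP 4-tuples (ICMP is deliberately not handled, as slide 21 states). The pool entries 10.4.3.1 -> 200.10.4.10 and 10.4.3.2 -> 200.10.4.11 come from slide 23; the hide address 200.10.4.12, the starting external port 14000 and the inside hosts 10.4.3.3 and 10.4.3.11 are assumptions made for this example.

```python
import ipaddress

# RFC 1918 private ranges from slide 20.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True when addr falls inside one of the three reserved private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class Nat:
    """Toy NAT: static one-to-one translation plus dynamic NAPT (hide mode).

    Only TCP/UDP 4-tuples (sip, sport, dip, dport) are translated. The hide
    address and the first external port are assumptions for this example.
    """

    def __init__(self, hide_ip: str, static_pool: dict, first_port: int = 14000):
        self.hide_ip = hide_ip
        self.static = dict(static_pool)                  # private ip -> pool ip
        self.static_rev = {v: k for k, v in self.static.items()}
        self.napt = {}                                   # (priv ip, priv port) -> ext port
        self.napt_rev = {}                               # ext port -> (priv ip, priv port)
        self.next_port = first_port

    def outbound(self, sip, sport, dip, dport):
        """Rewrite the source of a packet leaving the private network."""
        if not is_private(sip):
            raise ValueError(f"{sip} is not a private address; refusing to translate")
        if sip in self.static:                           # static translation
            return (self.static[sip], sport, dip, dport)
        key = (sip, sport)                               # dynamic translation (NAPT)
        if key not in self.napt:                         # first packet of the flow: allocate
            ext_port = self.next_port
            self.next_port += 1
            self.napt[key] = ext_port
            self.napt_rev[ext_port] = key
        return (self.hide_ip, self.napt[key], dip, dport)

    def inbound(self, sip, sport, dip, dport):
        """Rewrite the destination of a returning packet; None means no mapping."""
        if dip in self.static_rev:                       # pool address -> private host
            return (sip, sport, self.static_rev[dip], dport)
        if dip == self.hide_ip and dport in self.napt_rev:
            priv_ip, priv_port = self.napt_rev[dport]    # external port picks the flow
            return (sip, sport, priv_ip, priv_port)
        return None                                      # unsolicited: the NAT drops it


def demo() -> dict:
    """Run the constructed flows from the lead-in through both NAT modes."""
    nat = Nat(hide_ip="200.10.4.12",
              static_pool={"10.4.3.1": "200.10.4.10", "10.4.3.2": "200.10.4.11"})
    results = {}
    results["static_out"] = nat.outbound("10.4.3.1", 1500, "198.34.2.5", 80)
    results["static_in"] = nat.inbound("198.34.2.5", 80, "200.10.4.10", 1500)
    results["napt_out_a"] = nat.outbound("10.4.3.3", 1234, "198.34.2.1", 80)
    results["napt_out_b"] = nat.outbound("10.4.3.11", 1234, "198.34.2.1", 80)
    results["napt_in_b"] = nat.inbound("198.34.2.1", 80, "200.10.4.12", 14001)
    results["unsolicited"] = nat.inbound("198.34.2.1", 80, "200.10.4.12", 15000)
    return results


if __name__ == "__main__":
    for name, tup in demo().items():
        print(f"{name:12} {tup}")
```

The two inside hosts both use source port 1234, which is exactly the case NAPT has to resolve: the external port, not the original source port, identifies the flow on the way back. The `unsolicited` case shows why hide-mode NAT also acts as a crude inbound filter: with no table entry there is nowhere to deliver the packet, so it is discarded.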

24
Dynamic Translation
Network Address Port Translation (NAPT) Table
25
Load Balancing Translation
26
Network Redundancy Translation
27
Firewall Configuration Rules
28
  • Firewall Decisions
  • Rules by Security Levels?
  • Paranoid: Nothing is allowed (no external
    connections). The organization has been hacked
    and is paranoid.
  • Cautious: That which is not explicitly permitted
    is not allowed. The default policy is to deny.
  • Optimistic: That which is not explicitly
    prohibited is allowed. The default policy is to
    allow.
  • Open: Everything is allowed. This organization
    has not been hacked.
  • NOTE: Instructor's recommendation: BE CAUTIOUS.
  • Rules by traffic (protocol) needs?
  • Browser (HTTP).
  • Address Resolution (DNS).
  • Electronic Mail (SMTP).
  • Network Management (SNMP).

29
  • Rules for Rules
  • First Match (Apply in order).
  • Place the most specific rules at the top of the
    rule set and
  • Place the least specific rules at the bottom of
    the rule set.
  • Group like protocol rules.
  • Firewall Performance.
  • Place those protocols bearing the most traffic at
    the top of the rule set.
  • This will generally be HTTP.
  • The Firewall must distinguish packets.
  • By the arrival/departure interface.
  • By Type of packet.
  • By the Source/Destination Address.
  • By source/Destination Port.
  • By IP Header Option
  • By ICMP Message
  • By ACK bit.

30
  • Typical Configuration Rules

NOTE: These rules are generic examples and not
specific to any Firewall. They are presented at
the cautious level. The rule is to handle only
HTTP and SMTP traffic.

Columns: Rule name; Direct (direction: In arrives on
the external interface, Out on the internal one);
SIP / SPRT (source IP address / port); DIP / DPRT
(destination IP address / port); OPT (IP option);
Flag (TCP flag); PKT (packet type); TYP (ICMP
message type); ACT (action). SServ is the mail
server, WServ the web server.

Rule   Direct  SIP    SPRT   DIP        DPRT   OPT  Flag  PKT  TYP  ACT
HTTP1  Out     Any    >1023  Any        80     Any  SYN   TCP  Any  Pass
       Allow an outgoing connection to an HTTP server.
HTTP2  In      Any    80     Any        >1023  Any  SYN   TCP  Any  Pass
       Allow already established HTTP traffic to travel back through the firewall.
SMTP1  Out     SServ  Any    Any        25     Any  SYN   TCP  Any  Pass
       Allow the mail server to establish an outgoing connection.
SMTP2  In      Any    Any    SServ      25     Any  Any   TCP  Any  Pass
       Allow incoming connections to the mail server.
SMTP3  In      Any    Any    Not SServ  25     Any  ACK   TCP  Any  Drop
       Disallow any connection from the outside other than to the mail server.
HTTP3  In      Any    Any    Not WServ  80     Any  Any   TCP  Any  Drop
       Disallow any connection from the outside other than to the web server.
31
  • Typical Configuration Rules (cont)

NOTE: These rules are generic examples and not
specific to any Firewall. They are presented at
the cautious level. These are examples of
spoofing rules.

Rule    Direct  SIP        SPRT  DIP     DPRT      OPT     Flag  PKT  TYP  ACT
Source  In      Any        Any   Any     Any       Source  Any   Any  Any  Drop
        Drop all source-routed packets.
Spoof1  In      Internal   Any   Any     Any       Any     Any   Any  Any  Drop
        Drop all packets that appear on the external interface that have an internal source IP address.
Spoof2  Out     Outside    Any   Any     Any       Any     Any   Any  Any  Drop
        Drop all packets that appear on the internal interface that have an outside source IP address.
Spoof3  In      Any        Any   PServs  Any       Any     Any   Any  Any  Drop
        Drop all packets destined for the protected servers.
Spoof4  In      Any        Any   Any     RIP/OSPF  Any     Any   Any  Any  Drop
        Disallow any incoming routing packets.
Stop1   In      196.7.9.9  Any   Any     Any       Any     Any   Any  Any  Drop
        Drop any packets from this specific IP address.
32
  • Typical Configuration Rules (cont)

NOTE: These rules are generic examples and not
specific to any Firewall. They are presented at
the cautious level. These are examples of ICMP
rules to pass packets.

Rule   Direct  SIP  SPRT  DIP  DPRT  OPT  Flag  PKT   TYP            ACT
ICMP1  In      Any  Any   Any  Any   Any  Any   ICMP  Source Quench  Pass
       Allow ICMP Source Quench packets from external hosts.
ICMP2  Out     Any  Any   Any  Any   Any  Any   ICMP  Echo Request   Pass
       Allow Echo Requests outbound.
ICMP3  In      Any  Any   Any  Any   Any  Any   ICMP  Echo Reply     Pass
       Allow the replies to the echo request to be returned.
ICMP5  In      Any  Any   Any  Any   Any  Any   ICMP  Dest Unreach   Pass
       Allow ICMP Destination Unreachable packets from external hosts.
ICMP6  In      Any  Any   Any  Any   Any  Any   ICMP  Serv Unav      Pass
       Allow ICMP Service Unavailable packets from external hosts.
ICMP7  In      Any  Any   Any  Any   Any  Any   ICMP  TTL Exced      Pass
       Allow ICMP Time-to-Live Exceeded packets from external hosts.
33
  • Typical Configuration Rules (cont)

NOTE: These rules are generic examples and not
specific to any Firewall. They are presented at
the cautious level. These are examples of ICMP
rules to drop packets.

Rule    Direct  SIP  SPRT  DIP  DPRT  OPT  Flag  PKT   TYP           ACT
ICMP7   In      Any  Any   Any  Any   Any  Any   ICMP  Redirect      Drop
        Drop ICMP Redirect on the external interface.
ICMP8   In      Any  Any   Any  Any   Any  Any   ICMP  Echo Request  Drop
        Drop ICMP Echo Request on the external interface.
ICMP9   Out     Any  Any   Any  Any   Any  Any   ICMP  Echo Reply    Drop
        Drop ICMP Echo Reply packets that are outbound.
ICMP10  Out     Any  Any   Any  Any   Any  Any   ICMP  Dest Unreach  Drop
        Drop ICMP Destination Unreachable packets that are outbound.
ICMP6   Out     Any  Any   Any  Any   Any  Any   ICMP  Serv Unav     Drop
        Drop ICMP Service Unavailable packets that are outbound.
ICMP7   Any     Any  Any   Any  Any   Any  Any   ICMP  Any           Drop
        Drop all ICMP packets in either direction.
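Slide 29 says rules are applied first-match, most specific at the top, and the cautious level on slide 28 makes the default deny. The Python below is an added example (not code from the presentation) that evaluates a representative subset of the generic rules from slides 30 through 33 against constructed packets, with the anti-spoofing rules placed before the service rules as slide 29 prescribes. Assumptions: the symbols Internal and Outside are resolved by RFC 1918 membership (slide 20); SServ, WServ and PServs are given hypothetical addresses; >1023 is the slides' "gt1023"; a packet is the slides' column set plus the interface it arrived on.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"

# "Internal" / "Outside" are decided by RFC 1918 membership (slide 20).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical addresses behind the slides' server symbols (assumption).
HOSTS = {"SServ": {"10.4.3.25"}, "WServ": {"10.4.3.80"},
         "PServs": {"10.4.3.50", "10.4.3.51"}}


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def match_addr(spec: str, ip: str) -> bool:
    """Address column: Any, Internal, Outside, a server symbol, a literal IP, or 'Not X'."""
    if spec == ANY:
        return True
    negate = spec.startswith("Not ")
    name = spec[4:] if negate else spec
    if name == "Internal":
        hit = is_internal(ip)
    elif name == "Outside":
        hit = not is_internal(ip)
    elif name in HOSTS:
        hit = ip in HOSTS[name]
    else:
        hit = ip == name                      # literal address such as 196.7.9.9
    return hit != negate


def match_port(spec: str, port: int) -> bool:
    """Port column: Any, an exact port, or '>N' (the slides' gt1023)."""
    if spec == ANY:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def match_field(spec: str, value: str) -> bool:
    return spec == ANY or spec == value


@dataclass
class Packet:
    direct: str           # "In": arrived on the external interface; "Out": on the internal one
    sip: str
    sport: int
    dip: str
    dport: int
    pkt: str = "TCP"      # TCP, UDP or ICMP
    flag: str = "None"    # SYN or ACK for TCP
    typ: str = "None"     # ICMP message type
    opt: str = "None"     # IP option; "Source" marks a source-routed packet


@dataclass
class Rule:
    name: str; direct: str; sip: str; sport: str; dip: str; dport: str
    opt: str; flag: str; pkt: str; typ: str; act: str

    def matches(self, p: Packet) -> bool:
        return (match_field(self.direct, p.direct)
                and match_addr(self.sip, p.sip) and match_port(self.sport, p.sport)
                and match_addr(self.dip, p.dip) and match_port(self.dport, p.dport)
                and match_field(self.opt, p.opt) and match_field(self.flag, p.flag)
                and match_field(self.pkt, p.pkt) and match_field(self.typ, p.typ))


# Columns as on the slides: Rule Direct SIP SPRT DIP DPRT OPT Flag PKT TYP ACT.
# Anti-spoofing rules first (most specific), then service rules, then ICMP.
RULES = [Rule(*r) for r in [
    ("Source", "In",  ANY,         ANY,     ANY,         ANY,     "Source", ANY,   ANY,    ANY,            "Drop"),
    ("Spoof1", "In",  "Internal",  ANY,     ANY,         ANY,     ANY,      ANY,   ANY,    ANY,            "Drop"),
    ("Spoof2", "Out", "Outside",   ANY,     ANY,         ANY,     ANY,      ANY,   ANY,    ANY,            "Drop"),
    ("Spoof3", "In",  ANY,         ANY,     "PServs",    ANY,     ANY,      ANY,   ANY,    ANY,            "Drop"),
    ("Stop1",  "In",  "196.7.9.9", ANY,     ANY,         ANY,     ANY,      ANY,   ANY,    ANY,            "Drop"),
    ("HTTP1",  "Out", ANY,         ">1023", ANY,         "80",    ANY,      "SYN", "TCP",  ANY,            "Pass"),
    ("HTTP2",  "In",  ANY,         "80",    ANY,         ">1023", ANY,      "SYN", "TCP",  ANY,            "Pass"),
    ("SMTP1",  "Out", "SServ",     ANY,     ANY,         "25",    ANY,      "SYN", "TCP",  ANY,            "Pass"),
    ("SMTP2",  "In",  ANY,         ANY,     "SServ",     "25",    ANY,      ANY,   "TCP",  ANY,            "Pass"),
    ("SMTP3",  "In",  ANY,         ANY,     "Not SServ", "25",    ANY,      "ACK", "TCP",  ANY,            "Drop"),
    ("HTTP3",  "In",  ANY,         ANY,     "Not WServ", "80",    ANY,      ANY,   "TCP",  ANY,            "Drop"),
    ("ICMP5",  "In",  ANY,         ANY,     ANY,         ANY,     ANY,      ANY,   "ICMP", "Dest Unreach", "Pass"),
    ("ICMP8",  "In",  ANY,         ANY,     ANY,         ANY,     ANY,      ANY,   "ICMP", "Echo Request", "Drop"),
]]


def decide(p: Packet, rules=RULES, default="Drop"):
    """First match wins (slide 29); no match falls to the cautious default: deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.act, rule.name
    return default, "default"


if __name__ == "__main__":
    # Constructed packets, not captured traffic.
    for p in (Packet("Out", "10.4.3.5", 40000, "198.34.2.5", 80, flag="SYN"),
              Packet("In", "10.4.3.9", 80, "10.4.3.5", 40000, flag="SYN"),
              Packet("In", "198.34.2.5", 0, "10.4.3.5", 0, pkt="ICMP", typ="Echo Request")):
        print(p.direct, p.sip, "->", p.dip, decide(p))
```

Two things fall out of running it that the tables alone do not show. First, ordering is part of the policy: the second constructed packet has an internal source address yet matches HTTP2's columns, so if HTTP2 came before Spoof1 it would be passed; with the anti-spoofing rule on top it is dropped. Second, the slides' cautious set has no rule admitting inbound connections to WServ, so such a packet falls through HTTP3 (which only matches destinations other than the web server) to the default deny; publishing a web server would need an explicit Pass rule, placed below the spoofing rules.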