Firewall Matthew Prestifilippo, Bill Kazmierski, Pat Sparrow

Basics Intended to stop unauthorized traffic from traveling from one network to another Intended to stop unauthorized traffic from traveling from one network to another Between router and internal network setup Between router and internal network setup

All data arriving at or leaving the network passes through the firewall, where it can be accepted or denied. A list of rules can be set, allowing the firewall to determine what types of data should not be allowed to pass through. These rules can allow certain devices inside the network to have different privileges Basics

Filtering Packet Filters Packet Filters This job is done in the transport and network layerThis job is done in the transport and network layer Looks at the packets to see if forbidden IP’s are trying to come in.Looks at the packets to see if forbidden IP’s are trying to come in. Not affective in the case of spoofingNot affective in the case of spoofing Stateful Inspection Stateful Inspection Use ACK and SYN packet for verification/correspondenceUse ACK and SYN packet for verification/correspondence Keeps track of sessionsKeeps track of sessions

Filtering Application Proxies Application Proxies Application levelApplication level Extra processing power needed, but more security providedExtra processing power needed, but more security provided

Filtering A firewall can filter packets based on the source or destination IP address A firewall can filter packets based on the source or destination IP address A firewall can filter packets based on the destination port A firewall can filter packets based on the destination port A firewall can filter packets based on the protocol (UDP, TCP, IP …) A firewall can filter packets based on the protocol (UDP, TCP, IP …)

Interfaces 3 basic interfaces: 3 basic interfaces: 1. Inside – trusted network1. Inside – trusted network 2. Outside – untrusted network2. Outside – untrusted network 3. DMZ – demilitarized zone3. DMZ – demilitarized zone Web server Web server Why a DMZ? Why a DMZ?

NAT Static Static Permanent inside local -> inside global mappingPermanent inside local -> inside global mapping Dynamic Dynamic Pool of global addresses are defined. Machines that make a request to the outside are assigned accordingly.Pool of global addresses are defined. Machines that make a request to the outside are assigned accordingly.

NAT Overloading (PAT) Overloading (PAT) When there are more nodes than there are global addresses available, use port space to map to extra machinesWhen there are more nodes than there are global addresses available, use port space to map to extra machines This means that one address can be used for multiple computers (hence the term overloading)This means that one address can be used for multiple computers (hence the term overloading)

PAT

URL Filtering Need a N2H2 or a Websense server Need a N2H2 or a Websense server Filtering process includes the PIX relying on the server to determine whether or not a website is allowed. Filtering process includes the PIX relying on the server to determine whether or not a website is allowed. Could also use the access-list command Could also use the access-list command

Packet Inspection A Firewall must inspect every packet traveling in and out of a network A Firewall must inspect every packet traveling in and out of a network Too many rules can result in a bottleneck Too many rules can result in a bottleneck Looking up domain names while logging can slow performance Looking up domain names while logging can slow performance Using VPN and other functions can slow the performance Using VPN and other functions can slow the performance

PIX 515e Firewall 433 MHz Intel Celeron processor 433 MHz Intel Celeron processor 64 MB RAM 64 MB RAM 16 MB onboard flash memory 16 MB onboard flash memory 188 Mbps throughput 188 Mbps throughput can handle more than 130,000 sessions can handle more than 130,000 sessions Recommended for small to medium-sized business networks Recommended for small to medium-sized business networks

Our Setup We reset the firewall with the inside IP address of with a netmask of , which is the same as the inside address of the original network configuration We reset the firewall with the inside IP address of with a netmask of , which is the same as the inside address of the original network configuration We set the outside IP address to , which is the same as the original network configuration. We set the outside IP address to , which is the same as the original network configuration. The PIX515 has replaced the router. The PIX515 has replaced the router. By default, the firewall allows outgoing traffic to any IP address. By default, the firewall allows outgoing traffic to any IP address.

Rules Source and Destinations IPs Source and Destinations IPs Source and Destination interface Source and Destination interface Type of Packet Type of Packet Default rule: Default rule: Source: on inside interface Source: on inside interface Destination: on outside interface Destination: on outside interface Packet Type: IP Packet Type: IP Action: Permit Action: Permit

Our Rules Allow all traffic to enter the network Allow all traffic to enter the network Source: on the outside Source: on the outside Destination: on the inside Destination: on the inside Packet Type: IP Packet Type: IP Action: Permit Action: Permit  Prevent hosts from accessing Playboy.com Source: on the outside Source: on the outside Destination: on the inside Destination: on the inside Packet Type: IP Packet Type: IP Action: Deny Action: Deny

Work With IDS View IDS logs to find any bad IPS and add rules to prevent them from sending packets to the network View IDS logs to find any bad IPS and add rules to prevent them from sending packets to the network