Published by Kevin Hunter. Modified over 9 years ago.
Firewall Configuration Rules
Firewall Configuration Rules (outline)
- Port review
- NAT review
- Proxy review
- Firewall configuration
Port Review
Protocol and Port Numbers (UDP encapsulation diagram): an Ethernet frame (preamble, destination MAC 00:00:1B:12:23:34, source MAC 00:00:1B:09:08:07, type field, FCS) carries an IP header with protocol 17 (UDP), source IP 128.66.12.2 and destination IP 128.66.13.1, followed by a UDP header with source port 5512 and destination port 69 (TFTP), then the data. The layers shown are data link, network, transport and application.
User Datagram Protocol (UDP)

UDP source/destination port:
1. The port numbers identify the sending and receiving processes; UDP uses the destination port to demultiplex an incoming datagram to a particular process on the host.
2. Demultiplexing happens in two steps: IP hands an incoming datagram to TCP or UDP based on the protocol field in the IP header (17 = UDP, 6 = TCP), and UDP then hands it to an application based on the destination port number.
3. Together, the IP address and the port number uniquely identify any application on any computer on the Internet.
4. UDP port numbers can be static or dynamic:
   - Static ports (0-1023) are assigned by a central authority (IANA) and are called well-known ports (sometimes "universal assignments"). Typical static ports: 7 = echo, 37 = time, 69 = TFTP, 161 = SNMP network monitoring, 514 = system log, 520 = RIP.
   - Dynamic ports are not globally known; they are assigned by software from the remaining range, 1024-65535. (IANA further divides that range into registered ports, 1024-49151, and dynamic or ephemeral ports, 49152-65535.)

UDP message length: the size of the UDP header plus its data, in bytes. The minimum is 8 (the header alone).

UDP header layout (two 32-bit words, bits 0-15 and 16-31):
- Source port | Destination port
- Message length | Checksum
- Data follows the header.
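To make the two-step demultiplexing and the port classification above concrete, here is an added example in Python (it is not part of the original slides). It builds the TFTP datagram from the encapsulation diagram (128.66.12.2:5512 to 128.66.13.1:69), then demultiplexes it the way a receiving stack does: IP header checksum, protocol field, UDP length field checked against the IP total length, UDP checksum over the RFC 768 pseudo-header, and finally the port lookup. The TFTP request bytes and the IP identification value are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_UDP = 17
IPPROTO_TCP = 6

# Well-known UDP ports named on the slides (IANA system range 0-1023, plus NFS).
WELL_KNOWN_UDP = {7: "echo", 9: "discard", 13: "daytime", 53: "domain", 67: "bootps",
                  68: "bootpc", 69: "tftp", 111: "sunrpc", 123: "ntp", 161: "snmp",
                  162: "snmptrap", 514: "syslog", 520: "rip", 2049: "nfs"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry, as used by IP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header that RFC 768 folds into the UDP checksum."""
    return (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len))


def build_udp_packet(src_ip: str, dst_ip: str, sport: int, dport: int,
                     payload: bytes, ttl: int = 64) -> bytes:
    """Encapsulate payload in UDP and IPv4 headers, filling in both checksums."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, udp_len) + udp)
    udp = udp[:6] + struct.pack("!H", csum or 0xFFFF) + udp[8:]  # 0 would mean "no checksum"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, ttl,
                     IPPROTO_UDP, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", 0xFFFF ^ ones_complement_sum(ip)) + ip[12:]
    return ip + udp


def port_class(port: int) -> str:
    """The slide's two classes: static/well-known (0-1023) or dynamic (1024-65535)."""
    return "well-known" if port <= 1023 else "dynamic"


def demux(packet: bytes) -> dict:
    """Walk the stack like the receiver: IP header -> protocol field -> UDP -> port."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or ones_complement_sum(packet[:ihl]) != 0xFFFF:
        raise ValueError("malformed IP header")
    proto = packet[9]
    src_ip, dst_ip = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    if proto != IPPROTO_UDP:  # IP would hand this to TCP (6) or elsewhere, not to UDP
        return {"src_ip": src_ip, "dst_ip": dst_ip, "proto": proto, "transport": "not UDP"}
    udp = packet[ihl:total_len]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, csum = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len > len(udp):
        raise ValueError("UDP length field disagrees with IP total length")
    udp = udp[:udp_len]
    if csum == 0:
        checksum_ok = None  # IPv4 lets a sender omit the UDP checksum entirely
    else:
        checksum_ok = ones_complement_sum(pseudo_header(src_ip, dst_ip, udp_len) + udp) == 0xFFFF
    return {"src_ip": src_ip, "dst_ip": dst_ip, "proto": proto, "transport": "udp",
            "sport": sport, "dport": dport, "payload": udp[8:],
            "service": WELL_KNOWN_UDP.get(dport, "unassigned/dynamic"),
            "port_class": (port_class(sport), port_class(dport)), "checksum_ok": checksum_ok}


# Constructed sample: a TFTP read request (opcode 1) for "boot.img" in octet mode.
TFTP_RRQ = b"\x00\x01boot.img\x00octet\x00"
SAMPLE = build_udp_packet("128.66.12.2", "128.66.13.1", 5512, 69, TFTP_RRQ)

if __name__ == "__main__":
    print(demux(SAMPLE))
```

The checks in demux are the ones a packet filter or IDS has to make before it can trust the port numbers it is about to match on: a UDP length that exceeds the IP total length, or a bad checksum, means the fields you are reading may not be the fields the receiving host will act on.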
Well-Known UDP Ports (examples)

Port   Service      Description
7      Echo         Echo the user datagram back to the sender
9      Discard      Discard user datagrams
13     Daytime      Report the time in a user-friendly form
17     Quote        Return the "quote of the day"
19     Chargen      Character generator
53     Nameserver   Domain Name Server (DNS)
66     SQL*Net      Oracle SQL*Net
67     BOOTPS       Server port for downloading configuration information
68     BOOTPC       Client port for receiving configuration information
69     TFTP         Trivial File Transfer Protocol
110    POP3         Post Office Protocol version 3
111    SunRPC       Sun Remote Procedure Call (portmapper)
123    NTP          Network Time Protocol
161    SNMP         Receives network management queries
162    SNMP-trap    Receives network problem reports (traps)
194    IRC          Internet Relay Chat
213    IPX          IPX over IP tunneling
514    Syslog       System log
520    RIP          Routing Information Protocol
2049   NFS          Network File System

- Well-known ports are the standard ports 0-1023, reserved for standard services.
- The Internet Assigned Numbers Authority (IANA) is responsible for assigning well-known ports.
Protocol and Port Numbers (TCP encapsulation diagram): the same Ethernet frame (preamble, destination MAC 00:00:1B:12:23:34, source MAC 00:00:1B:09:08:07, type field, FCS) carries an IP header with protocol 6 (TCP), source IP 128.66.12.2 and destination IP 128.66.13.1, followed by a TCP header with source port 5512 and destination port 23 (Telnet), then the data. The layers shown are data link, network, transport and application.
TCP Encapsulation (diagram only)
Well-Known TCP Port Numbers

Port   Application   Description
9      Discard       Discard all incoming data
19     Chargen       Exchange streams of data
20     FTP-Data      File transfer data port
21     FTP-CMD       File transfer command port
23     Telnet        Remote login
25     SMTP          Simple Mail Transfer Protocol
79     Finger        Obtains information about active users
80     HTTP          Hypertext Transfer Protocol
88     Kerberos      Authentication protocol
110    POP3          PC mail retrieval service
119    NNTP          Network news access
179    BGP           Border Gateway Protocol
513    Rlogin        Remote login (BSD r-command)
514    RSH           Remote shell (BSD r-command; the slide labels it Rexec, but rexec is port 512)
TCP Process Addressing
- An end point describes one side of a connection in terms of an IP address and a port, for example (164.22.40.8, 1500).
- A half association describes just one process in terms of the protocol, the IP address and the port, for example (TCP, 164.22.40.8, 1500).
- A full association describes a connection in terms of the protocol and both end points, for example (TCP, 164.22.40.8, 1500, 165.62.1.125, 22). This five-tuple is what a stateful firewall or a NAT keys its connection table on.

Diagram: two protocol stacks (PHYS, LINK, IP, TCP/UDP), host 164.22.40.8 using port 1500 and host 165.62.1.125 using port 22.
Selected Ports
- Echo - UDP port 7:
  - Retransmits to the sender anything it receives. Used for testing networks.
  - Disable if not needed, or block at the firewall.
- Discard - TCP/UDP port 9:
  - Discards anything it receives. Used for developing network tools.
  - Disable if not needed, or block at the firewall.
- Daytime - UDP port 13:
  - Sends the server's date and time to the client.
  - Disable if not needed, or block at the firewall.
- Quote - UDP port 17:
  - Sends the connecting client a quote selected from a file of quotes.
  - Disable if not needed, or block at the firewall.
Selected Ports (cont.)
- Chargen - TCP/UDP port 19:
  - Continuously sends printable ASCII characters. Used for testing network tools.
  - Disable if not needed, or block at the firewall. Echo and chargen answer any UDP source, so one spoofed datagram can bounce traffic between two such servers indefinitely; that loop is a further reason to block both.
- FTP - TCP ports 20 and 21:
  - Used for transferring files over the Internet (21 carries the control connection, 20 the active-mode data connection).
  - Disable if not needed; otherwise use a proxy.
- Telnet - TCP port 23:
  - Used to connect remotely to a server. Nothing is encrypted, so the login name and password are readable on the wire.
  - Disable if not needed, or block at the firewall.
- SMTP - TCP port 25:
  - Used for the exchange of email over the Internet.
  - Proxy SMTP across the firewall.
Selected Ports (cont.)
- DNS - UDP port 53 (TCP port 53 is used for zone transfers and responses too large for UDP):
  - Translates text-based names into IP addresses.
  - Proxy DNS across the firewall.
- BOOTP/DHCP - UDP ports 67 (server) and 68 (client):
  - BOOTP allows diskless workstations to find and load their operating systems over the network.
  - DHCP provides dynamic allocation of IP addresses.
  - Both BOOTP and DHCP should be used only inside the firewall.
- TFTP - UDP port 69:
  - A simpler version of FTP with no authentication, used with BOOTP and DHCP to let diskless workstations acquire and load their operating systems.
  - Disable, or block at the firewall.
- Gopher - TCP port 70:
  - An early menu-driven document retrieval system that preceded the spread of the Web.
  - Disable, or block at the firewall.
Selected Ports (cont.)
- Finger - TCP port 79:
  - Used to obtain user information such as names, office hours, telephone numbers and current projects.
  - Disable.
- HTTP - TCP port 80:
  - Used to transfer text, video, graphics, sound and programs over the Internet.
  - Proxy HTTP across the firewall.
- POP3 - TCP port 110:
  - Allows users to retrieve their mail over the LAN or the Internet.
  - Proxy POP3, or block at the firewall.
- RPC portmapper - TCP/UDP port 111:
  - Allows two computers to coordinate the execution of software (Sun RPC); the portmapper tells clients which port each RPC service is listening on, which is why scanners query it first.
  - Disable, or block at the firewall.
Selected Ports (cont.)
- NetBIOS - UDP ports 137 and 138, TCP port 139:
  - Used by MS Windows networking to connect LAN clients to file and print services.
  - Block at the firewall.
- IMAP - TCP port 143:
  - Used by clients to read mail that remains on the server rather than being downloaded to the client.
  - Disable if not needed.
- SNMP - UDP port 161:
  - Used to remotely manage network devices such as routers, servers, hubs and clients.
  - Block at the firewall.
- LDAP - TCP/UDP port 389:
  - Used to query and maintain directory information such as contact details.
  - Block at the firewall.
Selected Ports (cont.)
- RSH - TCP port 514:
  - Used to run commands remotely on a server. Authentication is host-based (.rhosts trust) and nothing is encrypted.
  - Block at the firewall.
- NFS - TCP/UDP port 2049:
  - Provides clients LAN access to data storage; the Unix equivalent of Windows file sharing over NetBIOS.
  - Block at the firewall.
NAT Review
Overview

The IAB identified three immediate Internet dangers:
1. The InterNIC was fast exhausting Class B addresses.
2. The increase in networks and hosts had produced a routing table explosion.
3. The increase in networks and hosts was fast depleting the 32-bit address space.

- Class B exhaustion (the "three bears" problem):
  - Class A: 8-bit network / 24-bit host; 126 usable networks of 16,777,214 hosts. Too scarce (assigned by IANA).
  - Class B: 14-bit network / 16-bit host; 16,384 networks of 65,534 hosts. About right for subnetting, so everyone wanted one.
  - Class C: 21-bit network / 8-bit host; 2,097,152 networks of 254 hosts. Too narrow.
- Routing table explosion: a catch-all term for the problems of building, propagating and searching very large routing databases; every separately announced network costs an entry in every default-free router.
IP Address Depletion Strategies

The InterNIC (with the IETF) adopted four major strategies for handling the depletion of IP addresses:
- Creative IP address space allocation: RFC 2050, Internet Registry IP Allocation Guidelines.
- Private addresses with Network Address Translation (NAT): RFC 1918, Address Allocation for Private Internets; RFC 1631, The IP Network Address Translator (NAT).
- Classless Inter-Domain Routing (CIDR): RFC 1519, Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy.
- IP version 6 (IPv6): RFC 1883, Internet Protocol, Version 6 (IPv6) Specification (since replaced by RFC 2460 and then RFC 8200).
Private IP Addresses

Private IP addresses relax the rule that IP addresses are globally unique.
- This conservation technique reserves part of the IP address space for use exclusively within an organization.
- Hosts using these addresses do not need direct connectivity to the Internet.

IANA reserves three ranges of IP addresses for "private internets" (RFC 1918):
- 10.0.0.0 - 10.255.255.255 (10/8): a single Class A network
- 172.16.0.0 - 172.31.255.255 (172.16/12): sixteen contiguous Class B networks
- 192.168.0.0 - 192.168.255.255 (192.168/16): 256 contiguous Class C networks

Any organization may use these addresses provided it adheres to the following rules:
- They must not be referenced by hosts in another organization.
- They must not be configured on any external (Internet-facing) router.
- An organization using private addresses must not advertise them externally and must not forward IP datagrams carrying them to external routers.
- External routers quietly discard any routing information about these addresses.

All connectivity from a privately addressed host to an Internet host must be provided by a Network Address Translator (or by an application proxy).
Network Address Translators

NATs are based on the idea that only a small part of the hosts in a private network will communicate outside that network at any one time.
- NATs are the solution for organizations that use non-routable (private) IP addresses.
- A NAT, normally part of a firewall, sits between the private network and the Internet and:
  - dynamically translates the private source IP address of an outgoing packet into an Internet-routable IP address;
  - translates the destination IP address of the returning packet back into the private IP address.
- The NAT described here translates only TCP and UDP packets, so the private network cannot be pinged from outside (ICMP is not translated). Most current NATs do also translate ICMP echo by its query identifier and map ICMP errors back by inspecting the embedded header.
- The NAT hides the internal network from the view of outsiders: only the translator's own addresses are ever seen.

Diagram: the Network Address Translator between the private network and the Internet, with its functions labelled Translate, Map and Exclude, an address pool and static addresses.
NAT Translation Modes
- Static translation (one-to-one; port forwarding is the per-port variant): a fixed mapping between an internal resource with a non-routable IP address and a specific external routable IP address.
- Dynamic translation (also called automatic, hide mode, IP masquerade or NAPT): a large group of internal resources with non-routable IP addresses is translated to a single external routable IP address; each internal connection is identified by a distinct external port number.
- Load-balancing translation: a single external IP address is translated to one of a pool of identically configured servers, so one external address serves a number of servers.
- Network redundancy translation: a single firewall is attached to multiple Internet connections that it can use for load balancing or redundancy.
Static Translation

- The private network is assigned non-routable addresses.
- The NAT pool consists of registered (routable) IP addresses that the outside world sees as the external addresses of the private network.
  - For outgoing packets, a NAT pool address is substituted for the private source IP address.
  - For incoming packets, the original private address is reinserted as the destination IP address, replacing the NAT pool address.

Diagram (private network 10.4.3.x, NAT pool 200.10.4.10-12, remote host 198.34.2.5):
  10.4.3.1  <->  200.10.4.10
  10.4.3.2  <->  200.10.4.11
  (unused)       200.10.4.12
An outgoing packet with source 10.4.3.1 and destination 198.34.2.5 leaves the NAT with source 200.10.4.10 and destination 198.34.2.5; the reply to 200.10.4.10 is delivered to 10.4.3.1.
Dynamic Translation: Network Address and Port Translation (NAPT) Table

Private address  Private port  NAT address   NAT port  Destination address  Destination port  Protocol
10.4.3.2         21023         200.10.4.10   14003     198.34.2.1           80                TCP
10.4.3.3         1234          200.10.4.10   14005     198.34.2.1           80                TCP
10.4.3.11        26066         200.10.4.10   14007     198.34.2.1           21                TCP

All three internal hosts share the single public address 200.10.4.10; the NAT port tells the translator which private host and port a returning packet belongs to. The diagram also shows the static mapping 10.4.3.1 -> 200.10.4.10 and a second outside host, 198.34.2.5.
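As an added example that is not from the slides, the Python class below implements the dynamic translation table above together with a static port forward in the sense of the static translation slide: outbound packets from private addresses get the NAT address and a fresh NAT port, inbound packets are mapped back only if a matching table entry exists and only from the peer that entry was created for, and anything else (unsolicited packets, non-private sources, non-TCP/UDP traffic) is refused. The addresses come from the slides; the packet representation, the mail-server forward (external TCP 25 to 10.4.3.1:25) and the port allocator stepping by 2 to reproduce the table's numbers are assumptions of the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address

EXTERNAL_IP = "200.10.4.10"      # the NAT's single registered address, from the slide


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp" or "udp"; anything else is not translated here
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Hide-mode NAPT for outbound flows plus static port forwards for inbound ones."""

    def __init__(self, external_ip: str = EXTERNAL_IP, first_port: int = 14003):
        self.external_ip = external_ip
        self._next_port = first_port   # any free port would do; stepping by 2 matches the slide
        self.by_nat_port = {}          # (proto, nat_port) -> (priv_ip, priv_port, remote_ip, remote_port)
        self.by_flow = {}              # (proto, priv_ip, priv_port, remote_ip, remote_port) -> nat_port
        self.static = {}               # (proto, external_port) -> (priv_ip, priv_port)

    def add_static(self, proto: str, external_port: int, priv_ip: str, priv_port: int) -> None:
        """Static translation (port forwarding): a fixed external port always reaches one host."""
        self.static[(proto, external_port)] = (priv_ip, priv_port)

    def outbound(self, p: Packet):
        """Rewrite the source of a packet leaving the private network; None = not translatable."""
        if p.proto not in ("tcp", "udp") or not ip_address(p.src).is_private:
            return None
        for (proto, ext_port), inside in self.static.items():
            if (proto, *inside) == (p.proto, p.src, p.sport):  # replies from a forwarded service
                return replace(p, src=self.external_ip, sport=ext_port)
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        nat_port = self.by_flow.get(flow)
        if nat_port is None:                                    # first packet of a new flow
            nat_port = self._next_port
            self._next_port += 2
            self.by_flow[flow] = nat_port
            self.by_nat_port[(p.proto, nat_port)] = flow[1:]
        return replace(p, src=self.external_ip, sport=nat_port)

    def inbound(self, p: Packet):
        """Rewrite the destination of a packet arriving from the Internet; None = drop it."""
        if p.proto not in ("tcp", "udp") or p.dst != self.external_ip:
            return None
        forward = self.static.get((p.proto, p.dport))
        if forward is not None:
            return replace(p, dst=forward[0], dport=forward[1])
        entry = self.by_nat_port.get((p.proto, p.dport))
        if entry is None:
            return None                # no mapping: unsolicited, the inside host stays invisible
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (p.src, p.sport) != (remote_ip, remote_port):
            return None                # only the peer this mapping was created for may use it
        return replace(p, dst=priv_ip, dport=priv_port)

    def table(self):
        """Rows in the layout of the NAPT table on the slide."""
        return [(priv_ip, priv_port, self.external_ip, nat_port, remote_ip, remote_port, proto.upper())
                for (proto, nat_port), (priv_ip, priv_port, remote_ip, remote_port)
                in self.by_nat_port.items()]


if __name__ == "__main__":
    nat = Napt()
    nat.add_static("tcp", 25, "10.4.3.1", 25)
    nat.outbound(Packet("tcp", "10.4.3.2", 21023, "198.34.2.1", 80))
    nat.outbound(Packet("tcp", "10.4.3.3", 1234, "198.34.2.1", 80))
    nat.outbound(Packet("tcp", "10.4.3.11", 26066, "198.34.2.1", 21))
    for row in nat.table():
        print(row)
```

The check on the remote address and port in inbound() is what makes the "NAT hides the internal network" claim true in practice: a mapping is a door opened for one peer, not an open port. A NAT that accepts any source for an existing mapping (endpoint-independent filtering) is what hole-punching tools rely on, and it is also what a port scanner hopes for.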
Load Balancing Translation (diagram): a browser on the Internet reaches one external address on the firewall, which distributes the connections across Server A, Server B, Server C and Server D in the private network.
Network Redundancy Translation (diagram): the firewall is connected to three Internet providers (Sprint, UUNET, MindSpring); browsers outside and the server inside the private network are reachable over any of the links.
Firewall Configuration Rules
Firewall Decisions

Rules by security level:
- Paranoid: nothing is allowed (no external connections). The organization has been hacked and is paranoid.
- Cautious: that which is not explicitly permitted is denied. The default policy is deny.
- Optimistic: that which is not explicitly prohibited is allowed. The default policy is allow.
- Open: everything is allowed. This organization has not been hacked (yet).
NOTE: The instructor's recommendation is BE CAUTIOUS.

Rules by traffic (protocol) needs:
- Browsing (HTTP).
- Name resolution (DNS).
- Electronic mail (SMTP).
- Network management (SNMP).
Rules for Rules
- First match (rules are applied in order):
  - Place the most specific rules at the top of the rule set and the least specific at the bottom.
  - Group rules for the same protocol together.
- Firewall performance:
  - Among rules that do not overlap, place those for the protocols carrying the most traffic at the top of the rule set; this will generally be HTTP. Ordering for speed must never move a specific rule below a general one that would shadow it.
- The firewall must be able to distinguish packets:
  - by the arrival/departure interface;
  - by packet type (protocol);
  - by source/destination address;
  - by source/destination port;
  - by IP header options (for example source routing);
  - by ICMP message type;
  - by the TCP ACK bit (set on every segment of an established connection, clear only on the initial SYN).
Typical Configuration Rules

Columns: Rule, Direction, Source IP, Source port, Destination IP, Destination port, IP options, TCP flag, Protocol, Action, Description. "SServ" is the mail server and "WServ" the web server.

NOTE: These rules are generic examples and not specific to any firewall. They are presented at the cautious level (default deny), and this set is meant to handle only HTTP and SMTP traffic.

HTTP1  Out  Any    >1023  Any        80     Any  SYN  TCP  Pass  Allow an inside client to open a connection to an HTTP server.
HTTP2  In   Any    80     Any        >1023  Any  ACK  TCP  Pass  Allow packets of an already established HTTP connection back through the firewall.
SMTP1  Out  SServ  Any    Any        25     Any  SYN  TCP  Pass  Allow the mail server to open an outgoing connection to a remote mail server.
SMTP2  In   Any    Any    SServ      25     Any  Any  TCP  Pass  Allow incoming connections to the mail server.
SMTP3  In   Any    Any    Not SServ  25     Any  Any  TCP  Drop  Disallow any connection from the outside to port 25 other than to the mail server.
HTTP3  In   Any    Any    Not WServ  80     Any  Any  TCP  Drop  Disallow any connection from the outside to port 80 other than to the web server.

Caveats: the slide shows SYN for HTTP2; the return traffic of an established connection is recognised by the ACK bit, and a SYN rule there would admit new inbound connections from anyone using source port 80. As listed, the set also has no rules for the remaining packets of SMTP1's and SMTP2's connections (outbound ACK segments from SServ, inbound ACK segments to SServ above port 1023) and no pass rule for connections to WServ, which HTTP3 implies should exist; under first match with a default deny, everything not listed is dropped.
Typical Configuration Rules (cont.)

Columns as before. NOTE: These rules are generic examples and not specific to any firewall, presented at the cautious level. They are examples of anti-spoofing rules and belong ahead of the pass rules, since the firewall applies the first match.

Source  In   Any        Any  Any     Any       Source route  Any  Any  Drop  Drop all source-routed packets.
Spoof1  In   Internal   Any  Any     Any       Any           Any  Any  Drop  Drop packets arriving on the external interface with an internal source address.
Spoof2  Out  Outside    Any  Any     Any       Any           Any  Any  Drop  Drop packets arriving on the internal interface with an outside source address.
Spoof3  In   Any        Any  PServs  Any       Any           Any  Any  Drop  Drop all packets from outside destined for the protected (internal-only) servers.
Spoof4  In   Any        Any  Any     RIP/OSPF  Any           Any  Any  Drop  Disallow incoming routing-protocol packets (RIP is UDP port 520; OSPF is IP protocol 89 and is matched by protocol rather than port).
Stop1   In   196.7.9.9  Any  Any     Any       Any           Any  Any  Drop  Drop any packets from this specific IP address.
Typical Configuration Rules (cont.)

NOTE: These rules are generic examples and not specific to any firewall, presented at the cautious level. They are examples of ICMP rules that pass packets. Ports and TCP flags do not apply to ICMP, so those columns are omitted.

Rule   Dir  Src  Dst  ICMP type                Action  Description
ICMP1  In   Any  Any  Source Quench            Pass    Allow ICMP Source Quench from external hosts. (Source Quench has since been deprecated by RFC 6633 and is ignored by modern hosts; today it is normally dropped.)
ICMP2  Out  Any  Any  Echo Request             Pass    Allow echo requests outbound.
ICMP3  In   Any  Any  Echo Reply               Pass    Allow the replies to those echo requests to be returned.
ICMP5  In   Any  Any  Destination Unreachable  Pass    Allow Destination Unreachable from external hosts (path MTU discovery and fast failure of connection attempts depend on it).
ICMP6  In   Any  Any  "Service Unavailable"    Pass    Allow these from external hosts. (There is no ICMP type of this name; it is presumably a Destination Unreachable code such as port unreachable.)
ICMP7  In   Any  Any  Time Exceeded            Pass    Allow TTL-exceeded messages from external hosts (traceroute relies on them).
Typical Configuration Rules (cont.)

NOTE: These rules are generic examples and not specific to any firewall, presented at the cautious level. They are examples of ICMP rules that drop packets. (Renumbered here; the slide reused ICMP6 and ICMP7.)

Rule    Dir  Src  Dst  ICMP type                Action  Description
ICMP8   In   Any  Any  Redirect                 Drop    Drop ICMP Redirects on the external interface (they would let an outsider rewrite a host's routing table).
ICMP9   In   Any  Any  Echo Request             Drop    Drop echo requests on the external interface.
ICMP10  Out  Any  Any  Echo Reply               Drop    Drop outbound echo replies.
ICMP11  Out  Any  Any  Destination Unreachable  Drop    Drop outbound Destination Unreachable (it would confirm to a scanner which hosts and ports exist, at the cost of breaking path MTU discovery for outside peers unless "fragmentation needed", code 4, is exempted).
ICMP12  Out  Any  Any  "Service Unavailable"    Drop    Drop these when outbound.
ICMP13  Any  Any  Any  Any                      Drop    Drop all other ICMP packets in either direction. This must come after every ICMP pass rule, since the firewall applies the first match.
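The tables above can be checked mechanically. The Python below is an added example, not part of the slides: it encodes the HTTP/SMTP rules, the anti-spoofing rules and a subset of the ICMP rules as a first-match list with a final default drop, and evaluates constructed packets against it. The server addresses (SServ 10.4.3.25, WServ 10.4.3.80), the internal network 10.4.3.0/24 and the outside addresses in the samples are assumptions of the example; only 196.7.9.9 (rule Stop1) is from the slides. The ICMP rules are named by type rather than by number.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed topology (not on the slides): the protected network and its two servers.
INTERNAL = ip_network("10.4.3.0/24")
SSERV = ip_address("10.4.3.25")    # mail server ("SServ")
WSERV = ip_address("10.4.3.80")    # web server ("WServ")
STOP1 = ip_address("196.7.9.9")    # the one address the slide names (rule Stop1)


@dataclass
class Packet:
    direction: str                  # "in" = arrives on the external interface, "out" = on the internal
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""             # "echo-request", "echo-reply", "redirect", "time-exceeded", ...
    source_routed: bool = False     # IP source-route option present


def ip_match(spec, addr: str) -> bool:
    """spec is None (any), an address, a network, or ("not", spec)."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return not ip_match(spec[1], addr)
    a = ip_address(addr)
    return a in spec if isinstance(spec, IPv4Network) else a == spec


def port_match(spec, port: int) -> bool:
    """spec is None (any), ">1023", or an exact port number."""
    if spec is None:
        return True
    return port > 1023 if spec == ">1023" else port == spec


@dataclass
class Rule:
    name: str
    action: str                     # "pass" or "drop"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: object = None
    sport: object = None
    dst: object = None
    dport: object = None
    flag: Optional[str] = None      # "SYN" = connection request (SYN set, ACK clear); "ACK" = ACK set
    icmp_type: Optional[str] = None
    source_routed: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if self.direction and p.direction != self.direction:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if not (ip_match(self.src, p.src) and ip_match(self.dst, p.dst)):
            return False
        if not (port_match(self.sport, p.sport) and port_match(self.dport, p.dport)):
            return False
        if self.flag == "SYN" and not ("SYN" in p.flags and "ACK" not in p.flags):
            return False
        if self.flag == "ACK" and "ACK" not in p.flags:
            return False
        if self.icmp_type and p.icmp_type != self.icmp_type:
            return False
        if self.source_routed is not None and p.source_routed != self.source_routed:
            return False
        return True


# The rule set in the order the firewall evaluates it: anti-spoofing first, then the
# service rules, then ICMP, then the cautious-level default (first match wins).
RULES = [
    Rule("Source", "drop", "in", source_routed=True),
    Rule("Spoof1", "drop", "in", src=INTERNAL),
    Rule("Spoof2", "drop", "out", src=("not", INTERNAL)),
    Rule("Stop1", "drop", "in", src=STOP1),
    Rule("HTTP1", "pass", "out", "tcp", sport=">1023", dport=80, flag="SYN"),
    Rule("HTTP2", "pass", "in", "tcp", sport=80, dport=">1023", flag="ACK"),
    Rule("SMTP1", "pass", "out", "tcp", src=SSERV, dport=25, flag="SYN"),
    Rule("SMTP2", "pass", "in", "tcp", dst=SSERV, dport=25),
    Rule("SMTP3", "drop", "in", "tcp", dst=("not", SSERV), dport=25),
    Rule("HTTP3", "drop", "in", "tcp", dst=("not", WSERV), dport=80),
    Rule("ICMP-echo-reply-in", "pass", "in", "icmp", icmp_type="echo-reply"),
    Rule("ICMP-ttl-in", "pass", "in", "icmp", icmp_type="time-exceeded"),
    Rule("ICMP-redirect-in", "drop", "in", "icmp", icmp_type="redirect"),
    Rule("ICMP-echo-req-in", "drop", "in", "icmp", icmp_type="echo-request"),
    Rule("Default", "drop"),        # whatever no rule explicitly permits is dropped
]


def decide(p: Packet, rules=RULES):
    """Return (action, name of the first matching rule)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "drop", "implicit"


if __name__ == "__main__":
    for pkt in [Packet("out", "tcp", "10.4.3.2", "198.51.100.7", 40000, 80, frozenset({"SYN"})),
                Packet("in", "tcp", "198.51.100.7", "10.4.3.2", 80, 40000, frozenset({"ACK"})),
                Packet("in", "tcp", "10.4.3.9", "10.4.3.2", 40000, 80, frozenset({"SYN"}))]:
        print(pkt, "->", decide(pkt))
```

Note what HTTP2 admits: any inbound TCP segment with the ACK bit set, source port 80 and a destination port above 1023 passes, which is exactly the packet a scanner crafts to map live hosts behind an ACK-bit filter. That is the limit of stateless filtering; a stateful firewall replaces HTTP2 with a lookup in its table of connections that HTTP1 actually opened.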