BorderManager and Firewall Notes
Types of Firewall
FIREWALL TYPE | DESCRIPTION
Screening routers | Most basic. Uses only packet filtering to control/monitor network traffic that passes through the border. Risk of break-in is high: each host on the private network is exposed to the Internet.
Bastion hosts | A bastion host represents the private network on the Internet – the point of contact for incoming traffic – and acts as a proxy server allowing internal clients access to external services. Bastion hosts run only a few services, such as email, FTP, DNS or a web service; they do not require any authentication or store any company-sensitive data.
Screened hosts | A combination of bastion host and screening router. The screening router adds security by using Internet access to deny or permit certain traffic from the bastion host; it is the first stop for traffic, which can continue only if the screening router lets it. Can be used with NAT and packet filtering to block certain ports. Fairly secure, because the security risk is limited to the screening router.
Dual-homed hosts | A server with at least two network interfaces, acting as a router between the networks it is attached to. Routing is disabled so that IP packets do not pass directly to other networks; systems inside and outside communicate via the dual-homed host, not directly. Access to the Internet is via proxy services and an IP/IP gateway. Break-in is limited to hosts reachable from the Internet, although any illegal access badly compromises security.
Screened subnets | A variation of the screened host: the bastion host is placed on its own subnetwork, with a screening router on either side – one between the subnet and the private network and the other between the subnet and the Internet.
Tri-homed hosts | Combines elements of a screening router and screened host, overcoming the limitations of each. Security is centred on the screening routers, which have separate interfaces for the Internet, the private network, and the subnets that contain bastion hosts and application servers.
Firewall Technologies/OSI Model
OSI MODEL LAYER | FIREWALL TECHNOLOGIES
Application | VPN, Application-level proxies
Presentation | VPN, Application-level proxies
Session | VPN, Circuit-level gateways
Transport | VPN, IPX/IP and IP/IP gateways
Network | VPN, NAT, Packet filtering
Data Link | VPN, PPP
Physical | Not applicable
ICMP & Dynamic NAT
Dynamic NAT translates the addresses in the IP headers of the following inbound ICMP packets (all other inbound ICMP packets are dropped):
ICMP PACKET TYPE | ICMP MESSAGE CONTENTS
0 | Echo Reply
3 | Destination Unreachable
4 | Source Quench
8 | Echo
11 | Time Exceeded
12 | Parameter Problem
17 | Address Mask Request
18 | Address Mask Reply
Routing
SERVICE | PACKET HANDLING
Packet Filtering | Forwarding, routing
NAT | Forwarding, routing
Proxy Cache | Forwarding typically implemented, routing not required
VPN | Forwarding, routing not required
IP Gateway | Forwarding, routing
Installation Parameter Settings
PARAMETER | ETHERNET | TOKEN RING or FDDI
Minimum packet receive buffers | 500 | 400
Maximum packet receive buffers | 2000 | 1000
Maximum physical receive packet size | 1514 | 4202

The maximum physical receive packet size differs for regular and PPP links:
PARAMETER | ETHERNET (REGULAR) | ETHERNET (PPP) | TOKEN RING or FDDI (REGULAR) | TOKEN RING or FDDI (PPP)
Maximum physical receive packet size | 1514 | 1524 | 4202 | 4212
Config & Log Files
FILE | DESCRIPTION
SYS:\ETC\FILTERS.CFG | Filter configuration; can be copied to other servers (which must be reinitialized for the copied filters to take effect).
SYS:\ETC\LOGS\IPPKTLOG.LOG | Log file for packet logging.
SYS:\ETC\IPPKTLOG.CFG | Configuration file that specifies how IPPKTLOG.LOG is managed (the defaults are usually used).
CSAUDIT.LOG | 
Common Filter Examples
EXAMPLE | STATEFUL FILTERS | STATIC FILTERS
WEB ACCESS – Internet access and response | WWW-HTTP-ST | Outgoing: WWW-HTTP. Incoming: DYNAMIC/TCP
DNS – Access to your ISP's DNS | DNS/UDP-ST | Outgoing: DOMAIN or DNS/UDP. Incoming: DYNAMIC/UDP
ICMP/PING – Stop PING from external users | PING-ST | Incoming: ICMP packets from select hosts (identified by their IP addresses). Outgoing: ICMP packets from select hosts (identified by their IP addresses)
FTP – Enable FTP support | FTP-PORT-PASV-ST | Outgoing: FTP, FTP-DATA, ICMP. Incoming: FTP, FTP-DATA, ICMP
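To make the difference between the two filter columns concrete, here is a toy model of the WEB ACCESS row, added here as an example and not BorderManager code: the static pair (outgoing WWW-HTTP plus incoming DYNAMIC/TCP) has no memory and must leave the whole dynamic port range open inbound, whereas the stateful WWW-HTTP-ST filter admits an inbound packet only when it is the reply to a recorded outbound session. The Packet class, the assumed dynamic range 1024-65535 and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = private network -> Internet, "in" = Internet -> private network
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# The DYNAMIC/TCP range that the static inbound rule has to leave open (assumed 1024-65535).
DYNAMIC_PORTS = range(1024, 65536)

def static_web_filter(pkt: Packet) -> bool:
    """Static pair: outgoing WWW-HTTP plus incoming DYNAMIC/TCP; keeps no state."""
    if pkt.proto != "tcp":
        return False
    if pkt.direction == "out":
        return pkt.dst_port == 80 and pkt.src_port in DYNAMIC_PORTS
    return pkt.dst_port in DYNAMIC_PORTS  # any Internet host may send to a dynamic port

class StatefulWebFilter:
    """Stateful WWW-HTTP-ST: inbound passes only as the reverse of a recorded session."""
    def __init__(self) -> None:
        self.sessions = set()  # (client ip, client port, server ip, server port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return False
        if pkt.direction == "out" and pkt.dst_port == 80:
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.direction == "in":
            return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions
        return False

def compare(packets):
    """Return (packet, static verdict, stateful verdict) for each packet, in order."""
    stateful = StatefulWebFilter()
    return [(p, static_web_filter(p), stateful.allow(p)) for p in packets]

# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE = [
    Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80),  # client request
    Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000),   # matching reply
    Packet("in", "tcp", "198.51.100.7", 5555, "10.0.0.5", 4444),  # unsolicited inbound
]
```

Calling compare(SAMPLE) shows both filters passing the request and its reply, while only the static filter passes the unsolicited third packet.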
THIS FILTER | WORKS ON ROUTERS RUNNING RIP/SAP | WORKS ON ROUTERS RUNNING NLSP (compatibility)
IPX FORWARDING | YES | YES
SAP FILTERS | YES | NO
To disable NAT implicit filtering (default off) so that all services running on the server (such as HTTP, FTP or Telnet) are reachable, use:
SET NAT DYNAMIC MODE TO PASS THRU = ON