330 likes | 480 Views
Firewall Configuration Rules. Firewall Configuration Rules. Port review Nat Review Proxy Review Firewall Configuration. Port Review. APPLICATION LAYER. TFTP. Source Port 5512. Destination Port 69. TRANSPORT LAYER. UDP. NETWORK LAYER. 17. IP Header.
E N D
Firewall Configuration Rules
Firewall Configuration Rules • Port review • Nat Review • Proxy Review • Firewall Configuration
APPLICATION LAYER TFTP Source Port 5512 Destination Port 69 TRANSPORT LAYER UDP NETWORK LAYER 17 IP Header Source IP Address; 128.66.12.2 Destination IP Address; 128.66.13.1 ETHERNET DATA LINK LAYER IP HEADER TCP HEADER SOURCE ADDR 00 00 1B 09 08 07 DESTINATION ADDR 00 00 1B 12 23 34 FIELD TYPE PREAMBLE FCS DATA PROTOCOL and PORT NUMBERS
0 15 16 31 UDP Source Port UDP Destination Port UDP Checksum UDP Message Length Data . . . USER DATAGRAM PROTOCOL • UDP Source/Destination Port. 1. The port numbers identify the receiving and sending process. It demultiplexes the UDP datagram to a particular process running on the computer. 2. The IP demultiplexes the incoming IP datagram to either TCP or UDP based upon the protocol value in the IP header. The UDP demultiplexes the UDP datagram to a particular application depending upon the port number. 3.The port number and the IP address allow any application in any computer on internet to be uniquely identified. 4. UDP port number can be both static and dynamic. • Static ports (<= 1023) are assigned by a central authority and are sometimes called Universal Assignments or well-known port assignments. • Typical static ports are 7 = Echo, 37 = time, 69 = TFTP, 161 = SNMP net monitor, 514 = System log, 520 = RIP. • Dynamic ports are not globally known but are assigned by software. These numbers are 0 - 65535 (minus the static port assignments). • UDP Message Length. This field indicates the size of the UDP header and its data in bytes. The minimum size must be 8 (size of header).
Echo 7 Echo user datagram back to user Discard 9 Discard user datagrams Daytime 13 Report time in a user friendly fashion Quote 17 Return "Quote of the day" Chargen 19 Character generator Nameserver 53 Domain Name Server Sql-Net 66 Oracle Sequel Network BOOTPS 67 Server port to download configuration information BOOTPC 68 Client port to receive configuration information TFTP 69 Trivial File Transport Protocol POP3 110 Post Office Protocol - V3 SunRPC 111 Sun Remote Procedure Call NTP 123 Network Time Protocol SNMP 161 Used to receive network management queries SNMP-trap 162 Used to receive network problem reports. IRC 194 Internet Relay Chat IPX 213 IPX - IP Tunneling SysLog 514 System Log RIP 520 Routing Information Protocol NFS 2049 Network File Service Well Known UDP Ports Examples USER DATAGRAM PROTOCOL • Well-Known ports are standard ports between 0-1023 reserved for standard services. • The Internet Assigned Numbers Authority (IANA) is responsible for assigning well - known ports.
APPLICATION LAYER Telnet Source Port 5512 Destination Port 23 TRANSPORT LAYER TCP Header NETWORK LAYER 6 IP Header Source IP Address; 128.66.12.2 Destination IP Address; 128.66.13.1 ETHERNET DATA LINK LAYER IP HEADER TCP HEADER SOURCE ADDR 00 00 1B 09 08 07 DESTINATION ADDR 00 00 1B 12 23 34 FIELD TYPE PREAMBLE FCS DATA PROTOCOL and PORT NUMBERS
0 15 16 31 HLEN Total Length TOS VERS 4 bits 4 bits 8 bits 16 bits Fragment Offset Identification Flags 13 bits 16 bits 3 bits TTL Protocol Checksum IP Header 8 bits 16 bits 8 bits Source IP Address 32 bits Destination IP Address 32 bits IP Options(if any) 32 bits Destination Port Source Port IP Datagram 16 bits 16 bits Sequence Number 32 bits Acknowledgement Number TCP Header 32 bits Offset Reserved Receive Window Size A P F R U S 6 bits 4 bits 16 bits Urgent Pointer Checksum 16 bits 16 bits Options (if any) TCP Data (if any) ETHERNET FIELD TYPE DESTINATION ADDRESS IP HEADER TCP HEADER SOURCE ADDRESS PREAMBLE FCS DATA 0-65535 2 4 8 6 6 TCP ENCAPSULATION
Port Application Description 9 Discard Discard all incoming data port 19 Chargen Exchange streams of data port 20 FTP-Data File transfer data port 21 FTP-CMD File transfer command port 23 Telnet Telnet remote login port 25 SMTP Simple Mail Transfer Protocol port 79 Finger Obtains information about active users 80 HTTP Hypertext Transfer Protocol port 88 Kerberos Authentication Protocol 110 POP3 PC Mail retrieval service port 119 NNTP Network news access port 179 BGP Border Gateway Protocol 513 Rlogin Remote Login In 514 Rexec Remote Execute WELL KNOWN TCP PORT NUMBERS
Port UDP UDP 1500 22 TCP IP Address TCP IP IP 164.22.40.8 165.62.1.125 LINK LINK PHYS PHYS • End Point describes a connection in terms of: < Local Addr, Local Port # > < 164.22.40.8, 1500 > • Half association describes just one process in terms of : < Prot, Local Addr, Local Port # > < tcp,164.22.40.8,1500 > • Full Association describes a connection in terms of: <Prot, Local Addr, Local Port #, Remote Addr, Remote Port #> <Eg: tcp,164.22.40.8,1500,165.62.125, 22> TCP PROCESS ADDRESSING
Selected Ports • Echo - UDP Port 7: • Retransmits to the sender any thing it receives. Used for testing networks. • Disable if not needed or block at the Firewall.. • Discard - TCP/UDP Port 9: • Discards anything it receives. Used for developing network tools. • Disable if not needed or block at the Firewall. • Daytime - UDP Port 13: • Sends the date/time for the server to the client. • Disable if not needed or block at the Firewall.. • Quote - UDP Port 17: • Sends to the connecting client a quote selected from a file of quotes.. • Disable if not needed or block at the Firewall..
Selected Ports (cont…) • Chargen - TCP/UDP Port 19: • Continuously sends out printable ASCII characters. Used for testing network tools. • Disable if not needed or block at the Firewall. • FTP - TCP Ports 20 and 21: • Used for transferring files over the Internet. • Disable if not needed otherwise use a proxy. • Telnet - TCP Port 23: • Used to connect remotely to a server.The data is not encrypted and the password/logon is readable. • Disable if not needed or block at the firewall. • SMTP - TCP Port 25: • Used for the exchange of email over the Internet. • Proxy SMTP across the Firewall
Selected Ports (cont…) • DNS - UDP Port 53: • Translates text based names into IP addresses. • Proxy DNS across the /firewall. • BootP/DHCP - UDP Ports 67 and 68: • BootP allows diskless workstations to find and load their OSs over the network. • DHCP provides for dynamic allocation of IP addresses. • Both BootP and DHCP should be employed inside the Firewall. • TFTP - UDP Port 69: • A simpler version of FTP that is used with BootP and DHCP to allow diskless workstations to acquire and load their operating systems. • Disable or block at the Firewall. • Gopher - TCP Port 70: • The first hypertext system on the Internet. • Disable or block at Firewall.
Selected Ports (cont…) • Finger - TCP Port 79: • Used to system information such as names, office hours, TP#, current projects. • Disable. • HTTP - TCP Port 80: • Used to transfer text, video, graphics, sound and programs over th Internet. • Proxy HTTP across the /firewall. • POP3 - TCP Port 110: • Allows users to check their mail over the LAN or the Internet. • Proxy POP3 or block at the firewall. • RPC - UDP Port 111: • Allows two computers to coordinate the execution of software. • Disable or block at the firewall.
Selected Ports (cont…) • NetBios - TCP Ports 137, 138, 139: • Used by MS Windows networking to connect LAN clients to file and print services.. • Block at the Firewall. • IMAP - TCP Port 143: • Used by clients to transfer email from servers not configured to send email to the clients. • Disable if not needed. • SNMP - UDP Port 161: • Used to remotely manage network devices such as routers, servers, hubs and clients. • Block at the firewall. • LDAP - TCP/UDP Port 389: • Used to maintain contact information across the Internet. • Block at the firewall.
Selected Ports (cont…) • RSH - TCP Port 514: • Used to connect remotely to a server. Teh passwords are encrypted. • Block at the Firewall. • NFS - TCP/UDP Port 2049: • Provides clients LAN access to data storage. The Unix equivalent of NetBios. • Block at the Firewall.
Overview • The IAB identified three immediate Internet danger • 1. INTERNIC is fast exhausting Class B addresses. • 2. The increase in networks/hosts has resulted in a routing table explosion. • 3 The increase in networks/host is fast depleting the 32 bit address space. • Class B Exhaustion(Three Bears Problem). • Class A : 8/24:256 networks:16,772,214 hosts - to scarce(IANA assigned ). • Class B : 14/16:16384 networks:65534 hosts - about right for subnetting. • Class C : 21/8: 2,097,152 networks:254 hosts - to narrow. • Routing Table Explosion • This is a catch all term for all the problems posed by the manipulation of large data bases.
IP Address Depletion Strategies • The InterNIC adopted four major strategies for handling the depletion of the IP addresses. • Creative IP Address Space Allocation. RFC 2050 - Internet Registry IP Allocation Guidelines • Private Addresses/Network Address Translation (NAT). RFC 1918 - Address Allocation for Private Networks. RFC 1631 - The IP Network Address Translator. • Classless InterDomain Routing (CIDR). RFC 1519 - Class InterDomain Routing(CIDR): An Address and Aggregation Strategy. • IP Version 6 (IPv6). RFC 1883 - Internet Protocol, Version 6 (IPv6).
Private IP Addresses • Private IP addresses relax the rule that IP addresses are globally unique. • This IP conservation technique reserves part of the IP address space for use exclusively within an organization. • The organization does not require connectivity to the Internet. • IANA reserves three ranges of IP addresses for "Private Internets": • 10.0.0.0 - 10.255.255.255 A single Class A network • 172.16.0.0 - 172.31.255.255 Sixteen continuous Class B Networks • 192.168.0.0 - 192.168.255.255 256 contiguous Class C networks • Any organization can use these addresses provide they adhere to the following rules: • They cannot be referenced by hosts in another organization. • They cannot be defined to any external router. • Organization with private addresses cannot externally advertise those IP addressees and cannot forward IP datagrams containing those addresses to external routers. • External routers will quietly discard all routing information regarding these addresses. • All connectivity to an Internet host must be provided by a Network Address Translator.
Network Address Translator Translate Pool Private Network Map Static Addresses Internet Exclude Network Address Translators • NATs are based upon the idea that only a small part of the hosts in a private network will communicate outside that network. • Nats are a solution for those organizations that use Non-routable IP addresses. • A NAT, normally part of a Firewall, is positioned between the Private Network and the Internet and: • Dynamically translates the private IP address of an outgoing packet into an Internet IP address. • Dynamically translates the return Internet IP address into a private IP address. • Only TCP/UDP Packets are translated by NAT. For example, the Private Network cannot be Pinged (ie. ICMP is not supported). • NAT hides the internal network from the view of outsiders.
NAT Translation Modes • Static Translation (Port Forwarding) A fixed IP translation between internal resources with non-routable IP addresses and a specific external routable IP Address. • Dynamic Translation (Automatic, Hide Mode, IP Masquerade or NAPT) A large group of internal resources are dynamically given non-routable IP address which are translated into a single external, non-routable IP address. Each internal resource is uniquely identified by an external port number. • Load Balancing Translation: A single external IP address is translated into a pool of identically configured servers. A single external IP address serves a number of servers. • Network Redundancy Translation: A single Firewall is attached to multiple Internet connections that the firewall can use for load balancing or redundancy.
Static Translation Source Destination Source Destination 10.4.3.1 10.4.3.1 198.34.2.5 200.10.4.10 198.34.2.5 198.34.2.5 Private Network Internet Nat Pool 10.4.3.2 10.4.3.1 200.10.4.10 10.4.3.2 200.10.4.11 <Free> 200.10.4.12 • The Private Network is assigned non-routable addresses. • The NAT pool are registered IP address that resolve to the external address of the Private Network. • For outgoing packets a NAT Pool IP address is substituted for the source IP address. • For incoming packets the original IP address is reinserted as the destination IP address replacing the NAT pool address.
10.4.3.2 198.34.2.5 Private Network 10.4.3.1 200.10.4.10 Internet 10.4.3.3 External Address External Port Protocol Used Private Port Public Address NAT Port Private Address 10.4.3.2 21023 200.10.4.10 14003 198.34.2.1 80 T CP 10.4.3.3 1234 200.10.4.10 14005 198.34.2.1 80 TCP 10.4.3.11 26066 200.10.4.10 14007 198.34.2.1 21 TCP Dynamic Translation Network Address & Port Translation (NAPT) Table
Server A Server B Browser Firewall Private Network Internet Server C Server D Load Balancing Translation
UUNET Browser Server Firewall Private Network Sprint Internet Browser MindSpring Network Redundancy Translation
Firewall Decisions • Rules by Security Levels? • Paranoid: Nothing is allowed(no external connections) - The organization has been hacked and its paranoid. • Cautious: That which is not explicitly permitted is not allowed. The default policy is to deny. • Optimistic: That which is not explicitly prohibited is allowed. The default policy is to allow. • Open: Everything is allowed. This organization has not been hacked. • NOTE: Instructor's recommendation: BE CAUTIOUS. • Rules by traffic (protocol) needs? • Browser (HTTP). • Address Resolution (DNS). • Electronic Mail (SMTP). • Network Management (SMTP).
Rules for Rules • First Match (Apply in order). • Place the most specific rules at the top of the rule set and • Place the least specific rules a the bottom of the rule set. • Group like protocol rules. • Firewall Performance. • Place those protocols bearing the most traffic at the top of the rule set. • This will generally be HTTP. • The Firewall must distinguish packets. • By the arrival/departure interface. • By Type of packet. • By the Source/Destination Address. • By source/Destination Port. • By IP Header Option • By ICMP Message • By ACK bit.
Typical Configuration Rules NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level. The rule is to handle only HTTP and SMTP traffic Rule Direct SIP SPRT DIP DPRT OPT Flag PKT TYP ACT HTTP1 Out Any >1023 Any 80 Any SYN TCP Any Pass Allow an outgoing connection from to HTTP server. HTTP2 In Any 80 Any >1023 Any SYN TCP Any Pass Allow already established HTTP traffic to travel back through the firewall. SMTP1 Out Any SServ Any 25 Any SYN TCP Any Pass Allow the mail server to establish a outgoing connection. SMTP2 In Any 25 Any SServ Any Any TCP Any Pass Allow incoming connections to the mail server.. SMTP3 In Any Any Not SServ 25 Any ACK TCP Any Drop Disallow any connection form the outside other than to the mail server. HTTP3 In Any Any Not WServ 80 Any Any TCP Any Drop Disallow any connection form the outside other than to the mail server..
Typical Configuration Rules (cont…) NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level. These are examples of spoofing rules. Rule Direct SIP SPRT DIP DPRT OPT Flag PKT TYP ACT Source In Any Any Any Any Source Any Any Any Drop Drop all Source-Routed Packets. Spoof1 In Internal Any Any Any Any Any Any Any Drop Drop all packets that appear on the external interface that have an internal IP address. Spoof2 Out Outside Any Any Any Any Any Any Any Drop Drop all packets that appear on the internal interface that have an outside source IP address. Spoof3 In Any Any Any PServs Any Any Any Any Drop Drop all packets destined for the protected servers. Spoof4 In Any Any Any RIP/OSPF Any Any Any Any Drop Disallow any incoming routing packets. Stop1 In 196.7.9.9 Any Any Any Any Any Any Any Drop Drop any packets from this specific IP address.
Typical Configuration Rules (cont…) NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level. These are examples of ICMP Rules to pass packets. Rule Direct SIP SPRT DIP DPRT OPT Flag PKT TYP ACT ICMP1 In Any Any Any Any Any Any ICMP Source Quench Pass Allow ICMP Source Quench packets from External hosts. ICMP2 Out Any Any Any Any Any Any ICMP Echo Request Pass Allow Echo Requests outbound.. ICMP3 In Any Any Any Any Any Any ICMP Echo Reply Pass Allow the replies to the echo request to be returned. ICMP5 In Any Any Any Any Any Any ICMP Dest Unreach Pass Allow ICMP Destination Unreachable packets from the external hosts.. ICMP6 In Any Any Any Any Any Any ICMP Serv Unav Pass Allow the ICMP Service Unavailable packets from the external hosts. ICMP7 In Any Any Any Any Any Any ICMP TTL Exced Pass Allow the ICMP Time-to-Live exceeded from external hosts.
Typical Configuration Rules (cont…) NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level. These are examples of ICMP Rules to drop packets. Rule Direct SIP SPRT DIP DPRT OPT Flag PKT TYP ACT ICMP7 In Any Any Any Any Any Any ICMP Redirect Drop Drop the ICMP Redirect on the External interface. ICMP8 In Any Any Any Any Any Any ICMP Echo Request Drop Drop ICMP Echo Request on the External Interface ICMP9 Out Any Any Any Any Any Any ICMP Echo Reply Drop Drop the ICMP Echo Reply packets that are outbound. ICMP10 Out Any Any Any Any Any Any ICMP Dest Unreach Drop Drop ICMP Destination Unreachable packets that are outbound ICMP6 Out Any Any Any Any Any Any ICMP Serv Unav Drop Drop the ICMP Service Unavailable packets that are outbound. ICMP7 Any Any Any Any Any Any Any ICMP Any Drop Drop all ICMP packets in either direction.