Firewall Configuration Rules

Topics: Port Review, NAT Review, Proxy Review

Port Review
PROTOCOL AND PORT NUMBERS

Figure: UDP encapsulation. An Ethernet frame (preamble, destination address 00 00 1B 12 23 34, source address 00 00 1B 09 08 07, field type, FCS) carries an IP header (Protocol 17 = UDP, source IP address 128.66.12.2, destination IP address 128.66.13.1), which carries a UDP header (source port 5512, destination port 69 = TFTP) and its data. Layers, bottom to top: data link (Ethernet), network (IP), transport (UDP), application (TFTP).

USER DATAGRAM PROTOCOL
UDP Source/Destination Port:
1. The port numbers identify the receiving and sending processes. They demultiplex the UDP datagram to a particular process running on the computer.
2. IP demultiplexes the incoming IP datagram to either TCP or UDP based upon the Protocol value in the IP header. UDP then demultiplexes the UDP datagram to a particular application depending upon the port number.
3. The port number and the IP address together allow any application on any computer on the Internet to be uniquely identified.
4. UDP port numbers can be both static and dynamic.
Static ports (<= 1023) are assigned by a central authority and are sometimes called Universal Assignments or well-known port assignments.
Typical static ports are 7 = Echo, 37 = time, 69 = TFTP, 161 = SNMP net monitor, 514 = System log, 520 = RIP.
Dynamic ports are not globally known but are assigned by software. These numbers are 0 - 65535 (minus the static port assignments).
UDP Message Length. This field indicates the size of the UDP header and its data in bytes. The minimum size must be 8 (size of header).
Figure: UDP header layout (bits 0-15 | bits 16-31):
  UDP Source Port     | UDP Destination Port
  UDP Message Length  | UDP Checksum
  Data . . .
Well-Known UDP Ports (examples)

Well-known ports are standard ports in the range 0-1023 reserved for standard services. The Internet Assigned Numbers Authority (IANA) is responsible for assigning well-known ports.

Name        Port  Description
Echo           7  Echo user datagram back to user
Discard        9  Discard user datagrams
Daytime       13  Report time in a user-friendly fashion
Quote         17  Return "Quote of the day"
Chargen       19  Character generator
Nameserver    53  Domain Name Server
Sql-Net       66  Oracle Sequel Network
BOOTPS        67  Server port to download configuration information
BOOTPC        68  Client port to receive configuration information
TFTP          69  Trivial File Transport Protocol
POP3         110  Post Office Protocol - V3
SunRPC       111  Sun Remote Procedure Call
NTP          123  Network Time Protocol
SNMP         161  Used to receive network management queries
SNMP-trap    162  Used to receive network problem reports
IRC          194  Internet Relay Chat
IPX          213  IPX - IP Tunneling
SysLog       514  System Log
RIP          520  Routing Information Protocol
NFS         2049  Network File Service
TCP ENCAPSULATION

Figure: TCP encapsulation. The same Ethernet frame as above carries an IP header (Protocol 6 = TCP, source IP address 128.66.12.2, destination IP address 128.66.13.1), a TCP header (source port 5512, destination port 23 = Telnet) and data. Layers, bottom to top: data link (Ethernet), network (IP), transport (TCP), application (Telnet).
Figure: IP datagram inside an Ethernet frame (preamble, destination address, source address, field type, FCS).

IP header fields and widths:
  VERS 4 bits | HLEN 4 bits | TOS 8 bits | Total Length 16 bits
  Identification 16 bits | Flags 3 bits | Fragment Offset 13 bits
  TTL 8 bits | Protocol 8 bits | Checksum 16 bits
  Source IP Address 32 bits
  Destination IP Address 32 bits
  IP Options (if any) 32 bits
  TCP Data (if any)

TCP header fields and widths (bits 0-15 | bits 16-31):
  Source Port 16 bits | Destination Port 16 bits
  Sequence Number 32 bits
  Acknowledgement Number 32 bits
  Offset 4 bits | Reserved 6 bits | flags U A P R S F | Receive Window Size 16 bits
  Checksum 16 bits | Urgent Pointer 16 bits
  Options (if any)
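As an added example (not from the slides), here is a Python parser that splits an IPv4 header and the TCP or UDP header that follows it into the fields laid out above, then demultiplexes on the IP Protocol value and on the port exactly as the UDP discussion describes. The sample packet is constructed from the slide's addresses (128.66.12.2 port 5512 to 128.66.13.1); the TFTP payload bytes and sequence numbers are made up.

```python
import struct

PROTO_NAMES = {6: "TCP", 17: "UDP"}                           # IP Protocol field values
TCP_FLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")   # U A P R S F, high to low bit

def parse_ipv4(pkt):
    """Split the IP header into the fields the slide lays out (widths in bits)."""
    (vers_hlen, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hlen = (vers_hlen & 0x0F) * 4                   # HLEN is counted in 32-bit words
    hdr = {"version": vers_hlen >> 4, "hlen": hlen, "tos": tos,
           "total_length": total_len, "identification": ident,
           "flags": flags_frag >> 13,               # 3 bits
           "fragment_offset": flags_frag & 0x1FFF,  # 13 bits
           "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    return hdr, pkt[hlen:]                          # skip IP options (if any)

def parse_tcp(seg):
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4             # 4-bit Offset in 32-bit words
    bits = off_flags & 0x3F                         # 6 flag bits after the 6 reserved bits
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if bits & (1 << (5 - i))]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window}, seg[data_offset:]

def parse_udp(dgram):
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    return {"sport": sport, "dport": dport, "length": length}, dgram[8:length]

def demux(pkt):
    """IP demultiplexes on Protocol; TCP/UDP then demultiplex on the port."""
    ip, payload = parse_ipv4(pkt)
    if ip["protocol"] == "TCP":
        l4, data = parse_tcp(payload)
    elif ip["protocol"] == "UDP":
        l4, data = parse_udp(payload)
    else:
        l4, data = None, payload
    return ip, l4, data

def build_sample(proto):
    """Constructed packet mirroring the slide: 128.66.12.2 port 5512 -> 128.66.13.1."""
    if proto == 17:                                 # UDP to TFTP (port 69), 4 data bytes
        l4 = struct.pack("!HHHH", 5512, 69, 12, 0) + b"RRQ\x00"
    else:                                           # TCP SYN to Telnet (port 23), no options
        l4 = struct.pack("!HHIIHHHH", 5512, 23, 1000, 0, (5 << 12) | 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     bytes([128, 66, 12, 2]), bytes([128, 66, 13, 1]))
    return ip + l4
```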
WELL-KNOWN TCP PORT NUMBERS

Port  Application  Description
   9  Discard      Discard all incoming data port
  19  Chargen      Exchange streams of data port
  20  FTP-Data     File transfer data port
  21  FTP-CMD      File transfer command port
  23  Telnet       Telnet remote login port
  25  SMTP         Simple Mail Transfer Protocol port
  79  Finger       Obtains information about active users
  80  HTTP         Hypertext Transfer Protocol port
  88  Kerberos     Authentication Protocol
 110  POP3         PC Mail retrieval service port
 119  NNTP         Network news access port
 179  BGP          Border Gateway Protocol
 513  Rlogin       Remote Login In
 514  Rexec        Remote Execute
TCP PROCESS ADDRESSING

An end point describes a connection in terms of <Local Addr, Local Port #>, e.g. <164.22.40.8, 1500>.
A half association describes just one process in terms of <Prot, Local Addr, Local Port #>, e.g. <tcp, 164.22.40.8, 1500>.
A full association describes a connection in terms of <Prot, Local Addr, Local Port #, Remote Addr, Remote Port #>, e.g. <tcp, 164.22.40.8, 1500, 165.62.1.125, 22>.

Figure: two protocol stacks (PHYS, LINK, IP, TCP/UDP) connected end to end; the local host 164.22.40.8 uses port 1500 and the remote host 165.62.1.125 uses port 22. The port and the IP address together identify each end.
Selected Ports

Echo - UDP Port 7: Retransmits to the sender anything it receives. Used for testing networks. Disable if not needed or block at the Firewall.
Discard - TCP/UDP Port 9: Discards anything it receives. Used for developing network tools. Disable if not needed or block at the Firewall.
Daytime - UDP Port 13: Sends the date/time of the server to the client. Disable if not needed or block at the Firewall.
Quote - UDP Port 17: Sends to the connecting client a quote selected from a file of quotes. Disable if not needed or block at the Firewall.
Chargen - TCP/UDP Port 19: Continuously sends out printable ASCII characters. Used for testing network tools. Disable if not needed or block at the Firewall.
FTP - TCP Ports 20 and 21: Used for transferring files over the Internet. Disable if not needed; otherwise use a proxy.
Telnet - TCP Port 23: Used to connect remotely to a server. The data is not encrypted and the password/logon is readable. Disable if not needed or block at the Firewall.
SMTP - TCP Port 25: Used for the exchange of email over the Internet. Proxy SMTP across the Firewall.
DNS - UDP Port 53: Translates text-based names into IP addresses. Proxy DNS across the Firewall.
BootP/DHCP - UDP Ports 67 and 68: BootP allows diskless workstations to find and load their OSs over the network. DHCP provides for dynamic allocation of IP addresses. Both BootP and DHCP should be employed only inside the Firewall.
TFTP - UDP Port 69: A simpler version of FTP that is used with BootP and DHCP to allow diskless workstations to acquire and load their operating systems. Disable or block at the Firewall.
Gopher - TCP Port 70: The first hypertext system on the Internet. Disable or block at the Firewall.
Finger - TCP Port 79: Used to obtain system information such as names, office hours, TP#, current projects. Disable.
HTTP - TCP Port 80: Used to transfer text, video, graphics, sound and programs over the Internet. Proxy HTTP across the Firewall.
POP3 - TCP Port 110: Allows users to check their mail over the LAN or the Internet. Proxy POP3 or block at the Firewall.
RPC - UDP Port 111: Allows two computers to coordinate the execution of software. Disable or block at the Firewall.
NetBios - TCP Ports 137, 138, 139: Used by MS Windows networking to connect LAN clients to file and print services. Block at the Firewall.
IMAP - TCP Port 143: Used by clients to transfer email from servers not configured to send email to the clients. Disable if not needed.
SNMP - UDP Port 161: Used to remotely manage network devices such as routers, servers, hubs and clients. Block at the Firewall.
LDAP - TCP/UDP Port 389: Used to maintain contact information across the Internet. Block at the Firewall.
RSH - TCP Port 514: Used to connect remotely to a server. The passwords are encrypted. Block at the Firewall.
NFS - TCP/UDP Port 2049: Provides clients LAN access to data storage. The Unix equivalent of NetBios. Block at the Firewall.
NAT Review

Overview

The IAB identified three immediate Internet dangers:
1. The InterNIC is fast exhausting Class B addresses.
2. The increase in networks/hosts has resulted in a routing table explosion.
3. The increase in networks/hosts is fast depleting the 32-bit address space.

Class B Exhaustion (the "Three Bears" problem):
Class A: 8/24 split, 256 networks of 16,772,214 hosts - too scarce (IANA assigned).
Class B: 14/16 split, 16,384 networks of 65,534 hosts - about right for subnetting.
Class C: 21/8 split, 2,097,152 networks of 254 hosts - too narrow.

Routing Table Explosion: a catch-all term for all the problems posed by the manipulation of large databases.
IP Address Depletion Strategies

The InterNIC adopted four major strategies for handling the depletion of IP addresses:
1. Creative IP address space allocation. RFC 2050 - Internet Registry IP Allocation Guidelines.
2. Private addresses / Network Address Translation (NAT). RFC 1918 - Address Allocation for Private Internets. RFC 1631 - The IP Network Address Translator (NAT).
3. Classless Inter-Domain Routing (CIDR). RFC 1519 - Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy.
4. IP Version 6 (IPv6). RFC 1883 - Internet Protocol, Version 6 (IPv6).
Private IP Addresses

Private IP addresses relax the rule that IP addresses are globally unique. This IP conservation technique reserves part of the IP address space for use exclusively within an organization; such an organization does not require connectivity to the Internet.

IANA reserves three ranges of IP addresses for "Private Internets":
  10.0.0.0 - 10.255.255.255       a single Class A network
  172.16.0.0 - 172.31.255.255     sixteen contiguous Class B networks
  192.168.0.0 - 192.168.255.255   256 contiguous Class C networks

Any organization can use these addresses provided it adheres to the following rules:
1. They cannot be referenced by hosts in another organization.
2. They cannot be defined to any external router.
3. An organization with private addresses cannot externally advertise those IP addresses and cannot forward IP datagrams containing those addresses to external routers.
4. External routers will quietly discard all routing information regarding these addresses.
5. All connectivity to an Internet host must be provided by a Network Address Translator.
Network Address Translators

NATs are based upon the idea that only a small part of the hosts in a private network will communicate outside that network. NATs are a solution for organizations that use non-routable IP addresses. A NAT, normally part of a Firewall, is positioned between the Private Network and the Internet and:
1. dynamically translates the private IP address of an outgoing packet into an Internet IP address;
2. dynamically translates the return Internet IP address into a private IP address.

Only TCP/UDP packets are translated by NAT. For example, the Private Network cannot be pinged (i.e. ICMP is not supported). NAT hides the internal network from the view of outsiders.

Figure: a Network Address Translator between the Private Network and the Internet, holding a pool of static addresses and applying one of three actions to each address: translate, map or exclude.
NAT Translation Modes

1. Static Translation (Port Forwarding): a fixed IP translation between internal resources with non-routable IP addresses and a specific external routable IP address.
2. Dynamic Translation (Automatic, Hide Mode, IP Masquerade or NAPT): a large group of internal resources are dynamically given non-routable IP addresses which are translated into a single external, routable IP address. Each internal resource is uniquely identified by an external port number.
3. Load Balancing Translation: a single external IP address is translated into a pool of identically configured servers, so one external IP address serves a number of servers.
4. Network Redundancy Translation: a single Firewall is attached to multiple Internet connections that the Firewall can use for load balancing or redundancy.

Static Translation

The Private Network is assigned non-routable addresses. The NAT pool consists of registered IP addresses that resolve to the external address of the Private Network.
For outgoing packets a NAT pool IP address is substituted for the source IP address. For incoming packets the original IP address is reinserted as the destination IP address, replacing the NAT pool address.

Figure: static translation between the Private Network and the Internet.
  NAT pool:  10.4.3.1 -> 200.10.4.10,  10.4.3.2 -> 200.10.4.11,  200.10.4.12 <Free>
  Outgoing packet inside:   Source 10.4.3.1     Destination 198.34.2.5
  Outgoing packet outside:  Source 200.10.4.10  Destination 198.34.2.5
Dynamic Translation

Figure: dynamic translation. Private hosts 10.4.3.2 and 10.4.3.3 reach the Internet host 198.34.2.1 through the single public address 200.10.4.10 of the Firewall.

Network Address & Port Translation (NAPT) Table:
Private Address  Private Port  External Address  NAT Port  Public Address  External Port  Protocol Used
10.4.3.2         21023         200.10.4.10       14003     198.34.2.1      80             TCP
10.4.3.3         1234          200.10.4.10       14005     198.34.2.1      80             TCP
10.4.3.11        26066         200.10.4.10       14007     198.34.2.1      21             TCP
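An added example, not from the slides, of the dynamic (NAPT) mode: a minimal translator that builds the table above as flows leave the Private Network and uses it to rewrite the replies coming back, dropping anything it has no row for. Packets are plain dictionaries constructed from the slide's addresses; handing out NAT ports in steps of 2 is only there to reproduce the slide's 14003/14005/14007.

```python
import itertools


class NAPT:
    """Hide-mode NAT: every private host shares one external address, told apart by NAT port."""

    def __init__(self, external_addr, first_nat_port=14003):
        self.external_addr = external_addr
        # Step of 2 is an assumption made only to match the slide's table values.
        self.free_ports = itertools.count(first_nat_port, 2)
        self.table = {}    # (priv_addr, priv_port, pub_addr, pub_port, proto) -> nat_port
        self.reverse = {}  # (nat_port, pub_addr, pub_port, proto) -> (priv_addr, priv_port)

    def outbound(self, pkt):
        """Private -> Internet: rewrite the source; None means the NAT cannot carry it."""
        if pkt["proto"] not in ("TCP", "UDP"):   # per the slides only TCP/UDP are translated
            return None
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        nat_port = self.table.get(key)
        if nat_port is None:                     # first packet of this flow: add a table row
            nat_port = next(self.free_ports)
            self.table[key] = nat_port
            self.reverse[(nat_port, pkt["dst"], pkt["dport"], pkt["proto"])] = key[:2]
        return dict(pkt, src=self.external_addr, sport=nat_port)

    def inbound(self, pkt):
        """Internet -> private: rewrite the destination; None means drop (no matching row)."""
        if pkt["dst"] != self.external_addr:
            return None
        entry = self.reverse.get((pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"]))
        if entry is None:                        # unsolicited packet: the inside stays hidden
            return None
        priv_addr, priv_port = entry
        return dict(pkt, dst=priv_addr, dport=priv_port)


def walk_slide_table():
    """Replay the three flows of the slide's NAPT table, one reply, one stray packet, one ping."""
    nat = NAPT("200.10.4.10")
    flows = [("10.4.3.2", 21023, "198.34.2.1", 80), ("10.4.3.3", 1234, "198.34.2.1", 80),
             ("10.4.3.11", 26066, "198.34.2.1", 21)]
    out = [nat.outbound({"src": s, "sport": sp, "dst": d, "dport": dp, "proto": "TCP"})
           for s, sp, d, dp in flows]
    reply = nat.inbound({"src": "198.34.2.1", "sport": 80, "dst": "200.10.4.10",
                         "dport": out[0]["sport"], "proto": "TCP"})
    stray = nat.inbound({"src": "198.34.2.1", "sport": 80, "dst": "200.10.4.10",
                         "dport": 1, "proto": "TCP"})
    ping = nat.outbound({"src": "10.4.3.2", "dst": "198.34.2.5", "proto": "ICMP"})
    return out, reply, stray, ping
```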
Load Balancing Translation

Figure: a browser on the Internet reaches a single external address on the Firewall, which translates it to one of Server A, Server B, Server C or Server D in the Private Network.

Network Redundancy Translation

Figure: the Firewall is attached to three Internet connections (Sprint, UUNET, MindSpring); a browser and a server on the Private Network reach the Internet through whichever connection the Firewall selects.
Firewall Configuration Rules

Firewall Decisions

Rules by security level:
1. Paranoid: nothing is allowed (no external connections). The organization has been hacked and it is paranoid.
2. Cautious: that which is not explicitly permitted is not allowed. The default policy is to deny.
3. Optimistic: that which is not explicitly prohibited is allowed. The default policy is to allow.
4. Open: everything is allowed. This organization has not been hacked.
NOTE: Instructor's recommendation: BE CAUTIOUS.

Rules by traffic (protocol) needs: Browser (HTTP), Address Resolution (DNS), Electronic Mail (SMTP), Network Management (SNMP).

Rules for Rules

First Match (rules are applied in order): place the most specific rules at the top of the rule set and the least specific rules at the bottom of the rule set. Group like-protocol rules together.
Firewall Performance: place the protocols bearing the most traffic at the top of the rule set. This will generally be HTTP.
The Firewall must distinguish packets by: the arrival/departure interface; the type of packet; the source/destination address; the source/destination port; the IP header option; the ICMP message; the ACK bit.
Typical Configuration Rules

NOTE: These rules are generic examples and not specific to any Firewall. They are presented at the cautious level. These rules handle only HTTP and SMTP traffic.

Rule   Direct  SIP    SPRT   DIP        DPRT   OPT  Flag  PKT  TYP  ACT
HTTP1  Out     Any    >1023  Any        80     Any  SYN   TCP  Any  Pass
       Allow an outgoing connection to an HTTP server.
HTTP2  In      Any    80     Any        >1023  Any  SYN   TCP  Any  Pass
       Allow already established HTTP traffic to travel back through the Firewall.
SMTP1  Out     SServ  Any    Any        25     Any  SYN   TCP  Any  Pass
       Allow the mail server to establish an outgoing connection.
SMTP2  In      Any    25     SServ      Any    Any  Any   TCP  Any  Pass
       Allow incoming connections to the mail server.
SMTP3  In      Any    Any    Not SServ  25     Any  ACK   TCP  Any  Drop
       Disallow any connection from the outside other than to the mail server.
HTTP3  In      Any    Any    Not WServ  80     Any  Any   TCP  Any  Drop
       Disallow any connection from the outside other than to the web server.
Typical Configuration Rules (cont.)

These are examples of spoofing rules.

Rule    Direct  SIP        SPRT  DIP     DPRT      OPT     Flag  PKT  TYP  ACT
Source  In      Any        Any   Any     Any       Source  Any   Any  Any  Drop
        Drop all source-routed packets.
Spoof1  In      Internal   Any   Any     Any       Any     Any   Any  Any  Drop
        Drop all packets that appear on the external interface with an internal source IP address.
Spoof2  Out     Outside    Any   Any     Any       Any     Any   Any  Any  Drop
        Drop all packets that appear on the internal interface with an outside source IP address.
Spoof3  In      Any        Any   PServs  Any       Any     Any   Any  Any  Drop
        Drop all incoming packets destined for the protected servers.
Spoof4  In      Any        Any   Any     RIP/OSPF  Any     Any   Any  Any  Drop
        Disallow any incoming routing packets.
Stop1   In      196.7.9.9  Any   Any     Any       Any     Any   Any  Any  Drop
        Drop any packets from this specific IP address.
Typical Configuration Rules (cont.)

These are examples of ICMP rules that pass packets.

Rule   Direct  SIP  SPRT  DIP  DPRT  OPT  Flag  PKT   TYP            ACT
ICMP1  In      Any  Any   Any  Any   Any  Any   ICMP  Source Quench  Pass
       Allow ICMP Source Quench packets from external hosts.
ICMP2  Out     Any  Any   Any  Any   Any  Any   ICMP  Echo Request   Pass
       Allow Echo Requests outbound.
ICMP3  In      Any  Any   Any  Any   Any  Any   ICMP  Echo Reply     Pass
       Allow the replies to the echo requests to be returned.
ICMP5  In      Any  Any   Any  Any   Any  Any   ICMP  Dest Unreach   Pass
       Allow ICMP Destination Unreachable packets from external hosts.
ICMP6  In      Any  Any   Any  Any   Any  Any   ICMP  Serv Unav      Pass
       Allow ICMP Service Unavailable packets from external hosts.
ICMP7  In      Any  Any   Any  Any   Any  Any   ICMP  TTL Exced      Pass
       Allow ICMP Time-to-Live Exceeded packets from external hosts.
Typical Configuration Rules (cont.)

These are examples of ICMP rules that drop packets.

Rule    Direct  SIP  SPRT  DIP  DPRT  OPT  Flag  PKT   TYP           ACT
ICMP7   In      Any  Any   Any  Any   Any  Any   ICMP  Redirect      Drop
        Drop ICMP Redirects on the external interface.
ICMP8   In      Any  Any   Any  Any   Any  Any   ICMP  Echo Request  Drop
        Drop ICMP Echo Requests on the external interface.
ICMP9   Out     Any  Any   Any  Any   Any  Any   ICMP  Echo Reply    Drop
        Drop ICMP Echo Reply packets that are outbound.
ICMP10  Out     Any  Any   Any  Any   Any  Any   ICMP  Dest Unreach  Drop
        Drop ICMP Destination Unreachable packets that are outbound.
ICMP6   Out     Any  Any   Any  Any   Any  Any   ICMP  Serv Unav     Drop
        Drop ICMP Service Unavailable packets that are outbound.
ICMP7   Any     Any  Any   Any  Any   Any  Any   ICMP  Any           Drop
        Drop all ICMP packets in either direction.
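An added example, not from the slides, that evaluates a subset of the rule rows above with first-match semantics and the cautious default (no match means Drop). The symbolic names SServ, WServ, PServs and Internal are bound to constructed 10.4.x.x addresses, and the rows are combined into one ordered list in the order the slides show them; both are assumptions.

```python
import ipaddress

# Constructed for this example: the symbolic names the slide tables use.
INTERNAL = ipaddress.ip_network("10.4.0.0/16")
HOSTS = {"SServ": {"10.4.3.25"}, "WServ": {"10.4.3.80"}, "PServs": {"10.4.3.5"}}
# Columns: name, Direct, SIP, SPRT, DIP, DPRT, OPT, Flag, PKT, TYP, ACT (rows from the slides).
RULES = [
    ("HTTP1", "Out", "Any", ">1023", "Any", "80", "Any", "SYN", "TCP", "Any", "Pass"),
    ("HTTP2", "In", "Any", "80", "Any", ">1023", "Any", "SYN", "TCP", "Any", "Pass"),
    ("SMTP1", "Out", "SServ", "Any", "Any", "25", "Any", "SYN", "TCP", "Any", "Pass"),
    ("SMTP2", "In", "Any", "25", "SServ", "Any", "Any", "Any", "TCP", "Any", "Pass"),
    ("SMTP3", "In", "Any", "Any", "Not SServ", "25", "Any", "ACK", "TCP", "Any", "Drop"),
    ("HTTP3", "In", "Any", "Any", "Not WServ", "80", "Any", "Any", "TCP", "Any", "Drop"),
    ("Source", "In", "Any", "Any", "Any", "Any", "Source", "Any", "Any", "Any", "Drop"),
    ("Spoof1", "In", "Internal", "Any", "Any", "Any", "Any", "Any", "Any", "Any", "Drop"),
    ("Stop1", "In", "196.7.9.9", "Any", "Any", "Any", "Any", "Any", "Any", "Any", "Drop"),
    ("ICMP8", "In", "Any", "Any", "Any", "Any", "Any", "Any", "ICMP", "Echo Request", "Drop"),
    ("ICMP3", "In", "Any", "Any", "Any", "Any", "Any", "Any", "ICMP", "Echo Reply", "Pass"),
]

def addr_ok(spec, addr):
    """Match an SIP/DIP cell: Any, Not <name>, Internal/Outside, a host group or a literal."""
    if spec == "Any":
        return True
    if spec.startswith("Not "):
        return not addr_ok(spec[4:], addr)
    if spec in ("Internal", "Outside"):
        return (ipaddress.ip_address(addr) in INTERNAL) == (spec == "Internal")
    return addr in HOSTS.get(spec, {spec})

def port_ok(spec, port):
    """Match an SPRT/DPRT cell: Any, >N or an exact port."""
    if spec == "Any":
        return True
    return port > int(spec[1:]) if spec.startswith(">") else port == int(spec)

def matches(rule, p):
    _, d, sip, sprt, dip, dprt, opt, flag, pkt, typ, _ = rule
    return (d == p["dir"] and addr_ok(sip, p["sip"]) and port_ok(sprt, p.get("sprt", 0))
            and addr_ok(dip, p["dip"]) and port_ok(dprt, p.get("dprt", 0))
            and opt in ("Any", p.get("opt")) and flag in ("Any", p.get("flag"))
            and pkt in ("Any", p["pkt"]) and typ in ("Any", p.get("typ")))

def decide(packet, rules=RULES):
    """First match wins; with no match the cautious default applies: Drop."""
    for rule in rules:
        if matches(rule, packet):
            return rule[0], rule[-1]
    return "default", "Drop"
```

Because evaluation stops at the first match, an inbound packet carrying an internal source address that happens to fit HTTP2 is passed unless Spoof1 sits above the HTTP rules; that is the "most specific rules at the top" point from the Rules for Rules slide.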