
Defining Firewalls and Other Perimeter Security Devices

In the document Networking Fundamentals, Exam 98-366 (pages 194-197)

172 | Lesson 8

At this point, you can have the router forward PPTP requests to a server (for example, the VPN server we set up in the previous exercise), or you can simply enter a username and password.

8. Enter a username and password. Then verify the password.

9. Save the configuration. This doesn’t really save any information because it is an emulator, but this would work the same way on an actual router. At this point, external users would not be able to connect to your network without a username, password, and VPN adapter utilizing PPTP.

10. Log off the DIR-655.

This is one way for small offices and home offices to create an intranet of their own. By accepting only authenticated VPN connections from users who know the proper username and password, you weed out the general Internet population. This, in addition to security devices and zones on the perimeter of your network, can help keep your data safe. One caveat: PPTP itself is no longer considered secure, because its MS-CHAPv2 authentication can be broken offline, so where the router offers an IPsec-based or other modern VPN, prefer that over PPTP.

Understanding Security Devices and Zones

THE BOTTOM LINE
Security devices such as firewalls are the main defense for a company's networks, whether they are LANs, WANs, intranets, or extranets. Perimeter security zones such as demilitarized zones (DMZs) help keep certain information open to specific users or to the public while keeping the rest of an organization's data secret.

CERTIFICATION READY: How do you define and configure a firewall? (Objective 1.1)

Defining Network Infrastructures and Network Security | 173

connectivity for the entire LAN to the Internet. The firewall also hides the LAN IP addresses.

By default, the IP address 87.69.11.124 should be completely shielded. This means that all inbound ports are effectively closed: the firewall drops unsolicited incoming traffic and admits inbound packets only when they are replies to a session that a LAN computer initiated with a system on the Internet. Even so, you should check this with a third-party application such as Nmap or with a web-based port-scanning utility like ShieldsUP!; both are shown in upcoming exercises. If any ports are open, or unshielded, they should be addressed immediately, and the firewall should then be rescanned to confirm the fix.

Many of today's firewalls have two firewall technologies built into them: SPI and NAT filtering. However, there are a couple of other firewall methodologies of which you should be aware:

Packet filtering inspects each packet that passes through the firewall and accepts or rejects it based on a set of rules. There are two types of filtering: stateless packet inspection and stateful packet inspection (SPI). A stateless packet filter, also known as pure packet filtering, keeps no memory of the packets that have already passed through the firewall; it judges every packet on its own header fields (addresses, ports, flags).

Because of this, a stateless packet filter can be fooled by IP spoofing: a forged packet whose header looks like a reply to an existing session (for example, a TCP packet with the ACK bit set) is accepted even though no such session exists. A firewall running stateful packet inspection is normally not vulnerable to this, because it keeps track of the state of every connection by examining each packet's header and admits inbound traffic only when it matches a session that an inside host actually started.

It can therefore distinguish between legitimate and illegitimate packets. This function operates at the network layer of the OSI model, although the rules also consult transport-layer fields such as TCP and UDP port numbers.

NAT filtering, also known as NAT endpoint filtering, decides which inbound packets may use a NAT mapping (a translated TCP or UDP port) that an outbound connection created. This can be done in three ways, from least to most restrictive: endpoint-independent filtering accepts any inbound traffic addressed to the mapped port; address-restricted filtering accepts it only from the IP address the LAN host sent to; port-and-address-restricted filtering accepts it only from the matching IP address and port. These are the three options the DIR-655 offers under NAT Endpoint Filtering, and the same behaviours are defined, under slightly different names, in RFC 4787.

Application-level gateway (ALG) supports address and port translation and checks whether the type of application traffic is allowed. For example, your company might allow FTP traffic through the firewall but decide to block Telnet. The ALG inspects each packet coming in, identifies the application protocol, and discards the Telnet packets. Because it must understand each protocol, this adds a layer of security but is resource intensive. On SOHO routers, the protocol-specific ALGs (such as the PPTP, IPsec, RTSP, and SIP ones enabled in the exercise below) exist mainly to let protocols that carry addresses or ports inside their payload work through NAT.

Circuit-level gateway works at the session layer of the OSI model: it validates a TCP or UDP connection when it is established, and once the connection has been made, packets flow between the hosts without further checking. Circuit-level gateways hide information about the private network, but they do not filter individual packets.
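To make the difference between stateless filtering, SPI, and the three NAT endpoint-filtering modes concrete, here is an added example that is not from the textbook: a small Python model in which a stateless filter applies the hypothetical rule "inbound TCP with ACK set is a reply", an SPI filter tracks the sessions inside hosts open, and a NAT applies endpoint-independent, address-restricted, or port-and-address-restricted filtering to inbound packets. Every packet, the 10.0.0.0/24 LAN, the peer addresses, and the class and function names are constructed for the example; only 87.69.11.124 is borrowed from the book's text.

```python
"""Added example (not from the textbook): a toy model of a stateless packet
filter, stateful packet inspection (SPI) and NAT endpoint filtering. Every
address, port and packet is constructed; 87.69.11.124 is only borrowed from
the book's example and 10.0.0.0/24 is an assumed LAN."""
from dataclasses import dataclass

LAN_PREFIX = "10.0.0."      # assumed LAN
WAN_IP = "87.69.11.124"     # router's public address (book's example)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""         # TCP flag letters, e.g. "S", "SA", "A"

    def from_lan(self) -> bool:
        return self.src.startswith(LAN_PREFIX)


class StatelessFilter:
    """Judges each packet on its own header. Its hypothetical rule 'inbound TCP
    with ACK set must be a reply' is the shortcut that spoofing abuses."""

    def allow(self, pkt: Packet) -> bool:
        if pkt.from_lan():
            return True                       # outbound is always permitted
        return pkt.proto == "tcp" and "A" in pkt.flags


class StatefulFilter:
    """SPI: admit an inbound packet only if it matches a session an inside host started."""

    def __init__(self) -> None:
        self.sessions = set()                 # (lan_ip, lan_port, peer_ip, peer_port, proto)

    def allow(self, pkt: Packet) -> bool:
        if pkt.from_lan():
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions


class NatEndpointFilter:
    """NAT with the three endpoint-filtering modes the DIR-655 offers."""
    MODES = ("endpoint_independent", "address_restricted", "port_and_address_restricted")

    def __init__(self, mode: str) -> None:
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode = mode
        self.next_port = 40000
        self.mapping = {}     # (lan_ip, lan_port, proto) -> public port
        self.peers = {}       # (public port, proto) -> {(peer_ip, peer_port), ...}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.mapping:           # first use: allocate a public port
            self.mapping[key] = self.next_port
            self.next_port += 1
        pub = self.mapping[key]
        self.peers.setdefault((pub, pkt.proto), set()).add((pkt.dst, pkt.dport))
        return Packet(WAN_IP, pub, pkt.dst, pkt.dport, pkt.proto, pkt.flags)

    def inbound(self, pkt: Packet):
        """Translate an inbound packet, or return None when the filter drops it."""
        peers = self.peers.get((pkt.dport, pkt.proto))
        if pkt.dst != WAN_IP or peers is None:
            return None                       # no mapping at all: unsolicited
        if self.mode == "address_restricted" and pkt.src not in {ip for ip, _ in peers}:
            return None
        if self.mode == "port_and_address_restricted" and (pkt.src, pkt.sport) not in peers:
            return None
        lan_ip, lan_port, _ = next(k for k, v in self.mapping.items()
                                   if v == pkt.dport and k[2] == pkt.proto)
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.proto, pkt.flags)


def spoofed_reply_verdicts() -> tuple:
    """A LAN host opens a TCP session; an outsider then forges a 'reply' from an
    address the host never contacted. Returns (stateless_allows, spi_allows)."""
    stateless, spi = StatelessFilter(), StatefulFilter()
    syn = Packet("10.0.0.5", 51000, "93.184.216.34", 443, flags="S")
    forged = Packet("198.51.100.9", 443, "10.0.0.5", 51000, flags="A")
    stateless.allow(syn)
    spi.allow(syn)
    return stateless.allow(forged), spi.allow(forged)


def nat_verdicts(mode: str) -> tuple:
    """A LAN host sends one UDP datagram to 203.0.113.7:3478. Returns whether
    inbound UDP is then admitted from (same peer, same IP other port, other IP)."""
    nat = NatEndpointFilter(mode)
    out = nat.outbound(Packet("10.0.0.5", 51000, "203.0.113.7", 3478, proto="udp"))
    probes = [Packet("203.0.113.7", 3478, WAN_IP, out.sport, proto="udp"),
              Packet("203.0.113.7", 9999, WAN_IP, out.sport, proto="udp"),
              Packet("198.51.100.9", 3478, WAN_IP, out.sport, proto="udp")]
    return tuple(nat.inbound(p) is not None for p in probes)
```

Calling spoofed_reply_verdicts() gives (True, False): the stateless rule lets the forged ACK through, the SPI filter drops it because no session matches. nat_verdicts() shows the three modes tightening from (True, True, True) through (True, True, False) to (True, False, False); the last is the Port and Address Restricted setting chosen in the exercise below.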

Examples of network firewalls include the following:

• The D-Link DIR-655 SOHO router/firewall used previously

• Cisco PIX/ASA firewalls

• Juniper NetScreens

• Microsoft's Internet Security and Acceleration Server (ISA) and Forefront

CONFIGURE A SOHO FOUR-PORT FIREWALL

GET READY. Let's explore where to go on a SOHO router to turn on SPI and NAT filtering firewalls. To do so, perform these steps:

1. Access the D-Link DIR-655 router emulator at the following link: http://support.dlink.com/emulators/dir655/133NA/login.html

2. Log in (no password is required).

3. On the main Device Information page, click the Advanced link near the top of the window. This should bring up the Advanced page.

4. On the left side, click the Firewall Settings link. This should display the Firewall Settings window.

TAKE NOTE: Scan whatever firewall you are running with Nmap or an online scanner such as ShieldsUP!


5. Take note of the first setting: Enable SPI. This is stateful packet inspection. It should be selected by default, but if not, select it and move on to the next step.

6. View the NAT Endpoint Filtering section directly under the Firewall Settings. Increase the security of UDP Endpoint Filtering by selecting the Port and Address Restricted radio button. This is the most restrictive of the three modes; some VoIP and gaming applications that rely on UDP hole punching may need one of the looser settings.

7. Next, enable anti-spoofing by selecting the Enable anti-spoofing checking check box. In general, anti-spoofing means rejecting packets whose source address could not legitimately have arrived on that interface, such as WAN-side packets claiming a LAN address.

8. Finally, scroll down and view the Application Level Gateway (ALG) Configuration. PPTP, IPSec (VPN), RTSP, and SIP should all be selected.

SCAN HOSTS WITH Nmap

GET READY. In this exercise, we will scan a computer with Nmap. Nmap is a network scanner best known for its port scanning abilities (its scripting engine can also run vulnerability checks). We will use this tool to scan for open ports on a computer.

1. Download and install the command-line version of the Nmap program. You will also be prompted to install the WinPcap program (current Windows installers bundle its successor, Npcap, instead).

2. Extract the contents to a folder of your choice.

3. Write down the IP address of a Windows host on your network. For this example, we will use a host with the IP address 10.254.254.208.

4. Scan the ports of that host with the -sS parameter (for example, nmap -sS 10.254.254.208). A SYN scan sends raw packets, so run it from an administrator command prompt (or as root on Linux).

5. If there are non-essential ports open, turn off their corresponding unnecessary services, such as FTP or HTTP. This can be done in a variety of places, including Computer Management. If there are no services that you wish to turn off, enable one and then rescan the ports with Nmap (to show that the service is running), turn off the service, and move on to the next step.

6. Scan the ports of that host a second time, once again with the -sS parameter. This time, you are verifying that the services are turned off by confirming that the corresponding ports are closed.

7. If possible, scan the ports of a four-port SOHO router/firewall or a computer with a firewall running. Add the -P0 parameter, which current Nmap releases spell -Pn (for example, nmap -sS -Pn 10.254.254.208).

This may take up to five minutes. Doing this will verify whether the firewall is running properly by displaying that all of the ports are filtered. Without -Pn, Nmap first sends host-discovery probes (ICMP and TCP by default) before scanning any ports; a device that drops them all is reported as down and its ports are never scanned, so the plain -sS scan from the previous steps appears not to work against a fully firewalled device. -Pn is not a scan type but an instruction to skip that host discovery and scan every port regardless; it takes longer because each probe has to time out instead of being answered.
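The checks in steps 5 to 7 above, and the "Stealth" result that the ShieldsUP! exercise below looks for, can be automated over Nmap's grepable output (nmap -oG file). The following is an added example, not from the textbook: it parses -oG lines, reports which ports went from open to closed between the two scans, lists open ports that are not on an allow-list, and decides whether a host is fully stealthed (nothing open or closed, the bulk state filtered). The three blocks of scan output are constructed to match the -oG format and were not captured from any host; the addresses are the ones the exercise text uses, and the function names are the example's own.

```python
"""Added example (not from the textbook): parse Nmap grepable output (-oG) and
automate the checks the exercise makes by eye. The scan output below is
constructed to look like real -oG output; it was not captured from any host."""
import re

# nmap -sS -oG before.gnmap 10.254.254.208   (step 4: FTP and HTTP still running)
BEFORE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -oG before.gnmap 10.254.254.208
Host: 10.254.254.208 ()\tStatus: Up
Host: 10.254.254.208 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
# Nmap done at Mon Jan  1 10:00:03 2024 -- 1 IP address (1 host up) scanned in 2.51 seconds
"""

# nmap -sS -oG after.gnmap 10.254.254.208   (step 6: FTP and HTTP services stopped)
AFTER = """\
Host: 10.254.254.208 ()\tStatus: Up
Host: 10.254.254.208 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
"""

# nmap -sS -Pn -oG fw.gnmap 87.69.11.124   (step 7: the firewall drops every probe)
FIREWALL = """\
Host: 87.69.11.124 ()\tStatus: Up
Host: 87.69.11.124 ()\tIgnored State: filtered (1000)
"""

# -oG port fields: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")


def parse_gnmap(text):
    """Map each host to its listed ports {(port, proto): (state, service)} and to
    the (state, count) that Nmap summarises under 'Ignored State'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                          # comment lines and anything else
        entry = hosts.setdefault(line.split()[1], {"ports": {}, "ignored": None})
        for m in PORT_RE.finditer(line):
            entry["ports"][(int(m.group(1)), m.group(3))] = (m.group(2), m.group(5))
        m = IGNORED_RE.search(line)
        if m:
            entry["ignored"] = (m.group(1), int(m.group(2)))
    return hosts


def open_ports(text, host):
    entry = parse_gnmap(text).get(host, {"ports": {}})
    return sorted(p for p, (state, _) in entry["ports"].items() if state == "open")


def newly_closed(before, after, host):
    """Ports open in the first scan that are no longer open in the second (step 6)."""
    return sorted(set(open_ports(before, host)) - set(open_ports(after, host)))


def unexpected_open(text, host, allowed=frozenset()):
    """Open ports not on an allow-list of (port, proto) tuples (step 5)."""
    return sorted(p for p in open_ports(text, host) if p not in allowed)


def is_stealth(text, host):
    """True when nothing answered at all: no port reported open or closed and the
    bulk 'Ignored State' is filtered. This is what ShieldsUP! calls Stealth."""
    entry = parse_gnmap(text).get(host)
    if entry is None or entry["ignored"] is None:
        return False
    if any(state != "filtered" for state, _ in entry["ports"].values()):
        return False
    return entry["ignored"][0] == "filtered"
```

Read the real files with open("before.gnmap").read() in place of the constructed strings. A host that answers "closed" for its unused ports is not stealthed: a reset still tells a scanner that something is there, which is why is_stealth() rejects any closed port as well as any open one.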

SCAN THE INTERNET CONNECTION WITH ShieldsUP!

GET READY. There are several online port scanners available. This exercise requires an Internet connection in order to access one of them. This exercise will scan the ports of whatever device is facing the Internet. This could be the local computer if it connects directly to the Internet or a four-port router, or perhaps a more advanced firewalling device. It all depends on your network scenario.

1. With a web browser, connect to www.grc.com.

2. Click on the ShieldsUP! picture.

3. Scroll down and click the ShieldsUP! link.

4. Click the Proceed button.

5. Select the Common Ports scan. This will initiate a scan of the computer or device that is being displayed to the Internet. If you access the Internet through a router/firewall, then this will be the device that is scanned. If your computer connects directly to the Internet, then the computer will be scanned.

6. Make note of the results. The report shows the public IP that was scanned, then lists each port scanned and its status. The desired result for every listed port is "Stealth," meaning the device did not answer the probe at all (Nmap reports the same condition as "filtered"). "Closed" means the device answered with a reset, which at least reveals that a host exists at that address; "Open" means a service accepted the connection. If there are Open or Closed ports, check that the firewall is enabled and operating properly.

7. Try a few other scans, such as All Service Ports or File Sharing.

CERTIFICATION READY: How would you define a DMZ? (Objective 1.1)

A proxy server acts as an intermediary between a LAN and the Internet. By definition, proxy means “go-between,” acting as such a mediator between a private and a public network. The proxy server evaluates requests from clients, and if they meet certain criteria, forwards them to the appropriate server. There are several types of proxies, including the following:

Caching proxy attempts to serve client requests without actually contacting the remote server. Although there are FTP and SMTP proxies among others, the most common caching proxy is the HTTP proxy, also known as a web proxy, which caches web pages from servers on the Internet for a set amount of time. This is done to save bandwidth on the company’s Internet connection and to increase the speed at which client requests are carried out.

IP proxy hides the private addresses of the machines behind it from the outside network; it does this through the use of NAT. For example, a basic four-port router acts as an IP proxy for the clients on the LAN it protects.

Another example of a proxy in action is Internet content filtering. An Internet content filter, or simply a content filter, is usually applied as software at the application layer and it can filter out various types of Internet activities, such as access to certain Web sites, email, instant messaging, and so on.

Although firewalls are often the device closest to the Internet, sometimes another device is placed in front of the firewall, making it the closest to the Internet: a network intrusion detection system, or perhaps a more advanced network intrusion prevention system.

A network intrusion detection system (NIDS) is a type of IDS that attempts to detect malicious network activities (e.g., port scans and DoS attacks) by constantly monitoring network traffic. The NIDS then reports any issues it finds to a network administrator, provided it is configured properly; it observes traffic (typically from a mirror port or a tap) and does not itself block anything.

A network intrusion prevention system (NIPS) sits inline in the traffic path and, based on its configuration or security policy, can drop, hold, or redirect malicious traffic in addition to simply detecting it.
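The port-scan detection a NIDS performs, as an added example that is not from the textbook: the script below reads connection-log lines in a made-up key=value format, counts the distinct destination ports each source touches on one target within a sliding time window, raises an alert when the count reaches a threshold, and turns the alerts into the block list a NIPS would enforce inline. The log lines, addresses, threshold, window length, and function names are all constructed for the example.

```python
"""Added example (not from the textbook): a minimal NIDS-style port-scan
detector over constructed connection-log lines, plus the block list a NIPS
would act on. Log format, addresses, threshold and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log: one benign client and one host probing ten ports in ten seconds.
LOG = """\
2024-01-01T10:00:00 src=10.254.254.50 dst=10.254.254.208 dport=445 proto=tcp flags=S
2024-01-01T10:00:01 src=198.51.100.9 dst=10.254.254.208 dport=21 proto=tcp flags=S
2024-01-01T10:00:02 src=198.51.100.9 dst=10.254.254.208 dport=22 proto=tcp flags=S
2024-01-01T10:00:03 src=198.51.100.9 dst=10.254.254.208 dport=23 proto=tcp flags=S
2024-01-01T10:00:04 src=198.51.100.9 dst=10.254.254.208 dport=25 proto=tcp flags=S
2024-01-01T10:00:05 src=198.51.100.9 dst=10.254.254.208 dport=80 proto=tcp flags=S
2024-01-01T10:00:06 src=198.51.100.9 dst=10.254.254.208 dport=110 proto=tcp flags=S
2024-01-01T10:00:07 src=198.51.100.9 dst=10.254.254.208 dport=135 proto=tcp flags=S
2024-01-01T10:00:08 src=198.51.100.9 dst=10.254.254.208 dport=139 proto=tcp flags=S
2024-01-01T10:00:09 src=198.51.100.9 dst=10.254.254.208 dport=443 proto=tcp flags=S
2024-01-01T10:00:10 src=198.51.100.9 dst=10.254.254.208 dport=445 proto=tcp flags=S
2024-01-01T10:00:30 src=10.254.254.50 dst=10.254.254.208 dport=80 proto=tcp flags=S
2024-01-01T10:00:31 src=10.254.254.50 dst=10.254.254.208 dport=443 proto=tcp flags=S
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) flags=(\S*)$")


def detect_port_scans(log_text, threshold=8, window_seconds=10):
    """Return one alert (src, dst, first_probe_time, distinct_ports) per source/target
    pair whose distinct destination ports within a sliding window reach the
    threshold. Only TCP SYNs (connection attempts) are counted, so replies and
    established traffic do not inflate the count."""
    recent = defaultdict(deque)          # (src, dst) -> deque of (timestamp, dport)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines in another format
        ts = datetime.fromisoformat(m.group(1))
        src, dst, dport = m.group(2), m.group(3), int(m.group(4))
        if m.group(5) == "tcp" and m.group(6) != "S":
            continue
        window = recent[(src, dst)]
        window.append((ts, dport))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()             # drop probes that fell out of the window
        distinct = {p for _, p in window}
        if len(distinct) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append((src, dst, window[0][0].isoformat(), len(distinct)))
    return alerts


def block_list(alerts):
    """What a NIPS would do with the same evidence: the sources to drop inline."""
    return sorted({src for src, _, _, _ in alerts})


if __name__ == "__main__":
    found = detect_port_scans(LOG)
    for a in found:
        print("ALERT port scan: %s -> %s starting %s (%d distinct ports)" % a)
    print("NIPS block list:", block_list(found))
```

On the constructed log the scanner 198.51.100.9 trips the threshold at its eighth port while the benign client, which only touches 445, 80 and 443, never does. A real NIDS also has to handle slow scans that stay under any single window, which is why the window and threshold are parameters rather than constants.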
