Lesson 5 - Configuring Firewalls


Tactical Perimeter Defense

Lesson 5
Configuring Firewalls
Objectives
5A: Describe standard firewall functionality and common implementation practices
5B: Install, configure, and monitor Microsoft ISA Server 2006
5C: Examine the concepts of IPTables
5D: Apply firewall concepts and knowledge to a given scenario
Topic 5A
Understanding Firewalls

• Firewall Basics
• Firewall Terms
• Basic Functions of a Firewall
• Address, Port, Protocol, and Service
Firewalls and the OSI Model

Firewalls operate at Layers 2, 3, 4, and 7 of the OSI Model
– Layer 2, Data Link
– Layer 3, Network
– Layer 4, Transport
– Layer 7, Application
Common Types of Firewalls

Simple Packet Filtering Firewalls
– Layers 2 and 3
– Packet Filter Weaknesses
Stateful Packet Filter Firewalls
– Layers 2, 3, and 4
Application Level Firewalls
– Layers 2, 3, 4, and 7
Building Firewall Rules

Three basic options:
– Accept
– Deny
– Discard (similar to deny, but no error message returned to the source address)

Order of a rule set is critical


Common Firewall Topologies

Single perimeter firewall

Three-legged DMZ

Chained DMZ
What a Firewall Cannot Do
Protect against internal threats
– Disgruntled or unscrupulous workers
– Weak password policies
– Poor administration practices
Protect against attacks that do not traverse the firewall
– Personal modems or unauthorized wireless connections
– Social engineering
Protect against attacks on services that are allowed through the firewall
– Allowed inbound traffic
– Malware and browser threats
Topic 5B
Configuring Microsoft ISA Server 2006

There are many tasks in this topic. Be sure to follow carefully, and in the event that a task does not work, please discuss and solve that task before moving on, as many tasks build on earlier tasks in the topic.
ISA Server 2006

• Introduction to ISA Server 2006
• Common Deployment Scenarios for ISA Server 2006
• Protecting your network against both internal and external threats
• Versions of ISA Server 2006
TASK 5B-1: Preparing for the ISA Server 2006

TASK 5B-2: Install Microsoft ISA Server 2006


Configuring ISA Server 2006

Five Basic Steps
1. Define ISA Server network configuration
2. Create Firewall Policy rules
3. Define how ISA Server caches web content
4. Configure VPN Access (if required)
5. Set up ISA Server monitoring
ISA Server Management Console

Console tree

Details pane

Tasks pane
TASK 5B-3: Exploring the Microsoft ISA Server 2006 Interface
Exporting / Importing ISA Server 2006 Configuration as XML Files

TASK 5B-4: Exporting the Default Configuration
ISA Server 2006 Firewall Policies

ISA Server 2006 Basic Rule Types
– Access Rules
• Controlling network traffic from the Internal network to the External network
– Publishing Rules
• Control access for requests from the External network to the Internal network.
– Network Rules
• Gain further control, using source, destination, network relationship, and so on…
Processing Firewall Policies

Outgoing Requests
– Verify the networks are connected, then process the packet
– The rules check the packet in this order:
• Protocol
• Source Address and Port
• Schedule
• Destination Address
• User Set
• Content Groups
Processing Firewall Policies, Cont’d.

• Incoming Requests
• Built-in Publishing Rules:
– Web Publishing Rules
– Secure Web Publishing Server Rules
– Mail Server Publishing Rules
– Server Publishing Rules
• Access rules that Deny traffic are processed before publishing rules that Allow traffic.
TASK 5B-5: Creating A Basic Access Rule
ISA Server 2006 Access Rule Elements

Eight Basic Rule Elements
– Name
– Action
– Protocols
– Network
– Source
– Destination
– Users
– Schedule Content Types
Creating Rule Elements

TASK 5B-6: Creating a Protocol Rule Element

TASK 5B-7: Creating a User Rule Element

TASK 5B-8: Creating a Content Group Rule Element
ISA Server 2006 Scheduling

TASK 5B-9: Creating and Modifying Schedule Rule Elements

TASK 5B-10: Using Content Types and Schedules in Rules
ISA Server 2006 Network Rule Elements
ISA Server 2006 creates network elements for the
following objects:
– Networks
– Network sets
– Computers
– Address Ranges
– Subnets
– Computer Sets
– URL Sets
– Domain Name Sets
– Web Listeners
– Server Farms
TASK 5B-11: Creating a Network Rule Element
ISA Server 2006 Publishing Rules

• Publishing rules control access from the external network to resources on the internal network
• Publishing rules require a Listener Element.
• The Listener Element describes the interface ISA Server should be listening on for access requests to the internal network.
TASK 5B-12: Configuring a Web Publishing Rule
ISA Server 2006 Caching

ISA Server 2006 Supports Two Types of Caching:
– Forward Caching
– Reverse Caching
Three main cache configurations:
– Cache Drive Settings
– Cache Drive Rules
– Content Download Jobs
TASK 5B-13: Enabling and Configuring Caching
ISA Server 2006 Network Templates

Network Templates can be used to configure rule elements.

Three configuration tabs can be used:
– Network Sets
– Network Rules
– Web Chaining
TASK 5-14: Install Second Loopback Adapter

TASK 5B-15: Configure ISA Server in a Three-legged DMZ
Configure ISA Server Monitoring

Eight Primary Monitoring options
– Dashboard
– Alerts
– Sessions
– Services
– Reports
– Connectivity
– Logs
– Performance Monitor
TASK 5B-16: Working with Alerts

TASK 5B-17: Working with Reports


ISA Server 2006 Logging

• Alerts provide solid real-time data, while logging provides longer term historical data.
• Logging is split between two logs:
– Web Proxy logs
– Firewall Service logs
• ISA logs, by default, to a local MSDE (Microsoft SQL Server Database Engine) database on the ISA Server.
TASK 5B-18: Configuring Logging Options
Final ISA Server 2006 Options

Secure ISA Server 2006 with the Security Configuration Wizard

ISA Server Packet Prioritization

Uninstalling ISA Server 2006

TASK 5B-19: ISA Server 2006 and the Security Configuration Wizard

TASK 5B-20: Configuring Packet Prioritization

TASK 5B-21: Uninstalling ISA Server 2006


Topic 5C
IPTables Concepts
IPTables
– A packet-filtering firewall, which can be installed with the O/S or added on independently.
Can perform NAT / Masquerading
Three main sets of tables:
– Filter
– NAT
– Mangle
(In this course, you will work with Filter)
Topic 3D
IPTables
• Packet-filtering firewall that checks its rules on every packet as it enters an interface
• Performs NAT as well
Process of the Packet
Chain Fundamentals

There are three built-in chains; these cannot be removed from the system
– INPUT
– OUTPUT
– FORWARD

Upon a match, basic actions available
– Accept
– Drop
The Flow of the Chains
Configuration Options
Chain Management
-N chain
creates a new chain named chain
-X chain
deletes a chain
-P chain target
sets the policy for the built in chains
-L chain
lists the rules that are in the chain
-F chain
flushes the rules from a chain
Rule Management

-A chain rule
– appends a rule to the chain
-I chain rule-number rule
– inserts a rule into a chain by specifying a positional number
-R chain rule-number rule
– replaces an existing rule as defined by the rule-number
Rule Management

-D chain rule-number
– deletes a rule based on its rule-number
-D chain rule
– deletes a rule by typing the rule in
Rule Creation

-s source
indicator for the source IP address
-d destination
destination IP address (hostname)
-p protocol
TCP, UDP, ICMP, IP
Rule Creation

-g chain
Go to the defined chain, without return
-j target
jumps to the target, such as deny or accept
--syn
defines SYN packets (note the two dashes)
Other Options

Port numbers
– (Use two dashes) --dport <port> or --sport <port>
– Can use a range of ports 1:1024
! entry
– negates whatever follows it
0/0 or “any”
ICMP Types

• Destination-unreachable
• Source-quench
• Time-exceeded
• Parameter problem
• Echo-request
• Echo-reply
Rule Examples

Modification of a default chain
– iptables -P INPUT DROP

Creation of a new chain
– iptables -N chainname

Deleting a chain
– iptables -X chainname
Rule Examples

Flushing a chain
– iptables -F chainname

Checking for connections
– iptables -A chainname -p TCP -s 10.0.10.10 --syn -j DROP
Rule Examples

Negating values
iptables -A OUTPUT -p TCP ! -d 172.168.35.40 --dport 80
iptables -A OUTPUT -p TCP -d 172.168.35.40 ! --dport 80
iptables -A INPUT ! -i lo

Defining a Target
iptables -A INPUT -s 10.0.10.100 -j DROP
iptables -A INPUT -p TCP -d 0.0.0.0/0 --dport 12345 -j DROP
Rule Examples

Rules with multiple options
iptables -A OUTPUT -p TCP -s 10.0.10.0/24 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 31337 -j DROP
iptables -A INPUT -p TCP -s 0.0.0.0/0 -d 10.0.10.0/24 --dport 5000:10000 -j DROP
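
An added example (not part of the original slides): a toy shell model of one chain, showing why the order of a rule set is critical and how -A (append) differs from -I (insert at a position). The 5000:10000 range comes from the rule examples above; the port 8080 exception and all function names are constructed, and the model never calls iptables.

```shell
#!/bin/sh
# Toy model of a single chain: one "PORTSPEC TARGET" rule per line in $CHAIN,
# checked top to bottom. The first matching rule decides; otherwise the
# chain policy applies. Evaluation model only, no kernel interaction.

CHAIN=""          # e.g. "5000:10000 DROP"
POLICY="ACCEPT"   # default policy, as set with -P

chain_append() {  # models: iptables -A chain --dport $1 -j $2
    CHAIN="${CHAIN}$1 $2
"
}

chain_insert() {  # models: iptables -I chain $1 --dport $2 -j $3
    CHAIN=$(printf '%s' "$CHAIN" | awk -v pos="$1" -v rule="$2 $3" '
        NR == pos { print rule } { print } END { if (NR < pos) print rule }')
    CHAIN="${CHAIN}
"
}

verdict() {       # verdict DPORT: prints the target that decides the packet
    printf '%s' "$CHAIN" | awk -v port="$1" -v policy="$POLICY" '
        NF < 2 { next }
        {
            n = split($1, r, ":")               # "80" or "5000:10000"
            lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
            if (port + 0 >= lo && port + 0 <= hi) { print $2; found = 1; exit }
        }
        END { if (!found) print policy }'
}

demo() {
    CHAIN=""; POLICY="ACCEPT"
    chain_append 5000:10000 DROP    # range rule from the slides
    chain_append 8080 ACCEPT        # constructed exception, appended too late
    before=$(verdict 8080)
    CHAIN=""
    chain_append 5000:10000 DROP
    chain_insert 1 8080 ACCEPT      # same exception, inserted at position 1
    after=$(verdict 8080)
    echo "8080 with -A: $before   8080 with -I 1: $after"
}

demo
```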
Example: Case Study

Firewall Goals

Configuration
An example network for firewall implementation.
Task 5C-1: Chain Management
Topic 5D
Implementing Firewall Technologies

Firewall Lab Configuration
– the conceptual network
– the physical layout
– a barebones agreement on policy
Figure: The Conceptual Network
Configuring the Internal Firewall

1. Decide if you will modify the default policies, and write down what you would modify them to
2. Decide if you want to create new rules/chains for management, and write them down
3. In Linux, if you created new chains, define the jumps to these chains
Configuring the Internal Firewall

4. Define the general goals of the firewall
5. Write down the rules you will configure
6. Describe how you will verify that the rules and chains are correct
Suggested Solutions

1. Configure the default policies
2. Creating new chains
3. Configuring the jumps to the new chains
4. Defining the overall goals
5. Configuring the Rules
Configuring the External Firewall

Removing chains currently being used
1. Flush all rules from all the chains you have created
2. Delete the chains once the rules have been flushed
3. Modify the default policies back to Accept, so the system is as if no rules or modifications have taken place
Planning Out the Chains and Rules Used

1. Decide if you will modify the default policies, write down what you would modify
2. Decide if you want to create new chains for management, write them down
3. If you created new chains, define the jumps to these chains
4. Define the general goals of the firewall
Planning Out the Chains and Rules Used
5. Write down the rules you will configure
6. Describe how you will verify the rules and chains are correct
Suggested Solution

1. Configure the default policies
2. Creating new chains
3. Configuring the targets
4. Defining the overall goals
5. Configuring the rules
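
The planning steps and the teardown sequence above, written out as one script. This is an added example, not part of the original slides or the course's suggested solution. The chain name LAN_OUT, the port 443 rule and the conntrack rule are assumptions; 10.0.10.0/24 is the network from the earlier rule examples. By default the script only prints the commands.

```shell
#!/bin/sh
# Dry run by default: commands are printed, not executed.
# On a lab host, apply as root with:  IPT=iptables sh fw.sh build
IPT="${IPT:-echo iptables}"
LAN="10.0.10.0/24"   # internal network from the page's rule examples
CH="LAN_OUT"         # hypothetical name for the user-defined chain

fw_build() {
    # 1. Default policies: drop whatever no rule accepts.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # 2. New chain for traffic leaving the internal network.
    $IPT -N "$CH"
    # 3. Jumps. Replies to accepted connections are allowed first
    #    (conntrack match: an addition, not covered on the page).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p tcp -s "$LAN" -j "$CH"
    # 5. Rules. A packet that matches none of them returns to FORWARD
    #    and is dropped by the policy set in step 1.
    $IPT -A "$CH" -p tcp --dport 80 -j ACCEPT
    $IPT -A "$CH" -p tcp --dport 443 -j ACCEPT   # constructed second rule
}

fw_verify() {
    # 6. Numbered listing with packet counters, then the rules as commands.
    $IPT -L -n -v --line-numbers
    $IPT -S
}

fw_teardown() {
    # -X fails while a jump still references the chain: remove the jump first.
    $IPT -D FORWARD -p tcp -s "$LAN" -j "$CH"
    $IPT -F "$CH"
    $IPT -X "$CH"
    $IPT -F
    for c in INPUT FORWARD OUTPUT; do $IPT -P "$c" ACCEPT; done
}

case "${1:-}" in build|verify|teardown) "fw_$1" ;; esac
```

After `build`, send test traffic and rerun `verify`: the packet counters on each numbered rule show which rule actually matched.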
Lesson 5 Summary
Lesson 5 Review
End of Lesson 5
