Lesson 5 - Configuring Firewalls
Lesson 5
Configuring Firewalls
Objectives
5A: Describe standard firewall functionality and common implementation practices
5B: Install, configure, and monitor Microsoft ISA Server 2006
5C: Examine the concepts of iptables
5D: Apply firewall concepts and knowledge to a given scenario
Topic 5A
Understanding Firewalls
• Firewall Basics
• Firewall Terms
• Basic Functions of a Firewall
• Address, Port, Protocol, and Service
Firewalls and the OSI Model
Three-legged DMZ
Chained DMZ
What a Firewall Cannot Do
• Protect against internal threats
– Disgruntled or unscrupulous workers
– Weak password policies
– Poor administration practices
• Protect against attacks that do not traverse the firewall
– Personal modems or unauthorized wireless connections
– Social engineering
• Protect against attacks on services that are allowed through the firewall
– Allowed inbound traffic
– Malware and browser threats
Topic 5B
Configuring Microsoft ISA Server 2006
Console tree
Details pane
Tasks pane
TASK 5B-3: Exploring the Microsoft ISA Server 2006 Interface
Exporting / Importing ISA Server 2006 Configuration as XML Files
• Outgoing Requests
– Verify the networks are connected, then process the packet
– The rules check the packet in this order:
• Protocol
• Source Address and Port
• Schedule
• Destination Address
• User Set
• Content Groups
Processing Firewall Policies, Cont’d.
• Incoming Requests
• Built-in Publishing Rules:
– Web Publishing Rules
– Secure Web Publishing Server Rules
– Mail Server Publishing Rules
– Server Publishing Rules
• Access rules that Deny traffic are processed before publishing rules that Allow traffic.
TASK 5B-5: Creating A Basic Access Rule
ISA Server 2006 Access Rule Elements
-A chain rule
– appends a rule to the end of the chain
-I chain rule-number rule
– inserts a rule into a chain at the given positional number (position 1 when omitted)
-R chain rule-number rule
– replaces the existing rule at rule-number with the new rule
Rule Management
-D chain rule-number
– deletes a rule based on its rule-number
-D chain rule
– deletes a rule by typing the rule in
Rule Creation
-s source
– the source IP address or network
-d destination
– the destination IP address, network, or hostname
-p protocol
– TCP, UDP, ICMP, or IP
Rule Creation
-g chain
– goes to the defined chain without returning to the calling chain
-j target
– jumps to the target, such as DROP or ACCEPT
--syn
– matches TCP packets with only the SYN flag set, i.e. new connection attempts (note the two dashes)
Other Options
• Port numbers
– --dport <port> or --sport <port> (note the two dashes)
– A range of ports can be given as low:high, for example 1:1024
• ! entry
– negates whatever follows it
• 0/0 or "any"
– matches any address
ICMP Types
• Destination-unreachable
• Source-quench
• Time-exceeded
• Parameter-problem
• Echo-request
• Echo-reply
Rule Examples
Deleting a chain
– iptables -X chainname
Rule Examples
Flushing a chain
– iptables -F chainname
Negating values
iptables -A OUTPUT -p TCP ! -d 172.168.35.40 --dport 80
iptables -A OUTPUT -p TCP -d 172.168.35.40 ! --dport 80
iptables -A INPUT ! -i lo
Defining a Target
iptables -A INPUT -s 10.0.10.100 -j DROP
iptables -A INPUT -p TCP -d 0.0.0.0/0 --dport 12345 -j DROP
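An added illustration, not from the course slides: a small Python model of how a chain is walked, covering the -A/-I rule management options, the ! negation, port ranges and first-match evaluation falling back to the chain policy. The rules and the packet are constructed samples, only the options shown on these slides are supported, and the point to check is that a Deny placed before an Allow wins, while inserting the Allow at position 1 silently undoes it.

```python
import ipaddress
OPTS = {"-s": "src", "-d": "dst", "-p": "proto", "-i": "iface", "--dport": "dport", "--sport": "sport"}

def parse_rule(text):
    """Parse one rule in -A/-I form; '! -opt value' negates that single criterion."""
    tok, rule, match, i, neg = text.split(), {}, {}, 0, False
    while i < len(tok):
        t = tok[i]
        if t == "!":
            neg, i = True, i + 1
        elif t in ("-A", "-I"):
            rule["action"], rule["chain"], i = t, tok[i + 1], i + 2
            if t == "-I" and i < len(tok) and tok[i].isdigit():
                rule["pos"], i = int(tok[i]), i + 1      # -I chain rule-number
        elif t == "-j":
            rule["target"], i = tok[i + 1], i + 2
        elif t in OPTS:
            match[OPTS[t]], neg, i = (tok[i + 1], neg), False, i + 2
        else: raise ValueError("unsupported option " + t)
    return {**rule, "match": match}
def matches(rule, pkt):
    """True when every criterion hits (or misses, for a criterion marked with '!')."""
    for field, (value, negated) in rule["match"].items():
        if field in ("src", "dst"):        # host or CIDR; 0.0.0.0/0 means any
            hit = ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(value, strict=False)
        elif field in ("dport", "sport"):  # single port or a range low:high
            lo, _, hi = value.partition(":")
            hit = int(lo) <= pkt[field] <= int(hi or lo)
        else:                              # protocol and interface names
            hit = pkt[field].lower() == value.lower()
        if hit == negated:
            return False
    return True
def build_chain(rule_texts):
    """-A appends to the end; -I inserts at rule-number (position 1 when omitted)."""
    chain = []
    for r in map(parse_rule, rule_texts):
        pos = r.get("pos", 1) - 1 if r["action"] == "-I" else len(chain)
        chain.insert(pos, r)
    return chain
def evaluate(chain, pkt, policy="DROP"):
    """The first matching rule decides; with no match the chain policy applies."""
    return next((r["target"] for r in chain if matches(r, pkt)), policy)

# Constructed sample chain and packet: the Deny for one host sits before the web Allow.
RULES = ["-A INPUT -i lo -j ACCEPT",
         "-A INPUT -s 10.0.10.100 -j DROP",
         "-A INPUT -p TCP ! -d 172.168.35.40 --dport 80 -j DROP",
         "-A INPUT -p TCP --dport 80 -j ACCEPT"]
WEB = {"src": "10.0.10.100", "dst": "172.168.35.40", "proto": "tcp", "iface": "eth0", "dport": 80}
```

Appending the web Allow with -A keeps the denied host out; appending "-I INPUT 1 -p TCP --dport 80 -j ACCEPT" moves the Allow ahead of the Deny and the same packet is accepted.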
Rule Examples
Firewall Goals
Configuration
An example network for firewall implementation.
TASK 5C-1: Chain Management
Topic 5D
Implementing Firewall Technologies