Firewall Services

The CCDA objectives covered in this section are as follows:

8 Determine the customer's requirements for new applications, protocols, number of users, peak usage hours, security, and network management.

9 Diagram the flow of information for new applications.

12 Predict the amount of traffic and the type of traffic caused by the applications, given charts that characterize typical network traffic.

A firewall is a system of devices and applications used to protect one network from another, untrusted network, such as the Internet (see Figure 3-12). It is usually implemented as a three-layer design. On the outside, a filtering router implements access lists that permit access only to hosts in the isolation LAN. In the isolation LAN, hosts are installed to provide services such as Web, DNS, and FTP servers, e-mail relays, and Telnet. These hosts are usually referred to as bastion hosts. An inside filtering router permits access from the internal network to the isolation LAN. No device should communicate directly from the inside network to the outside router (no back doors).

Figure 3-12 Firewall System

Figure 3-12 shows a diagram of a three-layer firewall system. The outside filtering router should restrict Telnet access to itself, use static routing, and encrypt passwords. It should permit access to the bastion hosts based on specific TCP/UDP port numbers. Use the established keyword to allow inbound TCP packets from established TCP sessions.

The inside filtering router should also allow inbound TCP packets. It should permit access to bastion hosts in the isolation LAN, such as proxy services, DNS, and Web servers.
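The outside filtering router's access list from the design above, modelled in Python as an added example (not from the CCDA text or any Cisco code). It assumes constructed addresses (the isolation LAN is 192.0.2.0/24, the inside network is 10.0.0.0/8), three bastion hosts, and the IOS semantics of the established keyword, which matches only on the ACK or RST bit rather than on a session table; that stateless behaviour is the reason a PIX Firewall, which verifies inbound traffic state, is the stronger choice.

```python
# Added example: a small model of the outside filtering router's inbound
# access list. Addresses, ports and the ACE list are constructed for the
# illustration; they are not from the CCDA text.
from dataclasses import dataclass, field

ISOLATION_LAN = "192.0.2."          # constructed: bastion hosts live here
BASTION_WEB, BASTION_DNS, BASTION_MAIL = "192.0.2.10", "192.0.2.11", "192.0.2.12"


@dataclass
class Packet:
    proto: str                       # "tcp" or "udp"
    dst: str                         # destination IPv4 address
    dport: int                       # destination port
    tcp_flags: frozenset = field(default_factory=frozenset)   # e.g. {"SYN"}, {"ACK"}


# Entries in evaluation order, mirroring an IOS extended access list such as:
#   access-list 101 permit tcp any host 192.0.2.10 eq www
#   access-list 101 permit udp any host 192.0.2.11 eq domain
#   access-list 101 permit tcp any host 192.0.2.12 eq smtp
#   access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
#   (implicit deny at the end)
# Tuple: (protocol, bastion host or None, port or None, established-only?)
OUTSIDE_IN_ACL = [
    ("tcp", BASTION_WEB, 80, False),
    ("udp", BASTION_DNS, 53, False),
    ("tcp", BASTION_MAIL, 25, False),
    ("tcp", None, None, True),       # established: any TCP into the isolation LAN with ACK or RST
]


def is_established(pkt: Packet) -> bool:
    """IOS 'established' inspects only the ACK/RST bits; it keeps no session state."""
    return pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ACK", "RST"})


def outside_router_permits(pkt: Packet) -> bool:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    if not pkt.dst.startswith(ISOLATION_LAN):
        return False                 # nothing from outside reaches the inside network (no back doors)
    for proto, host, port, established_only in OUTSIDE_IN_ACL:
        if pkt.proto != proto:
            continue
        if established_only:
            if is_established(pkt):
                return True
            continue
        if pkt.dst == host and pkt.dport == port:
            return True
    return False
```

Note that a TCP segment carrying only the ACK bit is permitted to any port on a bastion host because the router never checks whether a session exists; the inside router and the bastion hosts must not rely on the established entry alone.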

Sites requiring strong security can use the Cisco PIX Firewall in addition to, or instead of, packet-filtering routers. The Cisco PIX Firewall is a hardware device that offers more robust security, provides Network Address Translation (NAT), and verifies inbound traffic state information. NAT translations can be static and/or dynamic and are verified on the command-line interface. The PIX Firewall operates on a secure real-time kernel. An architecture with a PIX Firewall is shown in Figure 3-13. The PIX Firewall controls access between the outside and the isolation network and between the isolation network and the inside. NAT can be used to translate inside node IP addresses to an outside IP address pool.

Figure 3-13 PIX Firewall