About the Authors

Wes Noonan, CISA, is a staff quality engineer at NetIQ working on their security solutions product line. Wes has more than 12 years of industry experience, specializing in Windows-based networks and network infrastructure security design and implementation. Wes is the author of Hardening Network Infrastructure (ISBN 0072255021), is a contributing co-author of CISSP Training Guide (ISBN 078972801X) and Hardening Network Security (ISBN 0072257032), and is a technical editor for Hacking Exposed...

Acknowledgments

I'd like to thank my wife for once again sacrificing the time it took me to work on another book. I couldn't do this without you. I could not have done this had Brian Ford not been willing to take a chance on bringing me in on this project. Likewise, I appreciate the chance to work with Ido Dubrawsky and look forward to future partnerships. I want to thank both Brian and Ido for the opportunity and privilege of working with them both. To Brett Bartow and Andrew Cupp, I know we drove you crazy...

Advanced Firewall Troubleshooting

This chapter has focused primarily on the core tasks of a firewall: processing traffic through the firewall and providing connectivity and access to remote and protected hosts. However, firewalls continue to gain more advanced features and functions, and it is becoming necessary to troubleshoot those advanced features and functions as well. Processes such as SNMP, NTP, routing, and authentication all provide ample opportunity for something to fail that you will need to...

Appendix A Firewall and Security Tools

The nature of firewalls and how they can be used to manipulate and control network traffic can make it difficult to troubleshoot network problems where firewalls are involved. Similarly, firewalls can introduce some unique and special requirements for managing and maintaining the firewall and the firewall configuration. This appendix examines some common tools and tool usage to assist in troubleshooting, managing and maintaining firewalls.

Appliance Firewalls

Appliance firewalls are firewalls that are integrated tightly with custom-built hardware (or in some cases commodity hardware) and provide firewall services to a network. Appliance firewalls include the Cisco PIX, NetScreen firewalls, SonicWall appliances, WatchGuard Fireboxes, and Nokia firewalls all the way down to the Linksys, D-Link, and NETGEAR products for home users. The underlying operating system need not be a custom operating system. It can be a highly customized version of a...

Applications That Are Hard to Firewall

The difficulty with application firewalls stems from the fact that the transaction between the client and server is complex and can be made more so if the protocol or the data in the communication expands and increases the complexity of the transaction. Protocols such as eXtensible Markup Language (XML) and Simple Object Access Protocol (SOAP) make web application firewalls especially tricky. To provide proper web application security, the application firewall must have a detailed understanding of...

Assigning IP Addresses to the Firewall Interfaces

To communicate on the network, the firewall needs to have IP addresses assigned to the firewall interfaces. The process of doing this changed between PIX/ASA software versions 6.x and 7.x, but the fundamental steps are the same: enable the interface, configure the interface itself, and assign an IP address to the interface. To assign IP addresses to the PIX interfaces, the administrator must enter configuration mode. Because the PIX uses a command interface that is similar to IOS, administrators enter...

Bad IP Packets

In most cases, the IP packets that are received on a network can be successfully processed and acted upon accordingly. As is true with all network communications, however, it is possible for an IP packet to either be accidentally or intentionally designed in such a way as to be a bad packet. When we say bad packet, we mean a packet that for whatever reason cannot be processed properly. In some cases, this may be the result of unreliable delivery of the data (for example, if a portion of the...

Bad UDP

UDP is such a simple protocol that there is not a whole lot that can be done with the protocol itself to account for bad UDP traffic. UDP is particularly effective as a source of bad traffic because it is connectionless. Therefore, it is a great candidate for spoofing. Malicious users can generate traffic as a different host, and because UDP is connectionless and responses are not expected, they do not really care that the targeted host is sending the responses to the wrong host. UDP is also a...

Broadcast and Multicast

Most of this discussion of IP traffic has revolved around the process of unicast traffic, which is traffic that is addressed for a single host. However, IP traffic can also be broadcast or multicast traffic, providing for some flexibility in how traffic is delivered. Broadcast traffic is traffic that is destined to all hosts on a given subnet or to all hosts on all subnets. Broadcasts take advantage of the fact that the electrical signal is actually received by all hosts unless otherwise...

Introduction to Firewalls

Depending on whom you talk to, a firewall is either the cornerstone of their organization's security infrastructure, or it is a device that has woefully failed to live up to expectations. How can one device have such a contrast in perceptions? The biggest reason for this is a misunderstanding of what a firewall is and is not, and what a firewall can and cannot do. This chapter looks at what a firewall is and how a firewall works to illustrate what are the reasonable expectations for a firewall....

Going Beyond Basic Firewall Features

Modern firewalls provide a wide variety of significant services to the end user, whether it is a personal firewall or a network firewall used to protect an enterprise network. Firewall capabilities have increased dramatically over the past few years, and they have quickly become a nexus of security services to a network (or an individual machine). This increase of capabilities has caused firewall administrators to reevaluate and in some cases redefine the expectations of what a firewall can do....

TCP/IP for Firewalls

Much like humans may speak English, German, or Russian, computers may speak any number of languages, IPX/SPX, AppleTalk, and TCP/IP being just a few of them. Because of the portability and scalability of TCP/IP, it has been settled on as the de facto standard method for providing communication services between hosts on a network and in particular across the Internet. Much like a human language, TCP/IP has a defined structure and set of rules that control how hosts communicate. Therefore,...

Broadband Routers and Firewalls

Depending on the report you want to accept, between 53 percent and 62 percent of Internet access in the United States is provided by broadband connections. Outside the United States, broadband access percentages can exceed 75 percent of all Internet access methods. Although broadband Internet access provides for increased download speeds and an explosion of Internet-based services and resources, it also introduces some unique problems to the small office/home office (SOHO) and home user markets....

Cisco PIX Firewall and ASA Security Appliance

One of the most widely deployed firewalls on the Internet is the Cisco PIX Firewall. The PIX, along with the new Cisco Adaptive Security Appliance (ASA), is poised to improve Cisco's market share of the firewall and virtual private network (VPN) marketplace by providing advanced security, increased performance, and more robust functionality. Originally acquired from a company called Network Translation back in the early to mid-1990s, the PIX has undergone significant development and...

Application Proxy Firewalls

Application proxy firewalls are perhaps the most complex firewalls to implement. This complexity is due in large part to the fact that unlike other firewall technologies, application proxy firewalls can make filtering decisions based on the actual application data, which requires that firewall administrators better understand the applications that will traverse the firewall. Practically speaking, two elements comprise an application proxy firewall, the first of which is application layer filtering. This chapter looks...

Choosing Between the PIX and the ASA

One of the first questions to answer when trying to determine what Cisco firewall your environment requires is what the difference between the Cisco PIX Firewall and the Cisco ASA is. The ASA is essentially the latest version of the Cisco firewall solution and is based largely on the PIX software. In fact, the Cisco ASA and enterprise versions of the PIX (PIX 515E and larger) actually run the same firewall software starting with the 7.x code base. In the case of the PIX, this firewall software...

Common Applications Using IP

The most common applications that use IP tend to revolve around access to Internet-based resources such as web servers and mail servers; in addition, file and print services are among the most commonly implemented applications. Web browsers and web servers allow users to access graphical content using HTTP, which uses TCP port 80. If secure web browsing is required, the data can be secured using Secure Sockets Layer (SSL), a combination commonly known as HTTPS, which uses TCP port 443....

Common Security Policies

Each organization has unique security requirements and therefore its own unique security policies. However, most if not all environments require a number of common security policies, including the following:

- Management-access policy
- Filtering policy
- Routing policy
- Demilitarized zone (DMZ) policy
- Generally applicable policies

Firewall policies (that is, the access policies on the actual firewalls) are covered later in this chapter.

Configuring Applications & Gaming

The name of the Applications & Gaming tab is somewhat misleading because although the settings are typically going to be implemented by home users to support their gaming applications, in function the Applications & Gaming tab is where the configuration of filtering from external sources to internal resources is performed. This tab has five screens. On the Port Range Forwarding screen, you can configure the router to permit certain types of traffic from all external hosts over the...

Configuring Basic Setup

The BEFSR41v4 Setup tab consists of four screens. On the Basic Setup screen, you can configure how the router connects to the service provider (for example, using DHCP or PPPoE). Depending on which connection type you specify, additional options will be made available on the screen. You can also specify the host and domain name as well as the maximum transmission unit (MTU) for the router, if it is required by your service provider. The Basic Setup screen is also where you configure the local...

Configuring Logging on the Firewall

One of the most valuable capabilities of any firewall is the ability to log events so that the administrator can be informed of and aware of what is going on with the firewall. Cisco PIX/ASA firewalls use syslog for the logging of all events on the firewall (syslog and logging in general are discussed in much greater detail in Chapter 12, "What Is My Firewall Telling Me?"), which allows an administrator to read and parse the logs for important events or events that may require additional...

Configuring NetFilter

The NetFilter packet filter is configured through the iptables command-line utility. Like its predecessor, ipchains, iptables enables firewall administrators to control a wide variety of features in the NetFilter packet filter. Chief among these are adding or inserting filter rules within a preexisting set of rules, defining the policy of the various chains in the filter, or creating user-defined chains for specific purposes such as testing for denial-of-service (DoS) attacks or other specific conditions. The path...

Configuring the Cisco PIX/ASA

Complete configuration of the Cisco PIX is beyond the scope of this book. However, we can cover some of the initial steps required to set up the PIX and to allow an administrator access to the graphical user interface (GUI), the Adaptive Security Device Manager (ASDM), previously known as the PIX Device Manager (PDM) for software versions prior to 7.0. To initially configure a PIX out of the box, connect a serial cable to the console port of the PIX (which is typically outlined with a...

Configuring the Firewall for Remote Management Access

The PIX/ASA firewall supports three primary methods of remote management access: Telnet, SSH, and the ASDM/PDM. Both Telnet and SSH are used to provide CLI access to the firewall, whereas the ASDM/PDM provides an HTTPS-based GUI management console. Telnet remote management is the simplest, yet least secure, method of remotely managing the firewall. The reason for this is that Telnet does not encrypt the data in transit and in fact sends the data in cleartext. This makes it easy for a malicious user to capture the data and...

Configuring the Firewall Name, Domain Name, and Passwords

Now that the firewall has been assigned IP addresses and the interfaces are functioning properly, the next step is to configure some basic firewall configuration values such as the firewall host name, domain name, and passwords. The commands to perform these configurations are the same for all versions of the PIX/ASA software. You can configure the host name by running the hostname name command, and the domain name is configured by running the domain-name domain command from the global...

Default Passwords

When you purchase a new firewall (or any network device in general) such as a Cisco PIX, a Linksys, a NetScreen, or a SonicWall, out of the box the device has some default passwords set (and in some cases there is no default password). This is because the manufacturer must allow for initial access to the device for the end user to configure it. Most recent documentation for any device admonishes the end user to immediately change the default password to something else. Table 11-1 shows common...

Denial of Service

A DoS attack entails a threat that simply prevents legitimate traffic from being able to access the protected resource. A common DoS is one that causes the services or server itself to crash, thus rendering the service being provided inaccessible. This attack is commonly done by exploiting buffer overflows in software and protocols or by sending data to the host that the host does not know how to respond to, thus causing the host to crash. A variant of the DoS that has gained traction and is...

Determining If You Need a Firewall

It is convenient (and accurate) to say that you always need a firewall if you are connecting to the Internet. Firewalls should not be relegated exclusively to the realm of providing access to and protection from Internet-based resources. Instead, you should consider implementing a firewall any time a resource needs to be protected, regardless of where the protected resource is located, or where the requesting traffic will be coming from. Firewalls can, and in many cases should, be used to...

Different Classes of Routing Protocols

Although each routing protocol has its own specific functionality, they can all be generally classified as falling into three categories:

- Distance vector: Distance vector routing protocols are relatively simplistic in design and tend to use a distance to determine the best path. The distance is measured by counting how many times a packet goes through a router, known as a hop, until it arrives at the destination network. The smaller the hop count, the shorter and better the route. Distance vector...
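The hop-count convergence just described, as an added Python example (not code from the book): a small distance-vector simulation in which every router periodically advertises its whole table to its neighbours and adopts any route that arrives with a lower hop count, until no table changes. The three-router topology, the network names, and the RIP-style convention that a hop count of 16 means unreachable are assumptions made for the example.

```python
INF = float("inf")
UNREACHABLE = 16  # RIP convention (assumed here): 16 hops means the network cannot be reached


def run_distance_vector(neighbours, attached, max_rounds=32):
    """Simulate periodic distance-vector updates until no routing table changes.

    neighbours: router -> list of directly connected routers (assumed topology)
    attached:   router -> list of directly connected networks (advertised at 0 hops)
    Returns (tables, rounds) where tables[router][network] == (hop_count, next_hop)."""
    tables = {r: {net: (0, "direct") for net in attached.get(r, [])} for r in neighbours}
    for rnd in range(1, max_rounds + 1):
        # Every router sends a snapshot of its table to each neighbour in the same round.
        adverts = {r: dict(tables[r]) for r in neighbours}
        changed = False
        for router in neighbours:
            for nb in neighbours[router]:
                for net, (hops, _next) in adverts[nb].items():
                    candidate = hops + 1
                    current = tables[router].get(net, (INF, None))[0]
                    if candidate < current and candidate < UNREACHABLE:
                        tables[router][net] = (candidate, nb)
                        changed = True
        if not changed:
            return tables, rnd - 1  # converged: the last round carried no new information
    return tables, max_rounds


def trace_path(tables, start, net):
    """Follow next hops from `start` until the router directly attached to `net`."""
    path = [start]
    while True:
        _hops, next_hop = tables[path[-1]][net]
        if next_hop == "direct":
            return path
        path.append(next_hop)
        if len(path) > UNREACHABLE:
            raise RuntimeError("routing loop while tracing %s" % net)


# Assumed topology: R1 - R2 - R3 in a chain, each with one attached network.
CHAIN = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2"]}
# Same routers with an extra R1 - R3 link, which shortens R1's route to R3's network.
SHORTCUT = {"R1": ["R2", "R3"], "R2": ["R1", "R3"], "R3": ["R1", "R2"]}
NETS = {"R1": ["10.1.0.0/24"], "R2": ["10.2.0.0/24"], "R3": ["10.3.0.0/24"]}

if __name__ == "__main__":
    for name, topo in (("chain", CHAIN), ("shortcut", SHORTCUT)):
        tables, rounds = run_distance_vector(topo, NETS)
        print(name, "converged after", rounds, "rounds;",
              "R1 -> 10.3.0.0/24:", tables["R1"]["10.3.0.0/24"],
              "path", trace_path(tables, "R1", "10.3.0.0/24"))
```

Two properties of distance vector protocols are visible in the output: a router only ever knows the next hop, not the whole path, and information spreads one hop per update round, so the chain needs two rounds to converge while the shortcut topology needs one.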

Dual Firewall Architecture

The dual-firewall architecture is more complex than the single-firewall architecture, but it is also a more secure overall design and provides for a much more granular level of control over traffic traversing the firewalls. This is because the architecture uses two firewalls, ideally of different vendors and models, to act as exterior and interior firewalls providing a DMZ segment between the two firewalls, as shown in Figure 9-3. Like previous designs, traffic is permitted into the DMZ segment...

Dual Firewall System

With a dual-firewall architecture, the firewall system consists of the following layers, beginning with the network segment between the external router and the exterior firewall. Figure 9-5 depicts a dual-firewall system.

[Figure 9-5: dual-firewall system, showing ingress and egress filtering at the exterior firewall and ingress and egress filtering at the interior firewall.]

The only real physical difference with the dual-firewall system over the...

Enterprise Office and Service Provider Solution

The next two models of the PIX firewall are designed specifically for large enterprises and service providers the PIX 525 and 535. The 525 is produced in a 2U form factor and can accommodate up to ten Fast Ethernet or two Fast Ethernet and three Gigabit Ethernet interfaces. The PIX 535 also comes in a 2U form factor and can accommodate 14 Fast Ethernet or 9 Gigabit Ethernet interfaces. Both models provide all manner of high-availability functionality such as zero-downtime upgrade and VPN...

Example 11-3 PIX Logging

The command logging on tells the device to turn on logging, and logging timestamp ensures that a date/time field is inserted in each syslog message sent to the remote syslog server. The logging trap informational command specifies the level of logging to be conducted. The reason Informational is used for logging with the PIX is that it provides enough information to monitor the traffic going through the firewall without overwhelming the administrator with unnecessary information. Level 7, Debug, is typically u...
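What a syslog collector does with the messages that configuration produces, as an added Python example (not code from the book): it parses timestamped PIX syslog lines into platform, severity, message ID and text, reproduces the severity cut-off that logging trap applies, and tallies the 106023 ACL denies by source address so a noisy scanner stands out. The sample lines are constructed to match the PIX message format and are not from a real device; the addresses, ports and access-group name are assumptions for the example.

```python
import re
from collections import Counter

# PIX/ASA syslog severity levels (the value used with "logging trap <level>").
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors", 4: "warnings",
            5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample in the format emitted with "logging timestamp" on:
# "<Mon DD YYYY HH:MM:SS>: %PIX-<severity>-<message id>: <text>". Not captured traffic.
SAMPLE_LOG = """\
Aug 29 2005 14:19:58: %PIX-6-302013: Built outbound TCP connection 9011 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.1.10/1025 (192.168.1.10/1025)
Aug 29 2005 14:19:59: %PIX-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:192.168.1.10/23 by access-group "outside_in"
Aug 29 2005 14:20:00: %PIX-4-106023: Deny tcp src outside:203.0.113.7/4445 dst inside:192.168.1.10/22 by access-group "outside_in"
Aug 29 2005 14:20:01: %PIX-6-302014: Teardown TCP connection 9011 for outside:203.0.113.5/80 to inside:192.168.1.10/1025 duration 0:00:03 bytes 2795 TCP FINs
Aug 29 2005 14:20:02: %PIX-5-111008: User 'enable_15' executed the 'logging trap informational' command.
Aug 29 2005 14:20:03: %PIX-7-710005: UDP request discarded from 192.168.1.10/137 to inside:192.168.1.255/137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d): "
    r"%(?P<platform>PIX|ASA)-(?P<sev>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)$")
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_pix_syslog(line):
    """Split one PIX syslog line into its fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sev"] = int(d["sev"])
    d["level"] = SEVERITY[d["sev"]]
    return d


def select_level(lines, max_level):
    """The messages a 'logging trap <max_level>' setting would forward: severity <= max_level."""
    return [p for p in map(parse_pix_syslog, lines) if p and p["sev"] <= max_level]


def deny_counts(lines):
    """Count 106023 (denied by access list) messages per source address."""
    counts = Counter()
    for p in select_level(lines, 7):
        if p["msg_id"] == "106023":
            m = DENY_RE.search(p["text"])
            if m:
                counts[m.group("src")] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("forwarded at informational:", len(select_level(lines, 6)), "of", len(lines))
    print("denies by source:", deny_counts(lines))
```

Running at level 6 keeps the connection build/teardown records (302013/302014) that make traffic monitoring possible and drops only the 710005 debug message; the same parser with the cut-off at 4 would leave nothing but the denies, which is what an alerting filter, as opposed to the collector, usually wants.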

Example 11-5 Checking in Changes to the RCS Repository

new revision: 1.2; previous revision: 1.1
enter log message, terminated with single '.' or end of file:
>> Added new external NAT address, 172.16.45.152 -> 192.168.155.152 - idubraws
>> .
root@sauron configs 33> ls -l
total 2
drwxrwx---  2 root  sysadmin  512 Aug 29 10:20 RCS

RCS, CVS, and other open source revision-control systems provide an easy, low-cost way of managing configuration changes. Change-control logging is the process by which information is entered in the change-control system about the changes made to a...

Example 11-6 Viewing the RCS Log for Configuration Changes

root@sauron configs 136> rlog frodo.cfg
total revisions: 2;     selected revisions: 2
description:
Initial configuration of external edge router
----------------------------
revision 1.2
date: 2005/08/29 14:19:59;  author: root;  state: Exp;
Added new external NAT address, 172.16.45.152 -> 192.168.155.152 - idubraws
----------------------------
revision 1.1
date: 2005/08/29 13:51:42;  author: root;  state: Exp;

The output in Example 11-6 provides a lot of information. For example, the working file is identified on the first line. In addition, it shows how many revisions have been made to the file (in the example, two revisions have been made). A description of the file...

Example 13-1 Telnetting to TCP Port 80 to Test Connectivity

C:\Documents and Settings\wnoonan>telnet webserver 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 2795
Content-Type: text/html
Content-Location: http://192.168.173.101/Default.htm
Last-Modified: Tue, 23 Nov 2004 05:23:47 GMT
ETag: "f9fcf19b1cd1c41:336"
Connection: close
<additional output snipped>

By just telnetting to TCP port 80 and typing GET / HTTP/1.0 and then pressing Enter a few times, I can retrieve the default web page for the server, which at least verifies that the target host is...
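The same probe done programmatically, as an added Python example (not code from the book): http_probe opens a plain TCP connection, sends the exact GET / HTTP/1.0 request the telnet session types, and returns the status code and headers, or the connection failure when nothing answers on the port. So that it runs offline, the block also starts a stand-in web server on a loopback port; that server, its page, and the use of HTTP/1.0 so the server closes the connection after one response are assumptions for the example, not the book's host.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_probe(host, port, path="/", timeout=3.0):
    """Connect over raw TCP, send 'GET <path> HTTP/1.0' as a telnet test does, and
    return (status_code, headers). status_code is None when the TCP connection itself
    fails (refused, timed out, unreachable); the reason is then in headers['error']."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode("ascii"))
            chunks = []
            while True:  # HTTP/1.0: the server closes the connection after its response
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError as exc:
        return None, {"error": str(exc)}
    head, _sep, _body = b"".join(chunks).partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    words = lines[0].split()
    status = int(words[1]) if len(words) > 1 and words[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


class _DefaultPage(BaseHTTPRequestHandler):
    """Stand-in for the web server in the example (assumed test fixture)."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        body = b"<html><body>Default.htm</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):
        pass


def start_local_server():
    """Listen on an ephemeral loopback port; the caller reads server_address for the port."""
    srv = HTTPServer(("127.0.0.1", 0), _DefaultPage)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_local_server()
    port = srv.server_address[1]
    print("listening:", http_probe("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
    print("after shutdown:", http_probe("127.0.0.1", port))
```

A status line back means the whole path works: name resolution, routing, the firewall rule for port 80, and the web service itself. A refused or timed-out connection only says the TCP handshake failed, and the two cases differ: refused (an RST came back) means the host is reachable and nothing is listening, whereas a timeout with no answer at all is what a firewall silently dropping the SYN looks like.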

Example 14-1 Using Telnet to Access a Server on TCP Port 443 (HTTPS)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>400 Bad Request</title>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a ...></blockquote>
<address>Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7d DAV/2 www.innocentvictimcompany.com Port 443</address>
Connection to 10.16.17.223 closed by...

Example 14-2 OpenSSL

$ openssl s_client -connect 10.16.17.223:443
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky
verify error:num=18:self signed certificate
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky
verify error:num=10:certificate has expired
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
notAfter=Oct  6 01:35:00 2005 GMT
verify return:1
 0 s:/C=US/ST=Maryland/L=Silver Spring/O=...

Example A-1 ACL to Permit Only Certain ICMP Message Types

As a best practice, your external firewall interface (and all corresponding IP addresses) should not allow any other ICMP traffic. This will prevent someone from being able to ping the firewall external IP address to determine whether it is accessible and will also protect against malicious ICMP-based traffic such as a ping of death. Another aspect of reachability is to show how the device was reachable. In other words, what path through the network was taken to the destination host? To answer...

Example A-10 Basic Nmap SYN Port Scan Against a Cisco Secure PIX Firewall

[root@keoland nmap]# nmap -sS -P0 -O -vv 10.10.10.1

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-10-04 14:10 CDT
Initiating ARP Ping Scan against 10.10.10.1 [1 port] at 14:10
The ARP Ping Scan took 0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against firewall.myco.com (10.10.10.1) [1668 ports] at 14:10
Discovered open port 443/tcp on 10.10.10.1
Discovered open port 25/tcp on 10.10.10.1
Discovered open port 21/tcp on 10.10.10.1
Discovered open port 80/tcp on 10.10.10.1
SYN...

Example A-6 Red Hat Linux IP Configuration

[wnoonan@keoland wnoonan]$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:D0:09:DC:B4:2B
          inet addr:192.168.1.118  Bcast:192.168.1.127  Mask:255.255.255.224
          inet6 addr: fe80::2d0:9ff:fedc:b42b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2443 errors:0 dropped:0 overruns:0
          TX packets:201 errors:0 dropped:0 overruns:0
          RX bytes:224572 (219.3 Kb)  TX bytes:30513 (29.7 Kb)

Example A-9 Nmap Usage Screen

C:\Download\Hacking Tools\Nmap\nmap-3.93>nmap
Nmap 3.93 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service & app names/versions
  -sR RPC scan (use with other scan types)
...
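The difference between the two scan types on that usage screen, as an added Python example (not code from the book or from Nmap): connect_scan implements the unprivileged -sT technique, completing a full three-way handshake on every port and classifying each as open (handshake completed), closed (RST came back) or filtered (nothing came back, the signature of a firewall dropping the SYN). A SYN scan (-sS) would stop after the SYN/ACK and needs raw sockets, which is why Nmap marks it with '*'. The loopback listeners used as targets, the worker count and the timeout are assumptions made for the example.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5, workers=32):
    """TCP connect() scan, the technique behind 'nmap -sT'. Each port gets a full
    three-way handshake through the normal socket API, so no root is required."""
    def probe(port):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return port, "open"        # SYN/ACK came back and the handshake completed
        except socket.timeout:
            return port, "filtered"    # no SYN/ACK and no RST: something dropped the SYN
        except OSError:
            return port, "closed"      # RST came back: host reachable, nothing listening
        finally:
            s.close()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, ports))


def open_ports(results):
    """Sorted list of the ports that answered with a completed handshake."""
    return sorted(p for p, state in results.items() if state == "open")


def start_listener():
    """Loopback listener used as a scan target in the example (assumed test fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def unused_port():
    """Pick a loopback port with nothing listening on it, to show a 'closed' result."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    target = start_listener()
    listening = target.getsockname()[1]
    results = connect_scan("127.0.0.1", [listening, unused_port()])
    print(results, "open:", open_ports(results))
    target.close()
```

Because every probe completes the handshake, a connect scan shows up in the target's application logs and in the firewall's connection-built/teardown messages, which is the stealth advantage a SYN scan gives up nothing for but root.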

Figure 11-1 Symantec Internet Security Configuration

[Figure 11-2. Symantec Firewall Configuration: screenshot of the firewall options window.]

The PIX Device Manager (for PIX operating systems up to version 6.3(5)), known as the Cisco Adaptive Security Device Manager in PIX version 7.0, is a Java applet that is downloaded from the PIX or ASA device and runs locally through the client browser. Figure 11-3 shows the PIX Device Manager screen.

Figure 11-10 Access Denied Without Proper Credentials

When the configuration repository directory has been secured sufficiently, the next step is to check in the initial configuration to the repository. The initial configuration is the starting point that you will use as a known-good configuration for the device. Any changes made after the initial configuration are tracked using the configuration repository. By doing this, you will be able to reconstruct a good configuration in case a specific change needs to be removed. In addition, by using revision control, you can find out who...

Figure 11-3 Cisco PIX Device Manager

[Figure 11-3 screenshot: the Cisco PIX Device Manager window.]

Figure 11-9 Final Security Settings for Folder

[Figure 11-9 screenshot: folder Properties dialog (General | Web Sharing | Sharing | Security tabs), Security tab selected, with "Allow inheritable permissions from parent to propagate to this object" and the DUBRAWSKY_GRG\administrator account listed.]

When that is accomplished, access to the folder is limited to only those with the proper credentials, as shown in Figure 11-10.

Figure 12-3 Microsoft ISA Server Log Data

[Figure 12-3 screenshot: Microsoft ISA Server management console showing log data.]

Figure 12-5 How Spoofing Works

In the example in Figure 12-5, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1 because that is what the source IP address of the packet is. In reality, the packet came from the attacker, but the firewall has no way of knowing that. In fact, if the firewall needs to respond to any of the traffic that it received, it will...

Figure 13-1 Connectivity Testing Flowchart

The first step is to attempt to ping the target host by its host name. If this succeeds, it validates that everything from name resolution to physical delivery of the data is functioning properly. If this is not successful, the next step is to attempt to ping the target host by its IP address. This eliminates name resolution as part of the problem. If this succeeds, the problem is likely going to be related to name resolution (either Domain Name System (DNS) resolution or NetBIOS name...

Figure 13-4 Failed Connection to Website

[Figure 13-4 screenshot: browser error page reporting that the server is taking too long to respond.]

One of the first steps to take is to test the connectivity. Doing so involves verifying that the firewall is up and running as well as verifying that the Internet connection is...

Figure 13-6 Verifying Firewall Functioning

[Figure 13-6 screenshot: PIX console session confirming the firewall is up and running.]

If the firewall is up and running, the next step is to test the Internet connection on the outside interface of the firewall. You can do this by pinging a system out on the Internet. Doing so is somewhat tricky because many networks filter out unsolicited ICMP requests. However, some of the...

Figure 13-8 Checking Server Connectivity

In this example, the assumption is that the web server is not responding because it does not respond to a ping or to the Telnet connection to the web server port, 80. In more complex cases, you might need to review the firewall configuration to ensure that it is not blocking the traffic unnecessarily. Also, consider that in some cases it is not your end of the connection that may be problematic but the other end. In many cases, you might need to search the vendor's documentation to ensure that...

Figure 14-1 URL Filtering with the Cisco PIX Firewall

The following is a description of the process in Figure 14-1:

1. The client sends the initial connection to the web server, which replies back as expected. This reply is held at the firewall, however, until a filtering determination has been made.
2. At the same time, the firewall connects to the filtering server using connection 2 to query the filtering server about whether the traffic should be permitted.
3. The filtering server replies to the firewall with whether the traffic should be...

Figure 14-4 IPsec Encapsulated Security Payload Header

The fields in the ESP header are as follows:

- SPI: This pseudo-random value identifies the security association for this traffic.
- Sequence Number: This monotonically increasing counter identifies the sequence of this packet within the connection. This is used to prevent replay attacks.
- Payload Data: This variable-length field contains data that is described by the Next Header field.
- Padding: These padding bytes are used to ensure that the fields fall on 8-byte boundaries.
- Pad Length: This 8-bit field...
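The ESP layout above and the replay protection the Sequence Number provides, as an added Python example (not code from the book): build_esp and parse_esp write and read the SPI, sequence number, payload, padding, pad length and next header fields, and ReplayWindow implements the receiver's sliding anti-replay window (RFC 4303 section 3.4.3), rejecting a sequence number that was already seen or that has fallen behind the window. Two simplifications are assumptions for the example: NULL encryption with no integrity check value, so the trailer can be read in the clear, and the RFC 4303 default padding values 1, 2, 3, ... rather than zero bytes. The SPI, sequence numbers and payloads are constructed.

```python
import struct


def build_esp(spi, seq, payload, next_header, block=8):
    """ESP packet with NULL encryption and no ICV (assumption for the example).
    Padding holds 1,2,3,... (RFC 4303 default) and is sized so that
    payload + padding + the 2 trailer bytes is a multiple of `block`."""
    pad_len = (-(len(payload) + 2)) % block
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])


def parse_esp(pkt):
    """Split an ESP packet into header, payload and trailer fields, checking the padding."""
    if len(pkt) < 10:
        raise ValueError("too short for an ESP header plus trailer")
    spi, seq = struct.unpack("!II", pkt[:8])
    pad_len, next_header = pkt[-2], pkt[-1]
    if 8 + pad_len + 2 > len(pkt):
        raise ValueError("pad length %d exceeds the packet" % pad_len)
    padding = pkt[len(pkt) - 2 - pad_len:len(pkt) - 2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes are not the default 1,2,3,... sequence")
    return {"spi": spi, "seq": seq, "payload": pkt[8:len(pkt) - 2 - pad_len],
            "pad_len": pad_len, "next_header": next_header}


class ReplayWindow:
    """Receiver-side anti-replay window keyed on the ESP sequence number.
    Bit k of `bitmap` records whether sequence number (highest - k) has been seen."""

    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq):
        """True if seq is new and inside the window; False for a replay or a stale packet."""
        if seq == 0:
            return False  # the first packet on an SA is number 1; 0 is never valid
        if seq > self.highest:  # slide the window forward and mark the new high mark
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        back = self.highest - seq
        if back >= self.size or (self.bitmap >> back) & 1:
            return False  # older than the window, or already received
        self.bitmap |= 1 << back
        return True


def filter_replays(packets, window=None):
    """Sequence numbers of the packets a receiver would accept, in arrival order."""
    window = window or ReplayWindow()
    return [parse_esp(p)["seq"] for p in packets if window.accept(parse_esp(p)["seq"])]


if __name__ == "__main__":
    pkt = build_esp(0x1001, 5, b"hello world", next_header=17)
    print(len(pkt), "bytes:", parse_esp(pkt))
    arrivals = [build_esp(0x1001, s, b"x", 17) for s in (1, 2, 2, 3, 1)]
    print("accepted:", filter_replays(arrivals))
```

The window is what makes the counter useful: packets may legitimately arrive out of order, so the receiver cannot simply demand a larger number than the last one, but it can refuse any number it has already marked and any number so old it has dropped off the left edge.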

Figure 3-11 Physical Addressing of Data Between Hosts

[Figure 3-11: physical (MAC) addresses of Host A, the router interfaces, and Host B.]

The process in Figure 3-11 is as follows:

1. Host A logically addresses the data for Host B but physically addresses it to 00:05:9A:3C:78:00, the router interface physical address.
2. The router receives the data, because it is physically addressed to it, but realizes that logically it must be delivered to Host B. Therefore, it rebuilds the frame, using the physical address of the interface on the same network as Host B...

Figure 3-12 Address Classes

Classless Interdomain Routing (CIDR) Although the classful address space is a great idea, the truth is that not everyone needs networks with the number of hosts that each class of address provides. For example, if you have more than 254 hosts that you need to connect to a network, using the classful address space you have to bump up to a full Class B, providing for 65,534 hosts on the network. Obviously, that is far more hosts than is necessary. To address this deficiency, CIDR was implemented....
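The arithmetic behind that Class B comparison, together with the broadcast and multicast delivery classes from the "Broadcast and Multicast" section, as an added Python example (not code from the book): subnet_summary derives network, broadcast, mask and usable host count from an address and prefix length (run on the 192.168.1.118 address from Example A-6 it returns the same 192.168.1.127 broadcast and 255.255.255.224 mask ifconfig showed), address_waste contrasts the classful block with the smallest CIDR prefix that fits a host count, and classify_destination tells unicast, limited broadcast, directed (subnet) broadcast and multicast destinations apart. The host counts and addresses fed to it are assumptions for the example.

```python
import ipaddress


def subnet_summary(cidr):
    """Network, broadcast, mask and usable host count for an address/prefix (CIDR)."""
    n = ipaddress.ip_network(cidr, strict=False)
    return {"network": str(n.network_address), "broadcast": str(n.broadcast_address),
            "netmask": str(n.netmask), "usable_hosts": max(n.num_addresses - 2, 0)}


def classify_destination(dst, local_cidr):
    """How a packet to dst is delivered on the subnet local_cidr: unicast, limited
    broadcast (255.255.255.255), directed broadcast (the subnet's own broadcast
    address), or multicast (224.0.0.0/4)."""
    a = ipaddress.ip_address(dst)
    n = ipaddress.ip_network(local_cidr, strict=False)
    if a == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast"
    if a.is_multicast:
        return "multicast"
    if a == n.broadcast_address:
        return "directed broadcast"
    return "unicast"


def classful_block(hosts):
    """Usable hosts in the smallest classful network (C, B or A) that holds `hosts`."""
    for usable in (254, 65534, 16777214):
        if hosts <= usable:
            return usable
    raise ValueError("no classful network holds %d hosts" % hosts)


def cidr_prefix(hosts):
    """Smallest prefix length whose usable host count (2**(32-p) - 2) holds `hosts`."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("no IPv4 prefix holds %d hosts" % hosts)


def address_waste(hosts):
    """(classful usable hosts, CIDR usable hosts, addresses saved) for `hosts` hosts."""
    classful = classful_block(hosts)
    cidr = 2 ** (32 - cidr_prefix(hosts)) - 2
    return classful, cidr, classful - cidr


if __name__ == "__main__":
    print(subnet_summary("192.168.1.118/27"))
    print("300 hosts: classful/CIDR/saved =", address_waste(300), "prefix /%d" % cidr_prefix(300))
    for dst in ("192.168.1.100", "192.168.1.127", "255.255.255.255", "224.0.0.9"):
        print(dst, "->", classify_destination(dst, "192.168.1.118/27"))
```

The directed-broadcast case is the one a firewall cares about: a packet from outside addressed to a subnet's broadcast address reaches every host on it, which is why border filters drop inbound directed broadcasts rather than forwarding them.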

Figure 4-11 Trend Micro Internet Security Window

From this window, the user can modify the firewall profiles by clicking the Firewall Profiles button in the middle of the window. This opens up the profile selection window shown in Figure 4-12. At this window, users can choose to enable or disable the firewall as well as choose the specific profile they want to apply to the firewall. Additionally, they can add and configure a new profile if the default profiles are insufficient to meet their needs.

Figure 4-12 Trend Micro Firewall Profiles

The default profiles include an office network connection, a home network connection, a wireless network connection, and a direct connection to the Internet. Each one has specific exceptions to the firewall policy for various services. The office network, wireless network, and direct connection profiles each have a list of specific exceptions for various services such as HTTP, Secure Shell (SSH), DNS, and others in the firewall profile. The home network profile, however, has no preconfigured...

Figure 4-13 Trend Micro Firewall Security Level

[Figure 4-13 screenshot: firewall profile dialog, Security Level tab. Choose a High, Medium, or Low security level for the firewall profile; the selected level blocks incoming traffic unless allowed in the Exception List, allows outgoing traffic unless blocked in the Exception List, and blocks network virus attacks and other known threats.]

The security level feature of the Trend Micro firewall enables the end user to adjust the overall protection provided by the firewall. There are three security levels...

Figure 4-14 Trend Micro Firewall Exception List

[Figure 4-14 screenshot: firewall profile dialog, Exception List tab, which defines the direction of Internet traffic, the IP address or range of IP addresses, the ports, and the protocols for exceptions.]

This opens a new window where a wide variety of information about the exception can be entered, such as the protocol to use, the direction of traffic, the port number(s) the traffic uses, whether to...

Figure 4-15 Trend Micro Network Virus Emergency Center

Figure 4-2 Windows XP Control Panel

Choose Security Center at the lower-right corner of the window to open the Windows Security Center window. Choose Windows Firewall at the lower-left corner, as shown in Figure 4-3.

Figure 4-3 Windows Security Center

Figure 4-6 Program Exception List

There is a difference between specifying a program in the exceptions list and statically opening a TCP or UDP port. The difference comes from the fact that specifying a specific application in the exceptions list means that the port that the application listens on will be allowed through the firewall only if the defined application opens the port. The disadvantage to specifying the application in the exceptions is that if the port is used by another application, the firewall will not permit...

Figure 4-7 Changing Scope

[Dialog text: To specify the set of computers for which this port or program is unblocked, click an option below. To specify a custom list, type a list of IP addresses, subnets, or both, separated by commas. Options: Any computer (including those on the Internet); My network subnet only; Custom list. Example: 192.168.114.201,192.168.114.201/255.255.255.0]

To add a port to the exceptions list, click the Add Port button on the Exceptions tab. Doing so opens the Add a Port window. As shown in Figure 4-8, here the user can...
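An added example, not from the book, that models the three scope choices of the Changing Scope dialog in Python and parses the custom-list syntax the dialog itself shows, so an administrator can audit which exceptions are reachable from outside the local subnet. The exception entries, the local interface address, and the scope labels any, subnet and custom are this example's own constructed data and names.

```python
import ipaddress
from typing import Dict, List, Optional


def parse_custom_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the dialog's Custom list field: IPv4 addresses or address/mask
    entries separated by commas (e.g. 192.168.114.201,192.168.114.201/255.255.255.0)."""
    nets = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=False lets a host address carry a mask; the entry is then
        # normalized to its network (192.168.114.201/255.255.255.0 -> /24).
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def in_scope(source: str, scope: str, custom: str = "",
             local_if: Optional[str] = None) -> bool:
    """Decide whether a remote address may reach an excepted port.

    scope is one of: "any" (Any computer, including those on the Internet),
    "subnet" (My network subnet only; needs the local interface address/mask),
    "custom" (Custom list, parsed from the custom argument)."""
    src = ipaddress.ip_address(source)
    if scope == "any":
        return True
    if scope == "subnet":
        if local_if is None:
            raise ValueError("subnet scope needs the local interface address/mask")
        return src in ipaddress.ip_network(local_if, strict=False)
    if scope == "custom":
        return any(src in net for net in parse_custom_list(custom))
    raise ValueError(f"unknown scope {scope!r}")


def audit_exceptions(exceptions: List[Dict], local_if: str) -> List[str]:
    """Report exceptions whose scope admits hosts outside the local subnet."""
    local_net = ipaddress.ip_network(local_if, strict=False)
    findings = []
    for ex in exceptions:
        label = f"{ex['name']} (port {ex['port']})"
        if ex["scope"] == "any":
            findings.append(f"{label}: reachable from any computer, including the Internet")
        elif ex["scope"] == "custom":
            outside = [str(n) for n in parse_custom_list(ex["custom"])
                       if not n.subnet_of(local_net)]
            if outside:
                findings.append(f"{label}: custom list reaches beyond the local "
                                f"subnet: {', '.join(outside)}")
    return findings


# Constructed sample data (hypothetical exceptions list and local interface).
LOCAL_IF = "192.168.114.201/255.255.255.0"
SAMPLE_EXCEPTIONS = [
    {"name": "File and Printer Sharing", "port": 445, "scope": "subnet", "custom": ""},
    {"name": "Remote Desktop", "port": 3389, "scope": "any", "custom": ""},
    {"name": "Web Server", "port": 80, "scope": "custom",
     "custom": "192.168.114.201,10.0.0.0/8"},
]

if __name__ == "__main__":
    for finding in audit_exceptions(SAMPLE_EXCEPTIONS, LOCAL_IF):
        print(finding)
```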

Figure 5-2 Port Range Forwarding

[Diagram: External Host (Host B) 209.165.202.130 attempts a TCP connection to the router's external address; the router translates the connection and forwards it to Internal Host (Host A) at 10.1.1.100, and Host A's responses are translated back by NAT accordingly.]

Figure 5-3 Linksys Status

Figure 5-4 Basic Setup Screen

Figure 5-5 Advanced Routing Screen

NAT configuration is a simple enable/disable toggle. To enable RIP routing, select Enable and then select the transmit and receive RIP versions from the drop-down boxes. To enter a static route, fill in the appropriate information and specify the interface that the route uses as the exit interface.

Figure 5-6 Filter Screen

If you want to filter by MAC address, click the Edit MAC Filter Setting button and specify the MAC addresses that should be denied access. At the bottom of the screen are four radio selections, with the default setting shown in parentheses:

Block Anonymous Internet Requests (Enabled). This setting prevents the router from being pinged or otherwise connected to on the external interface, unless you have defined a port-forwarding filter. This should be enabled, but keep in mind that not...

Figure 5-7 Configuring Port Range Forwarding

Figure 5-8 Configuring Port Triggering

Figure 5-9 Management Screen

On the Log screen, you can specify the IP address of a syslog server and enable logging from the router. The Factory Defaults screen contains a simple toggle selection that enables you to reset the router to the factory defaults. If you need to upgrade the software on the router, you can do so on the Firmware Upgrade screen. You can browse for an upgrade file on the local computer that is managing the router and click the button to upgrade. When the router has been upgraded, it reboots to begin...

Figure 6-2 Cisco ASDM Launcher

Just enter the IP address or host name of the firewall and the appropriate username and password. If you do not use any form of AAA, leave the username blank and enter the enable password to connect to the firewall. ASDM parses the running configuration of the firewall and displays the General Device Information screen, as shown in Figure 6-3. ASDM is an intuitive GUI that you can use to configure the firewall in lieu of the CLI.

Figure 6-3 General Device Information Screen

[Screenshot text: Host Name, ASDM Version 5.0, Device Type PIX 515, Total Flash 16 MB, Total Memory 64 MB; System Resources Status (CPU, memory); Interface Status; Traffic Status.]

Figure 6-4 Logging Filters Screen

As you can see, the previous commands we ran are shown in this screen, and you can edit or...

Figure 6-5 Edit Logging Filters Screen

The last step is to save the configuration changes to the firewall to cause the firewall to use the updated configuration. You can do that by clicking Apply in the Logging Filters Screen shown in Figure 6-4. If you return to the home screen (by clicking the Home button in the taskbar), you will now see the syslog messages being displayed in the ASDM interface in the Latest ASDM Syslog Messages group box, as shown in Figure 6-6.

Figure 6-6 ASDM Log Messages

Configuring Logging to a Remote Syslog Server

Although logging to the console, monitor, or ASDM can be handy for troubleshooting problems and viewing log messages while logged in to the firewall, if you need to store logs for long-term archive or auditing purposes, you need to configure the firewall to transmit the syslog messages to a remote syslog server. Like the previous logging methods, you must first enable logging in general by running the logging on command. Then, you need to define what...
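An added example, not from the book, of what the remote syslog server does with what the firewall sends: a Python parser for PIX/ASA syslog lines (the <PRI> header, where PRI = facility*8 + severity, and the %PIX-<level>-<id> tag) that counts messages by severity, flags anything at errors or worse, and checks that the PRI severity agrees with the level in the tag. The sample lines are constructed, not real captures, and the host name fw01 is hypothetical.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Cisco severity levels, as used in "logging trap <level>" and in %PIX-<level>-<id>.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# One line as received over UDP/514:  <PRI>timestamp host %PIX-<level>-<id>: text
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"%(?P<platform>PIX|ASA|FWSM)-(?P<level>\d)-(?P<msg_id>\d{6}): "
    r"(?P<text>.*)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Split one firewall syslog line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0..23, severity 0..7
        return None
    severity = pri % 8
    return {
        "facility": pri // 8,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        "msg_id": m.group("msg_id"),
        "text": m.group("text"),
        # The PRI severity and the %PIX-<level> tag should agree; a mismatch
        # usually means a relay rewrote the header or the line is not genuine.
        "consistent": int(m.group("level")) == severity,
    }


def summarize(lines: List[str], alert_at_or_below: int = 3) -> Dict:
    """Count messages by severity and collect those worth alerting on."""
    by_sev = Counter()
    alerts, unparsed, inconsistent = [], 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_sev[rec["severity"]] += 1
        if not rec["consistent"]:
            inconsistent += 1
        if rec["severity"] <= alert_at_or_below:
            alerts.append((rec["host"], rec["msg_id"]))
    return {"by_severity": dict(by_sev), "alerts": alerts,
            "unparsed": unparsed, "inconsistent": inconsistent}


# Constructed sample lines. The default PIX/ASA facility is local4 (20), so
# <166> is local4.informational and <164> local4.warnings.
SAMPLE_LINES = [
    "<166>Jan 10 12:00:01 fw01 %PIX-6-302013: Built outbound TCP connection 1001 "
    "for outside:209.165.202.130/80 to inside:10.1.1.100/1234",
    "<164>Jan 10 12:00:02 fw01 %PIX-4-106023: Deny tcp src outside:209.165.202.130/4000 "
    "dst inside:10.1.1.100/23 by access-group \"outside_in\"",
    "<161>Jan 10 12:00:03 fw01 %PIX-1-105003: (Primary) Monitoring on interface inside waiting",
    "<166>Jan 10 12:00:04 fw01 %PIX-3-305006: portmap translation creation failed for udp",
    "not a firewall syslog line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```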

Figure 7-11 Webmin Configuration of a Simple Firewall

Figure 7-4 Packet Traversal of NetFilter Tables and Chains

Packets need not traverse every chain in the NetFilter system. It all depends on the destination of the packet as well as what rules are applicable and whether NAT is involved. Although the configuration of NetFilter firewalls using the iptables utility may appear to be a daunting task, you can also configure NetFilter through a variety of graphical interface tools such as Firewall Builder, Firestarter, or Webmin. Some examples to follow show how you can configure NetFilter using the iptables...

Figure 7-9 Webmin Firewall Modules

The focus during this discussion is on the Linux Firewall module because the Shoreline Firewall module requires the installation of additional files from the Shorewall project (http://www.shorewall.net). Webmin enables administrators to control all three tables in NetFilter (filter, mangle, and NAT) through either the Linux Firewall Webmin module or the Shorewall Webmin module, as shown in Figure 7-10.

Figure 8-10 User Sets Screen

Review the rule configuration and click Finish. At this point, the rule has been created but not applied to the firewall. Just click Apply in the MMC as previously discussed. If you need to change any of the rule settings, including editing the content type or schedule configuration, just right-click the rule and choose Properties or Edit System Rule as appropriate for the corresponding rule. Publishing internal resources follows largely the same process as creating an access rule. It is a wizard-driven...

Figure 8-13 Select Web Listener Screen

At the User Sets screen, select the users to whom the rule will apply and click Next. Review the configuration and click Finish to create the rule. Once again, if you want to apply the rule to the firewall, you must then click Apply in the management console. ISA Server 2004 contains a number of built-in application filters to provide for application layer inspection of the corresponding traffic. Configuring the application filters is performed in various locations within the management console....

Figure 8-14 Application Filters

A notable exception to this is the DNS filtering, which is configured under the General section of the management console by clicking Enable Intrusion Detection and DNS Attack Detection (by default both intrusion detection and DNS...

Figure 8-16 System Policy Editor Screen

[Screenshot text: configuration groups Authentication Services (Active Directory, RADIUS, RSA SecurID, CRL Download), Remote Management (Microsoft Management, Terminal Server, ICMP (Ping)), Firewall Client (Firewall Client Install), Diagnostic Services (ICMP, Windows Networking, Microsoft Error Reporting, HTTP Connectivity). Enabling this configuration group enables system policy rules that allow access between trusted DHCP servers and ISA Server; click the From tab to specify the trusted DHCP servers.]

The System Policy Editor enables you to configure...

Figure 8-17 Selecting the Internal Network Properties

From the Internal Network Properties screen, select the Web Proxy tab and specify whether to enable web proxy clients (by...

Figure 8-18 Web Proxy Configuration

Configuring the firewall client is a little bit more involved than the other client configurations. First, the firewall client must be installed on the client computers. This can be done in the following manners:

Via file sharing and manually running the installation
Via Active Directory Group Policy
Via silent installation scripts and integration with login scripts
Via Microsoft Systems Management Server (SMS)

During the firewall client installation, you must specify the ISA server that the...

Figure 8-2 ISA Server 2004 Management Console

In addition, some third-party web-based...

Figure 8-20 Firewall Client Settings Screen

Configuring the firewall to cache web data is a straightforward process. In the management console, navigate to the Cache screen, right-click the server, and choose Properties to launch the Server Cache Properties screen, as shown in Figure 8-21. Notice how the Cache icon has a red arrow pointing down, denoting that caching is not currently enabled.

Figure 8-21 Launching the Cache Properties Screen

To enable caching, just select the drives and the maximum cache size and click Set. When you have finished, click OK and then click Apply to apply the configuration change to the firewall. You must restart the ISA services before the caching functionality will be enabled. When caching has been enabled, you can define rules regarding what data should be cached and how it should be cached by selecting the Cache Rules tab from the Cache screen and defining an appropriate rule. Like most other tasks in...

Figure 8-3 External Network Interface Configuration

In addition, you also need to configure the routing table on the ISA server accordingly to support all networks it will need to reach, or you will need to install and configure Routing and Remote Access on the firewall to enable routing protocols such as OSPF or RIPv2. Finally, ensure that you disable any network services or applications that are not explicitly required by ISA Server 2004. Table 8-3 lists the core services that are required by ISA Server 2004, including the startup mode that should...

Figure 8-5 Modifying Remote Management Rules

At the Properties screen, add, edit, or delete systems that will be allowed to perform remote management on the firewalls. When you have finished, click OK to close any open windows, returning to the management console. Before any configuration changes are actually performed on the ISA server, the last task is to select to either apply or discard the changes, as shown in Figure 8-6.

Figure 8-6 Applying Configuration Changes

Figure 8-7 Creating an Access Rule

This will begin the New Access Rule Wizard. At the Welcome screen, assign an appropriate access rule name and click Next. At the Rule Action screen, select to Allow or Deny the traffic as appropriate and click Next. At the Protocols screen, you can select to apply the rule to All Outbound Traffic, Selec...

Figure 8-9 Add Network Entities Screen

After you have specified the appropriate source, click Next to be taken to the Access Rule Destinations screen. Once again, click Add and specify the destination traffic that the rule will apply to. When you have finished, click Next. At the User Sets screen, specify the users that the rule will apply to. Keep in mind that only web proxy clients and firewall clients perform authentication, so if you want the rule to apply to everyone, including unauthenticated users, just accept the default value of All...

Figure 9-3 Dual Firewall Architecture

The granular control in a dual-firewall architecture comes from the fact that each firewall controls a subset of all the traffic entering and exiting a network. Because untrusted (that is, external) traffic should never be allowed to directly access a trusted (that is, internal) network, the exterior firewall can be configured specifically to grant access to and from the DMZ segment and external systems. Similarly, the interior firewall can be configured to grant access to and from the DMZ...

Figure A-1 Ethereal

Ethereal uses three window panes to display data: the packet list (top pane), the packet details (middle pane), and the packet bytes (bottom pane). The packet list pane displays all packets that were captured, including basic elements such as the packet number (based on the capture), the time the packet was captured, the source and destination addresses, the protocol in use (if known), and a brief information field to provide additional information (typically a summary of the higher-layer data...

Figure A-2 Displaying a TCP Communications Stream

The Yahoo Messenger IDs have been removed to...

Figure A-3 Microsoft Network Monitor Capture Window

TCPDump is a command-line-based packet-capture tool that is used primarily in Linux/UNIX-based environments. TCPDump is also available for use on Windows-based hosts (WinDump), but requires the installation of the WinPcap driver (as does Ethereal). TCPDump has a number of command-line options for use, allowing the user to log the captured packets for review as well as specify relatively complex filtering requirements. In fact, TCPDump and Ethereal use the same filtering language, so after you...

Figure A-4 Nessus Login Screen

At this point, performing a scan is just a matter of navigating the tabbed screens and specifying the appropriate plug-ins to load, options for the scan, and target hosts. As shown in Figure A-5, if I want to scan Cisco hosts for vulnerabilities, I just ensure that I select the appropriate Cisco plug-ins and start the scan. Something to keep in mind is that not all plug-ins are considered safe to run. What that means is that some plug-ins are risky in nature and could result in the targeted...