
INTERNATIONAL UNIVERSITY
School of Computer Science and Engineering

LAB 5: Firewall
Lecturer: Pham Van Hau
Duration: 180 minutes

Course: ............   Date: ............
Student ID: ............
Student name: ............

A. Setup description

Deploy nodes as depicted in the following schema.

[Figure: deployment schema (image not reproduced in this copy)]

As we can observe, there are two types of nodes in our deployment: firewall nodes and normal nodes. To save the resources of your physical machine, we use Linux distributions that require limited resources. For this purpose, we use Damn Small Linux (DSL) for the nodes and Ubuntu for the two firewalls. These machines form three different networks. In fact, in_node (10.1.1.2) is a machine in the internal network; server (10.0.1.10) is in the DMZ zone; ex_node (192.168.1.10) is supposed to be a machine on the Internet.

Note: The two firewalls also play the role of routers. Taking advantage of the knowledge gained from the previous lab, do what is necessary to make sure that all nodes can ping each other.

The detailed configuration is as follows:

Machine   # of network adapter cards   Description
In_node   1                            Eth0 (ip=10.1.1.2) connects to VMNET 5
FW2       2                            Eth0 (ip=10.1.1.1) connects to VMNET 5
                                       Eth1 (ip=10.0.1.254) connects to VMNET 6
Server    1                            Eth0 (ip=10.0.1.10) connects to VMNET 6
FW1       2                            Eth0 (ip=10.0.1.1) connects to VMNET 6
                                       Eth1 (ip=192.168.1.1) connects to VMNET 7
Ex_node   1                            Eth1 (ip=192.168.1.10) connects to VMNET 7

NOTE:
o To become root on the DSL machine, execute "sudo su".
o To configure the IP address, you can use "ifconfig eth0 <ip>".
o You need to delete all the default routes in the virtual machines and add the necessary information manually.
  To delete a route: route del -net 10.0.0.0 netmask 255.0.0.0
  To add a route: route add -net 10.0.0.0 netmask 255.0.0.0
  To configure the default gateway: route add default gw IP_OF_THE_GATEWAY
  To view the routes, there are at least two ways: route, or netstat -rn
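The note above gives the route(8) syntax but leaves working out each node's routes to the student. The script below is an added example (not part of the handout) that derives one routing plan from the address table: each normal node points its default route at the firewall next to it, the DMZ server needs an extra route back to 10.1.1.0/24 through FW2, and FW1 needs the same return route or replies to in_node never leave the DMZ. Treating FW1 as the DMZ's default gateway, the variable names and the ROUTE/IP_FORWARD_FILE overrides used for dry runs are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the lab handout: a routing plan derived from the
# lab's address table, using the route(8) syntax quoted in the note above.
# FW1 as the DMZ default gateway is an assumption; the lab only requires that
# every node can reach every other node.
ROUTE="${ROUTE:-route}"                                   # ROUTE=echo prints instead of applying
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

FW1_DMZ=10.0.1.1        # FW1 eth0 on VMNET 6
FW1_EXT=192.168.1.1     # FW1 eth1 on VMNET 7
FW2_LAN=10.1.1.1        # FW2 eth0 on VMNET 5
FW2_DMZ=10.0.1.254      # FW2 eth1 on VMNET 6
INTERNAL_NET=10.1.1.0
INTERNAL_MASK=255.255.255.0

# Drop whatever default route the VM booted with; ignore "no such route".
clear_default_route() {
    $ROUTE del default 2>/dev/null || true
}

# Firewalls relay packets only when forwarding is on (Task 1 does this by hand).
enable_forwarding() {
    echo 1 > "$IP_FORWARD_FILE"
}

# Print or apply the routes one node needs.
# Usage: setup_routes <in_node|fw2|server|fw1|ex_node>
setup_routes() {
    case "$1" in
        in_node) $ROUTE add default gw "$FW2_LAN" ;;
        fw2)     $ROUTE add default gw "$FW1_DMZ" ;;     # 10.1.1.0/24 is directly attached
        server)  # two exits from the DMZ: FW1 toward the Internet, FW2 toward the internal LAN
                 $ROUTE add default gw "$FW1_DMZ"
                 $ROUTE add -net "$INTERNAL_NET" netmask "$INTERNAL_MASK" gw "$FW2_DMZ" ;;
        fw1)     # return path for replies to in_node; 192.168.1.0/24 is directly attached
                 $ROUTE add -net "$INTERNAL_NET" netmask "$INTERNAL_MASK" gw "$FW2_DMZ" ;;
        ex_node) $ROUTE add default gw "$FW1_EXT" ;;
        *)       echo "unknown node: $1" >&2; return 1 ;;
    esac
}

# Run as ./routes.sh <node> on each machine; no argument only defines the functions.
if [ -n "${1:-}" ]; then
    clear_default_route
    case "$1" in fw1|fw2) enable_forwarding ;; esac
    setup_routes "$1"
fi
```

Run `ROUTE=echo sh routes.sh server` on any machine to see what would be applied before doing it as root; `netstat -rn` afterwards should show the default route plus, on server and FW1, the explicit 10.1.1.0 entry via 10.0.1.254. Without that entry, in_node's echo requests reach the server but the replies go to FW1 and are discarded.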
B. Tasks

Task 1: On FW2. Verify that, from the in_node machine:
o "ping 10.1.1.1" works
o "ping 10.0.1.10" works; if not, on FW2 execute the command "echo 1 > /proc/sys/net/ipv4/ip_forward"
Do "iptables -P INPUT DROP". From in_node, ping 10.1.1.1 and 10.0.1.10 again. Explain what happens.

Task 2: On FW2. Do "iptables -L" and observe the output. Do "iptables -P FORWARD DROP". Do "iptables -L" again and observe the output. What has changed since the previous time? Ping server from in_node; does it work? Explain.

Task 3: On FW2, do
o iptables -A FORWARD -d 10.1.1.2 -p icmp -j ACCEPT
o iptables -A FORWARD -d 10.0.1.10 -p icmp -j ACCEPT
Ping server from in_node; does it work? Explain.

Hint: read Appendix A and B to answer this question.

Task 4: Why do I need a DMZ?

Task 5: Do I always need to have two separate firewalls to make a DMZ? If an alternative exists, describe it.

Task 6: On FW2, modify the iptables rules so that in_node can connect to server on port 80 but server cannot initiate a connection to in_node. Hint: add "-m state --state NEW,ESTABLISHED,RELATED" in the rule for the new connection and "-m state --state ESTABLISHED,RELATED" for the established connection.

Task 7: NAT is a solution for you to hide the internal network from the Internet. Suppose that 192.168.1.1 is the EXTERNAL ip address of the server. Modify the firewall so that, from in_node, if we connect to 122.122.122.5, FW2 will forward the connection to the server. (Hint: Google "NAT with iptables".)
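Tasks 1 to 3, 6 and 7 each add a few rules to FW2 by hand. The script below is an added example (not part of the handout) that collects them into one FW2 rule set in the order the tasks build it: DROP policies first, then the ICMP rules of Task 3, the stateful HTTP pair of Task 6, and the DNAT rule of Task 7. Interface names (eth0 toward VMNET 5, eth1 toward VMNET 6, following the address table), the loopback and ESTABLISHED rules in INPUT, and the IPT override used for dry runs are this example's choices.

```shell
#!/bin/sh
# Added example for Tasks 1-3, 6 and 7 (not part of the lab handout): one rule
# set for FW2.  Interface names (eth0 = VMNET 5 side, eth1 = VMNET 6 side, as in
# the address table) and the exact form of the rules are this example's choices.
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of loading them

IN_NODE=10.1.1.2
SERVER=10.0.1.10
LAN_IF=eth0                     # FW2 interface toward the internal LAN
DMZ_IF=eth1                     # FW2 interface toward the DMZ
EXT_ALIAS=122.122.122.5         # address in_node dials in Task 7; FW2 rewrites it to SERVER

# Tasks 1 and 2: flush, then default to DROP for packets addressed to FW2 (INPUT)
# and for packets FW2 relays between LAN and DMZ (FORWARD).  After this, in_node
# can ping neither 10.1.1.1 nor 10.0.1.10.
fw2_baseline() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Task 3: the echo request travels toward the server and the echo reply toward
# in_node; FORWARD must admit both directions or the ping still fails.
fw2_icmp() {
    $IPT -A FORWARD -d "$SERVER" -p icmp -j ACCEPT
    $IPT -A FORWARD -d "$IN_NODE" -p icmp -j ACCEPT
}

# Task 6: only in_node may open TCP/80 toward the server.  The return rule omits
# NEW, so a SYN sent by the server toward in_node matches no rule and meets the
# FORWARD DROP policy.
fw2_http() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$IN_NODE" -d "$SERVER" -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$SERVER" -d "$IN_NODE" -p tcp --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Task 7: DNAT runs in nat/PREROUTING, before FORWARD inspects the packet, so the
# rewritten packet (now addressed to SERVER) is admitted by the Task 6 rule.
fw2_nat() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -d "$EXT_ALIAS" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER"
}

fw2_apply() {
    fw2_baseline && fw2_icmp && fw2_http && fw2_nat
}

# ./fw2.sh apply loads the rules; IPT=echo ./fw2.sh apply shows them first.
if [ "${1:-}" = "apply" ]; then
    fw2_apply
fi
```

After loading, `iptables -L FORWARD -v -n` and `iptables -t nat -L PREROUTING -n` show the counters climbing on the expected rules as in_node browses 10.0.1.10 and 122.122.122.5, while a connection attempt from the server toward in_node leaves the counters untouched and times out. The `-m state` syntax is the one the handout's hint uses; current iptables accepts `-m conntrack --ctstate` with the same state names.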

APPENDIX A (Most of the content hereafter is copied from http://articles.techrepublic.com.com/5100-22_11-5756029.html)

General Introduction to DMZ

If you think of the internal network as the "trusted" network and the external public network (the Internet) as the "untrusted" network, you can think of the DMZ as a "semi-trusted" area. It's not as secure as the LAN, but because it is behind a firewall, neither is it as non-secure as the Internet. You can also think of the DMZ as a "liaison network" that can communicate with both the Internet and the LAN while sitting between the two, as illustrated by Figure A.

Figure A (image not reproduced in this copy)

What does this accomplish? You can place computers that need to communicate directly with the Internet (public servers) in the DMZ instead of on your internal network. They will be protected by the outer firewall, although they are still at risk simply because they have direct contact with Internet computers. Because the DMZ is only "semi-secure," it's easier to hack a computer in the DMZ than on the internal network. The good news is that if a DMZ computer does get hacked, it doesn't compromise the security of the internal network, because it's on a completely separate, isolated network. Why put any computers in this riskier network? Let's take an example: in order to do its job (make your Web site available to members of the public), your Web server has to be accessible to the Internet. But having a server on your network that's accessible from the Internet puts the entire network at risk. There are three ways to reduce that risk:

1. You could pay a hosting company to host your Web sites on their machines and network. However, this gives you less control over your Web servers.

2. You could host the public servers on the firewall computer. However, best security practices say the firewall computer should be dedicated solely to acting as a firewall (this reduces the chances of the firewall being compromised), and practically speaking, this would impair the firewall's performance. Besides, if you have a firewall appliance running a proprietary OS, you won't be able to install other services on it.

3. The third solution is to put the public Web servers on a separate, isolated network: the DMZ.

Firewall rules: you should be able to configure separate rules for evaluating traffic depending on its origin and destination. That is, there should be separate rules for:
o Incoming traffic from the Internet to the DMZ
o Incoming traffic from the DMZ to the internal LAN
o Incoming traffic from the Internet to the internal network
o Outgoing traffic from the internal network to the DMZ
o Outgoing traffic from the internal network to the Internet
o Outgoing traffic from the DMZ to the Internet

Appendix B

When we say that a firewall must separate the DMZ from both the internal LAN and the Internet, that doesn't necessarily mean you have to buy two firewalls. If you have a "three-legged firewall" (one with at least three network interfaces), the same firewall can serve both functions. On the other hand, there are reasons you might want to use two separate firewalls (a front-end and a back-end firewall) to create the DMZ. Figure A above illustrates a DMZ that uses two firewalls, called a back-to-back DMZ. An advantage of this configuration is that you can put a fast packet-filtering firewall/router at the front end (the Internet edge) to increase performance of your public servers, and place a slower application layer filtering (ALF) firewall at the back end (next to the corporate LAN) to provide more protection to the internal network without negatively impacting performance for your public servers. Each firewall in this configuration has two interfaces. The front-end firewall has an external interface to the Internet and an internal interface to the DMZ, whereas the back-end firewall has an external interface to the DMZ and an internal interface to the corporate LAN.

When you use a single firewall to create a DMZ, it's called a trihomed DMZ. That's because the firewall computer or appliance has interfaces to three separate networks:
1. The internal interface to the trusted network (the internal LAN)
2. The external interface to the untrusted network (the public Internet)
3. The interface to the semi-trusted network (the DMZ)
The trihomed DMZ looks like Figure B.
