A common way of providing security for the extranet is to deploy firewalls between the public network and the extranet. Being aware of common firewall features will help you design secure access to the resources in your extranet.
In addition to deploying a firewall between the public network and the extranet, many organizations deploy a firewall between the private network and the extranet. This configuration is commonly referred to as a Demilitarized Zone (DMZ), perimeter network, or screened subnet. This internal firewall ensures protection of the private network if the external firewall or resources in the extranet are compromised.
After this lesson, you will be able to
Estimated lesson time: 45 minutes
In the simplest deployment, a firewall is placed between the private and public networks to secure the private network from the public network. This configuration is shown in Figure 14.1.
Figure 14.1 A firewall restricting public network access to the private network
A firewall acts as a barrier against attacks launched from the public network. A firewall can be a physical hardware device or a software application that executes on a computer.
To protect the private network, firewalls can offer a suite of services, including
The following sections describe how these services function and the security threats they address.
NAT prevents exposure of the IP addressing scheme used on your private network. An attacker with knowledge of the IP addressing scheme can attempt an IP spoofing attack by sending packets to the network with the falsified IP source address of a trusted private network address.
NAT protects against this form of attack by replacing the source IP address in all outgoing packets with a common IP address, as shown in Figure 14.2.
Figure 14.2 How NAT replaces the source IP address and source port fields for all outgoing packets
In addition to replacing the source IP address, NAT replaces the source port to prevent duplicate port requests by outgoing packets. The NAT device tracks all managed connections so that return packets are returned to the correct computer on the private network.
The private network commonly uses Request for Comment (RFC) 1918 addressing. RFC 1918 reserves three ranges of IP addresses for private network addressing:
These pools of IP addresses aren't used on the Internet and aren't included in Internet routing tables. The NAT process replaces the private network addresses with an IP address assigned to the organization by the Internet Corporation for Assigned Names and Numbers (ICANN).
NOTE
Windows 2000 provides a native NAT service in RRAS.
Once you've deployed a firewall, you must establish firewall rules to define what data is allowed to enter and exit the private network. Firewall rules are made up of individual packet filters. A firewall uses a packet filter to profile a protocol so that data transmitted using the protocol is identified. Packet filters allow a firewall administrator to prevent unauthorized protocols from entering the private network. Alternatively, administrators can apply packet filters to outbound data to restrict which protocols are available to private network computers.
A packet filter is typically composed of fields that profile a protocol and identify what action to take if the protocol attempts to pass through the firewall. The fields used by packet filters include
TIP
To determine what ports are used by specific services and applications, view the Services text file in the systemroot\system32\drivers\etc folder, where systemroot denotes the folder where Windows 2000 is installed. To view a listing of all well-known port numbers, go to www.isi.edu/in-notes/iana/assignments/port-numbers.
Many firewalls include an option to mirror all packet filters. Mirroring is necessary to allow response packets to return to the source client computer. Mirroring simply switches the source and destination information to allow the response packets to cross the firewall, as shown in Figure 14.3.
Figure 14.3 How mirroring switches the source and destination information within an IP packet
Typically, you will implement one of the following firewall strategies at your firewall:
The strategy you choose will be based on your organization's risk level. Typically, higher security networks specify the allowed protocols and prohibit everything else. This ensures that only authorized protocols are allowed to pass through the firewall.
Use static address mapping at a firewall to redirect incoming traffic to Internet-accessible resources hidden behind the firewall. The resources are advertised on the Internet with publicly accessible IP addresses. When the firewall receives the packets, the firewall translates the destination address to the true IP address of the resource behind the firewall and redirects the data to the resource, as shown in Figure 14.4.
Figure 14.4 How static address mapping redirects requests to internet-accessible resources on the private network
In the figure the external DNS advertises the Web server as the IP address 131.107.5.6. Static address mapping translates the external IP address to 192.168.10.4 on the private network.
The advantage of using static address mapping is that it conceals the true IP address of Internet-accessible resources from potential attackers. Combined with packet filtering rules, static address mapping allows you to define authorized protocols and redirect the protocols to servers located in a DMZ.
In higher-security networks, simple packet filters may not provide enough security. Packet filters define which ports are left open at the firewall to redirect network traffic to Internet-accessible resources. Many protocols utilize random ports above port 1024 at the client computer side. Opening up all ports above 1024 can leave both the firewall and the private network resources susceptible to attack. Stateful inspection allows the firewall to inspect which ports are used for an initial connection, open those ports, and then close the ports when the connection is terminated. If any suspect ports are requested, such as when a session hijack attempt takes place, the firewall can recognize the attack and drop the connection.
Stateful inspection allows firewall rules to be established so that UDP-based protocols such as Simple Network Management Protocol (SNMP) can pass through firewalls successfully. The firewall tracks client and server port information and allows only response packets to a valid host to pass through the firewall. The firewall does this by tracking the original ports used by a client application and ensuring that the server-side application only sends responses to the port used by the client application.
In addition to these services, firewalls provide advanced security through the following features:
NOTE
This attack is commonly known as a SYN flood attack. By flooding the firewall with SYN packets, the attacker can prevent further connections from being established.
When deciding which firewall features to implement, you should be aware of the benefits that each firewall feature provides. A knowledge of these benefits will assist you in utilizing the features to protect your network. Table 14.3 shows how you can use each firewall feature to protect your network.
Table 14.3 Designing Firewall Features to Protect Internet-Accessible Resources
Use This Firewall Feature | To Do the Following |
---|---|
NAT | Prevent the private network addressing scheme from being revealed Hide the true IP address of private network resources when accessing Internet-based resources |
Packet filters | Manage what protocols are allowed to cross between the private network and the public network Define what action to take if a protocol is identified when crossing the firewall Define a default action to take if a protocol doesn't meet any of the defined packet filters |
Static address mapping | Advertise Internet-accessible resources that have private network addresses using public network addressing Hide the true IP address of Internet-accessible resources |
Stateful inspection | Protect UDP-based protocols that must enter the private network Detect session hijacking attempts Detect application-level attacks that attempt to bypass the packet filters established for a protocol |
Time-out tolerances | Prevent SYN flood attacks by closing sessions that have timed out Free up connections for new connection attempts if the connection is left idle |
Content scanning | Prevent specific application commands from being issued within a protocol Detect viruses within incoming packets |
The new firewall purchased by Market Florist should provide the following features to meet its security needs:
Table 14.4 Protocols Allowed to Enter the Market Florist Extranet
Server | Protocols |
---|---|
MFDNS | DNS. Public network users require access to the DNS server to resolve host names in the marketflorist.tld domain to IP addresses. Terminal Services. All administrators require the ability to remotely manage the MFDNS server. |
MFWEB | Hypertext Transfer Protocol (HTTP). All Web pages require HTTP access. HTTPS. Customers requesting a customer number require encryption of credit card and personal information. Flower Power application. The Flower Power application listens for connections on a dedicated port. Terminal Services. All administrators require the ability to remotely manage the MFWEB server. Additionally, you should configure the firewall to allow Terminal Services connections to each of the component servers, or nodes, in the NLBS cluster. The MFWEB server also requires access to the MFSQL server on the private network. |
MFFTP | FTP. The MFFTP server allows FTP clients to enter FTP commands to access FTP data. FTP-DATA. FTP client software opens an FTP-DATA session when transferring data from the FTP server. Telnet. John and Pat require Telnet access to manipulate the files available on the FTP server. Terminal Services. All administrators require the ability to remotely manage the MFFTP server. |
MFMAIL | POP3. Remote Sales users must connect to the mail server using POP3 to retrieve their mail. SMTP. Remote Sales users connect to the MFMAIL server to send e-mail and customers connect to the MFMAIL server to deliver mail to Market Florist e-mail users. Terminal Services. All administrators require the ability to remotely manage the MFMAIL server. |
MFTUNNEL | PPTP. Employees require PPTP to connect to private network resources from the Internet. Layer 2 Tunneling Protocol over Internet Protocol Security (L2TP/IPSec) can't be supported because the MFTUNNEL server is located behind a firewall that performs NAT. Terminal Services. All administrators require the ability to remotely manage the MFTUNNEL server. |
Table 14.5 Market Florist Static Address Mapping Table
Hostname | External IP Address | Private Network IP Address |
---|---|---|
www.marketflorist.tld | 131.107.88.254 | 192.168.77.2 |
ftp.marketflorist.tld | 131.107.88.253 | 192.168.77.7 |
mail.marketflorist.tld | 131.107.88.252 | 192.168.77.8 |
vpn.marketflorist.tld. | 131.107.88.251 | 192.168.77.9 |
When an organization hosts Internet-accessible resources, it's generally unadvisable to place those resources within the private network. Instead, place all Internet-accessible resources in a network segment commonly known as a DMZ between the private network and the public network.
What Are Some Other Terms for DMZ?
DMZs have a variety of common names, including screened subnet and perimeter network. Screened subnet refers to the function of a DMZ in network security. All network traffic that attempts to enter or exit the DMZ is screened by packet filters to determine whether they're allowed. Perimeter network refers to the DMZ's location. Typically, a DMZ exists between the private and the public network on the perimeter of the private network.
All three terms refer to the same area of your network and are configured identically to provide network security to Internet-accessible resources.
Networks use one of the following DMZ designs: a three-pronged firewall DMZ, a mid-ground DMZ, or a hybrid (or multizone) DMZ.
A three-pronged firewall DMZ consists of a firewall with three network interfaces. One interface is connected to the private network, another is connected to the public network, and the final interface is connected to the DMZ, as shown in Figure 14.5.
Figure 14.5 A three-pronged firewall DMZ
So Is the DMZ Part of the Private Network or the Public Network?
A DMZ is part of the private network and part of the public network. As you can see in Figure 14.5, the DMZ is separate from both the private and public networks.
In a sense, the DMZ is part of the public network, because resources that are accessible to the public network are placed in the DMZ. But the DMZ is also part of the private network because packet filters enforce which protocols can be used to connect to each server located in the DMZ.
An administrator establishes packet filters that are enforced by the firewall to restrict what traffic is allowed between each of the three zones. All Internet- accessible resources are placed in the DMZ to ensure that data connections originating from the public network can establish connections only to resources in the DMZ. They aren't allowed to establish connections to any resources on the private network.
When deploying a three-pronged firewall, ensure that your firewall solution supports three network interfaces. Each interface will be assigned to a zone and you must establish packet filters that define the interaction allowed between each zone.
When deciding whether the DMZ will use private or public network addressing, consider whether IPSec will be used from the public network to the DMZ. Since IPSec can't pass through a NAT service, you must use public network addressing in the DMZ whenever you require IPSec connections from the public network.
You establish a mid-ground DMZ by using two firewalls. You place the first firewall between the public network and the DMZ and the second firewall between the DMZ and the private network, as shown in Figure 14.6.
Figure 14.6 A mid-ground DMZ
While a three-pronged firewall DMZ can result in a single point of failure, the use of two firewalls provides additional protection to the private network because an attacker has to breach two firewalls before gaining access to the private network. By using two different firewall products, you can increase the protection offered to the private network because different methods may be required to breach the two firewalls.
As with a three-pronged firewall DMZ, the IP addressing used in the mid-ground DMZ can be either private or public network addressing. Generally you will use private network addressing in the DMZ unless there's a requirement to establish IPSec connections through the external firewall.
Sometimes a single DMZ may not meet your business requirements. In these cases, you can deploy a hybrid DMZ. A hybrid DMZ is a network where more than one zone exists between the private and the public networks.
Figure 14.7 depicts a hybrid DMZ configuration using a single firewall.
Figure 14.7 A hybrid DMZ with a single firewall
In this scenario you create two DMZs to support the need for IPSec connections and for protection of the private network addressing configuration for all other Internet-accessible resources. One DMZ, containing the remote access server that will accept IPSec connections, uses public network addressing. The second DMZ uses private network addressing and contains all other Internet-accessible resources. The firewall prevents static address mapping for all incoming traffic to the network segment. Likewise, NAT is performed on all outgoing traffic originating in the zone using private network addressing.
Alternatively, you can use multiple firewalls to establish two or more DMZs between the private network and the public network, as shown in Figure 14.8.
Figure 14.8 A hybrid DMZ with multiple firewalls
In this scenario the outermost DMZ uses public network addressing to allow IPSec connections to the remote access server. The innermost DMZ uses private network addressing to protect the remaining Internet-accessible resources. While more difficult to configure, the hybrid DMZ offers the most flexibility and allows a security administrator to group Internet-accessible resources based on the confidentiality of the data stored on the resource. Additionally, the administrator can configure each firewall with a set of packet filters to define exactly what traffic can enter and exit each DMZ.
When network resources are exposed to the Internet, you should isolate the resources from the private network by deploying a DMZ. Table 14.6 discusses the design decisions for the three DMZ configurations that you must choose between.
Table 14.6 Choosing Between DMZ Configurations
Use | To Meet These Business Objectives |
---|---|
Three-pronged firewall DMZ | To reduce the costs associated with deploying firewalls. Only a single firewall is required for this design. To maintain a single packet filter list. The packet filter rules determine which interface a packet filter is applied to. |
Mid-ground DMZ | To provide physical separation of the private network from the public network with the DMZ being placed between the private and public networks. An attacker must breach two firewalls to access the private network. To reduce the chance that the breach of the external firewall will lead to access of the private network. If you use two different manufacturers for the internal and external firewalls, you gain security because different methods must be used to breach the second firewall. |
Hybrid | To provide both private network and public network addressing to DMZ segments. To categorize Internet-accessible resources into different levels of access that can be protected by firewall strategies. |
Market Florist is limited by its budget and must develop a DMZ configuration that uses only a single firewall. Figure 14.9 shows a three-pronged firewall DMZ configuration that will meet Market Florist's security needs and support the proposed IP addressing scheme for all servers on the network.
Figure 14.9 Proposed configuration for the Market Florist DMZ
Notice that each server in the NLBS cluster for the MFWEB server must be located in the DMZ. The NLBS listens on the IP address 192.168.77.2 but redirects the requests to one of the four servers in the cluster. The firewall is only required to redirect incoming HTTP or HTTPS packets to the NLBS cluster. The NLBS cluster service determines which node receives the incoming packets.
Knowing the features of firewalls and how they are commonly deployed will assist you in ensuring access to Internet-accessible resources is secure. Your design should take advantage of your firewall's configuration options to ensure that only authorized data transactions can take place.