Firewalls can regulate which protocols are allowed to enter and exit the DMZ. By configuring the firewall to allow only the authorized protocols to connect to each server in the DMZ, you can prevent hackers from attaching to the servers using alternative protocols.
After this lesson, you will be able to
Estimated lesson time: 60 minutes
When configuring a firewall, decide between the following basic firewall strategies based on your desired security level:
What About the Order of the Packet Filters?
The order in which packet filters are processed depends on the specific firewall product. Firewalls typically process the packet filters using one of two common methods.
The first method is to process the packet filters in the order in which they're entered. In other words, the packet filters are processed from the top to the bottom of the packet filter list. If your firewall uses this strategy, ensure that the most important packet filters are placed at the top of the list. For example, place a packet filter that restricts access to the Web server using HTTP and HTTPS above a rule that denies access to any servers in the DMZ.
The second method is to process the most specific packet filters before the more general packet filters. In other words, a packet filter that restricts access to a specific server will be processed before a packet filter that defines traffic between network segments. For example, a packet filter that allows the DNS server in the DMZ to connect to a DNS server at an ISP will be processed before a packet filter that allows any computer on the public network to connect to the DNS server.
Table 14.13 outlines the factors you need to consider when deciding between the common firewall strategies.
Table 14.13 Choosing Between Firewall Strategies
Use This Strategy | In These Circumstances |
---|---|
Specify allowed protocols and prohibit everything else. | Your strategy defines exactly which protocols are allowed to enter the DMZ; you're defining packet filters for an external firewall |
Specify prohibited protocols and allow everything else. | You must prevent specific protocols, such as Finger, from entering or exiting the network; you're defining packet filters for an internal firewall |
These aren't the only strategies. Nothing prevents you from using "Specify allowed protocols and prohibit everything else" and creating packet filters that deny specific protocols. This is commonly done to log attempts to use the prohibited protocols since you can log an event only if a packet filter is matched.
For Market Florist, the "Specify allowed protocols and prohibit everything else" firewall strategy best meets the security needs of the network. This strategy enables Market Florist to define only authorized protocols that can enter the DMZ and the private network. If a protocol isn't included in the packet filter list, the protocol is assumed to be denied access to the DMZ or private network.
The DNS service is the locator service in a Windows 2000 network, and DNS is also the locator service for the Internet. When designing security for the DNS service, define how DNS traffic will move through your private network and through the DMZ to the Internet.
The key to securing DNS is separating the internal DNS service from the external DNS service. This allows separation of the internal DNS namespace from the external DNS namespace so that private network IP addressing schemes aren't exposed to the Internet.
Figure 14.12 shows a typical DNS deployment that's used when both internal and external DNS services are deployed in a network.
Figure 14.12 DNS traffic flow in a DMZ
In this configuration the internal firewall is configured to allow only DNS packets from the internal DNS server to be sent to the external DNS server in the DMZ through a DNS forwarder. This configuration limits internal DNS clients to connecting to the internal DNS server. The internal firewall prevents the internal DNS clients from connecting to any other external DNS server.
Based on the IP address information shown in the figure, Table 14.14 lists the packet filters that you must apply at the internal firewall to restrict DNS traffic between the two DNS servers.
Table 14.14 Internal Firewall Rules to Restrict DNS Usage
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
DNS | 10.20.30.40 | Any | 10.30.30.40 | 53 | TCP | Allow |
DNS | 10.20.30.40 | Any | 10.30.30.40 | 53 | UDP | Allow |
DNS | 10.20.30.0/24 | Any | 10.30.30.40 | 53 | TCP | Deny |
DNS | 10.20.30.0/24 | Any | 10.30.30.40 | 53 | UDP | Deny |
The first two packet filters allow the internal DNS server (10.20.30.40) to connect to the external DNS server (10.30.30.40) using either UDP-based or TCP-based DNS connections. The last two packet filters deny all other clients on the 10.20.30.0/24 network from connecting to any DNS servers beyond the firewall using UDP-based or TCP-based DNS queries.
NOTE
All firewall rules in this lesson assume that the firewalls support packet filter mirroring. As discussed in Lesson 1, packet filter mirroring allows response packets to be passed successfully through the firewall.
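To make the two processing orders concrete and to check Table 14.14 against actual packets, here is an added example in Python. It is not code from the training kit: the Filter and Packet classes, the specificity scoring, the sample packets and the deliberately misordered Web-server list are constructed for this illustration, and 10.30.30.0/24 is assumed to be the DMZ subnet; only Table 14.14 is transcribed from the lesson. The transport column also accepts a bare IP protocol number, so the same evaluator handles the ESP and GRE rows that appear later in this lesson, where no ports are given.

```python
"""Packet-filter evaluator for the tables in this lesson (added example).

Not code from the training kit.  A Filter is the seven columns used in the
tables; evaluate() applies a filter list under the two processing orders
described in the lesson: top-to-bottom first match, and most-specific-first.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Filter:
    protocol: str   # label only (e.g. "DNS"); matching uses the fields below
    src: str        # "Any", a host address, or a CIDR prefix
    sport: str      # "Any" or a port number
    dst: str
    dport: str
    transport: str  # "Any", "TCP", "UDP", or an IP protocol number like "50"
    action: str     # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: Optional[int]  # None for protocols without ports (ESP, GRE)
    dst: str
    dport: Optional[int]
    transport: str


def _network(spec: str):
    """'Any' is the whole address space; a bare host address becomes a /32."""
    return ip_network("0.0.0.0/0") if spec == "Any" else ip_network(spec, strict=False)


def _port_matches(spec: str, port: Optional[int]) -> bool:
    return spec == "Any" or (port is not None and int(spec) == port)


def matches(f: Filter, p: Packet) -> bool:
    return ((f.transport == "Any" or f.transport.upper() == p.transport.upper())
            and ip_address(p.src) in _network(f.src)
            and ip_address(p.dst) in _network(f.dst)
            and _port_matches(f.sport, p.sport)
            and _port_matches(f.dport, p.dport))


def specificity(f: Filter) -> int:
    """Higher is more specific: longer prefixes and fixed ports score more."""
    score = _network(f.src).prefixlen + _network(f.dst).prefixlen
    return score + 16 * (f.sport != "Any") + 16 * (f.dport != "Any")


def evaluate(filters: List[Filter], packet: Packet,
             order: str = "top-down", default: str = "Deny") -> str:
    """Action of the first matching filter, or the implicit default.

    "top-down" walks the list as entered; "specific" puts the most specific
    filters first (sorted() is stable, so equally specific filters keep
    their list order).
    """
    if order == "specific":
        filters = sorted(filters, key=specificity, reverse=True)
    for f in filters:
        if matches(f, packet):
            return f.action
    return default


# Table 14.14, transcribed: internal firewall rules restricting DNS traffic.
TABLE_14_14 = [
    Filter("DNS", "10.20.30.40", "Any", "10.30.30.40", "53", "TCP", "Allow"),
    Filter("DNS", "10.20.30.40", "Any", "10.30.30.40", "53", "UDP", "Allow"),
    Filter("DNS", "10.20.30.0/24", "Any", "10.30.30.40", "53", "TCP", "Deny"),
    Filter("DNS", "10.20.30.0/24", "Any", "10.30.30.40", "53", "UDP", "Deny"),
]

# Constructed: the Web-server example from the ordering discussion, entered
# with the general deny above the specific allow.  10.30.30.0/24 is assumed
# to be the DMZ subnet.
MISORDERED_WEB = [
    Filter("Any", "Any", "Any", "10.30.30.0/24", "Any", "Any", "Deny"),
    Filter("HTTP", "Any", "Any", "10.30.30.41", "80", "TCP", "Allow"),
]

# Constructed sample packets.
INTERNAL_DNS_QUERY = Packet("10.20.30.40", 49152, "10.30.30.40", 53, "UDP")
CLIENT_DNS_QUERY = Packet("10.20.30.77", 49153, "10.30.30.40", 53, "TCP")
WEB_REQUEST = Packet("131.107.2.200", 40000, "10.30.30.41", 80, "TCP")


def demo() -> dict:
    return {
        "dns server forwarder": evaluate(TABLE_14_14, INTERNAL_DNS_QUERY),
        "other client, top-down": evaluate(TABLE_14_14, CLIENT_DNS_QUERY),
        "other client, specific": evaluate(TABLE_14_14, CLIENT_DNS_QUERY, "specific"),
        "misordered web, top-down": evaluate(MISORDERED_WEB, WEB_REQUEST),
        "misordered web, specific": evaluate(MISORDERED_WEB, WEB_REQUEST, "specific"),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:26s} -> {action}")
```

Two results are worth noting. The client on 10.20.30.0/24 is denied under either order, because the deny rules are the only ones that match it, so Table 14.14 does not depend on the firewall's processing method. The misordered Web-server list allows the request only under most-specific-first processing; on a top-to-bottom firewall the general deny swallows it, which is exactly why the lesson tells you to place the specific allow above the general deny.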
At the external firewall, create additional packet filters to allow external client computers to connect only to the DNS server using the DNS protocol. All other requests sent to the DNS server should be prevented (unless the DNS server is hosting other authorized services).
Table 14.15 lists the packet filters that you must establish at the external firewall to allow public network users to query the DNS server located in the DMZ and to allow the external DNS server to forward DNS requests to other DNS servers on the Internet.
Table 14.15 External Firewall Rules to Restrict DNS Usage
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
DNS | Any | Any | 10.30.30.40 | 53 | TCP | Allow |
DNS | Any | Any | 10.30.30.40 | 53 | UDP | Allow |
DNS | 10.30.30.40 | Any | Any | 53 | TCP | Allow |
DNS | 10.30.30.40 | Any | Any | 53 | UDP | Allow |
The first two packet filters allow any computers on the Internet to connect to the external DNS server (10.30.30.40) using either TCP-based or UDP-based DNS requests. The last two packet filters allow the external DNS server to forward DNS queries to any DNS server on the Internet.
NOTE
Packet filters will always refer to the true IP address of the server, not the advertised address on the Internet. Static address mapping converts the destination address before the packet filter is applied to determine if the data is allowed to reach the destination server.
When configuring a firewall to allow DNS traffic, include the following items in your security design:
Market Florist must configure the internal DNS server to forward irresolvable DNS requests to the external DNS server in the DMZ. Because there's only a single firewall, the firewall rules are included in a single packet filter listing. Table 14.16 shows the packet filters necessary to restrict DNS traffic for Market Florist.
Table 14.16 DNS Packet Filters for Market Florist
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
DNS | 10.10.10.3 | Any | 192.168.77.254 | 53 | TCP | Allow |
DNS | 10.10.10.3 | Any | 192.168.77.254 | 53 | UDP | Allow |
DNS | 10.10.10.0/24 | Any | Any | 53 | TCP | Deny |
DNS | 10.10.10.0/24 | Any | Any | 53 | UDP | Deny |
DNS | Any | Any | 192.168.77.254 | 53 | TCP | Allow |
DNS | Any | Any | 192.168.77.254 | 53 | UDP | Allow |
DNS | 192.168.77.254 | Any | 131.107.199.56 | 53 | TCP | Allow |
DNS | 192.168.77.254 | Any | 131.107.199.56 | 53 | UDP | Allow |
The first two packet filters allow the internal DNS server (10.10.10.3) to forward DNS queries to the external DNS server (192.168.77.254). The third and fourth packet filters prevent any other internal network clients (10.10.10.0/24) from querying DNS servers beyond the internal firewall. The fifth and sixth packet filters allow any DNS clients on the Internet to query the external DNS server. And the final two packet filters allow the external DNS server to forward DNS queries to the ISP's DNS server (131.107.199.56).
NOTE
The rules that deny access to hosts on the 10.10.10.0/24 network prevent private network client computers from connecting to Internet-based DNS services and bypassing the internal DNS server. These rules force private network client computers to use the internal DNS server.
A Web server is one of the most common network resources made available for Internet access. A Web server listens for connections from external client computers on TCP port 80 for HTTP connections and on TCP port 443 for HTTPS connections.
Figure 14.13 depicts a Web server located in a DMZ that allows internal and external access to the Web server.
Figure 14.13 Web server placement in a DMZ
Configure access to the Web server in the DMZ at both the internal and external firewalls to ensure that only authorized protocols are allowed to connect.
At the external firewall, establish packet filters that limit connections to the Web server to the HTTP and HTTPS protocols. Table 14.17 lists the required packet filters for Figure 14.13.
Table 14.17 External Packet Filters for a Web Server
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
HTTP | Any | Any | 10.30.30.41 | 80 | TCP | Allow |
HTTPS | Any | Any | 10.30.30.41 | 443 | TCP | Allow |
The first packet filter allows Internet users to connect to the Web server (10.30.30.41) using HTTP, and the second packet filter allows Internet users to connect to the Web server using HTTPS.
NOTE
Establishing packet filters at the internal firewall to restrict access to the Web server from the private network is optional. The packet filters are required only if connections to the Web server must be limited to HTTP and HTTPS connections.
When configuring a firewall to allow Web server traffic, include the following items in your security design:
Market Florist must ensure that the customer registration portion of the www.marketflorist.tld Web site is protected by SSL encryption so that credit card information isn't intercepted. In addition, Market Florist must establish packet filters to restrict external access to the Web server. Table 14.18 lists the required packet filters.
Table 14.18 Web Server Packet Filters for Market Florist
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
HTTP | Any | Any | 192.168.77.2 | 80 | TCP | Allow |
HTTPS | Any | Any | 192.168.77.2 | 443 | TCP | Allow |
These two packet filters enable Internet users to connect to the Market Florist Web server (192.168.77.2) using only HTTP and HTTPS protocols.
NOTE
The firewall rules have to be established only for the NLBS Web server cluster IP address. Once the packets reach the Web cluster, the NLBS service determines which node receives the packets.
FTP allows data to be transferred to and from a central location. When designing packet filters for FTP connections, it's helpful to understand how FTP transmissions work.
FTP uses two separate channels for FTP sessions. FTP uses a control stream (a connection to TCP port 21) to send FTP commands from the FTP client software to the FTP server and a data stream (a connection to TCP port 20) for transferring data. The two channels are used to allow a data transmission to be interrupted through the control stream.
Some FTP clients, known as passive FTP clients, require the FTP server to initiate the data transfer. You must establish packet filters that allow the FTP server to initiate FTP data sessions.
To restrict FTP connections from the Internet, you typically place the FTP server in a DMZ, as shown in Figure 14.14.
Figure 14.14 Providing FTP access in a DMZ
Table 14.19 shows the packet filters that you need to establish at the external firewall to allow access to the FTP server in the DMZ.
Table 14.19 FTP Server Packet Filters
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
FTP Data | Any | Any | 192.168.77.7 | 20 | TCP | Allow |
FTP | Any | Any | 192.168.77.7 | 21 | TCP | Allow |
FTP Data | 192.168.77.7 | 20 | Any | Any | TCP | Allow |
FTP | 192.168.77.7 | 21 | Any | Any | TCP | Allow |
The first two packet filters allow any Internet users to connect to the FTP server (192.168.77.7) for FTP connections. The last two packet filters enable the FTP server to establish connections to passive FTP clients.
NOTE
The packet filters listed in Table 14.19 assume that passive FTP clients exist on the network. The last two packet filters allow data transfers initiated by the FTP server to pass through the external firewall. If the FTP clients were nonpassive, you could remove the last two filters from the packet filter listing.
When configuring a firewall to allow access to an FTP server, include the following items in your security design:
Market Florist must allow external client computers to use only the FTP protocol to connect to the MFFTP server in the DMZ. To accomplish this, apply the packet filters shown in Table 14.20 at the external firewall.
Table 14.20 FTP Server Packet Filters for Market Florist
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
FTP Data | Any | Any | 192.168.77.7 | 20 | TCP | Allow |
FTP | Any | Any | 192.168.77.7 | 21 | TCP | Allow |
FTP Data | 192.168.77.7 | 20 | Any | Any | TCP | Allow |
FTP | 192.168.77.7 | 21 | Any | Any | TCP | Allow |
The first two packet filters allow Internet users to connect to the MFFTP server (192.168.77.7) using FTP sessions. The last two packet filters allow the MFFTP server to initiate data transfers with passive FTP clients.
Configure the FTP server to accept only anonymous connections. The FTP server is used to download floral arrangement brochures and authenticated access isn't required. Anonymous access ensures that credentials can't be intercepted. John and Pat will use Telnet from the private network to manage the data in the Ftproot folder.
NOTE
To allow Telnet access from the private network, the internal firewall must either allow all access or restrict access to TCP port 23 on the MFFTP server.
Many organizations use e-mail to communicate within the organization and with other organizations. Ensure that mail servers are secured against attacks by allowing only authorized protocols to connect to the mail server.
Figure 14.15 shows a typical mail server deployment in a DMZ environment.
Figure 14.15 Providing e-mail access in a DMZ
Carefully plan mail access for an organization so that e-mail doesn't cause security problems. Typically, a mail server must support several protocols for e-mail access. Common protocols supported by mail servers include
NOTE
You can prevent SMTP relaying on a server so that only e-mail messages destined to a mailbox hosted on the mail server can be received. Alternatively, you can place restrictions to allow only SMTP relaying to authenticated users or to specific IP addresses or network IP addresses.
IMPORTANT
You can protect POP3, IMAPv4, and LDAP by implementing SSL. The protocols will use SSL encryption to protect user account and password verification during the authentication process.
Table 14.21 lists the packet filters that you must establish at the external firewall to allow access to the mail server in the DMZ by external client computers.
Table 14.21 Mail Server Packet Filters
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
POP3 | Any | Any | 10.30.30.43 | 110 | TCP | Allow |
POP3-SSL | Any | Any | 10.30.30.43 | 995 | TCP | Allow |
IMAP4 | Any | Any | 10.30.30.43 | 143 | TCP | Allow |
IMAP4-SSL | Any | Any | 10.30.30.43 | 993 | TCP | Allow |
LDAP | Any | Any | 10.30.30.43 | 389 | TCP | Allow |
LDAP-SSL | Any | Any | 10.30.30.43 | 636 | TCP | Allow |
SMTP | Any | Any | 10.30.30.43 | 25 | TCP | Allow |
SMTP | 10.30.30.43 | Any | Any | 25 | TCP | Allow |
The first two packet filters allow POP3 clients and POP3 clients using SSL to connect to the mail server (10.30.30.43). The third and fourth packet filters allow IMAP4 clients and IMAP4 clients using SSL to connect to the mail server. The fifth and sixth packet filters allow LDAP clients and LDAP clients using SSL to connect to the mail server. The seventh packet filter allows the mail server to accept SMTP messages from the Internet, and the final packet filter allows the mail server to send SMTP messages to any SMTP servers on the Internet.
NOTE
Some mail servers, such as Exchange Server 5.5 and Exchange 2000 Server, support HTTP-based access to user mailboxes. To support HTTP-based access, you can add additional packet filters to allow HTTPS to access the mail server.
When configuring a firewall to allow access to a mail server, include the following items in your security design:
Market Florist must restrict which protocols can connect to the mail server in the DMZ. According to the scenario, only POP3 and SMTP will be used to connect to the mail server from the public network. To allow only these protocols, create the packet filters in Table 14.22 at the external firewall.
Table 14.22 Mail Server Packet Filters for Market Florist
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
POP3 | Any | Any | 192.168.77.8 | 110 | TCP | Allow |
POP3-SSL | Any | Any | 192.168.77.8 | 995 | TCP | Allow |
SMTP | Any | Any | 192.168.77.8 | 25 | TCP | Allow |
SMTP | 192.168.77.8 | Any | Any | 25 | TCP | Allow |
The first two packet filters allow e-mail clients to retrieve mail from the MFMAIL server by using POP3 or POP3-SSL. The third packet filter allows the MFMAIL server to receive SMTP messages from the Internet. And the final packet filter allows the MFMAIL server to send SMTP messages to any mail server on the Internet.
In addition, configure the mail server to allow only SMTP relaying if the user authenticates with the MFMAIL server before the e-mail client attempts the SMTP relay action. Because the remote sales force will be connecting from unknown IP addresses, you can't establish restrictions using network IP addresses.
Servers in the DMZ are often required to store or access data from an application server, such as an SQL server, in the private network. You can protect the transfer of data by configuring the internal firewall to allow only specific protocols to pass between the server in the DMZ and the application server in the private network.
It's too risky to place the application server in the DMZ because data stored on the application server might be compromised. When you make use of the internal firewall's packet filtering abilities, only authorized connections between the server in the DMZ and the application server in the private network can take place.
You can manage the connection between the two servers by using one of three methods:
Figure 14.16 Securing access to an SQL server on the private network
Figure 14.17 Securing access to an SQL server on the private network by using IPSec
NOTE
IPSec encryption prevents the firewall from inspecting the actual protocol that's being transmitted through the firewall. Be sure to set up your rules so that only server-to-server connections are allowed to pass using IPSec. This prevents other servers from establishing IPSec agreements and attempting to pass through the firewall.
Once you've identified the participating servers and the necessary protocols, define the packet filters necessary to allow communications to take place. Table 14.23 lists the packet filter required to write data to an SQL server using TCP/IP socket connections from a Web server in the DMZ as shown in Figure 14.16.
Table 14.23 SQL Server Packet Filters for the Internal Firewall
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
SQL Data | 10.30.30.41 | Any | 10.20.30.50 | 1433 | TCP | Allow |
The packet filter permits the Web server (10.30.30.41) to connect to the SQL server (10.20.30.50) using only an SQL data connection. No other computers in the DMZ are allowed to connect to the SQL server. Also, the Web server can't use any other protocols to connect to the SQL server.
In this case the external firewall would use the same filters defined in Table 14.15. Public network clients are only allowed to connect to the Web server. The public network clients don't query the SQL server on the private network. It's the Web server that actually performs the query on behalf of the external customer. For the transaction to occur, the external customer only needs to connect to the Web server using HTTP or HTTPS.
If the connection between the Web server and the SQL server uses IPSec to encrypt all transmitted data, set up the packet filters at the internal firewall to allow both Internet Key Exchange (IKE) packets and IPSec ESP packets to pass, as shown in Table 14.24.
Table 14.24 IPSec Packet Filters for the Internal Firewall
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
IKE | 10.30.30.41 | 500 | 10.20.30.50 | 500 | UDP | Allow |
ESP | 10.30.30.41 | | 10.20.30.50 | | ID 50 | Allow |
The first packet filter allows the Web server (10.30.30.41) to negotiate an IPSec SA with the SQL server (10.20.30.50). The second packet filter assumes that only ESP will be used to protect the IPSec packets and enables any packets encrypted with ESP (protocol ID 50) sent between the Web server and the SQL server to pass through the firewall.
NOTE
An ESP packet filter only describes the protocol ID. Port information isn't required for an ESP packet filter.
When configuring a firewall to allow access to an application server on the private network, configure the firewall rules to match how data transmissions take place. Your design should include the following:
Market Florist must allow customers to connect to the SQL server on the private network using both a Web interface for customer registration and the Flower Power application to store order information. Because the customer registration information requires transmission security, all data transmitted between the Web server (MFWEB) and the SQL server (MFSQL) must be encrypted using IPSec transport mode, as shown in Table 14.25.
Table 14.25 Flower Power Packet Filters for Market Florist
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
HTTP | Any | Any | 192.168.77.2 | 80 | TCP | Allow |
HTTPS | Any | Any | 192.168.77.2 | 443 | TCP | Allow |
Flower Power | Any | Any | 192.168.77.2 | 6834 | UDP | Allow |
IKE | 192.168.77.3 | 500 | 10.10.10.20 | 500 | UDP | Allow |
IKE | 192.168.77.4 | 500 | 10.10.10.20 | 500 | UDP | Allow |
IKE | 192.168.77.5 | 500 | 10.10.10.20 | 500 | UDP | Allow |
IKE | 192.168.77.6 | 500 | 10.10.10.20 | 500 | UDP | Allow |
ESP | 192.168.77.3 | | 10.10.10.20 | | ID 50 | Allow |
ESP | 192.168.77.4 | | 10.10.10.20 | | ID 50 | Allow |
ESP | 192.168.77.5 | | 10.10.10.20 | | ID 50 | Allow |
ESP | 192.168.77.6 | | 10.10.10.20 | | ID 50 | Allow |
The first two packet filters allow public network users to connect to the MFWEB server (192.168.77.2) using either HTTP or HTTPS. The third packet filter allows public network users to connect to the Flower Power server-side application listening on UDP port 6834 on the MFWEB server. The next four packet filters allow IPSec SAs to be negotiated between each component server in the NLBS Web cluster and the MFSQL server (10.10.10.20). You must establish separate packet filters for each Web server in the NLBS cluster because IPSec SAs are established between two computers, not between a computer and an NLBS cluster. The last four packet filters allow each component server in the NLBS cluster to send ESP-encrypted SQL-data packets to the MFSQL server.
WARNING
The last eight packet filters allow the MFSQL and MFWEB servers to transmit data in any protocol between them. As long as the IPSec SA doesn't use Authentication Headers (AH), the firewall will allow the packets to pass. To prevent unauthorized protocols, you must inspect the IPSec packet filters regularly at each server to ensure that they encrypt only authorized protocols.
Terminal Services allows an administrator to connect to servers on the network by using Remote Desktop Protocol (RDP). You can restrict Terminal Services to be used for administrative purposes only by configuring Terminal Services to run in Remote Administration mode rather than Application Services mode.
To restrict access to a terminal server, configure the external firewall to allow only RDP connections to the terminal server. As shown in Figure 14.18, configure the external firewall to allow only connections using RDP to pass through to the terminal server.
Figure 14.18 Securing access to a terminal server in the DMZ
Configure the terminal server to require strong encryption of the connection. If the Windows 2000 High Encryption Pack is installed at both the Terminal Services client computer and the server running Terminal Services, 128-bit RC4 encryption is used to protect transmitted data. If either the client or the server doesn't have the High Encryption Pack, 40-bit or 56-bit encryption is used.
To allow the RDP to pass through the external firewall, you must define the packet filter in Table 14.26.
Table 14.26 Terminal Services Packet Filters
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
RDP | Any | Any | 10.30.30.44 | 3389 | TCP | Allow |
This packet filter allows any computer to connect to the terminal server (10.30.30.44) with the RDP protocol. Any attempts to connect to the terminal server with other protocols are denied.
When configuring a firewall to allow access to a terminal server located in the DMZ, consider the following design points:
Market Florist wants to use Terminal Services to manage all servers in the DMZ from the private network. To restrict access to Terminal Services to administrators only, configure Terminal Services to use Remote Administration mode at all computers in the DMZ. In addition, establish the packet filters shown in Table 14.27.
Table 14.27 Terminal Services Packet Filters for Market Florist
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
RDP | 10.10.10.0/24 | Any | 192.168.77.3 | 3389 | TCP | Allow |
RDP | 10.10.10.0/24 | Any | 192.168.77.4 | 3389 | TCP | Allow |
RDP | 10.10.10.0/24 | Any | 192.168.77.5 | 3389 | TCP | Allow |
RDP | 10.10.10.0/24 | Any | 192.168.77.6 | 3389 | TCP | Allow |
RDP | 10.10.10.0/24 | Any | 192.168.77.7 | 3389 | TCP | Allow |
RDP | 10.10.10.0/24 | Any | 192.168.77.8 | 3389 | TCP | Allow |
RDP | 10.10.10.0/24 | Any | 192.168.77.9 | 3389 | TCP | Allow |
RDP | 10.10.10.0/24 | Any | 192.168.77.254 | 3389 | TCP | Allow |
The packet filters configured in Table 14.27 limit RDP access to the servers located in the DMZ from the private network (10.10.10.0/24). All other connections are implicitly denied.
NOTE
You don't need to establish a separate packet filter for the NLBS cluster IP address. Each node of the NLBS cluster service allows Terminal Services connections from the private network.
When an organization wants its network to permit VPN traffic, it must consider how the tunneling protocol it uses affects its firewall and network infrastructure design. Remember that L2TP and IPSec tunnel mode both use IPSec to provide encryption services to the tunnel. IPSec is unable to pass through a firewall that performs NAT on incoming and outgoing packets.
This section examines the design decisions you face when deploying PPTP, L2TP/IPSec, and IPSec tunnel mode servers in a DMZ.
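The statement that IPSec can't cross a NAT firewall has a concrete mechanical cause, and the following added example in Python reproduces one part of it. It is not code from the training kit. In L2TP/IPSec the L2TP datagram travels as UDP inside ESP; the UDP checksum covers a pseudo-header containing the original source and destination IP addresses, and the whole datagram is then encrypted, so a NAT device can neither read nor recompute that checksum the way it does for cleartext UDP. The client and NAT addresses and the payload bytes are constructed for this example; 131.107.40.5 is the L2TP server address the lesson uses in Table 14.30.

```python
"""Why IPSec transport mode fails behind NAT (added example, not from the kit).

Builds an L2TP/UDP datagram as the client would before ESP encrypts it, then
verifies its checksum the way the tunnel server does after decryption: once
with the client's real address, once with the address a NAT device would have
substituted in the outer IP header.  Addresses and payload are constructed.
"""
import struct
from ipaddress import ip_address

L2TP_PORT = 1701   # L2TP runs over UDP port 1701


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> int:
    """RFC 768 checksum over IPv4 pseudo-header + UDP header + payload."""
    length = 8 + len(payload)
    pseudo = (ip_address(src_ip).packed + ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, 17, length))        # zero, protocol 17, length
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field zeroed
    csum = 0xFFFF ^ ones_complement_sum(pseudo + header + payload)
    return csum or 0xFFFF   # a computed zero is transmitted as all ones


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP datagram as the client builds it, before ESP encrypts it."""
    csum = udp_checksum(src_ip, dst_ip, sport, dport, payload)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), csum) + payload


def verify_udp(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """The receiver's check after ESP decryption, using the addresses it saw."""
    sport, dport, length, received = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return False
    return received == udp_checksum(src_ip, dst_ip, sport, dport, datagram[8:])


def nat_effect(client_private_ip: str, nat_public_ip: str, server_ip: str):
    """Return (verifies_without_nat, verifies_with_nat) for one L2TP datagram."""
    payload = b"constructed L2TP payload"
    datagram = build_udp(client_private_ip, server_ip, L2TP_PORT, L2TP_PORT, payload)
    # ESP encrypts `datagram`; its bytes, checksum included, are fixed from here on.
    without_nat = verify_udp(client_private_ip, server_ip, datagram)
    # A NAT firewall rewrites only the outer IP header, so the server verifies
    # against nat_public_ip while the checksum was computed with the private one.
    with_nat = verify_udp(nat_public_ip, server_ip, datagram)
    return without_nat, with_nat


if __name__ == "__main__":
    print(nat_effect("192.168.1.10", "131.107.2.200", "131.107.40.5"))  # (True, False)
```

With a cleartext UDP header the NAT device would simply recompute the checksum after rewriting the address; under ESP it can't see the header, so the mismatch reaches the tunnel server and the datagram is discarded. AH is stricter still: its integrity check covers the outer IP header itself, so any address rewrite fails authentication before the payload is even examined. Later Windows versions addressed this with IPSec NAT-Traversal (UDP-encapsulated ESP), which is why the constraint discussed in this lesson is specific to the Windows 2000 implementation.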
You don't have to take any special considerations into account when placing a PPTP tunnel server in your network. It doesn't matter if the external firewall performs NAT on incoming and outgoing packets. The only requirement is to place the tunnel server in the DMZ, as shown in Figure 14.19.
Figure 14.19 Securing access to a PPTP tunnel server in the DMZ
To support the placement of the PPTP tunnel server in the DMZ, configure the external firewall to allow connections to the tunnel server using PPTP (TCP port 1723) and the Generic Routing Encapsulation (GRE) protocol (protocol ID 47). Table 14.28 lists the packet filters that you must establish at the external firewall to support the network shown in Figure 14.19.
Table 14.28 PPTP Packet Filters at the External Firewall
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
PPTP | Any | Any | 10.30.30.45 | 1723 | TCP | Allow |
GRE | Any | | 10.30.30.45 | | ID 47 | Allow |
The first packet filter allows PPTP connections from any computer on the public network to the PPTP server (10.30.30.45). The second packet filter allows GRE packets, which PPTP uses to encapsulate the original data packets, to pass through the external firewall to the PPTP server.
To protect the Active Directory database, you can deploy the PPTP server as a member of a workgroup rather than as a member of the domain. To support domain authentication, configure the tunnel server as a RADIUS client to a RADIUS server on the private network. To support this, configure the internal firewall to allow RADIUS authentication (UDP port 1812) packets and RADIUS accounting (UDP port 1813) packets to pass from the tunnel server to the RADIUS server on the private network. No additional encryption is required because the RADIUS protocol provides encryption services.
To support RADIUS authentication to a RADIUS server in the private network, configure the internal firewall with the packet filters listed in Table 14.29.
Table 14.29 RADIUS Authentication Filters at the Internal Firewall
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
RADIUS Auth | 10.10.10.45 | Any | 10.20.30.60 | 1812 | UDP | Allow |
RADIUS Accting | 10.10.10.45 | Any | 10.20.30.60 | 1813 | UDP | Allow |
The first packet filter allows the PPTP server (10.10.10.45) to forward RADIUS authentication requests to the RADIUS server (10.20.30.60) on the private network. The second filter allows RADIUS accounting packets to be sent from the PPTP server to the RADIUS server for centralized collection of accounting information.
NOTE
An L2TP tunnel server uses the same filters to provide authentication to a remote access client. Once the data has entered the DMZ, authentication takes place in the same manner.
L2TP tunnel connections require that the tunnel server not be placed behind a firewall that performs NAT. You can modify the configuration of the DMZ to meet this requirement.
Figure 14.20 depicts the most basic configuration in which the DMZ uses public network addressing. Because the firewall doesn't perform NAT, you can place the L2TP tunnel server in the DMZ like a PPTP tunnel server.
Figure 14.20 Securing access to an L2TP Tunnel server in the DMZ using public network addressing
Alternatively, you can establish a hybrid DMZ that consists of an outer DMZ and an inner DMZ, as shown in Figure 14.21.
Figure 14.21 Securing access to an L2TP Tunnel server in the hybrid DMZ
In this configuration the outer DMZ uses public network addressing so that NAT isn't performed on any of the packets destined for the L2TP tunnel server. Once the packets reach the tunnel server and are decrypted, they can pass through the intermediate firewall that's performing NAT to the inner DMZ. The packets can also pass all the way to the private network through both the intermediate and internal firewalls.
Finally, Figure 14.22 shows an L2TP tunnel deployment where the L2TP tunnel server is parallel to the firewall at the public network boundary.
Figure 14.22 Securing access to an L2TP perimeter server
In this configuration the L2TP tunnel server is a dual-homed server, with its external network interface card (NIC) on the public network and its internal NIC attached to the DMZ.
IMPORTANT
To protect the external NIC, you must establish packet filters to allow only L2TP/IPSec connections. All other connection attempts must be denied.
The L2TP tunnel server is configured to use the NAT service included in Windows 2000 to translate private network addresses in the DMZ to public network addresses.
In each of these scenarios you must apply the packet filters in Table 14.30 at the external firewall to allow only L2TP/IPSec connections to pass through to the tunnel server. In the case of the L2TP perimeter server, you apply the packet filters to the L2TP perimeter server's external NIC.
Table 14.30 L2TP/IPSec Filters at the External Firewall
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
IKE | Any | 500 | 131.107.40.5 | 500 | UDP | Allow |
ESP | Any | | 131.107.40.5 | | ID 50 | Allow |
The first packet filter allows any remote client computer to negotiate an IPSec SA with the L2TP server (131.107.40.5). The second packet filter allows the remote client computer to exchange ESP-encrypted data with the L2TP server.
NOTE
Even though L2TP is defined to use UDP port 1701 for connections, the external firewall or external NIC of the L2TP perimeter server doesn't require a packet filter for this protocol. It's only after the transmission is accepted at the tunnel server that the L2TP packet is decrypted from the IPSec ESP packet. Only the IPSec ESP packet must be allowed to pass through the firewall.
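The following is an added example, not part of the original lesson: a minimal stateless packet-filter evaluator that encodes Table 14.30 as rules, processes them top to bottom with a default deny, and checks the point made in the note above, namely that bare L2TP (UDP 1701) and other protocols are dropped at the external firewall while IKE and ESP reach the tunnel server. The client address 203.0.113.7 and the sample packets are constructed for illustration; the IP protocol numbers (UDP 17, TCP 6, GRE 47, ESP 50) are the IANA-assigned values.

```python
from dataclasses import dataclass
from typing import Optional

UDP, TCP, GRE, ESP = 17, 6, 47, 50  # IANA IP protocol numbers

@dataclass(frozen=True)
class Rule:
    name: str
    src_ip: Optional[str]      # None means "Any"
    src_port: Optional[int]    # None means "Any" or not applicable (ESP/GRE)
    dst_ip: Optional[str]
    dst_port: Optional[int]
    ip_proto: int
    action: str

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: Optional[int]    # None for protocols that carry no ports
    dst_ip: str
    dst_port: Optional[int]
    ip_proto: int

# Table 14.30: only IKE and ESP may reach the L2TP server at 131.107.40.5.
L2TP_EXTERNAL_FILTERS = [
    Rule("IKE", None, 500, "131.107.40.5", 500, UDP, "Allow"),
    Rule("ESP", None, None, "131.107.40.5", None, ESP, "Allow"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """A None field in the rule matches any value in the packet."""
    def want(r, p): return r is None or r == p
    return (rule.ip_proto == pkt.ip_proto and want(rule.src_ip, pkt.src_ip)
            and want(rule.src_port, pkt.src_port) and want(rule.dst_ip, pkt.dst_ip)
            and want(rule.dst_port, pkt.dst_port))

def evaluate(rules, pkt: Packet, default: str = "Deny"):
    """Top-to-bottom, first match wins; unmatched traffic gets the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"

# Constructed sample packets from a remote client at 203.0.113.7 (a TEST-NET address).
SAMPLES = {
    "ike":  Packet("203.0.113.7", 500, "131.107.40.5", 500, UDP),
    "esp":  Packet("203.0.113.7", None, "131.107.40.5", None, ESP),
    "l2tp": Packet("203.0.113.7", 1701, "131.107.40.5", 1701, UDP),  # bare L2TP, see the note
    "pptp": Packet("203.0.113.7", 49152, "131.107.40.5", 1723, TCP),
}
```

Running `evaluate(L2TP_EXTERNAL_FILTERS, SAMPLES[name])` for each sample shows IKE and ESP allowed and both the bare L2TP and PPTP packets falling through to the default deny.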
When configuring a firewall to allow access to an L2TP tunnel server located in the DMZ, consider the following:
The MFTUNNEL server is assigned an IP address of 192.168.77.9, which is an RFC 1918–defined private network address. This address indicates that the firewall for Market Florist is using NAT to protect the private network IP addressing scheme. The only tunneling protocol supported in this network infrastructure is PPTP.
To meet all design objectives for the Market Florist remote access solution, configure the firewall to allow the MFTUNNEL server to pass RADIUS authentication and accounting packets to the Internet Authentication Services (IAS) server at IP address 10.10.10.200. Table 14.31 shows the packet filters that you must create at the firewall to allow the necessary traffic to pass.
Table 14.31 Tunnel Packet Filters at the Market Florist Firewall
Protocol | Source IP | Source Port | Target IP | Target Port | Transport Protocol | Action |
---|---|---|---|---|---|---|
PPTP | Any | Any | 192.168.77.9 | 1723 | TCP | Allow |
GRE | Any | | 192.168.77.9 | | ID 47 | Allow |
RADIUS Auth | 192.168.77.9 | Any | 10.10.10.200 | 1812 | UDP | Allow |
RADIUS Accting | 192.168.77.9 | Any | 10.10.10.200 | 1813 | UDP | Allow |
The first two filters allow remote clients to connect to the MFTUNNEL server (192.168.77.9) using only PPTP connections. Because the MFTUNNEL server is behind a firewall that performs NAT, you don't need to include packet filters for IPSec traffic. The last two filters allow RADIUS authentication and RADIUS accounting packets to be passed from the MFTUNNEL server to the RADIUS server (10.10.10.200) on the private network.
Creating packet filters at external and internal firewalls takes careful planning and design. After deciding on a firewall strategy, you must define the packet filters to fit your strategy. Packet filters must allow only authorized protocols to pass through the firewall. If additional protocols can pass through the firewall, you may be leaving your network vulnerable to an attacker.