Securing Your OSPF Network

Previous Table of Contents Next


In this network architecture, the router that is connected to the Internet (exterior router) forces all incoming traffic to go to the application gateway. The router that is connected to the internal network (interior router) accepts packets only from the application gateway.

The application gateway institutes per-application and per-user policies. In effect, the gateway controls the delivery of network-based services both into and from the internal network. For example, only certain users might be allowed to communicate with the Internet, or only certain applications might be permitted to establish connections between an interior and exterior host.

The route and packet filters should be set up to reflect the same policies. If the only application that is permitted is electronic mail, then only electronic mail packets should be allowed through the interior router. This protects the application gateway and avoids overwhelming it with packets that it would otherwise discard.

Controlling Traffic Flow

This section uses the scenario illustrated in Figure 10-3 to describe the use of access lists to restrict traffic to and from a firewall router and a firewall communication server. You will notice the communications server that was added to the network architecture to service dial-in users.


Figure 10-3  Controlling traffic flow with the firewall router.

In this case study, the firewall router allows incoming new connections to one or more communication servers or hosts. Having a designated router act as a firewall is desirable because it clearly identifies the router’s purpose as the external gateway and avoids encumbering other routers with this task. In the event that the internal network needs to isolate itself, the firewall router provides the point of isolation so that the rest of the internal network structure is not affected.

Connections to the hosts are restricted to incoming File Transfer Protocol (FTP) requests and e-mail services as described in the “Defining Access Lists” section later in this case study. The Telnet, or modem, connections coming into the communication server are screened by the communication server running TACACS username authentication, as described in the “Configuring the Firewall Communications Server” section later in this case study.


TIPS:  
Connections from one communication server modem line to another outgoing modem line (or to the outside world) should be disallowed to prevent unauthorized users from using your resources to launch an attack on the outside world. Because intruders have already passed the communication server TACACS authentication at this point, they are likely to have someone’s password. It is an excellent idea to keep TACACS passwords and host passwords distinct from one another.

Configuring the Firewall Router

In the firewall router configuration that follows, subnet 152.50.13.0 of the Class B 152.50.0.0 network is the firewall subnet, and subnet 152.50.14.0 provides the connection to the worldwide Internet via a service provider:

    interface ethernet 0      ip address 125.50.13.1 255.255.255.0    interface serial 0      ip address 125.50.14.1 255.255.255.0    router ospf 500      network 125.50.0.0 

This simple configuration provides no security and allows all traffic from the outside world onto all parts of your network. To provide security on the firewall router, use access lists and access groups as described in the next section.

Defining Firewall Access Lists

Access lists define the actual traffic that will be permitted or denied into the internal network, and an access group applies an access list definition to a specific router interface. Access lists can be used to do one of the following:

  Deny connections that are known to be a security risk and then permit all other connections.
  Permit those connections that are considered acceptable and deny all the rest.

For a router firewall implementation, the latter is the more secure method, and that will be how you will be using your access lists.

In this case study, incoming e-mail and news is permitted for a few hosts, but FTP, Telnet, and rlogin services are permitted only to hosts on the firewall subnet. IP extended access lists (range 100-199) and Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers are used to filter traffic. When a connection is to be established for e-mail, Telnet, FTP, and so forth, the connection will attempt to open a service on a specified port number. Therefore, you can filter out selected types of connections by denying packets that are attempting to use that service.

Remember, an access list is invoked after a routing decision has been made but before the packet is sent out on an interface. The best place to define an access list is on a preferred host using your favorite text editor (such as Notepad). You can create a file that contains the access-list commands and then cut and paste directly into the router while in configuration mode.

It is advisable that you remove any instances of an old access list before loading a new or altered version. You can remove access lists with the following command while in configuration mode:

    no access-list 101 

The access-list command can now be used to permit any packets returning to machines from already established connections. With the established keyword, a match occurs if the TCP datagram has the acknowledgment (ACK) or reset (RST) bit set:

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0    255.255.255.255 established 

If any firewall routers share a common network with an outside provider, you might want to allow access from those hosts to your network. In this case study, the outside provider has a serial port that uses the firewall router Class B address (125.50.14.2) as a source address so your access-list statement to permit them access would be as follows:

    access-list 101 permit ip 125.50.14.2 0.0.0.0 0.0.0.0 255.255.255.255 

The following example illustrates how to deny traffic from a user attempting to spoof any of your internal addresses from the outside world:

    access-list 101 deny ip 125.50.0.0 0.0.255.255 0.0.0.0 255.255.255.255 


Previous Table of Contents Next




OSPF Network Design Solutions
OSPF Network Design Solutions
ISBN: 1578700469
EAN: 2147483647
Year: 1998
Pages: 200
Authors: Tom Thomas

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net