In this network architecture, the router that is connected to the Internet (exterior router) forces all incoming traffic to go to the application gateway. The router that is connected to the internal network (interior router) accepts packets only from the application gateway.
The application gateway institutes per-application and per-user policies. In effect, the gateway controls the delivery of network-based services both into and from the internal network. For example, only certain users might be allowed to communicate with the Internet, or only certain applications might be permitted to establish connections between an interior and exterior host.
The route and packet filters should be set up to reflect the same policies. If the only application that is permitted is electronic mail, then only electronic mail packets should be allowed through the interior router. This protects the application gateway and avoids overwhelming it with packets that it would otherwise discard.
Controlling Traffic Flow
This section uses the scenario illustrated in Figure 10-3 to describe the use of access lists to restrict traffic to and from a firewall router and a firewall communication server. You will notice the communications server that was added to the network architecture to service dial-in users.
In this case study, the firewall router allows incoming new connections to one or more communication servers or hosts. Having a designated router act as a firewall is desirable because it clearly identifies the router's purpose as the external gateway and avoids encumbering other routers with this task. In the event that the internal network needs to isolate itself, the firewall router provides the point of isolation so that the rest of the internal network structure is not affected.
Connections to the hosts are restricted to incoming File Transfer Protocol (FTP) requests and e-mail services as described in the Defining Access Lists section later in this case study. The Telnet, or modem, connections coming into the communication server are screened by the communication server running TACACS username authentication, as described in the Configuring the Firewall Communications Server section later in this case study.
Configuring the Firewall Router
In the firewall router configuration that follows, subnet 18.104.22.168 of the Class B 22.214.171.124 network is the firewall subnet, and subnet 126.96.36.199 provides the connection to the worldwide Internet via a service provider:
interface ethernet 0
 ip address 188.8.131.52 255.255.255.0
interface serial 0
 ip address 184.108.40.206 255.255.255.0
router ospf 500
 network 220.127.116.11
This simple configuration provides no security and allows all traffic from the outside world onto all parts of your network. To provide security on the firewall router, use access lists and access groups as described in the next section.
Defining Firewall Access Lists
Access lists define the actual traffic that will be permitted or denied into the internal network, and an access group applies an access list definition to a specific router interface. Access lists can be used to do one of the following:
For a router firewall implementation, the latter is the more secure method, and that is how the access lists in this case study are used.
In this case study, incoming e-mail and news are permitted for a few hosts, but FTP, Telnet, and rlogin services are permitted only to hosts on the firewall subnet. IP extended access lists (range 100-199) and Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers are used to filter traffic. When a connection is to be established for e-mail, Telnet, FTP, and so forth, the connection will attempt to open a service on a specified port number. Therefore, you can filter out selected types of connections by denying packets that are attempting to use that service.
Remember, an access list is invoked after a routing decision has been made but before the packet is sent out on an interface. The best place to define an access list is on a preferred host using your favorite text editor (such as Notepad). You can create a file that contains the access-list commands and then cut and paste directly into the router while in configuration mode.
It is advisable that you remove any instances of an old access list before loading a new or altered version. You can remove access lists with the following command while in configuration mode:
no access-list 101
The access-list command can now be used to permit any packets returning to machines from already established connections. With the established keyword, a match occurs if the TCP datagram has the acknowledgment (ACK) or reset (RST) bit set:
access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
If any firewall routers share a common network with an outside provider, you might want to allow access from those hosts to your network. In this case study, the outside provider has a serial port that uses the firewall router Class B address (18.104.22.168) as a source address so your access-list statement to permit them access would be as follows:
access-list 101 permit ip 22.214.171.124 0.0.0.0 0.0.0.0 255.255.255.255
The following example illustrates how to deny traffic from a user attempting to spoof any of your internal addresses from the outside world:
access-list 101 deny ip 126.96.36.199 0.0.255.255 0.0.0.0 255.255.255.255
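The following is an added example, not part of the original case study or of Cisco's software: a small Python model of how an IOS extended access list evaluates a packet, using the three access-list 101 statements above. It implements the points the text relies on, namely wildcard masks (a 0 bit must match, a 1 bit is "don't care"), first-match-wins ordering, the implicit deny at the end of every list, and the established keyword matching only TCP segments with ACK or RST set. The packet samples are constructed for the example; the addresses are the ones on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp" or "udp"
    src: str           # source address
    src_wild: str      # source wildcard mask
    dst: str           # destination address
    dst_wild: str      # destination wildcard mask
    established: bool  # tcp-only: match only ACK or RST segments


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    tcp_ack: bool = False
    tcp_rst: bool = False


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N {permit|deny} PROTO SRC SWILD DST DWILD [established]'."""
    toks = line.split()
    if len(toks) < 8 or toks[0] != "access-list":
        raise ValueError(f"unsupported access-list line: {line!r}")
    action, proto = toks[2], toks[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    established = "established" in toks[8:]
    if established and proto != "tcp":
        raise ValueError("'established' is only valid for tcp entries")
    return AclEntry(action, proto, toks[4], toks[5], toks[6], toks[7], established)


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """True if addr equals base in every bit position where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return ((a ^ b) & ~w) == 0


def entry_matches(e: AclEntry, p: Packet) -> bool:
    """Check one entry against one packet; 'ip' matches any IP protocol."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wild):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wild):
        return False
    if e.established:
        # Only the reply direction of an existing TCP connection has ACK or RST set.
        return p.proto == "tcp" and (p.tcp_ack or p.tcp_rst)
    return True


def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# The three statements from the case study, in the order the text gives them.
ACL_101 = [parse_acl_line(l) for l in [
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established",
    "access-list 101 permit ip 22.214.171.124 0.0.0.0 0.0.0.0 255.255.255.255",
    "access-list 101 deny ip 126.96.36.199 0.0.255.255 0.0.0.0 255.255.255.255",
]]

# Constructed sample packets (addresses other than the page's are documentation ranges).
SAMPLES = {
    "reply to an existing connection": Packet("tcp", "203.0.113.5", "126.96.1.10", tcp_ack=True),
    "new inbound TCP connection":      Packet("tcp", "203.0.113.5", "126.96.1.10"),
    "anything from the provider":      Packet("udp", "22.214.171.124", "126.96.1.10"),
    "spoofed internal source, SYN":    Packet("tcp", "126.96.200.7", "126.96.1.10"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:32s} -> {evaluate(ACL_101, pkt)}")
```

Because evaluation stops at the first match, the order of the entries decides the outcome: with the established permit listed first, a segment that carries a spoofed internal source address but also has the ACK bit set is accepted by the first entry before the anti-spoofing deny is ever consulted. A deny that is meant to override other entries therefore has to appear above them in the list.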