Commercial Firewalls




We’d like to bring a few important commercial firewalls to your attention. Although some commercial firewall products can be purchased as software alone, most commercial firewall products can be purchased bundled with a hardware appliance.

Linksys SOHO Firewall Units

Linksys (http://www.linksys.com/) offers a number of cable/DSL routers and wireless routers, such as the BEFSR41 and the BEFW11S4. The appliance is placed between your ISP and any machines you want to connect to the Internet. These appliances contain NAT, port forwarding, and minimal filtering software that can be used to protect and hide your home or small office network. Additionally, the use of NAT and the reserved private IP range allows multiple machines to share one Internet connection using just a single public IP address from your ISP.

Implementation

By accessing the appliance’s web server, you can configure minimal outgoing filtering rules by IP address and TCP or UDP port, as shown in Figure 13-1. You can also set up port forwards from the Linksys appliance to internal machines, as shown in Figure 13-2.

Figure 13-1: Setting up outgoing filters

Figure 13-2: Setting up port forwards

SonicWALL

SonicWALL (http://www.sonicwall.com/) offers a number of firewall and VPN appliances, from high-end units like the PRO series to smaller SOHO appliances comparable to Linksys’s line of products. SonicWALL appliances come with a little more of a price tag, but they do provide more bang for the buck.

Implementation

As with the Linksys appliances, all of the SonicWALL configuration can be done using a web interface. In addition to basic firewall functionality, SonicWALL appliances can provide protection against advanced attacks (such as SYN floods and smurf attacks), content filtering (such as black-listing adult web sites), transparent proxying for web servers, advanced NAT capabilities, and software/hardware VPN connectivity. You can view an online demo of SonicWALL’s web management interface at http://www.sonicwall.com/products/demo/index.html.

Figure 13-3 shows how a sample packet filter list looks in the SonicWALL web interface. You’ll see that the firewall allows incoming web traffic to 192.168.168.168 and incoming syslog traffic to 192.168.168.8. The fifth rule (Key Exchange) is necessary to allow the SonicWALL to communicate with other SonicWALL VPN devices when establishing connectivity. Rules 6 and 7 allow all traffic to pass to and from the DMZ network, while rules 8 and 9 lay out a default deny policy for incoming traffic and allow outgoing traffic. These rules are a lot less cryptic than those we’ve been looking at in the freeware products. SonicWALL comes configured with a number of predefined services (combinations of protocols and ports), but you can define your own services by clicking on the Add Service tab.

Figure 13-3: SonicWALL Access List

SonicWALL appliances allow you to do some fancy stuff with NAT and your DMZs. Using the One-to-One NAT feature shown in Figure 13-4, you can map available public IP addresses in your block to private machines on your network. In Figure 13-3, you saw that we were passing web traffic to 192.168.168.168, but if the SonicWALL is using NAT, we need to forward port 80 on the firewall to 192.168.168.168. SonicWALL’s solution is One-to-One NAT, which combines ARP spoofing with DNAT (destination NAT, explained earlier in the chapter) to provide an advanced form of port forwarding.

In Figure 13-4, we’ve specified that 192.168.168.168 should be mapped to an available public IP address in our block, 209.190.216.175. That address must be on the same subnet as the SonicWALL’s public (WAN) IP address. Any time outgoing traffic leaves 192.168.168.168 destined for the Internet, the SonicWALL performs SNAT (source NAT), replacing the private address 192.168.168.168 with the specified public address 209.190.216.175. Whenever return traffic comes in for 209.190.216.175, the SonicWALL answers any ARP requests for that IP address (even though it’s not the firewall’s real IP address), performs DNAT (replacing the destination 209.190.216.175 with 192.168.168.168), checks the packet against its firewall rules for 192.168.168.168, and sends it on its way. This is an advanced kind of port forwarding: it effectively makes a “hidden” private server on your LAN somewhat public, but still with the protection of the firewall rules.

The SonicWALL uses the same ARP spoofing technique on its DMZ port. You can configure your DMZ servers with available IP addresses on the same public subnet as your SonicWALL’s public interface. Whereas some firewalls require that your DMZ use IP addresses from a separate public subnet (since the DMZ is a physically separate network), the SonicWALL’s public interface can answer ARP requests for servers on its DMZ port and then forward the traffic to the proper DMZ server. This lets you provide security for your internal and DMZ servers without purchasing multiple public IP blocks from your ISP. It may be a preferable alternative to the One-to-One NAT option, because it keeps your DMZ and internal machines from residing on the same physical network.
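The One-to-One NAT flow described above (SNAT on the way out, a proxy ARP answer plus DNAT on the way in, then the rule check against the private address) as an added Python model; this is not SonicWALL code or code from the book. The addresses are the ones in the chapter’s figures; the WAN address, the rule table, and the packets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Addresses below are the ones used in the chapter's figures; the WAN address,
# the rule table and the packets are constructed for this example.
PRIVATE_TO_PUBLIC = {"192.168.168.168": "209.190.216.175"}  # One-to-One NAT map
PUBLIC_TO_PRIVATE = {pub: priv for priv, pub in PRIVATE_TO_PUBLIC.items()}
WAN_IP, WAN_NETMASK = "209.190.216.1", "255.255.255.0"      # assumed WAN address

# Constructed access rules: (private host, protocol, port) allowed inbound.
INBOUND_RULES = {("192.168.168.168", "tcp", 80)}


def mapping_is_valid(public_ip, wan_ip=WAN_IP, netmask=WAN_NETMASK):
    """The mapped public address must sit in the same subnet as the WAN interface."""
    wan_net = ip_network(f"{wan_ip}/{netmask}", strict=False)
    return ip_address(public_ip) in wan_net


def answers_arp(target_ip):
    """The firewall answers ARP for every mapped public address, not only its own."""
    return target_ip == WAN_IP or target_ip in PUBLIC_TO_PRIVATE


def egress(pkt):
    """SNAT on the way out: replace the private source with its public address."""
    public = PRIVATE_TO_PUBLIC.get(pkt["src"])
    return {**pkt, "src": public} if public else pkt


def ingress(pkt):
    """DNAT on the way in, then the rule check against the private address.
    Returns the translated packet, or None when the firewall drops it."""
    private = PUBLIC_TO_PRIVATE.get(pkt["dst"])
    if private is None:
        return None                      # nothing is mapped to this address
    if (private, pkt["proto"], pkt["dport"]) not in INBOUND_RULES:
        return None                      # default deny for the hidden server
    return {**pkt, "dst": private}
```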

Figure 13-4: SonicWALL One-to-One NAT

Some of the SonicWALL appliances come equipped with IPSEC VPN capabilities. This allows the SonicWALL appliances to be compatible with other devices and software clients that use IPSEC. The SonicWALLs can also provide failover capabilities using their high availability configuration.

Cisco PIX

Cisco PIX firewalls are a popular commercial firewall for large installations. The PIX firewall software comes installed on hardware appliances of various sizes, from the small PIX 501 intended for SOHO use to the much larger PIX 535 for enterprise networks. The Cisco PIX firewalls provide all the things we’ve talked about thus far: advanced NAT, VPN capabilities using IPSEC, and stateful packet inspection.

Implementation

PIX firewalls have normally been configured using command-line syntax, as is the case with many of their routing and switching products. Alternatively, PIX firewalls can be configured using the PIX Device Manager (PDM), which is a web-based interface that can be accessed from the internal side of the firewall. The web-based configuration is much like the SonicWALL interface, but the command-line syntax can be tricky if you’ve never used a Cisco product before.

Cisco devices are normally accessed on their console port via a serial cable and a terminal emulator (such as HyperTerminal) or by telnet. They have two different passwords: a “telnet” password and an “enable” password. The default passwords are empty, so one of the first things you’ll want to do is change them.

To configure the PIX, you’ll first need to type configure terminal (or simply conf t) at the command line. This allows you to make configuration changes, such as assigning IP addresses, defining firewall rules, and changing the system passwords. Here we’re changing our telnet and enable passwords:

pixfirewall# conf t
pixfirewall(config)# enable password secure123
pixfirewall(config)# passwd secure123

The first password command changes the “enable” password while the second password changes the “telnet” password. (We suggest you use something more secure than secure123.)

Configuring the IP addresses and default gateway on your system is rather simple and straightforward.

pixfirewall(config)# ip address outside 209.190.216.175 255.255.255.0
pixfirewall(config)# ip address inside 192.168.1.1 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 209.190.216.254

Here we’ve configured the internal address as 192.168.1.1/24, the external address as 209.190.216.175/24, and a default gateway of 209.190.216.254. The terms outside and inside refer to the external and internal interfaces, respectively.

Cisco has a concept of “security levels” for each of its interfaces. An external interface is given the lowest security level (because the hosts on the other side are the least trusted), and the internal interface is given the highest security level (for the opposite reason). At first, this may be counterintuitive. You’d think you’d want a higher security level on the external interface—but the way Cisco uses these security levels makes it all make sense. Traffic is allowed to pass from an interface with a high security level to a low security level without passing through an access list. So the security level refers to the level of trust granted to the machines on that interface.

To allow outgoing traffic (from inside to outside), you need to configure NAT. Because the PIX can perform several NAT operations depending on the source of the packet, you have to define each NAT command with a NAT ID. The following NAT command would allow us to perform NAT on our internal 192.168.1.0 machines:

pixfirewall(config)# nat (inside) 1 192.168.1.0 255.255.255.0

The 1 after the interface name is the NAT ID. In addition to specifying that we want NAT performed on these addresses on this interface, we have to use the global command to specify a pool of public source addresses to use.

pixfirewall(config)# global (outside) 1 209.190.216.165-209.190.216.170

We use the NAT ID 1 to relate the global command to our prior nat command. Here we’ve specified five available public IP addresses that private machines could use. If we just wanted to do traditional NAT, we could do this:

pixfirewall(config)# global (outside) 1 interface

If we didn’t care about NAT at all, we’d use a NAT ID of 0 and leave out the global command altogether:

pixfirewall(config)# nat (inside) 0 192.168.1.0 255.255.255.0

Tip 

Even if you’re not using NAT, you still need to set up a nat command with a NAT ID of 0 to specify that traffic can be passed, but no NAT should be performed.

To create packet filtering rules, you can use the access-list command to add rules to a named access list. Once the access list has been created, you can "install" it on an interface using the access-group command. The following commands install an access list on the external interface that passes all traffic and an access list on the internal interface that passes only incoming web and SSH:

pixfirewall(config)# access-list outgoing permit ip any any
pixfirewall(config)# access-list incoming permit tcp any host 209.190.216.175 eq 80
pixfirewall(config)# access-list incoming permit tcp any host 209.190.216.175 eq 22
pixfirewall(config)# access-group outgoing in interface outside
pixfirewall(config)# access-group incoming in interface inside

All other traffic will be denied by the firewall. Cisco’s default policy is to deny traffic that is not explicitly permitted.
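To make the access-list behaviour concrete (first match wins, implicit deny at the end of every list, and traffic passing from a higher to a lower security level when no list is applied), here is an added Python evaluator; it is not Cisco code or code from the book. The access-list entries are the ones from this section; the interface security levels are the PIX defaults (inside 100, outside 0), and the packets are constructed.

```python
# Added example, not Cisco code: a toy evaluator for the access-list entries
# shown in this section. Interface security levels are the PIX defaults
# (inside 100, outside 0); the packets in the tests are constructed.
PIX_CONFIG = """
access-list outgoing permit ip any any
access-list incoming permit tcp any host 209.190.216.175 eq 80
access-list incoming permit tcp any host 209.190.216.175 eq 22
"""
SECURITY_LEVEL = {"outside": 0, "inside": 100}

def _endpoint(tokens, i):
    """Parse 'any' or 'host A.B.C.D' and return (address, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")

def parse_access_lists(config):
    """Return {name: [(action, proto, src, dst, dport), ...]} in entry order."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _endpoint(t, 4)
        dst, i = _endpoint(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls

def evaluate(acl, pkt):
    """First matching entry wins; every access list ends in an implicit deny."""
    for action, proto, src, dst, dport in acl:
        if (proto in ("ip", pkt["proto"])
                and src in ("any", pkt["src"])
                and dst in ("any", pkt["dst"])
                and (dport is None or dport == pkt.get("dport"))):
            return action
    return "deny"

def passes_without_acl(in_iface, out_iface):
    """With no access list applied, traffic flows only from a higher
    (more trusted) security level to a lower one."""
    return SECURITY_LEVEL[in_iface] > SECURITY_LEVEL[out_iface]
```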

If you’re using NAT and you want to pass external traffic to an internal, private machine, you’ll also need to set up a port forward. The following command can be used to forward traffic from your external IP 209.190.216.175 to an internal machine (say 192.168.1.50):

pixfirewall(config)# static (inside,outside) 209.190.216.175 192.168.1.50 netmask 255.255.255.255

You can use the static command to map any private addresses on the inside interface to any external addresses you put in the global pool using the global command.

When you’re finished setting up a Cisco PIX, you have to exit configuration mode and write the new configuration into memory:

pixfirewall(config)# exit
pixfirewall# write memory
Building configuration...
[OK]
pixfirewall#

As you can see, the Cisco PIX command syntax can be a bit overwhelming for the beginner, and we’ve just skimmed the surface. For more information on the Cisco PIX as well as the PIX Device Manager, visit Cisco’s web site at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/.

Still Others

Many other worthy commercial firewall products are available, such as Checkpoint’s Firewall-1 and NetScreen’s firewall solutions. As the underlying hardware architecture improves, vendors are putting more and more capabilities into their firewall appliances, creating “intrusion prevention systems” that go well beyond simple packet filtering to include VPN, intrusion detection, dynamic firewall rule creation, policy enforcement, and vulnerability assessment.

In addition to these robust firewall hardware solutions, you can use commercial software-based firewalls to protect your PC. Microsoft Windows XP, for example, comes with a built-in Internet Connection Firewall (ICF) that is integrated within the Advanced tab of your network card’s Local Area Connection Properties. Without any configuration, enabling ICF statefully blocks all inbound traffic to your PC that isn’t part of an established outbound connection. Also, Zone Labs (http://www.zonelabs.com/) offers a popular software firewall product called ZoneAlarm that provides similar functionality. You can even download a basic free version that provides protection similar to Microsoft’s ICF.

Although a wide range of firewall products are available, and each product has different capabilities and methods of being configured, the basic concepts surrounding firewall rules and packet filters are the same from one product to the next. Knowing these basic concepts can take away some of the mystery behind the term firewall and make the configuration of any firewall product a great deal easier.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189