Page 1: Chapter 14 Outline (458.0K)

Chapter 14, Securing an Extranet

|1| Chapter Overview

Identifying Common Firewall Strategies

Securing Internet-Accessible Resources in a DMZ

Securing Data Flow Through a DMZ

Chapter 14, Lesson 1

|2| Identifying Common Firewall Strategies

1. Identifying Firewall Features to Protect the Extranet

|3| A. Firewall overview

1. A firewall is a security system that acts as a barrier against attacks launched from a public network.

2. It can be a hardware device, a software application, or a combination of hardware and software.

3. In the simplest deployment, the firewall is placed between the private and public network.

|4| B. Firewall services

1. Network Address Translation (NAT)

a. Translation of the source address of all outbound packets from a private network address to a public network address

2. Packet filtering

a. Configuration of rules at a firewall that define which protocols can pass through the firewall

3. Static address mapping

a. Configuration of how incoming packets are rerouted to servers using private network addressing

4. Stateful inspection of network traffic

a. Verification that protocols follow basic rules of communications

b. Ensures that sessions are not hijacked by an attacker

5. Advanced features

a. Detect common attacks against the private network

b. Include setting time-outs for incomplete session establishment and inspecting the content of incoming packets

|5| C. Protecting private network addressing with NAT

1. NAT overview

a. Prevents exposure of the IP addressing scheme used on the private network

b. Protects against attack by replacing the source IP address in all outgoing packets with a common IP address

c. Replaces the source port to prevent duplicate port requests by outgoing packets


d. Tracks all managed connections so that response packets are returned to the correct computer on the private network

e. Microsoft Windows 2000 provides a native NAT service in Routing and Remote Access Service (RRAS).

|6| 2. Private network addressing

a. The private network commonly uses Request for Comments (RFC) 1918 addressing.

(1) Three ranges of IP addresses are reserved for private network addressing.

(a) 10.0.0.0–10.255.255.255 (10.0.0.0/8)

(b) 172.16.0.0–172.31.255.255 (172.16.0.0/12)

(c) 192.168.0.0–192.168.255.255 (192.168.0.0/16)

(2) These IP addresses are not used on the Internet and are not included in the Internet routing tables.

b. NAT replaces the private network addresses with an IP address assigned by the Internet Corporation for Assigned Names and Numbers (ICANN).

|7| D. Packet filters

1. Introduction

a. Establish firewall rules to define what data can enter and exit the private network.

b. Firewall rules are made up of individual packet filters that

(1) Prevent unauthorized protocols from entering the private network

(2) Profile a protocol to identify the transmitted data

|8| 2. Typical packet filter fields

a. Source address

(1) The individual IP address or network IP address from which the data originates

b. Source port

(1) The port from which the data is transmitted

(2) Every IP-based protocol originates from a port at the source host.

(3) The source port for a client computer connection is often a random port.

c. Destination address

(1) The individual IP address or network IP address to which the data is sent

d. Destination port

(1) The port that the server uses to listen for connections

(2) IP-based services and applications listen for connections on a predefined port.

e. Protocol

(1) Applications and services use a specific protocol ID or a transport layer protocol for transporting application data.

Outline, Chapter 14: Designing Microsoft Windows 2000 Network Security

(2) If the application or service uses a transport layer protocol, it is either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

f. Action

(1) Defines what action to take if the other fields are matched and the data transmission is identified

(2) Includes the Allow and Deny options

(3) Many firewalls also allow logging to identify any attempts to use the protocol.

|9| 3. Port numbers

a. To determine what ports are used by specific services and applications, view the Services text file in the systemroot\system32\drivers\etc folder.

|10| 4. Mirroring packet filters

a. Allows response packets to return to the source client computer

b. Switches the source and destination information to allow the response packets to cross the firewall

|11| 5. Firewall strategies

a. Choose one of the following typical firewall strategies based on the organization’s risk level:

(1) Specify allowed protocols and prohibit everything else

(2) Specify prohibited protocols and allow everything else

b. Higher security networks specify the allowed protocols and prohibit everything else, permitting only authorized protocols to pass through the firewall.
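As an added illustration (not from the book), the filter fields of section D, the mirrored filters of D.4 and the two strategies of D.5 modelled in Python. The MFWEB private address is the one the chapter gives for Market Florist; the rule set and the client addresses are constructed.

```python
# Added example (not from the book): a model of the packet filter fields in
# section D, mirrored filters (D.4) and the two firewall strategies in D.5.
# The MFWEB address is the one the outline gives; the client addresses and
# rule set are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Filter:
    src: Optional[str]    # CIDR network, or ANY
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    proto: Optional[str]
    action: str           # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        def in_net(net: Optional[str], addr: str) -> bool:
            return net is ANY or ip_address(addr) in ip_network(net, strict=False)

        return (in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and self.sport in (ANY, p.sport)
                and self.dport in (ANY, p.dport)
                and self.proto in (ANY, p.proto))

    def mirrored(self) -> "Filter":
        # D.4: swap source and destination so the response packets can cross the firewall.
        return Filter(self.dst, self.dport, self.src, self.sport, self.proto, self.action)


def with_mirrors(filters: List[Filter]) -> List[Filter]:
    out: List[Filter] = []
    for f in filters:
        out.extend([f, f.mirrored()])
    return out


def evaluate(filters: List[Filter], p: Packet, default: str) -> str:
    """The first matching filter decides; a packet matching no filter gets the default."""
    for f in filters:
        if f.matches(p):
            return f.action
    return default


MFWEB = "192.168.77.2/32"  # private address of www.marketflorist.tld (section I.3)

# Strategy (1), used by higher-security networks (D.5.b): list what is allowed, deny the rest.
ALLOW_LIST = with_mirrors([
    Filter(ANY, ANY, MFWEB, 80, "tcp", "allow"),   # HTTP
    Filter(ANY, ANY, MFWEB, 443, "tcp", "allow"),  # HTTPS
])

# Strategy (2): list what is prohibited, allow the rest.
DENY_LIST = with_mirrors([
    Filter(ANY, ANY, MFWEB, 23, "tcp", "deny"),    # Telnet
])


def decide(p: Packet, strategy: str) -> str:
    """strategy is "allow-list" or "deny-list"."""
    if strategy == "allow-list":
        return evaluate(ALLOW_LIST, p, default="deny")
    return evaluate(DENY_LIST, p, default="allow")


if __name__ == "__main__":
    request = Packet("203.0.113.5", 40000, "192.168.77.2", 80, "tcp")
    response = Packet("192.168.77.2", 80, "203.0.113.5", 40000, "tcp")
    smtp = Packet("203.0.113.5", 40001, "192.168.77.2", 25, "tcp")
    for pkt in (request, response, smtp):
        print(pkt, "allow-list:", decide(pkt, "allow-list"), "deny-list:", decide(pkt, "deny-list"))
```

Note that the mirrored filter admits any packet that merely claims source port 80 on the server, whether or not a client ever asked for it; that is the gap the stateful inspection of section F closes.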

|12| E. Static address mapping

1. Redirects incoming traffic to Internet-accessible resources hidden behind the firewall

2. Translates the destination address to the true IP address of the resource behind the firewall and redirects the data to the resource

3. Conceals the true IP address of Internet-accessible resources from potential attackers

4. Combined with packet filtering rules, allows the administrator to define authorized protocols and redirect the protocols to servers located in a DMZ

|13| F. Stateful inspection

1. Simple packet filters might not provide enough security.

2. Packet filters define which ports are left open at the firewall to redirect network traffic to Internet-accessible resources.

3. Many protocols use random ports above port 1024 at the client computer side.

a. Opening all ports above 1024 can leave both the firewall and the private network resources susceptible to attack.

4. Allows the firewall to inspect and open the ports used for an initial connection, and then close them when the connection is terminated


5. If any suspect ports are requested, the firewall can recognize the attack and drop the connection.

6. Allows firewall rules to be established so that UDP-based protocols (such as SNMP) can pass through successfully

|14| G. Advanced techniques

1. Configuring time-out tolerance

a. Allows the firewall to disconnect sessions before the synchronize (SYN) queue overflows

b. Impedes SYN flood attacks, which attempt to lock up the firewall and prevent further connections by flooding it with incomplete TCP sessions

2. Content scanning

a. Allows the firewall to inspect the commands transmitted within a session

b. Can also scan all incoming content for known virus signatures

|15| H. Making the decision: designing firewall features

1. Use NAT to

a. Prevent the private network addressing scheme from being revealed

b. Hide the true IP address of private network resources when accessing Internet-based resources

2. Use packet filters to

a. Manage what protocols are allowed to cross between the private network and the public network

b. Define the action to take if a protocol is identified when crossing the firewall

c. Define a default action to take if a protocol does not meet any of the defined packet filters

3. Use static address mapping to

a. Advertise Internet-accessible resources that have private network addresses using public network addressing

b. Hide the true IP address of Internet-accessible resources

4. Use stateful inspection to

a. Protect UDP-based protocols that must enter the private network

b. Detect session hijacking attempts

c. Detect application-level attacks that attempt to bypass the packet filters established for a protocol

5. Use time-out tolerances to

a. Prevent SYN flood attacks by closing sessions that have timed out

b. Free up connections for new connection attempts if the connection is left idle

6. Use content scanning to

a. Prevent specific application commands from being issued within a protocol

b. Detect viruses within incoming packets

|16| I. Applying the decision: designing the Market Florists firewall


1. NAT

a. The private network client computers require access to the Internet.

b. All outgoing IP addresses will be replaced with the NAT common address (client.marketflorist.tld IP address: 131.107.88.2).

2. Packet filters

a. Packet filtering must be defined to allow only the authorized protocols to connect to each network resource.

b. The following protocols are allowed to enter the extranet for each Market Florist server:

(1) MFDNS server

(a) DNS: Public network users require access to the Domain Name System (DNS) server to resolve host names in the marketflorist.tld domain to IP addresses.

(b) Terminal Services: All administrators must be able to remotely manage the MFDNS server.

(2) MFWEB server

(a) Hypertext Transfer Protocol (HTTP): All Web pages require HTTP access.

(b) HTTPS: Customers requesting a customer number require encryption of credit card and personal information.

(c) Flower Power application: Listens for connections on a dedicated port

(d) Terminal Services: All administrators must be able to remotely manage the MFWEB server.

(i) The firewall should be configured to allow Terminal Services connections to each component server or node in the Network Load Balancing Service (NLBS) cluster.

(e) The MFWEB server also requires access to the MFSQL server on the private network.

(3) MFFTP server

(a) FTP: The MFFTP server allows File Transfer Protocol (FTP) clients to enter FTP commands to access FTP data.

(b) FTP-DATA: FTP client software opens an FTP-DATA session when transferring data from the FTP server.

(c) Telnet: John and Pat require Telnet access to manipulate the files available on the FTP server.

(d) Terminal Services: All administrators must be able to remotely manage the MFFTP server.

(4) MFMAIL server

(a) Post Office Protocol version 3 (POP3): Remote Sales users must connect to the mail server using POP3 to retrieve their mail.

(b) SMTP: Remote Sales users connect to the MFMAIL server to send e-mail, and customers connect to the MFMAIL server to deliver mail to Market Florist e-mail users.

(c) Terminal Services: All administrators must be able to remotely manage the MFMAIL server.

(5) MFTUNNEL server

(a) Point-to-Point Tunneling Protocol (PPTP): Employees require PPTP to connect to private network resources from the Internet.

(i) Layer Two Tunneling Protocol/IP Security (L2TP/IPSec) cannot be supported because the MFTUNNEL server is located behind a firewall that performs NAT.

(b) Terminal Services: All administrators must be able to remotely manage the MFTUNNEL server.

|17| 3. Static address mapping

a. To make the extranet servers accessible to customers, configure static address mapping for each server.

(1) www.marketflorist.tld

(a) External IP address: 131.107.88.254

(b) Private network IP address: 192.168.77.2

(2) ftp.marketflorist.tld

(a) External IP address: 131.107.88.253

(b) Private network IP address: 192.168.77.7

(3) mail.marketflorist.tld

(a) External IP address: 131.107.88.252

(b) Private network IP address: 192.168.77.8

(4) vpn.marketflorist.tld

(a) External IP address: 131.107.88.251

(b) Private network IP address: 192.168.77.9
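An added example, not code from the book: NAT (section C) and static address mapping (section E) applied to the Market Florist addresses listed above. The common NAT address and the public/private pairs are the chapter's values; the client hosts, ports and remote servers are constructed.

```python
# Added example (not from the book): a small model of the NAT behaviour in
# section C and the static address mapping in section E, using the addresses
# the outline assigns to Market Florist (I.1 and I.3).  Client hosts, ports
# and remote servers are constructed values.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)

NAT_COMMON_ADDRESS = "131.107.88.2"   # client.marketflorist.tld (I.1.b)
STATIC_MAP = {                        # public address -> private address (I.3)
    "131.107.88.254": "192.168.77.2",   # www.marketflorist.tld
    "131.107.88.253": "192.168.77.7",   # ftp.marketflorist.tld
    "131.107.88.252": "192.168.77.8",   # mail.marketflorist.tld
    "131.107.88.251": "192.168.77.9",   # vpn.marketflorist.tld
}


class NatFirewall:
    def __init__(self, public_ip: str, static_map: Dict[str, str], first_port: int = 1025):
        self.public_ip = public_ip
        self.static_map = dict(static_map)
        self.next_port = first_port
        # public source port -> (private client, remote server): the tracked connections of C.1.d
        self.table: Dict[int, Tuple[Endpoint, Endpoint]] = {}

    def outbound(self, flow: Flow) -> Flow:
        """C.1.b and C.1.c: replace the private source with the common public
        address and a source port that is unique at the firewall."""
        src, sport, dst, dport = flow
        for pub_port, (client, remote) in self.table.items():
            if client == (src, sport) and remote == (dst, dport):
                return (self.public_ip, pub_port, dst, dport)   # existing connection
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = ((src, sport), (dst, dport))
        return (self.public_ip, pub_port, dst, dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Packet from the public network. Returns the rewritten flow, or None to drop it.
        Packet filters (E.4) would still be applied to the rewritten flow."""
        src, sport, dst, dport = flow
        if dst == self.public_ip:
            entry = self.table.get(dport)
            if entry is None or entry[1] != (src, sport):
                return None          # no matching outbound connection: unsolicited, drop it
            client = entry[0]
            return (src, sport, client[0], client[1])
        if dst in self.static_map:
            # E.2: rewrite the destination to the true address of the server behind the firewall
            return (src, sport, self.static_map[dst], dport)
        return None                  # address not advertised by this firewall


if __name__ == "__main__":
    fw = NatFirewall(NAT_COMMON_ADDRESS, STATIC_MAP)
    print(fw.outbound(("192.168.77.50", 3000, "198.51.100.10", 80)))
    print(fw.inbound(("198.51.100.10", 80, "131.107.88.2", 1025)))
    print(fw.inbound(("203.0.113.7", 40000, "131.107.88.254", 80)))
```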

4. Stateful inspection

a. Flower Power uses UDP as its transport protocol.

b. UDP-based applications do not establish sessions.

c. Ensures that the Flower Power connections are not hijacked

d. Ensures that all response packets use the same IP addresses and UDP ports that were used by the initial request packets

|18| 5. Time-out tolerance

a. Time-outs disconnect sessions to protect the Web site and other extranet resources from a denial of service attack.

b. Prevents SYN flooding attacks against the network
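An added example (not from the book) that models the stateful inspection of section F and the time-out tolerance of section G as they apply to Flower Power (item 4) and SYN flooding (item 5) above. The Flower Power port, the time-out values and the client addresses are constructed assumptions.

```python
# Added example (not from the book): a session table for the stateful inspection in
# section F and the time-out tolerance in section G, as applied to Market Florist's
# UDP-based Flower Power application (I.4) and its SYN flood defence (I.5).
# The Flower Power port, the time-out values and all client addresses are constructed.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

FLOWER_POWER_PORT = 7000   # constructed: the outline only says "a dedicated port"
HALF_OPEN_TIMEOUT = 10.0   # seconds a TCP session may stay incomplete (SYN seen, no ACK)
IDLE_TIMEOUT = 60.0        # seconds an established TCP or UDP session may stay idle

# (proto, client ip, client port, server ip, server port)
SessionKey = Tuple[str, str, int, str, int]


@dataclass
class Session:
    established: bool
    last_seen: float


class StatefulInspector:
    """Opens a port only for the duration of a tracked connection (F.4)."""

    def __init__(self, server_ip: str, allowed: Set[Tuple[str, int]]):
        self.server_ip = server_ip
        self.allowed = allowed      # (proto, port) pairs the public network may connect to
        self.sessions: Dict[SessionKey, Session] = {}

    def from_public(self, proto: str, src: str, sport: int, dst: str, dport: int,
                    now: float, syn: bool = False, ack: bool = False) -> bool:
        """Packet arriving from the Internet. Returns True if it may pass."""
        if dst != self.server_ip or (proto, dport) not in self.allowed:
            return False            # suspect port requested: drop it (F.5)
        key = (proto, src, sport, dst, dport)
        session = self.sessions.get(key)
        if proto == "udp":
            # UDP has no handshake (I.4.b): the first request opens the session
            self.sessions[key] = Session(True, now)
            return True
        if session is None:
            if not syn:
                return False        # TCP data with no handshake is not a valid session
            self.sessions[key] = Session(False, now)   # half-open until the ACK arrives
            return True
        if ack:
            session.established = True
        session.last_seen = now
        return True

    def from_dmz(self, proto: str, src: str, sport: int, dst: str, dport: int,
                 now: float) -> bool:
        """Response leaving the DMZ: allowed only when it mirrors a tracked session,
        i.e. uses the same addresses and ports as the initial request (I.4.d)."""
        session = self.sessions.get((proto, dst, dport, src, sport))
        if session is None:
            return False
        session.last_seen = now
        return True

    def expire(self, now: float) -> int:
        """Time-out tolerance (G.1): drop incomplete sessions before the SYN queue can
        overflow, and idle ones so their slots are free for new connections."""
        dead = [key for key, s in self.sessions.items()
                if now - s.last_seen > (IDLE_TIMEOUT if s.established else HALF_OPEN_TIMEOUT)]
        for key in dead:
            del self.sessions[key]
        return len(dead)


if __name__ == "__main__":
    insp = StatefulInspector("192.168.77.2", {("tcp", 80), ("tcp", 443), ("udp", FLOWER_POWER_PORT)})
    print(insp.from_public("udp", "203.0.113.8", 5000, "192.168.77.2", FLOWER_POWER_PORT, now=0.0))
    print(insp.from_dmz("udp", "192.168.77.2", FLOWER_POWER_PORT, "203.0.113.8", 5001, now=1.0))
    print(insp.expire(now=70.0))
```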

6. Content scanning

a. To prevent uploads of data to the MFFTP server, the firewall should deploy content scanning and prevent all attempts to use the FTP PUT command.

b. Provides greater protection by scanning the FTP transmissions for disallowed commands

|19| 2. Comparing DMZ Configurations

A. Introduction

1. It is inadvisable to host Internet-accessible resources within the private network.

2. Place all Internet-accessible resources in a network segment (called a DMZ) between the private network and the public network.

3. Other terms for DMZ

a. Screened subnet

(1) Refers to the function of a DMZ in network security

(2) All network traffic that attempts to enter or exit the DMZ is screened by packet filters to determine whether they are allowed.

b. Perimeter network

(1) Refers to the DMZ’s location

(2) Typically exists between the private network and the public network on the perimeter of the private network

4. There are three types of DMZ designs: three-pronged firewall, mid-ground, and hybrid (or multizone).

5. A DMZ is

a. Part of the public network because resources that are accessible to the public network are placed in the DMZ

b. Part of the private network because packet filters enforce the protocols that can be used to connect to each server located in the DMZ

|20| B. Designing a three-pronged firewall DMZ

1. Definitions

a. A three-pronged firewall DMZ consists of a firewall with three network interfaces.

2. Packet filters

a. Are enforced by the firewall to restrict the traffic allowed between the zones

b. Place all Internet-accessible resources in the DMZ, which ensures that data connections originating from the public network can establish connections only to resources in the DMZ.

c. Internet-accessible resources are not allowed to establish connections to any resources on the private network.

3. Deployment

a. Ensure that the firewall solution supports three network interfaces.

b. Assign each interface to a zone.

c. Establish packet filters that define the interaction allowed between the zones.

4. Considerations

a. Consider whether IPSec will be used from the public network to the DMZ.

b. Because IPSec cannot pass through a NAT service, use public network addressing in the DMZ whenever IPSec connections are required from the public network.


c. A three-pronged DMZ can result in a single point of failure.

|21| C. Mid-ground DMZ

1. Established by using two firewalls

a. Place the first firewall between the public network and the DMZ.

b. Place the second firewall between the DMZ and the private network.

2. Considerations

a. Provides additional protection to the private network

(1) An attacker must breach two firewalls to gain access to the private network.

(2) Different methods may be required to breach the two firewalls.

b. The IP addressing can be either private or public network addressing.

(1) Use private network addressing unless there is a requirement to establish IPSec connections through the external firewall.

|22| D. Hybrid DMZ

1. Is a network where more than one zone exists between the private and public networks

2. Example of a hybrid DMZ with a single firewall

a. Create two DMZs to support the need for IPSec connections and to protect the private network addressing configuration for all other Internet-accessible resources.

(1) One contains the remote access server that accepts IPSec connections and uses public network addressing.

(2) The second uses private network addressing and contains all other Internet-accessible resources.

b. The firewall prevents static address mapping for all incoming traffic to the network segment.

c. NAT is performed on all outgoing traffic originating in the zone using private network addressing.

|23| 3. Example of a hybrid DMZ with multiple firewalls

a. The outermost DMZ uses public network addressing to allow IPSec connections to the remote access server.

b. The innermost DMZ uses private network addressing to protect the remaining Internet-accessible resources.

c. Is more difficult to configure

d. Offers the most flexibility

e. Allows a security administrator to group Internet-accessible resources based on the confidentiality of the data

(1) The administrator can configure each firewall with packet filters to define what traffic can enter and exit each DMZ.

|24| E. Making the decision: choosing among DMZ strategies

1. Use the three-pronged firewall DMZ to

a. Reduce the costs associated with deploying firewalls

(1) Only a single firewall is required for this design.


b. Maintain a single packet filter list

(1) The packet filter rules determine which interface a packet filter is applied to.

2. Use the mid-ground DMZ to

a. Provide physical separation of the private network from the public network

(1) An attacker must breach two firewalls to access the private network.

b. Reduce the chance that breaching the external firewall will allow access to the private network

(1) Use two different manufacturers for the internal and external firewalls.

3. Use the hybrid DMZ to

a. Provide both private network and public network addressing to DMZ segments

b. Categorize Internet-accessible resources into different levels of access that can be protected by firewall strategies

|25| F. Applying the decision: developing a DMZ strategy for Market Florist

1. A three-pronged firewall DMZ configuration is deployed due to budget constraints.

2. Locate each server in the NLBS cluster for the MFWEB server in the DMZ.

3. The NLBS listens on IP address 192.168.77.2 but redirects the requests to one of the four servers in the cluster.

4. The firewall is required to redirect only incoming HTTP or HTTPS packets to the NLBS cluster.

5. The NLBS cluster service determines which node receives the incoming packets.

Chapter 14, Lesson 2

|26| Securing Internet-Accessible Resources in a DMZ

|27| 1. Securing Internet Information Server (IIS)

A. Introduction

1. The content on a Web server is the most common network resource exposed to the Internet.

2. IIS 5.0, included with Microsoft Windows 2000 Server, allows an organization to host Web sites.

3. Additional configuration is required to fully secure an IIS server when it is exposed to the Internet.

|28| B. Preventing attacks against the Web servers

1. Change all default account names.

a. Attackers commonly attempt to connect to a Web server using the default account names included with Windows 2000.


b. Make sure the Administrator and Guest accounts are renamed, but do not choose names that are easy to guess.

2. Ensure that the Web server is not a member of the same forest as the private network.

a. If the Web server is compromised, the Active Directory directory service could become compromised.

b. Place the Web server as a standalone server or as a member of a separate forest to avoid compromising the organization's internal or private Active Directory.

|29| 3. Separate content into different folders by type.

a. Allows the administrator to apply security specific to each content type

b. Proposed structure to secure Web content

(1) Executables

(2) Scripts

(3) Include

(4) Static content

(5) Images

|30| 4. Secure available content by type.

a. Apply discretionary access control lists (DACLs) specific to the Web content type.

b. Use the following recommended DACL settings:

(1) Executables (.exe, .dll, .cmd, and .pl)

(a) Everyone (Execute)

(b) Administrators (Full Control)

(c) System (Full Control)

(2) Scripts (.asp)

(a) Everyone (Execute)

(b) Administrators (Full Control)

(c) System (Full Control)

(3) Include (.inc, .shtm, and .shtml)

(a) Everyone (Execute)

(b) Administrators (Full Control)

(c) System (Full Control)

(4) Images (.jpg, .gif)

(a) Everyone (Read)

(b) Administrators (Full Control)

(c) System (Full Control)

(5) Static (.htm, .html)

(a) Everyone (Read)

(b) Administrators (Full Control)

(c) System (Full Control)

|31| 5. Remove all sample applications from the Web server.


a. The sample application files included with IIS 5.0 are installed by default and could provide tools to an attacker.

b. Sample applications

(1) IIS Samples

(a) Folder: C:\Inetpub\Iissamples

(b) Virtual directory: \IISSamples

(2) IIS Documentation

(a) Folder: C:\Winnt\help\Iishelp

(b) Virtual directory: \IISHelp

(3) Data Access

(a) Folder: C:\Program Files\Common Files\System\Msadc

(b) Virtual directory: \MSADC

|32| 6. Disable unnecessary services.

a. If the Web server is dedicated to hosting Web applications, disable all unnecessary services.

b. If the service is not used to connect to the Web server, disable it to protect against attacks.

7. Block commonly attacked ports with IPSec.

a. A block policy drops all connection attempts to the port described by an IPSec filter.

b. Alternatively, assign a negotiate policy that allows computers from the private network that match the IPSec filter to connect to the IIS server.

(1) All other connection attempts will fail as if a block policy had been applied.

8. Enable IIS logging.

a. IIS logging helps determine whether the IIS server has been attacked.

b. Use the World Wide Web Consortium (W3C) Extended logging to choose exactly which properties are logged.

c. Consider storing the log results in an Open Database Connector (ODBC)-enabled database.

d. Performance considerations

(1) IIS logging is resource intensive.

(2) IIS logging can affect the IIS server performance.

(3) Enable IIS logging when testing the IIS server performance.

(4) Consider moving the IIS logs from the Windows 2000 boot partition where the operating system files are stored.

9. Implement Secure Sockets Layer (SSL) to protect secure areas of the Web server.

a. Protect confidential visitor information by using application-layer SSL protection.

b. SSL encrypts all data transferred between the customer on the public network and the Web server.

10. Deploy an intrusion detection system.


a. Intrusion detection systems look for hacking attempts aimed at the Web server.

b. The intrusion detection system should inform the administrator

(1) When the attack occurred

(2) What kind of attack was attempted

(3) Whether the attack was successful

11. Disable the use of parent paths.

a. Parent paths allow the use of ".." in function calls to view a parent folder.

b. Using parent paths could allow an attacker to access a normally inaccessible folder on the IIS server.

c. Disable parent paths in the properties of the Web site in the Internet Services Manager MMC console.
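An added illustration (not IIS code and not from the book) of what the parent paths setting changes: a MapPath-style resolver run with parent paths enabled and disabled, plus a root check that catches an escape even when they are enabled. The Web root, virtual directory and file names are constructed.

```python
# Added example (not from the book): how a MapPath-style resolution behaves with
# parent paths enabled versus disabled (item 11).  The Web root, virtual directory
# and file names are constructed; the functions are an illustration, not IIS code.
import posixpath
from typing import Optional

WEB_ROOT = "/inetpub/wwwroot"   # constructed; on an IIS host this would be C:\Inetpub\wwwroot


def map_path(web_root: str, current_vdir: str, relative: str,
             allow_parent_paths: bool) -> Optional[str]:
    """Resolve a path given relative to the current virtual directory.

    Returns the physical path, or None if the request is refused."""
    rel = relative.replace("\\", "/").lstrip("/")
    if not allow_parent_paths and ".." in rel.split("/"):
        return None   # parent paths disabled: any ".." segment is refused outright
    return posixpath.normpath(posixpath.join(web_root, current_vdir.strip("/"), rel))


def inside_root(web_root: str, physical: str) -> bool:
    """True if the resolved path is the Web root itself or lies below it."""
    root = web_root.rstrip("/")
    return physical == root or physical.startswith(root + "/")


def resolve(web_root: str, current_vdir: str, relative: str,
            allow_parent_paths: bool) -> Optional[str]:
    """map_path plus a root check, so that even with parent paths enabled a
    request cannot reach a folder above the Web root (item 11.b)."""
    physical = map_path(web_root, current_vdir, relative, allow_parent_paths)
    if physical is None or not inside_root(web_root, physical):
        return None
    return physical


if __name__ == "__main__":
    for rel in ("list.asp", "../include/header.inc", "../../private/config.txt"):
        print(rel, "->", map_path(WEB_ROOT, "/orders", rel, True),
              "| parent paths disabled:", map_path(WEB_ROOT, "/orders", rel, False))
```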

12. Apply the IIS 5.0 security checklist.

a. Microsoft has developed a security checklist for IIS 5.0 servers.

b. The checklist includes a high-security Web server security template (Hisecweb.inf) that can be applied to secure the Web server.

c. Obtain the checklist by searching www.microsoft.com for “Secure Internet Information Services 5 Checklist.”

13. Mitigate against successful attacks.

a. Host the Web site on multiple servers simultaneously by configuring the Web server to participate in an NLBS cluster.

b. When a public network user connects to the shared address of the NLBS cluster, the connection is directed to one of the nodes in the cluster.

c. If a server in the NLBS cluster is rendered inaccessible by attack, the NLBS cluster recognizes that the node is down and directs future traffic to the remaining servers in the cluster.

d. NLBS allows weighting of nodes, which allows the administrator to direct a higher percentage of the incoming traffic to the server with the most resources.

14. Maintain the latest service packs and hot fixes for the Web server.

a. Apply regular updates to the operating system to ensure that security fixes are applied to the Web server.

|33| C. Making the decision: securing a Web server

1. To track all access to the Web server

a. Implement auditing at the Web server

b. Ensure that the logs are stored in a format that facilitates log file inspection

2. To provide the strongest security to Web-accessible data

a. Separate the data by content type

b. Apply the most restrictive permissions that still allow functionality

3. To prevent an attacker from accessing unauthorized areas of the disk subsystem

a. Disable the use of parent paths in the Web site's property pages

4. To prevent port scans against commonly attacked ports

a. Apply an IPSec block policy to commonly attacked ports that should not be available on the Web server

(1) This prevents a port scanner from detecting the status of the port.

b. Remove all unnecessary services from the Web server to eliminate ports from inspection

5. To detect hacking attempts

a. Deploy intrusion detection software to detect hacking attempts

(1) Some normal traffic patterns might appear as hacking attempts.

6. To prevent a successful attack against the Web server from compromising other data stored on the network

a. Do not make the Web server a member of the private network forest

b. Do not store confidential documents on the disk subsystem of the Web server

7. To ensure that the latest security fixes are applied to the Web server

a. Ensure that the latest service packs and hot fixes are applied to the Web server

b. Periodically connect to the Windows Update Web site (windowsupdate.microsoft.com/)

8. To limit the effect of a successful hacking attempt

a. Configure the Web server to participate in an NLBS cluster

(1) If one node is brought down, all incoming traffic is redirected to the remaining servers in the cluster.

9. To apply the recommended security configuration for the Web server

a. Use the IIS 5.0 security checklist tool

|34| D. Applying the decision: configuring the Web server for Market Florist

1. Configure the Web server as an NLBS cluster.

a. All the component servers in the cluster use an identical hardware configuration.

b. Configure the NLBS cluster to load balance equally among the four nodes.

c. Apply any additional security configurations uniformly against all four servers.

|35| 2. Configuration for the four Web servers

a. Enable auditing on each Web server.

(1) The four Web servers can store their data on the SQL server located on the private network, which

(a) Facilitates searching for specific information in the log files

(b) Allows the log material to be consolidated into a single source location

b. Separate the content from the rest of the Web site.

(1) Break out the Web servers’ folder structure to separate the Flower Power application from the rest of the Web site.


(2) The Flower Power application requires custom security to allow customers to download the Flower Power client-side application.

c. Implement SSL on the Web server.

(1) This protects the customer registration portion of the Web site.

(2) Program the Flower Power ActiveX control to use SSL to encrypt customer orders and prevent interception of customer numbers.

d. Apply IPSec to restrict public network access to the Web server.

(1) Allow connections only to the ports that public network users can access.

(2) Block all other ports with IPSec by using a Negotiate IPSec policy.

(3) Negotiate IPSec allows connections from the private network while blocking connections from the external network.

|36| (4) Apply IPSec filters to the MFWeb1 server.

(5) Each server requires separate IPSec filters based on the cluster member’s local IP address.

e. Apply the IIS 5.0 security checklist recommendations to the IIS servers.

(1) The IIS 5.0 checklist enables recommended registry and file permission settings to secure the Web server configuration.

|37| 2. Securing Other Services Within the DMZ

A. Common resources

1. FTP services

a. Not loaded by default in a Windows 2000 installation

b. The C:\Inetpub\Ftproot folder allows the Everyone group Full Control by default.

c. Consider changing the permissions and enabling disk quotas to limit the amount of data that can be written to the FTP root.

2. Telnet services

a. Telnet provides text-based access to a server's disk subsystem.

b. If Telnet service is enabled, all users can access it by default.

c. Restrict access to Telnet servers by creating a TelnetClients group in the local Security Account Management (SAM) database or within Active Directory.

d. When the TelnetClients group exists, only members of the group can access the server.

e. To ensure that authentication credentials are not transmitted in plaintext, configure the Telnet service to accept only NT LAN Manager (NTLM) authentication.

f. Use IPSec to encrypt the data transmitted between the Telnet client and the Telnet server.

3. DNS services


a. Only externally accessible DNS resource records should be stored on a DNS server in the DMZ.

b. The external DNS server should expose only the externally registered IP addresses to public DNS clients.

c. Consider restricting zone transfers to preconfigured DNS servers to prevent an attacker from obtaining all zone information from the DNS server.

4. Terminal Services

a. Configure Terminal Services to operate in Remote Administration mode.

b. Remote Administration mode allows only members of the Administrators local group to connect using Terminal Services.

5. All services

a. All services listen for client connections on a well-known port.

b. Limit access to well-known ports by creating IPSec block policies that block access to other ports on the server.

c. Change the IPSec action to negotiate and define the encryption protocols to connect to other ports on the server.

d. Only members of the private network should be able to negotiate a security association (SA) with the Web server.

|38| 6. Protect transmitted data between computers in the DMZ.

a. Use IPSec to configure the security of transmitted data between the servers located in the DMZ.

b. IPSec prevents an attacker’s computer from intercepting data transmissions between the servers in the DMZ.

c. Configure an IPSec SA between two servers in the DMZ to apply Encapsulating Security Payloads (ESP) to all transmitted data.

|39| B. Making the decision: protecting Internet-accessible resources

1. To protect FTP services

a. Change NTFS permissions to match the allowed transactions

b. To prevent password interception, allow only anonymous connections.

2. To protect Telnet services

a. Create a local security group named TelnetClients to restrict Telnet access to authorized users

3. To protect DNS services

a. If using the same namespace internally and externally, ensure that the external DNS server does not contain private network IP addressing.

b. Restrict zone transfers at the external DNS server to only approved DNS servers to prevent an attacker from retrieving the entire zone data file.

4. To protect all services

a. If allowing only specific protocol connections, block all other protocols with an IPSec block action.

b. If private network access is required to the restricted ports on a server in the DMZ, change the IPSec action to negotiate so that private network client computers can establish an IPSec SA with the server in the DMZ.

5. To protect interaction between servers

a. Configure servers in the DMZ to use IPSec transport mode for data transmitted between the servers

(1) IPSec transport mode encrypts all data exchanged between the servers and prevents unauthorized connections.

(2) IPSec transport mode can pass through a firewall as long as NAT is not performed against the data.

|40| C. Applying the decision: protecting Internet-accessible resources at Market Florist

1. Implement FTP service.

a. Customers use FTP to download product brochures.

b. Modify permissions for the Ftproot folder to assign only Read permissions to the anonymous FTP account.

c. Permissions should allow John Coake and Pat Coleman to modify the Ftproot folder contents.

2. Implement DNS service.

a. Configure the external DNS server to allow zone transfers only to configured secondary DNS servers.

b. The external DNS server should only refer to the public network addresses of the available services.

c. The DMZ should not contain references to private network addresses.

3. Implement Telnet service.

a. Configure the MFFTP server with a local security group named TelnetClients.

b. Restrict Telnet access to John Coake and Pat Coleman.

4. Implement Terminal Services.

a. Install Terminal Services using Remote Administration mode on each server in the DMZ.

b. Install Terminal Services on each component server of the MFWEB NLBS cluster to allow administrators to connect to the individual component servers.

5. Implement interaction between servers.

a. Establish an IPSec SA between the MFWEB NLBS cluster servers and the MFSQL server on the private network to encrypt all data exchanged between the servers.

b. The IPSec agreement can take place because NAT is not performed between the DMZ and the private network.

Chapter 14, Lesson 3

|41| Securing Data Flow Through a DMZ

1. Determining a Firewall Strategy

|42| A. Specify allowed protocols and prohibit everything else

1. The packet filters identify all protocols that can pass through the firewall.

2. If the packet filter does not identify a packet, the packet is assumed to be disallowed and is dropped.

3. This strategy is typically used

a. At external firewalls to define which protocols are allowed to enter the DMZ and the private network

b. In high-security networks where only authorized protocols are allowed to enter the DMZ and the private network

|43| B. Specify prohibited protocols and allow everything else

1. The packet filters identify all protocols that must be dropped at the firewall.

2. If the packet filter does not identify a packet, the packet is allowed to pass through the firewall.

3. This strategy is typically used

a. At internal firewalls to block private network users from specific protocols

b. In lower security networks where only unauthorized protocols are blocked at the firewall

|44| C. Order of the packet filters

1. The order of processing depends on the specific firewall product.

2. Two common methods for processing packet filters

a. Process the packet filters in the order in which they are entered.

(1) The packet filters are processed from the top to the bottom of the packet filter list.

(2) Place the most important packet filters at the top of the list.

b. Process the most specific packet filters before the more general packet filters.

(1) A packet filter that restricts access to a specific server is processed before a packet filter that defines traffic between network segments.

|45| D. Making the decision: choosing firewall strategies

1. Use the “Specify allowed protocols and prohibit everything else” strategy when

a. The strategy defines exactly which protocols are allowed to enter the DMZ

b. Defining packet filters for an external firewall

2. Use the “Specify prohibited protocols and allow everything else” strategy when

a. Preventing specific protocols, such as Finger, from entering or exiting the network

b. Defining packet filters for an internal firewall

3. Use the “Specify allowed protocols and prohibit everything else” strategy, and then create packet filters that deny specific protocols to

a. Log attempts to use the prohibited protocols, since an event can only be logged if a packet filter is matched

|46| E. Applying the decision: choosing a firewall strategy for Market Florist

1. The “Specify allowed protocols and prohibit everything else” strategy best meets the security needs of the Market Florist network.

a. It allows Market Florist to define only authorized protocols that can enter the DMZ and the private network.

b. If a protocol is not included in the packet filter list, the protocol is assumed to be denied access to the DMZ or private network.

|47| 2. Securing DNS Resolution Traffic

A. Introduction

1. The DNS service is used as a locator service in a Windows 2000 network.

2. DNS is also used as the locator service for the Internet.

3. When designing security for the DNS service, define how DNS traffic moves through the private network and the DMZ to the Internet.

4. Separate the internal DNS service from the external DNS service.

a. This separates the internal DNS namespace from the external DNS namespace so that private network IP addressing schemes are not exposed to the Internet.

|48| B. Example of DNS traffic flow in a DMZ

1. The internal firewall is configured to allow only DNS packets from the internal DNS server to be sent to the external DNS server in the DMZ through a DNS forwarder.

2. This configuration limits internal DNS clients to connecting to the internal DNS server.

3. The internal firewall prevents the internal DNS clients from connecting to any other external DNS server.

|49| C. Internal firewall rules to restrict DNS usage

1. The first two packet filters allow the internal DNS server (10.20.30.40) to connect to the external DNS server (10.30.30.40) using either UDP-based or TCP-based DNS connections.

2. The last two packet filters deny all other clients on the 10.20.30.0/24 network from connecting to any DNS servers beyond the firewall using UDP-based or TCP-based DNS queries.

|50| D. External firewall rules to restrict DNS usage

1. The first two packet filters allow any computers on the Internet to connect to the external DNS server (10.30.30.40) using either TCP-based or UDP-based DNS requests.

2. The last two packet filters allow the external DNS server to forward DNS queries to any DNS server on the Internet.

|51| E. Making the decision: securing DNS resolution traffic

1. Establish packet filters at the external firewall to allow only TCP port 53 and UDP port 53 packets to reach the DNS server.

2. Establish packet filters at the internal firewall to allow only the internal DNS server to send TCP port 53 and UDP port 53 packets to the external DNS server.

3. Configure the internal DNS server to forward all irresolvable DNS queries to the external DNS server.

4. Configure the external DNS server to forward irresolvable DNS queries to the ISP’s DNS server.

a. This strategy focuses DNS resolution traffic on specific hosts and makes it easier to define packet filters.

|52| F. Applying the decision: securing DNS resolution traffic at Market Florist

1. Market Florist must configure the internal DNS server to forward irresolvable DNS requests to the external DNS server in the DMZ.

2. Since there is a single firewall, the firewall rules are included in a single packet filter list.

a. The first two packet filters allow the internal DNS server (10.10.10.3) to forward DNS queries to the external DNS server (192.168.77.254).

b. The third and fourth packet filters prevent any other internal network clients (10.10.10.0/24) from querying DNS servers beyond the internal firewall.

c. The fifth and sixth packet filters allow any DNS clients on the Internet to query the external DNS server.

d. The final two packet filters allow the external DNS server to forward DNS queries to the ISP's DNS server (131.107.199.56).

e. The rules that deny access to hosts on the 10.10.10.0/24 network prevent private network client computers from connecting to Internet-based DNS services and bypassing the internal DNS server.

(1) These rules force private network client computers to use the internal DNS server.

|53| 3. Securing Web Traffic

A. Introduction

1. A Web server is one of the most common network resources for Internet access.

2. A Web server listens for connections from external client computers.

a. TCP port 80 for HTTP connections

b. TCP port 443 for HTTPS connections

|54| B. Example of Web server placement in the DMZ

1. Configure access to the Web server in the DMZ at both the internal and external firewalls.

a. This allows only authorized protocols to connect.

2. At the external firewall, establish packet filters that limit connections to the Web server to the HTTP and HTTPS protocols.

|55| C. External packet filters for a Web server

1. The first packet filter allows Internet users to connect to the Web server (10.30.30.41) using HTTP, and the second packet filter allows Internet users to connect to the Web server using HTTPS.

2. Establishing packet filters at the internal firewall to restrict access to the Web server from the private network is optional.

3. Packet filters are required only if connections to the Web server must be limited to HTTP and HTTPS connections.

|56| D. Making the decision: securing Web traffic

1. Establish packet filters at the external firewall to allow only TCP port 80 and TCP port 443 packets to reach the Web server.

2. Implement SSL protection for Web pages that require external users to input sensitive data.

3. When authentication is required to a Web site, use either Windows Integrated Authentication or Basic Authentication with SSL encryption to protect credentials from interception.

|57| E. Applying the decision: securing Web traffic for Market Florist

1. Market Florist must ensure that the customer registration portion of the www.marketflorist.tld Web site is protected by SSL encryption to ensure credit card information is not intercepted.

2. Market Florist must establish packet filters to restrict external access to the Web server.

a. These two packet filters enable Internet users to connect to the Web server (192.168.77.2) using only HTTP and HTTPS.

b. The firewall rules have to be established only for the NLBS Web server cluster IP address.

(1) Once the packets reach the Web cluster, the NLBS service determines which node receives the packets.

|58| 4. Securing FTP Traffic

A. Overview

1. FTP allows data to be transferred to and from a central location.

2. FTP uses two separate channels for FTP sessions.

a. A control stream (a connection to TCP port 21) sends FTP commands from the FTP client software to the FTP server

b. A data stream (a connection to TCP port 20) transfers data

3. Active FTP clients require the FTP server to initiate the data transfer.

4. Establish packet filters that allow the FTP server to initiate FTP data sessions.

|59| B. Providing FTP access in a DMZ

1. Place the FTP server in a DMZ to restrict FTP connections from the Internet.

|60| C. FTP server packet filters

1. The first two packet filters allow any Internet users to connect to the FTP server (192.168.77.7) for FTP connections.

2. The last two packet filters enable the FTP server to establish connections to active FTP clients.

3. The last two packet filters allow data transfers initiated by the FTP server to pass through the external firewall.

4. The assumption is that active FTP clients exist on the network.

5. If the FTP clients are passive, remove the last two filters from the packet filter listing.

|61| D. Making the decision: securing FTP traffic

1. Establish packet filters at the external firewall to allow only TCP port 20 and TCP port 21 packets to reach the FTP server.

2. If active FTP clients exist, or if it is unknown if they exist, establish reverse packet filters that originate at the FTP server for TCP port 20 and TCP port 21.

3. To provide maximum password security, allow only anonymous access to the FTP server.

a. FTP uses plaintext authentication and is subject to password interception.

|62| E. Applying the decision: securing FTP traffic at Market Florist

1. Market Florist must allow external client computers to use only the FTP protocol to connect to the MFFTP server in the DMZ.

2. FTP server packet filters for Market Florist

a. The first two packet filters allow Internet users to connect to the MFFTP server (192.168.77.7) using FTP sessions.

b. The last two packet filters allow the MFFTP server to initiate data transfers with active clients.

|63| 3. Configure the FTP server to accept only anonymous connections.

a. Authenticated access is not required to download floral arrangement brochures.

b. John Coake and Pat Coleman will use Telnet from the private network to manage the data in the Ftproot folder.

c. To allow Telnet access from the private network, the internal firewall must either allow all access or restrict access to TCP port 23 on the MFFTP server.

|64| 5. Securing Mail Traffic

A. Overview

1. Secure mail servers against attacks by allowing only authorized protocols to connect to the mail server.

2. A mail server must support several protocols for e-mail access.

|65| B. Common protocols supported by mail servers

1. Post Office Protocol v3 (POP3)

a. Used by e-mail users to retrieve their messages from the mail server

b. Introduces a security risk because it uses plaintext authentication

2. Internet Message Access Protocol v4 (IMAPv4)

a. Used by newer e-mail client software to retrieve messages from the mail server

b. Provides access to all folders on the mail server, not just the Inbox

c. Uses plaintext authentication

3. Simple Mail Transfer Protocol (SMTP)

a. Used by e-mail client software to send messages to other e-mail recipients

b. Subject to spamming attacks where unsolicited messages are relayed using an unprotected e-mail server

c. SMTP relaying

(1) Prevent SMTP relaying on a server so that only e-mail messages destined to a mailbox hosted on the mail server can be received.

(2) Restrict SMTP relaying to authenticated users or to specific IP addresses or network IP addresses.

4. Lightweight Directory Access Protocol (LDAP)

a. Used by e-mail client software as a directory for the e-mail server

b. Allows users to find e-mail addresses on a mail server

c. Uses plaintext authentication by default

|66| C. Protect protocols using SSL

1. Implement SSL to protect POP3, IMAPv4, and LDAP.

2. These protocols use SSL encryption to protect user account and password verification during the authentication process.

|67| D. Mail server packet filters

1. The first two packet filters allow POP3 clients and POP3 clients using SSL to connect to the mail server (10.30.30.43).

2. The third and fourth packet filters allow IMAP4 clients and IMAP4 clients using SSL to connect to the mail server.

3. The fifth and sixth packet filters allow LDAP clients and LDAP clients using SSL to connect to the mail server.

4. The seventh packet filter allows the mail server to accept SMTP messages from the Internet.

5. The final packet filter allows the mail server to send SMTP messages to any SMTP servers on the Internet.

6. To support HTTP-based access, add additional packet filters to allow HTTPS to access the mail server.

|68| E. Making the decision: securing mail traffic

1. Determine which protocols will be allowed to access the mail server from the public network.

a. In many organizations, the only protocol allowed to connect to the mail server from the public network is SMTP.

b. The organization does not allow e-mail to be retrieved from the public network.

2. Establish packet filters at the external firewall to allow only the necessary ports to connect to the mail server.

a. POP3 (TCP port 110), POP3-ssl (TCP port 995)

b. IMAP4 (TCP port 143), IMAP4-ssl (TCP port 993)

c. LDAP (TCP port 389), LDAP-ssl (TCP port 636)

d. SMTP (TCP port 25)

3. Establish restrictions on SMTP to prevent the mail server from relaying unsolicited bulk e-mail.

4. Restrict the protocols that can connect to the mail server from the private network.

a. Restrict access to specific protocols.

(1) For example, allow only POP3 and SMTP protocol access.

b. Restrict access to specific servers.

(1) Use this strategy if the organization has multiple mail servers and the mail server in the DMZ only acts as a gateway to the other e-mail system.

c. Allow private network client computers to connect using any protocol, provided they are located on the private network.

|69| F. Applying the decision: securing mail traffic at Market Florist

1. Overview

a. Market Florist must restrict the protocols that can connect to the mail server in the DMZ.

b. Only POP3 and SMTP will be used to connect to the mail server from the public network.

|70| 2. Mail server packet filters

a. The first two packet filters allow e-mail clients to retrieve mail from the MFMAIL server by using POP3 or POP3-ssl clients.

b. The third packet filter allows the MFMAIL server to receive SMTP messages from the Internet.

c. The final packet filter allows the MFMAIL server to send SMTP messages to any mail server on the Internet.

|71| 3. Mail server configuration

a. Allow SMTP relaying only if the user authenticates with the MFMAIL server before the e-mail client attempts the SMTP relay action.

b. Do not restrict using network IP addresses, since the sales force will connect from unknown IP addresses.
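The relay restrictions in section 5B (relay only for authenticated users, or only for specific IP networks) and the choice Market Florist makes above can be written as a decision function. The code below is an added example, not course material; the RelayPolicy class, the hosted domain marketflorist.tld, and the sample client addresses 198.51.100.7 and 10.10.10.25 are assumptions.

```python
# SMTP relay decision for the outline's two relay restrictions (added example,
# not course code). Assumed: the server hosts only the domains listed, and the
# SMTP client has already been identified by IP and, optionally, by AUTH.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class RelayPolicy:
    local_domains: FrozenSet[str]           # domains whose mailboxes this server hosts
    allow_authenticated: bool = False       # relay for users who passed AUTH
    trusted_networks: Tuple[str, ...] = ()  # CIDRs allowed to relay without AUTH

    def rcpt_decision(self, client_ip: str, authenticated: bool, rcpt: str) -> str:
        """Return "accept" (local delivery), "relay" or "reject" for one RCPT TO."""
        local_part, at, domain = rcpt.rpartition("@")
        if not at or not local_part or not domain:
            return "reject"                 # malformed address, never relay it
        if domain.lower() in self.local_domains:
            return "accept"                 # hosted mailbox: delivery, not relaying
        if self.allow_authenticated and authenticated:
            return "relay"
        if any(ip_address(client_ip) in ip_network(n) for n in self.trusted_networks):
            return "relay"
        return "reject"                     # open relay closed

# Market Florist: relay only after authentication and no address-based trust,
# because the sales force connects from unknown IP addresses.
MARKET_FLORIST = RelayPolicy(frozenset({"marketflorist.tld"}), allow_authenticated=True)
# The alternative the outline mentions: trust the private network by address.
IP_RESTRICTED = RelayPolicy(frozenset({"marketflorist.tld"}), trusted_networks=("10.10.10.0/24",))

def smtp_session(policy: RelayPolicy, client_ip: str, authenticated: bool,
                 rcpts: List[str]) -> List[str]:
    """Reply codes for a sequence of RCPT TO commands within one session."""
    codes = {"accept": "250 OK", "relay": "250 OK", "reject": "550 5.7.1 Relaying denied"}
    return [codes[policy.rcpt_decision(client_ip, authenticated, r)] for r in rcpts]

def market_florist_decisions() -> dict:
    """Constructed cases: 198.51.100.7 is an Internet host, 10.10.10.25 an internal client."""
    p = MARKET_FLORIST
    return {
        "inbound_to_hosted_mailbox": p.rcpt_decision("198.51.100.7", False, "sales@marketflorist.tld"),
        "unauthenticated_relay_attempt": p.rcpt_decision("198.51.100.7", False, "someone@example.net"),
        "authenticated_sales_rep": p.rcpt_decision("198.51.100.7", True, "customer@example.net"),
        "internal_client_unauthenticated": p.rcpt_decision("10.10.10.25", False, "customer@example.net"),
        # Same two senders under the address-based policy: the internal client
        # may relay, but the travelling sales rep is refused even after AUTH.
        "ip_policy_internal_client": IP_RESTRICTED.rcpt_decision("10.10.10.25", False, "customer@example.net"),
        "ip_policy_sales_rep": IP_RESTRICTED.rcpt_decision("198.51.100.7", True, "customer@example.net"),
    }
```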

|72| 6. Securing Application Traffic

A. Overview

1. Servers in the DMZ are often required to store or access data from an application server in the private network.

2. Configure the internal firewall to allow only specific protocols to pass between the server in the DMZ and the application server in the private network.

3. It is risky to place the application server in the DMZ because data stored on the application server might be compromised.

4. Ensure that only authorized connections between the server in the DMZ and the application server in the private network can take place.

|73| B. Managing the connection between the two servers

1. Attach the server in the DMZ directly to the computer on the private network, using a crossover cable and a protocol other than TCP/IP.

a. Works only when the two servers are near each other

b. Offers little control over data transmission between the two servers

2. Open the firewall to allow the native protocol to transfer between the server in the DMZ and the application server in the private network.

a. The data transmitted between the two servers might be passed in plaintext, which allows a network sniffer to inspect confidential data.

(1) Network sniffers can view the contents of any unencrypted data packets transmitted on the network.

3. Use IPSec to encrypt the data transmitted between the server in the DMZ and the application server in the private network.

a. As long as the internal firewall is not performing NAT on the transmitted data, use IPSec to encrypt all data transmitted between the two servers.

|74| C. SQL server packet filters for the internal firewall

1. The packet filter permits the Web server (10.30.30.41) to connect to the SQL server (10.20.30.50) using only an SQL data connection.

2. No other computers in the DMZ are allowed to connect to the SQL server.

3. The Web server cannot use any other protocols to connect to the SQL server.

|75| D. IPSec packet filters for the internal firewall

1. Set up the packet filters at the internal firewall to allow both Internet Key Exchange (IKE) packets and IPSec ESP packets to pass.

2. The first packet filter allows the Web server (10.30.30.41) to negotiate an IPSec SA with the SQL server (10.20.30.50).

3. The second packet filter assumes that only ESP will be used to protect the IPSec packets.

a. Enables any packets encrypted with ESP (protocol ID 50) sent between the Web server and the SQL server to pass through the firewall

4. An ESP packet filter only describes the protocol ID; port information is not required for an ESP packet filter.
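The filter-processing rules from section 1 (top-to-bottom first match, default deny versus default allow, no log entry unless a filter matches) together with the DNS filter list of section 2F and the IPSec filters of section 6D above can be exercised with the evaluator below. It is an added example, not course material: the stateful behaviour (only the client-to-server direction needs a filter), the port-less matching for ESP, and the sample addresses 10.10.10.25 (private client), 10.30.30.42 (another DMZ host) and 198.51.100.7 (Internet host) are assumptions not taken from the outline.

```python
# Packet-filter evaluator for the outline's rule lists (added example, not course
# code). Assumed: filters are stateful, so only the client-to-server direction
# needs a filter, and a filter with no port matches any port (needed for ESP).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "esp", "gre", ...
    src: str
    dst: str
    dport: int = 0  # 0 for protocols that carry no ports

@dataclass(frozen=True)
class Filter:
    action: str                   # "allow" or "deny"
    proto: str
    src: str                      # CIDR; "0.0.0.0/0" means any address
    dst: str
    dport: Optional[int] = None   # None matches any destination port
    log: bool = False             # record an event when this filter matches

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

class Firewall:
    """Filters are processed top to bottom and the first match decides.
    default="deny" is "specify allowed protocols and prohibit everything else";
    default="allow" is "specify prohibited protocols and allow everything else"."""
    def __init__(self, filters, default="deny"):
        self.filters = list(filters)
        self.default = default
        self.log = []

    def decide(self, p: Packet) -> str:
        for index, f in enumerate(self.filters):
            if f.matches(p):
                if f.log:
                    self.log.append((index, f.action, p))
                return f.action
        # No match: the default applies and nothing is logged, which is why the
        # outline adds explicit deny filters for the protocols worth logging.
        return self.default

ANY, PRIVATE_NET = "0.0.0.0/0", "10.10.10.0/24"
INTERNAL_DNS, EXTERNAL_DNS, ISP_DNS = "10.10.10.3/32", "192.168.77.254/32", "131.107.199.56/32"

# Market Florist's eight DNS filters in the order the outline lists them. The two
# host-specific allow filters precede the network-wide deny filters; the reverse
# order would shadow them (see misordered_dns_decision).
MARKET_FLORIST_DNS = [
    Filter("allow", "udp", INTERNAL_DNS, EXTERNAL_DNS, 53),
    Filter("allow", "tcp", INTERNAL_DNS, EXTERNAL_DNS, 53),
    Filter("deny", "udp", PRIVATE_NET, ANY, 53, log=True),
    Filter("deny", "tcp", PRIVATE_NET, ANY, 53, log=True),
    Filter("allow", "udp", ANY, EXTERNAL_DNS, 53),
    Filter("allow", "tcp", ANY, EXTERNAL_DNS, 53),
    Filter("allow", "udp", EXTERNAL_DNS, ISP_DNS, 53),
    Filter("allow", "tcp", EXTERNAL_DNS, ISP_DNS, 53),
]

# Internal-firewall IPSec filters between the Web server and the SQL server:
# IKE on UDP 500, then ESP matched by protocol ID alone.
WEB_SERVER, SQL_SERVER = "10.30.30.41/32", "10.20.30.50/32"
INTERNAL_IPSEC = [
    Filter("allow", "udp", WEB_SERVER, SQL_SERVER, 500),
    Filter("allow", "esp", WEB_SERVER, SQL_SERVER),
]

def dns_decisions() -> dict:
    """Constructed packets: 198.51.100.7 is an Internet host, 10.10.10.25 a private client."""
    fw = Firewall(MARKET_FLORIST_DNS)
    results = {
        "internal_dns_forwards": fw.decide(Packet("udp", "10.10.10.3", "192.168.77.254", 53)),
        "client_bypasses_internal_dns": fw.decide(Packet("udp", "10.10.10.25", "198.51.100.7", 53)),
        "internet_queries_external_dns": fw.decide(Packet("tcp", "198.51.100.7", "192.168.77.254", 53)),
        "external_dns_forwards_to_isp": fw.decide(Packet("udp", "192.168.77.254", "131.107.199.56", 53)),
        "client_http_to_external_dns": fw.decide(Packet("tcp", "10.10.10.25", "192.168.77.254", 80)),
    }
    results["logged_events"] = len(fw.log)  # only the explicit deny is logged
    return results

def misordered_dns_decision() -> str:
    """The same filters with the network-wide deny filters moved to the top."""
    shadowed = MARKET_FLORIST_DNS[2:4] + MARKET_FLORIST_DNS[:2] + MARKET_FLORIST_DNS[4:]
    return Firewall(shadowed).decide(Packet("udp", "10.10.10.3", "192.168.77.254", 53))

def ipsec_decisions() -> dict:
    fw = Firewall(INTERNAL_IPSEC)
    return {
        "ike": fw.decide(Packet("udp", "10.30.30.41", "10.20.30.50", 500)),
        "esp": fw.decide(Packet("esp", "10.30.30.41", "10.20.30.50")),
        "esp_from_other_dmz_host": fw.decide(Packet("esp", "10.30.30.42", "10.20.30.50")),
        "unencrypted_telnet": fw.decide(Packet("tcp", "10.30.30.41", "10.20.30.50", 23)),
    }
```

The default-allow strategy of section 1B is the same engine with `Firewall(filters, default="allow")` and explicit deny filters for the prohibited protocols.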

|76| E. External firewall

1. Public network clients are only allowed to connect to the Web server.

2. The public network clients do not query the SQL server on the private network.

3. The Web server actually performs the query on the external customer’s behalf.

4. For the transaction to occur, the external customer only needs to connect to the Web server using HTTP or HTTPS.

|77| F. Making the decision: securing application traffic

1. Determine which protocols are required to access the server-based component in the DMZ.

a. In many cases, the server-based component will be a Web-based application running on a Web server.

2. Configure the external firewall to allow only public network client computers to connect to the server in the DMZ using the protocols required for the server-based component.

3. Determine which protocols the server-based component uses to connect to the application server in the private network.

4. Determine the most secure method to connect the server in the DMZ to the application server in the private network.

a. Include a strategy to prevent inspection of data in the DMZ.

5. Define the necessary packet filters at the internal firewall to allow only the required protocols to exchange data between the DMZ and the private network.

|78| G. Applying the decision: securing application traffic at Market Florist

1. Overview

a. Market Florist must allow customers to connect to the SQL server on the private network.

(1) A Web interface for customer registration

(2) The Flower Power application to store order information

b. All data transmitted between the Web server (MFWEB) and the SQL server (MFSQL) must be encrypted using IPSec transport mode.

|79| 2. Flower Power packet filters

a. The first two packet filters allow public network users to connect to the MFWEB server (192.168.77.2) using either HTTP or HTTPS.

b. The third packet filter allows public network users to connect to the Flower Power server-side application listening on UDP port 6834 on the MFWEB server.

c. The next four packet filters allow IPSec SAs to be negotiated between each component server in the NLBS Web cluster and the MFSQL server (10.10.10.20).

d. Establish separate packet filters for each Web server in the NLBS cluster.

(1) IPSec SAs are established between two computers, not between a computer and an NLBS cluster.

e. The last four packet filters allow each component server in the NLBS cluster to send ESP-encrypted SQL-data packets to the MFSQL server.

3. Warning

a. The last eight packet filters allow the MFSQL and MFWEB servers to transmit data in any protocol between the two servers.

b. If the IPSec SA does not use Authentication Headers (AH), the firewall allows the packets to pass.

c. To prevent unauthorized protocols, inspect IPSec packet filters regularly at each server.

(1) Ensure that they encrypt only authorized protocols.

|80| 7. Securing Terminal Server Traffic

A. Overview

1. Terminal Services allows an administrator to connect to servers on the network by using Remote Desktop Protocol (RDP).

2. Configure Terminal Services to run in Remote Administration mode rather than Application Services mode.

|81| B. Securing access to a terminal server

1. Configure the external firewall to allow only RDP connections to the terminal server.

2. Configure the terminal server to require strong encryption of the connection.

a. If the Windows 2000 High Encryption Pack is installed at both the Terminal Services client computer and the server running Terminal Services, 128-bit RC4 encryption is used to protect transmitted data.

b. If either the client or the server does not have the High Encryption Pack, 40-bit or 56-bit encryption is used.

|82| C. Terminal Services packet filters

1. This packet filter allows any computer to connect to the terminal server (10.30.30.44) with the RDP protocol.

2. Any attempts to connect to the terminal server with other protocols are denied.

|83| D. Making the decision: securing terminal server traffic

1. Configure the firewall to allow only connections to TCP port 3389, the RDP protocol, to pass through the firewall.

2. Configure the terminal server to use the highest level of encryption supported by the client computers, subject to local import and export laws.

3. If only administrative access to the terminal server is required, configure the terminal server to use Remote Administration mode.

a. This action prevents nonadministrative users from connecting to the terminal server.

|84| E. Applying the decision: securing terminal server traffic at Market Florist

1. Overview

a. Use Terminal Services to manage all servers in the DMZ from the private network.

b. Configure Terminal Services to use Remote Administration mode at all computers in the DMZ.

|85| 2. Terminal Services packet filters

a. The packet filters limit RDP access to the servers located in the DMZ from the private network (10.10.10.0/24).

b. All other connections are implicitly denied.

3. NLBS cluster

a. A separate packet filter for the NLBS cluster IP address is not needed.

b. Each NLBS cluster service node allows Terminal Services connections from the private network.

|86| 8. Securing VPN Traffic

A. Overview

1. The organization must consider how the tunneling protocol affects the firewall and network infrastructure design.

2. L2TP and IPSec tunnel mode both use IPSec to provide encryption services to the tunnel.

3. IPSec cannot pass through a firewall that performs NAT on incoming and outgoing packets.

|87| B. Securing PPTP tunnel traffic

1. Overview

a. Special considerations are not needed when placing a PPTP tunnel server in the network.

b. It does not matter if the external firewall performs NAT on incoming and outgoing packets.

c. The only requirement is to place the tunnel server in the DMZ.

|88| 2. PPTP tunnel server in the DMZ

a. Allow connections to the tunnel server using PPTP (TCP port 1723).

b. Allow connections to the Generic Routing Encapsulation (GRE) protocol (protocol ID 47).

|89| 3. PPTP packet filters at the external firewall

a. The first packet filter allows PPTP connections from any computer on the public network to the PPTP server (10.30.30.45).

b. The second packet filter allows GRE packets to pass through the external firewall to the PPTP server.

(1) PPTP uses GRE packets to encapsulate the original data packets.

|90| 4. Protect the Active Directory database

a. Deploy the PPTP server as a member of a workgroup rather than as a member of the domain.

b. To support domain authentication, configure the tunnel server as a Remote Authentication Dial-In User Service (RADIUS) client to a RADIUS server on the private network.

(1) Configure the internal firewall to allow RADIUS authentication (UDP port 1812) packets and RADIUS accounting (UDP port 1813) packets to pass from the tunnel server to the RADIUS server on the private network.

c. No additional encryption is required because the RADIUS protocol provides encryption services.

|91| 5. RADIUS authentication filters at the internal firewall

a. The first packet filter allows the PPTP server (10.10.10.45) to forward RADIUS authentication requests to the RADIUS server (10.20.30.60) on the private network.

b. The second packet filter allows RADIUS accounting packets to be sent from the PPTP server to the RADIUS server for centralized collection of account information.

|92| C. Securing L2TP/IPSec tunnel traffic

1. Overview

a. L2TP tunnel connections do not allow placing the tunnel server behind a firewall that performs NAT.

b. Modify the DMZ configuration to meet this requirement.

|93| 2. L2TP tunnel server in the DMZ using public network addressing

a. This is the most basic configuration, in which the DMZ uses public network addressing.

b. Place the L2TP tunnel server in the DMZ like a PPTP tunnel server.

|94| 3. L2TP tunnel server in the hybrid DMZ

a. The outer DMZ uses public network addressing so that NAT is not performed on any of the packets destined for the L2TP tunnel server.

b. The packets are decrypted after they reach the L2TP tunnel server so they can pass through the intermediate firewall that is performing NAT to the inner DMZ.

c. The packets can pass all the way to the private network through both the intermediate and internal firewalls.

|95| 4. Securing access to an L2TP perimeter server

a. The L2TP tunnel server is a dual-homed server with the external network interface card (NIC) on the public network and the internal NIC attached to the DMZ.

b. Protect the external NIC by establishing packet filters to allow only L2TP/IPSec connections and deny other connection attempts.

c. The L2TP tunnel server is configured to use the NAT service included in Windows 2000 to translate private network addresses in the DMZ to public network addresses.

|96| 5. L2TP/IPSec filters at the external firewall

a. The first packet filter allows any remote client computer to negotiate an IPSec SA with the L2TP server (131.107.40.5).

b. The second packet filter allows the remote client computer to exchange ESP-encrypted data with the L2TP server.

c. The external firewall or external NIC of the L2TP perimeter server does not require a packet filter.

|97| D. Making the decision: securing VPN traffic

1. Use public network addressing if the L2TP tunnel server is placed in the DMZ.

2. If the DMZ uses private network addressing as defined in RFC 1918, either

a. Establish an outer DMZ that uses public network addressing

b. Configure the L2TP server as a perimeter server with an interface on the public network to accept tunnel connections

3. Configure the external firewall to pass the tunneling protocol used by the tunnel server in the DMZ.


a. For PPTP, this requires permitting packet filters for PPTP (TCP port 1723) and GRE (protocol ID 47) to pass to the tunnel server.

b. For L2TP, this requires the external firewall to allow IKE (UDP port 500) and ESP (protocol ID 50) packets to pass through to the tunnel server.

4. Configure the internal firewall to allow RADIUS authentication to a RADIUS server on the private network.

a. RADIUS authentication provides domain logon capabilities for remote access when the tunnel server is located in a DMZ.

b. Configure packet filters for RADIUS authentication (UDP port 1812) and RADIUS accounting (UDP port 1813) that allow RADIUS transmissions only from the tunnel server to the RADIUS server.

|98| E. Applying the decision: securing VPN traffic at Market Florist

1. Overview

a. The MFTUNNEL server is assigned an IP address of 192.168.77.9, which is an RFC 1918-defined private network address.

(1) This address indicates that NAT is being used to protect the private network IP addressing scheme.

b. The only tunneling protocol supported in this network infrastructure is PPTP.

c. Configure the firewall to allow the MFTUNNEL server to pass RADIUS authentication and accounting packets to the Internet Authentication Service (IAS) server at IP address 10.10.10.200.

|99| 2. Tunnel packet filters at the Market Florist firewall

a. The first two filters allow remote clients to connect to the MFTUNNEL server (192.168.77.9) using only PPTP connections.

b. Since the MFTUNNEL server is behind a firewall that performs NAT, packet filters for IPSec traffic are not needed.

c. The last two filters allow RADIUS authentication and RADIUS accounting packets to be passed from the MFTUNNEL server to the RADIUS server (10.10.10.200) on the private network.
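The rule sets described under "Making the decision" and applied at Market Florist, written out as a first-match packet filter and run against constructed sample packets. This is an added example, not the firewall configuration of the original outline. The addresses come from the outline (MFTUNNEL at 192.168.77.9, the IAS server at 10.10.10.200, the L2TP server at 131.107.40.5); the remote client address 131.107.2.200, the extra DMZ host 192.168.77.50 and the source ports are assumptions.

```python
"""Added example: first-match packet filter encoding the VPN filter rules of
this section, evaluated against constructed sample packets.
Addresses from the outline: MFTUNNEL 192.168.77.9, IAS 10.10.10.200,
L2TP server 131.107.40.5. Client and extra DMZ host addresses are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

IP_PROTO = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50}


@dataclass(frozen=True)
class Packet:
    proto: int                    # IP protocol number
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols without ports (GRE, ESP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: int
    src: str                      # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None   # None: do not inspect the destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src) or ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or p.dport == self.dport


def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


ANY = "0.0.0.0/0"
MFTUNNEL = "192.168.77.9/32"      # PPTP server in the NATed DMZ
IAS = "10.10.10.200/32"           # RADIUS (IAS) server on the private network
L2TP_SERVER = "131.107.40.5/32"   # L2TP/IPSec server on public addressing

# External firewall at Market Florist: only PPTP reaches the tunnel server.
MARKET_FLORIST_EXTERNAL = [
    Rule("permit", IP_PROTO["tcp"], ANY, MFTUNNEL, 1723, "PPTP control channel"),
    Rule("permit", IP_PROTO["gre"], ANY, MFTUNNEL, None, "PPTP data (GRE, protocol 47)"),
]

# Internal firewall: RADIUS only from the tunnel server to the IAS server.
MARKET_FLORIST_INTERNAL = [
    Rule("permit", IP_PROTO["udp"], MFTUNNEL, IAS, 1812, "RADIUS authentication"),
    Rule("permit", IP_PROTO["udp"], MFTUNNEL, IAS, 1813, "RADIUS accounting"),
]

# External firewall in front of an L2TP/IPSec server with a public address.
L2TP_EXTERNAL = [
    Rule("permit", IP_PROTO["udp"], ANY, L2TP_SERVER, 500, "IKE"),
    Rule("permit", IP_PROTO["esp"], ANY, L2TP_SERVER, None, "ESP (protocol 50); L2TP rides inside"),
]


def run_samples() -> dict:
    """Constructed sample packets and the verdict each rule set gives."""
    client = "131.107.2.200"      # assumed remote client
    dmz_host = "192.168.77.50"    # assumed other host in the DMZ
    samples = {
        "pptp control from Internet": (MARKET_FLORIST_EXTERNAL, Packet(6, client, "192.168.77.9", 40000, 1723)),
        "gre from Internet": (MARKET_FLORIST_EXTERNAL, Packet(47, client, "192.168.77.9")),
        "ike to MFTUNNEL (no L2TP behind NAT)": (MARKET_FLORIST_EXTERNAL, Packet(17, client, "192.168.77.9", 500, 500)),
        "smb probe to MFTUNNEL": (MARKET_FLORIST_EXTERNAL, Packet(6, client, "192.168.77.9", 40001, 445)),
        "radius auth from MFTUNNEL": (MARKET_FLORIST_INTERNAL, Packet(17, "192.168.77.9", "10.10.10.200", 1645, 1812)),
        "radius acct from MFTUNNEL": (MARKET_FLORIST_INTERNAL, Packet(17, "192.168.77.9", "10.10.10.200", 1646, 1813)),
        "radius auth from other DMZ host": (MARKET_FLORIST_INTERNAL, Packet(17, dmz_host, "10.10.10.200", 1645, 1812)),
        "ike to L2TP server": (L2TP_EXTERNAL, Packet(17, client, "131.107.40.5", 500, 500)),
        "esp to L2TP server": (L2TP_EXTERNAL, Packet(50, client, "131.107.40.5")),
        "bare l2tp udp 1701 to L2TP server": (L2TP_EXTERNAL, Packet(17, client, "131.107.40.5", 1701, 1701)),
    }
    return {name: evaluate(rules, pkt) for name, (rules, pkt) in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:6} {name}")
```

The filter is deliberately stateless and shows only the inbound direction; the stateful inspection that the chapter lists as a firewall service is what lets the replies back out. Note the two denials that matter most: IKE aimed at MFTUNNEL is dropped because L2TP/IPSec is not offered behind the NAT firewall, and RADIUS from any DMZ host other than the tunnel server is dropped because the internal filters are pinned to the tunnel server's address.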

|100| Chapter Summary

Identifying firewall features to protect the extranet
Comparing DMZ configurations
Securing Internet Information Server (IIS)
Securing other services within the DMZ
Determining a firewall strategy
Securing DNS resolution traffic

|101| Securing Web traffic
Securing FTP traffic
Securing mail traffic
Securing application traffic
Securing terminal server traffic
Securing VPN traffic
