TippingPoint X505 Training - Firewall – Rules, Services and Virtual Servers

Oct 30, 2014

justingoldberg
Page 1: TippingPoint X505 Training - Firewall – Rules, Services and Virtual Servers

TippingPoint X505 Training

Firewall – Rules, Services and Virtual Servers

Page 2

Firewall – Objectives

> Upon completion of this module, you should be familiar with the following:

— Firewall Concepts Review

— Firewall Rules

— Firewall Rule Components

— Services and Service Groups

— Bandwidth Management

— Scheduling

— Authorization

— Content Filtering

— Virtual Servers

— Port Address Translation

Page 3

Types of Firewalls

> Network Address Translation

— Translates internal IP addresses to external addresses

— Can be used to map many internal addresses to one (or few) external addresses

— Denies most connections inbound

> Proxy

— Acts as a “middle man”

— Handles all external connections on behalf of internal clients

> Stateful Inspection

— Keeps track of the state of all connections

— Denies out of state connection attempts

— Rules or policies determine what can or cannot be accessed from outside the network

> The X505 is a Stateful Firewall and more (IPS, rate shaping, content filtering, etc.)

Page 4

Firewall Rules

Page 5

Firewall Rules

> Rules are “top down”

> Implicit deny at the end

> Click on (highlight) an existing rule to create a new rule above it

> There are many default rules to facilitate such things as DHCP requests, DNS queries and VPN termination

Page 6

Firewall Rule Components

> Source/Destination Zones

— IP Address Groups

> Action

— Permit/Block/Content Filter

> Services/Service Groups

> Rate Limiting

> Scheduling

> Authentication

Page 7

Services and Service Groups

> Services are applications and protocols that can be configured in a firewall rule to police that traffic

— The X505 comes with a host of pre-defined services

— e.g. “dns-tcp” is protocol 6 (TCP) and port 53

> Service Groups are groupings of services

— Similar to the Services, the X505 comes with a host of pre-defined service groups

— e.g. “dns” consists of the services “dns-tcp” and “dns-udp”

Page 8

Bandwidth Management

> Bandwidth management can be applied to applications on a per rule or per session basis

> For example, use per session for voice and per rule for limiting WWW access, etc.

Page 9

Scheduling

> Schedules can be defined to limit a firewall rule to certain times of the day/week

— e.g. “Work Day” = MTWThF from 8AM-6PM

Page 10

Authorization

> Users can be forced to authorize themselves before accessing various resources

> By defining firewall rules that reference privilege groups, users can be authorized before access is allowed

> You may need to position authorization rules before the “LAN” “WAN” “Any” rule to ensure that authorization is performed first
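The Firewall Rules, Services, Scheduling and Authorization slides describe one evaluation model: rules are walked top down, the first match wins, and anything unmatched hits the implicit deny. The toy rule base below, an added example that is not TippingPoint code, makes that model concrete. The field names follow the slides (zones, services, service groups, a “Work Day” schedule, a rule that references a privilege group), but the data structures, the rule base contents and the “authenticate” outcome for an unauthenticated user hitting an authorization rule are assumptions made here. It also shows the ordering point from this slide: the same authorization rule placed below the “LAN” “WAN” “Any” permit is never reached.

```python
"""Toy first-match firewall rule base modelled on the X505 slides.

Added example, not TippingPoint code: zones, services, service groups,
schedules and authorization follow the slides; the structures, the sample
rule bases and the "authenticate" outcome are assumptions made here.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

TCP, UDP = 6, 17  # IP protocol numbers

# Pre-defined services, name -> (protocol, port); "dns-tcp" is the slide's example.
SERVICES = {
    "dns-tcp": (TCP, 53), "dns-udp": (UDP, 53),
    "http": (TCP, 80), "https": (TCP, 443), "ssh": (TCP, 22),
}
# Service groups are sets of services; "dns" is the slide's example.
SERVICE_GROUPS = {"dns": {"dns-tcp", "dns-udp"}, "web": {"http", "https"}}

@dataclass
class Schedule:
    """Days use Python weekday numbering (0 = Monday); hours are [start, end)."""
    days: set
    start_hour: int
    end_hour: int

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour

WORK_DAY = Schedule({0, 1, 2, 3, 4}, 8, 18)  # MTWThF 8AM-6PM, as on the Scheduling slide

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str                # a service, a service group, or "Any"
    action: str                 # "permit", "block" or "content-filter"
    schedule: Optional[Schedule] = None
    require_auth: bool = False  # rule references a privilege group

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: int
    dport: int
    authenticated: bool = False
    when: datetime = field(default_factory=datetime.now)

def service_matches(service: str, proto: int, dport: int) -> bool:
    """Expand a service group to its members, then compare protocol and port."""
    if service == "Any":
        return True
    members = SERVICE_GROUPS.get(service, {service})
    return any(SERVICES.get(m) == (proto, dport) for m in members)

def evaluate(rules, pkt: Packet):
    """Top down, first match wins; no match means the implicit deny."""
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
            continue
        if not service_matches(rule.service, pkt.proto, pkt.dport):
            continue
        if rule.schedule is not None and not rule.schedule.active(pkt.when):
            continue  # outside its schedule the rule is simply skipped
        if rule.require_auth and not pkt.authenticated:
            return "authenticate", rule.name  # assumed: challenge the user first
        return rule.action, rule.name
    return "block", "implicit-deny"

# The same rules in two orders: the broad LAN->WAN "Any" permit last vs. before auth.
AUTH_WEB = Rule("auth-web", "LAN", "WAN", "web", "permit", require_auth=True)
LAN_DNS = Rule("lan-wan-dns", "LAN", "WAN", "dns", "permit")
LAN_ANY = Rule("lan-wan-any", "LAN", "WAN", "Any", "permit")
LAN_SSH = Rule("lan-wan-ssh", "LAN", "WAN", "ssh", "permit", schedule=WORK_DAY)

RULES_AUTH_FIRST = [LAN_DNS, AUTH_WEB, LAN_ANY]
RULES_AUTH_SHADOWED = [LAN_DNS, LAN_ANY, AUTH_WEB]  # auth rule is never reached
RULES_STRICT = [LAN_DNS, LAN_SSH]                   # no catch-all permit

# Constructed sample traffic; 2014-10-30 is a Thursday, 2014-11-01 a Saturday.
WEB_UNAUTH = Packet("LAN", "WAN", TCP, 443)
DNS_UDP = Packet("LAN", "WAN", UDP, 53)
INBOUND_HTTP = Packet("WAN", "LAN", TCP, 80)
SSH_THU = Packet("LAN", "WAN", TCP, 22, when=datetime(2014, 10, 30, 10, 0))
SSH_SAT = Packet("LAN", "WAN", TCP, 22, when=datetime(2014, 11, 1, 10, 0))

if __name__ == "__main__":
    for label, rules, pkt in [
        ("auth rule above Any", RULES_AUTH_FIRST, WEB_UNAUTH),
        ("auth rule below Any", RULES_AUTH_SHADOWED, WEB_UNAUTH),
        ("dns group, udp", RULES_AUTH_FIRST, DNS_UDP),
        ("inbound, no rule", RULES_AUTH_FIRST, INBOUND_HTTP),
        ("ssh in work hours", RULES_STRICT, SSH_THU),
        ("ssh on Saturday", RULES_STRICT, SSH_SAT),
    ]:
        print(f"{label:22} -> {evaluate(rules, pkt)}")
```

Running the module prints one line per case. The two web cases are the point of the slide: with the authorization rule above the “Any” permit the unauthenticated user is challenged; with it below, the catch-all permits the traffic and the authorization rule is dead. The strict rule base shows a scheduled rule falling through to the implicit deny on a Saturday, and the inbound case shows that a direction with no rule at all is denied.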

Page 11

Authorization

Create a privilege group…

Assign the privilege group to a user…

Enable user authentication in a firewall rule…

Page 12

Authorization

Page 13

Content Filtering

Page 14

Content Filtering

> 3Com Content Filter Service

— Servers based in NA, Europe or Asia

> Subscription Service

— Must have “DV Gold” Maintenance level

> Backed by Surf Control

> Content Categories

> Manual URL Filter

> Custom Web Response Page

Page 15

Content Filtering Configuration

> Enable Content Filter and/or Manual URL Filter

— Optional: Custom Response Page

> Create a firewall rule with the action “Content Filter”

— Position the rule above the “LAN” “WAN” “Any” rule to ensure that content filtering takes place first

Page 16

Manual URL Filter

> Select whether to permit or block

> Specify a partial URL or enter a regular expression
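The slide offers two ways to write a manual URL filter entry: a partial URL or a regular expression. The added example below, not TippingPoint code, models a first-match list of such entries so the difference can be seen on sample URLs. It assumes that a “partial URL” is a plain substring test against the full URL and that an unmatched URL falls through to the category filter; the entries, host names and the `check_url` function are all constructed here. The `LOOSE_PERMIT` list is the check a practitioner wants before trusting a permit entry: a substring permit for a host also permits any longer host name that contains it, whereas the host-anchored regex does not.

```python
"""Manual URL filter: partial-URL and regex entries, first match wins.

Added example, not TippingPoint code. The entry format, the substring
semantics assumed for "partial URL", the fall-through to the category
filter and the sample URLs are assumptions made here.
"""
import re

# Constructed filter list: (action, kind, pattern). "partial" is a substring
# test against the full URL; "regex" uses re.search.
FILTER_ENTRIES = [
    ("permit", "regex", r"^https?://([^/]+\.)?intranet\.example\.org/"),  # host anchored
    ("block", "partial", "/downloads/"),
    ("block", "partial", "social.example"),
]

# A substring permit for the same host: also matches look-alike host names.
LOOSE_PERMIT = [("permit", "partial", "intranet.example.org")]

def check_url(url: str, entries=FILTER_ENTRIES):
    """Return (action, pattern) for the first matching entry, or
    ("category-filter", None) when none matches and the categories decide."""
    for action, kind, pattern in entries:
        if kind == "partial" and pattern in url:
            return action, pattern
        if kind == "regex" and re.search(pattern, url):
            return action, pattern
    return "category-filter", None

if __name__ == "__main__":
    for url in ("https://intranet.example.org/wiki/",
                "https://wiki.intranet.example.org/page",
                "https://intranet.example.org.mirror.test/wiki/",
                "https://files.example.org/downloads/a.zip",
                "https://social.example.net/home"):
        print(f"{url:50} anchored={check_url(url)} loose={check_url(url, LOOSE_PERMIT)}")
```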

Page 17

Virtual Servers

> Virtual Servers provide the means with which to do one-to-one NAT as well as Port Address Translation (PAT)

Page 18

Port Address Translation

> Also known as “port forwarding”

> The virtual server “listens” on a certain port on the outside, and the X505 will forward the connection request to the “real” port internally
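The Virtual Servers and Port Address Translation slides describe a table that maps an outside address and port to an internal host and its “real” port, either one-to-one (every port) or per port. The added example below, not TippingPoint code, models such a table and the stateful part of the job: an inbound connection request is rewritten to the internal server, the session is remembered, and the server's reply is rewritten back to the outside address the client used; a reply with no session is reported as out of state. The addresses (documentation ranges), the table layout, the session table and the `exposed_ports` review helper are all assumptions made here.

```python
"""Virtual server table modelling one-to-one NAT and PAT (port forwarding).

Added example, not TippingPoint code. The addresses, the table layout, the
session table used to rewrite replies and the review helper are assumptions.
"""

# Constructed entries. Key: (outside IP, outside port); value: (inside IP, inside port).
# A None port is one-to-one NAT: every outside port maps to the same port inside.
VIRTUAL_SERVERS = {
    ("203.0.113.10", 8443): ("192.168.1.20", 443),   # PAT: listens on 8443, forwards to 443
    ("203.0.113.10", 2222): ("192.168.1.30", 22),    # PAT: listens on 2222, forwards to 22
    ("203.0.113.11", None): ("192.168.1.40", None),  # one-to-one NAT, all ports
}

class VirtualServerNat:
    """Rewrites inbound connection requests and keeps state to rewrite the replies."""

    def __init__(self, table):
        self.table = table
        # (inside server (ip, port), outside client (ip, port)) -> outside (ip, port) the client used
        self.sessions = {}

    def inbound(self, client, dst):
        """Connection request from `client` to outside address `dst`, both (ip, port).

        Returns the internal (ip, port) it is forwarded to, or None when no
        virtual server listens there (the packet then goes to the firewall
        rules and, failing a match, the implicit deny)."""
        dst_ip, dst_port = dst
        if dst in self.table:                       # PAT entry for this exact port
            inside = self.table[dst]
        elif (dst_ip, None) in self.table:          # one-to-one NAT keeps the port
            inside = (self.table[(dst_ip, None)][0], dst_port)
        else:
            return None
        self.sessions[(inside, client)] = dst
        return inside

    def reply(self, server, client):
        """Reply from internal `server` to `client`: the outside (ip, port) to put
        back as the source, or None when no session exists (out-of-state reply)."""
        return self.sessions.get((server, client))

    def exposed_ports(self):
        """Review helper: everything the outside can reach, one line per listener."""
        def fmt(ip, port):
            return f"{ip}:{port if port is not None else '*'}"
        return sorted(f"{fmt(oip, oport)} -> {fmt(iip, iport)}"
                      for (oip, oport), (iip, iport) in self.table.items())

if __name__ == "__main__":
    nat = VirtualServerNat(VIRTUAL_SERVERS)
    print("\n".join(nat.exposed_ports()))
    client = ("198.51.100.5", 40000)
    print(nat.inbound(client, ("203.0.113.10", 8443)))   # -> internal server, port 443
    print(nat.reply(("192.168.1.20", 443), client))      # -> outside 203.0.113.10:8443
    print(nat.inbound(client, ("203.0.113.10", 443)))    # -> None, nothing listens on 443
```

The `exposed_ports` listing is the check worth running after every change to the table: each line is a service reachable from the outside, and a one-to-one entry exposes every port of the internal host, which the PAT entries deliberately do not.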

Page 19

LAB 4: Firewall and Virtual Server