Solved

few clarifications

Posted on 2004-04-29
11
189 Views
Last Modified: 2010-04-17

Hello Experts
Here is a brief introduction of my client's setup, and then I will ask you a few queries.

There are 50 workstations in the client's network 192.168.10.0.
They connect to the internet through the router over an ISDN WAN line.

The router's ISDN interface has no static address.
It negotiates with the ISP router to obtain an IP address.
The router blocks all kinds of traffic except SMTP through access-lists.

Now the client has bought a Cisco PIX 506E firewall for more security
and has asked me to configure it for him.

My queries are:

Does the client need to buy static IP addresses to be assigned to the outside
interfaces of the firewall and router?
If not, then what is the alternative?


WWW, telnet, etc. are already blocked through the router's access-lists.
What other security features can be enhanced with the firewall?

regards

sirdesai
Question by:sirdesai
11 Comments
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 100 total points
ID: 10951731
The PIX should connect to the LAN side of the router and the LAN goes on the inside of that. You don't need to change the router address. You can set up a small private network between the router and the PIX and move the LAN default gateway to the PIX.

The router is doing packet filtering. The PIX is a stateful firewall that will be a lot tighter. You should use both, as the router will screen out the obvious stuff and the PIX will get the rest.
0
 

Author Comment

by:sirdesai
ID: 10956863
Hi
Thanks for your prompt answer

After reading your answer I made the following conclusions:

The PIX inside interface will connect to the LAN and the outside interface to the router's interface,
  and the router as usual connects to the internet through its outside interface.


I would also like to ask whether the connection between the router and PIX should be a direct connection
using a crossover cable or through the network using a straight cable.

If the LAN address is 192.168.10.1 then I can form a private network between the PIX and router
using 192.168.100.0. I do not require a static IP address.


What does stateful firewall mean?

regards


sagar
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10961452
You've got it right.

Unless you have a need now to put something else on the same LAN as the PIX-router connection you might as well just use a x-over cable between them. You can always put a switch or hub in there later if you have a need for a mail relay or other equipment, an IDS probe, or whatever. Your proposed 192.168.100 subnet leaves more than enough room for future growth without having to make interface address changes.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10961548
Oh- stateful firewall means the firewall keeps all active sessions in memory so it has a much better idea of what packets don't belong in your network. It doesn't just check that inbound packets match the rules for inbound packets like an access list does. It also watches the outbound packets and makes sure that return traffic for allowed outbound sessions is automatically allowed, even if you didn't specifically allow it.

This eliminates the need to open holes in your firewall for, say, tcp established. Anyone can forge a packet with the ack bit set and "permit tcp any any established" in a regular access list would allow it. A stateful firewall won't allow a tcp packet with the ack bit set unless it is part of a session that was ongoing. You don't make a rule to allow it, it allows them automatically as needed.

Does that make sense?
0
 

Author Comment

by:sirdesai
ID: 10972349
Hi

Thanks for your answer, but I have still not got the benefits of a firewall... like how it makes a network more secure when I have a router which filters most of the traffic through its access-lists.

In short, I have not got the meaning of stateful firewall and its benefit.

regards
sagar
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10979629
OK. Here's a simple example:

You want to allow return traffic for your web surfers. So you put in the line "permit tcp any any established." So far, so good. You're allowing inbound tcp traffic, but only if the traffic belongs to a session initiated by one of your users.

How does the router determine if the traffic is "established?" It looks for a bit in the TCP header called the ACK bit, which when set to 1 means that the packet is part of an existing session. So basically you are letting in any TCP packet that has the ACK bit set to 1. If I as a Bad Guy want to cause a denial of service inside your network, all I have to do is flood one of your inside servers with a bunch of packets with the ACK bit set and your router will allow them all through. This is because it essentially looks at each packet individually and makes a decision based on the rules you set.

A stateful firewall looks deeper. It keeps track of every current "conversation" your users are having with the outside world and examines inbound packets to see if they actually belong to these conversations. A stateful firewall would look at those packets with the ACK bit set. It would say (in firewallese) "Hmmm, these packets do not relate to any existing outbound sessions I know about. ACK or no ACK, I'm not letting them in because they obviously don't belong here."

Does that help?
0
 

Author Comment

by:sirdesai
ID: 10985212
Hi mikebernhardt,
I would like to know how the firewall knows whether an inbound packet belongs to any of the current
sessions...

I will be grateful also if you tell me how the three-way handshake is helpful during conversations.

I know I am going off track.

thanks and regards

0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10988141
1. They all do it a little differently, but they just keep track of what is going out and see if what is going in relates to what has gone out. They may look at sockets (IP address + TCP or UDP port) or they may look at TCP sequence numbers.

2. Here's a link that explains the 3-way handshake
http://www.pccitizen.com/threewayhandshake.htm

This is a lot of help for 50 points!
0
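To make the two earlier points concrete (the "permit tcp any any established" example and the note that firewalls track sockets, i.e. IP address plus port), here is a small added model that is not from the thread. It compares an ACK-bit-only packet filter with a firewall that keeps a session table keyed on socket pairs; the addresses and packets are constructed for the demo.

```python
# Added example (not from the original thread): an IOS-style "established"
# rule that only inspects the ACK flag versus a stateful filter that admits
# inbound TCP only when it answers a session an inside host opened.
from dataclasses import dataclass

INSIDE_NET = "192.168.10."   # constructed: the thread's inside LAN prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def established_acl_allows(pkt: Packet) -> bool:
    """Packet filter: 'permit tcp any any established' looks only at the ACK bit."""
    return pkt.ack


class StatefulFirewall:
    """Tracks outbound sessions by socket pair (inside ip/port, outside ip/port)."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INSIDE_NET):
            # Outbound: a fresh SYN opens a session; remember it so replies can return.
            if pkt.syn and not pkt.ack:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: allowed only if it matches a tracked session, ACK bit or not.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def demo() -> dict[str, bool]:
    fw = StatefulFirewall()
    # Constructed traffic: an inside user opens a web session, server replies.
    out_syn = Packet("192.168.10.25", 40123, "203.0.113.10", 80, syn=True)
    reply = Packet("203.0.113.10", 80, "192.168.10.25", 40123, syn=True, ack=True)
    # Constructed forged ACK aimed at an inside server with no outbound session.
    forged = Packet("198.51.100.7", 4444, "192.168.10.5", 25, ack=True)
    fw.allow(out_syn)
    return {
        "reply_acl": established_acl_allows(reply),        # True
        "reply_stateful": fw.allow(reply),                  # True
        "forged_acl": established_acl_allows(forged),      # True: ACK bit is enough
        "forged_stateful": fw.allow(forged),                # False: no such session
    }
```

The "established" rule admits the forged packet purely because its ACK bit is set, while the session table rejects it because no inside host ever opened a connection to that socket pair.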
 

Author Comment

by:sirdesai
ID: 11115664
Hi mikebernhardt,

First of all, I will be increasing the points for this question.

As I told you, I have a network with a router and firewall.
The router is the final device in my network.

Firewall inside interface address is 192.168.10.1.

Firewall outside interface address is 192.168.100.1, connected to router inside interface 192.168.100.2.

This is how I have configured my firewall:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address inside 192.168.10.1 255.255.255.0
ip address outside 192.168.100.1 255.255.255.0
nat (inside) 0 0 0
route outside 0 0 192.168.100.2 1

write memory

Then in the router I did this:

int ethernet 0
ip address 192.168.100.2 255.255.255.0

router rip
network 192.168.100.0 255.255.255.0

write memory

Please tell me whether this will be alright.

Please mail me.

I am also increasing the points

Regards

Sagar
0
 

Author Comment

by:sirdesai
ID: 11115679
Also I have added

access-list acl_in permit ip any any

access-group acl_in in interface inside

access-group acl_in in interface outside
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 11163211
Somehow I missed your earlier comments. Thanks for accepting my answer, but I want to make a minor suggestion:

It's a good idea to not use dynamic routing in a firewall area. You shouldn't run RIP on your outside router at all. Just have a static route to your inside network:
192.168.10.0 255.255.255.0 192.168.100.1

and on the PIX, have the static default route

0.0.0.0 0.0.0.0 192.168.100.2

I assume that you already have a static route to your ISP on the router, that would of course stay there.

The problem is that someone might be able to send false RIP routes into your router and then you're hosed.
0
