sirdesai

asked on

few clarifications


Hello Experts,
Here is a brief introduction of my client's setup, and then I will ask you a few queries.

There are 50 workstations in the client's network 192.168.10.0.
They connect to the internet through the router over an ISDN WAN line.

The router's ISDN interface has no static address.
It negotiates with the ISP router to obtain an IP address.
The router blocks all kinds of traffic except SMTP through access-lists.

Now the client has bought a Cisco PIX 506E firewall for more security
and has asked me to configure it for him.

My queries are:

Does the client need to buy static IP addresses to be assigned to the outside
interfaces of the firewall and router?
If not, then what is the alternative?


Already www, telnet etc. are blocked through the router's access-lists.
What other security features can be enhanced with the firewall?

regards

sirdesai
ASKER CERTIFIED SOLUTION
mikebernhardt

sirdesai

ASKER
Hi,
Thanks for your prompt answer.

After reading your answer I made the following conclusions:

The PIX inside interface will connect to the LAN and the outside interface to the router's interface,
and the router as usual connects to the internet through its outside interface.


I would also like to ask whether the connection between the router and PIX should be a direct connection
using a crossover cable or through the network using a straight cable.

If the LAN address is 192.168.10.1 then I can form a private network between the PIX and router
using 192.168.100.0. I do not require a static IP address.


What does stateful firewall mean?

regards


sagar
You've got it right.

Unless you have a need now to put something else on the same LAN as the PIX-router connection you might as well just use a x-over cable between them. You can always put a switch or hub in there later if you have a need for a mail relay or other equipment, an IDS probe, or whatever. Your proposed 192.168.100 subnet leaves more than enough room for future growth without having to make interface address changes.
Oh, stateful firewall means the firewall keeps all active sessions in memory so it has a much better idea of what packets don't belong in your network. It doesn't just check that inbound packets match the rules for inbound packets like an access list does. It also watches the outbound packets and makes sure that return traffic for allowed outbound sessions is automatically allowed, even if you didn't specifically allow it.

This eliminates the need to open holes in your firewall for, say, tcp established. Anyone can forge a packet with the ack bit set and "permit tcp any any established" in a regular access list would allow it. A stateful firewall won't allow a tcp packet with the ack bit set unless it is part of a session that was ongoing. You don't make a rule to allow it, it allows them automatically as needed.

Does that make sense?
Hi,

Thanks for your answer, but I still have not got the benefits of a firewall, like how it makes a network more secure when I have a router which filters most of the traffic through its access-lists.

In short, I have not got the meaning of stateful firewall and its benefit.

regards
sagar
OK. Here's a simple example:

You want to allow return traffic for your web surfers. So you put in the line "permit tcp any any established." So far, so good. You're allowing inbound tcp traffic, but only if the traffic belongs to a session initiated by one of your users.

How does the router determine if the traffic is "established?" It looks for a bit in the TCP header called the ACK bit, which when set to 1 means that the packet is part of an existing session. So basically you are letting in any TCP packet that has the ACK bit set to 1. If I as a Bad Guy want to cause a denial of service inside your network, all I have to do is flood one of your inside servers with a bunch of packets with the ACK bit set and your router will allow them all through. This is because it essentially looks at each packet individually and makes a decision based on the rules you set.

A stateful firewall looks deeper. It keeps track of every current "conversation" your users are having with the outside world and examines inbound packets to see if they actually belong to these conversations. A stateful firewall would look at those packets with the ACK bit set. It would say (in firewallese) "Hmmm, these packets do not relate to any existing outbound sessions I know about. ACK or no ACK, I'm not letting them in because they obviously don't belong here."

Does that help?
Hi mikebernhardt,
I would like to know how the firewall knows whether an inbound packet belongs to any of the current
sessions...

I will also be grateful if you tell me how the three-way handshake is helpful during conversations.

I know I am going out of track.

thanks and regards

1. They all do it a little differently, but they just keep track of what is going out and see if what is going in relates to what has gone out. They may look at sockets (IP address + TCP or UDP port) or they may look at TCP sequence numbers.

2. Here's a link that explains the 3-way handshake
http://www.pccitizen.com/threewayhandshake.htm

This is a lot of help for 50 points!
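To make the "permit tcp any any established" versus stateful-inspection contrast above concrete, here is an added example (not code from the thread or from any Cisco product). It models the two behaviours in Python: a router-style check that admits any inbound TCP packet with the ACK bit set, beside a session table keyed on the socket pair (source/destination IP and port), which is one of the two tracking methods named in the answer. The addresses, ports and packets are constructed for the demonstration; the only value taken from the thread is the 192.168.10.0 inside network.

```python
"""Stateful session tracking versus an `established` access list.

Added example, not from the original thread. Constructed packets model the
scenario described above: an inside user opens a web session, and an outsider
floods an inside server with ACK-flagged packets that belong to no session.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def acl_established(pkt: Packet) -> bool:
    """Router-style 'permit tcp any any established' applied inbound:
    any packet with ACK set is admitted; there is no memory of earlier traffic."""
    return "ACK" in pkt.flags


class StatefulFirewall:
    """Tracks sessions by socket pair (inside IP/port, outside IP/port).

    An outbound SYN from the inside opens an entry; an inbound packet is
    admitted only if it is the reverse of a tracked entry. RST or FIN from the
    outside closes the entry so late packets cannot reuse it.
    """

    def __init__(self) -> None:
        self.sessions: set = set()

    def outbound(self, pkt: Packet) -> bool:
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True  # outbound traffic is permitted in this model

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse of the outbound tuple
        if key not in self.sessions:
            return False  # ACK or no ACK, it matches no conversation we know
        if pkt.flags & {"FIN", "RST"}:
            self.sessions.discard(key)
        return True


def simulate() -> dict:
    """Run the constructed traffic through both checks and return the verdicts."""
    fw = StatefulFirewall()

    # Constructed traffic (documentation prefixes 198.51.100.0/24 and 203.0.113.0/24 for the outside).
    user_syn = Packet("192.168.10.25", 40000, "198.51.100.10", 80, frozenset({"SYN"}))
    server_synack = Packet("198.51.100.10", 80, "192.168.10.25", 40000, frozenset({"SYN", "ACK"}))
    outside_syn = Packet("203.0.113.5", 5000, "192.168.10.20", 80, frozenset({"SYN"}))
    ack_flood = [
        Packet("203.0.113.5", 1024 + i, "192.168.10.20", 80, frozenset({"ACK"}))
        for i in range(5)
    ]

    fw.outbound(user_syn)  # the user's web request goes out and is recorded

    return {
        "reply_acl": acl_established(server_synack),        # True: ACK is set
        "reply_stateful": fw.inbound(server_synack),        # True: matches the session
        "outside_syn_acl": acl_established(outside_syn),    # False: no ACK bit
        "outside_syn_stateful": fw.inbound(outside_syn),    # False: no session
        "flood_acl": sum(acl_established(p) for p in ack_flood),  # 5: every ACK is let in
        "flood_stateful": sum(fw.inbound(p) for p in ack_flood),  # 0: none belongs to a session
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:22} {verdict}")
```

The two checks agree on the legitimate reply and on the unsolicited SYN; they differ only on the ACK flood, which is exactly the gap the `established` keyword leaves open and a session table closes. Real firewalls also verify TCP sequence numbers and time out idle entries, which this model omits.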
Hi mikebernhardt,

First of all, I will be increasing the points for this question.

As I told you, I have a network with a router and firewall.
The router is the final device in my network.

The firewall inside interface address is 192.168.10.1.

The firewall outside interface address is 192.168.100.1, connected to the router inside interface 192.168.100.2.

This is how I have configured my firewall:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 100full
interface ethernet1 100full
ip address inside 192.168.10.1 255.255.255.0
ip address outside 192.168.100.1 255.255.255.0
nat (inside) 0 0 0
route outside 0 0 192.168.100.2 1

write memory

Then in the router I did this:

int ethernet 0
ip address 192.168.100.2 255.255.255.0

router rip
network 192.168.100.0

write memory

Please tell me whether this will be alright.

Please mail me.

I am also increasing the points.

Regards

Sagar
Also I have added:

access-list acl_in permit ip any any

access-group acl_in in interface inside

access-group acl_in in interface outside
Somehow I missed your earlier comments. Thanks for accepting my answer, but I want to make a minor suggestion:

It's a good idea not to use dynamic routing in a firewall area. You shouldn't run RIP on your outside router at all. Just have a static route to your inside network:
ip route 192.168.10.0 255.255.255.0 192.168.100.1

and on the PIX, have the static default route

route outside 0.0.0.0 0.0.0.0 192.168.100.2

I assume that you already have a static route to your ISP on the router; that would of course stay there.

The problem is that someone might be able to send false RIP routes into your router and then you're hosed.