Key Concepts:
  • Organization traffic and acceptable use policy (AUP) review: what counts as acceptable traffic
  • Strategies for Internet and private network separation
  • Firewall rules and their application in restricting and permitting data transit
  • Use of protected demilitarized zones (DMZs) to provide security for publicly facing bastion hosts
  • Conflicts between security strategies and requirements for availability

Network Security, Firewalls, and VPNs

Firewall Design Strategies

Limitations of a Firewall
A firewall is a key component of a security infrastructure, but it is not a simple, self-contained security measure. To design a firewall's security policy properly, you must understand what the firewall can and cannot do.

Consider the following questions about the limits of a firewall and of the features commonly bundled with one:
  • What are the limitations of a firewall?
  • What are the limitations of encryption with a firewall?
  • What are the benefits and drawbacks of malware scanning by firewalls?
  • What are the benefits and drawbacks of intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) provided by firewalls?
  • What are the benefits and drawbacks of a firewall acting as a virtual private network (VPN) endpoint?
Firewall Security Strategies
To understand the security strategies that can be applied with firewalls, consider the following scenario.
You are trying to determine the best approach for securing inbound traffic from the Internet to various application servers on your client's local area network (LAN). You want a strategy that gives the client fine-grained control over which users can reach which services, and that ensures all data entering the client's network is inspected before access is granted. Data integrity is the top priority; however, your client has a limited budget for deployment.

One common strategy is to combine defense in depth (several independent layers of control between the Internet and the servers, so that one failure does not expose the network) with defense in diversity (controls of different types or from different vendors at each layer, so that a single flaw does not defeat every layer). Both fit the scenario above because each layer can enforce its own access rules and inspect traffic before it reaches the next.
Reverse Proxy and Port Forwarding
A reverse proxy and port forwarding both play important roles in securing an organization's internal network. Each places a buffer between outside clients and the real server, so that clients never connect to the internal host directly: the proxy or forwarding device terminates or redirects the connection, conceals the internal addressing, and gives the firewall a single, well-defined path to inspect. Consider the following questions:
  • What is a reverse proxy?
  • What is port forwarding?
  • What is the benefit of adding port forwarding to network address translation (NAT)?
Bastion Hosts and Ingress or Egress Filtering
To reduce the impact of firewall limitations and add an extra level of security, many organizations use bastion hosts: hardened, minimal hosts placed in a protected DMZ segment that absorb public-facing exposure instead of the internal network. In addition, organizations apply ingress and egress filtering to limit the type of traffic flowing through the bastion hosts: ingress filtering drops inbound packets that claim an internal source address, and egress filtering drops outbound packets whose source is not one of the organization's own addresses.

Consider the following questions about bastion hosts and ingress or egress filtering:
  • How are bastion hosts used to avoid firewall limitations?
  • How does ingress and egress filtering help define firewall rules?
Need for Firewall Rules
Firewall rules, also known as filters, are instruction sets that indicate how a firewall should take action on network traffic.

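The definition above says what a rule is but not how an ordered rule set is evaluated. The following added example (not code from the course material; interface names, address ranges and rules are constructed) implements first-match evaluation with a default-deny policy, encodes the ingress and egress anti-spoofing rules discussed in the bastion-host section, and shows why rule order matters.

```python
# Added illustration of first-match firewall rule evaluation; not code from the
# course material. Interface names, address ranges and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LAN = "10.0.0.0/8"        # assumed private LAN range
DMZ = "192.0.2.0/24"      # assumed DMZ range (documentation prefix)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "drop"
    iface: Optional[str] = None    # None matches any interface
    src: str = ANY                 # CIDR the source must fall in
    dst: str = ANY                 # CIDR the destination must fall in
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or p.iface == self.iface)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.proto is None or p.proto == self.proto)
            and (self.dport is None or p.dport == self.dport)
        )


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; anything unmatched hits the default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"


# Ingress filtering: a packet arriving from the Internet may not claim an
# internal source address. Egress filtering: a packet leaving the LAN must
# carry an internal source address (anything else is spoofed or misrouted).
RULES = [
    Rule("drop", iface="ext", src=LAN),                            # ingress anti-spoof
    Rule("drop", iface="ext", src=DMZ),
    Rule("accept", iface="ext", dst=DMZ, proto="tcp", dport=443),  # public HTTPS to DMZ
    Rule("accept", iface="ext", dst=DMZ, proto="tcp", dport=80),   # public HTTP to DMZ
    Rule("accept", iface="int", src=LAN),                          # LAN may go out
    # Everything else (Internet -> LAN, LAN traffic with a foreign source)
    # falls through to the default drop in evaluate().
]


def order_matters() -> tuple:
    """Same rules with the anti-spoof drops moved last: the spoofed packet is
    now accepted by the HTTPS rule before the drop rule is ever consulted."""
    spoofed = Packet("ext", "10.0.0.5", "192.0.2.10", "tcp", 443)
    misordered = RULES[2:] + RULES[:2]
    return evaluate(RULES, spoofed), evaluate(misordered, spoofed)


if __name__ == "__main__":
    samples = [
        Packet("ext", "198.51.100.7", "192.0.2.10", "tcp", 443),  # Internet -> DMZ web
        Packet("ext", "198.51.100.7", "10.0.0.20", "tcp", 445),   # Internet -> LAN SMB
        Packet("ext", "10.0.0.5", "192.0.2.10", "tcp", 443),      # spoofed internal source
        Packet("int", "10.0.1.9", "203.0.113.4", "tcp", 443),     # LAN -> Internet
        Packet("int", "172.16.0.3", "203.0.113.4", "tcp", 443),   # egress spoof
    ]
    for pkt in samples:
        verdict = evaluate(RULES, pkt)
        print(f"{pkt.iface:>3} {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport}: {verdict}")
    print("rule order (correct, misordered):", order_matters())
```

The evaluator never reaches an "accept" without an explicit rule, which is the default-deny posture the lesson's objectives call for. Real firewalls add connection tracking so that reply traffic does not need its own rule; the anti-spoofing drops still belong before any accept rule, as `order_matters()` shows.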

In this section, you will have an opportunity to practice the concepts and processes that you have explored in this lesson.

The Hands-On Lab provides you with an engaging learning experience that is diagnostic and flexible. Following the instructions provided in the Lab Manual, you will be able to practice the steps IT Security Specialists perform on a daily basis and develop the skills required for effective execution and management of IT Security operations.

In this section, you will have an opportunity to apply what you have learned in this lesson in the context of analyzing a business situation. Although simplified, the problem scenario provided here depicts the challenges often faced by professionals in the workplace.

In this interactive case study, you will explore a business situation, review critical information related to the problem discussed in the case, decide on the course of action, and receive a decision analysis summary that discusses the implications of your decision. Once you analyze the impact of your decision, explore alternative solutions to learn about other potential ways to address the issue in the case. Complete your work on the case by submitting the graded assignment that will reflect on your process of analyzing the business situation and defining an appropriate course of action.

You have been working on the Corporation Tech network project. Your manager now wants to inform you about your next task, which is a continuation of the assignment based on the Corporation Tech scenario.

Corporation Tech's network configuration affects the options available for security and network defense. I would like you to design an updated network structure that separates the private and public services within Corporation Tech's network. All the best!
Contributing Factors
The following sources provide the information available for this case.

  • Ask a consultant
  • Read the e-mail
  • Review the critical considerations


Consultant's advice (Tim Hanks):

Refer back to the network survey created at the start of this project, together with host vulnerability assessments and access requirements. The Web server of Corporation Tech provides public access to the organization's static Web site for contact information, while sales team members in the field transfer contract and bid documents by using a site secured with a logon id and password. Try designing a network configuration that includes network gateways, port or address redirection systems, and the location of hosts within private and protected network segments.

E-mail (Mike Hutchins):

Hi,

As already discussed, you need to create a new network structure that separates the private and public services within Corporation Tech's network.

When designing the new network structure, include network gateways, port or address redirection systems, and the location of firewalls, routers or switches, and hosts within private and protected network segments.

All the best!

Regards,
Mike Hutchins
Critical considerations:
Consider the following when you create the new network design:
  • All of Corporation Tech's computer systems share the same class C public IP address range, including workstations and servers providing authentication, e-mail, and both secure and public Web sites.
  • The Internet service provider (ISP) costs are high due to the subnet lease, and it would be beneficial if the new network design could reduce the number of public addresses needed.
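The considerations above ask for a design that separates public from private services and reduces the number of public addresses. The following nftables ruleset is an added illustration of one such design and is not part of the course material. It assumes three interfaces (eth0 towards the ISP with a single public address, eth1 to a DMZ holding the Web server as a bastion host, eth2 to the private LAN) and uses documentation address ranges; the interface names and addresses are assumptions. Both the static public site and the logon-protected document site live on the one DMZ host behind a DNAT port forward, so only one public address is needed, and the private LAN is never reachable from the Internet or from the DMZ.

```nft
# Added illustration for the Corporation Tech challenge; not course material.
# Assumptions: eth0 = ISP side, public address 203.0.113.10
#              eth1 = DMZ 192.0.2.0/24, Web server (bastion host) 192.0.2.10
#              eth2 = private LAN 10.0.0.0/8
flush ruleset

define PUB = 203.0.113.10
define WEB = 192.0.2.10
define DMZ = 192.0.2.0/24
define LAN = 10.0.0.0/8

table inet filter {
    chain input {
        # traffic to the firewall itself: admin access from the LAN only
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname "eth2" ip saddr $LAN tcp dport 22 accept
        ip protocol icmp accept
    }

    chain forward {
        # traffic through the firewall: default deny, explicit permits only
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # ingress filtering: nothing from the Internet may claim an inside source
        iifname "eth0" ip saddr { $LAN, $DMZ } drop
        # egress filtering: only our own addresses may leave towards the ISP
        oifname "eth0" ip saddr != { $LAN, $DMZ } drop

        # public Web sites: Internet reaches the DMZ host only, on 80 and 443
        # (the DNAT below has already rewritten the destination to $WEB)
        iifname "eth0" ip daddr $WEB tcp dport { 80, 443 } accept

        # LAN users may browse out; the LAN is never a destination from outside
        iifname "eth2" oifname "eth0" ip saddr $LAN accept

        # the bastion host may not initiate connections into the LAN
        iifname "eth1" oifname "eth2" drop
    }
}

table ip nat {
    chain prerouting {
        # port forwarding: the single public address fronts the Web server
        type nat hook prerouting priority -100;
        iifname "eth0" ip daddr $PUB tcp dport { 80, 443 } dnat to $WEB
    }

    chain postrouting {
        # source NAT: LAN and DMZ share the one public address outbound
        type nat hook postrouting priority 100;
        oifname "eth0" snat to $PUB
    }
}
```

Check the syntax with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`. Port 80 is permitted only for the static contact site; the document-transfer site, which carries a logon ID and password, should be served over 443 only, since the task list asks you to eliminate clear-text transfers. The bastion host gets no outbound permit in this ruleset; add a narrow one (for example, to an update mirror) if it needs one, rather than a general allow.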
Course of Action
Use the following checklist as a guide to complete this assignment.

Tasks

  • Consider the advice of the consultant.
  • Review the critical considerations.
  • Access the previously gathered data in Part 1 of this project.
  • Identify vulnerabilities and clear-text information transfer.
  • Conduct research and determine the best network design to ensure security of internal access while retaining public Web site availability.
  • Identify any opportunities for reduced ISP costs through port redirection or address translation.
  • Design a network configuration, identifying network gateways, port or address redirection systems, and the location of hosts within private and protected network segments.
  • Create a professional report detailing the information above as supportive documentation for the network security plan.
  • Create a report that includes a basic network diagram and research results.
At the end of this lesson, you should be able to:
  • Assess firewall rules by specifying the items that need to be allowed and blocked and describe various firewall security strategies.
  • Explain the importance of firewall logging, monitoring, and bastion hosts.
  • Explain the limitations and weaknesses of firewalls and evaluate the benefits and drawbacks of firewall enhancements.
  • Define the concerns of encryption related to firewalls and the pros and cons of a reverse proxy and port forwarding.
In this lesson, you will learn about the limitations and weaknesses of firewalls and the benefits and drawbacks of various firewall enhancements. You will explore the importance of a reverse proxy and port forwarding in a firewall and learn to use bastion hosts and ingress and egress filtering to support a firewall. In addition, you will look at guidelines for creating firewall rules.