
Firewall Configuration Module for OS7400 Distribution

This training module provides an overview of firewall configuration, NAT concepts, and scenarios to help trainees configure a firewall effectively.


Presentation Transcript


  1. OS7400 Firewall Configuration Module (English distribution) • Module No.: • February, 2007 • Mail to training@samsung.com

  2. Objectives • After successful completion of the course, the trainees should be able to execute the following activities: • Configure a firewall. ⓒ SAMSUNG Electronics Co.,Ltd.

  3. Contents • Overview • NAT Configuration • Firewall Configuration • Scenarios

  4. Overview

  5. What is a Firewall? • A firewall is a secure gateway used within a network to limit access from an untrusted network. • The firewall uses predefined rules to examine traffic and determine whether each packet meets the established security criteria for the requested destination.

  6. Features of Firewall • Features • Stateful inspection • NAT (Network Address Translation) • Filtering: URL keyword filtering, packet filtering, ICMP filtering

  7. NAT

  8. NAT • NAT: Network Address Translation • A method of connecting multiple computers to the Internet using one (public) IP address. • Raises the level of security within the network by hiding its internal structure; note that hiding addresses is not access control, and the firewall rules still decide which traffic is admitted. • A solution to the IP address depletion problem: multiple hosts share a limited number of public IP addresses.

  9. NAT • Basic NAT concept • Inside: private network • Outside: public network

  10. Types of NAT • Dynamic NAT: maps private IP addresses to public IP addresses drawn from a pool of public addresses, on a many-to-many basis. • Static NAT (Reverse NAT): maps a private IP address to a public IP address on a one-to-one basis. • PAT (Port Address Translation): a form of dynamic NAT that maps multiple private IP addresses to a single public IP address by using different source ports; a many-to-one mapping. • Redirect NAT (Port Forwarding): packets arriving at a specific public IP address and port are redirected to another specific IP address and port.

  11. NAT configuration • Enable

  12. NAT configuration • Basic Mode configuration: Dynamic NAT (Diagram: LAN 100.0.0.1 ~ 100.0.0.254, with host 100.0.0.2 shown, -> OfficeServ7400 NAT -> WAN 20.0.0.1 ~ 20.0.0.254)

  13. NAT configuration • Advanced Mode configuration: Dynamic NAT

  14. Port forward • Basic mode • A designated external PC can access the internal PC. • Example: DMZ (mail server, web server, etc.) (Diagram: external host 30.0.0.x -> OfficeServ7400 30.0.0.1 -> internal host 20.0.10.1)

  15. Port forward • Advanced mode • Set a more detailed filter: protocol and port number. (Diagram: 30.0.0.x:8080 -> OfficeServ7400 30.0.0.1 -> 20.0.10.1:8080)

  16. Static NAT configuration • Static NAT configuration: one to one

  17. Hands-on Practice of NAT

  18. NAT Configuration: VoIP service between OfficeServ 7200 #1 and #2 (Diagram) • SITE A: OS7200 #1, public 213.134.199.134; MCP 100.0.1.20; MGI 100.0.1.30; ITP (2101); DGP (2100); host 100.0.1.35. • SITE B: OS7200 #2, public 213.134.199.135; MCP 100.0.2.20; MGI 100.0.2.30; ITP (2201); DGP (2200); host 100.0.2.35. • ISP side: ITP (3202) at 165.213.109.187 and ITP (3302) at 165.213.110.187.

  19. Concept of SIP over NAT (Diagram) • OS7200: public fixed IP 165.213.82.162, internal private network 10.0.2.1/24; NAPT at the boundary. • MCP (10.0.2.2): 10.0.2.2:6000 <-> 165.213.82.162:6000 (ITP 3202); 10.0.2.2:9000 <-> 165.213.82.162:9000 (ITP 3201). • MGI (10.0.2.3): 10.0.2.3:30000~30031 <-> 165.213.82.162:30000~30031 UDP. • Also shown: DGP (2001), a host at 10.0.2.20, and a remote MCP/MGI at 165.213.82.100.

  20. Auto-Config. NAPT for VoIP over NAT • 1719: H.323 (RAS) • 1720: H.323 (call signalling) • 5060: SIP • 30000 ~ 30031: VoIP media • 6100: IP Network • 6000, 9000: ITP signalling, used for dynamic NAPT mapping of the media ports • 5000: PC-MMC

  21. How to configure SIP over NAT (MCP) • Site A MMC configuration: MMC 830: IP 10.0.0.2 / GW 10.0.0.1 / Netmask 255.255.255.0 / Public 165.213.109.186; System IP Type: Private with public. MMC 831: IP 10.0.0.3 / GW 10.0.0.1 / Netmask 255.255.255.0 / Public 165.213.109.186 / Public port 20000; System IP Type: Private with public. • Site B MMC configuration: MMC 830: IP 192.168.0.2 / GW 192.168.0.1 / Netmask 255.255.255.0 / Public 165.213.110.186; System IP Type: Private with public. MMC 831: IP 192.168.0.3 / GW 192.168.0.1 / Netmask 255.255.255.0 / Public 165.213.110.186 / Public port 20000; System IP Type: Private with public.

  22. NAT Practice #1 (Static Route) • Or: ip route 0.0.0.0/0 172.16.0.2

  23. NAT Practice #2 (Dynamic Route)

  24. Firewall

  25. Overview • Stateful inspection • The firewall maintains a table of active sessions. • Each entry records the session's source and destination IP addresses and port numbers. • Entries are created only for connections/streams that satisfy a defined security policy; packets belonging to those sessions are permitted to pass through the firewall. • Five basic elements: source address, destination address, source port, destination port, protocol.

  26. Enable and Disable • Enable / Disable

  27. Filter configuration • Basic Mode configuration (Diagram: OfficeServ7400 at 20.0.0.203 between the 30.0.0.x and 100.0.0.x networks)

  28. Filter configuration • Advanced Mode configuration

  29. Remote access • Remote access • Allows or denies remote hosts access to the system via the web UI, SSH, FTP and Telnet. • Caution: when the default policy is set to "deny", the administrator's IP address must be entered in the "Administration IP" field; otherwise the user's own HTTPS session will be disconnected. Enter the Administration IP first, then switch the default policy.

  30. IP filtering • Packet filtering • Allows the user to block packets from PCs with specific IP addresses connected to the system.

  31. URL filtering • URL filtering • Denies web access from PCs with specific IP addresses connected to the system.

  32. ICMP filtering • ICMP filtering • Denies Internet Control Message Protocol (ICMP) Echo Request and Timestamp Request packets. • Select the target interface and enable it to apply this table to that interface.

  33. Scenario (for Internal FTP Server) • To allow remote users to access your internal FTP server, you configure a port forwarding entry for the server. Remote users who know the DNS name of your server or the public IP address of the GWIM can then connect to it. But what about internal users in the same LAN? 1. The user PC sends packets destined to the public IP address to access the server. 2. The GWIM forwards the packets to the internal FTP server after DNAT processing, as configured. 3. The FTP server sends reply packets with its own IP address as the source, and they are delivered directly because the PC is in the same LAN as the server. 4. The TCP connection fails because the session initiated by the user expects the public IP address of the GWIM as the peer address. (Diagram: GWIM with eth0 WAN 165.213.66.62 and eth2 LAN 10.0.2.1; PC 10.0.2.101 and internal FTP server 10.0.2.100 on the LAN; steps 1 to 4 marked.)

  34. NAT & Firewall #2 (Internal FTP Server) (Diagram: same topology as the previous slide, eth0 WAN 165.213.66.62, eth2 LAN 10.0.2.1, PC 10.0.2.101, internal FTP server 10.0.2.100, with the reply now passing through the GWIM.) • You can solve this problem by adding an additional SNAT rule (refer to the next slide). • Packets received on the LAN device (eth2) that will be forwarded out through the same LAN device (eth2): apply SNAT (Source NAT) with the LAN IP (source IP 10.0.2.101 -> 10.0.2.1). • The reply packets are then addressed to the GWIM, and conntrack reverses both translations before forwarding them to the PC (source IP 10.0.2.100 -> 165.213.66.62, destination IP 10.0.2.1 -> 10.0.2.101), so the PC sees the peer it connected to. • Actually you need to configure a port forwarding rule for the FTP data session and you

  35. Hands-on Practice of Firewall

  36. Firewall Configuration 1. Basic Configuration: the Configuration menu specifies which packets may pass through the system. • Basic Mode: enter the minimum option values for packet filtering. • Advanced Mode: add additional options for packet filtering. 2. Remote Access: the Remote Access menu allows or denies access to the system from outside. 3. IP Filtering: the IP Filtering menu blocks packets from specified IP addresses. 4. URL Filtering: the URL Filtering menu blocks web access through the system. 5. ICMP Filtering: the ICMP Filtering menu blocks the system's ICMP replies (incoming Echo Request and Timestamp Request packets are denied).

  37. Firewall Practice #1 • Test 1: deny all packets • Test 2: allow some specific packets • Test 1) Firewall – Configuration – Advanced Mode: Source IP: all; Destination IP: all; Port: all; Target: Deny • Test 2) Firewall – Configuration – Advanced Mode: Source IP: 20.0.0.0/24; Destination IP: all; Port: 23; Target: Allow • Source IP: 20.0.0.0/24; Destination IP: all; Port: 80; Target: Allow
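The session-table logic of slide 25, loaded with the Firewall Practice #1 rule set of slide 37, as an added Python example. This is not OfficeServ code, and the page does not describe the real engine's rule-evaluation order; the example assumes top-down, first-match evaluation, so the two allow entries are placed before the deny-all entry. The WAN host 192.168.0.116 and every packet below are constructed.

```python
# Added example, not Samsung/OfficeServ code: a stateful packet filter built on the
# five-tuple session table of slide 25, loaded with the Firewall Practice #1 rules.
# Assumption: rules are evaluated top-down, first match wins; sample packets are constructed.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport syn")


class StatefulFilter:
    def __init__(self, rules):
        # rules: (source CIDR, destination CIDR, destination port or None for all, action),
        # evaluated top-down, first match wins; no match falls through to deny
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), port, action)
                      for s, d, port, action in rules]
        self.sessions = set()   # five-tuples of connections already admitted by policy

    def _policy(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for s_net, d_net, port, action in self.rules:
            if src in s_net and dst in d_net and port in (None, pkt.dport):
                return action
        return "deny"

    def process(self, pkt):
        """Return the verdict for one packet and update the session table."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions or reverse in self.sessions:
            return "allow (established)"      # both directions of an admitted session pass
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny (no session)"        # a stray non-SYN segment never opens a session
        if self._policy(pkt) == "allow":
            self.sessions.add(key)            # new session admitted by policy
            return "allow (new)"
        return "deny (policy)"


def practice1_filter():
    """Firewall Practice #1: deny everything, then allow 20.0.0.0/24 to ports 23 and 80."""
    return StatefulFilter([
        ("20.0.0.0/24", "0.0.0.0/0", 23, "allow"),   # Test 2: telnet
        ("20.0.0.0/24", "0.0.0.0/0", 80, "allow"),   # Test 2: web
        ("0.0.0.0/0",   "0.0.0.0/0", None, "deny"),  # Test 1: deny all packets
    ])


if __name__ == "__main__":
    fw = practice1_filter()
    print(fw.process(Packet("tcp", "20.0.0.2", 40000, "192.168.0.116", 23, True)))
    print(fw.process(Packet("tcp", "192.168.0.116", 23, "20.0.0.2", 40000, False)))
    print(fw.process(Packet("tcp", "20.0.0.2", 40002, "192.168.0.116", 22, True)))
```

If the deny-all entry were evaluated before the allow entries in a first-match engine, nothing from Test 2 would ever match, so confirm the order in which the Advanced Mode list is applied before trusting a test result. Note also that the reply from port 23 is admitted by the session table, not by any rule: a stateless filter would need an explicit return-traffic entry, which is exactly what stateful inspection makes unnecessary.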

  38. Firewall Practice #1 (Diagram: WAN 192.168.0.0/16; System network Eth0: 192.168.17.10/16, Eth3: 20.0.0.1/24; LAN 20.0.0.0/24)

  39. Firewall Practice #2: Remote Access (Diagram: WAN 192.168.0.0/16; System Eth0: 192.168.17.10, Eth1: 20.0.0.1, Eth2: 20.0.1.1; LAN 20.0.0.0/24 and LAN 20.0.1.0/24) • Test 1) Firewall – Remote Access – Default Policy: Default Policy: deny; Administration IP: 192.168.0.116

  40. Firewall Practice #2: Remote Access • Test 2) Firewall – Remote Access – Remote IP Configuration: Source IP: 20.0.0.2/32; Port: 23,443; Target: Allow

  41. NAT & Firewall #1: OfficeServ7200 configuration (Diagram: SIP server, PC, ITP, FTP server, SIP phone, web server and DGP connected to the OfficeServ7200) • (A): Web, FTP service • (B): VoIP service (ITP, MGI) • (C): VoIP service (SIP-ALG) • Connection with RJ45

  42. NAT & Firewall #1: OfficeServ7200 service flow (Diagram) • Public: 61.2.3.4; Private: 10.0.0.1/24; DMZ: 192.168.0.1/24; modules LIM and WIM, with NAT and filter applied at the WIM (WAN 10.0.0.1, LAN 10.0.0.1/24). • (A) Web/FTP: Web 61.2.3.4:80 -> WebServer 192.168.0.10:80; FTP 61.2.3.4:21 -> FTPServer 192.168.0.20:21. • (B) VoIP (ITP, MGI): MCP (10.0.0.2): 61.2.3.4:6000 UDP <-> 10.0.0.2:6000 UDP (DGP), 61.2.3.4:9000 UDP <-> 10.0.0.2:9000 UDP (ITP); MGI (10.0.0.3): 61.2.3.4:30000~30031 UDP <-> 10.0.0.3:30000~30031 UDP; ITP 10.0.0.20. • (C) VoIP (SIP ALG): 61.2.3.4:5060 UDP <-> MCP (10.0.0.2); SIP phone 10.0.0.101 on the private side; SIP server and SIP phone on the Internet.

  43. NAT & Firewall #2 (Internal FTP Server): repeats the scenario text and diagram of slide 33.

  44. NAT & Firewall #2 (Internal FTP Server): repeats the solution text and diagram of slide 34.

  45. NAT & Firewall #2 (Internal FTP Server) • Dynamic NAPT (SNAT) for LAN-to-LAN packets: src IP 10.0.2.x -> 10.0.2.1 • Port forwarding for the FTP control session and for the data sessions (passive mode)
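The NAT behaviour described on slides 10, 14 to 15 and 33 to 34/45, as an added Python model; this is not OfficeServ or GWIM code. It keeps a conntrack-style table, applies PAT to LAN-to-WAN traffic, a port-forwarding (DNAT) entry for the FTP control port, and the optional LAN-to-LAN SNAT of slide 45, and then replays the four steps of the internal-FTP-server scenario with and without that SNAT. The addresses are those of the slides; the WAN client 203.0.113.5, the client source ports and the PAT port range starting at 40000 are constructed assumptions, and only the FTP control connection is modelled (passive-mode data ports would need the additional forwarding entries slide 45 mentions).

```python
# Added example, not Samsung/OfficeServ code: a small model of a conntrack-style NAT
# gateway (the GWIM of the slides) with PAT for LAN-to-WAN traffic, DNAT port forwarding,
# and the optional LAN-to-LAN SNAT used to fix the "internal FTP server" scenario.
# Addresses come from the slides; the WAN client 203.0.113.5, the source ports and the
# PAT port range (from 40000) are constructed for the example.
from dataclasses import dataclass, replace

PUBLIC_IP, LAN_IP = "165.213.66.62", "10.0.2.1"   # GWIM eth0 / eth2 (from the slides)
PC, FTP = "10.0.2.101", "10.0.2.100"              # LAN PC / internal FTP server
LAN_NET = "10.0.2."                               # 10.0.2.0/24; a prefix test is enough here


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self, hairpin_snat=False):
        self.hairpin_snat = hairpin_snat                  # slide 45 LAN-to-LAN SNAT on/off
        self.port_forward = {(PUBLIC_IP, 21): (FTP, 21)}  # redirect NAT entry for FTP control
        self.conntrack = {}      # original forward packet -> translated forward packet
        self.next_pat_port = 40000

    def _untranslate_reply(self, pkt):
        """If pkt answers the translated side of a known flow, undo both translations."""
        for orig, xlat in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (xlat.dst, xlat.dport, xlat.src, xlat.sport):
                return Pkt(orig.dst, orig.dport, orig.src, orig.sport)
        return None

    def forward(self, pkt):
        """Process one packet arriving at the GWIM and return it as it leaves."""
        reply = self._untranslate_reply(pkt)
        if reply is not None:
            return reply
        out = pkt
        target = self.port_forward.get((pkt.dst, pkt.dport))
        if target:                                    # DNAT: port forwarding
            out = replace(out, dst=target[0], dport=target[1])
        src_lan, dst_lan = pkt.src.startswith(LAN_NET), out.dst.startswith(LAN_NET)
        if src_lan and not dst_lan:                   # PAT: many private hosts -> one public IP
            out = replace(out, src=PUBLIC_IP, sport=self.next_pat_port)
            self.next_pat_port += 1                   # a fresh port keeps colliding flows apart
        elif src_lan and dst_lan and self.hairpin_snat:
            out = replace(out, src=LAN_IP)            # LAN-to-LAN SNAT from slide 45
        self.conntrack[pkt] = out
        return out


def connects(gw, client, cport):
    """Model steps 1 to 4 of the FTP scenario; True if the client sees the peer it dialled."""
    request = Pkt(client, cport, PUBLIC_IP, 21)           # 1. client dials the public address
    at_server = gw.forward(request)                       # 2. GWIM applies DNAT (and maybe SNAT)
    reply = Pkt(FTP, 21, at_server.src, at_server.sport)  # 3. server answers the source it saw
    via_gateway = reply.dst == LAN_IP or not reply.dst.startswith(LAN_NET)
    if via_gateway:
        reply = gw.forward(reply)                         # 4. conntrack reverses the translation
    return reply.src == request.dst and reply.dst == request.src


def pat_ports(gw, hosts, sport):
    """Outbound PAT: public ports assigned to several LAN hosts that use the same source port."""
    return [gw.forward(Pkt(h, sport, "203.0.113.5", 80)).sport for h in hosts]


if __name__ == "__main__":
    print("LAN PC, no hairpin SNAT:", connects(Gateway(), PC, 50000))
    print("LAN PC, hairpin SNAT:   ", connects(Gateway(hairpin_snat=True), PC, 50000))
    print("WAN client:             ", connects(Gateway(), "203.0.113.5", 4000))
```

Without the hairpin SNAT the server's reply goes straight to 10.0.2.101 with source 10.0.2.100, which the PC's socket does not recognise as its peer 165.213.66.62; with it, the reply is addressed to 10.0.2.1, the conntrack entry matches the reversed tuple, and the PC receives a packet from 165.213.66.62 as expected. The WAN client works either way, which is why the problem is easy to miss when testing only from outside.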
