Monday, August 27, 2012

FirewallTips

Let's share our knowledge of network security! Here we discuss how to secure your network properly. This website mainly covers firewalls and firewall technology. We would also like to discuss open source firewalls such as pfSense and Untangle, which will help you configure your own open source firewall without any issues.

Our Q&A page mainly covers problems highlighted by users. We will give you an optimum solution with expert help. You can raise any number of cases, and our experts will help you very soon.

How to configure a firewall

Firewall Configuration
According to the user manual, you have to identify the external and internal ports available on the firewall. Most of the time, you will be able to configure an internal port as an external port. External ports can be configured for DHCP, static or PPPoE connections. Some firewalls provide load balancing and failover features. The basic idea is packet filtering, but these days firewalls offer more features to get the best performance. After you have configured the external port, you can configure the internal ports, which connect to the local area network (LAN). You need a free IP address from the LAN IP block. When you design your infrastructure, you must plan how many IP addresses are needed and how many users will log in to the network (internal and external).
Application servers can be placed in the network. If a server is for internal use, you can connect it to the local area network, because you are not going to allow external people to access or work on it. But if you have web servers and e-mail servers in your network, you had better connect them to a separate network called the DMZ. The DMZ (demilitarized zone) is a secure zone that external users can be allowed to reach, because you configure it outside of your local area network. The advantage of this implementation is that if someone manages to hack a server in the DMZ, they will not be able to access your local area network.
The LAN port is basically configured as a trusted port. Several internet connections can be connected to the firewall through external ports. Further, if you have another network that needs a separate IP block, you can bind that IP block to the existing LAN port as well. After you have configured the internal, external and DMZ interfaces, you have to save this configuration on your firewall before you log out.

Firewall Policies 
Each firewall comes with several default policies, and you can use the default configuration to allow web access through the firewall. But you have to configure more policies to secure your network properly. You can control access at port level and assign user groups to access each port. That means that through the firewall you can monitor user access in depth and deny user access to the relevant ports, which is more important.
Some firewalls have proxy policies too. Therefore they can control web access, and URL filtering is also available. E.g. WatchGuard.
Unlike other firewalls, the WatchGuard firewall has a very important feature: it can filter subdomains as well. We call it the “web blocker” service. Therefore, if someone wants to block Facebook mail, he can block Facebook mail only. Users can access the Facebook main page, but they cannot use Facebook mail.
 
NAT
NAT is very important because it gives you more control over the network. Using NAT you can bind an internal IP address to an external (real) IP address. Therefore, most network administrators use this feature in their networks.
There are three major methods:
1. Dynamic NAT
2. Static NAT
3. 1-to-1 NAT
1-to-1 NAT is mainly used where traffic flows inward as well as outward. That means if you need to manage traffic in both directions, you need to use the 1-to-1 NAT option. Basically this implies data transfer from one range of network addresses to another. If you are concerned with traffic that goes from inside to outside, you had better go for dynamic NAT. If you need to set up your network to manage traffic from outside to inside, you need to go for static NAT.
E.g. ABC (Pvt) Ltd has a domain called www.abc.com and e-mail addresses such as xyz@abc.com. So they have a real IP address associated with their domain. Their mail server is located in their network, in the DMZ zone of the firewall. They have assigned a local IP address to the mail server, and in such a scenario they can use a NAT rule in their firewall.
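The three NAT methods and the mail server scenario above, modelled as address translation functions. This is an added example, not code from any firewall vendor; every address is constructed (203.0.113.0/24 is a documentation range), and dynamic NAT is simplified to rewriting the source to a single external address.

```python
import ipaddress

EXTERNAL_IP = "203.0.113.10"   # constructed public address on the external port

# Static NAT: inbound (public IP, port) -> internal server (constructed values).
# Here: SMTP for the mail server that sits in the DMZ with a local address.
STATIC_NAT = {("203.0.113.10", 25): ("10.0.2.25", 25)}

# 1-to-1 NAT: a public range mapped address-for-address onto an internal range.
ONE_TO_ONE = (ipaddress.ip_network("203.0.113.32/29"),
              ipaddress.ip_network("10.0.2.32/29"))

def _map_range(addr, from_net, to_net):
    """Map addr from one range to the same offset in the other range."""
    ip = ipaddress.ip_address(addr)
    if ip not in from_net:
        return None
    offset = int(ip) - int(from_net.network_address)
    return str(to_net.network_address + offset)

def translate_outbound(src):
    """Source address as seen on the external side of the firewall."""
    public, private = ONE_TO_ONE
    # 1-to-1 hosts keep their own public address; everyone else shares
    # the external address (dynamic NAT, inside to outside only).
    return _map_range(src, private, public) or EXTERNAL_IP

def translate_inbound(dst, dport):
    """Internal (ip, port) for an inbound packet, or None if nothing maps."""
    public, private = ONE_TO_ONE
    mapped = _map_range(dst, public, private)
    if mapped:
        return (mapped, dport)               # 1-to-1 works in both directions
    return STATIC_NAT.get((dst, dport))      # static NAT: outside to inside

if __name__ == "__main__":
    print(translate_outbound("10.0.1.50"))         # LAN user, dynamic NAT
    print(translate_outbound("10.0.2.34"))         # 1-to-1 host
    print(translate_inbound("203.0.113.10", 25))   # mail reaches the DMZ server
    print(translate_inbound("203.0.113.10", 5900)) # no mapping, not forwarded
```

An inbound packet that matches neither table returns `None`, which is why only the services you publish through NAT are reachable from outside.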

Firewall Policy – Firewall Rules
Once you add a policy to your firewall, it tells the firewall to allow or deny traffic. A policy can allow or deny traffic according to the destination IP address, the source IP address or the protocol.
There are basically two types of policy: packet filter policies and proxy policies. A packet filter mainly inspects the IP header of each packet that passes through the firewall. Proxy policies examine the entire packet content as well as the protocol of the connection. A proxy works at the application, network and transport layers of the OSI model, but a packet filter works only at the network and transport layers.
A packet filter is the easiest way to manage a large amount of traffic. Proxies can be used to block or deny traffic by protocol. Beyond that, we can define custom policies according to our requirements, such as port numbers and protocols.
How to create a custom policy in WatchGuard WSM
Create a policy for VNC, where the port number is 5900 and the trusted network is 10.0.1.201:
1. Select Edit > Add Policy
2. Click New
3. Type VNC in the Name text box
4. Type Virtual Network Computing in the Description text box
5. Select Packet Filter for the Type option
6. Click Add to define the protocol and ports
7. Select Single Port in the Type drop-down list
8. Select TCP in the Protocol drop-down list
9. Type 5900 in the Server Port text box
10. Click OK to close the Add Protocol dialog box
11. Click OK to close the New Policy Template dialog box
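How a packet filter policy like the VNC one decides on a packet, using header fields only. This is an added example, not WatchGuard code: the From/To values (host 10.0.1.201 allowed to reach a constructed 10.0.2.0/24 network) and the deny-by-default behaviour for unmatched traffic are assumptions, since the steps above define only the protocol and port.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:            # header fields only: all a packet filter inspects
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Policy:
    name: str
    action: str          # "allow" or "deny"
    proto: str
    dport: int
    src_net: str
    dst_net: str

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))

# The VNC policy (TCP, single port 5900); source and destination are assumed.
POLICIES = [Policy("VNC", "allow", "tcp", 5900, "10.0.1.201/32", "10.0.2.0/24")]

def evaluate(pkt, policies=POLICIES):
    """First matching policy wins; unmatched traffic is denied (assumed default)."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action, pol.name
    return "deny", "default"

# Constructed sample packets.
SAMPLES = [
    Packet("10.0.1.201", "10.0.2.10", "tcp", 5900),  # the permitted VNC session
    Packet("10.0.1.50", "10.0.2.10", "tcp", 5900),   # right port, wrong source
    Packet("10.0.1.201", "10.0.2.10", "udp", 5900),  # right port, wrong protocol
    Packet("10.0.1.201", "10.0.2.10", "tcp", 5901),  # second VNC display, not covered
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(pkt))
```

Because the policy is a single TCP port, a second VNC display on 5901 is not covered and would need its own policy or a port range.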
 

Tuesday, August 21, 2012

Examples

Example 1
Case study: ABC (Pvt) Ltd has a leased line with a router, which is used for web-based e-mail and internet browsing. They do not have a firewall and plan to implement one in their infrastructure. The router was provided by the ISP, and ABC has no control over it. They cannot change their LAN block either.

Option 1
We can configure the firewall in transparent mode (bridge mode). There are several advantages and disadvantages to this method. In bridge mode, all the interfaces are in the same network, so you will not get much control over it. The only thing you can do is monitor all the packets transferred inbound and outbound.

Further, you can implement the firewall's other security features, such as application control and URL filtering.


Example 2
The WatchGuard X1250e is a really outdated box that is no longer available on the market. After this series of firewalls, WatchGuard introduced the XTM box, which has more features. The X1250e comes with firmware version 10.2, and you can upgrade it to XTM version 11.5, as you did on your existing firewall. But you will not be able to upgrade from 10.2 to 11.5 in one step. First you have to upgrade to firmware version 11.3b, and then you can upgrade to firmware version 11.5.
In your case, you have to upgrade the new WatchGuard X1250e box to firmware version 11.5, and then you can configure Firebox clustering.
The WatchGuard high availability (HA) feature is known as “FireCluster”, which is what you are going to implement in your network. There are two options, called “Active/Active” and “Active/Passive” clustering. With an “Active/Active” cluster you get load balancing, and with an “Active/Passive” cluster you get redundancy.

Monday, August 20, 2012

Introduction to a firewall


A firewall has several important interfaces: the external interface, trusted interfaces and optional interfaces. Any other port can also be configured as an external port. Every firewall supports a maximum number of external interfaces.




LAN (Local Area Network)
After we place the firewall in our infrastructure, we can identify each interface according to its network. The local area network, which we know as the LAN arm, connects directly to the core switch in the network. All users connect to the local area network, and a few servers can also be installed in this zone.

DMZ (Demilitarized Zone)
For any service that needs to be offered to outsiders or external users, the better way is to place the relevant servers separately from the local area network, for security. Therefore we implement them in the DMZ, which improves network security. The following services should be offered to external users:

1. Web service
2. E-mail Service
3. FTP service
4. VoIP service

Servers for the above services should be placed in the DMZ to achieve a secure network.

EXTERNAL

The external connection must be connected to this port. This might be a leased line or an ADSL line.

Saturday, August 11, 2012

Basics of Firewall





There are two categories of firewall available, depending on your requirement.

1. Software Firewalls (Program)
2. Hardware Firewalls (Appliance)

Basically, a firewall can be used to control access within the network as well as access from outside. Moreover, it can control network traffic and provide a secure network to the end user. Further, a firewall can be used to control data access, control applications and stop viruses at the gateway level. That means you can block viruses before they execute in your network and delete them at the gateway.

Insecure Network


Without a proper firewall, you will not be able to achieve a secure network. An insecure network gives you lots of trouble, such as hacking of information, loss of information and low performance of your internal network. This leads to dissatisfaction, and you will not be able to give priority to the mission-critical applications in your organization.

Software Firewalls
1. iptables
2. ISA
3. ZoneAlarm

Hardware Firewalls
1. WatchGuard
2. Juniper
3. FortiGate
4. Check Point
5. Cisco

There are several buying factors to consider when you buy a firewall for your organization, not only the brand name. When you look across firewall models, they use the same technology and techniques but vary in the features available.

Buying Factors of a Firewall

1. Firewall throughput
2. VPN Throughput
3. Concurrent Sessions per second
4. Number of Interfaces
5. AV (Antivirus) Throughput
6. UTM throughput

Firewall Throughput
Most of the time, we have to consider firewall throughput according to our requirement. The number of users in the network, the user applications and the number of external links also have to be considered. Given the number of users in the network, you need to go for a firewall with reasonable throughput.

VPN Throughput
The number of VPN users also needs to be considered when you purchase a firewall, because the number of VPN connections depends on the VPN throughput.

Concurrent Sessions Per Second
This also needs to be considered, because the number of users and their usage depend on the number of concurrent sessions the firewall can handle.

Number of Interfaces
You must consider your infrastructure before you buy the firewall, because there are limits on the number of external interfaces available. So this must be a critical factor when you buy a firewall.

AV Throughput
Antivirus throughput also needs to be considered, because this is a gateway-level antivirus, which lets us stop viruses there. If you have a proper gateway-level antivirus, end-user-level protection is not that big a problem. I am not saying that you should not go for desktop protection. You should go for desktop protection. But to some extent you will be protected by the gateway antivirus solution.


Basic Firewall Configuration

Here we discuss a basic network infrastructure with a firewall. There are a few methods available to configure your firewall according to your requirement.
1. Mixed Routing Mode - All the interfaces are in different networks.
2. Drop-In Mode - All the interfaces have the same IP address.
3. Bridge Mode (Transparent Mode) - All the interfaces are in the same network but can be assigned different IPs.


Mixed Routing Mode
 




 






Friday, August 10, 2012

Technical issues and best practice on industrial firewalls




Firewall technicians and end users may have several firewall-related issues, and this blog site will help them share their experience with others and get expert advice.

Basically, this information is really helpful when you are troubleshooting firewall-related issues and network security matters. Further, you can upload your firewall designs for others' reference.

Moreover, you can get answers from experts to the issues you have faced, and this may be good practice for newcomers to the network security era.