Monday, August 27, 2012

How to configure a firewall

Firewall Configuration
Start with the user manual and identify which ports on the firewall are external (facing the Internet) and which are internal. On most appliances any port can be configured as an external port, and an external port can be set up for a DHCP, static or PPPoE connection, depending on what the ISP provides. Some firewalls also offer load balancing and failover across several external connections. The basic job is still packet filtering, but modern firewalls add many more features on top of it. Once the external port is configured, configure the internal ports that connect to the local area network (LAN); the firewall's internal interface needs a free IP address from the LAN block. When you design your infrastructure, plan how many IP addresses you need and how many users will log in to the network, both internal and external.
Application servers can be placed in the network. If a server is for internal use only, connect it to the LAN, since no external users need to reach it. But web servers and mail servers, which external users must reach, are better placed in a separate network called the DMZ (demilitarized zone). The DMZ sits outside the LAN, and policies can allow external users to reach it without allowing them into the LAN. The advantage is containment: if someone compromises a server in the DMZ, they should not be able to reach the LAN, provided the policies from the DMZ to the LAN are kept as restrictive as possible (a DMZ-to-LAN "allow any" rule throws that benefit away).
The LAN port is normally configured as the trusted port. Several Internet connections can be attached to the firewall through its external ports. If you have another network that needs its own IP block, that block can also be bound to the existing LAN port as a secondary network. After you have configured the internal, external and DMZ interfaces, save the configuration to the firewall before you log out.

Firewall Policies 
Every firewall ships with several default policies, and the default configuration is enough to allow web access through the firewall. To secure the network properly, though, you need to add policies of your own. Access can be controlled down to the port level, and user groups can be assigned to each policy. That means the firewall can monitor user access in detail and deny users access to the ports that matter most.
Some firewalls, WatchGuard for example, also have proxy policies, which control web access and provide URL filtering.
Unlike many other firewalls, WatchGuard can filter individual sub-domains through its WebBlocker service. If someone wants to block only a site's mail sub-domain, they can block just that: users can still open the site's main page but cannot use its mail.
 
NAT
NAT is important because it gives you more control over the network. With NAT you bind internal (private) IP addresses to external (real, public) IP addresses, which is why most network administrators use it.
There are three major methods:
1. Dynamic NAT
2. Static NAT
3. 1-to-1 NAT
1-to-1 NAT is used when traffic must flow in both directions: it maps one range of addresses to another range, so a host keeps the same real address both for the connections it receives and for the connections it makes. If you only need to handle traffic going out from the inside, dynamic NAT is enough: many internal hosts share the external address. If you need outside traffic to reach a specific internal service, use static NAT, which forwards a port on the external address to an internal host.
Eg- ABC (Pvt) Ltd has the domain www.abc.com and e-mail addresses such as xyz@abc.com. They own a real IP address that the domain's DNS records point to. Their mail server sits in the DMZ zone of the firewall with a local IP address, so a static NAT rule on the firewall forwards mail traffic arriving at the real IP address to the server's local address.
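To show what the three NAT methods actually do to a packet, here is an added example written for this post; it is a constructed model, not WatchGuard's NAT implementation. All addresses are assumptions: 203.0.113.5 is the firewall's external (real) IP, 203.0.113.6 a second real IP owned by ABC, 10.0.2.10 the DMZ mail server, 10.0.2.20 a second DMZ host, 10.0.1.50 a trusted LAN workstation and 198.51.100.7 a host on the Internet. The `Nat` class, `build_abc_firewall()` and the port numbering are hypothetical.

```python
# Constructed model of dynamic, static and 1-to-1 NAT for the ABC (Pvt) Ltd
# scenario. Not WatchGuard code; every address and port below is an assumption.


class Nat:
    def __init__(self, external_ip, first_dynamic_port=40000):
        self.external_ip = external_ip
        self.next_port = first_dynamic_port
        # dynamic NAT table: ext_port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.dynamic = {}
        # static NAT (port forward): ext_port -> (inside_ip, inside_port)
        self.static = {}
        # 1-to-1 NAT: real_ip <-> inside_ip, kept in both directions
        self.one_to_one = {}
        self.one_to_one_rev = {}

    def add_static(self, ext_port, inside_ip, inside_port):
        self.static[ext_port] = (inside_ip, inside_port)

    def add_one_to_one(self, real_ip, inside_ip):
        self.one_to_one[real_ip] = inside_ip
        self.one_to_one_rev[inside_ip] = real_ip

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving for the Internet: return the rewritten (src_ip, src_port)."""
        if src_ip in self.one_to_one_rev:
            # 1-to-1: the host appears under its own real address, ports untouched
            return (self.one_to_one_rev[src_ip], src_port)
        # dynamic NAT: everyone else shares the external IP; each flow gets its own port
        flow = (src_ip, src_port, dst_ip, dst_port)
        for ext_port, entry in self.dynamic.items():
            if entry == flow:
                return (self.external_ip, ext_port)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[ext_port] = flow
        return (self.external_ip, ext_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from the Internet: return the rewritten (dst_ip, dst_port),
        or None when no NAT entry claims it and the firewall drops it."""
        if dst_ip in self.one_to_one:
            # 1-to-1: every port of the real address reaches the inside host
            return (self.one_to_one[dst_ip], dst_port)
        if dst_ip != self.external_ip:
            return None
        if dst_port in self.static:
            # static NAT: only the forwarded port is reachable
            return self.static[dst_port]
        entry = self.dynamic.get(dst_port)
        if entry is not None and (entry[2], entry[3]) == (src_ip, src_port):
            # reply to a flow an inside host opened first
            return (entry[0], entry[1])
        return None  # unsolicited: dynamic NAT has nothing to map it to


def build_abc_firewall():
    """ABC (Pvt) Ltd: mail server behind static NAT, a second DMZ host on 1-to-1 NAT."""
    nat = Nat("203.0.113.5")
    nat.add_static(25, "10.0.2.10", 25)             # SMTP at the real IP -> DMZ mail server
    nat.add_one_to_one("203.0.113.6", "10.0.2.20")  # whole second real IP <-> second DMZ host
    return nat


if __name__ == "__main__":
    nat = build_abc_firewall()
    print("LAN browsing out   :", nat.outbound("10.0.1.50", 51000, "198.51.100.7", 443))
    print("reply comes back   :", nat.inbound("198.51.100.7", 443, "203.0.113.5", 40000))
    print("unsolicited inbound:", nat.inbound("198.51.100.7", 25, "203.0.113.5", 40001))
    print("SMTP to mail server:", nat.inbound("198.51.100.7", 33000, "203.0.113.5", 25))
    print("1-to-1 inbound     :", nat.inbound("198.51.100.7", 33000, "203.0.113.6", 443))
    print("1-to-1 outbound    :", nat.outbound("10.0.2.20", 443, "198.51.100.7", 33000))
```

Two things the model makes visible: an unsolicited packet to the external IP is dropped unless a static rule claims its port, which is why dynamic NAT alone never exposes an internal server; and with only a static NAT rule, mail the server sends out still leaves through dynamic NAT (source 203.0.113.5 with a rewritten port), whereas 1-to-1 NAT keeps the same real address and ports in both directions, which is the distinction the post draws.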

Firewall Policy – Firewall Rules
Each policy you add tells the firewall whether to allow or deny traffic passing through it. A policy can allow or deny traffic based on the destination IP address, the source IP address, or the protocol.
There are basically two types of policy: packet filter policies and proxy policies. A packet filter examines only the IP and transport headers of each packet passing through the firewall. A proxy policy examines the entire packet content and the protocol, and tracks the connection as well. Proxies work at the application, transport and network layers of the OSI model; packet filters work only at the network and transport layers.
A packet filter is the cheapest way to handle large amounts of traffic. Proxies can block or allow traffic protocol by protocol and inspect what is inside it. Beyond the built-in ones, you can define custom policies for your own requirements, such as specific port numbers and protocols.
How to create a custom policy in WatchGuard WSM
Create a policy for VNC, port number 5900, where the trusted host is 10.0.1.201
1. Select Edit > Add Policy
2. Click New
3. Type VNC in the Name text box
4. Type Virtual Network Computing in the Description text box
5. Select Packet Filter for the Type option
6. Click Add to define the protocol and port
7. Select Single Port in the Type drop-down list
8. Select TCP in the Protocol drop-down list
9. Type 5900 in the Server Port text box
10. Click OK to close the Add Protocol dialog box
11. Click OK to close the New Policy Template dialog box
These steps only create the policy template, which defines the protocol and port. The trusted host 10.0.1.201 is applied when a policy is added from the template and its From and To fields are set; until that is done the template restricts nothing.
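To make the policy model concrete, here is an added example constructed for this post (not WatchGuard code): a first-match evaluator for the VNC packet-filter policy from the steps above, where no matching policy means deny, beside an assumed HTTP proxy policy that, like WebBlocker, refuses a single sub-domain while leaving the site's main page reachable. Only "VNC, TCP 5900, from 10.0.1.201" comes from the post; the 10.0.1.0/24 trusted network, the example.com host names, the destination addresses, and the `Packet`, `Policy` and `evaluate` names are assumptions.

```python
# Constructed model of packet-filter and proxy policies; not WatchGuard code.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "TCP" or "UDP"
    dport: int
    payload: bytes = b""  # only a proxy policy looks at this


@dataclass
class Policy:
    name: str
    kind: str             # "packet_filter" or "proxy"
    action: str           # "allow" or "deny"
    proto: str
    dport: int
    src_nets: Tuple[str, ...]            # the policy's From list, as CIDR strings
    dst_nets: Tuple[str, ...]            # the policy's To list
    blocked_hosts: Tuple[str, ...] = ()  # proxy only: HTTP hosts to refuse

    def header_match(self, pkt: Packet) -> bool:
        """All a packet filter sees: IP header plus transport protocol and port."""
        if pkt.proto != self.proto or pkt.dport != self.dport:
            return False
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return (any(src in ipaddress.ip_network(n) for n in self.src_nets)
                and any(dst in ipaddress.ip_network(n) for n in self.dst_nets))


def http_host(payload: bytes) -> Optional[str]:
    """Pull the Host header out of a plaintext HTTP request; None if absent."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            value = line.split(b":", 1)[1].strip()
            return value.split(b":")[0].decode("ascii", "replace").lower()  # drop any :port
    return None


def evaluate(policies, pkt: Packet) -> Tuple[str, str]:
    """First policy whose headers match decides; a packet nothing matches is denied."""
    for p in policies:
        if not p.header_match(pkt):
            continue
        if p.kind == "proxy":
            # A proxy goes past the headers into the application data
            host = http_host(pkt.payload)
            if host and any(host == b or host.endswith("." + b) for b in p.blocked_hosts):
                return ("deny", f"{p.name}: host {host} blocked")
        return (p.action, p.name)
    return ("deny", "no matching policy")


ANY = ("0.0.0.0/0",)
# The custom VNC policy from the steps above: TCP 5900, From the single trusted host, To any.
VNC = Policy("VNC", "packet_filter", "allow", "TCP", 5900, ("10.0.1.201/32",), ANY)
# Assumed HTTP proxy policy for the trusted network that refuses one sub-domain only.
HTTP_PROXY = Policy("HTTP-proxy", "proxy", "allow", "TCP", 80, ("10.0.1.0/24",), ANY,
                    blocked_hosts=("mail.example.com",))
POLICIES = [VNC, HTTP_PROXY]


if __name__ == "__main__":
    print(evaluate(POLICIES, Packet("10.0.1.201", "10.0.2.30", "TCP", 5900)))
    print(evaluate(POLICIES, Packet("10.0.1.50", "10.0.2.30", "TCP", 5900)))
    req = b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"  # constructed request
    print(evaluate(POLICIES, Packet("10.0.1.50", "198.51.100.7", "TCP", 80, req)))
```

The packet filter never reads `payload`, so it cannot tell www.example.com from mail.example.com: only the proxy policy can block one sub-domain while allowing the other. The model also shows why the From list matters: VNC from any other trusted host, or UDP to port 5900, falls through to the implicit deny.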
 
