The configuration of a firewall can be one of the most complex parts of your security strategy. In this video, you’ll learn about the physical installation, the concept of implicit deny, and the process used for access lists and security rules.
There are a lot of different ways you can connect your firewall to the network. Of course, you need to have your firewall between you and the outside world, or between you and the data that needs to be protected.
So you can see the firewall, which we’re representing here as the brick wall. We have switches down here at the bottom with the arrows pointing in different directions, and the icons with arrows pointing into and away from each other are the routers on our network.
One way to connect the firewall is through something called virtual wire. In this mode, the firewall doesn’t act as a Layer 2 device. It doesn’t act as a Layer 3 device. It’s effectively a repeater. It takes everything coming in one port, sends it off to the other, and everything from the other port, it sends back to the inside. That is as much forwarding as it knows how to do. Take everything from one interface and put it on the other one.
This is a way that you can connect to the network, but not change any of your IP configurations or any of your network infrastructure because you’re effectively just a bump on the wire.
Another way to configure a firewall is as a Layer 2 device, or as a switch. This is the same as if you were putting a physical switch in your network, except now this switch is also a firewall.
Here’s a scenario where we’re still using our router to connect to the outside world. We have our firewall that’s acting as a Layer 2 device, so it’s taking all the traffic from the switch and then switching it on to other switches that might be somewhere else in our organization. Most firewalls, though, are going to connect at Layer 3.
This is a very common way to connect a firewall, and with it we don’t even need an external router. We connect directly from the internet right into our device at Layer 3. The firewall has an IP address on the outside and IP addresses on the inside, and we are then able to route between those using dynamic routing protocols or static routing, so it effectively has the same functionality as a physical router. The difference, of course, is that now, as the traffic is being routed, we are also firewalling it.
We’ve traditionally put our firewall between the inside of the network and the outside, so it might be a firewall that we put right in the middle between the inside and the external side where the internet might be. This will protect all of our inside devices from anything that might be on the external network.
But we’re seeing an increasing number of people wanting to have a firewall on the inside of their organization, especially in a data center or a virtualized environment. You might have many switches in your environment, and you put the firewall right in the middle so that any traffic that needs to traverse between different switches has to go through the firewall.
This might be a good way to segment off a data center or the core of the network and only allow the traffic and the applications that should really be going to those very critical devices.
If you have a web server, or a file server, or some other type of service that you’re providing out to the internet, you may want to put those devices on something called a DMZ. This stands for demilitarized zone.
I have a DMZ down here in my picture with some servers connected to it. I have the completely separate network that is the internal inside network of my organization, and these are all connected to a firewall which, ultimately, is then connected to the internet. We’re letting the firewall manage the control of where traffic goes and to keep our inside network secure, even as people are coming into the network and accessing resources on our DMZ.
Our firewalls decide what traffic is allowed or denied through the firewall based on a series of access lists. This is an example of an access list from a device.
This is referring to access list number one. Here’s a deny rule that says: if traffic is coming from 172.16.5.2, with the mask 0.0.0.0 after it, which means this one individual IP address rather than any particular subnet, then deny that traffic. Another rule in the same access list is to deny traffic from 172.16.5.3. So those two rules are designed to block certain traffic, and only from these two IP addresses.
And then the third access list entry is to permit any. So this access list is designed to block these two IP addresses, and if you are not one of these two IP addresses, then all other traffic is allowed through this firewall.
Most firewalls and security devices are configured to implicitly deny anything that does not appear in our access list or our security policies. So if we look at a list of security policies for our web server, we can see that we are allowing traffic through on port 22, on port 80, on port 443, and on port 8443. We’re also allowing DNS traffic inbound on port 53, and NTP traffic on port 123. Ping, that is, ICMP, is also allowed into this device.
And that’s it. There’s nothing after that line that says, stop all other traffic from coming through the firewall, but there is an implicit deny at the bottom. That means if traffic doesn’t match any of the access list rules in our firewall and makes it all the way to the bottom of the list, it will be automatically dropped.
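The access list walk-through above, and the implicit deny that follows it, both come down to one rule: entries are checked top to bottom, the first match decides, and anything that reaches the bottom unmatched is dropped. The following is an added example, not code from the video or from any firewall vendor. It parses the three entries shown above in Cisco-IOS-style syntax (the syntax is an assumption; the video does not name the device), applies the 0.0.0.0 mask as a wildcard mask where a 0 bit must match and a 1 bit is ignored, and evaluates source addresses with and without the trailing `permit any` so the implicit deny is visible. The `ACL_DENIES_ONLY` variant and the test addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed example (not the video's own code): a Cisco-IOS-style standard
# access list, evaluated top to bottom with first-match semantics and an
# implicit deny when no entry matches. The dotted quad after an address is a
# wildcard mask: a 0 bit means "must match", a 1 bit means "don't care".


@dataclass(frozen=True)
class AclEntry:
    number: str    # access list number, e.g. "1"
    action: str    # "permit" or "deny"
    address: str   # address the wildcard mask is applied to
    wildcard: str  # wildcard mask, e.g. "0.0.0.0" for exactly one host


def wildcard_matches(ip: str, address: str, wildcard: str) -> bool:
    """Return True if ip equals address in every bit the wildcard marks as 0."""
    ip_i = int(ipaddress.IPv4Address(ip))
    addr_i = int(ipaddress.IPv4Address(address))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits we compare
    return (ip_i & care) == (addr_i & care)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list <n> permit|deny any | host A | A [wildcard]' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unrecognised access-list line: {line!r}")
        number, action, target = parts[1], parts[2], parts[3]
        if target == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"   # every bit is don't-care
        elif target == "host" and len(parts) > 4:
            address, wildcard = parts[4], "0.0.0.0"            # exactly that one host
        else:
            address = target
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # bare address = single host
        entries.append(AclEntry(number, action, address, wildcard))
    return entries


def evaluate(entries: List[AclEntry], src_ip: str) -> str:
    """First matching entry wins; anything that falls off the end is denied."""
    for entry in entries:
        if wildcard_matches(src_ip, entry.address, entry.wildcard):
            return entry.action
    return "deny"  # implicit deny: never written in the config, always present


# The three entries from the video, written out in IOS syntax (constructed transcription).
ACL_FROM_VIDEO = [
    "access-list 1 deny 172.16.5.2 0.0.0.0",
    "access-list 1 deny 172.16.5.3 0.0.0.0",
    "access-list 1 permit any",
]

# Constructed variant: the same two denies without "permit any". Nothing else
# is written, yet every other source is dropped by the implicit deny.
ACL_DENIES_ONLY = ACL_FROM_VIDEO[:2]


def decisions(lines: List[str], sources: List[str]) -> Dict[str, str]:
    """Evaluate each source address against the access list and return the verdicts."""
    entries = parse_acl(lines)
    return {src: evaluate(entries, src) for src in sources}


if __name__ == "__main__":
    sources = ["172.16.5.2", "172.16.5.3", "172.16.5.4", "10.0.0.9"]  # constructed
    print("with permit any:   ", decisions(ACL_FROM_VIDEO, sources))
    print("without permit any:", decisions(ACL_DENIES_ONLY, sources))
```

Ordering is part of the policy: if the `permit any` entry were moved above the two denies, every source would match it first and the denies would never be reached, which is why a review of an access list has to read it in order rather than as a set.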
There are many different ways to configure these access lists in our firewalls. We often configure our inbound traffic to have some very extensive filtering. We only allow certain kinds of traffic inbound; that’s the whole point of having the firewall on the edge of our network, after all.
We’re only going to allow things that are required to come through the firewall, and we might even take inbound traffic and configure a DMZ so that anything inbound will not come to our internal network. It will go to a network where we can have much more control. This allows us to protect directly against any type of inbound attack and lets us create very specific and granular controls over exactly what kind of traffic is coming inbound.
When you’re configuring outbound traffic, there are generally two schools of thought. One is to allow all traffic outbound, but blacklist things that you don’t want people to visit. So you might choose a URL category, or prevent somebody from going to a known malware site. The other school of thought may be the reverse of this, where no traffic is allowed and you must explicitly whitelist where people are allowed to go.
This often means that there are more administrative requirements, because you’re going to be adding to this whitelist constantly, but it is a way that you can be very sure exactly where people are allowed to go and only allow that traffic outbound through your firewall.
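The two outbound postures just described differ only in the default action and in what the administrator has to write down. As an added example (not code from the video or from any firewall product), the block below models both postures and runs the same constructed set of destinations through each, recording which rule made the decision so the outcome can be logged. The rule names, hostnames and URL categories are all constructed; the category labels stand in for the URL-category feed a real firewall would consult.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example (not from the video): default-allow with a blacklist
# versus default-deny with a whitelist, evaluated first-match like an access
# list, with the name of the deciding rule kept for the log.


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    match_on: str  # "category" matches the URL category, "host" matches the exact hostname
    value: str     # category name or hostname to compare against
    name: str      # rule name, reported in the decision for audit logging


@dataclass
class OutboundPolicy:
    default_action: str                       # applied when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def decide(self, host: str, category: str) -> Tuple[str, str]:
        """Return (action, deciding rule name); first match wins, else the default."""
        for rule in self.rules:
            subject = host if rule.match_on == "host" else category
            if subject == rule.value:
                return rule.action, rule.name
        return self.default_action, "default"


# Blacklist posture: everything goes out unless a category or host is explicitly blocked.
BLACKLIST_POLICY = OutboundPolicy("allow", [
    Rule("deny", "category", "malware", "block-malware-category"),
    Rule("deny", "category", "phishing", "block-phishing-category"),
    Rule("deny", "host", "bad.example.net", "block-known-bad-host"),
])

# Whitelist posture: nothing goes out unless a category or host is explicitly allowed.
WHITELIST_POLICY = OutboundPolicy("deny", [
    Rule("allow", "category", "business", "allow-business"),
    Rule("allow", "category", "software-updates", "allow-updates"),
    Rule("allow", "host", "partner.example.com", "allow-partner-portal"),
])

# Constructed destinations: (hostname, category as the feed currently classifies it).
DESTINATIONS = [
    ("www.example.com", "business"),
    ("updates.example.org", "software-updates"),
    ("bad.example.net", "malware"),
    ("brand-new.example.io", "uncategorized"),   # nobody has classified it yet
    ("partner.example.com", "uncategorized"),    # the admin had to add this host by name
]


def evaluate_all(policy: OutboundPolicy) -> Dict[str, Tuple[str, str]]:
    """Run every constructed destination through one policy."""
    return {host: policy.decide(host, category) for host, category in DESTINATIONS}


def log_line(policy_name: str, host: str, category: str, action: str, rule: str) -> str:
    """One constructed log record per decision, including the rule that fired."""
    return f"policy={policy_name} dst={host} category={category} action={action} rule={rule}"


if __name__ == "__main__":
    for name, policy in (("blacklist", BLACKLIST_POLICY), ("whitelist", WHITELIST_POLICY)):
        for host, category in DESTINATIONS:
            action, rule = policy.decide(host, category)
            print(log_line(name, host, category, action, rule))
```

The destination worth watching is `brand-new.example.io`: with the blacklist posture it is allowed by the default, because nothing has been written about it yet, while the whitelist posture denies it for exactly the same reason. That is the trade the passage describes: the whitelist costs an explicit entry for every legitimate new destination (the `partner.example.com` host rule here) in exchange for knowing that anything unlisted never leaves the network.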