Shared Solution and Network Security With Proxy Server

Essential

We will build an application-level gateway firewall, in which a set of proxy programs placed at the gateway separates an intranet from the Internet.

The proxy suite is based on the Trusted Information Systems (TIS) Internet Firewall Toolkit, which includes a set of programs and system configuration practices for building a firewall. The programs are designed to run on UNIX systems using TCP/IP with the Berkeley socket interface.

The proxy programs are designed for a number of firewall configurations, including the basic ones: a dual-homed gateway, a screened host gateway, and a screened subnet gateway.

The bastion host is the component of the firewall that relays traffic, logs communications, and provides the services that require high security.

Firewall software - proxy server

The proxy suite consists of application-level programs that replace or supplement the system's network services. For each service there is a corresponding proxy program that filters the traffic: based on an analysis of the structure and content of each message, the traffic is passed or blocked according to the protection policy. The proxy suite has the following main components:

SMTP Gateway - Proxy server for the SMTP (Simple Mail Transfer Protocol) service
FTP Gateway - Proxy server for the FTP service
Telnet Gateway - Proxy server for the Telnet service
HTTP Gateway - Proxy server for HTTP (World Wide Web)
Rlogin Gateway - Proxy server for the rlogin service
Plug Gateway - Proxy server for generic TCP connections (TCP Plug-Board Connection server)
SOCKS - Proxy server for SOCKS-based services
NETACL - Network access control for other services
IP Filter - IP-level packet filter

SMTP Gateway - Proxy server for the SMTP port

The SMTP Gateway is built from two programs, smap and smapd, which mediate access over the SMTP protocol. The principle is to keep the system's original mail server program from being reachable directly by external systems, because the mail server runs with fairly high privileges. On UNIX the mail server program is sendmail.

When a remote system connects to the SMTP port, smap takes over the connection, changes its root directory to a reserved spool directory (chroot) and sets its user-id to an unprivileged level. smap's sole purpose is to talk SMTP with the other system, collect the mail, write it to disk, log, and exit. smapd continuously scans this spool directory; when it detects new mail, it hands the data to sendmail for delivery to individual mailboxes or to other mail servers.

Thus a stranger on the network cannot connect directly to the mail server, and all of this traffic can be controlled. However, the program cannot solve the problem of forged mail or other types of attacks at the mail level.
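The smap/smapd split described above, as an added example that is not part of the original text or of the TIS toolkit: a small Python sketch of the two stages. smap_session() speaks a minimal subset of SMTP and only writes to a spool directory, drop_privileges() is the chroot/unprivileged-uid step (a no-op unless run as root; uid 65534 is an assumption), and smapd_scan() is the separate stage that hands completed spool files to a delivery callback standing in for sendmail. The SMTP dialogue fed in at the bottom is constructed input.

```python
"""Toy reimplementation of the smap/smapd split (added example, not code from
TIS FWTK).  smap_session() speaks a small subset of SMTP with one client,
never touches sendmail and only writes the message into a spool directory;
smapd_scan() runs separately and hands finished spool files to a delivery
callback (sendmail in the real toolkit).  All names are this example's own."""
import os
import re
import tempfile
import time

def drop_privileges(spool_dir, uid=65534, gid=65534):
    """Confine the process to the spool directory and shed root.

    Effective only when started as root on a UNIX system; otherwise it is a
    no-op so the example still runs for a reader without root.  uid/gid 65534
    (nobody) is an assumption."""
    if not hasattr(os, "geteuid") or os.geteuid() != 0:
        return False
    os.chdir(spool_dir)
    os.chroot(spool_dir)
    os.setgid(gid)
    os.setuid(uid)
    return True

_ADDR = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")

def smap_session(client_lines, spool_dir, peer="constructed-peer"):
    """Run one SMTP dialogue given as a list of client lines (constructed input).

    Returns (replies, spool_path); spool_path is None when no message was
    completed.  Only the envelope and the message body are parsed; nothing
    is interpreted or executed, which is the point of the smap stage."""
    replies = ["220 smap ready"]
    sender, rcpts, path = None, [], None
    it = iter(client_lines)
    for line in it:
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 smap")
        elif verb == "MAIL":
            m = _ADDR.search(line)
            if not m:
                replies.append("501 bad sender")
                continue
            sender = m.group(1)
            replies.append("250 ok")
        elif verb == "RCPT":
            m = _ADDR.search(line)
            if sender is None:
                replies.append("503 need MAIL first")
            elif not m:
                replies.append("501 bad recipient")
            else:
                rcpts.append(m.group(1))
                replies.append("250 ok")
        elif verb == "DATA":
            if not rcpts:
                replies.append("503 need RCPT first")
                continue
            replies.append("354 go ahead")
            body = []
            for dline in it:            # message text up to the lone "."
                if dline == ".":
                    break
                # SMTP dot-stuffing: a leading "." is an escape and is removed
                body.append(dline[1:] if dline.startswith(".") else dline)
            path = _write_spool(spool_dir, peer, sender, rcpts, body)
            replies.append("250 queued")
            sender, rcpts = None, []
        elif verb == "QUIT":
            replies.append("221 bye")
            break
        else:
            replies.append("500 unknown command")
    return replies, path

def _write_spool(spool_dir, peer, sender, rcpts, body):
    """Write under a temporary name and rename, so smapd never sees a half-written file."""
    fd, tmp = tempfile.mkstemp(prefix="tmp-", dir=spool_dir)
    with os.fdopen(fd, "w") as f:
        f.write(f"X-Smap-Peer: {peer}\nX-Smap-Sender: {sender}\n")
        for r in rcpts:
            f.write(f"X-Smap-Rcpt: {r}\n")
        f.write("\n" + "\n".join(body) + "\n")
    final = os.path.join(spool_dir, f"msg-{int(time.time() * 1000)}-{os.path.basename(tmp)}")
    os.rename(tmp, final)
    return final

def smapd_scan(spool_dir, deliver):
    """smapd stage: hand every completed spool file to deliver(path), then unlink it."""
    delivered = 0
    for name in sorted(os.listdir(spool_dir)):
        if not name.startswith("msg-"):
            continue                    # tmp-* files are still being written by smap
        path = os.path.join(spool_dir, name)
        deliver(path)
        os.unlink(path)
        delivered += 1
    return delivered

if __name__ == "__main__":
    spool = tempfile.mkdtemp()
    drop_privileges(spool)              # no-op unless run as root
    dialogue = ["HELO client", "MAIL FROM:<a@example.test>",
                "RCPT TO:<b@example.test>", "DATA", "Subject: hi", "", "body", ".", "QUIT"]
    print(smap_session(dialogue, spool, peer="192.0.2.10")[0])
    print("delivered", smapd_scan(spool, lambda p: print("handing to sendmail:", p)))
```

The separation is visible in the code: the part that talks to the network parses nothing beyond the envelope and writes files, and the part that talks to sendmail never touches the network. Writing under a temporary name and renaming keeps smapd from delivering a half-received message.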

FTP Gateway - Proxy server for the FTP service

The proxy server for the FTP service controls access to FTP based on IP address and hostname, and provides a secondary access control that lets the administrator block or log any FTP command. The destination address of a session can likewise be permitted or prohibited. All connections and the amount of data transferred are logged.

The FTP Gateway itself does not threaten the security of the firewall system, because it runs chrooted to an empty directory and accesses no file other than its configuration file, which it only reads. An FTP server, by contrast, only provides the FTP service, regardless of who does or does not have the right to download files. The permissions must therefore be set on the FTP Gateway, and must be in place before any files are downloaded or uploaded. The FTP Gateway should be configured according to the network security policy. The proxy allows network administrators to provide both an FTP server and an FTP proxy on the same system, but doing so does not guarantee the security of the firewall.

In short, the FTP Gateway can control any access through the FTP port in a very flexible way (blocking individual addresses or entire networks), and can also control each capability separately, such as downloading or uploading files.

Telnet Gateway - Proxy server for Telnet

The Telnet Gateway is a proxy server that controls network access based on IP address and/or hostname, and provides a secondary access control that lets the administrator block any destination. All connections passed through it are logged. Each time a user connects to the Telnet Gateway, the user must specify where to connect to.

The Telnet Gateway does not compromise system security, because it operates only within a confined area: the system hands control to a dedicated, restricted section, and access to other files and directories is likewise restricted.

The Telnet Gateway is used to control access to the local area network. Unauthorized access is not possible, and legitimate access is logged, including the time of access and the actions taken.

HTTP Gateway - Proxy server for the Web

The HTTP Gateway is a proxy server that controls access to the system through the HTTP (Web) port. Based on the destination address and the source address, it prohibits or allows requests to pass through.

At the same time, based on the HTTP protocol and the content of the request, the software can carry out or drop the request.

Access requests are recorded in the log for management and statistics.

Because requests are received directly by the HTTP Gateway, the software gives complete control over access to the system through the Web. Message processing is performed in memory and so does not affect the rest of the system.

Rlogin Gateway - Proxy server for rlogin

Terminal sessions made through the BSD rlogin protocol are controlled by the rlogin gateway. The program checks and controls network access in the same way as the Telnet Gateway. Rlogin clients can name the remote system as soon as they connect to the proxy. The program restricts the interaction between the user and the machine.

Plug Gateway - TCP Plug-Board Connection server

The firewall must also carry services such as Usenet news. Network administrators can choose either to run the service on the firewall itself or to install a proxy server for it.

If the news service runs directly on the firewall, a fault in it easily becomes a fault of the whole system, so it is safer to use a proxy. The plug gateway is designed to control the Usenet news service and other services such as Lotus Notes, Oracle, etc.

The plug gateway controls, based on IP address or hostname, all system access through the registered service ports, allowing or denying each access request. All connection requests, including the data carried, can be logged for monitoring and control.

SQL Gateway - Proxy server for SQL-Net

SQL-Net uses a different protocol from News or Lotus Notes, so the plug gateway cannot be used for this service. The SQL Gateway was developed from the plug gateway and is dedicated to SQL-Net.

Like the plug gateway, the SQL Gateway controls, based on IP address or hostname, all system access through the registered service port, allowing or denying each access request. All connection requests, including the data carried, can be logged for monitoring and control.

SOCKS Gateway - Proxy server for the SOCKS service

SOCKS is a connection protocol between hosts that support it. Two hosts using this protocol do not need to be able to reach each other directly over IP.

The SOCKS server matches each request from a client against its rules, determines the access rights, and establishes the communication channel between the two machines.

The SOCKS Gateway is used to prevent unauthorized access to the network through this port.

NETACL - Network access control tool

Network services generally provide no access control of their own, so they are vulnerable to attack. Even on firewalls, most common services are removed to keep the system secure, but some services, such as telnet and rlogin, still need to be kept.

Netacl is a tool for controlling network access based on the client's network address and the service requested. It wraps the basic services and so adds control to services that have none. For example, a client (identified by IP address or hostname) may be allowed to reach the telnet server when it connects to the telnet service port on the firewall.

In firewall configurations, NETACL is used to block all hosts except the few that are allowed to log in to the firewall through telnet or rlogin, and so to block access by attackers.

Netacl's security is based on IP address and/or hostname. For high-security systems, IP addresses should be used, to avoid DNS spoofing. Netacl does not prevent IP address spoofing by source routing or other means; against such attacks a router capable of screening source-routed packets is needed.

Note that netacl does not provide UDP access control, because the current technology cannot guarantee the authenticity of UDP datagrams. Securing UDP services here means disallowing all UDP services.
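The access-control pattern shared by the FTP, Telnet and plug gateways and by netacl (client address or hostname, optional destination and per-command control, first match wins), as an added example that is neither the page's nor the toolkit's code. The rule syntax, the service names and the "unknown" client keyword are constructed for this illustration, and forward_confirmed_name() is the check behind the text's advice to prefer IP addresses: a hostname counts only if its reverse record resolves forward to the connecting address.

```python
"""Client/destination/command access control of the kind the FTP, Telnet and
plug gateways and netacl apply (added example; the rule syntax below is
constructed for this illustration and is not the toolkit's own table format).
Rules are matched first-match-wins and anything unmatched is denied."""
import fnmatch
import ipaddress
import socket

def forward_confirmed_name(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Return the client's hostname only when its reverse (PTR) record resolves
    forward to the same address; otherwise None, i.e. "unknown".  A hostname
    that fails this check never satisfies a hostname rule.  The resolver
    functions are parameters so the check can run offline with fake resolvers."""
    try:
        name = reverse(ip)[0]
        _, _, addrs = forward(name)
    except (socket.herror, socket.gaierror, OSError):
        return None
    return name.lower() if ip in addrs else None

def parse_rules(text):
    """Constructed syntax, one rule per line:
       <service> permit|deny <client> [-dest <glob>] [-block cmd...] [-log cmd...]
    <client> is an address/CIDR, a hostname glob, or the word unknown."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rule = {"service": parts[0], "action": parts[1], "client": parts[2],
                "dest": "*", "block": set(), "log": set()}
        i = 3
        while i < len(parts):
            opt = parts[i]
            if opt == "-dest":
                rule["dest"] = parts[i + 1]
                i += 2
            elif opt in ("-block", "-log"):
                i += 1
                while i < len(parts) and not parts[i].startswith("-"):
                    rule[opt[1:]].add(parts[i].lower())
                    i += 1
            else:
                raise ValueError(f"unknown option {opt!r} in rule: {raw}")
        rules.append(rule)
    return rules

def client_matches(pattern, ip, name):
    """name is the forward-confirmed hostname (lower case) or None."""
    if pattern == "unknown":
        return name is None
    if "/" in pattern or pattern[0].isdigit():          # address or CIDR rule
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return name is not None and fnmatch.fnmatch(name, pattern.lower())

def decide(rules, service, ip, name, dest="*"):
    """First matching rule wins; no match means deny (fail closed).
    Returns (permitted, matched_rule)."""
    for r in rules:
        if (r["service"] == service and client_matches(r["client"], ip, name)
                and fnmatch.fnmatch(dest.lower(), r["dest"].lower())):
            return r["action"] == "permit", r
    return False, None

def command_allowed(rule, cmd):
    """Secondary control inside a permitted session: (allowed, must_log)."""
    c = cmd.lower()
    return c not in rule["block"], c in rule["log"]

# Constructed rule table: internal users may telnet only to internal hosts,
# one partner domain may reach a single gateway, unconfirmed names are refused,
# FTP uploads are blocked and transfers logged, and netacl admits one admin host.
RULES = parse_rules("""
tn-gw  permit 10.1.0.0/16         -dest *.internal.example
tn-gw  deny   unknown
tn-gw  permit *.partner.example   -dest gw.internal.example
ftp-gw permit 10.1.0.0/16         -log retr stor -block stor
netacl-telnetd permit 10.1.2.3
""")

if __name__ == "__main__":
    for svc, ip, name, dest in [("tn-gw", "10.1.2.3", None, "mail.internal.example"),
                                ("tn-gw", "198.51.100.7", None, "gw.internal.example"),
                                ("ftp-gw", "10.1.9.9", "pc.internal.example", "*")]:
        ok, rule = decide(RULES, svc, ip, name, dest)
        print(svc, ip, dest, "PERMIT" if ok else "DENY")
```

Ordering matters with first-match semantics: the "deny unknown" line sits before the partner rule so that a partner hostname is only honoured when it has been forward-confirmed, and the absence of a catch-all permit means every service not listed is refused.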

Authentication and authorization services

The firewall suite contains an authentication server program, authsrv, designed to support the authorization mechanism. Authsrv holds a database of the network's users, with one record per user; each record contains the authentication mechanism for that user, the group name, the user's full name, and the most recent login. Plain-text passwords are used for internal network users to keep administration simple; unencrypted passwords should not be used for external users.

Users in the database can be divided into groups, each managed by a group administrator who has full control over the users in that group. This is advantageous because many organizations share a single firewall.

Authsrv's group management is very flexible. Administrators assign users to groups with the "group wiz" command; a group administrator can delete, add and create group records, enable or disable users, and change the passwords of the users in his group. Group management does not touch other groups: a group administrator can neither create new groups nor change the relationships between groups, and has rights only within his own group. This is useful for organizations that have multiple workgroups using the same firewall.

Authentication takes place when a user starts using a firewall-based service. All of the services mentioned above can require authentication, and this check applies only to machines whose IP address or hostname is specified.
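A group-scoped administration model like the one authsrv is described as providing, as an added Python example (not authsrv's own code; all class and method names are assumptions). It shows the boundary the text describes: a group administrator can add, delete, enable, disable and reset passwords for users in his own group, cannot touch another group or create groups, and only the wiz account can. It departs from the text in one respect: passwords are stored as salted PBKDF2 hashes rather than plain text.

```python
"""Group-scoped user administration modelled on the authsrv description
(added example, not the toolkit's own code; names are this example's own).
Passwords are kept as salted PBKDF2 hashes rather than plain text."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class UserRecord:
    name: str
    group: str
    full_name: str
    mechanism: str            # e.g. "password"; the text lists one per user
    salt: bytes
    pw_hash: bytes
    enabled: bool = True
    last_login: Optional[float] = None

class NotPermitted(Exception):
    pass

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class AuthDB:
    def __init__(self, wiz="wiz"):
        self.wiz = wiz            # the one account that may create groups
        self.users = {}           # user name -> UserRecord
        self.group_admins = {}    # group name -> set of administrator names

    def create_group(self, actor, group, admin):
        if actor != self.wiz:
            raise NotPermitted("only the wiz account creates groups")
        self.group_admins.setdefault(group, set()).add(admin)

    def _require_admin(self, actor, group):
        """A group administrator acts only inside that group; wiz everywhere."""
        if actor != self.wiz and actor not in self.group_admins.get(group, set()):
            raise NotPermitted(f"{actor} does not administer group {group}")

    def _lookup(self, actor, name):
        rec = self.users.get(name)
        if rec is None:
            raise KeyError(name)
        self._require_admin(actor, rec.group)
        return rec

    def add_user(self, actor, name, group, full_name, password, mechanism="password"):
        if group not in self.group_admins:
            raise NotPermitted(f"group {group} does not exist")
        self._require_admin(actor, group)
        salt = os.urandom(16)
        self.users[name] = UserRecord(name, group, full_name, mechanism, salt, _hash(password, salt))

    def set_enabled(self, actor, name, enabled):
        self._lookup(actor, name).enabled = enabled

    def change_password(self, actor, name, password):
        rec = self._lookup(actor, name)
        rec.salt = os.urandom(16)
        rec.pw_hash = _hash(password, rec.salt)

    def delete_user(self, actor, name):
        self._lookup(actor, name)
        del self.users[name]

    def authenticate(self, name, password):
        """Verify a password and record the login time; disabled users always fail."""
        rec = self.users.get(name)
        if rec is None or not rec.enabled:
            return False
        if not hmac.compare_digest(rec.pw_hash, _hash(password, rec.salt)):
            return False
        rec.last_login = time.time()
        return True

if __name__ == "__main__":
    db = AuthDB()
    db.create_group("wiz", "sales", admin="alice")
    db.add_user("alice", "carol", "sales", "Carol Example", "correct horse")
    print("carol logs in:", db.authenticate("carol", "correct horse"))
    try:
        db.create_group("alice", "marketing", admin="alice")
    except NotPermitted as e:
        print("refused:", e)
```

Every administrative method goes through _require_admin(), so the scope rule lives in one place; a check that is scattered across methods is the usual way such a boundary leaks.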

IP Filter - IP-level filter

IP Filter is a TCP/IP packet filter, and is considered an indispensable part of setting up a firewall that is transparent to the user. The software is installed in the core of the system (it runs inside the UNIX kernel), runs in the background whenever the system is up, and receives and analyzes all IP packets.

The IP filter can do the following:

Pass or block any packet
Recognize the different services
Filter by IP address or host
Select any IP protocol
Select by IP fragments
Filter by IP options
Return an ICMP error or a TCP reset in reply to a blocked packet
Keep state information for TCP, UDP and ICMP flows
Keep state information for any IP packet
Act as a Network Address Translator (NAT)
Provide the basis for connections that are transparent to the user
Pass packet headers to user programs for authentication
Hold temporary (pre-authenticated) rules for passing packets

For the basic Internet protocols in particular, TCP, UDP and ICMP, the IP filter allows filtering by:

Inverted host/net matching
Port number of TCP/UDP packets
Type or code of ICMP packets
Established TCP packets
Any combination of TCP status flags
Filtering or dropping short IP packets
Type of service

Logging can include:

The TCP/UDP/ICMP and IP packet headers
Part or all of the packet data
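A toy stateful packet filter exercising several items from the feature lists above (pass/block, per-protocol and port rules, TCP flag combinations, fragment rules, ICMP type, keeping state so that replies are admitted, returning a TCP reset for a blocked packet, and header logging), as an added example that is not IP Filter's code. The rule grammar is a constructed subset that resembles the ipf style (last match wins unless a rule says quick); packets are dicts built inline, so everything runs offline.

```python
"""Simplified stateful packet filter in the spirit of the IP Filter feature
list (added example, not the ipf code; the rule grammar is a constructed
subset resembling ipf's).  Packets are dicts built inline."""
import ipaddress

def parse_rule(text):
    """Grammar (constructed):
       pass|block [return-rst|return-icmp] in|out [quick] [log] [all] [proto P]
       [from NET] [to NET] [port = N] [flags SET/MASK] [icmp-type N] [with frag] [keep state]"""
    t = text.split()
    r = {"action": t[0], "return": None, "dir": None, "quick": False, "log": False,
         "proto": "any", "src": "any", "dst": "any", "dport": None, "flags": None,
         "icmp_type": None, "frag": False, "keep_state": False}
    i = 1
    if t[i] in ("return-rst", "return-icmp"):
        r["return"] = t[i]
        i += 1
    r["dir"] = t[i]
    i += 1
    while i < len(t):
        w = t[i]
        if w in ("quick", "log"):
            r[w] = True
            i += 1
        elif w == "all":                       # shorthand for "from any to any"
            i += 1
        elif w in ("proto", "from", "to"):
            r[{"proto": "proto", "from": "src", "to": "dst"}[w]] = t[i + 1]
            i += 2
        elif w == "port" and t[i + 1] == "=":
            r["dport"] = int(t[i + 2])
            i += 3
        elif w == "flags":
            want, mask = t[i + 1].split("/")
            r["flags"] = (set(want), set(mask))
            i += 2
        elif w == "icmp-type":
            r["icmp_type"] = int(t[i + 1])
            i += 2
        elif w == "with" and t[i + 1] == "frag":
            r["frag"] = True
            i += 2
        elif w == "keep" and t[i + 1] == "state":
            r["keep_state"] = True
            i += 2
        else:
            raise ValueError(f"cannot parse {w!r} in rule: {text}")
    return r

def _net_match(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _rule_matches(r, pkt, direction):
    if r["dir"] != direction or (r["proto"] != "any" and r["proto"] != pkt["proto"]):
        return False
    if not _net_match(r["src"], pkt["src"]) or not _net_match(r["dst"], pkt["dst"]):
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    if r["frag"] and not pkt.get("frag", False):
        return False
    if r["icmp_type"] is not None and pkt.get("icmp_type") != r["icmp_type"]:
        return False
    if r["flags"] is not None:             # "S/SA": of the flags in SA, exactly S is set
        want, mask = r["flags"]
        if (set(pkt.get("flags", "")) & mask) != want:
            return False
    return True

class Filter:
    def __init__(self, rule_lines):
        self.rules = [parse_rule(x) for x in rule_lines]
        self.state = set()        # tracked flows (no expiry in this toy)
        self.log = []             # header summaries of logged packets

    @staticmethod
    def _key(pkt):
        """Direction-independent flow key, so the reply of a tracked flow matches."""
        ends = sorted([(pkt["src"], pkt.get("sport", 0)), (pkt["dst"], pkt.get("dport", 0))])
        return (pkt["proto"],) + tuple(ends)

    def check(self, pkt, direction):
        """Return (decision, reason): reason is "state", "rule", or a return-* action
        the caller should carry out (send a TCP RST / ICMP error) for a blocked packet."""
        key = self._key(pkt)
        if key in self.state:
            return "pass", "state"
        decision, chosen = "block", None           # nothing matched: fail closed
        for r in self.rules:
            if _rule_matches(r, pkt, direction):
                decision, chosen = r["action"], r
                if r["quick"]:
                    break                          # quick: stop here; else last match wins
        if chosen is not None and chosen["log"]:
            self.log.append(f"{decision} {direction} {pkt['proto']} "
                            f"{pkt['src']}:{pkt.get('sport', '-')} -> {pkt['dst']}:{pkt.get('dport', '-')}")
        if decision == "pass" and chosen["keep_state"]:
            self.state.add(key)
        if decision == "block" and chosen is not None and chosen["return"]:
            return "block", chosen["return"]
        return decision, "rule"

if __name__ == "__main__":
    fw = Filter(["block in log all",
                 "pass out quick proto tcp from 10.1.0.0/16 to any port = 80 flags S/SA keep state"])
    print(fw.check({"proto": "tcp", "src": "10.1.2.3", "sport": 40000, "dst": "203.0.113.9", "dport": 80, "flags": "S"}, "out"))
    print(fw.check({"proto": "tcp", "src": "203.0.113.9", "sport": 80, "dst": "10.1.2.3", "dport": 40000, "flags": "SA"}, "in"))
```

The flow key is sorted so that the SYN-ACK coming back hits the same state entry as the outbound SYN that created it; a real kernel filter also ages entries out and checks sequence windows, which this sketch omits. When no rule matches, the sketch blocks.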

Select the solution

Purpose

A firewall consists of a powerful server system with a specific operating system and software, connected to the network through network devices: hubs, switches, routers, ...

The choice of server, network devices, operating system, and protection and control software determines the applicability, the access speed and the cost.

In this section we present three connection solutions. For each option we analyze in detail the connection model, the hardware requirements, and the advantages and disadvantages.

Solutions implemented

Given the requirement to protect and control the system, there are several feasible options. Depending on the strategy and the level of protection required, one of the following connection models may be selected:

Direct connection
Parallel connection
Indirect connection

For each model the hardware and software equipment differ, so the implementation costs differ, as do the capacity and scope. Since the scope of this solution is to set up a firewall for an existing network, the existing devices, software and network traffic are taken as given and not discussed here; if needed we will present them in the network solution.

Direct connection

The firewall is located between the intranet and the Internet (the intranet here means the internal network to be protected, and the Internet the external network). All traffic going out or coming in must pass through the firewall.

Network model

The external connection goes from the router through the hub to the firewall server, and then on to the internal network. All incoming packets are received by the firewall server; those that pass validation are forwarded, and those that do not are dropped immediately. Access requests in the outgoing direction are controlled by the firewall in the same way.

The firewall software is installed on the server. For control purposes, managers can purchase the full firewall software package or only part of it; with a partial purchase, only access through the purchased services is controlled. There is also the option of allowing only certain services.

Note that the stronger the server configuration, the faster the processing, so that the time spent in the firewall becomes insignificant.

Hardware requirements

1 x Server: SUN / HP / IBM / ... 2CPU, 332Mhz, 256MB RAM, 4GB HD, CD ROM, Ethernet Card, Monitor, Mouse or higher
1 x HUB: 3Com / IBM / HP / ...

Software requirements

1 x OS: UNIX / NT
1 x Firewall Software (depending on your selection)

Advantages

Cost is lower than the other solutions.
Ability to control all access from outside and from inside.
Allows statistics, management and evaluation of system access; good support for decision-makers.
System configuration is simple.

Disadvantages

When the server has a problem (hang, physical failure, ...), all access from the outside as well as from the inside is stopped.
Direct parallel connection

The firewall is located between the intranet and the Internet (the intranet here means the internal network to be protected, and the Internet the external network). All traffic going out or coming in must pass through the firewall.

This model uses two firewall installations in parallel or in main-standby mode. If one set fails, the other takes over the whole job.

Network model

The external connection goes from the router through the hub to the servers, and then on to the internal network. All incoming packets are received by the server; those that pass validation are forwarded internally, and those that do not are dropped. Access requests in the other direction are controlled in the same way.

The firewall software is installed on the two servers. As with the direct connection, managers can purchase the full package or only part of it; with a partial purchase, only access through the purchased services is controlled. There is also the option of allowing only certain services.

The stronger the server configuration, the faster the processing speed, and the less time the firewall needs to process.

If set up in standby mode, the second (standby) server can be given a more modest hardware configuration.

Hardware requirements

1 x Main Server: SUN / HP / IBM / ... 4CPU, 332Mhz, 256MB RAM, 4GB HD, CD ROM, Ethernet Card, Monitor, Mouse or higher
1 x Standby Server: SUN / HP / IBM / ... 2CPU, 332Mhz, 128MB RAM, 4GB HD, CD ROM, Ethernet Card, Monitor, Mouse or higher
2 x Hub: 3COM / IBM / HP / ...
Cable, connectors, ...

Software requirements

OS: UNIX / NT installed on the 2 servers (possibly 1 NT and 1 UNIX, or both UNIX, or both NT)
Firewall Software (depending on your selection) installed on the 2 servers

Advantages

Fast, high performance.
Ability to control all access from outside and from inside.
Allows statistics, management and evaluation of system access; good support for decision-makers.

Disadvantages

High implementation cost.
Complex configuration.
Problems keeping the two systems synchronized.
Indirect connection

A solution used to monitor access between the intranet and the Internet without affecting the current operation of the network. As a consequence, it cannot prohibit access.

The firewall is set up alongside the link between the intranet and the Internet (the intranet here means the internal network to be protected, and the Internet the external network). The information exchanged is simultaneously copied to the firewall.

Network model

There is a switching device between the two networks. This device keeps the existing flow of information on the current link and at the same time creates a copy of the same traffic for the firewall. This stream includes both external and internal traffic.

The firewall software is installed on the server, which receives all the information copied from the device and then writes it to storage.

Note that this firewall does not change any packets. At the same time, it cannot prohibit or allow the services exchanged between the two networks.

Hardware requirements

1 x Server: 2CPU, 332Mhz, 128MB RAM, 4GB HD, CD ROM, Ethernet Card, Monitor, Mouse or higher
Switches

Software requirements

1 x OS: UNIX / NT installed on the server
1 x Firewall Software (depending on your selection)

Advantages

The cost of implementation is low compared to the other solutions.
Ability to record statistics on all accesses from outside and from inside.

Disadvantages

Cannot prevent deliberate or destructive access from the outside or from the inside.