In the preceding chapter, you saw how the philosophy of firewall design has evolved from packet-filter-oriented designs toward zone-based designs. In this chapter, we discuss several well-known firewall designs and describe the filtering policies used in them. These designs then serve as the blueprints for the following implementation chapters, in which you’ll see how you can translate a zone-based design directly into Cisco IOS configuration commands.
Note
Network designers who are already familiar with the zone-based firewall design principles can skip this chapter and continue to the implementation section. All other readers are highly advised to read it, because a well-thought-out and well-documented design almost always results in superior implementation.
The simplest possible design is a protected LAN connected to the public IP network (for example, the Internet) through a firewall. No publicly accessible servers reside in the protected LAN (which means, for example, that the users connected to the LAN have to download their e-mails from somewhere else—for example, from their Yahoo! or Hotmail accounts). Figure 2-1 shows a simple firewall design.
Note
All the firewall policy tables in this book assume a stateful firewall implementation, so there are no special entries for the return packets.
Two firewall policies are commonly used in such setups:
Permissive policy (documented in Table 2-1), where the internal users can access any service on the Internet
Restrictive policy (documented in Table 2-2), where the internal users can access only a restricted set of services (for example, web and mail services)
Table 2-2. Restrictive Firewall Policy
Client Zone
Server Zone
Sessions Allowed
Inside
Outside
DNS (UDP port 53) to ISP’s name servers
ICMP echo
HTTP (TCP port 80) to everywhere
HTTPS (TCP port 443) to everywhere
FTP (TCP port 21) to everywhere
POP3 (TCP port 110) to ISP’s e-mail servers
SMTP (TCP port 25) to ISP’s e-mail servers
Outside
Inside
None
When establishing a restrictive inside-to-outside policy, consider the following caveats:
Internet Control Message Protocol (ICMP) echo has to be enabled to allow the internal users to use ping for connectivity troubleshooting.
Domain Name Service (DNS) on UDP port 53 has to be enabled; otherwise, the internal clients will not be able to resolve the hostnames into IP addresses.
In some environments, additional UDP traffic has to be allowed to support the traceroute program.
Post Office Protocol version 3 (POP3) or Internet Message Access Protocol (IMAP) as well as Simple Mail Transfer Protocol (SMTP) to some external server (for example, the Internet service provider’s servers) have to be enabled to allow users to receive and send e-mail.
Web servers sometimes use nonstandard port numbers. If your users want to access those servers, you must enable access to specific ports on specific IP addresses.
Note
Most versions of Windows use ICMP to trace the path to the destination host. UDP packets as the trace packets are used by some UNIX environments (for example, Linux) as well as Cisco IOS.
Note
TCP ports needed for FTP data sessions are identified automatically by the stateful firewall implementations. If you’re not using a stateful firewall, you need to allow TCP port 20, too, and advise the clients to use passive FTP.
The simple LAN-to-Internet firewall design successfully addresses the needs of small home offices and small companies (SOHO environment) that do not own e-mail or web servers. If customers want to run their own publicly accessible servers, however, the firewall policies have to be changed to allow incoming sessions (for example, incoming SMTP and HTTP sessions). Because of the many times hackers have successfully exploited publicly accessible servers to penetrate private networks, it’s almost a necessity to put such servers into a separate zone, as described in the next section.
There are two common ways of designing a firewall with a perimeter network (also known as demilitarized zone [DMZ]) containing public servers:
A simple setup in which all three zones are connected to the same networking device, as shown in Figure 2-2.
A more complex setup with two firewalls and a transit perimeter network, as shown in Figure 2-3. This setup is slightly more secure because the two networking devices are configured independently, thus reducing the risk of a fatal configuration error (defense-in-depth principle).
As in the preceding section, a firewall with a perimeter network can implement a permissive firewall policy, where the internal users can access any service on the public network, or a more restrictive one, as documented in Table 2-3.
Table 2-3. Restrictive Policy of a Firewall with a Perimeter Network
Client Zone | Server Zone | Sessions Allowed |
|---|---|---|
Inside | Outside | ICMP echo, HTTP, HTTPS (Optionally) FTP |
Outside | Inside | None |
Inside | Perimeter | HTTP (to access own public web server) SMTP from inside mail server to perimeter e-mail server DNS ICMP echo FTP and SSH for server management |
Perimeter | Inside | SMTP to inside mail server (to deliver inbound e-mail) |
Perimeter | Outside | DNS SMTP (to deliver outbound e-mail) |
Outside | Perimeter | DNS (as the customer runs the authoritative name server for its domain) HTTP to public web server SMTP to public mail server (Optional) FTP to public FTP server (Many sites are replacing FTP with HTTP because its single-session design does not cause any firewall issues.) |
When designing a restrictive firewall policy, you must consider the implementation details of the DNS and e-mail services. DNS service can be implemented in the following ways:
The customer does not run a DNS server. In this case, DNS requests from inside to an outside (ISP-owned) DNS server must be permitted.
The customer runs a caching DNS server in the perimeter network but does not control its own domain. In this case, DNS requests flow from inside to the perimeter and from the perimeter to outside.
The customer runs an authoritative DNS server for its domain in the perimeter network. This server usually acts as a caching DNS server for the inside clients. In this setup, the DNS requests to the perimeter DNS server arrive from inside and outside zones, and the perimeter DNS server (when acting on behalf of the inside clients) sends DNS requests to the outside. Table 2-3 describes this scenario.
The customer runs a caching name server on the inside network and an authoritative name server on the perimeter network. DNS requests thus flow from the inside server to the outside. There is also a bidirectional flow of requests between the perimeter server and the outside.
E-mail service can also be implemented in several ways:
Most commonly (also assumed in Table 2-3), the customer runs an internal e-mail server that uses SMTP to communicate with the outside world. In this case, bidirectional SMTP is required between the inside server and the perimeter server and between the perimeter server and any host on the outside, assuming the perimeter server is using DNS Mail Exchange (MX) records to deliver outbound mail.
The customer could also decide to store all external e-mail on the perimeter server. In this scenario, bidirectional SMTP is needed between the perimeter server and outside servers. Inside clients use SMTP to send mail to the perimeter server and POP3 or IMAP to retrieve it from the perimeter server.
The firewall policy just documented is extremely restrictive, allowing only the minimum number of services needed. This results in a secure network (for example, if the perimeter server is compromised, it cannot be used to launch attacks on other networks), but it could also lead to reduced robustness of the network. (For example, if the perimeter server is compromised, the inside clients cannot access the Internet because the DNS services are no longer accessible.)
Note
DNS service between the inside and the perimeter zones is no longer needed when using HTTP proxy, because the external hostnames are passed as strings in HTTP requests to the proxy server.
Some large organizations opt for an even more restraining policy with proxy servers in the perimeter network, thus eliminating any direct traffic between the internal network and the public Internet, as illustrated in Table 2-4.
Table 2-4. Policy of a Firewall with Proxy Servers in the Perimeter Network
Client Zone | Server Zone | Sessions Allowed |
|---|---|---|
Inside | Outside | None |
Outside | Inside | None |
Inside | Perimeter | HTTP, HTTPS (to access proxy web server) ICMP echo SMTP from inside mail server to perimeter mail server FTP and SSH for server management |
Perimeter | Inside | SMTP to internal e-mail server (to deliver inbound e-mail) |
Perimeter | Outside | DNS SMTP from perimeter mail server (to deliver outbound e-mail) HTTP, HTTPS (proxy access to the web) (Optional) FTP ICMP echo |
Outside | Perimeter | DNS (only if the customer runs its own name server) HTTP to public web server SMTP to public mail server (Optional) FTP; see also comments in Table 2-3 |
The transition from the single-device design (Figure 2-2) to the design with a transit perimeter network (Figure 2-3) illustrates one of the advantages of a well-documented zone-based design: Because all the firewall policies have already been documented, they don’t have to be designed from scratch. You merely split the overall firewall policy into two parts: the inner firewall handles policies from inside to everywhere else, and the outer firewall handles policies from outside to everywhere else. In fact, two zones are merged into one on each of the devices (perimeter and outside zones are merged into the perimeter zone on the inner firewall, and perimeter and inside zones are merged into the perimeter zone on the outer firewall), resulting in policies shown in Table 2-5 and Table 2-6 (assuming a transit perimeter network with proxy servers). The merge is extremely simple because the previous firewall policy did not allow any direct traffic between the inside and outside zones.
Table 2-6. Policy of the Outer Firewall
Client Zone | Server Zone | Sessions Allowed |
|---|---|---|
Perimeter | Outside | DNS SMTP from perimeter mail server (to deliver outbound e-mail) HTTP, HTTPS (proxy access to the web) (Optional) FTP ICMP echo |
Outside | Perimeter | DNS (only if the customer runs its own name server) HTTP to public web server SMTP to public mail server (Optional) FTP |
As we move from simple SOHO designs to more-complex corporate designs, robustness and availability become more and more important. To reach high availability, network designers usually deploy redundant setups in which each critical device is duplicated, resulting in a design similar to the one shown in Figure 2-4.
This scenario does not change the firewall policies. All the rules outlined in the preceding section are still valid (yet another benefit of a good design independent of the physical implementation).
Firewalls deployed by large organizations usually contain several zones in addition to the ones discussed in the previous sections. Typical large-scale firewalls include zones to support the following:
Network administrators—. Clients in this zone would have privileged access to servers in the perimeter network. For example, they could open Secure Shell (SSH) sessions to them to change their configuration and perform other maintenance duties.
Remote IPsec users—. Individual users accessing the corporate network with IPsec-encrypted sessions over the public Internet would be in this zone. These users have limited access to the resources in the internal network; their access to the perimeter network is usually equal to access granted to the regular internal users.
Remote offices—. This zone is similar to individual users using IPsec to access the internal network. However, because the remote offices are usually under stricter physical control (so that the risk of an intruder gaining access through a remote office is lower), users in the remote offices would have access to more internal resources than the individual users.
E-commerce perimeter network—. Publicly accessible e-commerce servers usually execute transactions on internal database servers. They are therefore best separated from other public servers; otherwise, an intruder gaining access to any public server could penetrate the internal database.
Note
This design uses a restrictive policy for inside clients with no HTTP proxy. For a less-restrictive policy or a policy with HTTP proxies, replace individual items in Table 2-7 with entries from the previous sections. The design also assumes that the organization does not offer public FTP service.
Not surprisingly, the firewall policy for such a firewall is substantial, as shown in Table 2-7.
Table 2-7. Firewall Policy of a Complex Firewall
Client Zone | Server Zone | Sessions Allowed |
|---|---|---|
Inside VPN users VPN offices | Perimeter | ICMP echo HTTP to web servers SMTP to mail servers DNS to name servers |
Inside VPN users VPN offices | E-commerce | ICMP echo HTTPS to e-commerce servers |
Inside VPN users VPN offices | Outside | ICMP echo, HTTP, HTTPS, FTP |
Administrators | Perimeter | HTTP to web servers SMTP to mail servers DNS to name servers SSH to all servers FTP to all servers SNMP to all servers |
Administrators | E-commerce | HTTPS, SSH, FTP, and SNMP to all servers |
Administrators | Outside | All services granted to inside users Additional services if needed |
Administrators | VPN users | All (to support remote users) |
Administrators | VPN offices | All (to support remote offices) |
Perimeter | Inside | SMTP to internal e-mail server Minimum set of ICMP traffic |
Perimeter | Outside | DNS SMTP |
E-commerce | Inside | SQL transactions |
VPN users | Inside | Access to a subset of internal servers RADIUS from VPN concentrator to authentication server |
Outside | VPN users | IPsec traffic (ISAKMP + ESP) |
VPN offices | Inside | Access to a less-restricted set of internal servers RADIUS from VPN concentrator to authentication server |
Outside | VPN offices | IPsec traffic (ISAKMP + ESP) |
Note
Missing zone pairs in the table indicate that no traffic is allowed between those zones. For example, the e-commerce servers cannot initiate sessions to the outside zone, further limiting complex exploits.
Such a complex firewall is almost always implemented with multiple devices to improve its resiliency and reduce the complexity of each individual device’s configuration. Assuming a two-device nonredundant setup, you could end up with a design similar to the one in Figure 2-5.
As you saw in the preceding section, firewalls of larger organizations tend to become rather complex. Developing a good overall firewall policy in such cases can be a complicated, tedious, and error-prone task. It’s therefore best to approach the complex firewalls with the millennia-old divide-and-conquer principle. In the example from the preceding section, you could split the problem into three independent smaller firewalls, as shown in Figure 2-6.
The firewall policy of each individual smaller firewall is significantly less complex than the overall policy because it contains fewer security zones. Furthermore, the designer can now implement different physical setups for each firewall based on its resiliency and availability requirements. For example, under budget restrictions, the e-commerce firewall could be implemented as a redundant transit perimeter firewall design (see the section “ Redundant Firewall Designs” and Figure 2-4 earlier in this chapter), the perimeter firewall could use the nonredundant setup (see the “ Firewall with Public Servers” section), and the VPN firewall could be based on a simple LAN-to-Internet firewall design.
In this chapter, you have seen how you can use zone-based firewall design principles to design a variety of firewall solutions, ranging from simple firewalls suitable to SOHO environments to complex redundant solutions deployed by large organizations. In the next chapters, you’ll find out how you can use the zone-based policy firewall configuration feature of Cisco IOS to translate these designs into actual router configuration commands.