1 Firewall Overview EECS710 Fall 2006 Presenter: Michael Lea Professor Hossein Saiedian.
Posted: 21-Dec-2015 (Category: Documents)
![Page 1: 1 Firewall Overview EECS710 Fall 2006 Presenter: Michael Lea Professor Hossein Saiedian.](https://reader030.fdocuments.us/reader030/viewer/2022032704/56649d5d5503460f94a3c4fb/html5/thumbnails/1.jpg)
1
Firewall Overview
EECS710 Fall 2006
Presenter: Michael Lea
Professor Hossein Saiedian
2
Firewalls
1. Firewall Defined
2. Benefits
3. Firewall Misconceptions
4. Firewall Technologies
5. Application and Design
3
Firewall
6. Deployment Methodology
7. Monitoring, Maintenance, and Support
8. Firewall Selection Criteria
9. Deployment Exercise
10. Question and Answer
11. Summary
4
Firewall Defined
• A firewall is a security device configured to permit, deny, or proxy data connections
• Firewall rule sets are based upon the organization's security policy
• Firewalls can be hardware based, software based, or both
5
Firewall Defined
• A firewall's primary task is to control traffic between computer networks with different zones of trust
• Example of different zones: the internal (trusted) network and the Internet (untrusted)
6
Firewall Defined
• Firewalls are based on the principle of least privilege and separation of duties
• Firewalls require an experienced administrator
– Considerable understanding of network protocols
– In-depth knowledge of security assurance
7
Benefits of a firewall
• Provide additional security
• Protection between a private and a public network
• Provide internal protection within a private network for security access
• Controls to stop or limit the spread of viruses/worms
• Cost savings on circuit costs
8
Benefits of a firewall
• Business enabler
– Connect your company to the Internet
– Provide remote access
• Enforce security policy by controlling network access
• Disaster recovery
9
Firewall Misconceptions
• Security is holistic
• Firewalls can give a false sense of security
– Wireless network
– Small mistakes can render a firewall worthless as a security tool
– Modem bypass
10
Firewall Misconceptions
[Diagram: Internet → Internet Router → Firewall, with Outside, Inside, and DMZ zones; WWW Server and Email Server in the DMZ; an Internet worm reaches the DMZ web server over TCP 80, which is open]
11
Firewall Misconceptions
[Diagram: Internet → Internet Router → Firewall (Outside/Inside); a web surfer on the inside browses a malicious web site that serves ActiveX controls and Java]
12
Firewall Technologies
• Application Firewall
• IPS
• Anti-X
• NAT/PAT
• HA
• VPN
• Content Filter
13
Application Firewall
• Provides protection to application servers
• Can provide protection to web servers
• Provides critical protection that IPS and other security tools cannot provide
14
Protection Provided for
• SQL Injection
• Cross-Site Scripting
• Command Injection
• Cookie/Session Poisoning
• Buffer Overflow
• Zero Day Attacks
• Many other attacks and hacks
15
SQL Injection
Standard login – web-based application
16
SQL Injection
User has access to view her salary information
17
SQL Injection
Hacker using SQL Injection
18
SQL Injection
Instead of authenticating the user, it returns the salary results
19
SQL Injection
Hacker changes the payroll database
"SELECT * FROM TableSalary where EmployeeID='' OR 1=1; INSERT INTO TableSalary (EmployeeID, EmployeeName, Salary, IncomeTax, ProfessionalTax, HRA) VALUES (5,'Bad','$70,000', 0, 0, 0)--'"
20
SQL Injection
The results of the new salary change
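As an added example (not part of the original slides), the salary lookup behind the pages above written two ways in Python with sqlite3: a string-concatenated query that the deck's `' OR 1=1` input turns into a query for every row, and a parameterized query that treats the same input as a literal EmployeeID and returns nothing. The table, its two rows, and the function names are constructed here; the column names follow the slide's TableSalary.

```python
import sqlite3

# Constructed sample data; column names follow the deck's TableSalary.
SCHEMA = """
CREATE TABLE TableSalary (
    EmployeeID TEXT, EmployeeName TEXT, Salary TEXT,
    IncomeTax INTEGER, ProfessionalTax INTEGER, HRA INTEGER);
INSERT INTO TableSalary VALUES ('1', 'Alice', '$50,000', 5000, 200, 1000);
INSERT INTO TableSalary VALUES ('2', 'Bob',   '$45,000', 4500, 200, 900);
"""

# The input from the slide, minus the stacked INSERT: sqlite3's execute()
# refuses to run more than one statement, so that part is not reproduced here.
INJECTED_ID = "' OR 1=1--"


def make_db():
    """Create an in-memory database holding the constructed payroll table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, employee_id):
    """Build the query by concatenation: the input becomes part of the SQL text."""
    sql = "SELECT * FROM TableSalary WHERE EmployeeID='" + employee_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, employee_id):
    """Bind the input as a parameter: it is only ever compared as data."""
    sql = "SELECT * FROM TableSalary WHERE EmployeeID=?"
    return conn.execute(sql, (employee_id,)).fetchall()


def demo():
    """Row counts returned for a normal ID and for the injected input, both ways."""
    conn = make_db()
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "1")),
        "injected_vulnerable": len(lookup_vulnerable(conn, INJECTED_ID)),
        "normal_parameterized": len(lookup_parameterized(conn, "1")),
        "injected_parameterized": len(lookup_parameterized(conn, INJECTED_ID)),
    }


if __name__ == "__main__":
    print(demo())
```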
21
IPS
Intrusion Protection Systems (IPS) provide deep packet inspection to protect network assets
22
IPS
Provide protection against attacks
• Protects critical network infrastructure
• Protects servers from worms
• Provide zero-day attack protection
23
Anti-X
Provides protection from the following threats:
• Spyware
• Spam
• Malware
• Phishing attempts
• Virus protection
24
NAT/PAT
NAT (Network Address Translation)
• Used to map a public address to a private address
• Also known as network masquerading or IP masquerading
• Involves rewriting the source and/or destination addresses of IP packets as they pass through a router or firewall
• Private network addresses are 192.168.x.x, 172.16.x.x through 172.31.x.x, and 10.x.x.x
• Can also be utilized when address spaces overlap
25
NAT/PAT
[Diagram: NAT Example – Internet on the outside of the firewall (addresses 23.2.29.30 on the outside and 10.1.1.1 on the inside); Email Server 10.1.1.10 and Web Server 10.1.1.20 on the inside]
NAT Rule
Map 23.2.29.30 → 10.1.1.10
Map 23.2.29.30 → 10.1.1.20
26
NAT Overloading
• NAT overloading is used to conserve address space
• Only 4,294,967,296 addressable host devices with IPv4
• NAT overload utilizes a unique TCP or UDP source port (1024-65535)
27
PAT
[Diagram: PAT Example – same layout as the NAT example: Internet on the outside of the firewall (23.2.29.30 outside, 10.1.1.1 inside); Email Server 10.1.1.10 and Web Server 10.1.1.20 on the inside]
PAT Rule
Map 23.2.29.30 – TCP 80 (WWW), TCP 443 → 10.1.1.20
Map 23.2.29.30 – TCP 25 (SMTP) → 10.1.1.10 (25)
*** PAT only requires one registered address
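The following Python model is an added example, not from the slides; it implements the port-overloading behaviour described on the NAT Overloading slide together with the static PAT rules from the PAT Example, using the deck's addresses (23.2.29.30 as the single registered address, 10.1.1.10 for the email server, 10.1.1.20 for the web server). The class and method names are this example's own.

```python
PUBLIC_IP = "23.2.29.30"  # the single registered address from the PAT Example

# Static PAT rules from the slide: (protocol, public port) -> (inside host, inside port)
STATIC_RULES = {
    ("tcp", 80): ("10.1.1.20", 80),    # WWW -> web server
    ("tcp", 443): ("10.1.1.20", 443),  # TCP 443 -> web server
    ("tcp", 25): ("10.1.1.10", 25),    # SMTP -> email server
}


class PatTable:
    """Overloads one public address by handing each inside flow its own source port."""

    def __init__(self, public_ip=PUBLIC_IP, static_rules=None,
                 first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.static = dict(STATIC_RULES if static_rules is None else static_rules)
        self.next_port = first_port  # overload ports come from 1024-65535, as on the slide
        self.last_port = last_port
        self.outbound = {}  # (proto, inside_ip, inside_port) -> public port
        self.inbound = {}   # (proto, public port) -> (inside_ip, inside_port)

    def _allocate(self, proto):
        # Skip ports already used by a dynamic entry or reserved by a static rule
        while self.next_port <= self.last_port:
            port = self.next_port
            self.next_port += 1
            if (proto, port) not in self.inbound and (proto, port) not in self.static:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, proto, src_ip, src_port):
        """Rewrite an inside source (ip, port) to (public_ip, unique public port)."""
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            port = self._allocate(proto)
            self.outbound[key] = port
            self.inbound[(proto, port)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, proto, dst_port):
        """Map a packet arriving at public_ip:dst_port back to an inside host, or None."""
        if (proto, dst_port) in self.static:      # published server
            return self.static[(proto, dst_port)]
        if (proto, dst_port) in self.inbound:     # reply to an outbound flow
            return self.inbound[(proto, dst_port)]
        return None  # no translation exists: unsolicited inbound traffic is dropped


def demo():
    """Two inside hosts using the same source port still get distinct public ports."""
    table = PatTable()
    mail = table.translate_outbound("tcp", "10.1.1.10", 40000)
    web = table.translate_outbound("tcp", "10.1.1.20", 40000)
    reply = table.translate_inbound("tcp", mail[1])
    published = table.translate_inbound("tcp", 80)
    return mail, web, reply, published


if __name__ == "__main__":
    print(demo())
```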
28
HA
High Availability
29
VPN
• A VPN provides a secure connection across an untrusted network by utilizing encryption
• VPN can be used for wide area connectivity
• VPN can be used for host-based connections
• Can be utilized for a backup connection
30
VPN Deployment
Site-to-Site Deployment
31
VPN Client Deployment
• SSL VPN
• IPSEC
• Security checks on local client
– Check for virus protection
– Check for keystroke logger
– Provide for client cleanup after the session is completed
33
VPN Split Tunneling
34
VPN Best Practices
• Utilize AES – 256 bit
• Utilize security checks on clients
• Disable split tunneling
• Utilize two-factor authentication, to include two of the following
– Token-based authentication
– Password
– Biometrics
35
Content Filtering
• Used to filter access to web sites
• Can also limit access to other services such as IM, FTP, P2P, and other services
• Provides for additional security
– Phishing protection
– Malicious sites blocked
• Provides for monitoring of employee activity
• Controls employee access based on HR policies
36
Content Filtering
Typical content filtering deployment
37
Deployment
Simple Firewall Deployment
[Diagram: Internet → Internet Router → Firewall, with Outside, Inside, and DMZ zones; WWW Server and Email Server in the DMZ]
38
Multiple Firewall Deployment
[Diagram: Internet → Internet Router → Firewall, with Outside, Inside, and DMZ zones (WWW Server and Email Server in the DMZ); separate firewall segments, each labelled Outside/Inside, for the Data Center, Branch Office, and Business Partner connections]
39
Deployment Best Practices
• Test the deployment before placing it into production
• Verify all features and functions
• Verify security
• Run security tests against the firewall deployment to test security
40
Monitoring, Maintenance, and Support
• Monitoring must take place or security incidents may go unnoticed and undetected
• To maintain ongoing security assurance, firewalls must be monitored, maintained, and supported
• Firewalls that do not receive appropriate ongoing maintenance will be less effective as new security threats arise
• Vendor support must be maintained or new security threats will be able to exploit the firewall
41
Monitoring
• At a minimum, firewall logs should be monitored on a daily basis
• Firewall alerts that register as high should be reacted to in real time
42
Monitoring SIM
SIM (Security Incident Management)
• Provides a central logging point for all security reporting devices
• Built-in rule set to provide event correlation from security devices
• Centralizes security monitoring
43
SIM
Correlates data from
• Syslog
• SNMP
• SDEE
• Netflow
• Endpoint event logs
44
SIM
45
SIM Benefits
• Centralized repository for security events
• Classification of security incidents
• Rapidly locate and mitigate an attack
• Reduction of false positives
• Leverage your investment in security equipment
• Reduction of security events with the use of correlation
46
Maintenance
• Monitor your vendor for security updates and/or patches
• Run periodic security assessments against your firewall (inside and outside assessments)
• Verify that the firewall software level is up to date
• Monitor the industry for new technologies
• Keep a close watch within the security community for new attack vectors
47
Support
• Maintain ongoing support contracts on equipment while it is in production
• Have skilled staff to support your firewall or outsource the activity to a Security Service provider
48
Firewall Selection
When making a firewall purchase, the following items should be considered
• Security
• Features (IPS, AV control, etc.)
• Cost
• Maintenance cost
49
Firewall Selection
• Vendor support model
• Logging and monitoring support
• Performance requirements
– Maximum connections
– Maximum connections/second
– Maximum firewall throughput
50
Firewall Selection
• Future scaling requirements
• HA (Active/Active, Active/Passive, or none)
• Content filtering
• Number of supported interfaces
• Types of supported interface (fiber, copper, and/or WAN)
51
Firewall Selection
• Management software (single firewall or enterprise management)
• Reliability (MTBF)
• Routing protocol support
52
Summary
Firewalls are an integral part of the network and provide for security assurance
Firewalls are constantly changing as information security technology changes
As technology changes, it is critical for security managers and decision makers to adapt to new security threats and challenges
53
Deployment Exercise
SMTP Deployment
54
Deployment Exercise
!--- Define the IP address for the inside interface.
interface Ethernet3
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
55
Deployment Exercise
!--- Define the IP address for the outside interface.
interface Ethernet4
 nameif outside
 security-level 0
 ip address 209.164.3.1 255.255.255.248
56
Deployment Exercise
!--- Create an access list that permits Simple Mail Transfer Protocol (SMTP) traffic
!--- from anywhere to the host at 209.164.3.5 (our server). The name of this list is smtp.
!--- Add additional lines to this access list as required.
!--- Note: There is one and only one access list allowed per interface per direction
!--- (for example, inbound on the outside interface).
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
57
Deployment Exercise
!--- Specify that any traffic that originates inside from the 192.168.2.x network
!--- NATs (PAT) to 209.164.3.1 if such traffic passes through the outside interface.
global (outside) 1 209.164.3.1
nat (inside) 1 192.168.2.0 255.255.255.0
58
Deployment Exercise
!--- Define a static translation between 192.168.2.57 on the inside and
!--- 209.164.3.5 on the outside. These are the addresses to be used by
!--- the server located inside the PIX Firewall.
static (inside,outside) 209.164.3.5 192.168.2.57 netmask 255.255.255.255
59
Deployment Exercise
!--- Apply the access list named smtp inbound on the outside interface.
access-group smtp in interface outside
60
Deployment Exercise
!--- Instruct the PIX to hand any traffic destined for 192.168.x.x
!--- to the router at 192.168.1.2.
route inside 192.168.0.0 255.255.0.0 192.168.1.2 1
61
Deployment Exercise
!--- Set the default route to 209.164.3.2.
!--- The PIX assumes that this address is a router address.
route outside 0.0.0.0 0.0.0.0 209.164.3.2 1
62
Deployment Exercise
!--- SMTP/ESMTP is inspected as "inspect esmtp" is included in the map.
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
63
Deployment Exercise
Control access from our SP spool server
Original config:
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
To allow only 202.202.202.25:
access-list smtp extended permit tcp host 202.202.202.25 host 209.164.3.5 eq smtp
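As an added example (not from the slides or from Cisco), a small Python evaluator for the two access-list lines above: it parses the PIX extended ACE syntax the exercise uses (`any` / `host A.B.C.D`, `eq` with a service name), applies the entries top to bottom with the implicit deny at the end, and maps a permitted destination through the static translation 209.164.3.5 → 192.168.2.57 from slide 58. The source address 198.51.100.7 used in the demo is constructed, and the function names are this example's own.

```python
import ipaddress

# Service names to ports for the 'eq <name>' form the exercise uses (constructed subset)
SERVICE_PORTS = {"smtp": 25, "www": 80, "https": 443}

# Static translation from slide 58: outside address -> inside server address
STATIC_XLATE = {"209.164.3.5": "192.168.2.57"}

ACL_ORIGINAL = ["access-list smtp extended permit tcp any host 209.164.3.5 eq smtp"]
ACL_TIGHTENED = ["access-list smtp extended permit tcp host 202.202.202.25 host 209.164.3.5 eq smtp"]


def _parse_addr(tokens, i):
    """Consume one address spec ('any' or 'host A.B.C.D') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError("unsupported address spec: " + tokens[i])


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = SERVICE_PORTS.get(t[i + 1]) or int(t[i + 1])
    return {"name": t[1], "action": t[3], "proto": t[4], "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """Decide a packet arriving inbound on the outside interface.

    Returns (decision, inside_destination): the first matching entry wins, and a
    packet that matches nothing hits the implicit deny at the end of the list.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in (proto, "ip"):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if ace["action"] == "permit":
            return "permit", STATIC_XLATE.get(dst_ip)
        return "deny", None
    return "deny", None


def demo():
    """Same packets evaluated against the original and the tightened list."""
    anywhere = "198.51.100.7"  # constructed 'somewhere on the Internet' source
    return {
        "original_any_smtp": evaluate(ACL_ORIGINAL, "tcp", anywhere, "209.164.3.5", 25),
        "original_any_http": evaluate(ACL_ORIGINAL, "tcp", anywhere, "209.164.3.5", 80),
        "tightened_other_smtp": evaluate(ACL_TIGHTENED, "tcp", anywhere, "209.164.3.5", 25),
        "tightened_spool_smtp": evaluate(ACL_TIGHTENED, "tcp", "202.202.202.25", "209.164.3.5", 25),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```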
64
Question and Answer
65
Close