Firewall Advance


INTERNATIONAL UNIVERSITY
School of Computer Science and Engineering

LAB 5: Firewall

Course: ..........................   Lecturer: Pham Van Hau
Date: ............................   Duration: 180 minutes

Student ID: ......................   Student name: ......................

A. Setup description

Deploy nodes as depicted in the following schema.

As we can observe, there are two types of nodes in our deployment: firewalls and normal nodes. To save the resources of your physical machine, we use Linux distributions that require limited resources. For this purpose, we use Damn Small Linux (DSL) for the nodes and Ubuntu for the two firewalls. These machines form three different networks. In fact, in_node (10.1.1.2) is a machine in the internal network; server (10.0.1.10) is in the DMZ zone; ex_node (192.168.1.10) is supposed to be a machine from the Internet.

Note: The two firewalls also play the role of routers. Taking advantage of the knowledge gained from the previous lab, do what is necessary to make sure that all nodes can ping each other.

The detailed configuration is as follows:

Machine   # of network adapter cards   Description
In_node   1                            Eth0 (ip=10.1.1.2) connects to VMNET 5
FW2       2                            Eth0 (ip=10.1.1.1) connects to VMNET 5
                                       Eth1 (ip=10.0.1.254) connects to VMNET 6
Server    1                            Eth0 (ip=10.0.1.10) connects to VMNET 6
FW1       2                            Eth0 (ip=10.0.1.1) connects to VMNET 6
                                       Eth1 (ip=192.168.1.1) connects to VMNET 7
Ex_node   1                            Eth1 (ip=192.168.1.10) connects to VMNET 7

NOTE:

To become root on the DSL machine, execute "sudo su". To configure the IP address, you can use "ifconfig eth0 IP". You need to delete all the default routes in the virtual machines and add the necessary information manually.

To delete a route:
    route del -net 10.0.0.0 netmask 255.0.0.0

To add a route (via a gateway):
    route add -net 10.0.0.0 netmask 255.0.0.0 gw IP_OF_THE_GATEWAY

To configure the default gateway:
    route add default gw IP_OF_THE_GATEWAY

To view the routing table, there are at least two ways:
    route
    netstat -rn

B. Tasks

Task 1: On FW2

Verify that, from the in_node machine:
o "ping 10.1.1.1" works
o "ping 10.0.1.10" works; if not, on FW2 execute the command "echo 1 > /proc/sys/net/ipv4/ip_forward"

Do "iptables -P INPUT DROP". From in_node, ping 10.1.1.1 and 10.0.1.10 again. Explain what happens.

Task 2: On FW2

Do "iptables -L" and observe the output. Do "iptables -P FORWARD DROP". Do "iptables -L" again and observe the output. What has changed since the previous time? Ping server from in_node; does it work? Explain.

Task 3: On FW2, do

o iptables -A FORWARD -d 10.1.1.2 -p icmp -j ACCEPT
o iptables -A FORWARD -d 10.0.1.10 -p icmp -j ACCEPT

Ping server from in_node; does it work? Explain.

Hint: read the Appendix A and B to answer this question.


Task 4: Why do I need a DMZ?

Task 5: Do I always need to have two separate firewalls to make a DMZ? If an alternative exists, describe it.

Task 6: On FW2, modify the iptables rules so that in_node can connect to server on port 80, but server cannot initiate a connection to in_node.

Hint: add "-m state --state NEW,ESTABLISHED,RELATED" to the rule for the new connection and "-m state --state ESTABLISHED,RELATED" to the rule for the established connection.

Task 7: NAT is a solution for hiding the internal network from the Internet.

Suppose that 192.168.1.1 is the EXTERNAL IP address of the server. Modify the firewall so that, from in_node, if we connect to 122.122.122.5, FW2 will forward the connection to the server. (Hint: Google "NAT with iptables".)
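As an added example, not part of the lab handout: one FW2 ruleset that combines Tasks 3, 6 and 7, written in iptables-restore format so it is loaded atomically rather than rule by rule. It assumes 122.122.122.5 is the address in_node connects to (as Task 7 states) and that the script is run as root on FW2; anywhere else it only prints the ruleset.

```shell
# Added example (not the handout's own code): one iptables-restore ruleset for
# FW2 covering Task 3 (ICMP through a DROP policy), Task 6 (stateful HTTP from
# in_node to server only) and Task 7 (DNAT to server). Addresses per lab table.
IN_NODE=10.1.1.2
SERVER=10.0.1.10
NAT_IP=122.122.122.5   # address in_node connects to in Task 7

fw2_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT DROP (Task 1) only hits packets addressed to FW2 itself; keep
# loopback and replies to FW2's own connections working.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Task 3: under FORWARD DROP each direction of a ping needs a rule,
# otherwise the echo-request passes but the echo-reply is dropped.
-A FORWARD -d $IN_NODE -p icmp -j ACCEPT
-A FORWARD -d $SERVER -p icmp -j ACCEPT
# Task 6: in_node may open HTTP connections to server ...
-A FORWARD -s $IN_NODE -d $SERVER -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ... but server may only answer inside an existing connection (no NEW).
-A FORWARD -s $SERVER -d $IN_NODE -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Task 7: rewrite the destination before routing, so the FORWARD rules
# above match the real server address.
-A PREROUTING -s $IN_NODE -d $NAT_IP -p tcp --dport 80 -j DNAT --to-destination $SERVER
COMMIT
EOF
}

# As root on FW2: enable routing and load the ruleset atomically.
# Elsewhere (no root / no iptables): just print it for inspection.
apply_fw2_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        fw2_ruleset | iptables-restore
    else
        fw2_ruleset
    fi
}

case "${1:-}" in apply) apply_fw2_ruleset ;; esac
```

Run it as "sh fw2.sh apply" on FW2, then check the counters with "iptables -L -v -n" while pinging and fetching port 80 from in_node: the HTTP reply rule should count packets, while a connection attempt from server to in_node matches nothing and is dropped by the policy.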


APPENDIX A

(Most of the content hereafter is copied from http://articles.techrepublic.com.com/5100-22_11-5756029.html)

General Introduction to DMZ

If you think of the internal network as the "trusted" network and the external public network (the Internet) as the "untrusted" network, you can think of the DMZ as a "semi-trusted" area. It's not as secured as the LAN, but because it is behind a firewall, neither is it as non-secure as the Internet. You can also think of the DMZ as a "liaison network" that can communicate with both the Internet and the LAN while sitting between the two, as illustrated by Figure A.

Figure A

What does this accomplish? You can place computers that need to communicate directly with the Internet (public servers) in the DMZ instead of on your internal network. They will be protected by the outer firewall, although they are still at risk simply because they have direct contact with Internet computers. Because the DMZ is only "semi-secure," it's easier to hack a computer in the DMZ than on the internal network. The good news is that if a DMZ computer does get hacked, it doesn't compromise the security of the internal network, because it's on a completely separate, isolated network.

Why put any computers in this riskier network? Let's take an example: in order to do its job (make your Web site available to members of the public), your Web server has to be accessible to the Internet. But having a server on your network that's accessible from the Internet puts the entire network at risk. There are three ways to reduce that risk:

You could pay a hosting company to host your Web sites on their machines and network. However, this gives you less control over your Web servers.

You could host the public servers on the firewall computer. However, best security practices say the firewall computer should be dedicated solely to act as a firewall (this reduces the chances of the firewall being compromised), and practically speaking, this would impair the firewall's performance. Besides, if you have a firewall appliance running a proprietary OS, you won't be able to install other services on it.

The third solution is to put the public Web servers on a separate, isolated network: the DMZ.

Firewall rules

You should be able to configure separate rules for evaluating traffic depending on its origin and destination. That is, there should be separate rules for:

1. Incoming traffic from the Internet to the DMZ
2. Incoming traffic from the DMZ to the internal LAN
3. Incoming traffic from the Internet to the internal network
4. Outgoing traffic from the internal network to the DMZ
5. Outgoing traffic from the internal network to the Internet
6. Outgoing traffic from the DMZ to the Internet


Appendix B

When we say that a firewall must separate the DMZ from both the internal LAN and the Internet, that doesn't necessarily mean you have to buy two firewalls. If you have a "three legged firewall" (one with at least three network interfaces), the same firewall can serve both functions. On the other hand, there are reasons you might want to use two separate firewalls (a front end and a back end firewall) to create the DMZ.

Figure A above illustrates a DMZ that uses two firewalls, called a back to back DMZ. An advantage of this configuration is that you can put a fast packet filtering firewall/router at the front end (the Internet edge) to increase performance of your public servers, and place a slower application layer filtering (ALF) firewall at the back end (next to the corporate LAN) to provide more protection to the internal network without negatively impacting performance for your public servers. Each firewall in this configuration has two interfaces. The front end firewall has an external interface to the Internet and an internal interface to the DMZ, whereas the backend firewall has an external interface to the DMZ and an internal interface to the corporate LAN.

When you use a single firewall to create a DMZ, it's called a trihomed DMZ. That's because the firewall computer or appliance has interfaces to three separate networks:

1. The internal interface to the trusted network (the internal LAN)
2. The external interface to the untrusted network (the public Internet)
3. The interface to the semi-trusted network (the DMZ)

The trihomed DMZ looks like Figure B.
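As an added example (not from the handout or the cited article), the trihomed alternative of Task 5 with the six traffic directions of Appendix A expressed as interface-pair rules on one firewall. Interface names are assumed (eth0 = LAN, eth1 = DMZ, eth2 = Internet), the lab's server 10.0.1.10 is the only published DMZ host, and DNS is assumed to be the only outbound service the server needs.

```shell
# Added example: a single three-legged firewall whose FORWARD rules map
# one-to-one onto the six directions listed under "Firewall rules".
# Interface names and the DMZ host's outbound needs are assumptions.
LAN=eth0; DMZ=eth1; INET=eth2
SERVER=10.0.1.10

trihomed_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replies for every permitted direction come back through this one rule.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 1. Internet -> DMZ: only the published service may be opened.
-A FORWARD -i $INET -o $DMZ -d $SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
# 2. DMZ -> LAN: nothing may be initiated, so a hacked DMZ host stays isolated.
-A FORWARD -i $DMZ -o $LAN -j DROP
# 3. Internet -> LAN: never initiated from outside.
-A FORWARD -i $INET -o $LAN -j DROP
# 4. LAN -> DMZ: internal users reach the server's web port.
-A FORWARD -i $LAN -o $DMZ -d $SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
# 5. LAN -> Internet: outbound allowed.
-A FORWARD -i $LAN -o $INET -m state --state NEW -j ACCEPT
# 6. DMZ -> Internet: limited to what the server needs (DNS assumed), not everything.
-A FORWARD -i $DMZ -o $INET -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Self-check: every one of the six directions has an explicit interface-pair rule.
direction_rules() { trihomed_ruleset | grep -c -- '^-A FORWARD -i '; }
```

Direction 2 is the rule that makes the DMZ worth having: a compromised server can answer the LAN's requests but cannot open anything towards it.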