Firewall Implementation
By: Manish Kumar
manishkulhari@gmail.com
Objective of this course
Provide basic information about installing and configuring network firewalls for use within the UEN network
Demonstrate currently accepted methods of implementing firewalls
NAT/PAT vs. public addresses
Provide direction on firewall rule sets
Lots of time for Q&A
Get you out of here in a reasonable time
Types of Firewall Implementation
Basic Types of Firewall Implementation
There are three basic types of firewall implementation:
Transparent/Bridging Firewalls
The Sandwich Firewall
VLAN Switch Implementation
Types of Firewall Implementation
Transparent/Bridging Firewall
Pros
It is transparent to the traffic crossing the network: the firewall bridges at Layer 2, so existing hosts need no readdressing or routing changes
It is a very fast firewall, capable of high-bandwidth monitoring
Easy to implement in most scenarios
Cons
Bridging firewalls are usually very expensive
NAT/PAT options are not available on the firewall (it bridges rather than routes, so it cannot translate addresses)
VPN and other features are not on the firewall
Does not allow for DMZs on the same firewall
NAT and PAT vs. Public Addressing
NAT/PAT vs. Public Addressing
PROS:
NAT/PAT adds a layer of security by "hiding" the devices within your network: the outside sees only the translating address, and inbound traffic with no translation entry has nowhere to go.
NAT/PAT saves address space.
CONS:
NAT/PAT makes implementation more complicated.
NAT/PAT alone does not provide sufficient security; it is not a substitute for a filtering ruleset.
NAT/PAT does not work well with a variety of applications, particularly protocols that carry addresses or port numbers inside their payload.
NAT/PAT makes it more difficult to provide services to the public network effectively, since each public service needs a static translation or port forward.
NAT/PAT vs. Public Addressing
PROS:
Public addressing is generally easier to implement on firewalls
Easier to provide publicly accessible services on your network.
CONS:
Public addressing consumes more address space
Public addressing exposes more of your internal network: every host is directly reachable unless a rule blocks it
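As an added example (not part of the original slides), the following in-memory simulation of a PAT gateway shows the three behaviours the pros and cons above describe: inside sources are rewritten to one public address and a pool port, an inbound packet with no translation entry is dropped (which is all the "hiding" amounts to), and a public service behind PAT only becomes reachable through an explicit static port forward. The public address 203.0.113.10, the inside prefix 10.0.0., the port pool and every packet are constructed for illustration; no sockets are opened.

```python
"""Toy PAT gateway (constructed example, not UEN's or any vendor's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Key = Tuple[str, int, str, int]   # inside ip, inside port, peer ip, peer port


class PatGateway:
    def __init__(self, public_ip: str, inside_prefix: str, port_pool):
        self.public_ip = public_ip
        self.inside_prefix = inside_prefix    # assumed private range, e.g. "10.0.0."
        self.free_ports: List[int] = list(port_pool)
        self.outbound: Dict[Key, int] = {}    # inside flow -> public port
        self.inbound: Dict[int, Key] = {}     # public port -> inside flow
        self.forwards: Dict[int, Tuple[str, int]] = {}  # public port -> (inside ip, port)

    def add_port_forward(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Static translation for a service that must be reachable from the public network."""
        if public_port in self.free_ports:
            self.free_ports.remove(public_port)   # never hand this port to a dynamic mapping
        self.forwards[public_port] = (inside_ip, inside_port)

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite the source to the public address and a pool port."""
        if not pkt.src_ip.startswith(self.inside_prefix):
            return None                           # not an inside source: nothing to translate
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            if not self.free_ports:
                return None                       # port pool exhausted: the new flow is dropped
            port = self.free_ports.pop(0)
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only replies to known flows or static forwards get through."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is not None:
            inside_ip, inside_port, peer_ip, peer_port = entry
            if (pkt.src_ip, pkt.src_port) == (peer_ip, peer_port):
                return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
            return None                           # mapping exists but from the wrong peer: drop
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        return None                               # unsolicited and unmapped: the inside host stays hidden


if __name__ == "__main__":
    gw = PatGateway("203.0.113.10", "10.0.0.", range(40000, 40002))
    gw.add_port_forward(443, "10.0.0.20", 443)   # a DMZ web server published on the public address
    print(gw.translate_outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80)))
    print(gw.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.10", 40000)))  # reply mapped back
    print(gw.translate_inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 22)))   # None: dropped
    print(gw.translate_inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 443)))  # forwarded to DMZ
```

The "wrong peer" check is what separates a stateful PAT from a plain port mapping: an attacker who guesses an in-use public port still cannot reach the inside host unless the packet also arrives from the peer the session was opened to. Note also that the gateway does nothing about addresses embedded in payloads, which is exactly why the applications mentioned above break behind it.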
Firewall Ruleset Implementation
Firewalling Rulesets
There are two basic approaches to implementing rulesets on your firewall:
Block all and allow (default deny)
Allow all and block (default permit)
Block all and Allow
This method is generally the most secure implementation of a firewall ruleset.
But this method tends to cause more implementation headaches because of its closed nature:
Unknown applications on the network which use odd ports and need access through the firewall.
Common applications which are not completely secure but need access through the firewall (instant messengers, etc.).
This method should be implemented only after close monitoring of traffic across the network for a long period of time, using network sniffers or other monitors, to map the legitimate services on your network that need access through the firewall.
It is recommended that you use a DMZ for all general services which provide public information; in other words, anything that needs to be accessed from the public Internet SHOULD be placed in the DMZ.
This should be the first method considered when implementing rulesets on your firewall, if it is possible to implement.
Allow all and Block
Allow all and block is basically the opposite. Although it can add security to a network, it is a less secure implementation, because some malicious traffic will continue to enter the network: anything not explicitly blocked is allowed.
This method is much easier to implement, and allows for a slower, more methodical approach to implementation.
This method does not generally suffer from the "unknown application" problem, which makes implementation go much more smoothly.
This approach is basically an attempt to remove the "critical security concerns" on the network first, and then slowly move to a more closed network posture.
This solution should only be considered if a block all and allow solution is not possible.
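As an added example (not part of the original slides), the following first-match ruleset evaluator puts the two approaches side by side. It also carries out the preparatory step the "Block all and Allow" slide calls for: the allow list of the default-deny ruleset is derived from a constructed sample of monitored inbound traffic, keeping only services that several distinct outside hosts actually used, so that a lone probe does not get written into the ruleset as a legitimate service. The addresses, ports, the two-source threshold and the short deny list of the default-permit ruleset are all assumptions made for illustration.

```python
"""Default-deny vs. default-permit ruleset evaluation (constructed example, not UEN's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_ip: str               # exact address or "any"
    dst_port: Optional[int]   # None matches any port


@dataclass(frozen=True)
class Ruleset:
    rules: Tuple[Rule, ...]   # evaluated in order, first match wins
    default: str              # action taken when no rule matches


def matches(rule: Rule, flow: Flow) -> bool:
    return ((rule.proto == "any" or rule.proto == flow.proto)
            and (rule.dst_ip == "any" or rule.dst_ip == flow.dst_ip)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port))


def decide(ruleset: Ruleset, flow: Flow) -> str:
    for rule in ruleset.rules:
        if matches(rule, flow):
            return rule.action
    return ruleset.default


# Constructed sample of inbound flows captured at the network edge during the
# monitoring period. A service counts as legitimate only if several distinct
# outside hosts used it; one-off hits are treated as scans and left out.
OBSERVED = [
    Flow("tcp", "198.51.100.1", "192.0.2.10", 80),
    Flow("tcp", "198.51.100.2", "192.0.2.10", 80),
    Flow("tcp", "198.51.100.3", "192.0.2.10", 80),
    Flow("udp", "198.51.100.1", "192.0.2.11", 53),
    Flow("udp", "198.51.100.4", "192.0.2.11", 53),
    Flow("tcp", "198.51.100.9", "192.0.2.10", 445),   # single SMB probe
    Flow("tcp", "198.51.100.9", "192.0.2.12", 1433),  # single SQL Server probe
]


def observed_services(flows: List[Flow], min_sources: int = 2) -> List[Tuple[str, str, int]]:
    """(proto, dst_ip, dst_port) triples used by at least min_sources distinct source hosts."""
    sources: Dict[Tuple[str, str, int], Set[str]] = {}
    for f in flows:
        sources.setdefault((f.proto, f.dst_ip, f.dst_port), set()).add(f.src_ip)
    return sorted(k for k, v in sources.items() if len(v) >= min_sources)


def block_all_and_allow(flows: List[Flow]) -> Ruleset:
    """Default deny: only the mapped services are opened, everything else is blocked."""
    rules = tuple(Rule("allow", p, ip, port) for p, ip, port in observed_services(flows))
    return Ruleset(rules, default="deny")


def allow_all_and_block() -> Ruleset:
    """Default permit: only the 'critical security concerns' are blocked (assumed list)."""
    return Ruleset((Rule("deny", "tcp", "any", 445), Rule("deny", "tcp", "any", 135)), default="allow")


def compare(flow: Flow) -> Tuple[str, str]:
    """Decision under (block all and allow, allow all and block) for one inbound flow."""
    return decide(block_all_and_allow(OBSERVED), flow), decide(allow_all_and_block(), flow)


if __name__ == "__main__":
    for f in [Flow("tcp", "203.0.113.5", "192.0.2.10", 80),     # mapped web service
              Flow("tcp", "203.0.113.5", "192.0.2.10", 445),    # SMB from the Internet
              Flow("tcp", "203.0.113.5", "192.0.2.12", 1433),   # database port, not on the deny list
              Flow("tcp", "203.0.113.5", "192.0.2.30", 6667)]:  # the 'unknown application' case
        deny_first, allow_first = compare(f)
        print(f"{f.proto}/{f.dst_port:<5} -> {f.dst_ip}: default-deny={deny_first:<5} default-allow={allow_first}")
```

The last two flows are the whole argument in miniature: under block all and allow, the database port and the odd-port application are both refused, which is the secure outcome and also the "unknown application" headache if that odd port turns out to be something a user needs; under allow all and block, both pass, because nobody thought to add them to the deny list.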
OK… I have a Firewall, What Next…
Implementation Recommendations
Next Steps
If you are currently stuck on how or where to put your firewall, let us recommend some next steps.
Leverage the UEN Engineering and Security Departments to help with your implementation
Help is available in network design and ruleset design.
Outsource the implementation project
We have heard a lot of great things from some districts who have outsourced the implementation project.
Cost would be a factor in this decision.
Begin systematically monitoring network traffic entering your network and mapping that traffic to generate a ruleset
It is recommended that you use a sniffer like eEye's Iris, which helps determine which protocols and types of traffic you have on your network
Leverage the UEN Network Operations Center for support on basic firewall configuration for Cisco PIX and some other supported devices.
The UEN NOC has some great experience in support and configuration of firewall devices.
Begin by firewalling smaller portions of your network at first and slowly moving other networks over behind the firewall.
Firewall Training
We recommend that you get training on your specific firewall solution.
UEN may provide some training in the future for various firewall platforms
The UEN Firewall Recommendation: One Year Later
The UEN Firewall Recommendation
In October 2001, UEN released its Firewall Recommendation for all stakeholders.
One year later, 17 separate entities on the UEN Network have implemented a firewall solution on their networks.
This represents nearly 24% of all UEN routed networks, which are now behind some sort of firewall.
Plans communicated by stakeholders show that many more entities are planning implementations within the next 6 to 8 months.