200 Principles and Practices of Information Security

[...] of technology-based control systems will require additional configuration and maintenance in all these areas, usually with specialized training in [...].

PHYSICAL DESIGN

The security program is made up of two parts: the general design of an information security program (covered in Chapter 9) and the physical design (presented in Chapters 6, 7, and 8). The general design of the information security program is what makes it ready for implementation. Physical design encompasses the design and implementation of technologies and processes that mitigate risk from threats to the information assets of an organization. Specifically, the team responsible for the physical design:

• Selects specific technologies to support the information security blueprint
• Identifies complete technical solutions, including deployment, operations, and maintenance elements, to improve the security of the environment
• Designs physical security measures to support the technical solution
• Prepares project plans for the implementation phase that follows

Security Technology: Firewalls and VPNs

In commercial and residential construction, firewalls are concrete or masonry walls that run from the basement through the roof, to prevent a fire from jumping from one section of the building to another. In aircraft and automobiles, a firewall is an insulated metal barrier that keeps the hot and dangerous moving parts of the motor separate from the inflammable interior where the passengers sit. A firewall in an information security program is similar to a building's firewall in that it prevents specific types of information from moving between the outside world, known as the untrusted network (for example, the Internet), and the inside world, known as the trusted network. The firewall may be a separate computer system, a software service running on an existing router or server, or a separate network containing a number of supporting devices.

Firewalls can be categorized by processing mode and, as later sections of this chapter show, by generation and by architecture.

Modes of Firewall Processing

The processing-mode categories of firewalls are packet filtering firewalls, application gateways, circuit gateways, MAC layer firewalls, and hybrids. Hybrid firewalls use a combination of the other four methods, and in practice most firewalls fall into this category, since most firewall implementations use multiple approaches.

Packet Filtering Firewalls

The packet filtering firewall, also called a filtering firewall, examines the header information of data packets that come into a network. A packet filtering firewall installed on a TCP/IP based network typically functions at the IP level and determines whether to drop a packet (deny) or forward it to the next network connection (allow) based on the rules programmed into the firewall. Packet filtering firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information. Figure 6-1 shows the structure of an IPv4 packet. Packet filtering firewalls scan network data packets looking for compliance with or violation of the rules of the firewall's database. Filtering firewalls inspect packets at the network layer, or Layer 3, of the OSI model. If the device finds a packet that matches a restriction, it stops the packet from traveling from one network to the next. The restrictions most commonly implemented in packet filtering firewalls are based on a combination of the following:

• IP source and destination address
• Direction (inbound or outbound)
• Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests

Footnote: Avolio, Frederic. "Firewalls and Internet Security, the Second Hundred (Internet) Years." Accessed 6 May 2007 from [URL illegible in the scan].

Figure 6-1 IP Packet Structure (IPv4 header fields, 32 bits per row):
Version (4 bits) | Header length (4 bits) | Type of service (8 bits) | Total length (16 bits)
Identification (16 bits) | Flags (3 bits) | Fragment offset (13 bits)
Time to live (8 bits) | Protocol (8 bits) | Header checksum (16 bits)
Source IP address (32 bits)
Destination IP address (32 bits)
Options (with padding)
Data

A packet's content will vary in structure, depending on the nature of the packet. The two primary service types are TCP and UDP (as noted above). Figures 6-2 and 6-3 show the structures of these two major elements of the combined protocol known as TCP/IP.

Figure 6-2 TCP Packet Structure (TCP header fields, 32 bits per row):
Source port (16 bits) | Destination port (16 bits)
Sequence number (32 bits)
Acknowledgment number (32 bits)
Header length, reserved bits and control flags (16 bits) | Window (16 bits)
Checksum (16 bits) | Urgent pointer (16 bits)
Options (with padding)
Data

Figure 6-3 UDP Datagram Structure (UDP header fields, 32 bits per row):
Source port (16 bits) | Destination port (16 bits)
Length (16 bits) | Checksum (16 bits)
Data

Simple firewall models examine two aspects of the packet header: the destination and source address. They enforce address restrictions, rules designed to prohibit packets with certain addresses or partial addresses from passing through the device. They accomplish this through access control lists (ACLs), which are created and modified by the firewall administrators. Figure 6-4 shows how a packet filtering router can be used as a simple firewall to filter data packets from inbound connections and allow outbound connections unrestricted access to the public network.

Figure 6-4 Packet Filtering Router: an untrusted network on one side, a packet filtering router in between, and the trusted network on the other; blocked data packets are dropped at the router.

To better understand an address restriction scheme, consider Table 6-1. If an administrator were to configure a simple rule based on the content of Table 6-1, any connection attempt made by an external computer or network device in the 192.168.x.x address range would be allowed. The ability to restrict a specific service, rather than just a range of IP addresses, is discussed in a later section of this chapter.

Table 6-1 Sample Firewall Rule and Format
Source Address | Destination Address | Service (HTTP, SMTP, FTP, Telnet) | Action (Allow or Deny)
172.16.x.x | 10.10.x.x | Any | [illegible]
192.168.x.x | 10.10.10.25 | HTTP | Allow
192.168.0.1 | 10.10.10.19 | [illegible] | Allow

The ability to restrict a specific service is now considered standard in most routers and is invisible to the user. Unfortunately, such systems are unable to detect whether packet headers have been modified, which is an advanced technique used in some attacks, including IP spoofing attacks.

There are three subsets of packet filtering firewalls: static filtering, dynamic filtering, and stateful inspection. Static filtering requires that the filtering rules be developed and installed with the firewall. The rules are created and sequenced either by a person directly editing the rule set, or by a person using a programmable interface to specify the rules and the sequence. Any changes to the rules require human intervention. This type of filtering is common in network routers and gateways. A dynamic filtering firewall can react to an emergent event and update or create rules to deal with that event. This reaction could be positive or negative, as in dropping all packets from a particular address when an increased presence of a particular type of malformed packet is detected. While static filtering firewalls allow entire sets of one type of packet to enter in response to authorized requests, the dynamic packet filtering firewall allows only a particular packet with a particular source, destination, and port address to enter through the firewall. It does this by opening and closing "doors" in the firewall based on the information contained in the packet header, which makes dynamic packet filters an intermediate form between traditional static packet filters and application gateways (which are described later). Stateful inspection firewalls, also called stateful firewalls, keep track of each network connection between internal and external systems using a state table. A state table tracks the state and context of each packet in the conversation [...].

[pages missing from the scan]

[...] intermediate computers (or proxies) in the less protected areas of the organization's network. This technique is still widely used to implement electronic commerce functions, although most users of this technology have upgraded to take advantage of the DMZ approach discussed below. The primary disadvantage of application-level firewalls is that they are designed for one or a few specific protocols and cannot easily be reconfigured to protect against attacks on other protocols. Since application firewalls work at the application layer (hence the name), they are typically restricted to a single application (e.g., FTP, Telnet, HTTP, SMTP, and SNMP). The processing time and resources necessary to read each packet down to the application layer diminishes the ability of these firewalls to handle multiple types of applications.

Circuit Gateways

The circuit gateway firewall operates at the transport layer. Again, connections are authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not usually look at traffic flowing between one network and another, but they do prevent direct connections between one network and another. They accomplish this by creating tunnels connecting specific processes or systems on each side of the firewall, and then allowing only authorized traffic, such as a specific type of TCP connection for only authorized users, in these tunnels. A circuit gateway is a firewall component often included in the category of application gateways, but it is in fact a separate type of firewall. Writing for NIST in Special Publication 800-10, John Wack describes the processing of a circuit gateway as follows:

"A circuit level gateway relays TCP connections but does no extra processing or filtering of the protocol. For example, the Telnet application gateway example provided here would be an example of a circuit level gateway, since once the connection between the source and destination is established, the firewall simply passes bytes between the systems. Another example of a circuit level gateway would be for NNTP, in which the NNTP server would connect to the firewall, and then internal systems' NNTP clients would connect to the firewall. The firewall would, again, simply pass bytes."

Footnote: Wack, John. "Introduction to Firewalls." NIST Special Publication 800-10. [URL illegible in the scan]

MAC Layer Firewalls

MAC layer firewalls operate at the data link layer (Layer 2) of the OSI model [...].

Figure: firewall types and the OSI model
7 Application: application gateways
6 Presentation
5 Session
4 Transport: circuit gateways
3 Network: packet filtering firewalls
2 Data link: MAC layer firewalls
1 Physical

Hybrid Firewalls

Hybrid firewalls combine the elements of other types of firewalls, that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways. Alternately, a hybrid firewall system may actually consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work in tandem. For example, a hybrid firewall system might include a packet filtering firewall that is set up to screen all acceptable requests and then pass the requests to a proxy server which, in turn, requests services from a Web server deep inside the organization's networks. An added advantage to the hybrid firewall approach is that it enables an organization to make a security improvement without completely replacing its existing firewalls.

Firewalls Categorized by Generation

Firewalls are also frequently categorized by their position on a developmental continuum, that is, by generation. The first generation of firewall devices consists of routers that perform only simple packet filtering operations. More recent generations of firewalls offer increasingly complex capabilities, including the increased security and convenience of creating a DMZ ("demilitarized zone"). At present, there are five generally recognized generations of firewalls, and these generations can be implemented in a wide variety of architectures.

• First generation firewalls are static packet filtering firewalls: simple networking devices that filter packets according to their headers as the packets travel to and from the organization's networks.
• Second generation firewalls are application-level firewalls or proxy servers: dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.
• Third generation firewalls are stateful inspection firewalls, which, as described previously, monitor network connections between internal and external systems using state tables.
• Fourth generation firewalls, which are also known as dynamic packet filtering firewalls, allow only a particular packet with a particular source, destination, and port address to enter.
• Fifth generation firewalls are a specialized form that works under the kernel of the operating system. This type of firewall evaluates packets by checking security in the kernel as data is passed up and down the protocol stack. Cisco implemented this technology in the security kernel of its Centri Firewall. [...]

[pages missing from the scan]

[...] one of the authors responded to this debate by installing a hardware firewall, and then visiting a [...] and challenging the group to penetrate his system. A former student [...] claiming to have accessed his system. The hacker [...]; later, he received a screen showing a graphic of a [...] prompt, which he claimed was from the student's system. After [...] research, the student found out that the firewall had an image stored in firmware that was designed to attract attackers. It was an image of a command window with a DOS prompt. The hardware firewall had withstood the challenge [...].

Firewall Architectures

Each of the firewall devices noted earlier can be configured in a number of network connection architectures. These approaches are sometimes mutually exclusive and sometimes can be combined. The configuration that works best for a particular organization depends on three factors: the objectives of the network, the organization's ability to develop and implement the architectures, and [...]. Common architectural implementations of firewalls include packet filtering routers, screened host firewalls, dual-homed (multi-homed) firewalls, and screened subnet firewalls. Each of these is examined in detail in the following sections.

Packet Filtering Routers

Most organizations with an Internet connection have some form of a router at the boundary between the organization's internal networks and the external service provider. Many of these routers can be configured to reject packets that the organization does not allow into the network. This is a simple but effective way to lower the organization's risk from external attack. The drawbacks to this type of system include [...], and the complexity of the access control lists used to filter the packets can degrade network performance. Figure 6-4 (shown earlier in this chapter) is an example of this type of architecture.
Screened Host Firewalls

In a screened host architecture, the packet filtering router is paired with a separate, dedicated firewall host such as an application proxy server [...]. The application proxy examines an application layer protocol, such as HTTP, and performs the proxy services. This separate host is often referred to as a bastion host [...]. To its advantage, this configuration requires an external attack to compromise two separate systems before the attack can access internal data. In this way, the bastion host protects the data more fully than the router alone. Figure 6-11 shows a typical configuration of a screened host architecture.

Dual-Homed Host Firewalls

The next step up in firewall architectural complexity is the dual-homed host. When this architecture is used, the bastion host contains two network interface cards (NICs) rather than one, as in the bastion host configuration. One NIC is connected to the external network, and one is connected to the internal network, providing an additional layer of protection. With two NICs, all traffic must physically go through the firewall to move between the internal and external networks.

Figure 6-11 Screened Host Firewall: an untrusted network, a packet filtering router, a bastion host, and the trusted network; blocked data packets are dropped at the router.

This architecture often makes use of network address translation (NAT). As described earlier, NAT is a method of mapping real, valid, external IP addresses to special ranges of non-routable internal IP addresses, thereby creating yet another barrier to intrusion from external attackers. The internal addresses used by NAT consist of three different ranges. Organizations that need a large group of addresses for internal use will use the Class A address range of 10.x.x.x, which has more than 16.5 million usable addresses. Organizations that need smaller groups of internally assigned addresses can select from the reserved group of 16 Class B address blocks found in the 172.16.x.x to 172.31.x.x range (about 1.05 million total addresses). Finally, those with smaller needs can use Class C addresses, in the 192.168.x.x range, each of which has approximately 65,500 addresses. See Table 6-4 for a recap of the IP address ranges reserved for non-public networks. Messages sent with internal addresses within these three reserved ranges cannot be routed externally, so that if a computer with one of these internal-use addresses is directly connected to the external network and avoids the NAT server, its traffic cannot be routed on the public network. Taking advantage of this, NAT prevents external attacks from reaching internal machines with addresses in the specified ranges. If the NAT server is a multi-homed bastion host, it translates between the true, external IP addresses assigned to the organization by public network naming authorities and the internally assigned, non-routable IP addresses. NAT translates by dynamically assigning addresses to internal communications and tracking the conversations with sessions to determine which incoming message is a response to which outgoing traffic. Figure 6-12 shows a dual-homed host firewall that uses NAT and proxy access to protect the internal network.

Table 6-4 Reserved Non-Routable Address Ranges
Address range | Decimal mask | Prefix length
10.0.0.0 to 10.255.255.255 | 255.0.0.0 | /8
172.16.0.0 to 172.31.255.255 | 255.240.0.0 | /12
192.168.0.0 to 192.168.255.255 | 255.255.0.0 | /16

Figure 6-12 Dual-Homed Host Firewall: an internal filtering router, the trusted network, proxy access for internal data, and NAT-assigned local addresses.

Another benefit of a dual-homed host is its ability to translate between many different protocols at their respective data-link layers, including Ethernet, token ring, Fiber Distributed Data Interface (FDDI), and asynchronous transfer mode (ATM). On the downside, if this dual-homed host is compromised, it can disable the connection to the external network, and as traffic volume increases, it can become overloaded. However, compared to more complex solutions, this architecture provides strong overall protection with minimal expense.

Screened Subnet Firewalls (with DMZ)

The dominant architecture used today is the screened subnet firewall, which provides a DMZ (demilitarized zone). Until recently, servers providing services through an untrusted network were commonly placed in the DMZ. Examples of these include Web servers and certain database servers. More recent strategies using proxy servers have provided much more secure solutions. A common arrangement finds the subnet firewall consisting of two or more internal bastion hosts behind a packet filtering router, with each host protecting the trusted network. There are many variants of the screened subnet architecture. The first general model consists of two filtering routers, with one or more dual-homed bastion hosts between them.

Figure 6-13 Screened Subnet (DMZ): an untrusted network, an external filtering router, the screened subnet (DMZ) holding the externally reachable servers, an internal filtering router, and the trusted network.
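The NAT behaviour described above for the dual-homed host can be seen end to end in the following added example (not the textbook's code): it uses the static internal-to-external table from Figure 6-14, the reserved ranges of Table 6-4, and a session table that records which incoming message answers which outgoing conversation. The 203.0.113.x addresses and the port numbers in the traffic are constructed, and the SMTP server is assumed to be deliberately published at its NAT address 10.10.10.10 on port 25.

```python
"""NAT on the dual-homed host of Figure 6-14 (added example, not the book's code).

Internal 192.168.2.x hosts map to public 10.10.10.x addresses via the static
table in the figure; a session table records each outbound conversation so
that only genuine replies (or traffic to a deliberately published service)
are translated back in. Constructed traffic uses 203.0.113.x test addresses.
"""
import ipaddress
from dataclasses import dataclass, replace

# Table 6-4: the three non-routable ranges reserved for private networks.
RESERVED_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# NAT table from Figure 6-14 (internal address -> external address).
NAT_TABLE = {
    "192.168.2.1": "10.10.10.7",
    "192.168.2.2": "10.10.10.8",    # Firewall Admin workstation
    "192.168.2.3": "10.10.10.10",   # SMTP server
}


def is_publicly_routable(addr: str) -> bool:
    """False inside the reserved ranges of Table 6-4: a host that bypasses
    the NAT server with such an address cannot exchange traffic with the
    public network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RESERVED_RANGES)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatHost:
    """Multi-homed bastion host doing NAT with conversation tracking."""

    def __init__(self, table, published=()):
        self.int_to_ext = dict(table)
        self.ext_to_int = {ext: internal for internal, ext in table.items()}
        self.sessions = set()             # (ext_src, sport, dst, dport) seen outbound
        self.published = set(published)   # (ext_addr, port) reachable from outside
        self.dropped = []

    def outbound(self, pkt: Packet):
        """Rewrite the internal source to its public address and record the
        conversation; packets from addresses not in the table are dropped."""
        ext = self.int_to_ext.get(pkt.src)
        if ext is None:
            self.dropped.append(pkt)
            return None
        self.sessions.add((ext, pkt.sport, pkt.dst, pkt.dport))
        return replace(pkt, src=ext)

    def inbound(self, pkt: Packet):
        """Translate back to the internal address only if the packet answers
        a tracked conversation or targets a published service; anything
        else is an unsolicited probe and is dropped."""
        answers = (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        exposed = (pkt.dst, pkt.dport) in self.published
        if pkt.dst not in self.ext_to_int or not (answers or exposed):
            self.dropped.append(pkt)
            return None
        return replace(pkt, dst=self.ext_to_int[pkt.dst])


def demo():
    """One Web request and its reply, one delivery to the published SMTP
    server, and one unsolicited probe at a high port (all constructed)."""
    nat = NatHost(NAT_TABLE, published={("10.10.10.10", 25)})
    request = nat.outbound(Packet("192.168.2.2", 40001, "203.0.113.5", 80))
    reply = nat.inbound(Packet("203.0.113.5", 80, "10.10.10.8", 40001))
    mail = nat.inbound(Packet("203.0.113.9", 51234, "10.10.10.10", 25))
    probe = nat.inbound(Packet("203.0.113.9", 51234, "10.10.10.8", 3389))
    return request, reply, mail, probe, nat.dropped


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The probe to 10.10.10.8 is dropped because no internal host opened that conversation, which is the barrier the text describes; the published SMTP port is the one deliberate exception.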
In the second general model, as illustrated in Figure 6-13, the connections are routed as follows:

• Connections from the outside or untrusted network are routed through an external filtering router.
• Connections from the outside or untrusted network are routed into, and then out of, a routing firewall to the separate network segment known as the DMZ.
• Connections into the trusted internal network are allowed only from the DMZ bastion host servers.

The screened subnet is an entire network segment that performs two functions: it protects the DMZ systems and information from outside threats by providing a network of intermediate security (more secure than the general public networks but less secure than the internal network); and it protects the internal networks by limiting how external connections can gain access to them. Although extremely secure, the screened subnet can be expensive to implement and complex to configure and manage. The value of the information it protects must justify the cost.

Another facet of the DMZ is the creation of an area known as an extranet. An extranet is a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public. An example is an online retailer that allows anyone to browse the product catalog and place items into a shopping cart, but requires extra authentication and authorization when the customer is ready to check out and place an order.

SOCKS Servers

Deserving of brief special attention is the SOCKS firewall implementation. SOCKS is the protocol for handling TCP traffic via a proxy server. The SOCKS system is a proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation. The general approach is to place the filtering requirements on the individual workstation rather than on a single point of defense (and thus point of failure). This frees the entry router from filtering responsibilities, but it requires that each workstation be managed as a firewall detection and protection device. A SOCKS system can require support and management resources beyond those of traditional firewalls, since it requires the configuration and management of hundreds of individual clients, as opposed to a single device or small set of devices.

Selecting the Right Firewall

When trying to determine which is the best firewall for an organization, you should consider the following questions:

1. What type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2. What features are included in the base price? What features are available at extra cost? Are all cost factors known?
3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can configure the firewall?
4. Can the candidate firewall adapt to the growing network in the target organization?

The most important factor is the extent to which the firewall design provides the required protection. The second most important issue is cost. Cost may keep a certain make, model, or type out of reach. Some compromises may be necessary in order to provide a viable solution [...].

Configuring and Managing Firewalls

Once the firewall architecture and technology have been selected, the initial configuration and ongoing management of the firewall(s) needs to be considered. Good policy and practice dictates that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules. In theory, packet filtering firewalls examine each incoming packet using a rule set to determine whether to allow or deny the packet. That set of rules is made up of simple statements that determine whether to allow or deny a packet based on the ports a packet contains, its source and destination addresses, and the type of request. In fact, the configuration of firewall policies can be complex and difficult. IT professionals familiar with application programming can appreciate the difficulty of debugging both syntax errors and logic errors. Syntax errors in firewall policies are usually easy to identify, as the systems alert the administrator to incorrectly configured policies. However, logic errors, such as allowing instead of denying, specifying the wrong port or service type, and using the wrong switch, are another story. A myriad of simple mistakes can take a device designed to protect users' communications and turn it into one giant choke point. A choke point that restricts all communications or an incorrectly configured rule can cause other unexpected results. For example, novice firewall administrators often improperly configure a virus-screening e-mail gateway (known as a type of e-mail firewall) so that, instead of screening e-mail for malicious code, it blocks all incoming e-mail and causes, understandably, a great deal of frustration among users.

Configuring firewall policies is as much an art as it is a science. Each configuration rule must be carefully crafted, debugged, tested, and placed into the access control list in the proper sequence. Good, correctly sequenced firewall rules ensure that the actions taken comply with the organization's policy. In a well-designed, efficient firewall rule set, rules that can be evaluated quickly and govern broad access are performed before ones that may take longer to evaluate and affect fewer cases. The most important thing to remember when configuring firewalls is this: when security rules conflict with the performance of user needs, security loses. If users can't work because of a security restriction, the security administration will be pressured to remove the safeguard. In other words, organizations are much more willing to accept potential risk than certain failure. The following sections describe the best practices and ways to configure the rules that support firewalls.
Best Practices for Firewalls

This section outlines some of the best practices for firewall use. Note that these rules are not presented in any particular sequence. For a discussion of the order in which firewall rules should be presented, refer to the next section.

• All traffic from the trusted network is allowed out. This allows members of the organization to access the services they need. Filtering and logging of outbound traffic can be implemented when specific organizational policy goals call for it.
• [...] should be blocked to prevent illegal zone transfers, and to prevent attackers from taking down the entire network. If internal users need [...], the organization should enable them to use a Virtual Private Network (VPN) or other secure system that provides a reasonable level of [...].
• When Web services are offered outside the firewall, HTTP traffic should be blocked from reaching the internal networks through the use of some form of proxy access or DMZ architecture, so that such services are invisible to the outside Internet. If your Web server is behind the firewall, allow HTTP or HTTPS (also known as Secure Sockets Layer or SSL) traffic through for the Internet at large to view it. The best solution is to place the Web servers containing critical data inside the network and use proxy services from a DMZ (screened network segment). It is also advisable to restrict Web traffic bound for internal network addresses to allow only those requests that originated from internal addresses. This restriction can be accomplished using NAT or other firewall approaches. All other incoming HTTP traffic should be blocked. If the Web servers only contain advertising, they should be placed in the DMZ and rebuilt on a timed schedule or when (not if, but when) they are compromised.
• All data that is not verifiably authentic should be denied. When attempting to convince packet filtering firewalls to permit malicious traffic, attackers will frequently put an internal address in the source field. To avoid this problem, set rules so that the external firewall blocks all inbound traffic with an organizational source address.
• [...] should be blocked from your internal networks [...] should be dropped.

Firewall Rules

It is possible to create simple rules based on the best practices outlined earlier. For the purposes of this discussion, assume a network configuration as illustrated in Figure 6-14, with an internal and an external filtering firewall. In the exercise that follows, the rules for both firewalls are discussed, and many of the rules [...] how they interact [...] complete rule sets for each filtering firewall. It is important to note that rules are created for each interface on a firewall and bound to that interface [...]. The System (or Well-Known) Ports are those from 0 through 1023, User (or Registered) Ports are those from 1024 through 49151, and Dynamic (or Private) Ports are those from 49152 through 65535 (see www.iana.org/assignments/port-numbers for more information). Several well-known port numbers are listed in Table 6-5. Note that this is not an exhaustive list.

Figure 6-14 Example Network Configuration:
• External filtering router: external IP 10.10.10.1, internal IP 10.10.10.2
• Switch and trusted network, with an Internal Server, the Firewall Admin workstation (IP 192.168.2.2) and the SMTP Server (IP 192.168.2.3)
• Internal filtering router: external IP 10.10.10.3, internal IP 192.168.2.1
• NAT table (internal address to external address): 192.168.2.1 to 10.10.10.7; 192.168.2.2 to 10.10.10.8; 192.168.2.3 to 10.10.10.10

Table 6-5 Select Well-Known Port Numbers
Port Number | Protocol
7 | Echo
20 | File Transfer [Default Data] (FTP)
21 | File Transfer [Control] (FTP)
23 | Telnet
25 | Simple Mail Transfer Protocol (SMTP)
53 | Domain Name Services (DNS)
80 | Hypertext Transfer Protocol (HTTP)
110 | Post Office Protocol version 3 (POP3)
161 | Simple Network Management Protocol (SNMP)

Rule Set 1: [...] From Table 6-6, you can see that this rule states that any inbound packet (with any source address and from any source port) that is destined for the internal network (whose destination address is 10.10.10.0) and for a destination port greater than 1023 is allowed in. [...] a Web site, and the response is directed to a specific destination port, allowing the browser and Web server to keep each conversation separate. While this rule is sufficient for the external router (firewall), it is dangerous simply to allow any traffic in just because it is destined to a high port range. A better solution is to have the internal firewall router use state tables that track connections (as in stateful packet inspection) and thus prevent dangerous packets from entering this upper port range.

Table 6-6 Rule Set 1
Source Address | Source Port | Destination Address | Destination Port | Action
Any | Any | 10.10.10.0 | >1023 | Allow

Rule Set 2: [...] The rules in this set prohibit any access to the firewall, and prohibit the firewall from directly accessing any other devices. Note that this example is for the external filtering router/firewall only. Similar rules should be crafted for the internal router. Why are there separate rules for each IP address? The 10.10.10.1 address regulates external access to and by the firewall, while the 10.10.10.2 address regulates internal access. Not all attackers are outside the firewall! Note that if the firewall administrator needs direct access to the firewall, from inside or outside the network, a permission rule allowing access from his/her IP address should preface this rule. Be aware that it is possible to access the interface on the opposite side of the device, as traffic would be routed through the box and "boomerang" back when it hits the first router on the far side. Thus it is important to protect both interfaces in both the inbound and outbound rule sets.

Rule Set 2 (rows reconstructed from the text above: access to either firewall address is denied, and neither firewall address may be a source)
Source Address | Source Port | Destination Address | Destination Port | Action
Any | Any | 10.10.10.1 | Any | Deny
Any | Any | 10.10.10.2 | Any | Deny
10.10.10.1 | Any | Any | Any | Deny
10.10.10.2 | Any | Any | Any | Deny

Rule Set 3: All traffic from the trusted network is allowed out. As a general rule it is wise not to restrict outgoing traffic unless a separate router is configured to handle it, to avoid overloading the firewall. If an organization wants control over outbound traffic, it should use a separate filtering device. The rule shown in the Rule Set 3 table allows all outbound traffic and should be used on the outbound interface.

Rule Set 3 (row reconstructed from the text above)
Source Address | Source Port | Destination Address | Destination Port | Action
10.10.10.0 | Any | Any | Any | Allow

Why should rule set 3 come after rule set 2, and rule set 2 after rule set 1? It makes sense to allow the rules that impact the most traffic to be earlier in the list. The more rules a firewall must process to find one that applies to the current packet, the slower the firewall will run. Therefore, the most widely applicable rules should come first, since the first rule that applies to any given packet will be applied.

Rule Set 4: The rule set for Simple Mail Transport Protocol (SMTP) data is shown in the Rule Set 4 table. As shown, the packets governed by this rule are allowed to pass through the firewall, but are all routed to a well-configured SMTP gateway. It is important that e-mail traffic reach your e-mail server, and only your e-mail server. Some attackers try to disguise dangerous packets as e-mail traffic to fool a firewall. If the e-mail server has been properly configured, the dangerous packets [...]. If the organization allows home access to an internal e-mail server, it may be necessary to set up a second, separate server to handle the POP3 protocol that retrieves mail for e-mail clients like Outlook and Eudora. This is usually a low-risk operation, especially if e-mail encryption is in place. More challenging is the sending of e-mail using the SMTP protocol, a service attractive to spammers, who may seek to hijack an outbound mail server.

Rule Set 4
Source Address | Source Port | Destination Address | Destination Port | Action
Any | Any | 10.10.10.6 | 25 | Allow

Rule Set 5: All Internet Control Message Protocol (ICMP) data should be denied. Pings, formally known as ICMP Echo requests, are used by internal systems administrators to ensure that clients and servers can communicate. There is virtually no legitimate use for ICMP outside the network, except to test the perimeter routers. ICMP uses port 7 to request a response to a query (e.g., "Are you there?") and can be the first indicator of a malicious attack. It's best to make all directly connected networking devices "black holes" to external probes. Traceroute uses a variation on the ICMP Echo requests, so restricting this one port provides protection against two types of probes. Allowing internal users to use ICMP requires configuring two rules, as shown in the Rule Set 5 table.

Rule Set 5
Source Address | Source Port | Destination Address | Destination Port | Action
10.10.10.0 | Any | Any | 7 | Allow
Any | Any | 10.10.10.0 | 7 | [illegible]

Rule Set 6: Telnet (terminal emulation) access to all internal servers from the public networks should be blocked. Though not used much in Windows environments, Telnet is still useful to systems administrators on other systems. But the presence of external requests for Telnet services can indicate a potential attack. Allowing internal use of Telnet requires the same type of initial permission rule you use with Ping. See Table 6-11. Note that this rule is unidirectional: if the packet comes from an internal address, the firewall allows the packet and stops processing the rule set; if it is not from an internal source, then it bypasses the first rule and moves to the second [...].
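The rule sets above can be exercised with the following added example (not the textbook's code): a first-match packet filter for the external filtering router of Figure 6-14 that encodes the legible rows of Rule Sets 1 through 5 plus the anti-spoofing best practice, and reports which rule fired and how many rules had to be examined. Beyond what the page states, it assumes that "10.10.10.0" in the tables means the network 10.10.10.0/24, that each rule is bound to the interface ("ext" or "int") it applies on, that unmatched packets are denied, and that the second ICMP row (illegible in the scan) is omitted; the sample packets and 203.0.113.x addresses are constructed.

```python
"""First-match packet filter for the external filtering router of Figure 6-14.
Added example, not the textbook's code: the legible rows of Rule Sets 1-5 plus
the best-practice anti-spoofing rule, evaluated in the page's order and in a
hardened order. Assumed (not stated on the page): "10.10.10.0" in the tables
means 10.10.10.0/24; rules are bound to an interface ("ext" = public side,
"int" = trusted side); unmatched packets are denied."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRUSTED_NET = ipaddress.ip_network("10.10.10.0/24")
ANY = "Any"

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "ext" or "int"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str      # "Any", a host address, or "10.10.10.0" (the trusted net)
    sport: str    # "Any" or a port number as text
    dst: str
    dport: str    # "Any", a port number, or ">1023"
    action: str   # "Allow" or "Deny"
    iface: str = ANY
    name: str = ""

def addr_matches(pattern: str, addr: str) -> bool:
    if pattern == ANY:
        return True
    if pattern == "10.10.10.0":   # the tables' shorthand for the whole network
        return ipaddress.ip_address(addr) in TRUSTED_NET
    return pattern == addr

def port_matches(pattern: str, port: int) -> bool:
    if pattern == ANY:
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in (ANY, pkt.iface)
            and addr_matches(rule.src, pkt.src)
            and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst)
            and port_matches(rule.dport, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str], int]:
    """First matching rule wins, as the page describes. Returns the action,
    the name of the rule that fired, and how many rules had to be examined
    (the page's reason for putting widely applicable rules first)."""
    for examined, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, rule.name, examined
    return "Deny", None, len(rules)   # nothing matched: deny by default

# Best practice from the page: the external firewall blocks inbound traffic
# that carries an organizational source address (a spoofing attempt).
ANTI_SPOOF = Rule("10.10.10.0", ANY, ANY, ANY, "Deny", iface="ext", name="anti-spoof")
RULE_SET_1 = [Rule(ANY, ANY, "10.10.10.0", ">1023", "Allow", name="RS1 replies")]
RULE_SET_2 = [Rule(ANY, ANY, "10.10.10.1", ANY, "Deny", name="RS2 to ext iface"),
              Rule(ANY, ANY, "10.10.10.2", ANY, "Deny", name="RS2 to int iface"),
              Rule("10.10.10.1", ANY, ANY, ANY, "Deny", name="RS2 from ext iface"),
              Rule("10.10.10.2", ANY, ANY, ANY, "Deny", name="RS2 from int iface")]
RULE_SET_3 = [Rule("10.10.10.0", ANY, ANY, ANY, "Allow", iface="int", name="RS3 out")]
RULE_SET_4 = [Rule(ANY, ANY, "10.10.10.6", "25", "Allow", name="RS4 SMTP")]
# Only the legible ICMP row; the second row's action is illegible in the scan.
RULE_SET_5 = [Rule("10.10.10.0", ANY, ANY, "7", "Allow", iface="int", name="RS5 echo")]

# The order the page presents, and a hardened order with anti-spoofing first
# and the firewall's own deny rules ahead of the broad high-port allow.
PAGE_ORDER = RULE_SET_1 + RULE_SET_2 + RULE_SET_3 + RULE_SET_4 + RULE_SET_5
HARDENED = [ANTI_SPOOF] + RULE_SET_2 + RULE_SET_1 + RULE_SET_3 + RULE_SET_4 + RULE_SET_5

def demo():
    """Constructed packets (203.0.113.x is a documentation range), each
    evaluated under both orderings: (action, rule name, rules examined)."""
    samples = {
        "web_reply": Packet("ext", "203.0.113.5", 80, "10.10.10.20", 40001),
        "spoofed":   Packet("ext", "10.10.10.9", 40001, "10.10.10.20", 40001),
        "fw_probe":  Packet("ext", "203.0.113.9", 5555, "10.10.10.1", 8080),
        "mail":      Packet("ext", "203.0.113.9", 51234, "10.10.10.6", 25),
        "telnet_in": Packet("ext", "203.0.113.9", 51235, "10.10.10.20", 23),
    }
    return {name: (evaluate(PAGE_ORDER, p), evaluate(HARDENED, p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (page, hardened) in demo().items():
        print(f"{name:10} page order: {page}  hardened: {hardened}")
```

Comparing the two orderings on the spoofed and fw_probe packets shows that, under first-match evaluation, the broad Rule Set 1 allow decides those cases before the deny rules are ever reached, which is why rule sequence matters as much as rule content.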
