
Cyberoam Certified Network & Security Professional (CCNSP)

Learning
training.cyberoam.com
© Copyright 2012 Cyberoam Technologies Pvt. Ltd. All Rights Reserved.
Module 4 – Firewall

Firewall > Agenda

• Layer 8 Firewall
• Access Control
• Zone Management
• Rule Management
• Object Management
• NAT (Inbound & Outbound)
• Routing
• Labs

Learning
training.cyberoam.com
Firewall
• Layer 8 Firewall

Access Control (Appliance Access)
• Use Appliance Access to limit the Administrative access to the following
services from LAN/WAN/DMZ:
– Admin Services (HTTP, HTTPS, Telnet, SSH)
– Authentication Services (User Login options)
– Network Services (DNS, Ping)
– Other Services (Web Proxy, SSL VPN)

Access Control > Default Configuration
• When a Cyberoam appliance is powered up for the first time, it has the
default access configuration specified below:
• Admin Services
– HTTPS (TCP port 443) and SSH (TCP port 22) services will be open for
administrative functions for LAN zone
• Authentication Services
– Cyberoam (UDP port 6060) and Captive Portal (TCP port 8090) will be open
for User Authentication Services for LAN zone.
– User Authentication Services are required to apply user-based Internet surfing,
bandwidth and data transfer restrictions.

Access Control > IP address at each port of the security solution
• The IP addresses assigned to each port on the appliance can be static or
dynamically obtained from DHCP server.
• The appliance also functions as a DHCP server.
• The IP addresses can be edited, and virtual interfaces can be added by
adding aliases and VLANs.
• The advantage of using an alias is that a single interface can have
multiple connections to a network.
• In a VLAN the hosts communicate as if they were attached to the same
broadcast domain, regardless of their physical connectivity.

Zone Management > Default Zones
• LAN
• DMZ (De-Militarised Zone)
• WAN
• VPN
• Local

[Diagram: the appliance with its WAN Zone, Local Zone, DMZ Zone and LAN Zone]

Adding New Zone

Rule Management
• Select FirewallRule to display the list of rules.
• Enable/Disable rule - Click to activate/deactivate the rule. If you do not want to
apply the firewall rule temporarily, disable rule instead of deleting.
– Green – Active Rule, Red – De-active Rule

• Edit Rule - Click to edit the rule.


• Insert Rule - Click to insert a new rule before the existing rule.
• Move Rule - Click to change the order of the selected rule

Rule Management > Default Firewall Rule #1

Rule Management > Default Firewall Rule #2

Managing Objects

• Objects are global building blocks for all modules/policies/rules of Layer 8 firewall.
• Protect network by configuring firewall rules to
– Block services for specific zone
– Limit some or all users from accessing certain services
– Allow only specific user to communicate using specific service
• Appliance provides several standard objects and allows
creating:
– Customized object definitions
– Firewall rule for Customized service definitions

Defining Custom Services
• Select Objects > Services > Add to open the create page.

Managing Object > IP Host & MAC Host
• By default, an IP host is created for each port on the appliance.

MAC Host
• In Cyberoam MAC address (Machine Address) is a decision parameter along
with Identity and IP Address for the firewall policies.

Managing Object > FQDN Host
• FQDN (Fully Qualified Domain Name) host can be added to appliance.

• Adding an FQDN host makes it possible to write a firewall rule that matches a
particular FQDN.

Managing Object > Country Host
• Cyberoam allows adding a country-based host to filter traffic at the country level.

• A country host can be defined at the firewall rule itself.

Outbound NAT (Source NAT)
• The appliance has a predefined NAT policy called MASQ, which NATs outgoing
traffic to the outgoing port’s IP address.
• Use a NAT policy when you want to map specific outbound traffic to a specific IP or
IP range.

• The appliance allows creating a NAT policy, which can be bound to a firewall rule.

Inbound NAT (Virtual Host)
• Required to make internal resources available on the Internet.
• Maps services of a public IP address to services of a host in a private network.
• Example: a web server is configured in the LAN zone with 1.1.1.1; Internet users
access www.abc.com, which resolves to 10.103.4.213.
• Cyberoam will automatically respond to ARP requests received on the
WAN zone for the external IP address of the virtual host. The default LAN to WAN
(Any Host to Any Host) firewall rule will allow traffic to flow between the
virtual host and the network.
• Cyberoam allows inbound load balancing and failover.

Inbound NAT > Create Virtual Host
• Select Firewall > Virtual Host > Add

Inbound NAT > Create Virtual Host with Load Balancing

• Sticky IP
– Maps a single source IP to a destination server. Any request from the same
source IP will always go to the same server.
• First Alive
– All requests will be served by the first internal server.
– Requests only go to the next server if the previous one is dead, and so on.
• Round Robin
– Requests are served in sequential order: the first request goes to the first
server, the next to the next server, and so on.
– It does not consider any other parameter.
• Random
– Requests are served in random order, using a uniform random method so
that all requests are distributed evenly.
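The four selection methods above, simulated in Python so their behaviour can be compared on the same pool of servers. This is an added illustration, not Cyberoam code: the server pool, the health flags (standing in for the appliance's health check) and the client IPs are constructed values.

```python
"""Virtual host load-balancing methods simulated in Python.

Added illustration, not Cyberoam code.  The server pool, the health flags
(standing in for the appliance's health check) and the client IPs are
constructed values.
"""
import random


class VirtualHostBalancer:
    """Chooses which internal server receives the next request for a virtual host."""

    METHODS = ("sticky_ip", "first_alive", "round_robin", "random")

    def __init__(self, servers, method, seed=None):
        if method not in self.METHODS:
            raise ValueError(f"unknown method {method!r}")
        self.servers = list(servers)              # configured order matters for First Alive
        self.alive = {s: True for s in servers}   # health-check result per server
        self.method = method
        self._rr_index = 0                        # position for Round Robin and new sticky sources
        self._sticky = {}                         # source IP -> server chosen for it
        self._rng = random.Random(seed)           # seedable so a run is reproducible

    def mark_dead(self, server):
        self.alive[server] = False

    def mark_alive(self, server):
        self.alive[server] = True

    def _live(self):
        return [s for s in self.servers if self.alive[s]]

    def _next_in_sequence(self, candidates):
        server = candidates[self._rr_index % len(candidates)]
        self._rr_index += 1
        return server

    def pick(self, src_ip):
        """Return the server for a request from src_ip, or None if none is alive."""
        candidates = self._live()
        if not candidates:
            return None
        if self.method == "first_alive":
            # always the first configured server that is still up
            return candidates[0]
        if self.method == "round_robin":
            # strictly sequential over the live servers, nothing else considered
            return self._next_in_sequence(candidates)
        if self.method == "random":
            # uniform random choice, so load evens out over many requests
            return self._rng.choice(candidates)
        # sticky_ip: a source keeps its server until that server goes down
        server = self._sticky.get(src_ip)
        if server is None or not self.alive[server]:
            server = self._next_in_sequence(candidates)
            self._sticky[src_ip] = server
        return server


def distribution(balancer, client_ips):
    """Count how many requests each server receives for the given client IPs."""
    counts = {s: 0 for s in balancer.servers}
    for ip in client_ips:
        server = balancer.pick(ip)
        if server is not None:
            counts[server] += 1
    return counts


if __name__ == "__main__":
    pool = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]       # constructed internal servers
    clients = [f"198.51.100.{i}" for i in range(1, 31)]  # constructed client IPs
    for method in VirtualHostBalancer.METHODS:
        lb = VirtualHostBalancer(pool, method, seed=7)
        print(method, distribution(lb, clients))
```

Marking a server dead and calling `pick()` again shows the failover behaviour of each method: First Alive moves to the next configured server, Sticky IP re-assigns only the sources that were bound to the dead server, and Round Robin and Random simply drop it from the sequence.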
Inbound NAT > Create firewall rule to include Virtual host
• Create firewall rules to allow an external host (from the Internet) to access a virtual
host that maps to internal servers.
• You must add the virtual host to a firewall policy to actually implement the
mapping configured in the virtual host, i.e. create a firewall rule that allows or denies
inbound traffic to the virtual host.

Inbound NAT > Loopback Firewall Rule
• Once the virtual host is created successfully, the appliance automatically creates a
loopback firewall rule for the zone of the mapped IP address.
• The loopback firewall rule is created for the service specified in the virtual host.
• If port forwarding is not enabled in the virtual host, then a firewall rule with “All Services”
is created.
• Loopback rules allow internal users to access internal resources using their
public IP (external IP) or FQDN.

Inbound NAT > Reflexive Firewall Rule
• In the general case, when traffic is initiated from the DMZ to the WAN, a reflexive
rule is needed.
• For example, in the case of an email server, the private IP of the email server is
mapped to a public IP on the Internet. When an email is received (inbound)
the inbound virtual host rule applies, but when an email is sent (outbound) a
reflexive rule is required.
• By default, Cyberoam prompts for this rule while creating the virtual host.
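The NAT behaviour described in the Outbound NAT, Inbound NAT, Loopback and Reflexive slides above, simulated as packet rewrites so the four cases can be seen side by side. This is an added illustration, not Cyberoam code: every address, the virtual host table and the sample packets are constructed. One assumption goes beyond the slides: a loopback (hairpinned) packet is additionally source-NATed here so that the server's reply returns through the appliance, which is how hairpin NAT is normally made to work but is not something the slides state.

```python
"""Outbound (MASQ), inbound (virtual host), loopback and reflexive NAT
simulated as packet rewrites.

Added illustration, not Cyberoam code.  All addresses, the virtual host
table and the sample packets are constructed.  Hairpinned (loopback) packets
are additionally source-NATed here so the server's reply returns through the
appliance: an assumption about the mechanism, not something the slides state.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_zone: str  # "LAN", "DMZ" or "WAN"


WAN_IP = "203.0.113.10"  # constructed IP of the WAN port, used by MASQ

# Virtual host table: (public IP, service port) -> private host.
# A port of None means "port forwarding not enabled", i.e. All Services.
VIRTUAL_HOSTS = {
    ("203.0.113.25", 25): "192.168.2.25",    # mail server in the DMZ, SMTP only
    ("203.0.113.80", None): "192.168.2.80",  # web server, every service mapped
}


def lookup_virtual_host(dst, dport):
    """Return the private host behind a public IP/port, or None."""
    return VIRTUAL_HOSTS.get((dst, dport)) or VIRTUAL_HOSTS.get((dst, None))


def public_ip_of(private):
    """Return the public IP a private host is published on, or None."""
    for (public, _port), host in VIRTUAL_HOSTS.items():
        if host == private:
            return public
    return None


def masq(pkt):
    """Outbound NAT: the MASQ policy rewrites the source to the outgoing port's IP."""
    return replace(pkt, src=WAN_IP)


def virtual_host_dnat(pkt):
    """Inbound NAT: rewrite the destination to the mapped private host, if any."""
    target = lookup_virtual_host(pkt.dst, pkt.dport)
    return replace(pkt, dst=target) if target else pkt


def reflexive_snat(pkt):
    """Reflexive rule: a published host initiating traffic leaves with the
    public IP it is published on instead of the generic MASQ address."""
    public = public_ip_of(pkt.src)
    return replace(pkt, src=public) if public else masq(pkt)


def process(pkt):
    """Apply the rewrites in the order the module describes."""
    if pkt.in_zone == "WAN":
        return virtual_host_dnat(pkt)           # inbound: virtual host rule
    if lookup_virtual_host(pkt.dst, pkt.dport):
        # loopback: internal user talking to the public IP of an internal server
        return replace(virtual_host_dnat(pkt), src=WAN_IP)
    return reflexive_snat(pkt)                  # outbound: reflexive rule or MASQ


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.5", "203.0.113.25", 25, "WAN"),    # inbound mail
        Packet("192.168.2.25", "198.51.100.9", 25, "DMZ"),    # outbound mail
        Packet("192.168.1.50", "198.51.100.9", 443, "LAN"),   # ordinary user browsing
        Packet("192.168.1.50", "203.0.113.80", 8080, "LAN"),  # loopback to own web server
    ]
    for p in samples:
        print(p, "->", process(p))
```

The outbound mail packet is the case the Reflexive slide is about: without `reflexive_snat` it would leave as `203.0.113.10` (the MASQ address) rather than the `203.0.113.25` that the receiving mail servers see in DNS, which is why the appliance prompts for the rule at virtual host creation.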

Routing > Static Routing
• Use a static route when you want to route traffic destined for a specific network/host via a
different next hop instead of the default route.
• To add a static route, you need to know the destination network/host, the netmask of the
destination network and the next-hop IP address.
• The gateway address specifies the next-hop router to which traffic will be routed.
• A static route causes packets to be forwarded to a next hop other than
the configured default gateway.
• By specifying through which interface/gateway the packet will leave and to which
device the packet should be routed, static routes control the traffic leaving the
appliance.

Routing > Static Routing > Scenario
• Scenario : L3 switch is configured to do inter-VLAN routing.

[Diagram: static routing scenario with VLAN ID 100, VLAN ID 101 and VLAN ID 102 behind the L3 switch]
Routing > Multicast Forwarding
• By default, the appliance recognises multicast traffic and can forward it.
• To forward multicast traffic, multicast forwarding must be enabled and
a multicast route needs to be added.

Routing > Policy based routing
• The static routing method is limited to forwarding based on the destination address only.
• Policy-based routing extends static routing and provides more flexible traffic
handling capabilities.
• It allows matching based upon source address, service/application, and
gateway weight for load balancing.
• It offers granular control for forwarding packets based upon a number of user-
defined variables like:
– Destination
– Source
– Application
– Combination of all of the above
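A worked comparison of the two lookups described in the Static Routing and Policy based routing slides: a destination-only table with longest-prefix match, and a policy table consulted first that can match on source and service and spread traffic across weighted gateways. This is an added illustration, not Cyberoam code; the route tables, gateway addresses and sample flows are constructed, with the three VLAN networks placed behind an L3 switch as in the inter-VLAN routing scenario.

```python
"""Static (destination-only) routes versus policy-based routes, simulated.

Added illustration, not Cyberoam code.  The route tables, gateways and
sample flows are constructed; the three VLAN networks behind the L3 switch
mirror the inter-VLAN routing scenario in the module.
"""
import ipaddress
import zlib

DEFAULT_GATEWAY = "203.0.113.1"  # constructed WAN gateway (first ISP link)

# Static routes: destination network -> next hop.  The VLANs sit behind an
# L3 switch at 192.168.1.2 that does the inter-VLAN routing.
STATIC_ROUTES = [
    ("192.168.100.0/24", "192.168.1.2"),  # VLAN ID 100
    ("192.168.101.0/24", "192.168.1.2"),  # VLAN ID 101
    ("192.168.102.0/24", "192.168.1.2"),  # VLAN ID 102
    ("10.10.0.0/16", "192.168.1.3"),
    ("10.10.5.0/24", "192.168.1.4"),      # more specific than 10.10.0.0/16
]

# Policy routes are consulted first and may match source and service; each
# gateway carries a weight used for load balancing.  Order matters.
POLICY_ROUTES = [
    # guest network: all traffic leaves over the second ISP link
    {"source": "192.168.50.0/24", "service": None,
     "gateways": [("198.51.100.1", 1)]},
    # HTTPS from the office LAN: spread 3:1 across the two ISP links
    {"source": "192.168.1.0/24", "service": ("tcp", 443),
     "gateways": [("203.0.113.1", 3), ("198.51.100.1", 1)]},
]


def static_lookup(dst):
    """Destination-only forwarding: longest prefix match, else the default gateway."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway in STATIC_ROUTES:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    return best[1] if best else DEFAULT_GATEWAY


def weighted_gateway(gateways, flow_key):
    """Pick a gateway in proportion to its weight.  Hashing the flow key keeps
    every packet of one flow on the same link."""
    total = sum(weight for _, weight in gateways)
    slot = zlib.crc32(flow_key.encode()) % total
    for gateway, weight in gateways:
        if slot < weight:
            return gateway
        slot -= weight
    return gateways[-1][0]


def policy_lookup(src, dst, proto, dport):
    """Policy-based forwarding: the first policy matching source and service
    decides; otherwise fall back to the static table."""
    src_addr = ipaddress.ip_address(src)
    for policy in POLICY_ROUTES:
        if src_addr not in ipaddress.ip_network(policy["source"]):
            continue
        if policy["service"] is not None and policy["service"] != (proto, dport):
            continue
        return weighted_gateway(policy["gateways"], f"{src}>{dst}:{proto}/{dport}")
    return static_lookup(dst)


if __name__ == "__main__":
    flows = [
        ("192.168.1.20", "192.168.101.7", "tcp", 445),  # office host to VLAN 101
        ("192.168.1.20", "192.0.2.53", "udp", 53),      # office DNS, no policy matches
        ("192.168.50.20", "192.0.2.53", "udp", 53),     # guest DNS, policy route
        ("192.168.1.20", "198.51.100.3", "tcp", 443),   # office HTTPS, weighted
    ]
    for flow in flows:
        print(flow, "->", policy_lookup(*flow))
```

The guest and office DNS flows share a destination yet leave through different gateways, which is exactly what a destination-only static table cannot express; the weighted HTTPS policy shows the gateway-weight form of load balancing, with the flow-key hash keeping a given connection on one link.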

Labs

• Lab #6 Securing the Appliance

• Lab #7 Create a DROP firewall rule for your machine’s IP address

• Lab #8 Create an ACCEPT firewall rule for your machine’s IP address

• Lab #9 Create Schedule & Apply in Firewall Rule

• Lab #10 Create Firewall Rule to Allow DNS Traffic

• Lab #11 Create Virtual Host to Publish an RDP Server residing in the LAN

Next -> Module 5 (User Authentication)
