Table 12-4 External Firewall Filters to Access an L2TP Tunnel Server

Protocol   Transport Protocol   Source IP   Source Port   Target IP     Target Port   Action
IKE        UDP                  Any         500           23.16.18.17   500           Allow
AH         ID 51                Any         n/a           23.16.18.17   n/a           Allow*
ESP        ID 50                Any         n/a           23.16.18.17   n/a           Allow

*AH is required only if the IPSec SA for the L2TP tunnel requires AH protection.

AH (IP protocol 51) and ESP (IP protocol 50) are IP protocols rather than UDP or TCP services, so the filter matches them by protocol ID and they carry no port numbers. The L2TP traffic itself (UDP port 1701) travels inside ESP, which is why no UDP 1701 rule is needed at the external firewall.

After the L2TP tunnel clients connect to the L2TP server, the RADIUS server (located on the private network at IP address 192.168.222.3) authenticates the client. After the tunnel client is successfully authenticated, the tunnel client is assigned an IP address in the 23.16.18.128/25 address range. To allow this access, the firewall rules shown in Table 12-5 must be configured at the internal firewall.

Table 12-5 Internal Firewall Rules to Access an L2TP Tunnel Server

Protocol                Transport Protocol   Source IP         Source Port   Target IP          Target Port   Action
RADIUS Authentication   UDP                  23.16.18.17       Any           192.168.222.3      1812          Allow
RADIUS Accounting       UDP                  23.16.18.17       Any           192.168.222.3      1813          Allow
Internal Access         Any                  23.16.18.128/25   Any           192.168.222.0/24   Any           Allow

Deploying firewall rules for clients that support NAT-T

If the tunnel clients and tunnel server support NAT traversal (NAT-T), you can deploy private network addressing in the DMZ, as shown in Figure 12-4.

204 Part III: Designing Network Configurations

As with a PPTP tunnel server, you must first define static address mappings at the external firewall to ensure that the NAT discovery (NAT-D) and NAT-T traffic are redirected to the tunnel server in the DMZ. These static address mappings are shown in Table 12-6.

Table 12-6 L2TP with NAT-T Static Address Mapping

External IP Address   Transport Protocol   External Port   Internal IP Address   Internal Port
23.16.16.5            UDP                  500             192.168.223.22        500
23.16.16.5            UDP                  4500            192.168.223.22        4500

After the static address mappings are defined, you must define what protocols are allowed to pass through the external firewall to the DMZ.
These firewall rules are defined in Table 12-7.

Table 12-7 External L2TP/IPSec Firewall Rules for NAT-T Clients

Protocol   Transport Protocol   Source IP   Source Port   Target IP        Target Port   Action
NAT-D      UDP                  Any         Any           192.168.223.22   500           Allow
NAT-T      UDP                  Any         Any           192.168.223.22   4500          Allow

The UDP 500 rule carries the IKE negotiation, including the NAT-D payloads that detect a NAT in the path; once a NAT is detected, IKE and the ESP-encapsulated L2TP traffic move to UDP 4500. Because the static mapping in Table 12-6 rewrites 23.16.16.5 to 192.168.223.22 before the filter is applied, the rules are written against the tunnel server's DMZ address.

Figure 12-4: A two-firewall DMZ for L2TP services that support NAT-T. The private network 192.168.222.0/24 holds the internal server and the RADIUS server (192.168.222.3); the DMZ 192.168.223.0/24 holds the tunnel server (192.168.223.22); the external firewall's Internet address is 23.16.16.5 and the external client is 39.100.24.5.

205 Chapter 12: Designing Demilitarized Zones with Multiple Firewalls

After the L2TP NAT-T tunnel clients connect to the L2TP server, the RADIUS server (located on the private network at IP address 192.168.222.3) authenticates the client. After the tunnel client is successfully authenticated, the tunnel client is assigned an IP address in the 23.16.18.128/25 address range. To allow this access, the firewall rules shown in Table 12-8 must be configured at the internal firewall. In this design the tunnel server sits in the DMZ at 192.168.223.22, so that address, not the public address used in Table 12-5, is the source of the RADIUS traffic.

Table 12-8 Internal L2TP/IPSec Firewall Rules for NAT-T Clients

Protocol                Transport Protocol   Source IP         Source Port   Target IP          Target Port   Action
RADIUS Authentication   UDP                  192.168.223.22    Any           192.168.222.3      1812          Allow
RADIUS Accounting       UDP                  192.168.223.22    Any           192.168.222.3      1813          Allow
Internal Access         Any                  23.16.18.128/25   Any           192.168.222.0/24   Any           Allow

Deploying a Web server with a SQL back end

Many Web sites collect information for registrations, newsletters, or purchasing information. Typically, this information is stored in a database. Figure 12-5 shows a typical DMZ configuration for a Web server with a back-end Oracle database located on the private network.

Figure 12-5: A DMZ hosting a Web-based database application. The private network 192.168.222.0/24 holds the internal server and the Oracle server; the DMZ 192.168.223.0/24 holds the Web server; the external firewall's Internet address is 23.16.16.5 and the external client is 39.100.24.5.
In Figure 12-5, the Web server located in the DMZ at IP address 192.168.223.13 must access an Oracle SQL back-end server using a SQL*Net connection. The Oracle server is located in the private network at IP address 192.168.222.5. To access the Web server, the firewall must allow both HTTP and HTTPS (HTTP over SSL) to reach the Web server. In addition, the firewall must allow the Web server to communicate with the Oracle server using a SQL*Net connection, which means connections to the Oracle listener on TCP port 1521.

The first step is to define the static address mapping that redirects HTTP and HTTPS packets received at the firewall to the Web server in the DMZ. Table 12-9 shows the static address mappings that must be deployed at the firewall to allow HTTP and HTTPS redirects to the Web server.

Table 12-9 Static Address Mappings

External IP Address   Transport Protocol   External Port   Internal IP Address   Internal Port
23.16.16.5            TCP                  80              192.168.223.13        80
23.16.16.5            TCP                  443             192.168.223.13        443

After the static address mappings are defined, the external firewall rules must be configured. Table 12-10 shows the firewall rules that must be implemented to allow connections to the Web server.

Table 12-10 External Firewall Rules to Access an Internal Web Server

Protocol   Transport Protocol   Source IP   Source Port   Target IP        Target Port   Action
HTTP       TCP                  Any         Any           192.168.223.13   80            Allow
HTTPS      TCP                  Any         Any           192.168.223.13   443           Allow

The last step is to configure the internal firewall to allow the Web server to connect to the Oracle back-end database in the private network. Table 12-11 shows the firewall rule that must be configured at the internal firewall.
Table 12-11 Internal Firewall Rule to Access a Back-End SQL Server

Protocol         Transport Protocol   Source IP        Source Port   Target IP       Target Port   Action
Oracle SQL*Net   TCP                  192.168.223.13   Any           192.168.222.5   1521          Allow

This firewall rule allows only the Web server to connect to the Oracle database, not the external Web clients themselves. The queries that external clients can trigger are limited to those the Web application issues on their behalf. That limit is enforced by the application code on the Web server, not by the HTML forms: a client can send any request it likes, so the server-side code must validate form input before building a query from it.

Allowing private network users to access the Internet

In many ways, the more difficult configurations with a two-firewall DMZ involve outbound traffic rather than inbound traffic. This is because the original source address information is typically translated at either the internal or the external firewall. Figure 12-6 shows a typical configuration in which internal clients on the 192.168.222.0/24 network are allowed to access the Internet through the two firewalls between the private network and the Internet. In this scenario, the best strategy is to configure the firewalls starting at the innermost firewall and work your way out to the firewall between the DMZ and the Internet.

Figure 12-6: Allowing outbound traffic through a two-firewall DMZ. Clients on the private network 192.168.222.0/24 pass through the internal firewall, the DMZ 192.168.223.0/24, and the external firewall (23.16.16.5) to reach the Internet, where the external client 39.100.24.5 sits.

If you assume that the DMZ in Figure 12-6 uses 192.168.223.0/24 private network addressing, the internal firewall requires the firewall rule shown in Table 12-12 to allow outbound network traffic to the Internet from the private network.
Table 12-12 Internal Firewall Outbound Firewall Rule

Protocol   Transport Protocol   Source IP          Source Port   Target IP   Target Port   Action
Any        Any                  192.168.222.0/24   Any           Any         Any           Allow

Because both the private network and the DMZ use private network addressing, the packets have the same source IP and port information when they reach the external firewall (but before the packets are transmitted on the Internet). To allow this traffic, the external firewall must be configured with the same outbound firewall rule as the internal rule shown in Table 12-12.

The only catch is that the external firewall must be configured to perform network address translation (NAT) on the outbound packets. All outbound packets that arrive at the external firewall and originated from either the private network or the DMZ must be translated to the external browsing address configured at the firewall. Table 12-13 shows the network address translation that must be performed at the external firewall.

Table 12-13 External Firewall NAT Configuration

Source IP          Source Port   Translated IP   Translated Port   Action
192.168.222.0/24   Any           23.16.16.5      Any               Allow
192.168.223.0/24   Any           23.16.16.5      Any               Allow

The scenario changes if the DMZ is configured to use public network addressing. When public network addressing is used in the DMZ, the internal firewall, not the external firewall, must be configured to perform network address translation. Assuming that the internal firewall's network interface connected to the DMZ uses the IP address 23.16.18.5, the translation must be configured at the internal firewall, as shown in Table 12-14, so that the outbound packets have public network addresses after they enter the DMZ.
Table 12-14 Internal Firewall NAT Configuration

Source IP          Source Port   Translated IP   Translated Port   Action
192.168.222.0/24   Any           23.16.18.5      Any               Allow

The internal firewall must still be configured to allow the original source addresses to pass into the DMZ. Its filter rule uses the true IP addresses, as shown in Table 12-15, rather than the translated addresses, because a firewall's rules are matched against the packet as it arrives: at the internal firewall the source is still an address in 192.168.222.0/24, and the translation to 23.16.18.5 takes effect only after the rule has allowed the packet through.

Table 12-15 Internal Firewall Outbound Firewall Rule

Protocol   Transport Protocol   Source IP          Source Port   Target IP   Target Port   Action
Any        Any                  192.168.222.0/24   Any           Any         Any           Allow

The external firewall requires different address information in its outbound firewall rules because the original source address information has by then been translated to the common IP address of 23.16.18.5. Table 12-16 shows the outbound firewall rule required to allow private network users to access the Internet. A rule written for 192.168.222.0/24 at the external firewall would never match in this design, because that address is no longer in the packet when it arrives there.

Table 12-16 External Firewall Outbound Firewall Rule

Protocol   Transport Protocol   Source IP    Source Port   Target IP   Target Port   Action
Any        Any                  23.16.18.5   Any           Any         Any           Allow

Part IV
Deploying Solutions Using Firewall Products

In this part . . .

What firewall product should you use to protect your network? Several options are available. This part shows you the steps to securing your network using Windows or Linux. We also describe how to use a personal firewall, such as ZoneAlarm or Norton Personal Firewall, or two popular enterprise firewalls: Microsoft Internet Security and Acceleration (ISA) Server and Check Point FireWall-1. Vendors are all too happy to tell you to buy their firewall product, which is no surprise. The last chapter in this part helps you decide what features you need and what firewall product to use. This part also gives you criteria for choosing a firewall solution.
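Before turning to specific firewall products, here is a worked check of the Chapter 12 rule tables. It is an added example, not code from the book: a small Python model that applies a static address mapping, then the filter rules, then outbound NAT, in that order (an assumption; real products differ in where NAT sits relative to filtering), using first-match semantics with an implicit deny. The addresses are the chapter's own; the client source ports and the use of 39.100.24.5 as a browsing destination are constructed for the example. It encodes Tables 12-9 to 12-11 for the Web server with the Oracle back end and Tables 12-12 to 12-16 for outbound browsing, and lets you reproduce the catch in the public-DMZ variant: a rule written for 192.168.222.0/24 at the external firewall silently denies everything once the internal firewall performs the NAT.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = "any"  # wildcard for the protocol, address and port fields

@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp", "udp", ...
    src: str
    sport: object  # port number or ANY
    dst: str
    dport: object

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str       # network in CIDR form, a host address, or ANY
    sport: object
    dst: str
    dport: object
    action: str = "allow"

def _addr_match(pattern, addr):
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)

def _field_match(pattern, value):
    return pattern == ANY or pattern == value

def evaluate(rules, pkt):
    """First-match filter with an implicit deny: a packet no rule allows is dropped."""
    for r in rules:
        if (_field_match(r.proto, pkt.proto)
                and _addr_match(r.src, pkt.src) and _field_match(r.sport, pkt.sport)
                and _addr_match(r.dst, pkt.dst) and _field_match(r.dport, pkt.dport)):
            return r.action
    return "deny"

def static_map(mappings, pkt):
    """Static address mapping (Table 12-9): rewrite the destination before the filter runs."""
    for (ext_ip, proto, ext_port), (int_ip, int_port) in mappings.items():
        if (pkt.dst, pkt.proto, pkt.dport) == (ext_ip, proto, ext_port):
            return replace(pkt, dst=int_ip, dport=int_port)
    return pkt

def source_nat(translations, pkt):
    """Outbound NAT (Tables 12-13 and 12-14): rewrite a source that falls in a listed network."""
    for net, new_src in translations:
        if ip_address(pkt.src) in ip_network(net):
            return replace(pkt, src=new_src)
    return pkt

# Web server with an Oracle back end (Figure 12-5, Tables 12-9 to 12-11)
WEB_STATIC_MAP = {("23.16.16.5", "tcp", 80): ("192.168.223.13", 80),
                  ("23.16.16.5", "tcp", 443): ("192.168.223.13", 443)}
EXTERNAL_INBOUND = [Rule("tcp", ANY, ANY, "192.168.223.13", 80),
                    Rule("tcp", ANY, ANY, "192.168.223.13", 443)]
INTERNAL_INBOUND = [Rule("tcp", "192.168.223.13", ANY, "192.168.222.5", 1521)]

def inbound_verdict(pkt):
    """External firewall: static mapping, then Table 12-10. Returns (verdict, packet as delivered)."""
    pkt = static_map(WEB_STATIC_MAP, pkt)
    return evaluate(EXTERNAL_INBOUND, pkt), pkt

def dmz_to_private_verdict(pkt):
    """Internal firewall: Table 12-11 is the only rule, so only the Web server reaches Oracle."""
    return evaluate(INTERNAL_INBOUND, pkt)

# Outbound browsing (Figure 12-6, Tables 12-12 to 12-16)
PRIVATE_NET = "192.168.222.0/24"
INTERNAL_OUTBOUND = [Rule(ANY, PRIVATE_NET, ANY, ANY, ANY)]             # Tables 12-12 and 12-15
EXTERNAL_NAT_PRIVATE_DMZ = [(PRIVATE_NET, "23.16.16.5"),                 # Table 12-13
                            ("192.168.223.0/24", "23.16.16.5")]
INTERNAL_NAT_PUBLIC_DMZ = [(PRIVATE_NET, "23.16.18.5")]                  # Table 12-14
EXTERNAL_OUTBOUND_PUBLIC_DMZ = [Rule(ANY, "23.16.18.5", ANY, ANY, ANY)]  # Table 12-16

def outbound_path(pkt, public_dmz, external_rules=None):
    """Walk a private-network packet out through both firewalls.

    Returns (verdict, source address the Internet sees). The external firewall filters
    on whatever source the packet carries when it arrives: the original address when the
    DMZ is privately addressed, 23.16.18.5 when the internal firewall already translated
    it. external_rules replaces the external firewall's rule set to test a misplaced rule.
    """
    if evaluate(INTERNAL_OUTBOUND, pkt) != "allow":  # internal filter sees the true source
        return "deny", None
    if public_dmz:
        pkt = source_nat(INTERNAL_NAT_PUBLIC_DMZ, pkt)
        rules = EXTERNAL_OUTBOUND_PUBLIC_DMZ if external_rules is None else external_rules
        verdict = evaluate(rules, pkt)
        return verdict, (pkt.src if verdict == "allow" else None)
    rules = INTERNAL_OUTBOUND if external_rules is None else external_rules  # same as 12-12
    if evaluate(rules, pkt) != "allow":
        return "deny", None
    return "allow", source_nat(EXTERNAL_NAT_PRIVATE_DMZ, pkt).src
```

With browse = Packet("tcp", "192.168.222.10", 50000, "39.100.24.5", 80), outbound_path(browse, public_dmz=False) returns ("allow", "23.16.16.5") and outbound_path(browse, public_dmz=True) returns ("allow", "23.16.18.5"); the same packet with external_rules=INTERNAL_OUTBOUND in the public-DMZ case returns ("deny", None), which is the misconfiguration Tables 12-15 and 12-16 exist to avoid. On the inbound side, a request from 39.100.24.5 to 23.16.16.5 port 443 is delivered to 192.168.223.13, a direct attempt at 192.168.222.5 port 1521 is denied at the external firewall, and only a packet whose source is 192.168.223.13 passes the internal firewall's Table 12-11 rule.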
Chapter 13
Using Windows as a Firewall

In This Chapter
• Firewall functions in Windows
• Windows 98 and Windows Me
• Windows NT 4.0
• Windows 2000
• Windows XP
• Windows Server 2003

Over the years, the Windows operating system has grown by leaps and bounds. It now does much more than provide just the core functionality, or, as operating system buffs like to call it, the kernel functionality. Entire applications are part of Windows now. The inseparable inclusion of Internet Explorer in the Windows operating system was even the reason for a major lawsuit against the software giant.

However, one thing that can be considered a core functionality of an operating system is the provision of a solid security infrastructure. It is considered much better to let one dedicated party, such as the operating system itself, handle all the details of implementing security protocols and object access enforcement than it is to make each separate application responsible for handling this complex task. For secure Internet access, this concept is taken one step further. Often a truly dedicated application, such as the firewall software, handles all the packet inspection and housekeeping that comes with providing Internet access. Yet the increased functionality in more recent versions of Windows has also added many features that can be used to provide secure Internet access. Windows XP, the latest version of the Microsoft Windows desktop operating system, even includes a built-in Internet Connection Firewall.

[...] (IPSec filters on the Windows 2000 server at 23.0.1.65)

Filter   Source      Destination   Transport Protocol   Source Port   Destination Port   Description
[...]                23.0.1.65     UDP                  500           500                IKE
Input    23.0.2.12   23.0.1.65     ID 50                Any           Any                IPSec ESP
Input    23.0.2.12   23.0.1.65     ID 51                Any           Any                IPSec AH
Output   23.0.1.65   23.0.2.12     UDP                  500           500                IKE
Output   23.0.1.65   23.0.2.12     ID 50                Any           Any                IPSec ESP
Output   23.0.1.65   23.0.2.12     ID 51                Any           Any                IPSec AH

On the other Windows 2000 server with IP address 23.0.2.12, you have to create similar filters. The IPSec ESP protocol provides integrity for [...]

220 Part IV: Deploying Solutions Using Firewall Products

On Windows 98 SE and Windows Me systems, you can configure the ICS computer to use different IP addresses than 192.168.0.0/24. Search the Microsoft support Web site for Microsoft Knowledge Base article Q230148 for details. In later versions of Windows, you can no longer change the default range of IP addresses for ICS. [...]

[...] example, the Windows 2000 L2TP server has external IP address 23.0.1.65.

Table 13-1 Windows 2000 L2TP Firewall Rules (Tunnel Endpoint)

Filter   Source      Destination   Transport Protocol   Source Port   Destination Port   Description
Input    Any         23.0.1.65     UDP                  500           500                IKE
Input    Any         23.0.1.65     UDP                  1701          1701               L2TP
Output   23.0.1.65   Any           UDP                  500           500                IKE
Output   23.0.1.65   Any           UDP                  1701          1701               L2TP

In this situation, no specific firewall [...]

[...] traffic destined for the firewall computer. For example, if you want to enable remote administration of your firewall, you have to configure a rule for the input chain to allow whatever network traffic your remote administration tools use.
• Output chain: The output chain applies to all traffic that leaves the firewall computer. For example, if your firewall needs to contact a DNS server for name lookups, [...]

[...] forms of network address translation. SNAT changes a packet's source address before sending it on; this is most often used to hide the real IP address of a client computer in outgoing traffic. DNAT changes the destination address of packets, which is commonly used for transparent proxies — proxy servers that handle network traffic for clients without the client knowing. Masquerading is a specialized form [...]
[...] publisher wants you to read the other chapters in this book too, so we're not allowed to say "no" here. An application that's dedicated to performing a specific task almost always does a better job than an operating system that's responsible for performing many tasks. For example, Windows comes with a built-in word processor named WordPad, yet anyone who wants to do serious word processing installs another [...]

[...] Windows NT 4.0 server will accept PPTP calls. Search the Microsoft support Web site for Microsoft Knowledge Base article Q154674 for details. Note that Microsoft offers a free download that can be used to enhance the remote access and filtering capabilities of Windows NT 4.0. This Routing And Remote Access Service Update for Windows NT 4.0 can be downloaded from windowsupdate.microsoft.com.

[...] Routing➪General node to open the Properties dialog box of the network interface for which the filters should be defined.
3. Click the Input Filters button to display (and define) the list of packet filters for incoming traffic.
4. When done, click the Output Filters button to examine (and define) the filters for outgoing traffic.

Figure 13-3 shows a [...]

[...] on the external interface, the IP address of the internal network adapter changes to 192.168.0.1. The Windows 2000 ICS computer is automatically configured to assign IP addresses in the 192.168.0.2 through 192.168.0.254 range to DHCP clients on the internal network, and DNS queries from the internal network are forwarded to the DNS server of the ISP. You should not enable ICS on a Windows 2000 server [...]

[...] reservation.

Figure 13-4: Windows 2000 NAT static address mapping.

For applications that embed IP or port information in the data portion of the IP packets, NAT requires specific NAT editors to substitute that information correctly. Windows 2000 includes fewer NAT editors than what is provided in Windows 98 SE and Windows Me. NAT editors are included for ICMP (PING), FTP, PPTP, and DirectPlay. Note that the PPTP [...]