Common Firewall Management Tasks
Pages: 16
File type: pdf
Size: 57.10 KB
One of the first things to accomplish when deploying a new firewall, whether this is for an enterprise deployment or for a deployment in a small office or home office, is to configure some basic aspects of networking. Doing so includes changing the default administrative password, configuring the default gateway, configuring the IP addresses for the internal and external (and possibly other) interfaces, and configuring the logging of messages from the firewall. In addition to these tasks, the firewall administrator must also manage the configuration of the firewall over time. Doing so may require the use of a change control system such as the Revision Control System (RCS), which is available both on the UNIX/Linux platforms as well as the Windows platform. The following sections discuss each of these tasks in more detail.

Initial Configuration

The initial configuration of a firewall requires several items of information. This information includes both the internal and external interface IP addresses (or the use of DHCP on one of those interfaces), the next-hop gateway, logging, and an administrative password. The first three items are discussed in the following paragraphs. A discussion of administrative passwords was provided earlier in the "Default Passwords" section.

Interfaces

Most small office/home office (SOHO) firewalls have only two interfaces. On enterprise firewalls, there can be well over a half dozen interfaces that comprise various demilitarized zones (DMZ) with varying levels of security. In addition, newer enterprise firewalls can also support VLANs and filtering between VLANs while only having a limited number of physical interfaces.

All firewalls have at least two interfaces:

• Inside: The inside interface is typically assigned a static IP address (and this IP address typically comes from one of the three private IP address blocks, 10.0.0.0/8, 172.16.0.0-172.31.255.255, or 192.168.0.0/16, but this is not a hard requirement). This interface serves as a default gateway for systems that are behind the firewall. A default gateway is the gateway of last resort for systems to send traffic to when the other end of the connection (that is, the system being contacted) is not reachable any other way or is not on the client's local network.

• Outside: The outside interface can either be assigned a static IP address as provided by the Internet service provider or it can be configured to be assigned an IP address through the Dynamic Host Configuration Protocol (DHCP).

In addition to the IP addresses on the various interfaces, the firewall can also run a DHCP server to provide IP addresses and other configuration information to systems inside the firewall. This server makes the deployment of a SOHO firewall much easier because most vendors also provide some default configuration for the DHCP server, too. Care must be taken to ensure that the scope of the DHCP server does not overlap or conflict with any DHCP scope already in place in the network. Also, in the case of wireless firewall routers (such as the Linksys BEFW11S4 or the WRT54G) that are popular these days, it is extremely important for the administrator of the device to ensure that only authorized users can associate and authenticate to the device. If these devices are not locked down, any user can authenticate and associate to the device, and the DHCP server will provide them with a network address that they can use.

Routing/Gateway

In many cases, where simple firewalls such as the Linksys, the Linux NetFilter, or the PIX 501 or 506E firewalls are used, there is a simple network topology: essentially an internal network behind the firewall and an external network (typically consisting of the external IP address provided by the service provider). These firewalls do not do complex routing but rather just forward packets from the internal network to the external network using a default gateway. The default gateway information is provided either by the administrator or by the service provider's DHCP server when the firewall boots up.

In enterprise networks, however, the firewall can segment multiple networks and DMZs from each other. In this case, the routing can be quite complex and may require the use of a dynamic routing protocol such as the Routing Information Protocol (RIP) or the Open Shortest Path First (OSPF) routing protocol.

To add a default route to a Cisco PIX during initial configuration, you need to use the route command as follows:

    pix(config)# route outside 0.0.0.0 0.0.0.0 172.16.45.1 1

This tells the PIX that the default route goes out the outside interface, that the next hop is 172.16.45.1, and that it is only one hop away (that is, it is the next device going outbound).

Logging

Logging is also essential for maintaining and administering a firewall. Logging e ...
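
The DHCP scope caution in the Interfaces section can be checked before the firewall's DHCP server is enabled. The following is an added example, not part of the original document: the function names, the "start-end" range notation and the sample addresses are assumptions made for illustration.

```python
import ipaddress as ipa

# The three private blocks named in the text (172.16.0.0-172.31.255.255 is 172.16.0.0/12).
PRIVATE_BLOCKS = [ipa.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_range(text):
    """Turn 'start-end' into a (first, last) pair of address objects."""
    first, last = (ipa.ip_address(p.strip()) for p in text.split("-"))
    if first > last:
        raise ValueError(f"range {text!r} is reversed")
    return first, last

def audit_dhcp_scope(inside_if, new_scope, existing_scopes):
    """Return a list of findings; an empty list means nothing was flagged."""
    iface = ipa.ip_interface(inside_if)   # e.g. "192.168.1.1/24"
    net = iface.network
    first, last = parse_range(new_scope)
    findings = []
    # Private addressing is typical but not mandatory, so this is only a note.
    if not any(iface.ip in block for block in PRIVATE_BLOCKS):
        findings.append(f"note: inside address {iface.ip} is not in a private block")
    if first not in net or last not in net:
        findings.append(f"scope {new_scope} extends outside {net}")
    if first <= iface.ip <= last:
        findings.append(f"scope {new_scope} contains the firewall address {iface.ip}")
    for reserved in (net.network_address, net.broadcast_address):
        if first <= reserved <= last:
            findings.append(f"scope {new_scope} contains reserved address {reserved}")
    for other in existing_scopes:
        o_first, o_last = parse_range(other)
        # Two closed ranges overlap when each one starts before the other ends.
        if first <= o_last and o_first <= last:
            findings.append(f"scope {new_scope} overlaps existing scope {other}")
    return findings

# Constructed sample data: a LAN that already has a DHCP server handing out .100-.149.
EXISTING = ["192.168.1.100-192.168.1.149"]

if __name__ == "__main__":
    for scope in ("192.168.1.1-192.168.1.120", "192.168.1.150-192.168.1.199"):
        result = audit_dhcp_scope("192.168.1.1/24", scope, EXISTING)
        print(scope, "->", result or "OK")
```
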