
Firewall Management Interface

Pages: 7      File type: pdf      Size: 26.64 KB      Views: 19      Downloads: 0
10.10.2023

Content extracted from the document:
Firewall Management Interface

Modern firewalls come with two administrative interfaces:

• The CLI
• The GUI (typically, but not necessarily, web based)

This section provides an overview and some examples of these interfaces.

Managing Firewalls with a CLI

A CLI enables you to use a specific instruction set to configure the firewall. Most firewalls require the end user to do the initial configuration of the firewall (inputting the basic network information such as IP address, net mask, default gateway, and possibly an administrative password) via the CLI before the end user can switch over to the GUI. Linux's NetFilter is, for the most part, configured through a CLI, although several products exist that allow NetFilter-based firewalls to be configured through a GUI.

CLIs require knowledge of the command set of the firewall product. For example, configuring NetFilter through the IPTables CLI to allow inbound Secure Shell (SSH), e-mail, and web traffic (TCP ports 22, 25, and 80, respectively) and deny all other traffic requires the configuration in Example 11-1.

Example 11-1. Configuring NetFilter with IPTables

    # iptables -P INPUT DROP
    # iptables -P OUTPUT ACCEPT
    # iptables -P FORWARD ACCEPT
    # iptables -A INPUT -i lo -j ACCEPT
    # iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 22 -m state --state NEW -j ACCEPT
    # iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 25 -m state --state NEW -j ACCEPT
    # iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 80 -m state --state NEW -j ACCEPT
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Note that the INPUT policy is set to DROP before any accept rule exists, so entering these commands one at a time over a remote SSH session disconnects that session at the first command; apply them from the console, or from a script that is run as a whole.

Example 11-2 provides a similar configuration with the PIX command set.

Example 11-2. Configuring a PIX

    gandalf(config)# access-list acl_test permit tcp any host 10.16.17.202 eq ssh
    gandalf(config)# access-list acl_test permit tcp any host 10.16.17.202 eq smtp
    gandalf(config)# access-list acl_test permit tcp any host 10.16.17.202 eq 80
    gandalf(config)# access-list acl_test permit icmp any any
    gandalf(config)# access-list acl_test deny ip any any
    gandalf(config)# show access-list acl_test
    access-list acl_test; 5 elements
    access-list acl_test line 1 permit tcp any host 10.16.17.202 eq ssh (hitcnt=0)
    access-list acl_test line 2 permit tcp any host 10.16.17.202 eq smtp (hitcnt=0)
    access-list acl_test line 3 permit tcp any host 10.16.17.202 eq www (hitcnt=0)
    access-list acl_test line 4 permit icmp any any (hitcnt=0)
    access-list acl_test line 5 deny ip any any (hitcnt=0)

The PIX evaluates an access list top down and stops at the first matching line, which is why the explicit deny is last; the list has no effect on traffic until it is bound to an interface with the access-group command.

Knowledge of the command set is critical to effectively configure a firewall through a CLI. Many vendors (and third parties) have worked hard to reduce the configuration of a firewall to a simpler method. When the initial configuration is done (supplying the firewall software with an IP address and net mask), the end user can immediately switch to a more graphical method of configuring the firewall.

Managing Firewalls with a GUI

A GUI provides a more user-friendly interface to configure the firewall. Some firewalls are configured through a direct interface on the host, such as Symantec Norton Internet Security shown in Figure 11-1 and Figure 11-2, before the firewall is active. Some come with a preconfigured IP address and an administrative password to be used for access by the end user during initial configuration (such as Linksys or the PIX 501 and 506E series systems).

Figure 11-1. Symantec Internet Security Configuration

Figure 11-2. Symantec Firewall Configuration

The PIX Device Manager (for PIX operating systems up to version 6.3(5)), known as the Cisco Adaptive Security Device Manager in PIX version 7.0, is a Java applet that is downloaded from the PIX or ASA device and runs locally through the client browser. Figure 11-3 shows the PIX Device Manager screen.

Figure 11-3. Cisco PIX Device Manager

The information is presented in a more natural fashion to the end user, in the form of graphics and graphs for performance.

Not to be outdone, there are GUIs for Linux's IPTables firewall software. Some are web based (such as Webmin), and some are applications running on the Linux system itself (such as Firestarter or FW-Builder). Firestarter provides a simple, easy-to-use interface for IPTables, as shown in Figure 11-4.

Figure 11-4. Firestarter for IPTables

Webmin provides a method by which the firewall can be managed through a web browser interface, which is more convenient than an application that can only be viewed on an X Window-enabled server. Figure 11-5 shows this interface. ...
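The following Python script is an added example and not part of the chapter or of any vendor tool. It takes the single policy that Examples 11-1 and 11-2 both express (inbound SSH, SMTP and HTTP to 10.16.17.202, everything else denied) and renders it into both CLI dialects, then walks sample packets through the generated PIX list with the same first-match, stop-on-hit semantics the PIX uses, so that the line numbers and hit counters of `show access-list` become visible. The host address and port set are the chapter's; the function names, the packet tuples and the iptables rule ordering (accept rules first, DROP policy last, so an administrator applying it over SSH is not cut off) are this example's own choices.

```python
"""Added example: one inbound policy rendered into the CLI dialects of
Examples 11-1 (IPTables) and 11-2 (PIX), plus a first-match walk of the PIX
access list that mirrors the line numbers and hit counters of 'show access-list'."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample policy matching the chapter: SSH, SMTP and HTTP to one host.
PROTECTED_HOST = "10.16.17.202"
ALLOWED_TCP_PORTS = (22, 25, 80)

# Service names the PIX substitutes for well-known ports in "show access-list".
PIX_PORT_NAMES = {22: "ssh", 25: "smtp", 80: "www"}
PIX_NAME_TO_PORT = {name: port for port, name in PIX_PORT_NAMES.items()}


def iptables_commands(host: str, tcp_ports: tuple[int, ...]) -> list[str]:
    """Equivalent of Example 11-1. Accept rules are added before the INPUT
    policy is switched to DROP, so applying this over a remote session never
    drops that session part-way through (the book's order does)."""
    cmds = ["iptables -A INPUT -i lo -j ACCEPT",
            "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for port in tcp_ports:
        cmds.append(f"iptables -A INPUT -p tcp -s 0.0.0.0/0 -d {host} "
                    f"--dport {port} -m state --state NEW -j ACCEPT")
    # Target options such as --reject-with must follow "-j REJECT".
    cmds.append("iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited")
    cmds += ["iptables -P INPUT DROP", "iptables -P OUTPUT ACCEPT",
             "iptables -P FORWARD ACCEPT"]
    return cmds


def pix_access_list(host: str, tcp_ports: tuple[int, ...],
                    name: str = "acl_test") -> list[str]:
    """Equivalent of Example 11-2: explicit permits, then an explicit deny."""
    lines = [f"access-list {name} permit tcp any host {host} eq {PIX_PORT_NAMES.get(p, p)}"
             for p in tcp_ports]
    lines.append(f"access-list {name} permit icmp any any")
    lines.append(f"access-list {name} deny ip any any")
    return lines


@dataclass
class Ace:
    """One access control entry, restricted to the PIX syntax used above."""
    text: str              # entry as the PIX prints it, without the list name
    action: str            # permit | deny
    proto: str             # tcp | udp | icmp | ip
    dst_host: str | None   # None means "any"
    dst_port: int | None   # None means any port
    hits: int = 0


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME ACTION PROTO any (host H | any) [eq PORT]'."""
    toks = line.split()
    host = toks[toks.index("host") + 1] if "host" in toks else None
    port = None
    if "eq" in toks:
        val = toks[toks.index("eq") + 1]
        port = PIX_NAME_TO_PORT.get(val) or int(val)
    return Ace(" ".join(toks[2:]), toks[2], toks[3], host, port)


def evaluate(acl: list[Ace], proto: str, dst: str,
             dport: int | None = None) -> tuple[int, str]:
    """First-match evaluation: returns (line number, action) of the entry that
    decided the packet and bumps its hit counter. Line 0 stands for the
    implicit deny that applies when no entry matches."""
    for number, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if ace.dst_host is not None and ace.dst_host != dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        ace.hits += 1
        return number, ace.action
    return 0, "deny"


def show_access_list(name: str, acl: list[Ace]) -> list[str]:
    """Render the list the way 'show access-list' does, with hit counters."""
    out = [f"access-list {name}; {len(acl)} elements"]
    out += [f"access-list {name} line {n} {ace.text} (hitcnt={ace.hits})"
            for n, ace in enumerate(acl, start=1)]
    return out


if __name__ == "__main__":
    print("\n".join(iptables_commands(PROTECTED_HOST, ALLOWED_TCP_PORTS)))
    acl = [parse_ace(line) for line in pix_access_list(PROTECTED_HOST, ALLOWED_TCP_PORTS)]
    # Constructed sample packets: (protocol, destination, destination port).
    for pkt in [("tcp", PROTECTED_HOST, 22), ("tcp", PROTECTED_HOST, 443),
                ("icmp", PROTECTED_HOST, None)]:
        print(pkt, "->", evaluate(acl, *pkt))
    print("\n".join(show_access_list("acl_test", acl)))
```

Running the script prints the generated rule sets, then shows that the SSH packet stops at line 1, the ICMP packet at line 4, and the port 443 packet at the explicit deny on line 5, after which the rendered list carries non-zero hit counters on exactly those lines. Because a PIX list stops at the first match, any permit placed after the `deny ip any any` line would never be reached, which the evaluator makes easy to check before a list is bound to an interface.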
