
The Illustrated Network- P74

The Illustrated Network - P74: In this chapter, you will learn about the protocol stack used on the global public Internet and how these protocols have been evolving in today’s world. We’ll review some key basic definitions and see the network used to illustrate all of the examples in this book, as well as the packet content, the role that hosts and routers play on the network, and how graphic user and command line interfaces (GUI and CLI, respectively) both are used to interact with devices.
Content extracted from the document:
PART VI Security

CHAPTER 28 Firewalls

[Figure 28.1, diagram not reproduced: LAN2 in the New York office, with hosts bsdserver (10.10.12.77), lnxclient (10.10.12.166), winsvr2 (10.10.12.52) and wincli2 (10.10.12.222) on an Ethernet LAN switch with twisted-pair wiring, attached to router CE6 (fe-1/3/0: 10.10.12.1, lo0: 192.168.6.1). CE6 connects to the Ace ISP routers P7 (lo0: 192.168.7.1), PE1 (lo0: 192.168.1.1) and P2 (lo0: 192.168.2.1) in AS 65127 on the global public Internet. Firewall functions are performed on the routers.]

This chapter takes a look at firewalls, one technique for adding security to TCP/IP and the Internet. Firewalls can be hardware or software designed to protect individual hosts, clients, and servers or entire LANs from one or more of the threats previously cited. We’ll implement a couple of types of firewalls on our site routers, as shown in Figure 28.1.

WHAT FIREWALLS DO

Although the Illustrated Network has no dedicated firewall device (often called a firewall appliance), there are fairly sophisticated firewall capabilities built into our routers. So, we will configure firewall protection with two types of router-based firewall rules: packet filters and stateful inspection.

A Router Packet Filter

Let’s do something fairly simple yet effective with a firewall packet filter on the Juniper Networks router on LAN2, CE6. Assume that malicious users on LAN1 are trying to harm bsdserver (10.10.12.77) on LAN2. We’ll have to “protect” it from some of the hosts on LAN1.
We’ll allow remote access with Telnet (this is just an example) or SSH from the bsdclient (10.10.11.177), and allow similar access attempts from wincli1 (10.10.11.51), but log them. (What do those Windows guys want on the FreeBSD server?) We’ll deny and log access from lnxserver (10.10.11.66) and winsrv1 (10.10.11.111) because security policy for the organization has decided that users attempting remote access from servers are not allowed to do so.

The following is the firewall filter configured on CE6 and applied to the LAN2 interface. This filters IPv4 addresses, but we could easily make another to do the same thing for these hosts’ IPv6 addresses. It is a good idea to keep in mind that fr ...
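
The book's filter listing is not part of this excerpt. As an added illustration (not the book's configuration and not Junos syntax), this Python sketch models the stated policy as ordered first-match terms and runs it over constructed packets. The names `Term`, `POLICY` and `evaluate` are hypothetical, and two assumptions are made: the terms match only Telnet/SSH (TCP 23/22) to bsdserver, and all other traffic is accepted.

```python
import ipaddress
from dataclasses import dataclass

ip = ipaddress.ip_address
BSDSERVER = ip("10.10.12.77")
REMOTE_ACCESS_PORTS = {22, 23}  # SSH and Telnet, both over TCP

@dataclass(frozen=True)
class Term:  # hypothetical model of one filter term, not Junos syntax
    name: str
    sources: frozenset
    action: str  # "accept" or "discard"
    log: bool

# Ordered terms for Telnet/SSH to bsdserver; the first matching term wins.
POLICY = [
    Term("bsdclient", frozenset({ip("10.10.11.177")}), "accept", False),
    Term("wincli1", frozenset({ip("10.10.11.51")}), "accept", True),
    Term("lan1-servers", frozenset({ip("10.10.11.66"), ip("10.10.11.111")}), "discard", True),
]
# Assumption: traffic outside the stated policy is accepted. The page does not
# say; on Junos a filter ends in an implicit discard unless a final term accepts.
DEFAULT = Term("everything-else", frozenset(), "accept", False)

def evaluate(src, dst, proto, dport, log):
    """Return (action, term name) for one packet, appending to log if the term logs."""
    term = DEFAULT
    if proto == "tcp" and dport in REMOTE_ACCESS_PORTS and ip(dst) == BSDSERVER:
        term = next((t for t in POLICY if ip(src) in t.sources), DEFAULT)
    if term.log:
        log.append((term.name, src, dst, dport, term.action))
    return term.action, term.name

# Constructed sample packets: (source, destination, protocol, destination port)
SAMPLE = [
    ("10.10.11.177", "10.10.12.77", "tcp", 22),   # bsdclient SSH
    ("10.10.11.51", "10.10.12.77", "tcp", 23),    # wincli1 Telnet
    ("10.10.11.66", "10.10.12.77", "tcp", 22),    # lnxserver SSH
    ("10.10.11.111", "10.10.12.77", "tcp", 23),   # winsrv1 Telnet
    ("10.10.11.66", "10.10.12.77", "udp", 53),    # outside the policy's scope
]

def run_sample():
    log = []
    verdicts = [evaluate(*pkt, log) for pkt in SAMPLE]
    return verdicts, log

if __name__ == "__main__":
    verdicts, log = run_sample()
    for pkt, verdict in zip(SAMPLE, verdicts):
        print(pkt, "->", verdict)
    print("logged:", log)
```

Running the same packets with `DEFAULT` changed to a discard action shows why the final term matters when a filter of this kind is applied to an interface that carries other traffic.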
