TippingPoint X505 Training

Firewall Rules, Services and Virtual Servers

Firewall Objectives

> Upon completion of this module, you should be familiar with the following:
    Firewall Concepts Review
    Firewall Rules
    Firewall Rule Components
    Services and Service Groups
    Bandwidth Management
    Scheduling
    Authorization
    Content Filtering
    Virtual Servers
    Port Address Translation

Types of Firewalls

> Network Address Translation
    Translates internal IP addresses to external addresses
    Can be used to map many internal addresses to one (or few) external addresses
    Denies most connections inbound

> Proxy
    Acts as a middle man
    Handles all external connections on behalf of internal clients

> Stateful Inspection
    Keeps track of the state of all connections
    Denies out-of-state connection attempts
    Rules or policies determine what can or cannot be accessed from outside the network

> The X505 is a Stateful Firewall and more (IPS, rate shaping, content filtering, etc.)

Firewall Rules

> Rules are evaluated top down
> Implicit deny at the end
> Click on (highlight) an existing rule to create a new rule above it
> There are many default rules to facilitate such things as DHCP requests, DNS queries and VPN termination

Firewall Rule Components

> Source/Destination Zones
    IP Address Groups

> Action
    Permit/Block/Content Filter

> Services/Service Groups
> Rate Limiting
> Scheduling
> Authentication

Services and Service Groups


> Services are applications and protocols that can be configured in a firewall rule to police that traffic
    The X505 comes with a host of pre-defined services
    e.g. dns-tcp is protocol 6 (TCP) and port 53

> Service Groups are groupings of services
    Similar to the Services, the X505 comes with a host of pre-defined service groups
    e.g. dns consists of the services dns-tcp and dns-udp

Bandwidth Management

> Bandwidth management can be applied to applications on a per-rule or per-session basis
> For example, use per session for voice and per rule for limiting WWW access, etc.

Scheduling

> Schedules can be defined to limit a firewall rule to certain times of the day/week
    e.g. Work Day = MTWThF from 8AM-6PM

Authorization

> Users can be forced to authorize themselves before accessing various resources
> By defining firewall rules that reference privilege groups, users can be authorized before access is allowed
> You may need to position authorization rules before the LAN WAN Any rule to ensure that authorization is performed first

Authorization

1. Create a privilege group
2. Assign the privilege group to a user
3. Enable user authentication in a firewall rule

Content Filtering

> 3Com Content Filter Service
    Servers based in NA, Europe or Asia

> Subscription Service
    Must have DV Gold Maintenance level

> Backed by SurfControl
> Content Categories
> Manual URL Filter
> Custom Web Response Page

Content Filtering Configuration

> Enable Content Filter and/or Manual URL Filter
    Optional: Custom Response Page

> Create a firewall rule with the action Content Filter
    Position the rule above the LAN WAN Any rule to ensure that content filtering takes place first
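The rule-base behaviour described on these slides (top-down first match, implicit deny, services and service groups, schedules, and why a Content Filter or authorization rule must sit above the LAN WAN Any rule) modelled as an added example; this is illustrative code written for this page, not X505 firmware or 3Com tooling, and the rule base, the http/https services and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Services as (IP protocol number, port), as the slides describe them (6 = TCP, 17 = UDP).
# dns-tcp/dns-udp are the slide examples; http/https are constructed for this example.
SERVICES = {"dns-tcp": (6, 53), "dns-udp": (17, 53), "http": (6, 80), "https": (6, 443)}
# Service groups are named sets of services; "dns" is the group quoted on the slides.
SERVICE_GROUPS = {"dns": {"dns-tcp", "dns-udp"}, "web": {"http", "https"}}
# Schedules: "Work Day" = MTWThF from 8AM-6PM, as defined on the Scheduling slide.
SCHEDULES = {"Work Day": lambda t: t.weekday() < 5 and 8 <= t.hour < 18}

@dataclass
class Rule:
    src_zone: str                   # "LAN", "WAN" or "Any"
    dst_zone: str
    service: str                    # service name, service-group name or "Any"
    action: str                     # "Permit", "Block" or "Content Filter"
    schedule: Optional[str] = None  # schedule name, or None for always

def service_matches(name: str, proto: int, port: int) -> bool:
    members = SERVICE_GROUPS.get(name, {name})
    return name == "Any" or any(SERVICES.get(m) == (proto, port) for m in members)

def zone_matches(rule_zone: str, zone: str) -> bool:
    return rule_zone == "Any" or rule_zone == zone

def evaluate(rules, src_zone, dst_zone, proto, port, when):
    """Walk the rule base top down; the first match decides, implicit Block at the end."""
    for index, rule in enumerate(rules):
        if not (zone_matches(rule.src_zone, src_zone) and zone_matches(rule.dst_zone, dst_zone)):
            continue
        if not service_matches(rule.service, proto, port):
            continue
        if rule.schedule and not SCHEDULES[rule.schedule](when):
            continue
        return rule.action, index
    return "Block", None  # implicit deny: no rule matched

# Constructed rule base: the Content Filter rule sits ABOVE the LAN WAN Any rule.
RULES = [
    Rule("LAN", "WAN", "web", "Content Filter"),
    Rule("LAN", "WAN", "Any", "Permit", schedule="Work Day"),
]
MISORDERED = RULES[::-1]  # same rules, but the LAN WAN Any rule comes first

if __name__ == "__main__":
    monday_10am = datetime(2024, 1, 8, 10, 0)
    print(evaluate(RULES, "LAN", "WAN", 6, 80, monday_10am))       # ('Content Filter', 0)
    print(evaluate(MISORDERED, "LAN", "WAN", 6, 80, monday_10am))  # ('Permit', 0): filter never fires
```

With the rules misordered the permit rule shadows the Content Filter rule, which is exactly the positioning problem the slide warns about.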

Manual URL Filter

> Select whether to permit or block
> Specify a partial URL or enter a regular expression

Virtual Servers

> Virtual Servers provide the means with which to do one-to-one NAT as well as Port Address Translation (PAT)


Port Address Translation

> Also known as port forwarding
> The virtual server listens on a certain port on the outside, and the X505 forwards the connection request to the real port internally

LAB 4 Firewall and Virtual Server