Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D


Chapter Objective

• Discuss various additional and important features of a firewall
– DHCP
– Virtual server
– Enabling applications that require multiple connections
– Filters (IP, MAC etc.)
– Firewall rules regulating traffic
– DMZ
– Remote management
– etc.

Module

WAN Side IP Specifications

WAN Side IP

• In the case of the firewall/switch, an address for the firewall must be specified for both the WAN side and the LAN side
– The LAN side address will be a private address that is not visible to the Internet

IP Options

• Static IP
– Demonstrated earlier
• Dynamic IP
– Cable modem and LAN Internet sharing
– Could also be employed in the case of DSL
• PPPoE
– DSL specific

Module

LAN Side IP Specification

IP Options

• Generally speaking, a static private IP is specified for the firewall/switch for the LAN side

Module

DHCP

DHCP Enabling

• DHCP can be enabled to deliver dynamic IP addresses for all the LAN side clients

• At the same time, static IP addresses can be assigned to selected clients based on their MAC addresses

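The two DHCP bullets describe one allocator with two behaviours: a dynamic pool for ordinary LAN clients and fixed addresses tied to selected MAC addresses. The Python model below is an added example, not code from the slides or from any firewall vendor; the network, the pool range, the reserved MAC and every client MAC are constructed sample values. It shows the two points a practitioner checks on a real device: a reserved address is never handed to a dynamic client even while the reserved device is offline, and the pool eventually runs out, so the reservation must sit inside the subnet but need not sit inside the dynamic range. Because the reservation is keyed on a MAC the client itself presents, it is an addressing convenience for cooperative clients, not a way to authenticate them.

```python
# Added example, not from the slides: a minimal model of DHCP with dynamic
# addresses for LAN clients plus static reservations keyed on MAC address.
# Network, pool, reserved MAC and client MACs are constructed sample data.
from ipaddress import IPv4Address, IPv4Network


class DhcpServer:
    """Hands out pool addresses, honouring per-MAC reservations first."""

    def __init__(self, network, pool_start, pool_end, reservations):
        self.network = IPv4Network(network)
        first, last = IPv4Address(pool_start), IPv4Address(pool_end)
        self.pool = [first + i for i in range(int(last) - int(first) + 1)]
        # Normalise MAC strings so "AA-BB-..." and "aa:bb:..." compare equal.
        self.reservations = {self._norm(m): IPv4Address(ip)
                             for m, ip in reservations.items()}
        for ip in self.reservations.values():
            if ip not in self.network:
                raise ValueError(f"reservation {ip} is outside {self.network}")
        self.leases = {}  # normalised MAC -> IPv4Address

    @staticmethod
    def _norm(mac):
        return mac.lower().replace("-", ":")

    def request(self, mac):
        """Return the address offered to `mac`, or None if nothing is free."""
        mac = self._norm(mac)
        if mac in self.leases:
            return self.leases[mac]                 # renewal: same address again
        if mac in self.reservations:
            ip = self.reservations[mac]             # static address for this MAC
        else:
            reserved = set(self.reservations.values())
            taken = set(self.leases.values())
            # Reserved addresses are skipped even when that client is absent.
            free = [ip for ip in self.pool if ip not in reserved and ip not in taken]
            if not free:
                return None                         # pool exhausted: no offer
            ip = free[0]
        self.leases[mac] = ip
        return ip


def build_example_server():
    # Constructed configuration: /24 LAN, an 11-address pool, one reservation
    # that deliberately falls inside the dynamic range.
    return DhcpServer("192.168.0.0/24", "192.168.0.100", "192.168.0.110",
                      {"00-11-22-33-44-55": "192.168.0.105"})


def demo():
    """Walk through the allocator and return the observable outcomes."""
    srv = build_example_server()
    out = {"first": str(srv.request("aa:bb:cc:dd:ee:01")),     # .100
           "reserved": str(srv.request("00-11-22-33-44-55")),  # .105
           "renewal": str(srv.request("aa:bb:cc:dd:ee:01"))}   # still .100
    for i in range(2, 11):                                     # nine more clients
        srv.request(f"aa:bb:cc:dd:ee:{i:02x}")
    out["skips_reserved"] = str(srv.leases["aa:bb:cc:dd:ee:06"])  # .106, .105 was skipped
    out["exhausted"] = srv.request("aa:bb:cc:dd:ee:ff")           # None, pool used up
    return out


if __name__ == "__main__":
    print(demo())
```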

Module

Advanced Features

Advanced Features

• Virtual servers
• Applications
• Filters
• Firewalls
• DMZ

Virtual Servers

• Opening a port through the firewall to give access to a web server that is hosted on the private LAN

Web Server Settings

• Private IP address: 192.168.0.1
• Public Port: 80
• Private Port: 80
• Availability: Always

Another Way to Set the Web Server Pass Through

• Select from the virtual server list and edit the entry


Other servers

Module

Special Applications

Opening Ports for Special Applications

• There are special applications that would require one or more ports to be opened through the firewall/switch

• Examples include Internet chat, telephony applications etc.

Module

Filters

Filters and Blockers

• IP Filters
– LAN clients can be selectively blocked from accessing the Internet based on their IP address
• MAC Filters
– The same as above, but the filter is based on the MAC address of a client
• URL Blocking
– URLs can be blocked from being accessed
• Domain Blocking
– Access to domains can be blocked as well

IP Filters

• IP filters can be applied altogether to a client or they can be applied to specific ports of a client

• A range of IP addresses and a range of port numbers can be specified to be filtered

IP range can be specified.

A range of ports can be specified.

Module

Firewall Rules

Firewall Rules

• Firewall rules can be specified to allow or block traffic entering the firewall or passing through the firewall/switch

• For example, pinging the firewall from the Internet (WAN) side can be disabled using firewall rules

Module

Creating Demilitarized Zones (DMZ)


DMZ Defined

• Computers in the DMZ bypass the control of the firewall
– In other words, for all practical purposes, they could be considered as being directly connected to the Internet
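The virtual server, IP and MAC filter, firewall rule and DMZ slides each describe one decision the firewall/switch makes about a packet. The Python model below, added here and not taken from the slides or from any vendor's firmware, puts those decisions side by side so their interaction can be checked. Its assumptions are the evaluation order (the WAN ping rule, then virtual servers, then the DMZ host) and a default drop for unsolicited inbound traffic that nothing claims; apart from the 192.168.0.1:80 web server from the slide, every address, MAC and port is constructed. Two things the model makes visible: a DMZ host receives everything the virtual server list does not claim, so it must be hardened as if it sat on the Internet, and the IP and MAC filters key on values the client itself presents, so they organise access for cooperative users rather than authenticate anyone.

```python
# Added example, not from the slides: how a SOHO firewall/switch's virtual
# server, IP/MAC filters, WAN ping rule and DMZ together decide a packet's fate.
# Evaluation order and default-drop are assumptions of this model; addresses
# other than the slide's 192.168.0.1:80 web server are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0   # ignored for icmp
    src_mac: str = ""   # only meaningful for LAN-side (outbound) packets


def norm_mac(mac):
    return mac.lower().replace("-", ":")


class SohoFirewall:
    def __init__(self, wan_ip, lan_net, block_wan_ping=True):
        self.wan_ip = IPv4Address(wan_ip)
        self.lan_net = IPv4Network(lan_net)
        self.block_wan_ping = block_wan_ping
        self.virtual_servers = {}  # (proto, public_port) -> (private_ip, private_port)
        self.dmz_host = None
        self.ip_filters = []       # (first_ip, last_ip, first_port, last_port) as ints
        self.mac_filters = set()

    # --- configuration, mirroring the GUI pages shown on the slides ----------
    def add_virtual_server(self, public_port, private_ip, private_port, proto="tcp"):
        ip = IPv4Address(private_ip)
        if ip not in self.lan_net:
            raise ValueError(f"{ip} is not on the LAN side")
        self.virtual_servers[(proto, public_port)] = (ip, private_port)

    def set_dmz(self, private_ip):
        self.dmz_host = IPv4Address(private_ip)

    def add_ip_filter(self, first_ip, last_ip, first_port=1, last_port=65535):
        # An address range and a port range, as on the IP Filters slide.
        self.ip_filters.append((int(IPv4Address(first_ip)), int(IPv4Address(last_ip)),
                                first_port, last_port))

    def add_mac_filter(self, mac):
        self.mac_filters.add(norm_mac(mac))

    # --- WAN -> LAN: unsolicited traffic arriving at the public address ------
    def inbound(self, pkt):
        if IPv4Address(pkt.dst_ip) != self.wan_ip:
            return ("drop", "not addressed to the WAN IP")
        if pkt.proto == "icmp":
            # Firewall rule: "block pinging of the firewall from the WAN side"
            if self.block_wan_ping:
                return ("drop", "wan ping blocked")
            return ("accept", "firewall replies")
        target = self.virtual_servers.get((pkt.proto, pkt.dst_port))
        if target:
            return ("forward", str(target[0]), target[1])
        if self.dmz_host is not None:
            # DMZ host bypasses the firewall: anything not claimed above reaches it
            return ("forward", str(self.dmz_host), pkt.dst_port)
        return ("drop", "no matching virtual server or DMZ")

    # --- LAN -> WAN: client traffic leaving through the firewall ------------
    def outbound(self, pkt):
        if pkt.src_mac and norm_mac(pkt.src_mac) in self.mac_filters:
            return ("drop", "mac filter")
        src = int(IPv4Address(pkt.src_ip))
        for first_ip, last_ip, first_port, last_port in self.ip_filters:
            if first_ip <= src <= last_ip and first_port <= pkt.dst_port <= last_port:
                return ("drop", "ip filter")
        return ("allow", "")


def build_example_firewall():
    # Constructed WAN address and LAN; the web server entry is the slide's.
    fw = SohoFirewall("203.0.113.10", "192.168.0.0/24")
    fw.add_virtual_server(80, "192.168.0.1", 80)          # Web Server Settings slide
    fw.add_ip_filter("192.168.0.50", "192.168.0.60")      # block a range of clients entirely
    fw.add_ip_filter("192.168.0.20", "192.168.0.20", 6667, 6669)  # one client, a port range
    fw.add_mac_filter("00:11:22:33:44:55")
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    print(fw.inbound(Packet("198.51.100.7", "203.0.113.10", "tcp", 80)))
    print(fw.outbound(Packet("192.168.0.55", "192.0.2.1", "tcp", 443, "aa:bb:cc:00:00:01")))
```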

Module

Firewall Tools

Tools

• Administrative
– Set passwords and enable or disable remote management
• Time
– Set the current time and date
• System
– Store and load firewall settings
• Firmware upgrade
• Miscellaneous tools

Administrative Tools

• Set an administrator password and a user password

• Enable the firewall to be managed from a remote computer, probably over the Internet
– In general, it is not desirable to enable this option for security reasons


Module

Set Time

System

• Store current firewall settings to the hard drive

• Load previously stored firewall settings from the hard drive

• Restore factory default settings for the firewall


Module

Firmware Upgrade

Module

Miscellaneous Tools

Miscellaneous Tools

• Pinging a host name or an IP address
• Restarting the firewall
– Probably to activate any changes made
• Block the pinging of the firewall from the Internet (WAN) side
• Enabling UPNP and gaming mode
• Allow VPN traffic based on PPTP and IPSec to pass through
• Enable dynamic DNS service

Ping Test

Block Pinging from the Internet Side

Enabling UPNP Settings and Game Mode

Allowing Virtual Private Networks (VPN) Connections

VPN Connections

• The firewall can be set to allow VPN links to the clients on the LAN side for the two popular protocols used in implementing VPNs

Module

Status Reporting

Status Reporting

• Display LAN and WAN settings
• Log and display the log of activities
– Attacks, dropped packets etc.
• Display traffic statistics
– Number of packets transmitted and received on the WAN (Internet – External) and LAN (Internal) side

Display of WAN and LAN Settings

Log of Activities

Log of Activities

• System activity
• Debug information
• Attacks
• Dropped packets
• Notice
• Note: The log can also be transmitted to an administrator's email
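The log categories on this slide (system activity, debug information, attacks, dropped packets, notices) are only useful once someone reads them, and the option to e-mail the log to an administrator suggests doing so off the device. The parser below is an added example, not from the slides or from any vendor: its log format and every log line are constructed to resemble what a SOHO firewall writes, so the regular expressions must be adapted to a real device's format. It aggregates dropped packets per source address, reports a source that is dropped on several distinct destination ports as probing, and always reports attack entries and remote-management logins, the latter because the Administrative Tools slide advises against enabling remote management at all.

```python
# Added example, not from the slides: parse a SOHO firewall activity log and
# pull out what an administrator would want to see first. The log format and
# every line in SAMPLE_LOG are constructed; real devices format lines differently.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan 05 10:21:03 Dropped packet: TCP 198.51.100.7:53211 -> 203.0.113.10:23
Jan 05 10:21:04 Dropped packet: TCP 198.51.100.7:53212 -> 203.0.113.10:22
Jan 05 10:21:05 Dropped packet: TCP 198.51.100.7:53213 -> 203.0.113.10:3389
Jan 05 10:21:06 Attack: SYN flood from 198.51.100.7
Jan 05 10:22:10 Dropped packet: UDP 192.0.2.9:4000 -> 203.0.113.10:161
Jan 05 10:25:00 System: DHCP lease 192.168.0.101 granted to aa:bb:cc:dd:ee:01
Jan 05 10:26:00 Notice: Remote management login from 203.0.113.77
Jan 05 10:27:00 Debug: NAT table entries 412
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) Dropped packet: (?P<proto>TCP|UDP|ICMP) "
    rf"(?P<src>{IPV4}):(?P<sport>\d+) -> (?P<dst>{IPV4}):(?P<dport>\d+)$"
)
ATTACK_RE = re.compile(rf"Attack: (?P<kind>.+?) from (?P<src>{IPV4})$")
REMOTE_MGMT_RE = re.compile(rf"Notice: Remote management login from (?P<src>{IPV4})$")


def summarize(log_text, scan_threshold=3):
    """Return per-source drop counts and a list of (category, source, detail) findings.

    A source dropped on `scan_threshold` or more distinct destination ports is
    reported as probing. Attack entries and remote-management logins are always
    reported. System and debug lines are counted as parsed but not reported.
    """
    drops = defaultdict(int)        # source IP -> number of dropped packets
    ports = defaultdict(set)        # source IP -> distinct destination ports hit
    findings = []
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if m:
            drops[m["src"]] += 1
            ports[m["src"]].add(int(m["dport"]))
            continue
        m = ATTACK_RE.search(line)
        if m:
            findings.append(("attack", m["src"], m["kind"]))
            continue
        m = REMOTE_MGMT_RE.search(line)
        if m:
            findings.append(("remote-management", m["src"], "login"))
    for src, dports in ports.items():
        if len(dports) >= scan_threshold:
            findings.append(("probe", src, f"{len(dports)} ports"))
    return {"drops": dict(drops), "findings": findings}


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG)["findings"]:
        print(*finding)
```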

Traffic Statistics

Additional Help

The End
