TDC 477
Spring' 09
TDC477: Network Security
Assignment #2: Firewall Policy Configuration
and Tuning
Due:
Problem1 In
this part of the assignment, you are asked to design the network security
architecture using firewalls and define the rules for each one based on the
security policy given below. Your solution should include two things: (1) the
network diagram that shows the topology and the firewall locations, and (2) the
filtering rules for each firewall. (80 points)
Network and Firewall Policy Description
You are hired as network security
consultant to design a secure network for a mid-size company. The Company has
the following servers: WWW, FTP, Mail, DB (has gcc, tools ..etc), NFS, DNS, Print server, and the 20 other user
workstations. The Company employees have access to the company resources
locally and remotely according to the policy below The Company servers and
machines are on VLAN connected to the Internet through a T1 Link to the ISP.
The Company management has defined
the following Network Security Policy to be enforced in order to provide a
secure access to the Company. Your task is to design the most appropriate
network security topology and configuration (i.e., secure and cost effective).
You can use any kind of firewall (stateless, stateful, proxy
..) you need to ensure enforcing the policy. You should first (1) define
the network subnets and firewall locations, (2) review this policy and add
whatever necessary to make the Company network more secure, and (3) define the
firewall filtering rules for each firewall to implement the security policy. HINT: Use the concept of
defense-in-depth to implement your solution.
- The WWW,
DNS and relay Mail servers can be accessed by local and external users.
- The DB
Server can be accessed remotely by the Company employees thru fully
secured sessions
- Company
local users can use the Internet email and Internet browsing.
- The
Company employees can use Internet FTP to download files only.
- The FTP
server is NOT accessible by external users
- The
Company employees SHOULD NOT be allowed to use News, Telnet, or Rlogin
services externally.
- The
Company employees can use TCP ports 5,555-6,000 to run services.
- Any
incoming and outgoing Email should be scanned for viruses.
- A compromise
of ANY publicly accessible server SHOULD be restricted
- All
servers and machines SHOULD be tightly secured as much as possible.
Firewalls could have up to
three ports (including the DMZ port). You are required to: (1) Draw a
diagram of the network illustrating the networking configuration after the
firewall placement, and (2) Define the FW rules for each firewall using the
following rule format:
|
Interface |
Protocol |
IP Source |
IP Dest |
Port Src |
Port Dest |
Action |
Interface:
the
name of the interface on the firewall (IN,
OUT, DMZ if necessary) – PLEASE put rules that belong to one
interface together
Protocol: ICMP, IP,
IPX, UPD, TCP or ANY
IP
Source/Destination: E.g., IP(WWW) means IP of WWW or
ANY
Port
Source/Destination: E.g., WWW, TELNET or 80, 23
Action: Permit,
Deny, or specific action for proxy firewalls
REMEMBER: Avoid rule
anomalies. For more information, you read the following reference from http://www.mnlab.cs.depaul.edu/mnlab/publications.htm:
- Ehab Al-Shaer and
Problem 2. Stateful
firewalls permit TCP packets that already have entries in the state table. Can
this be used as a source of vulnerability or attack by hackers? if No, why? if Yes, then how and
what is the solution? (7 points)
Problem 3. Stateful
firewalls might cause problems when dynamic routing is used. Why? Explain your
answer. Can you suggest a solution? (7
points)
Problem 4. A firewall has S accept rules and receives R
(packet/sec) traffic rate. What is the total matching overhead in seconds if
the cost of evaluating one rule is X seconds and 50% is accepted
(uniformly distributed over rules). (Hint: firewalls are filtering devices that
inspecting incoming packets against policy rules sequentially till one rule is
matched) (7 points)
Submission Procedure:
§
Submit your assignment through DLWEB as a SINGLE
MS Word document
§
Late penalty is 10% per day.