A firewall case study

The next case study covers a firewall implementation. Cisco routers packet-filter traffic between the bastion hosts and the Internet, and between the bastion hosts and the organization's internal network. The main concern here is security: we want to make sure the bastion hosts are not exposed to a wide range of problems and attacks, and that if some of those hosts are compromised, they cannot be used as a launch point to attack the rest of the network. We also want our own access to the routers to be reasonably secure. Other concerns are scalability and ease of management.

What are the key elements of this firewall complex? The firewall network has to support the following components:

  • A general proxy supporting the socks protocol

  • An SMTP mail relay

  • A web caching proxy server listening on port 81

  • A web server using standard HTTP

  • A web server for secure transactions for serving SSL

  • A remote access device for access into the internal network

All the routers and servers need to be administered, of course. To do this, we should consider the following rules:

  • Network 172.28.32.0 has workstations for administration and for maintaining the proxy relay segments.

  • Network 172.28.30.0/24 has workstations and servers for updating the web servers.

  • The routers need to be administered with the TACACS+ protocol for authentication, in addition to TFTP and Telnet. A compromise of a host in the firewall should not allow promiscuous snooping.

  • Remote access uses an address pool of ...
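One way to turn the component list and the administration rules above into router configuration, as an added example that is not the book's own case-study solution: a single router with three interfaces (Internet, bastion segment, internal network) and one extended access list inbound on each. The only addresses taken from the text are 172.28.32.0 and 172.28.30.0/24; the bastion segment 192.0.2.0/24, the individual bastion host addresses, the internal mail server, the TACACS+ server, the router's internal address and the /24 mask on 172.28.32.0 are all assumed placeholders, and the protocol the update workstations use to push content to the web servers is not named in the text, so that rule is left deliberately wide with a comment. The remote-access pool is not on the page, so no rule is written for it.

```cisco
! Added example, not the book's configuration. Assumed layout:
!   Ethernet0 = Internet, Ethernet1 = bastion segment, Ethernet2 = internal
!   192.0.2.0/24  bastion segment (assumed placeholder range)
!   192.0.2.10 socks proxy        192.0.2.20 SMTP relay
!   192.0.2.30 web cache (:81)    192.0.2.40 web server (HTTP)
!   192.0.2.50 SSL web server     192.0.2.60 remote access device
!   172.28.0.0/16 internal network, 172.28.0.1 router (assumed)
!   172.28.1.25 internal mail server, 172.28.32.5 TACACS+ server (assumed)
!
! --- Internet -> bastion segment (inbound on Ethernet0) ---
ip access-list extended FROM-INTERNET
 ! packets from the Internet may not claim an internal or bastion source
 deny   ip 172.28.0.0 0.0.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 ! the public services: mail relay, HTTP, SSL
 permit tcp any host 192.0.2.20 eq smtp
 permit tcp any host 192.0.2.40 eq www
 permit tcp any host 192.0.2.50 eq 443
 ! replies to sessions the proxies and the relay opened outbound
 permit tcp any host 192.0.2.10 established
 permit tcp any host 192.0.2.20 established
 permit tcp any host 192.0.2.30 established
 deny   ip any any log
!
! --- bastion segment -> internal network and router (inbound on Ethernet1) ---
ip access-list extended FROM-BASTION
 ! replies to connections that internal users opened to the bastion hosts
 permit tcp 192.0.2.0 0.0.0.255 172.28.0.0 0.0.255.255 established
 ! the one session a bastion host may open inward: the relay delivering
 ! mail to the internal mail server (address assumed)
 permit tcp host 192.0.2.20 host 172.28.1.25 eq smtp
 ! nothing else: a compromised bastion host cannot start sessions inward
 ! and cannot reach the router's own addresses
 deny   ip any any log
!
! --- internal network -> bastion segment and router (inbound on Ethernet2) ---
ip access-list extended FROM-INTERNAL
 ! everyone inside may use the socks proxy and the web cache
 permit tcp 172.28.0.0 0.0.255.255 host 192.0.2.10 eq 1080
 permit tcp 172.28.0.0 0.0.255.255 host 192.0.2.30 eq 81
 ! the internal mail server hands outbound mail to the relay
 permit tcp host 172.28.1.25 host 192.0.2.20 eq smtp
 ! update workstations reach the two web servers; the update protocol is
 ! not given in the text, so this is any TCP - tighten to the real port
 permit tcp 172.28.30.0 0.0.0.255 host 192.0.2.40
 permit tcp 172.28.30.0 0.0.0.255 host 192.0.2.50
 ! administration workstations manage the bastion hosts and the router
 permit tcp 172.28.32.0 0.0.0.255 192.0.2.0 0.0.0.255 eq telnet
 permit tcp 172.28.32.0 0.0.0.255 host 172.28.0.1 eq telnet
 ! TFTP replies to the router and TACACS+ replies from the server
 permit udp 172.28.32.0 0.0.0.255 host 172.28.0.1
 permit tcp host 172.28.32.5 eq 49 host 172.28.0.1
 deny   ip any any log
!
interface Ethernet0
 ip access-group FROM-INTERNET in
interface Ethernet1
 ip access-group FROM-BASTION in
interface Ethernet2
 ip access-group FROM-INTERNAL in
!
! --- administering the router itself: TACACS+ login, vty restricted ---
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 172.28.32.5
tacacs-server key TACACS-KEY-PLACEHOLDER
ip access-list standard ADMIN-HOSTS
 permit 172.28.32.0 0.0.0.255
line vty 0 4
 access-class ADMIN-HOSTS in
 login authentication default
```

Two points about the design. First, every administrative path (Telnet to the router and to the bastion hosts, TFTP, TACACS+) enters from the internal side through Ethernet2, so none of it ever crosses the bastion segment; that is what keeps a compromised bastion host from snooping on it, and the TACACS+ exchange itself is sourced by the router and only needs the reply line in FROM-INTERNAL. Second, the `established` keyword only matches packets with the ACK or RST bit set, so it is a stateless approximation of "reply traffic": it is adequate here because FROM-BASTION also denies everything else and logs it, but on IOS images that support reflexive access lists (`reflect` on the outbound list and `evaluate` on the inbound one) those give a tighter per-session match for the same purpose.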

Get Cisco IOS Access Lists now with the O’Reilly learning platform.
