Objective: be able to design packet filtering firewall rules and identify advantages/disadvantages of such firewalls.

An educational institute has a single router, referred to as gatewayR, connecting its internal network to the Internet. The institute has the public address range 126.96.36.199/16, and the gateway router has address 188.8.131.52 on its external interface (referred to as interface ifout).
The internal network consists of three subnets:
A DMZ, which is attached to interface ifdmz of the gateway router and uses address range 184.108.40.206/24.
A small network, referred to as shared, with interface ifin of the gateway router connected to two other routers, referred to as staffR and studentR. This network has no hosts attached (only the three routers) and uses network address 10.4.0.0/16.
A staff subnet, which is for use by staff members only, that is attached to the staffR router and uses network address 10.4.10.0/24.
A student subnet, which is for use by students only, that is attached to the studentR router and uses network address 10.4.20.0/24.
In summary, there are three routers in the network: the gateway router, and routers for the staff and student subnets. There are four subnets: DMZ, shared, staff, and student.
There are three servers in the DMZ that all can accept requests from the Internet:
1. A web server supporting HTTP and HTTPS (IP address is 220.127.116.11)
2. A secure shell server using SSH (IP address is 18.104.22.168), and
3. An SMTP email server (IP address is 22.214.171.124).
Members of the staff and student subnets can access the web server; only members of the staff subnet can access the email server, and only using IMAP; and internal members (both staff and students) cannot access the SSH server.

The gateway router also runs a stateful packet filtering firewall and performs port address translation. In addition to the DMZ setup described above, the security requirements for the educational institute are:
External Internet users cannot access any internal computers (except in DMZ and as stated in other requirements).
Staff and students can access websites in the Internet.
The SSH server in the DMZ can only be accessed by external Internet users from the subnets 126.96.36.199/24 and 188.8.131.52/24.
Considering the above information, answer the following questions:
(a) Draw a diagram illustrating the network. Although there may be many computers in the staff and student subnets, for simplicity you only have to draw three computers in the staff subnet and three computers in the student subnet. Label all computers and routers.
(b) Specify the firewall rules using the format as in the table below. You may add/remove rows as needed. After the table, add an explanation of the rules (why you design the firewall rules the way you did).
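The following is an added worked example, not part of the assignment, of the kind of ruleset part (b) asks for: it models gatewayR's stateful filter as an ordered, first-match-wins rule list and checks each requirement against constructed packets. Addresses, interface names (ifout, ifdmz, ifin) and requirements are taken from the assignment text; everything else is an assumption, in particular that all services run over TCP, that IMAP means plain IMAP on TCP 143, and that the filter (like a FORWARD chain) sees the un-translated internal addresses, so PAT is not modelled. Traffic originating in the DMZ is not covered by any stated requirement and therefore falls to the default deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Addresses exactly as the assignment gives them.
WEB = "220.127.116.11"      # DMZ web server, HTTP and HTTPS
SSH = "18.104.22.168"       # DMZ secure shell server
MAIL = "22.214.171.124"     # DMZ mail server: SMTP from outside, IMAP for staff
STAFF = "10.4.10.0/24"
STUDENT = "10.4.20.0/24"
SSH_CLIENTS = ("126.96.36.199/24", "188.8.131.52/24")
ANY = "0.0.0.0/0"
IMAP_PORT = 143             # assumption: plain IMAP; the assignment names no port


@dataclass(frozen=True)
class Packet:
    in_if: str          # gateway interface the packet arrives on: ifout, ifdmz or ifin
    src: str
    dst: str
    proto: str
    dport: int
    new: bool = True    # True: opens a connection; False: belongs to one already allowed


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    why: str                        # the requirement this rule implements
    in_if: Optional[str] = None     # None: any interface
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None     # None: any protocol
    dports: Tuple[int, ...] = ()    # empty: any destination port
    established: bool = False       # True: matches only packets of existing connections

    def matches(self, p: Packet) -> bool:
        # strict=False accepts a prefix written with host bits set, as in the assignment
        return (
            (self.in_if is None or self.in_if == p.in_if)
            and ip_address(p.src) in ip_network(self.src, strict=False)
            and ip_address(p.dst) in ip_network(self.dst, strict=False)
            and (self.proto is None or self.proto == p.proto)
            and (not self.dports or p.dport in self.dports)
            and (not self.established or not p.new)
        )


# First match wins, so the specific denies sit above the broad "browse the web" allows.
RULES = [
    Rule("allow", "stateful: replies to connections already permitted", established=True),
    # Internet -> DMZ
    Rule("allow", "Internet users may reach the web server", "ifout", ANY, WEB, "tcp", (80, 443)),
    Rule("allow", "SSH server reachable only from the listed subnets", "ifout", SSH_CLIENTS[0], SSH, "tcp", (22,)),
    Rule("allow", "SSH server reachable only from the listed subnets", "ifout", SSH_CLIENTS[1], SSH, "tcp", (22,)),
    Rule("allow", "Internet mail servers may deliver to the SMTP server", "ifout", ANY, MAIL, "tcp", (25,)),
    # staff and students -> DMZ
    Rule("allow", "staff may use the web server", "ifin", STAFF, WEB, "tcp", (80, 443)),
    Rule("allow", "students may use the web server", "ifin", STUDENT, WEB, "tcp", (80, 443)),
    Rule("allow", "staff only may read mail, and only over IMAP", "ifin", STAFF, MAIL, "tcp", (IMAP_PORT,)),
    Rule("deny", "no internal access to the SSH server", "ifin", ANY, SSH),
    Rule("deny", "no other internal access to the mail server", "ifin", ANY, MAIL),
    # staff and students -> Internet (the gateway applies PAT after this decision)
    Rule("allow", "staff may browse Internet websites", "ifin", STAFF, ANY, "tcp", (80, 443)),
    Rule("allow", "students may browse Internet websites", "ifin", STUDENT, ANY, "tcp", (80, 443)),
]


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (action, reason) for the first matching rule, else the default deny."""
    for rule in RULES:
        if rule.matches(p):
            return rule.action, rule.why
    return "deny", "default deny: no rule permits this traffic"


def check_requirements() -> dict:
    """Constructed test packets, one per requirement; keys name the case being checked."""
    cases = {
        "internet_to_web_https": Packet("ifout", "203.0.113.5", WEB, "tcp", 443),
        "internet_to_ssh_unlisted": Packet("ifout", "203.0.113.5", SSH, "tcp", 22),
        "internet_to_ssh_listed": Packet("ifout", "126.96.36.77", SSH, "tcp", 22),
        "internet_to_smtp": Packet("ifout", "203.0.113.5", MAIL, "tcp", 25),
        "internet_to_staff_host": Packet("ifout", "203.0.113.5", "10.4.10.7", "tcp", 445),
        "staff_imap": Packet("ifin", "10.4.10.7", MAIL, "tcp", IMAP_PORT),
        "student_imap": Packet("ifin", "10.4.20.7", MAIL, "tcp", IMAP_PORT),
        "staff_to_dmz_ssh": Packet("ifin", "10.4.10.7", SSH, "tcp", 22),
        "student_browses_web": Packet("ifin", "10.4.20.7", "198.51.100.9", "tcp", 80),
        "web_reply_to_student": Packet("ifout", "198.51.100.9", "10.4.20.7", "tcp", 80, new=False),
        "unsolicited_to_student": Packet("ifout", "198.51.100.9", "10.4.20.7", "tcp", 80),
    }
    return {name: evaluate(p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in check_requirements().items():
        print(f"{name:28s} {verdict}")
```

Two design points carry over to the written explanation part (b) asks for. The single "established" rule at the top is what makes the filter stateful: return traffic for any permitted connection is accepted without a rule per reply direction, and an unsolicited packet from the Internet to an internal host with the same addresses and port is still dropped. Rule order matters: the explicit denies for the SSH and mail servers precede the general "browse Internet websites" allows, so a staff host connecting to the SSH server on port 80 or 443 is refused rather than slipping through the broader rule.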