Scenario 1: Vendor Remote Access to Robot


Scenarios:

1). As part of the maintenance contract for a robot in the Manufacturing VLAN, the vendor XYZ Robots, must be able to access the robot remotely through the Internet from their offices for troubleshooting. Your Security Manager has agreed to permit SSH connections for this purpose, but only from the XYZ’s office network. The Security Analyst for XYZ provided the network 150.140.130.0/29 for this purpose. Write the rule required to enable this business function. (Hint: an explicit outgoing rule already exists.)

2). A new virus is sweeping through the Internet. Infection occurs when an infected document is opened on a user’s machine. Once infected, the computer tries to initiate a TCP connection to a remote server using port 43224 and transmits any information or documents it can collect from your network. Updated virus scan signatures are being pushed to each workstation in the enterprise and scans are being initiated, but this takes time as not all devices are online all the time. Write a rule that will mitigate the impacts of this virus if it has already infected the organization.

3). The Human Resources department is instituting a tele-commute policy, allowing some employees to work from home (or anywhere else they wish). These employees will need to use a Virtual Private Network (VPN) to gain access to the corporate network. The VPN concentrators are assigned IP addresses 192.168.60.5 and 192.168.60.6 and use SSL on TCP port 4343. Write rule(s) that will permit these employees’ use of the VPN.

4). As part of the tele-commute scenario described above, the Human Resources (HR) employees will need to gain access to sensitive information stored within the HR VLAN. Because of the sensitive nature of the information in the HR VLAN, existing firewall rules prevent all incoming connections from the other VLANS in the enterprise. Write a rule that will allow the IP addresses in the pool assigned by the VPN concentrator(s), 192.168.60.224/27, to the employees’ workstations after successfully connecting to the VPN to access all resources (all IPs, all ports) within the Human Resources VLAN.

5). An old robot in the Manufacturing VLAN is only capable of accepting Telnet connections. XYZ Robots (see Scenario 1), who support it, require remote access, but updating the firmware to support SSH is too expensive. Because Telnet sends information in plain text, your Security Manager will no longer allow Telnet connections from the Internet, effectively preventing XYZ Robots from supporting the machine. As a workaround, you’ve suggested that XYZ use SSH from their offices to connect to a “jump server” in DMZ 1, and then Telnet to the robot from there. The jump server’s IP address is 192.168.60.7. The old robot’s IP address is 10.10.100.53. Write the rules required to enable XYZ’s access to the old robot. (Hint: You’ll need two rules to accomplish this.)

6). Although your manufacturing machines require remote access for maintenance, as described in previous scenarios, they do not require access to the Internet. Write a rule that prevents the Manufacturing VLAN from accessing the Internet. Describe where in the ACL you would place this rule in the relation to the rules you wrote for Scenarios 1 and 5.

7). Because RFC 1918 designated “private” IPs are not routed across the Internet, many enterprises explicitly block all connections from those networks at their firewall. Your Security Manager has instructed you to implement this policy on the firewall. Write the rules to complete this task.

Answers:

1). Accessing the robot remotely over SSH:

SSH listens on TCP port 22 by default, so the rule matches that destination port. Because only one party needs access, the rule is restricted to the XYZ Robots office network 150.140.130.0/29 rather than to the whole Internet (Carman, Kruus & Matt, 2010). In iptables syntax the inbound rule is:

$ sudo iptables -A INPUT -p tcp -s 150.140.130.0/29 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

The reply traffic (source port 22, ESTABLISHED state) is already covered by the explicit outgoing rule mentioned in the hint, so no new OUTPUT rule is required; if one were written it would be:

$ sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

On a network firewall that sits between the Internet and the Manufacturing VLAN, the same match would be placed in the FORWARD chain with the robot’s address as the destination; the scenario does not give that address, so it is left unspecified here.

2). Firewall rule to mitigate the virus:

The infected machine’s behaviour has a fixed network signature: a new outbound TCP connection to destination port 43224. The mitigation is an egress rule that drops every new connection from the internal networks to that port, regardless of destination address, placed ahead of the general outbound permit so that it is matched first (Stallings, 2009):

$ sudo iptables -I FORWARD 1 -p tcp --dport 43224 -m conntrack --ctstate NEW -j DROP

This stops exfiltration from hosts that are already infected before their signatures are updated. Logging the same match (a LOG rule immediately before the DROP) identifies which workstations are attempting the connection, so they can be scanned first.

A file-inspection service complements the port block by scanning the documents that carry the infection. The firewall divides the network into trusted and untrusted zones, and documents crossing from the untrusted zone can be forwarded to Palo Alto WildFire for analysis. To use the WildFire service the firewall needs an account with the WildFire cloud; the setup is:

WildFire end

  1. Select Device > Setup > WildFire and edit the settings.
  2. Select the private WildFire service and define the maximum file size the firewall forwards.
  3. Save.

Firewall end

  1. Select Device > Updates and enable the WildFire signature package (WF-500 appliance).
  2. Attach the antivirus/WildFire analysis profile to the security policy so that forwarded files are scanned.

Neither step replaces the port-43224 rule: the rule is what limits the damage while signature updates and scans are still in progress.

3). Firewall rules to permit VPN access to the corporate network:

The VPN concentrators terminate the SSL VPN on TCP port 4343, so the firewall must permit new inbound TCP connections from any Internet address to 192.168.60.5 and 192.168.60.6 on destination port 4343. Because the employees may connect from anywhere, the source cannot be restricted; the concentrators themselves authenticate the users (Tankard, 2011). On the corporate firewall the rule is built as follows:

Creating the IP objects (one per concentrator):

On Objects Setting >> IP Object, create a new object

Enter a name for the object (for example VPN_Concentrator_1)

Select the “WAN/DMZ/RT/VPN” interface

Select type “Single”

Enter the address 192.168.60.5

Save, then repeat for 192.168.60.6.

Creating the filter rule:

Firewall >> Filter Setup >> Default Data Filter page

Create a rule that passes packets to the concentrators:

Direction: WAN/DMZ/RT/VPN -> LAN/DMZ/RT/VPN

Source IP: any

Destination IP: the two concentrator objects

Service type: TCP, destination port 4343

Filter: Pass

Only the concentrators are exposed; access from the VPN clients onward into the internal VLANs is handled separately (Scenario 4).

4). Accessing sensitive information within the HR VLAN:

No service-specific ports are involved: the task is to allow the VPN address pool 192.168.60.224/27 to reach all addresses and all ports in the HR VLAN while every other VLAN remains blocked. On an EdgeOS/Vyatta-style firewall this is a network group for the pool plus an accept rule for that group, placed in the rule set that protects the HR VLAN (called VLAN50 below) ahead of the existing drop. The rule set is attached to the HR VLAN interface for traffic leaving the router into that VLAN (EdgeOS names directions relative to the router, so on the HR VLAN interface that is the out direction), or equivalently in the in direction on the VPN-facing interface.

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group VPN_POOL {
            description "Addresses assigned to VPN clients"
            network 192.168.60.224/27
        }
        network-group LAN_NETWORKS {
            description "Other internal VLANs"
            network 10.10.1.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name VLAN50_IN {
        default-action drop
        description "Traffic entering the HR VLAN"
        rule 10 {
            action accept
            description "Accept established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow VPN pool to all HR resources"
            log enable
            protocol all
            source {
                group {
                    network-group VPN_POOL
                }
            }
        }
        rule 30 {
            action drop
            description "Drop other LAN networks"
            log disable
            protocol all
            source {
                group {
                    network-group LAN_NETWORKS
                }
            }
        }
    }
    name VLAN50_LOCAL {
        default-action drop
        description "Traffic from the HR VLAN to the router itself"
        rule 10 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            log disable
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
    }
}

Rule 20 is the only addition the scenario requires; rule 30 restates the existing block of the other VLANs, which the default-action drop already enforces. Logging on rule 20 keeps a record of which VPN client addresses reached the HR VLAN.
5). Connecting to the old robot through a jump server in DMZ 1:

Two firewall rules are needed, one for each hop:

Rule 1 (Internet -> DMZ 1): permit TCP from 150.140.130.0/29 to 192.168.60.7, destination port 22 (SSH from XYZ’s office to the jump server).

Rule 2 (DMZ 1 -> Manufacturing VLAN): permit TCP from 192.168.60.7 to 10.10.100.53, destination port 23 (Telnet from the jump server only).

Telnet from any other source, including the Internet, remains blocked, so the plain-text protocol is never carried across the Internet. XYZ then works in two steps from their office:

  1. Origin> ssh username@192.168.60.7 (opens an SSH session on the jump server)
  2. jumpserver$ telnet 10.10.100.53 (opens the Telnet session to the old robot from inside DMZ 1)

Because the Telnet client runs on the jump server itself, no SSH port forwarding is required. Setting AllowTcpForwarding no and GatewayPorts no in the jump server’s sshd_config prevents the vendor from tunnelling arbitrary traffic into the Manufacturing VLAN through the SSH session, so the jump server only ever exposes the Telnet path that Rule 2 permits.

6). Preventing the Manufacturing VLAN from accessing the Internet:

Rule (Cisco extended ACL syntax; the Manufacturing VLAN is assumed to be 10.10.100.0/24, which the scenarios imply only through the robot address 10.10.100.53):

ip access-list extended MFG_NO_INTERNET
 deny ip 10.10.100.0 0.0.0.255 any log

interface fastethernet1
 ip access-group MFG_NO_INTERNET in

The ACL is applied inbound on the Manufacturing VLAN interface, where packets from the robots enter the firewall. A trailing permit ip any any belongs after this deny only if it is the existing general permit for that interface; adding one blindly would open everything the deny does not cover.

Placement: the deny must come after the rules written for Scenarios 1 and 5 and after the rule that accepts established (return) traffic. An extended ACL is evaluated top down with first match, so if this deny preceded them it would also drop the robot’s replies to XYZ’s SSH session and the old robot’s Telnet replies to the jump server, breaking the remote maintenance those scenarios were written to allow. Placed after them, the robots can answer inbound vendor sessions but cannot initiate connections to the Internet.

7). Blocking RFC 1918 sources at the firewall:

RFC 1918 reserves three ranges: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Packets arriving from the Internet with one of these as their source address are spoofed or mis-routed, so they are dropped at the WAN interface. The policy is implemented with a firewall alias and a rule that references it:

Create an alias of type Network named private_networks with the entries:

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

(127.0.0.0/8 loopback and 169.254.0.0/16 link-local are not RFC 1918 space, but they are equally invalid as Internet sources and may be added to the same alias as a bogon filter.)

Create a floating firewall rule under Firewall > Rules:

Action: Block (a silent drop; Reject would send a response to an address that may be spoofed)

Quick: checked

Interface: WAN

Direction: in

TCP/IP version: IPv4

Protocol: any

Source: Single host or alias: private_networks

Destination: any

Log: enabled, so spoofing attempts are visible

With Quick set, this rule is final for any packet it matches, and placing it first ensures that no later permit rule (for example the VPN or vendor SSH rules) can be reached by a packet claiming an internal source address. Many firewalls, pfSense included, expose the same policy as a “Block private networks” checkbox on the WAN interface. A second rule in the out direction with private_networks as the destination is a useful complement, since it stops internal addresses leaking onto the Internet, but it is not what this scenario asks for.
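The answers above describe rules on several different firewall syntaxes, and Scenario 6 turns on where a deny sits in a first-match ACL. The following Python model, added here and not part of the original essay, puts the rules for Scenarios 1 through 7 into one ordered list and evaluates constructed sample packets against it, so the placement argument can be checked rather than asserted. The Manufacturing VLAN (10.10.100.0/24) and HR VLAN (10.10.50.0/24) subnets, the interface names, and the sample traffic are assumptions; the scenarios only give the individual addresses used above.

```python
"""First-match packet-filter model for the seven firewall scenarios (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0/0",)
# Addresses from the scenarios; the two VLAN subnets are assumptions.
XYZ_OFFICE = ("150.140.130.0/29",)
MFG_VLAN = ("10.10.100.0/24",)          # assumed Manufacturing VLAN
HR_VLAN = ("10.10.50.0/24",)            # assumed HR VLAN
OLD_ROBOT = ("10.10.100.53/32",)
JUMP_SERVER = ("192.168.60.7/32",)
VPN_CONCENTRATORS = ("192.168.60.5/32", "192.168.60.6/32")
VPN_POOL = ("192.168.60.224/27",)
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None
    ingress: str = "wan"            # interface/zone the packet arrived on
    established: bool = False       # reply belonging to a tracked connection


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "accept" or "drop"
    src: Tuple[str, ...] = ANY
    dst: Tuple[str, ...] = ANY
    proto: str = "any"
    dport: Optional[int] = None
    state: str = "any"              # "any", "new" or "established"
    ingress: Optional[str] = None   # None = any interface

    def matches(self, p: Packet) -> bool:
        if self.ingress is not None and p.ingress != self.ingress:
            return False
        if self.proto != "any" and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.state == "new" and p.established:
            return False
        if self.state == "established" and not p.established:
            return False
        return _in_any(p.src, self.src) and _in_any(p.dst, self.dst)


def _in_any(addr: str, nets: Tuple[str, ...]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


# Ordered as an ACL would be: first match wins, implicit deny at the end.
# The Scenario 6 deny is stateless, like a Cisco extended ACL entry, so its
# position relative to the established-state rule decides whether replies pass.
RULES: List[Rule] = [
    Rule("established", "accept", state="established"),
    Rule("s2_block_43224", "drop", proto="tcp", dport=43224),
    Rule("s7_rfc1918_from_wan", "drop", src=RFC1918, ingress="wan"),
    Rule("s1_vendor_ssh", "accept", src=XYZ_OFFICE, dst=MFG_VLAN, proto="tcp", dport=22),
    Rule("s5a_vendor_to_jump", "accept", src=XYZ_OFFICE, dst=JUMP_SERVER, proto="tcp", dport=22),
    Rule("s5b_jump_to_robot", "accept", src=JUMP_SERVER, dst=OLD_ROBOT, proto="tcp", dport=23),
    Rule("s3_vpn", "accept", dst=VPN_CONCENTRATORS, proto="tcp", dport=4343),
    Rule("s4_vpnpool_to_hr", "accept", src=VPN_POOL, dst=HR_VLAN),
    Rule("s6_mfg_no_internet", "drop", src=MFG_VLAN, ingress="mfg"),
]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "drop", "implicit_deny"


# Constructed sample traffic, roughly one packet per scenario.
SAMPLES = {
    "vendor_ssh":      Packet("150.140.130.2", "10.10.100.53", dport=22),
    "stranger_ssh":    Packet("203.0.113.9", "10.10.100.53", dport=22),
    "virus_exfil":     Packet("10.10.1.20", "198.51.100.7", dport=43224, ingress="lan"),
    "spoofed_private": Packet("10.0.0.5", "192.168.60.5", dport=4343),
    "vpn_client":      Packet("203.0.113.50", "192.168.60.6", dport=4343),
    "vpn_user_to_hr":  Packet("192.168.60.230", "10.10.50.10", dport=445, ingress="vpn"),
    "lan_user_to_hr":  Packet("10.10.1.20", "10.10.50.10", dport=445, ingress="lan"),
    "jump_telnet":     Packet("192.168.60.7", "10.10.100.53", dport=23, ingress="dmz1"),
    "robot_to_web":    Packet("10.10.100.53", "198.51.100.7", dport=443, ingress="mfg"),
    "robot_ssh_reply": Packet("10.10.100.53", "150.140.130.2", dport=51234,
                              ingress="mfg", established=True),
}


def decisions(rules: List[Rule] = RULES) -> dict:
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


def misplaced_rules() -> List[Rule]:
    """Scenario 6 deny moved to the top, ahead of the established-state rule."""
    return [RULES[-1]] + RULES[:-1]


if __name__ == "__main__":
    for name, (action, rule) in decisions().items():
        print(f"{name:16} -> {action:6} ({rule})")
    print("robot_ssh_reply with Scenario 6 deny first ->",
          evaluate(misplaced_rules(), SAMPLES["robot_ssh_reply"]))
```

With the rules in the order shown, the robot’s SSH reply to XYZ is accepted by the established rule; moving the Scenario 6 deny to the top makes the same packet hit s6_mfg_no_internet, which is exactly the breakage the placement note in Scenario 6 warns about. The RFC 1918 drop sits before every permit, so a packet from 10.0.0.5 aimed at the VPN port never reaches the s3_vpn rule.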

References:

Carman, D. W., Kruus, P. S., & Matt, B. J. (2010). Constraints and approaches for distributed sensor network security (final). DARPA Project report (Cryptographic Technologies Group, Trusted Information System, NAI Labs), 1(1).

Stallings, W. (2009). Network and internetwork security: principles and practice (Vol. 1). Englewood Cliffs: Prentice Hall.

Tankard, C. (2011). Advanced persistent threats and how to monitor and deter them. Network Security, 2011(8), 16-19.

Source: My Assignment Help (2020). Firewall Rules For Business Functions Essay. https://myassignmenthelp.com/free-samples/met-cs-690-network-security/firewall-devides-the-network-into-zones.html