DESIGNING A NETWORK SECURITY SYSTEM

The following are the steps needed to build a firewall:
1. Determine the network topology to be used.
2. Determine the policy or policies to be enforced.
3. Determine which applications or services will run.
4. Determine which users will be subject to one or more firewall rules.
5. Implement the policies, rules and procedures in the firewall.
6. Disseminate the policies, rules and procedures that have been implemented.

The following is an example of implementing iptables on a firewall. The network configuration used for the example is illustrated in figure 11.14.
In that figure the firewall has two interfaces: it is connected to the internet through the eth0 interface and to the private network through the eth1 interface. Sometimes a firewall connects to the internet through a modem; in that case the eth0 interface is replaced with ppp0.

The first capability a firewall must have is to forward IP packets from the eth0 interface to the eth1 interface and, in the other direction, from eth1 to eth0. This is enabled by setting the ip_forward parameter to 1 with the command:
# echo "1" > /proc/sys/net/ipv4/ip_forward
In some Linux variants this is done by adding a configuration line to the file /etc/sysconfig/network.

INITIALIZING THE IPTABLES RULES

Initialization of the iptables rules sets the general (default) policy of each iptables chain on the firewall. This policy is applied when no rule matches a packet. The general policies applied on a firewall are usually as follows:
1. Policy to drop all packets entering, passing through and leaving the firewall.
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

2. Policy to accept all packets entering and leaving the loopback device.
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT

3. Policy to accept all packets before and after routing (the nat table).
# iptables -t nat -P PREROUTING ACCEPT
# iptables -t nat -P POSTROUTING ACCEPT

ALLOWING ICMP PACKET TRAFFIC

ICMP packets are usually used to test whether a network device is properly connected to the network. This test is usually done with the ping command.
The ping command sends an ICMP packet to the destination IP address and waits for the response from that address. To allow ICMP packets to leave, enter and pass through the firewall, the following rules are applied.
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A FORWARD -p icmp -j ACCEPT
# iptables -A OUTPUT -p icmp -j ACCEPT

The purpose of the above commands is as follows:
1. The firewall allows ICMP packets to enter.
2. The firewall allows ICMP packets to pass through.
3. The firewall allows ICMP packets to leave.

The third command lets the firewall respond to ICMP packets sent to it. Without the third command, the firewall cannot send ICMP replies.
Note:
ICMP packets are sometimes used for improper purposes, so firewalls are sometimes closed to ICMP traffic. If the firewall is not permitted to accept ICMP traffic, the above commands need not be given.

ALLOWING SSH PACKETS INTO THE FIREWALL

Computers on a network are usually configured remotely, so the administrator does not have to be physically at the machine; this includes management of the firewall. To manage the firewall remotely, the SSH program can be used.
SSH uses TCP port 22 to connect two computers. The firewall must therefore allow packets with destination port 22 to enter the firewall, and allow packets originating from port 22 to leave it. The following commands allow SSH access through the eth1 interface, that is, from the private network.
# iptables -A INPUT -p tcp --dport 22 -i eth1 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -o eth1 -j ACCEPT

The purpose of the above commands is as follows:

1. The firewall allows TCP packets with destination port 22 to enter through the eth1 interface.
2. The firewall allows TCP packets with source port 22 to leave through the eth1 interface.

These rules allow SSH access only from the private network through the eth1 interface. For security reasons, SSH access from the private network can be restricted further to certain network addresses or even to certain computers. This is done by adding the -s option, followed by the network address or IP address, to the first (INPUT) command.
# iptables -A INPUT -s 202.51.226.37 -p tcp --dport 22 -i eth1 -j ACCEPT
The rule above accepts TCP packets entering on eth1 from IP address 202.51.226.37 with destination port 22.
ALLOWING HTTP ACCESS ACROSS THE FIREWALL

HTTP is the most widely used protocol for browsing the internet; information presented on the internet is generally accessed over HTTP.

HTTP uses TCP port 80. A firewall usually allows HTTP access, especially HTTP traffic that crosses the firewall, whether it leaves or enters the private network. HTTP access leaving the private network gives computers on the private network access to web sites; HTTP access from the internet occurs when a web server on the private network is reachable from the internet.
The iptables rules that allow HTTP access are as follows:
# iptables -A FORWARD -p tcp --dport 80 -i eth1 -j ACCEPT
# iptables -A FORWARD -p tcp --sport 80 -o eth1 -j ACCEPT
# iptables -A FORWARD -p tcp --dport 80 -i eth0 -j ACCEPT
# iptables -A FORWARD -p tcp --sport 80 -o eth0 -j ACCEPT

The purpose of the above commands is as follows:
1. The firewall allows TCP packets with destination port 80 to cross, entering through the eth1 interface.
2. The firewall allows TCP packets with source port 80 to cross, leaving through the eth1 interface.
3. The firewall allows TCP packets with destination port 80 to cross, entering through the eth0 interface.
4. The firewall allows TCP packets with source port 80 to cross, leaving through the eth0 interface.

The first and second commands allow HTTP access from the private network, while the third and fourth commands allow HTTP access from the internet. The four commands can be replaced with a single command using the multiport match, as follows:
# iptables -A FORWARD -p tcp -m multiport --ports 80 -j ACCEPT
This command states that the firewall allows TCP packets with port 80 as source or destination to pass through, on either eth0 or eth1.

ALLOWING DNS SERVER QUERIES

A firewall usually has the IP address of at least one DNS server. DNS queries use UDP packets on port 53. The firewall needs to query a DNS server to determine the IP address associated with a host name. The firewall is usually allowed to query DNS servers outside the firewall (through either eth0 or eth1), and DNS queries may also be allowed to cross the firewall. The iptables rules that allow DNS server queries from the firewall are as follows:
# iptables -A OUTPUT -p udp --dport 53 -o eth1 -j ACCEPT
# iptables -A INPUT -p udp --sport 53 -i eth1 -j ACCEPT
# iptables -A OUTPUT -p udp --dport 53 -o eth0 -j ACCEPT
# iptables -A INPUT -p udp --sport 53 -i eth0 -j ACCEPT
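The sections above (default policies, loopback, ICMP, SSH, HTTP and DNS) build the rule set one command at a time. The following added example, which is not from the original post, collects the same policy into one iptables-restore file so that it can be parse-checked before it is loaded; WAN_IF, LAN_IF and ADMIN_SRC are assumed placeholder variables, and 192.0.2.10 is a constructed documentation address standing in for the administrator's host.

```shell
#!/bin/sh
# Added example: the page's firewall policy as one iptables-restore ruleset.
# WAN_IF, LAN_IF and ADMIN_SRC are assumed placeholders; 192.0.2.10 is a
# constructed documentation address standing in for the admin host.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
ADMIN_SRC="${ADMIN_SRC:-192.0.2.10/32}"

gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ICMP in, through and out; remove these three lines to ignore ping
-A INPUT -p icmp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# SSH to the firewall, only from the admin host on the private side
-A INPUT -i $LAN_IF -s $ADMIN_SRC -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o $LAN_IF -d $ADMIN_SRC -p tcp --sport 22 -j ACCEPT
# HTTP crossing the firewall: private clients to the internet, and
# internet clients to a web server on the private network
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp --sport 80 -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --sport 80 -j ACCEPT
# DNS queries sent by the firewall itself, on either interface
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in one chain; lets a policy change be checked before loading.
count_rules() {   # usage: count_rules CHAIN
  gen_ruleset | grep -c -- "^-A $1 "
}

# To load (as root): parse-check first, commit only if that succeeds.
# gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
```

Because these rules match only ports and interfaces, any packet arriving with source port 80 or 53 is let through; a `-m conntrack --ctstate ESTABLISHED,RELATED` rule is the usual stateful replacement for the reply-direction rules.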
