Problem 2 – DMZ Firewall (4 points) Formalize firewall rules that implement the
Question
Formalize firewall rules that implement the following informal requirements for TCP traffic:
- Block connections from the Internet or from the DMZ to the internal network.
- Allow connections from the Internet to every server in the DMZ, but block connections to all other hosts in the DMZ.
- Allow connections from the internal network to the DMZ and to the Internet.
- Allow connections from the DMZ to the Internet.

Specify the firewall rules using a list of iptables commands! Each command defines a rule that will be matched with all packets attempting to go through the firewall. The format of the command is the following (you need to replace the FIELDS in bold italic font):

iptables -A FORWARD -p tcp --source IP --destination IP -m state --state STATES -j ACTION

where
- IP is a range of source or destination IP addresses given using a variable-length subnet mask (e.g., 203.0.113.0/25)
- STATES is either
  o NEW (first packet within a TCP connection)
  o ESTABLISHED (subsequent packets within a TCP connection)
  o NEW,ESTABLISHED (packet is either NEW or ESTABLISHED).
- ACTION is either ACCEPT or DROP (i.e., forward the matching packet or drop it).

If a packet matches multiple rules in the list, then the action of the first matching rule is applied. Be sure to list your rules in the right order! If a packet matches none of the rules, then the default policy is applied, which can be set using:

iptables -P FORWARD ACTION

Be sure to set the default policy for your firewall!
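As an added example, not part of the question or of the answer on this page, the following Python model evaluates packets against a FORWARD chain in the format above under first-match semantics with a default policy, renders one candidate rule list in the required command syntax, and checks it against the four requirements. The zone prefixes and sample host addresses are constructed assumptions; the assignment names none.

```python
import ipaddress

# Constructed zone addressing (an assumption; the assignment names no prefixes):
ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"
DMZ = "203.0.113.0/24"
DMZ_SERVERS = "203.0.113.0/25"  # lower half of the DMZ holds the public servers

def rule(src, dst, states, action):
    """One 'iptables -A FORWARD -p tcp ...' rule as a tuple."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst), states, action)

# Candidate rule list; the order encodes the policy because the first match wins.
CHAIN = [
    rule(ANY, ANY, "ESTABLISHED", "ACCEPT"),    # replies of connections accepted below
    rule(INTERNAL, ANY, "NEW", "ACCEPT"),       # internal -> DMZ and Internet
    rule(ANY, INTERNAL, "NEW", "DROP"),         # Internet or DMZ -> internal
    rule(ANY, DMZ_SERVERS, "NEW", "ACCEPT"),    # Internet -> DMZ servers
    rule(ANY, DMZ, "NEW", "DROP"),              # Internet -> every other DMZ host
    rule(DMZ, ANY, "NEW", "ACCEPT"),            # DMZ -> Internet (internal dropped above)
]
DEFAULT_POLICY = "DROP"

def decide(src, dst, state, chain=CHAIN, policy=DEFAULT_POLICY):
    """Action for one TCP packet: first matching rule, else the default policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, states, action in chain:
        if s in src_net and d in dst_net and state in states.split(","):
            return action
    return policy

def render(chain=CHAIN, policy=DEFAULT_POLICY):
    """The rule list in the command syntax the assignment asks for."""
    lines = [f"iptables -A FORWARD -p tcp --source {s} --destination {d} "
             f"-m state --state {st} -j {a}" for s, d, st, a in chain]
    return lines + [f"iptables -P FORWARD {policy}"]

# Constructed sample hosts, one per zone, used to exercise every requirement.
INTERNET_HOST, CLIENT = "198.51.100.7", "10.1.2.3"
SERVER, OTHER_DMZ = "203.0.113.10", "203.0.113.200"

def violations(chain=CHAIN, policy=DEFAULT_POLICY):
    """(src, dst) pairs whose NEW packet gets the wrong action; empty means compliant."""
    expected = {(INTERNET_HOST, CLIENT): "DROP", (OTHER_DMZ, CLIENT): "DROP",
                (INTERNET_HOST, SERVER): "ACCEPT", (INTERNET_HOST, OTHER_DMZ): "DROP",
                (CLIENT, OTHER_DMZ): "ACCEPT", (CLIENT, INTERNET_HOST): "ACCEPT",
                (SERVER, INTERNET_HOST): "ACCEPT"}
    return [pair for pair, want in expected.items()
            if decide(*pair, "NEW", chain, policy) != want]
```

Moving the final DMZ rule ahead of the DROP towards the internal network makes `violations()` report the DMZ-to-internal pair, which is the ordering mistake the question warns about.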
Explanation / Answer
DMZ (DeMilitarized Zone)
The DMZ (Demilitarized Zone) is either a logical or physical sub-network that contains most of a network’s externally connected services which connect to the Internet. The primary purpose of the DMZ is to provide another layer of security for a local area network (LAN). If a rogue actor is able to obtain access to services located in the DMZ, they are not able to gain full access to the main part of the network.
What is the Purpose of a DMZ?
In most computer networks, the most vulnerable components are those computer hosts that are responsible for providing end-user services such as web, DNS (Domain Name System), and email servers. Due to the odds of one of these servers becoming compromised through published or newly discovered exploits, when employing the DMZ concept they are configured to reside within their own subnetwork. This allows the remainder of the network to be protected if a rogue actor or hacker is able to succeed in attacking any of the servers. Any computer host that is placed in the DMZ will have limited connectivity to other hosts that solely reside within the internal network. The DMZ does permit communication across hosts located within the DMZ and to the external network or Internet. This aspect of the DMZ allows servers to provide services to both the external and internal networks. In this configuration, a computer firewall is used to monitor and control the network traffic between the servers located within the DMZ and internal network client computers. Unfortunately, DMZ configurations will not provide much if any protection against internal network attacks such as email spoofing or network traffic analysis or packet sniffing.
What Services are Normally Placed in the DMZ?
Any network service that runs as a server requiring communication to an external network or the Internet can be placed in the DMZ. The most common services placed in the DMZ include: mail or email servers, FTP servers, Web Servers, and VOIP servers. The decision on what server(s) to place within the DMZ is based on the overall computer security policy of an organization and resource analysis of the drawbacks to placement outside of the primary domain.
When configuring an email server to be within the DMZ, the user database and associated email messages are typically stored on servers on the primary domain to keep them further secure from the Internet. This information is able to be accessed from the email server located within the DMZ that is exposed to the external network; however, the mail server is primarily responsible for passing incoming and outgoing email between the internal servers and the Internet. Network web servers are typically required to communicate with an internal database located on a database server which may contain sensitive information for the organization. As a result, the database server typically resides on the internal network in a DMZ configuration with communications occurring through an application firewall to maintain overall security. In many business networks, there is also a proxy server installed within the network’s DMZ to help ensure legal compliance with national regulations and to help network administrators monitor end-user behavior while online. This action typically requires employees to use the proxy server to surf the Internet. The proxy server construct can result in reduced Internet bandwidth for network users depending on the number of HTTP requests that are denied and overall configuration of the server.
DMZ Architecture
There are a number of methods to create a network that includes a DMZ. The two most commonly deployed methods are the three legged model (single firewall) and a network with dual firewalls. Each of these primary architectural setups can be further expanded to create a complex network architecture depending on the enterprise or organizational requirements.
Basic Firewall DMZ Model
The three legged DMZ model makes use of a single firewall with a minimum of three network interfaces to create the architecture that contains a DMZ. In this configuration, the external network gets created or formed from the Internet Service Provider (ISP) to the network’s firewall on the first network interface. The internal network is then formed from the second network interface, and the network DMZ is created from the third network interface. In the three legged model, the firewall becomes the single point of failure for the overall network. It also must be able to handle all traffic bound for both the DMZ and the internal network. When drawing the network architecture in this model, color codes are typically used to annotate the network zones. Green is normally used to indicate the DMZ, purple for the internal LAN, red for the Internet, and another color to indicate any wireless network zones that are being supported.
Dual Firewall DMZ Model
In order to create a more secure network DMZ, two firewalls can be used to set up the architecture. The “Front-End” firewall is set up to allow traffic to pass to/from the DMZ only. The “Back-End” firewall is then set up to pass traffic from the DMZ to the internal network. The two firewall or dual firewall model is considered to be more secure than the three legged DMZ option since there would have to be two firewalls that would have to be compromised for the network to be compromised. Some organizations even go as far as to use firewalls produced by two different companies to make it less likely that a hacker could use the same security vulnerability to access the internal network.
As an example, if a network administrator makes a setup or configuration error on one firewall brand, he or she would likely make the same mistake on the second one. If a different brand or vendor’s firewall is used for each, then the odds of a configuration mistake propagating across each firewall are much lower. The practice of using two different firewalls, however, is more costly and requires additional effort to maintain when compared to the single firewall model.
What is a DMZ Host?
There are some commercially produced network routers for the home that make reference to a DMZ host. When this occurs, the “host” is located on the internal network with all ports open except for those forwarded. In this configuration, the “host” does not act as a pure DMZ, since the host is not separated from the internal network. This comes from the fact that the DMZ host maintains the ability to connect to all hosts located on the internal network. In true DMZ configurations, these connections must be made through a separating firewall. Unfortunately, the DMZ host can provide a false sense of security to new network administrators or managers. Instead, it is normally used as a straightforward method of forwarding ports to another firewall or NAT device.