Firewalls

Enterprise companies today employ firewalls that do careful inspection of sessions between external and internal hosts and devices. Cisco employs a patented ASA algorithm that utilizes source IP address, destination IP address, TCP sequence numbers, port numbers and TCP flags to examine and prevent unauthorized sessions. The firewall is configured with conduit statements to filter traffic by examining source/destination IP addresses, application port and protocol port before making a decision whether to permit or deny a session or specific traffic.

Firewalls are implemented at the company demilitarized zone (DMZ) which is located between the external network and the company internal network. Static routing is typically configured at the DMZ between firewalls and internal/external routers for improved security. This is to have greater control over route propagation than would be available with dynamic routing protocols such as RIP and EIGRP. Internal and DMZ (Public) servers would be configured to use the firewall as their default route to forward Internet traffic. If an internal router were available, servers would use that as their default gateway to forward Internet traffic.

The external router broadcasts a default route to the firewall that is used to forward traffic destined for the Internet. A conduit must be configured at the firewall for each protocol type that should be allowed through your firewall. For instance, if your company manages routers and servers across a firewall, you must configure a conduit for SNMP traffic to allow traps through the firewall. The conduit would specify the source address of the router which is sending SNMP traps, the destination address of the network management station that is receiving SNMP traps, and UDP 161 which is the UDP port number for sending SNMP traffic from managed devices to a network management station.

The firewall examines the end to end session connection and does a lookup of its conduit table to determine if a particular source address, destination address, protocol port or application port is allowed through. The packet is discarded or allowed through on to the company network (inside) or Internet depending upon the conduit statements configured.

TACACS Server

This is a TCP service running on a designated Unix server that authenticates employees attempting to access a router. The routers must be configured to send a request to the TACACS server when someone attempts to logon to a router. The router prompts the user for a username/password pair and sends that to the TACACS server for authentication. TACACS servers are implemented with VPN services as well to authenticate remote users before allowing that session to continue with network authentication to Windows Server, Unix or Mainframe authentication and authorization.

RADIUS Server

This is a UDP service running on a designated network server that authenticates employees attempting to access a router. The routers must be configured to send a request to the RADIUS server when someone attempts to logon to a router. The router prompts the user for a username/password pair and sends that to the RADIUS server for authentication. RADIUS servers are implemented with VPN services as well to authenticate remote users before allowing that session to continue with network authentication to Windows Server, Unix or Mainframe authentication and authorization.

Related Knowledge Network Content

•Definitions: Firewall

•Guidelines on Firewalls and Firewall Policy

•Definitions: Network Security