tailieunhanh - The Illustrated Network- P74

CHAPTER 28 Firewalls

[Figure: the LAN2 hosts bsdserver, lnxclient, winsrv2, and wincli2 attached to an Ethernet LAN switch with twisted-pair wiring]

This chapter takes a look at firewalls, one technique for adding security to TCP/IP and the Internet. Firewalls can be hardware or software designed to protect individual hosts (clients and servers) or entire LANs from one or more of the threats previously cited. We'll implement a couple of types of firewalls on our site routers, as shown in the figure.

WHAT FIREWALLS DO

Although the Illustrated Network has no dedicated firewall device (often called a firewall appliance), there are fairly sophisticated firewall capabilities built into our routers. So we will configure firewall protection with two types of router-based firewall rules: packet filters and stateful inspection.

A Router Packet Filter

Let's do something fairly simple yet effective with a firewall packet filter on the Juniper Networks router on LAN2 (CE6). Assume that malicious users on LAN1 are trying to harm bsdserver on LAN2. We'll have to protect it from some of the hosts on LAN1. We'll allow remote access with Telnet (this is just an example) or SSH from the bsdclient, and allow similar access attempts from wincli1 but log them. (What do those Windows guys want on the FreeBSD server?) We'll deny and log access from lnxserver and winsrv1, because the organization's security policy has decided that users attempting remote access from servers are not allowed to do so.
The following is the firewall filter configured on CE6 and applied to the LAN2 interface. This filters IPv4 addresses, but we could easily make another to do the same thing for these hosts' IPv6 addresses. It is a good idea to keep in mind that "from" is meant more in the sense of "out of all packets," especially when the filter is applied on the output side of an interface. We also have to apply the filter to the fe-1/3/0 interface, but that configuration snippet is not shown.
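The filter itself is not reproduced on this page, so the following is an added example, not the book's CE6 configuration: a small Python model of a stateless, first-match packet filter that encodes the LAN2 policy described above (bsdclient accepted, wincli1 accepted and logged, lnxserver and winsrv1 discarded and logged) and shows the "out of all packets" reading of the from conditions. Host addresses are constructed placeholders in documentation ranges, since the page does not list them; the trailing accept-all term and the implicit discard when no term matches are assumptions made here to mirror Junos filter behaviour.

```python
# Added example (not code from the book): a first-match model of the LAN2
# packet-filter policy. Addresses are constructed placeholders (RFC 5737
# documentation space); the page does not give the real ones.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

HOSTS = {
    "bsdclient": "192.0.2.10",    # LAN1
    "wincli1":   "192.0.2.20",    # LAN1
    "lnxserver": "192.0.2.30",    # LAN1
    "winsrv1":   "192.0.2.40",    # LAN1
    "bsdserver": "198.51.100.10", # LAN2, the host being protected
}
REMOTE_ACCESS_PORTS = {22, 23}    # SSH and Telnet


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class Term:
    """One filter term: 'from' match conditions plus a 'then' action."""
    name: str
    action: str                                  # "accept" or "discard"
    log: bool = False
    src: List[str] = field(default_factory=list)   # source prefixes; empty = any
    dst: List[str] = field(default_factory=list)   # destination prefixes; empty = any
    proto: Optional[str] = None                    # None = any protocol
    dports: Set[int] = field(default_factory=set)  # empty = any port

    def matches(self, pkt: Packet) -> bool:
        # Every listed condition must hold; an omitted condition matches
        # anything, i.e. 'from' picks these packets out of all packets.
        if self.src and not any(ip_address(pkt.src) in ip_network(p) for p in self.src):
            return False
        if self.dst and not any(ip_address(pkt.dst) in ip_network(p) for p in self.dst):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


class PacketFilter:
    """Stateless filter: terms are tried in order and the first match decides.
    A packet that matches no term is discarded (Junos' implicit final action)."""

    def __init__(self, terms: List[Term]):
        self.terms = terms

    def evaluate(self, pkt: Packet) -> Tuple[str, str, bool]:
        for term in self.terms:
            if term.matches(pkt):
                return term.name, term.action, term.log
        return "implicit-discard", "discard", False


def build_lan2_filter(accept_other_traffic: bool = True) -> PacketFilter:
    """Policy from the text for traffic leaving the LAN2 interface toward bsdserver.
    The trailing accept-all term is an assumption so unrelated traffic still flows."""
    server = [HOSTS["bsdserver"]]
    terms = [
        Term("allow-bsdclient-remote", "accept",
             src=[HOSTS["bsdclient"]], dst=server, proto="tcp", dports=REMOTE_ACCESS_PORTS),
        Term("allow-wincli1-remote-log", "accept", log=True,
             src=[HOSTS["wincli1"]], dst=server, proto="tcp", dports=REMOTE_ACCESS_PORTS),
        Term("deny-servers-remote-log", "discard", log=True,
             src=[HOSTS["lnxserver"], HOSTS["winsrv1"]], dst=server,
             proto="tcp", dports=REMOTE_ACCESS_PORTS),
    ]
    if accept_other_traffic:
        terms.append(Term("accept-everything-else", "accept"))
    return PacketFilter(terms)


if __name__ == "__main__":
    lan2 = build_lan2_filter()
    # Constructed sample packets heading out the LAN2 interface.
    samples = [
        Packet(HOSTS["bsdclient"], HOSTS["bsdserver"], "tcp", 22),
        Packet(HOSTS["wincli1"], HOSTS["bsdserver"], "tcp", 23),
        Packet(HOSTS["lnxserver"], HOSTS["bsdserver"], "tcp", 22),
        Packet(HOSTS["lnxserver"], HOSTS["bsdserver"], "udp", 53),
    ]
    for p in samples:
        print(p.src, p.proto, p.dport, "->", lan2.evaluate(p))
```

Two things worth noticing when running it: the deny term only covers the remote-access ports, so a DNS query from lnxserver still falls through to the accept-all term, and building the filter with accept_other_traffic=False shows how a packet matching no term is silently discarded, which is the usual cause of "the filter broke everything" surprises when a router filter is first applied.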