If you plan to take the Security+ exam, you should have a good understanding of firewall rules and access control lists (ACLs). This is the second of three posts in a series showing how they’re used on routers and firewalls to restrict traffic. It ends with a challenge to create firewall rules.
Can you create rules in an ACL?
Firewall Rules
Firewalls use rules implemented as ACLs to identify allowed and blocked traffic. This is similar to how a router uses rules. Firewalls use an implicit deny strategy to block all traffic that is not explicitly allowed. While rules within ACLs look a little different depending on what hardware you’re using, they generally take the following format:
Permission Protocol Source Destination Port
- Permission. You’ll typically see this as PERMIT or ALLOW allowing the traffic. Most systems use DENY to block the traffic.
- Protocol. Typically, you’ll see TCP or UDP here, especially when blocking specific TCP or UDP ports. If you want to block both TCP and UDP traffic using the same port, you can use IP instead. Using ICMP here blocks ICMP traffic effectively blocking ping and some other diagnostics that use ICMP.
- Source. Traffic comes from a source IP address. You can identify a specific IP address to allow or block, or a range of IP addresses. Wildcards such as any or all include all IP addresses.
- Destination. Traffic is addressed to a destination IP address. You can identify a specific IP address to allow or block, or a range of IP addresses, just as you can with the source. Wildcards such as any or all include all IP addresses.
- Port or protocol. Typically you’ll see the well-known port such as port 80 for HTTP. However, some devices support codes such as www for HTTP traffic. Some system support the use of keywords such as eq for equal, lt for less than, and gt for greater than. For example, instead of just using port 80, it might indicate eq 80.
An important step when deploying a firewall is to determine what traffic you want to allow. You start by assuming you have an implicit deny rule and then you add exceptions for traffic that you want to allow. You then create a rule for each exception. As an example, imagine you have to create rules on a firewall to meet the following requirements:
- Allow all HTTP traffic to a web server with an IP of 192.168.1.25.
- Allow all HTTP and HTTPS traffic to a web server with an IP of 192.168.1.25.
- Allow DNS queries from any source to a computer with an IP of 192.168.1.10.
- Block DNS zone transfer traffic from any source to any destination.
- Block all DNS traffic from any source to any destination.
- Implement implicit deny.
How many rules would you create? What protocols would you use? What ports? The table in the next post shows the solution.
Firewalls use a deny any any, deny any, or a drop all statement at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that wasn’t previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.
Page 1 of 3 ACLs and Security+
Page 2 Firewall Rules and Security+ (this page)
Why do we need to specify traffic to be blocked if the implicit deny is going to block it anyways?
The point of the blog post is to help test takers familiarize themselves with content and possible questions that they might see on the live exam.
Imagine you get a question that expects you to identify how to block certain traffic, but implicit deny is not given as a possible choice.
You can’t ask for a different question. Instead, you much pick the best possible answer of the available choices.
I understand you may not agree with the approach of some CompTIA test item developers.
Still, my goal is to help people prepare for similar questions that they may see.
Do I use /32 for every firewall rule that I need to identify a computer or server individually in the rule or is there an equation that I have to use to figure out the mask for the individual computer? For instance is it always /32 or is it sometimes /20 or / 17…? Also in the video here you show that the source and destination both have /32 but in the Performance Based problems on GetCertifiedGetAhead the destination address do not have a /32, why is that?
Here’s a cut and paste from the next page in this series. I’ve formatted it differently to stress what you’re asking.
IP addresses and networks. You can add a rule in the ACL to block access from any single computer based on the IP address.
If you want to block traffic from one subnet to another, you can use a rule to block traffic using the subnet IDs. For example, the sales department may be in the 192.168.1.0/24 network and the accounting department may be in the 192.168.5.0/24 network. You can ensure traffic from these two departments stays separate with an ACL on a router.
If you want to block traffic to a single computer you would use /32. For example if you wanted to block traffic to a computer with an IP address of 192.168.1.1, you would use 192.168.1.1/32.
The performance based questions have different scenarios. Also, they all have full explanations.
If the scenario requires you to block access to the network, use /24 (or whatever the CIDR notation is that for that network).
If the scenario requires you to block access to a computer, use /32.
This is a great example of how a subtle change in the wording of a question is extremely important. CompTIA isn’t trying to trick people with these questions. Instead, they are simply trying to ensure that people understand the difference. People that memorize practice questions and answers have problems. People (like you right now) that try to understand the content, do better.