Firewall Rules and Security+
If you plan to take the Security+ exam, you should have a good understanding of firewall rules and access control lists (ACLs). This is the second of three posts in a series showing how they’re used on routers and firewalls to restrict traffic. It ends with a challenge to create firewall rules.
Can you create rules in an ACL?
Firewalls use rules implemented as ACLs to identify allowed and blocked traffic. This is similar to how a router uses rules. Firewalls use an implicit deny strategy to block all traffic that is not explicitly allowed. While rules within ACLs look a little different depending on what hardware you’re using, they generally take the following format:
Permission Protocol Source Destination Port
- Permission. You’ll typically see this as PERMIT or ALLOW allowing the traffic. Most systems use DENY to block the traffic.
- Protocol. Typically, you’ll see TCP or UDP here, especially when blocking specific TCP or UDP ports. If you want to block both TCP and UDP traffic using the same port, you can use IP instead. Using ICMP here blocks ICMP traffic effectively blocking ping and some other diagnostics that use ICMP.
- Source. Traffic comes from a source IP address. You can identify a specific IP address to allow or block, or a range of IP addresses. Wildcards such as any or all include all IP addresses.
- Destination. Traffic is addressed to a destination IP address. You can identify a specific IP address to allow or block, or a range of IP addresses, just as you can with the source. Wildcards such as any or all include all IP addresses.
- Port or protocol. Typically you’ll see the well-known port such as port 80 for HTTP. However, some devices support codes such as www for HTTP traffic. Some system support the use of keywords such as eq for equal, lt for less than, and gt for greater than. For example, instead of just using port 80, it might indicate eq 80.
An important step when deploying a firewall is to determine what traffic you want to allow. You start by assuming you have an implicit deny rule and then you add exceptions for traffic that you want to allow. You then create a rule for each exception. As an example, imagine you have to create rules on a firewall to meet the following requirements:
- Allow all HTTP traffic to a web server with an IP of 192.168.1.25.
- Allow all HTTP and HTTPS traffic to a web server with an IP of 192.168.1.25.
- Allow DNS queries from any source to a computer with an IP of 192.168.1.10.
- Block DNS zone transfer traffic from any source to any destination.
- Block all DNS traffic from any source to any destination.
- Implement implicit deny.
How many rules would you create? What protocols would you use? What ports? The table in the next post shows the solution.
Firewalls use a deny any any, deny any, or a drop all statement at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that wasn’t previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.
Page 2 Firewall Rules and Security+ (this page)