Kingston University London
Thesis Title
Design and Implementation of a Network Security Policy Based on Firewalls
Dissertation submitted for the Degree of Master of Science in Networking and Data Communications
By
FILIPPIDIS VASILEIOS
SUPERVISOR
DR. PANAYIOTIS KOTZANIKOLAOU
KINGSTON UNIVERSITY, FACULTY OF COMPUTING, INFORMATION SYSTEMS & MATHEMATICS
TEI OF PIRAEUS, DEPARTMENTS OF ELECTRONICS AND AUTOMATION
JULY 2011
ACKNOWLEDGMENTS
I would like to thank everyone for their helpful support and contribution, in a professional or personal capacity, in carrying out my thesis subject; with it, my Master of Science (MSc) studies have finally come to an end.
I especially thank my professor Dr. P. Kotzanikolaou for being my supporter and, of course, my advisor in the accomplishment of this thesis.
Several people deserve my thanks for their help, support and for standing next to me, but very special thanks go to Antonis Anagnostopoulos for his time, for sharing his administrative support and for his friendship.
TABLE OF CONTENTS
ABSTRACT ..... 4
1. INTRODUCTION ..... 5
1.1. Thesis Statement ..... 7
1.2. Terminology ..... 7
1.3. Thesis Outline ..... 8
2. Related Work – Background ..... 9
2.1. Firewall Concepts ..... 9
2.2. What is a Firewall? ..... 11
2.3. Types of Firewall ..... 13
2.3.1. Packet Filters ..... 13
2.3.2. Stateful Inspection Packet Filter ..... 14
2.3.3. Application ..... 15
2.3.4. Hybrid ..... 15
2.4. Mentioned Firewall Advantages ..... 16
2.5. Firewall Interfaces: Inside, Outside and DMZ ..... 18
2.6. Firewall Policies ..... 19
3. Designing the Test-Bed Environment ..... 20
3.1. Evaluation of different solutions ..... 20
3.2. Test-Bed Environment ..... 21
3.3. Security Network Design ..... 23
3.4. Network Details ..... 23
3.5. VMware Machines ..... 24
3.6. Encountered Problems ..... 25
4. Network Security Policy ..... 27
4.1. Groups and Nodes ..... 28
4.2. Networks ..... 29
4.3. Security Zone Objects ..... 29
4.4. Basic Firewall Configuration & Policy Rules ..... 31
4.5. Extending Firewall Configuration ..... 33
5. The Process of Implementation ..... 35
5.1. Brief description of the Virtual Machines ..... 35
5.2. The Setup of Virtual Machines ..... 37
5.2.1. Mail Server ..... 37
5.2.2. Web Server ..... 37
5.2.3. Firewall ..... 38
5.2.4. Administrator's Workstation ..... 40
6. CheckPoint Smart Console R70 Programs ..... 42
6.1. Smart Dashboard ..... 43
6.2. SmartView Tracker ..... 43
6.3. SmartView Monitor ..... 44
7. Summary, Conclusion and Future Directions ..... 45
ABSTRACT
This thesis studies the design and implementation of a network security policy based on firewalls. The implementation provides a virtual organizational unit that emulates a real one through the use of virtualization software. This emulated environment supplies the prerequisites for the implementation of the project.
A firewall in general is a uniquely powerful piece of equipment that gives all the "magic skills" to its owner. In our case, with the additional settings and configuration, it provides a formidable shield against any unreliable item, person or organization.
The thesis starts with a general analysis of firewall technology: how firewalls are categorized and what the individual role of each type is. This section continues with a classification of firewall layers, presenting their advantages and disadvantages, and ends with a historical description and overview of firewalls.
We then introduce the steps that this essay follows, so that the prerequisite information and data are ready to support the implementation. The data that give life to this implementation are the design and definition of a Test-Bed together with the network security policy.
The implementation of a virtual firewall based on CheckPoint technology, side by side with all the necessary peripheral machines, gives "flesh and bone" to a realistic environment structure.
CheckPoint, as one of the most reliable firewalls, with the relevant settings of its basic and extended configuration, offers a combination of dexterity, knowledge and the philosophy of building a dynamic structure for your network.
1. INTRODUCTION
Some decades ago, universities, together with some companies and agencies, were the first organizations to adopt a new communication method, which was called the Internet. At the beginning the Internet was not so famous. The need to look for something useful and interesting has since made the Internet one of the most popular search tools. From that day till now, everything has changed. Day by day, the number of people that rely on the power of the Internet has grown extremely high, and the value of the information they hold makes networks a candidate target for security attacks.
In the past, talking about security problems was really a joke. Now, a possible attack from another user, a hacker or a virus is 100% certain and extremely dangerous without the appropriate defences. That is why companies have started to spend their budgets on new applications, projects, procedures and products, but most of all on new and more secure mechanisms against all these anonymous threats and attacks.
There are many types of attacks; some of them are:
- Scanning and spoofing
- DoS attacks
- Trojans, worms and viruses
- Software attacks
All the above, along with other types of attacks, have to be stopped at the very start of the attempt. A virus inside a network structure is something like a virtual intruder which is unstoppable and invisible.
Before giving a brief description of what firewalls are and what this thesis offers its audience, it is necessary to present the preliminaries. Before the implementation of a firewall, an appropriate and compatible security policy has to be designed. This step is so important because all the mapping analysis, with the access permissions and deny rules for the incoming and outgoing traffic, takes place here. Anything wrong in the design may have vital consequences for the security of the organization.
From an engineering perspective (Ralph et al. 2002), an efficient policy has the following characteristics:
- States its purpose and what or who it covers.
- Is realistic and easy to implement.
- Has a long-term focus; in other words, it does not contain specifications that will change often.
- Is clear and concise.
- Is up to date, with provisions for regular review.
- Is communicated effectively to all affected parties, including regular awareness training.
- Is balanced between security of assets and ease of use.
In a booklet, Tina Darmohray (1983) emphasized that in 1988 a worm named "Morris" hit the Internet very hard. After the worm, attention turned for the first time to securing the network. This event was the starting idea of "Network Access Control". From all the interesting and useful books, white papers and technical reports, it is commonly accepted that there is no single definition of the word "Firewall" and, apart from that, there is no general model that describes the idea of firewall technology.
In architectural terminology, the phrase "bricks & mortar" is the beginning of what exactly a firewall is. A firewall in a building is a well-constructed wall with the power to stop fire or anything else that wants to pass through. A network firewall is exactly what is mentioned above: it is, somehow, a wall that protects, in general, the inside secured and trusted network (users, machines and applications) from the outside, unsecured and dangerous, malicious Internet (Robert J. Shimonski et al., 2003). In other words, it is the software or hardware machine that allows or rejects the incoming or outgoing traffic.
Figure 1: Firewall Diagram I (West IT Solutions, 1980)
1.1. Thesis Statement
Even if there is no settled consensus on a firewall model, this paper will try to give not only a brief review of the up-to-date bibliography but also to present a Test-Bed network design. Through this implementation, all the traffic from inside and outside the network will be filtered by a proper security policy.
This network security policy will move from theory into practice through one of the most popular firewall mechanisms, namely the CheckPoint firewall (Gonçalves, Marcus, 2000). This firewall holds one of the top positions in the firewall vendor market, which includes Symantec, Cisco and of course Secure Computing.
From the implementation of this Test-Bed environment, a firewall model emerges that gives real evidence about the design of the structure, the sub-networks, network zones, security levels, rules and policies.
The main goal of every piece of research is to examine and analyze every possible perspective of the subject and, through an implementation, to give answers to all the open questions.
1.2. Terminology
The right place to include all the key words that dissertations use, or the words that the subject of a thesis refers to, is the Terminology chapter.
L. Morales (2010) described the word network as the interconnection of cables and other communications media, connectivity equipment such as switches and routers, and electronic devices such as computers, printers, scanners, plotters, etc., for the purpose of sharing data and resources.
With the helpful data from the Information Technology Security Evaluation Criteria [ITSEC] (1991), a scheme recognized for security and product evaluation by many European countries, the term security policy, and more specifically corporate security policy, is the set of laws, rules, and practices that regulate how assets, including sensitive information, are managed, protected, and distributed within a user organization.
A Test-Bed environment is a configured platform or, in other words, a collection of software and hardware equipment that has been configured to help a team of researchers test their projects and obtain their results.
Subnetworks and network zones, and their definitions, will occupy us in the following chapter during the implementation of the firewall.
1.3. Thesis Outline
The organization of the chapters is the following. Chapter 1 contains the introduction along with the thesis statement and terminology. In Chapter 2 the background of firewalls in general and a small historical flashback introduce all the types of firewalls, their advantages and disadvantages and, not to forget, the firewall policies. In Chapter 3 we present the design of the Test-Bed environment. This includes the evaluation of different solutions, a presentation of the Test-Bed structure, the network details and the problems encountered in the course of this thesis. Chapter 4 contains the network security policy, which is one step before the process of implementation. In this chapter we have ready all the available information about groups, users, networks, security zones and finally the basic and extended policy rules. Chapter 5 brings the process of implementation, driven by the data that come from the security policy. In this setup all the virtual machines are transformed into an imaginary but realistic organization. Finally, this thesis ends with the configuration of the most powerful firewall console. This console, "CheckPoint Smart Console R70", is analyzed in Chapter 6. In other words, CheckPoint Smart Console R70 gives a brief view of what this firewall can do in real conditions.
Figure 2: Firewall (Shutterstock, 2010)
2. Related Work – Background
2.1. Firewall Concepts
For some years now the existence of the Internet has been considered a very promising tool and a great opportunity offered to businesses to develop their relationships with customers and organizations (Stackpole B., 2004). These relationships can also include any channel of service delivery in the context of exchange, whether in business or in any other entertainment service.
Some people have also said that there are about 60,000,000 users, and their predictions estimate that this will increase to 1,100,000 in 2011. Moreover, Bill Gates has mentioned that the way information is gained through the Internet, and indeed the way Internet services are offered to users, is expected to change in the near future. These predictions are considered true and, together with Adam Smith's views on the idea of free capitalism and trading through the web, they will come true very soon. Despite the enthusiasm that accompanies the many Internet users of our days, there are also some organizations which do not operate through the Internet. As Howard Rheingold has stated, in our era there is a great number of prophets who profit from the use of the Internet, through organizations and businesses.
However, according to all these trends and phenomena, all of this could change in the near future. Various specialists in the field have stated that any proposition that exists right now is about to change the size or effect of any virtual community, as well as the creation of different channels for service distribution through the web, in a way that communication will be organized much better. What should also be noticed here are the various arguments concerning virtual communities, which can become very critical to the fact that customers will also be served in developing any relationship. Some organizations can also control very popular websites and consequently dominate a great number of daily transactions, speaking of a place inside the channels of the World Wide Web.
By far, it could therefore be said that any individual network could also lead to a digital platform for the provision of information, and could also set the standards for any
new and updated conduits of trading as well as business purposes. Finally, there are also some different opinions which mention that any revolution of virtual communities on the world web and in the sector of organizational services, especially on the indirect and direct channels, could also be used extensively for e-commerce, trading or even social relationships.
As already mentioned above, it is a fact in our days that the Internet has evolved and provided support to a considerably small community of users who valued great openness in the details of collaboration and sharing (Habtamu, 2000). This particular opinion was challenged by the Morris Worm. Still, even leaving the Morris Worm aside, placing trust in the community could raise some serious thoughts about diversification. Remarkable examples of successful or attempted intrusions in almost the same period include the discovery made by Stoll of the German spies tampering inside that particular system. Moreover, Steven M. Bellovin (1994) proceeded to describe a specific collection of attacks which he noticed while he was monitoring the firewall of AT&T and the various networks around it.
As a result, it was found that there were various malicious as well as untrustworthy users on the web. Because not all of them could be trusted, by the time networks are connected together a slightly different level of trust has to exist on each side of the connection. The term trust refers to the expectation of some organizations that the software, as well as the users on the computers, are not malicious. To that point, it could be said that firewalls are used to enforce trust boundaries, which are imposed for a great variety of reasons, such as the security problems in the operation of systems like Windows 95 and Windows 98 and many other configurations. In addition, file sharing turned on by default became a vulnerability that a collection of serious viruses could exploit.
For the above reasons, it should be noted that individuals could protect their computers, when connecting to the web, simply by purchasing a personal firewall. Most of the time, by sitting beneath the operating system, appropriate firewalls can provide security to users when they communicate through the Internet. All the above firewalls can also be used on
personal laptops and home computers. In this particular case, the trust boundary is considered to be the actual network interface of the protecting machine (Ingham and Forrest, 2002, p. 1-2). Firewalls can also work in a way that prevents access to information. National firewalls are just one example of this case, where they protect people from attacks on their computers and related activities.
Enforcing a policy is just one aspect of firewalls. It could be mentioned that firewall technology is used to protect networks by installing it in a specific way at some single security screening stations, and in cases when intranets or private networks are connected to the web, making it easier to monitor traffic, ensure security and audit, as well as to trace break-in attempts (Ingham and Forrest, 2002, p. 1-2). Moreover, it has to be noted that firewalls are used to isolate specific sub-networks within a business. Packet filtering (Ariane Keller, 2006), application proxy (Fortinet, 2000) and circuit proxy (uCertify Articles, 2010) are the three basic approaches used in firewalls in order to provide protection to a network. Finally, there are authors, like Habtamu, who classify these into two kinds of approaches: the application and the transport levels.
2.2. What is a Firewall?
Trying to provide a definition of a firewall, it could be said that a firewall is a network device that can enforce a security policy within a network. Since firewalls were first developed, various methods have been used in order to implement them (Ingham and Forrest, 2002, p. 1-2). Particular methods operate by filtering the network traffic at all seven layers of the OSI network model and, more specifically, at the application, data link, transport and network levels. In addition, specialists have also developed some recent methods like distributed firewalls and protocol normalization, but these have not been widely adopted in our days.
Figure 3: 7 OSI Layers (OSI Layers, 2010)
From the beginning, the area of firewalling was reserved for a small number of people with expert knowledge, specialized in programming environments and administrative skills. They put the firewall in a place between the internal local network and the outside world, which is the Internet. But day after day things have changed, and networks have been getting bigger, with more complex departments. This was the start of the transformation of how firewalls are built and configured.
Because some legitimate data has to be able to pass in and out of a firewall for the protected network to be considered useful, we have to focus on the various attacks that must be stopped by the firewalls outright. In order to achieve this goal, technologies like the VPN – Virtual Private Network (Netgear Inc, 2005) and peer-to-peer (Dejan S. Milojicic et al., 2003) networking may pose completely new challenges for firewalls. There are actually various devices and appliances sold in the market which can provide connectivity to a firewall network. This is known as a subscriber unit. Moreover, it should be said that there is a strongly increasing focus on portable units, which include handsets, smart phones, PC peripherals and USB dongles. All these devices can be embedded in laptops, which in our days are available with Wi-Fi services. In addition, it should be noted that operators have emphasised consumer electronics appliances like gaming consoles, MP3 players and similar devices, where the firewall is considered to be more similar to Wi-Fi than to the 3G cellular technologies.
Some papers and books have noted that the first type of firewall was developed and written in the early 1990s by a researcher well known in those days called Marcus Ranum. He was working for TIS at the time, and the name of his firewall was Firewall-Toolkit, or in other words FWTK. It was an application
proxy type and played the intermediary between servers and users. For all the deployments and research efforts, the main goal was to make something easy and, of course, definitely working in real time.
Those aspects of firewalls were actually developed from the outset for the delivery of broadband services, including voice, data and video accordingly. Through the use of the fast air link, the asymmetric downlink/uplink capability and the flexible resource allocation mechanism, the use of firewalls can also meet the QoS requirements for a wide range of data services and various applications. Within the firewall layers, QoS (Quality of Service) is also provided via the service flows.
In the following chapter, the different and flexible types of firewall will give the answers to the complex and tricky development structure.
2.3. Types of Firewall
From the previous chapters, Firewall-Toolkit was the first application proxy firewall. With the helpful structure of the OSI layers, everyone can see that there are firewalls with different approaches and ways of being developed. Some of them are packet filters, stateful inspection packet filters, hybrids and of course the application proxies. A few words in the following sub-chapters will resolve all the unanswered questions.
2.3.1. Packet Filters
Packet filters are something like the access lists on Cisco routers. They are applied to specific interfaces, either in or out, where "in" or "out" means that the filter applies to the incoming or the outgoing traffic. An IP packet filter can be based on the source / destination IP address and the source / destination port number.
Some simple packet filter examples are the following:
- In the following example, suppose that you have a network, 194.215.3.0/24. With the following rule you are able to stop anyone on the Internet from sending ping packets to this network:
  iptables -A FORWARD -d 194.215.3.0/24 -p icmp -j DROP
- In this example, imagine that you have a private network and you do not want the Internet to see the shared files. The only thing you have to do is add the following rule:
  iptables -A FORWARD -p udp --sport 137:139 -j DROP
It must be highlighted here that the real job of a packet filter is to compare the IP header of each packet, one by one, with a table to see whether the packet is allowed to continue to the next hop or not. If a rule permits it, the packet goes on to the next rule until all the remaining rules have been checked. Packet filtering is extremely inexpensive, flexible and fast.
So why don't people trust packet filters like other firewalls? The answer is a little difficult. As we will see in the following chapter, packet filtering has some disadvantages to deal with. The most important is that it cannot keep track of sessions. This is very important because IP spoofing attacks are a vital enemy for them. Furthermore, it has to deal with many applications that dynamically allocate port numbers, and this can cause problems with deny rules.
Finally, UDP traffic makes things 100 times harder than TCP traffic.
2.3.2. Stateful Inspection Packet Filter
The idea of stateful inspection came from some better concepts about improving the process of packet filtering. The disadvantage of the above firewall type becomes here a great advance and benefit.
A stateful packet filter is able to track all the network sessions. So when a packet arrives on the interface of interest, the filter verifies its legitimacy by matching the packet against the connection table. This table is the place where all connections are recorded until their standard timeout expires.
An entry is written to this table when the firewall recognizes the first SYN packet, and at that moment the TCP session starts. From then on the entry stays recorded and serves as a reference for the packets that follow.
Things are similar, but not so stateful, with UDP. A good example of UDP packets is FTP, or in other words File Transfer Protocol. Although the stateful inspection packet filter is the quickest firewall, it will always be less secure than the following types.
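The difference between the two filter types described in 2.3.1 and 2.3.2 can be seen in a small simulation. The code below is an added illustration, not part of the thesis: it models a first-match rule table holding the two FORWARD rules quoted above (for the network 194.215.3.0/24), and then a stateful variant that records a session on its first accepted SYN and admits only packets belonging to a recorded session. The external addresses and port numbers are constructed sample values.

```python
"""Stateless vs. stateful packet filtering (added illustration, not thesis code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN flag: set on the first packet of a session
    ack: bool = False


@dataclass
class Rule:
    action: str                               # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    src: Optional[str] = None                 # CIDR, None = any
    dst: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None   # inclusive port range, None = any
    dport: Optional[Tuple[int, int]] = None

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        return True


def stateless_filter(rules: List[Rule], p: Packet, default: str = "DROP") -> str:
    """Plain packet filter: walk the table, the first matching rule decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFilter:
    """Same rule table plus a connection table keyed on the 5-tuple."""

    def __init__(self, rules: List[Rule], default: str = "DROP"):
        self.rules, self.default = rules, default
        self.conntrack: Set[tuple] = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)   # reply direction

    def filter(self, p: Packet) -> str:
        if p.proto == "tcp":
            if self._key(p) in self.conntrack or self._reverse_key(p) in self.conntrack:
                return "ACCEPT"   # belongs to a tracked session
            if not p.syn or p.ack:
                return "DROP"     # neither a session start nor a tracked packet
        verdict = stateless_filter(self.rules, p, self.default)
        if verdict == "ACCEPT" and p.proto == "tcp":
            self.conntrack.add(self._key(p))   # the accepted SYN opens the session
        return verdict


# The two rules quoted in 2.3.1, plus one that lets inside hosts open sessions outward.
THESIS_RULES = [
    Rule("DROP", proto="icmp", dst="194.215.3.0/24"),   # iptables -A FORWARD -d 194.215.3.0/24 -p icmp -j DROP
    Rule("DROP", proto="udp", sport=(137, 139)),        # iptables -A FORWARD -p udp --sport 137:139 -j DROP
    Rule("ACCEPT", proto="tcp", src="194.215.3.0/24"),
]
# A stateless filter needs an extra hole for the replies of outbound web sessions;
# that hole also admits any unsolicited TCP packet that merely carries source port 80.
STATELESS_RULES = THESIS_RULES + [Rule("ACCEPT", proto="tcp", dst="194.215.3.0/24", sport=(80, 80))]


def demo() -> dict:
    """Run five constructed packets through both filters and return the verdicts."""
    ping = Packet("203.0.113.9", "194.215.3.10", "icmp")
    netbios = Packet("203.0.113.9", "194.215.3.10", "udp", sport=137, dport=137)
    syn = Packet("194.215.3.10", "203.0.113.80", "tcp", 51000, 80, syn=True)
    reply = Packet("203.0.113.80", "194.215.3.10", "tcp", 80, 51000, syn=True, ack=True)
    unsolicited = Packet("203.0.113.66", "194.215.3.10", "tcp", 80, 22, syn=True)
    packets = (ping, netbios, syn, reply, unsolicited)
    stateful = StatefulFilter(THESIS_RULES)
    return {
        "stateless": [stateless_filter(STATELESS_RULES, p) for p in packets],
        "stateful": [stateful.filter(p) for p in packets],
    }
```

The last packet is the case the thesis warns about: the stateless table accepts it because its source port matches the reply hole, while the stateful filter drops it because no session was ever opened towards that host.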
2.3.3. Application
A network-based application-layer firewall is a computer networking firewall operating at the top of the protocol stack, and is also known as a proxy-based or reverse-proxy firewall. Application firewalls are specific to a particular kind of network traffic and may be named after the service, such as a web application firewall (Yeng N., 2009). They may be implemented as software running on a host or even as a stand-alone piece of network hardware. Most of the time it is a host using various forms of the well-known proxy servers to proxy the traffic before passing it on to the client or server. Because it acts at the application layer, it may inspect the contents of the traffic and block specific content such as certain websites or viruses that attempt to exploit known logical flaws in client software.
Finally, it should be noted that network-based application-layer firewalls work at the application level of the network stack, and may intercept all the packets travelling to or from an application. In other words, application firewalls can also prevent all unwanted outside traffic from reaching the protected machines. Modern application firewalls may also offload encryption from the servers, block application input/output from detected intrusions or malformed communication, manage or consolidate authentication, or block content which violates the accumulated policy (Vacca A. J., 2010).
2.3.4. Hybrid
It is worth mentioning that this chapter completes the analysis of the different firewall categories, and it is necessary to work out the last but most common type of firewall, which is the hybrid.
The previous chapters contain all the required elements and reasons for the necessity of firewalls. That is why the security of a private network, whether it is a home or a company, has become the primary and most important objective for system and network administrators. In 2011, the best way of creating a firewall is to invest in and construct not only one of the above types but a combination of all of them. With such a product the network will have strong and capable security.
The best example of a hybrid firewall model is Netfilter / IPtables.
On their helpful website, www.netfilter.org, they make clear its main role, the combination of well-known firewall types it uses, and its main features. So it is good to mention that Netfilter supports the following three basic functions:
- packet filtering
- network address and port translation (NAT/PAT)
- a flexible and extensible infrastructure
Packet filtering received a clear and fully understandable analysis in Chapter 2.3.2.
But what about NAT?
Network Address Translation (NAT) is one of the most well-known access-control mechanisms in the first line of defence. As everybody knows, most broadband connections come with a single IP address, which is sometimes static and sometimes dynamic. If more than one machine from outside wants to connect with the internal network, NAT is the only way that will work. It enables a LAN to use one set of IP addresses for internal traffic and a second set of addresses for external traffic.
The three main purposes that NAT serves are:
a) It is one of the best security services, after packet filtering.
b) It enables the use of more internal IP addresses.
c) It allows multiple connections to be combined to create a single faster Internet connection.
Some of the disadvantages of NAT are the following:
a) It can be run with static address services but not with dynamic ones.
b) With UDP, dynamic allocation requires state information, and this is not available.
c) Embedded IP addresses are a problem, and NAT boxes only know certain protocols like VPNs, SNMP, BOOTP, etc.
d) Dynamic allocation of ports may interfere with packet filtering.
2.4. Mentioned Firewall Advantages
Concerning technologies like Triple-play, it should be said that they are supported by
the firewall, as QoS (Quality of Service) and multicasting can be obtained. It should be
mentioned that on May 7th, 2008, the companies Google, Intel, Comcast, Time
Warner and House announced the pooling of an average of 120
MHz of spectrum and merged it into Clearwire so as to form a business that would
receive the name “Clear” (Wang, F., 2008).
This new business hoped to benefit from the combined service offerings as well as the
network resources, and to use them as a major springboard against all its competitors. The
cable companies would also be able to provide some media services to other partners,
while those would gain access to the existing wireless network upon provision of
triple-play services (Blanding S., 2004).
Various analysts have wondered whether this deal works out, because although fixed
and mobile convergence has been recognized in the industry, prior attempts to form
partnerships among cable and wireless companies have generally failed to produce
specific advantages for all the participants (Gregory, An., 2000).
Moreover, a firewall in a network is considered to be partitioned into three
independent architectural components: the Radio Access Network, the user equipment,
and the network which provides IP connectivity to the rest of the Internet. It is argued
that this model allows a single operator to freely mix and match the offerings of
different manufacturers for those three parts, at least once the interoperable equipment
can be read in a specific way (Hosny, 2006).
Each of those components, in the case of an operational network, can also be deployed
and managed by various service providers.
It also has to be mentioned that, as with some previous data networks, IP is considered
fundamental in a firewalled network. IP currently “plays” a basic role in the actual
state of the telecommunications industry (Hosny, 2006). Finally, the protocols
standardized by the Internet Engineering Task Force are preferred over proprietary
solutions and are also adopted in the reference model.
2.5. Firewall Interfaces: Inside, Outside and DMZ
In most cases, a firewall consists of two network interfaces, known as inside and
outside. These labels refer to the level of trust of the attached network: the outside
interface is connected to the Internet and the inside interface to the trusted network.
Moreover, as business Internet access has become more complex, the limitations of
having just two interfaces become apparent. For example, where should a company
put its web server for its customers? If it is placed outside the firewall, the web server
is fully exposed to attacks, with only a screening router to provide minimal protection.
In that case people have to rely on the security of the host system itself (Cisco PT Guide
to Firewalls, 2010).
Another possibility in the two-interface firewall scenario is to place the web server
inside the firewall, on an internal segment. This protects the internal network from
direct attack, but the question arises: what if a person is able to compromise the web
server through port 80 and gain remote superuser access?
The solution is to establish intermediate zones of trust between inside and outside.
These are referred to as DMZs (Cisco PT Guide to Firewalls, 2010).
Such a DMZ network is protected by the firewall to the same extent as the internal
network, and it is split off so that access from the DMZ to the internal network is also
filtered. There is another design, sometimes deployed, that uses two firewalls: an outer
one and an inner one, with the DMZ lying between them.
However, evidence has shown that all firewall breaches come from misconfiguration,
not from errors in the firewall code itself. Therefore this design only increases the
management and expense overhead without providing additional security. Some sites
have implemented various DMZs, each with a different purpose or scope and
corresponding to a specific level of trust. In such a case one DMZ sector would contain
only the servers for public access, whereas another could host particular servers for
basic customers.
In a more complex e-commerce environment, the web server might also need to access
customer data from a backend database server on the internal LAN. In that case, a
basic firewall could be configured to allow Hypertext Transfer Protocol (HTTP)
connections from the outside to the web server, and then only the specific connections
to the IP addresses and ports needed from the web server to the inside data server.
2.6. Firewall Policies
Firewall policies are used as a basic part of the security assessment process, where
people should form a clear idea of the various business sections and of the
communications allowed through the firewall. Each protocol carries certain risks, some
far more than others (Yeng N., 2009). These risks should be balanced against business
chances, but they also have to be balanced against people’s business benefits.
On the other hand, a drop-box File Transfer Protocol (FTP) server for sharing files with
customers might also satisfy those specifications. Most of the time, a firewall rule base
grows organically over time until it reaches a point where the administrator can no
longer fully understand the reasons for everything in it.
For this reason, it is well documented that a firewall policy should be implemented with
a business justification clearly stated for each rule. Any change to a firewall policy
should result in a serious analysis of its impact on the firewall configuration. If such
changes are vital for the company, they may put the local data, which is unprotected at
that moment, in great danger.
3. Designing the Test-Bed Environment
3.1. Evaluation of different solutions
To find the best firewall solution for our structure and continue with the design, we
have to check and specify the advantages and disadvantages of the alternative
solutions. After a brief analysis we have to decide which firewall technology is the
best for our Test-Bed implementation. The choices we examined are the following:
a. IPTables
IPTables (Oskar Andreasson, 2001) is a firewall technology for the Linux
environment. Although it is one of the most accurate firewalls, it is a little troublesome
and tricky for people without knowledge of the Linux kernel. At the same time, it is a
demanding environment with all the well-known features of firewalls, like:
• Reliable and stable, meeting the requirements of factory specifications
• Network Translation
• Filtering on IP and MAC addresses
• Packet inspection and real-time monitoring
• Reporting and syslogging.
In this case, the greatest disadvantage is the author’s lack of knowledge about its
command and scripting configuration.
b. Cisco-PIX
Cisco-PIX (Peter J. Welcher, 2002) is a well-known firewall technology developed by
Cisco Systems. It is a stand-alone hardware machine with a special operating system
called PIX OS, with many certifications and evaluation statuses.
It has a lot of services that, combined with its graphical user interface, make it
unbeatable, like:
• IPSec VPN
• DHCP client + server
• URL filtering
• PPPoE
• TACACS (AAA)
• NAT & PAT
c. CheckPoint
Finally, we examine the CheckPoint firewall (Gonçalves, Marcus, 2000). For a Cisco
network administrator, the idea of a new type of firewall apart from Cisco firewalls,
access lists and VPN encryption was something strange and sometimes not acceptable.
But that was wrong. After some tries with the CheckPoint tutorials and guides, and
during the setup, configuration and tests, it was clear that it was something new and
interesting for a pliable environment.
CheckPoint supports all the available firewall policies. It has real-time activation of
rules and policies and, of course, a real monitoring application that helps to
understand what goes wrong in the last policy update.
3.2. Test-Bed Environment
It is impossible to accomplish the implementation and design of a firewall in an
active network environment, because in real life it is impossible for a person to arrange
all the necessary procedures and instructions in real time.
That is why a method that covers all of the above has been developed. The name of
this method is the “Test-Bed” environment. A Test-Bed is a combination of hardware,
software and network equipment where all the possible tests take place. It is like a
virtual, separate place that offers the resources the creator wants, like physical memory,
processors and hard drives, for a real-time test and project.
All the well-known programs and technologies have been tested on a Test-Bed
platform before taking final approval and proceeding to publication. In other words, it
is something like a lab which both published and rejected projects have definitely
passed through. So for the hardware implementation, our Test-Bed structure will be
on a “Server IBM XSeries 206”.
On the other hand, in terms of software, there is a very good free downloadable
program that in a few minutes is able to scan your computer and present the summary
of your server or workstation profile.
Besides the specification of the server, this program can report, as most such programs
do, the updates and all the peripheral units connected to the scanned workstation. The
name of this program is “Belarc Advisor”.
And the output for the IBM Server is the following figure.
Figure 4: Main IBM Server Specification
Closing the chapter on the hardware and software parts of the Test-Bed and going to
deeper specifications, we have to present the program that will help us arrange and
create the virtual machines for our imaginary network.
This program’s name is “VMware Workstation” and the following Figure (5) will
help in understanding it.
Figure 5: VMware information
This chapter contains all the necessary equipment (software and hardware) along
with the main idea and the know-how of this implementation.
3.3. Security Network Design
The final structure diagram of the network Test-Bed will be presented in this
Chapter.
Figure 6: Network Design Diagram
From figure 6 it is obvious that it has both some easy and some difficult parts to
develop. This range of difficulties has to do with experience and knowledge of some
new methods and structures. But let us first see and collect some other information.
3.4. Network Details
Figure 6 represents a real network with 4 different subnets. Each subnet has the
following main purpose:
a. User Network, where all user workstations, wireless or not, gain access to the
other 3 network places. The IP of this network is 192.168.1.0/24.
b. DMZ Web, where the main Web Server is; this machine may interact with the
User Network and the Internet. The IP for this network is 192.168.2.0/24.
c. DMZ Email, where the central Email Server exists and interacts with the User
Network and the Internet. For this network we have the IP 192.168.3.0/24.
d. The Internet, which has nothing in common with the other connection
methods. In this case, we have a router with a unique username and
password from a provider, like for example Wind, OTE, HOL or Forthnet.
The Internet providers give access to communicate with other networks, not
private but public, all over the world. The IP for this router is
192.168.82.1.
The CheckPoint firewall can be directly connected with all the other 4 networks; in
this case, we need 4 available Ethernet network cards, and the settings for these are:

Ethernet          IP               Broadcast        Mask
Eth0              192.168.82.122   192.168.82.255   255.255.255.0
Eth1              192.168.1.1      192.168.1.255    255.255.255.0
Eth2              192.168.2.1      192.168.2.255    255.255.255.0
Eth3              192.168.3.1      192.168.3.255    255.255.255.0
Default Gateway   192.168.82.1
Table 1: Networks
3.5. VMware Machines
In this section, we will present the characteristics of all the machines in the VMware
Workstation program.
There are workstations in the User Network. Both machines run Windows XP
Professional with Service Pack 3. They have 1 processor, 512 MB of memory and a 20
Gbytes hard disk.
On the other side, there are 2 stations with specifications similar to the User
Network’s, and each of them will play the role of the Web and Email Server respectively.
Their operating system is Windows XP Professional with Service Pack 3. They have the
minimum requirements for their job, more specifically 1 processor, 512 MB of memory
and 20 Gbytes of available hard disk capacity.
The difficult part that I faced was the configuration of the CheckPoint Firewall R70,
because its operating system is Red Hat Enterprise Linux 4. The process wasn’t
as tough as I was expecting, but it has some tricky ways of setting the network
adapters. This happens because the CheckPoint Linux image uses a wizard method of
setting the network cards during installation.
A useful snapshot of all the necessary settings in the CheckPoint virtual machine is
the following:
Figure 7: CheckPoint Virtual Machine
3.6. Encountered Problems
Last but not least, we have all the problems that we faced during the implementation.
As a final remark I could say that neither the installation nor the configuration of
CheckPoint was easy. Now I have a very positive status because I am in front of the
configuration of the rules, methods and, generally, the final settings for updating the
policy that we expect.
The two major problems that I faced were:
1. The first has to do with the license of the CheckPoint software. Since the cost
of a working license is unaffordable for the purposes of the thesis, I used 6
trial licenses of a 30-day period. If I could not have found this way, it would
have been impossible to follow this method.
2. The second problem is the performance of my virtual machines and, as a
result, of my central IBM server. This happened when all the VMware machines
were working together at the same time. There was not enough memory for
better performance and the hard drive was full. The only solution was to
configure the machines one by one, without trying to start more than 3 of
them together.
“But what will happen in the final test, when everything will be ready for the last test?”
This will be a real problem. That is why this IBM machine has no chance, even if
we extended its resources with 2 more GB of RAM and 1 hard disk of
120 G-bytes of available space.
The only solution is a brand new machine whose cost is affordable and which has the
recommended (hardware and software) characteristics. The following figure shows the
environment that will finally be the best for our virtual machines.
Figure 8: Main HP Workstation New Specifications
4. Network Security Policy
In this Chapter, we will try to work on a “real” step-by-step implementation of a
firewall model.
This won’t be as easy as it looks, because the following sections describe the
phases, along with the various methods, that a firewall designer needs in order to
accomplish all the processes till the end.
To design a firewall capable of securing an organization, you first need to scan and
record the network domains along with their policies. In our case, Chapter (3.2)
“Network Details” has already achieved something like that.
This step is so important because without it the firewall designer is not able to
know:
• The internal Zone
• The external Zone
• The Wireless Zone
• The Group of Users
• The Services
Before the description of the implementation process in Chapter 5, it is important to
add, analyze and describe some interesting information. This information is the set of
requirement settings that has to do with the general traffic relations, or in other words:
«Who talks with whom?».
Until now, generally speaking, the relations are:
a. The Internet with everyone, but of course not directly, only through the
firewall.
b. The Web Server with the Internet and the User Network.
c. The User Network with the Web Server only on port 80, for Internet, FTP and
port 443.
d. The Email Server with the Internet through the POP3 and SMTP services, and
with the User Network.
Now that the preparation of the Test-Bed environment has been finished, it would be
helpful and more descriptive to focus and start the analysis with the following
figure.
Figure 9: Network Objects in “CheckPoint”
Figure (9) has all the required features and objects that will be useful and be the
starting point for describing our Test-Bed network security policy more specifically.
This figure will be the connector for a better description of the:
a) Groups and Nodes.
b) Networks.
c) Security Zone Objects.
d) Basic Firewall Configuration & Policy Rules.
e) Extending Firewall Configuration.
4.1. Groups and Nodes
After a full network scan and a good security policy design, it is time to register the
users of the organization and, if possible, to put them in groups for a better
response time when encountering difficult situations. So, for the implementation we have:
• 1 Group and
• 3 Users or Nodes. Those are:
GROUP:
Internal_Nets: which includes the internal networks 192.168.1.0/32, 192.168.2.0/32
and 192.168.3.0/32
NODES:
Srv_Mail_192.168.3.2: Email Server with IP 192.168.3.2.
Srv_Web_192.168.2.2: Web Server with IP 192.168.2.2.
Ws_192.168.1.2: The only Workstation in the Users subnet, with IP 192.168.1.2.
4.2. Networks
One sub-category of Network Objects is Networks. This category plays a great role
from the beginning of the firewall setup. It is critical to know from the start the
number of network interfaces that the organization’s firewall will need for all the
necessary networks, because one of the first steps during the setup and configuration
of the CheckPoint firewall has to do with this.
As a result, the networks required in this implementation are:
Networks          IP
Admin-Users       192.168.1.0/32
DMZ_WebServer     192.168.2.0/32
DMZ_EmailServer   192.168.3.0/32
Internet          192.168.82.0/32
Table 2: Network Specifications
4.3. Security Zone Objects
In CheckPoint, a security zone is a logical network object which brings together all
the rules and interfaces with a similar policy. This is a way of teaming and grouping a
great number of rules under a main network security zone. Grouping rules under
zones gives the security administrator a clear view of what is going on and lets them
respond swiftly. In our Test-Bed implementation our Standard Firewall Policy has 6
zones. Every zone has a main idea, moving from a general rule to more specific
points.
The traffic in the incoming or outgoing direction of our network is filtered through
all the security zones of the firewall from top to bottom. This is the same working idea
as a Cisco access-list policy: every access-list is applied to a specific interface, inbound
or outbound, and every packet passes through this list.
If a packet matches a rule, it follows the actions of that rule; otherwise it continues
through the list to the end until it has something in common with one of them.
The following figure is a good example of all the above.
Figure 10: Example of an inbound Access-list
Our presentation continues with the zones and their additional rules that our
network and security administrator has finally created.
Figure 11: Test-Bed Smart Map
From figures No 6, 9 and 11 we have the structure of our implementation zones:
• DMZ for Web Server
• DMZ for Email Server
• External Zone for Network_192.168.82.0/32
• Internal Zone for Networks_192.168.1.0/32_192.168.2.0/32_192.168.3.0/32
Table 3: Zone Specification
In previous chapters it was mentioned that a DMZ plays the role of an individual
network with an extended security policy. Every DMZ rule works separately for all the
network objects added to it, whether as source or destination.
4.4. Basic Firewall Configuration & Policy Rules
Before continuing with the policies of our Test-Bed implementation environment, it
is good to introduce a captured image of the final graphical user interface of our
CheckPoint firewall. In Chapter 5 we will explain the most important steps of the
implementation process in more detail.
But let us first see the sub-categories under the Basic Configuration.
• Determination of Network Services
• Determination of Internal Services
• Delimitation of internal trusted zones, LANs, DMZ and external network.
• Access policy for each network area
• Configuration of Network Address Translation (NAT) and Access Lists (ACL).
For now, this figure presents all the numbered rules with their names, sources and all
the other information needed to complete the rules used for a successfully secured
organization. All of them implement the sub-categories of the Basic Configuration
except the NAT option.
Figure 12: Capture Icon of Standard Firewall Policy
A detailed description of each rule from figure (12) follows:
a. General ICMP Rule for the whole internal network, where all internal users, and
specifically the group “Internal_Nets” (Figure 9), are able to accept and answer
any echo-request from all the internal users.
This is rule number (1), the most general rule, without a specific section title.
b. Management Rules, where access is permitted only to specific workstations to
view and configure the firewall settings, for more and better protection.
This is rule number (2), and it is developed in a way that provides security.
c. Firewall Protection Rules, which have to do with access to services from and to
the firewall itself.
These are rules number (3) to (5). To sum up these three rules, we could say that we
stop, in both directions, any traffic that has to do with the firewall, except the Domain
Name System (DNS) service. This exception helps with matching Internet names to
public IP addresses.
d. From LAN Rules, a group that aggregates the rules that the Network of Users
(192.168.1.0/32) has, in and out of the organization.
These rules count from number (6) to (9). The network design diagram in figure (6)
shows that users from subnet 192.168.1.0/32 have access to all the other networks
except the internal one, at any time and with services like HTTP, HTTPS, FTP and DNS,
and for the Web and Email Servers their additional services, which are HTTP for Web
and SMTP for Mail. Any other service gets a prohibit reaction.
e. From Internet Rules, which have to do with the permission or restriction of the
DMZ zones with respect to the External Zone (Internet).
Both the Web and Email Servers, on their DMZ interfaces, want their respective service
port open so that they can react and correspond properly. So, everyone has access to
the Web Server only for the HTTP service, port 80, and something similar holds for the
Email Server with the SNMP service. For better cooperation, we definitely need to
permit access from the Email Server to everyone for the DNS and SMTP services.
f. Clean-up Rule, which is the last but just as important. This rule implements one
of the most essential ideas: it cuts and drops every other uncategorized attempt.
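The rule base of figure (12), together with the top-to-bottom matching of Chapter 4.3, as an added example in Python that is not part of the thesis or of CheckPoint’s software: it encodes the objects of Chapters 4.1 and 4.2 with the /24 masks of Table 1, evaluates constructed packets against the ordered rules, and applies the per-rule business-justification check that Chapter 2.6 asks for. Rule numbers 10 to 13, the standard service ports, the use of the web-admin port 4433 as the management service, and the reading of the Email Server’s inbound service as SMTP (as in rule (d) and the relations list of Chapter 4) are assumptions.

```python
"""First-match evaluator for the Test-Bed rule base of Chapter 4.4."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Network objects of Chapters 4.1 and 4.2; the /24 masks come from Table 1.
USERS = ip_network("192.168.1.0/24")
DMZ_WEB = ip_network("192.168.2.0/24")
DMZ_MAIL = ip_network("192.168.3.0/24")
INTERNET = ip_network("192.168.82.0/24")
INTERNAL_NETS = (USERS, DMZ_WEB, DMZ_MAIL)          # group "Internal_Nets"
FIREWALL = frozenset(ip_address(a) for a in         # the four interfaces of Table 1
                     ("192.168.82.122", "192.168.1.1", "192.168.2.1", "192.168.3.1"))
SRV_WEB = ip_address("192.168.2.2")
SRV_MAIL = ip_address("192.168.3.2")
WS_ADMIN = ip_address("192.168.1.2")
ANY = None                                          # the "Any" object

# Services as (protocol, destination port). Standard ports are assumed; 4433 is
# the web-based admin port of Chapter 5.2.3, taken here as the management service.
HTTP, HTTPS, FTP, SMTP = ("tcp", 80), ("tcp", 443), ("tcp", 21), ("tcp", 25)
DNS = (("udp", 53), ("tcp", 53))
MGMT = ("tcp", 4433)
ECHO = ("icmp", None)                               # echo-request/reply, no port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    number: int
    name: str
    src: object          # ANY, a network, a host, or a group of them
    dst: object
    services: object     # ANY or a tuple of (proto, port) pairs
    action: str          # "accept" or "drop"
    justification: str   # business reason, as Chapter 2.6 requires for every rule

def _member(addr: IPv4Address, obj) -> bool:
    """True if addr belongs to the network object obj."""
    if obj is ANY:
        return True
    if isinstance(obj, IPv4Network):
        return addr in obj
    if isinstance(obj, IPv4Address):
        return addr == obj
    return any(_member(addr, o) for o in obj)       # group: any member matches

def _service_match(pkt: Packet, services) -> bool:
    if services is ANY:
        return True
    return any(pkt.proto == proto and (port is None or pkt.dport == port)
               for proto, port in services)

# Numbers 1-9 follow Chapter 4.4; 10-13 are assumed for the unnumbered
# "From Internet" rules and the clean-up rule. Order matters: rule 1 precedes
# the firewall-protection rules, so echo to the gateway addresses is accepted.
POLICY = [
    Rule(1, "General ICMP", INTERNAL_NETS, INTERNAL_NETS, (ECHO,), "accept", "internal ping"),
    Rule(2, "Management", WS_ADMIN, FIREWALL, (MGMT,), "accept", "only the admin workstation manages the firewall"),
    Rule(3, "FW protection: DNS", FIREWALL, ANY, DNS, "accept", "the firewall must resolve names"),
    Rule(4, "FW protection: to FW", ANY, FIREWALL, ANY, "drop", "nothing else reaches the firewall"),
    Rule(5, "FW protection: from FW", FIREWALL, ANY, ANY, "drop", "the firewall sends nothing else"),
    Rule(6, "From LAN: Web", USERS, SRV_WEB, (HTTP,), "accept", "users browse the company site"),
    Rule(7, "From LAN: Mail", USERS, SRV_MAIL, (SMTP,), "accept", "users send mail"),
    Rule(8, "From LAN: Internet", USERS, INTERNET, (HTTP, HTTPS, FTP) + DNS, "accept", "web, FTP, DNS"),
    Rule(9, "From LAN: drop", USERS, ANY, ANY, "drop", "any other user traffic is prohibited"),
    Rule(10, "From Internet: Web", ANY, SRV_WEB, (HTTP,), "accept", "public web site"),
    Rule(11, "From Internet: Mail", ANY, SRV_MAIL, (SMTP,), "accept", "inbound mail delivery"),
    Rule(12, "Mail server out", SRV_MAIL, ANY, (SMTP,) + DNS, "accept", "outbound mail and DNS"),
    Rule(13, "Clean up", ANY, ANY, ANY, "drop", "everything not explicitly allowed is dropped"),
]

def evaluate(pkt: Packet, policy=POLICY) -> Rule:
    """Return the first rule that matches, as in the top-to-bottom model of Chapter 4.3."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in policy:
        if _member(src, rule.src) and _member(dst, rule.dst) and _service_match(pkt, rule.services):
            return rule
    raise LookupError("no rule matched: the policy lacks a clean-up rule")

def audit(policy) -> list:
    """Reviewer checks from Chapter 2.6: every rule justified, clean-up drop last."""
    findings = [f"rule {r.number} ({r.name}) has no business justification"
                for r in policy if not r.justification.strip()]
    last = policy[-1]
    if not (last.src is ANY and last.dst is ANY and last.services is ANY and last.action == "drop"):
        findings.append("policy does not end with a clean-up drop rule")
    return findings

if __name__ == "__main__":
    # Constructed sample traffic against the Test-Bed addresses.
    for pkt in (Packet("192.168.82.50", "192.168.2.2", "tcp", 80),
                Packet("192.168.1.50", "192.168.1.1", "tcp", 4433)):
        r = evaluate(pkt)
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: rule {r.number} {r.name}: {r.action}")
```

Running it shows the two sample packets landing on rule 10 (accept) and rule 4 (drop); a POP3 request from a user to the mail server falls through to rule 9, and an HTTPS request from the Internet to the Web Server reaches the clean-up rule.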
But what about the NAT configuration?
The answer comes with the following image.
Figure 13: NAT structure
NAT is a service that transforms, or in other words hides, the internal addresses
behind the firewall. It presents a substitute IP address and not the real internal one. As
figure (13) shows, all the internal network addresses are hidden behind the firewall,
and the Web Server behind an internal IP address in our virtual environment, which in
a real structure would be a public IP address.
4.5. Extending Firewall Configuration
From the beginning of this virtual implementation, a lot of situations were impossible
to configure without a real medium. For example, the NAT translation of the Web
and Email Servers cannot be real without a public IP.
As an extended firewall configuration we have enabled the following:
• Anti-spam & Mail
• Antivirus & URL Filtering
• QoS
None of the above could be proved unless we tried to receive a spam email or to
access a URL which is not permitted by our firewall list.
The following figures have been captured to show how to modify those three extended
firewall tools properly. Figure 14 shows the main control window where all the
available tools are ready to be modified. In the next one, you have the successful status
of updating the database with all the new information. Figure 16 gives the settings for
the HTTP protocol, and 17 the URL filter policy with the denied and accepted URLs.
Figure 14
Figure 15
Figure 16
Figure 17
5. The Process of Implementation
We have to point out here that every step of a firewall configuration, from the first
to the last, contributes to the successful accomplishment of the project.
Of course, if everything goes as we were expecting and the design comes to an end,
the final structure will start a long series of tests and debugging sessions capable of
bringing to the surface all the wrong settings and the unsafe rules. This step, which is a
vital part of the process, will succeed only if the organization starts to work, in real
time, through the firewall.
It is definitely clear that a firewall, to continue being part of the organization’s
protection chain against danger, must follow the cycle of real life. This cycle has to do
with the necessity of changing plans and settings to counter any dangerous changes. In
other words, the firewall has to change whenever necessary because of the threatening
plans of the outside medium.
So, in the following chapter, it is time to introduce all the materials along with the
procedure that this thesis followed to produce this CheckPoint firewall
implementation.
5.1. Brief description of the Virtual Machines
VMware is the software that will create a team of virtual machines and make this
implementation come true. In Chapter (3) we saw the specification of the VMware
Workstation software and the diagram of the structure. So the following 4 figures have
the specifications of our 4 necessary machines. These are:
a) CheckPoint Firewall (Figure 18)
b) Administrator’s Workstation (Figure 19)
c) Web Server (Figure 20)
d) Email Server (Figure 21)
Figure 18: CheckPoint Firewall – Linux 4
Figure 19: Administrator’s Workstation – Windows XP – GUI of CheckPoint
Figure 20: Web Server – Windows XP + IIS
Figure 21: Mail Server – Windows XP – Ability Mail Server Software
All these virtual machines, with the settings of their peripherals, will work as a team
under one main building and cooperate like a real organizational unit.
Let us see how to set up each machine, one by one.
5.2. The Setup of Virtual Machines
We will try to give a brief description, starting in reverse this time. I captured the
most important steps during the setup procedure of each machine, and this will give a
clear configuration manual.
5.2.1. Mail Server
For the Mail Server, the only useful information about this machine is that it runs the
Windows XP operating system and only needs a mail server software of your choice to
be set up. In our structure we downloaded and set up a trial version of the mail server
software named “Ability Mail Server”. With this software and some easy steps, your
Mail Server is ready for action.
Figure 22: Email Server useful setup process
5.2.2. Web Server
For the Web Server things were easier. Windows XP is able, after installation of
Internet Information Services (IIS), which is a Windows component, to provide a
flexible and reliable Web Server. In our structure, we uploaded a simple web site of an
imaginary company with the name “Infostore”.
Figure 23: Web Server useful setup process
Although we said that the introduction would be in reverse, here we will start first with
the setup of the firewall, and after that the setup and configuration of the CheckPoint
graphical user interface on the Administrator’s workstation. We change the writing
order for one reason only: to present how things happened in real time.
5.2.3. Firewall
The most important, useful and interesting part of this implementation starts with the
setup of this machine. I believe that it is the most important part of this manual. The
following figures show the most important steps of the setup wizard configuration.
Figure 24
Figure 25
Figure 26
Figure 27
Figure 28
Figures 24 to 28 show some of the most important wizard steps of the CheckPoint
setup. These have to do with some general information at the beginning, like some
useful drivers and the products that are available for setup. After that we have to choose
the type of Secure platform and the keyboard language, which are the final general
settings.
All the next steps have to do with more critical information, like the IP address of the
primary network interface and the port on which the web-based interface will listen.
The setup ends with an interesting and useful notification. This notification (figure 36)
has all the login information for the graphical interface through the browser, which is:
https://192.168.1.1:4433
with:
Login name: admin and
Password: admin, for the first login only.
After the first login following installation, the system requires you to immediately set
a new login username and password. This is a security policy of CheckPoint.
To configure the CheckPoint platform we have 2 ways.
The first is with telnet. Linux has a complicated language and takes a lot of time to
learn, but sometimes it has clearer steps, and if you get used to it, everything can be
configured really fast.
The other way is with the helpful graphical interface. This platform works with all
Windows versions and has a manageable, native medium.
5.2.4. Administrator’s Workstation
On this machine, the only thing we do is continue the process of the firewall
configuration setup, but through the workstation of the firewall administrator. Even
though this machine is a workstation like all the others, it has something unique,
something that changes everything. But what is that?
It is the privilege of being the only one that has the credentials to access, manage and
read/write the CheckPoint firewall platform. In the following steps we introduce this
configuration.
Figure 29
Figure 30
In figures 29 and 30, we can see that after the new login name: admin and
password: fwadmin, we have access to a real-time status board with all the available
information of CheckPoint R70 and the interfaces of the virtual machine, one for each
network.
Figure 31
Figure 32
Figure 33
Figure 34
Figures 31 to 34 show the network configuration. In this area we are able to change
any IP address of our network interfaces and set up our Domain Name System (DNS).
Figure 35
Figure 36
In figures 35 and 36 we have the list of GUI clients, that is, the hosts allowed to
open management sessions to the firewall machine, and the product section where all
the available, valid licenses are installed. The GUI-clients list should stay as
narrow as possible: in this test-bed it contains only the administrator's
workstation, because every host on the list can manage the firewall.
Something important must be said about the license section. CheckPoint software
does not work at all without a license; this is one of the things that make it one
of the best firewall products. All licenses can be generated only on the CheckPoint
web site and only by authorized, logged-in users.
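The GUI-clients list above is only as good as the check that nothing outside it ever reaches the management ports. The following script is an added example, not code from the thesis or from CheckPoint: it audits a set of connection records for the firewall's management address (192.168.1.1:4433, from the thesis) and reports every accepted management connection whose source is not on the GUI-clients list. The record format, the administrator workstation address 192.168.1.10 and the SmartConsole port 18190 are assumptions made for the example.

```python
"""Management-plane access audit against the GUI-clients allowlist.

Added example, not code from the thesis or from Check Point.  It checks
connection records for the firewall's management ports and reports every
accepted management connection whose source is not on the GUI-clients list.
The record format below is constructed for this example; real Check Point
logs (SmartView Tracker) look different.
"""
import ipaddress

# From the thesis: the WebUI is reached at https://192.168.1.1:4433.
# Port 18190 (SmartDashboard to the management server) is an assumption
# added here; it is not stated on the page.
FIREWALL_MGMT_IP = ipaddress.ip_address("192.168.1.1")
MGMT_PORTS = {4433, 18190}

# GUI clients: the thesis makes the administrator's workstation the only
# host allowed to manage the firewall.  Its address is assumed here.
GUI_CLIENTS = ["192.168.1.10/32"]

# Constructed sample records: "<src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
192.168.1.10 192.168.1.1 4433 accept
192.168.1.10 192.168.1.1 18190 accept
192.168.1.55 192.168.1.1 4433 accept
10.0.0.7 192.168.1.1 18190 drop
192.168.1.55 192.168.1.20 443 accept
"""


def parse_records(text):
    """Yield (src, dst, port, action) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, action = parts
        try:
            yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                   int(port), action.lower())
        except ValueError:
            continue


def is_gui_client(addr, allowlist=GUI_CLIENTS):
    """True if addr falls inside any network on the GUI-clients list."""
    addr = ipaddress.ip_address(str(addr))
    return any(addr in ipaddress.ip_network(str(net)) for net in allowlist)


def audit(text, allowlist=GUI_CLIENTS):
    """Return [(src, port), ...] for accepted management connections from
    hosts that are not GUI clients.  Dropped attempts are left out: they
    show the stealth rule working, not a gap in the allowlist."""
    violations = []
    for src, dst, port, action in parse_records(text):
        if dst != FIREWALL_MGMT_IP or port not in MGMT_PORTS:
            continue
        if action == "accept" and not is_gui_client(src, allowlist):
            violations.append((str(src), port))
    return violations


if __name__ == "__main__":
    for src, port in audit(SAMPLE_LOG):
        print(f"management access from non-GUI-client {src} on port {port}")
```

On the constructed records the only finding is 192.168.1.55 reaching the WebUI on port 4433; the connection from 10.0.0.7 was dropped and so is not a gap, and the 192.168.1.55 connection to 192.168.1.20:443 is ordinary traffic, not management traffic.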
6. CheckPoint Smart Console R70 Programs
Figures 37 to 40 that follow take us to the real console of CheckPoint. The only
way to set up these consoles is to download them from the CheckPoint web site and
follow the installation instructions supplied with them, which is why these steps
are necessary.
Figure 37
Figure 38
Figure 39
Figure 40
Something to mention here, and especially in figure 40, is the three most important
CheckPoint programs. These are:
a. SmartDashboard
b. SmartView Tracker
c. SmartView Monitor
These programs perform three core functions: management, debugging (log analysis)
and monitoring. The following figures give an idea of what each program does.
Of course, the power and abilities of these programs cannot be fully understood
through a recorded video or a set of figures. Only by following a setup procedure
and working with real-time processes can a user fully understand the programs in
practice.
6.1. SmartDashboard
Figure 41
Figure 42
In figure 42 we are able to modify and configure the tools that we want to add to
or remove from the CheckPoint platform. We have already analysed all our policy
rules in chapter 4.4, so let us continue with the analysis of the other important
programs.
6.2.SmartView Tracker
Figure 43
SmartView Tracker is the program that shows a record of every connection that
passes through, or is dropped by, the CheckPoint firewall. It has a variety of
filters and works as a database of past events. It only shows what the rulebase
was told to log, so the Track setting of each rule determines what will later be
available here. This is an undoubtedly necessary tool for any network administrator
who uses CheckPoint equipment.
6.3.SmartView Monitor
Figure 44
Finally, SmartView Monitor is a helpful program that monitors the status of the
firewall in general, the hardware, and the services and protocols in use. Even if
it is not open on the user's screen all the time, it works as a background program
and records everything, 24 hours a day. This is useful if we want to know, for
example, at what time a service stopped or what happened during an update
installation.
7. Summary, Conclusion and Future Directions
This thesis presents an effort to bring together two different views. The first is
the history of the firewall: what exactly it is, its complicated categories, and
their advantages and disadvantages.
The other is the implementation of a test-bed environment. This was the difficult
task of this dissertation, because I had to face tricky and sometimes complicated
conditions.
The design of this test-bed structure had to pass through and successfully complete
a number of tests and finally give correct results.
Along with the network details and the preparation of the VMware machines, a
parallel task was researching the network security policy of our test
organization. The number of groups, nodes and networks had to be checked from the
beginning and without any mistakes.
Finally, the CheckPoint Console R70 can be categorized as a software tool of
medium difficulty. A person with a networking background, with the help of the
CheckPoint administration guides, has a good chance of configuring a firewall
platform for a small to medium organization.
All the implementation chapters try to present the whole creation procedure.
Obviously we cannot present every button and process, because this essay would
never come to an end.
This manual provides all the information needed for the installation and
configuration of this test-bed environment.
A future extension could be to include internal users in the wireless sector. The
best solution for this type of user is the creation of a new DMZ with a different
IP subnet. This would put all wireless users under a policy with better and more
secure rules and zones, because, as we all know, a wireless network is more
susceptible to intruders.
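To make the proposed wireless DMZ concrete, the following script is an added example and not part of the thesis or of the rules analysed in chapter 4.4. It models a first-match rulebase of the kind CheckPoint evaluates top-down, with the wireless DMZ on its own subnet and stricter rules than the wired LAN: wireless clients get web access to the outside only and can never reach the wired LAN, the DMZ or the firewall itself. The subnets (192.168.2.0/24 for the DMZ, 192.168.3.0/24 for the wireless DMZ), the administrator workstation address 192.168.1.10 and the services allowed are assumptions chosen for the example; only the firewall address 192.168.1.1 and its WebUI port 4433 come from the thesis.

```python
"""First-match rulebase with a separate wireless DMZ zone.

Added example, not from the thesis.  It models the future direction proposed
above: a wireless DMZ on its own subnet with stricter rules than the wired
LAN.  Subnets, rule order and services are assumptions for the example; the
thesis's own rules (chapter 4.4) are not reproduced here.
"""
import ipaddress

# Zones (assumed addressing).  192.168.1.1 is the firewall address used in
# the thesis; the DMZ and wireless DMZ subnets are invented for the example.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "wifi_dmz": ipaddress.ip_network("192.168.3.0/24"),
}
WEB = {80, 443}


def zone_of(addr):
    """Map an address to its zone name; anything outside ZONES is external."""
    addr = ipaddress.ip_address(str(addr))
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# Each rule: (source, destination, tcp ports or "any", action).
# Source/destination are a zone name, "any", or "host:<ip>".
# Rules are evaluated top-down and the first match wins; the last rule is
# the cleanup rule, so nothing falls through unmatched.
RULES = [
    # stealth rule: only the admin workstation (assumed 192.168.1.10) may
    # reach the firewall, and only on the WebUI port from the thesis
    ("host:192.168.1.10", "host:192.168.1.1", {4433}, "accept"),
    ("any", "host:192.168.1.1", "any", "drop"),
    # wireless DMZ: web to the outside only, never into the LAN or the DMZ
    ("wifi_dmz", "lan", "any", "drop"),
    ("wifi_dmz", "dmz", "any", "drop"),
    ("wifi_dmz", "external", WEB, "accept"),
    # wired LAN: web to the outside and to the DMZ servers
    ("lan", "external", WEB, "accept"),
    ("lan", "dmz", WEB, "accept"),
    # published DMZ web server reachable from outside
    ("external", "dmz", WEB, "accept"),
    # cleanup rule
    ("any", "any", "any", "drop"),
]


def _matches(selector, addr):
    if selector == "any":
        return True
    if selector.startswith("host:"):
        return ipaddress.ip_address(selector[len("host:"):]) == addr
    return zone_of(addr) == selector


def evaluate(src, dst, port, rules=RULES):
    """Return (action, rule_number) of the first matching rule, 1-based."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for number, (s, d, ports, action) in enumerate(rules, start=1):
        if (_matches(s, src) and _matches(d, dst)
                and (ports == "any" or port in ports)):
            return action, number
    raise RuntimeError("rulebase has no cleanup rule")


if __name__ == "__main__":
    probes = [
        ("192.168.1.10", "192.168.1.1", 4433),  # admin -> WebUI
        ("192.168.3.20", "192.168.1.1", 4433),  # wireless -> WebUI
        ("192.168.3.20", "192.168.1.50", 445),  # wireless -> wired LAN
        ("192.168.3.20", "203.0.113.9", 443),   # wireless -> Internet web
        ("203.0.113.5", "192.168.2.10", 80),    # Internet -> DMZ web server
    ]
    for src, dst, port in probes:
        action, number = evaluate(src, dst, port)
        print(f"{src} -> {dst}:{port}: {action} (rule {number})")
```

The rule order matters: the stealth rule pair comes first so that no later "accept" can expose the firewall's own services, and the wireless drop rules precede the wireless accept so that a LAN address can never be reached from the wireless zone even on a web port. Returning the rule number with the action makes it easy to confirm, for each probe, which rule actually fired.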