Page 173 s1

FireWall-1 Version 4.0

Unit III-1
Security Policy
Rule Base and
Properties Setup
Page 173 s2
Security Policy Rule Base and Properties Setup: Objectives

• Explain why it is important to correctly set up a security policy
• Explain the order FireWall-1 matches policies and rules
• Be able to name and define the rule base elements
• Show how to create a rule base
• Show how to add rules to the rule base
(continued)
Page 173 s3

Objectives (continued)

• Identify the process of how security policy rules are applied to a packet
• Define the ways rules can be applied to interface direction
• Successfully define and configure properties for a security policy
Page 175 s4
Creating the Security Policy

Select New from the File Menu.
Page 176 s5
Name the Security Policy

Type the name of the new policy.
Page 176 s6
Security Policy with No Rules

The columns in the Rule Base are referred to as Rule Base “Elements”.
Page 177 s7
Rule Base Elements

• Number
• Source
• Destination
• Services
• Track
• Install On
• Time
• Comment
Page 181 s8
Install On Element

• Security Policy Enforcement
  • Enforced on all the interfaces of a firewalled host or gateway.
  • Enforced differently for incoming and outgoing packets, depending on the rule’s “Install On” field.
Page 182 s9
Creating the Rule Base

Select Add Rule from the Edit Menu and choose the location of the new rule.
Page 183 s10
Default Rule Base

These are the default settings of the Rule Base Elements when you add a new rule.
Page 184 s11
Compare Default vs Cleanup

Default Rule has no tracking. Add long tracking to create the Cleanup Rule.
Page 185 s12
Stealth Rule

Add a new rule with your firewall added to the Destination column. Be sure to add the Stealth Rule above the Cleanup Rule.
Page 186 s13
Adding Additional Rules

Right-click in any column to define a network object. Add new rules below the Stealth Rule and above the Cleanup Rule.
Page 186 s14
Add Objects to Rule

Add a network object to the Source column. Repeat for each column.
Page 187 s15
Complete the Rule Base

Select Install from the Policy Menu. Select Firewall and click OK.
Page 188 s16
Defining Implicit (Pseudo) Rules

• Implicit (Pseudo) Rules:
  • Derived from the properties setup
  • Matched by designations: First, Before Last and Last (Properties Setup screen)
Page 188 s17
Defining Explicit Rules

• Explicit Rules:
  • Created in the rule base
  • Matched to packets in numerical order
Page 188 s18
Viewing Implicit (Pseudo) and Explicit Rules
Page 190 s19

Rule Base Order

• Any Anti-spoofing Rules
• Security Policy properties labeled “First”
• Numbered Rules in numerical order
• Security Policy properties labeled “Before Last”
• Last Numbered Rule
• Security Policy property labeled “Last”
• Implicit Drop Rule
Page 190 s20
Rule Base Order Defined
(pseudo rules were highlighted in yellow on the slide; they are marked “pseudo” here)

Match Order  Rule
1            IP Spoofing / IP Options (pseudo)
2            Security Policy “First” Rule (pseudo)
3            Rule Base, numbered rules in order:
               No.  Source     Destination  Service   Action  Track  Install On
               1    Any        mail-svr     tcp smtp  accept  Short  fw
               2    local-net  Any          Any       accept  Short  fw
4            Security Policy “Before Last” Rule (pseudo)
5            Last Rule in Rule Base:
               3    Any        Any          Any       drop    Long   fw
6            Security Policy “Last” Rule (pseudo)
7            Implicit Drop (pseudo)
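The match order on this slide, worked through in code. This is an added example, not course material: the network objects, the addresses, the “First” and “Before Last” pseudo rules and the anti-spoofing check are all constructed for illustration; only the three numbered rules come from the slide.

```python
import ipaddress
# Constructed network objects: name -> addresses or networks they contain.
OBJECTS = {"fw": ["10.1.1.1"], "mail-svr": ["10.1.1.25"],
           "local-net": ["10.1.1.0/24"]}

def field_matches(field, value):
    """A rule field matches 'Any', a named network object, or a literal."""
    if field == "Any":
        return True
    if field in OBJECTS:
        ip = ipaddress.ip_address(value)
        return any(ip in ipaddress.ip_network(n) for n in OBJECTS[field])
    return field == value

def rule_matches(rule, pkt):
    src, dst, svc = rule[:3]
    return (field_matches(src, pkt["src"]) and field_matches(dst, pkt["dst"])
            and field_matches(svc, pkt["svc"]))

def match(pkt, spoofed, first, numbered, before_last, last):
    """Walk the stages in the slide's order; return (stage, action)."""
    if spoofed(pkt):                         # 1. anti-spoofing rules
        return ("anti-spoofing", "drop")
    stages = [("First", first),              # 2. properties labeled First
              ("numbered", numbered[:-1]),   # 3. numbered rules in order
              ("Before Last", before_last),  # 4. properties labeled Before Last
              ("last rule", numbered[-1:]),  # 5. last numbered rule
              ("Last", last)]                # 6. properties labeled Last
    for stage, rules in stages:
        for rule in rules:
            if rule_matches(rule, pkt):
                return (stage, rule[3])
    return ("implicit drop", "drop")         # 7. implicit drop

# Rule base from the slide: (source, destination, service, action).
RULE_BASE = [("Any", "mail-svr", "tcp smtp", "accept"),
             ("local-net", "Any", "Any", "accept"),
             ("Any", "Any", "Any", "drop")]
# Constructed pseudo rules standing in for properties: a "First" rule for
# FireWall-1 control connections and a "Before Last" rule for outgoing DNS.
FIRST = [("Any", "fw", "tcp fw1", "accept")]
BEFORE_LAST = [("Any", "Any", "udp domain", "accept")]
LAST = []

def spoofed(pkt):
    # Constructed anti-spoofing check: a packet arriving on the outer NIC
    # must not claim a local-net source address.
    return pkt["iface"] == "outer" and field_matches("local-net", pkt["src"])
```

Because rule 3 is an explicit Any/Any/Any drop, the implicit drop is only ever reached when the rule base itself is empty.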
Page 191 s21
Understanding Interface Direction

• Related to the firewall, not the network, and regardless of the packet’s source or destination
  • INBOUND: Entering the machine
  • OUTBOUND: Leaving the machine
  • EITHERBOUND: Entering and leaving the machine

[Diagram: Outer NIC and Inner NIC, each with an Inbound Security Policy and an Outbound Security Policy]
Page 191 s22
Inbound Packet Filtering Direction

• Inspecting “Inbound” from the Internet

[Diagram: Internet, Outer NIC, FireWall-1 Rule Base and Inspect Engine, Inner NIC, Intranet; an inbound packet from the Internet is inspected as it enters the Outer NIC]
Page 192 s23
Inbound Packet Filtering Direction

• Inspecting “Inbound” from the Intranet

[Diagram: Internet, Outer NIC, FireWall-1 Rule Base and Inspect Engine, Inner NIC, Intranet; an inbound packet from the Intranet is inspected as it enters the Inner NIC]
Page 192 s24
Outbound Packet Filtering Direction

• Inspecting “Outbound” from the Internet

[Diagram: Internet, Outer NIC, FireWall-1 Rule Base and Inspect Engine, Inner NIC, Intranet; a packet from the Internet is inspected as it leaves the machine through the Inner NIC]
Page 193 s25
Outbound Packet Filtering Direction

• Inspecting “Outbound” from the Intranet

[Diagram: Internet, Outer NIC, FireWall-1 Rule Base and Inspect Engine, Inner NIC, Intranet; a packet from the Intranet is inspected as it leaves the machine through the Outer NIC]
Page 193 s26
Eitherbound Packet Filtering Direction

• Inspecting “Eitherbound” from the Internet

[Diagram: Internet, Outer NIC, FireWall-1 Rule Base and Inspect Engine, Inner NIC, Intranet; a packet from the Internet is inspected twice, entering the Outer NIC and leaving the Inner NIC]
Page 193 s27
Eitherbound Packet Filtering Direction

• Inspecting “Eitherbound” from the Intranet

[Diagram: Internet, Outer NIC, FireWall-1 Rule Base and Inspect Engine, Inner NIC, Intranet; a packet from the Intranet is inspected twice, entering the Inner NIC and leaving the Outer NIC]
Page 195 s28
Properties Setup

Select Properties from the Policy menu. The Properties Setup screen with various tabs appears.
Page 196 s29
Applying Gateway Interface Direction when Configuring Properties

• Most Common Errors
  • Misunderstanding the importance of direction when packets are inspected
  • Misunderstanding how the Security Policy and the Rule Base matching order work together
Page 196 s30
Security Policy

Security Policy tab: properties relating to the Security Policy as a whole.
Page 198 s31
Services

Services tab: properties enabling Services.
Page 199 s32
Log and Alert

Log and Alert tab: to be covered in CCSE.
Page 201 s33
Security Servers

Security Servers tab: to be covered in CCSE.
Page 204 s34
Authentication

Authentication tab: properties relating to User and Client Authentication.
Page 205 s35
SYNDefender

SYNDefender tab: properties controlling the SYN Attack Defender.
Page 207 s36
LDAP

LDAP tab: to be covered in CCSE.
Page 209 s37
Encryption

Encryption tab: to be covered in CCSE.
Page 212 s38
Miscellaneous

Miscellaneous tab: properties relating to load balancing and encryption.
Page 213 s39
Access Lists

Access Lists tab: properties relating to Router Control.
Page 219 s40

FireWall-1 Version 4.0

Unit III-2
Administering
Security Policy
with Rule Base
Page 219 s41
Administering Security Policy with Rule Base: Objectives

• Demonstrate how to use the FireWall-1 rule base editor to create a security policy
• Verify and install a security policy
Page 220 s42
Verify and Install a Security Policy

Select Verify from the Policy Menu to determine if any rules are in conflict.

Select Install from the Policy Menu to apply the Security Policy.
Page 221 s43
Install Security Policy Screen

Select Firewall and click OK.
Page 222 s44
Spoofing in Action

[Diagram: a packet with forged source IP 192.168.1.10 (claiming the Internal Network 192.168.1.0) and destination IP 207.158.64.10 travels from the Internet through the Router into the DMZ, where www.company.com (207.158.64.10) sits]

The hacker gets packets through the router and ACL by making packets appear to come from an internal, trusted network.
Page 222 s45
Adding Anti-Spoofing

Modify the firewalled object’s properties. Select the object from the Network Objects Manager. Click Edit and select the Interfaces tab. Click Edit on the Interfaces tab.
Page 223 s46
Interface Properties

Define the Interface’s properties.
Page 223 s47
Anti-Spoof Configuration (part 1 of 2)

• Any: Default. Does not allow spoof tracking.
• This net: Packets are allowed whose source IP addresses are part of the network connected to this interface. Used on the Internal NIC, mostly for DMZs, and only if there is one network.
• No security policy: No security policy is installed on this interface. Used when the security policy is enforced on another interface of this object.
• Others: Packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object’s interface. Used on the external NIC when you have identified the network; “Other” is anything other than the identified network.
Page 224 s48
Anti-Spoof Configuration (part 2 of 2)

• Others +: Used to allow traffic for non-standard packet flow such as with NAT. Packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object’s interface. Used on the external NIC when you have identified the network; “Other+” is anything other than the identified network.
• Specific: Packets are allowed only from this group. This is typically a group of network objects.
Page 224 s49
Spoof Tracking

• None: No additional action is taken.
• Log: The spoofing attempt is logged.
• Alert: The action specified in the Anti Spoof Alert command field in the Log and Alert tab of the Properties Setup screen is taken.
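The anti-spoof modes from the two configuration slides and the Spoof Tracking choices, modelled in one check. This is an added example, not course material: the networks and group are constructed, and treating “Others +” as “Others” plus an extra allowed group (the addresses NAT makes appear on that interface) is an assumption about the mode rather than something the slide states.

```python
import ipaddress

def in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)

def spoof_check(mode, src, this_net=None, valid=(), group=(), track="None"):
    """Return (allowed, tracking_event) for a packet with source `src`
    arriving on an interface configured with `mode`.
    `valid`: the networks listed under Valid Addresses for the interface.
    `group`: the group used by Specific, and the '+' group for Others+
             (the Others+ reading is an assumption, see lead-in)."""
    if mode == "No security policy":
        return (True, None)              # this interface is not inspected
    if mode == "Any":
        allowed = True                   # default: no spoof tracking at all
    elif mode == "This net":
        allowed = in_any(src, [this_net])
    elif mode == "Others":
        allowed = not in_any(src, valid)
    elif mode == "Others+":
        allowed = not in_any(src, valid) or in_any(src, group)
    elif mode == "Specific":
        allowed = in_any(src, group)
    else:
        raise ValueError(f"unknown anti-spoof mode {mode!r}")
    if allowed:
        return (True, None)
    # Spoof Tracking: None takes no extra action, Log logs the attempt,
    # Alert runs the Anti Spoof Alert command from the Log and Alert tab.
    event = {"None": None, "Log": "log", "Alert": "alert"}[track]
    return (False, event)
```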
Page 228 s50
Defining Basic Rules

• #1. Stealthing Rule: Drop all packets attempting to access the firewall, protecting the firewall from attack.
• #2. E-mail Inbound Rule: External users can send to the internal e-mail server.
• #3. Web Inbound Rule: External users have access to the internal web server.
• #4. Anything Outbound Rule: Local users can access any service on the Internet.
• #5. Clean-Up Rule: Reject and log all other packets.
Page 229 s51
Basic Rules Sample

FireWall-1 Security Policy - Standard

No.  Source       Destination        Service   Action  Track  Install On  Time  Comment
1    Any          fw.detroit.com     Any       drop    Long   Gateways    Any   Stealthing Rule
2    Any          email.detroit.com  tcp smtp  accept  Short  Gateways    Any   E-mail Inbound
3    Any          www.detroit.com    tcp http  accept  Short  Gateways    Any   Web Inbound
4    detroit-net  Any                Any       accept  Short  Gateways    Any   Anything Outbound
5    Any          Any                Any       drop    Long   Gateways    Any   Clean-Up Rule
