
Page 1: Ccnsp v3.0el

© Copyright 2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved.training.cyberoam.com

Cyberoam Certified Network & Security Professional (CCNSP)


Module 3 Firewall

Page 2: Ccnsp v3.0el


Firewall > Agenda

• Cyberoam Layer 8 Firewall

• Access Control

• Zone Management

• Rule Management

• Object Management

• NAT (Inbound & Outbound)

• Routing

• Labs

Page 3: Ccnsp v3.0el


Firewall

• Cyberoam Layer 8 Firewall


Page 5: Ccnsp v3.0el


Access Control (Appliance Access)

• Use Appliance Access to limit administrative access to the following services from the LAN/WAN/DMZ zones (System -> Administration -> Appliance Access):

– Admin Services (HTTP, HTTPS, Telnet, SSH)

– Authentication Services (User Login options)

– Network Services (DNS, Ping)

– Other Services (Web Proxy, SSL VPN)

Page 6: Ccnsp v3.0el


Access Control > Default Configuration

• When the Cyberoam appliance is powered up for the first time, it has the default access configuration specified below:

• Admin Services

– HTTPS (TCP port 443) and SSH (TCP port 22) are open for administrative functions from the LAN zone

• Authentication Services

– Cyberoam (UDP port 6060) and Captive Portal (TCP port 8090) are open for user authentication services from the LAN zone.

– User authentication services are used by the Layer-8 engine to authenticate and authorize users so that Layer-8 controls can be applied.

Page 7: Ccnsp v3.0el


Access Control > IP address at each port of the security solution

• The IP addresses assigned to each port on the appliance can be static or dynamically obtained from DHCP server.

• The appliance also functions as a DHCP/DHCPv6 server.

• The IP addresses can be edited, and virtual interfaces can be added by defining aliases and VLANs.

• The advantage of an alias is that a single interface can have multiple connections to a network.

• In a VLAN, hosts communicate as if they were attached to the same broadcast domain, regardless of their physical connectivity.


Page 9: Ccnsp v3.0el


Zone Management > Default Zones

• LAN

• DMZ (De-Militarised Zone)

• WAN

• VPN

• Local Zone

(Diagram: LAN Zone, DMZ Zone, WAN Zone and Local Zone around the appliance)

Traffic destined for Cyberoam itself falls under the Local Zone

Page 10: Ccnsp v3.0el


Zone Management > Zone based Policies

• Cyberoam, being a zone-based firewall, allows zone-based rules

• For example: different policies for the Wi-Fi zone, the LAN zone, etc. This is configured from the firewall rule page, which is discussed later in this module.


Page 12: Ccnsp v3.0el


Rule Management

• Select Firewall -> Rule to display the list of rules.

• Choose IP Family – IPv4/IPv6

• Enable/Disable rule - Click to activate/deactivate the rule. If you do not want to apply a firewall rule temporarily, disable it instead of deleting it.

– ON – Active rule, OFF – Inactive rule

• Edit Rule - Click to edit the rule.

• Insert Rule - Click to insert a new rule before the existing rule.

• Move Rule - Click to change the order of the selected rule

Page 13: Ccnsp v3.0el


Rule Management > Default IPv4 Firewall Rule #1

Page 14: Ccnsp v3.0el


Rule Management > Default IPv4 Firewall Rule #2

Page 15: Ccnsp v3.0el


Rule Management > Default IPv6 Firewall Rule

• There are no IPv6 firewall rules by default; the user needs to create IPv6 rules as required by the network


Page 17: Ccnsp v3.0el


Managing Objects

• Objects are global building blocks for all modules/policies/rules of Cyberoam Layer 8 firewall

• Cyberoam provides several standard objects and allows creating:

– Customized object definitions

– Firewall rules for customized service definitions

Page 18: Ccnsp v3.0el


Defining Custom Services

• Select Objects -> Services -> Add to open the create page

Page 19: Ccnsp v3.0el


Managing Object > IP Host & MAC Host

• By default, an IP host is created for each port on the appliance.

Page 20: Ccnsp v3.0el


MAC Host

• In Cyberoam the MAC (Media Access Control) address is a decision parameter for firewall policies, along with Identity and IP address.

Page 21: Ccnsp v3.0el


Managing Object > FQDN Host

• An FQDN (Fully Qualified Domain Name) host can be added to the Cyberoam appliance.

• Adding an FQDN host makes it possible to write a firewall rule that matches a particular FQDN.

Page 22: Ccnsp v3.0el


Managing Object > Country Host

• Cyberoam allows adding country-based hosts to filter traffic at the country level.

• A country host can also be defined directly in the firewall rule.


Page 24: Ccnsp v3.0el


Outbound NAT (Source NAT)

• Cyberoam has a predefined NAT policy called MASQ which NATs the outgoing traffic with the outgoing port’s IP Address.

• Use a NAT policy when you want to map specific outbound traffic to a specific IP address or IP range.

• Cyberoam allows creating a NAT policy, which can be bound to a firewall rule.

Page 25: Ccnsp v3.0el


Inbound NAT (Virtual Host)

• Required to make internal resources available on the internet

• Maps services of a public IP address to services of a host in a private network

• Example: a web server in the LAN zone has the IP address 1.1.1.1; Internet users access www.abc.com, which resolves to 10.103.4.213 (the external IP of the virtual host).

• Cyberoam automatically responds to ARP requests received on the WAN zone for the external IP address of the virtual host.

• The default LAN to WAN (Any Host to Any Host) firewall rule allows traffic to flow between the virtual host and the network.

• Cyberoam allows Inbound Load Balancing & Failover

Page 26: Ccnsp v3.0el


Inbound NAT > Create Virtual Host

• Select Firewall -> Virtual Host -> Add

Page 27: Ccnsp v3.0el


Inbound NAT > Create Virtual Host with Load Balancing

Page 28: Ccnsp v3.0el


Inbound NAT > Create Virtual Host with Load Balancing

• Round Robin – Requests are served in sequential order: the first request goes to the first server, the next to the next server, and so on.

– No other parameter is considered.

• First Alive – All requests are served by the first internal server.

– Requests go to the next server only if the previous one is dead, and so on.

• Random – Requests are served in random order, i.e. a uniform random method in which all requests are distributed evenly.

• Sticky IP – Maps a single source IP to a destination server. Any request from the same source IP will always go to the same server.
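The four methods above, modelled as an added example (not Cyberoam code) so the difference in behaviour, including failover when a server is marked down, can be traced request by request; the server pool and the method names are this example's own:

```python
import random

# Constructed sample pool of internal servers behind one virtual host.
SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]


class InboundBalancer:
    """Models round_robin, first_alive, random and sticky_ip selection.
    Servers marked down (failover) are never selected by any method."""

    def __init__(self, servers, method, rng=None):
        self.servers = list(servers)
        self.method = method
        self.alive = {s: True for s in self.servers}
        self._rr = 0             # round-robin position
        self._sticky = {}        # source IP -> pinned server
        self._rng = rng or random.Random()

    def mark_down(self, server):
        self.alive[server] = False

    def _next_round_robin(self, live):
        server = live[self._rr % len(live)]
        self._rr += 1
        return server

    def select(self, source_ip):
        """Return the server for one request, or None when no server is alive."""
        live = [s for s in self.servers if self.alive[s]]
        if not live:
            return None
        if self.method == "round_robin":
            return self._next_round_robin(live)
        if self.method == "first_alive":
            return live[0]                    # first healthy server takes everything
        if self.method == "random":
            return self._rng.choice(live)     # uniform over healthy servers
        if self.method == "sticky_ip":
            server = self._sticky.get(source_ip)
            if server is None or not self.alive[server]:
                # first request from this source, or its pinned server is down:
                # pick by round robin and pin the result to the source IP
                server = self._next_round_robin(live)
                self._sticky[source_ip] = server
            return server
        raise ValueError(f"unknown method {self.method!r}")


def simulate(method, sources, down=(), seed=1):
    """Serve one request per source IP in order and return the chosen servers."""
    lb = InboundBalancer(SERVERS, method, random.Random(seed))
    for server in down:
        lb.mark_down(server)
    return [lb.select(ip) for ip in sources]
```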

Page 29: Ccnsp v3.0el


Inbound NAT > Create firewall rule to include Virtual host

• Create firewall rules to allow external hosts (from the Internet) to access a virtual host that maps to internal servers.

• You must add the virtual host to a firewall policy to actually implement the mapping configured in the virtual host, i.e. create a firewall rule that allows or denies inbound traffic to the virtual host.

Page 30: Ccnsp v3.0el


Inbound NAT > Loopback Firewall Rule

• Once the virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule for the zone of the mapped IP address.

• The loopback firewall rule is created for the service specified in the virtual host.

• If port forwarding is not enabled in the virtual host, a firewall rule with “All Services” is created instead.

• Loopback rules allow internal users to access internal resources using the public (external) IP address or FQDN.

Page 31: Ccnsp v3.0el


Inbound NAT > Reflexive Firewall Rule

• In the general scenario, when traffic is initiated from the DMZ towards the WAN, a reflexive rule is needed.

• For example, in the case of an email server, the private IP of the email server is mapped to a public IP on the Internet. When an email is received (inbound), the virtual host rule handles it, but when an email is sent (outbound) a reflexive rule is required.

• By default, Cyberoam prompts for this rule while creating the virtual host.
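The three rules the last two slides describe (the inbound rule the administrator adds, the auto-created loopback rule and the prompted reflexive rule), modelled as an added example that is not Cyberoam code. It assumes the reflexive rule source-translates the server's own outbound traffic to the virtual host's external IP; the rule names, addresses and the mail-server virtual host are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class VirtualHost:
    name: str
    external_ip: str            # public IP the appliance answers ARP for on the WAN zone
    mapped_ip: str              # private IP of the internal server
    mapped_zone: str            # zone of the mapped IP (LAN or DMZ)
    port: Optional[int] = None  # None = port forwarding off, rules use "All Services"


def build_rules(vh, reflexive=True):
    """Rule set for one virtual host; rule names are this example's own."""
    rules = [
        # inbound rule the administrator must add: Internet clients reach the published service
        {"name": f"{vh.name}-inbound", "from": "WAN", "dst": vh.external_ip,
         "port": vh.port, "action": "DNAT", "to": vh.mapped_ip},
        # loopback rule (auto-created for the mapped zone): internal users may use the public IP/FQDN
        {"name": f"{vh.name}-loopback", "from": vh.mapped_zone, "dst": vh.external_ip,
         "port": vh.port, "action": "DNAT", "to": vh.mapped_ip},
    ]
    if reflexive:
        # reflexive rule (prompted at creation): traffic the server itself initiates towards the WAN
        # leaves with the public IP instead of the port's MASQ address (assumption of this example)
        rules.append({"name": f"{vh.name}-reflexive", "from": vh.mapped_zone, "src": vh.mapped_ip,
                      "port": None, "action": "SNAT", "to": vh.external_ip})
    return rules


def evaluate(rules, flow):
    """Apply the first matching rule to flow = {zone, src, dst, port}.
    Returns (rule name, translated flow), or (None, flow) when no rule matches."""
    for rule in rules:
        if rule["from"] != flow["zone"]:
            continue
        if rule.get("dst") and rule["dst"] != flow["dst"]:
            continue
        if rule.get("src") and rule["src"] != flow["src"]:
            continue
        if rule["port"] is not None and rule["port"] != flow["port"]:
            continue                        # service not published: no translation
        out = dict(flow)
        out["dst" if rule["action"] == "DNAT" else "src"] = rule["to"]
        return rule["name"], out
    return None, flow


# Constructed example: mail server in the DMZ published on one public IP, SMTP only.
MAIL = VirtualHost("mail", "203.0.113.10", "192.168.10.25", "DMZ", port=25)
MAIL_RULES = build_rules(MAIL)
```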

Page 32: Ccnsp v3.0el


Inbound Load Balancing with Virtual Host & DNS

• Example: a web server is published over two WAN links, Port B (10.206.1.12) and Port C (10.10.1.2)

• The website's NS records should point to the Cyberoam IP addresses, i.e. 10.206.1.12 and 10.10.1.2

Page 33: Ccnsp v3.0el


Inbound Load Balancing with Virtual Host & DNS

• Create a DNS host entry for the server from Network -> DNS -> DNS Host Entry

• Upon failure of either WAN link (Port B or Port C), Cyberoam fails over to the remaining link.

• When both WAN links are functional, Cyberoam load-balances between them


Page 35: Ccnsp v3.0el


Routing in Cyberoam > Static Routing

• Use a static route when you want to route traffic destined for a specific network/host via a different next hop instead of the default route.

• A static route causes packets to be forwarded to a different next hop other than the configured default gateway.

Page 36: Ccnsp v3.0el


Routing in Cyberoam > Static Routing

• Scenario: Cyberoam is deployed in Gateway mode and L3 Switch is configured for inter-VLAN routing

Page 37: Ccnsp v3.0el


Routing in Cyberoam > Static Routing

(Diagram: VLAN ID 100, VLAN ID 101 and VLAN ID 102 behind the L3 switch, with Cyberoam as the gateway)

Network -> Static Route -> Unicast -> IPv4 Unicast Route -> Add

Page 38: Ccnsp v3.0el


Routing in Cyberoam > Dynamic Routing

• Cyberoam supports dynamic routing configuration from the GUI.

• Go to Network -> Dynamic Route -> RIP/OSPF/BGP (Routing Information)

• Note: In-depth Dynamic Routing is covered in CCNSE

Page 39: Ccnsp v3.0el


Routing in Cyberoam > Policy based routing

• The static routing method is limited to forwarding based on the destination address only.

• Policy-based routing extends static routing and provides more flexible traffic handling.

• It allows matching on source address, service/application, and gateway weight for load balancing.

• It offers granular control for forwarding packets based on a number of user-defined variables, such as:

– Destination

– Source

– Application

– A combination of all of the above
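Static versus policy-based lookup for the VLAN scenario of the earlier slides, as an added example that is not Cyberoam code: the static table matches on destination only, while a policy route matches source, destination and service and picks a gateway by weight. Addresses, VLAN subnets and gateway names are constructed.

```python
import ipaddress
import random

# Constructed topology for the slides' scenario: Cyberoam in gateway mode, an L3 switch
# at 192.168.1.2 doing inter-VLAN routing, two WAN links on Port B and Port C.
STATIC_ROUTES = [
    ("10.100.0.0/24", "192.168.1.2"),   # VLAN ID 100 behind the L3 switch
    ("10.101.0.0/24", "192.168.1.2"),   # VLAN ID 101
    ("10.102.0.0/24", "192.168.1.2"),   # VLAN ID 102
    ("0.0.0.0/0",     "203.0.113.1"),   # default gateway on Port B
]

# Policy routes match source, destination and service, not only destination, and carry
# per-gateway weights so one policy can spread flows across WAN links.
POLICY_ROUTES = [
    {"src": "10.101.0.0/24", "dst": "0.0.0.0/0", "service": "any",
     "gateways": [("198.51.100.1", 1)]},                        # VLAN 101 always uses Port C
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "service": "https",
     "gateways": [("203.0.113.1", 3), ("198.51.100.1", 1)]},    # HTTPS split 3:1 over both links
]


def static_lookup(dst):
    """Longest-prefix match on the destination only, as a static route table does."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def policy_lookup(src, dst, service, rng=None):
    """First policy route whose source, destination and service all match wins and its
    gateway is drawn by weight; with no match the packet falls back to the static table."""
    rng = rng or random.Random()
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pr in POLICY_ROUTES:
        if (s in ipaddress.ip_network(pr["src"]) and d in ipaddress.ip_network(pr["dst"])
                and pr["service"] in ("any", service)):
            gateways, weights = zip(*pr["gateways"])
            return rng.choices(gateways, weights=weights)[0]
    return static_lookup(dst)


def gateway_share(src, dst, service, n=4000, seed=0):
    """Fraction of n flows sent to each gateway: shows the weight-based load balancing."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        gw = policy_lookup(src, dst, service, rng)
        counts[gw] = counts.get(gw, 0) + 1
    return {gw: c / n for gw, c in counts.items()}
```

Because the HTTPS policy matches any destination, it would also pull HTTPS bound for the VLAN subnets out of a WAN link ahead of the static routes; in a real deployment scope its destination to the Internet or exclude the internal networks.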

Page 40: Ccnsp v3.0el


Routing in Cyberoam > Policy based routing


Page 42: Ccnsp v3.0el


Labs

• Lab #6 Securing the Appliance

• Lab #7 Create a DROP firewall rule for your machine’s IP address

• Lab #8 Create an ACCEPT firewall rule for your machine’s IP address

• Lab #9 Create Schedule & Apply in Firewall Rule

• Lab #10 Create Firewall Rule to Allow DNS Traffic

• Lab #11 Create Virtual Host to Publish a RDP Server residing in the LAN (Using IPv4 & IPv6 address for RDP Server)

Page 43: Ccnsp v3.0el


Next -> Module 4 (User Authentication)