of 28
DMZ Firewall Solution Intel Express Route rs 9515, 9525 an d 9535.
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECT ION WITH INTEL PRODUCTS. NO L ICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERT Y RIGHTS IS GRANTED BY TH IS DOCUMENT.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 2 Table of Contents 1 Introduction ............................................................................................................................ 3 1.1 About This Document .
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 3 1 Introduction 1.1 A bout This Document This docum ent explains h ow to config ure a secure I nternet solution u sing the se cond LAN interface of the I ntel Express router as a DMZ.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 4 The purpose of this se tup is to p rohibit any direct da ta transm ission betwee n the I nternet and the secure ne twork.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 5 2.2 Routing Setup Do not use R IP on the WAN interf ace or the D MZ in terface. This prev ents intr uders from corrupting the rou ting table.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 6 3 DMZ Single IP A ddress Solution This solu tion explains h ow to set up a D MZ solut ion when the I nternet serv ice provide r (ISP) has assigned a single I P address to y our netwo rk.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 7 Note The order o f the NA T en tries is importan t. NAT entr ies are de fined as f ollows : Entry Functi on Settings 1 Directs all in coming HTTP requests to the Web server. Mapping type: Static Po rt (Sing le IP) Internal a ddress: 10.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 8 Filters are de fined as fol lows: Filter Functi on Settings — Prohibit use rs on th e secure ne twork access to th e I nternet Default Action: Discar d 1 Allows access to t he HTTP /F TP proxy serv er on the DMZ .
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 9 Filter Functi on Settings Src. address : 10.2.0.2 Src. port: = 80 2 Allows FTP (on ly passiv e connections ) from secur e LAN to the F TP proxy server on the DMZ (see note 1). Two filte rs are req ui red.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 10 Filter Functi on Settings Dest. address : 10.5.0.2 Dest. port: > 1023 Src. addre ss type: Host Src. address : 10.2.0.4 Src. port: = 119 8 Sends all pack ets genera ted by the r outer to the se cure LAN (LA N1).
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 11 Filters are de fined as fol lows: Filter Functi on Settings — Pass all pack ets dest ined for D MZ Default A ction: Pass 1 Prevents RI P updates from entering the DMZ network Acti on: Discar d Protocol: UDP Dest.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 12 Filter Functi on Settings Scr. addre ss type: Host Src. address : <LAN1 I P address> Src. port : All 9 Discards all I CMP packets en tering th e DMZ network . This prev ents the ro uter from repor ting the I P netm ask.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 13 3.3.3 Internet Co nnection Fi lters 3.3.3.1 Receive (Rx) Filters on the connection to the Interne t Configure these rece ive fil ters for the Intern et connect ion, shown as th ey appear in Adva nced Setup .
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 14 Filter Functi on Settings 2 Allows FTP (bo th activ e and passiv e) from the I nterne t to the H TTP/F TP server on the DMZ . Three fi lters are r equired. Action : Pass Protocol: TCP TCP flags: All Dest.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 15 Filter Functi on Settings Dest. address : 10.2.0.2 Dest. port > 1023 Src. addre ss type: All Src. port: > 1023 9 Allows D NS reply to the HT TP/F TP proxy serv er on the DMZ .
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 16 Filter Functi on Settings Dest. addr ess type: Host Dest. address : 10.2.0.3 Dest. port > 1023 Src. addre ss type: All Src. port: = 25 15 Allows incom ing News (NNTP) from a specified external N ews serv er to the DMZ (see no te 2).
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 17 4 DMZ Multiple IP A ddress Solution This solu tion explains h ow to set up a D MZ when the I SP supplies y ou with mult iple IP addresses. I n the exam ple, the I SP has assig ned the si te a range o f IP addresses: 193.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 18 4.3 Network Address Trans lation (NA T) Because the se cure priv ate netwo rks on LAN1 use public IP addresses (8 9.20.0.0 and 90.20.0.0 ), configure N AT to tr anslate t hese addres ses to priv ate I P addresses.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 19 Filters are de fined as fol lows: Filter Functi on Settings — Prohibit interna l users acc ess to the Int e r ne t Defaul t Action: Defaul t 1 Allow s access to the H TTP /FTP pro xy server on the DMZ .
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 20 Filter Functi on Settings Src. port: = 80 2 Allows F TP (only pass ive conne ctions) from secur e LAN to the F TP proxy server on the DMZ (see note 1). Two filte rs are req ui red. Action : Pass Protocol: TCP TCP flags: ACK Dest.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 21 Filter Functi on Settings Dest. port: > 1023 Src. addre ss type: Host Src. address : 193.84.251.4 Src. port: 119 8 Sends a ll packets g enerated by the router to t he intern al LAN (LAN1 ).
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 22 Filter Functi on Settings Src. addre ss type: All Src. port: All 2 Prev ents tunnel p ackets from entering the DMZ network Acti on: Discar d Protocol: TCP Dest. addr ess type: All Dest port: Tunnel Src.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 23 Filter Functi on Settings 9 Discards all I CMP packets en tering th e DMZ network . This prev ents the ro uter from repor ting the I P netm ask. These filters m ust inc lude all I P addresses on the router, including the WAN IP address if the rou ter is usin g num bered links.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 24 4.4.2. 2 Transmit (Tx) filters on LAN2 Set the de fault ac tion to Pass . 4.4.3 Internet Co nnection Fi lters 4.4.3.1 Receive (Rx) Filters on the Connection to the Internet The requi red receiv e filters f or the I nternet connection, s hown as they appear in Advanced Setup .
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 25 Filter Functi on Settings Src. port: > 1023 2 Allows F TP (both act ive and pass ive) from the I nterne t to the H TTP/F TP server on the DMZ . Three fi lters are r equired. Action : Pass Protocol: TCP TCP flags: All Dest.
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 26 Filter Functi on Settings Dest. addr ess type: Host Dest. address : 193.84.251.2 Dest. port > 1023 Src. addre ss type: All Src. port: = 21 9 Allow s DNS r eply to the HTTP /FTP proxy serv er on the DMZ .
DMZ Firewall Solution fo r the Express Router 07-12-99 Version 1.0 27 Filter Functi on Settings 14 Allows outg oing m ail (SMTP) to any host on th e Interne t from the DMZ. Action : Pass Protocol: TCP TCP flags: ACK Dest. addr ess type: Host Dest. address : 193.