Network Security Analyst for a company that manufactures widgets.
Introduction:
You are a Network Security Analyst for a company that manufactures widgets. As part of your role you must configure the enterprise firewall to support core business functions while ensuring that basic security principles are maintained. The network diagram below represents the parts of your enterprise network relevant to this assignment. Your supervisor, the Enterprise Security Manager, has approved the business requests described in the scenarios below (i.e. you don’t need to assess the validity or business need of the requests) and tasked you with developing solutions to implement them.
Read the scenarios and provide solutions for the challenges presented. Your solutions should fully enable the intended functions without permitting any additional unintended access, while always maintaining the overall security posture of the network. You may enter your answers in the space provided, or on a separate sheet.
Assumptions:
1. Normal business operations such as email, Internet access, etc. are currently working as intended. The scenarios below are new requirements to an already operational network.
2. Network Address Translation (NAT) is enabled and operational, and for the purposes of this assignment can be ignored.
3. Well-known ports are used unless otherwise noted.
4. For simplicity, you do not need to include any outbound rules in this assignment. I.e. once traffic makes it inside the firewall, it is permitted to exit as needed.
Key Concepts:
Implicit Deny/Permit All – Each firewall interface is configured with two specific access control lists (ACLs) - one for incoming traffic (traffic entering the firewall), and one for outgoing traffic (traffic leaving the firewall). Rules are assessed in sequence from first to last until a matching rule is encountered. Each outgoing ACL has an implicit “permit all” rule as the last rule – permitting all traffic not explicitly denied by a preceding rule. Each inbound ACL has an implicit “deny all” rule as the last rule - denying all traffic not explicitly permitted by a preceding rule. Implicit Deny/Permit All rules are always the last rules applied.
Security Zones – Security Zones permit the enterprise to set “trust levels” per firewall interface to more effectively protect sensitive resources. For this lab, higher security levels indicate a more trusted resource. Resources in higher security zones can access resources in lower security zones unless denied by an explicit rule. Resources in lower security zones are denied access to higher security zones unless permitted by an explicit rule. For example, Human Resources (Level 100) can access the Internet (Level 0), but traffic from the Internet cannot access Human resources without an explicit rule. Security zones take precedence over Implicit Deny rules.
Stateful Firewalls – Stateful firewalls track sessions initiated from high security zones to lower security zones and create temporary rules to permit two-way communication. For example, if a user in Human Resources initiates a session to access a web page on the Internet (http, tcp port 80), a stateful firewall will automatically create temporary rules on both Interface 0 and Interface 3 permitting traffic from the target web server on port 80 to pass through Interface 0 (inbound) and Interface 3 (outbound). When the HR user terminates the session, the firewall removes both rules, effectively denying further traffic from the web server. Stateful operation is required for Internet access because otherwise an explicit rule would have to be entered for every desired resource on the Internet! Stateful rules take precedence over security zones. The firewall in this assignment is stateful.
Best Practice – Firewall rules should be configured on the interface closest to where the matching traffic originates. I.e. rules for traffic coming from the Internet should be configured on interface 0. Rules for traffic originating from the DMZ should be configured on interface 1, etc.
When discussing “inbound” and “outbound” traffic, we use the perspective of the firewall NOT the network. I.e. inside the firewall box itself. Inbound traffic permitted into a firewall interface then becomes outbound traffic as it exits the appropriate interface. See the arrows on the diagram for clarification.
Answer Syntax:
Specific syntax varies by firewall manufacturer, but generally must contain the same relevant information. Your answers should include each of the components shown below in the following format.
<Interface number (int_X)> <direction (in/out)> <action (permit/deny)> <source network (CIDR)> <source port (tcp/udp_XX)> <destination network (CIDR)> <destination port (tcp/udp_XX)>
For example, the following rule will allow incoming connections from a specific network through the Internet to access a device in the enterprise Manufacturing network using telnet.
Int_0 in permit 63.130.150.32/29 any 10.10.100.0/24 TCP_23
The key word “any” may be used when no specific network or port is well-known or specified in the scenario.
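As an added worked example (not part of the assignment), the following Python evaluator applies rules written in the syntax above to a single packet, implementing the first-match ordering and the implicit inbound deny / outbound permit described under Key Concepts. The deny rule for a single host is constructed to show that rule order decides the outcome.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: evaluates rules written in the assignment's 7-field
# syntax with first-match ordering, "any" wildcards, implicit deny on inbound
# ACLs and implicit permit on outbound ACLs. Not part of the assignment text.

@dataclass
class Rule:
    interface: str  # e.g. "int_0"
    direction: str  # "in" or "out"
    action: str     # "permit" or "deny"
    src_net: str    # CIDR or "any"
    src_port: str   # e.g. "tcp_23" or "any"
    dst_net: str
    dst_port: str

def parse_rule(line: str) -> Rule:
    """Parse one rule line; fields are compared case-insensitively."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    return Rule(*(f.lower() for f in fields))

def _net_matches(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def _port_matches(spec: str, proto: str, port: int) -> bool:
    return spec == "any" or spec == f"{proto}_{port}"

def evaluate(rules, interface, direction, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
    """Return 'permit' or 'deny' for one packet on the given interface ACL.
    Only rules for that interface and direction are consulted, in order; the
    first match wins, otherwise inbound denies and outbound permits."""
    interface, direction, proto = interface.lower(), direction.lower(), proto.lower()
    for r in rules:
        if (r.interface, r.direction) != (interface, direction):
            continue
        if (_net_matches(r.src_net, src_ip) and _port_matches(r.src_port, proto, src_port)
                and _net_matches(r.dst_net, dst_ip) and _port_matches(r.dst_port, proto, dst_port)):
            return r.action  # first matching rule decides
    return "deny" if direction == "in" else "permit"  # implicit last rule

# The page's example rule, preceded by a constructed deny for one host in the
# same /29 to show that rule order decides the outcome.
ACL = [parse_rule(l) for l in [
    "Int_0 in deny 63.130.150.34/32 any 10.10.100.0/24 TCP_23",
    "Int_0 in permit 63.130.150.32/29 any 10.10.100.0/24 TCP_23",
]]
```

Telnet from 63.130.150.33 is permitted, from the singled-out host .34 it is denied by the earlier rule, and anything not matched (another port, UDP, a host outside the /29) falls through to the implicit inbound deny.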