In the Internet Connection Type drop-down menu, select PPTP (Username/Password).

At this point, you can have the router forward PPTP requests to a server (for example, the VPN server we set up in the previous exercise). Or, you could simply enter a username and password.

8. Enter a username and password. Then verify the password.

9. Save the configuration. This doesn't really save any information because it is an emulator, but this would work the same way on an actual router. At this point, external users would not be able to connect to your network without a username, password, and VPN adapter utilizing PPTP.

10. Log off the DIR-655.

This is one way for small offices and home offices to create an intranet of their own. By only accepting secure connections from users who know the proper username and password, you weed out the public Internet users. This, in addition to security devices and zones on the perimeter of your network, can help keep your data safe.

■ Understanding Security Devices and Zones

THE BOTTOM LINE
Security devices such as firewalls are the main defense for a company's networks, whether they are LANs, WANs, intranets, or extranets. Perimeter security zones such as demilitarized zones (DMZs) help keep certain information open to specific users or to the public while keeping the rest of an organization's data secret.

CERTIFICATION READY
How do you define and configure a firewall? 1.1

Defining Firewalls and Other Perimeter Security Devices

Firewalls are used to protect a network from malicious attack and unwanted intrusion. They are the most commonly used type of security device in an organization's perimeter. Firewalls are primarily used to protect one network from another. They are often the first line of defense in network security. There are several types of firewalls; some run as software on server computers, some run as stand-alone dedicated appliances, and some work as just one function of many on a single device. They are commonly implemented between the LAN and the Internet, as shown in Figure 8-7.

Figure 8-7: A firewall (LAN side 10.254.254.249, Internet side 87.69.11.124)

Generally, there is one firewall, with the network and all associated devices and computers residing "behind" it. By the way, if a device is "behind" the firewall, it is also considered to be "after" the firewall, and if the device is "in front of" the firewall, it is also considered to be "before" the firewall. In Figure 8-7, you can see that the firewall has a local address of 10.254.254.249, which connects it to the LAN. It also has an Internet address of 87.69.11.124, which allows connectivity for the entire LAN to the Internet. The firewall also hides the LAN IP addresses.

By default, the IP address 87.69.11.124 should be completely shielded. This means that all inbound ports are effectively closed and will not allow incoming traffic, unless a LAN computer initiates a session with another system on the Internet. Regardless, you should check this with third-party applications such as Nmap or with a web-based port scanning utility like ShieldsUP. We will show these in upcoming exercises. If any ports are open, or unshielded, they should be addressed immediately. Then, the firewall should be rescanned for vulnerabilities.

Many of today's firewalls have two types of firewall technologies built into them: SPI and NAT. However, there are a couple of other types of firewall methodologies of which you should be aware:

• Packet filtering inspects each packet that passes through the firewall and accepts or rejects it based on a set of rules. There are two types of filtering: stateless packet inspection and stateful packet inspection (SPI). A stateless packet filter, also known as pure packet filtering, does not retain memory of packets that have passed through the firewall. Because of this, a stateless packet filter can be vulnerable to IP spoofing attacks. However, a firewall running stateful packet inspection is normally not vulnerable to this because it keeps track of the state of network connections by examining the header in each packet. It should be able to distinguish between legitimate and illegitimate packets. This function operates at the network layer of the OSI model.

• NAT filtering, also known as NAT endpoint filtering, filters traffic according to ports (TCP or UDP). This can be done in three ways: using basic endpoint connections, by matching incoming traffic to the corresponding outbound IP address connection, or by matching incoming traffic to the corresponding IP address and port.

• Application-level gateway (ALG) supports address and port translation and checks whether the type of application traffic is allowed. For example, your company might allow FTP traffic through the firewall, but it may decide to disable Telnet traffic. The ALG checks each type of packet coming in and discards those that are Telnet packets. This adds a layer of security; however, it is resource intensive.

• Circuit-level gateway works at the session layer of the OSI model when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. Circuit-level gateways hide information about the private network, but they do not filter individual packets.

Examples of network firewalls include the following:

• The D-Link DIR-655 SOHO router/firewall used previously
• Cisco PIX/ASA firewalls
• Juniper NetScreens
• Microsoft's Internet Security and Acceleration Server (ISA) and Forefront

CONFIGURE A SOHO FOUR-PORT FIREWALL

GET READY. Let's explore where to go on a SOHO router to turn on SPI and NAT filtering firewalls. To do so, perform these steps:

1. Access the D-Link DIR-655 router at the following link:

http://support.dlink.com/emulators/dir655/133NA/login.html

2. Log in (no password is required).

3. On the main Device Information page, click the Advanced link near the top of the window. This should bring up the Advanced page.

4. On the left side, click the Firewall Settings link. This should display the Firewall Settings window.

TAKE NOTE: Scan whatever firewall you are running with Nmap or an online scanner such as ShieldsUP.
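The lesson states that a shielded firewall drops all inbound traffic unless a LAN computer initiated the session, and that a stateless packet filter is open to spoofing where stateful packet inspection (SPI) is not. The following toy model, added here as an illustration and not code from the textbook or from D-Link, shows why: it runs the same three inbound packets through a stateless filter and an SPI filter. The LAN prefix 10.254.254.x is taken from Figure 8-7; the host addresses, ports and packets are constructed, and NAT is left out of the model.

```python
# Added example (not from the textbook): a toy model of a perimeter firewall
# like the one in Figure 8-7, contrasting a stateless packet filter with
# stateful packet inspection (SPI). The LAN prefix 10.254.254.x comes from the
# text; the hosts and packets below are constructed for the demonstration, and
# NAT is not modelled (inbound packets are shown with their LAN destination).
from dataclasses import dataclass

LAN_PREFIX = "10.254.254."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Pure packet filter: looks at the header of this packet only and keeps no
    memory of earlier packets. Outbound LAN traffic is allowed; inbound traffic
    is allowed only if the ACK bit is set, the classic stand-in for "this
    belongs to a session a LAN host already opened". Because the decision rests
    on a header field the sender controls, it cannot tell a genuine reply from a
    packet that merely claims to be one."""
    if is_lan(pkt.src):
        return True
    return "A" in pkt.flags


class StatefulFilter:
    """Stateful packet inspection: records every session a LAN host initiates
    and admits an inbound packet only when it matches one of those sessions."""

    def __init__(self) -> None:
        # Known sessions as (lan_ip, lan_port, remote_ip, remote_port).
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_lan(pkt.src):
            if "S" in pkt.flags and "A" not in pkt.flags:  # new outbound connection
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 4-tuple must be a session the LAN opened.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_scenario() -> dict[str, bool]:
    """Three inbound packets as seen from the Internet side of the firewall."""
    lan_host = "10.254.254.10"
    web_server = "203.0.113.5"   # constructed (RFC 5737 documentation range)
    outsider = "198.51.100.7"    # constructed (RFC 5737 documentation range)
    spi = StatefulFilter()
    results = {}

    # 1. A LAN computer initiates a session; the server's SYN-ACK is the reply.
    spi.allow(Packet(lan_host, 50000, web_server, 443, "S"))
    reply = Packet(web_server, 443, lan_host, 50000, "SA")
    results["reply_stateless"] = stateless_filter(reply)
    results["reply_stateful"] = spi.allow(reply)

    # 2. An unsolicited SYN from the Internet (what a port scan probe looks like):
    #    a shielded firewall drops it, so the scanner reports the port as closed.
    probe = Packet(outsider, 40000, lan_host, 22, "S")
    results["probe_stateless"] = stateless_filter(probe)
    results["probe_stateful"] = spi.allow(probe)

    # 3. A packet with only the ACK bit set that belongs to no session the LAN
    #    opened. The stateless filter accepts it on the header alone; SPI drops
    #    it because no matching connection state exists.
    stray_ack = Packet(outsider, 40001, lan_host, 22, "A")
    results["stray_ack_stateless"] = stateless_filter(stray_ack)
    results["stray_ack_stateful"] = spi.allow(stray_ack)
    return results


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:22} {'ALLOWED' if allowed else 'DROPPED'}")
```

Both filters pass the genuine reply and drop the bare SYN probe, which is why a port scan of a shielded firewall shows nothing open either way; the difference appears only with the stray ACK, which the stateless filter admits and SPI rejects. That is the distinction the lesson draws, and it is also why a clean scan result is necessary but not sufficient evidence that the filter is stateful.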