Interactive Firewall ExerciseWe are assuming a generic ACL language for this
exercise. Our ACL will only be capable of filtering IP addresses and TCP
or UDP port numbers. ACL rules will look like what you see in the
image to the right.
Remember: Routers evaluate each rule in an ACL in order from top to bottom.
Once a packet meets the criteria of a rule, the prescribed action is
taken (forward or drop) and the remaining rules in the list are ignored.
If the packet does not meet the criteria of any rule, then the packet is
dropped by default. The next packet received is scanned and evaluated
against the ACL starting over with the first rule in the list. This
process repeats for each packet received by the router.
Secnario: You are a network administrator responsible for an HTTP server at
10.10.10.8, a DNS server at 10.10.10.16, and a SMB file server at
10.10.10.32 and you are tasked with designing an ACL for your
organization's firewall for inbound Internet traffic. Your ACL must
enforce the following criteria:
- The file server is used for storage of important documents and
should not be accessible to external IP addresses.
- The web server hosts the organization website, which must be
accessible to all IP addresses.
- The DNS server provides name resolution for the organization's
domain, which must be available to all IP addresses.
- IP addresses 126.96.36.199 and 188.8.131.52 are prohibited from
accessing any host on your network due to suspected hacking activity
(this overrides any other rule).
Below is your ACL. Initially it just has a rule that forwards
everything (how secure is this??). You can add rules, remove rules and
move rules with the controls below. Build an ACL that meets your
network's requirements, and test with the "Test Firewall" button.
Note: Please review
Service/Protocol/Port Table to remind yourself of the port
numbers and protocols associated with the services you are providing.