DMZ Firewall Solution Intel Express Routers 9515, 9525 and 9535
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT.
DMZ Firewall Solution for the Express Router

Table of Contents
1 Introduction 3
1.1 About This Document 3
1.2 References 3
1.3 What is a DMZ ...
1 Introduction

1.1 About This Document

This document explains how to configure a secure Internet solution using the second LAN interface of the Intel Express router as a DMZ. The DMZ setup is explained through two example solutions, a Single IP Address Solution and a Multiple IP Address Solution. It is assumed that you have a solid understanding of networking concepts and experience in using the Express Router.

1.
The purpose of this setup is to prohibit any direct data transmission between the Internet and the secure network. All data must go through proxy servers on the DMZ. We recommend that you set up the DMZ on the LAN2 (10 Mbps) port and your secure network on the LAN1 (100/10 Mbps) port.
2.2 Routing Setup

Do not use RIP on the WAN interface or the DMZ interface. This prevents intruders from corrupting the routing table. If there is more than one internal network, the router must not be used as the primary gateway, because the router configuration only allows the router to forward packets to the DMZ network.

2.3 DNS Setup

Some of the services on the DMZ network require external DNS queries.
3 DMZ Single IP Address Solution

This solution explains how to set up a DMZ solution when the Internet service provider (ISP) has assigned a single IP address to your network.

Figure: example network for the single IP address solution. DMZ network 10.2.0.0 on the LAN2 port (10.2.0.10): HTTP/FTP proxy server 10.2.0.1, HTTP/FTP (Web) server 10.2.0.2, SMTP server 10.2.0.3, News (proxy) server 10.2.0.4. Secure network on the LAN1 port: Mail server 10.5.0.1, News server 10.5.0.2. Internet: DNS server 194.25.6.4, News (NNTP) server 196.24.5.8.
Note: The order of the NAT entries is important.

NAT entries are defined as follows:
Entry 1: Directs all incoming HTTP requests to the Web server.
Entry 2: Directs all incoming FTP requests to the Web server.
Entry 3: Directs all incoming SMTP requests to the SMTP server.
Entry 4: Directs all incoming NNTP requests to the News server.
Entry 5: Directs all other incoming traffic to the DMZ.

3.
Filters are defined as follows:
Default: Prohibits users on the secure network from accessing the Internet. Settings: Default Action: Discard
Filter 1: Allows access to the HTTP/FTP proxy server on the DMZ.
Filter 2: Allows access to the SMTP server on the DMZ.
Filter 3: Allows access to the News (proxy) server on the DMZ.
Filter 4: Allows access to the router from the private LAN.
Settings fields for filters 1 to 4: Action, Protocol, Dest. address type, Dest. address, Src. address type.
Filters 2 and 3: Allows FTP (only passive connections) from the secure LAN to the FTP proxy server on the DMZ (see note 1). Two filters are required.
Filter 4: Allows incoming mail (SMTP) from the DMZ to the secure LAN.
Filter 5: Allows outgoing mail (SMTP) from the secure LAN to the DMZ.
Filter 6: Allows incoming News (NNTP) from the DMZ to the secure LAN (see note 2).
Filter 7: Allows outgoing News (NNTP) to the DMZ from the secure LAN.
Settings fields: Src. address, Src. ...
07-12-99 Version 1.0
Filter 8: Sends all packets generated by the router to the secure LAN (LAN1).
Settings (values as shown in the table): Dest. address: 10.5.0.2; Dest. port: > 1023; Src. address type: Host; Src. address: 10.2.0.4; Src. port: = 119. Action: Pass; Protocol: TCP; TCP flags: All; Dest. address type: All; Dest. port: All; Src. address type: Host; Src. address: ; Src. port: All.
Note 1: Some proxy servers, such as Microsoft Proxy* 2.0, do not support FTP proxy using the FTP protocol.
Filters 1 to 8 are defined as follows:
Default: Pass all packets destined for the DMZ.
Filter 1: Prevents RIP updates from entering the DMZ network.
Filter 2: Prevents tunnel packets from entering the DMZ network.
Settings fields: Default Action; Action, Protocol, Dest. address type, Dest. port, Src. address type, Src. port.
Filter 9: Discards all ICMP packets entering the DMZ network. This prevents the router from reporting the IP netmask.
Filters 10 to 13: Discards all packets to open router ports. Four filters are required.
Settings fields: Src. address type, Src. address, Src. port, Action, Protocol, Dest. address type, Dest. address, Dest. port.
3.3.3 Internet Connection Filters

3.3.3.1 Receive (Rx) Filters on the Connection to the Internet

Configure these receive filters for the Internet connection, shown as they appear in Advanced Setup.

Filters are defined as follows:
Default: Prohibits users on the secure network from accessing the Internet. Settings: Default Action: Discard
Filter 1: Allows HTTP from the Internet to the HTTP/FTP server on the DMZ.
Settings fields: Action, Protocol, TCP flags, Dest. ...
Filters 2 to 4: Allows FTP (both active and passive) from the Internet to the HTTP/FTP server on the DMZ. Three filters are required.
Filter 5: Allows external ping to the HTTP/FTP server on the DMZ.
Filter 6: Allows external HTTP from the HTTP/FTP proxy on the DMZ.
Filters 7 and 8: Allows external FTP from the HTTP/FTP proxy server on the DMZ (see note 1). Two filters are required.
Settings fields: Action, Protocol, TCP flags, Dest. address type, Dest. address, Dest. port, Src. ...
Filters 9 and 10: Allows DNS reply to the HTTP/FTP proxy server on the DMZ. Two filters are required.
Filters 11 and 12: Allows DNS reply to the SMTP server on the DMZ. Two filters are required.
Filter 13: Allows incoming mail (SMTP) from any host on the Internet to the DMZ.
Filter 14: Allows outgoing mail (SMTP) to any host on the Internet from the DMZ.
Settings fields: Dest. address, Dest. port, Src. address type, Src. port, Action, Protocol, TCP flags, Dest. ...
Filter 15: Allows incoming News (NNTP) from a specified external News server to the DMZ (see note 2).
Filter 16: Allows outgoing News (NNTP) to a specified external News server from the DMZ.
Settings fields: Action, Protocol, TCP flags, Dest. address type, Dest. address, Dest. port, Src. address type, Src. address, Src. port.
4 DMZ Multiple IP Address Solution

This solution explains how to set up a DMZ when the ISP supplies you with multiple IP addresses. In the example, the ISP has assigned the site a range of IP addresses: 193.84.251.0 to 193.84.251.7 (subnet mask 255.255.255.248).

Figure: example network for the multiple IP address solution. DMZ network 193.84.251.0: HTTP/FTP proxy server 193.84.251.1, HTTP/FTP server 193.84.251.2, SMTP server 193.84.251.3, News server 193.84.251.4. Internet: DNS server 194.25.6.4, News (NNTP) server 196.24.5.8. Secure network: Mail server, News server.
4.3 Network Address Translation (NAT)

Because the secure private networks on LAN1 use public IP addresses (89.20.0.0 and 90.20.0.0), configure NAT to translate these addresses to private IP addresses. For example, NAT will translate the E-mail server address from 89.20.0.1 to 10.1.0.1, the NNTP server address from 89.20.0.2 to 10.1.0.2, and the LAN1 address from 89.20.0.10 to 10.1.0.10.

Note: When adding filter entries, the internal addresses must be used.
Filters are defined as follows:
Default: Prohibits internal users from accessing the Internet. Settings: Default Action: Discard
Filter 1: Allows access to the HTTP/FTP proxy server on the DMZ.
Filter 2: Allows access to the SMTP server on the DMZ.
Filter 3: Allows access to the News (proxy) server on the DMZ.
Filter 4: Allows access to the router from the private LAN.
Settings fields for filters 1 to 4: Action, Protocol, Dest. address type, Dest. address, Src. address type.
Filters 2 and 3: Allows FTP (only passive connections) from the secure LAN to the FTP proxy server on the DMZ (see note 1). Two filters are required.
Filter 4: Allows incoming mail (SMTP) from the DMZ to the secure LAN.
Filter 5: Allows outgoing mail (SMTP) from the secure LAN to the DMZ.
Filter 6: Allows incoming News (NNTP) from the DMZ to the secure LAN (see note 2).
Filter 7: Allows outgoing News (NNTP) to the DMZ from the secure LAN.
Settings fields: Src. ...
Filter 8: Sends all packets generated by the router to the internal LAN (LAN1).
Settings (values as shown in the table): Dest. port: > 1023; Src. address type: Host; Src. address: 193.84.251.4; Src. port: 119. Action: Pass; Protocol: TCP; TCP flags: All; Dest. address type: All; Dest. port: All; Src. address type: Host; Src. address: ; Src. port: All.
Note 1: Some proxy servers, such as Microsoft Proxy* 2.0, do not support FTP proxy using the FTP protocol.
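As an added example (not part of the Intel document), the following Python models how an ordered Express Router filter list with a Default Action decides on a packet, using the NNTP entry whose settings the document shows in full for both the single IP address solution (section 3) and the multiple IP address solution above. First-match evaluation, the packet dictionary format and the names `Filter`, `evaluate`, `lan1_filters` and `pkt` are this example's assumptions; the addresses and ports are the document's, with 10.1.0.2 being the internal (post-NAT) address of the NNTP server given in section 4.3.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Filter:
    """One filter entry, using the field names of the Express Router tables."""
    function: str
    action: str            # "Pass" or "Discard"
    protocol: str = "All"  # "TCP", "UDP", "ICMP" or "All"
    dst: str = "All"       # host or network in CIDR form, or "All"
    dst_port: str = "All"  # "= 119", "> 1023" or "All"
    src: str = "All"
    src_port: str = "All"

def _addr_ok(spec, addr):
    return spec == "All" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    if spec == "All":
        return True
    op, val = spec.split()
    return {"=": port == int(val), ">": port > int(val), "<": port < int(val)}[op]

def evaluate(filters, default_action, pkt):
    """First-match evaluation (this example's assumption): the first entry whose
    protocol, addresses and ports all match decides; otherwise the Default Action."""
    for f in filters:
        if (f.protocol in ("All", pkt["proto"]) and _addr_ok(f.dst, pkt["dst"])
                and _port_ok(f.dst_port, pkt["dport"]) and _addr_ok(f.src, pkt["src"])
                and _port_ok(f.src_port, pkt["sport"])):
            return f.action, f.function
    return default_action, "Default Action"

def lan1_filters(dmz_news, secure_news):
    """The NNTP entry shown in the document: DMZ news server port 119 to the
    secure-LAN news server, port above 1023. Single IP: 10.2.0.4 / 10.5.0.2;
    multiple IP: 193.84.251.4 / 10.1.0.2 (internal address, per section 4.3)."""
    return [Filter("Allows incoming News (NNTP) from DMZ to secure LAN", "Pass", "TCP",
                   dst=secure_news, dst_port="> 1023", src=dmz_news, src_port="= 119")]

def pkt(src, sport, dst, dport, proto="TCP"):
    """Constructed sample packet (not a capture)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

if __name__ == "__main__":
    lan1 = lan1_filters("10.2.0.4", "10.5.0.2")
    print(evaluate(lan1, "Discard", pkt("10.2.0.4", 119, "10.5.0.2", 2049)))    # NNTP reply: Pass
    print(evaluate(lan1, "Discard", pkt("10.2.0.4", 119, "10.5.0.1", 2049)))    # to the mail server: Discard
    print(evaluate(lan1, "Discard", pkt("196.24.5.8", 119, "10.5.0.2", 2049)))  # direct from Internet: Discard
```

The last sample shows the point of the Default Action: an Internet host is discarded even on the NNTP port, because only the DMZ news server is named as source.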
Filter 2: Prevents tunnel packets from entering the DMZ network.
Filters 3 to 5: Prevents RSVP packets from entering the DMZ network/router. Three separate filters are required.
Filter 6: Prevents BootP updates from entering the DMZ network/router.
Filters 9 and 10: Discards all ICMP packets entering the DMZ network. This prevents the router from reporting the IP netmask. These filters must include all IP addresses on the router, including the WAN IP address if the router is using numbered links. Two filters are required.
Filters 11 to 14: Discards all packets to open router ports. Four filters are required.
Settings fields: Action, Protocol, Dest. address type, Dest. address, Src. ...
4.4.2.2 Transmit (Tx) Filters on LAN2

Set the default action to Pass.

4.4.3 Internet Connection Filters

4.4.3.1 Receive (Rx) Filters on the Connection to the Internet

The required receive filters for the Internet connection, shown as they appear in Advanced Setup.

Filters are defined as follows:
Default: Prohibits users on the secure network from accessing the Internet.
Filter 1: Allows HTTP from the Internet to the HTTP/FTP server on the DMZ.
Filters 2 to 4: Allows FTP (both active and passive) from the Internet to the HTTP/FTP server on the DMZ. Three filters are required.
Filter 5: Allows external ping to the HTTP/FTP server on the DMZ.
Filter 6: Allows external HTTP from the HTTP/FTP proxy on the DMZ.
Filters 7 and 8: Allows external FTP from the HTTP/FTP proxy server on the DMZ (see note 1). Two filters are required.
Settings fields: Src. port, Action, Protocol, TCP flags, Dest. address type, Dest. ...
Filters 9 and 10: Allows DNS reply to the HTTP/FTP proxy server on the DMZ. Two filters are required.
Filters 11 and 12: Allows DNS reply to the SMTP server on the DMZ. Two filters are required.
Filter 13: Allows incoming mail (SMTP) from any host on the Internet to the DMZ.
Settings fields: Action, Protocol, TCP flags, Dest. address type, Dest. address, Dest. port, Src. address type, Src. port.
Filter 14: Allows outgoing mail (SMTP) to any host on the Internet from the DMZ.
Filter 15: Allows incoming News (NNTP) from a specified external News server to the DMZ (see note 2).
Filter 16: Allows outgoing News (NNTP) to a specified external News server from the DMZ.
Settings fields: Action, Protocol, TCP flags, Dest. address type, Dest. address, Dest. port, Src. address type, Src. port, Src. ...