“Holiday Quest” is a Sri Lankan hotel booking company with two branches in Sri Lanka: the head office in Colombo and a branch office in Kandy. Its main business function is to provide a web-based booking engine for a large number of hotels in Sri Lanka and a web-based booking system for customers worldwide. It relies mainly on inventories (hotel details, prices, available rooms) supplied over the web by third-party inventory providers.
Complete network diagram
2. Risk analysis
When designing firewall policies, the risk associated with each network element has to be understood first. A firewall policy dictates how the firewall handles application traffic such as web, email or telnet, and it should also describe how the firewall itself is managed and updated. Some form of risk analysis must be performed on the applications that are necessary for the organization's mission; its result is a list of those applications and of how each of them will be secured.
Internal servers: these must be the most strongly protected elements, because all of the company's sensitive data and all of its business-critical applications reside on them.
Email accessed from external networks, for example while travelling or at conferences, needs special consideration. One way to protect the organizational mail server from direct external access is to run a TLS (SSL) proxy on the main firewall: the firewall terminates the TLS connection and forwards it to the internal proxy/mail server, which serves the mail over the web. External clients therefore never connect to the mail server directly.
| Application | Vulnerability | Impact if sensitive data is compromised | Cost benefit |
|---|---|---|---|
| Booking engine software | DoS attacks, SQL injection | Very high risk to all business functions of the organization: the booking engine is the revenue path. | Preventing attacks is cheaper than remediating after a breach (downtime, data loss, recovery cost). |
| Call centre application | Internal attacks, DoS attacks, phishing attacks | Internal data such as customer information may be leaked to external parties; a call centre that cannot function damages the company's reputation. | Keeping the company's reputation intact protects revenue; customers who trust that their information is secure keep using the service. |
| HR application | Internal attacks | Sensitive employee details such as salary and personal information are exposed and employee satisfaction falls. | Lower employee satisfaction reduces employee productivity. |
2.1 Firewall policies
The following kinds of network traffic should always be blocked at both the branch office and the head office. Each of them is a recognised sign of an attack on the internal network, so they are blocked regardless of the application rules that follow.
1) Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself should be blocked. (This type of packet normally represents a probe or attack against the firewall.)
2) Inbound traffic with a source address indicating that the packet originated on a network behind the firewall should be blocked. (This type of packet represents a spoofing attempt.)
3) Inbound ICMP (Internet Control Message Protocol) traffic from any untrusted network or the Internet should be blocked. (Blocking all ICMP breaks path MTU discovery; in practice ICMP type 3 "destination unreachable", in particular code 4 "fragmentation needed", and type 11 "time exceeded" should still be accepted, while echo requests and the other types are dropped.)
4) Inbound traffic whose source address is in a private (RFC 1918) range should be blocked: such addresses are not routable on the Internet, so the packets are spoofed, and spoofed-source floods of this kind are typical of denial-of-service attacks involving the TCP SYN flag.
5) Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic should be blocked. (These packets can be an indicator that an intruder is probing the network.)
6) Inbound or outbound traffic containing a source or destination address of 127.0.0.1 (localhost) should be blocked. Such traffic is usually an attack against the firewall system itself.
7) Inbound or outbound traffic containing a source or destination address of 0.0.0.0 should be blocked.
8) Inbound or outbound traffic to a directed broadcast address should be blocked. A directed broadcast is used to initiate broadcast amplification attacks such as Smurf.
9) Inbound traffic containing IP source routing options should be blocked, because source routing lets the sender dictate the path a packet takes and so bypass routing-based controls.
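As an added illustration, not part of the original design document, the nine "always block" rules above expressed as a small packet screen in Python. The addresses, the set of firewall interfaces and the sample packets are constructed for this example only; the ICMP rule follows the practitioner caveat that "destination unreachable" and "time exceeded" messages are still accepted so that path MTU discovery keeps working.

```python
import ipaddress

# Assumed addressing for this example (not taken from the design document):
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]        # LAN behind the firewall
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")               # public-facing segment
FIREWALL_ADDRS = {ipaddress.ip_address("203.0.113.1")}         # firewall's own interfaces
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# ICMP kept even though "all ICMP" is blocked, so path MTU discovery and
# traceroute keep working: 3 = destination unreachable, 11 = time exceeded.
ICMP_ALLOWED_TYPES = {3, 11}
SNMP_PORTS = {161, 162}


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def screen(pkt, direction):
    """Return the number (1-9) of the always-block rule that drops pkt, or None.

    pkt is a dict with 'src', 'dst', 'proto' and, depending on proto,
    'dport', 'icmp_type', 'source_route' (IP LSRR/SSRR option present) and
    'authenticated' (True when the packet arrived inside the VPN).
    direction is 'in' (from the Internet) or 'out' (towards the Internet).
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    authenticated = pkt.get("authenticated", False)

    # Rules 6-9 apply in both directions, so they are checked first.
    if src.is_loopback or dst.is_loopback:
        return 6
    if src.is_unspecified or dst.is_unspecified:          # 0.0.0.0
        return 7
    if any(dst == net.broadcast_address for net in INTERNAL_NETS + [DMZ_NET]):
        return 8                                          # directed broadcast
    if pkt.get("source_route"):
        return 9

    if direction == "in":
        if dst in FIREWALL_ADDRS and not authenticated:
            return 1
        if _in_any(src, INTERNAL_NETS):                   # our own addresses from outside
            return 2
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") not in ICMP_ALLOWED_TYPES:
            return 3
        if _in_any(src, PRIVATE_NETS):                    # unroutable source: spoofed
            return 4
        if pkt["proto"] == "udp" and pkt.get("dport") in SNMP_PORTS and not authenticated:
            return 5
    return None


# Constructed sample packets: one per rule, then two that must pass the screen.
SAMPLES = [
    ({"src": "198.51.100.7", "dst": "203.0.113.1", "proto": "tcp", "dport": 22}, "in"),
    ({"src": "10.10.5.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}, "in"),
    ({"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "icmp", "icmp_type": 8}, "in"),
    ({"src": "192.168.1.9", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}, "in"),
    ({"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "udp", "dport": 161}, "in"),
    ({"src": "127.0.0.1", "dst": "203.0.113.10", "proto": "tcp", "dport": 25}, "out"),
    ({"src": "198.51.100.7", "dst": "0.0.0.0", "proto": "tcp", "dport": 80}, "in"),
    ({"src": "198.51.100.7", "dst": "10.10.255.255", "proto": "icmp", "icmp_type": 8}, "in"),
    ({"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 80,
      "source_route": True}, "in"),
    ({"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "icmp", "icmp_type": 3}, "in"),
    ({"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}, "in"),
]


def run_samples():
    """Apply the screen to every sample; returns the list of verdicts in order."""
    return [screen(pkt, direction) for pkt, direction in SAMPLES]


if __name__ == "__main__":
    for (pkt, direction), verdict in zip(SAMPLES, run_samples()):
        outcome = "pass" if verdict is None else f"block by rule {verdict}"
        print(f"{direction:>3} {pkt['src']:>15} -> {pkt['dst']:<15} {pkt['proto']:<4} {outcome}")
```

The screen runs before the application rules in the sections that follow: a packet that passes it has only cleared the sanity checks and still has to match an ALLOW row in the router or server rule-set. Checking the direction-independent rules (6-9) first means a directed broadcast or a source-routed packet is caught even when it also carries an otherwise acceptable protocol.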
3. Head office branch and firewall policies
Most of the technical operations are handled by the head office, including the following:
- Booking engine software design and development
- Handling customer calls through VoIP (main VoIP server)
- Maintaining the company mail server
- Maintaining the primary DNS server (the secondary is at the Kandy branch)
- Main VPN server: the Kandy branch connects to the head office VPN server to access the main MIS system
- Maintaining the call centre application
- Maintaining the company HR application
- Normal office work of the organization (salary, leave)
Head office network diagram
3.1. Main router/External firewall policies
1) SMTP (TCP port 25) is allowed incoming and outgoing between the head office mail server and any host, and TCP port 80 is allowed from any host to the public web server.
2) TCP and UDP port 53 (incoming/outgoing) are allowed in the router access control list: UDP 53 for DNS queries and TCP 53 for zone transfers. The primary DNS server is at the head office and the secondary DNS server at the branch office; TCP 53 is allowed from the secondary to the primary so that the secondary can pull zone updates.
3) TCP port 1723 is allowed in the router (incoming/outgoing) so that the branch office can initiate PPTP VPN connections to the head office VPN server. PPTP carries the tunnelled data in GRE (IP protocol 47), which must also be permitted in both directions or the tunnel will authenticate but pass no traffic. Note that PPTP's MS-CHAPv2 authentication is known to be weak; an IPsec or TLS-based VPN is the stronger choice.
4) Branch office VoIP IP addresses are allowed to connect to the head office VoIP server. Because the voice (RTP) streams use dynamic UDP ports in the range 10,000 to 65,535, the router allows UDP traffic in that range, but only between the branch office VoIP addresses and the head office VoIP server; the range is wide, so the source restriction is what keeps this rule safe.
5) Incoming/outgoing HTTP requests between the branch office and the head office reverse proxy are allowed.
6) All other incoming and outgoing traffic is denied (explicit deny-all at the end of the router ACL).
3.2. Server based firewall policies (DMZ)
1) Proxy server (acts as a reverse proxy with authentication): accepts incoming connections on TCP port 80 from the branch office IP subnet on the LAN interface, and SSH (TCP port 22) from the local subnet. The LAN interface policy allows the reverse proxy to connect only to the MIS server (company intranet cluster); all other traffic from the reverse proxy is blocked.
2) Mail server: allows incoming/outgoing SMTP (TCP port 25) to and from any host. On the LAN interface, TCP port 110 (POP3) is allowed from the head office subnet; POP3 on port 110 carries credentials in clear text, so POP3S (995) or IMAPS should be preferred if the server supports them. Web mail is enabled and TCP port 80 is allowed from outside; to keep the mail server off the Internet, this should be exposed through the TLS proxy on the main firewall described in section 2 rather than as plain HTTP. SSH (TCP port 22) is allowed from the local subnet.
3) VPN server: on the WAN interface, incoming TCP port 1723 from the branch office is allowed; on the LAN interface, TCP port 22 is allowed for LAN users. The output policy allows VPN clients to reach any LAN subnet.
4) DNS server: on the WAN interface, TCP port 53 is allowed from the secondary DNS server at the branch office (zone transfers), and UDP port 53 is allowed for outgoing queries.
5) VoIP server: on the WAN interface, incoming/outgoing UDP in the port range 10,000 to 65,535 is allowed to and from the branch office VoIP addresses. On the LAN interface, TCP port 22 (SSH) and TCP port 5060 (SIP) are enabled; LAN IP phones register over TCP port 5060.
6) Web/database server cluster: TCP port 80 is allowed from the LAN side.
3.3. Router based firewall policy rule-set
| Policy | Direction | Src Addr | Dest Addr | Protocol | Src Port | Dest Port | Action |
|---|---|---|---|---|---|---|---|
| 1 | IN | ANY | Mail Server | TCP | > 1023 | 25 | ALLOW |
| 1 | OUT | Mail Server | ANY | TCP | > 1023 | 25 | ALLOW |
| 1 | IN | ANY | Web Server | TCP | > 1023 | 80 | ALLOW |
| 1 | OUT | Web Server | ANY | TCP | 80 | > 1023 | ALLOW |
| 2 | IN | ANY | Primary DNS | UDP | 53 | 53 | ALLOW |
| 2 | OUT | Primary DNS | ANY | UDP | 53 | 53 | ALLOW |
| 2 | IN | ANY | Primary DNS | UDP | > 1023 | 53 | ALLOW |
| 2 | OUT | Primary DNS | ANY | UDP | 53 | > 1023 | ALLOW |
| 2 | IN | Secondary DNS | Primary DNS | TCP | > 1023 | 53 | ALLOW |
| 2 | OUT | Primary DNS | Secondary DNS | TCP | 53 | > 1023 | ALLOW |
| 3 | IN | Branch office | VPN Server | TCP | > 1023 | 1723 | ALLOW |
| 3 | OUT | VPN Server | Branch office | TCP | 1723 | > 1023 | ALLOW |
| 4 | IN | Branch VoIP | VoIP Server | UDP | > 10000 | > 10000 | ALLOW |
| 4 | OUT | VoIP Server | Branch VoIP | UDP | > 10000 | > 10000 | ALLOW |
| 5 | IN | Branch office | Reverse Proxy | TCP | > 1023 | 80 | ALLOW |
| 5 | OUT | Reverse Proxy | Branch office | TCP | 80 | > 1023 | ALLOW |
| 6 | IN | ANY | ANY | ANY | ANY | ANY | DENY |
| 6 | OUT | ANY | ANY | ANY | ANY | ANY | DENY |

Policy 3 additionally requires GRE (IP protocol 47) between the branch office and the VPN server in both directions, since PPTP carries the tunnelled data in GRE rather than in the TCP 1723 control connection.
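The rule-set above is written as a stateless ACL: each row matches one direction only, and the replies of a connection have to be matched by a row of their own (the "Src Port 80, Dest Port > 1023" rows). As an added example, not part of the original design, the following Python transcribes policies 1, 2 and 6 from the table and evaluates them first-match, once as a plain stateless ACL and once behind a connection-tracking table as a stateful firewall would. Host labels, the Internet host and the port numbers used in the demonstration are constructed for this example.

```python
from dataclasses import dataclass

# Host labels stand in for the addresses in the table (assumed, not from the document).
MAIL, WEB, PDNS, SDNS = "mail-server", "web-server", "primary-dns", "secondary-dns"
ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    direction: str  # "IN" or "OUT"
    src: str        # host label or ANY
    dst: str
    proto: str      # "tcp", "udp" or ANY
    sport: str      # "25", ">1023" or ANY
    dport: str
    action: str     # "ALLOW" or "DENY"


def _port_ok(spec, port):
    if spec == ANY:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def _matches(rule, direction, src, dst, proto, sport, dport):
    return (rule.direction == direction
            and rule.src in (ANY, src)
            and rule.dst in (ANY, dst)
            and rule.proto in (ANY, proto)
            and _port_ok(rule.sport, sport)
            and _port_ok(rule.dport, dport))


# Policies 1, 2 and 6 of the router table, in table order.
RULES = [
    Rule("IN", ANY, MAIL, "tcp", ">1023", "25", "ALLOW"),     # inbound SMTP delivery
    Rule("OUT", MAIL, ANY, "tcp", ">1023", "25", "ALLOW"),    # outbound SMTP
    Rule("IN", ANY, WEB, "tcp", ">1023", "80", "ALLOW"),      # clients to web server
    Rule("OUT", WEB, ANY, "tcp", "80", ">1023", "ALLOW"),     # web server replies
    Rule("IN", ANY, PDNS, "udp", ">1023", "53", "ALLOW"),     # DNS queries
    Rule("OUT", PDNS, ANY, "udp", "53", ">1023", "ALLOW"),    # DNS answers
    Rule("IN", SDNS, PDNS, "tcp", ">1023", "53", "ALLOW"),    # zone transfer from secondary
    Rule("IN", ANY, ANY, ANY, ANY, ANY, "DENY"),              # policy 6
    Rule("OUT", ANY, ANY, ANY, ANY, ANY, "DENY"),
]

# The same policy for a stateful device: the "reply" rows (source = service port,
# destination > 1023) are dropped because connection tracking admits replies itself.
STATEFUL_RULES = [r for r in RULES if r.dport != ">1023"]


def stateless(rules, direction, src, dst, proto, sport, dport):
    """First match wins, exactly as a router ACL is processed; implicit deny at the end."""
    for rule in rules:
        if _matches(rule, direction, src, dst, proto, sport, dport):
            return rule.action
    return "DENY"


class StatefulFilter:
    """Wraps the ACL with a connection table: a packet that is the reverse of a
    flow the ACL already allowed is accepted without needing a rule of its own."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def check(self, direction, src, dst, proto, sport, dport):
        opposite = "IN" if direction == "OUT" else "OUT"
        if (opposite, dst, src, proto, dport, sport) in self.flows:
            return "ALLOW"                      # reply to an established flow
        verdict = stateless(self.rules, direction, src, dst, proto, sport, dport)
        if verdict == "ALLOW":
            self.flows.add((direction, src, dst, proto, sport, dport))
        return verdict


def demo():
    """Constructed traffic: an Internet host using ephemeral port 40000."""
    ext, eph = "internet-host", 40000
    sf = StatefulFilter(STATEFUL_RULES)
    return {
        # SMTP delivery: the SYN is allowed, but the table has no row for the mail
        # server's replies (src 25 -> dst > 1023), so a stateless router drops them.
        "smtp_syn_stateless": stateless(RULES, "IN", ext, MAIL, "tcp", eph, 25),
        "smtp_reply_stateless": stateless(RULES, "OUT", MAIL, ext, "tcp", 25, eph),
        "smtp_syn_stateful": sf.check("IN", ext, MAIL, "tcp", eph, 25),
        "smtp_reply_stateful": sf.check("OUT", MAIL, ext, "tcp", 25, eph),
        # Cost of the stateless reply row: a compromised web server may open any
        # outbound connection at all as long as it binds source port 80.
        "web_shell_stateless": stateless(RULES, "OUT", WEB, ext, "tcp", 80, 4444),
        "web_shell_stateful": sf.check("OUT", WEB, ext, "tcp", 80, 4444),
        # Zone transfers are restricted to the secondary; a stranger is denied.
        "axfr_stranger": stateless(RULES, "IN", ext, PDNS, "tcp", eph, 53),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<22} {verdict}")
```

Two things fall out of running it. The mail rows only work on a stateful device, because the table never permits the mail server's own reply segments; and the stateless reply row for the web server (source 80, destination > 1023) is exactly the hole a compromised DMZ host uses to call out, which the stateful variant closes by dropping that row and relying on the connection table instead. Whichever firewall is chosen in section 5, the rule-set should be written for the semantics that device actually has.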
3.4. Server based firewall policy rule-set
| Policy | Direction | Src Addr | Dest Addr | Protocol | Src Port | Dest Port | Action |
|---|---|---|---|---|---|---|---|
| 1 | IN | Branch subnet | Proxy | TCP | > 1023 | 80 | ALLOW |
| 1 | OUT | Proxy | Branch subnet | TCP | 80 | > 1023 | ALLOW |
| 1 | IN | LAN subnet | Proxy | TCP | > 1023 | 22 | ALLOW |
| 1 | OUT | Proxy | LAN subnet | TCP | 22 | > 1023 | ALLOW |
| 2 | IN | ANY | Mail server | TCP | > 1023 | 25 | ALLOW |
| 2 | OUT | Mail server | ANY | TCP | > 1023 | 25 | ALLOW |
| 2 | IN | LAN subnet | Mail server | TCP | > 1023 | 22 | ALLOW |
| 2 | OUT | Mail server | LAN subnet | TCP | 22 | > 1023 | ALLOW |
| 2 | IN | LAN subnet | Mail server | TCP | > 1023 | 110 | ALLOW |
| 2 | OUT | Mail server | LAN subnet | TCP | 110 | > 1023 | ALLOW |
| 2 | IN | ANY | Mail server | TCP | > 1023 | 80 | ALLOW |
| 2 | OUT | Mail server | ANY | TCP | 80 | > 1023 | ALLOW |
| 3 | IN | Branch office | VPN | TCP | > 1023 | 1723 | ALLOW |
| 3 | IN | LAN subnet | VPN | TCP | > 1023 | 22 | ALLOW |
| 3 | OUT | VPN | LAN subnet | ANY | ANY | ANY | ALLOW |
| 4 | IN | Secondary DNS | DNS server | TCP | > 1023 | 53 | ALLOW |
| 4 | OUT | DNS server | ANY | UDP | > 1023 | 53 | ALLOW |
| 4 | IN | LAN subnet | DNS server | TCP | > 1023 | 22 | ALLOW |
| 4 | OUT | DNS server | LAN subnet | TCP | 22 | > 1023 | ALLOW |
| 5 | IN | Branch VoIP | VoIP Server | UDP | > 10000 | > 10000 | ALLOW |
| 5 | OUT | VoIP Server | Branch VoIP | UDP | > 10000 | > 10000 | ALLOW |
| 5 | IN | LAN subnet | VoIP Server | TCP | > 1023 | 22/5060 | ALLOW |
| 5 | OUT | VoIP Server | LAN subnet | TCP | 22/5060 | > 1023 | ALLOW |
| 5 | IN | LAN subnet | VoIP Server | UDP | > 10000 | > 10000 | ALLOW |
| 6 | IN | LAN subnet | MIS server | TCP | > 1023 | 80 | ALLOW |
| 6 | IN | Proxy | MIS server | TCP | > 1023 | 80 | ALLOW |
| 6 | OUT | MIS server | LAN subnet | TCP | 80 | > 1023 | ALLOW |
4. Branch office at Kandy and its operations
The branch office handles most of the marketing functions. Customer calls are diverted to the head office customer-care call centre, which provides round-the-clock service over VoIP, and branch employees connect to the head office VPN server to access MIS reports.
- Maintaining the secondary DNS server (the primary is at the head office)
- Maintaining the secondary email server (mail relay)
- Maintaining the backup database server
- Functioning as the storage location for tape backups
- Call centre functionality
Branch office network diagram
4.1. Branch office firewall policies
1) Accept SMTP traffic from the head office mail server to the branch office network; accepted SMTP connections are passed on to the dedicated mail relay on the internal branch network.
2) Outbound/inbound HTTP (web) traffic is permitted to the internal firewall, where it is passed to the HTTP proxy server and then on to external web sites.
3) Outgoing VPN connections to the head office VPN server are allowed (TCP port 1723, plus GRE for the PPTP data channel).
4) Outgoing UDP traffic is allowed from the branch office VoIP IP addresses to the head office VoIP server.
5) TCP and UDP port 53 (incoming/outgoing) are allowed in the router access control list: UDP 53 for queries and TCP 53 for zone transfers. The primary DNS server is at the head office, so the branch secondary is allowed to connect to TCP port 53 on the head office primary.
6) All other inbound traffic is blocked.
4.2 Router based firewall policy rule-set
| Policy | Direction | Src Addr | Dest Addr | Protocol | Src Port | Dest Port | Action |
|---|---|---|---|---|---|---|---|
| 1 | IN | ANY | Mail Relay | TCP | > 1023 | 25 | ALLOW |
| 2 | OUT | HTTP proxy | ANY | TCP | > 1023 | 80 | ALLOW |
| 2 | IN | ANY | HTTP proxy | TCP | 80 | > 1023 | ALLOW |
| 2 | OUT | Branch office | Head office reverse proxy | TCP | > 1023 | 80 | ALLOW |
| 3 | OUT | Branch office | VPN Server | TCP | > 1023 | 1723 | ALLOW |
| 3 | IN | VPN Server | Branch office | TCP | 1723 | > 1023 | ALLOW |
| 4 | OUT | Branch VoIP | VoIP Server | UDP | > 10000 | > 10000 | ALLOW |
| 4 | IN | VoIP Server | Branch VoIP | UDP | > 10000 | > 10000 | ALLOW |
| 5 | IN | ANY | Secondary DNS | UDP | 53 | 53 | ALLOW |
| 5 | OUT | Secondary DNS | ANY | UDP | 53 | 53 | ALLOW |
| 5 | IN | ANY | Secondary DNS | UDP | > 1023 | 53 | ALLOW |
| 5 | OUT | Secondary DNS | ANY | UDP | 53 | > 1023 | ALLOW |
| 5 | OUT | Secondary DNS | Primary DNS | TCP | > 1023 | 53 | ALLOW |
| 5 | IN | Primary DNS | Secondary DNS | TCP | 53 | > 1023 | ALLOW |
| 6 | IN | ANY | ANY | ANY | ANY | ANY | DENY |
| 6 | OUT | ANY | ANY | ANY | ANY | ANY | DENY |

As at the head office, policy 3 also needs GRE (IP protocol 47) in both directions for the PPTP tunnel to carry data.
4.3. Server based firewall policies
1) Proxy server (acts as a reverse proxy with authentication): accepts incoming connections on TCP port 80 from the head office IP subnet on the LAN interface, and SSH (TCP port 22) from the local subnet. The LAN interface policy allows the reverse proxy to connect only to the MIS server (company intranet cluster); all other traffic from the reverse proxy is blocked.
2) Mail relay: allows incoming/outgoing SMTP (TCP port 25) to and from any host. On the LAN interface, TCP port 110 (POP3) is allowed from the branch office subnet. Web mail is enabled and TCP port 80 is allowed from outside; as at the head office, this should be exposed through a TLS proxy rather than as plain HTTP. SSH (TCP port 22) is allowed from the local subnet.
3) DNS server: on the WAN interface, TCP port 53 is allowed to the head office primary DNS server so that the secondary can pull zone transfers, and UDP port 53 is allowed for outgoing queries.
4) Database backup server: TCP port 5112 is allowed from the LAN side and from the head office side.
4.4. Server based firewall policy rule-set
| Policy | Direction | Src Addr | Dest Addr | Protocol | Src Port | Dest Port | Action |
|---|---|---|---|---|---|---|---|
| 1 | IN | Head office subnet | Proxy | TCP | > 1023 | 80 | ALLOW |
| 1 | OUT | Proxy | Head office subnet | TCP | 80 | > 1023 | ALLOW |
| 1 | IN | LAN subnet | Proxy | TCP | > 1023 | 22 | ALLOW |
| 1 | OUT | Proxy | LAN subnet | TCP | 22 | > 1023 | ALLOW |
| 2 | IN | ANY | Mail Relay | TCP | > 1023 | 25 | ALLOW |
| 2 | OUT | Mail Relay | ANY | TCP | > 1023 | 25 | ALLOW |
| 2 | IN | LAN subnet | Mail Relay | TCP | > 1023 | 22 | ALLOW |
| 2 | OUT | Mail Relay | LAN subnet | TCP | 22 | > 1023 | ALLOW |
| 2 | IN | LAN subnet | Mail Relay | TCP | > 1023 | 110 | ALLOW |
| 2 | OUT | Mail Relay | LAN subnet | TCP | 110 | > 1023 | ALLOW |
| 2 | IN | ANY | Mail Relay | TCP | > 1023 | 80 | ALLOW |
| 2 | OUT | Mail Relay | ANY | TCP | 80 | > 1023 | ALLOW |
| 3 | OUT | DNS server | Primary DNS | TCP | > 1023 | 53 | ALLOW |
| 3 | OUT | DNS server | ANY | UDP | > 1023 | 53 | ALLOW |
| 3 | IN | LAN subnet | DNS server | TCP | > 1023 | 22 | ALLOW |
| 3 | OUT | DNS server | LAN subnet | TCP | 22 | > 1023 | ALLOW |
| 4 | IN | LAN subnet | DB backup server | TCP | > 1023 | 80 | ALLOW |
| 4 | OUT | DB backup server | LAN subnet | TCP | 80 | > 1023 | ALLOW |
5. Choosing a firewall for the design
When determining what type of firewall the organization should use, it is important to identify the specific requirements, analyse the current network infrastructure and use that information as the basis for the decision.
Most high-quality firewalls today, including the five compared here (Check Point Power-1, BorderWare, GB-2000X, SmoothWall and pfSense), provide the basic functionality:
- NAT, with differing categories of NAT support.
- Protection against viruses and malicious code, where the payload (content) of the packet is inspected.
- Definition of firewall rules specifying which traffic may enter and leave the network. This is the most important configuration on a firewall; how flexible the rules can be differs between products.
- VPN support with protocols such as IPsec, OpenVPN and SSL/TLS.
Access control is another important firewall function. Authentication lets network administrators restrict access by specific users to specific services and resources, and also lets them track user activity and unauthorized attempts to reach protected networks or services. In this comparison only GB-2000X and SmoothWall offer it, which is surprising for a feature this basic.
Auditing and logging is another important feature. When a firewall is configured to log audit events, the information can be kept and analysed later, and the firewall can generate statistics from what it collects; those statistics are useful for policy decisions about network utilization. In this comparison only GB-2000X and pfSense provide logging capabilities; the absence of such an important feature should be counted as a drawback.
One of the organization's most important requirements is handling customer calls over VoIP. Voice, video and messaging let organizations reach new levels of productivity and customer care, but bring IT and security challenges of their own, such as DoS, call hijacking and service theft, so it matters that the firewall can protect voice applications. Of the firewalls compared, only Check Point Power-1 and BorderWare provide VoIP security.
Throughput is an important performance measure for firewall devices. Vendors frequently publish no comparable figures and simply describe the product as high-performance; of the five firewalls here only Check Point Power-1 states its throughput: 14 Gbps firewall throughput and up to 6.1 Gbps with intrusion prevention enabled. BorderWare, the next contender, is an application-level proxy firewall: all incoming and outgoing traffic is inspected at the application layer, which gives deeper inspection but is inevitably slower than packet filtering.
On the features and facts above, Check Point Power-1 is the most suitable firewall for 'Holiday Quest'. In addition, Check Point Power-1 offers:
- A well-designed GUI that lets less IT-literate users set up and manage the firewall.
- Support for a large number of third-party add-ons, making it the most feature-rich of the firewalls compared.
- Software upgrades for users with support contracts.