Assume you have configured your firewall to allow users to access the Internet without restriction. Because of a change in corporate security policy, you must now place some restrictions on what sites employees can visit. The Gauntlet Firewall includes the ability to restrict access to certain destinations.
This chapter discusses the concepts of creating destination access rules and explains how to configure the firewall to use the destination access rules. The chapter consists of these sections:
The Gauntlet Firewall allows you to specify the sites you do or do not want users to connect to. You can permit or deny access to a destination by:
You can also permit or deny access by service or service group. For example, Yoyodyne's security policy restricts access to several systems on the development network inside their firewall. They are concerned about employees accessing these systems when they come in through the firewall. To implement the security policy, Yoyodyne could create a destination restriction rule that denies access to these systems for the untrusted service group. Or, they could create destination access rules that deny access to these systems for specific services.
Note: The SMTP, X Window System, and SNMP proxy services do not use destination access rules. The SMTP service simply delivers mail between the internal and external mail servers. You cannot permit or deny access to a particular host.
When the firewall receives a request for a particular service, it uses the source address of the request to determine which rule applies. Once the firewall has determined which rule applies (and which service group), it then checks the destination of the request against the destination access rules.
The firewall reads the destination access rules from top to bottom. The firewall uses the first rule that matches. If the destination host in the request matches one of the destination access rules, and that rule indicates that the destination is denied, the firewall denies the request and logs the attempt. If the destination host matches a rule that explicitly permits that destination, the firewall passes the request to the destination host.
Destination access rules follow the rule “That which is not expressly permitted is denied.” This is an important concept to remember, especially when creating access rules that deny access to a particular destination. For example, you want to deny access from your Accounting network to all hosts at Big University. You create a destination access rule that denies access from the accounting service group to *.bigu.edu. This denies access to all hosts at Big University. This rule has the effect of denying access from the Accounting network to all other destinations as well. You have not created a rule that expressly permits access to other destinations, so the firewall denies these requests.
The Gauntlet Firewall includes two default destination access rules. These destination access rules permit the trusted network service group and the untrusted network service group to access any destination.
Order of precedence is extremely important when dealing with destination rules. Applications and services read tables from top to bottom. They use the first rule that applies for a particular attribute. If there are multiple rules that could apply for an attribute in the table, the first one found is the one used. Any subsequent conflicting rules are ignored.
Rules that are higher in the list have a higher order of precedence than rules that are lower in the list. In other words, a higher rule will be interpreted by the firewall before rules further down, and if two rules are encountered that match a given situation but contradict each other, the first one encountered will apply. In general, the more specific rules need to be listed first.
For example, consider the list of destination access rules in Table 4-1.
Table 4-1. Destination Access Rules 1

| Rule | Name | Destination | Access |
|---|---|---|---|
| 1 | Trusted (Group) | *.bigu.edu | Deny |
| 2 | Trusted (Group) | * | Permit |
Rule 1 denies access from the trusted service group to all of the hosts in the bigu.edu domain. Rule 2 permits access for the trusted service group to every other destination.
If Rule 2 were not included, access from the trusted service group would also be denied to every other host. There would be no other rule that explicitly permits this access.
Consider what happens if the rules are reversed (see Table 4-2).

Table 4-2. Destination Access Rules 2

| Rule | Name | Destination | Access |
|---|---|---|---|
| 1 | Trusted (Group) | * | Permit |
| 2 | Trusted (Group) | *.bigu.edu | Deny |
The hosts in the trusted service group can access any host. Because the firewall reads the rules from top to bottom, and stops when it reaches the first match, it never uses Rule 2.
You can specify the destination address by IP address or hostname, or by using the keyword unknown. The firewall converts the destination to the same format as the destination access rule and then compares the values. For example, you create a rule that denies access to ftp.bigu.edu. The firewall receives a request with a destination of 192.168.1.33. The firewall uses DNS to convert 192.168.1.33 into a hostname. DNS reports that this IP address maps to ftp.bigu.edu, and the firewall denies the request.
The following table summarizes the behavior of the firewall.
Table 4-3. Firewall Destination Access Behavior

| Destination in Packet | Destination in Access Rule | Behavior |
|---|---|---|
| IP address | IP address | Compare IP address to IP address. |
| IP address | hostname | Convert IP address to hostname using DNS reverse lookup. Compare hostname to hostname. |
| hostname | IP address | Convert hostname to IP address. Compare IP address to IP address. |
| hostname | hostname | Compare hostname to hostname. |
Every system must have an IP address, but it does not necessarily have a hostname. If a system has no hostname, a DNS lookup on its IP address fails. The lack of a registered hostname may be intentional or it may simply be a misconfigured DNS. When there is no hostname for an IP address, the firewall returns unknown as the hostname.
You can create access rules to permit or deny access to these destinations by using the keyword unknown as the destination. For example, you create an access rule that denies access to destination unknown. The firewall receives a request with a destination of 192.33.112.45. The firewall looks up this IP address, and determines there is no hostname registered in the DNS database for this IP address. The firewall returns unknown as the hostname. The firewall then compares the destination in the request (unknown) to the destination in the access rule (unknown). Because these values match, the firewall denies the request.
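As an added illustration that is not part of the Gauntlet documentation, the following Python models the evaluation described above: rules read top to bottom with the first match winning, denial when nothing matches, conversion of the request destination into the rule's own format as in Table 4-3, and the unknown keyword. The DNS tables are constructed stand-ins for the firewall's lookups, and the service-group selection is assumed to have already taken place.

```python
import fnmatch
import ipaddress

# Constructed reverse-DNS table standing in for the firewall's DNS lookups.
REVERSE_DNS = {
    "192.168.1.33": "ftp.bigu.edu",
    "192.168.1.40": "www.bigu.edu",
    "10.5.5.9": "files.example.com",
}
FORWARD_DNS = {host: ip for ip, host in REVERSE_DNS.items()}

def to_hostname(dest):
    """Reverse-lookup an IP address; an unregistered address becomes 'unknown'."""
    try:
        ipaddress.ip_address(dest)
    except ValueError:
        return dest                      # already a hostname
    return REVERSE_DNS.get(dest, "unknown")

def to_ip(dest):
    """Forward-lookup a hostname; IP addresses pass through unchanged."""
    try:
        return str(ipaddress.ip_address(dest))
    except ValueError:
        return FORWARD_DNS.get(dest)

def rule_matches(pattern, dest):
    """Convert the request destination to the rule's format, then compare (Table 4-3)."""
    if pattern == "unknown":             # hosts with no registered hostname
        return to_hostname(dest) == "unknown"
    try:
        net = ipaddress.ip_network(pattern, strict=False)   # IP or IP/mask rule
    except ValueError:                   # hostname rule, wildcard * allowed
        return fnmatch.fnmatchcase(to_hostname(dest), pattern)
    ip = to_ip(dest)
    return ip is not None and ipaddress.ip_address(ip) in net

def check_destination(rules, dest):
    """Top-to-bottom, first match wins; no matching rule means the request is denied."""
    for pattern, access in rules:
        if rule_matches(pattern, dest):
            return access
    return "Deny"                        # "not expressly permitted is denied"

TABLE_4_1 = [("*.bigu.edu", "Deny"), ("*", "Permit")]   # specific rule first
TABLE_4_2 = [("*", "Permit"), ("*.bigu.edu", "Deny")]   # Rule 2 is never reached
```

Running `check_destination(TABLE_4_2, "ftp.bigu.edu")` returns Permit, which shows why the ordering in Table 4-2 silently disables the deny rule.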
You can create destination access rules that apply to particular services or to service groups. Similarly, you can configure destination restrictions from these two areas of the Gauntlet Firewall Manager.
To access destination rules configuration:

1. From within the Gauntlet Firewall Manager, select Firewall Rules.
2. Select the Service Groups tab. The Service Groups window displays.
3. Click Destinations.

or

1. From within the Gauntlet Firewall Manager, select Services.
2. Select a service that supports configuration sets (such as HTTP or TELNET).
3. Click Add to create a new configuration set or Modify to modify an existing configuration set. The Add or Modify window for the selected service displays.
4. Click Destinations.

The Destination Access window displays.
Configuring destination access rules is discussed in these sections:

When planning destination access rules:

- Remember that the rules follow the paradigm “That which is not expressly permitted is denied.” Make sure your rules do not deny access unintentionally.
- Consider whether you wish to create destination restrictions by IP address or by hostname.
To create destination access rules:

1. Indicate whether you are creating this destination restriction for a single service or for a service group.

| Option | Description |
|---|---|
| Service | Specifies the service for which this destination access rule applies. Select All to make this rule apply to all services. |
| Service Group | Specifies the service group for which this destination access rule applies. |

If you wish to create the same destination access rule for several services or service groups, consider creating one service group to which you can apply the destination access rule. Or, create the same destination access rules for each service or service group.

2. Indicate whether you are creating a permit or deny access rule.

| Option | Description |
|---|---|
| Permit | Specifies that you are explicitly permitting access to this site as a destination. |
| Deny | Specifies that you are explicitly denying access to this site as a destination. |

3. Enter information about the destination.

| Field | Description |
|---|---|
| Address | Enter the IP address or hostname of the system or network to which this rule applies. Specify by IP address, IP address and mask, or hostname. The wildcard * is valid. Enter unknown if you want to permit or deny access to hosts that do not have registered hostnames for their IP addresses. |
| Description | Enter a description for this destination access rule. |

4. Click Add.
5. Order your new destination access rule, as described in “Changing Order of Precedence”, so the firewall uses your new rule in the right order.
To modify destination access rules:

1. Select the destination access rule you want to modify.
2. Modify the information.
3. Click Modify to change the rule.
4. Reorder the rule if necessary.
To delete destination access rules:

1. Select the destination access rule you want to delete.
2. Click Delete.
3. Reorder your remaining rules if necessary.
Remember that the order in which you place your destination access rules is important. The firewall reads the rules from top to bottom and applies the first one that matches. You generally want to place the most restrictive rules first.
To change the order of precedence:

1. Select the destination access rule you want to move.
2. Click Move Up or Move Down as many times as necessary to move the rule to the desired position.