Figure 12-5 shows a diagram of a three-part firewall system. The outside filtering router restricts
Telnet access to itself, uses static routing only (no dynamic routing protocol that an attacker could
feed false routes into), and stores its passwords in encrypted form. It permits access to the bastion
hosts only on specific TCP/UDP port numbers. Use the established keyword to allow inbound TCP packets
that belong to TCP sessions opened from the inside. Note that established matches any TCP segment with
the ACK or RST bit set; it is a per-packet check, not session tracking, so the router cannot distinguish
a genuine reply from a forged packet that has the ACK bit set. The inside filtering router also allows
inbound TCP packets from established TCP sessions. It permits access to the bastion hosts in the
Isolation LAN, such as proxy services, Domain Name System (DNS), and web servers.
Figure 12-5 Firewall System: Internet, outside filtering router, Isolation LAN with bastion hosts (FTP, WWW), inside filtering router, Internal Network.
Access Lists in Firewall Implementations
The filtering routers are configured with access lists to restrict which hosts and services can be
reached. Extended IP access lists (numbered 100 to 199) filter on source and destination IP network,
IP protocol, and transport-layer port; standard access lists (1 to 99) match only on source address.
Chapter 10, "Administrative Distance, Access Lists, Route Manipulation, and IP Multicast," discusses IP
access lists.
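The following Cisco IOS configuration is an added example of the outside filtering router described
above; it is not from the book. All addresses are assumptions: 203.0.113.0/24 is the Internet-facing
link, 192.0.2.0/24 is the Isolation LAN, and 192.0.2.10, 192.0.2.11, and 192.0.2.12 are the assumed
WWW, FTP, and DNS bastion hosts.

```cisco
! Outside filtering router: added example, addresses are assumptions.
!
! Static routing only; no dynamic routing protocol runs on this router.
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! Store passwords in encrypted form in the configuration.
service password-encryption
!
! Extended access list 101, applied inbound on the Internet-facing interface.
! Replies to sessions opened from the Isolation LAN: matches ACK or RST set,
! so it is a per-packet check, not a stateful one.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
! New connections only to specific bastion hosts on specific ports.
access-list 101 permit tcp any host 192.0.2.10 eq www
access-list 101 permit tcp any host 192.0.2.11 eq ftp
access-list 101 permit udp any host 192.0.2.12 eq domain
access-list 101 permit tcp any host 192.0.2.12 eq domain
! Everything else is dropped and logged (the implicit deny would drop silently).
access-list 101 deny ip any any log
!
interface Serial0
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
!
! Telnet to the router itself only from the Isolation LAN (standard list 10).
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login
```

Two points worth checking on a real deployment: the FTP rule admits only the control connection on
port 21, so passive-mode data connections to the FTP bastion need additional permits or a proxy; and
because established is not stateful, an attacker can reach any port on the Isolation LAN with a
crafted segment that has ACK set, which is exactly the gap a stateful firewall such as the PIX closes.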
Cisco PIX Firewall
Sites that require strong security can use the Cisco PIX Firewall in addition to or instead of
packet-filtering routers. Cisco's PIX Firewall is a hardware device that offers more robust security
than packet-filtering routers: it provides Network Address Translation (NAT) and tracks connection
state, so an inbound packet is accepted only when it belongs to a connection the firewall has already
seen. NAT translations can be static or dynamic, and the active translation table can be inspected
from the command-line interface.
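The following PIX configuration (PIX 6.x syntax) is an added example of the NAT arrangement described
above; it is not from the book. The addresses are assumptions: 10.1.0.0/16 is the internal network,
10.1.1.10 is an internal web server, and 203.0.113.0/24 is the outside address space.

```cisco
! Cisco PIX Firewall: added example, addresses are assumptions.
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
!
! Dynamic NAT: inside hosts in 10.1.0.0/16 share a pool of outside addresses.
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 203.0.113.100-203.0.113.200 netmask 255.255.255.0
!
! Static NAT: the web server always appears as 203.0.113.10 from the outside.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Only HTTP to the static translation is permitted inbound; all other inbound
! packets must match a connection already opened from the inside.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
!
! Exec commands (not configuration) to verify translations and tracked connections:
!   show xlate
!   show conn
```

The difference from the filtering-router design is visible in the last two commands: show xlate lists
the static and dynamic translations currently in use, and show conn lists the connections the PIX is
tracking, which is the state information it consults before admitting any inbound packet.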