Firewall Design and Implementation: Bastion Host and DMZ Architectures

Added on 2022/10/06

AI Summary
This report delves into the critical aspects of firewall design and implementation, focusing on enhancing network security. It begins by establishing the fundamental concepts of information security, emphasizing the importance of firewalls in protecting data confidentiality, integrity, and availability. The report explores different types of firewalls, including packet filtering, stateful inspection, application-level gateways, and next-generation firewalls, highlighting their software-defined nature and hardware implementations like bastion hosts and demilitarized zones (DMZ). The core of the report details the design and configuration of a bastion host architecture using iptables in a Linux environment, including SSH hardening techniques to fortify server security. Furthermore, it introduces a more robust DMZ architecture, discussing its three zones: trusted, DMZ, and untrusted networks, and provides practical insights into configuring an internal firewall using OPNsense. The report concludes by emphasizing the importance of firewalls in preventing unauthorized access, reducing replay attacks, DDoS attacks, and spoofing attempts, and advocates for the use of DMZ and application-level firewalls to maintain information security.
Running head: FIREWALLS
1
Firewalls
Introduction
Confidentiality, integrity, and availability of data are fundamental concepts of information security. Traditional forms of security focused on keeping data away from unauthorized individuals by locking it away in safe houses under lock and key (Gilman & Barth, 2017). However, the digitization of data has made such walls ineffective at keeping intruders from accessing confidential information (Pachghare, 2015). The goal of information security is to enable an organization to maintain high availability of data to authorized persons while keeping it away from unauthorized individuals as far as possible. The use of firewalls is essential in this regard. There are different types of firewalls: packet filtering firewalls, stateful inspection firewalls, application-level gateways, and next-generation firewalls. They all operate in a software-defined environment. Hardware implementations of firewalls include the bastion host and the demilitarized zone (DMZ) (Lundgren & Möller, 2017). The bastion host architecture is demonstrated in this project. Section 3 of this report details the design of the demilitarized zone firewall architecture.
Assumptions
The case scenario has been provided with the network architecture detailed below.
Figure 1: The case scenario for the bastion host implementation
The network consists of:
i. SSH Server
ii. Proxy server
iii. File Server
iv. Local area network
v. Layer 2 switch
vi. Firewall
The following assumptions were made in the design of the network:
i. The LAN does not have an internal firewall implementation
ii. An external firewall can be configured sufficiently to protect the file server from
unauthorized access.
iii. No virtual private network configuration has been implemented.
iv. The firewall adopted performs both packet-filtering and DDoS Detection.
External Firewall Configuration
Considering the assumptions of the case scenario stated above, the configuration of the external firewall connecting the network to the wide area network/Internet needs to be robust enough to ward off malicious attacks. The tool used in this exercise is iptables, which is packaged with Linux distributions; the Ubuntu 18.04 LTS distribution was used.
Adding rules to iptables
Find the IP address of the virtual network server using the ifconfig command in the terminal.
Send a ping request to the server.
Install nginx server onto the server firewall computer running on Ubuntu 18.04 LTS
Verify the server IP address is still operational
Start Nginx server service
Look up the IP address of Facebook using the nslookup command.
This command returns the address details of the domain name, including both IPv4 and IPv6.
Use the web browser to check for the accessibility of Facebook on the guest network
Apply iptables rules to block Facebook from the virtual network.
Verify that the Facebook page has been blocked from the virtual network
Drop all packet requests from the addresses that are external to the virtual network
Restore the default iptables settings.
Allow ping requests from outside the network
Verify that the virtual network (Guest PC) has access to the Internet and WAN
Allow ping requests from the host system (remote PC)
The ping request to the guest network does not drop any packets.
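The iptables steps above, collected as an added shell example (these are not the report's own commands). It assumes the Ubuntu box forwards traffic for the guest network on enp0s8 and reaches the Internet on enp0s3, that the host PC is 192.168.56.1, and that SSH will move to port 2222 as in the next section; the nslookup output and all addresses are constructed. By default it only prints the commands; set APPLY=1 and run as root to execute them.

```shell
# Constructed nslookup output for the "block Facebook" step; addresses are from
# documentation ranges (RFC 5737 / RFC 3849), not real Facebook addresses.
NSLOOKUP_OUT='Server:   127.0.0.53
Address:  127.0.0.53#53

Non-authoritative answer:
Name:    facebook.com
Address: 203.0.113.10
Name:    facebook.com
Address: 2001:db8::10'

HOST_PC=192.168.56.1   # assumed: host (remote PC) allowed to ping the firewall
LAN_IF=enp0s8          # assumed: interface towards the guest/virtual network
WAN_IF=enp0s3          # assumed: interface towards the Internet
SSH_PORT=2222          # assumed: non-default port chosen in the SSH hardening section

# Dry-run by default: print the command; with APPLY=1 (as root) execute it.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

# Answer addresses only; the resolver's own "Address: 127.0.0.53#53" line is skipped.
answer_ips() { printf '%s\n' "$NSLOOKUP_OUT" | awk '/^Address:/ && $2 !~ /#/ { print $2 }'; }

# Insert (-I) the drops at the top of FORWARD so they win over the LAN->WAN accept below.
# IPv6 answers need ip6tables; blocking only the IPv4 addresses would leave a bypass.
block_domain_rules() {
  answer_ips | while read -r ip; do
    case $ip in
      *:*) run ip6tables -I FORWARD 1 -i "$LAN_IF" -d "$ip" -j DROP ;;
      *)   run iptables -I FORWARD 1 -i "$LAN_IF" -d "$ip" -j DROP ;;
    esac
  done
}

# Default-deny from the WAN, keep established flows, NAT the guest network out,
# admit SSH only from the LAN on the hardened port, answer ping only for the host PC.
base_policy_rules() {
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  run iptables -A INPUT -i "$LAN_IF" -p tcp --dport "$SSH_PORT" -j ACCEPT
  run iptables -A INPUT -p icmp --icmp-type echo-request -s "$HOST_PC" -j ACCEPT
}

# The report's "restore default settings" step: accept-all policies and empty chains.
reset_rules() { run iptables -P INPUT ACCEPT; run iptables -P FORWARD ACCEPT; run iptables -F; run iptables -t nat -F; }
```

Forwarding for the guest network also needs net.ipv4.ip_forward=1 on the Ubuntu box, and the rules do not survive a reboot unless saved (for example with iptables-persistent).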
SSH Hardening
SSH hardening is a set of measures that enhance the security of a server by restricting what remote users can do. It prevents direct root access, thus preventing dictionary attacks against the server. It is done by changing the default SSH listening port and limiting root access.
Procedure:
i. Change the listening port from the default port 22.
ii. Use SSH protocol version 2 instead of version 1 as the default for remote logins, for stronger authentication.
iii. Disable remote root login through SSH by setting PermitRootLogin to ‘no’.
iv. Turn off password authentication by setting PasswordAuthentication to ‘no’ and UsePAM to ‘no’.
v. Restrict logins to known users, e.g. AllowUsers ‘Username’.
vi. Restart SSH with systemctl restart sshd.
Figure 2: Editing SSH remote login rules
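An added check for the SSH hardening steps, not part of the report: it audits an sshd_config text for steps i, iii, iv and v the way sshd itself reads the file (the first value for a keyword wins, comments are ignored), so a stray later directive cannot undo a setting unnoticed. The two configurations are constructed samples and the user name alice is a placeholder.

```shell
# Constructed sample configurations (not from the report).
WEAK_CFG='#Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes'

HARDENED_CFG='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM no
AllowUsers alice
# sshd keeps the first value it reads, so this later duplicate is ignored:
PermitRootLogin yes'

# Effective value of a keyword (case-insensitive, first match wins), or "unset".
# Only the "Keyword value" form is handled, not "Keyword=value" or Match blocks.
effective() {  # $1 = config text, $2 = keyword
  printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == k    { found = 1; print $2; exit }
    END { if (!found) print "unset" }'
}

# Audit one configuration text: prints one FAIL line per unmet step and returns the
# number of failures (0 = hardened). Step ii is not checked: modern OpenSSH servers
# no longer support SSH1, so the Protocol keyword has no effect there.
audit() {
  cfg=$1 fails=0
  port=$(effective "$cfg" Port); [ "$port" = unset ] && port=22
  [ "$port" != 22 ] || { echo "FAIL step i: Port is still 22"; fails=$((fails + 1)); }
  for kw in PermitRootLogin PasswordAuthentication UsePAM; do
    [ "$(effective "$cfg" "$kw")" = no ] || { echo "FAIL: $kw is not 'no'"; fails=$((fails + 1)); }
  done
  [ "$(effective "$cfg" AllowUsers)" != unset ] || { echo "FAIL step v: AllowUsers missing"; fails=$((fails + 1)); }
  return "$fails"
}
```

To audit the live file, pass its contents, e.g. audit "$(cat /etc/ssh/sshd_config)"; confirm with sshd -T, which prints the daemon's effective settings, before restarting.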
Improved Network Design
The network configuration performed in the previous section implements a bastion host, in which a single layer of abstraction is provided between the trusted and untrusted networks. Even though it is sufficiently secure in most cases, this kind of network is not immune to attacks in which an intruder gains physical access to internal devices. In the event of a successful bypass of the firewall by a malicious individual or program, the LAN devices are completely exposed. A better network implements a demilitarized zone architecture, which features three different zones, the trusted network, the demilitarized zone (DMZ), and the untrusted network, as shown in Figure 2 below.