Name?

IS3220
Unit 5 Discussion 1: Ingress and Egress Filtering
Mr. ?

Ingress and Egress Filtering

Name?
IS3220
30 Jan 2014

Based on the proposed layout of the network, I have come up with a design for the
placement of the firewalls and decided which filters should run on each one. My
decisions were made to best protect the network against malicious attacks and against
unauthorized access to parts of the network without the proper permissions. The first line
of defense is between the internet and the company's network, where I have placed the first
firewall. It includes the following filters: Static Packet filtering, NAT, Content filtering,
Circuit Proxy, Application Proxy, and Dynamic Packet filtering. The reasoning is as follows.
Static packet filtering focuses on the network layer (layer 3), specifically the header contents,
and will filter the bulk of packets, making the other filters operate more efficiently; this is why
it should be the first line of defense among the filters being used (Stewart, 2011). The next
service, which isn't a filter but is common among firewalls, is Network Address Translation
(NAT); it translates internal addresses to external addresses and is usually listed as a filtering
service. The next filter is Content filtering, which can be used to intercept specific content in a
packet leaving the network before it reaches the internet, because it looks at the domain name,
URL, filename, or file extension found at the Application Layer (layer 7) (Stewart, 2011). Next I
included the Circuit Proxy, which works on layers 3–5, to keep anyone who does not have any
business on the network from initiating a session on it. The next filter added was the
Application Proxy, which, like the Circuit Proxy, acts as a middleman between the client and
server. This filter inspects traffic completely at any layer, including the header and the payload,
unlike the Static Packet filter, which can only check the header. With this filter active, the client
never has a direct connection with the resource server, adding a layer of protection. The last
filter that I included was the Dynamic Packet filter, which addresses complex malicious traffic
over the Transport Layer (layer 4) and layers 5–7 as well.
The next firewall that I placed on the network was between the router and the Web Server,
which is part of the DMZ. The filters included with that firewall are as follows: NAT,
Content filter, Circuit Proxy, Application Proxy, and Dynamic Packet filtering. This firewall's
main focus is to filter layers 5–7, the Application Layers, but it also includes the Circuit Proxy
filter, which operates on layers 3–5 as a middleman between a client and server to allow or deny
the initiation of a session based on a list of rules. The firewall emplaced between the
workstations and the router has the following filters: Static Packet filtering, NAT, Circuit Proxy,
Application Proxy, and Dynamic Packet filtering. This firewall focuses on network
protection by using Static Packet filtering, which operates at the Network Layer (layer 3) and
the Transport Layer (layer 4); the Circuit Proxy, which uses layers 3–5 to filter sessions;
the Application Proxy, which can inspect traffic at any layer; and the Dynamic Packet filter,
which determines the virtual circuits using the three-way handshake at the Transport Layer
(layer 4) (Stewart, 2011).
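
The difference between the static and dynamic packet filters described above, as an added example that is not part of the original paper: the static filter judges each header on its own, while the dynamic filter passes inbound packets only when they belong to a three-way handshake it has watched. The addresses, the port 443 rule set and all names are constructed for illustration.

```python
from typing import NamedTuple

INSIDE = "10.0.0."          # constructed internal prefix (assumption)

class Packet(NamedTuple):   # only the header fields both filters look at
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # TCP flags, e.g. frozenset({"SYN", "ACK"})

def static_filter(p):
    """Static packet filter: fixed header rules, each packet judged alone."""
    if p.src.startswith(INSIDE) and p.dport == 443:
        return True         # egress rule: inside hosts may reach HTTPS servers
    # ingress rule: anything whose header looks like an HTTPS reply
    return p.dst.startswith(INSIDE) and p.sport == 443 and "ACK" in p.flags

class DynamicFilter:
    """Dynamic packet filter: follows the three-way handshake per connection."""
    def __init__(self):
        self.state = {}     # (inside ip, port, outside ip, port) -> handshake stage

    def allow(self, p):
        out = p.src.startswith(INSIDE)
        key = (p.src, p.sport, p.dst, p.dport) if out else (p.dst, p.dport, p.src, p.sport)
        st = self.state.get(key)
        if out and p.flags == {"SYN"} and p.dport == 443:
            self.state[key] = "SYN_SENT"
            return True
        if not out and p.flags == {"SYN", "ACK"} and st == "SYN_SENT":
            self.state[key] = "SYN_RCVD"
            return True
        if out and p.flags == {"ACK"} and st == "SYN_RCVD":
            self.state[key] = "ESTABLISHED"
            return True
        return st == "ESTABLISHED" and "SYN" not in p.flags

def compare(packets):
    """Return (static decision, dynamic decision) for each packet in order."""
    dyn = DynamicFilter()
    return [(static_filter(p), dyn.allow(p)) for p in packets]

SAMPLE = [  # constructed traffic; addresses are documentation ranges
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, frozenset({"SYN"})),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, frozenset({"SYN", "ACK"})),
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, frozenset({"ACK"})),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, frozenset({"ACK"})),
    Packet("198.51.100.7", 443, "10.0.0.9", 40000, frozenset({"ACK"})),  # no handshake seen
]
```

Calling `compare(SAMPLE)` shows both filters agreeing on the four packets of the tracked session and disagreeing only on the last one, which the dynamic filter drops because no session exists for it.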
The next firewall is placed between the workstations and the internal corporate servers in
order to protect the servers from unauthorized users from inside and outside the network. The
filters set on this firewall are as follows: Stateful Inspection, Content filtering, Circuit
Proxy, and Application Proxy, making the main focus of this firewall's protection the Application
Layers 5–7. The last firewall that I suggest emplacing protects the network from the Wireless
Network connection. The filters that should be enabled are the following: Static Packet, NAT,
Content filtering, Circuit Proxy, Application Proxy, and Dynamic Packet. The main focus here is
the network. Just as with the first firewall between the internet and the router, it will use Static
Packet filtering as a first line of defense, because Wireless Access points are a big vulnerability
to begin with. The rest of the filters can also filter packets at the lower layers of the OSI Model,
more specifically from the Network Layer (layer 3) up to the Session Layer (layer 5).

References
Works Cited
Stewart, J. M. (2011). Network Security, Firewalls, and VPNs. Sudbury: Jones & Bartlett
Learning. Retrieved Jan 30, 2013