
Cyberoam Certified Network & Security Professional (CCNSP)

Module 3
Firewall

training.cyberoam.com

Copyright 2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved.

Cyberoam Certified Network & Security Professional (CCNSP)


Firewall > Agenda

Cyberoam Layer 8 Firewall


Access Control
Zone Management
Rule Management
Object Management
NAT (Inbound & Outbound)
Routing
Labs

Firewall

Cyberoam Layer 8 Firewall

Access Control (Appliance Access)

Use Appliance Access to limit administrative access to the following services from LAN/WAN/DMZ (System -> Administration -> Appliance Access):

Admin Services (HTTP, HTTPS, Telnet, SSH)
Authentication Services (User Login options)
Network Services (DNS, Ping)
Other Services (Web Proxy, SSL VPN)

Access Control > Default Configuration

When the Cyberoam appliance is powered up for the first time, it has the default access configuration specified below:

Admin Services
HTTPS (TCP port 443) and SSH (TCP port 22) are open for administrative functions from the LAN zone.

Authentication Services
Cyberoam (UDP port 6060) and Captive Portal (TCP port 8090) are open for user authentication services from the LAN zone.
User authentication services are used by the Layer-8 engine to authenticate and authorize users so that Layer-8 controls can be applied.
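The default posture above is something a reviewer wants to check mechanically whenever the Appliance Access page is changed. The following Python is an added example, not Cyberoam's code or part of the deck: it encodes the deck's defaults (HTTPS and SSH from LAN for administration; Cyberoam UDP 6060 and Captive Portal TCP 8090 from LAN for authentication) as a baseline and flags zone/service pairs that widen administrative exposure. The HTTP and Telnet port numbers, the severity levels and the sample change request are this example's assumptions.

```python
"""Review an Appliance Access configuration against the factory default.

Added example, not Cyberoam code. The four default services and their ports
come from the slide; HTTP/Telnet ports, the severity policy and the sample
change request are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Service -> (protocol, port).
SERVICE_PORTS = {
    "HTTP": ("tcp", 80),      # assumed IANA default, not stated on the slide
    "HTTPS": ("tcp", 443),
    "Telnet": ("tcp", 23),    # assumed IANA default, not stated on the slide
    "SSH": ("tcp", 22),
    "Cyberoam": ("udp", 6060),
    "Captive Portal": ("tcp", 8090),
}
ADMIN_SERVICES = {"HTTP", "HTTPS", "Telnet", "SSH"}
PLAINTEXT_SERVICES = {"HTTP", "Telnet"}

# Factory default per the deck: admin and authentication services, LAN only.
DEFAULT_ACCESS: Dict[str, Set[str]] = {
    "LAN": {"HTTPS", "SSH", "Cyberoam", "Captive Portal"},
    "WAN": set(),
    "DMZ": set(),
}


@dataclass(frozen=True)
class Finding:
    zone: str
    service: str
    severity: str
    reason: str


def review_access(access: Dict[str, Set[str]]) -> List[Finding]:
    """Findings for every zone/service pair that weakens the default posture."""
    findings: List[Finding] = []
    for zone in ("LAN", "DMZ", "WAN"):          # fixed order keeps output stable
        for svc in sorted(access.get(zone, set())):
            proto, port = SERVICE_PORTS[svc]
            if svc in PLAINTEXT_SERVICES:
                findings.append(Finding(zone, svc, "high",
                    f"{svc} ({proto}/{port}) sends administrator credentials in clear text"))
            if svc in ADMIN_SERVICES and zone == "WAN":
                findings.append(Finding(zone, svc, "high",
                    f"administrative service {svc} is reachable from the Internet"))
            elif svc in ADMIN_SERVICES and zone == "DMZ":
                findings.append(Finding(zone, svc, "medium",
                    f"administrative service {svc} is reachable from the DMZ (default is LAN only)"))
    return findings


def opened_since_default(access: Dict[str, Set[str]],
                         default: Dict[str, Set[str]] = DEFAULT_ACCESS) -> Dict[str, List[str]]:
    """Zone -> services that are open now but were not in the factory default."""
    delta: Dict[str, List[str]] = {}
    for zone, services in access.items():
        extra = services - default.get(zone, set())
        if extra:
            delta[zone] = sorted(extra)
    return delta


if __name__ == "__main__":
    proposed = {  # constructed change request to review
        "LAN": {"HTTPS", "SSH", "Cyberoam", "Captive Portal", "HTTP"},
        "WAN": {"HTTPS", "Telnet"},
        "DMZ": {"SSH"},
    }
    for f in review_access(proposed):
        print(f"[{f.severity}] {f.zone}/{f.service}: {f.reason}")
    print("opened since default:", opened_since_default(proposed))
```

Run against the factory default the review is empty; run against the constructed change request it reports the clear-text services and every administrative service opened beyond the LAN, which is the list to take into the change discussion.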

Access Control > IP address at each port of the security solution

The IP addresses assigned to each port on the appliance can be static or dynamically obtained from a DHCP server.

The appliance also functions as a DHCP/DHCPv6 server.

The IP addresses can be edited, and virtual interfaces can be added by adding aliases and VLANs.

The advantage of using an alias is that a single interface can have multiple connections to a network.

In a VLAN, the hosts communicate as if they are attached to the same broadcast domain, regardless of their physical connectivity.

Zone Management > Default Zones

LAN
DMZ (De-Militarised Zone)
WAN
VPN
Local

Traffic destined for Cyberoam itself falls under the Local Zone.

[Figure: zone diagram showing the WAN Zone, Local Zone, DMZ Zone and LAN Zone around the appliance]

Zone Management > Zone based Policies

Cyberoam, being a zone-based firewall, allows zone-based rules.

For example: different policies for the Wi-Fi zone, LAN zone, etc. This is configured from the firewall rule page, which is discussed later in this module.

Rule Management

Select Firewall -> Rule to display the list of rules.

Choose IP Family: IPv4/IPv6

Enable/Disable rule - Click to activate/deactivate the rule. If you do not want to apply a firewall rule temporarily, disable the rule instead of deleting it.
ON: active rule, OFF: deactivated rule

Edit Rule - Click to edit the rule.

Insert Rule - Click to insert a new rule before the existing rule.

Move Rule - Click to change the order of the selected rule.

Rule Management > Default IPv4 Firewall Rule #1

Rule Management > Default IPv4 Firewall Rule #2

Rule Management > Default IPv6 Firewall Rule

There are no IPv6 rules by default; the user needs to create IPv6 rules as required by the network.

Managing Objects

Objects are global building blocks for all modules/policies/rules of the Cyberoam Layer 8 firewall.
Cyberoam provides several standard objects and allows creating:
Customized object definitions
Firewall rules for customized service definitions

Defining Custom Services

Select Objects -> Services -> Add to open the create page.

Managing Object > IP Host & MAC Host

By default, an IP host is created for each port on the appliance.

MAC Host

In Cyberoam, the MAC address (Machine Address) is a decision parameter, along with Identity and IP Address, for the firewall policies.

Managing Object > FQDN Host

An FQDN (Fully Qualified Domain Name) host can be added to the Cyberoam appliance.

Adding this host makes it possible to write a firewall rule that matches a particular FQDN.

Managing Object > Country Host

Cyberoam allows adding a country-based host to filter traffic at the country level.

A country host can also be defined from the firewall rule itself.
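To make the zone, rule-order and host-object ideas from the Zone Management, Rule Management and Managing Objects slides concrete, here is an added Python example that is not Cyberoam's code: an ordered rule list evaluated first-match between zones derived from an interface table, with IP, MAC, FQDN and Country host objects as match criteria. The interface table, DNS cache, GeoIP map, rule names and all addresses are constructed for the example.

```python
"""First-match evaluation of zone-based firewall rules over host objects (added
example, not Cyberoam code). Interface table, DNS cache, GeoIP map, rules and
addresses are constructed; the host object kinds follow the deck's slides."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

INTERFACES = {  # constructed appliance layout: zone -> (port IP, attached network)
    "LAN": ("192.168.1.1", "192.168.1.0/24"),
    "DMZ": ("10.1.1.1", "10.1.1.0/24"),
    "WAN": ("203.0.113.10", "203.0.113.0/24"),
}
DNS_CACHE = {"updates.example.com": {"203.0.113.55", "203.0.113.56"}}  # constructed resolver cache
GEOIP = {"198.51.100.7": "AA"}  # constructed country lookup

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    src_mac: str = ""

# Host objects: each answers "is this packet's src or dst a member of me?"
@dataclass(frozen=True)
class IPHost:
    cidr: str  # single address or a network
    def matches(self, pkt: Packet, side: str) -> bool:
        return ipaddress.ip_address(getattr(pkt, side)) in ipaddress.ip_network(self.cidr, strict=False)

@dataclass(frozen=True)
class MACHost:
    mac: str
    def matches(self, pkt: Packet, side: str) -> bool:
        return side == "src" and pkt.src_mac.lower() == self.mac.lower()  # only the sender's MAC is known

@dataclass(frozen=True)
class FQDNHost:
    name: str
    def matches(self, pkt: Packet, side: str) -> bool:
        return getattr(pkt, side) in DNS_CACHE.get(self.name, set())

@dataclass(frozen=True)
class CountryHost:
    code: str
    def matches(self, pkt: Packet, side: str) -> bool:
        return GEOIP.get(getattr(pkt, side)) == self.code

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str  # "ACCEPT" or "DROP"
    src_hosts: tuple = ()  # empty = Any Host
    dst_hosts: tuple = ()
    services: Tuple[Tuple[str, int], ...] = ()  # empty = All Services
    enabled: bool = True

def zone_of(ip: str, as_destination: bool = False) -> str:
    """Zone from the interface table. Traffic addressed to one of the appliance's
    own port IPs is the Local zone; an address on no attached network is WAN."""
    if as_destination and any(ip == port_ip for port_ip, _ in INTERFACES.values()):
        return "Local"
    addr = ipaddress.ip_address(ip)
    for zone, (_, net) in INTERFACES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "WAN"

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not rule.enabled:
        return False
    if (rule.src_zone, rule.dst_zone) != (zone_of(pkt.src), zone_of(pkt.dst, True)):
        return False
    if rule.src_hosts and not any(h.matches(pkt, "src") for h in rule.src_hosts):
        return False
    if rule.dst_hosts and not any(h.matches(pkt, "dst") for h in rule.dst_hosts):
        return False
    return not rule.services or (pkt.proto, pkt.dport) in rule.services

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First enabled rule that matches wins; no match is the implicit drop."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return "implicit", "DROP"

def set_enabled(rules: List[Rule], name: str, enabled: bool) -> None:
    """The slide's Enable/Disable toggle: the rule keeps its position, it is just skipped."""
    for rule in rules:
        if rule.name == name:
            rule.enabled = enabled

def sample_rules() -> List[Rule]:
    return [
        Rule("block-guest-mac", "LAN", "WAN", "DROP", src_hosts=(MACHost("00:11:22:33:44:55"),)),
        Rule("lan-updates", "LAN", "WAN", "ACCEPT", dst_hosts=(FQDNHost("updates.example.com"),),
             services=(("tcp", 443),)),
        Rule("deny-country-AA", "WAN", "DMZ", "DROP", src_hosts=(CountryHost("AA"),)),
        Rule("wan-to-dmz-web", "WAN", "DMZ", "ACCEPT", dst_hosts=(IPHost("10.1.1.80"),),
             services=(("tcp", 80),)),
        Rule("lan-to-wan-any", "LAN", "WAN", "ACCEPT"),  # the deck's default Any Host to Any Host rule
    ]
```

Two things the slides state fall out directly: a packet addressed to a port IP lands in the Local zone and hits none of these rules, and disabling a rule with `set_enabled` keeps its place in the order, so the packet it blocked now falls through to the next matching rule (here the default LAN to WAN rule), which is why order and the disable/delete distinction both matter.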

Outbound NAT (Source NAT)

Cyberoam has a predefined NAT policy called MASQ, which NATs outgoing traffic to the IP address of the outgoing port.

Use a NAT policy when you want to map specific outbound traffic to a specific IP or IP range.

Cyberoam allows creating a NAT policy, which can then be bound to a firewall rule.

Inbound NAT (Virtual Host)

Required to make internal resources available on the Internet.

Maps services of a public IP address to services of a host in a private network.

Example: a web server is configured in the LAN zone with 1.1.1.1; Internet users access www.abc.com, which resolves to 10.103.4.213.

Cyberoam will automatically respond to ARP requests received on the WAN zone for the external IP address of the virtual host.

The default LAN to WAN (Any Host to Any Host) firewall rule will allow traffic to flow between the virtual host and the network.

Cyberoam allows inbound load balancing & failover.

Inbound NAT > Create Virtual Host

Select Firewall -> Virtual Host -> Add.

Inbound NAT > Create Virtual Host with Load Balancing

Round Robin
Requests are served in sequential order: the first request goes to the first server, the next to the next server, and so on. No other parameter is considered.

First Alive
All requests are served by the first internal server. A request only goes to the next server if the previous one is dead, and so on.

Random
Requests are served in random order, or rather by a uniform random method in which all requests are distributed evenly.

Sticky IP
Maps a single source IP to a destination server. Any request from the same source IP will always go to the same server.
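The four methods above, as an added Python example that is not Cyberoam's code: each is a selection function over a constructed pool of internal servers with a health map, and a small driver counts how requests spread across the pool. Letting every method skip servers marked dead (the deck's failover), the hash used to place a new sticky client and the seeded random generator are this example's assumptions.

```python
"""The four virtual-host load-balancing methods from the slide as selection
functions over a server pool. Added example, not Cyberoam code: the pool,
the health map, the seeded RNG and the choice to let every method skip
servers marked dead are assumptions made for this example.
"""
import random
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Pool:
    servers: List[str]                  # internal servers, in configured order
    alive: Dict[str, bool]              # health-check result per server
    rr_index: int = 0                   # round-robin cursor
    sticky: Dict[str, str] = field(default_factory=dict)  # client IP -> server
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def healthy(self) -> List[str]:
        return [s for s in self.servers if self.alive.get(s, False)]

    def round_robin(self, client_ip: str = "") -> Optional[str]:
        """Sequential order: first request to the first server, and so on."""
        live = self.healthy()
        if not live:
            return None
        server = live[self.rr_index % len(live)]
        self.rr_index += 1
        return server

    def first_alive(self, client_ip: str = "") -> Optional[str]:
        """Everything goes to the first server; the next one only when it is dead."""
        live = self.healthy()
        return live[0] if live else None

    def random_choice(self, client_ip: str = "") -> Optional[str]:
        """Uniform random pick across the live servers."""
        live = self.healthy()
        return self.rng.choice(live) if live else None

    def sticky_ip(self, client_ip: str) -> Optional[str]:
        """Same source IP always reaches the same server. A new client is placed
        by hashing its address; a client whose server died is re-placed."""
        live = self.healthy()
        if not live:
            return None
        server = self.sticky.get(client_ip)
        if server is None or not self.alive.get(server, False):
            server = live[zlib.crc32(client_ip.encode()) % len(live)]
            self.sticky[client_ip] = server
        return server


def distribute(pool: Pool, method: str, client_ips: List[str]) -> Dict[str, int]:
    """Send one request per client through the named method; count per server."""
    pick = getattr(pool, method)
    counts: Dict[str, int] = {}
    for ip in client_ips:
        server = pick(ip)
        if server is not None:
            counts[server] = counts.get(server, 0) + 1
    return counts


def make_pool() -> Pool:
    # Constructed pool of three web servers in the LAN, all passing health checks.
    servers = ["10.1.1.11", "10.1.1.12", "10.1.1.13"]
    return Pool(servers, {s: True for s in servers})


if __name__ == "__main__":
    clients = [f"192.168.1.{n}" for n in range(1, 10)]
    for method in ("round_robin", "first_alive", "random_choice", "sticky_ip"):
        print(method, distribute(make_pool(), method, clients))
```

Marking a server dead in `alive` shows the failover behaviour each method implies: First Alive moves everything to the next server, Round Robin shortens its cycle, and a sticky client is re-placed on a live server rather than left pointing at the dead one.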

Inbound NAT > Create firewall rule to include Virtual host

Create firewall rules to allow external hosts (from the Internet) to access a virtual host that maps to internal servers.

You must add the virtual host to a firewall policy to actually implement the mapping configured in the virtual host, i.e. create a firewall rule that allows or denies inbound traffic to the virtual host.

Inbound NAT > Loopback Firewall Rule

Once the virtual host is created successfully, Cyberoam automatically creates a loopback firewall rule for the zone of the mapped IP address.

The loopback firewall rule is created for the service specified in the virtual host.

If port forwarding is not enabled in the virtual host, a firewall rule with All Services is created.

Loopback rules allow internal users to access internal resources using the public IP (external IP) or FQDN.

Inbound NAT > Reflexive Firewall Rule

In the general scenario, when traffic is initiated from the DMZ to the WAN, a reflexive rule is needed.

For example, in the case of an email server, the private IP of the email server is mapped to a public IP on the Internet. When an email is received (inbound), the virtual host rule for inbound traffic applies, but when an email is sent (outbound), a reflexive rule is required.

By default, Cyberoam prompts for this rule while creating the virtual host.
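The virtual host, its automatically created loopback rule and the optional reflexive rule from the preceding slides, modelled as packet translations in an added Python example that is not Cyberoam's code. The virtual host fields (external IP, mapped IP, optional port forwarding) follow the deck; the packet model, the constructed WAN port IP that MASQ would use, the zone table and every address are assumptions.

```python
"""Virtual host (inbound NAT), loopback rule and reflexive rule as packet
translations. Added example, not Cyberoam code: the zone table, the WAN port
IP used by MASQ and all addresses are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

WAN_PORT_IP = "203.0.113.10"  # constructed appliance WAN address (MASQ source)
ZONES = {"10.1.1.0/24": "DMZ", "192.168.1.0/24": "LAN"}  # constructed internal networks


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class VirtualHost:
    name: str
    external_ip: str
    mapped_ip: str
    proto: str = "tcp"
    external_port: Optional[int] = None  # None = port forwarding off: all ports map through
    mapped_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst: str       # zone name, or the virtual host the rule points at
    service: str
    nat: str


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "WAN"


def auto_rules(vh: VirtualHost, reflexive_accepted: bool = True) -> List[Rule]:
    """Rules created with the virtual host: a loopback rule for the zone of the
    mapped IP (service = the virtual host's service, or All Services when port
    forwarding is off) and, if the operator accepts the prompt, a reflexive
    rule so the mapped host's own outbound traffic leaves from the public IP."""
    zone = zone_of(vh.mapped_ip)
    service = f"{vh.proto}/{vh.external_port}" if vh.external_port else "All Services"
    rules = [Rule(f"loopback-{vh.name}", zone, vh.name, service, "DNAT")]
    if reflexive_accepted:
        rules.append(Rule(f"reflexive-{vh.name}", zone, "WAN", "All Services",
                          f"SNAT to {vh.external_ip}"))
    return rules


def translate_inbound(vh: VirtualHost, pkt: Packet) -> Optional[Packet]:
    """DNAT for a packet addressed to the virtual host's public IP; None when the
    packet is not for this virtual host (wrong IP or protocol, or wrong port
    with port forwarding on). Identical for Internet and loopback clients."""
    if pkt.dst != vh.external_ip or pkt.proto != vh.proto:
        return None
    if vh.external_port is not None and pkt.dport != vh.external_port:
        return None
    new_port = vh.mapped_port if vh.mapped_port is not None else pkt.dport
    return replace(pkt, dst=vh.mapped_ip, dport=new_port)


def translate_outbound(vh: VirtualHost, pkt: Packet, reflexive: bool) -> Packet:
    """Source NAT for traffic the mapped host sends towards the WAN: with the
    reflexive rule it leaves from the published IP, otherwise the default MASQ
    policy rewrites the source to the outgoing port's own IP."""
    if reflexive and pkt.src == vh.mapped_ip:
        return replace(pkt, src=vh.external_ip)
    return replace(pkt, src=WAN_PORT_IP)


def sample_vhost() -> VirtualHost:
    # Constructed: mail server in the DMZ published on 203.0.113.25, SMTP only.
    return VirtualHost("mail", "203.0.113.25", "10.1.1.25", "tcp", 25, 25)


if __name__ == "__main__":
    vh = sample_vhost()
    for r in auto_rules(vh):
        print(r)
    print(translate_inbound(vh, Packet("198.51.100.5", "203.0.113.25", "tcp", 25)))
    print(translate_outbound(vh, Packet("10.1.1.25", "198.51.100.5", "tcp", 25), reflexive=True))
```

The outbound case is the one the reflexive-rule slide is about: without that rule the mail server's own connections are masqueraded behind the WAN port address rather than the IP it is published on, which is what the receiving side sees.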

Inbound Load Balancing with Virtual Host & DNS

Example: a web server is published over two WAN links, Port B (10.206.1.12) & Port C (10.10.1.2).

The website's NS records should point to the Cyberoam IPs, i.e. 10.206.1.12 and 10.10.1.2.

Create a DNS host entry for the server from Network -> DNS -> DNS Host Entry.

Upon failure of either WAN link (Port B or Port C), Cyberoam will fail over to the remaining link.

When both WAN links are functional, Cyberoam will load balance across them.

Routing in Cyberoam > Static Routing

Use a static route when you want to route traffic destined for a specific network/host via a different next hop instead of the default route.

A static route causes packets to be forwarded to a next hop other than the configured default gateway.

Scenario: Cyberoam is deployed in Gateway mode and an L3 switch is configured for inter-VLAN routing.

Network -> Static Route -> Unicast -> IPv4 Unicast Route -> Add

[Figure: IPv4 unicast route entries for VLAN ID 100, VLAN ID 101 and VLAN ID 102]

Routing in Cyberoam > Dynamic Routing

Cyberoam supports dynamic routing configuration from the GUI.

Go to Network -> Dynamic Route -> RIP/OSPF/BGP (Routing Information).

Note: In-depth dynamic routing is covered in CCNSE.

Routing in Cyberoam > Policy based routing

The static routing method is limited to forwarding based on the destination address only.

Policy based routing extends static routes with more flexible traffic handling capabilities.

It allows matching based upon source address, service/application, and gateway weight for load balancing.

It offers granular control for forwarding packets based upon a number of user-defined variables like:

Destination
Source
Application
Combination of all of the above
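Static routing and policy based routing together, as an added Python example that is not Cyberoam's code: a longest-prefix static lookup for the inter-VLAN scenario above (one route per VLAN subnet pointing at the L3 switch, plus a default route), then a policy table consulted first that matches on source, destination and service and spreads flows across weighted gateways. The route table, VLAN subnets, gateway addresses, policy entries and the flow-hash weighting are all constructed.

```python
"""Static routes with longest-prefix lookup, extended by policy based routing
(added example, not Cyberoam code). The route table, the VLAN subnets behind
the L3 switch, the two WAN gateways, the policy entries and the flow-hash
weighting are all constructed for this example."""
import ipaddress
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class StaticRoute:
    destination: str  # CIDR; 0.0.0.0/0 is the default route
    gateway: str

@dataclass(frozen=True)
class PolicyRoute:
    """source, destination and service may each be None, meaning 'any'."""
    name: str
    source: Optional[str]
    destination: Optional[str]
    service: Optional[Tuple[str, int]]
    gateways: Tuple[Tuple[str, int], ...]  # (gateway, weight) pairs

def static_lookup(routes: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Most specific matching prefix wins, so a VLAN route beats the default route."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route.destination, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best

def in_cidr(cidr: Optional[str], ip: str) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def policy_lookup(policies: List[PolicyRoute], flow: Flow) -> Optional[PolicyRoute]:
    """First policy whose configured fields all match the flow."""
    for p in policies:
        if (in_cidr(p.source, flow.src) and in_cidr(p.destination, flow.dst)
                and (p.service is None or p.service == (flow.proto, flow.dport))):
            return p
    return None

def pick_gateway(policy: PolicyRoute, flow: Flow) -> str:
    """Weighted choice that is stable per flow: the endpoints are hashed into the
    weight space so all packets of one connection stay on one link."""
    total = sum(weight for _, weight in policy.gateways)
    point = zlib.crc32(f"{flow.src}>{flow.dst}".encode()) % total
    for gateway, weight in policy.gateways:
        if point < weight:
            return gateway
        point -= weight
    return policy.gateways[-1][0]

def next_hop(policies: List[PolicyRoute], routes: List[StaticRoute], flow: Flow) -> Tuple[str, str]:
    """Policy routes are consulted first; otherwise the static table decides."""
    policy = policy_lookup(policies, flow)
    if policy is not None:
        return pick_gateway(policy, flow), f"policy:{policy.name}"
    route = static_lookup(routes, flow.dst)
    if route is None:
        return "", "no-route"
    return route.gateway, f"static:{route.destination}"

# Constructed tables. The L3 switch at 192.168.1.2 routes between VLAN 100/101/102,
# so the appliance needs one static route per VLAN subnet pointing at the switch.
L3_SWITCH, PORT_B_GW, PORT_C_GW = "192.168.1.2", "203.0.113.1", "198.51.100.1"
ROUTES = [
    StaticRoute("0.0.0.0/0", PORT_B_GW),
    StaticRoute("10.100.0.0/24", L3_SWITCH),  # VLAN ID 100
    StaticRoute("10.101.0.0/24", L3_SWITCH),  # VLAN ID 101
    StaticRoute("10.102.0.0/24", L3_SWITCH),  # VLAN ID 102
]
POLICIES = [
    # Everything the appliance receives from VLAN 101 leaves via Port C.
    PolicyRoute("vlan101-via-portC", "10.101.0.0/24", None, None, ((PORT_C_GW, 1),)),
    # HTTPS from the LAN segment is spread 3:1 across both WAN links.
    PolicyRoute("https-balanced", "192.168.1.0/24", None, ("tcp", 443),
                ((PORT_B_GW, 3), (PORT_C_GW, 1))),
]

if __name__ == "__main__":
    for f in (Flow("192.168.1.50", "10.102.0.9", "tcp", 445),
              Flow("192.168.1.50", "203.0.113.200", "tcp", 80),
              Flow("10.101.0.5", "198.51.100.200", "udp", 53)):
        print(f, "->", next_hop(POLICIES, ROUTES, f))
```

The lookup order is the point of the policy-based routing slide: the same destination can take a different gateway depending on the source subnet or the service, and only when no policy matches does the destination-only static table decide.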

Labs

Lab #6 Securing the Appliance

Lab #7 Create a DROP firewall rule for your machine's IP address

Lab #8 Create an ACCEPT firewall rule for your machine's IP address

Lab #9 Create a Schedule & apply it in a Firewall Rule

Lab #10 Create a Firewall Rule to allow DNS traffic

Lab #11 Create a Virtual Host to publish an RDP server residing in the LAN (using IPv4 & IPv6 addresses for the RDP server)

Next -> Module 4 (User Authentication)
