Recently, engineer Reza Moghadam, an international MikroTik trainer and consultant, published a new article on the MikroTik Wiki website in the Security and Firewall section. It gives a short, simple introduction to the types of firewalls and then discusses the zone-based model of firewall operation for traffic control. This model is used today in all well-known firewalls and UTMs, which is why it is called a Zone Based Firewall, or ZBF for short.
The article is written in English in a clear and fluent style, so that by reading it and looking at the images you can easily understand how it works and how it is implemented.
To view the original article on the MikroTik Wiki website, click here.
Zone Based Firewall Tutorial in MikroTik
A firewall is network security software or hardware used to secure incoming and outgoing network traffic and to prevent unauthorized access to or from different networks by monitoring, controlling and inspecting that traffic. Many models and brands provide such security tools, such as the MikroTik RouterOS Firewall, Windows Firewall, Microsoft ISA/TMG, Cisco ASA/IPFire, Juniper security appliances, etc.
Types of firewalls:
From 1990 to the present, different types and generations of firewalls and network security devices have been produced.
1 – Packet Filtering Firewalls
The first type of firewall functioned as a packet filter, inspecting the packets moving between clients, servers and the Internet. When a packet passes through a packet-filter firewall, its source/destination address, protocol and source/destination port number are checked against the firewall's rules (conditions). Any packet that is not specifically allowed onto the network is dropped (i.e., not forwarded to its destination). For example, if a firewall is configured to block Winbox traffic, the firewall will drop packets destined for TCP port number 8291.
Packet filtering firewalls are very simple: they can apply basic conditions to allow or deny network traffic, but they cannot be used for complex decisions or against more sophisticated attacks.
Basic MikroTik Firewall Rule
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 dst-address=18.104.22.168/24 protocol=tcp dst-port=8291 action=drop
2 – Proxy Firewalls
A proxy firewall performs its security functions by controlling requests, acting as an intermediary for requests from one network to another for a specific network application. A proxy firewall prevents direct connections between the two sides of the firewall; both sides are forced to conduct the session through the proxy, which can block or allow traffic based on its rule set. A proxy service must be run for each type of Internet application the firewall will support, such as an HTTP proxy for web services.
Proxy firewalls can be implemented with the MikroTik Web Proxy service and its access rules; for example, you can filter web requests from a network to a particular website, etc.
Basic MikroTik Proxy Firewall Rule
/ip proxy access
add action=deny dst-address=22.214.171.124/24 src-address=192.168.1.0/24
add action=deny dst-host=www.IPExperts.ir redirect-to=www.Tik-Trainer.Com src-address=192.168.1.0/24
3 – Stateful Firewalls
Stateful firewalls perform their operation by keeping a table that stores and records connections and their states. Every connection passing through a stateful firewall is inserted into that connection table. This additional information can be used to grant or reject access based on the packet's history in the state table, and to speed up packet processing: packets that belong to an existing connection in the firewall's state table can be allowed through without further analysis.
Stateful firewalls monitor all activity from the opening of a connection until it is closed, using the connection table history. The connection table in MikroTik is known as Connection Tracking (ConnTrack) and stores the state of all connections.
Basic MikroTik Stateful Firewall Rule
/ip firewall filter
add chain=forward src-address=126.96.36.199/24 dst-address=192.168.1.0/24 connection-state=new protocol=tcp action=drop
MikroTik Connection Tracking
/ip firewall connection print
Summary: other types of firewall exist as well, but in this article we discuss these three main models.
IPExperts Company Scenario
According to the image, the network infrastructure of IPExperts Company has two interfaces connected to Clients, two interfaces connected to Servers, and one interface connected to the Internet.
Ether 1 : Internet
Ether 2 , Ether 3 : Servers
Ether 4 , Ether 5 : Clients
Clients: use the Internet and have to work with the Servers. Some of them have public IPv4 addresses and the rest use private IPs.
Clients IPs: 10.1.1.0/24, 10.10.10.0/24, 10.20.20.0/24, 172.16.1.0/24, 172.16.20.0/24, 192.168.1.0/24, 192.168.20.0/24, 100.100.100.0/24
Servers: must be accessible from the Internet and from the Clients. All of them have public IPv4 addresses.
Servers IPs: 100.200.200.0/24, 100.50.50.0/24, 185.186.187.0/24, 217.218.219.0/24, 91.92.93.0/24
Currently, without any security or firewall configuration, Clients to Clients/Servers/Internet is permitted, Servers to Clients/Servers/Internet is permitted, and Internet to Clients/Servers is permitted. This situation is neither secure nor acceptable.
The Clients may have operating-system bugs, so being reachable from the Internet is a serious vulnerability risk. The same risks may be present on the Server side, but reachability from the Internet is necessary for our Servers.
IPExperts Company Objectives
The network administrator of IPExperts Co. has decided to secure their network and connectivity. The idea is to allow the necessary connectivity for Clients and to prevent unauthorized access, or indeed any access, to Clients from the Internet or the Servers. Servers must have connectivity to the Internet and must also be accessible by Clients and Internet users.
All IPs of the Clients and their interfaces must have connectivity to the Internet and the Servers.
All IPs of the Servers and their interfaces must have connectivity to the Internet.
All Internet users must have access to the Servers.
Servers should NOT be able to start a new connection to the Clients; a server may be infected by a virus, worm or trojan, or be controlled by attackers.
Internet users should also NOT be able to start a new connection to the Clients; they may be attempting to hack or attack the client systems.
So what is your solution to this scenario?
Are you thinking about making an address list for the Client IPs and another for the Server IPs?
Or using in-interface / out-interface matchers with drop / accept actions?
With how many firewall rules do you think we can solve this?
What about processing cost and performance?
If you want to use the common approaches to solve this problem, there are several issues to consider before taking action: the number of rules, the complexity of the rule conditions, connectivity problems, and the increased overhead of the rules with the resulting drop in performance and throughput. In the end I am sure you cannot solve it properly that way. What we actually need is stateful behaviour to inspect connections, combined with ZBF (Zone Based Firewall).
ZBF – Zone Based Firewall
A Zone Based Firewall (also known as a Zone Policy Firewall) upgrades your firewall configuration from the older models to a more flexible, more secure and more easily understood zone-based model. In this model, interfaces are assigned to zones, and an inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same interface. A security zone is a group of interfaces that are intended to be treated similarly from a security perspective. For example, if you have two or more redundant connections to your servers, both could be placed into a shared "DMZ" zone. A connection into the internal network, however, would be assigned to a separate TRUST zone. Additional zones can also be created with levels of trust that fall between the two.
With ZBF, interfaces are placed into zones. Zones are created by the network administrator using any naming convention that makes sense (although names such as INSIDE/TRUST, OUTSIDE/UNTRUST and SERVERS/DMZ are typical). Policies are then specified as to which transit (user) traffic is allowed to be initiated (for example, from users in TRUST destined for resources in UNTRUST) and what action the firewall should take, such as Accept or Drop (that is, stateful inspection of the traffic using the connection-state condition). Once the traffic is tracked, the reply traffic is allowed back through the firewall by the stateful filtering feature. The policies are implemented in a single direction (for example, TRUST to UNTRUST). If you want to allow initial traffic in both directions, you create two unidirectional policies: one for traffic to be allowed and inspected from TRUST to UNTRUST, and another from UNTRUST to TRUST. Two separate policies are needed because the policies themselves are unidirectional.
So the design of zones and interface assignments must be done carefully; the names of the zones do not matter.
In this scenario I decided to use the TRUST zone for the Client interfaces (Ether 4, Ether 5), the DMZ zone for the Server interfaces (Ether 2, Ether 3), and the UNTRUST zone for the Internet interface (Ether 1).
Zones are logical areas; based on our decisions we create them and choose a security level for each, so our network logic is as shown in the image below.
MikroTik RouterOS version 6.36 added a new feature named Interface List, which allows you to define a set of interfaces for easier interface management in the firewall and elsewhere. This feature lets us group interfaces together and build the same logic as zones.
To create your Interface Lists (Zones):
Interface Menu > Interface List Tab > List Button > +
First, create your zones.
/interface list
add name=TRUST
add name=UNTRUST
add name=DMZ
Second, assign interfaces to the zones.
Interface Menu > Interface List Tab > +
/interface list member
add interface="Ether 1 - Internet" list=UNTRUST
add interface="Ether 4 - Clients I" list=TRUST
add interface="Ether 5 - Clients II" list=TRUST
add interface="Ether 2 - Servers I" list=DMZ
add interface="Ether 3 - Servers II" list=DMZ
Firewall Configuration …
By default, the MikroTik firewall allows all traffic to transit in any direction and chain. In our scenario, access from the Internet to the Clients should not be permitted, so we simply drop all connections in the new state from the UNTRUST (Internet) zone to the TRUST (Clients) zone. With this configuration, Clients can start new sessions and send requests to the Internet, and that access is permitted, while access from the Internet to the Clients is dropped.
Clients must also be able to connect to and contact the Servers, but the Servers should not be able to start a new session to the Clients. For this reason we drop new connection states from the Servers (DMZ) zone to the Clients (TRUST) zone.
/ip firewall filter
add action=drop chain=forward connection-state=new in-interface-list=UNTRUST out-interface-list=TRUST
add action=drop chain=forward connection-state=new in-interface-list=DMZ out-interface-list=TRUST
As you can see, with just two simple rules, using ZBF and connection inspection, we have removed the security risks. This scenario could also be solved with other rules and configurations, and it can be secured further by controlling protocols, ports, etc.
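To make the zone-based, stateful behaviour described above (the inter-zone policy, the connection table, and the two forward-chain rules of the IPExperts scenario) concrete, here is an added Python model. It is example code written for this page, not code from the article or from MikroTik: the interface names, the client/server addresses (taken from the article's ranges) and the Internet host 203.0.113.7 are constructed for the demonstration, and the connection table is a deliberately minimal stand-in for RouterOS connection tracking.

```python
# Added example (not code from the article or from MikroTik): a toy model of
# zone-based stateful filtering that mirrors the IPExperts scenario, so the
# verdicts of the two forward-chain rules can be checked offline.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interface -> zone, mirroring /interface list member (names shortened here)
INTERFACE_LISTS: Dict[str, str] = {
    "ether1": "UNTRUST",                    # Internet
    "ether2": "DMZ", "ether3": "DMZ",       # Servers
    "ether4": "TRUST", "ether5": "TRUST",   # Clients
}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One chain=forward filter rule; a None matcher means 'any'."""
    action: str
    connection_state: Optional[str] = None
    in_interface_list: Optional[str] = None
    out_interface_list: Optional[str] = None


class ConnTrack:
    """Connection table keyed by 5-tuple. A packet whose forward or reverse
    tuple is already recorded is 'established'; anything else is 'new'."""

    def __init__(self) -> None:
        self.table: Dict[tuple, str] = {}

    def state_of(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "established" if fwd in self.table or rev in self.table else "new"

    def record(self, p: Packet) -> None:
        # Only accepted packets create entries, so a dropped SYN never opens
        # a state that could later let "reply" traffic through.
        self.table[(p.proto, p.src, p.sport, p.dst, p.dport)] = "established"


class ZoneFirewall:
    def __init__(self, rules: List[Rule], lists: Dict[str, str]) -> None:
        self.rules, self.lists, self.ct = rules, lists, ConnTrack()

    def forward(self, p: Packet) -> str:
        """Evaluate the forward chain; the first matching rule decides."""
        state = self.ct.state_of(p)
        verdict = "accept"  # RouterOS default: unmatched traffic is passed
        for r in self.rules:
            if r.connection_state and r.connection_state != state:
                continue
            if r.in_interface_list and self.lists.get(p.in_iface) != r.in_interface_list:
                continue
            if r.out_interface_list and self.lists.get(p.out_iface) != r.out_interface_list:
                continue
            verdict = r.action
            break
        if verdict == "accept":
            self.ct.record(p)
        return verdict


# The article's two rules, in the order they are added.
ARTICLE_RULES = [
    Rule("drop", "new", "UNTRUST", "TRUST"),
    Rule("drop", "new", "DMZ", "TRUST"),
]


def run_scenario() -> Dict[str, str]:
    """Constructed traffic: client/server addresses come from the article's
    ranges; 203.0.113.7 is a documentation address standing in for an
    Internet host."""
    fw = ZoneFirewall(ARTICLE_RULES, INTERFACE_LISTS)
    client, server, inet = "10.1.1.5", "100.200.200.10", "203.0.113.7"

    def tcp(i: str, o: str, s: str, sp: int, d: str, dp: int) -> Packet:
        return Packet(i, o, "tcp", s, sp, d, dp)

    r: Dict[str, str] = {}
    # TRUST -> UNTRUST and its reply: first packet is new, the reply is established
    r["client_to_internet"] = fw.forward(tcp("ether4", "ether1", client, 40000, inet, 443))
    r["internet_reply_to_client"] = fw.forward(tcp("ether1", "ether4", inet, 443, client, 40000))
    # UNTRUST -> TRUST unsolicited (rule 1) and DMZ -> TRUST unsolicited (rule 2)
    r["internet_to_client_new"] = fw.forward(tcp("ether1", "ether4", inet, 51000, client, 8291))
    r["server_to_client_new"] = fw.forward(tcp("ether2", "ether4", server, 52000, client, 445))
    # TRUST -> DMZ with its reply, and UNTRUST -> DMZ: all allowed by the policy
    r["client_to_server"] = fw.forward(tcp("ether4", "ether2", client, 40001, server, 80))
    r["server_reply_to_client"] = fw.forward(tcp("ether2", "ether4", server, 80, client, 40001))
    r["internet_to_server"] = fw.forward(tcp("ether1", "ether2", inet, 53000, server, 443))
    return r
```

Running `run_scenario()` shows the property the article relies on: the reply from the Internet to a client is accepted even though it arrives UNTRUST to TRUST, because connection tracking already holds the client's outbound flow and so classifies it as established, while an unsolicited packet in the same direction is new and is dropped by the first rule. The model only evaluates what the two rules express; it deliberately has no "invalid" state, and on a production router the usual practice (a general recommendation, not something the article configures) is to place an accept for established/related traffic and a drop for invalid traffic ahead of these zone rules.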
Reza Moghadam | MikroTik Certified Trainer/Academy Trainer/Academy Coordinator/Consultant