Firewall policies | IP Addresses and Characteristics

This article is part of “Firewalls and Firewall Policy in your Network” series. The starting article is Firewalls and Network Architectures.

Firewall policies should only permit appropriate source and destination IP (Internet Protocol) addresses to be used. Specific recommendations for IP addresses include:

  • Traffic with invalid source or destination addresses should always be blocked, regardless of the firewall location. Examples of relatively common invalid IPv4 (Internet Protocol version 4) addresses are 127.0.0.1 (also known as the localhost address) and 0.0.0.0 (interpreted by some operating systems as a localhost or a broadcast address). These have no legitimate use on a network.
  • Traffic with an invalid source address for incoming traffic or destination address for outgoing traffic (an external address) should be blocked at the network perimeter. This traffic is often caused by malware, spoofing, denial of service attacks, or misconfigured equipment. Two types of invalid external addresses are:
    • An IPv4 address within the ranges in RFC 1918, Address Allocation for Private Internets, that are reserved for private networks. These ranges are 10.0.0.0 to 10.255.255.255 (10.0.0.0/8 in CIDR [Classless Inter-Domain Routing] notation), 172.16.0.0 to 172.31.255.255 (172.16.0.0/12), and 192.168.0.0 to 192.168.255.255 (192.168.0.0/16).
    • An address that is not in an Internet Assigned Numbers Authority (IANA)-designated assigned range. Many organizations publish lists of address ranges that are not valid for Internet use, to help administrators filter invalid external IPv4 addresses. These lists are called bogon lists and are based on close monitoring of IANA-assigned ranges.
      If you use such lists for blocking traffic, it is very important to update them at least weekly: failing to do so will probably prevent your users from communicating with new, legitimate sites whose IP addresses were assigned from ranges that appeared on the older lists.
  • Traffic with a private destination address for incoming traffic, or a private source address for outgoing traffic (an internal address), should be blocked at the network perimeter. To permit internal hosts with private addresses to communicate through the perimeter, the perimeter devices can perform address translation services, but private addresses should not be passed through the network perimeter.
  • Incoming traffic with a destination address of the firewall itself should be blocked unless the firewall is offering services for incoming traffic that require direct connections—for example, if the firewall is acting as an application proxy.

Organizations should also block the following types of traffic at the perimeter:

  • Traffic containing IP source routing information, which allows a system to specify the routes that packets will employ while traveling from source to destination. This could potentially permit an attacker to construct a packet that bypasses network security controls. IP source routing is rarely used on modern networks, and valid applications are even less common on the Internet.
  • Traffic containing directed broadcast addresses, which are broadcast addresses that are not in the same subnet as the originator. Any system that responds to the directed broadcast will then send its response to the system specified by the source, rather than to the source system itself. These packets can be used to create huge “storms” of network traffic for denial of service attacks.

Firewalls at the network perimeter should block all incoming traffic to networks and hosts that should not be accessible from external networks. These firewalls should also block all outgoing traffic from the organization’s networks and hosts that should not be permitted to access external networks.

Deciding which addresses should be blocked is often one of the most time-consuming aspects of developing firewall IP policies. It is also one of the most error-prone, because the IP address associated with an undesired entity often changes over time.
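The address recommendations in both lists above, expressed as a single policy check. This is an added example, not code from the original article or from any firewall product; the organization's public range, the firewall address, the external host in the test, and the minimal bogon list are constructed values (RFC 5737 documentation space), and the packet is assumed to be seen on the firewall's external interface, so outgoing traffic has already been address-translated.

```python
import ipaddress

# Constructed values for this example: the organization's own public range and the
# firewall's external address (RFC 5737 documentation space, not real hosts).
ORG_NETS = [ipaddress.ip_network("198.51.100.0/24")]
FIREWALL_ADDR = ipaddress.ip_address("198.51.100.1")

# Minimal bogon list: address space with no legitimate use on the Internet. A real
# deployment loads a maintained bogon list and refreshes it at least weekly.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8",                       # unspecified and loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
)]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def perimeter_verdict(direction, src, dst, firewall_is_proxy=False,
                      source_routed=False, bogons=BOGONS):
    """Decide whether a packet seen on the firewall's EXTERNAL interface may pass.

    direction is "in" (arriving from the Internet) or "out" (leaving towards the
    Internet, i.e. after address translation). Returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Loopback and 0.0.0.0 are invalid anywhere, whatever the firewall's location.
    for addr in (src, dst):
        if addr.is_loopback or addr.is_unspecified:
            return "drop", f"invalid address {addr}"
    # Private or unassigned space must never cross the perimeter in either
    # direction: spoofed/bogon sources on the way in, leaked internal addresses
    # on the way out, and the converse pair of cases.
    if in_any(src, bogons) or in_any(dst, bogons):
        return "drop", "RFC 1918 or bogon address on the external side of the perimeter"
    # IP source routing lets the sender dictate the path; block it at the perimeter.
    if source_routed:
        return "drop", "IP source routing option present"
    if direction == "in":
        # Directed broadcast: destination is the broadcast address of one of our subnets.
        if any(dst == net.broadcast_address for net in ORG_NETS):
            return "drop", "directed broadcast"
        # Traffic addressed to the firewall itself, unless it proxies a service.
        if dst == FIREWALL_ADDR and not firewall_is_proxy:
            return "drop", "destination is the firewall itself"
    return "accept", "address policy satisfied"
```

The `bogons` parameter is where a freshly downloaded list would be passed in, which keeps the weekly-refresh requirement separate from the policy logic.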


10 Responses to “Firewall policies | IP Addresses and Characteristics”

  1. Bryan says:

    How can I transfer Norton Internet Security to my computer from laptop without a cd?

    My laptop came installed with Symantec Norton Internet Security Suite and it says I can use it on up to 3 computers; the problem is, the software didn’t come with a disc.

  2. admin says:

    Go to the Symantec site, download a trial version of your software, then install it and use your serial to activate the software.

  3. Optimus says:

    I am moving from dial-up to Comcast. What should I use for online security with Comcast internet cable? I have Norton Internet Security Suite.

  4. admin says:

    It is good you already have a security suite; you can buy a firewalled router because a hardware firewall is better than a software one.

  5. Julia says:

    What are the primary vectors for compromising Windows systems remotely?

  6. admin says:

    1. Authentication spoofing
    2. Network services
    3. Client vulnerabilities
    4. Device drivers

  7. Hoff says:

    What is LIDS?

  8. admin says:

    LIDS (Linux Intrusion Detection System) is a program that you can use as a preventative measure for your Linux systems against hacker attacks.

  9. Koala says:

    What are the Cyber Crimes?

  10. admin says:

    Unlawful access to information
    Illegal interception of information
    Unlawful use of telecommunication equipment
    Forgery with use of computer measures
    Intrusions of the Public Switched and Packet Network
    Network integrity violations
    Privacy violations
    Industrial espionage
    Pirated computer software
    Fraud using a computing system
    Internet/email abuse
    Using computers or computer technology to commit murder, terrorism, pornography, and hacking.

  11. Ken says:

    interesting post

  12. P. Silva says:

    a very good article about Firewall policies | IP Addresses and Characteristics

Copyright © 2008 Home Automation - JAEC - All the rights reserved