pag1_chapter_08_deploying the alteon switched firewall

Upload: vickey-bhargav

Post on 07-Apr-2018


  • 8/6/2019 PAG1_Chapter_08_Deploying the Alteon Switched Firewall

    1/18

    Prescriptive Architecture Guide, Version 1.5

    Chapter 8: Deploying the Firewalls

    Abstract

    The network architecture forms the basis for any e-commerce Web site. This document describes the implementation process for installing the various Nortel Networks firewalls that are required to provide security for the Microsoft Systems Architecture (MSA) Internet Data Center (IDC) environment.


    Copyright 2002 EMC Corporation. All rights reserved.

    EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

    THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

    Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

    Trademark Information

    EMC2, EMC, and Symmetrix are registered trademarks and EMC Enterprise Storage, The Enterprise Storage Company, The EMC Effect, Connectrix, CLARiiON, EMC ControlCenter, ESN Manager, and EMC Navisphere are trademarks of EMC Corporation.

    Microsoft, Windows, Windows NT, Active Directory, ActiveX, JScript, NetMeeting, SQL Server, and Visual Basic are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


    CONTENTS

    INTRODUCTION 1
      Design Considerations 1
      System Requirements 2
    ALTEON SWITCHED FIREWALL 3
      Procuring Hardware 3
      Implementation 3
    PERIMETER FIREWALL 3
    INTERNAL FIREWALL 6
    VPN INSTALLATION 8
      VPN Network Configuration 9
      VPN Install Checklist 9
      Logging on to the Contivity 9
      Configuring the Interfaces 9
    CONTIVITY VPN: CREATE A GROUP FOR LDAP AUTHENTICATION 10
    ENABLE THE LDAP AUTHENTICATION SERVER 11
    ADD LDAP AS AN IPSEC AUTHENTICATION OPTION 12
    CORPORATE NETWORK FIREWALL 13
    SUMMARY 14
      Additional Information 14


    Prescriptive Architecture Guide, Chapter 8, Deploying the Firewalls 1

    INTRODUCTION

    This chapter details the various firewall configurations that are used as part of the Internet Data Center architecture and details how they are deployed.

    This chapter assumes that the reader has a basic understanding of networking terminology and is experienced with networking techniques and firewalls.

    Note: Due to several references to Web-based information resources, it would be helpful to review this document with Web-browser access to the Internet.

    Design Considerations

    The following are the three logical firewall configurations implemented as part of the Internet Data Center architecture:

    Perimeter firewall
    Internal firewall
    Virtual private network (VPN) firewall

    The following diagram provides an overview of the logical positioning of these firewalls in the Internet Data Center architecture.

    [Figure 8.1 Firewall Logical Positioning. Diagram labels: Internet; Perimeter Firewall (PFW01,02); DMZ: Web Servers, DNS Servers; VPN Firewall (VPN01,02); Internal Firewall (IFW01,02); Infrastructure: Domain Controllers; Data / Management: SQL Servers, Backup]

    The Microsoft Internet Data Center Reference Architecture Guide prescribes that the Perimeter and Internal firewalls be implemented on separate physical devices to deliver the highest level of security. For this Internet Data Center architecture, Nortel Networks implemented the Internal and External firewalls through separate DMZs partitioned on


    ALTEON SWITCHED FIREWALL

    The Alteon Switched Firewall is a multi-component solution managed as a single system. It is a tight integration of two key components: an Alteon Switched Firewall Accelerator plus up to six Alteon Switched Firewall Directors. For the Internet Data Center configuration, there are two Alteon Switched Firewall Directors for high availability. Each pair contains one Accelerator and one Director. The software is a combination of the Alteon Switched Firewall OS, providing session acceleration and switching functionality, Check Point FireWall-1 Next Generation software, and Check Point's SecureXL technology.

    Table 8.1 Procuring Hardware

    Quantity (Baseline + Spare) | Modules | Part Number | Description
    2+1 | SFD | EB1639E01 | iSD310-SFD Switched Firewall Director (includes North American power cord)
    2+1 | SFA | EB1639E02 | SFA-184 Switched Firewall Accelerator (includes North American power cord)
    1 | Dedicated Management Server, Windows 2000 SP2 | | Enterprise Management Console / Check Point Windows 2000 Server running SP2

    Implementation

    Due to the complex and customer-specific nature of the Alteon Switched Firewall (ASF), installations must be completed by a Nortel Networks certified ASF installation team. Information in this chapter is provided for architectural comprehension. It is not intended for use in implementing the Alteon Switched Firewall configuration in the IDC Architecture. Nortel Networks offers installation options that can be negotiated by contacting your local Nortel Networks Sales representative. Nortel Networks basic offerings may include the following:


    4 Microsoft Systems Architecture Internet Data Center

    Alteon Switched Firewall Install Services Offerings

    Design Engineer
      Assist in design and validation of architecture
      Available for duration of project

    Implementation Engineer
      Installation of hardware in the rack
      Configuration of equipment to architecture specification
      Test configured services for functionality
      Provide quick start training
      Responsible for deliverables (Network Diagram, IP List, and Configurations)

    Project Manager
      Oversees project end-to-end
      Handles engagement logistics
      Responsible for initial engagement


    INTERNAL FIREWALL

    The internal firewall provides an additional layer of protection for all systems and networks that reside behind the DMZ for the Internet Data Center architecture. The purpose of this firewall is to filter all incoming traffic from the DMZ and to allow only application-specific service calls to reach specified systems and networks that support the Internet Data Center architecture. These service calls may include calls and queries to the SQL Server system, monitoring and logging queries specified by the management systems, and calls to the Microsoft Active Directory directory service. The Alteon Switched Firewall that serves as the perimeter firewall also serves as the internal firewall, using Alteon's ability to support virtual private firewalls within a single configuration.

    The private side of the Alteon Switched Firewall's front-end interface connects to the public ASF VLAN DMZ1, and its back-end interface connects to the private ASF VLAN DMZ2. Alteon Switched Firewall provides an added level of security as an application-layer firewall: inbound session traffic from the IIS and DNS servers destined to internal servers, such as the domain controllers, will be established with the Alteon Switched Firewall on its VLAN Infrastructure interface. Alteon Switched Firewall will then verify that the TCP/IP packets are valid and establish a new session to the destination server on behalf of IIS or DNS through its DMZ interface. For outbound traffic initiated from internal servers, such as DNS forwarding, the specific TCP or User Datagram Protocol (UDP) ports must be configured on Alteon Switched Firewall to allow the communication to take place. By default, all TCP and UDP ports are blocked on the VLAN Data_Management network interface of the Alteon Switched Firewall and are not allowed to pass through the firewall until rules are created to open the appropriate ports.

    In support of network high availability, in which multiple network switches are implemented for redundancy, two Alteon Switched Firewalls are deployed and clustered using VRRP.


    Creating Protocol Definitions

    To support the Internet Data Center configuration, Alteon Switched Firewall is configured to support the following ports and protocols.

    Table 8.1 New Protocol Definitions

    Protocol Definition Name | Internal Connection Port Number | Initial Protocol Type | Initial Direction
    Direct Host (TCP) | 445 | TCP | Inbound
    Kerberos (UDP) | 88 | UDP | Receive and then Send
    LDAP (TCP) | 389 | TCP | Inbound
    LDAP (UDP) | 389 | UDP | Receive and then Send
    NTP (UDP) | 123 | TCP | Inbound
    MOM (TCP) | 1270 | TCP | Inbound
    AppMgmt2 (TCP) | 9998 | TCP | Inbound
    AppMgmt3 (TCP) | 9999 | TCP | Inbound
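The internal-firewall policy described above (all ports closed on the Data_Management interface until a rule opens them, DMZ-initiated flows allowed only per the protocol definitions in Table 8.1, replies allowed only for sessions the firewall already holds) can be checked against sample flows with the following model. This is an added example, not Nortel or Check Point code; the zone names, addresses and the `InternalFirewall` class are assumptions made for the illustration.

```python
"""Model of the internal-firewall policy described above: every TCP/UDP port on
the Data_Management interface is closed until a rule opens it, and Table 8.1's
protocol definitions are the rules for DMZ-initiated traffic.  Added example,
not Nortel or Check Point code; addresses below are constructed placeholders."""
from dataclasses import dataclass

# Table 8.1 as printed: name -> (port, transport, initial direction).
PROTOCOL_DEFINITIONS = {
    "Direct Host (TCP)": (445, "TCP", "Inbound"),
    "Kerberos (UDP)": (88, "UDP", "Receive and then Send"),
    "LDAP (TCP)": (389, "TCP", "Inbound"),
    "LDAP (UDP)": (389, "UDP", "Receive and then Send"),
    "NTP (UDP)": (123, "TCP", "Inbound"),  # transport exactly as the table prints it
    "MOM (TCP)": (1270, "TCP", "Inbound"),
    "AppMgmt2 (TCP)": (9998, "TCP", "Inbound"),
    "AppMgmt3 (TCP)": (9999, "TCP", "Inbound"),
}

@dataclass(frozen=True)
class Packet:
    src_zone: str   # "DMZ" (IIS/DNS side) or "INTERNAL" (domain controllers, SQL, management)
    dst_zone: str
    transport: str  # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class InternalFirewall:
    def __init__(self, definitions):
        self.inbound = {(t, p): d for p, t, d in definitions.values()}  # DMZ-initiated
        self.outbound = set()  # (transport, port) opened by an administrator-created rule
        self.sessions = set()  # (transport, client_ip, client_port, server_ip, server_port)

    def add_outbound_rule(self, transport, port):
        """Rule for traffic internal servers initiate, e.g. DNS forwarding."""
        self.outbound.add((transport, port))

    def evaluate(self, pkt):
        """Return (verdict, reason); allowed new flows are recorded as sessions."""
        forward = (pkt.transport, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.transport, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.sessions:
            return "ALLOW", "reply within an established session"
        key = (pkt.transport, pkt.dst_port)
        if pkt.src_zone == "DMZ" and pkt.dst_zone == "INTERNAL":
            if key not in self.inbound:
                return "DENY", "port closed by default on Data_Management"
            self.sessions.add(forward)
            return "ALLOW", self.inbound[key]
        if pkt.src_zone == "INTERNAL" and key in self.outbound:
            self.sessions.add(forward)
            return "ALLOW", "administrator-created outbound rule"
        return "DENY", "traffic initiated from the internal side needs an explicit rule"

if __name__ == "__main__":
    fw = InternalFirewall(PROTOCOL_DEFINITIONS)
    web, dc = "10.0.1.10", "10.0.2.10"  # constructed: a DMZ web server and a domain controller
    print(fw.evaluate(Packet("DMZ", "INTERNAL", "TCP", web, 40000, dc, 389)))   # ALLOW
    print(fw.evaluate(Packet("INTERNAL", "DMZ", "TCP", dc, 389, web, 40000)))   # ALLOW (reply)
    print(fw.evaluate(Packet("INTERNAL", "DMZ", "UDP", dc, 50000, web, 53)))    # DENY until a rule exists
    fw.add_outbound_rule("UDP", 53)
    print(fw.evaluate(Packet("INTERNAL", "DMZ", "UDP", dc, 50000, web, 53)))    # ALLOW
```

The DNS-forwarding case shows the outbound side of the policy: an internal server's own query is denied until an administrator adds the rule the text calls for.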


    VPN INSTALLATION

    This firewall solution uses the Contivity 4600 as the VPN firewall, which provides all VPN access both to and from the Internet Data Center architecture. The purpose of this firewall is to allow VPN access for secure inbound remote management access as well as partner extranet access for maintaining databases and catalogs.

    Nortel Contivity 4600

    The Nortel Contivity 4600 solution is one of the options in the Contivity product line. The Contivity 4600 provides a firewall, advanced routing features, a dual, redundant, auto-switching power supply system with dual line cords, and a dual, redundant storage system. The Contivity also supports single-port V.35/X.21, dual-port V.35, T1 with integrated CSU/DSU, High-Speed Serial Interface (HSSI), and encryption accelerator cards.

    Table 2.7 Nortel Contivity 4600 configuration

    Quantity (Baseline + Spare) | Modules | Part Number | Description
    2+1 | Contivity 4600 | DM1401061 | Contivity 4600, 5000 Tunnels, 5 PCI Exp slots, Dual 10/100 Ethernet LAN Ports, Dual Redundant Power Supply & Storage Sys, Svr S/W w/128-bit Encryption, Unltd license for IPsec Client S/W
    2+1 | Encryption Accelerator Card | DM0011051 | Encryption Accelerator Card (FACTORY INSTALL) for use in the Contivity 2500/2600/4500 only
    2 | Contivity Advanced Routing | DM0016007 | Contivity Advanced Routing License including OSPF, VRRP, IETF Differentiated Services, and Bandwidth Management for the Contivity 4X00 Series (Minimum Required Software: V3.50).
    2 | Power Cord | 7919 | Model 7919 10A/110-120V North America (U.S., Canada, Mexico, South Korea)


    VPN Network Configuration

    In the Internet Data Center architecture, two Contivity gateways were deployed in support of remote management and extranet access. The Contivity gateways were clustered for high availability on the public side of the Alteon Web Switched Modules, and their internal network interfaces connected to VLAN Data Management. Load balancing and stateful failover are integral to the Contivity VPN to provide a highly available solution, ensuring that the Internet client will always connect through the same VPN server.

    VPN Install Checklist

    To complete the VPN installation you will be required to provide three IP addresses. You will need two IP addresses for the Private subnet and one IP address for the Public Interface. You will need to know both the Public and Private default routes (see Chapter 2 for network configuration). You will need to know the DNS and/or WINS server IP addresses that will be used by your clients. Choose an addressing method (DHCP, Pool, or Static) for clients.

    Logging on to the Contivity

    Use the provided serial cable to initially configure the Contivity. Set up a terminal session (9600, N, 1) to the console port of the Contivity.

    Configuring the Interfaces

    After you have connected the console cable to the Contivity switch you will need to configure the Public, Private, and Management Interfaces.

    1. Log in with the default Administrator's Username and Password.

    2. Enter 1 to assign interface addresses. This screen shows both the private and public interfaces with default configurations.

    3. Select 0 for the Private Interface or 1 for the Public Interface.

    Notes

    One IP address is for Management traffic.
    The second IP address (on the same subnet) is for tunnel traffic.
    RADIUS requests, traps, etc. will come from the Management address. Remember this point when defining Contivity as a RADIUS client.
    The tunnel address should be used for the route to branch offices, and can be advertised via RIP or OSPF.

    Type R to return to the main menu.

    5. Type E to exit and save changes. You should now be able to access the Contivity through your browser.


    CONTIVITY VPN: CREATE A GROUP FOR LDAP AUTHENTICATION

    If a group does not already exist for this purpose, one may be created using the following procedure:

    1. Select Profiles, Groups, Add. Whether a group already exists or is newly created, you also need to ensure the proper options are set within the group profile.

    2. Edit the appropriate group by selecting Profiles, Groups, Edit and then select Configure (next to the IPSec section).

    3. Select User Name and Password authentication in the Radius Authentication section.

    4. The external LDAP authentication has the same requirements as RADIUS for Group ID and Password, so these must be set as well.

    5. Click OK at the bottom of the screen.

    The Contivity VPN Client will be configured as if it were authenticating via RADIUS. That is, the Group Security Authentication option needs to be selected, the Group ID and Group Password fields filled in, and the Group Password Authentication option selected.


    ENABLE THE LDAP AUTHENTICATION SERVER

    After connecting to your Contivity, log in to the web interface and follow the steps below to configure the Contivity for LDAP Authentication. The Servers / LDAP Auth page, illustrated below, is where the information needed to bind to Active Directory is specified.

    1. Select Enable Access to LDAP Authentication Server and then the appropriate default group from the group pull-down.

    2. Enter the IP address of the Active Directory server. Select the port used to communicate with the LDAP server. The standard LDAP port (389) is depicted in the screen shot below. However, you can use SSL for communication between the Contivity and the LDAP server.

    3. Specify the Base DN from which to search for users.

    Note: The full name for the server in this deployment is MSADC1.EMC.MSAIDC.COM. The domain is EMC.MSAIDC.COM. The search base used was therefore dc=EMC, dc=MSAIDC, dc=com. Here the Bind DN specified is cn=LDAP Authentication, cn=Users, dc=EMC, dc=MSAIDC, dc=com. This is an account created under the Users group in Windows 2000 Active Directory Users and Computers.

    4. After entering the above information, scroll down this screen. The Username/Password Access and Policy Attributes sections are displayed. Specify the field that contains the username. For Active Directory, this is sAMAccountName. This is the minimum amount of information required to make the external LDAP Authentication work with Active Directory.
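The settings entered in the steps above (search base derived from the domain, Bind DN, port with or without SSL, and the sAMAccountName user-name attribute) can be checked offline before the server is enabled. This is an added example, not Nortel code; the `LdapAuthSettings` class and `check_settings` function are assumptions, the DN values are the ones the text quotes, and the server address is a constructed placeholder.

```python
"""Offline checks for the Contivity LDAP Authentication settings in the steps
above (Base DN, Bind DN, port/SSL, user-name attribute).  Added example, not
Nortel code; DN values are the ones the text quotes, the address is constructed."""
from dataclasses import dataclass

def base_dn_from_domain(domain: str) -> str:
    """Search base derived from the AD DNS domain: EMC.MSAIDC.COM -> dc=EMC,dc=MSAIDC,dc=COM."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a submitted user name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def user_search_filter(attribute: str, username: str) -> str:
    """The per-user lookup performed under the Base DN, e.g. (sAMAccountName=jdoe)."""
    return f"({attribute}={escape_filter_value(username)})"

def _normalize_dn(dn: str) -> str:
    return ",".join(part.strip() for part in dn.split(",")).lower()

@dataclass
class LdapAuthSettings:
    server: str
    port: int
    use_ssl: bool
    base_dn: str
    bind_dn: str
    username_attribute: str

def check_settings(s: LdapAuthSettings) -> list:
    """Findings a reviewer would raise before enabling the LDAP server."""
    findings = []
    if not s.use_ssl:
        findings.append(f"port {s.port} without SSL: bind and user credentials cross the network in cleartext")
    if not _normalize_dn(s.bind_dn).endswith(_normalize_dn(s.base_dn)):
        findings.append("bind DN is outside the search base DN")
    if s.username_attribute != "sAMAccountName":
        findings.append("Active Directory logon names are held in sAMAccountName")
    return findings

# Values quoted in the text; the address stands in for MSADC1.EMC.MSAIDC.COM.
DEPLOYMENT = LdapAuthSettings(
    server="192.0.2.10",
    port=389,
    use_ssl=False,
    base_dn="dc=EMC, dc=MSAIDC, dc=com",
    bind_dn="cn=LDAP Authentication, cn=Users, dc=EMC, dc=MSAIDC, dc=com",
    username_attribute="sAMAccountName",
)

if __name__ == "__main__":
    print(base_dn_from_domain("EMC.MSAIDC.COM"))
    print(user_search_filter(DEPLOYMENT.username_attribute, "jdoe"))
    for finding in check_settings(DEPLOYMENT):
        print("finding:", finding)
```

Run against the values in the text, the only finding is the plain port 389: the bind account's password and every user's credentials cross VLAN Data Management unprotected unless the SSL option mentioned in step 2 is used.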


    ADD LDAP AS AN IPSEC AUTHENTICATION OPTION

    On the Services / IPsec screen, the order in which the various authentication options are attempted is specified. First, LDAP must be added as an option, as shown in the screen captures below. After adding LDAP Authentication as an option, the order in which the options are tried may be adjusted. Click the Swap Server Order 2 and 3 button to try LDAP before RADIUS.


    CORPORATE NETWORK FIREWALL

    You may want to use a firewall to provide secure access to the Internet Data Center for a connection to the company's own corporate network. The firewall would be connected to its own VLAN and would manage all data communications to the Internet Data Center from the corporate network.

    If your company requires a connection directly between the Internet Data Center environment and its corporate network, Alteon Switched Firewall can provide the required performance, security, and flexibility for this connection. Discuss this option with your Nortel Networks Alteon Switched Firewall certified implementer.


    SUMMARY

    This chapter is intended to provide the specifications and procedures required to build the firewall configurations used in the Microsoft Internet Data Center architecture.

    By following the specifications and procedures in this document and applying the site-specific aspects of your environment, you can build all the firewall configurations required to secure your implementation of the Internet Data Center architecture.

    Note: A number of topics have been classed as beyond the scope of the current version of this document and, therefore, were intentionally excluded. Future documentation will provide guidance for implementing these features.

    Additional Information

    For more information about Nortel Networks Alteon Switched Firewall see:

    http://www.nortelnetworks.com/products/01/alteon/asf/index.html
