8/6/2019 PAG1_Chapter_08_Deploying the Alteon Switched Firewall
1/18
Version 1.5
Chapter 8
Deploying the Firewalls
Prescriptive Architecture Guide
Abstract
The network architecture forms the basis for any e-commerce Web site. This document
describes the implementation process for installing the various Nortel Networks firewalls
that are required to provide security for the Microsoft Systems Architecture (MSA)
Internet Data Center (IDC) environment.
Copyright 2002 EMC Corporation. All rights reserved.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
Trademark Information
EMC2, EMC, and Symmetrix are registered trademarks and EMC Enterprise Storage, The Enterprise Storage Company, The EMC Effect, Connectrix, CLARiiON, EMC ControlCenter, ESN Manager, and EMC Navisphere are trademarks of EMC Corporation.
Microsoft, Windows, Windows NT, Active Directory, ActiveX, JScript, NetMeeting, SQL Server, and Visual Basic are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
CONTENTS

INTRODUCTION 1
  Design Considerations 1
  System Requirements 2
ALTEON SWITCHED FIREWALL 3
  Procuring Hardware 3
  Implementation 3
PERIMETER FIREWALL 3
INTERNAL FIREWALL 6
VPN INSTALLATION 8
  VPN Network Configuration 9
  VPN Install Checklist 9
  Logging on to the Contivity 9
  Configuring the Interfaces 9
CONTIVITY VPN: CREATE A GROUP FOR LDAP AUTHENTICATION 10
ENABLE THE LDAP AUTHENTICATION SERVER 11
ADD LDAP AS AN IPSEC AUTHENTICATION OPTION 12
CORPORATE NETWORK FIREWALL 13
SUMMARY 14
  Additional Information 14
Prescriptive Architecture Guide, Chapter 8, Deploying the Firewalls 1
INTRODUCTION

This chapter details the various firewall configurations that are used as part of the Internet Data Center architecture and details how they are deployed.

This chapter assumes that the reader has a basic understanding of networking terminology and is experienced with networking techniques and firewalls.

Note: Due to several references to Web-based information resources, it would be helpful to review this document with Web-browser access to the Internet.

Design Considerations

The following are the three logical firewall configurations implemented as part of the Internet Data Center architecture:

- Perimeter firewall
- Internal firewall
- Virtual private network (VPN) firewall

The following diagram provides an overview of the logical positioning of these firewalls in the Internet Data Center architecture.

[Figure 8.1 Firewall Logical Positioning: Internet; Perimeter Firewall (PFW01,02); VPN Firewall (VPN01,02); DMZ (Web Servers, DNS Servers); Internal Firewall (IFW01,02); Infrastructure (Domain Controllers); Data / Management (SQL Servers, Backup)]

The Microsoft Internet Data Center Reference Architecture Guide prescribes that the Perimeter and Internal firewalls be implemented on separate physical devices to deliver the highest level of security. For this Internet Data Center architecture, Nortel Networks implemented the Internal and External firewalls through separate DMZs partitioned on
ALTEON SWITCHED FIREWALL

The Alteon Switched Firewall is a multi-component solution managed as a single system. It is a tight integration of two key components: an Alteon Switched Firewall Accelerator plus up to six Alteon Switched Firewall Directors. For the Internet Data Center configuration, there are two Alteon Switched Firewall Directors for high availability. Each pair contains one Accelerator and one Director. The software is a combination of the Alteon Switched Firewall OS, providing session acceleration and switching functionality, Check Point FireWall-1 Next Generation software, and Check Point's SecureXL technology.

Table 8.1 Procuring Hardware

Quantity (Baseline + Spare) | Modules | Part Number | Description
2+1 | SFD | EB1639E01 | iSD310-SFD Switched Firewall Director (includes North American power cord)
2+1 | SFA | EB1639E02 | SFA-184 Switched Firewall Accelerator (includes North American power cord)
1 | Dedicated Management Server, Windows 2000 SP2 | | Enterprise Management Console / Check Point on Windows 2000 Server running SP2

Implementation

Due to the complex and customer-specific nature of the Alteon Switched Firewall (ASF), installations must be completed by a Nortel Networks certified ASF installation team. Information in this chapter is provided for architectural comprehension. It is not intended for use in implementing the Alteon Switched Firewall configuration in the IDC Architecture. Nortel Networks offers installation options that can be negotiated by contacting your local Nortel Networks Sales representative. Nortel Networks basic offerings may include the following:
4 Microsoft Systems Architecture Internet Data Center
Alteon Switched Firewall Install Services Offerings

Design Engineer
- Assist in design and validation of architecture
- Available for duration of project

Implementation Engineer
- Installation of hardware in the rack
- Configuration of equipment to architecture specification
- Test configured services for functionality
- Provide quick start training
- Responsible for deliverables (Network Diagram, IP List, and Configurations)

Project Manager
- Oversees project end-to-end
- Handles engagement logistics
- Responsible for initial engagement
INTERNAL FIREWALL

The internal firewall provides an additional layer of protection for all systems and networks that reside behind the DMZ for the Internet Data Center architecture. The purpose of this firewall is to filter all incoming traffic from the DMZ and to allow only application-specific service calls to reach specified systems and networks that support the Internet Data Center architecture. These service calls may include calls and queries to the SQL Server system, monitoring and logging queries specified by the management systems, and calls to the Microsoft Active Directory directory service. The Alteon Switched Firewall that serves as the perimeter firewall also serves as the internal firewall, using Alteon's ability to support virtual private firewalls within a single configuration.

The private side of the Alteon Switched Firewall's front-end interface connects to the public ASF VLAN DMZ1 and its back-end interface connects to the private ASF VLAN DMZ2. Alteon Switched Firewall provides an added level of security as an application-layer firewall, in which inbound session traffic from the IIS and DNS servers destined for internal servers, such as the domain controllers, is established with the Alteon Switched Firewall on its VLAN Infrastructure interface. Alteon Switched Firewall then verifies that the TCP/IP packets are valid and establishes a new session to the destination server on behalf of IIS or DNS through its DMZ interface. For outbound traffic initiated from internal servers, such as DNS forwarding, the specific TCP or User Datagram Protocol (UDP) ports must be configured on Alteon Switched Firewall to allow the communication to take place. By default, all TCP and UDP ports are blocked on the VLAN Data_Management network interface of the Alteon Switched Firewall and are not allowed to pass through the firewall until rules are created to open the appropriate ports.

In support of network high availability, in which multiple network switches are implemented for redundancy, two Alteon Switched Firewalls are deployed and clustered using VRRP.
Creating Protocol Definitions

To support the Internet Data Center configuration, Alteon Switched Firewall is configured to support the following ports and protocols.

Table 8.1 New Protocol Definitions

Protocol Definition Name | Internal Connection Port Number | Initial Protocol Type | Initial Direction
Direct Host (TCP) | 445 | TCP | Inbound
Kerberos (UDP) | 88 | UDP | Receive and then Send
LDAP (TCP) | 389 | TCP | Inbound
LDAP (UDP) | 389 | UDP | Receive and then Send
NTP (UDP) | 123 | TCP | Inbound
MOM (TCP) | 1270 | TCP | Inbound
AppMgmt2 (TCP) | 9998 | TCP | Inbound
AppMgmt3 (TCP) | 9999 | TCP | Inbound
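As an added illustration (not part of the guide and not Nortel's or Check Point's code), the following Python models the default-deny behaviour described for the internal firewall together with the definitions in Table 8.1, including the "Receive and then Send" handling of the UDP entries, where a reply from the internal side passes only if a matching request was seen first. Hostnames and port numbers in the trace are constructed.

```python
# Added example (not the guide's or Nortel's code): a default-deny model of the
# internal firewall built from Table 8.1; hosts and ports below are constructed.
from dataclasses import dataclass, field

# (definition name, port, protocol, initial direction) as listed in Table 8.1
PROTOCOL_DEFINITIONS = [
    ("Direct Host (TCP)", 445, "TCP", "Inbound"),
    ("Kerberos (UDP)", 88, "UDP", "Receive and then Send"),
    ("LDAP (TCP)", 389, "TCP", "Inbound"),
    ("LDAP (UDP)", 389, "UDP", "Receive and then Send"),
    ("NTP (UDP)", 123, "TCP", "Inbound"),
    ("MOM (TCP)", 1270, "TCP", "Inbound"),
    ("AppMgmt2 (TCP)", 9998, "TCP", "Inbound"),
    ("AppMgmt3 (TCP)", 9999, "TCP", "Inbound"),
]

@dataclass
class InternalFirewall:
    """Filter between the DMZ (IIS/DNS) and the internal VLANs; default deny."""
    rules: dict = field(default_factory=dict)   # (proto, service port) -> (name, direction)
    pending: set = field(default_factory=set)   # UDP requests still awaiting a reply

    def __post_init__(self):
        for name, port, proto, direction in PROTOCOL_DEFINITIONS:
            self.rules[(proto, port)] = (name, direction)

    def evaluate(self, src, sport, dst, dport, proto, direction):
        """Verdict for one SYN or datagram; direction is 'inbound' (DMZ ->
        internal) or 'outbound' (internal -> DMZ)."""
        if direction == "inbound":
            rule = self.rules.get((proto, dport))
            if rule is None:
                return "DROP"                                # no definition: default deny
            if rule[1] == "Receive and then Send":
                self.pending.add((dst, dport, src, sport))   # permit the reply leg later
            return "ACCEPT"
        # outbound: only the reply leg of a 'Receive and then Send' definition
        # passes; anything else (e.g. DNS forwarding) needs an explicit rule
        rule = self.rules.get((proto, sport))
        key = (src, sport, dst, dport)
        if rule and rule[1] == "Receive and then Send" and key in self.pending:
            self.pending.discard(key)
            return "ACCEPT"
        return "DROP"

def sample_trace():
    """Constructed traffic between a DMZ web server and internal DC/SQL hosts."""
    fw = InternalFirewall()
    return [
        fw.evaluate("web01", 40000, "dc01", 445, "TCP", "inbound"),    # Direct Host
        fw.evaluate("web01", 40001, "dc01", 88, "UDP", "inbound"),     # Kerberos request
        fw.evaluate("dc01", 88, "web01", 40001, "UDP", "outbound"),    # its reply
        fw.evaluate("dc01", 88, "web01", 40002, "UDP", "outbound"),    # unsolicited
        fw.evaluate("web01", 40003, "sql01", 1433, "TCP", "inbound"),  # no definition
        fw.evaluate("dc01", 40004, "web01", 53, "UDP", "outbound"),    # DNS forwarding
    ]
```

The last entry in the trace is dropped for the reason the text gives: outbound traffic such as DNS forwarding passes only once a specific port rule has been created for it.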
VPN INSTALLATION

This firewall solution uses the Contivity 4600 as the VPN firewall, which provides all VPN access both to and from the Internet Data Center architecture. The purpose of this firewall is to allow VPN access for secure inbound remote management access as well as partner extranet access for maintaining databases and catalogs.

Nortel Contivity 4600

The Nortel Contivity 4600 solution is one of the options in the Contivity product line. The Contivity 4600 provides:

- Firewall
- Advanced routing features
- Dual, redundant, auto-switching power supply system with dual line cords
- Dual, redundant storage system

The Contivity also supports Single-port V.35/X.21, Dual-port V.35, T1 with integrated CSU/DSU, High-Speed Serial Interface (HSSI), and Encryption accelerator cards.

Table 2.7 Nortel Contivity 4600 configuration

Quantity (Baseline + Spare) | Modules | Part Number | Description
2+1 | Contivity 4600 | DM1401061 | Contivity 4600, 5000 Tunnels, 5 PC Exp slots, Dual 10/100 Ethernet LAN Ports, Dual Redundant Power Supply & Storage Sys, Svr S/W w/128-bit Encryption, Unltd license for IPsec Client S/W
2+1 | Encryption Accelerator Card | DM0011051 | Encryption Accelerator Card (FACTORY INSTALL) for use in the Contivity 2500/2600/4500 only
2 | Contivity Advanced Routing | DM0016007 | Contivity Advanced Routing License including OSPF, VRRP, IETF Differentiated Services, and Bandwidth Management for the Contivity 4X00 Series (Minimum Required Software: V3.50)
2 | Power Cord | 7919 | Model 7919 10A/110-120V North America (U.S., Canada, Mexico, South Korea)
VPN Network Configuration

In the Internet Data Center architecture, two Contivity gateways were deployed in support of remote management and extranet access. The Contivity gateways were clustered for high availability on the public side of the Alteon Web Switched Modules and their internal network interfaces connected to VLAN Data Management. Load balancing and stateful fail-over are integral to the Contivity VPN to provide a highly available solution, ensuring that the Internet client will always connect through the same VPN server.

VPN Install Checklist

To complete the VPN installation you will be required to provide three IP addresses: two IP addresses for the Private subnet, and one IP address for the Public Interface. You will need to know both the Public and Private default routes (see Chapter 2 for network configuration). You will need to know the DNS and/or WINS Server IP addresses that will be used by your clients. Choose an addressing method (DHCP, Pool, or Static) for clients.

Logging on to the Contivity

Use the provided serial cable to initially configure the Contivity. Set up a terminal session (9600, N, 1) to the console port of the Contivity.

Configuring the Interfaces

After you have connected the console cable to the Contivity switch you will need to configure the Public, Private, and Management Interfaces.

1. Log in with the default Administrator's username and password.
2. Enter 1 to assign interface addresses. This screen shows both the private and public interfaces with default configurations.
3. Select 0 for the Private Interface or 1 for the Public Interface.

Notes
- One IP address is for Management traffic.
- The second IP address (on the same subnet) is for tunnel traffic.
- RADIUS requests, traps, etc. will come from the Management address. Remember this point when defining Contivity as a RADIUS client.
- The Tunnel address should be used for the route to branch offices. It can be advertised via RIP or OSPF.

Type R to return to the main menu.

5. Type E to exit and save changes. You should now be able to access the Contivity through your browser.
CONTIVITY VPN: CREATE A GROUP FOR LDAP AUTHENTICATION

If a group does not already exist for this purpose, one may be created using the following procedure:

1. Select Profiles, Groups, Add. Whether a group already exists or is newly created, you also need to ensure the proper options are set within the group profile.
2. Edit the appropriate group by selecting Profiles, Groups, Edit and then select Configure (next to the IPSec section).
3. Select User Name and Password authentication in the RADIUS Authentication section.
4. The external LDAP authentication has the same requirements as RADIUS for Group ID and Password, so these must be set as well.
5. Click OK at the bottom of the screen.

The Contivity VPN Client will be configured as if it were authenticating via RADIUS. That is, the Group Security Authentication option needs to be selected, the Group ID and Group Password fields filled in, and the Group Password Authentication option selected.
ENABLE THE LDAP AUTHENTICATION SERVER

After connecting to your Contivity, log in to the web interface and follow the steps below to configure the Contivity for LDAP Authentication. The Servers / LDAP Auth page, illustrated below, is where the information needed to bind to Active Directory is specified.

1. Select Enable Access to LDAP Authentication Server and then the appropriate default group from the group pull-down.
2. Enter the IP address of the Active Directory server. Select the port used to communicate with the LDAP server. The standard LDAP port (389) is depicted in the screen shot below. However, you can use SSL for communication between the Contivity and the LDAP server.
3. Specify the Base DN from which to search for users.

Note: The full name for the server in this deployment is MSADC1.EMC.MSAIDC.COM. The domain is EMC.MSAIDC.COM. The search base used was therefore dc=EMC, dc=MSAIDC, dc=com. Here the Bind DN specified is cn=LDAP Authentication, cn=Users, dc=EMC, dc=MSAIDC, dc=com. This is an account created under the Users container in Windows 2000 Active Directory Users and Computers.

4. After entering the above information, scroll down this screen. The Username/Password Access and Policy Attributes sections will be displayed. Specify the field that contains the username. For Active Directory, this is sAMAccountName. This is the minimum amount of information required to make the external LDAP Authentication work with Active Directory.
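As an added illustration (not the guide's or Nortel's code), the following Python models the search-then-bind sequence that the settings above configure: bind with the Bind DN, search the Base DN for the user's sAMAccountName, then bind as the single DN returned. The Bind DN and Base DN are the page's; the in-memory directory, the service-account password and the user accounts are constructed so the flow runs offline. It also shows the filter escaping and exactly-one-match check a practitioner would want in such a lookup.

```python
# Added example (not the guide's or Nortel's code): the search-then-bind
# sequence the Contivity performs against Active Directory, modelled offline.
# Bind DN and Base DN are the page's; directory contents are constructed.
import hmac
import re

BASE_DN = "dc=EMC,dc=MSAIDC,dc=com"
BIND_DN = "cn=LDAP Authentication,cn=Users," + BASE_DN
BIND_PASSWORD = "svc-secret"          # constructed; the real one lives on the Contivity

# Constructed directory: DN -> attributes. A real DC checks passwords itself;
# they are kept inline only so the bind step can be exercised.
DIRECTORY = {
    BIND_DN: {"sAMAccountName": "ldapauth", "password": BIND_PASSWORD},
    "cn=Jane Admin,cn=Users," + BASE_DN:
        {"sAMAccountName": "jadmin", "password": "Winter2002!"},
    "cn=Sam Ops,cn=Users," + BASE_DN:
        {"sAMAccountName": "sops", "password": "Spring2002!"},
}

def escape_filter_value(value):
    """RFC 4515 escaping: a typed username cannot change the filter's meaning."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def _substring_match(assertion, value):
    """LDAP assertion semantics: unescaped '*' is a wildcard, '\\xx' is literal."""
    pieces = [re.escape(re.sub(r"\\([0-9a-f]{2})",
                               lambda m: chr(int(m.group(1), 16)), p))
              for p in assertion.split("*")]
    return re.fullmatch(".*".join(pieces), value) is not None

def ldap_search(base_dn, attribute, assertion):
    """Subtree search under base_dn for entries whose attribute matches."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base_dn)
            and _substring_match(assertion, attrs.get(attribute, ""))]

def ldap_simple_bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["password"], password)

def authenticate(username, password, escape=True):
    """Bind as the service account, look the user up by sAMAccountName (the
    field named on the page), then bind as the single matching DN."""
    if not ldap_simple_bind(BIND_DN, BIND_PASSWORD):
        return False
    assertion = escape_filter_value(username) if escape else username
    matches = ldap_search(BASE_DN, "sAMAccountName", assertion)
    if len(matches) != 1:
        return False          # unknown user, or a wildcard matched several entries
    return ldap_simple_bind(matches[0], password)
```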
ADD LDAP AS AN IPSEC AUTHENTICATION OPTION

On the Services / IPsec screen, the order in which the various authentication options are attempted is specified. First, LDAP must be added as an option, as shown in the screen captures below. After adding LDAP Authentication as an option, the order in which the options are tried may be adjusted. Click the Swap Server Order 2 and 3 button to try LDAP before RADIUS.
CORPORATE NETWORK FIREWALL

You may want to use a firewall to provide secure access to the Internet Data Center for a connection to the company's own corporate network. The firewall would be connected to its own VLAN and would manage all data communications to the Internet Data Center from the corporate network.

If your company requires a connection directly between the Internet Data Center environment and its corporate network, Alteon Switched Firewall can provide the required performance, security, and flexibility for this connection. Discuss this option with your Nortel Networks Alteon Switched Firewall certified implementer.
SUMMARY

This chapter is intended to provide the specifications and procedures required to build the firewall configurations used in the Microsoft Internet Data Center architecture.

By following the specifications and procedures in this document and applying the site-specific aspects of your environment, you can build all the firewall configurations required to secure your implementation of the Internet Data Center architecture.

Note: A number of topics have been classed as beyond the scope of the current version of this document and, therefore, were intentionally excluded. Future documentation will provide guidance for implementing these features.

Additional Information

For more information about the Nortel Networks Alteon Switched Firewall, see:
http://www.nortelnetworks.com/products/01/alteon/asf/index.html