Firewall Management Interface

Modern firewalls come with two administrative interfaces:

• The CLI

• The GUI (typically, but not necessarily, web based)

This section provides an overview and some examples of these interfaces.

Managing Firewalls with a CLI

A CLI enables you to use a specific instruction set to configure the firewall. Most firewalls require the end user to do the initial configuration of the firewall (entering basic network information such as IP address, net mask, default gateway, and possibly an administrative password) via the CLI before the end user can switch over to the GUI. Linux's NetFilter is, for the most part, configured through a CLI, although several products allow NetFilter-based firewalls to be configured through a GUI.

CLIs require knowledge of the firewall product's command set. For example, using the IPTables CLI to configure NetFilter to allow inbound Secure Shell (SSH), e-mail, and web traffic (TCP ports 22, 25, and 80, respectively) and deny all other traffic requires the configuration in Example 11-1.

Example 11-1 Configuring NetFilter with IPTables

# iptables -P INPUT DROP

# iptables -P OUTPUT ACCEPT

# iptables -P FORWARD ACCEPT

# iptables -A INPUT -i lo -j ACCEPT

# iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 22 -m state --state NEW -j ACCEPT

# iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 25 -m state --state NEW -j ACCEPT

# iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 80 -m state --state NEW -j ACCEPT

Example 11-2 provides a similar configuration with the PIX command set.

Example 11-2 Configuring a PIX

gandalf(config)# access-list acl_test permit tcp any host 10.16.17.202 eq ssh

gandalf(config)# access-list acl_test permit tcp any host 10.16.17.202 eq smtp

gandalf(config)# access-list acl_test permit tcp any host 10.16.17.202 eq 80

gandalf(config)# access-list acl_test permit icmp any any

gandalf(config)# access-list acl_test deny ip any any

gandalf(config)# show access-list acl_test

access-list acl_test; 5 elements

access-list acl_test line 1 permit tcp any host 10.16.17.202 eq ssh (hitcnt=0)

access-list acl_test line 2 permit tcp any host 10.16.17.202 eq smtp (hitcnt=0)

access-list acl_test line 3 permit tcp any host 10.16.17.202 eq www (hitcnt=0)

access-list acl_test line 4 permit icmp any any (hitcnt=0)

access-list acl_test line 5 deny ip any any (hitcnt=0)

Knowledge of the command set is critical to effectively configure a firewall through a CLI. Many vendors (and third parties) have worked hard to reduce the configuration of a firewall to a simpler method. When the initial configuration is done (supplying the firewall software with an IP address and net mask), the end user can immediately switch to a more graphical method of configuring the firewall.
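Because the two command sets express the same policy differently, it helps to compare them packet by packet. The following is an added example, not part of the original text: it parses Example 11-1 (written in valid iptables syntax) and the ACL from Example 11-2, then compares first-match verdicts for a few constructed packets. Source addresses and the state match are not modeled, and all function and variable names are illustrative.

```python
import re
IPTABLES = """\
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 80 -m state --state NEW -j ACCEPT"""
PIX = """\
access-list acl_test permit tcp any host 10.16.17.202 eq ssh
access-list acl_test permit tcp any host 10.16.17.202 eq smtp
access-list acl_test permit tcp any host 10.16.17.202 eq 80
access-list acl_test permit icmp any any
access-list acl_test deny ip any any"""
NAMED_PORTS = {"ssh": 22, "smtp": 25, "www": 80}
ACL = re.compile(r"access-list \S+ (permit|deny) (\S+) (?:any|host \S+) (?:any|host (\S+))(?: eq (\S+))?")

def rule(action, iface=None, proto=None, dst=None, dport=None):
    port = NAMED_PORTS.get(dport) or (int(dport) if dport else None)
    return {"action": action, "iface": iface, "proto": proto, "dst": dst, "dport": port}  # None = any

def parse_iptables(text):
    policy, rules = "ACCEPT", []
    for tok in map(str.split, text.splitlines()):
        if tok[1:3] == ["-P", "INPUT"]:
            policy = tok[3]                          # chain default
        elif tok[1:3] == ["-A", "INPUT"]:
            o = dict(zip(tok[3::2], tok[4::2]))      # option/value pairs; -s and state are not modeled
            rules.append(rule(o["-j"], o.get("-i"), o.get("-p"), o.get("-d"), o.get("--dport")))
    return policy, rules

def parse_pix(text):
    return [rule("ACCEPT" if act == "permit" else "DROP", None, None if proto == "ip" else proto,
                 dst or None, port or None) for act, proto, dst, port in ACL.findall(text)]

def verdict(rules, default, pkt):
    for r in rules:                                  # first matching rule wins
        if all(r[f] in (None, pkt.get(f)) for f in ("iface", "proto", "dst", "dport")):
            return r["action"]
    return default

def differences(packets):
    policy, ipt = parse_iptables(IPTABLES)
    pix = parse_pix(PIX)                             # a Cisco ACL ends in an implicit deny
    both = {n: (verdict(ipt, policy, p), verdict(pix, "DROP", p)) for n, p in packets.items()}
    return {n: v for n, v in both.items() if v[0] != v[1]}

HOST = {"iface": "eth0", "dst": "10.16.17.202"}      # constructed sample packets
PACKETS = {n: {**HOST, "proto": pr, "dport": dp} for n, pr, dp in [
    ("ssh", "tcp", 22), ("smtp", "tcp", 25), ("web", "tcp", 80), ("telnet", "tcp", 23), ("ping", "icmp", None)]}
```

Calling `differences(PACKETS)` reports only the ICMP packet: the ACL's `permit icmp any any` line has no counterpart in Example 11-1, so the two configurations are similar rather than equivalent.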

Managing Firewalls with a GUI

A GUI provides a more user-friendly interface to configure the firewall. Some firewalls are configured through a direct interface on the host, such as Symantec Norton Internet Security shown in Figure 11-1 and Figure 11-2, before the firewall is active. Some come with a preconfigured IP address and an administrative password to be used for access by the end user during initial configuration (such as Linksys or the PIX 501 and 506E series systems).

Figure 11-1 Symantec Internet Security Configuration

Figure 11-2 Symantec Firewall Configuration

The PIX Device Manager (for PIX operating systems up to version 6.3(5)), known as the Cisco Adaptive Security Device Manager in PIX version 7.0, is a Java applet that is downloaded from the PIX or ASA device and runs locally through the client browser.

Figure 11-3 Cisco PIX Device Manager

The information is presented in a more natural fashion to the end user in the form of graphics and graphs for performance.

Not to be outdone, there are GUIs for Linux's IPTables firewall software. Some are web based (such as Webmin), and some are applications running on the Linux system itself (such as Firestarter or FW-Builder). Firestarter provides a simple, easy-to-use interface for IPTables, as shown in Figure 11-4.

Figure 11-4 Firestarter for IPTables

Webmin provides a method by which the firewall can be managed through a web browser interface, which is more convenient than an application that can only be viewed on an X Windows-enabled server. Figure 11-5 shows this interface.

Figure 11-5 Webmin IPTables Rules Interface

Interface Preference

Whether it is through a CLI or through a GUI, the management of a firewall can range from the highly complex to the relatively easy. Typically, novice users start by administering the firewall through a GUI. Over time, as their experience level and comfort level with the firewall increase, they may find it more convenient to use a CLI. One significant benefit of a CLI over a GUI is that the CLI is available through Telnet and SSH sessions as well as connected directly to the serial port. This becomes important when considering how access to the firewall management interface will be controlled.

Date posted: 21/01/2014, 02:20
