10.5.8 Lab: Configure A Perimeter Firewall

In network security, a perimeter firewall acts as the first line of defense, controlling network access and protecting internal systems from external threats. Configuring this critical component requires careful planning, precise execution, and ongoing maintenance to ensure robust protection. This lab focuses on setting up a perimeter firewall to secure a network using a series of practical steps and essential considerations.

Understanding the Role of a Perimeter Firewall

A perimeter firewall sits at the boundary between a trusted internal network and an untrusted external network, typically the Internet. Its primary function is to filter network traffic based on predefined security rules. By examining incoming and outgoing packets, the firewall can block unauthorized access attempts, prevent malicious traffic from entering the internal network, and enforce security policies.

Key features of a perimeter firewall include:

• Packet Filtering: Inspects network packets based on source and destination IP addresses, port numbers, and protocols.
• Stateful Inspection: Tracks the state of network connections to ensure that traffic is legitimate and part of an established session.
• Network Address Translation (NAT): Translates internal private IP addresses to a single or a range of public IP addresses, hiding the internal network structure from the outside world.
• Virtual Private Network (VPN): Provides secure remote access to the internal network over the Internet.
• Intrusion Detection and Prevention Systems (IDS/IPS): Monitors network traffic for malicious activity and automatically takes action to block or mitigate threats.

Lab Objectives

This lab aims to provide hands-on experience in configuring a perimeter firewall. By the end of this lab, you should be able to:

• Install and configure a firewall appliance or software.
• Define and implement firewall rules to control network traffic.
• Set up Network Address Translation (NAT) to protect internal IP addresses.
• Configure basic Intrusion Detection and Prevention Systems (IDS/IPS).
• Test and verify the firewall configuration.

Prerequisites

Before starting the lab, ensure that you have the following:

• A virtualized environment (e.g., VMware, VirtualBox) or physical hardware for setting up the firewall and network.
• A firewall appliance or software (e.g., pfSense, Cisco ASA, iptables).
• A client machine for testing the firewall configuration.
• Basic knowledge of networking concepts, including IP addressing, routing, and protocols.

Lab Setup

The following network topology will be used for this lab:

• Perimeter Firewall: This device will act as the gateway between the internal and external networks. It has two network interfaces:
  • WAN (Wide Area Network): Connected to the Internet with a public IP address.
  • LAN (Local Area Network): Connected to the internal network with a private IP address (e.g., 192.168.1.1/24).
• Internal Network: This network consists of client machines that need to be protected by the firewall.
  • Client Machine IP Address: 192.168.1.10/24
  • Default Gateway: 192.168.1.1 (Firewall's LAN IP Address)
• External Network (Internet): Simulated by another virtual machine or a physical network with Internet access.

Step-by-Step Configuration Guide

Step 1: Install and Configure the Firewall Appliance/Software

1. Choose a Firewall Solution: Select a firewall appliance or software based on your requirements and resources. Popular options include pfSense, Cisco ASA, iptables, and Windows Firewall. For this lab, we will use pfSense as it is a powerful, open-source firewall solution.

2. Download pfSense:

   • Visit the pfSense website () and download the appropriate version for your virtualization platform.

3. Create a Virtual Machine:

   • Open your virtualization software (e.g., VMware, VirtualBox).
   • Create a new virtual machine with the following specifications:
     • Memory: 2GB
     • CPU: 2 cores
     • Disk Space: 20GB
     • Network Adapters: Two network adapters (one for WAN and one for LAN)

4. Install pfSense:

   • Mount the pfSense ISO image to the virtual machine.
   • Start the virtual machine and follow the on-screen instructions to install pfSense.
     • Accept the license agreement.
     • Choose the "Auto (ZFS)" installation method for simplicity.
     • Set a root password.
     • Configure the WAN and LAN interfaces. pfSense will automatically detect the interfaces.

5. Access the pfSense Web Interface:

   • Once the installation is complete, pfSense will display the IP addresses for the WAN and LAN interfaces.
   • Open a web browser on your client machine and enter the LAN IP address (e.g., 192.168.1.1).
   • Log in using the default username "admin" and the password you set during installation.

Step 2: Configure the WAN Interface

1. Navigate to Interfaces > WAN:

   • In the pfSense web interface, go to "Interfaces" and select "WAN".

2. Configure the WAN Interface:

   • Type: Choose the appropriate connection type (DHCP, Static IP, PPPoE). If you have a dynamic IP address from your ISP, select "DHCP". If you have a static IP address, select "Static IP".
   • IPv4 Configuration:
     • DHCP: If using DHCP, ensure that the "DHCP" option is selected.
     • Static IP: If using a static IP, enter the IP address, subnet mask, and gateway provided by your ISP.
   • IPv6 Configuration: Configure IPv6 settings if required.
   • Save Changes: Click "Save" at the bottom of the page.

Step 3: Configure the LAN Interface

1. Navigate to Interfaces > LAN:

   • In the pfSense web interface, go to "Interfaces" and select "LAN".

2. Configure the LAN Interface:

   • IPv4 Configuration:
     • Static IP: Set a static IP address for the LAN interface. This IP address will be the default gateway for your internal network. For example, set the IP address to "192.168.1.1" and the subnet mask to "24" (255.255.255.0).
   • IPv6 Configuration: Configure IPv6 settings if required.
   • DHCP Server: Enable the DHCP server on the LAN interface to automatically assign IP addresses to devices on your internal network.
     • Range: Set the IP address range for the DHCP server (e.g., 192.168.1.100 to 192.168.1.200).
     • Gateway: Ensure the gateway is set to the LAN IP address (192.168.1.1).
     • DNS Servers: Specify DNS server addresses (e.g., 8.8.8.8 and 8.8.4.4 for Google Public DNS).
   • Save Changes: Click "Save" at the bottom of the page.

Step 4: Configure Firewall Rules

1. Navigate to Firewall > Rules > LAN:

   • In the pfSense web interface, go to "Firewall", select "Rules", and then "LAN".

2. Create a Default Allow Rule:

   • By default, pfSense blocks all traffic from the LAN to the WAN. Create a rule to allow outbound traffic.
     • Click the "Add" button to create a new rule.
     • Action: Set to "Pass".
     • Interface: Set to "LAN".
     • Address Family: Set to "IPv4".
     • Protocol: Set to "Any".
     • Source: Set to "LAN net".
     • Destination: Set to "Any".
     • Description: Enter a description for the rule (e.g., "Allow outbound LAN traffic").
     • Save Changes: Click "Save" at the bottom of the page and then "Apply Changes".

3. Navigate to Firewall > Rules > WAN:

   • In the pfSense web interface, go to "Firewall", select "Rules", and then "WAN".

4. Block All Inbound Traffic:

   • By default, pfSense blocks all inbound traffic on the WAN interface. This provides a basic level of security. You can add specific rules to allow certain types of traffic if needed.
     • Example: Allow Inbound SSH Traffic (for remote access, use with caution):
       • Click the "Add" button to create a new rule.
       • Action: Set to "Pass".
       • Interface: Set to "WAN".
       • Address Family: Set to "IPv4".
       • Protocol: Set to "TCP".
       • Source: Set to "Any".
       • Destination: Set to "WAN address".
       • Destination Port Range: Set to "SSH" (22).
       • Description: Enter a description for the rule (e.g., "Allow inbound SSH traffic").
       • Save Changes: Click "Save" at the bottom of the page and then "Apply Changes".

Step 5: Configure Network Address Translation (NAT)

1. Navigate to Firewall > NAT > Outbound:

   • In the pfSense web interface, go to "Firewall", select "NAT", and then "Outbound".

2. Configure Outbound NAT:

   • By default, pfSense uses automatic outbound NAT. If you need to customize the NAT rules, switch to manual outbound NAT.
     • Mode: Set to "Automatic outbound NAT rule generation".
     • If you need to customize:
       • Mode: Set to "Manual outbound NAT rule generation".
       • Click "Add" to create a new NAT rule.
       • Interface: Set to "WAN".
       • Address Family: Set to "IPv4".
       • Protocol: Set to "Any".
       • Source: Set to "LAN net".
       • Destination: Set to "Any".
       • Translation / Target: Set to "Interface address".
       • Description: Enter a description for the rule (e.g., "NAT for LAN traffic").
       • Save Changes: Click "Save" at the bottom of the page and then "Apply Changes".

Step 6: Configure Basic Intrusion Detection and Prevention System (IDS/IPS)

1. Install Snort or Suricata:

   • pfSense supports Snort and Suricata as IDS/IPS solutions. For this lab, we will use Suricata.
   • Navigate to "System > Package Manager > Available Packages".
   • Find "Suricata" in the list and click "Install".

2. Configure Suricata:

   • After installation, go to "Services > Suricata".
   • Interfaces: Select the LAN and WAN interfaces to monitor.
   • Rulesets: Choose the appropriate rulesets to use. Emerging Threats and Snort GPLv2 Community Rules are popular choices.
   • Update Rules: Click "Update Rules" to download the latest rulesets.
   • Alert Settings: Configure alert settings to receive notifications when Suricata detects malicious activity.
   • Enable Suricata: Check the "Enable Suricata on selected interfaces" box and click "Save".

Step 7: Test and Verify the Firewall Configuration

1. Test Outbound Connectivity:

   • On the client machine in the internal network, open a web browser and try to access a website (e.g., ).
   • If the website loads successfully, outbound connectivity is working correctly.

2. Test Inbound Connectivity:

   • From the external network (Internet), try to ping the WAN IP address of the firewall.
   • By default, pfSense blocks ICMP (ping) requests on the WAN interface. If you want to allow ping requests for testing purposes, create a firewall rule on the WAN interface to allow ICMP traffic.
   • Example: Allow Inbound ICMP Traffic:
     • Click the "Add" button to create a new rule.
     • Action: Set to "Pass".
     • Interface: Set to "WAN".
     • Address Family: Set to "IPv4".
     • Protocol: Set to "ICMP".
     • Source: Set to "Any".
     • Destination: Set to "WAN address".
     • Description: Enter a description for the rule (e.g., "Allow inbound ICMP traffic").
     • Save Changes: Click "Save" at the bottom of the page and then "Apply Changes".

3. Check Firewall Logs:

   • Navigate to "Status > System Logs > Firewall" in the pfSense web interface.
   • Review the firewall logs to see if any traffic is being blocked or allowed based on your rules.

4. Test Suricata Alerts:

   • Generate some malicious traffic to trigger Suricata alerts. You can use tools like Nmap or Metasploit to simulate attacks.
   • Check the Suricata alerts by going to "Status > System Logs > Suricata".
   • Verify that Suricata is detecting and logging the malicious activity.

Additional Configuration Options

VPN Configuration

• OpenVPN: pfSense supports OpenVPN for secure remote access. Configure an OpenVPN server to allow users to connect to the internal network securely over the Internet.
• IPsec: pfSense also supports IPsec for site-to-site VPN connections. Configure an IPsec tunnel to connect two networks securely.

Traffic Shaping

• Limit Bandwidth: Use traffic shaping to limit the bandwidth used by certain types of traffic or users. This can help prevent network congestion and ensure that critical applications have enough bandwidth.

Web Filtering

• Squid and SquidGuard: Install Squid and SquidGuard packages to filter web traffic based on categories or URLs. This can help block access to malicious or inappropriate websites.

High Availability

• CARP (Common Address Redundancy Protocol): Configure CARP to create a high availability firewall setup. This allows you to have a backup firewall that automatically takes over if the primary firewall fails.

Troubleshooting Tips

• Connectivity Issues: If you are experiencing connectivity issues, check the firewall rules, NAT configuration, and routing settings.
• DNS Resolution: Ensure that the DNS server settings are correct on the client machines and the firewall.
• Firewall Logs: Review the firewall logs to identify any blocked traffic or error messages.
• Suricata Alerts: Investigate Suricata alerts to determine the cause of the alerts and take appropriate action.

Security Best Practices

• Regular Updates: Keep the firewall software and rulesets up to date to protect against the latest threats.
• Strong Passwords: Use strong passwords for all accounts and change them regularly.
• Least Privilege: Grant users only the necessary privileges to perform their tasks.
• Two-Factor Authentication: Enable two-factor authentication for remote access and administrative accounts.
• Regular Backups: Back up the firewall configuration regularly to prevent data loss in case of a failure.
• Monitor Logs: Monitor firewall logs regularly to detect and respond to security incidents.

Conclusion

Configuring a perimeter firewall is a critical step in securing a network. This lab provided a comprehensive guide to setting up a firewall using pfSense, configuring firewall rules, NAT, and basic IDS/IPS. By following the steps outlined in this lab and adhering to security best practices, you can create a robust perimeter defense to protect your network from external threats. Continuous monitoring, regular updates, and ongoing maintenance are essential to ensure the firewall remains effective over time.