Ingress And Egress Filtering Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Q.: Provide best practice network egress and ingress filtering at the network perimeter. (Which router shall we choose? Do we need a firewall? Why? Where? Is it more powerful afterwards?)

Ingress and egress filtering are used to filter large classes of addresses that should not be seen at different parts of the network (1). Ingress filtering eliminates the routing of spoofed packets by discarding spoofed packets arriving from the outside (Internet) into the network. Egress filtering prevents the private network from being the source of forged traffic used in DoS attacks (2).

Ingress and egress filters must be placed on the edge router of the network in order to filter packets going in and out of the private network. Several types of traffic can then be filtered, including RFC 1918, RFC 2827 and RFC 3330 ranges and non-routable addresses.

RFC 1918 (3) provides the best practice for blocking private addresses coming in or going out of the edge router. Private addresses are used by organisations inside the private network, and NAT is then used to reach the public Internet. Therefore no private IP address should be seen by the edge router.

RFC 2827 (4) defines methods to allow only the range of public IP addresses of the internal network to leave through the edge router (outbound traffic). Also, every inbound packet whose source address falls within the internal IP address range will be rejected.

RFC 3330 (5) lists some special subnets that can be filtered from the network. Traffic from these ranges should never be sent on the Internet and therefore should never be received from the Internet. This RFC is implemented on both the inbound and outbound interfaces.

Non-routable (6) addresses that can be filtered are published by the Internet Assigned Numbers Authority (IANA), which is responsible for allocating IPv4 address space. This website is updated weekly and shows, on one hand, the IP addresses that have been allocated for commercial use and are allowed on the Internet and, on the other hand, IP addresses that have not been allocated yet or that are used by governments and have no business being seen on the Internet. However, this report will not list these addresses because there are a large number of them and they can change at any time.

Cisco offers three products which can be used as an edge router: the ASR 1000 Aggregation Services Routers, the 7200 series routers and the Catalyst 6500 switches. The planned network topology has one link to the ISP and one link to the internal network. The Catalyst 6500 switch does not suit this topology as it is oriented towards one-to-many connections (switch-oriented). Between the Cisco 7200 and the ASR 1000, the Cisco website (7) shows that the ASR 1000 has the best performance, reliability and efficiency. The ASR 1000 is therefore the router which will be implemented at the edge of the network.

1.2 Perimeter firewall

Q.: Create a perimeter firewall, with an appropriate topology to provide the organisations services, including public web, and mail servers. The firewall should have a closed security stance, and provide public services in a secure way (DMZ and different kind of access to some zones).

The perimeter firewall creates different zones within the Napier network. Most of the time, three zones (perimeters) are created by the perimeter firewall: the trusted internal network (inside), the demilitarized zone (DMZ) and the untrusted Internet (outside).

The perimeter firewall gives organisations better security for their networks, especially when services such as web/mail servers must be accessible from the untrusted Internet. Multiple zones such as inside/DMZ/outside are used to separate these more or less trusted networks. The aims of this topology are:

Provide accessibility to the DMZ from trusted and untrusted networks.

Provide accessibility from the inside (trusted network) to the outside (untrusted network).

Block accessibility from the outside to the inside.

The type of firewall needed to create a DMZ for Napier University is at least one network device-based firewall, which is much faster and more secure than server-based and software firewalls. Device-based firewalls are designed for large organisations because of their optimised hardware and hardened OS, which can handle large amounts of traffic. Moreover, the firewall needs to be a stateful firewall, as stateful firewalls keep track of established connections in both directions by looking at the packet flags. Therefore, stateful firewalls allow traffic in and out when it is initiated from the inside, but reject any traffic initiated from the outside/DMZ.

Today, most of the firewalls on the market are built by Cisco and Juniper. Both ranges of firewalls are efficient and similar in many ways. However, Cisco is the market leader with the widest deployment of any firewall, so it is recommended to use one of theirs. The Cisco ASA 5500 series (8) provides three firewalls: ASA 5505, ASA 5520 and ASA 5550. Napier University uses the IP range 146.176/16, which means 65000 IPs. Therefore the ASA 5520, which has a throughput of 450 Mbps and handles 280,000 connections for a fair price of £2,500, seems a reasonable choice. In case of heavier traffic, the ASA 5550 should be taken into consideration.

1.3 Staff and Student access

Within the perimeter, staff and students should have access to different resources offered by the perimeter network. VLANs allow the creation of departments with their own independent network and broadcast domain, not based on their physical location. Multiple VLANs may be created in the network topology without interfering with each other.

The requirements state that students should have access to the student labs and the Internet. Staff should have access to the staff networks/servers, the database server and the Internet. Students and staff should not have access to each other's data. The creation of 5 VLANs is required to meet these requirements and creates 5 secure virtual networks within the perimeter. Access lists will be implemented, firstly, on the internal router to prevent students from accessing staff devices and, secondly, on the firewall to restrict students and staff to Internet access only.

The database server must be placed strategically within the network topology. Since the data within the database server is not publicly accessible and may contain private information, it should not be placed within the DMZ. However, web servers may need to communicate with the database server, so an extra ACL within the firewall is needed. A backup server should be associated with the database server in order to duplicate information and allow a fast recovery. This backup server will be used in case of disaster (flood, fire, earthquake…), so it must be placed in a different physical location.

The equipment recommended for this network topology depends on the number of hosts plugged into each switch. Cisco proposes a range of switches (9) that corresponds to the needs of this network structure. These switches are flexible as it is possible to add multiple modules to improve the scalability of the network topology. To implement a Catalyst 6500 …..

1.4 Network Management

Prototype Implementation:

2.1 Ingress and egress filtering:

The implementation consists of applying access lists (ACLs) on the edge router interfaces to filter RFC 1918, RFC 2827 and RFC 3330 addresses.

RFC 1918 filters the following private intranet addresses: 10/8, 172.16/12 and 192.168/16. These IP ranges will be denied and logged.

RFC 2827 has different filters depending on whether the traffic is inbound or outbound. On inbound traffic, only packets with a destination address in Napier's internal public network (146.176/16 prefix) will be able to get through. On outbound traffic, only packets with a source address from Napier (146.176/16) will be able to get through.

RFC 3330 filters some special subnets. These subnets include the localhost subnet, the TEST-NET subnet allocated for documentation and testing, the multicast range, the host address and the broadcast address. These IP ranges will be denied and logged.

Everything else will be denied and logged.

2.2 Perimeter firewall

The perimeter firewall is connected to the untrusted Internet, the DMZ and the internal network. Access lists (ACLs) are specified on the perimeter firewall in order to match the design section. Each interface (zone) is assigned a security level, and connections may be initiated from a higher security level towards a lower one.

2.2.1 Outside interface

Inbound traffic is allowed from any host to the DMZ subnet, which includes the email and web servers. Two ACLs are needed to send the appropriate traffic to each server. The traffic can be distinguished by the www and smtp/pop3 protocols within the packet, which identify a web or a mail request. The security level of the outside interface is the lowest by default (0), which means the outside interface cannot initiate connections across the network.

2.2.2 DMZ interface

Outbound traffic is blocked as the DMZ subnets should not initiate connections to the inside or the outside. The security level of the DMZ is 50 by default, but connections initiated from it are denied by the ACL.

2.2.3 Inside interface

The inside interface has a security level of 100 (the maximum), which means that the inside interface can initiate connections to anywhere in the network.

Four ACLs need to be applied on the PIX outside interface in order to allow, firstly, the outside to contact the DMZ and, secondly, to restrict the inside to accessing the outside for web/mail traffic only. Moreover, one ACL needs to be applied on the PIX DMZ interface to prevent the DMZ from contacting the inside/outside.
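The zone design of section 2.2 can be exercised without a PIX image. The following Python model is added here as an example; it is not the essay's configuration and not Cisco code. It implements the three security levels named above (outside 0, DMZ 50, inside 100), an ACL per inbound interface that follows the design (outside reaches only the DMZ web/mail services, the DMZ never initiates, the inside reaches the DMZ freely and the Internet for web/mail only), and a connection table of bounded size so that return traffic is matched statefully. The zone subnets (10.1.0.0/16 inside, 10.50.0.0/24 DMZ, 203.0.113.0/24 standing in for the Internet) and the table size are assumptions made for the example.

```python
"""Added example (not the essay's PIX/ASA configuration): a model of a
three-zone stateful perimeter firewall with security levels, per-interface
ACLs and a bounded connection table."""
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport syn")

# Security levels from the essay's design.
LEVELS = {"outside": 0, "dmz": 50, "inside": 100}

# Constructed zone subnets (the essay's own GNS3 test used private addressing too).
ZONES = {
    "dmz": ipaddress.ip_network("10.50.0.0/24"),
    "inside": ipaddress.ip_network("10.1.0.0/16"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"          # anything else is the untrusted Internet


WEB_MAIL = {80, 25, 110}      # www and smtp/pop3, the services named in the essay

# Interface ACLs, applied inbound on each zone's interface. A rule is a
# predicate on (destination zone, packet); the first rule returning True permits.
ACLS = {
    # Outside may only reach the public services hosted in the DMZ.
    "outside": [lambda z, p: z == "dmz" and p.proto == "tcp" and p.dport in WEB_MAIL],
    # DMZ hosts may never initiate connections (empty ACL = deny all).
    "dmz": [],
    # Inside reaches the DMZ freely and the Internet for web/mail only.
    "inside": [lambda z, p: z == "dmz",
               lambda z, p: z == "outside" and p.proto == "tcp" and p.dport in WEB_MAIL],
}


class StatefulFirewall:
    def __init__(self, max_conns, acls=ACLS):
        self.max_conns = max_conns   # assumed state-table capacity
        self.acls = acls
        self.conns = set()           # 5-tuples of connections that were admitted
        self.log = []                # (verdict, reason, packet), like "logging console"

    def _new_connection_allowed(self, in_zone, out_zone, pkt):
        acl = self.acls.get(in_zone)
        if acl is None:              # no ACL on this interface: PIX default applies,
            return LEVELS[in_zone] > LEVELS[out_zone]   # higher level may talk to lower
        return any(rule(out_zone, pkt) for rule in acl)

    def forward(self, pkt):
        in_zone, out_zone = zone_of(pkt.src), zone_of(pkt.dst)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conns or reverse in self.conns:
            return self._verdict("permit", "established", pkt)
        if not pkt.syn:              # mid-stream packet with no state: never admitted
            return self._verdict("drop", "no matching connection", pkt)
        if not self._new_connection_allowed(in_zone, out_zone, pkt):
            return self._verdict("drop", f"acl {in_zone}->{out_zone}", pkt)
        if len(self.conns) >= self.max_conns:
            # State-table exhaustion: a policy-permitted connection is still lost.
            return self._verdict("drop", "state table full", pkt)
        self.conns.add(key)
        return self._verdict("permit", f"new {in_zone}->{out_zone}", pkt)

    def _verdict(self, verdict, reason, pkt):
        self.log.append((verdict, reason, pkt))
        return verdict


if __name__ == "__main__":
    fw = StatefulFirewall(max_conns=2)
    for p in [Pkt("tcp", "10.1.0.5", 40000, "203.0.113.10", 80, True),
              Pkt("tcp", "203.0.113.10", 80, "10.1.0.5", 40000, False),
              Pkt("tcp", "10.1.0.5", 40001, "203.0.113.10", 21, True),
              Pkt("tcp", "10.50.0.2", 40002, "203.0.113.10", 80, True),
              Pkt("tcp", "203.0.113.10", 50000, "10.50.0.2", 80, True),
              Pkt("tcp", "10.1.0.6", 40003, "203.0.113.10", 80, True)]:
        fw.forward(p)
    for verdict, reason, p in fw.log:
        print(f"{verdict:6} {p.src}:{p.sport} -> {p.dst}:{p.dport}  ({reason})")
```

Passing acls={} to the constructor leaves every interface without an ACL, which reproduces the pure security-level behaviour (inside may open anything towards the outside, the outside nothing towards the inside). With the ACLs in place, a third connection from the inside is dropped once the two-entry table is full and logged as "state table full": that is the state-table exhaustion failure the evaluation section raises, and it is what a connection-count limit such as the ASA 5520's 280,000 means in practice.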

2.3 Staff and Student access:

To implement the previous design, 5 VLANs need to be created, as seen on figure ?:

This design allows multiple secure subnets to be created, but any VLAN can still contact any other. Therefore an ACL needs to be implemented to restrict the student labs to accessing the lab servers and the Internet only. This ACL is implemented on GigabitEthernet0/0.10 of the internal router:

ip access-list extended 101
permit ip
permit ip
deny ip any
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address
ip access-group 101 in
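Both the edge-router policy of section 2.1 and the student-lab ACL above can be checked against sample packets before they are typed into a router. The following Python model of IOS-style extended ACLs is added here as an example and is not the essay's configuration. The 146.176.0.0/16 prefix is the one the essay names, and the RFC 1918 and RFC 3330 blocks are the standard ranges; the internal VLAN subnets (10.10.0.0/24 student lab, 10.20.0.0/24 lab servers, 10.30.0.0/24 staff, 10.40.0.0/24 database) and the Internet host 203.0.113.7 are constructed for the example.

```python
"""Added example (not from the essay): a model of IOS-style extended ACLs used
to check the edge-router ingress/egress policy and the student-lab VLAN ACL."""
import ipaddress
from collections import Counter


class AccessList:
    """Ordered (action, source, destination, remark) entries. Evaluation follows
    IOS: first match wins and there is an implicit deny at the end. A hit counter
    per remark stands in for the counters shown by 'show access-list'."""

    def __init__(self, name, entries):
        self.name = name
        self.entries = [(a, ipaddress.ip_network(s), ipaddress.ip_network(d), r)
                        for a, s, d, r in entries]
        self.hits = Counter()

    def evaluate(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, s, d, remark in self.entries:
            if src in s and dst in d:
                self.hits[remark] += 1
                return action
        self.hits["implicit deny"] += 1
        return "deny"


ANY = "0.0.0.0/0"
NAPIER = "146.176.0.0/16"                      # public prefix named in the essay
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
SPECIAL = {                                    # RFC 3330 special-use blocks the essay lists
    "0.0.0.0/8": "host *.0.0.0",
    "127.0.0.0/8": "local host",
    "169.254.0.0/16": "link-local DHCP",
    "192.0.2.0/24": "TEST-NET",
    "224.0.0.0/4": "multicast",
    "255.255.255.255/32": "broadcast",
}


def bogon_entries():
    """Deny entries shared by both edge-router lists; they match on the source."""
    entries = [("deny", n, ANY, "RFC 1918 " + n) for n in RFC1918]
    entries += [("deny", n, ANY, "RFC 3330 " + label) for n, label in SPECIAL.items()]
    return entries


# Ingress list on the ISP-facing interface: private/special sources and packets
# claiming a Napier source are dropped, then only traffic addressed to Napier's
# prefix is forwarded (RFC 2827 inbound rule).
INBOUND = AccessList("edge-in", bogon_entries() + [
    ("deny", NAPIER, ANY, "RFC 2827 spoofed internal source"),
    ("permit", ANY, NAPIER, "to Napier public range"),
])

# Egress list: nothing with a private/special source may leave, and only packets
# sourced from Napier's prefix reach the Internet (RFC 2827 outbound rule).
OUTBOUND = AccessList("edge-out", bogon_entries() + [
    ("permit", NAPIER, ANY, "from Napier public range"),
])

# Constructed (hypothetical) internal subnets for the VLAN example.
STUDENT_LAB, LAB_SERVERS = "10.10.0.0/24", "10.20.0.0/24"
STAFF_NET, DB_NET = "10.30.0.0/24", "10.40.0.0/24"

# ACL 101 inbound on the student-lab sub-interface: lab servers first, then every
# other internal subnet denied, then the Internet. Traffic not sourced from the
# lab subnet falls through to the implicit deny, which also blocks spoofing.
VLAN10_IN = AccessList("101", [
    ("permit", STUDENT_LAB, LAB_SERVERS, "lab to lab servers"),
    ("deny", STUDENT_LAB, "10.0.0.0/8", "lab to other internal subnets"),
    ("permit", STUDENT_LAB, ANY, "lab to Internet"),
])


if __name__ == "__main__":
    samples = [
        (INBOUND, "10.1.2.3", "146.176.1.1"),        # private source from the ISP side
        (INBOUND, "146.176.5.5", "146.176.1.1"),     # spoofed Napier source
        (INBOUND, "203.0.113.7", "146.176.1.1"),     # ordinary Internet host (constructed)
        (OUTBOUND, "192.168.1.1", "203.0.113.7"),    # private source leaking out
        (OUTBOUND, "146.176.1.1", "203.0.113.7"),    # legitimate outbound
        (VLAN10_IN, "10.10.0.5", "10.30.0.9"),       # student lab towards staff
    ]
    for acl, s, d in samples:
        print(f"{acl.name:8} {s:>15} -> {d:<15} {acl.evaluate(s, d)}")
    print("edge-in counters:", dict(INBOUND.hits))
```

The hit counters are what the evaluation section reads off with show access-list, and the same evaluate loop serves the inbound, outbound and VLAN lists, which is the point: the policy differs only in the order and direction of the entries. The VLAN list denies the whole 10.0.0.0/8 before the catch-all permit so that a newly added internal subnet is excluded by default instead of having to be listed by hand.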

Testing and Evaluation

3.1 Ingress and egress filtering:

Tests are done using Packet Tracer with 3 routers: Internal router, edge router and ISP.

Figure - Ping PC3 to PC1/PC0: Dropped

Figure - Ping PC4 to PC1: Successful

Figure - Ping PC0 to PC4/PC 3: Dropped

The results show that only packets with a destination address in Napier's internal public network (146.176/16 prefix) are able to get in. Moreover, only packets with a source address from Napier (146.176/16) are able to get out. All other traffic is denied by the ACLs and dropped at the edge router.

The evaluation shows that the ACLs are effective. However, a couple of considerations must be taken into account when implementing these rules. Firstly, logging all the denied traffic can overwhelm the hardware ACLs when the network is under attack; therefore some rules should only log part of the denied traffic so as not to overload the CPU. Secondly, the edge router is a single point of failure in the network. Having an extra power socket for the router in case of problems would be a good idea. Moreover, it is possible to add a second router to take over if the main router fails, ensuring the continuity of the traffic.

3.2 Perimeter Firewall

The tests are done using GNS3 with a PIX firewall, 2 Ubuntu VMs and 1 Windows OS. The Ubuntu VMs are used in the DMZ and the outside network to allow testing of web, SSH and FTP traffic from the inside. Tests are done using private addressing, but using Napier's public addressing would have made no difference. The topology is shown in figure ?.

Figure - Perimeter Firewall Networks

To see the test results, the PIX firewall uses the "logging console" function to print in the console which ACLs are used to allow or deny traffic, as seen in figures ?, ? and ?.

Figure - Inside to the Outside on port 80 OK

Figure - Inside to the Outside on port FTP DENIED

Figure - Alert DMZ to Outside DENIED

The results of the tests match those expected and the ACLs are effective.

However, the weakness of stateful firewalls concerns their state table (which remembers the established connections). If the state table fills up, most of the time under a Denial of Service (DoS) attack, the firewall will drop the return packets.

The Cisco ASA 5520 is a single point of failure in the network. The firewall should be equipped with redundant components to power the engine. A second solution is to use active/passive fault-tolerant firewalls, which ensure that if the first firewall fails all the traffic is sent to the second firewall (11).

The topology uses a single firewall, which is not the best solution when heavy traffic occurs between the inside and the DMZ. In that case a multi-firewall approach should be used to separate the outside, perimeter and inside networks (12).


3.3 Staff and Student Access

Tests are done using Packet tracer, as seen in figure ? :

To show the results, the student lab pings the lab server, the Internet, the staff network and the database servers. A show access-list is then typed on the router, as seen in figure ?

The results show that traffic from the student lab to the lab servers/Internet has been permitted and all other traffic from the student lab has been denied.

This topology works fine but the security can be enhanced. Most of the time, web servers need to communicate with the database server to offer specialised services. This communication allows the DMZ to initiate connections to the inside, which must be handled carefully. Therefore the use of an application firewall can ensure that no information sent by the web server can compromise the database server by stealing or manipulating the data (13). See Lecture 4, slide 13.

4. Network Management

Q. Provide secure access to all devices, from the security management subnet.


Devices can be managed locally or remotely. Local management is done by connecting a machine to the serial port of the device in order to modify its configuration file. However, this technique can be really tedious, especially in a big organisation with multiple devices. Therefore, remote management can be used to configure multiple devices from one place. This is done using either the Telnet or the Secure Shell (SSH) protocol. However, Telnet lacks security because it sends the data in clear text across the network, making it easy for an attacker listening on the network to capture login usernames and passwords (14). An alternative protocol to Telnet is SSH, which encrypts session traffic and uses digital certificates. SSH comes in two versions, SSHv1 and SSHv2, which are entirely different protocols. SSHv1 is able to defend a network against a casual hacker; however, SSHv1 can now be decoded in real time with the program Ettercap (15). SSHv2 uses Data Encryption Standard (DES) or triple DES (3DES) IPsec encryption and operates using asymmetric cryptography, proposed by Whitfield Diffie and Martin Hellman in 1977 (16). The Diffie-Hellman algorithm is a one-way function, easy to perform in one direction but almost impossible to reverse. For that reason this algorithm is very secure and protects the data sent over the network from being decrypted by a potential attacker. Therefore, it is reasonable to say that SSHv1 is the faster but weaker protocol and SSHv2 the stronger but slower one.

The physical devices which manage the network (management subnet) should be placed inside a secure room with access restricted to authorised staff only. Even though the SSH connection will be implemented using a secret username and password, access to the hosts should be protected in case of an insider attack.

The management subnet should be inaccessible from anywhere else in the network. Therefore ACLs need to be implemented on the internal router to block any other device from connecting to the management subnet.

2. Implementation

SSHv2 is not supported by every Cisco IOS device; therefore the following implementation uses SSHv1. The prototype of an SSH server is realised on the internal router by following these steps:

Configuration of the SSH Server on the internal router

Configuration of username "cisco" and password "1234"

Configuration of the router with a hostname and DNS

Generating a RSA key pair for the router

Enable the SSH server and options (timeout and authentication-retries allowed)

The SSH client does not need any configuration to access the SSH server. The SSH server can easily be accessed using the following command:

ssh -l cisco 'ip_address_internal_router'

Access list configuration

An access list needs to be implemented on the internal router in order to allow only the management subnet to access the router over SSH. How do we block SSH from everywhere else when we cannot put an ACL directly on G0/0?


Figure - Management Subnet Cisco Packet Tracer

Figure - SSH Connection Management -> Internal Router

The configuration of the SSH server, seen in figure ?, needs to be repeated on every device to allow the management subnet to administer them. Moreover, ACLs need to be implemented on routers and firewalls in order to allow SSH traffic from the management subnet.


Q. Provide authentication for administrative access to all network devices.


Authentication for administration can be provided using basic passwords on the devices for the privileged command mode, console access and telnet access. However, these basic passwords do not scale well for multiple administrators over many devices, which results in many different passwords saved inside the device configurations. Moreover, different administrators may have different rights to access a device depending on their status within the organisation. To solve these problems, the use of a framework for Authentication, Authorisation and Accounting (AAA) is suggested. This framework is able to control the administrators' rights to access the router, give them access to different services and log what they are doing (17). Authentication is centralised on an authentication server which holds the list of usernames/passwords allowed to access each device. Each administrator needs to communicate with that authentication server to be granted access to a device such as a router, switch or firewall. Once the administrator has successfully authenticated to the authentication server, the router allows the user to enter the configuration dialog.

The most popular AAA protocols are RADIUS and TACACS+. The TACACS+ protocol is well known to be much more flexible and more secure than RADIUS. The flexibility offered by TACACS+ comes from separating authentication and authorisation. Moreover, it is possible to give users an authorisation level that grants limited access to the devices. However, the RADIUS protocol is an open platform and can be installed on any device, as opposed to TACACS+, which is Cisco proprietary and cannot be used on non-Cisco devices. Choosing the RADIUS protocol (18) will therefore make it easier to install any kind of device on the network.


The prototype implementation of an AAA server consists of providing secure access to a network device (router) by authenticating any host of an administrator subnet, as shown in figure X.

The RADIUS authentication server is configured using the freeware WinRadius, which is able to run a RADIUS server on a Windows OS. The configuration is quick as only usernames and passwords need to be typed in. The username Ben and password benradius are used in this prototype.

Once the username has been created, the internal router needs to be configured:

Creation of a new AAA model

Allow authentication to the router with a default password, in case the authentication server cannot be contacted.

Specification of the IP address, default ports and secret key of the Authentication Server

Apply a method requiring successful authentication against the RADIUS server to access the SSH port.
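The shared secret configured in the third step is what protects the administrator's credentials on the wire between the router and WinRadius. The Python example below is added here to show what that secret does; it is not part of the essay, of WinRadius or of Cisco IOS. It builds a RADIUS Access-Request as defined in RFC 2865, hides the User-Password attribute with the secret and a per-request Request Authenticator, and performs the server-side recovery. The username Ben and password benradius are the essay's; the secret value, the NAS address 10.1.0.1 and the packet identifier are constructed for the example.

```python
"""Added example (not the essay's WinRadius/IOS setup): encoding a RADIUS
Access-Request (RFC 2865) with the User-Password attribute hidden under the
shared secret, and the server-side reverse operation."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then XOR each
    block with MD5(secret + previous ciphertext block), the first block being
    keyed with the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += c
        prev = c
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: regenerate the same keystream from the secret and the
    authenticator carried in the packet, XOR again, strip NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    # Attribute = Type (1) | Length (1, includes these two octets) | Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, ident=1, authenticator=None):
    """What the NAS (the router) sends. The authenticator must be fresh and
    random for every request; a fixed one is only accepted here for testing."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += attribute(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """What the RADIUS server does on receipt, given its copy of the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, fields = packet[4:20], 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            fields["user"] = value.decode()
        elif atype == ATTR_USER_PASSWORD:
            fields["password"] = reveal_password(value, secret, authenticator).decode("utf-8", "replace")
        elif atype == ATTR_NAS_IP:
            fields["nas"] = ".".join(str(b) for b in value)
        pos += alen
    return code, ident, fields


if __name__ == "__main__":
    secret = b"example-shared-secret"        # constructed; configured on both sides
    pkt = build_access_request("Ben", "benradius", secret, "10.1.0.1", ident=7)
    print("on the wire:", pkt.hex())
    print("server with the right secret:", parse_access_request(pkt, secret)[2])
    print("server with a wrong secret:  ", parse_access_request(pkt, b"other")[2])
```

Run as a script, the wrong-secret line shows the password attribute decoding to garbage, which is the only protection the attribute has: an MD5-derived keystream chained block by block and keyed entirely by the secret and the authenticator. Two consequences follow for the router and server configuration described above: the secret must be long and random rather than a word, and the NAS must generate a new random authenticator for each request, since reusing one would give two requests the same keystream.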


remark Block local host address
deny ip any log
remark Block RFC 1918 Address Allocation for Private Internets
deny ip any log
deny ip any log
deny ip any log
remark Block link-local DHCP
deny ip any log
remark Block documentation/test network
deny ip any log
remark Block host *.0.0.0
deny ip any log
remark Block host
deny ip host any log
remark Block Multicast Traffic
deny ip any log
remark Permit Everything else to public networks only
permit ip any
remark Block everything else
deny ip any any log


remark Block local host address
deny ip any log
remark Block RFC 1918 Address Allocation for Private Internets
deny ip any log
deny ip any log
deny ip any log
remark Block link-local DHCP
deny ip any log
remark Block documentation/test network
deny ip any log
remark Block host *.0.0.0
deny ip any log
remark Block host
deny ip host any log
remark Block Multicast Traffic
deny ip any log
remark Permit Everything else to public networks only
permit ip any
remark Block everything else
deny ip any any log