Question 3. Firewalls and iptables
Consider the scenario from Question 2. Your task is to protect the organisation’s network using a single iptables-based packet filtering firewall that supports SPI.
(a) Explain where you would locate the firewall, and justify that location.
(b) Assuming the firewall can be correctly configured to meet the security policy, discuss the weaknesses/limitations of using the firewall in the location you selected. Give examples of threats that highlight the weaknesses/limitations.
(c) Design a set of firewall rules for the organisation. For each rule, give a short justification for that rule.
(d) Implement the firewall rules in virtnet on node2 in topology 5 using iptables. If there are any rules from your design that you cannot implement in the limited virtnet environment with iptables, then explain why you cannot. Include the iptables rules in your report.
For the virtnet implementation of the firewall on topology 5, you obviously don’t have all internal devices or external devices. node1 is considered external, node3 is internal and node2 is the firewall. However, you should create the iptables-based firewall rules to match your design. You will not be able to test all rules, but you can do some basic testing with lynx, ping, netcat, etc., between node1 and node3, and then change the IP addresses in those rules to match your design.