Getting Ready to Configure the Firewall


Developing a Security Policy

The key to successful implementation of the firewall is having a clear security policy that describes how to control access and use of the organization's network resources.

A security policy should have the support of the various departments and administrators responsible for its implementation and should be well understood by network users.


Planning an Implementation

Before you configure the firewall, use a tool such as Visio to sketch out a network diagram with the IP addresses that you will assign to firewalls, routers, servers, and other devices.

Use the configuration forms below to help collect the information required.

  1. Network Interface
  2. Routing
  3. inbound
  4. nat
  5. nat2
  6. Outbound Access
  7. Static Address


Setting a default route

A router discovers and stores the paths through the network, known as routes. When a router does not have a route to the destination address in a specific packet, it forwards the packet using a default route to another router, called the default router. Configure the default routes on the routers to forward traffic to the firewall by completing the following steps.

  1. Telnet to the router that connects to the inside interface of the firewall, or connect to the router's console port.

    If you are using a Windows PC, you can connect to the console port using the HyperTerminal program.

  2. Run enable to access configuration mode.

  3. Set the default route to the inside interface of the firewall with the following command:
    ip route 0.0.0.0 0.0.0.0 pix_inside_interface_ip_address

  4. Enter show ip route and verify that the connected firewall interface is listed as the "gateway of last resort."

  5. Run clear arp to clear the ARP cache.

  6. Enter Ctrl-Z to exit configuration mode.

  7. From the router, if you changed the default route, use the write memory command to store the configuration in Flash memory.

  8. Connect to other routers on the inside and each perimeter interface of the firewall and repeat Steps 1 through 6 for each router.

  9. If you have routers on networks subordinate to the routers that connect to the firewall's interfaces, configure them so that their default routes point to the router connected to the firewall and then clear their ARP caches as well.

 


Setting the Default Route for Network Hosts

Each host on the same subnet as the inside interface should have its default route pointing to the firewall.

 

Host              Change Default Route                                                                 View Default Route
----------------  -----------------------------------------------------------------------------------  ------------------------------------
Solaris or SunOS  1. Edit /etc/default                                                                 netstat -nr
                  2. Reboot
Linux             route add default gw ip_address                                                      netstat -nr
Win2K             Start | Settings | Control Panel | Network | TCP/IP | Gateway                        winipcfg
WinNT             Control Panel | Network | Protocols tab | TCP/IP Protocol | Properties | IP Address  ipconfig
MacOS 7.5+        Apple menu | Control Panels | TCP/IP                                                 Apple menu | Control Panels | TCP/IP
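
One way to check the result of both procedures above, the router steps and the host table (an added example, not part of the original page): the script parses saved show ip route and netstat -nr output and reports every device whose default route does not point at the next hop planned for it. The device names, addresses and sample captures are constructed, and the output layouts assumed are those of Cisco IOS, Linux and Solaris.

```python
import re

# Constructed sample captures using documentation addresses (not from the page).
ROUTER_OK = """Gateway of last resort is 192.0.2.1 to network 0.0.0.0

C    192.0.2.0/24 is directly connected, Ethernet0
S*   0.0.0.0/0 [1/0] via 192.0.2.1
"""
ROUTER_UNSET = "Gateway of last resort is not set\n"
HOST_LINUX = """Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.254     0.0.0.0         UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""
HOST_SOLARIS = """Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
default              192.0.2.1            UG        1        120
192.0.2.0            192.0.2.20           U         1         45 hme0
"""

def router_gateway(show_ip_route):
    """Gateway of last resort from `show ip route` output, or None if not set."""
    m = re.search(r"^Gateway of last resort is (\d+(?:\.\d+){3})\b", show_ip_route, re.M)
    return m.group(1) if m else None

def host_gateway(netstat_nr):
    """Default gateway from `netstat -nr` output (Linux or Solaris layout), or None."""
    for line in netstat_nr.splitlines():
        fields = line.split()
        # Linux labels the default route 0.0.0.0, Solaris labels it "default".
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "default"):
            return fields[1]
    return None

def audit(captures, expected):
    """Return (device, expected_hop, actual_hop) for every device whose default
    route does not point at the next hop planned for it."""
    findings = []
    for device, (kind, text) in sorted(captures.items()):
        actual = router_gateway(text) if kind == "router" else host_gateway(text)
        if actual != expected[device]:
            findings.append((device, expected[device], actual))
    return findings

if __name__ == "__main__":
    captures = {"r1": ("router", ROUTER_OK), "r2": ("router", ROUTER_UNSET),
                "h1": ("host", HOST_LINUX), "h2": ("host", HOST_SOLARIS)}
    for finding in audit(captures, dict.fromkeys(captures, "192.0.2.1")):
        print("default route mismatch:", finding)
```

For routers covered by step 9, set the expected next hop to the router connected to the firewall rather than to the firewall itself.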