
FIREWALL CONFIGURATIONS

- Incoming access
- Service groups
- Packet filtering
- Connection tracking
- Intrusion detection systems
- Access control
INCOMING ACCESS

- The Incoming Access menu option allows you to control access to the SnapGear appliance itself, such as for remote administration.
- The following pages are available from the Incoming Access menu option:
  - Administration Services page
  - Web Management Configuration page

INCOMING ACCESS

- By default, the SnapGear appliance runs a web administration server, a Telnet service and an SSH service (SSH is not applicable to the SG300 model).
- Access to these services can be restricted to specific interfaces.
- Typically, access to the web management console (Web/SSL Web) is restricted to hosts on your local network (LAN interfaces); administration services are allowed on the LAN interface.
- Providing administration services on other interfaces requires additional security precautions to be taken, such as setting up packet filter rules.
TELNET

- Controls access to the SnapGear appliance via a Telnet command line interface.
- Only administrative users with the Login access control enabled are able to connect via Telnet.
- Telnet is completely unencrypted; disabling the Telnet service is recommended for increased security.
CREATING AN ADMINISTRATIVE USER

1. Click Users.
2. Click New.

On the new user form:
1. Enter a username.
2. Enter a description.
3. Enter a password.
4. Confirm the password.

Then provide the various access controls to the user (described on the following slides).
CREATING AN ADMINISTRATIVE USER

- Login: to provide the user with Telnet access to the command-line administration interface.
- Administration: to give the user the ability to make changes to the SnapGear appliance's configuration via the web-based administration interface. This should only be provided to trusted users who are permitted to configure and reconfigure the appliance.
- Diagnostic: to provide the user with the ability to view restricted diagnostic information via the web-based administration interface. This access control can be given to technical support users so they can attempt to diagnose, but not fix, any problems that occur.
- Encrypted Save / Restore All: to provide the user with the ability to save and restore the configuration of the SnapGear appliance via the Save/Restore page. This access control can be given to a technician to whom you want to give the ability to restore the appliance to a known good configuration, but to whom you do not want to grant full administration rights.
- Change Password: to provide the user with the ability to change their password via the web management console.
WEB (HTTP) / SSL WEB (HTTPS)

- Controls access to the SnapGear appliance via the SnapGear web management console.
- To use the console, ensure that the SnapGear appliance's web server is configured appropriately in the Web Management page.

WEB MANAGEMENT CONFIGURATION

- On the Web Management page you can enable or disable HTTP protocols, change HTTP port numbers, and create or upload certificates for securing access to the web management console via HTTPS.
ACCEPT ECHO REQUEST (INCOMING PORT)

- Allows echo requests on Internet interfaces.
- Disallowing echo requests may make it more difficult for external attackers scanning for hosts to discover your appliance.
SERVICE GROUPS

- Used to group together similar services.
- Create a group of services that we want to allow, and then use a single rule to allow them all at once.

NEW SERVICE GROUPS: ADDRESSES

- An address is a single IP address, a range of IP addresses, or a DNS hostname.
- Network packets can be matched by source or destination address.

NEW SERVICE GROUPS: INTERFACES

- Use the Interfaces page to define, edit, and delete interface groups.
- Packets can also be matched by incoming and outgoing interface. You can group the appliance network interfaces into interface groups to simplify your firewall rule set.
VARIOUS SERVICES: DOMAIN (UDP) / DNS UDP

- User Datagram Protocol: a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP).
- Unlike TCP, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. Specifically, UDP does not provide sequencing of the packets that the data arrives in. This means that the application program that uses UDP must be able to make sure that the entire message has arrived and is in the right order.
- Network applications that want to save processing time because they have very small data units to exchange (and therefore very little message reassembling to do) may prefer UDP to TCP.
- UDP provides two services not provided by the IP layer: port numbers to help distinguish different user requests and, optionally, a checksum capability to verify that the data arrived intact.
- DNS primarily uses UDP on port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server.
VARIOUS SERVICES: DOMAIN (TCP) / DNS TCP

- DNS uses TCP and UDP on port 53 to serve requests. Almost all DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server.
- TCP typically comes into play only when the response data size exceeds 512 bytes.
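The two DNS slides above say that UDP/53 carries almost every query and that TCP/53 is used when an answer does not fit in 512 bytes. The following Python is an added example that makes that handshake concrete; it is not SnapGear code and not part of the original slides. It builds a query, has a constructed "server" answer it over UDP, sets the TC (truncated) flag when the full reply would exceed 512 bytes, and shows the client-side decision to retry over TCP with the two-byte length prefix that TCP framing requires. All function names (build_query, build_udp_response, needs_tcp_retry, frame_for_tcp) and the sample name and addresses are constructed for the example.

```python
"""Minimal DNS message builder/parser showing why DNS needs TCP as well as UDP.

Added example for the Domain (UDP) / Domain (TCP) slides; not SnapGear code.
The function names and the sample name/addresses below are constructed.
"""
import struct
from typing import Dict, List

DNS_HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
UDP_PAYLOAD_LIMIT = 512                # classic DNS-over-UDP limit (RFC 1035)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def build_query(ident: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query; QTYPE 1 = A, QCLASS 1 = IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return DNS_HEADER.pack(ident, FLAG_RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def a_record(ip: str, ttl: int = 300) -> bytes:
    """A record whose owner name is a pointer (0xC00C) to the question name."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata


def build_udp_response(query: bytes, ips: List[str]) -> bytes:
    """Server side of the rule on the slide: a reply that fits in 512 bytes goes
    out over UDP in full; a larger one is sent with TC set and no records, so
    the client repeats the same question over TCP."""
    ident, _flags, qdcount, _an, _ns, _ar = DNS_HEADER.unpack_from(query)
    question = query[DNS_HEADER.size:]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    answers = b"".join(a_record(ip) for ip in ips)
    full = DNS_HEADER.pack(ident, flags, qdcount, len(ips), 0, 0) + question + answers
    if len(full) <= UDP_PAYLOAD_LIMIT:
        return full
    return DNS_HEADER.pack(ident, flags | FLAG_TC, qdcount, 0, 0, 0) + question


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the fixed 12-byte header; rejects anything shorter."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {"id": ident, "qr": int(bool(flags & FLAG_QR)), "tc": int(bool(flags & FLAG_TC)),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response: bytes) -> bool:
    """Client side: a truncated UDP reply means 'ask again over TCP/53'."""
    return parse_header(udp_response)["tc"] == 1


def frame_for_tcp(msg: bytes) -> bytes:
    """Over TCP every DNS message is preceded by a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    query = build_query(0x1234, "example.test")          # constructed sample query
    small = build_udp_response(query, ["192.0.2.1", "192.0.2.2"])
    big = build_udp_response(query, [f"192.0.2.{i}" for i in range(1, 32)])
    print(len(small), needs_tcp_retry(small))            # 62 False
    print(len(big), needs_tcp_retry(big))                # 30 True
    print(frame_for_tcp(query)[:2].hex())                # 001e
```

The practical consequence for the filter rules on this deck: a service group for DNS must contain both UDP/53 and TCP/53, otherwise any lookup whose answer arrives truncated (the `big` case above) stalls at the TCP retry.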
VARIOUS SERVICES: IMAP4

- Internet Message Access Protocol: a protocol for retrieving e-mail messages.
- The latest version, IMAP4, is similar to POP3 but supports some additional features. For example, with IMAP4 you can search through your e-mail messages for keywords while the messages are still on the mail server, and then choose which messages to download.
VARIOUS SERVICES: IRC

- Internet Relay Chat (IRC) is a form of real-time Internet text messaging (chat).
- It is mainly designed for group communication in discussion forums.
VARIOUS SERVICES: NNTP (NEWS)

- Network News Transfer Protocol: a protocol used to post, distribute, and retrieve Usenet messages.
- Usenet is a worldwide bulletin board system that can be accessed through the Internet or through many online services. Usenet contains more than 14,000 forums, called newsgroups, that cover every imaginable interest group. It is used daily by millions of people around the world.
VARIOUS SERVICES: NTP (TIME)

- Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks.
- NTP uses UDP on port number 123.
PACKET FILTERING

- The majority of firewall customization is typically accomplished by creating packet filter and NAT (Network Address Translation) rules.
- Packet filter rules match network packets based on a combination of incoming and outgoing interface, source and destination address, and destination port and protocol.
PACKET FILTERING

Once a packet is matched, it can be:
- Allowed: allow the packet to pass.
- Disallowed (dropped): discard the packet as if it had never been received.
- Rejected: much like deny, but the filter will tell the source of the packet that it has rejected it.
- Logged:
- Rate limited: rate limiting is used to control the rate of traffic sent or received on a network interface. Traffic that is less than or equal to the specified rate is sent, whereas traffic that exceeds the rate is dropped or delayed. A device that performs rate limiting is a rate limiter.
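The Service Groups slides (service, address and interface groups) and the two Packet Filtering slides (match fields and the allow/drop/reject/log/rate-limit outcomes) describe one rule engine from two sides. The Python below is an added example that puts both together; it is not SnapGear's code and makes no claim about how the appliance implements its filter internally. It models service groups as sets of (protocol, destination port) pairs, address objects as CIDR ranges, interface groups as sets of port names, and a rule set in which the first matching allow/drop/reject rule decides, log rules only record the match, and a rate-limited allow rule drops traffic above its configured rate (a token bucket). The rule set follows the deck's own advice: administration services only from the LAN, echo requests from the Internet rate-limited, and both UDP/53 and TCP/53 in the DNS group. Every name, group, address and sample packet here is constructed for the example; the address ranges are documentation ranges, not real hosts.

```python
"""Toy model of the packet filter described on the Service Groups and
Packet Filtering slides. Added illustration, not SnapGear's own code; all
groups, rules, addresses and sample packets are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Service groups: (protocol, destination port) pairs so one rule allows a whole
# set of services at once. ICMP has no port; 0 stands in for echo requests.
SERVICE_GROUPS: Dict[str, Set[Tuple[str, int]]] = {
    "dns": {("udp", 53), ("tcp", 53)},          # TCP/53 too, for truncated replies
    "admin": {("tcp", 80), ("tcp", 443), ("tcp", 22)},
    "ping": {("icmp", 0)},
}

# Interface groups: appliance ports grouped to keep the rule set short.
INTERFACE_GROUPS: Dict[str, Set[str]] = {
    "lan": {"eth0", "eth1"},
    "internet": {"ppp0"},
    "any": {"eth0", "eth1", "ppp0"},
}

# Address objects: a host, a range (CIDR) or several; constructed sample ranges.
ADDRESSES: Dict[str, List[ipaddress.IPv4Network]] = {
    "office-lan": [ipaddress.ip_network("192.168.1.0/24")],
    "appliance": [ipaddress.ip_network("192.168.1.1/32"),     # LAN side
                  ipaddress.ip_network("198.51.100.2/32")],   # Internet side
    "any": [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int = 0


class TokenBucket:
    """Rate limiter: up to `burst` packets at once, refilled at `rate` per second."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def take(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    in_group: str
    src: str
    dst: str
    service: str
    action: str                            # allow | drop | reject | log
    limiter: Optional[TokenBucket] = None  # on an allow rule: rate limit it

    def matches(self, pkt: Packet) -> bool:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return (pkt.in_iface in INTERFACE_GROUPS[self.in_group]
                and any(src in net for net in ADDRESSES[self.src])
                and any(dst in net for net in ADDRESSES[self.dst])
                and (pkt.proto, pkt.dport) in SERVICE_GROUPS[self.service])


def build_rules() -> List[Rule]:
    """Admin only from the LAN, log admin attempts from the Internet,
    rate-limit echo requests, let LAN hosts resolve names anywhere."""
    return [
        Rule("lan", "office-lan", "appliance", "admin", "allow"),
        Rule("internet", "any", "appliance", "admin", "log"),
        Rule("internet", "any", "appliance", "ping", "allow",
             limiter=TokenBucket(rate=1.0, burst=2)),
        Rule("any", "office-lan", "any", "dns", "allow"),
    ]


def evaluate(rules: List[Rule], pkt: Packet, now: float = 0.0) -> Tuple[str, List[str]]:
    """First matching allow/drop/reject rule decides; log rules record the match
    and keep evaluating; a packet matching nothing is dropped silently."""
    logs: List[str] = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "log":
            logs.append(f"{pkt.proto}/{pkt.dport} from {pkt.src} on {pkt.in_iface}")
            continue
        if rule.limiter is not None and not rule.limiter.take(now):
            return "drop", logs            # over the configured rate
        return rule.action, logs
    return "drop", logs                    # default policy


if __name__ == "__main__":
    rules = build_rules()
    print(evaluate(rules, Packet("eth0", "tcp", "192.168.1.20", "192.168.1.1", 443)))
    print(evaluate(rules, Packet("ppp0", "tcp", "203.0.113.9", "198.51.100.2", 22)))
    ping = Packet("ppp0", "icmp", "203.0.113.9", "198.51.100.2")
    print([evaluate(rules, ping, now=t)[0] for t in (0.0, 0.0, 0.0, 1.0)])
```

Two design points worth noting against the slides. Matching is positive and first-match, so a rule set is only as tight as its final default; here anything unmatched falls through to a silent drop, which is the "disallowed" outcome rather than "rejected", so a scanner learns nothing from the absence of a reply. The rate limiter is attached to an allow rule rather than being its own verdict, which mirrors the slide's wording: traffic at or under the rate passes, traffic above it is dropped.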
