FIREWALL CONFIGURATIONS
Topics covered:
- Incoming access
- Service groups
- Packet filtering
- Connection tracking
- Intrusion detection systems
- Access control
INCOMING ACCESS
The Incoming Access menu option controls access to the SnapGear appliance itself, for example for remote administration. It is separate from the rules that control traffic passing through the appliance.
The following pages are available from the Incoming Access menu option:
- Administration Services page
- Web Management Configuration page
By default the SnapGear appliance runs a web administration server, a telnet service and an SSH service (SSH is not applicable to the SG300 model). Access to each of these services can be restricted to specific interfaces.
Typically, access to the web management console (Web/SSL Web) is restricted to hosts on your local network, i.e. the LAN interfaces, and administration services are allowed on the LAN interface only. Exposing administration services on other interfaces (in particular the Internet interface) requires additional precautions, such as packet filter rules that limit which source addresses may reach the management ports.
TELNET
Controls access to the SnapGear appliance's command-line interface via telnet. Only administrative users with the Login access control enabled are able to connect via telnet. Telnet is completely unencrypted: usernames, passwords and the whole session cross the network in cleartext, so disabling the telnet service and using SSH instead is recommended for increased security.
CREATING AN ADMINISTRATIVE USER
Each administrative user is granted one or more of the following access controls:
- Login: gives the user telnet access to the command-line administration interface.
- Administration: gives the user the ability to change the SnapGear appliance's configuration via the web-based administration interface. This should only be granted to trusted users who are permitted to configure and reconfigure the appliance.
- Diagnostic: gives the user the ability to view restricted diagnostic information via the web-based administration interface. This access control can be given to technical support users so they can attempt to diagnose, but not fix, any problems that occur.
- Encrypted Save/Restore All: gives the user the ability to save and restore the configuration of the SnapGear appliance via the Save/Restore page. This access control can be given to a technician whom you want to be able to restore the appliance to a known good configuration, but to whom you do not want to grant full administration rights.
- Change Password: gives the user the ability to change their own password via the web management console.
WEB (HTTP)/ SSL WEB(HTTPS)
Controls access to the SnapGear appliance via the SnapGear web management console. To use the console, ensure that the appliance's web server is configured appropriately on the Web Management page.
WEB MANAGEMENT CONFIGURATION
On the Web Management page you can enable or disable the HTTP and HTTPS protocols, change the port numbers they listen on, and create or upload certificates for securing access to the web management console via HTTPS. Prefer HTTPS (SSL Web) for administration; plain HTTP exposes the administrator's credentials to anyone on the path.
ACCEPT ECHO REQUEST (INCOMING PORT)
Allows ICMP echo requests (ping) on Internet interfaces. Disallowing echo requests may make it more difficult for external attackers sweeping for live hosts to discover your appliance. This is only a minor obstacle: a port scan will still reveal any service left listening on the Internet interface, so it is no substitute for restricting the administration services themselves.
SERVICE GROUPS
Service groups are used to group together similar services. Create a group of the services you want to allow, and then use a single packet filter rule to allow them all at once, instead of one rule per port.
ADDRESSES
Addresses: an address is a single IP address, a range of IP addresses, or a DNS hostname. Network packets can be matched by source or destination address.
Interfaces: use the Interfaces page to define, edit and delete interface groups. Packets can also be matched by incoming and outgoing interface. You can group the appliance's network interfaces into interface groups to simplify your firewall rule set.
VARIOUS SERVICES
DOMAIN (UDP) / DNS UDP
User Datagram Protocol (UDP) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). Unlike TCP, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end; in particular, UDP does not provide sequencing of the packets that the data arrives in. This means that an application program that uses UDP must itself make sure that the entire message has arrived and is in the right order.
Network applications that want to save processing time because they have very small data units to exchange (and therefore very little message reassembling to do) may prefer UDP to TCP. UDP provides two services not provided by the IP layer: port numbers, to distinguish different user requests, and an optional checksum, to verify that the data arrived intact.
DNS primarily uses UDP on port 53 to serve requests. A typical DNS query consists of a single UDP request from the client followed by a single UDP reply from the server. Because there is no handshake, the source address of a UDP query is trivially spoofable, which is why DNS servers are a favourite reflector for amplification attacks and why the appliance should not answer DNS on its Internet interface.
DOMAIN(TCP) / DNS TCP
DNS uses both TCP and UDP on port 53 to serve requests. Almost all DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. TCP typically comes into play only when the response does not fit in the classic 512-byte UDP limit (the server sets the TC, truncated, flag and the client repeats the query over TCP) and for zone transfers between name servers. A firewall rule that allows only UDP/53 therefore breaks large answers and zone transfers silently.
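The UDP-to-TCP fallback described above, as an added worked example (this is illustration code written for this page, not the SnapGear firmware). It builds a DNS query, inspects the header of a reply, and decides from the TC flag whether the same query must be repeated over TCP port 53, where each message carries a 2-byte length prefix. The sample reply is constructed in the block, not captured traffic; the name `example.com` and transaction ID are arbitrary test values.

```python
import struct

DNS_PORT = 53
UDP_MESSAGE_LIMIT = 512   # classic (pre-EDNS0) maximum DNS payload over UDP


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by a zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard query, recursion desired, one question (QCLASS IN).
    The same bytes are sent over UDP or TCP; only the framing differs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; the TC flag decides whether a TCP retry is needed."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "tc": bool(flags & 0x0200),   # truncated: answer did not fit in the UDP reply
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_response(query: bytes, truncated: bool) -> bytes:
    """Constructed sample response (test data, not captured traffic): echoes the
    question section, sets QR and RA, and sets TC when the server had to cut the
    UDP answer short. No answer records are included, as with a real truncated reply."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def transport_for_response(response: bytes, query_id: int) -> str:
    """A resolver's decision after the UDP exchange: 'udp' if the answer is usable,
    'tcp' if the identical query must be repeated over TCP port 53."""
    h = parse_header(response)
    if h["id"] != query_id or not h["qr"]:
        raise ValueError("not a response to our query (stray or spoofed packet)")
    return "tcp" if h["tc"] else "udp"


def frame_for_tcp(msg: bytes) -> bytes:
    """Over TCP each DNS message is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def fits_in_udp(msg: bytes) -> bool:
    """Whether a message can be carried in one classic UDP DNS datagram."""
    return len(msg) <= UDP_MESSAGE_LIMIT


if __name__ == "__main__":
    q = build_query("example.com")
    for truncated in (False, True):
        r = build_response(q, truncated)
        print("TC set" if truncated else "TC clear", "->", transport_for_response(r, 0x1234))
```

The firewall consequence is the one that matters for a service group: the retry goes to TCP/53 with the same query, so a "DNS" group must contain both `udp/53` and `tcp/53` or the client's second attempt is dropped after the first one succeeded.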
IMAP4
Internet Message Access Protocol, a protocol for retrieving e-mail messages. The latest version, IMAP4, is similar to POP3 but supports some additional features. For example, with IMAP4 you can search through your e-mail messages for keywords while the messages are still on the mail server, and then choose which messages to download.
IRC
Internet Relay Chat (IRC) is a form of real-time Internet text messaging (chat). It is mainly designed for group communication in discussion forums (channels).
NNTP (NEWS)
Network News Transfer Protocol is the protocol used to post, distribute and retrieve Usenet messages.
Usenet is a worldwide bulletin board system that can be accessed through the Internet or through many online services. Usenet contains more than 14,000 forums, called newsgroups, covering every imaginable interest group, and is used daily by millions of people around the world.
NTP (TIME)
Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses the User Datagram Protocol (UDP) on port number 123.
PACKET FILTERING
The majority of firewall customization is typically accomplished by creating packet filter and NAT (Network Address Translation) rules.
Packet filter rules match network packets on a combination of incoming and outgoing interface, source and destination address, and destination port and protocol. Rules are evaluated in order and the first match decides what happens to the packet, so the order of rules matters as much as their content.
Once a packet is matched, it can be:
- Allowed: the packet is allowed to pass.
- Disallowed (dropped): the packet is discarded as if it had never been received; the sender gets no feedback and must wait for a timeout.
- Rejected: much like drop, but the filter tells the source of the packet that it has been rejected (for example with an ICMP unreachable or a TCP reset). This is friendlier to legitimate clients but confirms to a scanner that a filter is present.
- Logged: the match is recorded in the appliance's log.
- Rate limited: rate limiting controls the rate of traffic sent or received on a network interface. Traffic that is less than or equal to the specified rate is passed, whereas traffic that exceeds the rate is dropped or delayed. A device that performs rate limiting is a rate limiter.