Firewall Configurations

Published on January 2017 | Categories: Documents | Downloads: 28 | Comments: 0 | Views: 237

Topics: Incoming Access, Service Groups, Packet Filtering, Connection Tracking, Intrusion Detection Systems, Access Control

Incoming Access
The Incoming Access menu option allows you to control access to the SnapGear appliance itself, such as for remote administration.

The following pages are available from the Incoming Access menu option: the Administration Services page and the Web Management Configuration page.

By default, the SnapGear appliance runs a web administration server, a Telnet service and an SSH service (SSH is not applicable to the SG300 model). Access to these services can be restricted to specific interfaces.

Typically, access to the web management console (Web/SSL Web) is restricted to hosts on your local network (LAN interfaces), and administration services are allowed on the LAN interface only. If you provide administration services on other interfaces, additional security precautions are required, such as setting up packet filter rules that limit which hosts may reach those services.

Telnet
Controls access to the SnapGear appliance's command-line interface via Telnet. Only administrative users with the Login access control enabled are able to connect via Telnet. Telnet is completely unencrypted, so disabling the Telnet service is recommended for increased security.

Creating an Administrative User

1. Click Users.
2. Click New.
3. Enter a username.
4. Enter a description.
5. Enter a password.
6. Confirm the password.
7. Grant the user the access controls it needs (described below).

The access controls that can be granted to a user are:

Login: provides the user with Telnet access to the command-line administration interface.

Administration: gives the user the ability to make changes to the SnapGear appliance's configuration via the web-based administration interface. This should only be granted to trusted users who are permitted to configure and reconfigure the appliance.

Diagnostic: provides the user with the ability to view restricted diagnostic information via the web-based administration interface. This access control can be given to technical support users so they can attempt to diagnose, but not fix, any problems that occur.

Encrypted Save/Restore All: provides the user with the ability to save and restore the configuration of the SnapGear appliance via the Save/Restore page. This access control can be given to a technician whom you want to be able to restore the appliance to a known good configuration, but to whom you do not want to grant full administration rights.

Change Password: provides the user with the ability to change their own password via the web management console.

Web (HTTP) / SSL Web (HTTPS)
Controls access to the SnapGear appliance via the SnapGear web management console. To use the console, ensure that the SnapGear appliance's web server is configured appropriately on the Web Management page.

Web Management Configuration
On the Web Management page you can enable or disable the HTTP protocols, change the HTTP port numbers, and create or upload certificates for securing access to the web management console via HTTPS.

Accept Echo Request (incoming port)
Allows ICMP echo requests (ping) on Internet interfaces. Disallowing echo requests may make it more difficult for external attackers scanning for hosts to discover your appliance.

Service Groups
Service groups are used to group together similar services. Create a group of the services you want to allow, and then use a single rule to allow them all at once.

New Service Groups

Addresses: an address is a single IP address, a range of IP addresses, or a DNS hostname. Network packets can be matched by source or destination address.

Interfaces: use the Interfaces page to define, edit and delete interface groups. Packets can also be matched by incoming and outgoing interface. You can group the appliance's network interfaces into interface groups to simplify your firewall rule set.

Various Services

Domain (UDP) / DNS UDP
User Datagram Protocol (UDP) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). Unlike TCP, UDP does not divide a message into packets (datagrams) and reassemble it at the other end; in particular, UDP does not provide sequencing of the packets the data arrives in. This means that an application that uses UDP must be able to make sure that the entire message has arrived and is in the right order. Network applications that want to save processing time because they have very small data units to exchange (and therefore very little message reassembling to do) may prefer UDP to TCP. UDP provides two services not provided by the IP layer: port numbers, to help distinguish different user requests, and, optionally, a checksum to verify that the data arrived intact. DNS primarily uses UDP on port 53 to serve requests. A DNS query consists of a single UDP request from the client followed by a single UDP reply from the server.

Domain (TCP) / DNS TCP
DNS uses both TCP and UDP on port 53 to serve requests. Almost all DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. TCP typically comes into play only when the response data size exceeds 512 bytes.
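The UDP-to-TCP fallback is signalled by the truncation (TC) bit in the DNS header. The following Python is an added example, not code from the slides or from the SnapGear firmware: it packs a minimal DNS header in the RFC 1035 layout, has a toy server cut any reply that would exceed the 512-byte UDP limit and set TC, and shows the client deciding whether to re-ask over TCP/53. The answer section is a constructed byte blob rather than a real encoded resource record, and the IDs and sizes are made up for the demonstration.

```python
"""DNS over UDP vs. TCP: the truncation (TC) bit. Added example, not
SnapGear code; the answer payload and query IDs are constructed."""
import struct

DNS_HEADER_LEN = 12
DNS_UDP_MAX = 512   # classic UDP payload limit without EDNS0
FLAG_QR = 0x8000    # 1 = this message is a response
FLAG_TC = 0x0200    # 1 = the response was truncated


def build_header(ident: int, qr: bool, tc: bool, qdcount: int = 1, ancount: int = 0) -> bytes:
    """Pack the 12-byte header: ID, flags, QD, AN, NS, AR counts (network order)."""
    flags = (FLAG_QR if qr else 0) | (FLAG_TC if tc else 0)
    return struct.pack("!6H", ident, flags, qdcount, ancount, 0, 0)


def parse_header(msg: bytes) -> dict:
    """Decode the header fields a client needs; short messages are rejected."""
    if len(msg) < DNS_HEADER_LEN:
        raise ValueError("DNS message shorter than header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:DNS_HEADER_LEN])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def udp_reply(ident: int, answer_section: bytes) -> bytes:
    """Toy server: send the full answer if it fits in 512 bytes; otherwise send
    a reply cut to 512 bytes with TC=1 so the client retries over TCP."""
    full = build_header(ident, qr=True, tc=False, ancount=1) + answer_section
    if len(full) <= DNS_UDP_MAX:
        return full
    truncated = build_header(ident, qr=True, tc=True, ancount=0) + answer_section
    return truncated[:DNS_UDP_MAX]


def next_transport(reply: bytes, query_id: int) -> str:
    """Client side: 'done' if the UDP answer is usable, 'tcp' if it was
    truncated and must be re-asked over TCP. A reply that is not a response
    or whose ID does not match the outstanding query is discarded."""
    hdr = parse_header(reply)
    if not hdr["qr"] or hdr["id"] != query_id:
        return "discard"
    return "tcp" if hdr["tc"] else "done"


def resolve_flow(ident: int, answer_section: bytes) -> dict:
    """Run one query through the toy server and report the UDP reply size
    and which transport the client ends up needing."""
    reply = udp_reply(ident, answer_section)
    return {"udp_bytes": len(reply), "transport": next_transport(reply, ident)}


if __name__ == "__main__":
    print(resolve_flow(0x1234, b"A" * 100))   # constructed short answer: stays on UDP
    print(resolve_flow(0x1234, b"A" * 900))   # constructed large answer: TC set, retry on TCP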

IMAP4
Internet Message Access Protocol (IMAP) is a protocol for retrieving e-mail messages. The latest version, IMAP4, is similar to POP3 but supports some additional features. For example, with IMAP4 you can search through your e-mail messages for keywords while the messages are still on the mail server, and then choose which messages to download.

IRC
Internet Relay Chat (IRC) is a form of real-time Internet text messaging (chat). It is mainly designed for group communication in discussion forums.

NNTP (News)
Network News Transfer Protocol (NNTP) is a protocol used to post, distribute and retrieve Usenet messages.

Usenet is a worldwide bulletin board system that can be accessed through the Internet or through many online services. Usenet contains more than 14,000 forums, called newsgroups, that cover every imaginable interest group. It is used daily by millions of people around the world.

NTP (Time)
Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses the User Datagram Protocol (UDP) on port number 123.

Packet Filtering
The majority of firewall customization is typically accomplished by creating packet filter and NAT (Network Address Translation) rules.

Packet filter rules match network packets based on a combination of incoming and outgoing interface, source and destination address, and destination port and protocol.

Once a packet is matched, it can be:

Allowed: the packet is allowed to pass.
Disallowed (dropped): the packet is discarded as if it had never been received.
Rejected: much like drop, but the filter tells the source of the packet that it has been rejected.
Logged: the match is recorded in the appliance's log.
Rate limited: rate limiting is used to control the rate of traffic sent or received on a network interface. Traffic that is less than or equal to the specified rate is sent, whereas traffic that exceeds the rate is dropped or delayed. A device that performs rate limiting is a rate limiter.
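To show how service groups, address and interface groups, and the five actions fit together, here is an added Python model of a first-match packet filter. It is not SnapGear code and does not reflect how the appliance implements its rules internally; the interface names (eth0/eth1), the 192.168.1.0/24 LAN prefix, the documentation-range source addresses, and the rate values are all constructed for the example. It encodes the policy the slides recommend: management services (HTTPS and SSH) reachable only from LAN hosts on the LAN interface, the same services rejected and logged when they arrive from the Internet interface, echo requests from the Internet dropped silently, DNS on both transports rate limited, and everything unmatched dropped by default.

```python
"""Toy first-match packet filter built around the rule concepts in these
slides (added example, not SnapGear code). Service, address and interface
groups are plain dicts; actions are allow, drop, reject, log (a flag on a
rule) and rate limit (a token bucket). All names and prefixes are constructed."""
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Set

SERVICE_GROUPS = {"admin": {("tcp", 443), ("tcp", 22)},   # HTTPS console + SSH
                  "dns": {("udp", 53), ("tcp", 53)}}      # DNS needs both transports
INTERFACE_GROUPS = {"lan": {"eth0"}, "internet": {"eth1"}}
ADDRESS_GROUPS = {"lan_hosts": [ip_network("192.168.1.0/24")]}

@dataclass
class Packet:
    in_iface: str
    src: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: int = 0
    icmp_type: Optional[int] = None   # 8 = echo request

@dataclass
class Rule:
    action: str                       # allow / drop / reject / ratelimit
    in_ifaces: Optional[Set[str]] = None
    src: Optional[list] = None        # list of ip_network objects
    services: Optional[Set[tuple]] = None
    icmp_type: Optional[int] = None
    log: bool = False
    rate: float = 0.0                 # packets per second (ratelimit only)
    burst: int = 0                    # bucket depth (ratelimit only)

    def matches(self, pkt: Packet) -> bool:
        """Criteria left as None are wildcards; every set criterion must hold."""
        return ((self.in_ifaces is None or pkt.in_iface in self.in_ifaces)
                and (self.src is None or any(ip_address(pkt.src) in n for n in self.src))
                and (self.services is None or (pkt.proto, pkt.dport) in self.services)
                and (self.icmp_type is None or (pkt.proto, pkt.icmp_type) == ("icmp", self.icmp_type)))

class TokenBucket:
    """Rate limiter: traffic within the rate (plus burst) passes, the excess is dropped."""
    def __init__(self, rate: float, burst: int, clock: Callable[[], float]):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def take(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class Firewall:
    def __init__(self, rules: List[Rule], clock: Callable[[], float] = time.monotonic):
        self.rules, self.log = rules, []
        self.buckets = {i: TokenBucket(r.rate, r.burst, clock)
                        for i, r in enumerate(rules) if r.action == "ratelimit"}

    def evaluate(self, pkt: Packet) -> str:
        """First matching rule decides; anything unmatched is dropped (default deny)."""
        for i, rule in enumerate(self.rules):
            if not rule.matches(pkt):
                continue
            if rule.log:
                self.log.append(f"{rule.action} {pkt.proto}/{pkt.dport} from {pkt.src} on {pkt.in_iface}")
            if rule.action == "ratelimit":
                return "allow" if self.buckets[i].take() else "drop"
            return rule.action
        return "drop"

RULES = [
    # Management services only from LAN hosts arriving on the LAN interface.
    Rule("allow", in_ifaces=INTERFACE_GROUPS["lan"], src=ADDRESS_GROUPS["lan_hosts"],
         services=SERVICE_GROUPS["admin"]),
    # The same services from the Internet interface: reject and log the attempt.
    Rule("reject", in_ifaces=INTERFACE_GROUPS["internet"], services=SERVICE_GROUPS["admin"], log=True),
    # Echo requests from the Internet: drop silently (Accept Echo Request left off).
    Rule("drop", in_ifaces=INTERFACE_GROUPS["internet"], icmp_type=8),
    # DNS from anywhere, limited to 2 packets/s with a burst of 3.
    Rule("ratelimit", services=SERVICE_GROUPS["dns"], rate=2.0, burst=3),
]

def demo(clock: Callable[[], float] = time.monotonic) -> dict:
    """Run constructed packets through RULES and collect the verdicts."""
    fw = Firewall(RULES, clock)
    lan, wan = ("eth0", "192.168.1.10"), ("eth1", "203.0.113.5")
    return {
        "lan_https": fw.evaluate(Packet(*lan, "tcp", 443)),
        "wan_ssh": fw.evaluate(Packet(*wan, "tcp", 22)),
        "wan_ping": fw.evaluate(Packet(*wan, "icmp", icmp_type=8)),
        "lan_http": fw.evaluate(Packet(*lan, "tcp", 80)),          # no rule: default deny
        "dns_burst": [fw.evaluate(Packet(*lan, "udp", 53)) for _ in range(5)],
        "logged": len(fw.log),
    }
```

Calling `demo()` returns the verdict for each constructed packet; passing a fixed clock (for instance `demo(clock=lambda: 0.0)`) makes the rate-limit result deterministic, so five DNS packets in the same instant give three allows followed by two drops. The order of RULES matters: the reject-and-log rule for management services is placed after the LAN allow rule, so an attempt from the Internet interface is both answered with a rejection and recorded, while the same packet from a LAN host is passed without a log entry.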
