There are three pre-set paths in the IntraGuard Firewall. A path defines a route for packets through the firewall. Each of the three paths already has a name, a security policy and interface definitions. While the names and parameters of the firewall paths can be modified, the default settings should work for many installations.
Firewall paths can be added to the edit area of a device, renamed or deleted.
The IntraGuard Firewall currently supports up to three firewall paths. Any additional paths may cause configuration problems. It is recommended that you add firewall paths only if you have previously deleted a path, so that no more than three paths exist at a time.
To rename a path, right-click on the path's icon, then choose Firewall Path/Rename Firewall Path.
To delete a path, right-click on the path's icon, then choose Firewall Path/Delete Firewall Path.
These functions are also available in the File menu.

To access this dialog box, select FirewallPath/Settings from the Device View.
These checkboxes control which interfaces will be specified as inside interfaces or outside interfaces for each path. Typically, Inside interfaces are secure while Outside interfaces are less secure.
If more than one interface is designated as an inside or outside interface on a particular path, those interfaces are considered to be open multiplexed and traffic will flow freely between them. For example, in the default configuration, both Ethernet 0 and the Bridge interface are inside interfaces on the Green-Red Path. Traffic between those two interfaces will not be subjected to firewall screening.
Use the New button to add a named filter to the list or to select a named filter from a pull-down list.
Use the Delete button to remove a named filter from the list.
Use the Move Up and Move Down buttons to move the filters into the desired application order.
Use the New button to add a named filter to the list or to select a named filter from a pull-down list.
Use the Delete button to remove a named filter from the list.
Use the Move Up and Move Down buttons to move the filters into the desired application order.

To access this dialog box, select FirewallPath/Settings from the Device View, then click on the Advanced button.
These settings allow detailed control of how certain packet types and sessions will be handled on the path.
This checkbox sets whether the path will permit TCP sessions for which the IntraGuard did not see the SYN flag. The SYN flag is included in the header of the first couple of TCP packets and indicates that a session is being established. When checked, this allows established connections to continue after rebooting the device, but it is also a less secure option. The default is unchecked.
This checkbox sets whether the device will terminate sessions on a firewall path where ICMP redirects have been sent. ICMP redirects are generated when a device cannot route a packet correctly on its own. The effect can be that three firewall path sessions will be created to route the packet correctly, two of which will not be needed after the first packet gets delivered. The default is unchecked.
This checkbox sets whether the device will send a TCP reset message to the client when a TCP session has been rejected. The default is unchecked.
This checkbox sets whether the device will limit itself to sending TCP reset messages only when a TCP packet containing the SYN flag has been rejected. This can be useful when ICMP redirects are being sent, which could cause sessions to terminate prematurely. The default is checked.
This checkbox sets whether the device will send an ICMP message to the client when an IP or UDP packet has been rejected. The default is unchecked.
This checkbox sets whether the device will send an ICMP message to the client when a TCP packet has been rejected. This is in addition to sending a TCP reset message, if it has been enabled using the SendTCPReset checkbox. The default is unchecked.
This checkbox sets whether the device will reject source-routed IP packets. The default is checked.
This field sets the minimum acceptable length of IP packets. Raising the minimum packet length can be useful in preventing "frag" attacks, which can take advantage of the use of partial header information in fragmented packets. The IntraGuard protects against overlapping fragmentation attacks, even when the MinIPFragLen is set to the minimum value of 40. Values may range between 40 and 1,500. The default is 40.

This dialog box can be accessed by selecting FirewallPath/Security Policies from the Device View. This dialog box displays the overall security policy for an IntraGuard Firewall path and the individual policy settings for each protocol. It can be used to change the overall security policy, but not the individual protocol policy settings. To change individual protocol settings, see the Security Policy Protocol Setting Dialog Box.
This pull-down menu sets the overall Security Policy for the path. There are five general policy sets, each of which has an associated list of protocol settings which define how the interfaces belonging to the path will handle those types of packets.
Definitions of the five sets of security policies follow:
Changing the Current Security Policy will override any individually made protocol settings.
The following chart shows how each of the 31 protocols is treated by each of the five sets of security policies. The protocol BGPUse, for example, is assigned the security policy None by the Blocked policy set, but it is assigned the security policy Both by the Open policy set.
| Protocol | Blocked | Strict | Standard | Lenient | Open |
|---|---|---|---|---|---|
| BGPUse | None | None | None | Both | Both |
| BSDUse | None | None | Out | Out | Both |
| CompatiViewUse | None | Out | Out | Both | Both |
| DNSUse | None | Out | Out | Both | Both |
| FTPUse | None | Out | Out | Both | Both |
| H323Use | None | None | Out | Out | Both |
| ICMPUse | None | None | Out | Out | Both |
| IPsecUse | None | Out | Out | Both | Both |
| IRCUse | None | None | Out | Out | Both |
| LPRUse | None | None | Out | Out | Both |
| MailUse | None | Out | Out | Both | Both |
| NFSUse | None | None | Out | Out | Both |
| NetBIOSUse | None | None | Out | Out | Both |
| NewsUse | None | None | Out | Out | Both |
| NonIPUse | None | None | Out | Out | Both |
| OSPFUse | None | None | Out | Out | Both |
| POPUse | None | None | Out | Out | Both |
| RIPUse | None | None | Out | Out | Both |
| RealAudioUse | None | None | Out | Out | Both |
| SunRPCUse | None | None | Out | Out | Both |
| TelnetUse | None | Out | Out | Out | Both |
| TFTPUse | None | Out | Out | Out | Both |
| TunnelUse | None | None | Out | Out | Both |
| WebUse | None | Out | Out | Both | Both |
| XWinUse | None | None | None | In | Both |
| ISAKMPUse | None | Out | Out | Both | Both |
| GopherUse | None | Out | Out | Out | Both |
| NTPUse | None | None | Out | Both | Both |
| OtherTCPUse | None | None | Out | Out | Both |
| OtherUDPUse | None | None | Out | Both | Both |
| OtherUse | None | None | Out | Both | Both |

To change the individual protocol settings, select a protocol in the Security Policies: Firewall Path Dialog Box and then click the Modify... button. The Security Policy Dialog Box will appear in the Main Window.
Changing the Current Security Policy will override any individually made protocol settings.
This pull-down menu allows you to set how the selected protocol's packets will be handled on the path.

To access the Allow Ports/Protocols Dialog Box, select the Add... button to the right of the Allow Ports/Protocols list in the Security Policies: Firewall Path Dialog Box.
This dialog box allows you to specify a handling method for any numbered port or named protocol which isn't already an explicit Security Policy option. All Security Policy protocol settings take precedence over the Allow Ports/Protocols options. For example, if the OtherTCPUse option is set to In in the Security Policy settings, then it would be unnecessary to specify any particular TCP port using the TCPInPort option below.
The port or protocol number must be specified as a decimal number between 0 and 65,535. RFC 1700 "Assigned Numbers" contains a listing of all currently assigned IP protocol numbers.
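The way a path's Current Security Policy, its individual protocol settings and the Allow Ports/Protocols list combine, as an added illustration (not IntraGuard code). It assumes that "Out" permits sessions initiated from an inside interface toward an outside one, "In" the reverse, "Both" either direction and "None" neither; that a port is matched to a named protocol setting by a hypothetical port table; and that the Allow Ports/Protocols list only matters for ports that fall under the catch-all OtherTCPUse setting.

```python
# Added illustration of policy-set selection, per-protocol override and the
# precedence of Security Policy settings over Allow Ports/Protocols entries.
# Assumption: "Out" = inside->outside, "In" = outside->inside, "Both" = either.
PERMITS = {"None": set(), "Out": {"out"}, "In": {"in"}, "Both": {"in", "out"}}

# A few rows of the page's chart, columns Blocked, Strict, Standard, Lenient, Open.
POLICY_SETS = {
    "WebUse":      ("None", "Out",  "Out",  "Both", "Both"),
    "TelnetUse":   ("None", "Out",  "Out",  "Out",  "Both"),
    "XWinUse":     ("None", "None", "None", "In",   "Both"),
    "OtherTCPUse": ("None", "None", "Out",  "Out",  "Both"),
}
SET_INDEX = {"Blocked": 0, "Strict": 1, "Standard": 2, "Lenient": 3, "Open": 4}
# Hypothetical mapping of TCP ports to named protocol settings (not from the page).
PORT_PROTOCOL = {80: "WebUse", 23: "TelnetUse", 6000: "XWinUse"}
CATCH_ALL = "OtherTCPUse"

class FirewallPath:
    def __init__(self, policy_set):
        self.allow_ports = set()   # constructed Allow Ports/Protocols list: (direction, port)
        self.set_policy(policy_set)

    def set_policy(self, policy_set):
        """Choosing a Current Security Policy overrides every individual protocol setting."""
        i = SET_INDEX[policy_set]
        self.protocol = {name: cols[i] for name, cols in POLICY_SETS.items()}

    def set_protocol(self, name, setting):
        """Individual change made in the Security Policy Protocol Setting dialog."""
        self.protocol[name] = setting

    def allow_port(self, direction, port):
        """An Allow Ports/Protocols entry; TCPInPort on the page is direction 'in'."""
        self.allow_ports.add((direction, port))

    def permits(self, direction, port):
        """Decide a TCP session start; returns (allowed, the setting that decided)."""
        name = PORT_PROTOCOL.get(port, CATCH_ALL)
        if direction in PERMITS[self.protocol[name]]:
            return True, name                      # protocol setting takes precedence
        if name == CATCH_ALL and (direction, port) in self.allow_ports:
            return True, "AllowPorts"              # only consulted for unnamed ports
        return False, name
```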

To access this dialog box, select Global/Firewall Logging from the Device View.
The logging settings define the level at which specific events are logged. The nine logging levels are listed below in descending order of importance.
The IntraGuard "tags" the log messages associated with each type of event with the specified log level. The Off setting will disable log messages for the event.
The event log messages will appear in the log buffer (or wherever log messages are being sent) only if the global log level is at the same level or a lower level of importance. This allows you to closely monitor certain events while excluding from the log events you do not wish to monitor closely.
Logging parameters for the device, including the global log level, are set in the Logging Configuration Dialog Box, which can be accessed by selecting Logging from the Device View.
Using the default configuration as an example, if you wish to see log messages for TCP Resets, which have a default setting of Notice, you would need to set the Log Level in the Logging Configuration Dialog Box to Notice, Info or Debug. Any other setting would mean that TCP Resets would not appear in the log.
Rejects messages are created by the firewall whenever an IP packet is rejected for any reason. The default is Info.
TCP EST Reject messages are created by the firewall whenever an established TCP session is rejected. These messages are also created when a TCP session for which the firewall has not seen the SYN flag is established. The default is Error.
Sessions messages are created by the firewall whenever an IP session is established. The default is Error.
TearDown messages are created by the firewall whenever an IP session is torn down. The default is Warning.
IP Timeouts messages are created by the firewall whenever a non-TCP session (i.e. IP or UDP session) is timed out. The default is Warning.
TCP Timeouts messages are created by the firewall whenever a TCP session is timed out due to inactivity. The default is Alert.
TCP Resets messages are created by the firewall whenever a TCP session is reset. The default is Notice.
ICMPResets messages are created by the firewall whenever a non-TCP session (i.e. UDP or ICMP session) is reset. The default is Notice.
TCP SYN messages are created by the firewall whenever a TCP connection cannot be completed because it was timed out. The default is Critical.
TCP FIN messages are created by the firewall whenever a TCP connection cannot be properly torn down and is instead timed out. The default is Critical.
Redirects messages are created by devices on the network when they receive a misdirected packet. These messages sometimes indicate route instability or the presence of an incorrectly configured IP host, but they do not necessarily indicate a problem on the network. The default is Critical.
General messages are created when errors occur within the IntraGuard. This might include running out of memory or internal state errors, and should be infrequent. The default is Critical.
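The logging rule above, as an added illustration (not IntraGuard code): an event is written only when the global Log Level is at the event's level or a less important one. It assumes the levels named on this page are ordered as standard syslog severities, most important first (the page's own ordered list is not reproduced here), and uses the per-event defaults quoted above.

```python
# Added illustration of the global-versus-event log level rule.
# Assumption: syslog ordering of the levels named on this page, most important first.
LEVELS = ["Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]

# Per-event default levels from the Firewall Logging dialog box.
EVENT_DEFAULTS = {
    "Rejects": "Info", "TCP EST Reject": "Error", "Sessions": "Error",
    "TearDown": "Warning", "IP Timeouts": "Warning", "TCP Timeouts": "Alert",
    "TCP Resets": "Notice", "ICMPResets": "Notice", "TCP SYN": "Critical",
    "TCP FIN": "Critical", "Redirects": "Critical", "General": "Critical",
}

def is_logged(event_level, global_level):
    """True when a message tagged event_level reaches the log at global_level."""
    if event_level == "Off":          # Off disables the event entirely
        return False
    return LEVELS.index(global_level) >= LEVELS.index(event_level)

def visible_events(global_level, event_levels=EVENT_DEFAULTS):
    """Names of the events that would appear in the log at this global level."""
    return sorted(e for e, lvl in event_levels.items() if is_logged(lvl, global_level))

def minimum_global_level(wanted, event_levels=EVENT_DEFAULTS):
    """Least verbose global Log Level that still shows every event in `wanted`,
    or None if one of them is set to Off."""
    lvls = [event_levels[e] for e in wanted]
    if "Off" in lvls:
        return None
    return LEVELS[max(LEVELS.index(l) for l in lvls)]
```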

To access this dialog box, select Global/Firewall Settings from the Device View. The dialog box Firewall Settings appears on the Main Screen.
This dialog box is used to set global timers for the firewall.
This field sets the number of seconds the firewall will wait without receiving a response to a SYN TCP packet before clearing a TCP session. The SYN flag is included in the header of the first couple of TCP packets and indicates that a session is being established. If the SYN Timer is set too low, half-open sessions may accumulate. If the SYN Timer is set too high, there may not be enough time to complete the handshake and establish a session. Values may range from 0 to 120. The default is 20 seconds.
This field sets the number of seconds the firewall will wait without receiving a response to a FIN TCP packet before clearing a TCP session. TCP specifies that for a session to be fully closed down, both ends of the connection must send out a FIN packet. If the FIN Timer is too high, half-shut sessions may accumulate. If the FIN Timer is too low, sessions may be shut down too quickly. Values may range from 0 to 120. The default is 10 seconds.
This field sets the number of seconds the firewall will wait before shutting down an inactive TCP session. Values may range from 0 to 0xFFFFFFFF. The default is 172,800 seconds (48 hours).
This field sets the number of seconds the firewall will wait before shutting down an inactive non-TCP session. Values may range from 0 to 0xFFFFFFFF. The default is 60 seconds.
This field sets the number of seconds the firewall will wait to close down a half-shut, inactive TCP session. TCP specifies that for a session to be fully closed down, both ends of the connection must send out a FIN packet. If the firewall has not received a FIN packet from the other end and there has been no activity during the specified length of time, the firewall will clear the session. Values may range from 0 to 0xFFFFFFFF. The default is 120 seconds. Setting a value of 0 will disable the timer.
This field sets the number of seconds the firewall will wait before shutting down an inactive dynamic session. Dynamic sessions are created by the firewall to allow TCP sessions or non-TCP packets to come through the firewall. The firewall does this by monitoring packet headers and data, and then opening permitted sessions only when necessary. Values may range from 0 to 300. The default is 60 seconds.
This field sets the number of seconds the firewall will keep track of rejected packets after the packet flow has ended. The firewall tallies the different types of rejected packets and summarizes the information in a display using the show firewall rejects command (see firewall(show) in the Text-Based Configuration and Command Line Reference Guide). Values may range from 0 to 0xFFFFFFFF. The default is 300 seconds. If the Reject Timer is set to 0, the firewall will log every rejected packet individually, without summarizing them in a tally.
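How the timers in this dialog box age out tracked sessions, as an added illustration (not IntraGuard code) using the page's default values. The session states and the mapping of each timer to a Firewall Logging event name (TCP SYN, TCP FIN, TCP Timeouts, IP Timeouts) are assumptions drawn from the event descriptions above.

```python
# Added illustration of session expiry under the global firewall timers.
from dataclasses import dataclass

# Page defaults, in seconds.  A half_shut value of 0 disables that timer.
TIMERS = {"syn": 20, "fin": 10, "tcp_idle": 172_800, "non_tcp_idle": 60,
          "half_shut": 120, "dynamic_idle": 60}

@dataclass
class Session:
    proto: str            # "tcp", "udp", "icmp", ...
    state: str            # tcp: syn_sent, fin_sent, half_shut, established; else: open
    last_seen: float      # time of the last packet seen on the session
    dynamic: bool = False # opened by the firewall itself for a permitted flow

def expiry_event(s, now, timers=TIMERS):
    """Return the log event name if the session should be cleared at `now`, else None.
    Assumed state-to-event mapping; not the device's own logic."""
    idle = now - s.last_seen
    if s.dynamic and idle > timers["dynamic_idle"]:
        return "TCP Timeouts" if s.proto == "tcp" else "IP Timeouts"
    if s.proto != "tcp":
        return "IP Timeouts" if idle > timers["non_tcp_idle"] else None
    if s.state == "syn_sent":          # handshake never completed
        return "TCP SYN" if idle > timers["syn"] else None
    if s.state == "fin_sent":          # no reply to a FIN within the FIN Timer
        return "TCP FIN" if idle > timers["fin"] else None
    if s.state == "half_shut":         # one FIN seen, other end silent
        t = timers["half_shut"]
        return "TCP FIN" if t and idle > t else None
    return "TCP Timeouts" if idle > timers["tcp_idle"] else None

def sweep(sessions, now, timers=TIMERS):
    """Drop expired sessions from the list in place; return the events to log."""
    events = []
    for s in list(sessions):
        ev = expiry_event(s, now, timers)
        if ev:
            events.append(ev)
            sessions.remove(s)
    return events
```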
Posted: Wed Sep 27 12:08:34 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.