Security interfaces
Security
4-59
iMG/RG Software Reference Manual (IPNetwork Functions)
An Internal interface is an IP interface that is attached to a network that needs to be protected from the network attached to the External interface. For example, an interface attached to a private LAN is an internal interface.

The External interface is an IP interface that is attached to a network, for example the Internet, containing hosts that may pose a security threat to hosts on the internal interfaces.

A DMZ (demilitarized zone) is an IP interface serving a small network that acts as a neutral zone between the inside network and the outside network. A DMZ is a portion of the local network that is almost completely open to the external network. There may be some restriction on external access to the DMZ, but much less than the restriction on access to the internal interface.
To define an IP interface, use the IP ADD INTERFACE command (ref to ip command list).

To define an existing IP interface as a security interface, use the SECURITY ADD INTERFACE command.

To show the security interfaces currently defined, use the SECURITY LIST INTERFACES command.

Note: Only one external security interface and one DMZ security interface can be defined.

Note: Security interfaces must be created before you can configure the majority of the features of the security package.
FIGURE 4-2 Security interfaces on AT-iMG Models
(Figure: the External interface connects to the External Network, the DMZ interface to the DMZ Network, and each Internal interface to an Internal Network.)
4.2.3.1 Security Triggers - Dynamic Port Opening

The Dynamic Port Opening (also known as Security Triggers) feature solves a typical security problem related to Internet applications that require secondary ports to be open in order for a session to operate, or that need to have binary IP addresses in the payload translated and do not have an Application Level Gateway (ALG).

For example, an FTP control session operates on port 21, but FTP uses port 20 as a secondary port for the data transfer process. The more ports that are open, the greater the security risk. So, the Dynamic Port Opening service makes it possible to designate certain secondary ports that will only be opened when there is an active session on their associated primary port.

AT-iMG Models use triggers to inform the security mechanism to expect secondary sessions and how to handle them. Rather than allowing a range of port numbers, triggers handle the situation dynamically, allowing the secondary sessions only when appropriate.

The trigger mechanism works without having to understand the application protocol or read the payload of the packet (although the payload does need to be read when using NAT if address replacement has to be performed).
4.2.3.1.1 CONFIGURING TRIGGERS

To create a trigger for a TCP or UDP application, enter:

security add trigger <name> {tcp|udp} <startport> <endport> <maxactinterval>

The <startport> and <endport> attributes allow you to configure the port range used by the application to open a primary session. Most applications use a single port to open a primary session, in which case you can enter the same port value for both attributes. For example, to create a trigger for Windows Media Player, enter:

security add trigger WMP tcp 1755 1755 30000

In this command, notice that the <maxactinterval> attribute has been set to 30000. This attribute determines the maximum interval time in milliseconds between the use of secondary port sessions. It prevents the security threat posed by ports remaining open unnecessarily for long periods of time. If a secondary port remains inactive for the duration set, the port is automatically closed.
4.2.3.1.2 CONFIGURING SESSION CHAINING

The majority of applications that require triggers only open one additional (secondary) session; however, a small number of rare applications (like WS NetMeeting) open a secondary session which in turn opens additional sessions after the primary session has ended. This is called session chaining: multi-level sessions are triggered from a single trigger. To configure session chaining, use the command:

security set trigger <name> sessionchaining {enable|disable}

This command enables session chaining for TCP packets only. If you also want to configure session chaining for UDP packets, use the command:

security set trigger <name> UDPsessionchaining {enable|disable}
Note: TCP session chaining must always be enabled if UDP session chaining is to be used. It is not possible to define UDP session chaining without previously enabling TCP session chaining. Disabling TCP session chaining also automatically disables UDP session chaining.

Note: For the majority of applications, you do not need to enable session chaining and should do so only if you are certain that it is required. Because NetMeeting is so commonly used, an apposite command macro is provided to create a NetMeeting trigger with minimal configuration requirements:

security add trigger <name> netmeeting

You do not have to set a port range or maximum activity interval for this trigger; the security module automatically sets this for you.
4.2.3.1.3 CONFIGURING ADDRESS REPLACEMENT

If your device is configured as a NAT router, you may need to configure triggers for certain protocols to replace the embedded binary IP addresses of incoming packets with the correct inside host IP addresses. This ensures that addresses are translated correctly. To enable/disable binary address replacement, enter:

security set trigger <name> binaryaddressreplacement {enable|disable}

Once enabled, you can enable address replacement on TCP, UDP or both types of packet:

security set trigger <name> addressreplacement {none|tcp|udp|both}
4.2.3.1.4 CONFIGURING ADDRESS REPLACEMENT

By default, a trigger can only initiate a secondary session requested by the same host that initiated the primary session. Certain applications, such as SSL, may initiate secondary sessions from different remote hosts. This is called multihosting. To enable/disable multihosting, enter:

security set trigger <name> multihost {enable|disable}

The commands below allow you to determine the range of ports that a secondary session can use. In the majority of cases, you do not need to configure the secondary port ranges because triggers will only open specific port numbers for secondary sessions within the range 1024 - 65535.

To configure a secondary port range, enter:

security set trigger <name> secondarystartport <portnumber>
security set trigger <name> secondaryendport <portnumber>
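To make the trigger behaviour described in 4.2.3.1.1 through 4.2.3.1.4 concrete, the following Python model is an added example; it is not code from the iMG/RG firmware or from this manual. It records primary sessions that match a trigger's port range, admits an unsolicited inbound packet only on a port inside the trigger's secondary range and only while a matching primary session is active, honours the multihost setting, and closes a secondary port once it has been idle for longer than maxactinterval milliseconds. The class and method names, the decision logic and the sample host addresses are assumptions made for the illustration; the WMP trigger values (TCP 1755, 30000 ms) are the manual's own example.

```python
"""Model of Dynamic Port Opening (security triggers). Added illustration, not device code."""
from dataclasses import dataclass, field


@dataclass
class Trigger:
    """One 'security add trigger' entry plus the optional 'security set trigger' attributes."""
    name: str
    proto: str                     # "tcp" or "udp"
    startport: int                 # primary port range
    endport: int
    maxactinterval: int            # idle limit for an open secondary port, in milliseconds
    multihost: bool = False        # allow secondary sessions from a different remote host
    secondarystartport: int = 1024 # manual's default secondary range
    secondaryendport: int = 65535

    def matches_primary(self, proto, dport):
        return proto == self.proto and self.startport <= dport <= self.endport

    def allows_secondary(self, proto, dport):
        return proto == self.proto and self.secondarystartport <= dport <= self.secondaryendport


@dataclass
class TriggerEngine:
    """Hypothetical trigger decision engine (constructed for illustration)."""
    triggers: list
    # (trigger name, inside host, remote host) for every primary session still open
    primaries: set = field(default_factory=set)
    # (proto, inside host, port) -> (trigger name, remote host, last activity ms) per open secondary port
    secondaries: dict = field(default_factory=dict)

    def _trigger(self, name):
        return next(t for t in self.triggers if t.name == name)

    def _expire(self, now_ms):
        """Close every secondary port idle for longer than its trigger's maxactinterval."""
        for key, (tname, _, last) in list(self.secondaries.items()):
            if now_ms - last > self._trigger(tname).maxactinterval:
                del self.secondaries[key]

    def outbound(self, proto, inside, remote, dport):
        """An inside host opens a session; remember it if a trigger's primary range matches."""
        for t in self.triggers:
            if t.matches_primary(proto, dport):
                self.primaries.add((t.name, inside, remote))
                return True
        return False

    def close_primary(self, proto, inside, remote, dport):
        for t in self.triggers:
            if t.matches_primary(proto, dport):
                self.primaries.discard((t.name, inside, remote))

    def inbound(self, proto, remote, inside, dport, now_ms):
        """Return True if an unsolicited inbound packet is admitted by a trigger, else False."""
        self._expire(now_ms)
        key = (proto, inside, dport)
        if key in self.secondaries:
            tname, opener, _ = self.secondaries[key]
            if remote == opener or self._trigger(tname).multihost:
                self.secondaries[key] = (tname, opener, now_ms)  # refresh the idle timer
                return True
            return False
        for tname, p_inside, p_remote in self.primaries:
            t = self._trigger(tname)
            if p_inside != inside or not t.allows_secondary(proto, dport):
                continue
            if p_remote != remote and not t.multihost:
                continue  # secondary from a different host needs 'multihost enable'
            self.secondaries[key] = (tname, p_remote, now_ms)
            return True
        return False

    def open_secondary_ports(self, now_ms):
        self._expire(now_ms)
        return sorted(self.secondaries)


def demo():
    """Walk through the manual's WMP example with constructed sample hosts."""
    engine = TriggerEngine([Trigger("WMP", "tcp", 1755, 1755, 30000)])
    inside, remote = "192.168.1.10", "203.0.113.5"  # constructed addresses
    steps = [("before primary", engine.inbound("tcp", remote, inside, 5000, 0))]
    engine.outbound("tcp", inside, remote, 1755)     # Media Player opens the primary session
    steps.append(("after primary", engine.inbound("tcp", remote, inside, 5000, 1000)))
    steps.append(("other host", engine.inbound("tcp", "198.51.100.9", inside, 5000, 1000)))
    steps.append(("idle 30001 ms", engine.open_secondary_ports(31001)))
    return steps


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label}: {result}")
```

The demo shows the four cases the manual describes: an inbound packet is dropped before any primary session exists, admitted once the WMP primary session is up, dropped when it comes from a different remote host (multihost disabled), and the secondary port disappears after 30001 ms of inactivity.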
4.2.3.1.5 APPLICATION LEVEL GATEWAYS (ALGS)

Essentially, triggers and ALGs perform the same function; they deal with difficult applications that your NAT or Firewall configuration cannot manage. However, certain applications prove too difficult for triggers and must be handled by ALGs. The Security module is configured with ALGs for certain well-known applications (see table below).

Security triggers can be configured to deal with some applications, but only when ALGs are not available.
An ALG provides a service for a specific application such as FTP (File Transfer Protocol). Incoming packets are checked against existing NAT rules or Firewall filters, IP addresses are evaluated and detailed packet analysis is performed. If necessary, the contents of a packet are modified, and if a secondary port is required, the ALG will open one. The ALG for each application does not require additional configuration.

Application                                                                              TCP Port      UDP Port
AOL Instant Messenger (AIM)                                                              5190          N/A
File Transfer Protocol (FTP)                                                             21            N/A
Internet Key Exchange (IKE)                                                              N/A           500
Internet Locator Service (ILS) (a directory service based on
  Lightweight Directory Access Protocol (LDAP))                                          389 (+1002)   N/A
Microsoft Networks (MSN)                                                                 1863          N/A
Point to Point Tunnelling Protocol (PPTP)                                                1723          N/A
Resource Reservation Protocol (RSVP (protocol 46))                                       N/A           N/A
Real Time Streaming Protocol (RTSP)                                                      N/A           N/A
Layer Two Tunnelling Protocol (L2TP)                                                     N/A           1701
Session Initiation Protocol (SIP) (includes Session Description Protocol (SDP))         5060          5060

4.2.4 Intrusion Detection Settings

Intrusion Detection is a feature that looks for traffic patterns that correspond to certain known types of attack from suspicious hosts that attempt to damage the network or to prevent legitimate users from using it.

Intrusion Detection protects the system from the following kinds of attacks:

DOS (Denial of Service) attacks - a DOS attack is an attempt by an attacker to prevent legitimate hosts from accessing a service.

Port Scanning - an attacker scans a system in an attempt to identify any open ports that are listening for a particular service.

Web Spoofing - an attacker creates a 'shadow' of the World Wide Web on their own machine; however, a legitimate host sees this as the 'real' WWW. The attacker uses the shadow WWW to monitor the host's activities and send false data to and from the host's machine.

Intrusion Detection works differently for each type of attack.
Once an intrusion attempt is detected, the attacker is blocked and blacklisted for a set time limit. The length of time that a blacklisted host remains blocked depends on the kind of attack and is set:

For Denial of Service attacks, by the SECURITY SET IDS DOSATTACKBLOCK command and by the SECURITY SET IDS MALICIOUSATTACKBLOCK command (default is 30 minutes in both cases).

For Port Scan attacks, by the SECURITY SET IDS SCANATTACKBLOCK command (default is 24 hours).

For Web Spoofing attacks, by the SECURITY SET IDS VICTIMPROTECTION command (default is 10 minutes).
4.2.4.1 Port Scan Attacks

Scans are performed by sending a message to each port in turn with certain TCP flag headers set. The response received from each port indicates whether the port is in use and can be probed further in an attempt to violate the network. For example, if a weak port is found, the attacker may attempt to send a DoS attack to that port.

The Security module offers protection from the port scan attacks listed in the table below. Certain port scan attacks are classed as Trojan Horse attacks. These are programs that may appear harmless, but once executed they can cause damage to your computer and/or allow remote attackers access to it.

The default protection measures are the same for each scan attack:

Scan Attack - Description

Echo scan - The attacker sends scanning traffic to the standard Echo port (TCP port 7).

Xmas Tree scan - The attacker sends TCP packets with FIN, URG and PSH flags set. If a port is closed, the device responds with an RST. If a port is open, the device does not respond.

IMAP scan - The attacker exploits a vulnerability of the IMAP port (TCP port 143) once a TCP packet is received from the victim with the SYN and FIN flags set.

TCP SYN ACK scan - The attacker sends a SYN packet and the device responds with a SYN and ACK to indicate that the port is listening, or an RST if it is not listening.

TCP FIN RST scan - The attacker sends a FIN packet to close an open connection. If a port is closed, the device responds with an RST. If a port is open, the device does not respond.

NetBus scan - NetBus is a Trojan Horse attack for Windows 95/98/NT. Once installed on the victim's PC, the attacker uses TCP port 12345, 12346 or 20034 to remotely perform illicit activities.
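As an added example that is not part of the manual, the following Python detector shows how the scan signatures in the table above can be expressed as detection logic run over packet records, and how the SCANATTACKBLOCK default of 24 hours from 4.2.4 becomes a blacklist expiry for the detected source. The packet records, the function names and the threshold of ten distinct ports before a plain SYN or FIN sweep counts as a scan are assumptions constructed for the illustration; the port numbers and flag combinations are the manual's.

```python
"""Port scan signature detector with IDS-style blacklisting. Added illustration, not device code."""
from collections import defaultdict

NETBUS_PORTS = {12345, 12346, 20034}     # NetBus ports named in the manual's table
SCANATTACKBLOCK_SECONDS = 24 * 60 * 60   # manual's default block time for port scan attacks
SWEEP_THRESHOLD = 10                     # assumption: distinct ports before a SYN/FIN sweep counts as a scan
SWEEP_KINDS = {"TCP SYN ACK scan", "TCP FIN RST scan"}

# Constructed sample traffic: (timestamp in seconds, source address, TCP destination port, TCP flags)
SAMPLE_PACKETS = [
    (10, "192.0.2.50", 443, ("SYN",)),                 # an ordinary connection attempt
    (50, "198.51.100.3", 80, ("FIN", "URG", "PSH")),   # Xmas Tree probe
    (51, "198.51.100.3", 12345, ("SYN",)),             # probe of a NetBus port
] + [(100 + i, "203.0.113.7", 20 + i, ("SYN",)) for i in range(21)]  # SYN sweep over 21 ports


def classify_probe(dport, flags):
    """Map one inbound TCP packet to a scan-attack name from the manual's table, or None."""
    flags = set(flags)
    if dport == 7:
        return "Echo scan"
    if dport in NETBUS_PORTS:
        return "NetBus scan"
    if {"FIN", "URG", "PSH"} <= flags:
        return "Xmas Tree scan"
    if dport == 143 and {"SYN", "FIN"} <= flags:
        return "IMAP scan"
    if flags == {"FIN"}:
        return "TCP FIN RST scan"     # lone FIN: only a scan when it sweeps many ports
    if flags == {"SYN"}:
        return "TCP SYN ACK scan"     # lone SYN: only a scan when it sweeps many ports
    return None


def detect_scans(packets, sweep_threshold=SWEEP_THRESHOLD):
    """Return {source: (set of attack names, timestamp of the first detection)}."""
    findings = {}
    sweep_ports = defaultdict(set)   # (source, sweep kind) -> distinct ports probed so far
    for ts, src, dport, flags in packets:
        kind = classify_probe(dport, flags)
        if kind is None:
            continue
        if kind in SWEEP_KINDS:
            sweep_ports[(src, kind)].add(dport)
            if len(sweep_ports[(src, kind)]) < sweep_threshold:
                continue              # not yet enough distinct ports to call it a scan
        kinds, first_ts = findings.get(src, (set(), ts))
        kinds.add(kind)
        findings[src] = (kinds, first_ts)
    return findings


def blacklist(findings, block_seconds=SCANATTACKBLOCK_SECONDS):
    """Blacklist expiry per source: first detection time plus the scan block interval."""
    return {src: first_ts + block_seconds for src, (_, first_ts) in findings.items()}


def is_blocked(expiries, src, now):
    """True while the source's blacklist entry has not yet expired."""
    return src in expiries and now < expiries[src]


if __name__ == "__main__":
    found = detect_scans(SAMPLE_PACKETS)
    expiries = blacklist(found)
    for src, (kinds, first_ts) in found.items():
        print(f"{src}: {sorted(kinds)} detected at t={first_ts}, blocked until t={expiries[src]}")
```

The single-packet signatures (Echo, NetBus, Xmas Tree, IMAP SYN/FIN) are reported on first sight; the plain SYN and FIN probes are counted per source and reported only once the sweep threshold is crossed, so the host making one normal connection attempt is never blacklisted.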