Security
Security command reference
iMG/RG Software Reference Manual (IPNetwork Functions)
4.2.7.1.58 SECURITY SET AEMLOGGINGINTERVAL
Syntax
SECURITY SET AEMLOGGINGINTERVAL <number>
Description
This command sets the AEM alarm logging interval, i.e. the interval between successive AEM logging messages.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).

Option    Description                                       Default Value
number    The interval between each AEM logging message.    5

Example
--> security set aemlogginginterval 10
See also
security show

4.2.7.1.59 SECURITY SHOW IDS
Syntax
SECURITY SHOW IDS
Description
This command displays the following information about IDS settings:
- IDS enabled status (true or false)
- Blacklist status (true or false)
- Use Victim Protection status (true or false)
- DoS attack block duration (in seconds)
- Scan attack block duration (in seconds)
- Victim protection block duration (in seconds)
- Maximum TCP open handshaking count allowed (per second)
- Maximum ping count allowed (per second)
- Maximum ICMP count allowed (per second)
Example
--> security show IDS
Firewall IDS:
IDS Enabled: false
Use Blacklist: false
Use Victim Protection: false
Dos Attack Block Duration: 1800
Scan Attack Block Duration: 86400
Malicious Attack Block Duration: 86400
Victim Protection Block Duration: 600
Scan Detection Threshold: 5
Scan Detection Period: 10
Port Flood Detection Threshold: 10
Host Flood Detection Threshold: 20
FloodDetectPeriod : 10
Max TCP Open Handshaking Count: 5
Max PING Count: 15
Max ICMP Count: 100
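As an added example (not part of the manual), here is a Python parser for the "security show IDS" output above, together with a small audit that flags a unit left in the state shown: IDS off, no blacklist, no victim protection, and any block duration shortened or detection threshold raised relative to the factory values printed above. The sample text is constructed from the page's own example output, and treating those factory values as the baseline is this example's assumption, not guidance from the manual.

```python
import re

# Constructed sample input: the "security show IDS" output reproduced from this
# page, i.e. the unit in its factory state with IDS disabled.
SAMPLE_SHOW_IDS = """\
Firewall IDS:
IDS Enabled: false
Use Blacklist: false
Use Victim Protection: false
Dos Attack Block Duration: 1800
Scan Attack Block Duration: 86400
Malicious Attack Block Duration: 86400
Victim Protection Block Duration: 600
Scan Detection Threshold: 5
Scan Detection Period: 10
Port Flood Detection Threshold: 10
Host Flood Detection Threshold: 20
FloodDetectPeriod : 10
Max TCP Open Handshaking Count: 5
Max PING Count: 15
Max ICMP Count: 100
"""

# Factory values exactly as printed in the example output above. Using them as
# the baseline for "weaker than shipped" checks is an assumption of this audit,
# not a recommendation the manual makes.
DEFAULTS = {
    "Dos Attack Block Duration": 1800,
    "Scan Attack Block Duration": 86400,
    "Malicious Attack Block Duration": 86400,
    "Victim Protection Block Duration": 600,
    "Scan Detection Threshold": 5,
    "Port Flood Detection Threshold": 10,
    "Host Flood Detection Threshold": 20,
    "Max TCP Open Handshaking Count": 5,
    "Max PING Count": 15,
    "Max ICMP Count": 100,
}
# A shorter block duration unblocks an attacker sooner.
WEAKER_IF_LOWER = {k for k in DEFAULTS if k.endswith("Duration")}
# A higher count/threshold lets more probes or flood packets through before detection.
WEAKER_IF_HIGHER = set(DEFAULTS) - WEAKER_IF_LOWER

# "Key: value"; the key may contain spaces and the colon may be padded
# ("FloodDetectPeriod : 10"). The "Firewall IDS:" heading has no value and is skipped.
_LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>\S+)\s*$")


def parse_show_ids(text):
    """Turn the 'Key: value' lines of 'security show IDS' into a dict.

    'true'/'false' become bool, digit strings become int, anything else stays str.
    """
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key, raw = m.group("key"), m.group("value")
        if raw.lower() in ("true", "false"):
            settings[key] = raw.lower() == "true"
        elif raw.isdigit():
            settings[key] = int(raw)
        else:
            settings[key] = raw
    return settings


def audit_ids(text):
    """Return a list of human-readable findings for a 'security show IDS' dump."""
    s = parse_show_ids(text)
    findings = []
    if not s.get("IDS Enabled", False):
        findings.append("IDS Enabled is false: DoS, scan and flood detection are inactive")
    if not s.get("Use Blacklist", False):
        findings.append("Use Blacklist is false")
    if not s.get("Use Victim Protection", False):
        findings.append("Use Victim Protection is false")
    for key, default in DEFAULTS.items():
        value = s.get(key)
        if not isinstance(value, int):
            findings.append(f"{key} missing or non-numeric in output")
            continue
        if key in WEAKER_IF_LOWER and value < default:
            findings.append(f"{key} is {value}s, below the factory value {default}s")
        elif key in WEAKER_IF_HIGHER and value > default:
            findings.append(f"{key} is {value}, above the factory value {default}")
    return findings


if __name__ == "__main__":
    for finding in audit_ids(SAMPLE_SHOW_IDS):
        print("-", finding)
```

Paste the real output of "security show IDS" in place of the constructed sample to audit a live unit; the only parsing assumption is the "Key: value" line shape shown on this page.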
4.3
Firewall
4.3.1
Overview
The AT-iMG Models security system implements a stateful Firewall, which blocks incoming traffic based on the connection state it has recorded.
Each time outbound packets are sent from an internal host to an external host, the Firewall logs the following information:
- source and destination addresses
- port numbers
- sequencing information
- additional flags for each connection associated with that particular internal host
All inbound packets are compared against this logged information and are only allowed through the Firewall if they can be determined to be part of an existing connection. This makes it very difficult for an attacker to get through the stateful Firewall, because they would need to know the addresses, port numbers, sequencing information and individual connection flags of an existing session to an internal host.
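The tracking just described, as an added model in Python (not code from the iMG/RG firmware, whose internals the manual does not show). Outbound packets create a table entry keyed on addresses and ports and record the internal host's sequence number; inbound packets are forwarded only if the reversed address/port tuple matches an entry and, for TCP, the acknowledgement and sequence numbers fall within a window of what was logged. The fixed 65535 window, the absence of entry timeouts, and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: tolerance for seq/ack checks. Real connection tracking uses the
# peers' advertised windows; a fixed window keeps the example short.
WINDOW = 65535


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # TCP flags as letters, e.g. "S", "SA", "A", "R"
    seq: int = 0          # TCP sequence number (ignored for udp)
    ack: int = 0          # TCP acknowledgement number (ignored for udp)


@dataclass
class ConnState:
    out_seq: int                  # latest sequence number sent by the internal host
    in_seq: Optional[int] = None  # latest sequence number accepted from the external host
    established: bool = False


class StatefulFirewall:
    """Allows inbound packets only when they belong to a logged outbound flow."""

    def __init__(self):
        # (proto, internal_ip, internal_port, external_ip, external_port) -> ConnState
        self.table = {}

    def outbound(self, pkt):
        """Internal -> external: forwarded, and its addresses/ports/seq are logged."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        state = self.table.get(key)
        if state is None:
            self.table[key] = ConnState(out_seq=pkt.seq)
        else:
            state.out_seq = pkt.seq
        return True

    @staticmethod
    def _within(value, base):
        # 32-bit wraparound: value must lie in [base, base + WINDOW]
        return (value - base) % (1 << 32) <= WINDOW

    def inbound(self, pkt):
        """External -> internal: forwarded only if it matches a logged flow.

        Returns (allowed, reason) so a caller can log why a packet was dropped.
        """
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False, "no matching outbound connection"
        if pkt.proto == "tcp":
            # The reply must acknowledge something the internal host actually sent;
            # a spoofer who knows the 4-tuple but not the sequence space fails here.
            if not self._within(pkt.ack, state.out_seq):
                return False, "ack outside window of logged sequence number"
            if state.in_seq is not None and not self._within(pkt.seq, state.in_seq):
                return False, "seq outside window of logged sequence number"
            if "R" in pkt.flags:
                del self.table[key]   # a valid reset tears the connection down
                return True, "reset accepted, state removed"
            state.in_seq = pkt.seq
            state.established = True
        return True, "part of existing connection"


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Constructed traffic: internal 10.0.0.5 opens HTTPS to external 203.0.113.10.
    fw.outbound(Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, flags="S", seq=1000))
    print(fw.inbound(Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, flags="SA", seq=5000, ack=1001)))
    # Unsolicited inbound SYN and a spoofed reply with a guessed ack are both dropped.
    print(fw.inbound(Packet("tcp", "203.0.113.10", 445, "10.0.0.5", 445, flags="S", seq=1)))
    print(fw.inbound(Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, flags="A", seq=5001, ack=999999)))
```

The point the check makes concrete: matching the four-tuple is not enough, because an attacker who learns it (from a leaked log, or by guessing a predictable ephemeral port) still has to land inside the sequence window the Firewall recorded.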
The firewall module manages firewall behaviour. The firewall module offers the ability to:
- control what kind of Firewall activity is logged
- protect the internal network using stateful firewall functionality
- create policies
- add validators to policies
- add portfilters to policies
- enable/disable and configure Intrusion Detection Settings (IDS)
In order to access firewall features, the firewall module must be enabled using the firewall enable command.
Figure 9 shows the entities involved in the firewall module and their relationships.
4.3.1.1 Policy
A policy is a relationship between two security interfaces where it is possible to assign portfilter and validator rules between them.
There are three different security interface combinations that Firewall policies can be created between:
- the external interface and the internal interface
- the external interface and the DMZ interface
- the DMZ interface and the internal interface
To add a policy between one of the three above interface combinations use the FIREWALL ADD POLICY command.
4.3.1.2 Portfilter
A portfilter is a rule that determines how the Firewall should handle packets being transported between two security interfaces that are defined in an existing policy. The rules define:
- what protocol type is allowed
- which TCP/UDP port numbers the packets are allowed to be transported on
- the name of the well-known protocol, service or application allowed to be transported
- source and destination addresses
Whichever type of filter rule you use, you must also determine which direction packets should be allowed to travel in:
- inbound; permitted traffic is transported from the outside interface to the inside interface
- outbound; permitted traffic is transported from the inside interface to the outside interface
- both; inbound and outbound rules apply
To add a portfilter to an existing policy use the FIREWALL ADD PORTFILTER command.
More than one portfilter object can be added to the same policy.
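As an added Python model (not the product's implementation) of the policy and portfilter rules in 4.3.1.1 and 4.3.1.2: policies may only join the three interface pairs listed, interface pairs without a policy are blocked while the firewall is enabled, and a packet passes only if a portfilter in the policy matches its protocol, destination port, source and destination addresses and direction. Treating the first interface of each pair (external, or DMZ against internal) as the "outside" end for the purpose of inbound/outbound, and the sample addresses, are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The three interface pairs a policy may join (4.3.1.1). Assumption of this
# model: the first member is the "outside" end and the second the "inside" end,
# which is what a portfilter's inbound/outbound direction refers to.
VALID_POLICY_PAIRS = {("external", "internal"), ("external", "dmz"), ("dmz", "internal")}
DIRECTIONS = ("inbound", "outbound", "both")


@dataclass(frozen=True)
class PortFilter:
    protocol: str                 # "tcp", "udp" or "icmp"
    direction: str                # "inbound", "outbound" or "both"
    port_lo: int = 0              # destination port range (ignored for icmp)
    port_hi: int = 65535
    src: str = "0.0.0.0/0"        # permitted source network or host
    dst: str = "0.0.0.0/0"        # permitted destination network or host


class Policy:
    def __init__(self, outside, inside):
        if (outside, inside) not in VALID_POLICY_PAIRS:
            raise ValueError(f"no policy allowed between {outside} and {inside}")
        self.outside, self.inside = outside, inside
        self.portfilters = []      # more than one portfilter per policy is allowed

    def add_portfilter(self, pf):
        if pf.direction not in DIRECTIONS:
            raise ValueError(f"bad direction {pf.direction!r}")
        self.portfilters.append(pf)


class Firewall:
    def __init__(self):
        self.enabled = False       # the module ships disabled (4.3.2.0.1)
        self.policies = {}         # (outside, inside) -> Policy

    def add_policy(self, outside, inside):
        policy = Policy(outside, inside)
        self.policies[(outside, inside)] = policy
        return policy

    def permits(self, from_if, to_if, protocol, src_ip, dst_ip, dport=None):
        """Decide whether a packet may cross from from_if to to_if.

        Disabled: everything passes. Enabled: an interface pair with no policy is
        blocked; otherwise some portfilter must match the packet and its direction.
        """
        if not self.enabled:
            return True
        if (from_if, to_if) in self.policies:
            policy, direction = self.policies[(from_if, to_if)], "inbound"   # outside -> inside
        elif (to_if, from_if) in self.policies:
            policy, direction = self.policies[(to_if, from_if)], "outbound"  # inside -> outside
        else:
            return False
        for pf in policy.portfilters:
            if pf.protocol != protocol or pf.direction not in (direction, "both"):
                continue
            if ip_address(src_ip) not in ip_network(pf.src):
                continue
            if ip_address(dst_ip) not in ip_network(pf.dst):
                continue
            if protocol != "icmp" and (dport is None or not pf.port_lo <= dport <= pf.port_hi):
                continue
            return True
        return False


if __name__ == "__main__":
    fw = Firewall()
    fw.enabled = True
    lan = fw.add_policy("external", "internal")
    lan.add_portfilter(PortFilter("tcp", "outbound", 443, 443))     # LAN may browse out
    lan.add_portfilter(PortFilter("udp", "both", 53, 53))           # DNS either way
    dmz = fw.add_policy("external", "dmz")
    dmz.add_portfilter(PortFilter("tcp", "inbound", 80, 80, dst="192.0.2.10"))  # one web host
    # Constructed addresses: 10.0.0.5 internal, 192.0.2.10 DMZ, 203.0.113.10 external.
    print(fw.permits("internal", "external", "tcp", "10.0.0.5", "203.0.113.10", 443))  # True
    print(fw.permits("external", "internal", "tcp", "203.0.113.10", "10.0.0.5", 443))  # False
    print(fw.permits("external", "dmz", "tcp", "203.0.113.10", "192.0.2.11", 80))      # False
    print(fw.permits("dmz", "internal", "tcp", "192.0.2.10", "10.0.0.5", 443))         # False: no policy
```

Two behaviours are worth checking against a real unit rather than assuming: an "outbound" TCP rule here does not by itself admit the server's replies (that is the job of the stateful tracking described in 4.3.1), and a DMZ host with no DMZ-to-internal policy cannot reach the LAN at all, which is the default you want if the DMZ host is compromised.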
4.3.2
Firewall command reference
This section describes the commands available on AT-iMG Models to enable, configure and manage the Firewall module.
The table below lists the firewall commands provided by the CLI:
TABLE 4-3 Firewall commands and Product Type

Commands                                                      Fiber A  Fiber B  Fiber C  Fiber D  Fiber E  Modular  ADSL A   ADSL B   ADSL C
FIREWALL ENABLE|DISABLE                                       X        X        X        X        X        X        X        X        X
FIREWALL ENABLE|DISABLE IDS                                   X        X        X        X        X        X        X        X        X
FIREWALL ENABLE|DISABLE BLOCKINGLOG|INTRUSIONLOG|SESSIONLOG   X        X        X        X        X        X        X        X        X
FIREWALL SET SECURITYLEVEL                                    X        X        X        X        X        X        X        X        X
FIREWALL STATUS                                               X        X        X        X        X        X        X        X        X
FIREWALL LIST POLICIES                                        X        X        X        X        X        X        X        X        X
FIREWALL SHOW POLICY                                          X        X        X        X        X        X        X        X        X
FIREWALL LIST PROTOCOL                                        X        X        X        X        X        X        X        X        X
FIREWALL ADD DOMAINFILTER                                     X        X        X        X        X        X        X        X        X
FIREWALL SET DOMAINFILTER                                     X        X        X        X        X        X        X        X        X
FIREWALL DELETE DOMAINFILTER                                  X        X        X        X        X        X        X        X        X
FIREWALL ADD PORTFILTER                                       X        X        X        X        X        X        X        X        X
FIREWALL SET PORTFILTER                                       X        X        X        X        X        X        X        X        X
FIREWALL CLEAR PORTFILTERS                                    X        X        X        X        X        X        X        X        X
FIREWALL DELETE PORTFILTER                                    X        X        X        X        X        X        X        X        X
FIREWALL LIST PORTFILTERS                                     X        X        X        X        X        X        X        X        X
FIREWALL SHOW PORTFILTER                                      X        X        X        X        X        X        X        X        X
FIREWALL ADD VALIDATOR                                        X        X        X        X        X        X        X        X        X
FIREWALL DELETE VALIDATOR                                     X        X        X        X        X        X        X        X        X
FIREWALL LIST VALIDATORS                                      X        X        X        X        X        X        X        X        X
FIREWALL SHOW VALIDATOR                                       X        X        X        X        X        X        X        X        X
FIREWALL SET IDS VICTIMPROTECTION                             X        X        X        X        X        X        X        X        X
FIREWALL SET IDS DOSATTACKBLOCK                               X        X        X        X        X        X        X        X        X
FIREWALL SET IDS MAXICMP                                      X        X        X        X        X        X        X        X        X
FIREWALL SET IDS MAXPING                                      X        X        X        X        X        X        X        X        X
FIREWALL SET IDS MAXTCPOPENHANDSHAKE                          X        X        X        X        X        X        X        X        X
FIREWALL SET IDS SCANATTACKBLOCK                              X        X        X        X        X        X        X        X        X
FIREWALL SET IDS FLOODPERIOD                                  X        X        X        X        X        X        X        X        X
FIREWALL SET IDS FLOODTHRESHOLD                               X        X        X        X        X        X        X        X        X
FIREWALL SET IDS PORTFLOODTHRESHOLD                           X        X        X        X        X        X        X        X        X
FIREWALL SET IDS SCANPERIOD                                   X        X        X        X        X        X        X        X        X
FIREWALL SET IDS SCANTHRESHOLD                                X        X        X        X        X        X        X        X        X
FIREWALL SHOW IDS                                             X        X        X        X        X        X        X        X        X

4.3.2.0.1 FIREWALL ENABLE|DISABLE
Syntax
firewall {enable | disable}
Description
This command enables/disables the entire Firewall module except for the IDS portion of the module (see the command FIREWALL ENABLE|DISABLE IDS).
When the Firewall is enabled, all IP traffic on existing security interfaces that are NOT featured in a Firewall policy is blocked. For details on setting default policy security levels on security interfaces, see the FIREWALL SET SECURITYLEVEL command.
If you disable the Firewall during a session, any configuration changes made when the Firewall was enabled remain in the Firewall, so that you can re-enable them later in the session. If you need to reboot your system but want to keep the Firewall configuration between sessions, save it with the SYSTEM CONFIG SAVE command; otherwise it is lost at reboot.
Options
The following table gives the range of values for each option that can be specified with this command and a Default Value (if applicable).

Option    Description                     Default Value
enable    Enables the Firewall module.    Disable
disable   Disables the Firewall module.

Example
--> firewall enable