Page 51 / 139
Services
A service is a definition of a specific IP protocol (TCP, UDP or any other IP protocol number) together
with its parameters, such as port numbers. The service http, for instance, is defined as TCP with
destination port 80.
Services are passive: a service cannot carry out any action in the firewall on its own, and a service
definition contains no information about whether the traffic it describes should be allowed through
the firewall or not. That decision is made entirely by the firewall policies, in which the service is
used as a filter parameter.
Adding TCP, UDP or TCP/UDP Service
For many services a single destination port is sufficient; the http service, for instance, uses
destination port 80. To use a single destination port, enter the port number in the destination
ports text box. The source port is normally chosen by the client from its ephemeral range and
cannot be predicted, so in most cases all ports (0-65535) have to be used as source ports.
The second option is to define a port range. A port range is inclusive, meaning that the range
137-139 covers ports 137, 138 and 139.
Multiple ranges or individual ports may also be entered, separated by commas. For instance, a
service can be defined as having source ports 1024-65535 and destination ports 80-82, 90-92, 95.
In this case a TCP or UDP packet with a destination port of 80, 81, 82, 90, 91, 92 or 95, and a
source port in the range 1024-65535, will match this service.
Follow these steps to add a TCP, UDP or TCP/UDP service.
Step 1.
Go to Firewall and Service and choose add new.
Step 2.
Enter a Name for the service in the name field. This name will appear in the
service list when you add a new policy. The name can contain numbers (0-9) and upper
and lower case letters (A-Z, a-z), and the special characters - and _. No other special
characters and spaces are allowed.
Step 3.
Select TCP/UDP Service.
Step 4.
Select the protocol (either TCP, UDP or both TCP/UDP) used by the service.
Step 5.
Specify a source port or range for this service by typing in the low and high port
numbers. Enter 0-65535 for all ports, or a single port like 80 for only one source port.
Step 6.
Specify a destination port or range for this service by typing in the low and high
port numbers. Enter 0-65535 for all ports, or a single port like 80 for only one destination
port.
Step 7.
Enable the Syn Relay checkbox if you want to protect the destination from SYN
flood attacks. This applies to TCP services only: with SYN relay the firewall answers the
client's SYN itself and only opens a connection to the destination once the client has
completed the three-way handshake, so half-open connections never reach the server.
Click the Apply button below to apply the change or click Cancel to discard changes.
Adding IP Protocol
When the type of the service is IP Protocol, an IP protocol number may be specified in the
text field. To have the service match the GRE protocol, for example, the IP protocol should be
specified as 47. A list of some defined IP protocols can be found in the appendix named “IP
Protocol Numbers”.
IP protocol ranges can be used to specify multiple IP protocols for one service. An IP
protocol range is similar to the TCP and UDP port range described previously; the range 1-4,
7 will match the protocols ICMP, IGMP, GGP, IP-in-IP and CBT.
Follow these steps to add an IP Protocol service.
Step 1.
Go to Firewall and Service and choose new.
Step 2.
Enter a Name for the service in the name field. This name will appear in the
service list when you add a new policy. The name can contain numbers (0-9) and upper
and lower case letters (A-Z, a-z), and the special characters - and _. No other special
characters and spaces are allowed.
Step 3.
Select IP Protocol.
Step 4.
Specify a comma-separated list of IP protocol numbers or ranges, for example 47 for GRE.
Click the Apply button below to apply the change or click Cancel to discard changes.
Grouping Services
Services can be grouped in order to simplify configuration. Consider a web server using
standard http as well as SSL encrypted http (https). Instead of having to create two separate
rules allowing both types of services through the firewall, a service group named, for instance,
Web, can be created, with the http and the https services as group members.
Follow these steps to add a group.
Step 1.
Go to Firewall and Service and choose new.
Step 2.
Enter a Name for the service in the name field. This name will appear in the
service list when you add a new policy. The name can contain numbers (0-9) and upper
and lower case letters (A-Z, a-z), and the special characters - and _. No other special
characters and spaces are allowed.
Step 3.
Select Group.
Step 4.
Specify a comma-separated list of existing services.
Click the Apply button below to apply the change or click Cancel to discard changes.
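The three service types above (TCP/UDP port lists, IP protocol numbers and groups) all reduce to one question: does a given packet match this service? The following is an added example, written for this page and not code from the DFL-1100, that implements that matching in Python: the inclusive, comma-separated range syntax from the text, IP protocol ranges such as the GRE and "1-4, 7" examples, the Name field's character rule, and group membership, including a group that needs both a TCP control port and a bare IP protocol (the combination PPTP needs: TCP 1723 plus GRE). The names Packet, Service, ServiceTable and example_table, and the sample services in example_table, are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TCP, UDP, GRE = 6, 17, 47                  # IP protocol numbers used below
Range = Tuple[int, int]
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # the Name field's character rule


def parse_ranges(spec: str, low: int, high: int) -> List[Range]:
    """Parse "80-82, 90-92, 95" into inclusive ranges [(80, 82), (90, 92), (95, 95)];
    a value outside [low, high] or a reversed range is an error, not a wider filter."""
    parts = [p.strip() for p in spec.split(",") if p.strip()]
    if not parts:
        raise ValueError("empty specification")
    ranges: List[Range] = []
    for part in parts:
        lo_s, _, hi_s = part.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not low <= lo <= hi <= high:
            raise ValueError(f"range {part!r} is not within {low}-{high}")
        ranges.append((lo, hi))
    return ranges


def in_ranges(value: int, ranges: List[Range]) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


@dataclass
class Packet:
    proto: int                      # IP protocol number
    sport: Optional[int] = None     # None for protocols without ports
    dport: Optional[int] = None


@dataclass
class Service:                      # a filter only; allow/deny is the policy's decision
    name: str
    kind: str                                             # "tcpudp", "ipproto" or "group"
    protos: Set[int] = field(default_factory=set)         # tcpudp: {TCP}, {UDP} or both
    sports: List[Range] = field(default_factory=list)     # tcpudp
    dports: List[Range] = field(default_factory=list)     # tcpudp
    ipprotos: List[Range] = field(default_factory=list)   # ipproto
    members: List[str] = field(default_factory=list)      # group


class ServiceTable:
    def __init__(self) -> None:
        self.services: Dict[str, Service] = {}

    def _add(self, svc: Service) -> None:
        if not NAME_RE.match(svc.name):   # digits, letters, '-' and '_' only
            raise ValueError(f"invalid service name {svc.name!r}")
        self.services[svc.name] = svc

    def add_tcpudp(self, name: str, protos: Set[int], sports: str, dports: str) -> None:
        self._add(Service(name, "tcpudp", protos=protos,
                          sports=parse_ranges(sports, 0, 65535),
                          dports=parse_ranges(dports, 0, 65535)))

    def add_ipproto(self, name: str, protocols: str) -> None:
        self._add(Service(name, "ipproto", ipprotos=parse_ranges(protocols, 0, 255)))

    def add_group(self, name: str, members: str) -> None:
        names = [m.strip() for m in members.split(",") if m.strip()]
        if any(m not in self.services for m in names):    # members must already exist
            raise ValueError(f"unknown member in group {name!r}")
        self._add(Service(name, "group", members=names))

    def matches(self, name: str, pkt: Packet, _seen: Optional[Set[str]] = None) -> bool:
        svc = self.services[name]
        if svc.kind == "tcpudp":
            return (pkt.proto in svc.protos and pkt.sport is not None and pkt.dport is not None
                    and in_ranges(pkt.sport, svc.sports) and in_ranges(pkt.dport, svc.dports))
        if svc.kind == "ipproto":
            return in_ranges(pkt.proto, svc.ipprotos)
        seen = _seen if _seen is not None else set()      # guards a group containing itself
        if name in seen:
            return False
        seen.add(name)
        return any(self.matches(m, pkt, seen) for m in svc.members)


def example_table() -> ServiceTable:   # the services from the text, as the GUI fields take them
    t = ServiceTable()
    t.add_tcpudp("http", {TCP}, "0-65535", "80")
    t.add_tcpudp("https", {TCP}, "0-65535", "443")
    t.add_tcpudp("web-ext", {TCP, UDP}, "1024-65535", "80-82, 90-92, 95")
    t.add_ipproto("gre", "47")
    t.add_ipproto("low-protos", "1-4, 7")            # ICMP, IGMP, GGP, IP-in-IP, CBT
    t.add_tcpudp("pptp-ctl", {TCP}, "0-65535", "1723")
    t.add_group("Web", "http, https")
    t.add_group("pptp", "pptp-ctl, gre")             # PPTP control channel plus GRE data
    return t
```

Two details are worth copying into any real implementation: a reversed or out-of-range port entry is rejected rather than silently "corrected" into a wider filter, and a group can only reference services that already exist, which is also why the GUI makes you create the members first.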
Protocol-independent settings
Allow ICMP errors from the destination to the source – ICMP error messages are sent in several
situations, for example when an IP packet cannot reach its destination. The purpose of these error
control messages is to provide feedback about problems in the communication environment.
However, ICMP error messages and firewalls are usually not a very good combination: the error is
generated at the destination host (or at a device along the path to the destination) and sent back
to the originating host, so a stateful firewall sees it as a new, unsolicited connection and drops
it unless the rule-set explicitly allows it. Allowing any inbound ICMP message just to get those
error messages forwarded is generally not a good idea.
To solve this problem, DFL-1100 can be instructed to pass an ICMP error message only if
it is related to an existing connection. Check this option to enable this feature for connections
using this service.
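To make the "related to an existing connection" test concrete, here is an added example in Python, constructed for this page and not the DFL-1100's implementation. Every ICMP error carries the IP header and the first eight bytes of the datagram that triggered it; the check parses that quoted header, requires its 5-tuple to match a connection the firewall has already allowed, and requires the error to be addressed to that connection's originating host. The connection table, the addresses and all helper names are constructed for the example.

```python
import socket
import struct
from typing import NamedTuple, Optional, Set, Tuple

TCP, UDP = 6, 17
# ICMP types that quote the offending datagram: Destination Unreachable, Source
# Quench, Time Exceeded, Parameter Problem.  Echo (0/8) and Redirect (5) are not
# errors a stateful firewall should wave through on the strength of a connection.
ICMP_ERROR_TYPES = {3, 4, 11, 12}

# Tracked connection: (proto, src, sport, dst, dport) in the direction it was opened.
Conn = Tuple[int, str, Optional[int], str, Optional[int]]


class Quoted(NamedTuple):
    """The original datagram as quoted in the ICMP error payload."""
    proto: int
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmp_error(msg: bytes) -> Optional[Quoted]:
    """Return the quoted 5-tuple of an ICMP error, or None if msg is not an error type."""
    if len(msg) < 8 + 20 + 8:          # ICMP header + minimal IPv4 header + 8 L4 bytes
        raise ValueError("truncated ICMP message")
    if msg[0] not in ICMP_ERROR_TYPES:
        return None
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("malformed quoted IPv4 header")
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport = dport = None
    if proto in (TCP, UDP):            # ports are the first 4 of the quoted 8 L4 bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return Quoted(proto, src, dst, sport, dport)


def icmp_error_allowed(outer_dst: str, msg: bytes, conns: Set[Conn]) -> bool:
    """Decide whether an inbound ICMP packet addressed to outer_dst may pass.

    The outer source is deliberately not checked: the error may come from any
    router on the path, which is why a plain 'allow ICMP from the destination'
    rule would not have been enough either.
    """
    q = parse_icmp_error(msg)
    if q is None:
        return False                   # not an error: leave it to the ordinary rules
    if q.src != outer_dst:             # errors go back to the originating host only
        return False
    return (q.proto, q.src, q.sport, q.dst, q.dport) in conns


def build_icmp_error(itype: int, code: int, quoted: Quoted) -> bytes:
    """Constructed ICMP error quoting the first 28 bytes of the original datagram."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, quoted.proto, 0,
                         socket.inet_aton(quoted.src), socket.inet_aton(quoted.dst))
    l4 = struct.pack("!HHI", quoted.sport or 0, quoted.dport or 0, 0)
    body = struct.pack("!BBHI", itype, code, 0, 0) + ip_hdr + l4
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


# Constructed state table: what the firewall has already allowed outbound.
TRACKED: Set[Conn] = {
    (TCP, "192.168.1.10", 40123, "203.0.113.5", 80),
    (UDP, "192.168.1.10", 53001, "203.0.113.53", 53),
}
```

The quoted header is attacker-controlled input arriving from an unauthenticated source, so the parser checks every length before it indexes and rejects a bad ICMP checksum instead of ignoring it. Note what the check does not do: it never consults the rule-set, exactly as the text describes, because the only question is whether the error belongs to a connection that was already permitted.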
ALG – Like other stateful inspection based firewalls, DFL-1100 filters on information found in
packet headers, for instance in IP, TCP, UDP and ICMP headers.
In some situations though, filtering on header data only is not sufficient. The FTP protocol,
for instance, includes IP address and port information in the protocol payload. In these cases,
the firewall needs to be able to examine the payload data and carry out appropriate actions.
DFL-1100 provides this functionality using Application Layer Gateways, also known as ALGs.
To use an Application Layer Gateway, the appropriate Application Layer Gateway
definition is selected in the dropdown menu. The selected Application Layer Gateway will thus
manage network traffic that matches the policy using this service.
Currently, DFL-1100 supports two Application Layer Gateways, one is used to manage the
FTP protocol and the other one is a HTTP Content Filtering ALG. For detailed information
about how to configure the HTTP Application Layer Gateway, please see the Content Filtering
chapter.
VPN
Introduction to IPSec
This chapter introduces IPSec, the set of methods used to provide VPN functionality. IPSec,
Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task
Force, to provide IP security at the network layer.
An IPSec based VPN, such as DFL-1100 VPN, is made up by two parts:
Internet Key Exchange protocol (IKE)
IPSec protocols (ESP)
The first part, IKE, is the initial negotiation phase, where the two VPN endpoints authenticate
each other and agree on which methods will be used to provide security for the underlying IP
traffic. Furthermore, IKE is used to manage connections, by defining a set of Security
Associations, SAs, for each connection. SAs are unidirectional, so there will be at least two SAs
per IPSec connection.
The other part is the transfer of the actual IP data, protected with the encryption and
authentication methods agreed upon in the IKE negotiation. IPSec defines more than one protocol
for this; DFL-1100 uses ESP (Encapsulating Security Payload), which provides both encryption and
authentication of the protected traffic.
To set up a Virtual Private Network (VPN), you do not need to configure an Access Policy
to enable encryption. Just fill in the following settings: VPN Name, Source Subnet (Local Net),
Destination Gateway (if LAN-to-LAN), Destination Subnet (if LAN-to-LAN) and Authentication
Method (Pre-shared key or Certificate). The firewalls on both ends must use the same Pre-shared
key or set of Certificates, and the same IPSec lifetime, to establish a VPN connection. A
pre-shared key is the only thing authenticating the two endpoints to each other, so choose a
long, random one.
Introduction to PPTP
PPTP, Point-to-Point Tunneling Protocol, tunnels PPP frames over IP. PPTP itself provides no
confidentiality or integrity; those come from the PPP authentication protocol and from MPPE
encryption negotiated inside the tunnel.
A PPTP based VPN is made up by these parts:
Point-to-Point Protocol (PPP)
Authentication Protocols (PAP, CHAP, MS-CHAP v1, MS-CHAP v2)
Microsoft Point-To-Point Encryption (MPPE)
Generic Routing Encapsulation (GRE)
PPTP uses TCP port 1723 for its control connection and GRE (IP protocol 47) for the PPP data, so
a firewall between the peers must pass both. PPTP supports data encryption by using MPPE. The
MPPE keys are derived from the MS-CHAP authentication exchange, so the confidentiality of the
tunnel depends directly on the strength of the user's password.
Introduction to L2TP
L2TP, Layer 2 Tunneling Protocol, tunnels PPP frames over IP but, like PPTP, provides no encryption of its own.
An L2TP based VPN is made up by these parts:
Point-to-Point Protocol (PPP)
Authentication Protocols (PAP, CHAP, MS-CHAP v1, MS-CHAP v2)
Microsoft Point-To-Point Encryption (MPPE)
L2TP uses UDP (port 1701) to transport the PPP data. The L2TP tunnel is commonly encapsulated in
IPSec for encryption and integrity instead of relying on MPPE.
Point-to-Point Protocol
PPP (Point-to-Point Protocol) is a standard for transporting datagrams over point-to-point
links. It is used to encapsulate IP packets for transport between two peers.
PPP consists of these three components:
Link Control Protocols (LCP), to negotiate parameters, test and establish the link.
Network Control Protocols (NCP), to establish and negotiate the network layer protocols
carried over the link; for IP this is IPCP (DFL-1100 only supports IP)
Data encapsulation, to encapsulate datagrams over the link.
To establish a PPP tunnel, both sides send LCP frames to negotiate parameters and test
the data link. If authentication is used, at least one of the peers has to authenticate itself
before the network layer protocol parameters can be negotiated using NCP. During the LCP
and NCP negotiation optional parameters, such as encryption, can be negotiated. When LCP
and NCP negotiation is done, IP datagrams can be sent over the link.
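As an added example, written for this page and not the DFL-1100's PPP code, the following Python decodes an LCP Configure-Request and reports which of the authentication protocols listed above the peer demands. In PPP the side that requires authentication announces it with the Authentication-Protocol option (type 3) in its Configure-Request: PAP is protocol 0xC023, CHAP is 0xC223 followed by an algorithm byte (0x05 for MD5, 0x80 for MS-CHAP v1, 0x81 for MS-CHAP v2). This is the point at which a peer asking for PAP, which sends the password in cleartext inside the PPP exchange, can be recognised. The frame builder and the sample frames are constructed; the function names are the example's own.

```python
import struct
from typing import List, NamedTuple, Tuple

LCP_CONFIGURE_REQUEST = 1
OPT_MRU, OPT_AUTH, OPT_MAGIC = 1, 3, 5          # LCP option types used below
PAP, CHAP, EAP = 0xC023, 0xC223, 0xC227          # Authentication-Protocol values
CHAP_ALGORITHMS = {0x05: "CHAP (MD5)", 0x80: "MS-CHAP v1", 0x81: "MS-CHAP v2"}


class Option(NamedTuple):
    type: int
    data: bytes


def parse_lcp(frame: bytes) -> Tuple[int, int, List[Option]]:
    """Split an LCP packet (code, identifier, length, options) into its options.

    Every length field is checked against the bytes actually present, so a
    truncated or oversized option cannot make the parser read past the frame.
    """
    if len(frame) < 4:
        raise ValueError("LCP header truncated")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError("LCP length field inconsistent with frame")
    options: List[Option] = []
    pos = 4
    while pos < length:
        if length - pos < 2:
            raise ValueError("option header truncated")
        otype, olen = frame[pos], frame[pos + 1]
        if olen < 2 or pos + olen > length:
            raise ValueError(f"option {otype} has bad length {olen}")
        options.append(Option(otype, frame[pos + 2:pos + olen]))
        pos += olen
    return code, ident, options


def requested_auth(frame: bytes) -> str:
    """Name the authentication protocol a Configure-Request asks the peer to use."""
    code, _ident, options = parse_lcp(frame)
    if code != LCP_CONFIGURE_REQUEST:
        raise ValueError(f"not a Configure-Request (code {code})")
    auth = [o for o in options if o.type == OPT_AUTH]
    if not auth:
        return "none"                            # the peer is not asking us to authenticate
    data = auth[0].data
    if len(data) < 2:
        raise ValueError("Authentication-Protocol option too short")
    proto = struct.unpack("!H", data[:2])[0]
    if proto == PAP:
        return "PAP"
    if proto == CHAP:
        if len(data) != 3:
            raise ValueError("CHAP option needs exactly one algorithm byte")
        return CHAP_ALGORITHMS.get(data[2], f"CHAP (algorithm 0x{data[2]:02x})")
    if proto == EAP:
        return "EAP"
    return f"unknown (0x{proto:04x})"


def password_in_clear(frame: bytes) -> bool:
    """True when the peer demands PAP, which carries the password unencrypted."""
    return requested_auth(frame) == "PAP"


def build_configure_request(ident: int, options: List[Option]) -> bytes:
    """Constructed frame builder: each option is type, length (incl. header), data."""
    body = b"".join(bytes([o.type, 2 + len(o.data)]) + o.data for o in options)
    return struct.pack("!BBH", LCP_CONFIGURE_REQUEST, ident, 4 + len(body)) + body
```

The length checks matter more than they look: LCP options arrive before any authentication has happened, so the parser is exposed to anyone who can reach TCP 1723 or UDP 1701.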
