Services

A service is basically a definition of a specific IP protocol with corresponding parameters.

The service http, for instance, is defined as to use the TCP protocol with destination port 80.

Services are simplistic, in that they cannot carry out any action in the firewall on their own.

Thus, a service definition does not include any information whether the service should be

allowed through the firewall or not. That decision is made entirely by the firewall policies, in

which the service is used as a filter parameter.

Adding TCP, UDP or TCP/UDP Service

For many services, a single destination port is sufficient. The http service, for instance, is

using destination port 80. To use a single destination port, enter the port number in the

destination ports text box. In most cases, all ports (0-65535) have to be used as source ports.

The second option is to define a port range, a port range is inclusive, meaning that a range

137-139 covers ports 137, 138 and 139.

Multiple ranges or individual ports may also be entered, separated by commas. For

instance, a service can be defined as having source ports 1024-65535 and destination ports

80-82, 90-92, 95. In this case, a TCP or UDP packet with the destination port being one of 80,

81, 82, 90, 91, 92 or 95, and the source port being in the range 1024-65535, will match this

service.

Follow these steps to add a TCP, UDP or TCP/UDP service.

Step 1.

Go to Firewall and Service and choose add new.

Step 2.

Enter a Name for the service in the name field. This name will appear in the

service list when you add a new policy. The name can contain numbers (0-9) and upper

and lower case letters (A-Z, a-z), and the special characters - and _. No other special

characters and spaces are allowed.

Step 3.

Select TCP/UDP Service.

Step 4.

Select the protocol (either TCP, UDP or both TCP/UDP) used by the service.

Step 5.

Specify a source port or range for this service by typing in the low and high port

numbers. Enter 0-65535 for all ports, or a single port like 80 for only one source port.

Step 6.

Specify a destination port or range for this service by typing in the low and high

port numbers. Enter 0-65535 for all ports, or a single port like 80 for only one destination

port.

Step 7.

Enable the Syn Relay checkbox if you want to protect the destination from SYN

flood attacks.

Click the

Apply

button below to apply the change or click

Cancel

to discard changes.

52

Adding IP Protocol

When the type of the service is IP Protocol, an IP protocol number may be specified in the

text field. To have the service match the GRE protocol, for example, the IP protocol should be

specified as 47. A list of some defined IP protocols can be found in the appendix named “IP

Protocol Numbers”.

IP protocol ranges can be used to specify multiple IP protocols for one service. An IP

protocol range is similar to the TCP and UDP port range described previously; the range 1-4,

7 will match the protocols ICMP, IGMP, GGP, IP-in-IP and CBT.

Follow these steps to add a TCP, UDP or TCP/UDP service.

Step 1.

Go to Firewall and Service and choose new.

Step 2.

Enter a Name for the service in the name field. This name will appear in the

service list when you add a new policy. The name can contain numbers (0-9) and upper

and lower case letters (A-Z, a-z), and the special characters - and _. No other special

characters and spaces are allowed.

Step 3.

Select IP Protocol.

Step 4.

Specify a comma-separated list of IP protocols.

Click the

Apply

button below to apply the change or click

Cancel

to discard changes.

Grouping Services

Services can be grouped in order to simplify configuration. Consider a web server using

standard http as well as SSL encrypted http (https). Instead of having to create two separate

rules allowing both types of services through the firewall, a service group named, for instance,

Web, can be created, with the http and the https services as group members.

Follow these steps to add a group.

Step 1.

Go to Firewall and Service and choose new.

Step 2.

Enter a Name for the service in the name field. This name will appear in the

service list when you add a new policy. The name can contain numbers (0-9) and upper

and lower case letters (A-Z, a-z), and the special characters - and _. No other special

characters and spaces are allowed.

Step 3.

Select Group.

Step 4.

Specify a comma-separated list of existing services.

Click the

Apply

button below to apply the change or click

Cancel

to discard changes.

Protocol-independent settings

Allow ICMP errors from the destination to the source

– ICMP error messages are sent

in several situations: for example, when an IP packet cannot reach its destination. The

purpose of these error control messages is to provide feedback about problems in the

communication environment.

However, ICMP error messages and firewalls are usually not a very good combination; the

ICMP error messages are initiated at the destination host (or a device within the path to the

destination) and sent to the originating host. The result is that the ICMP error message will be

interpreted by the firewall as a new connection and dropped, if not explicitly allowed by the

firewall rule-set. Now, allowing any inbound ICMP message to be able have those error

messages forwarded is generally not a good idea.

To solve this problem, DFL-1100 can be instructed to pass an ICMP error message only if

it is related to an existing connection. Check this option to enable this feature for connections

using this service.

ALG

– Like other stateful inspection based firewalls, DFL-1100 filters on information found

in packet headers, for instance in IP, TCP, UDP and ICMP headers.

In some situations though, filtering on header data only is not sufficient. The FTP protocol,

for instance, includes IP address and port information in the protocol payload. In these cases,

the firewall needs to be able to examine the payload data and carry out appropriate actions.

DFL-1100 provides this functionality using Application Layer Gateways, also known as ALGs.

To use an Application Layer Gateway, the appropriate Application Layer Gateway

definition is selected in the dropdown menu. The selected Application Layer Gateway will thus

manage network traffic that matches the policy using this service.

Currently, DFL-1100 supports two Application Layer Gateways, one is used to manage the

FTP protocol and the other one is a HTTP Content Filtering ALG. For detailed information

about how to configure the HTTP Application Layer Gateway, please see the Content Filtering

chapter.

54

VPN

Introduction to IPSec

This chapter introduces IPSec, the method, or rather set of methods used to provide VPN

functionality. IPSec, Internet Protocol Security, is a set of protocols defined by the IETF,

Internet Engineering Task Force, to provide IP security at the network layer.

An IPSec based VPN, such as DFL-1100 VPN, is made up by two parts:

•

Internet Key Exchange protocol (IKE)

•

IPSec protocols (ESP)

The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on

which methods will be used to provide security for the underlying IP traffic. Furthermore, IKE

is used to manage connections, by defining a set of Security Associations, SAs, for each

connection. SAs are unidirectional, so there will be at least two SAs per IPSec connection.

The other part is the actual IP data being transferred, using the encryption and authentication

methods agreed upon in the IKE negotiation. This can be accomplished in a number of ways;

by using the IPSec protocol ESP.

To set up a Virtual Private Network (VPN), you do not need to configure an Access Policy

to enable encryption. Just fill in the following settings: VPN Name, Source Subnet (Local Net),

Destination Gateway (If LAN-to-LAN), Destination Subnet (If LAN-to-LAN) and Authentication

Method (Pre-shared key or Certificate). The firewalls on both ends must use the same Pre-

shared key or set of Certificates and IPSec lifetime to make a VPN connection.

Introduction to PPTP

PPTP, Point-to-Point Tunneling Protocol, is used to provide IP security at the network

layer.

A PPTP based VPN is made up by these parts:

•

Point-to-Point Protocol (PPP)

•

Authentication Protocols (PAP, CHAP, MS-CHAP v1, MS-CHAP v2)

•

Microsoft Point-To-Point Encryption (MPPE)

•

Generic Routing Encapsulation (GRE)

PPTP uses TCP port 1723 for it's control connection and uses GRE (IP protocol 47) for

the PPP data. PPTP supports data encryption by using MPPE.

Introduction to L2TP

L2TP, Layer 2 Tunneling Protocol, is used to provide IP security at the network layer.

An L2TP based VPN is made up by these parts:

•

Point-to-Point Protocol (PPP)

•

Authentication Protocols (PAP, CHAP, MS-CHAP v1, MS-CHAP v2)

•

Microsoft Point-To-Point Encryption (MPPE)

L2TP uses UDP to transport the PPP data, this is often encapsulated in IPSec for

encryption instead of using MPPE.

Point-to-Point Protocol

PPP (Point-to-Point Protocol) is a standard for transporting datagram’s over point-to-point

links. It is used to encapsulate IP packets for transport between two peers.

PPP consists of these three components:

•

Link Control Protocols (LCP), to negotiate parameters, test and establish the link.

•

Network Control Protocol (NCP), to establish and negotiate different network

layer protocols (DFL-1100 only supports IP)

•

Data encapsulation, to encapsulate datagram’s over the link.

To establish a PPP tunnel, both sides send LCP frames to negotiate parameters and test

the data link. If authentication is used, at least one of the peers has to authenticate itself

before the network layer protocol parameters can be negotiated using NCP. During the LCP

and NCP negotiation optional parameters such as encryption, can be negotiated. When LCP

and NCP negotiation is done, IP datagram’s can be sent over the link.