Page 46 / 131 Scroll up to view Page 41 - 45
46
Protocol-independent settings
Allow ICMP errors from the destination to the source
– ICMP error messages are sent
in several situations: for example, when an IP packet cannot reach its destination. The
purpose of these error control messages is to provide feedback about problems in the
communication environment.
However, ICMP error messages and firewalls are usually not a very good combination; the
ICMP error messages are initiated at the destination host (or a device within the path to the
destination) and sent to the originating host. The result is that the ICMP error message will be
interpreted by the firewall as a new connection and dropped, if not explicitly allowed by the
firewall rule-set. Now, allowing any inbound ICMP message to be able have those error
messages forwarded is generally not a good idea.
To solve this problem, DFL-700 can be instructed to pass an ICMP error message only if it
is related to an existing connection. Check this option to enable this feature for connections
using this service.
ALG
– Like other stateful inspection based firewalls, DFL-700 filters on information found
in packet headers, for instance in IP, TCP, UDP and ICMP headers.
In some situations though, filtering on header data only is not sufficient. The FTP protocol,
for instance, includes IP address and port information in the protocol payload. In these cases,
the firewall needs to be able to examine the payload data and carry out appropriate actions.
DFL-700 provides this functionality using Application Layer Gateways, also known as ALGs.
To use an Application Layer Gateway, the appropriate Application Layer Gateway
definition is selected in the dropdown menu. The selected Application Layer Gateway will thus
manage network traffic that matches the policy using this service.
Currently, DFL-700 supports two Application Layer Gateways, one is used to manage the
FTP protocol and the other one is a HTTP Content Filtering ALG. For detailed information
about how to configure the HTTP Application Layer Gateway, please see the Content Filtering
chapter.
Page 47 / 131
VPN
Introduction to IPsec
This chapter introduces IPsec, the method, or rather set of methods used to provide VPN
functionality. IPSec, Internet Protocol Security, is a set of protocols defined by the IETF,
Internet Engineering Task Force, to provide IP security at the network layer.
An IPsec based VPN, such as DFL-700 VPN, is made up by two parts:
Internet Key Exchange protocol (IKE)
IPSec protocols (ESP)
The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on
which methods will be used to provide security for the underlying IP traffic. Furthermore, IKE
is used to manage connections, by defining a set of Security Associations, SAs, for each
connection. SAs are unidirectional, so there will be at least two SAs per IPSec connection.
The other part is the actual IP data being transferred, using the encryption and authentication
methods agreed upon in the IKE negotiation. This can be accomplished in a number of ways;
by using the IPSec protocol ESP.
To set up a Virtual Private Network (VPN), you do not need to configure an Access Policy
to enable encryption. Just fill in the following settings: VPN Name, Source Subnet (Local Net),
Destination Gateway (If LAN-to-LAN), Destination Subnet (If LAN-to-LAN) and Authentication
Method (Pre-shared key or Certificate). The firewalls on both ends must use the same Pre-
shared key or set of Certificates and IPSec lifetime to make a VPN connection.
Page 48 / 131
48
Introduction to PPTP
PPTP, Point-to-Point Tunneling Protocol, is used to provide IP security at the network
layer.
A PPTP based VPN is made up by these parts:
Point-to-Point Protocol (PPP)
Authentication Protocols (PAP, CHAP, MS-CHAP v1, MS-CHAP v2)
Microsoft Point-To-Point Encryption (MPPE)
Generic Routing Encapsulation (GRE)
PPTP uses TCP port 1723 for it's control connection and uses GRE (IP protocol 47) for
the PPP data. PPTP supports data encryption by using MPPE.
Introduction to L2TP
L2TP, Layer 2 Tunneling Protocol, is used to provide IP security at the network layer.
An L2TP based VPN is made up by these parts:
Point-to-Point Protocol (PPP)
Authentication Protocols (PAP, CHAP, MS-CHAP v1, MS-CHAP v2)
Microsoft Point-To-Point Encryption (MPPE)
L2TP uses UDP to transport the PPP data, this is often encapsulated in IPSec for
encryption instead of using MPPE.
Point-to-Point Protocol
PPP (Point-to-Point Protocol) is a standard for transporting datagram’s over point-to-point
links. It is used to encapsulate IP packets for transport between two peers.
PPP consists of these three components:
Link Control Protocols (LCP), to negotiate parameters, test and establish the link.
Network Control Protocol (NCP), to establish and negotiate different network
layer protocols (DFL-700 only supports IP)
Data encapsulation, to encapsulate datagram’s over the link.
To establish a PPP tunnel, both sides send LCP frames to negotiate parameters and test
the data link. If authentication is used, at least one of the peers has to authenticate itself
before the network layer protocol parameters can be negotiated using NCP. During the LCP
and NCP negotiation optional parameters such as encryption, can be negotiated. When LCP
and NCP negotiation is done, IP datagram’s can be sent over the link.
Page 49 / 131
Authentication Protocols
PPP supports different authentication protocols, PAP, CHAP, MS-CHAP v1 and MS-
CHAP v2 is supported. Which authentication protocol to use is negotiated during LCP
negotiation.
PAP
PAP (Password Authentication Protocol) is a simple, plaintext authentication scheme,
which means that user name and password are sent in plaintext. PAP is therefore not a
secure authentication protocol.
CHAP
CHAP
(Challenge
Handshake
Authentication
Protocol)
is
a
challenge-response
authentication protocol specified in RFC 1994. CHAP uses a MD5 one-way encryption
scheme to hash the response to a challenge issued by the DFL-700. CHAP is better then
PAP in that the password is never sent over the link. Instead the password is used to create
the one-way MD5 hash. That means that CHAP requires passwords to be stored in a
reversibly encrypted form.
MS-CHAP v1
MS-CHAP v1 (Microsoft Challenge Handshake Authentication Protocol version 1) is
similar to CHAP, the main difference is that with MS-CHAP v1 the password only needs to be
stored as a MD4 hash instead of a reversibly encrypted form. Another difference is that MS-
CHAP v1 uses MD4 instead of MD5.
MS-CHAP v2
MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 1) is more
secure then MS-CHAP v1 as it provides two –way authentication.
MPPE, Microsoft Point-To-Point Encryption
MPPE is used is used to encrypt Point-to-Point Protocol (PPP) packets. MPPE uses the
RSA RC4 algorithm to provide data confidentiality. The length of the session key to be used
for the encryption can be negotiated. MPPE currently supports 40-bit, 56-bit and 128-bit RC4
session keys.
Page 50 / 131
50
L2TP/PPTP Clients
General parameters
Name
– Specifies a name for
the PPTP/L2TP Client.
Username
- Specify the
username to use for this
PPTP/L2TP Client.
Password/Confirm
Password - The password to use
for this PPTP/L2TP Client.
Interface IP
.
-
Specifies if the
L2TP/PPTP Client should try to
use a specified IP or get one from
the server.
Remote Gateway
- The IP
address of the PPTP/L2TP
Server. To connect to
Dial on demand
is used
when the tunnel should only be used when needed, if diabled the tunnel will always try to be
up.
Authentication protocol
Specify if, and what
authentication protocol to use,
read more about the different
authentication protocols in the
Authentication Protocol
Introduction
chapter.
MPPE encryption
If MPPE encryption is going to
be used, this is where the
encryption level is configured.
If L2TP or PPTP over
IPSec
is going to be used it has to be
enabled and configured to either
use a Pre-Shared Key or a
Certificate.

Rate

4 / 5 based on 1 vote.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top