May 10, 2017 © 2017 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. AT&T Proprietary (Internal Use Only). Not for use or disclosure outside the AT&T companies except under written agreement.
AT&T Dedicated Internet on Demand
Configuring Your Stateful Firewall
For AT&T Dedicated Internet (formerly known as Managed Internet Service) on Demand
AT&T provides a default stateful firewall from Brocade Communications Systems that’s designed to meet the security needs of most users. When you order a new Internet connection from AT&T, the firewall is automatically included, but there is no option to configure it during the order process. Instead, you’ll see a notice saying that you can configure your firewall setting after you submit your order.
Figure 1 Stateful firewall notice
About Stateful Firewall
A stateful firewall is an efficient way to inspect network packets because it keeps track of the state of network connections and enables faster data transfer between established secure connections. The firewall maintains a dynamic state table that keeps a record of the network connection made and data about the incoming and outgoing packets for the connection. The stored connection and packet data provide a context for all packets coming through the connection. The firewall checks incoming packets against the dynamic state table so that data from established secure connections can move through the firewall more quickly. The stateful firewall makes its most intensive inspection when a new network connection is made. The packets for the new connection are screened using the firewall’s security policy and data is added to the dynamic state table. Once the connection is in an established state, further packets for the connection are allowed to pass through.
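The state-table behaviour described above, as an added illustration that is not part of the AT&T guide: a new connection is screened by the security policy once, a permitted connection is recorded, and later packets of that connection (in either direction) are passed on a table lookup. The LAN range, addresses and the "LAN-initiated only" policy are constructed for the example; a production firewall would additionally track TCP handshake state and expire entries.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int      # 6 = TCP, 17 = UDP (Table 2 of the guide)
    src_port: int
    dst_port: int


FlowKey = Tuple[str, int, str, int, int]


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent key, so a reply on an established connection finds the same entry."""
    low, high = sorted([(pkt.src, pkt.src_port), (pkt.dst, pkt.dst_port)])
    return (low[0], low[1], high[0], high[1], pkt.protocol)


@dataclass
class StatefulFirewall:
    # The full security-policy screening runs only for packets that start a new connection.
    # Simplification: no TCP flag tracking and no entry expiry, unlike a real state table.
    policy: Callable[[Packet], bool]
    state: Dict[FlowKey, str] = field(default_factory=dict)
    policy_checks: int = 0
    table_hits: int = 0

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed through."""
        key = flow_key(pkt)
        if self.state.get(key) == "ESTABLISHED":
            self.table_hits += 1        # fast path: no policy evaluation for a known connection
            return True
        self.policy_checks += 1         # intensive path: new connection screened against policy
        allowed = self.policy(pkt)
        if allowed:
            self.state[key] = "ESTABLISHED"
        return allowed


# Constructed sample policy: only connections initiated from the LAN (10.0.0.0/8) may open a flow.
LAN = ipaddress.ip_network("10.0.0.0/8")


def lan_initiated(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.src) in LAN


def demo():
    """An outbound request, its reply, and an unsolicited inbound packet to a different port."""
    fw = StatefulFirewall(policy=lan_initiated)
    request = Packet("10.0.0.5", "203.0.113.5", 6, 40000, 443)
    reply = Packet("203.0.113.5", "10.0.0.5", 6, 443, 40000)
    unsolicited = Packet("203.0.113.5", "10.0.0.5", 6, 443, 40001)
    results = [fw.handle(request), fw.handle(reply), fw.handle(unsolicited)]
    return results, fw.policy_checks, fw.table_hits
```

The reply is passed on a table hit without a second policy evaluation, while the unsolicited packet has no state entry and is screened and refused.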
Administrator Firewall Rules
In addition to the default security policy of the stateful firewall, you can define firewall rules for specific connections.
Inbound rules permit or deny connections that match the parameters in the rule. For example, you could define a rule to deny traffic from a specific network or to permit traffic of only a specific transfer protocol.
Firewall Guide
AT&T Business Division Name or AT&T Product or Offering Name
Outbound rules permit or deny connections that match the parameters in the rule; for example, to specified destination IP addresses. By default, outbound traffic is always permitted. You need to set up a specific rule to prevent it.
When you configure your firewall, you can do the following for IPv4, IPv6, and MAC addresses:
Add firewall rules
Move firewall rules up or down in the rule hierarchy
Delete firewall rules
Important: Configuring firewall rules is for advanced users. Incorrectly configuring a firewall rule can severely affect your network traffic by denying connections you want to permit or permitting connections you want to deny.
Accessing the Configuration Environment
To configure your firewall, you’ll need to access an environment outside of AT&T Business Center.
1. Open https://www.att.com/ebiz/sdnom and enter your AT&T Business Center user ID and password. An inventory screen appears.
2. On the inventory page, next to the site you want, click the expand icon.
3. Find the Internet connection you want, click the gear icon, and then, from the menu, select Configure Firewall.
Figure 2 Select Configure Firewall
The Firewall Management environment opens in a new browser window.
Figure 3 Firewall Management environment
Configuring LAN or WAN Rules
You can configure three types of rules for the firewall: rules that apply to a local area network (LAN), rules that apply to a wide area network (WAN), and rules that apply to a specific media access control (MAC) address. For LAN and WAN rules, you can specify rules for IPv4 and IPv6.
Adding a New LAN or WAN Rule
The process for adding a filter rule for a LAN or a WAN is the same. The settings are identical for IPv4 and IPv6, except for the format of the IP addresses and the subnet mask. To add a new rule:
1. Select the IPv4 Filters tab or the IPv6 Filters tab.
2. Under LAN Rules or WAN Rules, click Add Rule.
Figure 4 Add a LAN rule
Figure 5 Add a WAN rule
A new line appears in the list of rules.
Specifying the Action for the Rule
The action for a firewall rule will be either to permit or deny a packet that matches the parameters of the firewall rule. The firewall parses the rule and applies the action if all the parameters match.
1. Double-click the line in the Action column.
2. From the list, select the action for the rule.
Figure 6 Select action type
Specifying the Source Address
The source address is the IP address of the incoming packet. The source address is used for an inbound rule. To specify a source address:
1. Double-click the line in the Src address column.
2. Enter the IP address for the source host. For IPv4, the address must be four blocks of numeric values between 0 and 255.
Figure 7 Add IPv4 source address
For IPv6, the address must be correctly formed as eight 16-bit hexadecimal blocks separated by colons (:) or as a collapsed address with consecutive blocks of zeros indicated by consecutive colons (::).
Figure 8 Add IPv6 source address
The configuration tool validates whether the IPv4 and IPv6 addresses are correctly formatted and displays an error message if the formatting is wrong.
Specifying the Source Mask
The source mask indicates which mask is applied to the source address. By providing a source mask, you can apply the firewall rule to an entire subnet. To specify a source mask for an IPv4 address:
1. Double-click the line in the Src mask column.
2. Type the subnet prefix value as a number between 16 and 32.
Figure 9 Add an IPv4 source mask
The configuration tool validates the prefix you enter and displays an error message if the value is outside the 16 to 32 range.
To specify a source mask for an IPv6 address:
1. Double-click the line in the Src mask column.
2. From the list, select the subnet prefix you want.
Figure 10 Add IPv6 source mask
There is no validation error possible for an IPv6 mask because the entry is restricted to the values in the drop-down list.
Specifying a Source Port
The value in the Src port column indicates the port number for the source port and its associated protocol type. The values available for IPv4 and IPv6 are shown in the following table.
Port Number   Protocol
20            File Transfer Protocol (Data)
21            File Transfer Protocol (Control)
22            SSH – Secure Shell
23            Telnet
25            Simple Mail Transfer Protocol (SMTP)
53            Domain Name System (DNS)
69            Trivial File Transfer Protocol (TFTP)
80            World Wide Web (HTTP)
110           Post Office Protocol v3 (POP3)
143           Internet Message Access Protocol v4 (IMAP4)
443           HTTPS – Hypertext Transfer Protocol over TLS/SSL
465           Simple Mail Transfer Protocol over SSL (SMTP SSL) – Transport Layer Security/Secure Socket Layer
587           SMTP Submission – Email submission
993           IMAP4 Protocol over TLS/SSL
995           POP3
8008          CalDAV & CardDAV (HTTP Alternative)
8443          CalDAV (PCsync HTTPS)
Table 1 Port numbers and protocols
To specify a source port:
1. Double-click the line in the Src port column.
2. From the list, select a port number/protocol.
If you leave the Src port value empty, the rule applies to traffic from any port type.
Figure 11 Specify a source port
Adding a Destination Address, Mask, and Port
For an outbound rule, you can specify a destination address, destination mask, and destination port the same way that you specify a source address, source mask, and source port. The values define the connection the same way as for an inbound rule, but serve to specifically permit or deny outgoing traffic to the defined address, subnet, or port.
To specify a destination address:
1. Double-click the line in the Dst address column.
2. Enter the IP address for the destination host.
For IPv4, the address must be four blocks of numeric values between 0 and 255.
For IPv6, the address must be correctly formed as eight 16-bit hexadecimal blocks separated by colons (:) or as a collapsed address with consecutive blocks of zeros indicated by consecutive colons (::).
To specify a destination mask for an IPv4 address:
1. Double-click the line in the Dst mask column.
2. Type the subnet prefix value as a number between 16 and 32.
To specify a destination mask for an IPv6 address:
1. Double-click the line in the Dst mask column.
2. From the list, select the subnet prefix you want.
To specify a destination port:
1. Double-click the line in the Dst port column.
2. From the list, select a port number/protocol.
If you leave the Dst port value empty, the rule applies to traffic from any port type.
Specifying a Protocol Type
The Protocol field is where you specify the protocol type for the packet being received or sent. If you specify a protocol type, only traffic that matches that type is affected by the rule. The Protocol value applies to inbound or outbound rules. The available values are shown in the following table.
Protocol Number   Protocol
1                 ICMP – Internet Control Message Protocol
6                 TCP – Transmission Control Protocol
17                UDP – User Datagram Protocol
Table 2 Protocol numbers
To specify a protocol type:
1. Double-click the line in the Protocol column.
2. From the list, select the protocol type you want.
If you leave the Protocol field empty, any protocol type matches the rule.
Figure 12 Select protocol type
Specifying an ICMP Type
The ICMP Type field is where you specify the Internet Control Message Protocol (ICMP) type used for sending error messages for connection issues. ICMP is an IP protocol, but unlike TCP and UDP, ICMP was intended as a troubleshooting mechanism for the Internet Protocol (IP). Typically, you would specify an ICMP type in a Deny action rule for inbound traffic in order to block specific error messages or troubleshooting traffic from your network. The values available are shown in the following table.
Type   Name
0      Echo Reply – ping response
3      Destination Unreachable
8      Echo – ping request
11     Time Exceeded
Table 3 ICMP types
To specify an ICMP type:
1. Double-click the line in the ICMP Type column.
2. From the list, select the ICMP type you want.
If you want to specify more than one ICMP type, you need to configure multiple rules.
Figure 13 Select ICMP type
Putting the Rule Together
A firewall rule must have at least one parameter besides the action. When the firewall applies the rule, it reads from left to right and looks for a match at each specified parameter. If all parameters in the rule apply to the inbound or outbound packet, the firewall applies the action. If any parameter does not match, the rule is not applied. It’s unlikely that a single rule will address all situations, so it’s a best practice not to try to define too much. If you configure an overly complicated rule, you may end up with it not being applied because the bar is set too high. Instead, you’ll get better results defining multiple simple rules. Typically, you’ll need to configure multiple rules because each rule can hold only one value for each parameter. For example, if you want to deny inbound ICMP traffic for echo and echo reply pings, you’d need to configure one rule with a deny action for the Echo Reply ICMP type and another one for the Echo ICMP type. You don’t need any other parameters.
Configuring MAC Filters
A Media Access Control (MAC) address identifies a network card for a device, such as a router or switch. A MAC filter in your firewall allows you to simply permit or deny inbound or outbound traffic to a specific MAC address. There are no parameters other than the action and the address. To add a MAC filter:
1. Select the MAC Filters tab.
2. Under LAN Rules, click Add Rule.
Figure 14 Add a MAC filter rule
To specify the action for the MAC filter:
1. Double-click the line in the Action column.
2. From the list, select the action for the rule.
Figure 15 Specify action for MAC filter
To specify a MAC address:
1. Double-click the line in the MAC Address column.
2. Enter the MAC address. A MAC address is a 48-bit address in six two-character hexadecimal blocks separated by colons (:). The configuration tool validates for the proper format and displays an error message if the format is wrong.
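The format checks the configuration tool performs on the address, mask and MAC columns, as an added example (not the tool's own code) reconstructed from the rules this guide states: four decimal blocks of 0 to 255 for IPv4, eight hex blocks or a `::` form for IPv6, an IPv4 prefix of 16 to 32, and six two-character hex blocks for a MAC. The column names, error messages and sample values are constructed; the Dst columns use the same checks as the Src columns.

```python
import ipaddress
import re

# Format rules as the guide describes them (the 16..32 IPv4 prefix range is the tool's own limit).
IPV4_PREFIX_MIN, IPV4_PREFIX_MAX = 16, 32
# Six two-character hex blocks separated by colons, e.g. 00:1A:2B:3C:4D:5E (constructed sample).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def valid_ipv4(addr):
    """Four dotted decimal blocks, each in 0..255, and nothing else."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isascii() and p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def valid_ipv6(addr):
    """Eight 16-bit hex blocks, or a form collapsed with '::'; the stdlib parser enforces the grammar.
    Forms the guide does not describe (IPv4-mapped tails, zone IDs) are rejected explicitly."""
    if "." in addr or "%" in addr:
        return False
    try:
        ipaddress.IPv6Address(addr)
    except ValueError:
        return False
    return True


def valid_ipv4_prefix(value):
    """The IPv4 Src/Dst mask is typed as a prefix length and must lie within 16..32."""
    return value.isascii() and value.isdigit() and IPV4_PREFIX_MIN <= int(value) <= IPV4_PREFIX_MAX


def valid_mac(addr):
    """48-bit address as six two-character hex blocks separated by colons."""
    return MAC_RE.match(addr) is not None


# Column name -> (check, message), mirroring the per-column error the tool displays (constructed).
CHECKS = {
    "Src address (IPv4)": (valid_ipv4, "IPv4 address must be four blocks of 0-255"),
    "Src address (IPv6)": (valid_ipv6, "IPv6 address must be eight hex blocks or a '::' form"),
    "Src mask (IPv4)": (valid_ipv4_prefix, "IPv4 prefix must be between 16 and 32"),
    "MAC Address": (valid_mac, "MAC must be six two-character hex blocks separated by ':'"),
}


def validate_field(column, value):
    """Return (ok, message). An empty value leaves the parameter unset, which the guide allows."""
    value = value.strip()
    if value == "":
        return True, "parameter left empty: matches any value"
    check, message = CHECKS[column]
    return (True, "ok") if check(value) else (False, message)
```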
Figure 16 Specify a MAC address
Ordering Firewall Rules
When a packet arrives at the firewall, the firewall applies the rules in order from the top to the bottom of the list. If a packet matches the parameters in the first rule in the list, the firewall takes the action specified and permits the packet to go through the firewall or denies it. If the packet doesn’t match the first rule, the firewall checks it against the second rule and so on. Whenever a packet matches a rule, the action is taken. If a packet matches none of the rules, it’s denied by default. The order of the rules is important because as soon as a match is made, the action in the rule is taken by the firewall and no other rules are checked. Because of this, it’s important to place the most restrictive rules first. For example, if you want to specifically allow all HTTP traffic except for traffic from a specified subnet, you would create two rules in the following order:
A rule with a deny action with the Src address and Src mask values for the subnet you want to deny.
A rule with a permit action and 80-World Wide Web (HTTP) specified for the Src port value.
Any packets that don’t match the first rule are checked against the second rule, so any traffic that is not from the specified subnet gets checked to see if it’s in the HTTP port and then permitted through the firewall. If you specified the second rule first, any HTTP traffic from the subnet would be passed through the firewall because the first rule applies to it.
To move a rule up:
1. In the list of rules, click the rule you want to move.
2. On the menu, click Move Rule Up. The rule moves up one line each time you click.
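A model of the rule semantics from "Putting the Rule Together" and "Ordering Firewall Rules", added here as an example rather than taken from the guide or the Brocade firewall: every parameter a rule specifies must match, an empty parameter matches anything, rules are tried top to bottom, the first match decides, and a packet matching no rule is denied. It replays the guide's HTTP-except-subnet example in both orders; the subnet and host addresses are constructed, and treating an address with no mask as a single host is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
PERMIT, DENY = "permit", "deny"
ICMP, TCP, UDP = 1, 6, 17          # protocol numbers from Table 2

@dataclass
class Rule:   # one line in the rule list; every parameter except action may be left empty (None)
    action: str
    src_addr: Optional[str] = None
    src_mask: Optional[int] = None   # prefix length; the guide's tool accepts 16..32 for IPv4
    src_port: Optional[int] = None
    dst_addr: Optional[str] = None
    dst_mask: Optional[int] = None
    dst_port: Optional[int] = None
    protocol: Optional[int] = None
    icmp_type: Optional[int] = None

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

def addr_matches(addr, rule_addr, rule_mask):
    """Empty address matches anything; an address with no mask is treated as one host (assumption)."""
    if rule_addr is None:
        return True
    prefix = rule_mask if rule_mask is not None else ipaddress.ip_address(rule_addr).max_prefixlen
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{rule_addr}/{prefix}", strict=False)

def rule_matches(rule, pkt):
    """The firewall checks each specified parameter; all of them must match for the rule to apply."""
    return all([
        addr_matches(pkt.src, rule.src_addr, rule.src_mask),
        addr_matches(pkt.dst, rule.dst_addr, rule.dst_mask),
        rule.src_port is None or rule.src_port == pkt.src_port,
        rule.dst_port is None or rule.dst_port == pkt.dst_port,
        rule.protocol is None or rule.protocol == pkt.protocol,
        rule.icmp_type is None or rule.icmp_type == pkt.icmp_type,
    ])

def evaluate(rules, pkt):
    """Rules are tried top to bottom; the first match decides and a packet matching none is denied."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return DENY, None

# The guide's ordering example. 192.0.2.0/24 and the other addresses are constructed samples.
DENY_SUBNET = Rule(DENY, src_addr="192.0.2.0", src_mask=24)
PERMIT_HTTP = Rule(PERMIT, src_port=80)
HTTP_FROM_SUBNET = Packet("192.0.2.7", "203.0.113.5", TCP, src_port=80, dst_port=51000)
HTTP_FROM_ELSEWHERE = Packet("198.51.100.9", "203.0.113.5", TCP, src_port=80, dst_port=51000)

def ordering_demo():   # correct order denies the subnet; reversed order lets its HTTP traffic through
    return {
        "correct order, subnet": evaluate([DENY_SUBNET, PERMIT_HTTP], HTTP_FROM_SUBNET),
        "correct order, elsewhere": evaluate([DENY_SUBNET, PERMIT_HTTP], HTTP_FROM_ELSEWHERE),
        "reversed order, subnet": evaluate([PERMIT_HTTP, DENY_SUBNET], HTTP_FROM_SUBNET),
    }
```

The returned index shows which rule fired, which is the quickest way to see why the reversed order passes the subnet's traffic.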
Figure 17 Move a rule up
To move a rule down:
1. In the list of rules, click the rule you want to move.
2. On the menu, click Move Rule Down. The rule moves down one line each time you click.
Figure 18 Move a rule down
Editing Firewall Rules
You can edit any existing firewall rule or MAC filter. The edit can be to change any parameter, remove a parameter, change the action, etc. To change a firewall rule parameter:
1. Double-click the value in the firewall rule that you want to change.
2. Enter the new value or, if the value is from a list, select a new value from the list.
Figure 19 Change a rule parameter
To delete a firewall rule parameter:
1. Double-click the value in the firewall rule that you want to change.
2. Clear the value or, if the value is from a list, select the blank item at the top of the list.
Figure 20 Select the empty line in the list
Deleting Firewall Rules
When a firewall rule or MAC filter is no longer needed, you can delete it. Be careful when deleting firewall rules that you don’t create an issue with the order in which rules are applied. To delete a firewall rule:
1. In the list of rules, click the rule you want to delete.
2. On the menu, click Delete Rule.
Figure 21 Delete a rule
Saving the Firewall Rules
At any time after you make a change or addition to your firewall configuration, you can save your changes. To save your firewall changes:
At the bottom left of the firewall configuration window, click Save.
Figure 22 Save the firewall rules
Closing the Configuration Environment
After you complete and save all changes or additions for your firewall configuration, you can exit the configuration environment. To exit the firewall configuration environment:
At the bottom left of the firewall configuration window, click Close.
Figure 23 Close the configuration environment