SecPoint® Protector
Firewall and VPN Tunneling Setup
Protector™ Unified Threat Management
http://www.secpoint.com/protector.html
Copyright © 1999-2012 SecPoint® Page 2 of 9
Protector – Firewall and VPN Tunneling setup

Introduction

The new Protector with firmware level 12.5.2 comes with a built-in Firewall and VPN Tunneling system. The default configuration of the firewall has been especially designed for the standard network environment where the Protector is usually placed. For this reason, the only setup that is usually needed is the set of additional rules required by the customer.

Basic concepts

In order to work properly, the Firewall must have knowledge of the network environment in which it is going to work. To do this, it is first necessary to define the zones it is going to deal with and the network cards (interfaces) connected to these zones. Typically the Protector is delivered with 2 network cards, br0 and br1, the first one connected to the external network, the second one connected to the local area network.
Once the basic setup is done, the firewall must be instructed on how to deal with these zones. To do this, it is possible to define some default policies that the firewall uses to decide what to do with network packets flowing through it from one zone to another. These default policies, however, can be overridden by special rules that take care of packets to/from specific addresses/ports.

Summary

Zones: The zones represent the different networks reachable from your system. These entries are needed to define policies and rules.

Interfaces: These are the physical network interfaces on your system that should be controlled by the firewall. Each interface has to be associated to the zone it's connected to.

Default Policies: Policies represent the default action the firewall will perform for any network request from/to the specified firewall zones. These policies can be overridden for particular hosts or types of traffic by defining specific Rules.

Rules: Rules are the exceptions to the default policies for certain types of traffic, sources or destinations. The chosen action will be applied to packets matching the chosen criteria, instead of the default action.
Default configuration

By default the firewall is configured as in the picture above: the network interfaces br0 and br1 are defined by default, and the zones net and loc are defined too and associated to these network cards. Default policies are already built in to allow the traffic from the local area network (zone “loc”) to the external zone, and to block the traffic coming in.

Note: The pre-existing set of network rules, previous to the existence of the Protector’s firewall, is left unchanged by the new firewall. These rules are loaded at startup and added to the set of rules that can be defined within the firewall itself.

Here is the complete list of default settings:

Zones

There are three zones defined.

• net: the network external to the firewall
• loc: the local area network, protected by the firewall
• fwall: a special zone that identifies the firewall itself
Interfaces
The physical network interfaces of the Protector, connected to the network zones above.

• br0: the network card connected to the external zone
• br1: the network card connected to the protected zone
Policies
These are the default policies the firewall will adopt for packets coming from a Source zone and going to a Destination zone. “Any” stands for “any zone”. The policies that involve the firewall are needed for the firewall to know what to do with packets directed to itself (the Protector).

Rules

There are no default rules defined in the Protector’s firewall.

Changing the configuration

There is a basic setting and an advanced setting.

Port blocking

The basic setting allows you to easily block packets coming from any address/port and going to the specified port of the protected zone. You just need to enter the port number that has to be blocked and the protocol (TCP by default).
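To make the zone, policy and rule model concrete, here is an added example (not code from SecPoint or the Protector) that models how a zone-based firewall reaches a decision: the packet's source and destination zones are derived from its interfaces, rules are checked first, and only when no rule matches does the default policy for the zone pair apply. The policy table, the rules and the packets are constructed for illustration; the manual does not list the exact default policies, so the values below are an assumption modelled on its description (loc to net allowed, inbound from net blocked). The first rule is the kind of rule the basic "Port blocking" setting would create; the port syntax follows the rule form described later in this document (single port, `25:110` range, comma list).

```python
"""Toy model of zone-based firewall decisions: default policies per
(source zone, destination zone) pair, overridden by explicit rules.
Added example; all tables below are constructed, not read from a Protector."""
import ipaddress

# Interfaces mapped to zones, as in the default configuration.
INTERFACES = {"br0": "net", "br1": "loc"}

# Default policies: (source zone, destination zone, action), first match wins.
# "any" is a wildcard. ASSUMPTION modelled on the text, not the real table.
POLICIES = [
    ("loc", "net", "ACCEPT"),
    ("loc", "fwall", "ACCEPT"),
    ("fwall", "any", "ACCEPT"),
    ("net", "any", "DROP"),
    ("any", "any", "REJECT"),
]

# Rules: exceptions to the policies. Missing keys mean "any".
# Rule 1 is what basic "Port blocking" of 23/TCP would produce; the
# other two are constructed advanced rules.
RULES = [
    {"action": "DROP", "src": "any", "dst": "loc", "proto": "tcp", "dports": "23"},
    {"action": "ACCEPT", "src": "net", "dst": "loc", "proto": "tcp",
     "dports": "25:110", "src_ips": "203.0.113.0/24"},
    {"action": "REJECT", "src": "loc", "dst": "net", "proto": "udp",
     "dports": "53,5353", "src_ips": "192.168.1.50,192.168.1.51"},
]


def zone_of(endpoint):
    """Map an interface name to its zone; 'fwall' denotes the firewall itself."""
    return "fwall" if endpoint == "fwall" else INTERFACES[endpoint]


def packet(in_if, out_if, proto, src_ip, sport, dst_ip, dport):
    """Build a packet record with zones derived from the interfaces (constructed)."""
    return {"src_zone": zone_of(in_if), "dst_zone": zone_of(out_if), "proto": proto,
            "src_ip": src_ip, "sport": sport, "dst_ip": dst_ip, "dport": dport}


def port_matches(spec, port):
    """Port spec as in the rule form: None/'any', '80', 'lo:hi' range, comma list."""
    if spec in (None, "any"):
        return True
    for item in spec.split(","):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def ip_matches(spec, ip):
    """IP spec: None/'any', a comma-separated list of addresses, or CIDR ranges."""
    if spec in (None, "any"):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(item, strict=False)
               for item in spec.split(","))


def zone_matches(spec, zone):
    return spec == "any" or spec == zone


def rule_matches(rule, pkt):
    return (zone_matches(rule.get("src", "any"), pkt["src_zone"])
            and zone_matches(rule.get("dst", "any"), pkt["dst_zone"])
            and rule.get("proto", "any") in ("any", pkt["proto"])
            and ip_matches(rule.get("src_ips"), pkt["src_ip"])
            and ip_matches(rule.get("dst_ips"), pkt["dst_ip"])
            and port_matches(rule.get("sports"), pkt["sport"])
            and port_matches(rule.get("dports"), pkt["dport"]))


def policy_action(src_zone, dst_zone):
    """Default action for a zone pair; fail closed if nothing matches."""
    for src, dst, action in POLICIES:
        if zone_matches(src, src_zone) and zone_matches(dst, dst_zone):
            return action
    return "DROP"


def decide(pkt):
    """Return (action, origin): first matching rule wins, else the default policy."""
    for rule in RULES:
        if rule_matches(rule, pkt):
            return rule["action"], "rule"
    return policy_action(pkt["src_zone"], pkt["dst_zone"]), "policy"


if __name__ == "__main__":
    samples = [  # constructed traffic
        packet("br1", "br0", "tcp", "192.168.1.10", 40000, "198.51.100.5", 443),
        packet("br0", "br1", "tcp", "198.51.100.5", 40000, "192.168.1.10", 22),
        packet("br0", "br1", "tcp", "203.0.113.7", 40000, "192.168.1.10", 80),
        packet("br0", "br1", "tcp", "203.0.113.7", 40000, "192.168.1.10", 23),
        packet("br1", "br0", "udp", "192.168.1.50", 5000, "198.51.100.53", 53),
    ]
    for p in samples:
        print(p["src_zone"], "->", p["dst_zone"], p["proto"], p["dport"], decide(p))
```

Because rules are matched in order, the port-23 block placed first wins over the later rule that would accept 25:110 from 203.0.113.0/24, which is the behaviour to keep in mind when the basic port-blocking setting and advanced rules coexist.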
Advanced setting

The Advanced setting gives full power over the capabilities of the firewall.

Warning: If misused, the advanced settings may result in a nonfunctional firewall or may cause the local area network to be isolated from the outside network. If this should occur, please restore the settings as described in “Default configuration”. It is strongly recommended that you don’t alter the settings in Zones, Interfaces and Default Policies.

Rules

The rules defined here override the behavior of the Default Policies. When creating a new rule or changing an existing rule, you will see the following window:
Action: The action the firewall will perform when the condition stated by this rule is true.

Macro Action Parameter: The action that has to be selected when the field Action is a Macro. Macros are especially designed for the most common applications and can simplify the setting of a rule for a specific application.

Source zone: The zone packets are coming from. Here you can also specify whether packets have to be filtered based on the source IP address. You can enter a list of IP addresses separated by commas, or a range of IPs in CIDR notation.

Destination zone or port: Same as above, for the destination.

Protocol: The rule is evaluated only for this protocol.

Source ports: Any, the default, means that the rule is evaluated whatever the source port of the packet. If you select Ports or ranges, the rule is valid only for the specified port or set of ports. Port ranges can be specified with ‘:’, as in ‘25:110’. Multiple ports can be separated with a comma.

Destination ports: Same as above, for the destination.

Original destination address: This field is used only if Action is DNAT or REDIRECT. In this case, if this column is included and is different from the IP address given as Destination, then connections destined for this address will be forwarded to the IP and port specified as Destination.

Rate limit expression: This is the maximum rate acceptable for packets filtered by this rule. The syntax is:

rate/{sec|min|hour|day}[:burst]

Example: 10/sec:20

rate is the number of connections per interval (sec, min, etc.) and burst is the largest burst permitted. If no burst is given, a value of 5 is assumed. No whitespace is allowed.

Rule applies to user set: This field is optional and may only be non-empty if the Source is the firewall itself. When this field is non-empty, the rule applies only if the program generating the packets is running under the effective user and/or group specified (or is NOT running under that id if "!" is given). The syntax is:

[!][user][:group]
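Since a malformed field in the advanced rule form is one way to end up with a configuration that fails validation, here is an added example (not SecPoint's code) that checks the two field syntaxes given above, the rate limit expression `rate/{sec|min|hour|day}[:burst]` and the user set `[!][user][:group]`, before they are entered, and then shows what a limit such as `10/sec:20` does to a burst of connections. The token-bucket interpretation (burst tokens available at once, refilled at `rate` per interval) is an assumption about how the firewall enforces the limit; the input strings and timestamps are constructed.

```python
"""Validate the rule-form field syntaxes described in the manual and
simulate a rate limit. Added example; syntax rules are taken from the
text, the token-bucket semantics are an assumption."""
import re

RATE_LIMIT_RE = re.compile(r"(\d+)/(sec|min|hour|day)(?::(\d+))?")
USER_SET_RE = re.compile(r"(!)?([^\s:!]+)?(?::([^\s:!]+))?")
INTERVAL_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}


def parse_rate_limit(expression):
    """Parse 'rate/{sec|min|hour|day}[:burst]'; burst defaults to 5.
    fullmatch() rejects whitespace and any other stray characters."""
    m = RATE_LIMIT_RE.fullmatch(expression)
    if m is None:
        raise ValueError(f"bad rate limit expression: {expression!r}")
    rate = int(m.group(1))
    burst = int(m.group(3)) if m.group(3) is not None else 5
    if rate < 1 or burst < 1:
        raise ValueError("rate and burst must be at least 1")
    return {"rate": rate, "interval": m.group(2), "burst": burst}


def parse_user_set(expression):
    """Parse '[!][user][:group]'. Empty string means 'no restriction' (None).
    At least one of user or group must be present when the field is used."""
    if expression == "":
        return None
    m = USER_SET_RE.fullmatch(expression)
    if m is None or (m.group(2) is None and m.group(3) is None):
        raise ValueError(f"bad user set: {expression!r}")
    return {"negate": m.group(1) == "!", "user": m.group(2), "group": m.group(3)}


class RateLimiter:
    """Token bucket: capacity = burst, refill = rate per interval (assumption)."""

    def __init__(self, expression):
        spec = parse_rate_limit(expression)
        self.capacity = spec["burst"]
        self.tokens = float(self.capacity)
        self.refill_per_sec = spec["rate"] / INTERVAL_SECONDS[spec["interval"]]
        self.last = None

    def allow(self, now):
        """Return True if a connection at time `now` (seconds) is within the limit."""
        if self.last is None:
            self.last = now
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(expression, timestamps):
    """Apply the limit to connection attempts at the given times; list of accepts."""
    limiter = RateLimiter(expression)
    return [limiter.allow(t) for t in timestamps]


if __name__ == "__main__":
    for expr in ("10/sec:20", "10/min", "10/sec :20", "10/week"):  # constructed
        try:
            print(expr, "->", parse_rate_limit(expr))
        except ValueError as err:
            print(expr, "-> rejected:", err)
    for expr in ("!www-data:www-data", "root", ":wheel", "root:", "a b"):
        try:
            print(repr(expr), "->", parse_user_set(expr))
        except ValueError as err:
            print(repr(expr), "-> rejected:", err)
    # 25 attempts at t=0 then 15 at t=1s under 10/sec:20 (constructed timeline)
    accepted = simulate("10/sec:20", [0.0] * 25 + [1.0] * 15)
    print("accepted at t=0:", sum(accepted[:25]), "at t=1:", sum(accepted[25:]))
```

The simulation makes the meaning of the two numbers visible: the first 20 attempts in the same instant are accepted (the burst), the next 5 are not, and one second later only 10 more tokens have been refilled, so 10 of the next 15 pass.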
Firewall Control Panel

The Control Panel displays the current state of the Firewall. The normal state is when the firewall is running with an up-to-date configuration. This can be seen when both green icons are shown.

A red icon means that the firewall is not active; the reason can be that it is trying to start with a wrong configuration (e.g. after a reboot). In this case, please click on "Validate firewall configuration". If the configuration had been validated previously, you just have to restart the firewall by clicking “Restart Firewall”.

Yellow icons are shown after a change in any of the configuration files. If the green icon is displayed, it means that the firewall is running, but with an old configuration. To activate the new one, you have to validate it and restart the firewall.

When you validate a firewall configuration, the validation result will be shown in the panel as well. If the validation is unsuccessful, the panel will display the error message; otherwise it will display a success message.

A grey icon means that the firewall module is off. You can turn it on by clicking the "Enable firewall module" button.
VPN Tunneling

The Protector has the capability to create tunnels for VPN connections between the protected zone and the external zone. Tunnel traffic is encapsulated and usually encrypted.

VPN Type: This is one of the possible tunneling modes:

• IPsec
• IPsec with NAT Traversal (UDP port 4500)
• IPsec no AH (without the Authentication Header protocol)
• IPsec with NAT Traversal, no AH
• IP
• GRE (Generic Routing Encapsulation)
• PPTP client (runs on the firewall)
• PPTP server (runs on the firewall)
• L2TP (Layer 2 Tunneling Protocol - UDP port 1701)

Zone for interface: The zone through which tunnel traffic passes. This is typically the “net” zone.

Remote gateway: This is the IP address of the remote tunnel gateway. Leave Default if not needed.

Gateway Zones: If the Remote gateway is a standalone machine, this column should contain a comma-separated list of the names of the zones that the host might be in. Applies only to IPSEC VPN.