Freedom9 freeGuard Blaze 2100 Скачать руководство пользователя страница 89 | Manualshive

Страница: 89 / 224

background image

. . . . .

A T T A C K D E T E C T I O N A N D P R E V E N T I O N

Configuring the freeGuard Blaze 2100 to Defend Against DoS and DDoS Attacks

Version 3R2

Security Appliance User Guide

5-7

CONFIGURING ICMP FLOOD PREVENTION

To configure the rate limit for ICMP traffic for a specific zone, use the

set

zone

command with the

icmp-flood attack-threshold

option. This

enables you to set limits (per second) on the number of ICMP packets
allowed through that zone to a specific host.

set zone {zone name} screen icmp-flood attack-threshold
{number}

E X A M P L E : S E T T I N G T H E I C M P T H R E S H O L D

Set the ICMP threshold to

1,000

on the untrust zone:

set zone untrust screen icmp-flood attack-threshold 1000

save

G U I E X A M P L E : S E T T I N G T H E I C M P T H R E S H O L D

1

Policy > Attack Settings Edit Zone (for “unturst”)

2

Enter the following, then click

Apply

:

ICMP flood attack threshold: 1000

CONFIGURING UDP FLOOD PREVENTION

To configure the rate limit for UDP datagrams in a specific zone, use the

set zone

command with the

udp-flood attack-threshold

option:

set zone {zone name} screen udp-flood attack-threshold
{number}

This sets a rate limit for the number of UDP datagrams allowed through
the zone to a specific host per second. The maximum threshold for the

udp-flood attack-threshold

is 64,000.

CONFIGURING SYN FLOOD PREVENTION

A host or multiple hosts that sends a large number of invalid SYN packets
can overwhelm network devices. This causes network devices to allocate
more resources to process the invalid SYN requests, leaving fewer
resources available to process legitimate traffic requests. If you apply
rate limits to restrict the number of SYN packets allowed through a zone,
the appliance detects and protects against SYN flood attacks.

«
...
87
88
89
90
91
...
»

Содержание freeGuard Blaze 2100

Страница 1: ...freeGuard Blaze 2100 User Guide Version 3R2...

Страница 2: ...ot allow copies to be made for others whether or not sold but all of the materials purchased can be sold given or loaned to another person Under the law copying includes translating this information i...

Страница 3: ...ng the Power 2 2 Connecting the freeGuard Blaze 2100 to Other Network Devices 2 2 Configuring the freeGuard Blaze 2100 2 3 Configuring the Software 2 5 3 Security Zones and Interfaces 3 1 Security Zon...

Страница 4: ...3 33 PPPoE Point to Point Protocol over Ethernet 3 33 4 System Management 4 1 Using the Console to Manage the freeGuard Blaze 2100 4 1 About Console Cable Requirements 4 2 Accessing the Console 4 2 R...

Страница 5: ...Aliases 4 14 Deleting Aliases 4 15 Viewing Current Aliases 4 15 Configuring Domain Names 4 15 Deleting Domain Names 4 15 Configuring Host Names 4 16 Deleting Host Names 4 16 Using Network Time Protoco...

Страница 6: ...g Management 6 3 Log Module Settings 6 3 Setting Log Modules 6 3 Disabling Log Module Settings 6 4 Viewing the log module settings 6 4 Viewing the Traffic and Event Log 6 5 Admin Mail Server 6 6 Confi...

Страница 7: ...View the SNMP Community Settings 6 22 View the SNMP Statistics 6 23 Viewing the Interface Statistics 6 24 7 Virtual Private Networks 7 1 Virtual Private Networks 7 1 About IP Security IPsec 7 2 the Di...

Страница 8: ...ts with Non Zero Reserved Fields 8 9 9 Policy Configuration 9 1 About Security Policies 9 1 About Traffic Flow Among Policies 9 1 About Security Policy Types 9 2 Configuring Policies 9 4 Creating Poli...

Страница 9: ...ss Translation 10 1 Network Address Translation 10 1 Configuring Source Network Address Translation 10 2 About Port Address Translation PAT 10 2 Configuring Dynamic IP DIP Pools 10 3 Source NAT Config...

Страница 10: ...X 509 Digital Certificates 12 1 PKI Basics 12 2 A typical Digital Certificate 12 3 Self signed certificate 12 4 CLI Commands 12 4 Generating a Self Signed Certificate 12 4 Creating a Certificate Requ...

Страница 11: ...n IPsec VPN Prevention of 30 DoS and DDoS attacks Extensive Network Address Translation NAT features including one to one many to one many to many and port address translation PAT 802 1Q VLAN support...

Страница 12: ...Values inside braces are required For commands that require a selection from a pre defined list of values each value in the list is separated by a pipe Variables appear in italic When a WebGUI command...

Страница 13: ...U C T I O N About Document Conventions Version 3R2 Security Appliance User Guide 1 3 ILLUSTRATION CONVENTIONS Figure 1 1 shows the graphics used in illustrations in this guide Figure 1 1 Illustration...

Страница 14: ...I NT R O DU C T I O N About Document Conventions 1 4 Security Appliance User Guide Version 3R2 1...

Страница 15: ...serving these precautions can prevent injuries equipment failures and potential shutdown of the freeGuard Blaze 2100 WARNING Always assume the power supply for the freeGuard Blaze 2100 is connected to...

Страница 16: ...e 2 1 prepare to proceed with the actual installation To install the freeGuard Blaze 2100 perform the tasks described in the following sections Connecting the Power Connecting the freeGuard Blaze 2100...

Страница 17: ...eth0 interface is connected to a switch on your local area network LAN using another twisted pair Ethernet cable Figure 2 1 Connecting the freeGuard Blaze 2100 to other Network Devices CONFIGURING TH...

Страница 18: ...interface on a laptop or desktop machine 3 To access the freeGuard Blaze 2100 console interface launch a terminal emulation program NOTE Hyper Terminal by Hillgraeve Inc is a suitable terminal emulat...

Страница 19: ...HE A D M I N P A S S W O R D Because all Security Appliances are preconfigured with the same password you must change the admin password Use the set admin command to change the password set admin pass...

Страница 20: ...interface command to bind the eth0 interface to the trust zone with an IP address and netmask of 10 0 0 1 24 set interface eth0 ip 10 0 0 1 24 set interface eth0 zone trust save G U I E X A M P L E C...

Страница 21: ...o the eth1 interface you must configure network address translation NAT For additional information regarding NAT configurations refer to Chapter 10 Address Translation Use the set interface command to...

Страница 22: ...ts on the LAN connected to the trust zone to browse the Internet using a web browser Use the set policy command to create a policy allowing any traffic going from the trust zone to the untrust zone se...

Страница 23: ...G E T T I N G S T A R TE D Installing the freeGuard Blaze 2100 Version 3R2 Security Appliance User Guide 2 9 Policy set policy from trust to untrust any any any permit...

Страница 24: ...G E T T IN G S T A R T E D Installing the freeGuard Blaze 2100 2 10 Security Appliance User Guide Version 3R2 2...

Страница 25: ...Modes Advanced Interface Settings Authentication Using RADIUS Alternate Connection Methods SE CURITY ZONES Security zones are a logical grouping of physical and logical interfaces on an appliance A se...

Страница 26: ...o subinterfaces have been added in the DMZ zone VLAN 200 and 210 The eth1 interface is configured in Untrust zone Policies can be written to allow or deny traffic between zones Figure 3 2 Security Zon...

Страница 27: ...nes Figure 3 3 displays the security appliance with two security zones trust and untrust The trust zone is configured for the LAN and the untrust zone is configured for the WAN Security policies can n...

Страница 28: ...se the set zone command with the name_str option to create a custom security zone set zone name name_str E X A M P L E C R E A T I N G T H E S A L E S S EC U R I T Y Z O N E set zone name sales save G...

Страница 29: ...cified security zone set zone name_str block E X A M P L E E N A B L E I N T R A Z O N E B L O C K I N G ON T H E S A L E S S E C U R I T Y Z O N E set zone sales block save G U I E X A M P L E E N A...

Страница 30: ...s for each zone Zone name The name assigned to the interface Zone ID The ID number assigned to the zone Type The security settings on the zone Intrazone block On or off Interfaces bound Lists all phys...

Страница 31: ...red on the corresponding physical interface of the appliance Figure 3 6 displays the location of the Ethernet interfaces on the freeGuard Blaze 2100 Figure 3 6 Ethernet interface locations This sectio...

Страница 32: ...r additional information You can use additional set interface commands to bind the interface to a different zone or to set the interface mode to either NAT enabled route or Transparent mode BINDING IN...

Страница 33: ...llowing then click Apply Zone Name Trust CONFIGURING SUBINTERFACES A subinterface is a logical interface that uses an 802 1q tag to identify membership to a specific VLAN on a physical interface After...

Страница 34: ...120 on the physical interface eth0 Assign the subinterface to the trust zone with the IP address 192 168 100 1 24 set interface eth0 120 ip 192 168 100 1 24 set interface eth0 120 zone trust save G U...

Страница 35: ...d port address translation PAT through security policies For information on configuring NAT through security policies refer to Chapter 10 Address Translation CONFIGURING NAT ENABLED MODE Interfaces co...

Страница 36: ...ure 3 7 set interface eth0 nat save G U I E X A M P L E C ON FI G U R I N G N A T E N A B L E D M O D E 1 Network Interface Edit for eth0 2 Enter the following then click Apply Interface Mode NAT CONF...

Страница 37: ...interface eth1 route save G U I E X A M P L E C ON FI G U R I N G R O U T E M O D E 1 Network Interface Edit for eth0 2 Enter the following then click Apply Interface Mode Route 3 Network Interface Ed...

Страница 38: ...P Shows the IP address from which the interface can be managed Management Options Ping ssh http https snmp Mode NAT route transparent Use the get interface command to display information on a specific...

Страница 39: ...est IP MAC address information changed in the header allowing the freeGuard Blaze 2100 to be deployed in complex networks un obtrusively In Transparent mode the freeGuard Blaze 2100 can be deployed de...

Страница 40: ...y will be needed to deny ANY All from the Untrust to Trust zone In Figure 3 9 if Workstation A makes a request to www yahoo com the workstation performs a DNS query for www yahoo com the return addres...

Страница 41: ...within the appliance and cannot be modified In addition to configuring the br0 management interface a default route is required to be configured in order for the freeGuard Blaze 2100 to communicate to...

Страница 42: ...cer The freeGuard Blaze 2100 can be placed directly between the VLAN switch trunk and the external VLAN router it can then intercept recognize various VLAN tagged packets and apply zone based policies...

Страница 43: ...ity to filter various source dest address s zones based on the VLAN ID CLI Configuration set interface eth0 ip 0 0 0 0 0 set interface eth0 transparent set interface eth0 zone trust set interface eth1...

Страница 44: ...nce set zone name Lab set zone name Sales set address Finance webserver 192 168 200 10 32 set address Accounting SQLServer 192 168 100 100 32 set transparent vlan Engineering tag 100 zone Engineering...

Страница 45: ...2100 in order to accommodate their network needs These bypass functions are global and will be applied to both the ingress and egress interfaces NOTE For detailed information on the transparent comma...

Страница 46: ...erse the freeGuard Blaze 2100 The default behavior of the freeGuard Blaze 2100 is to bypass i e drop such packets G U I E X A M P L E B Y P A S S D O S A N D D D O S C H E C K I N G I N T R A N S P A...

Страница 47: ...appliance Use the set interface command with the mtu option to set the MTU size for a specific interface set interface interface name mtu size E X A M P L E S E T T I N G T H E M T U S I Z E ON T H E...

Страница 48: ...cess Control MAC addresses Use the get arp command to view the current ARP table entries get arp C L E A R I N G C U R R E N T A R P E N T R I E S Use the clear arp command to clear a specific entry o...

Страница 49: ...M EO U T T O 1 8 0 0 S E C O N D S 1 Network ARP 2 Enter the following then click Apply ARP Cache Entry Timeout Seconds 1800 ENABLING INTERFACE MANAGEMENT Use the set interface interface name with th...

Страница 50: ...ation Dial In User Service RADIUS authenticates the local users and remote users on a company network RADIUS works as a client server system that keeps the authentication information for users remote...

Страница 51: ...thentication 5 The RADIUS server verifies the username and password and if they are correct sends a RADIUS Challenge message to the security appliance 6 The security appliance sends the Challenge mess...

Страница 52: ...security appliance is 1812 RADIUS Timeout The time interval the security appliance must wait before sending another authentication request if the previous request had not been answered The default RAD...

Страница 53: ...r radius command with the timeout option set auth server auth_name radius timeout value NOTE The acceptable value for the RADIUS timeout is in the range of 3 180 seconds C O N F I G U R I N G T H E R...

Страница 54: ...ip_addr dom_name V I E W I NG T HE R A D I U S C O N F I GU R A T I O N To view the RADIUS configuration on the security appliance use the get auth server command and view all settings or by ID get a...

Страница 55: ...igure 3 12 shows a primary and secondary RADIUS server using the following attributes Figure 3 12 Configuring a Primary and Secondary RADIUS Server Auth_name security Primary RADIUS server IP 10 0 0 2...

Страница 56: ...ON FI G U R I N G A P R I M A R Y A N D S E C ON D A R Y R A D I U S S ER V ER 1 System Authentication Add Authentication Server 2 Enter the following RADIUS information and click Apply Type Name Tes...

Страница 57: ...are the same physical connection but access control billing and type of service are handled on a per user basis Some security devices support a PPPoE client allowing compatibly with DSL Ethernet Direc...

Страница 58: ...0 1 24 set interface ethernet1 zone untrust set pppoe interface ethernet1 set pppoe username name_str password pswd_str To test your PPPoE connection set pppoe enable get pppoe G U I E X A M P L E T O...

Страница 59: ...S E CU R IT Y Z O NE S AN D I N T E R F ACE S Alternate Connection Methods Version 3R2 Security Appliance User Guide 3 35 Select Interface PPPoE...

Страница 60: ...SE C U R I T Y Z O N E S A N D I N TE R FA C E S Alternate Connection Methods 3 36 Security Appliance User Guide Version 3R2 3...

Страница 61: ...e 2100 Additional System Management Tasks Using Network Time Protocol NTP Using Domain Name Service DNS Using Ping Using Traceroute US ING THE CONSOLE TO MANA GE TH E FRE EGUARD BLAZE 21 00 You must p...

Страница 62: ...interface For administration console access you must connect the null modem cable included in the packaging to configure the freeGuard Blaze 2100 To access the console 1 Connect the female 2x5 header...

Страница 63: ...assword NOTE Information for long commands might display incorrectly if the console window is resized to larger than 80 character columns RE ENABLING THE CONSOLE INTERFACE To re enable the console int...

Страница 64: ...S O L E T I M E O UT T O 1 5 M I N U T E S set console timeout 15 save EXITING THE CONSOLE To exit the console type exit US ING SSH TO MANA GE TH E FREE GU ARD BLAZE 2100 For secure remote management...

Страница 65: ...A C E 1 Network Interface Edit for ethernet0 2 Select the following then click Apply Management Option SSH E X A M P L E E N A B L E S S H O N A V L A N I N T E R F A C E E T H 0 1 0 0 set ssh enabled...

Страница 66: ...rity zones Perform asset recovery Reset the device to its default settings Update the firmware Load configuration files Clear all active sessions of additional read only users CHANGING YOUR ADMINISTRA...

Страница 67: ...N G I N G T HE A D M I N R P A S S W O R D 1 System Admin Administrators 2 Enter the following password information and click Apply Select the admin r user Type old password Type new password Confirm...

Страница 68: ...nce This can be obtained from your sales representative 2 Place a copy of the latest software for the appliance into the root directory of the TFTP server program 3 Make sure a TFTP server is running...

Страница 69: ...OR SECONDARY After you upload the new software image to the appliance you must set the image as the primary or secondary software image Use the set image command to set the software as primary or sec...

Страница 70: ...0 3 mttflash txt G U I E X A M P L E S A V I N G T H E C O N F I G U R A T I O N F I L E F OR E X P O R T 1 System Configuration 2 TFTP Server Address 192 168 0 3 3 File Name mttflash txt 4 Select the...

Страница 71: ...ess perform a hardware reset which erases the firmware and system settings Although the reset deletes the system configuration file you can access the appliance using the default login credentials Per...

Страница 72: ...e through the freeGuard Blaze 2100 management interface This section includes the following topics Viewing System Information Creating Aliases Deleting Aliases Viewing Current Aliases Configuring Doma...

Страница 73: ...etting vendor id 01 vendor name vendor vendor contact vendor manufacture code 00 manufacture date 2006 02 28 12 21 00 UTC product model Security Appliance product serial number 0001 02 0606 0074 ether...

Страница 74: ...temp controller passed test phy control dev passed test rtc device passed test external tcam passed test fiber ext loopback passed test copper ext loopback passed G U I E X A M P L E V I E W I N G S...

Страница 75: ...alias command get alias CONFIGURING DOMAIN NAMES To configure the freeGuard Blaze 2100 to respond to a specifically configured domain use the set domain command set domain name_str E X A M P L E C ON...

Страница 76: ...DELETING HOST NAMES To delete a previously configured host name use the unset hostname command unset host USING NETWORK TIME PROTOCOL NTP The freeGuard Blaze 2100 uses Network Time Protocol NTP to upd...

Страница 77: ...P R I M A R Y N T P S E R V E R I P A S 2 0 7 2 4 5 1 4 3 1 4 7 1 System Date Time 2 Enter the following then click Apply Primary NTP Server IP Name 207 245 143 147 NOTE You can use a fully qualified...

Страница 78: ...2 4 5 1 4 3 1 7 1 System Date Time 2 Remove the following then click Apply Primary NTP Server IP Name 207 245 143 147 NOTE You can configure multiple NTP server IP addresses to ensure the freeGuard Bl...

Страница 79: ...clock timezone number E X A M P L E C O N F I G U RI N G T H E C L O C K T I M E Z O N E T O P A C I F I C T I M E ZO NE G MT 8 set clock timezone 8 save G U I E X A M P L E C ON FI G U R I N G T HE...

Страница 80: ...D R E S S A S 2 0 6 1 3 2 8 1 2 set dns host dns2 206 13 28 12 save G U I E X A M P L E S E T T I N G T HE S E C ON D A R Y D N S H O S T I P A D D R E S S A S 2 0 6 1 3 2 8 1 2 1 Interface DNS 2 Ente...

Страница 81: ...m G U I E X A M P LE P I N G W W W Y A H O O C OM 1 System Tools 2 Enter the following then click Apply Diagnostic Tool Ping Ping www yahoo com US ING TRACEROUTE You can use traceroute to trace packet...

Страница 82: ...SY ST EM MA N AGEM E N T Using Traceroute 4 22 Security Appliance User Guide Version 3R2 4...

Страница 83: ...enting Network Port Attacks Additional Attack Detection and Prevention Viewing Attack Settings NE TWORK AT TACKS Attackers invade a protected network for any of the following reasons To gather informa...

Страница 84: ...g evidence of the attack DE TECTING AN ATTACK To prevent hackers from exploiting a network the appliance uses stateful inspection to dynamically filter and secure all network connections Stateful insp...

Страница 85: ...rmation launch a man in the middle attack or create a DoS by adding or restoring default routes Netbus Attack Affects Windows 95 98 and NT operating systems A netbus attack allows hackers to install a...

Страница 86: ...on a network This causes the real machine on the network to think that it sent the packet to itself causing a resource slowdown SYN Flood Uses packets that have an unreachable source address to estab...

Страница 87: ...ecific port attacks in the set policy command All Back orifice Ini killer Netbus Netspy Priority Ripper Senna spy Small server Seb seven Striker NOTE In addition you set the global port attack option...

Страница 88: ...attacks refer to Figure 5 1 for an example of a DoS attack You can configure options on the appliance to apply various rate limits to ICMP TCP and UDP traffic Figure 5 1 Example of a DoS Attack Rate l...

Страница 89: ...cy Attack Settings Edit Zone for unturst 2 Enter the following then click Apply ICMP flood attack threshold 1000 CONFIGURING UDP FLOOD PREVENTION To configure the rate limit for UDP datagrams in a spe...

Страница 90: ...H O L D 1 Policy Attack Settings Edit Zone for untrust 2 Enter the following then click Apply SYN flood attack threshold 5000 CONFIGURING FIN FLOOD PREVENTION Setting a rate limit for FIN packets all...

Страница 91: ...zone set zone untrust screen ip frag attack threshold 1000 save G U I E X A M P L E S E T T I N G T H E I P F R A GM E N T T H R E SH OL D 1 Policy Attack Settings Edit Zone for untrust 2 Enter the f...

Страница 92: ...f IRDP Teardrop attack TCP no flags set Ping of Death Smurf attack TCP no flags set Unknown IP protocol UDP bomb VIEWING ATTACK SETTINGS To view the current attack settings per zone use the get zone c...

Страница 93: ...T I O N Viewing Attack Settings Version 3R2 Security Appliance User Guide 5 11 G U I E X A M P L E V I E W I N G A T T A C K S E T T I N GS O N U N T R U S T Z O N E 1 Network Zone Edit for untrust 2...

Страница 94: ...A T T A C K D E T E C T I O N A N D P R E V E N T IO N Viewing Attack Settings 5 12 Security Appliance User Guide Version 3R2 5...

Страница 95: ...hrough a zone is considered an individual event Since the security appliance will be used to protect network infrastructures it becomes extremely important to record all events showing a possible secu...

Страница 96: ...ssages that include error conditions that may exist on the security appliance Critical Messages Events that could affect functionality of the security appliance Alert Messages Events that require imme...

Страница 97: ...SETTING LOG MODULE S To enable logging for a specific software module use the set log module command with the software module option the desired logging level and message destination set log module m...

Страница 98: ...DULE SETTINGS To disable the software module settings use the unset log module command unset log module module level all informational notification warning error critical alert emergency debug destina...

Страница 99: ...the 2Mb limit is reached the security appliance will over write the oldest event logs and replace them with newer events All messages logged will include date and time To view the event log you will...

Страница 100: ...l logs G U I E X A M P L E V I E W T HE T R A F F I C A N D E V E N T L O G S 1 Reports System Log Events Shows the current log messages stored in the flash ADMIN MAIL SERVER CONFIGURE THE SECURITY AP...

Страница 101: ...ver name REMOVING E MAIL ADDRESSES FROM THE ADMIN MAIL SERVER To remove an e mail address so messages are no longer sent to that e mail address use the unset admin mail address with the mail addr1 mai...

Страница 102: ...B O T H T R A F F I C A N D EV E N T M E S SA GE S T O B E S E N T U S I N G S Y SL O G T O A S ER V ER A T I P A D D R E S S 1 0 0 0 2 0 0 W I T H T HE F A C I L I T Y O F L O C A L 0 1 Logging Sysl...

Страница 103: ...ption Jun 02 Month and Day Stamp Displays the month and day when the message was generated 12 13 54 Time stamp Displays the time stamp when the message was generated The format is as follows HH MM SS...

Страница 104: ...13 Interface group 1 3 6 1 2 1 2 RFC 2233 Address Translation group 1 3 6 1 2 1 3 IP group 1 3 6 1 2 1 4 RFC 2011 ICMP group 1 3 6 1 2 1 5 RFC 1213 TCP group 1 3 6 1 2 1 6 RFC 2012 UDP group 1 3 6 1 2...

Страница 105: ...Translation Group Table 6 2 System Group Object Name Value Type sysDescr DisplayString sysObjectID OBJECT ID sysUpTime TimeTicks sysContact DisplayString sysName DisplayString sysLocation DisplayStri...

Страница 106: ...Counter32 ipInHdrErrors Counter32 ipInAddrErrors Counter32 ipForwDatagrams Counter32 ipInUnknownProtos Counter32 ipInDiscards Counter32 ipInDelivers Counter32 ipOutRequests Counter32 ipOutDiscards Co...

Страница 107: ...smMaxSize INTEGER Table 6 7 IP Route Table Object Name Value Type ipRouteDest IpAddress ipRouteIfIndex INTEGER ipRouteMetric1 INTEGER ipRouteMetric2 INTEGER ipRouteMetric3 INTEGER ipRouteMetric4 INTEG...

Страница 108: ...r Guide Version 3R2 6 IP NET TO MEDIA Table 6 8 shows the IP Net to Media Table Table 6 8 IP Net to Media Table Object Name Value Type ipNetToMediaIfIndex INTEGER ipNetToMediaPhysAddress PhysAddress i...

Страница 109: ...ter32 icmpInRedirects Counter32 icmpInEchos Counter32 icmpInEchoReps Counter32 icmpInTimestamps Counter32 icmpInTimestampReps Counter32 icmpInAddrMasks Counter32 icmpInAddrMaskReps Counter32 icmpOutMs...

Страница 110: ...tcpRtoMin Integer32 tcpRtoMax Integer32 tcpMaxConn Integer32 tcpActiveOpens Counter32 tcpPassiveOpens Counter32 tcpAttemptFails Counter32 tcpEstabResets Counter32 tcpCurrEstab Counter32 tcpInSegs Cou...

Страница 111: ...e Value Type udpInDatagrams Counter32 udpNoPorts Counter32 udpInErrors Counter32 udpOutDatagrams Counter32 Table 6 13 UDP Listener Table Object Name Value Type udpLocalAddress IpAddress udpLocalPort I...

Страница 112: ...unter32 snmpInGetResponses Counter32 snmpInTraps Counter32 snmpOutTooBigs Counter32 snmpOutNoSuchNames Counter32 snmpOutBadValues Counter32 snmpOutGenErrs Counter32 snmpOutGetRequests Counter32 snmpOu...

Страница 113: ...the SNMP listening port on the security appliance dot3StatsFCSErrors Counter32 dot3StatsSingleCollisionFrames Counter32 dot3StatsMultipleCollisionFrames Counter32 dot3StatsSQETestErrors Counter32 dot...

Страница 114: ...ith Type System Location Lab Type Listen Port 161 Type Trap Host 162 3 SNMP Community Edit 4 Enter the following SNMP Community settings and click Apply Type Name public Type Host 192 168 1 1 ENABLING...

Страница 115: ...ost IP address to be entered set snmp community string host host OID CONFIGURING THE SNMP LISTENER PORT To configure the SNMP listener port use the set snmp port command and specify the SNMP listener...

Страница 116: ...G THE SNMP SYSTEM CONTACT To delete the SNMP system contact use the unset snmp contact command unset snmp contact VIEWING THE SNMP SETTINGS To view the SNMP settings use the get snmp command with the...

Страница 117: ...nt SNMP statistics cli get snmp statistics In pkts 0 Out pkts 0 In bad versions 0 In bad community names 0 In bad community uses 0 In asn parse errors 0 In bad types 0 In too bigs 0 In no such names 0...

Страница 118: ...NG THE INTERFACE STATISTICS To view the interface statistics for a specific physical interface use the get counter command and specify the specific interface get counter statistics interface interface...

Страница 119: ...deny 1000 in no route 0 in no sa with policy 0 in policy permit 6 in no dip 0 in bad policy 0 in ipsec sa fail 0 in ipsec crypto err 0 in ipsec esp only 0 in ipsec esp na 0 in ipsec esp auth 0 in ips...

Страница 120: ...Appliance 6 26 Security Appliance User Guide Version 3R2 6 G U I E X A M P L E V I E W T H E I N T E R F A C E S T A T I S T I C S F O R T H E E T H 0 I N T ER FA C E 1 Reports Counters Hardware 2 Se...

Страница 121: ...Implementations Configuring Internet Key Exchange Advanced VPN Configuration Options VIRTUAL PRIVAT E NETWORKS Businesses can use a Virtual Private Network VPN to communicate and transfer information...

Страница 122: ...on of IPsec is seen in VPN deployments IPsec can be broken down into two different modes and protocols The modes include Transport and Tunnel and the protocols include AH and ESP T R A N S P O R T M O...

Страница 123: ...ing Transport Mode T U N N E L M O D E In tunnel mode refer to Figure 7 3 all data is encrypted including the IP header All of the original data is encapsulated into a new IP payload and includes a ne...

Страница 124: ...n code HMAC Table 7 1 explains MD5 and SHA 1 Table 7 1 MD5 and SHA 1 Description The ESP protocol ensures privacy encryption source authentication and content integrity authentication ESP includes the...

Страница 125: ...the Diffie Hellman DH group This value is secure so that the original message can be sent over an insecure medium without sending the secret message along with it There are a total of three DH groups...

Страница 126: ...d Blaze 2100 appliances requires the following configuration The static IP address is assigned to the eth1 interface on each of the appliances The trusted networks connect to the eth0 interface of the...

Страница 127: ...rs to configure one side of a manual key VPN tunnel Refer to the CLI Reference Guide and Command Descriptions for additional manual key parameters Table 7 2 Required Manual Key VPN Parameters Paramete...

Страница 128: ...parameters in this command Refer to the CLI Reference Guide and Command Descriptions for additional policy parameters key authentication_key Authentication Key Hexadecimal value 32 characters in leng...

Страница 129: ...Follow these steps to configure the required VPN tunnels in Figure 6 2 Define your security zone and interface IP service Specifies the services enabled to pass through the VPN tunnel tunnel Action t...

Страница 130: ...E Y V P N I M P L E M E N T AT I O N N E W Y O R K O FFIC E Refer to Figure 7 4 and Figure 7 5 for the following example of a manual key VPN implementation Interfaces set interface eth0 zone trust se...

Страница 131: ...N T AT I O N N E W Y O R K O FFIC E Interfaces 1 Network Interface Edit for ethernet0 2 Enter the following then click Apply Zone Name Trust IP Address Netmask 192 168 100 1 24 Interface Mode NAT 3 Ne...

Страница 132: ...1 Outgoing interface eth1 Local SPI 1230 Remote SPI 1230 Encryption Algorithm aes 128 Hex Key 1111222233334444 Authentication Algorithm sha 1 Hex Key 11112222333344445555666677778888 Routing 1 Networ...

Страница 133: ...Apply Enable Policy Location Top Action Tunnel Source Zone Untrust Destination Zone Trust Source Address San Francisco Destination Address NYO Service Any Tunnel VPN From SF E X A M P L E M A N U A L...

Страница 134: ...untrust sfo New York any tunnel vpn sfo_nyo set policy top name vpnfrom_newyork from untrust to trust New York sfo any tunnel vpn sfo_nyo save G U I E X A M P L E M A N U A L K E Y V P N I M P L E M...

Страница 135: ...ddress Netmask 192 168 100 0 24 Zone Untrust VPN 1 VPN Manual Key Edit 2 Enter the following then click Apply Tunnel Name to_newyork Gateway IP 4 4 4 1 Outgoing interface eth1 Local SPI 1230 Remote SP...

Страница 136: ...one Trust Destination Zone Untrust Source Address SFO Destination Address New York Service Any Tunnel VPN From SF 3 Policy Configuration Edit 4 Enter the following then click Apply Enable Policy Locat...

Страница 137: ...N uses a pre shared secret to allow the creation of a VPN tunnel between two or more VPN appliances During the IKE negotiation phase the pre shared secret creates keys that encrypt and decrypt packets...

Страница 138: ...N appliance IKE Identity IPv4 address e mail address or FQDN Phase 1 Exchange proposal to determine how to authenticate and secure the channel Mode Exchange Main or Aggressive DH Group 1 2 or 5 Protoc...

Страница 139: ...NG AN IKE TUNNEL USING A PRE SHARED SECRET Setting up a VPN tunnel using IKE requires the following steps Define your security zone interface IP Create address objects for the local and remote end poi...

Страница 140: ...2 168 100 1 24 set interface nat set interface eth1 zone untrust set interface eth1 ip 162 198 10 1 24 Addresses set address trust ny_local 192 168 100 0 24 set address untrust sf_destination 10 0 0 0...

Страница 141: ...untrust to trust sf_destination ny_local any tunnel vpn sfo_nyo save G U I E X A M P L E N E W Y O R K O F F I C E U S I N G I K E Interfaces 1 Network Interface Edit for ethernet0 2 Enter the followi...

Страница 142: ...llowing then click Apply Name encryptaesp1 Authentication Method PSK DH Group Group 5 Encryption Algorithm aes 128 Hash Algorithm SHA 1 3 VPN Phase 2 Proposal Edit 4 Enter the following then click App...

Страница 143: ...onfiguration Edit 2 Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Trust Destination Zone Untrust Source Address ny_local Destination Address sf_destination...

Страница 144: ...nation 192 168 100 0 24 VPN set ike p1 proposal encryptaesp1 preshare group5 esp aes128 sha 1 set ike p2 proposal encryptaesp2 preshare group5 esp aes 128 sha 1 seconds 28800 set ike gateway to_newyor...

Страница 145: ...pply Zone Name Trust IP Address Netmask 10 0 0 0 24 Interface Mode NAT 3 Network Interface Edit for eth1 4 Enter the following then click Apply Zone Name Untrust IP Address Netmask 4 4 4 1 24 Addresse...

Страница 146: ...orithm SHA 1 3 VPN Phase 2 Proposal Edit 4 Enter the following then click Apply Name encryptaesp2 PSF PSF Group5 Encryption Algorithm aes 128 Hash Algorithm SHA 1 Seconds 28800 5 VPN IKE Gateway Edit...

Страница 147: ...ation Address ny_destination Service Any Tunnel VPN From SF 3 Policy Configuration Edit 4 Enter the following then click Apply Enable Policy Location Top Action Tunnel Source Zone Untrust Destination...

Страница 148: ...k to New_York unset ike gateway to_newyork unset vpn sfo_nyo set ike gateway New_York address 162 198 10 1 main outgoing interface eth1 preshare password proposal encryptaesp1 set vpn sfo_nyo gateway...

Страница 149: ...0 0 0 0 2 Trust Peer_lan 172 16 10 0 24 Untrust Local_lan 172 16 10 0 24 Trust Peer_lan 10 0 0 0 24 Untrust IKE Gateway GWA 10 0 0 100 preshared password GWB 172 16 10 100 preshared password Policies...

Страница 150: ...route 0 0 0 0 0 interface br0 gateway 10 0 0 5 metric 1 set address trust local_lan 10 0 0 0 24 set address untrust peer_lan 172 16 10 0 24 set ike gateway gw1 address 172 16 10 100 main outgoing int...

Страница 151: ...eth1 ip 0 0 0 0 0 set interface eth1 transparent set interface eth1 zone untrust set route 0 0 0 0 0 interface br0 gateway 172 16 10 5 metric 1 set address trust local_lan 172 16 10 0 24 set address...

Страница 152: ...D option to set how many missed r u there message are allowed before the VPN tunnel is torn down the rebuilt set ike gateway name_str dpd always send set ike gateway name_str dpd interval number set i...

Страница 153: ...ed by default on all IKE VPN tunnels To disable replay protection use the set vpn command with the no replay option set vpn name_str gateway gw_address no replay VIEW A VPN TUNNEL To view the current...

Страница 154: ...get this information for a specific tunnel by specifying the tunnel name get ike gateway name_str V I E W I K E P H A S E 1 P R O P OS A L S To view the IKE phase 1 proposal information use the get i...

Страница 155: ...Zero Reserved Fields S T A T IC R OU T E S An implicit or explicit route must be defined in the routing table for traffic to move between interfaces on the appliance The destination network interface...

Страница 156: ...ptions to add a static route set route ip_addr mask gateway ip_addr interface interface name E X A M P L E A D D I N G A S T A T I C R O U T E In the network described in Figure 8 1 a static route is...

Страница 157: ...y with the desired route changes E X A M P L E M OD I F Y I N G A S T A TI C R OU T E Modify the gateway on a previously created static route from 10 0 0 100 to 10 0 0 20 unset route 10 0 100 0 24 gat...

Страница 158: ...name gateway ip_addr E X A M P L E S E T T I N G T H E D E F A U L T R OU T E Configure the default route on the appliance in Figure 8 1 to use the eth1 interface and a gateway of 4 4 4 1 which is th...

Страница 159: ...S Static A Auto Exported I Imported R RIP P Permanent iB IBGP eB EBGP O OSPF E1 OSPF external type 1 E2 OSPF external type 2 IP Prefix Interface Gateway P Distance Metri 64 79 127 64 32 eth1 0 0 0 0 C...

Страница 160: ...erred to as IP RIP is formally defined in two documents Request For Comments RFC 1058 and Internet Standard STD 56 As IP based networks became both more numerous and greater in size it became apparent...

Страница 161: ...s only one instance of RIP running at one time on a freeGuard Blaze 2100 This section describes the following basic steps to configure RIP on a freeGuard Blaze 2100 Enable the RIP instance globally En...

Страница 162: ...on G U I E X A M P L E R E J E C T D E F A U L T R O U T E L E A R N E D B Y R I P 1 Network Routing RIP 2 Enter the following RIP information then click Apply Select Reject Default Route Learned by R...

Страница 163: ...es to IGRP and RIP If an interface is configured with secondary IP addresses and split horizon is enabled updates might not be sourced by every secondary address One routing update is sourced per netw...

Страница 164: ...I N G Accepting Packets with Non Zero Reserved Fields 8 10 Security Appliance User Guide Version 3R2 8 nonzero values in the fields that must be zero This default behavior implements RIP v1 2 specific...

Страница 165: ...appliance is to deny traffic from one zone to another To permit communication from one zone to another you must configure a policy After you use the set policy command to create a policy the policy e...

Страница 166: ...ECURITY POLICY TYPES You can configure three types of policies for the appliance Interzone Policy Refer to Configuring Interzone Policies Intrazone Policies Refer to Configuring Intrazone Policies Glo...

Страница 167: ...U R I N G I N T R A ZO N E P O L I C I E S Intrazone policies control traffic to and from all hosts within the same zone By default all hosts configured in the same zone can communicate Therefore a p...

Страница 168: ...S Global policies are not assigned to a specific zone and either allow or deny packets to all zones Use the set zone command and specify global as the zone to create a global policy set policy global...

Страница 169: ...cies Creating a name or alias to the refer to the policy Parameter Description src_zone dst_zone The src_zone and dst_zone objects are used to define the direction of the policy and whether the traffi...

Страница 170: ...4 4 4 set policy from untrust to trust any FTPtrust ftp permit save G U I E X A M P L E C R E A T E A P OL I C Y 1 Objects Add Address Object 2 Enter the following then click Apply Name FTP Trust IP...

Страница 171: ...on Edit 2 Enter the following then click Apply Enable Policy Name ftpcorp Action permit Source Zone untrust Destination Zone trust Source Address any Destination 4 4 4 4 Service FTP REORDERING POLICES...

Страница 172: ...on Address Any Service FTP By default the freeGuard Blaze 2100 software assigns a newly created policy a policy ID and adds it to the bottom of the policy list To restrict FTP traffic from trust to un...

Страница 173: ...by specifying a policy number unset policy id number VIEWING POLICIES You can display policies using the get policy command get policy This displays all policies in the policy database with the excep...

Страница 174: ...following information about the policy with the specified ID number get policy id 202 ID 202 Name Action permit Status enabled From trust To trust Src any Dst any Service any NAT off Schedule N A Use...

Страница 175: ...et policy command with the log option set policy from src_zone to dst_zone src_addr dst_addr srvc permit deny reject For additional information about logging refer to Chapter 6 Logging CONFIGURING ADD...

Страница 176: ...ned by an IP address and subnet mask set address zone name_str ip_addr mask NOTE The pre defined address object any refers to all hosts in that zone E X A M P L E C R E A T I N G A N A D D R E S S OBJ...

Страница 177: ...bject 2 Enter the following then click Apply Name John IP Address Netmask 10 0 0 100 32 Zone Trust 3 Objects Add Address Object 4 Enter the following then click Apply Name Matt IP Address Netmask 10 0...

Страница 178: ...ailServerNY 10 200 0 0 24 save G U I E X A M P L E M O D I F Y A N A D D R E S S O B J E C T 1 Objects Address Objects 2 Select the following then click Apply Remove MailServer 3 Objects Add Address O...

Страница 179: ...s zone grp_name add adr_obj The following limitations apply to address groups Address groups cannot have the same name as an address object If the policy database references an address group you canno...

Страница 180: ...O U P 1 Objects Add Address Object 2 Enter the following then click Apply Name Finance_Subnet IP Address Netmask 10 0 1 0 24 Zone Trust 3 Objects Add Address Object 4 Enter the following then click Ap...

Страница 181: ...of the address objects out of an address group the address group name is not deleted ADDING COMMENTS TO ADDRESS GROUPS Use the set group command with the address and comment options to add a comment...

Страница 182: ...ring Custom Service Objects Deleting Service Objects Modifying Service Objects Configuring Service Timeouts VIEWING PREDEFINED SERVICE OBJECTS To view predefined service objects use the get service co...

Страница 183: ...rvice object first delete the object and then re create the object with the new settings E X A M P L E M OD I F Y I N G A C U S T OM S E R VI C E Change the destination port on Telnet_Custom to port 2...

Страница 184: ...save You can use the following options to define the additional properties of the service Code Values and Type for ICMP Services Timeout Value CONFIGURING SE RVICE GROUPS You can use service groups to...

Страница 185: ...PS Use the set group command with the service option to create a service group set group service name_str Use the set group command with the service and add options to add service objects to a service...

Страница 186: ...ons to remove a specific service from the group unset group service name_str remove name_str To remove all services in the group use the clear option MODIFYING SERVICE GROUPS To modify a service group...

Страница 187: ...oup that service group name is not deleted ABOUT SCHEDULE S A schedule is an object that defines the day and time a policy is action takes place This section describes how to create add view and delet...

Страница 188: ...by referring to the schedule name once The once option is used to define a one time event start Use the start option and specify a day and time to allow traffic matching the policy to pass through sto...

Страница 189: ...set policy command with the schedule option to add a schedule to a policy set policy from zone to zone src_adr dst_adr srvc schedule name_str day The day field requires an mm dd yyyy format start Use...

Страница 190: ...day start 00 00 stop 23 59 comment Block weekend Internet access set policy from trust to untrust any any any deny schedule weekend save G U I E X A M P L E C RE A T E A R E C U R R I N G S C H E D U...

Страница 191: ...e 9 27 DELETING SCHEDULES To delete a schedule use the unset scheduler command unset scheduler name_str VIEWING SCHEDULES Use the get scheduler command with the once recurrent or name options to view...

Страница 192: ...P OL IC Y CO NF I G URA T IO N About Schedules 9 28 Security Appliance User Guide Version 3R2 9...

Страница 193: ...NAT either on the interface or through the security policy database This chapter describes how to enable NAT through the security policy database For information on enabling NAT on the interface refer...

Страница 194: ...u configure the policy without specifying a DIP pool ID the policy uses the source address of the egress interface as the translated address Use the set policy command with the nat src and dip id opti...

Страница 195: ...e dip dip id start address end address Addresses in the DIP pool must be on the same subnet as the corresponding egress interface You can create multiple DIP pools created each identified with a diffe...

Страница 196: ...src permit CONFIGURING SOURCE NAT MANY TO MANY WITH PORT ADDRESS TRANSLATION In a source NAT many to many NAT configuration all source IP addresses translate to an IP address dynamically taken from a...

Страница 197: ...changing the destination port in one to one NAT and many to one NAT configurations Unlike port address translation which randomly assigns the port during translation port mapping uses a policy assign...

Страница 198: ...ith the nat dst ip option to specify destination NAT in the policy set policy from zone to zone src_addr dst_addr port nat dst ip nat_addr permit CONFIGURING DESTINATION NAT ONE TO ONE WITH PORT MAPPI...

Страница 199: ...licy from zone to zone src_addr dst_addr port nat dst ip nat_addr port prt_nbr permit CONFIGURING DESTINATION NAT MANY TO MANY Use the set policy command with the nat dst ip option to specify destinat...

Страница 200: ...10 8 Security Appliance User Guide Version 3R2 10 the first address from the destination NAT range The translated addresses maintain consistency Refer to Figure 10 5 for an example Figure 10 5 Destin...

Страница 201: ...sers when link and or node failures occur HA functionality interfaces with almost all subsystems of the product HA functionality includes three interacting state machines to provide heartbeat election...

Страница 202: ...lays HA link information set unset ha config sync Enables or disables synchronization between members of the vsd group set ha preempt Used to preempt the primary node and take over the role of primary...

Страница 203: ...ignated secondary set int eth0 ip 192 168 1 2 24 set int eth0 manage ip 192 168 1 102 24 set int eth1 ip 1 1 1 2 24 set int eth1 manage ip 1 1 1 102 24 NOTE manage ip on eth1 is only required to manag...

Страница 204: ...The priority of the device sets whether the device will be primary or secondary The number closest to 1 will be designated primary On Node1 set ha priority 10 hb interval 1000 hb threshold 3 grat arp...

Страница 205: ...A C E A N D W A N P O R T F OR N O D E 2 1 HA Configuration 2 Enter the following HA information then click Apply Select HA Interface eth0 Select WAN Port eth1 Type Peer ip 192 168 1 101 G U I E X A...

Страница 206: ...User Guide Version 3R2 11 G U I E X A M P L E S E T H A C O N F I G U R A T I O N S Y N C H R O N I Z AT I O N 1 HA Config Sync 2 Select the HA Configuration Synchronization button G U I E X A M P L...

Страница 207: ...Public Key Infrastructure and X 509 Digital Certificates PKI Basics CLI Commands ABOUT PUBLIC KEY INFRASTRUCT URE AND X 509 DIGITAL CERTIFICATES PKI is designed to be used with IPSec instead of PSK a...

Страница 208: ...C S PKI arrangements enable users to be authenticated to each other and to use the information in identity certificates Users are certified by a third party also known as a Certificate Authority Figur...

Страница 209: ...12 3 A TYPICAL DIGITAL CERTIFICATE The following figure shows a typical Digital Certificate Figure 12 2 Typical Digital Certificate The certificate contains Digital Certificate Version Serial Number S...

Страница 210: ...ting a certificate on page 12 6 Using a Certificate for a VPN tunnel on page 12 6 For more information on CLI Commands see the CLI Reference Guide GENERATING A SELF SIGNED CERTIFICATE First we need to...

Страница 211: ...in a PKCS10 certificate request based on the key pair generated get pki x509 pkcs10 1 The output of the command should provide the certificate request as follows BEGIN CERTIFICATE REQUEST MIIBCzCBtgIB...

Страница 212: ...ed by the IP Address of the TFTP server where the file is available and the test crt should be replaced with the actual file name for the certificate USING A CERTIFICATE FOR A VPN TUNNEL The following...

Страница 213: ...n 3R2 Security Appliance User Guide A 1 PRE DEFINED SERVICES A This appendix lists all of the pre defined services defined on the security appliance including the name protocol port group inactivity t...

Страница 214: ...defined FTP Put 6 21 remote Default Pre defined GOPHER 6 70 info seeking Default Pre defined HTTP 6 80 info seeking Default Pre defined HTTPS 6 443 security Default Pre defined ICMP INFO 1 0 65535 oth...

Страница 215: ...18 other Default Pre defined TCP ANY 6 0 65535 other Default Pre defined TELNET 6 23 remote Default Pre defined TFTP 17 69 remote Default Pre defined TRACEROUTE 1 0 65535 other Default Pre defined UDP...

Страница 216: ...P R E DEF I N E D SER V IC ES A 4 Security Appliance User Guide Version 3R2 A...

Страница 217: ...IP address network mask or other data Authentication Header AH A method that provides integrity and authentication but not privacy as IP data is not encrypted AH contains an authentication value base...

Страница 218: ...est an IP address from the DHCP server This protocol reduces the work necessary to administer a large IP network Encryption The ability for a network device to translate data into a secret code Encryp...

Страница 219: ...estination High Availability HA Provides the ability to service end users i e sessions with little or no interruption when failures occur Host Name A unique name that a host on a network is known as a...

Страница 220: ...n of IPsec is seen in virtual private network VPN deployments IPsec enables VPNs to take advantage of authentication integrity and confidentiality Internet Security Association and Key Management Prot...

Страница 221: ...255 0 10 0 0 0 24 refers to all hosts in the 10 0 0 0 subnet Network Address Translation NAT A standard that allows machines on a local area network LAN to use a set of IP addresses for internal use a...

Страница 222: ...Protocol RIP One of the most commonly used interior gateway protocol IGP routing protocols on internal networks and to a lesser extent networks connected to the Internet which helps routers dynamical...

Страница 223: ...is used to tag and identify the subinterface Subnet A network that shares a common address component Subnets are defined as all hosts whose IP addresses have the same prefix on a TCP IP network Subne...

Страница 224: ...Users on the VLAN are identified using tags in the frame header and are often referred to in the IEEE standard 802 1Q Virtual Private Networking VPN An easy cost effective way for business to use the...

Отзывы:

Нет отзывов

Похожие инструкции для freeGuard Blaze 2100

Бренд: Fortinet Страницы: 2

Бренд: BeyondTrust Страницы: 18

DFL-1660-WCF-12

Бренд: D-Link Страницы: 5

Бренд: Meiya Pico Страницы: 11

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды