BASIC FIREWALL SERVICES

Transcription

1 BASIC FIREWALL SERVICES Course #

2 Services! NTP Network Time! DHCP Relay Server! DNS Proxy Server! Dynamic DNS! High Availability! Remote Logging! SNMP 2

3 NTP Network Time Service! NTP server will synchronize the firewall time and is important to prevent drift in time which may cause VPN issues. accurate syslog time stamps.! Changing the Time Zone requires a reboot to be fully effective.! GTA is a member of pool.ntp.org which is a virtual cluster of timeservers providing NTP service.! Peers Typically not implemented. Instead of client server mode the firewalls will act in a peer mode where a key can be configured between peers. 3

4 GB-250 & GB-Ware! GB-250 Older GB-250 Firewalls does not have a battery and the initial boot time is: :00:00 The time will be properly adjusted after NTP synchronization.! GB-Ware The start up time of GB-Ware is either acquired from the on board battery backed up clock or will have the fixed start up time of :00:00 in the event the hardware does not contain a battery backed clock. GB- Ware default system time will vary depending on the hardware manufacturer and if the system has a functioning battery. 4

5 Network Time Server Making firewall an NTP Server! Go to the Inbound Policies! Configure a policy to allow connections to the firewall for NTP. 5

6 DRDoS / Amplification Attack using ntpdc monlist command! GTA has an update in regards to NTP vulnerability in pending v6.1.6 Pre-release. For more information on in regards to the NTP issue go to support.ntp.org/bin/view/main/ SecurityNotice#DRDoS_Amplification_Attack_using.!! Until the final release of v6.1.6 or v6.2.0, GTA recommends; Configuring your firewall so that it only serves trusted hosts and does not respond to untrusted or external IP addresses. This is controlled by your Inbound Security Policies. By default, GTA firewalls do not allow NTP requests from clients. 6

7 Network Time Server Trouble Shooting! Confirm NTP servers specified resolve and allow synchronization.! Confirm the an explicit or Automatic Remote Access Policy is created for the Servers 7

8 GB-OS DHCP Relay Server 8

9 DHCP Relay Requirements! GB-OS or above! Supports both IPv4 and IPv6 Relay (GB-OS 6.0 and Up)! DHCP Server with a scope to be assigned that is on the same network as a GTA firewall interface upon which the DHCP Client broadcast messages are received. Or the firewall has a route to the network the client will connect from. Based on! RFC tools.ietf.org/rfc/ rfc3046.txt! RFC rfc2131.txt 9

10 How it works! The firewall will listen for DHCP client broadcast messages and changes these request to unicast messages and forward them to the configured DHCP server(s).! Once the client has a DHCP address and reaches it s renewal time it will connect directly to the DHCP server to renew the lease. 10

11 Configuring DHCP Relay" 2 Steps! Configure DHCP Relay Server IP Address or Addresses for multiple servers! Configure the DHCP server scopes.! If from PSN to Protected or PSN to another PSN add IP Pass Through Host networks and policies. 11

12 DHCP Relay Configuration Firewall! Go to Configure -> Services -> DHCP -> Relay enter the DHCP server IP address or select an object with the DHCP servers IP addresses.! In the Advanced section automatic policies when enabled will create an automatic remote access policy as needed to accept DHCP responses from the configured DHCP server(s) and accept requests for addresses. Example Automatic Policies Accept notice ANY nolog udp/67->67 from to Accept notice ANY nolog report <DHCPS> from <ANY_IP> to <ANY_IP> 12

13 Known Issue DHCP Relay! Update of the Network services (Interfaces, Alias) when configured on a VLAN interface requires DHCP relay to be manually restarted.! Patch scheduled to be in v6.0.4 or later. 13

14 DHCP Server Configuration! Configured Scope must match an interface IP Address/network on the firewall or a network reachable from the firewall.! Configure any other options DHCP options as needed. 14

15 Security Policies DHCP Relay Protected to Protected! Default All access is allowed between Protected networks.! If corporate policy requires strict control of all access then connections must be allowed for DHCP server and client DHCP Relay PSN to Protected, PSN to PSN! By default PSN Networks are not allowed direct access to Protected networks or other PSN networks.! IP Pass Through Host networks must be defined and IP Pass Through Security Policies must be set to allow DHCP from clients to server and server to the client. Please See GB-OS Users Guide for information on configuring Security Policies and IP Pass Through. 15

16 ! DHCP Basic Features Description Beginning Address Netmask Lease Duration Default gateway Domain Name Servers (3) WINS Servers (3) NTP Servers (3)! DHCP Advanced Features MTU (v5.0) TFTP Server Assign by MAC address Exclusion Ranges! DHCP starts on the interface which matches the network defined in service. Common issue is the network defined in the DHCP server does not match a network defined on the firewall.! Multiple DHCP servers can be configured on a system. This is usually limited by the number of interfaces or VLAN s! Only one DHCP server will run on each interface or VLAN DHCP Server IPv4

17 DHCP Server IPv6! DHCP Basic Features Description Beginning Address Prefix Lease Duration Domain Name Servers (3)!! DHCP Advanced Features Assign by Client DUID Exclusion Ranges! DHCP starts on the interface which matches the network defined in service. Common issue is the network defined in the DHCP server does not match a network defined on the firewall.! Requires Prefix Advertisement to be enabled for network/prefix and gateway.! Covered further in Advanced Network IPv6.

18 Monitor -> Activity-> Services -> DHCP! Flush Leases clears the DHCP lease table.! Displays all leases and time to expire.! Statically assigned leases will not have an expire time.

19 DHCP Trouble Shooting! Firewall logs server disabled after enabling. Check that the scope defined for the DHCP server matches a network assigned to the firewall.! Verification -ERROR: DHCP Relay and DHCP Server are both enabled DHCP relay and DHCP server are mutually exclusive.! Firewall logs - May 10 08:39:50 pri=3 msg="dhcrelay: Packet to bogus giaddr " type=mgmt The network requesting the relay is not reachable from the firewall. Check the local routing. 19

20 DNS Proxy! Name Servers External - 2 Internal - 2 Very important these respond well. Most services depend on DNS being enabled. Slow or poorly responding DNS servers adversely effect firewall services.! DNS Proxy Available on all products Basic DNS proxy with no caching. If DNS server is enabled the proxy is not used.! Automatic policy allows connection from Internal networks to the DNS Proxy.! DNS Proxy will learn all DNS servers and use them learned via DHCP, PPPoE or PPTP. 20

21 DNS Server! Supports both IPv4 and IPv6 (v6.0 or later)! Limited DNS configuration Server name Secondary Name Servers (4) Forwarders (3) Domain number is based on the product Domain Name IP address Mail exchanger Hosts - RDNS Subnets with reverse zones In most cases firewall will create these automatically so no in.addr.arp entry is required. 21

22 DNS Server Trusted Networks! Object which specifies the network which are allowed to perform recursive searches.! If network is not a member of the Trusted Networks Object then the firewall will only respond to DNS look ups for the Domain it is Authoritative for. 22

23 Allowing Access to DNS server or DNS Proxy Externally. If using the firewall DNS server it s default automatic policy is to allow connections via the internal interfaces of type PSN and Protected. A specific remote access policy will need to be created to allow access for look ups from External untrusted networks. 23

24 DNS Server Trouble Shooting! Local Hosts are not able to perform recursive lookups. Check that the local networks referenced as Trusted Networks.! DNS Proxy - WARNING: External name server set to IP address ( ) assigned to firewall Firewall DNS server points to it s self. Using an inbound tunnel for DNS.! Confirm an explicit or Automatic Remote Access Policy allows DNS lookups. 24

25 Dynamic DNS! Automates the process of updating DNS servers when a dynamically assigned IP has changed.! Use one of four services: DynDNS ( ChangeIP ( EasyDNS ( NoIP ( Configure up to 5 Dynamic DNS servers.! Requirements Account on either service DNS configure in the Services -> DNS section. ChangeIP Only Supports IPv4 25

26 Dynamic DNS Trouble Shooting! Login Failures Confirm log independent of the firewall.! IPv6 not yet fully supported by the services.! Firewall will log each time the DNS is updated. 26

27 Remote Logging! Standard UNIX syslog service Default UDP Send syslog to UDP port 514 Change the port by adding :port# behind the IP/Name example: :513! Advanced - Binding Interface Used to send the syslog data through a VPN. Select the local Interface that is a member of the Local Network for the VPN. The firewall will source the syslog packets from this Interface IP. Facilities standard UNIX facilities 27

28 Syslog! WELF format! Log is always sent in UTC format! Log File Policy Type Notation/Tags OBP IBP PTP VPN PPTP SSL! Users Guide Contains additional tags.! Example: Aug 8 14:50:30 pri=4 pol_type=ibp pol_action=block count=2 msg="block IBP" rule=7 proto=3289/udp src= srcport="47107 (1), (1)" dst= dstport="3289 (1), 1124 (1)" interface="external" attribute="alarm,report" 28

29 Remote Logging Trouble Shooting! No responses required so there is no automatic policy.! Logs not reaching server If reached via VPN use binding Interface Use sniffer on log server to see if packets arrive to server. 29

30 Firewall Monitoring & Log Analyzers! Log Analyzers Syslog Watch: syslogwatcher/ Kiwi Syslog: ManageEngine: products/firewall/ Sawmill: LinkLogger: Splunk : Monitoring PRTG : Nagios: 30

31 SNMP! GB-OS supports version 2 and 3! Read only does not allow writes.! Runs on UDP/TCP port 161! Custom MIBS can be downloaded from the GTA Online Support Center. 31

32 SNMP Trouble Shooting! Confirm Security Policies allow connection. Automatic Policies allow connection only via the Protected Interface.!! SNMP not working via a VPN SNMP through a VPN requires TCP 32

33 High Availability GTA High Availability for Firewalls. Allows for failover in event of hardware Problems. It is an active passive HA group. Covered in debt in course #

34 References! NTP Pool Project - en/! GTA Documentation support/documents/ 34

35 If you require additional assistance or have additional questions please contact GTA Technical Support. Support Phone: Free User Support 35