Packet Filtering using Access Control Policies and Lists




Configuration Guide 5991-2119, April 2005

IP Firewall: Packet Filtering using Access Control Policies and Lists

This Configuration Guide is designed to provide you with a basic understanding of the concepts behind configuring your ProCurve Secure Router Operating System (SROS) product for IP firewall protection. For detailed information regarding specific command syntax, refer to the SROS Command Line Interface Reference Guide on your ProCurve SROS Documentation CD.

This guide consists of the following sections:
  Understanding IP Firewall Protection on page 2
  Configuring Your Secure Router on page 8
  Verifying Your Configuration Using Show Commands on page 17
  Managing Event Messages on page 19

61195880L1-29.1B Printed in the USA

Understanding IP Firewall Protection

Use the ip firewall command to enable SROS security features including access control policies (ACPs) and access control lists (ACLs), network address translation (NAT), and the stateful inspection firewall. Use the no form of this command to disable the security functionality. Refer to the following sections for more information on the functionality enabled by this command:
  Firewall processing for all interfaces (refer to Firewall Processing on page 2)
  Network address translation (NAT) capabilities (refer to NAT on page 4)
  Stateful inspection firewall (refer to Stateful Policies versus Stateless Policies on page 5)
  Network traffic management when used in conjunction with ACLs and ACPs (refer to ACLs and ACPs on page 6)

Firewall Processing

Firewall processing protects the network by blocking attacks, filtering sessions from unrecognized origins, and monitoring session activity. The sections which follow describe this functionality in more detail.

Attack Protection

Attack protection detects and discards traffic that matches profiles of known networking exploits or attacks. Use the ip firewall command to enable firewall attack protection. The SROS blocks traffic matching patterns of known networking exploits from traveling through the device. Some of these attack checks may be manually disabled, while others are always on any time the firewall is enabled. Table 1 on page 3 outlines the types of traffic discarded by the firewall. Many attacks use similar invalid traffic patterns; therefore, attacks other than the examples listed in the table may also be blocked by the firewall.

Table 1. Traffic Blocked by Firewall Attack Protection Engine

Invalid traffic pattern: Larger than allowed packets
SROS firewall response: Any packets that are longer than those defined by standards will be dropped.
Common attacks: Ping of Death

Invalid traffic pattern: Fragmented IP packets that produce errors when attempting to reassemble
SROS firewall response: The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to the destination. If any problems or errors are found during reassembly, the fragments are dropped.
Common attacks: SynDrop, TearDrop, OpenTear, Nestea, Targa, Newtear, Bonk, Boink

Invalid traffic pattern: Smurf Attack
SROS firewall response: The firewall drops any ping responses that are not part of an active session.
Common attacks: Smurf Attack

Invalid traffic pattern: IP Spoofing
SROS firewall response: The firewall drops any packets with a source IP address that appears to be spoofed. The IP route table is used to determine if a path to the source address is known (out of the interface from which the packet was received). For example, if a packet with a source IP address of 10.10.10.1 is received on interface fr 1.16 and no route to 10.10.10.1 (through interface fr 1.16) exists in the route table, the packet is dropped.
Common attacks: IP Spoofing

Invalid traffic pattern: ICMP Control Message Floods and Attacks
SROS firewall response: The following types of ICMP packets are allowed through the firewall: echo, echo-reply, TTL expired, dest unreachable, and quench. These ICMP messages are only allowed if they appear to be in response to a valid session. All others are discarded.
Common attacks: Twinge

Invalid traffic pattern: Attacks that send TCP URG packets
SROS firewall response: Any TCP packets that have the URG flag set are discarded by the firewall.
Common attacks: Winnuke, TCP XMAS Scan

Invalid traffic pattern: Falsified IP Header Attacks
SROS firewall response: The firewall verifies that the packet's actual length matches the length indicated in the IP header. If it does not, the packet is dropped.
Common attacks: Jolt/Jolt2

Invalid traffic pattern: Echo
SROS firewall response: All UDP echo packets are discarded by the firewall.

Invalid traffic pattern: Char Gen
SROS firewall response: (not given in the source table)

Invalid traffic pattern: Land Attack
SROS firewall response: Any packets with the same source and destination IP addresses are discarded.
Common attacks: Land Attack

Invalid traffic pattern: Broadcast Source IP
SROS firewall response: Packets with a broadcast source IP address are discarded.

Invalid traffic pattern: Invalid TCP Initiation Requests
SROS firewall response: TCP SYN packets that have ack, urg, rst, or fin flags set are discarded.

Invalid traffic pattern: Invalid TCP Segment Number
SROS firewall response: The sequence numbers for every active TCP session are maintained in the firewall session database. If the firewall receives a segment with an unexpected (or invalid) sequence number, the packet is dropped.

Invalid traffic pattern: IP Source Route Option
SROS firewall response: All IP packets containing the IP source route option are dropped.
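The IP spoofing check in Table 1 is a reverse-path lookup: the route back to the packet's source address must lead out of the interface the packet arrived on. The following Python is an added illustration, not SROS code; the route table, interface names and sample packets are constructed for the example, and the 10.10.10.1 on fr 1.16 case is the one the table describes.

```python
import ipaddress

# Constructed route table for this illustration: (destination prefix, outgoing interface).
# Interface names follow the guide's style; the entries themselves are assumptions.
ROUTES = [
    ("0.0.0.0/0", "ppp 1"),          # default route toward the Internet (WAN)
    ("63.12.5.0/24", "eth 0/1"),     # LAN behind the router
    ("192.168.50.0/24", "fr 1.16"),  # a Frame Relay sub-interface
]


def lookup_route(route_table, address):
    """Longest-prefix match: return the interface the router would use to
    reach `address`, or None when no route exists."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def source_is_spoofed(route_table, src, in_iface):
    """Table 1 check: a packet is treated as spoofed unless the route back to its
    source address goes out of the interface on which the packet arrived.
    No route at all also counts as spoofed."""
    return lookup_route(route_table, src) != in_iface


def filter_packets(route_table, packets):
    """Return (src, in_iface, verdict) for each (src, in_iface) pair."""
    results = []
    for src, in_iface in packets:
        verdict = "drop" if source_is_spoofed(route_table, src, in_iface) else "pass"
        results.append((src, in_iface, verdict))
    return results


# Constructed sample packets: (source address, receiving interface).
SAMPLE_PACKETS = [
    ("10.10.10.1", "fr 1.16"),     # no route to 10.10.10.1 via fr 1.16 -> drop
    ("192.168.50.7", "fr 1.16"),   # route agrees with the arrival interface -> pass
    ("63.12.5.10", "ppp 1"),       # LAN address arriving from the WAN -> drop
    ("198.51.100.4", "ppp 1"),     # Internet address reached via the default route -> pass
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(ROUTES, SAMPLE_PACKETS):
        print(f"{src:>14} on {iface:<8} -> {verdict}")
```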

Session Initiation Control

Session initiation controls allow only sessions that match traffic patterns permitted by ACPs to be initiated through the router.

Ongoing Session Monitoring and Processing

The SROS continues monitoring session activity as described below:
  Each session that has been allowed through the router is monitored for any irregularities that match patterns of known attacks or exploits. Offending traffic is dropped.
  If NAT is configured, the firewall modifies all traffic associated with the session according to the translation rules defined in NAT ACPs.
  If a session is inactive for a user-specified amount of time, the session is closed by the firewall.

Application-Specific Processing

Certain applications need special handling to work correctly in the presence of a firewall. SROS uses Application-level Gateways (ALGs) for these applications. ALGs understand protocols that do not integrate easily with NAT or firewalls, and they create the associations that allow these protocols to work transparently. For example, the FTP ALG will not only create the associations to allow the control session (using TCP Port 21) to pass data, but will also create associations to allow the server-initiated data sessions to work (using TCP Port 20). This allows FTP clients to pass through the SROS firewall and ACPs without using passive mode.

The SROS firewall includes ALGs for handling the following applications and protocols:
  AOL Instant Messenger
  VPN ALGs: ESP and IKE
  FTP
  H.323: H.245, Q.931, ASN1 PER decoding and encoding
  ICQ
  IRC
  Microsoft Games
  Net2Phone
  PPTP
  Quake
  Real-Time Streaming Protocol
  SMTP
  HTTP

NAT

Network Address Translation (NAT) is an Internet Engineering Task Force (IETF) standard method of preserving Internet address space. Additionally, it can be used to hide the structure of server farms behind a router in order to provide bandwidth sharing to Web, FTP, and application servers. Details on NAT configuration are beyond the scope of this document. For more information, refer to the SROS Command Line Interface Reference Guide on your ProCurve SROS Documentation CD. This document is also available on the ProCurve Networking Web site (www.procurve.com).

Stateful Policies versus Stateless Policies

The SROS unit acts as an ALG and employs a stateful inspection firewall that protects an organization's network from common cyber attacks including TCP SYN-flooding, IP spoofing, ICMP redirect, land attacks, ping-of-death, and IP reassembly problems.

It is important to point out the differences between the operation of SROS stateful policies and stateless filters. For example, consider an application where a host located behind a firewall device initiates an outbound session to a server on the Internet. If the firewall is configured to use stateless filters, two or more filters must be defined to do the following:
  Allow the outbound traffic from the host to the Internet
  Allow inbound traffic (responses from the initiated session)

Typically, the inbound filter list needs to reject sessions initiated from the Internet, while allowing other responses to sessions initiated from the private network. Because the filter lists have no knowledge of the state of the session (sequence numbers, inactivity time, etc.), there is a possibility that an attacker will be able to fool the configured filter lists and direct malicious traffic through the firewall.

With stateful policies, however, a single policy is configured that permits the traffic from the host to be initiated to the Internet. The SROS stateful inspection firewall creates an association for this session and stores it in an internal database. When the server on the Internet sends a response back to the host, the SROS stateful inspection firewall recognizes that this traffic is associated with an allowed session and permits the traffic. Since the firewall has detailed knowledge about the current state of every session flowing through the device, it is much more difficult for an attacker to generate traffic that is not blocked by the firewall.

Session filtering based on inactivity may sometimes occur sooner than is desirable. Use the ip policy-timeout command to customize timeout intervals for protocols (TCP, UDP, ICMP) or specific services (by listing the particular port number). The default timeout for TCP is 600 seconds, for UDP 60 seconds, and for ICMP 60 seconds. The following example creates customized policy timeouts for the following:
  WWW (Internet traffic using TCP Port 80): timeout 24 hours (86,400 seconds)
  Telnet (TCP Port 23): timeout 20 minutes (1200 seconds)
  FTP (21): timeout 5 minutes (300 seconds)
  All other TCP services: timeout 8 minutes (480 seconds)

(config)# ip policy-timeout tcp www 86400
(config)# ip policy-timeout tcp telnet 1200
(config)# ip policy-timeout tcp ftp 300
(config)# ip policy-timeout tcp all_ports 480

ACLs and ACPs

ACLs and ACPs regulate traffic through the routed network. When designing your traffic flow configuration, it is important to keep the following in mind:
  An ACL is inactive until it is assigned to an active ACP.
  An ACP is inactive until it is assigned to an interface.

Figure 1 illustrates the steps necessary for activating ACLs and ACPs.

Figure 1. Activating ACLs and ACPs
  ACL: Create an ACL and define permissions:
    (config)#ip access-list standard MATCHALL
    (config-std-nacl)#permit any
  ACP: Create an ACP and assign the ACL to it:
    (config)#ip policy-class TRUSTED
    (config-policy-class)#allow list MATCHALL
  Interface: Assign the ACP to an interface:
    (config)#interface eth 0/1
    (config-eth 0/1)#access-policy TRUSTED

Access Control Lists (ACLs)

ACLs are used as packet selectors by ACPs. They must be assigned to an ACP in order to be active. ACLs are composed of an ordered list of entries. Each entry contains two parts: an action (permit or deny) and a packet pattern. A permit ACL is used to permit packets (meeting the specified pattern) to enter the router system. A deny ACL advances the SROS to the next ACP entry. The SROS provides two types of ACLs: standard and extended. Standard ACLs allow source IP address packet patterns only. Extended ACLs may specify patterns using most fields in the IP header and the TCP or UDP header.

Access Control Policies (ACPs)

ACPs are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each ACP consists of a selector (i.e., an ACL) and an action (allow, discard, NAT). When packets are received on an interface, the configured ACPs are applied to determine whether the data is processed or discarded.

Both ACLs and ACPs are order-dependent. When a packet is evaluated, the matching engine begins with the first entry in the list and progresses through the entries until it finds a match. The first entry that matches is executed. They both have an implicit deny at the end of the list. Typically, the most specific entries should be at the top and the most general at the bottom.

Packet Flow

The Packet Flow section describes how packets are processed in several possible scenarios of ACP configuration.

Scenario 1: Packets traveling from an interface with an assigned ACP to any other interface
ACPs are applied when packets are received on an interface. If an interface has no assigned ACP, the interface allows all received traffic to pass through by default. If an interface has an assigned ACP, but the firewall has not been enabled with the ip firewall command, traffic flows normally from this interface with no ACP processing.

Scenario 2: Packets traveling in and out of a single interface with an assigned ACP
These packets are processed through the ACPs as if they are destined for another interface (identical to Scenario 1). Again, note that the ip firewall command must be enabled for ACP processing to take place.

Scenario 3: Packets traveling from an interface without an assigned ACP to an interface with an assigned ACP
These packets are routed normally and are not processed by the ACP.

Scenario 4: Packets traveling from an interface without an assigned ACP to another interface without an assigned ACP
This traffic is routed normally. The ip firewall command has no effect on this traffic other than to prevent attacks entering the interface.

Figure (packet flow diagram): Packet In > Interface > Association List > Access Control Policies (permit, deny, NAT) > Route Lookup > Packet Out, with a bypass path labelled "If session hit, or no ACP configured".

Configuring Your Secure Router

The remainder of this document provides examples designed to clarify the use of access policies. The following section, Creating and Assigning ACLs and ACPs on page 8, gives an overview of the four basic steps necessary when creating ACLs and ACPs.

Warning: Before applying an ACP to an interface, verify your Telnet connection will not be affected by the policy. If a policy is applied to the interface you are connecting through and it does not allow Telnet traffic, your connection will be lost.

Creating and Assigning ACLs and ACPs

Creating ACLs and ACPs to regulate traffic through the routed network requires four steps:

Step 1: Enable the security features of the SROS using the ip firewall command.

Step 2: Create an ACL (using the ip access-list command) and configure it to permit or deny specified traffic. Standard ACLs provide pattern matching for source IP addresses only. (Use extended ACLs for more flexible pattern matching.) IP addresses can be expressed in one of three ways:
  Using the keyword any to match any IP address.
  Using host <A.B.C.D> to specify a single host address. For example, entering permit host 196.173.22.253 allows all traffic from the host with an IP address of 196.173.22.253.
  Using the <A.B.C.D> <wildcard> format to match all IP addresses in a range. Wildcard masks work in reverse logic from a subnet mask: a one in the wildcard mask means "don't care" for that bit. For example, entering permit 192.168.0.0 0.0.0.255 permits all traffic from the 192.168.0.0/24 network.

Step 3: Create an ACP using the ip policy-class command. Possible actions performed by the ACP are as follows:
  allow list <ACL names>
    All packets passed by the ACL(s) entered are allowed to enter the router system.
  discard list <ACL names>
    All packets passed by the ACL(s) entered are dropped from the router system.
  allow list <ACL names> policy <ACP name>
    All packets passed by the ACL(s) entered and destined for the interface using the ACP listed are permitted to enter the router system. This allows for configurations to permit packets to a single interface and not the entire system.
  discard list <ACL names> policy <ACP name>
    All packets passed by the ACL(s) entered and destined for the interface using the ACP listed are blocked from the router system. This allows for configurations to deny packets on a specified interface.
  nat source list <ACL names> address <IP address> overload
    All packets passed by the ACL(s) entered are modified to replace the source IP address with the entered IP address. The overload keyword allows multiple source IP addresses to be replaced with the single IP address entered. This hides private IP addresses from outside the local network.

  nat source list <ACL names> interface <interface> overload
    All packets passed by the ACL(s) entered are modified to replace the source IP address with the primary IP address of the listed interface. The overload keyword allows multiple source IP addresses to be replaced with the single IP address of the specified interface. This hides private IP addresses from outside the local network.
  nat destination list <ACL names> address <IP address>
    All packets passed by the ACL(s) entered are modified to replace the destination IP address with the entered IP address. The overload keyword is not an option when performing NAT on the destination IP address. Each private address must have a unique public address. This hides private IP addresses from outside the local network.

Step 4: Apply the ACP to an interface. To do this, enter access-policy <policy name> while in the desired interface's configuration mode. The following example assigns access policy MATCHALL to the Ethernet 0/1 interface:

(config)# interface ethernet 0/1
(config-eth 0/1)# access-policy MATCHALL

Configuration Examples

To illustrate these basic steps, the following configurations are given in detail as examples:
  Outbound Internet Access on page 10
    Step-by-Step Configuration: Outbound Internet Access on page 10
    Sample Script on page 11
  Inbound Internet Access on page 12
    Step-by-Step Configuration: Inbound Internet Access on page 12
    Sample Script on page 13
  Network Address Translation (NAT) on the WAN Interface on page 14
    Step-by-Step Configuration: NAT on the WAN Interface on page 14
    Sample Script on page 16

The first example demonstrates the router configuration for a simple network that allows the LAN to get to the Internet, but blocks unwanted traffic from the Internet. The second example shows how to modify the same configuration to allow traffic to a web server from the Internet. The third example explains how to further modify the configuration to perform NAT from the Internet. Configuration steps for each example are provided in the tables which follow the configuration descriptions. You can follow the given steps by entering the command text shown in bold (modifying as needed for your application).

Note: These examples are given for your study and consideration only. They are to help you reach a better understanding of the fundamental concepts before configuring your own application. It will be necessary for you to modify these examples to match your own network's configuration.

Use the sample scripts in this section as a shortcut to configuring your unit. Use the text tool in Adobe Acrobat to select and copy the scripts, paste them into any text editing program, modify as needed, and then paste them directly into your SROS command line.
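The four steps above, together with the ACLs and ACPs section, define how a packet is classified: wildcard-mask address matching, first-match ordering within an ACL and within an ACP, and the implicit deny at the end of each. The following Python model is an added example, not SROS code. Its ACLs and policies are constructed to mirror the inbound web-server example in this guide (TRUSTED on the LAN, UNTRUSTED on the WAN with the INWEB exception ahead of the MATCHALL discard); only the ACL/ACP selection logic is modelled, not session state, ALGs or NAT, and only numeric ports are parsed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp


def wildcard_match(address, base, wildcard):
    """ACL address test: a 1 bit in the wildcard mask is a 'don't care' bit,
    so only the bits that are 0 in the mask must equal the base address."""
    a = int(ipaddress.ip_address(address))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_addr(tokens):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D wildcard);
    return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


@dataclass
class AclEntry:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" for a standard (source-only) entry
    src: Tuple[str, str]
    dst: Optional[Tuple[str, str]] = None
    dport: Optional[int] = None


def parse_entry(line, extended):
    """Parse one ACL line as written in the guide, e.g. 'permit any' (standard)
    or 'permit tcp any host 63.12.5.253 eq 80' (extended, numeric ports only)."""
    tokens = line.split()
    if not extended:
        src, _ = parse_addr(tokens[1:])
        return AclEntry(tokens[0], "ip", src)
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return AclEntry(tokens[0], tokens[1], src, dst, dport)


def entry_matches(entry, pkt):
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *entry.src):
        return False
    if entry.dst is not None and not wildcard_match(pkt.dst, *entry.dst):
        return False
    return entry.dport is None or entry.dport == pkt.dport


def acl_result(entries, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for entry in entries:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


def apply_policy(policy, acls, pkt):
    """policy is an ordered list of (action, acl_name). An ACL 'deny' only
    advances to the next ACP entry; falling off the end is an implicit discard."""
    for action, acl_name in policy:
        if acl_result(acls[acl_name], pkt) == "permit":
            return action
    return "discard"


# Constructed to mirror the inbound web-server example; LANONLY is an extra
# standard ACL added here only to show wildcard-mask matching.
ACLS = {
    "MATCHALL": [parse_entry("permit any", extended=False)],
    "INWEB": [parse_entry("permit tcp any host 63.12.5.253 eq 80", extended=True)],
    "LANONLY": [parse_entry("permit 192.168.0.0 0.0.0.255", extended=False)],
}
POLICIES = {
    "TRUSTED": [("allow", "MATCHALL")],
    "UNTRUSTED": [("allow", "INWEB"), ("discard", "MATCHALL")],
    # Same two entries reversed: MATCHALL now swallows the web traffic first.
    "UNTRUSTED_REVERSED": [("discard", "MATCHALL"), ("allow", "INWEB")],
}


def evaluate(policy_name, pkt):
    return apply_policy(POLICIES[policy_name], ACLS, pkt)


if __name__ == "__main__":
    web = Packet("198.51.100.7", "63.12.5.253", "tcp", 80)
    ssh = Packet("198.51.100.7", "63.12.5.253", "tcp", 22)
    print("UNTRUSTED  web :", evaluate("UNTRUSTED", web))            # allow
    print("UNTRUSTED  ssh :", evaluate("UNTRUSTED", ssh))            # discard
    print("REVERSED   web :", evaluate("UNTRUSTED_REVERSED", web))   # discard
```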

Example 1: Outbound Internet Access

This is a simple network configuration using public IP addresses on the LAN. This configuration allows the LAN traffic to reach the Internet, but does not allow traffic from the Internet to reach the LAN (unless it matches the outbound sessions already created).

Table 2. Step-by-Step Configuration: Outbound Internet Access

  1. Enter Enable Security mode.
     >enable
  2. Enter Global Configuration mode.
     #configure terminal
  3. Enable IP firewall functionality.
     (config)#ip firewall
  4. Create the ACL MATCHALL and enter the standard ACL command set.
     (config)#ip access-list standard MATCHALL
  5. Configure this ACL to permit all packets.
     (config-std-nacl)#permit any
  6. Exit to Global Configuration mode.
     (config-std-nacl)#exit
  7. Add a default route to the route table.
     (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1
  8. Create the ACP TRUSTED and enter its access control policy command set.
     (config)#ip policy-class TRUSTED
  9. Configure this ACP to allow any traffic that matches the ACL MATCHALL to enter the router system.
     (config-policy-class)#allow list MATCHALL
  10. Exit to Global Configuration mode.
     (config-policy-class)#exit
  11. Create the ACP UNTRUSTED and enter its access control policy command set.
     (config)#ip policy-class UNTRUSTED
  12. Configure this ACP to discard any traffic that matches the ACL MATCHALL.
     (config-policy-class)#discard list MATCHALL
  13. Exit to Global Configuration mode.
     (config-policy-class)#exit
  14. Access configuration parameters for the Ethernet port.
     (config)#interface eth 0/1
  15. Assign an IP address and subnet mask to the Ethernet port.
     (config-eth 0/1)#ip address 63.12.5.254 255.255.255.0

Table 2. Step-by-Step Configuration: Outbound Internet Access (Continued)

  16. Apply the ACP TRUSTED to the Ethernet port.
     (config-eth 0/1)#access-policy TRUSTED
     Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP.
  17. Exit to Global Configuration mode.
     (config-eth 0/1)#exit
  18. Access configuration parameters for the PPP interface.
     (config)#interface ppp 1
  19. Assign an IP address and subnet mask to the WAN interface.
     (config-ppp 1)#ip address 63.12.1.2 255.255.255.248
  20. Apply the ACP UNTRUSTED to the WAN interface.
     (config-ppp 1)#access-policy UNTRUSTED
     Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP.
  21. Exit to Global Configuration mode.
     (config-ppp 1)#exit

Sample Script

ip firewall
ip route 0.0.0.0 0.0.0.0 63.12.1.1
ip access-list standard MATCHALL
  permit any
  - Create the Access-List MATCHALL.
  - Permit any IP address.
ip policy-class TRUSTED
  allow list MATCHALL
  - Create the Policy-Class TRUSTED.
  - For any interface using Policy-Class TRUSTED allow Access-List MATCHALL.
  - Since the Policy-Class TRUSTED allows anything matching Access-List MATCHALL
  - and MATCHALL permits Any, Any incoming packets will be Allowed by this
  - Policy-Class.
ip policy-class UNTRUSTED
  discard list MATCHALL
  - Create the Policy-Class UNTRUSTED.
  - For any interface using Policy-Class UNTRUSTED discard Access-List MATCHALL.
interface eth 0/1
  ip address 63.12.5.254 255.255.255.0
  access-policy TRUSTED
  - Apply the Policy-Class TRUSTED to the Ethernet interface.

interface ppp 1
  ip address 63.12.1.2 255.255.255.248
  access-policy UNTRUSTED
  - Apply the Policy-Class UNTRUSTED to the WAN interface.
  - Since the Policy-Class UNTRUSTED discards anything matching Access-List MATCHALL
  - and MATCHALL permits Any, Any incoming packets will be Discarded by this
  - Policy-Class.

Example 2: Inbound Internet Access

This example is a simple network configuration using public IP addresses on the LAN. This configuration allows outbound access to the Internet and inbound access to the web server. This configuration is similar to the previous example (all changes are shown in bold text in the Sample Script on page 13).

Table 3. Step-by-Step Configuration: Inbound Internet Access

  1. Enter Enable Security mode.
     >enable
  2. Enter Global Configuration mode.
     #configure terminal
  3. Enable IP firewall functionality.
     (config)#ip firewall
  4. Create the ACL MATCHALL and enter the standard ACL command set.
     (config)#ip access-list standard MATCHALL
  5. Configure this ACL to permit all packets.
     (config-std-nacl)#permit any
  6. Exit to Global Configuration mode.
     (config-std-nacl)#exit
  7. Create the extended ACL INWEB and enter the extended access-list command set.
     (config)#ip access-list extended INWEB
  8. Permit any TCP traffic with a destination address of 63.12.5.253 and a destination port of 80 (HTTP).
     (config-ext-nacl)#permit tcp any host 63.12.5.253 eq 80
  9. Add a default route to the route table.
     (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1
  10. Create the ACP TRUSTED and enter its access control policy command set.
     (config)#ip policy-class TRUSTED
  11. Configure this ACP to allow any traffic that matches the ACL MATCHALL to enter the router system.
     (config-policy-class)#allow list MATCHALL
  12. Exit to Global Configuration mode.
     (config-policy-class)#exit
  13. Create the ACP UNTRUSTED and enter its access control policy command set.
     (config)#ip policy-class UNTRUSTED
  14. Configure this ACP to allow any traffic that matches the ACL INWEB to enter the router system.
     (config-policy-class)#allow list INWEB

Table 3. Step-by-Step Configuration: Inbound Internet Access (Continued)

  15. Configure this ACP to discard any traffic that matches the ACL MATCHALL.
     (config-policy-class)#discard list MATCHALL
     Note: The ACP UNTRUSTED will now allow packets matching ACL INWEB (prior to discarding incoming packets matching the ACL MATCHALL).
  16. Exit to Global Configuration mode.
     (config-policy-class)#exit
  17. Access configuration parameters for the Ethernet port.
     (config)#interface eth 0/1
  18. Assign an IP address and subnet mask to the Ethernet port.
     (config-eth 0/1)#ip address 63.12.5.254 255.255.255.0
  19. Apply the ACP TRUSTED to the Ethernet port.
     (config-eth 0/1)#access-policy TRUSTED
     Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP.
  20. Exit to Global Configuration mode.
     (config-eth 0/1)#exit
  21. Access configuration parameters for the PPP interface.
     (config)#interface ppp 1
  22. Assign an IP address and subnet mask to the WAN interface.
     (config-ppp 1)#ip address 63.12.1.2 255.255.255.248
  23. Apply the ACP UNTRUSTED to the WAN interface.
     (config-ppp 1)#access-policy UNTRUSTED
     Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP unless they first match ACL INWEB.
  24. Exit to Global Configuration mode.
     (config-ppp 1)#exit

Sample Script

ip firewall
ip access-list standard MATCHALL
  permit any
ip access-list extended INWEB
  permit tcp any host 63.12.5.253 eq 80
  - Create Extended Access-List INWEB.
  - Permit any TCP traffic with a destination address of 63.12.5.253 and a destination port of 80 (HTTP).
ip route 0.0.0.0 0.0.0.0 63.12.1.1
ip policy-class TRUSTED
  allow list MATCHALL

ip policy-class UNTRUSTED
  allow list INWEB
  discard list MATCHALL
    - Allow any traffic that matches Access-List INWEB,
    - before discarding any traffic that matches Access-List MATCHALL.
interface eth 0/1
  ip address 63.12.5.254 255.255.255.0
  access-policy TRUSTED
interface ppp 1
  ip address 63.12.1.2 255.255.255.248
  access-policy UNTRUSTED

Example 3: Network Address Translation (NAT) on the WAN Interface

This example is a simple network using private IP addresses on the LAN and providing NAT on the WAN interface to the Internet. The configuration allows the LAN traffic to reach the Internet by performing NAT. Traffic from the Internet is discarded unless it matches the outbound sessions already created (or has a destination address and port that match the web server). Changes to the previous configuration are shown in bold text in the Sample Script on page 16.

Table 4. Step-by-Step Configuration: NAT on the WAN Interface

Step 1.  Enter Enable Security mode.
         >enable
Step 2.  Enter Global Configuration mode.
         #configure terminal
Step 3.  Enable IP firewall functionality.
         (config)#ip firewall
Step 4.  Create the ACL MATCHALL and enter the standard access-list command set.
         (config)#ip access-list standard MATCHALL
Step 5.  Permit all packets through the configured ACL.
         (config-std-nacl)#permit any
Step 6.  Exit to Global Configuration mode.
         (config-std-nacl)#exit
Step 7.  Create the extended ACL INWEB and enter the extended access-list command set.
         (config)#ip access-list extended INWEB
Step 8.  Permit any TCP traffic with a destination address of 63.12.1.3 and a destination port of 80 (HTTP).
         (config-ext-nacl)#permit tcp any host 63.12.1.2 eq 80
Step 9.  Add a default route to the route table.
         (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1
Step 10. Create the ACP TRUSTED and enter its ACP command set.
         (config)#ip policy-class TRUSTED

Table 4. Step-by-Step Configuration: NAT on the WAN Interface (Continued)

Step 11. Enable NAT for traffic that matches the ACL MATCHALL and change the source address to 63.12.1.2.
         (config-policy-class)#nat source list MATCHALL address 63.12.1.2 overload
Step 12. Exit to Global Configuration mode.
         (config-policy-class)#exit
Step 13. Create the ACP UNTRUSTED and enter its ACP command set.
         (config)#ip policy-class UNTRUSTED
Step 14. Enable NAT for traffic that matches the ACL INWEB and change the destination address to 192.168.0.253.
         (config-policy-class)#nat destination list INWEB address 192.168.0.253
Step 15. Configure this ACP to discard any traffic that matches the ACL MATCHALL.
         (config-policy-class)#discard list MATCHALL
Step 16. Exit to Global Configuration mode.
         (config-policy-class)#exit
Step 17. Access configuration parameters for the Ethernet port.
         (config)#interface eth 0/1
Step 18. Assign an IP address and subnet mask to the Ethernet port.
         (config-eth 0/1)#ip address 192.168.0.254 255.255.255.0
Step 19. Apply the ACP TRUSTED to the Ethernet port.
         (config-eth 0/1)#access-policy TRUSTED
         Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP.
Step 20. Exit to Global Configuration mode.
         (config-eth 0/1)#exit
Step 21. Access configuration parameters for the PPP interface.
         (config)#interface ppp 1
Step 22. Assign an IP address and subnet mask to the PPP interface.
         (config-ppp 1)#ip address 63.12.1.2 255.255.255.248
Step 23. Apply the ACP UNTRUSTED to the WAN interface.
         (config-ppp 1)#access-policy UNTRUSTED
         Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP.
Step 24. Exit to Global Configuration mode.
         (config-ppp 1)#exit

Sample Script

ip firewall
ip access-list extended INWEB
  permit tcp any host 63.12.1.3 eq 80
    - Create Extended Access-List INWEB
    - Allow any TCP traffic with a destination address of 63.12.1.3 and a destination port of 80 (HTTP).
ip route 0.0.0.0 0.0.0.0 63.12.1.1
ip policy-class TRUSTED
  nat source list MATCHALL address 63.12.1.2 overload
    - Enable NAT for traffic that matches Access-List MATCHALL and change
    - the source address to 63.12.1.2.
ip policy-class UNTRUSTED
  nat destination list INWEB address 192.168.0.253
  discard list MATCHALL
    - Enable NAT for traffic that matches Access-List INWEB and change
    - the destination address to 192.168.0.253.
ip access-list standard MATCHALL
  permit any
interface eth 0/1
  ip address 192.168.0.254 255.255.255.0
  access-policy TRUSTED
    - The IP address is changed to the private address scheme.
interface ppp 1
  ip address 63.12.1.2 255.255.255.248
  access-policy UNTRUSTED
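Added example, not code from the guide: a small Python model of the ACL/ACP evaluation order used in Examples 2 and 3 above (ACP entries are tried in order, and the first entry whose ACL matches decides), which is why "allow list INWEB" must precede "discard list MATCHALL" for web traffic to reach the server on ppp 1. The script fragment is constructed from Example 2, the packet dicts and the "no matching entry means discard" fallback are assumptions, and only the "any" and "host" address forms are handled.

```python
SCRIPT = """
ip access-list standard MATCHALL
 permit any
ip access-list extended INWEB
 permit tcp any host 63.12.5.253 eq 80
ip policy-class UNTRUSTED
 allow list INWEB
 discard list MATCHALL
interface ppp 1
 access-policy UNTRUSTED
"""  # constructed from the guide's Example 2 (WAN side only)

def parse(script):
    acls, acps, ifaces, ctx = {}, {}, {}, None
    for w in (l.split() for l in script.strip().splitlines()):
        if w[:2] == ["ip", "access-list"]:
            ctx = acls.setdefault(w[3], [])
        elif w[:2] == ["ip", "policy-class"]:
            ctx = acps.setdefault(w[2], [])
        elif w[0] == "interface":
            ctx = " ".join(w[1:])
        elif w[0] == "access-policy":
            ifaces[ctx] = w[1]              # bind the ACP to the interface
        else:
            ctx.append(w)                   # ACL entry or ACP entry tokens
    return acls, acps, ifaces

def _addr(tokens, ip):                      # 'any' or 'host A.B.C.D' -> (matched, rest)
    return (True, tokens[1:]) if tokens[0] == "any" else (ip == tokens[1], tokens[2:])

def acl_permits(entries, pkt):
    """First matching entry decides; an ACL with no match is an implicit deny."""
    for e in entries:
        rest = e[1:]
        if rest[0] in ("any", "host"):      # standard ACL: source address only
            hit, rest = _addr(rest, pkt["src"])
        else:                               # extended: proto src dst [eq port]
            proto, rest = rest[0], rest[1:]
            s, rest = _addr(rest, pkt["src"])
            d, rest = _addr(rest, pkt["dst"])
            hit = proto == pkt["proto"] and s and d
        if hit and (not rest or pkt.get("dport") == int(rest[1])):
            return e[0] == "permit"
    return False

def evaluate(cfg, iface, pkt):             # first ACP entry whose ACL hits decides
    acls, acps, ifaces = cfg
    for entry in acps[ifaces[iface]]:
        if acl_permits(acls[entry[entry.index("list") + 1]], pkt):
            return entry[0]                 # allow / discard / nat
    return "discard"                        # assumption: no match means discard
```

Reversing the two UNTRUSTED entries makes MATCHALL hit first, so the same web packet is discarded; that is the ordering the Step 15 note warns about.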

Verifying Your Configuration Using Show Commands

Use the following SROS show commands to display information regarding your configuration. Enter show commands at any prompt using the do command. For example:

(config-eth 0/1)#do show ip policy-session

Table 5. Show Commands

show ip access-list
  Displays all configured IP ACLs in the system.
  Sample output:
    Standard IP access list MATCHALL
        permit 192.168.1.0, wildcard bits 0.0.0.255 (31337 matches)
    Standard IP access list SERVER1_OUT
        permit host 192.168.1.100 (0 matches)
    Extended IP access list CORPORATE_TRAFFIC
        permit ip 192.168.1.0, wildcard bits 0.0.0.255 192.168.3.0, wildcard bits 0.0.0.255 (432829 matches)
    Extended IP access list CORPORATE_TRAFFIC_IN
        permit ip 192.168.3.0, wildcard bits 0.0.0.255 192.168.1.0, wildcard bits 0.0.0.255 (2194 matches)
    Extended IP access list REMOTE_USER_TRAFFIC
        permit ip 192.168.1.0, wildcard bits 0.0.0.255 10.10.10.0, wildcard bits 0.0.0.255 (178 matches)
    Extended IP access list REMOTE_USER_TRAFFIC_IN
        permit ip 10.10.10.0, wildcard bits 0.0.0.255 192.168.1.0, wildcard bits 0.0.0.255 (11 matches)

show ip policy-class
  Displays a list of currently configured ACPs.
  Sample output:
    ip policy-class max-sessions 30000
    Policy-class TRUSTED : 1 current sessions (10000 max)
      Entry 1 - allow list CORPORATE_TRAFFIC
      Entry 2 - allow list REMOTE_USER_TRAFFIC
      Entry 3 - nat source list SERVER1_OUT address 141.158.13.58 overload
      Entry 4 - nat source list MATCHALL address 141.158.13.62 overload
    Policy-class UNTRUSTED : 2 current sessions (10000 max)
      Entry 1 - allow list CORPORATE_TRAFFIC_IN
      Entry 2 - allow list REMOTE_USER_TRAFFIC_IN

Table 5. Show Commands (Continued)

show ip policy-session
  Displays a list of current ACP associations.
  Sample output:
    Protocol (TTL)  Src IP Address   Src Port  Dest IP Address  Dst Port  NAT IP Address  NAT Port
    --------------  ---------------  --------  ---------------  --------  --------------  --------
    Policy class TRUSTED :
    tcp (523)       192.168.1.70     3790      152.155.209.24   80s       141.160.13.62   29008
    Policy class UNTRUSTED :
    tcp (600)       208.25.151.99    1141      141.158.56.142   23
    Policy class self :
    Policy class default :

show ip policy-stats
  Displays a list of current ACP statistics.
  Sample output:
    Global 3 current sessions (30000 max)
    Policy-class TRUSTED : 1 current sessions (10000 max)
      Entry 1 - allow list CORPORATE_TRAFFIC
        10211717 in bytes, 1184 out bytes, 1140 hits
      Entry 2 - allow list REMOTE_USER_TRAFFIC
        0 in bytes, 0 out bytes, 0 hits
      Entry 3 - nat source list SERVER1_OUT address 141.158.56.58 overload
        0 in bytes, 0 out bytes, 0 hits
      Entry 4 - nat source list MATCHALL address 141.158.56.62 overload
        66422200 in bytes, 230583087 out bytes, 31332 hits
    Policy-class UNTRUSTED : 2 current sessions (10000 max)
      Entry 1 - allow list CORPORATE_TRAFFIC_IN
        1306324 in bytes, 139295 out bytes, 2194 hits
      Entry 2 - allow list REMOTE_USER_TRAFFIC_IN
        1051 in bytes, 128 out bytes, 11 hits

Managing Event Messages

The SROS provides multiple levels of event messages. You can manage these messages in several ways, based on their assigned priority level. The levels are listed below, from least to most critical.

Priority Level Number    Priority Level
5
4
3
2                        Warning
1
0                        Fatal

There are two management options for the event messages displayed on the console. The default behavior is to display levels 0 to 3 (i.e., , Warning, , and Fatal messages). To display all levels, turn debug on (using the debug firewall command). If you turn debug off (no debug firewall), you fall back to displaying levels 0 to 3 (i.e., everything but  and ).

There are additional management options available for event history storage, email notification, and syslog forwarding. If the event history storage is enabled (using the event-history on command), by default the SROS logs all messages with priority levels 0 through 3 (i.e., , Warning, , and Fatal messages). You can use the following commands to change the default behavior and set an explicit priority level for the following options:

event-history priority <priority level#>
  Sets the threshold for events stored in the event history. The event log is displayed using the show event-history command.

logging email priority-level <priority level#>
  Sets the threshold for events sent to the configured email addresses (specified using the logging email address-list command).

logging forwarding priority-level <priority level#>
  Sets the threshold for events sent to the configured syslog server (specified using the logging forwarding receiver-ip command).

When setting the <priority level#>, keep the following in mind:

  When priority 4 is selected, all events (priorities 0 through 4) are logged.
  When priority 3 is selected, events with priority 3, 2, 1, or 0 are logged.
  When priority 2 is selected, events with priority 2, 1, or 0 are logged.
  When priority 1 is selected, events with priority 1 or 0 are logged.
  When priority 0 is selected, only events with priority 0 are logged.

Table 6 on page 20 provides a list of event messages related to the firewall (along with the designated priority levels).

Table 6. Firewall Events

Event Message                                                                    Priority Level
Modified Ack: <#>
  *Generated with changes to an incoming ACK.
Attempt to login with a wrong name <username> from <ip address>
Attempt to login through browser by <username> from <ip address>
Invalid password supplied by <username> from <ip address>
Attempt to login through Site Authentication by <username>
Unable to allocate memory for RTSP Control Connection
No memory for RTSP control connection
No Empty record to store new data
Nat Port not available
Unexpected End of packet
Client Port and NatPort do not match
Unable to create new connection
IGWbuf allocation failed
  *Generated when buffer allocation fails.
Memory not allocated for RTSP data connection
NatPort and Client ports do not match
Unable to allocate memory for RTSP Data connection in creating new connection
Attacks: SynAck: No memory buffers
Attacks: SynAck: Header formation error
ADCreateAssoc: This should not happen
  *Generated with an invalid user name on a dynamic NAT address.
ADCreateAssoc: Failure in getting IpAddress from Dim
UDB found bad user name while retrieving from DBM
UDB failed in allocating memory while loading
UDB failed in allocating memory for New User
<username> is an invalid user
Invalid password, auth failed for user <username>
Authentication failed for user <username>
UDB got an authentication req for user name: <username>
Auth successful for <username> :: priv: <privilege level>
Incat tmr: <#>