Ed. 00 GWIM Firewall Handbook
COPYRIGHT

This manual is proprietary to SAMSUNG Electronics Co., Ltd. and is protected by copyright. No information contained herein may be copied, translated, transcribed or duplicated for any commercial purposes or disclosed to third parties in any form without the prior written consent of SAMSUNG Electronics Co., Ltd.

TRADEMARKS

Adobe is a trademark and Adobe Acrobat is a registered trademark of Adobe Systems Incorporated. Install Shield is a registered trademark of Install Shield Software Corporation. Internet Explorer, Microsoft, Windows, Windows 2000, and Windows NT are registered trademarks of Microsoft Corporation. Netscape and Netscape Navigator are registered trademarks of Netscape Communication Corporation in the United States and other countries. All other company and product names may be trademarks of the respective companies with which they are associated.

This manual should be read before installation and operation, and the operator should install and operate the product correctly by following this manual. This manual may be changed for system improvement, standardization and other technical reasons without prior notice. For further information on the updated manual, or if you have a question about the content of the manual, contact the address or homepage below.

Address: Document Center, 18th Floor IT Center, Dong-Suwon P.O. Box 105, 416, Maetan-3dong Yeongtong-gu, Suwon-si, Gyeonggi-do, Korea 442-600
Homepage: http://www.samsungdocs.com

2007 SAMSUNG Electronics Co., Ltd. All rights reserved.
INTRODUCTION

Purpose
This manual introduces the Firewall function and describes how to configure and use it.

Document Content and Organization
This manual comprises two chapters and a list of abbreviations, as follows.

CHAPTER 1. Overview
This chapter introduces the Firewall and its functions.

CHAPTER 2. Using the Firewall
This chapter describes how the Firewall menu is structured and how to use it.

ABBREVIATION
This list explains the abbreviations used throughout this manual.

SAMSUNG Electronics Co., Ltd.
Conventions
The following types of paragraphs contain special information that must be carefully read and thoroughly understood. Such information may or may not be enclosed in a rectangular box, separating it from the main text, but is always preceded by an icon and/or a bold title.

WARNING: Provides information or instructions that the reader should follow in order to avoid personal injury or fatality.

CAUTION: Provides information or instructions that the reader should follow in order to avoid a service failure or damage to the system.

CHECKPOINT: Provides the operator with checkpoints for stable system operation.

NOTE: Indicates additional information as a reference.

Console Screen Output
A lined box with Courier New font is used to distinguish console output screen text from the main content. Bold Courier New font indicates the value entered by the operator on the console screen.
Reference
OfficeServ 7400 GWIM (GWIMT) User Manual: This manual introduces the OfficeServ 7400 GWIM (GWIMT), which is an OfficeServ 7400 application, and describes how to set up and use it.

Revision History

EDITION   DATE OF ISSUE   REMARKS
00        08. 2007        First Edition
TABLE OF CONTENTS

INTRODUCTION
  Purpose
  Document Content and Organization
  Conventions
  Console Screen Output
  Reference
  Revision History
CHAPTER 1. Overview
  What is the Firewall?
  Components of the Firewall
CHAPTER 2. Using the Firewall
  Configuring the Firewall
  Management
  Configuration
  Remote Access
  IP Filtering
  URL Filtering
  ICMP Filtering
  Firewall Example
  Firewall Policy Configuration
  Firewall Policy Modify, Add, Delete
ABBREVIATION
  A ~ I
  L ~ V
CHAPTER 1. Overview

This chapter introduces the Firewall and its functions.

What is the Firewall?
The firewall uses packet filtering and enables you to allow or deny packets that attempt to access your network, based on the information contained in their headers. The firewall operates according to the rules in the Configuration List. The rules in the Configuration List are applied sequentially. Beware that once a packet matches an upper rule, the rules below it are not applied to that packet.

Components of the Firewall
Packet filtering rules consist of source address, destination address, destination port, protocol, and action (Allow/Deny). The firewall inspects the header of each packet that passes through it and determines whether to allow or deny it. The packet header carries the information the firewall needs; using it, the firewall can allow legitimate, normal packets and deny illegitimate or abnormal packets.

IP header layout (figure):

  0                                        16
  Version | Header length | Type of service (TOS) | Total length (bytes)
  Identification | Flag | Fragment offset
  Time to live (TTL) | Protocol | Header checksum
  Source IP address
  Destination IP address
  Option (if any)
  Data
Source IP
Enter the IP address of the source of the packet. Select an appropriate input method from the combo box: / means a network mask input, - means a range input, and * means all addresses.

Destination IP
Enter the IP address of the packet destination. Select an appropriate input method from the combo box. The input method is the same as for the Source IP item.

Port
Enter the destination port of the packet. You can select a well-known port or enter a port number(s) directly. When entering port numbers, you can specify a single port or a port range.
Protocol
Select the packet protocol. The protocols that can be filtered are TCP and UDP. You can select all to filter both TCP and UDP.

Time Set
You can set a timer for the filtering rule. Once a time is specified, the filtering rule is configured so that it operates only at the specified time. You can select a day(s) of the week and a time: select the day(s) of week check boxes, then select the 24 Hours radio button, or select the radio button next to the first combo box and select a period of time.

Target
This item determines what happens to matching packets. Select whether to allow or deny the packets that match the rule defined.
Index No.
After defining the packet filtering rule, specify the Index No., which is the rule's position in the Configuration List that holds all the packet filtering rules.

Apply Firewall Rule
Applies the packet filtering rule you defined to the firewall.

ETC.
The firewall operates according to the rules in the Configuration List. It determines whether to allow or deny a packet by applying the rules in the Configuration List sequentially: it compares the packet with the filtering rules from the first one onwards until a matching rule is found or the last rule is reached. Because the sequence of the packet filtering rules in the Configuration List is critical to the firewall's behaviour, set the sequence carefully.
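The following is an added example, not code from the handbook or from Samsung: a small first-match filter that models the Configuration List described above. The rule fields (Source IP, Destination IP, Port, Protocol, Time Set, Target, Index No.) and the address input methods (/ for a network mask, - for a range, * for all addresses) follow the handbook; the Python representation, the NO_MATCH result for a packet that reaches the last rule without matching, and the sample packets are assumptions. It also demonstrates the ordering caveat: the same two rules in the opposite Index No. order deny the traffic the policy meant to allow.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def address_matches(spec: str, ip: str) -> bool:
    """Match an address against a Source/Destination IP spec:
    '*' = all addresses, 'a.b.c.d/n' = network mask input,
    'lo-hi' = inclusive range input, bare address = exact host."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)


def port_matches(spec: str, port: int) -> bool:
    """Match a destination port against '*', a single port or 'lo-hi'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


@dataclass
class Rule:
    index: int                     # Index No.: position in the Configuration List
    source: str                    # Source IP spec
    destination: str               # Destination IP spec
    port: str = "*"                # destination port spec
    protocol: str = "ALL"          # TCP, UDP or ALL (both)
    target: str = "DENY"           # ALLOW or DENY
    days: tuple = DAYS             # Time Set: days of week the rule is active
    hours: Optional[tuple] = None  # None = 24 Hours, else (start_hour, end_hour)

    def active_at(self, when: datetime) -> bool:
        if DAYS[when.weekday()] not in self.days:
            return False
        if self.hours is None:
            return True
        start, end = self.hours
        return start <= when.hour < end

    def matches(self, packet: dict, when: datetime) -> bool:
        if packet["protocol"] not in ("TCP", "UDP"):
            return False  # only TCP and UDP can be filtered (assumption: others never match)
        if self.protocol != "ALL" and self.protocol != packet["protocol"]:
            return False
        return (self.active_at(when)
                and address_matches(self.source, packet["src"])
                and address_matches(self.destination, packet["dst"])
                and port_matches(self.port, packet["dport"]))


def evaluate(config_list, packet, when):
    """Apply the rules in Index No. order; the first matching rule decides.
    Returns 'NO_MATCH' (an assumption) when the last rule is reached without a match."""
    for rule in sorted(config_list, key=lambda r: r.index):
        if rule.matches(packet, when):
            return rule.target
    return "NO_MATCH"


# Constructed sample: the handbook's Basic Mode policy in two orderings.
CORRECT_ORDER = [
    Rule(1, "20.0.1.0/24", "*", target="ALLOW"),   # inside -> anywhere
    Rule(2, "*", "*", target="DENY"),              # everything else
]
WRONG_ORDER = [
    Rule(1, "*", "*", target="DENY"),              # matches first, so ...
    Rule(2, "20.0.1.0/24", "*", target="ALLOW"),   # ... this is never reached
]
OUTBOUND = {"src": "20.0.1.10", "dst": "20.0.2.5", "dport": 443, "protocol": "TCP"}
INBOUND = {"src": "20.0.2.5", "dst": "20.0.1.10", "dport": 22, "protocol": "TCP"}
NOW = datetime(2007, 8, 6, 10, 0)  # a Monday, 10:00

if __name__ == "__main__":
    for name, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(name, "outbound:", evaluate(rules, OUTBOUND, NOW),
              "inbound:", evaluate(rules, INBOUND, NOW))
```

A rule whose Time Set is outside the current day or hour is simply skipped, so a packet can fall through a timed deny rule to a later allow rule; keep a catch-all rule at the end of the list if that is not what you intend.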
CHAPTER 2. Using the Firewall

This chapter describes how the Firewall menu is structured and how to use it.

Configuring the Firewall
The Firewall menu contains the Management, Configuration, Remote Access, IP Filtering, URL Filtering, and ICMP Filtering commands. You configure the firewall using the Configuration command of the Firewall menu.
You manage the packets that are forwarded through the firewall using the Configuration, IP Filtering, and URL Filtering commands, and the packets that come in to the firewall itself using the Remote Access and ICMP Filtering commands.

Packet flow (figure):
  Packet Input -> Routing
    Forward path: Configuration, IP/URL Filtering -> Packet Output
    Input path (to the firewall itself): Remote Access, ICMP Filtering -> Local Process -> Output

Management
If you do not want to use the firewall, select the Disable radio button and click OK.

Configuration
You can configure the filtering policy for the packets to be forwarded through the firewall. On the Configuration screen, you can select Basic Mode or Advanced Mode. Different components are provided depending on the selected mode.
Configuration in Basic Mode
Basic mode provides a minimum set of components for the filtering configuration.

Configuration in Advanced Mode
Advanced mode provides additional components besides those provided in Basic mode. You can configure the filtering conditions in detail using those additional components.
Remote Access
You can configure the filtering policy for the packets coming in to the firewall itself. On the Remote Access screen, you can configure the default policy and the remote IP configuration. The Default Policy is the function that allows you to deny all IP addresses except the administrator's IP address. The Remote IP Configuration allows you to create and apply filtering rules using the provided components.

CAUTION: If the Default Policy is set to Deny and you enter the administrator's IP address incorrectly, you cannot access Web Management, because the firewall denies your access to the network. In this case you have to reset the database to recover from the problem. Therefore, always be careful when entering these settings.
IP Filtering
You can specify the IP addresses of the packets forwarded through the firewall that you want to deny. The configuration method is the same as on the Configuration screen. It creates a rule that denies all packets from the specified IP addresses. When the rules are applied, an IP filtering rule has higher priority than the rules configured on the Configuration screen.

URL Filtering
You can specify the URLs of the packets forwarded through the firewall that you want to deny. If the specified keyword matches the URL entered in the address box of the web browser, the connection to that URL is denied.
ICMP Filtering
You can configure whether or not the firewall sends ICMP reply messages. When set to Enable, the selected interface does not send ICMP reply messages.
Firewall Example
To show how the firewall is applied, we assume the environment shown in the figure below: a firewall sits between the two networks. We explain how security can be activated by configuring the firewall.

Network layout (figure):
  20.0.2.0/24 --- Firewall --- 20.0.1.0/24

Firewall Policy Configuration
When the firewall is located between hosts and the Internet, you can configure the level of security. In this case, you can consider the following security policy.

Deciding the Security Policy
1. All traffic that comes in from outside of the firewall is denied.
2. All traffic that goes out from the internal network to the external network is allowed.
3. All traffic that comes in to the firewall itself, except from the administrator, is denied.
Configuration Using the Configuration-Basic Mode Screen
Deny all traffic that passes through the firewall. If you select *, it refers to all networks. Set both the Source IP and Destination IP items to * (all networks) and set the Target item to Deny. Then click OK to apply the rule. You can view the rule you configured in the Configuration List, as shown in the figure below.
Allow packets if their source address is 20.0.1.0/24. Configure the rule using the Configuration-Basic Mode screen. This allows all traffic that starts from inside the firewall regardless of its destination; in Basic mode you allow the traffic regardless of protocol and port.
Configuration Using the Configuration-Advanced Mode Screen
The rule is applied only when the protocol is TCP or UDP. Allow all TCP and UDP traffic that starts from inside the firewall regardless of its destination. In Advanced mode you can allow the traffic only if its protocol is TCP or UDP.
Remote Access/Default Policy Configuration
The Default Policy is set to Allow by default. Click the Deny radio button to change the Default Policy to Deny. If you change the Default Policy to Deny, a screen where you can enter the administrator's IP address is displayed.

CAUTION: If you enter the administrator's IP address incorrectly, you will be disconnected from the Web Management screen you are using, because the firewall denies your access to the network.
Firewall Policy Modify, Add, Delete
Add a new firewall security policy or delete an existing policy.

Configuring the Security Policy
1. Allow external networks outside the firewall to connect to an internal server.
2. Deny all traffic from a specific user going out to the external network from the internal network inside the firewall.
3. Allow the administrator access to the firewall.

Adding Firewall Rules
Allow the external networks outside the firewall to connect to an internal web server. Allow incoming connections to the internal server regardless of their source addresses. (Assume that the IP address of the server is 20.0.1.200.)
Deny all traffic going out to external networks. Deny outgoing connections to external networks that have a specific source address. (Assume that the IP address of the source is 20.0.1.200.) Click the IP Filtering command. You can also deny specific IP addresses by setting the Target item on the Firewall Configuration screen; however, the rules configured on the IP Filtering screen have a higher priority than the rules configured on the Firewall Configuration screen.
Deny all traffic passing through the firewall that has the source address 20.0.1.201, regardless of its destination.

Allow specific traffic that wants to access the firewall itself. Use the Remote Access command on the Firewall menu and add a rule using the Remote Access configuration screen. (Assume that the IP address of the source is 20.0.1.200.)
You can allow or deny access to the firewall. Enter the source address of the internal or external network.

Deleting a Firewall Rule
To delete a rule(s) from the firewall, check the check box of the rule(s) you want to delete and click Delete.
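The following is an added example, not code from the handbook or from Samsung, that puts the pieces of the example policy above together: forwarded packets are checked against the IP Filtering list before the Configuration list (the handbook states IP Filtering has the higher priority), packets addressed to the firewall itself are checked against the Remote Access Default Policy and the administrator list, and a guard function refuses to switch the Default Policy to Deny when the address of the current Web Management session is not on the administrator list (the lock-out the handbook cautions about). The addresses 20.0.1.0/24, 20.0.1.200 and 20.0.1.201 come from the handbook's example; the function names, data layout and sample packets are assumptions.

```python
import ipaddress


def in_spec(spec, ip):
    """'*' matches every address; otherwise a host or CIDR network
    (the example policy uses only these two input methods)."""
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


# IP Filtering screen: every entry denies packets from that source address.
IP_FILTER_DENY = ["20.0.1.201"]

# Configuration screen (Advanced Mode), in Index No. order; first match wins.
CONFIG_LIST = [
    {"src": "*",           "dst": "20.0.1.200", "dport": 80,  "proto": "TCP", "target": "ALLOW"},  # internal web server
    {"src": "20.0.1.0/24", "dst": "*",          "dport": "*", "proto": "ALL", "target": "ALLOW"},  # inside -> outside
    {"src": "*",           "dst": "*",          "dport": "*", "proto": "ALL", "target": "DENY"},   # catch-all
]


def forward_decision(pkt):
    """Decision for a packet forwarded through the firewall."""
    for denied in IP_FILTER_DENY:          # higher priority than CONFIG_LIST
        if in_spec(denied, pkt["src"]):
            return "DENY (IP Filtering)"
    for rule in CONFIG_LIST:               # sequential, first matching rule decides
        if (in_spec(rule["src"], pkt["src"]) and in_spec(rule["dst"], pkt["dst"])
                and rule["dport"] in ("*", pkt["dport"])
                and rule["proto"] in ("ALL", pkt["proto"])):
            return rule["target"]
    return "NO_MATCH"  # assumption: the handbook does not state the no-match result


def remote_access_decision(src_ip, default_policy, admin_ips):
    """Decision for a packet addressed to the firewall itself (Remote Access screen):
    with Default Policy Deny, only the administrator addresses are allowed."""
    if default_policy == "ALLOW":
        return "ALLOW"
    return "ALLOW" if any(in_spec(a, src_ip) for a in admin_ips) else "DENY"


def safe_to_set_default_deny(session_ip, admin_ips):
    """Guard against locking yourself out: switching the Default Policy to Deny is
    only safe if the address of the current Web Management session would still
    be allowed by the administrator list you are about to apply."""
    return remote_access_decision(session_ip, "DENY", admin_ips) == "ALLOW"


# Constructed sample packets.
WEB_FROM_OUTSIDE = {"src": "20.0.2.7", "dst": "20.0.1.200", "dport": 80, "proto": "TCP"}
SSH_FROM_OUTSIDE = {"src": "20.0.2.7", "dst": "20.0.1.200", "dport": 22, "proto": "TCP"}
BLOCKED_USER = {"src": "20.0.1.201", "dst": "20.0.2.7", "dport": 443, "proto": "TCP"}
OTHER_USER = {"src": "20.0.1.50", "dst": "20.0.2.7", "dport": 443, "proto": "TCP"}

if __name__ == "__main__":
    for name, pkt in (("web from outside", WEB_FROM_OUTSIDE), ("ssh from outside", SSH_FROM_OUTSIDE),
                      ("blocked user", BLOCKED_USER), ("other user", OTHER_USER)):
        print(f"{name:17s} -> {forward_decision(pkt)}")
    # Typo in the administrator address (20.0.1.20 instead of 20.0.1.200): the guard refuses.
    print("safe to apply Deny with typo:", safe_to_set_default_deny("20.0.1.200", ["20.0.1.20"]))
    print("safe to apply Deny correct:  ", safe_to_set_default_deny("20.0.1.200", ["20.0.1.200"]))
```

Because the IP Filtering list is consulted first, a user listed there is denied even though the Configuration list would allow the rest of 20.0.1.0/24 outbound; conversely, an allow rule on the Configuration screen cannot override an IP Filtering entry, so use the Configuration screen's Target item instead when you need finer control.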
ABBREVIATION

A
AS    Autonomous System
ARP   Address Resolution Protocol

B
BPDU  Bridge Protocol Data Unit

C
CTI   Computer Telephony Integration

D
DNS   Domain Name Server

G
GPLIM Gigabit PoE LAN Interface Module
GVRP  GARP VLAN Registration Protocol

H
HTTP  Hypertext Transfer Protocol

I
IGMP  Internet Group Management Protocol
L
LAN   Local Area Network

M
MAC   Media Access Control

N
NAT   Network Address Translation
NTP   Network Time Protocol

P
PD    Powered Device
PoE   Power over Ethernet
PVC   Permanent Virtual Circuit
PVID  Port VLAN Identification

Q
QoS   Quality of Service

R
RMON  Realtime Monitoring
RSTP  Rapid Spanning Tree Protocol

S
SPQ   Strict Priority Queuing
STP   Spanning Tree Protocol
SNMP  Simple Network Management Protocol

T
TFTP  Trivial File Transfer Protocol

V
VLAN  Virtual Local Area Network
VoIP  Voice Over IP
2007 Samsung Electronics Co., Ltd. All rights reserved. Information in this manual is proprietary to SAMSUNG Electronics Co., Ltd. No information contained here may be copied, translated, transcribed or duplicated in any form without the prior written consent of SAMSUNG. Information in this manual is subject to change without notice.