Using a Firewall General Configuration Guide



1 Contents

There are no satellite-specific configuration issues to address when installing a firewall, so this document looks instead at some of the more popular commercially available software and hardware firewall implementations that might be used with an Inmarsat service.

2 Introduction

Any always-on Internet connection is a potential target for attackers. This is not a satellite-specific issue but a problem for any computer or network that is permanently connected to the Internet. The obvious way to address the risk is to equip your computer or network with some form of user-provided firewall. A remote network will typically use a scaled-down version of the type of hardware firewall that large corporate networks use, whereas a software (host-based) firewall is ideal for a single remote user where portability is paramount.

All firewall software gives at least the most basic protection: it blocks unauthorised inbound access to the PC, on any port number, from the Internet. In "stealth mode" the PC does not respond at all to an unsolicited packet (no TCP reset and no ICMP port-unreachable is sent back), so to a port scanner it appears not to exist; all unsolicited inbound connection attempts are dropped regardless of source. Outbound connections are tracked in a state table, and only replies belonging to a connection that the PC itself opened are permitted back in.

Firewalls can also filter outbound connections (from the PC to the Internet). Some viruses and Trojans (see the section on viruses in the Inmarsat document, Install a Firewall Background Information) try to make surreptitious outbound connections, sometimes to transfer information such as passwords or credit-card data and sometimes to let someone else connect to the PC through a back door. Anti-virus software reduces the chance of such malware running, but it does not remove the need for outbound filtering: the two are complementary layers, and an outbound rule is often the only thing that stops malware for which the scanner has no signature yet.

If you are in doubt about the protection your firewall offers, there is a web-based utility at http://www.pcflank.com/ which tests firewalls (benignly, fortunately). Connect to the site and check your protection on-line.
3 Software firewalls

3.1 Agnitum Outpost

This is an example of a software firewall, shown here with all the logical protocol connections running under Windows 2000 Professional while downloading a file via Regional BGAN. Outpost can be downloaded from http://agnitum.com/.

Built-in firewall profiles are pre-set to model the safe behaviour of download managers (e.g. FTP), web browsers (HTTP), standard Microsoft Office products and so on. All NetBIOS activity can be blocked. Additional add-ins support the blocking of content such as web-site adverts, ActiveX controls, JavaScript, pop-up windows, cookies and potentially malicious e-mail attachments. An optional DNS server is also provided. There is also an attack detector, which monitors and logs any connection requests to your PC from unauthorised sources. This software firewall also offers the full stealth mode described above.

Whenever a new IP or NetBIOS connection is requested, the firewall prompts the user to confirm whether the connection type, port number and application are authorised (see the prompt below). As can be seen from the software firewall's Allowed list (below), every parameter of a connection can be set up in the customised rules wizard to be allowed or blocked according to protocol, direction, remote IP address, local port number, remote port number and application name.

These rules can be modified and updated at will as more is learned about the behaviour of your applications.

3.2 ZoneAlarm

Other software firewalls, such as ZoneAlarm from Zone Labs, can be downloaded from http://www.zonelabs.com/. This firewall is similar to Outpost; an example of how it presents its rules is shown below. Each known application can be permitted access to the Internet zone or to the trusted intranet zone. The firewall learns the user's profile of common applications and has built-in profiles for easy initial set-up. Application permissions can thereafter be added and deleted under user control, and unknown connections are flagged to the user, who can either add them to the permitted applications or block them. Unexpected connections or attacks, which are clearly not genuine applications, are reported to the user via an alert window as shown below.
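The two mechanisms described so far, the stateful inbound filter with stealth mode from the Introduction and the per-connection rule parameters (protocol, direction, remote address, local port, remote port, application) of Outpost and ZoneAlarm, can be modelled in a few dozen lines. The following Python simulation is an added example and is not code from the Inmarsat guide or from either product. The addresses, ports, program names and rule set are constructed for illustration, and the rule engine (rules evaluated top to bottom with first match winning, unmatched programs prompting the user) is an assumption about how such firewalls behave, not a description of either vendor's implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# NetBIOS name/datagram/session ports plus direct-hosted SMB (445), which a
# personal firewall normally refuses to let out onto the Internet at all.
NETBIOS_PORTS = {137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    direction: str             # "in" (Internet -> PC) or "out" (PC -> Internet)
    remote_ip: str
    local_port: int
    remote_port: int
    app: Optional[str] = None  # process that generated an outbound packet
    syn: bool = False          # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    """One line of an Outpost-style Allowed/Blocked list. A field left as None
    is a wildcard, so a rule constrains only the parameters that are filled in."""
    action: str                        # "allow" or "block"
    app: Optional[str] = None
    proto: Optional[str] = None
    remote_net: Optional[str] = None   # CIDR, e.g. "198.51.100.0/24"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.app is not None and self.app != pkt.app:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.remote_net is not None and ip_address(pkt.remote_ip) not in ip_network(self.remote_net):
            return False
        if self.local_port is not None and self.local_port != pkt.local_port:
            return False
        if self.remote_port is not None and self.remote_port != pkt.remote_port:
            return False
        return True


FlowKey = Tuple[str, str, int, int]


class PersonalFirewall:
    def __init__(self, rules: List[Rule], block_netbios: bool = True) -> None:
        self.rules = list(rules)            # evaluated top to bottom, first match wins
        self.block_netbios = block_netbios
        self.flows: Set[FlowKey] = set()    # state table: connections this PC opened

    @staticmethod
    def _key(pkt: Packet) -> FlowKey:
        return (pkt.proto, pkt.remote_ip, pkt.local_port, pkt.remote_port)

    def process(self, pkt: Packet) -> str:
        return self._inbound(pkt) if pkt.direction == "in" else self._outbound(pkt)

    def _inbound(self, pkt: Packet) -> str:
        # Only a reply to a tracked outbound flow is admitted. A SYN arriving on
        # a tracked 4-tuple is still a fresh connection attempt and is refused.
        if self._key(pkt) in self.flows and not pkt.syn:
            return "allow"
        # Stealth mode: unsolicited packets are dropped silently (no TCP RST and
        # no ICMP port-unreachable go back), so a port scanner sees no host.
        return "drop"

    def _outbound(self, pkt: Packet) -> str:
        if self.block_netbios and pkt.remote_port in NETBIOS_PORTS:
            return "block"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.flows.add(self._key(pkt))   # remember it so the reply gets back in
                return rule.action
        # No rule covers this program/connection: prompt the user, which is what
        # Outpost and ZoneAlarm do for an unknown application.
        return "ask"


def demo() -> List[str]:
    """Run a constructed packet sequence through a constructed rule set."""
    fw = PersonalFirewall([
        # A block rule placed first wins over the browser's allow rules below it.
        Rule("block", remote_net="198.51.100.0/24"),
        Rule("allow", app="browser.exe", proto="tcp", remote_port=80),
        Rule("allow", app="browser.exe", proto="tcp", remote_port=443),
    ])
    packets = [
        Packet("tcp", "out", "203.0.113.10", 49152, 80, app="browser.exe", syn=True),   # browser opens a page
        Packet("tcp", "in",  "203.0.113.10", 49152, 80),                                # the server's reply
        Packet("udp", "in",  "203.0.113.10", 49152, 80),                                # same tuple, wrong protocol
        Packet("tcp", "in",  "198.51.100.7", 135, 40000, syn=True),                     # unsolicited probe of port 135
        Packet("tcp", "out", "198.51.100.7", 49153, 80, app="browser.exe", syn=True),   # browser to a blocked network
        Packet("tcp", "out", "192.0.2.55", 49154, 6667, app="updater.exe", syn=True),   # unknown program phoning home
        Packet("udp", "out", "203.0.113.255", 137, 137, app="System"),                  # NetBIOS name query leaking out
        Packet("tcp", "in",  "203.0.113.10", 49152, 80, syn=True),                      # SYN on the tracked tuple
    ]
    # Expected: ['allow', 'allow', 'drop', 'drop', 'block', 'ask', 'block', 'drop']
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two details are worth noting. Stealth mode is a drop, not a reject: sending a reset or an ICMP error would confirm to a scanner that a host is present. And the state table is keyed on the full protocol/address/port tuple, so a reply is only admitted when it matches a connection the PC opened on that exact tuple, which is why the UDP packet to the same ports and the late SYN are both refused.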

4 Hardware firewalls

4.1 General

Many commercial off-the-shelf routers and gateways now come with built-in firewalls, VPN support and so on. If the routing functions of such a device work over the satellite link, the other functions, in particular the firewall and network access management, will generally work as well. They must still be switched on, configured and tested, however: correct packet forwarding says nothing about whether the filtering policy is in force. Some examples of typical compact hardware firewalls are described below.

4.2 Symantec

Symantec Firewall/VPN appliances are integrated hardware and software systems that provide secure connections via the Internet. They offer remote sites a method of securing inbound and outbound web, e-mail, FTP and other network traffic, and provide firewall protection and VPN access for satellite locations and branch offices. The appliance uses a stateful packet inspection (SPI) firewall to filter traffic to and from the Internet, and IPsec VPN technology to provide the gateway-to-gateway authentication, confidentiality and integrity protection required for data crossing public connections. The VPN Global Tunnel feature provides traffic control and tunnelling between local sites and the central office or ISP.

4.3 Netgear

The NETGEAR ProSafe Firewall/Print Servers provide Denial of Service (DoS) protection and intrusion detection using stateful packet inspection (SPI), URL access and content filtering, logging, reporting and real-time alerts. VPN pass-through lets IPsec and PPTP VPN clients on the LAN reach an external VPN gateway through the NAT; the appliance passes the encrypted traffic but does not terminate the tunnel or encrypt anything itself. A built-in print server is available. With four auto-sensing, switched LAN ports and Network Address Translation (NAT) routing, up to 253 users can share your Inmarsat connection at the same time. There is also a 100 Mbps WAN port for high-speed services. Software tools are provided to assist in getting a network up and running.

4.4 Cisco PIX 501

The Cisco PIX 501 Firewall provides security for small offices and teleworkers. Suitable for securing high-speed, always-on broadband environments (such as Regional BGAN), it provides security capabilities, small-office networking features and remote management. The PIX 501 includes stateful packet inspection (SPI) firewalling, virtual private networking (VPN) and intrusion protection. It uses the Cisco Adaptive Security Algorithm (ASA) and the PIX operating system, and administrators can enforce customised policies on network traffic traversing the firewall. The PIX 501 can also secure communications from remote offices to corporate networks across the Internet using Internet Key Exchange (IKE)/IPsec VPN capabilities. It supports data encryption with 56-bit Data Encryption Standard (DES) or, optionally, 168-bit Triple DES (3DES). Note that 56-bit DES can be brute-forced with modest resources and should not be relied on for confidentiality: use the 3DES option, or AES where the software supports it.

4.5 SMC Barricade

The SMC Barricade is another popular hardware firewall/router which provides an Internet firewall, print serving and Network Address Translation for up to 253 PCs on your LAN. It also features four 10/100 Mbps RJ-45 LAN ports, a WAN port, a DB-25 printer port and a DHCP server. There is also a DB-9 serial port for PSTN/ISDN dial-up connections. The Barricade also supports VPN. The print server can be accessed from any PC on the network. Configuration and management are web-based.

5 Active content protection and network access controls

5.1 SurfinGuard

Other software products create a safe sandbox within which active content or PC applications can operate and from which any suspicious behaviour is reported for user approval. These are complementary to virus-checking software, as the protection offered does not completely overlap: a scanner recognises known malicious code, whereas a sandbox constrains what unknown code is allowed to do.
One such application is SurfinGuard from Finjan Software, downloadable from http://www.finjan.com/. SurfinGuard flags any active content arriving from the Internet. This flagged content is forced to run in SurfinGuard's sandbox, where it is monitored for security breaches. The user can set various protection levels, as shown below.

Any active content downloaded from the web before SurfinGuard was installed can still be forced to run in the sandbox by dragging it onto a desktop Safe Zone icon or by using a Run Safe menu option. Be aware that many ordinary applications trigger a security-breach report when run inside the sandbox, because their normal operation looks suspicious to it (for example the Microsoft Word executable, winword.exe, reads and writes the registry and files as part of its normal operation); such reports are false positives arising from the program's own behaviour, not evidence of compromise.

5.2 NetNanny

Other popular content-control software is available, such as NetNanny, which applies web filtering by means of blacklists and whitelists. It is downloadable from http://www.netnanny.com/. It supports the latest browser software and can match keywords to block undesired URLs. You can block pop-up windows and cookies; although this is also possible through Internet Explorer 6, for example, NetNanny additionally enforces time limits for individual account holders and can block some popular web messenger clients. Detailed user access reports are also captured. One feature that may be useful in the Internet café application is a kiosk mode for PCs shared by members of the public. When any content or URL is detected (including words in an Internet chat session) which breaches the configured content or security guidelines, a warning message is displayed and an administrator is given the opportunity to log in. See below.
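The blacklist, whitelist and keyword matching described for NetNanny come down to a small decision procedure, shown here as an added Python example that is neither NetNanny's code nor part of the Inmarsat guide. The domain lists, keywords and URLs are constructed; the precedence (an explicit whitelist entry beats the blacklist and the keyword scan) and the whole-token keyword matching are design choices made here, not a description of NetNanny's behaviour.

```python
import re
from typing import Iterable, List, Set, Tuple
from urllib.parse import unquote, urlsplit


class UrlFilter:
    """Allow/deny URL filter with a whitelist, a blacklist and keyword matching."""

    def __init__(self, whitelist: Iterable[str], blacklist: Iterable[str],
                 keywords: Iterable[str]) -> None:
        self.whitelist = {h.lower().strip(".") for h in whitelist}
        self.blacklist = {h.lower().strip(".") for h in blacklist}
        self.keywords = {k.lower() for k in keywords}

    @staticmethod
    def _host_listed(host: str, listing: Set[str]) -> bool:
        # A listed domain covers itself and every subdomain, so "badsite.example"
        # also catches "www.badsite.example". A plain substring test would wrongly
        # match "notbadsite.example" as well, so compare on label boundaries.
        labels = host.split(".")
        return any(".".join(labels[i:]) in listing for i in range(len(labels)))

    def check(self, url: str) -> Tuple[str, str]:
        """Return ("allow" or "block", reason) for one URL."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").strip(".").lower()
        if not host:
            return "block", "no host name"
        # An explicit whitelist entry beats both the blacklist and the keyword
        # scan; otherwise a legitimate site with an unlucky page name gets blocked.
        if self._host_listed(host, self.whitelist):
            return "allow", "whitelisted host"
        if self._host_listed(host, self.blacklist):
            return "block", "blacklisted host"
        # Keyword scan over host, path and query. Percent-encoding is removed
        # first so "c%61sino" cannot slip past, and matching is on whole tokens
        # so the keyword "bet" does not block "alphabet.com".
        text = " ".join([host, unquote(parts.path), unquote(parts.query)]).lower()
        tokens = set(re.findall(r"[a-z0-9]+", text))
        hit = tokens & self.keywords
        if hit:
            return "block", "keyword: " + sorted(hit)[0]
        return "allow", "no match"


def demo() -> List[str]:
    """Evaluate a constructed list of URLs against constructed lists and keywords."""
    f = UrlFilter(whitelist=["bbc.co.uk"], blacklist=["badsite.example"],
                  keywords=["bet", "casino"])
    urls = [
        "http://news.bbc.co.uk/sport/betting-odds",  # whitelisted host: allowed regardless of path
        "https://www.badsite.example/index.html",    # subdomain of a blacklisted host
        "http://alphabet.com/about",                 # "alphabet" is not the token "bet"
        "http://example.org/play?game=CASINO",       # keyword in the query string, any case
        "http://example.org/play?game=c%61sino",     # percent-encoded keyword
        "example.net/contact",                       # scheme-less URL, nothing objectionable
    ]
    # Expected: ['allow', 'block', 'allow', 'block', 'block', 'allow']
    return [f.check(u)[0] for u in urls]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The filter only ever sees the URL, so a page whose address is innocuous but whose content is not will pass; that is why products of this kind combine URL lists with content keyword scanning of the page itself, and why the lists need regular updates to keep up with mirror sites and renamed hosts.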

Inmarsat Customer Services & Operations