Command Reference Guide Global Configuration Mode Command Set
61200510L1-35E Copyright © 2005 ADTRAN 414
Functional Notes
This command enables firewall processing for all interfaces with a configured policy class. Firewall
processing consists of the following functions:
Attack Protection: Detects and discards traffic that matches profiles of known networking exploits or
attacks.
Session Initiation Control: Allows only sessions that match traffic patterns permitted by access-control
policies to be initiated through the router.
Ongoing Session Monitoring and Processing: Each session that has been allowed through the router is
monitored for any irregularities that match patterns of known attacks or exploits; such traffic is dropped.
Also, if NAT is configured, the firewall modifies all traffic associated with the session according to the
translation rules defined in NAT access policies. Finally, if a session is inactive for a user-specified
amount of time, the firewall closes the session.
Application Specific Processing: Certain applications need special handling to work correctly in the
presence of a firewall. AOS uses application-level gateways (ALGs) for these applications.
The AOS includes several security features to provide controlled access to your network. The following
features are available when security is enabled (using the ip firewall command):
1. Stateful Inspection Firewall
The AOS (and your unit) act as an ALG and employ a stateful inspection firewall that protects an
organization's network from common cyber attacks including TCP SYN flooding, IP spoofing, ICMP redirect,
land attacks, ping-of-death, and IP reassembly problems. In addition, further security is added with use of
Network Address Translation (NAT) and Port Address Translation (PAT) capability.
2. Access Policies
AOS access control policies (ACPs) are used to allow, discard, or manipulate (using NAT) data for each
physical interface. Each ACP consists of a selector (access list) and an action (allow, discard, NAT).
When packets are received on an interface, the configured ACPs are applied to determine whether the
data will be processed or discarded.
3. Access Lists
Access control lists (ACLs) are used as packet selectors by ACPs; by themselves they do nothing. ACLs
are composed of an ordered list of entries. Each entry contains two parts: an action (permit or deny) and
a packet pattern. A permit entry allows packets that meet the specified pattern to enter the router
system. A deny entry does not drop the packet; it advances the AOS to the next access policy entry. The
AOS provides two types of ACLs: standard and extended. Standard ACLs allow source IP address packet
patterns only. Extended ACLs may specify patterns using most fields in the IP header and the TCP or UDP
header.
Usage Examples
The following example enables the AOS security features:
(config)#ip firewall
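The evaluation order described under Access Policies and Access Lists above, as an added Python model that is not AOS code and not part of this guide: ACP entries are walked in order, a permit match applies the entry's action, a deny match only advances to the next entry, and a packet no entry selects is discarded (the implicit ACL deny and the final discard are assumptions of the model; only standard, source-address ACLs are modelled).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of how an access policy (ACP) consults its access lists
# (ACLs). It exists only to show the evaluation order the text describes.


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    source: str   # source-address pattern in CIDR form, e.g. "10.1.1.0/24"

    def matches(self, src_ip: str) -> bool:
        return ip_address(src_ip) in ip_network(self.source, strict=False)


@dataclass
class Acl:
    name: str
    entries: list  # ordered AclEntry objects, evaluated top to bottom

    def lookup(self, src_ip: str) -> str:
        """Return the action of the first entry whose pattern matches.
        Assumption: a list that matches nothing behaves as an implicit deny."""
        for entry in self.entries:
            if entry.matches(src_ip):
                return entry.action
        return "deny"


@dataclass
class PolicyEntry:
    action: str   # "allow", "discard" or "nat"
    acl: Acl      # the selector for this ACP entry


def apply_policy(policy: list, src_ip: str) -> str:
    """Walk the ACP entries in order. A permit result applies the entry's
    action; a deny result does not drop the packet but advances to the next
    entry. Assumption: a packet no entry selects is discarded."""
    for entry in policy:
        if entry.acl.lookup(src_ip) == "permit":
            return entry.action
    return "discard"


# Constructed sample policy: discard one host, NAT the rest of the LAN.
BLOCKED = Acl("blocked-host", [AclEntry("permit", "10.1.1.50/32")])
LAN = Acl("lan", [AclEntry("deny", "10.1.1.50/32"),
                  AclEntry("permit", "10.1.1.0/24")])
PRIVATE_POLICY = [PolicyEntry("discard", BLOCKED), PolicyEntry("nat", LAN)]
ANY = Acl("any", [AclEntry("permit", "0.0.0.0/0")])
```

Calling apply_policy(PRIVATE_POLICY, "10.1.1.7") selects the NAT entry, while the blocked host hits the discard entry first and an address outside the LAN falls through every entry.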