Security Policies at a Glance | Compatible Systems 5.4 guide

138	Chapter 8 - IntraGuard Firewall Configuration

Security Policies at a Glance:

The following chart shows how each of the 31 protocols is treated by each of the five sets of security policies. The protocol BGPUse, for example, is assigned the security policy None by the Blocked policy set, but it is assigned the security policy Both by the Open policy set.


				SECURITY POLICY
		PROTOCOL	Blocked	Strict	Standard	Lenient	Open

		BGPUse	None	None	None	Both	Both
		BSDUse	None	None	Out	Out	Both

		CompatiViewUse	None	Out	Out	Both	Both

		DNSUse	None	Out	Out	Both	Both

		FTPUse	None	Out	Out	Both	Both

		H323Use	None	None	Out	Out	Both

		ICMPUse	None	None	Out	Out	Both

		IPSecUse	None	Out	Out	Both	Both

		IRCUse	None	None	Out	Out	Both

		LPRUse	None	None	Out	Out	Both

		MailUse	None	Out	Out	Both	Both

		NFSUse	None	None	Out	Out	Both

		NetBIOSUse	None	None	Out	Out	Both

		NewsUse	None	None	Out	Out	Both

		NonIPUse	None	None	Out	Out	Both

		OSPFUse	None	None	Out	Out	Both

		POPUse	None	None	Out	Out	Both

		RIPUse	None	None	Out	Out	Both

		RealAudioUse	None	None	Out	Out	Both

		SunRPCUse	None	None	Out	Out	Both

		TelnetUse	None	Out	Out	Out	Both

		TFTPUse	None	Out	Out	Out	Both

		TunnelUse	None	None	Out	Out	Both

		WebUse	None	Out	Out	Both	Both

		XWinUse	None	None	None	In	Both

		ISAKMPUse	None	Out	Out	Both	Both

		GopherUse	None	Out	Out	Out	Both

		NTPUse	None	None	Out	Both	Both

		OtherTCPUse	None	None	Out	Out	Both

		OtherUDPUse	None	None	Out	Both	Both

		OtherUse	None	None	Out	Both	Both

Image 144

Compatible Systems 5.4 manual Security Policies at a Glance

Contents

CompatiView 5.4 Reference Guide Page Installation and Overview Table of Contents Iii Table of Contents VPN Ports and LAN-to-LAN Tunnels TCP/IP Filtering 183 Ospf Installation and Overview CompatiView Quickstart CompatiView Installation Notes About this ManualSystem Requirements for Windows Selecting IP or IPX Operation with Windows CompatiView’s Menus and Main Windows Device View and the Main Window Device View Right-Clicking in the Device View New Config Open Config FileFile Menu Open Device Download Config to Device Dialog Box Save / Restart Options Save To File SubinterfaceVPN Port Firewall Path Database Menu Options Database Options Dialog BoxGeneral Tab Confirmations Tab Save/Restart Tab Control Menu Advanced Tab Download Software Tftp DownloadRestart Device Output Window Statistics MenuCompatiView Output Window Ethernet WAN StateSerial Statistics PPP Statistics Ospf Configuration IP Route TableIP Routing IPX Route Table Command Line Edit Box Moving and Customizing the Windows View menuCustomize Commands Window MenuCustomize Window View Dialog Box ToolbarsPage TCP/IP Routing Ethernet Configuration Dialog Box TCP/IP Routing Ethernet Dialog BoxIP Routing & Bridging IP Routing/Bridging/Off IP Address Network IP Subnet MaskNetwork IP Broadcast Address Routing Protocol RIP Split Horizon Output RIP Input RIP IP Routing & Bridging Directed Broadcast Ospf TCP/IP Routing WAN Configuration Dialog Box TCP/IP Routing WAN Configuration Dialog Box Numbered Interface Network IP Broadcast Address Update Method RIP Split Horizon TCP/IP Routing VPN Configuration Dialog Box IP Routing & Bridging Options IP Routing/IP Bridging/IP Off IP Address Routing Protocol Update Method Ospf TCP/IP Routing Bridge Configuration Dialog Box Bridge Logical Diagram TCP/IP Routing Bridge 0 Configuration Dialog Box IP Routing/Off Network IP Subnet Mask IP Routing & Bridging Ospf IP Subinterface Dialog Box IP Connection Dialog Box IP Connection Dialog BoxIP On/IP Off IP Address IP Static Routing Dialog Box Destination MaskGateway Metric Redistribute via Ethernet IP Options Bridge IP Options Ethernet or Bridge TCP/IP Options Dialog BoxIP Proxy ARP UDP Forwarding Agents Relays UDP Forwarding Agents Dialog Box WAN IP Options Server IP AddressUDP Ports/Protocols WAN IP Options Dialog Box Send IP Address Configure Request Van Jacobson Header Compression RIP V2 Password TCP/IP Routing OptionsIP Multiprotocol Precedence Dialog Box Protocol Precedence IP Route Redistribution IP Route Redistribution Dialog Box Ospf Route AggregationRIP to Ospf Default into Ospf Ospf to RIPBGP to Ospf BGP to RIP IP Routing & Bridging IPX Routing Ethernet Configuration Dialog Box IPX Routing Ethernet Configuration Dialog BoxIPX Ethernet Frame Types IPX Routing & Bridging IPX Routing/Bridging/Off Seed Status per Frame Type RIP Update Timer SAP Update TimerNetwork Number per Frame Type Block IPX Type 20 Output Packets IPX Routing WAN Configuration Dialog Box IPX Routing WAN Configuration Dialog Box Network Number Optional Remote Node Network Number IPX Routing & Bridging Use Ethernet Port as End-Node Proxy IPX Routing VPN Configuration Dialog Box IPX Routing VPN Configuration Dialog Box IPX Routing/Bridging/Off RIP Update Timer IPX Routing Bridge Configuration Dialog Box IPX Routing Bridge 0 Configuration Dialog Box IPX Frame Types IPX Routing/Off Network Number per Frame Type AppleTalk Routing Ethernet Configuration Dialog Box AppleTalk Phase 1 ConfigurationAppleTalk Routing Ethernet Configuration Dialog Box AppleTalk Routing & Bridging Phase 1 Routing/Bridging/Off Phase 1 Seed Status Phase 1 Net # Phase 1 ZonePhase 1 Node NBP Lookup Filters Filtering AppleTalk Phase 2 Configuration Phase 2 Routing/Bridging/OffPhase 2 Seed Status Phase 2 Net # Range Phase 2 ZonesPhase 2 Default Zone Phase 2 Node AppleTalk Routing WAN Configuration Dialog Box AppleTalk Routing WAN Configuration Dialog Box AppleTalk Routing & Bridging AppleTalk On/Bridging/Off Zone NodeOptional Remote End-Node Network Number AppleTalk Routing VPN Configuration Dialog Box AppleTalk Routing VPN Configuration Dialog BoxOptional Remote End-Node Node Number Optional Remote End-Node Proxy AppleTalk On/Bridging/Off AppleTalk Zone AppleTalk Routing Bridge Configuration Dialog Box AppleTalk Routing Bridge 0 Configuration Dialog Box Phase 1 Routing/Off AppleTalk Routing & Bridging Phase 1 Net # Phase 2 Routing/Off Phase 2 Zones NBP Filtering Configuration Dialog Box NBP FilteringNetwork Filters Zone Filters AppleTalk Options Configuration Dialog Box Phase 2 Aarp Probe Time Main DECnet Routing Configuration Dialog Box Main DECnet Routing Configuration Dialog BoxDECnet Routing & Bridging DECnet On Hello Timer Routing TimerArea DECnet Ethernet Configuration Dialog Box DECnet Routing & Bridging Max Addresses DECnet Ethernet Configuration Dialog Box DECnet Routing/Bridging/Off DECnet WAN Configuration Dialog Box DECnet WAN Configuration Dialog BoxDECnet On/Bridging/Off Hello Timer Add VPN Port Dialog Box Add VPN Port Dialog Box Tunnel Partner VPN Configuration Dialog Box VPN Ports and LAN-to-LAN TunnelsPartner Address Bind To Interface IKE Key Management IKE Key Management Dialog BoxKey Manage Shared Key TransformPerfect Forward Secrecy IKE Configuration Dialog Box Authentication101 Encryption Enable Authentication Authentication MethodAuthentication Secret Manual Key Management Interoperability Settings Dialog Box Enable Encryption103 Encryption Method Local and Peer Settings Interoperability Settings Dialog BoxMode Local / Access Peer / Access105 Local / Protocol Peer / Port 107 108 VPN Group Configuration Dialog Box VPN Group Configuration Dialog Box and General TabVPN Client Tunnels 109 VPN Group Configuration General Tab VPN Client Tunnels 111 Inactivity Timeout SLA Enable ClientMinimumVersion Exclude Local LAN VPN Group Configuration IKE Configuration Tab VPN Group Configuration IKE Configuration Tab VPN Client Tunnels 113 Save Secrets VPN Group Configuration Manual Tab VPN Group Configuration Manual Tab VPN Group Configuration IP Connection Tab VPN Group Configuration IP Connection TabVPN Client Tunnels 115 Start IP Address Local IP Net Assign IP Radius VPN Client Tunnels 117 Allow Connections To AddAdd IP Address Dialog Box Edit VPN Group Configuration IP Filters Tab VPN Config IP Filters TabInput Filters Output Filters VPN Group Configuration IPX Connection Tab VPN Config IPX Connection TabVPN Client Tunnels 119 Local IPX Net VPN Group Configuration IPX Filters Tab VPN Group Configuration IPX Filters TabAssign IPX Radius VPN Group Configuration Rollover Tab VPN Group Configuration Rollover TabVPN Client Tunnels 121 Input Filters Alternate IntraPort Addresses VPN Group Configuration SecurID Tab VPN Group Configuration SecurID TabSecurID Required SecurID User Name VPN Group Configuration DNS Redirection Tab VPN Group Configuration Wins Redirection Tab VPN Group Configuration Wins TabAdd Local Domain Dialog Box Local Domain Name VPN User Configuration Dialog Box VPN User Configuration Dialog BoxVPN Client Tunnels 125 STEP/STAMP Authentication Secret VPN User Dialog BoxName VPN Group IKE Policy VPN Client Tunnels 127 STEP/STAMP Encryption SecretIKE Policy Global Dialog Box IPSec Gateway Configuration Dialog Box IPSec Gateway Dialog BoxIPSec Gateway VPN Client Tunnels 129 130 IntraGuard Firewall Configuration 131 Settings FirewallPath Dialog Box IntraGuard Firewall ConfigurationInterfaces Inside/Outside 133 ‘AND’ Filters‘OR’ Filters Advanced Settings Firewall Path Dialog Box ResetRedirectsSendTCPReset Advanced Options SendICMPReset 135SynRejectOnly ICMPtoTCPsession Security Policies Firewall Path Dialog Box Current Security Policy 137 Security Policies at a Glance Security Policy Protocol Setting Dialog Box Security Policy Protocol Setting Dialog Box139 Policy 140 141 Allow Ports/Protocols Dialog Box Port/ProtocolPort/Protocol Number Firewall Logging Dialog Box 143Firewall Logging Dialog Box IP Timeouts TCP TimeoutsTCP Resets Rejects Icmp Resets 145Redirects General Firewall Settings Dialog Box Firewall Settings Dialog BoxSYN Timer FIN Timer TCPTimeout UDPTimeoutHalfShutTimer DynamicTimerPage Global Bridging Configuration Dialog Box Bridging 149 Bridging Bridge OnLearning/IEEE Spanning Tree Table Size Fwd Delay Spanning Tree Bridging 151 Aging TimePriority Spanning Tree Max Age Spanning Tree Interface Configuration Dialog Box Bridging 153 Bridging On PriorityPath Cost Spanning Tree Exclude Non-Routed Protocols Link Configuration WAN Dialog Box Link Configuration WAN Dialog BoxWAN Link Protocols 155 WAN On WAN Link Protocols Link TypeFailover Type Backup Port TimersWAN Link Protocols 157 Allow Dial Out Allow Dial Always Keep Link UpDrop Link If Inactive For Dialing Method WAN Link Protocols 159 Dial-Out / Connect ScriptDial-back Script Retry Delay Setting Script TimeoutDialing Retries / Connect Retries Failover Timers Configuration Dialog Box Backup Enable TimerBackup Disable Timer Backup Init Timer Frame Relay Configuration Dialog Box Frame Relay Configuration Dialog BoxMaintenance Protocol WAN Link Protocols 163 Polling Frequency Home Dlci Dlci Database Configuration Dialog Box Dlci Entry Dialog Box Dlci Database Dialog Box WAN Link Protocols 165 Dlci #AppleTalk Address Chap Configuration Dialog Box Chap Configuration Dialog BoxIPX Address DECnet Address Request Chap Authentication WAN Link Protocols 167Respond to Chap Challenges PAP Configuration Dialog Box PAP Configuration Dialog BoxSecret Request PAP Authentication WAN Link Protocols 169Respond to PAP Requests Password Smds Dialog BoxSmds Dialog Box Station Address PPP Options Dialog Box WAN Link Protocols 171 IP MulticastPPP Options Dialog Box PPP Link Quality Configuration Dialog Box Sequenced Predictor CompressionEcho Packets On LCP Options Configuration Dialog Box LCP Options Configuration Dialog BoxWAN Link Protocols 173 Frequency in Seconds Echo Packets Multilink PPP Dialog Box Address/Control CompressionProtocol Compression Enable WAN Link Protocols 175Mppp Bundle Name Linked Ports WAN Chat Script Editor Dialog Box MPQualWAN Chat Script Editor Dialog Box WAN Link Protocols 177 Chat Script Editor Dialog Box Buttons & ControlsChat Script Rules and Syntax 178 WAN Link Protocols 179 To connect to an Internet Service Provider using a modem Chat Script Examples User Authentication Database Dialog Box WAN Link Protocols 181 Password/Secret Remote NameInterfaces Dial-back Chat Main TCP/IP Filtering Dialog Box TCP/IP Filtering 183Route Filters Button Packet Filters Button TCP/IP Filter Editor Window TCP/IP FilteringBlock IP Source Routing Log Rejected Source-Routed Packets TCP/IP Route Filter Rules Basic IP Route Filter Rules and Syntax TCP/IP Filtering 187 IP Route Filter Rule Options IP Route Filter Rule Modifiers TCP/IP Packet Filter Rules IP Route Filter Rule NotificationIP Route Filter Rule Examples TCP/IP Filtering 189 Basic IP Packet Filter Rules and Syntax IP Packet Filter Rule Operators and Port Names TCP/IP Filtering 191 TCP Ports Icmp Types IP Packet Filter Rule Modifiers TCP/IP Filtering 193 UDP IP Packet Filter Rule Notification Simple IP Packet Filter Rule Examples TCP/IP Filtering 195 IP Packet Filter Rule Set Examples Interface TCP/IP Packet Filtering Configuration Dialog Box TCP/IP Packet Filtering Bridge Dialog Box Main IPX Filtering Configuration Dialog Box Main IPX Filtering Dialog BoxIPX Filtering 197 IPX Route Filters IPX Filter Editor Window IPX FilteringIPX Filter Editor Window Filter Editor Window Buttons and Controls IPX Packet Filter Rules IPX Filtering 199Basic IPX Packet Filter Rules and Syntax IPX Packet Filter Options IPX Filtering 201 IPX Packet Filter Rule Notification IPX Route Filter Rules IPX Packet Filter Rule Examples IPX Filtering 203 Basic IPX Route Filter Rules and Syntax IPX Route Filter Rule Options IPX Route Filter Rule Modifiers IPX SAP Filter Rules IPX Filtering 205IPX Route Filter Rule Notification IPX Route Filter Rule Examples Basic IPX SAP Filter Rules and Syntax IPX SAP Filter Options IPX Filtering 207 IPX SAP Filter Rule Modifiers IPX SAP Filter Rule NotificationIPX SAP Filter Rule Examples Interface IPX Packet Filtering Configuration Dialog Box IPX Filtering 209 210 Main AppleTalk Filtering Editor Window AppleTalk Filtering 211Main AppleTalk Filter Editor Window AppleTalk Packet Filter Rules AppleTalk FilteringGeneral Packet Filtering AppleTalk Filtering 213 Get Zone ListRouting Filters Rtmp Basic AppleTalk Filter Rules and Syntax 214 AppleTalk Filtering 215 Simple AppleTalk Packet Filter Rule Examples AppleTalk Get Zone List Filter Rule Set ExamplesAppleTalk Rtmp Filter Rule Set Examples Interface AppleTalk Filtering Configuration Dialog Box AppleTalk Filtering 217Input Rtmp Filters Output Rtmp Filters Zone List FiltersInput Packet Filters Output Packet Filters Physical RS-232 Configuration WAN Dialog Box Physical RS-232 Configuration WAN Dialog BoxGeneral 219 Async/Sync Tx Clock Internal Sync Only Baud RateFlow Control Async Only Physical T1 WAN Configuration Dialog Box General 221Clock Scheme Fractional T1 Enabled FramingLine Encoding Start Channel & Number of Channels General 223 Contiguous Channels or Alternate Channels Channel Data RateInvert Data PRM Transmit Physical V.35 Configuration WAN Dialog Box Tx Clock Internal Physical DS3 Configuration WAN Dialog Box General 225 System Configuration Dialog Box System Configuration Dialog BoxBandwidth Allocation Confirm Password Enable PasswordConfirm Enable Password General 227 Snmp Configuration Snmp System Info Configuration Dialog BoxName of Administrator and How to Contact Administrative Name Advanced Snmp Configuration Dialog Box Snmp EnabledSets Enabled Traps Enabled Snmp Community Strings Configuration Dialog Box Snmp Community Strings Configuration Dialog BoxCommunity String Snmp Traps Configuration Dialog Box General 231 AccessSnmp Traps Dialog Box Host IP Address Domain Name Server DNS Dialog Box Domain Name Server Dialog BoxPrimary DNS Server Secondary DNS Server Search Order Time Server Configuration Dialog Box Time Server Dialog BoxGeneral 233 Add TCP/IP DNS Server Backup IP Address ProtocolOffset from Server Radius Configuration Dialog Box Radius Configuration Dialog BoxGeneral 235 Authentication Port AccountingAccounting Port VPN Real IP Address VPN Authentication PAP Authentication SecretGeneral 237 VPN Tunnel Secret VPN Group Info Use Secret in Checksum Secondary Server IP AddressSecondary Server Retries SecurID Configuration Dialog Box Enable SecurIDGeneral 239 Port Backup Server Timeout NAT Configuration Dialog Box NAT Configuration Dialog Box New Button Modify ButtonGeneral 241 Internal Range External RangePassThru Range Addresses General 243 TCP Timeout UDP TimeoutTCP Syn Timeout TCP Fin Timeout NAT Range Dialog Box NAT Range Dialog Box NAT Mapping Dialog Box General 245NAT Mapping Dialog Box NAT Range Dialog Box Internal IP address NAT Mapping Translation Pair Examples Logging Configuration Dialog Box Logging Configuration Dialog BoxGeneral 247 Logging On Send Log to Aux Port Syslogd OnIP Address Syslogd On Only File Syslogd On Only Ldap Configuration Ldap Server Dialog BoxGeneral 249 Ldap Server Dialog Box Ldap Config Name Enable LdapPrimary Server Primary Password Add Ldap Server Dialog Box General 251 Secondary Server Secondary Password Base Ldap Authentication Dialog Box Ldap Authentication Dialog BoxEnable Ldap Authentication General 253 Primary Server Primary Password Secondary Server Secondary PasswordVPN Group Attribute VPN Shared Secret Attribute 254 Ospf Dialog Box Ospf 255Ospf Dialog Box Ospf Enabled OspfArea ID Cost Ospf Area Ospf Area Dialog Box Add Ospf Area Dialog Box Ospf Authentication Type Enable Stub AreaStub Default Cost Ospf 259 Ospf Area Name Ospf Virtual Link Net Range Dialog Box Enable Virtual Link Ospf 261Ospf Virtual Link Dialog Box Add Ospf Virtual Link Dialog Box Virtual Transit Delay Ospf Packet Authentication KeyTransit Area Virtual Retransmission Enable BGP BGP 263BGP General Dialog Box BGP General Dialog Box BGP Aggregates Dialog Box BGPBGP Local Preference Use IPR Filters BGP Peer Configs Dialog Box BGP Peer Configs Dialog BoxBGP 265 Add BGP Aggregate Dialog Box BGP Peer Config Name Enable Ebgp MultihopInput Route Map Output Route Map IP Loopback Dialog Box BGP Peers Dialog Box IP LoopbackBGP Peers Dialog Box Add BGP Peer Dialog Box BGP Route Maps Editor Dialog Box BGP 269 BGP Route Maps Dialog Box BGP Route Map Editor Dialog Box Buttons & Controls BGP Route Mapping Rules BGP 271Enter Data Dialog Box Action Direction Options/Output Modifiers BGP 273 Special Communities Options/Input Modifiers BGP Networks BGP Networks Dialog BoxBGP Network Dialog Box BGP 275 Subnet Mask 276 Appendices 277 IP Addresses Chart 1 IP Address Classes Chart 2 Standard IP SubnetsAppendices Subnet Masks Chart 3 Subnetted Class C Host Ranges Appendices 279Broadcast Addresses Chart 4 Broadcast Address Examples Assigning an IP addressAssigning a Subnet Mask Assigning a Broadcast Address IPX Appendices 281 Static Routes & Routing ProtocolsIPX Routing Basics 282 Service Advertising Protocol Appendices 283Client Machine Addressing AppleTalk AppleTalk Routing Basics Appendices 285 Non-extended and Extended AppleTalk NetworksSeeding a Network Segment Probing Zones Router Autoconfiguration BridgingAppendices 287 Bridging Basics Transparent Bridging Spanning Tree Bridging Multiport Bridges/Switches and Bridge Groups Appendices 289Simple Bridging Example Bridge Groups on a Multiport Router Frame Relay Appendices 291Virtual Circuits Addressing Local & Global DLCIs Local Management Interface LMIEncapsulation and Fragmentation Network/Protocol Addressing and Virtual Interfaces Appendices 293 Frame Relay ExampleFrame Relay Example Page Symbols Index 295 Index Index 297 IPX Index 299 TCP/IP See also, TCP/IP Index 301 NAT Index 303 RIP UDP Index 305 Dlci Index 307 Radius