XSR Firewall Feature Set Functionality

Application Level Commands

Command Level Security (CLS) is a special action option that filters individual application commands within several protocols. CLS examines the message type produced by the application being filtered and either passes or drops specific application commands; for example, FTP GETs can be allowed while PUTs are denied. These protocols are supported:

File Transfer Protocol (FTP)

Simple Mail Transport Protocol (SMTP) and NNTP

Hypertext Transfer Protocol (HTTP)

Application Level Gateway

Support is provided for FTP and H.323 version 2, and for Remote Procedure Call (RPC)-based applications. The XSR ALG works with two types of RPC: Sun's (used by most Unix systems) and Microsoft's. The following pre-defined services are available for RPC and can be configured with the ip firewall service-group command:

SunRPCTCP and SunRPCUDP

MsftRPCTCP and MsftRPCUDP

RPC-based links are built in a client-server framework: RPC clients connect to RPC servers. A machine that hosts RPC server applications runs a daemon called the PortMapper, which listens on well-defined TCP and UDP ports: Sun RPC uses 111, Microsoft uses 135. RPC operates as follows:

RPC-based server applications register with the PortMapper, providing their listening port and application identifier. Because identifiers are issued by the IANA, they are unique.

The client connects to the PortMapper and passes the application identifier along.

In return, the PortMapper replies with the server's listening port.

The client then initiates a connection to the server application, using the listening port it received as the destination port.

The XSR's ALG inspects RPC messages between the client and PortMapper, storing the port numbers returned by the PortMapper in a cache. It then allows the client to connect only to the ports that were returned. Once the connection is up, the ALG examines both TCP and UDP traffic.

The XSR ages out an RPC cache entry if the client connection is never made, or if it stays idle beyond the default period. You can change the default with ip firewall {microsoft-rpc | sun-rpc} timeout.

Note: Once you permit RPC sessions between two hosts or networks, all TCP- or UDP-based RPC applications will be able to connect. Enterasys recommends that only TCP-based RPC applications be allowed to pass through the Firewall, because a TCP session is closed as soon as the connection terminates, whereas UDP-based RPC sessions are closed only by timeout and are therefore less secure.

The XSR limits the total number of stored UDP request cache entries, which are also used by other ALGs such as the DHCP relay agent ALG. If no free UDP request cache entries exist, no more RPC-based connections are allowed until entries are freed. Assuming no other UDP packets pass through the Firewall, the maximum number of UDP request cache entries sets the limit on the number of RPC cache entries the system can support.

For each RPC-based connection, two sessions are created. The first is a TCP or UDP session from the client to the PortMapper. The second is the application connection between the RPC client and the server. Both sessions are displayed by the show ip firewall sessions command, and the client-to-PortMapper sessions can be identified by their destination ports of 111 or 135.
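The following Python model illustrates the RPC ALG behaviour described above (the four PortMapper steps, the cache of returned ports, the idle/unused timeout, and the shared UDP request cache limit). It is an added example, not code from the Enterasys XSR product or this manual: the class and function names, the timeout and cache-limit values, the IP addresses and the port numbers 32768/40000/40001 are all constructed for illustration, and the model works on already-decoded values rather than parsing real ONC RPC or MSRPC portmapper messages.

```python
from dataclasses import dataclass, field

# PortMapper listening ports named in the manual: Sun RPC 111, Microsoft RPC 135.
PORTMAPPER_PORTS = {111: "sun-rpc", 135: "microsoft-rpc"}


def is_portmapper_session(dst_port):
    """An RPC client-to-PortMapper session is recognised by its destination port."""
    return dst_port in PORTMAPPER_PORTS


@dataclass
class RpcAlgCache:
    """Toy model of the ALG's cache of ports learned from PortMapper replies.

    `timeout` stands in for the configurable RPC timeout and `max_udp_entries`
    for the shared UDP request cache limit; both values are constructed here.
    """
    timeout: float
    max_udp_entries: int
    # (client_ip, server_ip, proto, port) -> time at which the entry expires
    entries: dict = field(default_factory=dict)

    def expire(self, now):
        """Age out entries whose client connection never came or has gone idle."""
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]

    def udp_entry_count(self):
        return sum(1 for (_, _, proto, _) in self.entries if proto == "udp")

    def learn_from_portmapper_reply(self, now, client_ip, server_ip, proto, port):
        """Step 3: the PortMapper told the client where the server listens; cache it.

        Returns False when no free UDP request cache entry exists, in which case
        the later client-to-server connection cannot be admitted.
        """
        self.expire(now)
        if proto == "udp" and self.udp_entry_count() >= self.max_udp_entries:
            return False
        self.entries[(client_ip, server_ip, proto, port)] = now + self.timeout
        return True

    def admit(self, now, client_ip, server_ip, proto, dst_port):
        """Step 4: allow the client-to-server connection only to a cached port."""
        self.expire(now)
        key = (client_ip, server_ip, proto, dst_port)
        if key not in self.entries:
            return False
        self.entries[key] = now + self.timeout  # activity refreshes the idle timer
        return True


def run_constructed_exchange():
    """Replay a constructed RPC exchange through the model and return each decision."""
    alg = RpcAlgCache(timeout=30.0, max_udp_entries=1)
    client, server = "10.0.0.5", "10.0.0.10"  # constructed addresses
    decisions = {}
    # Client contacts the Sun PortMapper on TCP/111; the reply names TCP port 32768.
    decisions["portmapper_tcp"] = is_portmapper_session(111)
    decisions["learn_tcp"] = alg.learn_from_portmapper_reply(0.0, client, server, "tcp", 32768)
    # Only the returned port is admitted; any other destination port is dropped.
    decisions["connect_learned_port"] = alg.admit(1.0, client, server, "tcp", 32768)
    decisions["connect_other_port"] = alg.admit(1.0, client, server, "tcp", 32769)
    # One UDP reply fills the single UDP request cache entry; a second is refused.
    decisions["learn_udp_first"] = alg.learn_from_portmapper_reply(2.0, client, server, "udp", 40000)
    decisions["learn_udp_second"] = alg.learn_from_portmapper_reply(2.0, client, server, "udp", 40001)
    # With no client connection inside the timeout, the UDP entry has aged out.
    decisions["udp_after_timeout"] = alg.admit(40.0, client, server, "udp", 40000)
    return decisions


if __name__ == "__main__":
    for name, allowed in run_constructed_exchange().items():
        print(f"{name:22s} {'allow' if allowed else 'deny'}")
```

The model makes the manual's two cautions concrete: a UDP entry is released only by the timer, never by a connection teardown, and because UDP entries draw on the same request cache as other ALGs, exhausting that cache blocks further RPC connections even when the RPC policy itself would permit them.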

XSR User’s Guide 16-13
