XSR Firewall Feature Set Functionality

Figure 16-12 illustrates the process by which a user accesses a server after authentication by the XSR firewall, as explained below:

1. A user Telnets to the firewall, presenting a name and password.

2. The XSR’s AAA functionality queries an authentication server or consults a local database, based on the user’s credentials.

3. If authentication is successful, AAA informs the firewall engine of the user’s source IP address, and an authentication entry is created within the firewall engine.

4. Policy rules specified for the firewall allow the user access to a server after consultation with the firewall engine’s authentication cache.

Authentication failures are tracked using logs or traps, and entries time out after a period of inactivity. If authentication fails, all packets from that source IP that match policy rules with allow-auth are dropped.
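The four-step sequence above, modelled as an added Python example (not code from the Enterasys manual or from the XSR itself): AAA results populate a cache keyed by source IP, allow-auth rules consult that cache, failures are logged, and entries expire after an idle timeout. The function names, the 300-second timeout, the default deny when no rule matches and the addresses are this example’s own assumptions.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 300  # seconds of inactivity before a cache entry times out (assumed value)

@dataclass
class FirewallEngine:
    rules: list                                     # [(server_ip, action), ...] in order
    auth_cache: dict = field(default_factory=dict)  # source IP -> last activity time
    log: list = field(default_factory=list)         # stands in for syslog / traps

    def aaa_result(self, src_ip, success, now):
        # Step 3: AAA reports whether the user at src_ip authenticated.
        if success:
            self.auth_cache[src_ip] = now
        else:
            self.log.append(f"auth-fail src={src_ip} t={now}")

    def _authenticated(self, src_ip, now):
        last = self.auth_cache.get(src_ip)
        if last is None:
            return False
        if now - last > IDLE_TIMEOUT:      # inactive entry has timed out
            del self.auth_cache[src_ip]
            self.log.append(f"auth-expire src={src_ip} t={now}")
            return False
        self.auth_cache[src_ip] = now      # matching traffic keeps the entry alive
        return True

    def check(self, src_ip, dst_ip, now):
        # Step 4: first matching policy rule decides; allow-auth consults the cache.
        for dst, action in self.rules:
            if dst != dst_ip:
                continue
            if action == "allow":
                return "pass"
            if action == "allow-auth":
                return "pass" if self._authenticated(src_ip, now) else "drop"
            return "drop"                  # explicit deny
        return "drop"                      # no rule matched: deny (assumed default)

def demo():
    # Constructed walk-through: unauthenticated, then authenticated, then timed out.
    fw = FirewallEngine([("10.0.0.5", "allow-auth")])
    before = fw.check("192.0.2.10", "10.0.0.5", now=0)
    fw.aaa_result("192.0.2.10", True, now=5)
    during = fw.check("192.0.2.10", "10.0.0.5", now=10)
    after = fw.check("192.0.2.10", "10.0.0.5", now=10 + IDLE_TIMEOUT + 1)
    return before, during, after
```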

Firewall and NAT

On outgoing packets, stateful inspection is done before NAT, because NAT rewrites the source address of all packets to that of the XSR while policy rules are defined in terms of internal and external addresses. On incoming packets, NAT is performed before firewall inspection.

Beginning with Release 7.0, the XSR supports IPSec NAT traversal according to draft-ietf-ipsec-nat-t-ike-02. The XSR sends IKE messages from UDP port 4500 when (1) a NAT is present between the IKE peers and (2) the peer has implemented draft-ietf-ipsec-nat-t-ike-02. So, you need to allow traffic to UDP port 4500 through the firewall if users are to build IPSec SAs that traverse it. Refer to “XSR with Firewall and VPN” on page 16-27 for a sample configuration.

Firewall and VPN

VPN tunnels are implemented as virtual interfaces that “sit” on physical interfaces. Stateful inspection is applied before encryption and encapsulation on outgoing packets, and after decapsulation and decryption on incoming packets.

ACLs and Firewall

Access Control Lists are available as a basic per-interface filter to pass or drop packets entering or leaving a port. In the outbound direction, a packet is subjected to firewall inspection before ACL filtering; inbound, a packet is filtered by the ACL and then by the firewall.

Note: Be aware that if the firewall is enabled on an interface, ACLs should not be used on that interface so that all checks can be performed in one place.

Dynamic Reconfiguration

The XSR lets you apply new policies or remove old ones without restarting the firewall code. Dynamic reconfiguration is accomplished by checking the current firewall state against the newly configured rules; sessions that do not satisfy these rules are removed, leaving other sessions intact.

16-18 Configuring Security on the XSR

Enterasys Networks X-Pedition™ manual: Firewall and NAT, Firewall and VPN, ACLs and Firewall, Dynamic Reconfiguration