IP Firewalling
In large IP networks, particularly those with a connection to the Internet, you will almost certainly want to restrict access to your network, or at the very minimum to specific hosts on your network that store sensitive data. Using the IP firewalling option, you can filter traffic by source and/or destination address, protocol and port to limit access to your network from remote sites.
IP networks rarely carry a single IP protocol, and you may not want every protocol passed across your ISDN or WAN link. The IP Firewalling option allows you to Accept or Deny different types of IP frame.

How Does It Work?
An IP Firewall table consists of entries that are inspected and acted on in top-to-bottom order whenever a packet is received on any physical interface (LAN, WAN or ISDN). Each entry specifies the source and destination characteristics of interest and an operation of Accept or Deny. You can also wildcard a field with the Ignore parameter.
By choosing which traffic to Deny and which to Accept, you build a profile of the data and users allowed to reach hosts on your network.
In most cases you only need to implement IP firewalling at the central site, provided all remote users have the same access rights to the network. If some remote sites require greater access than others, implement a central-site firewall that restricts access to the commonly required hosts or data types, and then implement firewalls at the remote sites to prevent access to any additional hosts or data types that a particular site is not entitled to.
A remote-site firewall only protects the central site if it cannot be reconfigured by the people at the remote site. Set a configuration password on the remote unit that is not known locally, so that its firewall table cannot be changed there and security at the central site is not compromised.

Setting Up an IP Firewall
To set up an IP firewall, from the main menu enter CO RO IPF. The screen shown in Figure 2-42 is displayed.

Figure 2-42 IP Firewall

If you have existing IP firewall entries, these are shown and can be edited if required. Highlight an entry and choose one of the following commands:
APpend Adds an entry after the highlighted entry.
INsert Inserts an entry before the highlighted entry.
EDit Allows you to change the highlighted entry.
DElete Deletes the highlighted entry.
The order of entries in this table is critical to the operation of your firewall. Each table entry is processed in order, starting at the top. The result of each operation is passed to the next entry, so the set of traffic still under consideration narrows at each step. Check in particular that a broad Accept entry does not appear above a more specific Deny entry that is meant to cover a subset of the same traffic, since the Deny would then never take effect.
Each entry in the table shows the following:
Type The IP frame type that is part of the data set.
Source The IP address of the source host and the subnet mask applied.
Destination The IP address of the destination network host and the subnet mask applied.
Action Deny or Accept the data.
Bidir Shows whether frames that match the criteria of the operation can be passed in both directions.
Packets Shows the number of frames acted upon by this operation.

Appending, Inserting or Editing an Entry
Enter AP, IN or ED to display a screen similar to the one illustrated in Figure 2-43.

Figure 2-43 Adding An IP Firewall Entry

Complete the fields as follows:
Src Address Type the IP address of the source host.
Src Mask Type a suitable IP mask, depending on whether you want to include/exclude this host only or all hosts on its subnet.
For example, if you use the mask 255.255.255.255 this firewall entry applies only to the given source IP address; a mask of 255.255.255.0 applies it to every host on the source's 24-bit subnet.
Src Ports The default is the range 0-65535, which is all ports. Enter a TCP or UDP port number, or a range of port numbers, to be acted upon.
Dest Address Type the IP address of the destination host.
Dest Mask Type a suitable IP mask, depending on whether you want to include/exclude this host only or all hosts on its subnet.
For example, if you use the mask 255.255.255.255 this firewall entry applies only to the given destination IP address.
Dest Ports The default is the range 0-65535, which is all ports. Enter a TCP or UDP port number, or a range of port numbers, to be acted upon.
Remote Router Enter the name of a remote router if the operation is only to be carried out on frames from and/or to this router. Leave this field blank if the operation applies to all routers in your network.
Type Select the type of IP frame to be acted upon.
All - The entry matches all IP frames.
TCP - The entry matches only TCP frames.
UDP - The entry matches only UDP frames.
ICMP - The entry matches only ICMP frames.
Action Set this parameter to ACCEPT or DENY depending on whether you want to include or exclude the data set defined above.
Bidirectional If set to ENABLED, frames that match the criteria defined above are passed in both directions.
TcpSYN If set to DISABLE, this parameter prevents Telnet or FTP connections relayed via another host. Only direct connections can be made.
For example, if TcpSYN is set to DISABLE, you cannot open a Telnet session to one host and from there open a further Telnet session to this unit. You must Telnet directly to the unit.
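The following is an added example, not 3Com code, that models the table described above so the effect of entry order, of the source and destination masks and of the Bidirectional flag can be checked on sample frames before committing entries to the router. It assumes first-match semantics (the first entry that matches decides) and a configurable default action when no entry matches; the page only states that entries are processed top to bottom, so both are assumptions. The sample table, the addresses and the frames are constructed for illustration. TcpSYN and Remote Router are not modelled.

```python
# Added example (not 3Com code): a model of an ordered IP firewall table,
# assuming first-match semantics and a configurable default when nothing matches.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def in_masked(addr: str, rule_addr: str, mask: str) -> bool:
    """True if addr falls inside rule_addr under the dotted-decimal mask.
    255.255.255.255 matches only rule_addr; 255.255.255.0 matches its /24;
    0.0.0.0 matches every address."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)


@dataclass
class Entry:
    """One row of the table, using the field names of the Add/Edit screen."""
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    frame_type: str = "ALL"                  # ALL, TCP, UDP or ICMP
    src_ports: Tuple[int, int] = (0, 65535)  # inclusive range; default = all
    dst_ports: Tuple[int, int] = (0, 65535)
    action: str = "ACCEPT"                   # ACCEPT or DENY
    bidir: bool = False                      # Bidirectional ENABLED
    packets: int = 0                         # the Packets counter column


@dataclass
class Packet:
    src: str
    dst: str
    frame_type: str      # TCP, UDP or ICMP
    sport: int = 0       # ports are 0 for ICMP
    dport: int = 0


def _one_way(e: Entry, src: str, sport: int, dst: str, dport: int) -> bool:
    return (in_masked(src, e.src, e.src_mask)
            and in_masked(dst, e.dst, e.dst_mask)
            and e.src_ports[0] <= sport <= e.src_ports[1]
            and e.dst_ports[0] <= dport <= e.dst_ports[1])


def matches(e: Entry, p: Packet) -> bool:
    if e.frame_type != "ALL" and e.frame_type != p.frame_type:
        return False
    if _one_way(e, p.src, p.sport, p.dst, p.dport):
        return True
    # Bidir: the same entry also covers frames flowing the other way
    return e.bidir and _one_way(e, p.dst, p.dport, p.src, p.sport)


def filter_packet(table: List[Entry], p: Packet,
                  default: str = "DENY") -> Tuple[str, Optional[int]]:
    """Walk the table top to bottom; the first matching entry decides and
    its Packets counter is incremented. Returns (action, entry index), or
    (default, None) when no entry matches. First-match and the default
    are assumptions of this model, not documented 3Com behaviour."""
    for i, e in enumerate(table):
        if matches(e, p):
            e.packets += 1
            return e.action, i
    return default, None


def build_table(deny_first: bool = True) -> List[Entry]:
    """Constructed sample table. One entry denies Telnet to a sensitive
    host; the other accepts all TCP from the 10.0.0.0/24 branch office to
    the 192.168.10.0/24 server LAN in both directions. deny_first=False
    reproduces the mis-ordered table in which the Deny never takes effect."""
    deny_telnet = Entry("0.0.0.0", "0.0.0.0",             # any source
                        "192.168.10.5", "255.255.255.255",
                        frame_type="TCP", dst_ports=(23, 23), action="DENY")
    allow_branch = Entry("10.0.0.0", "255.255.255.0",
                         "192.168.10.0", "255.255.255.0",
                         frame_type="TCP", action="ACCEPT", bidir=True)
    return [deny_telnet, allow_branch] if deny_first else [allow_branch, deny_telnet]


# Constructed sample frames
TELNET = Packet("10.0.0.7", "192.168.10.5", "TCP", 40000, 23)
WEB = Packet("10.0.0.7", "192.168.10.20", "TCP", 40001, 80)
WEB_REPLY = Packet("192.168.10.20", "10.0.0.7", "TCP", 80, 40001)
PING = Packet("10.0.0.7", "192.168.10.20", "ICMP")
OUTSIDER = Packet("172.16.1.1", "192.168.10.20", "TCP", 1234, 80)

if __name__ == "__main__":
    for order in (True, False):
        table = build_table(deny_first=order)
        print("Deny entry first:" if order else "Accept entry first:")
        for name, pkt in [("telnet", TELNET), ("web", WEB),
                          ("web reply", WEB_REPLY), ("ping", PING),
                          ("outsider", OUTSIDER)]:
            print(f"  {name:10s} -> {filter_packet(table, pkt)}")
```

With the Deny entry first, Telnet to 192.168.10.5 is denied, the web request and its reply (matched through the Bidirectional entry) are accepted, and the ICMP frame and the frame from 172.16.1.1 fall through to the default. With the Accept entry first, the same Telnet frame is accepted by the broad entry before the Deny is ever consulted, which is the ordering mistake the table description warns about.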

Deleting an Entry
Highlight an entry and enter DE at the command prompt. The entry is deleted.

© 3Com Corporation