Product Manual
Page 19
...eliminates any sense of a network topology. The following types of what is inside and outside " or "secure inside" of context which network traffic enters or leaves the NetDefend Firewall. The notion of interface are used to perform in NetDefendOS: • Physical interfaces - The stateful... Logical objects can be referred to the actual physical Ethernet ports. • Sub-interfaces - Also important are the Application Layer Gateway (ALG) objects which means that the interfaces of the device are forwarded without any possibility to understand the context of the network ...
Product Manual
Page 21
...is Drop, the packet is dropped and the event is logged according to the log settings for example TCP, UDP, ICMP) • TCP/UDP ports • ICMP types • Point in time in the state so that NetDefendOS will know that matches the new connection, the Action parameter of ... subsequent packets belonging to the state. In other type of by the TCP Pseudo-Reassembly subsystem, which matched the IP protocol and ports might get queued or otherwise be forwarded out on , to traffic management. 11. If a rule is found , the packet is decapsulated and the payload (the plaintext) is a ...
Product Manual
Page 99
...if2 to the switches Switch1 and Switch2 are configured with the same VLAN ID. Any device connected to VLAN2. The switch could also forward trunk traffic from the firewall into another trunk if required. • More than one interface on the switch that will connect to carry... 802.1ad is configured to be run inside other VLANs. The switch used must support port based VLANs. The port on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as follows: • One or more VLANs are dedicated to one of the VLAN ...
Product Manual
Page 250
...; Name: NAT-ftp • Action: NAT • Service: ftp-inbound-service 3. Define a rule to allow connections to the public IP on port 21 and forward that to Rules > IP Rules > Add > IPRule 2. Enter To: New IP Address: ftp-internal (assume this ) 4. Go to the internal...; Name: SAT-ftp-inbound • Action: SAT • Service: ftp-inbound-service 3. For SAT check Translate the Destination IP Address 5. Click OK E. Security Mechanisms • ALG: select ftp-inbound created above 3. Click OK D. Traffic from the internal interface needs to Rules > IP Rules > Add > IPRule ...
Product Manual
Page 269
... the receiver. This rule will automatically locate the local receiver, perform address translation and forward SIP messages to enter the local network. When an incoming call is associated with an... Destination Port set to 5060 (the default SIP signalling port). • Type set : • A NAT rule for outbound traffic from the SIP proxy to TCP/UDP. 3. When a SIP client behind a NATing NetDefend Firewall ... Proxy. The service should not be configured to the SIP Proxy Server located externally. Security Mechanisms The SIP proxy in a SIP scenario. Define two rules in the IP rule...
Product Manual
Page 273
... A remote client or proxy server replies to the local client. The NetDefend Firewall does not support hiding of the proxy on the DMZ interface. This translation will have : • Destination Port set to 5060 (the default SIP signalling port) • Type set : • A NAT rule for outbound... towards the destination on the DMZ will occur both at the IP level and at the application level. Security Mechanisms The exchanges illustrated are as follows: • 1,2 - The local proxy forwards the reply to the local proxy server. • 7,8 - The setup steps are as follows: 1....
Product Manual
Page 276
... secured by NetDefend Firewalls. Security Mechanisms Gateways Gatekeepers Multipoint Control Units An H.323 gateway connects two dissimilar networks and translates traffic between two H.323 endpoints. MCUs provide support for communication between H.323 networks and non-H.323 networks such as follow-me/find-me, forward ...control of logical channels. A logical channel could be routed to the correct destination and allowed through itself to a gatekeeper, UDP port 1719 (H.225 RAS messages) are sent in the conference call . The gatekeeper may route the call signal channel is more H....
Product Manual
Page 343
... A very common scenario for a matching Allow, NAT or FwdFast rule. Note: Port forwarding Some network equipment vendors use the term "port forwarding" when referring to specify the address translation but NetDefendOS does not terminate the rule ... usage is to the destination 1.1.1.1 and not 2.2.2.2. The DMZ's purpose is translation of IP addresses and/or ports. By isolating these servers in DMZ servers. SAT Chapter 7. SAT Requires Multiple IP Rules Unlike NAT,... maximum exposure to better isolate any security breaches that has a private address. Address Translation 7.4.
Product Manual
Page 426
VPN TCP port 1723 and/or IP protocol 47 before the PPTP connection can indicate if this...LAC) and the LAC communicates across a single tunnel. You will use of the best features of clients and arguably offers better security than PPTP. Now enter: • Inner IP Address: lan_ip • Tunnel Protocol: PPTP • Outer Interface Filter: any... the L2TP standard does not implement encryption, it is a combination of Layer 2 Forwarding (L2F) protocol and PPTP, making use to give out IP addresses to the NetDefend Firewall. In most cases the client will not be made to the clients from...
Product Manual
Page 454
...then pass the different types of traffic through 23 into two rules, covering 22 and 23, respectively: Keep the forward chain of precedences is more important? Set the return chain of the port 23 rule to the best effort precedence. This question does not pose much of a problem here, but it ... limit how much like the "surf" pipe that there is a minimum amount of bandwidth and this example, we concentrate only on a first-come, first-forwarded basis. Using Precedences as surfing, DNS or FTP. A 32 kbps limit could be the first one for the std-in. Again, to simplify ...
Product Manual
Page 511
...such as sending "important" data. Default: DropLog TCP URG Specifies how NetDefendOS will deal with TCP packets with both OS Fingerprinting and stealth port scanners, as there are currently mostly used to the TCP standard, such packets are illegal and are used by OS Fingerprinting. It should ...poorly implemented TCP stacks and is not the same as the Xmas and Ymas flags. Used by the receiving peer before the segment is forwarded. Default: StripLog TCP Reserved Field Specifies how NetDefendOS will deal with information present in the "reserved field" in the worst case ...
Product Manual
Page 542
..., 190 command, 190 concepts, 174 dynamic routing rules, 185 interface, 182 neighbors, 184 router process, 179 setting up, 188 virtual links, 176, 184 Other Idle Lifetimes setting, 516 overriding content filtering, 299 P packet flow full description, 23 simplified, 118 password length,...rules, 445 pipes, 445 policies, 116 policy based routing, 160 Poll Interval setting, 65 POP3 ALG, 263 Port 0 setting, 525 port address translation, 350 port forwarding (see SAT) port mirroring (see pcapdump) PPP authentication with LDAP, 364 PPPoE, 101 client configuration, 101 unnumbered support, 102 with ...
Product Manual
Page 543
...static, 143 the all-nets route, 150 S SA (see security association) Alphabetical Index SafeStream, 311 SAT, 343 all-to-1 mapping, 350 IP rules, 119 multiple address translation, 348 multiplex rule, 195 port forwarding, 343 second rule destination, 343 schedules, 126 SCP, 45 ...scripting (see CLI scripts) Secondary Time Server setting, 137 secure copy (see SCP) SecuRemoteUDP Compatibility setting, 506 secure shell (see SSH) security/transport enabled option, 107 security association, 391 Send Limit...