While reasonable efforts have been made to ensure that the information in this document is complete and accurate
at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and
corrections to the information
in this document without the obligation to notify any person or organization of such changes.
Documentation disclaimer
Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of
this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to
indemnify and hold harmless Avaya, Avaya’s agents, servants and employees against all claims, lawsuits, demands
and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this
documentation, to the extent made by End User.
Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or
documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or
content provided on these sites and does not necessarily endorse the products, services, or information described or
offered within them. Avaya does not guarantee that these links will work all the time and has no control over the
availability of the linked pages.
Warranty
Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the
limited warranty. In addition, Avaya’s standard warranty language, as well as information regarding support for
this product, while under warranty, is available to Avaya customers and other parties through the Avaya Support
Web site: http://www.avaya.com/support
Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said
reseller and not by Avaya.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE,
HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS,
USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA
AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL
AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE
AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE
SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN
AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION
AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY
INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO,
YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING,
DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY
AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A
BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE
("AVAYA").
Copyright
Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided
by Avaya. All content in this documentation(s) and the product(s) provided by Avaya including the selection,
arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and
other intellectual property laws including the sui generis rights relating to the protection of databases. You may not
modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part,
including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and or use
without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.
Third Party Components
Certain software programs or portions thereof included in the Product may contain software distributed under third
party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain
portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those
Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party
Components and the Third Party Terms that apply to them is available on the Avaya Support Web site:
http://support.avaya.com/Copyright.
Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s)
provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users
are not permitted to use such Marks without prior written consent from Avaya or such third party which may own
the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by
implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission
of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks
are the property of their respective owners.
2 NN40011-045 Issue 1.2 BCM50 Rls 6.0
IP Firewall
Downloading documents
For the most current versions of documentation, see the Avaya Support Web site: http://www.avaya.com/support
Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The
support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see
Note: This guide relates to the BCM50a/ba and BCM50e/be models only.
Note: Although the BCM50a/ba models will not be supplied with BCM 6.0, it is
possible to upgrade the variants of these models to BCM 6.0, if they were
originally supplied with BCM50 R2 or BCM50 R3 software.
Note: The BCM50 Integrated Router is almost identical to the Business
Secure Router (BSR) models. BCM50a/ba routers are based on the BSR252
and BCM50e/be routers are based on the BSR222.
IP Firewall
Overview
The BCM50 IP Firewall Filters feature is one of the security features BCM
offers to protect your network against intruders. The security and firewall
features are also used for controlling what outside resources your users will
be able to access.
BCM50 Integrated Router and Firewalls
The BCM50 Integrated Router firewall is a stateful inspection firewall and is
designed to protect against Denial of Service attacks. The BCM50 Integrated
Router’s purpose is to allow a private Local Area Network (LAN) to be
securely connected to the Internet. The BCM50 Integrated Router can be
used to prevent theft, destruction and modification of data, as well as log
events, which may be important to the security of your network. The BCM50
Integrated Router also has packet-filtering capabilities.
Stateful Packet Filters
The BCM50 Integrated Router supports stateful packet filtering for IP protocols.
Stateful packet filters monitor active sessions and record session information
such as IP addresses and port numbers. They maintain state information for
each flow (TCP, UDP or ICMP). Stateful filters use the state information to
determine whether a packet is a reply to an earlier request that has already been
validated by the rule set. If it is, the packet receives the same verdict as that
request: it is either blocked or allowed through.
Stateful packet filters protect your network against Internet attacks such as
source spoofing, where an attacker pretends to be a trusted user by using an
IP address that is within the accepted range of IP addresses of your internal
network. BCM50 Integrated Router stateful packet filtering validates that
addresses coming from outside the network are valid outside addresses.
Stateful packet filters also protect your network from a denial-of-service
attack, where an attacker tries to block valid users from accessing a resource
or a server.
Stateful filtering supports TCP, UDP, IP, and ICMP. Stateful filtering supports
the following applications: H.323, FTP, HTTP, POP3, Telnet, SMTP, DNS,
DHCP, TFTP, GOPHER, FINGER, NNTP, NetBIOS, POP2, RPC, SNMP and
SUNNFS.
Denial of Service (DoS) Attacks
Denial of Service (DoS) attacks are aimed at devices and networks with a
connection to the Internet. Their goal is not to steal information, but to disable
a device or network so that users no longer have access to network resources.
The BCM50e/be Integrated Router is pre-configured to automatically detect
and thwart all known DoS attacks.
Default Configuration
By default, the BCM50 Integrated Router firewall is configured to allow all
traffic originating from the LAN and deny all traffic originating from the WAN.
Any traffic responding to requests from the LAN to the WAN, e.g. HTTP traffic, is
allowed through the firewall and returned to the request originator.
The exception to WAN-originating traffic is IKE requests. IKE (Internet Key
Exchange) is used to set up VPN (Virtual Private Network) connections.
Firewall Rules
Rule Direction
Rules can be configured for the direction of traffic in the following ways:
LAN to WAN: This direction is designed to stop some or all users on
the network accessing some services on the Internet. For example, if
certain users are less productive due to inappropriate usage of MSN
Messenger, those users (essentially IP Addresses) can be blocked
from using the MSN Messenger port (TCP port 1863).
WAN to LAN: By default, all traffic except IKE requests is blocked
from the WAN to the LAN. It is possible to allow certain traffic, e.g.
Element Manager, from one or more specific users based on their
WAN IP Address.
LAN to LAN: By default there are no rules configured for this option.
This allows computers on the LAN to manage the BCM50 Integrated
Router and communicate between networks or subnets connected to
the LAN interface.
WAN to WAN: By default all packets are blocked for this option. This
prevents computers on the WAN from using the BCM50 Integrated
Router as a gateway to communicate with other computers on the
WAN and/or managing the BCM50 Integrated Router.
Rule Order
Careful consideration should be given to the order in which rules should be
applied. For example, you should configure rules to allow specific traffic or
ports before more general rules that block traffic. Otherwise the specific traffic
will not pass through the firewall as the more general rule blocking traffic will
be applied first.
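The default policy, the stateful handling of replies, and the first-match rule order described above, as an added illustration in Python (a constructed model, not BCM50 code). It assumes a simplified rule with direction, protocol, service port and source network, the hosts 192.168.1.10 and 203.0.113.5 are constructed addresses, and the MSN Messenger case from the Rule Direction section is used to show why a specific allow must precede a general block.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed model of the semantics this guide describes (added illustration, not
# BCM50 code): first matching rule wins, unmatched traffic falls to the default
# policy, and a reply to an already-validated flow is passed statefully.
DEFAULT_POLICY = {"LAN->WAN": "allow", "WAN->LAN": "block",
                  "LAN->LAN": "allow", "WAN->WAN": "block"}
WAN_LAN_EXCEPTIONS = {("udp", 500)}  # IKE: the one WAN-originated default allow

@dataclass
class Rule:
    direction: str
    action: str                 # "allow" or "block"
    proto: str = "any"
    port: Optional[int] = None  # service port of the flow; None matches any
    src: str = "0.0.0.0/0"      # source network the rule applies to

def matches(rule, direction, proto, port, src):
    return (rule.direction == direction and rule.proto in ("any", proto)
            and rule.port in (None, port) and ip_address(src) in ip_network(rule.src))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # flows already validated by the rule set

    def check(self, direction, proto, port, src, dst):
        a, b = direction.split("->")
        # Stateful part: a reply to a validated flow gets the same verdict (allow).
        if (f"{b}->{a}", proto, port, dst, src) in self.sessions:
            return "allow"
        for rule in self.rules:  # rule order decides: the first match wins
            if matches(rule, direction, proto, port, src):
                verdict = rule.action
                break
        else:
            verdict = DEFAULT_POLICY[direction]
            if direction == "WAN->LAN" and (proto, port) in WAN_LAN_EXCEPTIONS:
                verdict = "allow"
        if verdict == "allow":
            self.sessions.add((direction, proto, port, src, dst))
        return verdict

# The guide's MSN Messenger example (TCP 1863) with one exempted host, 192.168.1.10
# (constructed address). Only the order of these two rules differs between cases.
BLOCK_ALL_MSN = Rule("LAN->WAN", "block", "tcp", 1863)
ALLOW_ONE_HOST = Rule("LAN->WAN", "allow", "tcp", 1863, src="192.168.1.10/32")

def msn_verdict(rules):
    return Firewall(rules).check("LAN->WAN", "tcp", 1863, "192.168.1.10", "203.0.113.5")
```

With the general block first the exempted host is blocked; with the specific allow first it passes, and a WAN-originated HTTP packet is only allowed once the LAN has opened the flow.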
Required Information
Before configuring the Firewall, you may wish to obtain the following
information:
State the intent of the rule. For example, “This restricts all IRC access
from the LAN to the Internet.” Or, “This allows a remote Lotus Notes
server to synchronize over the Internet to an inside Notes server.”
Is the intent of the rule to forward or block traffic?
What direction of traffic does the rule apply to?
What IP services will be affected?
What computers on the LAN are to be affected (if any)?
What computers on the Internet will be affected? The more specific, the
better. For example, if traffic is being allowed from the Internet to the
LAN, it is better to allow only certain machines on the Internet to
access the LAN.
In which order should the rules be applied?
Flow Chart
The flow chart below shows which sections of the guide you should use.
[Flow chart: the steps and the one decision recovered from the figure]
Determine what firewall rules require configuring: refer to the Required Information section of this guide.
Configure the Firewall general settings: refer to the Configuring the Firewall section of this guide.
Configure the individual Firewall rules: refer to the Inserting a Firewall Rule section of this guide.
Do you need to define services (ports) not currently available in the Available Services list?
Yes: Add your custom service/port: refer to the Editing Custom Ports section of this guide.
No: continue.
Ensure the Firewall is enabled: refer to the Enabling the Firewall section of this guide.