E-tech FIREWALL Configuration

1. Firewall Configuration

A firewall is a method of implementing common as well as user defined security
policies in an effort to keep intruders out. Firewalls work by analyzing and
filtering out IP packets that violate a set of rules defined by the firewall
administrator. The firewall is located at the point of entry for the network. All
data inbound and outbound must pass through the firewall for inspection.

Advanced Options: This section contains options for protecting against
particular wellknown attacks as well as documenting those attacks as they occur.

Firewall Databases: This section allows you to create groups based on IP
addresses, subnet masks, ports, and time. These groups are used when creating
inbound and outbound policies.

Inbound/Outbound Policies: This section allows you to create rules for
incoming and outgoing IP packets. The IP packets are compared against the rules
and are allowed or denied accordingly.

Firewall Enable/Disable: This option enables/disables all the protection
provided on these pages.

1.1 Protection Policy

Protection Policies defend against common methods of attacking a network and
computers within the network. Some of these attacks are classified as a DoS
(Denial of Service). DoS is an attack in which a network or components of a
network are disabled, usually by overloading traffic on the network, in order to
prevent authorized and legitimate users to access network resources.

Basic Protection:

• IP Spoofing checking: IP spoofing is when an unauthorized user inserts the IP
address of an authorized user into the IP packets in order to gain access to a
network. Selecting this option will allow the firewall to check for and filter out this
discrepancy.

• Ping of Death checking: Ping of Death is a type of DoS attack that uses a
malformed ICMP data packet that contains unusually large amounts of data that
causes TCP/IP to crash or behave irregularly. Enabling this will allow the firewall
to filter out packets containing Ping of Death properties.

• Land Attack checking: Land attack is a type of DoS attack that works by
sending a spoofed packet containing the same source and destination IP address
and port (the victim’s IP address). This packet contains a connection request,
resulting in a handshake process. At the end of the handshake, the victim sends
out an ACK (ACKnowledge) request. Since the source and the destination are the
same, the victim receives the ACK request it just sent out. The received data
does not match what the victim is expecting, so it retransmits the ACK request.
This process repeats until the network crashes. Enabling this will allow the firewall
to filter out possible Land Attack packets.

• Reassembly Attack checking: Reassembly Attack is a type of DoS attack that
exploits the weakness of the IP protocol reassembly process. As discussed earlier

in this user guide, packets undergo fragmentation when they exceed a certain
maximum size. Certain criteria define the packet fragmentation process so that
packets can be reassembled properly. In Reassembly Attack, the subpackets have
malformed criteria (fragment offset), which can easily cause a system to crash,
freeze, or reboot. Enable this option to check for and filter out Reassembly Attack
packets.

Advanced Protection:

• SYN Flooding checking: SYN Flooding is a type of DoS attack that is
accomplished by not sending the final acknowledgement to the receiving server’s
SYN-ACK (SYNchronize-ACKnowledge) in the final part of the handshake process.
This causes the serve to keep signaling until it is timed out. When a flood (many)
of these attacks are sent simultaneously, the server will probably overload and
crash. Enable SYN Flooding checking to filter out possible SYN flood packets.

• ICMP Redirection checking: Also known as an ICMP storm attack or smurf
attack, ICMP Redirection is another form of DoS. This attack is performed by
sending ICMP echo requests to a broadcast network node. The return IP address
is spoofed and replaced by the victim’s own address, causing it to send the
request back to itself. This causes the broadcast address to send it out to all the
network nodes in the broadcast area (usually the entire LAN). In turn, all those
recipients resend it back to the broadcast. The process repeats itself, gaining
more amplitude through each iteration and eventually causing a traffic overload
and crashing the network. Enable ICMP Redirection checking to filter out packets
containing the threat.

• Source Routing checking: Source routing gives the sender of a packet the
ability to determine the exact route that an IP packet takes to get to the
destination. However, source routing can be used for malicious reasons. Using a
source routed packet, the sender could find out important information about
nodes in a network, making it easy to exploit any weakness. Enabling Source
Routing checking will cause the firewall to filter out any packet with Source
Routing properties.

• WinNuke Attack checking: WinNuke exploits a large networking bug found in
Windows 95 and NT. WinNuke sends erroneous OOB (Out-of-Band) data that
Windows is unable to process, causing the target computer to crash. Enable this if
you are running an early (95 or NT) version of Windows that is vulnerable to this
attack.

1.2 Hacker Log

This page allows you to configure which Protection Policy (see previous section)
violations to log for admin viewing.

Alert Log: Enable/Disable for SYN Flooding, Ping of Death, IP Spoofing, and Win
Nuke (all of these are explained in the previous section). Enable to log violations
of individual policies.

General Log:

• Deny Policies: Enabling this will add Deny Policy violations to the log. Deny
Policies are discussed later in the Inbound/Outbound policy section.

• Allow Policies: Enabling this will add Allow Policy acceptances to the log. Allow
Policies are discussed later in the Inbound/Outbound policy section.

Log Database Properties:

• Log Frequency: This field lets you specify how many records to keep of each
event. Default is 100. Range for Log Frequency Field is 1-65535.

1.3 Service Filtering

Service Filtering allows you to disable service requests from certain sources.
These are the Service Request sources that can be disabled:

• Ping from External Network

• Telnet from External Network

• FTP from External Network

• DNS from External Network

• IKE from External Network

• RIP from External Network

• DHCP from External Network

1.4 IP Group

The IP Group lets you specify IP Addresses (Single or Range) and Subnet Masks
and assign them to a group name for easy use when configuring inbound and
outbound policies for the firewall.

IP Entry Name: This is the name you assign to the group of IP addresses and
subnet masks. The IP Entry Name can be up to 19 characters.

IP addr. 1: This is the IP address or subnet mask you are specifying when
creating a group.

IP addr. 2: This field is only active if you select to group a range of IP addresses
or subnet masks, in which case this is the end address of that range whereas the
IP addr 1 is the first address of that range.

IP/Mask: This field allows you to specify the address type assigned to the group.

• Single IP: This will let you specify one IP address for a given group.

• IP Range: This will let you specify a range of IP addresses for a given group,

starting with IP addr 1 and ending with IP addr 2.

• Subnet Mask: This will let you specify a range of subnet masks for a given
group.