User manual SECURE COMPUTING SNAPGEAR NETWORK GATEWAY SECURITY


Manual abstract: user guide SECURE COMPUTING SNAPGEAR NETWORK GATEWAY SECURITY


[...]

ADMINISTRATION GUIDE
SnapGear Network Gateway Security
Version 3.1.5
www.securecomputing.com

Copyright © 2007 Secure Computing Corporation. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Secure Computing Corporation.

Trademarks

Secure Computing, SafeWord, Sidewinder, Sidewinder G2, Sidewinder G2 Firewall, SmartFilter, Type Enforcement, CipherTrust, IronMail, IronIM, SofToken, Enterprise Strong, Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess, Cyberguard, SnapGear, Total Stream Protection, Webwasher, Strikeback and Web Inspector are trademarks of Secure Computing Corporation, registered in the U.S. G2 Enterprise Manager, SmartReporter, SecurityReporter, Application Defenses, Central Management Control, RemoteAccess, SecureWire, TrustedSource, On-Box, Securing connections between people, applications and networks and Access Begins with Identity are trademarks of Secure Computing Corporation.

Software License Agreement

CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE LOADING THE SOFTWARE. BY CLICKING "I ACCEPT" BELOW, OR BY INSTALLING, COPYING, OR OTHERWISE USING THE SOFTWARE, YOU ARE SIGNING THIS AGREEMENT, THEREBY BECOMING BOUND BY ITS TERMS.

[...]

Chapter 3: Firewall menu
Connection tracking

3 If you have changed the current configuration, a message informs you custom changes will be lost and prompts you to confirm your selection.

TCP network services

The predefined Basic, Standard, and Strict settings are listed in Table 18. An 'X' indicates the service is included in the setting; an em dash (--) indicates the service is not available in a setting.
Table 18: TCP services settings

Service           Basic   Standard   Strict
40421             --      X          X
40425             --      --         X
49724             --      X          X
bo2k              --      X          X
dc                --      --         X
discard           --      --         X
echo              --      --         X
Elite             --      X          X
exec              --      --         X
filenet-rmi       X       X          X
finger            --      X          X
gopher            --      --         X
http              --      --         X
ida-discover2     --      --         X
imap              X       X          X
ingreslock        X       X          X
ircd              --      X          X
italk             X       X          X
login             --      --         X
nburn_id          X       X          X
NetBus            X       X          X
netstat           X       X          X
newoak            --      --         X
nntp              --      X          X
pop2              --      --         X
pop3              X       X          X
printer           --      --         X
rlzdbase          X       X          X
shell             --      --         X
sieve             X       X          X
socket23          --      --         X
socks             X       X          X
sometimes-rpc7    X       X          X
sometimes-rpc9    X       X          X
sometimes-rpc11   --      X          X
sunrpc            X       X          X
systat            X       X          X
tcpmux            X       X          X
terabase          --      --         X
uucp              X       X          X
x11               --      --         X
x11-1             --      --         X

Selecting UDP dummy services

Use this procedure to set the network ports scanned for TCP services. You can choose Basic, default Standard, or Strict settings, and add your own custom entries. To view a list of the services available for each setting, see Table 18 on page 288.

Prerequisite: Detect UDP probes must be enabled in the IDB configuration for any scanning or blocking to occur. See "Configuring basic IDB" on page 285.

1 From the Firewall menu, click Intrusion Detection > UDP tab. The UDP page appears.

Figure 217: IDB UDP tab

2 Select an option for the Network Ports scanned list:
· Basic: Installs a minimal selection of ports to monitor while still providing sufficient coverage to detect many intruder scans.
· Standard (default): Extends the Basic coverage by introducing additional monitored ports for early detection of intruder scans.
· Strict: Installs a comprehensive selection of ports to monitor and should be sufficient to detect most scans. The Strict setting includes all services in Standard and Basic in addition to its own unique settings.
Security Alert: The list of network ports can be freely edited; however, adding network ports used by services running on the SnapGear unit (such as telnet) may compromise the security of the device and your network. Secure Computing strongly recommends using only the predefined lists of network ports (Basic, Standard, Strict).

3 If you have changed the current configuration, a message informs you custom changes will be lost and prompts you to confirm your selection.

UDP network services

The predefined Basic, Standard, and Strict settings are listed in Table 19. An 'X' indicates the service is included in the setting; an em dash (--) indicates the service is not available in a setting.

Table 19: UDP services settings

Service           Basic   Standard   Strict
BackOrifice       X       X          X
bo2k              X       X          X
discard           X       X          X
echo              X       X          X
entrust-sps       X       X          X
epp-700           X       X          X
filenet-nch       X       X          X
filenet-rmi       X       X          X
mdqs              --      --         X
mpm-flags         --      --         X
nfs               --      --         X
ntalk             --      --         X
repcmd            --      X          X
rlzdbase          --      X          X
snmp              X       X          X
snmptrap          X       X          X
sometimes-rpc10   X       X          X
sometimes-rpc12   X       X          X
sometimes-rpc8    X       X          X
ssh               X       X          X
sql*net           --      --         X
sunrpc            --      --         X
talk              --      --         X
tcpmux            X       X          X
tftp              X       X          X
who               X       X          X

Advanced Intrusion Detection and Prevention

Note: The SG565, SG580, SG640, and SG720 models provide Advanced Intrusion Detection and Blocking in addition to basic IDB.

Advanced Intrusion Detection and Prevention is based on two variants of the tried and tested intrusion detection and prevention system Snort v2. Snort in IDS (Intrusion Detection System) mode resides in front of the firewall, and detects and logs a very wide range of attacks. Snort in IPS (Intrusion Prevention System) mode resides behind the firewall, and detects and blocks a wide range of attacks.
The primary advantage of running Snort IDS (Snort) in front of the firewall is that it sees unfiltered network traffic, and is therefore able to detect a wider range of attacks. The primary advantage of running Snort IPS (IPS) behind the firewall is that suspicious network traffic can be disallowed rather than simply being flagged as suspicious and allowed to pass.

Snort uses a combination of methods to perform extensive ad hoc network traffic analysis. These include protocol analysis, inconsistency detection, historical analysis, and rule-based inspection engines. Snort can detect many attacks by checking destination port number, TCP flags, and doing a simple search through the packet's data payload. Rules can be quite complex, allowing a trigger if one criterion matches but another fails, and so forth.

[...]

Glossary

Phase 1
Phase 2
PPP
PPPoE
PPTP
Preshared secret
Quick Mode
Rekeying: The process of renegotiating a new set of keys for encryption and authentication.
Road warrior: A remote machine with no fixed IP address.
Router: A router differs from hubs and switches because it is intelligent and can route packets to their final destination.

The public keys need to be exchanged between the two parties in order to configure the tunnel.

Security Parameter Index, an index used within IPSec to keep connections distinct.

[...]
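The rule-based inspection described under Advanced Intrusion Detection and Prevention (destination port, TCP flags, payload search, and a trigger when one criterion matches but another fails) can be illustrated with the following added Python example. It is not code from the manual or from Snort: the Rule and Packet classes, the two rules and the sample packets are all constructed assumptions.

```python
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10   # TCP header flag bits

@dataclass(frozen=True)
class Packet:                      # constructed, simplified TCP segment
    dst_port: int
    flags: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:                        # hypothetical model, not Snort rule syntax
    name: str
    dst_port: int
    flags_set: int = 0             # every bit here must be set
    flags_clear: int = 0           # every bit here must be clear
    must_contain: bytes = b""      # payload search that has to succeed
    must_not_contain: bytes = b""  # payload search that has to fail

    def matches(self, pkt: Packet) -> bool:
        # Cheap header checks first, payload searches last.
        return (pkt.dst_port == self.dst_port
                and (pkt.flags & self.flags_set) == self.flags_set
                and not (pkt.flags & self.flags_clear)
                and self.must_contain in pkt.payload
                and not (self.must_not_contain
                         and self.must_not_contain in pkt.payload))

def inspect(pkt, rules):
    """Return the names of every rule the packet triggers."""
    return [r.name for r in rules if r.matches(pkt)]

RULES = [
    # Port and flags only: a bare SYN to telnet.
    Rule("syn-to-telnet", 23, flags_set=SYN, flags_clear=ACK),
    # One criterion matches while another fails: a GET with no Host header.
    Rule("http-get-without-host", 80, flags_set=ACK | PSH,
         must_contain=b"GET ", must_not_contain=b"\r\nHost:"),
]

SAMPLES = [                        # constructed sample packets
    Packet(23, SYN),
    Packet(23, SYN | ACK),
    Packet(80, ACK | PSH, b"GET / HTTP/1.0\r\n\r\n"),
    Packet(80, ACK | PSH, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.dst_port, hex(p.flags), inspect(p, RULES))
```

In IDS mode a triggered rule would only be logged; in IPS mode the same match is the point at which the packet would be dropped.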
