Sunday, January 6, 2013

What are firewall policies?

Policies are Rules for Your Network Traffic

A policy is a rule that controls how packets may move through the network. It holds all the relevant details, such as which ports should be open, for whom, and which data may be accessed by whom.

Policies also govern access to the network and its resources for both internal and external parties.


Friday, January 4, 2013

How to Configure External Interface with Static IP

Sometimes you will have a leased line or an ADSL link with a static IP to configure on the Firebox. In that scenario you need a few more details: the subnet mask in correct slash notation, the gateway IP address provided by the ISP, and so on. Let's look at how to set up the external interface with a static IP address.

1. Select the Policy Manager tab

2. Select the "Network" tab

3. Select the "Configuration" tab

4. Select the "Interfaces" tab

5. Select the Internet connection interface (Interface 0)

6. Click the "Configure" button

7. Select "Use Static IP"

8. Enter the static IP address assigned to the link, with its mask, and then the default gateway provided by the ISP

9. Click "OK"
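Before typing the values into step 8 it is worth checking that they are consistent with each other: a gateway outside the subnet, or an address that is really the network or broadcast address, is the usual reason a freshly configured external interface does not pass traffic. The following is an added example, not code from the original page or from WatchGuard, and the addresses in it are constructed for illustration:

```python
"""Checks for the values a static external interface needs.

Added example, not part of the original page or WatchGuard's software: it
validates the address (in slash or dotted-mask notation) and the ISP gateway
before they are entered in step 8. Sample addresses are constructed.
"""
import ipaddress

# RFC 1918 ranges: seeing one of these on a leased-line external interface
# usually means a LAN address was typed by mistake.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_static_interface(address_with_mask, gateway):
    """Return a list of problems found; an empty list means the settings are consistent.

    address_with_mask: the ISP-assigned address plus mask, e.g. "203.0.113.10/29"
                       or "203.0.113.10/255.255.255.248".
    gateway:           the ISP's default gateway, e.g. "203.0.113.9".
    """
    try:
        iface = ipaddress.ip_interface(address_with_mask)
    except ValueError as exc:
        return [f"address/mask not parseable: {exc}"]
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return [f"gateway not parseable: {exc}"]

    problems = []
    net = iface.network
    # /31 (RFC 3021) and /32 links have no separate network/broadcast address
    if net.prefixlen < 31:
        if iface.ip == net.network_address:
            problems.append(f"{iface.ip} is the network address of {net}")
        if iface.ip == net.broadcast_address:
            problems.append(f"{iface.ip} is the broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}; the mask or gateway is wrong")
    elif gw == iface.ip:
        problems.append("gateway is the same as the interface address")
    if any(iface.ip in n for n in RFC1918):
        problems.append(f"{iface.ip} is a private (RFC 1918) address, not an ISP-assigned one")
    return problems


if __name__ == "__main__":
    for addr, gw in (("203.0.113.10/29", "203.0.113.9"),                 # consistent
                     ("203.0.113.10/29", "203.0.113.1"),                 # gateway outside the /29
                     ("203.0.113.8/255.255.255.248", "203.0.113.9")):    # network address
        print(addr, gw, "->", check_static_interface(addr, gw) or "OK")
```

The check accepts the mask either way the ISP tends to write it (slash notation or dotted), which is handy when the paperwork says one and the Firebox dialog expects the other.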

Wednesday, January 2, 2013

How to use Dynamic DNS

Dynamic DNS for External Interface

If the external interface of your XTM box gets a dynamically assigned IP address, you need to keep your domain name pointing at whatever address the interface currently has. To do that, configure the Dynamic DNS (DynDNS) service. You can follow these steps:

1. Select the Policy Manager tab

2. Select Network -> Configuration tab

3. In the "Dynamic DNS" dialog box, select "Enable Dynamic DNS"

4. In the Interface list select the External interface (Interface 0) -> Configure

5. Enter the relevant fields: User Name, Password and Domain

6. Set Service type to dyndns

7. Make sure the Options field is empty

8. Click OK
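What the Firebox does with the user name, password and domain entered above is the dyndns2 update exchange: an HTTP GET to the service with HTTP Basic authentication, answered by a one-word status line. The following is an added example written for this page, not WatchGuard's client code; the credentials, host name and User-Agent string are constructed placeholders.

```python
"""The update exchange a DynDNS-type client performs (dyndns2 protocol).

Added example, not WatchGuard's implementation: it builds the request a
dyndns2 client sends and interprets the server's one-line reply. Credentials,
host name and the User-Agent string are constructed placeholders.
"""
import base64
from urllib.parse import urlencode

UPDATE_HOST = "members.dyndns.org"   # the dyndns2 endpoint the "dyndns" service type talks to


def build_update_request(username, password, hostname, current_ip):
    """Return (request_line, headers) that map hostname -> current_ip."""
    query = urlencode({"hostname": hostname, "myip": current_ip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Host": UPDATE_HOST,
        "Authorization": f"Basic {token}",
        # the server answers "badagent" to clients with no identifying User-Agent
        "User-Agent": "firewalltips-ddns-example/1.0 (example@example.invalid)",
    }
    return f"GET /nic/update?{query} HTTP/1.1", headers


# dyndns2 reply codes. good/nochg are success. 911 and dnserr are server-side
# trouble and may be retried later. Everything else (badauth, nohost, notfqdn,
# abuse, badagent, numhost, !donator) means the configuration is wrong and the
# client must stop sending updates until it is fixed, or the account gets blocked.
SUCCESS = {"good", "nochg"}
RETRYABLE = {"911", "dnserr"}


def parse_update_response(body):
    """Return (status, confirmed_ip_or_None, keep_updating) from the reply line."""
    parts = body.strip().split()
    if not parts:
        return "empty", None, False
    code = parts[0]
    ip = parts[1] if code in SUCCESS and len(parts) > 1 else None
    keep_updating = code in SUCCESS or code in RETRYABLE
    return code, ip, keep_updating


if __name__ == "__main__":
    line, hdrs = build_update_request("alice", "s3cret", "fw.example.com", "203.0.113.10")
    print(line)
    for k, v in hdrs.items():
        print(f"{k}: {v}")
    for reply in ("good 203.0.113.10", "nochg 203.0.113.10", "badauth", "911"):
        print(reply, "->", parse_update_response(reply))
```

The stop-on-error rule is the part worth remembering: a client that keeps retrying after "badauth" or "abuse" gets its account blocked, which is why a wrong password in step 5 can leave the domain stale for longer than just the one failed update.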


Tuesday, January 1, 2013

How to configure external interface using PPPoE

Here we cover the basics of configuring the external interface for Point-to-Point Protocol over Ethernet. You will need the user name and password issued by the service provider, and in general every detail the provider gave you for the PPPoE connection.

1. Select the Policy Manager tab

2. Select Network -> Configuration -> Interfaces

3. Select the interface the PPPoE link is attached to (in this case Optional 2, Interface 3)

4. Click Configure

5. Enter the connection details (the PPPoE user name and password from the provider)

6. Click OK

Monday, August 27, 2012

.........FirewallTips.........

Let's share our knowledge about network security! Here we discuss how to secure your network properly. The site is mainly about firewalls and firewall technology; we would also like to cover open source firewalls such as pfSense and Untangle, so that you can configure your own open source firewall without trouble.

Our Q&A page deals with problems highlighted by users. We will give you an optimum solution with expert help. You can raise any number of cases, and our experts will help you as soon as possible.

How to configure a firewall

Firewall Configuration
Following the user manual, first identify the external and internal ports (interfaces) available on the firewall. Most of the time an internal port can also be configured as an external port. External ports can be set up for DHCP, static IP or PPPoE connections. Some firewalls also provide load balancing and failover across several external links. The basic job is packet filtering, but modern firewalls add many more features on top of that. After the external port is configured, configure the internal ports that connect to the local area network (LAN); the firewall needs a free IP address from the LAN block. When you design the infrastructure, plan how many IP addresses are needed and how many users will log in to the network, internal and external.
Application servers can be placed in the network. If a server is for internal use only, connect it to the LAN, since external people will not be allowed to access it. But if you have web servers and e-mail servers that must be reachable from outside, connect them to a separate network called the DMZ (demilitarized zone). The DMZ is a zone that external users can be allowed into, configured outside your local area network. The advantage is that if someone manages to compromise a server in the DMZ, they still do not get access to your LAN. This only holds if your policies do not allow traffic from the DMZ into the trusted network, so check the DMZ-to-LAN rules as carefully as the Internet-to-DMZ ones.
The LAN port is normally configured as a trusted port. Several Internet connections can be attached to the firewall through its external ports. If you have another network that needs its own separate IP block, you can bind that block to the existing LAN port as a secondary network. After configuring the internal, external and DMZ interfaces, save the configuration to the firewall before you log out.

Firewall Policies 
Every firewall ships with several default policies, and the default configuration is usually enough to allow web access through the firewall. To secure the network properly, though, you have to configure more policies. You can control access down to the port level and assign user groups to each port, which means the firewall lets you monitor user access closely and deny access to the ports that matter most.
Some firewalls also have proxy policies, which control web access and provide URL filtering as well. Example: WatchGuard.
Unlike many other firewalls, the WatchGuard firewall has an important feature: it can filter at the sub-domain level, through the "WebBlocker" service. So if someone wants to block Facebook mail only, they can do just that: users can still reach the Facebook main page but cannot use Facebook mail.
 
NAT
NAT is important because it gives you more control over the network. With NAT you bind an internal IP address to an external (real, public) IP address, which is why most network administrators use it.
There are three main methods:
1. Dynamic NAT
2. Static NAT
3. 1-to-1 NAT
1-to-1 NAT is used where traffic must flow in both directions, from inside to outside and from outside to inside: it maps one range of addresses onto another range. If you only need to handle traffic going from inside to outside, dynamic NAT is the better choice. If you need to bring traffic from outside to inside (a published service), use static NAT.
Example: ABC (Pvt) Ltd has the domain www.abc.com and e-mail addresses such as xyz@abc.com, so they have a public IP address tied to their domain. Their mail server sits in their own network, in the firewall's DMZ, with a private IP address. In that situation a static NAT rule on the firewall forwards the mail traffic arriving on the public address to the private address of the mail server.
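To make the three NAT types concrete, here is an added example (not code from the original page or from WatchGuard) that rewrites constructed packets the way dynamic NAT, static NAT and 1-to-1 NAT do, using the ABC (Pvt) Ltd mail-server scenario. Every address in it is made up; the 192.168.50.0/24 DMZ, the 1-to-1 file server and the port numbers are assumptions for illustration.

```python
"""Model of the three NAT types above, using the ABC (Pvt) Ltd scenario.

Added example, not WatchGuard code: a small NAT table that rewrites
constructed packets (src, sport, dst, dport) the way dynamic NAT, static
NAT and 1-to-1 NAT do. All addresses are made up for illustration.
"""

EXTERNAL_IP = "203.0.113.10"        # ABC's public address on the external interface
MAIL_SERVER = "192.168.50.25"       # mail server in the DMZ, private address
FILE_SERVER_PRIVATE = "10.0.1.40"   # host given its own public address via 1-to-1 NAT
FILE_SERVER_PUBLIC = "203.0.113.11"

# Static NAT: inbound (public address, port) -> (internal host, port); one direction only
STATIC_NAT = {(EXTERNAL_IP, 25): (MAIL_SERVER, 25)}
# 1-to-1 NAT: one public address <-> one private address, both directions, ports unchanged
ONE_TO_ONE = {FILE_SERVER_PUBLIC: FILE_SERVER_PRIVATE}
ONE_TO_ONE_REVERSE = {priv: pub for pub, priv in ONE_TO_ONE.items()}


class NatTable:
    """Dynamic NAT state: which (private src, sport) is using which external port."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.outbound = {}   # (src, sport) -> external port
        self.inbound = {}    # external port -> (src, sport)

    def outbound_translate(self, src, sport, dst, dport):
        """Packet leaving towards the Internet; returns the rewritten 4-tuple."""
        if src in ONE_TO_ONE_REVERSE:
            return (ONE_TO_ONE_REVERSE[src], sport, dst, dport)
        key = (src, sport)
        if key not in self.outbound:
            # dynamic NAT: everyone shares EXTERNAL_IP, so each flow gets its own port
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (EXTERNAL_IP, self.outbound[key], dst, dport)

    def inbound_translate(self, src, sport, dst, dport):
        """Packet arriving on the external interface; None means no mapping (dropped)."""
        if dst in ONE_TO_ONE:
            return (src, sport, ONE_TO_ONE[dst], dport)
        if (dst, dport) in STATIC_NAT:
            ip, port = STATIC_NAT[(dst, dport)]
            return (src, sport, ip, port)
        if dst == EXTERNAL_IP and dport in self.inbound:
            orig_src, orig_sport = self.inbound[dport]   # reply to a dynamic NAT flow
            return (src, sport, orig_src, orig_sport)
        return None


if __name__ == "__main__":
    nat = NatTable()
    print(nat.outbound_translate("10.0.1.5", 51000, "198.51.100.7", 80))   # dynamic NAT
    print(nat.inbound_translate("198.51.100.7", 80, EXTERNAL_IP, 40000))   # its reply
    print(nat.inbound_translate("198.51.100.7", 4321, EXTERNAL_IP, 25))    # static NAT to mail
    print(nat.inbound_translate("198.51.100.7", 4321, EXTERNAL_IP, 22))    # no mapping: None
    print(nat.outbound_translate(FILE_SERVER_PRIVATE, 3333, "198.51.100.7", 443))  # 1-to-1
```

Two simplifications to keep in mind: a real firewall keys dynamic NAT state on the full connection tuple rather than on source address and port alone, and a NAT mapping on its own never admits traffic; the static NAT for port 25 still needs a policy that allows SMTP from the external network to the mail server, or the packet is translated and then dropped.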

Firewall Policy – Firewall Rules
Once you add a policy to your firewall, it tells the firewall whether to allow or deny the traffic it describes. A policy can allow or deny traffic based on the destination IP address, the source IP address, or the protocol.
There are two basic kinds of policy: packet filter policies and proxy policies. A packet filter inspects only the IP and transport headers of each packet passing through the firewall, so it works at the network and transport layers of the OSI model. A proxy policy also examines the packet contents and the protocol conversation across the whole connection, so it works at the application layer as well as the network and transport layers.
Packet filters are the cheapest way to handle large amounts of traffic. Proxies are what you use to allow or block by protocol behaviour. Beyond the built-in policies, you can define custom policies for your own requirements, such as specific port numbers and protocols.
How to create a custom policy in WatchGuard WSM
Create a packet filter policy for VNC (TCP port 5900), to be used from the trusted host 10.0.1.201. The steps below build the policy template, which defines only the protocol and port; the host address goes into the policy's From list when the template is added as a policy.
1. Select Edit > Add Policy
2. Click New
3. Type VNC in the Name text box
4. Type Virtual Network Computing in the Description text box
5. Select Packet Filter as the Type option
6. Click Add to define the protocol and port
7. Select Single Port in the Type drop-down list
8. Select TCP in the Protocol drop-down list
9. Type 5900 in the Server Port text box
10. Click OK to close the Add Protocol dialog box
11. Click OK to close the New Policy Template dialog box
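The VNC policy above, and the DMZ point made in the Firewall Configuration section, come down to the same thing: a packet filter decides from the header fields alone (protocol, destination port, source and destination address) and anything no policy matches is dropped. The following is an added example, not code from the original page or from WatchGuard, evaluating a small policy list against constructed packets. The zone address blocks, the DMZ web server, and the choice that VNC from 10.0.1.201 goes to the DMZ are assumptions for illustration.

```python
"""Packet-filter policy evaluation on header fields only, as a packet filter does.

Added example, not WatchGuard code: a policy list in the spirit of the VNC
policy built above plus a published DMZ web server, evaluated against
constructed packets. Zone blocks and addresses are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "Trusted": ipaddress.ip_network("10.0.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.50.0/24"),
}


def zone_of(ip):
    """Name the zone an address belongs to; anything else counts as External."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "External"


@dataclass
class Policy:
    name: str
    proto: str      # "tcp" or "udp"
    port: int       # server (destination) port, as in the Add Protocol dialog
    from_: str      # zone name, "Any", or a single address (the policy's From list)
    to: str         # zone name, "Any", or a single address (the policy's To list)
    action: str     # "allow" or "deny"

    def _side_matches(self, selector, ip):
        if selector == "Any":
            return True
        if selector in ZONES or selector == "External":
            return zone_of(ip) == selector
        return ipaddress.ip_address(ip) == ipaddress.ip_address(selector)

    def matches(self, pkt):
        """Header-only match: protocol, destination port, source and destination."""
        return (pkt["proto"] == self.proto and pkt["dport"] == self.port
                and self._side_matches(self.from_, pkt["src"])
                and self._side_matches(self.to, pkt["dst"]))


POLICIES = [
    # the VNC template above, added with From = 10.0.1.201 and To = DMZ
    Policy("VNC", "tcp", 5900, "10.0.1.201", "DMZ", "allow"),
    # web server published in the DMZ, reachable from the Internet
    Policy("HTTP-DMZ", "tcp", 80, "External", "192.168.50.10", "allow"),
    # outbound browsing from the trusted network
    Policy("HTTP-out", "tcp", 80, "Trusted", "External", "allow"),
    # note: nothing allows DMZ -> Trusted, which is the whole point of the DMZ
]


def evaluate(pkt, policies=POLICIES):
    """Return (action, policy name); the first matching policy wins, no match means deny."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action, pol.name
    return "deny", "default"


if __name__ == "__main__":
    samples = [
        {"proto": "tcp", "src": "10.0.1.201", "dst": "192.168.50.10", "dport": 5900},   # allowed VNC
        {"proto": "tcp", "src": "10.0.1.202", "dst": "192.168.50.10", "dport": 5900},   # wrong host
        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.168.50.10", "dport": 80},   # Internet -> DMZ web
        {"proto": "tcp", "src": "192.168.50.10", "dst": "10.0.1.5", "dport": 445},      # DMZ -> LAN, dropped
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt))
```

Because the filter sees only headers, it cannot tell VNC from any other TCP service that happens to use port 5900; that is exactly the gap a proxy policy closes by inspecting the protocol itself.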
 

Tuesday, August 21, 2012

Examples

Example 1
Case study: ABC (Pvt) Ltd has a leased line with a router that is used for web-based e-mail and Internet browsing. They have no firewall and plan to add one to their infrastructure. The router was provided by the ISP, and ABC has no control over it. They cannot change their LAN block either.

Option 1
We can configure the firewall in transparent (bridge) mode. This method has several advantages and disadvantages. In bridge mode all the interfaces sit in the same network, so you do not get the control that separate zones and a changed LAN block would give you. What you do get is visibility of every packet passing through, inbound and outbound, without touching the ISP's router or the existing addressing.

You can still use the firewall's other security features, such as application control and URL filtering.


Example 2
The WatchGuard X1250e is a fairly old box that is no longer sold. After that series, WatchGuard introduced the XTM line, which has more features. The X1250e ships with firmware version 10.2 and can be upgraded to XTM version 11.5, as you did on your existing Firebox. You cannot upgrade from 10.2 to 11.5 in one step, though: first upgrade to firmware version 11.3b, then to 11.5.
In your case, upgrade the new X1250e to firmware 11.5 first; only then can you configure Firebox clustering.
WatchGuard's high availability (HA) feature is called FireCluster, which is what you would be implementing in your network. There are two options, Active/Active and Active/Passive. An Active/Active FireCluster gives you load balancing across both boxes; an Active/Passive FireCluster gives you redundancy, with the second box taking over if the first fails.