Click here to go to the table that describes the labels in this screen . If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them For example, you may create rules to: ¨ Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet. ¨ Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN. ¨ Allow everyone except your competitors to access a Web server. ¨ Restrict use of certain protocols, such as Telnet, to authorized users on the LAN. Rule Logic Overview Study these points carefully before configuring rules. Rule Checklist1. State the intent of the rule. For example, “This restricts all IRC access from the LAN to the Internet.?Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.?/span> 2. Is the intent of the rule to forward or block traffic? 3. What direction of traffic does the rule apply to? 4. What IP services will be affected? 5. What computers on the LAN or DMZ are to be affected (if any)? 6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN. Security RamificationsOnce the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule: 1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective? 3. Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers. 4. Does this rule conflict with any existing rules? Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens. Key Fields for Configuring RulesActionShould the action be to Block or Forward? “Block? means the firewall silently discards the packet. ServiceSelect the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. Source AddressWhat is the connection’s source address; is it on the LAN, DMZ or WAN? Is it a single IP, a range of IPs or a subnet? Destination AddressWhat is the connection’s destination address; is it on the LAN, DMZ or WAN? Is it a single IP, a range of IPs or a subnet? Connection DirectionsLAN to LAN/ Router, WAN to WAN/ Router and DMZ to DMZ/Router rules applies to packets coming in on the associated interface (LAN, WAN, or DMZ respectively). LAN to LAN/ Router means policies for LAN-to-Prestige (the policies for managing the Prestige through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN to WAN/ Router and DMZ to DMZ/ Router polices apply in the same way to the WAN and DMZ ports. LAN to WAN RulesThe default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN. WAN to LAN RulesThe default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. Configuring Rules Your custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the Prestige's default rules. Alerts Alerts are reports on events, such as attacks, that you may want to know about right away. In the Edit Rule screen, you can choose to generate an alert when a rule is matched. Configure the Log Settings screen to have the Prestige send an immediate e-mail message to you when an event generates an alert. Refer to the chapter on logs in the User's Guide for details. |
Description | ||
Firewall Rules Storage Space in Use | This read-only bar shows how much of the Prestige's memory for recording firewall rules it is currently using. | |
Packet Direction | Use the drop-down list box to select a direction of travel of packets for which you want to configure firewall rules. | |
Default Policy | This field displays the default action and log policy you selected in the Default Policy screen for the packet direction shown in the field above. | |
The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above. | ||
Rule | This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Click a rule's number to edit the rule. | |
Active | This field displays whether a firewall is turned on (Y) or not (N). | |
Source IP | This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any. | |
Destination IP | This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any. | |
Service | This drop-down list box displays the services to which this firewall rule applies. Please note that a blank service type is equivalent to Any. | |
Action | This is the specified action for that rule, either Block or Forward. Note that Block means the firewall silently discards the packet. | |
Schedule | This field tells you whether a schedule is specified (Yes) or not (No). | |
Log | This field shows you whether a log is created when packets match this rule (Enabled) or not (Disable). | |
Alert | This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched. | |
Insert |
Type the index number for where you want to put a rule. For example, if you type "6", your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. Click Insert to display this screen and refer to the following table for information on the fields. | |
Append | Click Append to add a new rule at the end of the rule list. | |
Move | Type a rule's index number and the number for where you want to put that rule. Click Move to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering. | |
Back | Click Back to return the Firewall Functions screen. | |
Apply | Click Apply to save your changes back to the Prestige. | |
Cancel | Click Cancel to begin configuring this screen afresh. |