Firewall - Rule Summary

Click here to go to the table that describes the labels in this screen .

If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them

For example, you may create rules to:

¨      Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.

¨      Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.

¨      Allow everyone except your competitors to access a Web server.

¨      Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.

Rule Logic Overview

Study these points carefully before configuring rules.

Rule Checklist

1.      State the intent of the rule. For example, “This restricts all IRC access from the LAN to the Internet.?Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.?/span>

2.      Is the intent of the rule to forward or block traffic?

3.      What direction of traffic does the rule apply to?

4.        What IP services will be affected?

5.      What computers on the LAN or DMZ are to be affected (if any)?

6.        What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.

Security Ramifications

Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule:

1.      Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?

2.      Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?

3.      Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.

4.        Does this rule conflict with any existing rules?

Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens.

Key Fields for Configuring Rules

Action

Should the action be to Block or Forward?

“Block? means the firewall silently discards the packet.

Service

Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it.

Source Address

What is the connection’s source address; is it on the LAN, DMZ or WAN? Is it a single IP, a range of IPs or a subnet?

Destination Address

What is the connection’s destination address; is it on the LAN, DMZ or WAN? Is it a single IP, a range of IPs or a subnet?

Connection Directions

LAN to LAN/ Router, WAN to WAN/ Router and DMZ to DMZ/Router rules applies to packets coming in on the associated interface (LAN, WAN, or DMZ respectively). LAN to LAN/ Router means policies for LAN-to-Prestige (the policies for managing the Prestige through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN to WAN/ Router and DMZ to DMZ/ Router polices apply in the same way to the WAN and DMZ ports.

LAN to WAN Rules

The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.

WAN to LAN Rules

The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.

Configuring Rules

Your custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the Prestige's default rules.

Alerts

Alerts are reports on events, such as attacks, that you may want to know about right away. In the Edit Rule screen, you can choose to generate an alert when a rule is matched.

Configure the Log Settings screen to have the Prestige send an immediate e-mail message to you when an event generates an alert. Refer to the chapter on logs in the User's Guide for details.

Label

Description

Firewall Rules Storage Space in UseThis read-only bar shows how much of the Prestige's memory for recording firewall rules it is currently using.
Packet DirectionUse the drop-down list box to select a direction of travel of packets for which you want to configure firewall rules.
Default PolicyThis field displays the default action and log policy you selected in the Default Policy screen for the packet direction shown in the field above.
The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above.
RuleThis is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Click a rule's number to edit the rule.
ActiveThis field displays whether a firewall is turned on (Y) or not (N).
Source IPThis drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Destination IPThis drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
ServiceThis drop-down list box displays the services to which this firewall rule applies. Please note that a blank service type is equivalent to Any.
ActionThis is the specified action for that rule, either Block or Forward. Note that Block means the firewall silently discards the packet.
ScheduleThis field tells you whether a schedule is specified (Yes) or not (No).
LogThis field shows you whether a log is created when packets match this rule (Enabled) or not (Disable).
AlertThis field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.
Insert

Type the index number for where you want to put a rule. For example, if you type "6", your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.

Click Insert to display this screen and refer to the following table for information on the fields.

AppendClick Append to add a new rule at the end of the rule list.
MoveType a rule's index number and the number for where you want to put that rule. Click Move to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.
BackClick Back to return the Firewall Functions screen.
ApplyClick Apply to save your changes back to the Prestige.
CancelClick Cancel to begin configuring this screen afresh.
Back to top