Knowledge Base  

New Search
References
Support

Orbitor NetSafe Firewall Tips

Article Number: I003
Article Type: Info
Modified: November 10, 1998

SUMMARY

When using the Orbitor's NetSafe Firewall facility, you will find that it is among the simplest to use, yet provides the power and flexibility of high-end firewalls. To make best use of this facility, we have created a few tips that should assist you in the proper configuration of the Orbitor under typical application conditions.

MORE INFORMATION

Basic Firewall Operation

The Firewall examines each incoming IP packet and decides whether it should be allowed to be passed onto the LAN or be discarded. The decision to forward or discard is based upon a set of rules configured in the firewall which you can modify to customise the firewalls operation.

The simplest operation is to simply enable the firewall function. When enabled, the firewall prevents all TCP connection requests from passing through the Firewall and entering your LAN.

For example; a potential intruder located somewhere on the Internet wants to Telnet to a host on your LAN. When the Telnet connection request is received at the firewall, the firewall will discard the Telnet request precluding access to the intruder.

The Firewall will also block all UDP and ICMP frames. Since all ICMP frames are blocked, a PING response will be blocked through the Firewall.

It is important to understand that the Firewall will not affect any data flowing from the local LAN to the Internet, or WAN links. As a result, internal LAN users may have unhindered access to the Internet without sacrificing basic security.

Considerations

When using the Firewall facility, you may have to adjust the rules that are used by the Orbitor to accommodate your network's configuration. Below, you will find a few examples of configuration changes that you may have to make in order to have a properly functioning firewall.

ICMP (Internet Control Message Protocol)

The most common way to test if an IP device is connected to the Internet is to issue an ICMP Echo or more commonly known as PING. The Firewall facility will not allow a PING to penetrate. The less the outside world knows about your internal network the less vulnerable it will be to attempted attacks by intruders.

It may be necessary for you to be able to allow PING's to your FTP and WWW servers. Once you have navigated to the Edit Firewall Entry menu you must use the following parameter values to properly configure the firewall for ICMP and PING operations:

  • Destination IP Address: <IP address of the FTP or WWW server>
  • Source IP Address: All
  • Protocol Type: 1

The above entry will allow PING to only the FTP or WWW servers. If you want to allow PING to your entire network an entry of All would be placed in the Destination IP Address.

DNS (Domain Name Service)

Devices connected to the Internet are not expected to remember the IP addresses of remote hosts. A hierarchical tree-like Domain Name System (DNS) has been established throughout the Internet to provide a well defined method to organise names and associated IP addresses. A Client PC will send a service name to the DNS and expect to receive an IP address in return.

With the evolution of the WEB, it is very common for a Client PC to constantly communicate with the DNS during normal WEB browsing activities. The structure of your network may incorporate a DNS on your local LAN that you can directly communicate, or you may access a DNS located at your ISP. If you have a local DNS, it will communicate with a peer DNS outside of your LAN on the Internet. If you do not have a local DNS you will need to communicate with the DNS in your service provider's location.

WEB Browsing through the NetSafe Firewall

If you have a DNS located on your LAN, you must specify the local DNS IP address under the Designated servers menu in the Firewall Set-Up Menu. This entry will open UDP port 53 destined for your DNS allowing DNS requests through the firewall.

If you do not have a local DNS, your ISP will provide you with the IP address of the DNS located in the ISP location. In this instance we must configure the firewall to allow DNS responses from the ISP's DNS through to the originating station. To accommodate this, you must allow UDP packets originating from the ISP DNS destined for UDP ports 1024 thru 65535. The DNS IP address must be entered as a Firewall entry which is definable in the Edit Firewall entry menu in the Firewall Set-Up Menu. You are able to define up to 15 different Firewall entries. Each Firewall entry will give the ability to open specified ports to specified destinations with specified protocol through the Firewall.

Once you have navigated to the Edit Firewall entry menu you must use the following parameter values to properly configure the firewall for DNS operations:

  • Source IP Address: <IP Address of the ISP DNS>
  • Protocol Type: UDP
  • Initial Port: 1024
  • Last Port: 65535

You should now be able to browse the WEB.

NOTE: DNS operations is required for any name resolution operation, and as such is not limited to WEB browsing. WEB browsing is only used as an example of where DNS operations is used.

Firewall Friendly FTP (File Transfer Protocol)

FTP sessions generally communicate by establishing one control session and a second session for transferring data. The FTP Client opens a control session to the FTP server, while the FTP server opens a data session to the Client. The server then conveys the TCP port of the data session back to the Client over the control session. This type of operation is not considered Firewall friendly and will be "blocked" by the firewall. In order for the Firewall to pass FTP data, the FTP application has to be configured correctly.

To accommodate the Internet and Firewalls a mode called PASV is incorporated into most FTP Clients. This mode instructs the FTP server that the data connection will be issued by the Client and not the server. Using PASV mode will now allow local FTP Clients to communicate out onto the Internet to FTP servers without difficulty.

If you have a FTP server on your local LAN that needs to be accessed through the Firewall from the Internet you must instruct the Firewall to let these packets through. You can instruct the Firewall to let these packets through to your FTP server by defining an FTP server under the Designated servers menu in the Firewall Set-Up Menu. FTP Clients on the Internet cannot use PASV mode when FTPing to the Designated FTP server. If PASV mode to your designated server is required, you must set a Firewall Entry.

In the Edit Firewall entry menu in the Firewall Set-Up Menu specify the Designated FTP server IP address under the Dest IP address. You may use the following parameters:

  • Source IP Address: All
  • Protocol type: TCP
  • Initial Port: 1024
  • Last Port: 65535

This will allow a PASV FTP Client to communicate with you local FTP server.

A Final Note

The use of a router-based firewall should be your front-line defense and be included in your security strategy. The proper configuration of the firewall is paramount to successfully securing your site. §
Keywords: Firewall, tips, netsafe
Product: Orbitor
Model: All

Copyright © 1998 Develcon Electronics Ltd.  All Rights Reserved.