Freedom9 freeGuard Blaze 2100 User manual

freeGuard Blaze 2100

Scenarios Guide

Version 3R2

COPYRIGHT NOTICE

Under the copyright law, this manual and the software described within can not be copied in

whole or part, without written permission of the manufacturer, except in the normal use of the

software to make a backup copy. The same proprietary and copyright notices must be affixed to

any permitted copies as were affixed to the original. An exception does not allow copies to be

made for others, whether or not sold, but all of the materials purchased can be sold, given, or

loaned to another person. Under the law, copying includes translating this information into

another language or format.

Information contained in this document is subject to change without notice.

TRADEMARKS

Products mentioned in this document may be trademarks and/or registered trademarks of their

respective companies and are the sole properties of their respective company.

Scenarios Guide 5

Contents

1. Preface...................................................................................................... 7

About This Document .........................................................................................................8

Document Conventions ......................................................................................................8

Command Line Interface (CLI) Conventions ............................................................................... 8

Illustration Conventions ............................................................................................................... 8

Frequently Used Acronyms ......................................................................................................... 9

2. Scenarios................................................................................................ 11

NAT Scenarios .................................................................................................................12

Source NAT from a DIP Pool with PAT ..................................................................................... 12

Source NAT from the Egress Interface IP Address ................................................................... 14

Destination NAT to a Single IP Address Using Port Mapping ................................................... 16

Destination NAT to a Single IP Address without Port Mapping ................................................. 18

Destination NAT to Multiple IP Addresses with Port Mapping ................................................... 19

Policy Scenarios...............................................................................................................22

Interzone Policies ...................................................................................................................... 22

Intrazone Policies ...................................................................................................................... 24

Global Policies ........................................................................................................................... 26

VPN Scenarios ................................................................................................................. 27

Site-to-site VPN with AutoKey ...................................................................................................27

Site-to-Site VPN with Manual Keying ........................................................................................ 29

Network Attack Prevention ........................................................................................................ 31

Defending Against DoS and DDoS Attacks...................................................................... 32

ICMP Flood Prevention.............................................................................................................. 32

UDP Flood Prevention ............................................................................................................... 32

SYN Flood Prevention ............................................................................................................... 33

FIN Flood Prevention................................................................................................................. 33

IP Fragment Prevention............................................................................................................. 33

TCP-FIN-no-ACK....................................................................................................................... 34

Additional Attack Detection and Prevention ..................................................................... 35

Viewing Attack Settings ............................................................................................................. 35

6 Scenarios Guide

Scenarios Guide 7

P

REFACE

1

Contents

•

About This Document on page 8

• Document Conventions on page 8

PREFACE

1

8 Scenarios Guide

About This Document

This guide contains supplemental information for network administrators who install and maintain

the freeGuard Blaze 2100 in a network. This document should be used with the User Guide and

the Command Line Interface Reference Manual. It addresses the most commonly used network

scenarios where the freeGuard Blaze 2100 is used.

Document Conventions

Command Line Interface (CLI) Conventions

The following conventions are used when presenting the syntax of the command line interface

(CLI):

• Values inside square brackets [ ] are optional.

• Values inside braces { } are required.

• For commands that require a selection from a pre-defined list of values, each value in the

list is separated by a pipe ( | ).

• Variables appear in italic.

When a CLI command appears within the context of a sentence in this document, it is in bold (ex-

cept for variables, which are always in italic). For example: "Use the get system command to

display general information about the freeGuard Blaze 2100."

Illustration Conventions

The following graphics are used in illustrations throughout this book:

. . . . .

PREFACE

Scenarios Guide 9

Frequently Used Acronyms

This guide assumes familiarity with the following acronyms. See the User Guide glossary for fur-

ther details about these terms.

NAT: Network Address Translation VPN: Virtual Private Network

DIP: Dynamic IP Address ESP: Encapsulating Security Payload

PAT: Port Address Translation 3DES: Triple Data Encryption Standard

LAN: Local Area Network SHA-1: Secure Hash Algorithm-1

VLAN: Virtual Local Area Network IKE: Internet Key Exchange

PREFACE

1

10 Scenarios Guide

Scenarios Guide 11

S

CENARIOS

2

This chapter lists and describes the following scenarios:

• NAT Scenarios on page 12

• Policy Scenarios on page 22

• VPN Scenarios on page 27

• Defending Against DoS and DDoS Attacks on page 32

• Additional Attack Detection and Prevention on page 35

SCENARIOS

2

12 Scenarios Guide

NAT Scenarios

There are many ways that source and destination NAT can be applied to packets as they traverse

through the appliance. The following source and destination NAT examples are included in this

section:

• Source NAT from a DIP Pool with PAT

• Source NAT from the Egress Interface IP Address

• Source NAT from a DIP Pool with Address Shifting

• Destination NAT to a Single IP Address Using Port Mapping

• Destination NAT to a Single IP Address without Port Mapping

• Destination NAT to Multiple IP Addresses with Port Mapping

• Destination NAT Many-to-many with Address Shifting

Source NAT from a DIP Pool with PAT

This section describes a scenario where clients on the private network behind a firewall need to

go on the public network to access an HTTP server. Since multiple clients exist behind the firewall,

they have to share the same public IP address as the source address for outgoing packets. For

security reasons, it is also desirable to hide the source IP addresses of the clients. This translates

into the following requirements:

• Permits all traffic from the trust zone to any host in the untrust zone.

• Hides all addresses in the trust zone from hosts in the untrust zone.

• Blocks any packets that originate from the untrust zone.

To meet these requirements, the administrator can configure the appliance by following these

steps:

1. Bind eth0 to the trust zone and assign eth0 an IP address of 10.0.0.200/24.

2. Bind eth1 to the untrust zone and assign eth1 an IP address of 4.4.4.1/24.

3. Create a DIP pool on the egress interface.

4. Create a policy that allows any traffic from trust to untrust and translates the source address of the egress packets

to the DIP pool addresses. The policy references the DIP pool created on the egress interface.

. . . . .

SCENARIOS

Scenarios Guide 13

5. Configure the default route to use eth1 and the gateway address: 4.4.4.254.

Figure 1. Source NAT with PAT

CLI Commands

The following commands apply to the source NAT with PAT scenario described in this section.

Interfaces

set interface eth0 zone trust

set interface eth0 ip 10.0.0.200/24

set interface eth0 nat

set interface eth1 zone untrust

set interface eth1 ip 4.4.4.1/24

set interface eth1 dip 10 4.4.4.10 4.4.4.15

Policy

set policy from trust to untrust any any any nat src dip 10 permit

Route

set route 0.0.0.0/0 interface eth1 gateway 4.4.4.254

B

LAZE

2100

SCENARIOS

2

14 Scenarios Guide

[NOTE] In this example, the DIP pool has six entries. The IP addresses in the DIP pool are used as a source

IP address for the outgoing packet based on a round-robin mechanism. It is also possible to have a DIP

pool with only one entry. In that case, the single IP address in the DIP pool is always used as the source

address for outgoing IP packets. The addresses used in the DIP need to be routable IP addresses provided

by an ISP. In both cases PAT is applied. ad

Source NAT from the Egress Interface IP Address

The network scenario in the previous section, Source NAT from a DIP Pool with PAT, is very similar

to the scenario in this section. The difference in this example is the source IP address of egress

IP packets is always the IP address of the egress interface. In the previous scenario, pictured in

Figure 1, the source address is picked from a DIP pool.

In this section, the scenario has the following requirements:

• Permits all traffic from the trust zone to any host in the untrust zone.

• Hides all address in the trust zone from hosts in the untrust zone.

• Blocks any packets that originate from the untrust zone.

• Uses only the IP address of the egress interface as the translated IP address.

To meet these requirements, the administrator can configure the appliance by following these

steps:

1. Bind eth0 to the trust zone and assign eth0 an IP address of 10.0.0.200/24.

2. Bind eth1 to the untrust zone and assign eth1 an IP address of 4.4.4.1/24.

3. Create a policy that allows any traffic from trust to untrust and translates the source address of the egress packets

to the IP address of the egress interface.

4. Configure the default route to use eth1 and a gateway of 4.4.4.254.

. . . . .

SCENARIOS

Scenarios Guide 15

Figure 2. Source NAT

CLI Commands

The following commands apply to the source NAT scenario described in this section.

Interfaces

set interface eth0 zone trust

set interface eth0 ip 10.0.0.200/24

set interface eth0 nat

set interface eth1 zone untrust

set interface eth1 ip 4.4.4.1/24

Policy

set policy from trust to untrust any any any permit

Route

set route 0.0.0.0/0 interface eth1 gateway 4.4.4.254

save

B

LAZE

2100

SCENARIOS

2

16 Scenarios Guide

Destination NAT to a Single IP Address Using Port Mapping

This section describes a scenario where a web server is behind a firewall and a client on the In-

ternet needs to get access to the web server. Since the web server does not have a public IP ad-

dress, HTTP traffic directed to the public IP address needs to be translated to the private IP

address of the server.

This scenario has the following requirements:

• Permits HTTP traffic from any host on the zone untrust to the webserver server on the trust

zone.

• Translates the destination IP address for all HTTP traffic from 4.4.4.1 to 10.0.0.200.

• Translates the destination port from 80 (HTTP) to 8080.

• Leaves the source port unchanged.

• Webserver should be configured with an internal IP address of 10.0.0.200

To meet these requirements, follow these steps to configure the policy for the network:

1. Bind eth0 to the trust zone and assign it an IP address: 10.0.0.1/24.

2. Bind eth1 to the untrust zone and assign it an IP address: 4.4.4.1/24.

3. Create an address object MTT1 and assign it an IP address: 4.4.4.200.

4. Create a policy allowing HTTP traffic from any host on the Internet to a server MTT1.

5. Configure the default route for zone trust to use the eth1 interface and a gateway of 4.4.4.254.

6. Create a host route for the MTT1 object on interface eth0

. . . . .

SCENARIOS

Scenarios Guide 17

Figure 3. Destination NAT with Port Mapping

CLI Commands

The following commands apply to the destination NAT with port mapping scenario described in

this section.

Interfaces

set interface eth1 zone untrust

set interface eth1 ip 4.4.4.1/24

set interface eth0 zone trust

set interface eth0 ip 10.0.0.1/24

Addresses

set address trust MTT1 4.4.4.200/32

Policy

set policy from untrust to trust any MTT1 http nat dst 10.0.0.200 port 8080

permit

SCENARIOS

2

18 Scenarios Guide

Route

set route 0.0.0.0/0 interface eth1 gateway 4.4.4.254

set route 4.4.4.200/32 interface eth0

save

Destination NAT to a Single IP Address without Port Mapping

The section describes an example of a network with the following requirements:

• Permits HTTP traffic from any host on the untrust zone to a host on the trust zone with the

IP address 10.0.0.200.

• Translates the destination IP address from 4.4.4.1 to 10.0.0.200.

• Leaves the destination port at 80 (HTTP) unchanged.

• Leaves the source port unchanged.

To meet these requirements, follow these steps to configure the policy for this network:

1. Bind the eth0 interface to zone trust with an IP address of 10.0.0.1/24.

2. Bind the eth1 interface to zone untrust with an IP address of 4.4.4.1/24.

3. Create an address object for the IP address 4.4.4.200 using the name MTT1.

4. Create a policy allowing HTTP traffic from any host on the Internet to a server MTT1.

5. Configure the default route for zone trust to use the eth1 interface and a gateway of 4.4.4.254.

6. Create a host route for the MTT1 object on interface eth0.

Figure 4. Destination NAT without Port Mapping

. . . . .

SCENARIOS

Scenarios Guide 19

CLI Commands

The following commands apply to the destination NAT without port mapping scenario described in

this section.

Interfaces

set interface eth1 zone untrust

set interface eth1 ip 4.4.4.1/24

set interface eth0 zone trust

set interface eth0 ip 10.0.0.1/24

Addresses

set address trust MTT1 4.4.4.200/32

Policy

set policy from untrust to trust any MTT1 http nat dst 10.0.0.200 permit

Route

set route 0.0.0.0/0 interface eth1 gateway 4.4.4.254

set route 4.4.4.200/32 interface eth0 gateway 0.0.0.0

save

Destination NAT to Multiple IP Addresses with Port Mapping

This section describes an example of a network with the following requirements:

• Permits HTTP traffic from any host on the zone untrust to an HTTP server on the zone trust.

• Permits FTP traffic from any host on the zone untrust to an FTP server on the zone trust.

• Translates the destination IP address from 4.4.4.1 to 10.0.0.200 using port 80 (HTTP).

• Translates the destination IP address from 4.4.4.1 to 10.0.0.210 using port 21 (FTP).

To meet these requirements, follow these steps to configure the policy for this network:

1. Bind the eth0 interface to the trust zone with an IP address of 10.0.0.1/24.

2. Bind the eth1 interface to the untrust zone with an IP address of 4.4.4.1/24.

3. Create an address object for the IP address 4.4.4.200 using the name MTT1.

4. Create a policy allowing HTTP traffic from any host on the Internet to a server MTT1.

5. Create a policy allowing FTP traffic from any host on the Internet to a server MTT1.

6. Configure the default route for zone trust to use the eth1 interface and a gateway of 4.4.4.254.

SCENARIOS

2

20 Scenarios Guide

7. Create a host route for the MTT1 object on interface eth0

Figure 5. Destination NAT with Port Mapping

CLI Commands

The following commands apply to the destination NAT with port mapping scenario described in

this section.

Interfaces

set interface eth1 zone untrust

set interface eth1 ip 4.4.4.1/24

set interface eth0 zone trust

set interface eth0 ip 10.0.0.1/24

Page is loading ...

Freedom9 freeGuard Blaze 2100 User manual

Freedom9 freeGuard Blaze 2100 User manual

Related papers

Other documents