Freedom9 freeGuard Blaze 2100
Scenarios Guide
Version 3R2
COPYRIGHT NOTICE
© Copyright 2007 Freedom9 Inc.
ALL RIGHTS RESERVED.
Under the copyright law, this manual and the software described within cannot be copied in
whole or part, without written permission of the manufacturer, except in the normal use of the
software to make a backup copy. The same proprietary and copyright notices must be affixed to
any permitted copies as were affixed to the original. An exception does not allow copies to be
made for others, whether or not sold, but all of the materials purchased can be sold, given, or
loaned to another person. Under the law, copying includes translating this information into
another language or format.
Information contained in this document is subject to change without notice.
TRADEMARKS
Products mentioned in this document may be trademarks and/or registered trademarks of their
respective companies and are the sole properties of their respective company.
Contents
1. Preface
   About This Document
   Document Conventions
      Command Line Interface (CLI) Conventions
      Illustration Conventions
      Frequently Used Acronyms
2. Scenarios
   NAT Scenarios
      Source NAT from a DIP Pool with PAT
      Source NAT from the Egress Interface IP Address
      Destination NAT to a Single IP Address Using Port Mapping
      Destination NAT to a Single IP Address without Port Mapping
      Destination NAT to Multiple IP Addresses with Port Mapping
   Policy Scenarios
      Interzone Policies
      Intrazone Policies
      Global Policies
   VPN Scenarios
      Site-to-Site VPN with AutoKey
      Site-to-Site VPN with Manual Keying
      Network Attack Prevention
   Defending Against DoS and DDoS Attacks
      ICMP Flood Prevention
      UDP Flood Prevention
      SYN Flood Prevention
      FIN Flood Prevention
      IP Fragment Prevention
      TCP-FIN-no-ACK
   Additional Attack Detection and Prevention
      Viewing Attack Settings
1. Preface

Contents
About This Document
Document Conventions
About This Document
This guide contains supplemental information for network administrators who install and maintain
the freeGuard Blaze 2100 in a network. This document should be used with the User Guide and
the Command Line Interface Reference Manual. It addresses the most commonly used network
scenarios where the freeGuard Blaze 2100 is used.
Document Conventions
Command Line Interface (CLI) Conventions
The following conventions are used when presenting the syntax of the command line interface
(CLI):
• Values inside square brackets [ ] are optional.
• Values inside braces { } are required.
• For commands that require a selection from a pre-defined list of values, each value in the
list is separated by a pipe ( | ).
• Variables appear in italic.
When a CLI command appears within the context of a sentence in this document, it is in bold (except
for variables, which are always in italic). For example: "Use the get system command to display
general information about the freeGuard Blaze 2100."
Illustration Conventions
The following graphics are used in illustrations throughout this book:
Frequently Used Acronyms
This guide assumes familiarity with the following acronyms. See the User Guide glossary for further
details about these terms.
NAT: Network Address Translation
DIP: Dynamic IP Address
PAT: Port Address Translation
LAN: Local Area Network
VLAN: Virtual Local Area Network
VPN: Virtual Private Network
ESP: Encapsulating Security Payload
3DES: Triple Data Encryption Standard
SHA-1: Secure Hash Algorithm-1
IKE: Internet Key Exchange
2. Scenarios

This chapter lists and describes the following scenarios:
NAT Scenarios
Policy Scenarios
VPN Scenarios
Defending Against DoS and DDoS Attacks
Additional Attack Detection and Prevention
NAT Scenarios
There are many ways that source and destination NAT can be applied to packets as they traverse
the appliance. The following source and destination NAT examples are included in this section:
• Source NAT from a DIP Pool with PAT
• Source NAT from the Egress Interface IP Address
• Destination NAT to a Single IP Address Using Port Mapping
• Destination NAT to a Single IP Address without Port Mapping
• Destination NAT to Multiple IP Addresses with Port Mapping
Source NAT from a DIP Pool with PAT
This section describes a scenario where clients on the private network behind the firewall need to
reach an HTTP server on the public network. Because multiple clients sit behind the firewall, they
have to share the public IP addresses used as the source address of outgoing packets, and for
security reasons the clients' own source IP addresses should not be visible from outside. This
translates into the following requirements:
• Permits all traffic from the trust zone to any host in the untrust zone.
• Hides all addresses in the trust zone from hosts in the untrust zone.
• Blocks any packets that originate from the untrust zone.
To meet these requirements, the administrator can configure the appliance by following these
steps:
1. Bind eth0 to the trust zone and assign eth0 an IP address of 10.0.0.200/24.
2. Bind eth1 to the untrust zone and assign eth1 an IP address of 4.4.4.1/24.
3. Create a DIP pool on the egress interface (eth1).
4. Create a policy that allows any traffic from trust to untrust and translates the source address of
the egress packets to addresses from the DIP pool. The policy references the DIP pool created on
the egress interface. No policy from untrust to trust is created, so packets that originate in the
untrust zone have nothing to match and are dropped.
5. Configure the default route to use eth1 and the gateway address 4.4.4.254.
Figure 1. Source NAT with PAT
CLI Commands
The following commands apply to the source NAT with PAT scenario described in this section.
Interfaces
set interface eth0 zone trust
set interface eth0 ip 10.0.0.200/24
set interface eth0 nat
set interface eth1 zone untrust
set interface eth1 ip 4.4.4.1/24
set interface eth1 dip 10 4.4.4.10 4.4.4.15
Policy
set policy from trust to untrust any any any nat src dip 10 permit
Route
set route 0.0.0.0/0 interface eth1 gateway 4.4.4.254
[NOTE] In this example, the DIP pool has six entries (4.4.4.10 through 4.4.4.15). The IP addresses in the
DIP pool are used as the source IP address of outgoing packets on a round-robin basis. It is also possible
to have a DIP pool with only one entry; in that case, the single IP address in the pool is always used as
the source address for outgoing IP packets. The addresses in the DIP pool must be routable IP addresses
provided by the ISP. In both cases PAT is applied, so the translated source port, and not only the
translated address, distinguishes the sessions of different clients.
Source NAT from the Egress Interface IP Address
The network scenario in this section is very similar to the previous one, Source NAT from a DIP Pool
with PAT. The difference is that here the source IP address of egress IP packets is always the IP
address of the egress interface, whereas in the previous scenario, pictured in Figure 1, the source
address is picked from a DIP pool.
In this section, the scenario has the following requirements:
• Permits all traffic from the trust zone to any host in the untrust zone.
• Hides all addresses in the trust zone from hosts in the untrust zone.
• Blocks any packets that originate from the untrust zone.
• Uses only the IP address of the egress interface as the translated IP address.
To meet these requirements, the administrator can configure the appliance by following these
steps:
1. Bind eth0 to the trust zone and assign eth0 an IP address of 10.0.0.200/24.
2. Bind eth1 to the untrust zone and assign eth1 an IP address of 4.4.4.1/24.
3. Create a policy that allows any traffic from trust to untrust. With eth0 in NAT mode (set interface
eth0 nat), the source address of the egress packets is translated to the IP address of the egress
interface; the policy itself carries no nat clause.
4. Configure the default route to use eth1 and a gateway of 4.4.4.254.
Figure 2. Source NAT
CLI Commands
The following commands apply to the source NAT scenario described in this section.
Interfaces
set interface eth0 zone trust
set interface eth0 ip 10.0.0.200/24
set interface eth0 nat
set interface eth1 zone untrust
set interface eth1 ip 4.4.4.1/24
Policy
set policy from trust to untrust any any any permit
Route
set route 0.0.0.0/0 interface eth1 gateway 4.4.4.254
save
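The following Python model illustrates the behaviour the two source NAT scenarios above describe. It is an added example, not firmware or CLI code from the freeGuard Blaze 2100: round-robin selection over the DIP pool and PAT on every translation are taken from the note above, while the translated port range, the sequential port allocation and all packets are constructed assumptions. A pool with a single entry equal to the egress interface address (4.4.4.1) models the second scenario.

```python
# Added illustration of stateful source NAT with PAT; not freeGuard Blaze 2100 code.
from dataclasses import dataclass
from itertools import cycle
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Source NAT in front of a DIP pool. A pool of one address models source NAT
    from the egress interface IP address."""

    def __init__(self, pool, port_range=(1024, 65535)):   # port range is an assumption
        if not pool:
            raise ValueError("a DIP pool needs at least one routable address")
        self._next_dip = cycle(pool)        # round-robin over the pool entries
        self._port, self._port_max = port_range
        self._by_original = {}              # (src, sport, dst, dport) -> (dip, tport)
        self._by_translated = {}            # (dip, tport) -> (src, sport, dst, dport)

    def _alloc_port(self) -> int:
        # Sequential allocation is an assumption; the page does not specify the scheme.
        if self._port > self._port_max:
            raise RuntimeError("PAT port range exhausted")
        port, self._port = self._port, self._port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Trust -> untrust: rewrite the source, creating a session on first sight."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._by_original:
            translated = (next(self._next_dip), self._alloc_port())
            self._by_original[key] = translated
            self._by_translated[translated] = key
        dip, tport = self._by_original[key]
        return Packet(dip, tport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Untrust -> trust: only a reply to an existing session is translated back;
        anything without a session is dropped (None), which is how the third
        requirement of both scenarios is met."""
        session = self._by_translated.get((pkt.dst, pkt.dport))
        if session is None:
            return None
        src, sport, dst, dport = session
        if (pkt.src, pkt.sport) != (dst, dport):
            return None                     # right port, wrong peer: still no session
        return Packet(pkt.src, pkt.sport, src, sport)


def demo():
    """Three clients through the six-address pool of the first scenario (constructed packets)."""
    nat = SourceNat([f"4.4.4.{n}" for n in range(10, 16)])   # 4.4.4.10 .. 4.4.4.15
    server = "93.184.216.34"                                  # constructed public host
    out = [nat.outbound(Packet(f"10.0.0.{n}", 40000 + n, server, 80)) for n in (5, 6, 7)]
    reply = nat.inbound(Packet(server, 80, out[0].src, out[0].sport))   # reply to client 1
    stray = nat.inbound(Packet("198.51.100.9", 4444, "4.4.4.10", 22))   # unsolicited: dropped
    return out, reply, stray


if __name__ == "__main__":
    out, reply, stray = demo()
    for p in out:
        print("outbound", p)
    print("reply   ", reply)
    print("stray   ", stray)
```

Each client gets the next pool address and its own translated port; a reply is only let back in when both the translated tuple and the peer match the recorded session, and a packet from the untrust side that matches no session is dropped.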
Destination NAT to a Single IP Address Using Port Mapping
This section describes a scenario where a web server is behind a firewall and a client on the
Internet needs to reach it. Since the web server does not have a public IP address, HTTP traffic
directed to the public IP address needs to be translated to the private IP address of the server.
This scenario has the following requirements:
• Permits HTTP traffic from any host in the untrust zone to the web server in the trust zone.
• Translates the destination IP address of all HTTP traffic from the public address 4.4.4.200 (address
object MTT1) to 10.0.0.200.
• Translates the destination port from 80 (HTTP) to 8080.
• Leaves the source port unchanged.
• The web server is configured with an internal IP address of 10.0.0.200.
To meet these requirements, follow these steps to configure the policy for the network:
1. Bind eth0 to the trust zone and assign it an IP address: 10.0.0.1/24.
2. Bind eth1 to the untrust zone and assign it an IP address: 4.4.4.1/24.
3. Create an address object MTT1 in the trust zone with the IP address 4.4.4.200.
4. Create a policy allowing HTTP traffic from any host on the Internet to the server MTT1, with the
destination translated to 10.0.0.200 port 8080.
5. Configure the default route to use the eth1 interface and a gateway of 4.4.4.254.
6. Create a host route for the MTT1 address (4.4.4.200/32) on interface eth0. This host route is what
makes the appliance resolve 4.4.4.200 to the trust zone when it looks up the policy for the
untranslated destination, so the untrust-to-trust policy matches before the address is rewritten.
Figure 3. Destination NAT with Port Mapping
CLI Commands
The following commands apply to the destination NAT with port mapping scenario described in
this section.
Interfaces
set interface eth1 zone untrust
set interface eth1 ip 4.4.4.1/24
set interface eth0 zone trust
set interface eth0 ip 10.0.0.1/24
Addresses
set address trust MTT1 4.4.4.200/32
Policy
set policy from untrust to trust any MTT1 http nat dst 10.0.0.200 port 8080 permit
Route
set route 0.0.0.0/0 interface eth1 gateway 4.4.4.254
set route 4.4.4.200/32 interface eth0
save
Destination NAT to a Single IP Address without Port Mapping
This section describes an example of a network with the following requirements:
• Permits HTTP traffic from any host in the untrust zone to a host in the trust zone with the
IP address 10.0.0.200.
• Translates the destination IP address from the public address 4.4.4.200 (address object MTT1)
to 10.0.0.200.
• Leaves the destination port at 80 (HTTP) unchanged.
• Leaves the source port unchanged.
To meet these requirements, follow these steps to configure the policy for this network:
1. Bind the eth0 interface to zone trust with an IP address of 10.0.0.1/24.
2. Bind the eth1 interface to zone untrust with an IP address of 4.4.4.1/24.
3. Create an address object in the trust zone for the IP address 4.4.4.200 using the name MTT1.
4. Create a policy allowing HTTP traffic from any host on the Internet to the server MTT1, with the
destination translated to 10.0.0.200 and no port mapping.
5. Configure the default route to use the eth1 interface and a gateway of 4.4.4.254.
6. Create a host route for the MTT1 address (4.4.4.200/32) on interface eth0.
Figure 4. Destination NAT without Port Mapping
CLI Commands
The following commands apply to the destination NAT without port mapping scenario described in
this section.
Interfaces
set interface eth1 zone untrust
set interface eth1 ip 4.4.4.1/24
set interface eth0 zone trust
set interface eth0 ip 10.0.0.1/24
Addresses
set address trust MTT1 4.4.4.200/32
Policy
set policy from untrust to trust any MTT1 http nat dst 10.0.0.200 permit
Route
set route 0.0.0.0/0 interface eth1 gateway 4.4.4.254
set route 4.4.4.200/32 interface eth0 gateway 0.0.0.0
save
Destination NAT to Multiple IP Addresses with Port Mapping
This section describes an example of a network with the following requirements:
• Permits HTTP traffic from any host in the untrust zone to an HTTP server in the trust zone.
• Permits FTP traffic from any host in the untrust zone to an FTP server in the trust zone.
• Translates the destination IP address of port 80 (HTTP) traffic from the public address 4.4.4.200
(address object MTT1) to 10.0.0.200.
• Translates the destination IP address of port 21 (FTP) traffic from the same public address
4.4.4.200 to 10.0.0.210.
To meet these requirements, follow these steps to configure the policy for this network:
1. Bind the eth0 interface to the trust zone with an IP address of 10.0.0.1/24.
2. Bind the eth1 interface to the untrust zone with an IP address of 4.4.4.1/24.
3. Create an address object in the trust zone for the IP address 4.4.4.200 using the name MTT1.
4. Create a policy allowing HTTP traffic from any host on the Internet to the server MTT1, translated
to 10.0.0.200.
5. Create a policy allowing FTP traffic from any host on the Internet to the server MTT1, translated
to 10.0.0.210. The service in each policy (HTTP or FTP) selects which internal server the same
public address is translated to.
6. Configure the default route to use the eth1 interface and a gateway of 4.4.4.254.
7. Create a host route for the MTT1 address (4.4.4.200/32) on interface eth0.
Figure 5. Destination NAT with Port Mapping
CLI Commands
The following commands apply to the destination NAT with port mapping scenario described in
this section.
Interfaces
set interface eth1 zone untrust
set interface eth1 ip 4.4.4.1/24
set interface eth0 zone trust
set interface eth0 ip 10.0.0.1/24
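The following Python model illustrates the zone-based policy lookup and destination NAT behind the three destination NAT scenarios above. It is an added example, not freeGuard Blaze 2100 code. The model assumes, as steps 3 and 6 of each scenario imply, that the destination zone is found by a route lookup on the untranslated destination address, which is why MTT1 is defined in zone trust and given a /32 host route on eth0; it also assumes the well-known ports for the http and ftp services. The configuration it builds combines the HTTP policy with port mapping from the first scenario and the FTP policy to a second server from the third; all packets are constructed.

```python
# Added illustration of destination NAT with zone lookup; not freeGuard Blaze 2100 code.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

SERVICES = {"http": ("tcp", 80), "ftp": ("tcp", 21)}   # well-known ports (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Firewall:
    def __init__(self):
        self.iface_zone = {}      # "eth0" -> "trust"
        self.routes = []          # (network, interface)
        self.addresses = {}       # name -> (zone, network)
        self.policies = []        # configuration order; first match wins

    # --- configuration, mirroring the CLI verbs used in the scenarios ---
    def set_interface(self, iface, zone):
        self.iface_zone[iface] = zone

    def set_route(self, prefix, iface):
        self.routes.append((ip_network(prefix), iface))

    def set_address(self, zone, name, prefix):
        self.addresses[name] = (zone, ip_network(prefix))

    def set_policy(self, frm, to, src, dst, service, nat_dst=None, port=None):
        self.policies.append(dict(frm=frm, to=to, src=src, dst=dst,
                                  service=service, nat_dst=nat_dst, port=port))

    # --- forwarding ---
    def zone_for(self, ip) -> Optional[str]:
        """Longest-prefix route lookup, then the zone of the chosen interface."""
        addr = ip_address(ip)
        matches = [(net.prefixlen, iface) for net, iface in self.routes if addr in net]
        return self.iface_zone[max(matches)[1]] if matches else None

    def _addr_matches(self, name, zone, ip) -> bool:
        if name == "any":
            return True
        obj = self.addresses.get(name)
        return obj is not None and obj[0] == zone and ip_address(ip) in obj[1]

    def ingress(self, pkt: Packet, in_iface: str) -> Optional[Packet]:
        """Return the packet as it leaves the firewall, or None when no policy permits it."""
        from_zone = self.iface_zone[in_iface]
        to_zone = self.zone_for(pkt.dst)            # zone of the *untranslated* destination
        for p in self.policies:
            if (p["frm"], p["to"]) != (from_zone, to_zone):
                continue
            if not self._addr_matches(p["src"], from_zone, pkt.src):
                continue
            if not self._addr_matches(p["dst"], to_zone, pkt.dst):
                continue
            if (pkt.proto, pkt.dport) != SERVICES[p["service"]]:
                continue
            if p["nat_dst"] is None:
                return pkt
            # destination NAT: rewrite the address, map the port only when asked, keep sport
            return replace(pkt, dst=p["nat_dst"], dport=p["port"] or pkt.dport)
        return None                                  # no matching policy: denied


def scenario(host_route: bool = True) -> Firewall:
    """Interfaces, MTT1 and routes shared by the scenarios, plus an HTTP policy with
    port mapping and an FTP policy to a second internal server."""
    fw = Firewall()
    fw.set_interface("eth1", "untrust")
    fw.set_interface("eth0", "trust")
    fw.set_address("trust", "MTT1", "4.4.4.200/32")
    fw.set_policy("untrust", "trust", "any", "MTT1", "http", nat_dst="10.0.0.200", port=8080)
    fw.set_policy("untrust", "trust", "any", "MTT1", "ftp", nat_dst="10.0.0.210")
    fw.set_route("0.0.0.0/0", "eth1")
    if host_route:
        fw.set_route("4.4.4.200/32", "eth0")        # the host route of step 6
    return fw


if __name__ == "__main__":
    fw = scenario()
    print(fw.ingress(Packet("198.51.100.9", 51000, "4.4.4.200", 80), "eth1"))
    print(fw.ingress(Packet("198.51.100.9", 51001, "4.4.4.200", 21), "eth1"))
    print(scenario(host_route=False).ingress(Packet("198.51.100.9", 51000, "4.4.4.200", 80), "eth1"))
```

With the host route in place, 4.4.4.200 resolves to the trust zone, the untrust-to-trust policies apply, and HTTP is rewritten to 10.0.0.200:8080 while FTP goes to 10.0.0.210 with its port untouched; the source port is never changed. Leaving out the host route sends 4.4.4.200 down the default route, the lookup yields untrust as the destination zone, no untrust-to-trust policy can match, and the packet is denied.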