User manual SECURE COMPUTING SNAPGEAR NETWORK GATEWAY SECURITY

[. . . ] ADMINISTRATION GUIDE SnapGear Network Gateway Security Version 3. 1. 5 www. securecomputing. com Copyright © 2007 Secure Computing Corporation. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Secure Computing Corporation. Trademarks Secure Computing, SafeWord, Sidewinder, Sidewinder G2, Sidewinder G2 Firewall, SmartFilter, Type Enforcement, CipherTrust, IronMail, IronIM, SofToken, Enterprise Strong, Mobile Pass, G2 Firewall, PremierAccess, SecureSupport, SecureOS, Bess, Cyberguard, SnapGear, Total Stream Protection, Webwasher, Strikeback and Web Inspector are trademarks of Secure Computing Corporation, registered in the U. S. Patent and Trademark Office and in other countries. G2 Enterprise Manager, SmartReporter, SecurityReporter, Application Defenses, Central Management Control, RemoteAccess, SecureWire, TrustedSource, On-Box, Securing connections between people, applications and networks and Access Begins with Identity are trademarks of Secure Computing Corporation. Software License Agreement CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE LOADING THE SOFTWARE. [. . . ] Tunneling-based attacks occur when an attacker masks traffic normally screened by the firewall rules by encapsulating it within packets corresponding to another network protocol. Application-based attacks occur when vulnerabilities in applications can be exploited by sending suspect packets directly with those applications. These attacks can potentially be detected and prevented using an intrusion detection system. 284 Chapter 3: Firewall menu Connection tracking Basic IDB Basic IDB operates by offering a number of services to the outside world that are monitored for connection attempts. Remote machines attempting to connect to these services generate a system log entry providing details of the access attempt, and the access attempt is denied. Since network scans often occur before an attempt to compromise a host, you can also deny all access from hosts that have attempted to scan monitored ports. Note: An attacker can easily forge the source address of UDP or TCP requests. A host that automatically blocks UDP or TCP probes might inadvertently restrict access from legitimate services. Proper firewall rules and ignored hosts lists significantly reduce the risk of restricting legitimate services. Configuring basic IDB 1 From the Firewall menu, click Intrusion Detection. The IDB Configuration page appears. Figure 215: IDB Configuration 285 Chapter 3: Firewall menu Connection tracking 2 [Optional] To monitor dummy TCP services, select the Detect TCP probes check box. 3 [Optional] To blocks hosts attempting to connect to TCP services, select the Block sites probing TCP ports check box. Connection attempts are logged under the Scanning Hosts pane. 4 [Optional] To monitor dummy UDP services, select the Detect UDP probes check box. 5 [Optional] To blocks hosts attempting to connect to UDP services, select the Block sites probing UDP ports check box. Connection attempts are logged under Scanning Hosts. 6 Specify the number of times a host is permitted to attempt to connect to a monitored service before being blocked in the Trigger count before blocking field. This option only takes effect when one of the blocking options is enabled. The trigger count value should be between 0 and 2 (zero represents an immediate blocking of probing hosts). Larger settings mean more attempts are permitted before blocking and although allowing the attacker more latitude; these settings reduce the number of false positives. · Default: 0 · Range: 0-2 7 [Optional] Enter the IP addresses of trusted servers and hosts in the Addresses to ignore for detection and block purposes text box. The IDB ignores the list of host IP addresses. You can freely edit the list; however, you cannot remove the addresses 0. 0. 0. 0 and 127. 0. 0. 1 since they represent the IDB host. 8 Click Submit. 286 Chapter 3: Firewall menu Connection tracking Selecting TCP dummy services Use this procedure to set the network ports scanned for TCP services. You can choose Basic, default Standard, or Strict settings, and add your own custom entries. [. . . ] A network device that is similar to a hub, but much smarter. Although not a full router, a switch particularly understands how to route Internet packets. A switch increases LAN efficiency by utilizing bandwidth more effectively. Transmission Control Protocol/Internet Protocol. [. . . ]