Date post: | 24-Dec-2015 |
Category: |
Documents |
Upload: | solomon-gordon |
View: | 241 times |
Download: | 2 times |
Sepehr Firewalls
Sepehr Sadra Tehran Co. Ltd.Ali Shayan
December 2008
2
Introduction • GOS3 (GateMAN Operating System v3)• User Interfaces:
– GUI (GateSetUP)– CLI
• Log • Log Analyzers
– SLAT v2,3 (Sepehr Log Analysis Tool)– CBLR (Client Based Log Report)– Caser (Content Analysis System Extended Revision)
• LAN User Accounting– Authentication Server : gateauthd– Authentication Client : LAN Authenticator (web-based),
GateAUTH (Windows Application)
• RAMA (Remote Access Monitoring Agent)
3
Firewall Platform Types
• Sepehr4100 Series– Sepehr4110– Sepehr4108– Sepehr4106
– Sepehr4104– Sepehr4102
• Sepehr3400
4
Sepehr4100 Series Hardware Specification
• 2 x 10/100/1000 Mbps UTP Ethernet Ports.• 2 x GBICs PCI-Express Card.• 4 x 10/100/1000 Mbps UTP Ethernet PCI-Express Card• Bypass Module• Fault Tolerant in Router Mode• VPN Accelerator• 3.2 GHz XEON CPU• 2 GB RAM• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height
6
Sepehr4110 Hardware Specification
• 10 x 10/100/1000 Mbps UTP Ethernet Ports.• Fault Tolerant in Router Mode• VPN Accelerator• 3.2 GHz XEON CPU• 2 GB RAM• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height
7
Sepehr4108 Hardware Specification
• 6 x 10/100/1000 Mbps UTP Ethernet Ports.• 2 x GBICs/SFPs PCI-Express Card.• Fault Tolerant in Router Mode• VPN Accelerator• 3.2 GHz XEON CPU• 2 GB RAM• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height
8
Sepehr4106 Hardware Specification
• 2 x 10/100/1000 Mbps UTP Ethernet Ports.• 4 x GBICs/SFPs PCI-Express Card.• Fault Tolerant in Router Mode• VPN Accelerator• 3.2 GHz XEON CPU• 2 GB RAM• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height
Sepehr4100 Final Hardware
10
Sepehr 4104 Hardware Specification
• 4 x 10/100/1000 Mbps UTP Ethernet Ports.• 3.2 GHz PIV CPU• 1 GB RAM• Bypass Module• Fault Tolerant in Router Mode• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height
11
Sepehr 4102 Hardware Specification
• 2 x 10/100 Mbps UTP Ethernet Ports• 2 x 10/100/1000 Mbps UTP Ethernet Ports• 2.8 GHz PIV CPU• 1 GB RAM• Bypass Module• Fault Tolerant in Router Mode• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height
12
Sepehr 3400 Hardware Specification
• 4 x 10/100 Mbps UTP Ethernet Ports• 1 GHz CPU• 1 GB RAM• Fault Tolerant in Router Mode• VPN Accelerator• 19 inches rack mountable chassis with 1U height
13
Firewall Engine Types
• Without any Extension
• FL : Full Log– Firewall with all features– Logging the Header of the Packets (Log Packet, Log Connection, Log NAT)
– Logging the Content of Packet
• FLV : Full Log Visualize– Firewall with all features– Logging the Header of the Packets (Log Packet, Log Connection, Log NAT)
– Logging the Content of Packet– Events Visualizer (
14
Sepehr 4100 Series, Sepehr 3400
• Firewall with ALL Firewalling Features• Logging the Header of the Packets and Connections
- Log Packet
- Log Connection
- Log NAT
• Statistical Log Analyzer (SLAT 2)• Client Based Log Analyzer (CBLR)• Authentication
15
Sepehr 4100 FL Series, Sepehr 3400 FL
• Firewall with ALL Firewalling Features• Logging the Header of the Packets and Connections
• Log Packet• Log Connection• Log NAT
• Logging the Body of the Packets and Connections– Log Content
• Statistical Log Analyzer (SLAT 2)• Client Based Log Analyzer (CBLR)• Authentication• RAMA
16
Sepehr 4100 FLV Series, Sepehr 3400 FLV• Firewall with ALL Firewalling Features• Logging the Header of the Packets and Connections
• Log Packet• Log Connection• Log NAT
• Logging the Body of the Packets and Connections– Log Content
• Statistical Log Analyzer (SLAT 2)• Client Based Log Analyzer (CBLR)• Events Visualizer (Caser)• Authentication• RAMA
17
Working Modes
• Bridge
• Router
• Compound Mode
18
Traffic Shaping
• Per Firewall Network Interface• Frames per second limitation on input/output frames per port• Bits per second limitation on input/output bits per port.
• By Protocol Type• By Source/Destination MAC address• By Source/Destination IP address• By Source/Destination Port Number• Per TCP connection bandwidth limitation
19
Packet Filtering
• Packet filtering based on input/output directions.
• Packet filtering based on input/output interfaces.
20
Packet Filtering (continued)
• Mac Protocol filtering by type (ARP, Reverse ARP, IP, IPX, …, and RAW frames)
• Internet Protocol filtering by type (ICMP, IGMP, TCP, …,
and RAW packets) and Source/Destination address
• TCP/UDP filtering by Source/Destination port
• ICMP filtering by type and code
21
Checksum
• Full IP Datagram filtering with Automatic IP Checksum Control ( Layer 2 )
• Checksum Checking (inbound) on TCP, UDP or ICMP Packets ( Layer 3 )– Accept if correct
– Drop if incorrect
– Accept if incorrect
• Checksum Calculating (outbound) on TCP, UDP or ICMP Packets ( Layer 3 )
22
Tight TCP State-full Inspection
• TCP Checksum Checking• TCP Sequence Number Checking and Tracing in
Stream• Syn/Ack/Fin State Transition Control and Violation
Avoidance• Out of sequence TCP packet alignment.
23
Application Layer Filtering
• Application layer protocol monitoring and violation control.
- HTTP
- SMTP
- FTP
- TELNET
24
HTTP URL Filtering
• URL filtering with user defined URL database to filter:- Domains- Sub-domains- Directories
• White list URL databases• Regular expression databases
25
SMTP Filtering
• SMTP filtering with respect expressions of
- username
- domain-name
- username@domain-name
sender/receiver databases.
26
FTP Filtering
• Downloading files
• Uploading files
27
VPN
• IPSec , IKE• Gateway to Gateway
– Sepehr to Sepehr– Sepehr to Cisco– Sepehr to Windows 2003 Server
• Gateway to workstation– Sepehr to Windows 2000, XP
28
NAT
• Hide Source NAT with replacing – Source IP Address (Single, Subnet, Range, Database)
– Source Port Number (Single, Range, Database)
• Hide Destination NAT with replacing– Destination IP Address (Single, Subnet, Range, Database)
– Destination Port Number (Single, Range, Database)
• Hide Source and Destination Simultaneously– Source/Destination IP Address (Single, Subnet, Range, Database)
– Source/Destination Port Number (Single, Range, Database)
• NATing on Router and Bridge Mode
29
VLAN
• VLAN definition on Ethernet Ports– Bridging between Ethernet ports which have same Cluster ID– Routing between VLANs
• Truncking Support (802.1q)
• Multi Point Installation and configuration
30
Fault Tolerance
• Routing Mode
• Virtual Routing Redundancy Protocol (VRRP)
31
Log Server
• Remote Log Archiving• Directly or Indirectly Connection to Firewall• Specific Protocol• Log Archiving
– Time– Volume
• FIFO for Archived Log Files
32
References
• [1] Sepehr S. T. Co. LTD, Sepehr Firewalls, October 2008.