Sepehr Firewalls

Sepehr Sadra Tehran Co. Ltd.Ali Shayan

December 2008

2

Introduction • GOS3 (GateMAN Operating System v3)• User Interfaces:

– GUI (GateSetUP)– CLI

• Log • Log Analyzers

– SLAT v2,3 (Sepehr Log Analysis Tool)– CBLR (Client Based Log Report)– Caser (Content Analysis System Extended Revision)

• LAN User Accounting– Authentication Server : gateauthd– Authentication Client : LAN Authenticator (web-based),

GateAUTH (Windows Application)

• RAMA (Remote Access Monitoring Agent)

3

Firewall Platform Types

• Sepehr4100 Series– Sepehr4110– Sepehr4108– Sepehr4106

– Sepehr4104– Sepehr4102

• Sepehr3400

4

Sepehr4100 Series Hardware Specification

• 2 x 10/100/1000 Mbps UTP Ethernet Ports.• 2 x GBICs PCI-Express Card.• 4 x 10/100/1000 Mbps UTP Ethernet PCI-Express Card• Bypass Module• Fault Tolerant in Router Mode• VPN Accelerator• 3.2 GHz XEON CPU• 2 GB RAM• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height

6

Sepehr4110 Hardware Specification

• 10 x 10/100/1000 Mbps UTP Ethernet Ports.• Fault Tolerant in Router Mode• VPN Accelerator• 3.2 GHz XEON CPU• 2 GB RAM• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height

7

Sepehr4108 Hardware Specification

• 6 x 10/100/1000 Mbps UTP Ethernet Ports.• 2 x GBICs/SFPs PCI-Express Card.• Fault Tolerant in Router Mode• VPN Accelerator• 3.2 GHz XEON CPU• 2 GB RAM• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height

8

Sepehr4106 Hardware Specification

• 2 x 10/100/1000 Mbps UTP Ethernet Ports.• 4 x GBICs/SFPs PCI-Express Card.• Fault Tolerant in Router Mode• VPN Accelerator• 3.2 GHz XEON CPU• 2 GB RAM• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height

Sepehr4100 Final Hardware

10

Sepehr 4104 Hardware Specification

• 4 x 10/100/1000 Mbps UTP Ethernet Ports.• 3.2 GHz PIV CPU• 1 GB RAM• Bypass Module• Fault Tolerant in Router Mode• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height

11

Sepehr 4102 Hardware Specification

• 2 x 10/100 Mbps UTP Ethernet Ports• 2 x 10/100/1000 Mbps UTP Ethernet Ports• 2.8 GHz PIV CPU• 1 GB RAM• Bypass Module• Fault Tolerant in Router Mode• LCD Panel for limited configurations• 19 inches rack mountable chassis with 1U height

12

Sepehr 3400 Hardware Specification

• 4 x 10/100 Mbps UTP Ethernet Ports• 1 GHz CPU• 1 GB RAM• Fault Tolerant in Router Mode• VPN Accelerator• 19 inches rack mountable chassis with 1U height

13

Firewall Engine Types

• Without any Extension

• FL : Full Log– Firewall with all features– Logging the Header of the Packets (Log Packet, Log Connection, Log NAT)

– Logging the Content of Packet

• FLV : Full Log Visualize– Firewall with all features– Logging the Header of the Packets (Log Packet, Log Connection, Log NAT)

– Logging the Content of Packet– Events Visualizer (

14

Sepehr 4100 Series, Sepehr 3400

• Firewall with ALL Firewalling Features• Logging the Header of the Packets and Connections

- Log Packet

- Log Connection

- Log NAT

• Statistical Log Analyzer (SLAT 2)• Client Based Log Analyzer (CBLR)• Authentication

15

Sepehr 4100 FL Series, Sepehr 3400 FL

• Firewall with ALL Firewalling Features• Logging the Header of the Packets and Connections

• Log Packet• Log Connection• Log NAT

• Logging the Body of the Packets and Connections– Log Content

• Statistical Log Analyzer (SLAT 2)• Client Based Log Analyzer (CBLR)• Authentication• RAMA

16

Sepehr 4100 FLV Series, Sepehr 3400 FLV• Firewall with ALL Firewalling Features• Logging the Header of the Packets and Connections

• Log Packet• Log Connection• Log NAT

• Logging the Body of the Packets and Connections– Log Content

• Statistical Log Analyzer (SLAT 2)• Client Based Log Analyzer (CBLR)• Events Visualizer (Caser)• Authentication• RAMA

17

Working Modes

• Bridge

• Router

• Compound Mode

18

Traffic Shaping

• Per Firewall Network Interface• Frames per second limitation on input/output frames per port• Bits per second limitation on input/output bits per port.

• By Protocol Type• By Source/Destination MAC address• By Source/Destination IP address• By Source/Destination Port Number• Per TCP connection bandwidth limitation

19

Packet Filtering

• Packet filtering based on input/output directions.

• Packet filtering based on input/output interfaces.

20

Packet Filtering (continued)

• Mac Protocol filtering by type (ARP, Reverse ARP, IP, IPX, …, and RAW frames)

• Internet Protocol filtering by type (ICMP, IGMP, TCP, …,

and RAW packets) and Source/Destination address

• TCP/UDP filtering by Source/Destination port

• ICMP filtering by type and code

21

Checksum

• Full IP Datagram filtering with Automatic IP Checksum Control ( Layer 2 )

• Checksum Checking (inbound) on TCP, UDP or ICMP Packets ( Layer 3 )– Accept if correct

– Drop if incorrect

– Accept if incorrect

• Checksum Calculating (outbound) on TCP, UDP or ICMP Packets ( Layer 3 )

22

Tight TCP State-full Inspection

• TCP Checksum Checking• TCP Sequence Number Checking and Tracing in

Stream• Syn/Ack/Fin State Transition Control and Violation

Avoidance• Out of sequence TCP packet alignment.

23

Application Layer Filtering

• Application layer protocol monitoring and violation control.

- HTTP

- SMTP

- FTP

- TELNET

24

HTTP URL Filtering

• URL filtering with user defined URL database to filter:- Domains- Sub-domains- Directories

• White list URL databases• Regular expression databases

25

SMTP Filtering

• SMTP filtering with respect expressions of

- username

- domain-name

- username@domain-name

sender/receiver databases.

26

FTP Filtering

• Downloading files

• Uploading files

27

VPN

• IPSec , IKE• Gateway to Gateway

– Sepehr to Sepehr– Sepehr to Cisco– Sepehr to Windows 2003 Server

• Gateway to workstation– Sepehr to Windows 2000, XP

28

NAT

• Hide Source NAT with replacing – Source IP Address (Single, Subnet, Range, Database)

– Source Port Number (Single, Range, Database)

• Hide Destination NAT with replacing– Destination IP Address (Single, Subnet, Range, Database)

– Destination Port Number (Single, Range, Database)

• Hide Source and Destination Simultaneously– Source/Destination IP Address (Single, Subnet, Range, Database)

– Source/Destination Port Number (Single, Range, Database)

• NATing on Router and Bridge Mode

29

VLAN

• VLAN definition on Ethernet Ports– Bridging between Ethernet ports which have same Cluster ID– Routing between VLANs

• Truncking Support (802.1q)

• Multi Point Installation and configuration

30

Fault Tolerance

• Routing Mode

• Virtual Routing Redundancy Protocol (VRRP)

31

Log Server

• Remote Log Archiving• Directly or Indirectly Connection to Firewall• Specific Protocol• Log Archiving

– Time– Volume

• FIFO for Archived Log Files

32

References

• [1] Sepehr S. T. Co. LTD, Sepehr Firewalls, October 2008.