Introduction
For individuals, the Internet heralds a different lifestyle, lived in a virtual world. For
corporations, the Internet offers a whole new way of doing business online and new
avenues for making money.
As companies wire up to the Internet, they are in fact establishing physical links
between their private networks and the tens of thousands of unknown networks out
there in cyberspace. This affords a wealth of information, through data-sharing, to
just about anyone with access.
In today’s wired context, networking is more than just about efficient connectivity.
More importantly, it is about making data transmission safe and secure for the
delivery of services over the Internet.
The primary means for most companies for securing their private networks against
unauthorized public access is to set up a firewall.
One challenge of setting up any firewall is to configure the right amount of security
to sufficiently “immunize” the network against external hacking without the
imposition of unacceptable limitations on internal users or undue management
complexity.
Stateful Packet Inspection Firewall
A simpler, yet more rigorous, method of access control is to implement a Stateful
Packet Inspection (SPI) Firewall, which analyzes packets in terms of sessions. The SPI
Firewall examines all incoming data transmissions: if a packet is deemed a legitimate
reply to a previous request from within the network, the SPI Firewall permits its
passage; otherwise, access is denied. Such an approach allows relatively unrestricted
transmission from within the network, and selective but flexible access from the
outside.
The SPI Firewall also uses a monitoring algorithm to track individual connections, and
it can open temporary access through the firewall under appropriate conditions. For
example, packets are allowed to pass only if they are associated with a valid session
initiated from within the network.
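The session-tracking behaviour described above, as an added example (not Compex firmware code): outbound packets from the internal network create session state, inbound packets are accepted only when they mirror a recorded session, and everything else is denied. The LAN range, hosts and packet trace are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed internal LAN for the example.
INTERNAL = ip_network("192.168.1.0/24")


def session_key(pkt):
    # Key from the internal host's point of view; for ICMP the "ports" are
    # just the echo identifier (0 here) so that request and reply pair up.
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


class SPIFirewall:
    def __init__(self):
        self.sessions = set()    # sessions initiated from inside the network

    def process(self, pkt):
        """Return 'ACCEPT' or 'DENY' for one packet and update session state."""
        if ip_address(pkt["src"]) in INTERNAL:
            # Outbound traffic is unrestricted; remember it so replies can return.
            self.sessions.add(session_key(pkt))
            return "ACCEPT"
        # Inbound: mirror the addresses and look for the originating session.
        reply_of = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reply_of not in self.sessions:
            return "DENY"        # unsolicited: not a reply to an inside request
        if pkt["proto"] == "TCP" and pkt.get("flags") in ("FIN", "RST"):
            self.sessions.discard(reply_of)   # peer closed the connection
        return "ACCEPT"


def run_trace(packets):
    fw = SPIFirewall()
    return [fw.process(p) for p in packets]


# Constructed trace: a web request and its reply, an unsolicited inbound SYN,
# a reply aimed at a host that never made a request, then an outbound ping
# with its echo reply, and an inbound ping that nobody asked for.
TRACE = [
    {"proto": "TCP", "src": "192.168.1.10", "sport": 40000, "dst": "203.0.113.5", "dport": 80, "flags": "SYN"},
    {"proto": "TCP", "src": "203.0.113.5", "sport": 80, "dst": "192.168.1.10", "dport": 40000, "flags": "SYN-ACK"},
    {"proto": "TCP", "src": "198.51.100.7", "sport": 5555, "dst": "192.168.1.10", "dport": 23, "flags": "SYN"},
    {"proto": "TCP", "src": "203.0.113.5", "sport": 80, "dst": "192.168.1.11", "dport": 40000, "flags": "SYN-ACK"},
    {"proto": "ICMP", "src": "192.168.1.10", "sport": 0, "dst": "203.0.113.5", "dport": 0, "type": "echo-request"},
    {"proto": "ICMP", "src": "203.0.113.5", "sport": 0, "dst": "192.168.1.10", "dport": 0, "type": "echo-reply"},
    {"proto": "ICMP", "src": "198.51.100.7", "sport": 0, "dst": "192.168.1.10", "dport": 0, "type": "echo-request"},
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(TRACE)):
        print(pkt["proto"], pkt["src"], "->", pkt["dst"], verdict)
```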
Configuration of Compex’s SPI Firewall
All Compex NetPassage routers are built with SPI Firewall capability. In order to
access the Compex Firewall feature, users need to acquire an access key from the
two Compex websites at www.compex.com.sg or www.cpx.com.
Compex SPI Firewall can stop IP Spoofing, Port Scanning, Ping of Death and
SYN Flood attacks.
The Firewall access key can be purchased from the Compex website.
Upon acquiring the Firewall access key, users will need to input the Firewall
parameters before the full Firewall features can be activated. The configuration page
is shown in Figure 1.
By default, the Firewall features have been disabled. To activate the SPI Firewall
capability, please select the Enable radio button.
Compex provides a simple and easy setup of the firewall properties. There are 3
radio buttons which allow users to select the security level that they want to have for
their network. The three levels are namely, Low, Medium, and High level. Each of
these selections provides a different level of security.
Support x-stop
The UDP packets use source ports 334 and 1645.
*Does not allow ICMP packets that are initiated from outside the network.
Compex SPI Firewall allows you to keep a log file on the handling of the data
packets. To set the information that is recorded in the log file, please click on the
check boxes of the data types.
Rule Number   Description
21            Allows ICMP packets into the network.
22            Allows UDP packets generated from
23            Allows TCP packets generated from Port 80 to 83 into the network.
Disposition Policy
The value of this parameter determines whether the data packet is accepted or
denied by the firewall. Users can select between Accept and Deny to determine
how the firewall handles the data packet.
Protocols
Users select the type of data packet that is allowed into the network. Users are
able to choose from
1. TCP
2. UDP
3. ICMP
4. IGMP
5. All
User Datagram Protocol (UDP) is a connectionless protocol that, like TCP, runs on
top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services,
offering instead a direct way to send and receive datagrams over an IP network. It is
used primarily for broadcasting messages over a network.
Note:
If users select either ICMP or IGMP, they are required to make a further selection in
the ICMP Types or IGMP Types list respectively.
ICMP Types
This protocol is actually part of an IP implementation and is used to report errors in
IP datagram routing. ICMP serves as a form of flow control, although ICMP messages
are guaranteed neither to be received nor to be transmitted. It is merely a way to
provide feedback to the sender of IP datagrams.
ICMP Type                Description
Echo request             Determines whether an IP node (a host or a router) is available on the network.
Echo reply               Replies to an ICMP echo request.
Destination unreachable  Informs the host that a datagram cannot be delivered.
Source quench            Informs the host to lower the rate at which it sends datagrams because of congestion.
Redirect                 Informs the host of a preferred route.
Time exceeded            Indicates that the Time-to-Live (TTL) of an IP datagram has expired.
Parameter Problem        Informs the host that there is a problem in one of the ICMP parameters.
Timestamp Request        Information that is from the ICMP data packet.
Information Request      Information that is from the ICMP data packet.
Information Reply        Information that is from the ICMP data packet.
IGMP Types
This protocol is actually part of an IP implementation and is used to establish host
memberships in particular multicast groups on a single network. The mechanisms of
the protocol allow a host to inform its local router, using Host Membership Reports.
IGMP Type                Description
Host Membership Report   Information that is from the IGMP data packet.
Host Membership Query    Information that is from the IGMP data packet.
Leave Host Message       Information that is from the IGMP data packet.
Source IP
This parameter determines the set of workstations that generate the data packets.
Users can either set to a single IP address or set as a range of IP addresses.
Destination IP
This parameter determines the set of workstations that receive the data packets.
Users can either set to a single IP address or set as a range of IP addresses.
Source Port
This parameter identifies the application by the port number specified at the
source. Users can either set a single port number or a range of port numbers.
Port numbers are from 0 to 65536. Ports 0 to 1024 are reserved for use by certain
privileged services. For example, the port number for Telnet is 23 and the port
number for HTTP is 80.
Destination Port
This parameter identifies the application by the port number specified at the
destination. Users can either set a single port number or a range of port numbers.
Check Options
This parameter determines the check options. The available selection options
are
Abbreviation   Meaning
SEC            Security
LSRR           Loose Source Route
Timestamp      Timestamp
RR             Record Packet Route
SID            Satnet ID
SSRR           Strict Source Route
RA             Router Alert
Check TTL
This parameter sets the checking rule for TTL. It determines whether the packet's
TTL must be equal to, less than, greater than or not equal to the configured TTL
value. The available selection options are
1. Equal
2. Less than
3. Greater than
4. Not equal
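An added example (not Compex's own code) that evaluates packets against rules built from the fields described above: Disposition Policy, Protocol, single or ranged Source/Destination IP, single or ranged Source/Destination Port, and the four Check TTL comparisons. Rules 21 and 23 are taken from the rule table earlier in the document; rules 20 and 24, the packet values, and the first-match ordering with a default of Deny are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address
import operator

TTL_OPS = {"Equal": operator.eq, "Less than": operator.lt,      # Check TTL options
           "Greater than": operator.gt, "Not equal": operator.ne}


def in_range(value, spec):
    """spec is None (any), a single value, or an inclusive (low, high) range;
    IP address strings are compared as integers, port numbers as they are."""
    if spec is None:
        return True
    conv = lambda x: int(ip_address(x)) if isinstance(x, str) else x
    if isinstance(spec, tuple):
        return conv(spec[0]) <= conv(value) <= conv(spec[1])
    return conv(value) == conv(spec)


@dataclass
class Rule:
    number: int
    disposition: str            # "Accept" or "Deny"
    protocol: str = "All"       # TCP, UDP, ICMP, IGMP or All
    src_ip: object = None       # "a.b.c.d" or ("first", "last")
    dst_ip: object = None
    src_port: object = None     # 80 or (80, 83)
    dst_port: object = None
    ttl_check: object = None    # e.g. ("Less than", 2)

    def matches(self, pkt):
        checks = [self.protocol in ("All", pkt["proto"]),
                  in_range(pkt["src"], self.src_ip), in_range(pkt["dst"], self.dst_ip),
                  in_range(pkt["sport"], self.src_port), in_range(pkt["dport"], self.dst_port)]
        if self.ttl_check:
            op, ttl = self.ttl_check
            checks.append(TTL_OPS[op](pkt["ttl"], ttl))
        return all(checks)


def evaluate(pkt, rules):
    """First matching rule decides (assumed ordering); no match means Deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.disposition, rule.number
    return "Deny", None


RULES = [Rule(20, "Deny", ttl_check=("Less than", 2)),                 # constructed
         Rule(21, "Accept", "ICMP"),                                    # from the rule table
         Rule(23, "Accept", "TCP", src_port=(80, 83)),                  # from the rule table
         Rule(24, "Accept", "UDP", src_ip=("198.51.100.1", "198.51.100.50"), src_port=53)]  # constructed
```

Calling `evaluate(pkt, RULES)` on a packet dict with `proto`, `src`, `dst`, `sport`, `dport` and `ttl` keys returns the disposition and the number of the rule that decided it.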
Careful planning is always advised prior to setting up any firewall, as an
incorrect configuration might result in undesirable behavior of the network. This
document has discussed the configuration of the Compex SPI Firewall.
For users who prefer more stringent checks on the data packets that enter their
networks, multiple rules can be set so that users can have a tightly secured network.
Please visit our web site at www.compex.com.sg or www.cpx.com to find out more
on our products and firmware updates.