
Document: Firewall and SmartDefense Administration Guide Version NGX R65 (PDF)


DOCUMENT INFORMATION

Basic information

Title: Firewall and SmartDefense Administration Guide Version NGX R65
Institution: Check Point Software Technologies Ltd.
Subject: Firewall and SmartDefense Administration
Type: guide
Year of publication: 2007
City: Not specified
Format:
Pages: 420
Size: 4.84 MB


Contents


Firewall and SmartDefense

Administration Guide Version NGX R65

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check

Preface

Who Should Use This Guide 16

Summary of Contents 17

Section 1: Network Access 17

Section 2: Connectivity 18

Section 3: SmartDefense 19

Section 4: Application Intelligence 19

Section 5: Web Security 21

Section 6: Appendices 21

Related Documentation 22

More Information 25

Feedback 26

Network Access

Chapter 1 Access Control

The Need for Access Control 30

Solution for Secure Access Control 31

Access Control at the Network Boundary 31

The Rule Base 32

Example Access Control Rule 33

Rule Base Elements 33

Implied Rules 34

Preventing IP Spoofing 35

Multicast Access Control 37

Cooperative Enforcement 40

End Point Quarantine (EPQ) - Intel(r) AMT 42

Special Considerations for Access Control 44

Spoofing Protection 44

Simplicity 44

Basic Rules 45

Rule Order 45

Topology Considerations: DMZ 45


Activating EPQ 52

Connection Authentication Data 53

Quarantine Policy Data 54

Encrypting the Password 55

Malicious Activity Script and Alert 55

Logging Activity 57

To Quarantine a Machine Manually 57

Chapter 2 Authentication

The Need for Authentication 60

The VPN-1 Solution for Authentication 61

Introduction to VPN-1 Authentication 61

Authentication Schemes 62

Authentication Methods 64

Configuring Authentication 73

Creating Users and Groups 73

Configuring User Authentication 75

Configuring Session Authentication 76

Configuring Client Authentication 81

Configuring Authentication Tracking 87

Configuring a VPN-1 Gateway to use RADIUS 87

Granting User Access Using RADIUS Server Groups 90

Associating a RADIUS Server with a VPN-1 Gateway 92

Configuring a VPN-1 Gateway to use SecurID 93

Configuring a VPN-1 Gateway to use TACACS+ 95

Configuring Policy for Groups of Windows Users 96

Connectivity

Chapter 3 Network Address Translation (NAT)

The Need to Conceal IP Addresses 100

Check Point Solution for Network Address Translation 101

Public and Private IP addresses 101

NAT in VPN-1 102

Static NAT 103

Hide NAT 104

Automatic and Manual NAT Rules 105

Automatic Hide NAT for Internal Networks 106

Address Translation Rule Base 107

Bidirectional NAT 108

Understanding Automatically Generated Rules 109


Disabling NAT in a VPN Tunnel 113

Planning Considerations for NAT 114

Hide Versus Static 114

Automatic Versus Manual Rules 114

Choosing the Hide Address in Hide NAT 115

Configuring NAT 116

General Steps for Configuring NAT 116

Basic Configuration (Network Node with Hide NAT) 117

Sample Configuration (Static and Hide NAT) 118

Sample Configuration (Using Manual Rules for Port Translation) 120

Configuring Automatic Hide NAT for Internal Networks 121

Advanced NAT Configuration 122

Allowing Connections Between Translated Objects on Different Gateway Interfaces 122

Enabling Communication for Internal Networks with Overlapping IP Addresses 123

SmartCenter Behind NAT 127

IP Pool NAT 131

Chapter 4 ISP Redundancy

The Need for ISP Link Redundancy 138

Solution for ISP Link Redundancy 139

ISP Redundancy Overview 139

ISP Redundancy Operational Modes 140

Monitoring the ISP Links 141

How ISP Redundancy Works 141

ISP Redundancy Script 143

Manually Changing the Link Status (fw isp_link) 143

ISP Redundancy Deployments 144

ISP Redundancy and VPNs 147

Considerations for ISP Link Redundancy 149

Choosing the Deployment 149

Choosing the Redundancy Mode 149

Configuring ISP Link Redundancy 150

Introduction to ISP Link Redundancy Configuration 150

Registering the Domain and Obtaining IP Addresses 150

DNS Server Configuration for Incoming Connections 151

Dialup Link Setup for Incoming Connections 152

SmartDashboard Configuration 152

Configuring the Default Route for the ISP Redundancy Gateway 154


Server Availability 166

Load Measuring 166

Configuring ConnectControl 167

Chapter 6 Bridge Mode

Introduction to Bridge Mode 170

Limitations in Bridge Mode 171

Managing a Gateway in Bridge Mode 171

Configuring Bridge Mode 172

Bridging Interfaces 172

Configuring Anti-Spoofing 172

Displaying the Bridge Configuration 173

SmartDefense

Chapter 7 SmartDefense

The Need for SmartDefense 178

SmartDefense Solution 180

Introducing SmartDefense 180

Defending Against the Next Generation of Threats 181

Network and Transport Layers 182

Web Attack Protection 182

How SmartDefense Works 183

Online Updates 184

Categorizing SmartDefense Capabilities 184

SmartDefense Profiles 186

Monitor-Only Mode 187

Network Security 188

Japanese Language Support for SmartDefense Protections 188

SmartDefense Single Profile View 189

Denial of Service 190

IP and ICMP 191

TCP 191

Fingerprint Scrambling 192

Successive Events 192

DShield Storm Center 192

Port Scan 193

Dynamic Ports 194

Application Intelligence 195

Mail 195

FTP 195


DNS 196

VoIP 196

SNMP 197

Web Intelligence 198

Web Intelligence Protections 198

Web Intelligence Technologies 199

Web Intelligence and ClusterXL Gateway Clusters 199

Web Content Protections 200

Customizable Error Page 200

Connectivity Versus Security Considerations 201

Web Security Performance Considerations 203

Backward Compatibility Options for HTTP Protocol Inspection 205

Web Intelligence License Enforcement 205

Understanding HTTP Sessions, Connections and URLs 207

Configuring SmartDefense 210

Updating SmartDefense with the Latest Defenses 210

SmartDefense Services 211

Download Updates 211

Advisories 212

Security Best Practices 213

Configuring SmartDefense Profiles 214

Creating Profiles 214

Assign a Profile to the Gateway 214

View Protected Gateways by a Profile 215

SmartDefense StormCenter Module 216

The Need for Cooperation in Intrusion Detection 216

Check Point Solution for Storm Center Integration 217

Planning Considerations 221

Configuring Storm Center Integration 222

Application Intelligence

Chapter 8 Content Inspection

Anti Virus Protection 228

Introduction to Integrated Anti Virus Protection 228

Architecture 229


VPN-1 UTM Edge Anti Virus 242

Web Filtering 243

Introduction to Web Filtering 243

Terminology 244

Architecture 244

Configuring Web Filtering 245

Chapter 9 Securing Voice Over IP (VoIP)

The Need to Secure Voice Over IP 248

Introduction to the Check Point Solution for Secure VoIP 249

Control Signalling and Media Protocols 250

VoIP Handover 251

When to Enforce Handover 252

VoIP Application Intelligence 253

Introduction to VoIP Application Intelligence 253

Restricting Handover Locations Using a VoIP Domain 254

Controlling Signalling and Media Connections 255

Preventing Denial of Service Attacks 255

Protocol-Specific Application Intelligence 256

VoIP Logging 257

Protocol-Specific Security 258

Securing SIP-Based VoIP 259

SIP Architectural Elements in the Security Rule Base 260

Supported SIP RFCs and Standards 261

Secured SIP Topologies and NAT Support 262

Application Intelligence for SIP 264

Configuring SmartDefense Application Intelligence Settings for SIP 265

Synchronizing User Information 267

SIP Services 267

Using SIP on a Non-Default Port 268

ClusterXL and Multicast Support for SIP 268

Securing SIP-Based Instant Messenger Applications 268

Configuring SIP-Based VoIP 269

Troubleshooting SIP 278

Securing H.323-Based VoIP 279

H.323 Architectural Elements in the Security Rule Base 279

Supported H.323 RFCs and Standards 280

Secured H.323 Topologies and NAT Support 280

Application Intelligence for H.323 283

SmartDefense Application Intelligence Settings for H.323 284

H.323 Services 286

Configuring H.323-Based VoIP 287

Securing MGCP-Based VoIP 303

The Need for MGCP 303

MGCP Protocol and Devices 304


Configuring MGCP-Based VoIP 309

Securing SCCP-Based VoIP 311

The SCCP Protocol 311

SCCP Devices 312

SCCP Network Security and Application Intelligence 312

ClusterXL Support for SCCP 313

Configuring SCCP-Based VoIP 313

Chapter 10 Securing Instant Messaging Applications

The Need to Secure Instant Messenger Applications 320

Introduction to Instant Messenger Security 321

Understanding Instant Messenger Security 322

NAT Support for MSN Messenger over SIP 323

NAT Support for MSN Messenger over MSNMS 324

Logging Instant Messenger Applications 324

Configuring SIP-based Instant Messengers 325

Configuring MSN Messenger over MSNMS 327

Configuring Skype, Yahoo and ICQ and Other Instant Messengers 328

Chapter 11 Microsoft Networking Services (CIFS) Security

Securing Microsoft Networking Services (CIFS) 330

Restricting Access to Servers and Shares (CIFS Resource) 331

Chapter 12 FTP Security

Introduction to FTP Content Security 334

FTP Enforcement by the VPN-1 Kernel 334

FTP Enforcement by the FTP Security Server 335

Control Allowed Protocol Commands 335

Maintaining Integrity of Other Protected Services 335

Avoiding Vulnerabilities in FTP Applications 335

Content Security via the FTP Resource 336

Configuring Restricted Access to Specific Directories 337

Chapter 13 Content Security

The Need for Content Security 340

Check Point Solution for Content Security 341

Introduction to Content Security 341

Security Servers 342


Configuring URL Filtering with a UFP Server 356

Performing CVP or UFP Inspection on any TCP Service 360

Advanced CVP Configuration: CVP Chaining and Load Sharing 361

Introduction to CVP Chaining and Load Sharing 361

CVP Chaining 361

CVP Load Sharing 363

Combining CVP Chaining and Load Sharing 364

Configuring CVP Chaining and Load Sharing 364

Chapter 14 Services with Application Intelligence

Introduction to Services with Application Intelligence 368

DCE-RPC 368

SSLv3 Service 369

SSHv2 Service 369

FTP_BASIC Protocol Type 369

Domain_UDP Service 370

Point-to-Point Tunneling Protocol (PPTP) 371

Configuring for PPTP 371

Blocking Visitor Mode (TCPT) 373

Introduction to TCPT 373

Why Block Visitor Mode and Outgoing TCPT? 373

How VPN-1 Identifies TCPT 373

When to Block Outgoing TCPT 373

Configuration of Visitor Mode Blocking 374

Web Security

Chapter 15 Web Content Protection

Introduction to Web Content Protection 378

Web Content Security via the Security Rule Base 379

What is a URI Resource? 379

Filtering URLs, Schemes and Methods by Source and Destination 379

Basic URL Filtering 380

URL Logging 380

Java and ActiveX Security 381

Securing XML Web Services (SOAP) 382

Understanding HTTP Sessions, Connections and URLs 383

HTTP Request Example 383

HTTP Response Example 384

HTTP Connections 384

Understanding URLs 385


Factors Affecting HTTP Security Server Performance 388

The Number of Simultaneous Security Server Connections 388

How To Run Multiple Instances of the HTTP Security Server 389

Configuring Web Content Protection 390

Blocking URL-based Attacks Using a URI Resource 390

Configuring URL Logging 391

Configuring Basic URL Filtering 392

Appendices

Appendix A Security Before VPN-1 Activation

Achieving Security Before VPN-1 Activation 396

Boot Security 396

Control of IP Forwarding on Boot 396

The Default Filter 397

The Initial Policy 399

Default Filter and Initial Policy Configuration 402

Verifying Default Filter or Initial Policy Loading 402

Change the Default Filter to a Drop Filter 403

User-Defined Default Filter 403

Using the Default Filter for Maintenance 404

To Unload a Default Filter or an Initial Policy 404

If You Cannot Complete Reboot After Installation 404

Command Line Reference for Default Filter and Initial Policy 405

Appendix B Command Line Interface

Index 417

Preface

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of the following:

System administration

The underlying operating system

Internet protocols (for example, IP, TCP and UDP)


Summary of Contents

This guide describes the firewall and SmartDefense components of VPN-1. It contains the following sections and chapters:

Section 1: Network Access

This section describes how to secure the networks behind the VPN-1 gateway by allowing only permitted users and resources to access protected networks.

Chapter 1, “Access Control”: Describes how to set up a security policy to fit organizational requirements.

Chapter 2, “Authentication”: Describes the VPN-1 authentication schemes (for username and password management) and authentication methods (how users authenticate).

Section 2: Connectivity

Chapter 4, “ISP Redundancy”: Describes the ISP Redundancy feature, which assures reliable Internet connectivity by allowing a single or clustered VPN-1 gateway to connect to the Internet via redundant Internet Service Provider (ISP) links.

Chapter 5, “ConnectControl - Server Load Balancing”: Describes the ConnectControl server load balancing solution, which distributes network traffic among a number of servers and thereby reduces the load on a single machine, improves network response time and ensures high availability.

Section 3: SmartDefense

This section provides an overview of SmartDefense. This VPN-1 component enables customers to configure, enforce and update network and application attack defenses. The DShield StormCenter is also described in detail in this section. For additional information about specific protections, refer to the SmartDefense HTML pages and the online help.

Chapter 7, “SmartDefense”: Describes the SmartDefense component, which actively defends your network, even when the protection is not explicitly defined in the Security Rule Base. SmartDefense unobtrusively analyzes activity across your network, tracking potentially threatening events and optionally sending notifications. It protects your organization from all known (and most unknown) network attacks using intelligent security technology.

Section 4: Application Intelligence

This section describes Check Point Application Intelligence features, which are a set of advanced capabilities integrated into VPN-1 and SmartDefense to detect and prevent application-level attacks. The chapters in this section describe how to protect against application-level attacks for each application protocol, and how to work with anti-virus (CVP) and URL filtering (UFP) applications.

Chapter 9, “Securing Voice

Chapter 12, “FTP Security”: Describes how to provide FTP content security and configure restricted access to specific directories.

Chapter 13, “Content Security”: Describes how to integrate with third party OPSEC-certified antivirus applications and URL filtering applications.

Chapter 14, “Services with Application Intelligence”: Describes how to configure protection for some of the predefined TCP services that perform content inspection.

Section 5: Web Security

This section describes the VPN-1 Web Intelligence feature, which provides high performance attack protection for Web servers and applications, and VPN-1 Web Content capabilities.

Section 6: Appendices

This section describes how a VPN-1 gateway protects itself and its networks during activation and provides a summary of VPN-1 command line interface commands.

Appendix B, “Command Line Interface”: Describes command line interface commands that relate to VPN-1 firewall components.

Related Documentation

This release of VPN-1 includes the following related documentation:

Table P-1 VPN-1 Power documentation suite documentation

Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.

Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.

Virtual Private Networks Administration Guide: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.

Eventia Reporter Administration Guide: Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.

Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

Table P-2 Integrity Server documentation

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

cp_techpub_feedback@checkpoint.com

Section 1: Network Access

This section describes how to secure the networks behind the VPN-1 gateway by allowing only permitted users and resources to access protected networks.

Chapter 1

Access Control

In This Chapter

Access Control at the Network Boundary page 31
End Point Quarantine (EPQ) - Intel(r) AMT page 42
Special Considerations for Access Control page 44


The Need for Access Control

Network administrators need the means to securely control access to resources such as networks, hosts, network services and protocols. Determining what resources can be accessed, and how, is the responsibility of authorization, or Access Control. Determining who can access these resources is the responsibility of User Authentication (for additional information, refer to Chapter 2, “Authentication”).


Solution for Secure Access Control


Access Control at the Network Boundary

A VPN-1 gateway at the network boundary inspects and provides access control for all gateway traffic. Traffic that does not pass through the gateway is not controlled.

Figure 1-1 VPN-1 Gateway Traffic Inspection at the Network Boundary

A security administrator is responsible for implementing company security policy.


SmartDashboard is a SmartConsole client application that administrators use to define and apply security policies to gateways. Granular security policy control is possible by applying specific rules to specific gateways.

VPN-1 provides secure access control because of its granular understanding of all underlying services and applications traveling on the network. Stateful Inspection technology provides full application level awareness and comprehensive access control for more than 150 predefined applications, services and protocols, as well as the ability to specify and define custom services.

Stateful Inspection extracts state-related information required for security decisions from all application levels and maintains this information in dynamic state tables that are used to evaluate subsequent connection attempts. For additional technical information on Stateful Inspection, refer to the Check Point Technical Note at:

http://www.checkpoint.com/products/downloads/firewall-1_statefulinspection.pdf

The Rule Base

A security policy is implemented by means of an ordered set of rules in the security Rule Base. A well defined security policy is essential to an effective security solution.

The fundamental principle of the Rule Base is that all actions that are not explicitly permitted are prohibited. The Rule Base is a collection of rules that determine which communication traffic is permitted and which is blocked. Rule parameters include the source and destination of the communication, the services and protocols that can be used and at what times, and tracking options. Reviewing SmartView Tracker traffic logs and alerts is a crucial aspect of security management.

VPN-1 inspects packets in a sequential manner. Once VPN-1 receives a packet from a connection, it inspects it according to the first rule in the Rule Base, and then the second and so on. Once VPN-1 finds an applicable rule, it stops inspecting and applies that rule to the packet. If no applicable rule is found in the Rule Base, the packet is blocked. It is important to understand that the first matching rule applies to the packet, not necessarily the rule that best applies.


Example Access Control Rule

Figure 1-2 displays a typical access control rule. It states that HTTP connections that originate from any of the Alaska_LAN group hosts, and directed to any destination, will be accepted and logged.

Figure 1-2 Example Access Control Rule

Rule Base Elements

A rule is made up of the following Rule Base elements (not all fields are relevant in

Table 1-1 Rule Base Elements

Source/Destination: You can negate source and destination parameters, which means that a given rule applies to all connection sources/destinations except the specified location. You may, for example, find it more convenient to specify that a rule applies to any source that is not in a given network. To negate a connection source or destination, right click on the appropriate rule cell and select Negate Cell from the options menu.

VPN: Allows you to configure whether the rule applies to any connection (encrypted or clear) or only to VPN connections. To limit a rule to VPN connections, double-click on the rule and select one of the two VPN options.

Service: Allows you to apply a rule to specific predefined protocols or services or applications. You can define new, custom services.

Action: Determines whether a packet is accepted, rejected, or dropped. If a connection is rejected, VPN-1 sends an RST packet to the originator of the connection and the connection is closed. If a packet is dropped, no response is sent and the connection eventually times out. (For information on actions that relate to authentication, refer to Chapter 2, “Authentication”.)

Track: Provides various logging options (for additional information, refer to the SmartCenter Administration Guide).

Install-On: Specifies the VPN-1 gateways on which the rule is installed. There may be no need to enforce certain rules on every VPN-1 gateway. For example, a rule may allow certain network services to cross only one particular gateway. In this case, the specific rule need not be installed on other gateways. (For additional information, refer to the SmartCenter Administration Guide.)

Time: Specifies the days and the time of day to enforce this rule.

Implied Rules

Apart from those rules defined by an administrator, VPN-1 also creates implied rules, which are derived from the Policy > Global Properties definitions. Implied rules enable certain connections to occur to and from the gateway using a variety of different services. Examples of implied rules include rules that enable VPN-1 control connections and outgoing packets originating from the VPN-1 gateway.

VPN-1 implied rules are placed first, last, or before last in the Rule Base and can be logged. Implied rules are processed in the following order:

1. First: This rule cannot be modified or overwritten in the Rule Base because the first rule that matches is always applied to the packet and no rules can be placed before it.

2. Explicit: These are the administrator-defined rules, which may be located between the first and the before last rules.

3. Before Last: These are more specific rules that are enforced before the last rule is applied.

4. Rule n: The last defined rule.

5. Last: A rule that is enforced after the last rule in the Rule Base, which normally rejects all packets and has no effect.

6. Implicit Drop Rule: No logging occurs.
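The first-match evaluation described under “The Rule Base”, together with the First, Explicit, Before Last, Last and implicit-drop ordering described under “Implied Rules”, modelled as an added example (not code from the guide or from Check Point). The network objects, addresses and the FW1_mgmt service name are constructed sample data.

```python
"""First-match evaluation of a Check Point-style Rule Base with implied rules.

Added example, not code from the guide or from Check Point. It models the
ordering the guide describes: rules in the First position run before the
administrator's explicit rules, Before Last rules run after them, Last rules
run after the final explicit rule, and a packet that matches nothing falls
through to the implicit drop rule, which is never logged. Network objects,
addresses and the "FW1_mgmt" service name are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"
# Processing order of the rule classes listed under "Implied Rules".
POSITION_ORDER = {"first": 0, "explicit": 1, "before_last": 2, "last": 3}

# Constructed network objects standing in for SmartDashboard objects.
OBJECTS = {
    "Alaska_LAN": ip_network("10.1.0.0/16"),
    "Alaska_RND_LAN": ip_network("10.2.0.0/16"),
    "Alaska_GW": ip_network("203.0.113.1/32"),
}


@dataclass
class Rule:
    name: str
    source: tuple        # object names, or (ANY,)
    destination: tuple
    service: tuple       # service names, or (ANY,)
    action: str          # "accept", "drop" or "reject"
    track: str = "none"  # "log" or "none"
    position: str = "explicit"


def _addr_matches(names, addr):
    return ANY in names or any(ip_address(addr) in OBJECTS[n] for n in names)


def ordered(rules):
    # sorted() is stable, so administrator order is kept within each class.
    return sorted(rules, key=lambda r: POSITION_ORDER[r.position])


def evaluate(rules, src, dst, service):
    """Return (rule name, action, logged?) for the FIRST matching rule.

    Later rules are never consulted, even when one of them is more specific.
    With no match at all the implicit drop rule applies and nothing is logged.
    """
    for rule in ordered(rules):
        if (_addr_matches(rule.source, src)
                and _addr_matches(rule.destination, dst)
                and (ANY in rule.service or service in rule.service)):
            return rule.name, rule.action, rule.track == "log"
    return "implicit_drop", "drop", False


# Implied rule in the First position: VPN-1 control connections to the gateway.
IMPLIED_CONTROL = Rule("implied_control", (ANY,), ("Alaska_GW",),
                       ("FW1_mgmt",), "accept", "none", "first")
# Implied rule in the Last position: rejects whatever still reaches it.
IMPLIED_LAST = Rule("implied_last", (ANY,), (ANY,), (ANY,), "reject",
                    "none", "last")

# Administrator-defined rules, in Rule Base order.
EXPLICIT = [
    # Rule 1 tries to drop every connection addressed to the gateway itself.
    Rule("stealth", (ANY,), ("Alaska_GW",), (ANY,), "drop", "log"),
    # Rule 2 is the rule of Figure 1-2: Alaska_LAN, any destination, HTTP.
    Rule("alaska_http", ("Alaska_LAN",), (ANY,), ("http",), "accept", "log"),
    # Rule 3 is more specific than rule 2 but sits after it, so it never
    # fires for HTTP from Alaska_LAN.
    Rule("block_rnd_http", ("Alaska_LAN",), ("Alaska_RND_LAN",), ("http",),
         "drop", "log"),
]
# Rule n: an explicit cleanup rule, so the Last implied rule "has no effect".
CLEANUP = Rule("cleanup", (ANY,), (ANY,), (ANY,), "drop", "log")

RULEBASE = [IMPLIED_CONTROL, *EXPLICIT, CLEANUP, IMPLIED_LAST]
# Without a cleanup or Last rule, unmatched traffic hits the implicit drop.
RULEBASE_NO_CLEANUP = [IMPLIED_CONTROL, *EXPLICIT]

if __name__ == "__main__":
    # The First-position implied rule wins over the stealth rule placed first.
    print(evaluate(RULEBASE, "198.51.100.7", "203.0.113.1", "FW1_mgmt"))
    # First match, not best match: rule 2 accepts, rule 3 never runs.
    print(evaluate(RULEBASE, "10.1.1.5", "10.2.0.10", "http"))
    print(evaluate(RULEBASE, "198.51.100.7", "10.1.1.5", "ssh"))
    print(evaluate(RULEBASE_NO_CLEANUP, "198.51.100.7", "10.1.1.5", "ssh"))
```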


Preventing IP Spoofing

IP spoofing occurs when an intruder attempts to gain unauthorized access by changing a packet's IP address to appear as though it originated from a network node with higher access privileges.

Note - It is important to ensure that all communication originates from its apparent source.

Anti-spoofing protection verifies that packets originate from and are destined to the correct interfaces on the gateway. It confirms which packets actually come from the specified internal network interface. It also verifies that once a packet is routed, it goes through the proper interface.

A packet coming from an external interface, even if it has a spoofed internal IP address, is blocked because the VPN-1 anti-spoofing feature detects that the packet arrived from the wrong interface. Figure 1-3 illustrates the anti-spoofing process.

Figure 1-3 Anti-Spoofing Process

On Alaska_GW, VPN-1 ensures that:

All incoming packets to interface IF1 come from the Internet.

On Alaska_RND_GW, VPN-1 ensures that:

All incoming packets to interface IF3 come from Alaska_LAN, Florida_LAN or the Internet.

All incoming packets to interface IF4 come from Alaska_RND_LAN.

When configuring anti-spoofing, you need to specify in the interface topology definitions whether the interfaces lead to the Internet (defined as External) or an internal network (defined as Internal). Figure 1-3 illustrates whether the gateway interfaces are internal or external in the interface topology definitions.

Excluding Specific Internal Addresses from Anti-Spoofing Protection

In some cases, it may be necessary to allow packets with source addresses that belong to an internal network to enter the gateway through an external interface. This may be useful if an external application assigns internal IP addresses to external clients. In this case, you can specify that anti-spoofing checks are not made on packets from specified internal networks. For example, in Figure 1-3, it is possible to specify that packets with source addresses in Alaska_RND_LAN are allowed to enter interface IF1.

What Are Legal Addresses?

Legal addresses are those addresses that are permitted to enter a VPN-1 gateway interface. Legal addresses are determined by the network topology. When configuring VPN-1 anti-spoofing protection, the administrator specifies the legal IP addresses behind the interface. The Get Interfaces with Topology option automatically defines the interface and its topology and creates network objects. VPN-1 obtains this information by reading routing table entries.
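The anti-spoofing decision for the interfaces of Figure 1-3, as an added example that is not code from the guide or from Check Point. IF1, IF3 and IF4 are the interfaces the guide names; interface IF2 on Alaska_GW, the network prefixes and the test addresses are assumptions.

```python
"""Anti-spoofing decision for the topology of Figure 1-3.

Added example, not code from the guide or from Check Point. An interface is
marked External (leads to the Internet) or Internal, and an Internal
interface lists the legal networks behind it, as in the guide's interface
topology definitions. A packet passes the check only if its source address
is legal for the interface it arrived on. The exclusions field models
"Excluding Specific Internal Addresses from Anti-Spoofing Protection".
Addresses, and interface IF2 on Alaska_GW, are constructed assumptions; the
guide names only IF1, IF3 and IF4.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NETWORKS = {
    "Alaska_LAN": ip_network("10.1.0.0/16"),
    "Alaska_RND_LAN": ip_network("10.2.0.0/16"),
    "Florida_LAN": ip_network("10.3.0.0/16"),
}


@dataclass
class Interface:
    name: str
    external: bool = False   # True: leads to the Internet
    behind: tuple = ()       # legal networks behind an Internal interface
    exclusions: tuple = ()   # internal networks allowed in here regardless


def _in_any(addr, names):
    return any(addr in NETWORKS[n] for n in names)


def legal_source(gateway, iface_name, src):
    """Return True if src may legitimately arrive on iface_name.

    gateway maps interface names to Interface objects. An Internal interface
    accepts only addresses from the networks behind it. An External
    interface accepts any address except one belonging to a network behind
    this gateway's Internal interfaces, since such a packet carries a spoofed
    internal address, unless that network is explicitly excluded.
    """
    iface = gateway[iface_name]
    addr = ip_address(src)
    if _in_any(addr, iface.exclusions):
        return True
    if iface.external:
        internal = [n for i in gateway.values() if not i.external for n in i.behind]
        return not _in_any(addr, internal)
    return _in_any(addr, iface.behind)


def anti_spoof(gateway, iface_name, src):
    """Verdict string in the spirit of a SmartView Tracker entry."""
    return "accept" if legal_source(gateway, iface_name, src) else "drop (spoofed)"


def figure_1_3():
    """Both gateways of Figure 1-3, built from the guide's IF1/IF3/IF4 text."""
    alaska_gw = {
        "IF1": Interface("IF1", external=True),
        # Assumed: the interface towards the internal networks (not named on the page).
        "IF2": Interface("IF2", behind=("Alaska_LAN", "Alaska_RND_LAN")),
    }
    alaska_rnd_gw = {
        # IF3: Alaska_LAN, Florida_LAN or the Internet, i.e. anything that is
        # not Alaska_RND_LAN, so it is External from this gateway's view.
        "IF3": Interface("IF3", external=True),
        "IF4": Interface("IF4", behind=("Alaska_RND_LAN",)),
    }
    return alaska_gw, alaska_rnd_gw


def figure_1_3_with_exclusion():
    """Same topology, but Alaska_RND_LAN sources may enter IF1 (guide's example)."""
    alaska_gw, alaska_rnd_gw = figure_1_3()
    alaska_gw["IF1"] = Interface("IF1", external=True, exclusions=("Alaska_RND_LAN",))
    return alaska_gw, alaska_rnd_gw


if __name__ == "__main__":
    gw, rnd = figure_1_3()
    print("IF1 from Internet:", anti_spoof(gw, "IF1", "198.51.100.7"))
    print("IF1 spoofed Alaska_LAN:", anti_spoof(gw, "IF1", "10.1.1.5"))
    print("IF3 from Alaska_RND_LAN:", anti_spoof(rnd, "IF3", "10.2.0.5"))
    print("IF4 from Alaska_RND_LAN:", anti_spoof(rnd, "IF4", "10.2.0.5"))
```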


Multicast Access Control


Introduction to Multicast IP

Multicast IP transmits a single message to a predefined group of recipients. An example of this is distributing real-time audio and video to a set of hosts that have joined a distributed conference.

Multicast is similar to radio and TV, where only those people who have tuned their tuners to a selected frequency receive the information. With multicast you hear the channel you are interested in, but not the others.

IP multicasting applications send one copy of each datagram (IP packet) and address it to a group of computers that want to receive it. This technique sends datagrams to a group of recipients (at the multicast address) rather than to a single recipient (at a unicast address). The routers in the network forward the datagrams to only those routers and hosts that want to receive them.

The Internet Engineering Task Force (IETF) has developed multicast communication standards that define:

Multicast routing protocols

Dynamic registration

IP multicast group addressing

Multicast Routing Protocols

Multicast routing protocols communicate information between multicast groups


Dynamic Registration Using IGMP

Hosts use the Internet Group Management Protocol (IGMP) to let the nearest multicast router know if they want to belong to a particular multicast group. Hosts can leave or join the group at any time. IGMP is defined in RFC 1112.

IP Multicast Group Addressing

The IP address area has four sections: Class A, Class B, Class C, and Class D. Class A, B, and C addresses are used for unicast traffic. Class D addresses are reserved for multicast traffic and are allocated dynamically.

The multicast address range 224.0.0.0 through 239.255.255.255 is used only for the group address or destination address of IP multicast traffic. Every IP datagram whose destination address starts with 1110 is an IP multicast datagram (Figure 1-4).

Figure 1-4 Multicast Address Range

Just as a radio is tuned to receive a program that is transmitted at a certain frequency, a host interface can be tuned to receive datagrams sent to a specific multicast group. This process is called joining a multicast group.

The remaining 28 bits of the multicast address range identify the multicast group to which the datagram is sent. Membership in a multicast group is dynamic (hosts can join and leave multicast groups). The source address for multicast datagrams is always the unicast source address.

Reserved Local Addresses

Multicast group addresses in the 224.0.0.0 through 224.0.0.255 range are assigned by the Internet Assigned Numbers Authority (IANA) for applications that are never forwarded by a router (they remain local on a particular LAN segment)


These addresses are called permanent host groups Table 1-2 provides examples of reserved Local Network Multicast Groups.

For additional information on reserved multicast addresses, refer to:

http://www.iana.org/assignments/multicast-addresses

Per-Interface Multicast Restrictions

A multicast enabled router forwards multicast datagrams from one interface to another. When you enable multicast on a VPN-1 gateway running on SecurePlatform, you can define multicast access restrictions on each interface (refer to Figure 1-5). These restrictions specify which multicast groups (addresses or address ranges) to allow or to block. Enforcement is performed on outbound multicast datagrams.

When access is denied to a multicast group on an interface for outbound IGMP packets, inbound packets are also denied

Table 1-2 Local Network Multicast Groups Examples

Multicast Address   Purpose

224.0.0.1           All hosts. An ICMP Request (ping) sent to this group should be answered by all multicast capable hosts on the network. Every multicast capable host must join this group at start up on all of its multicast capable interfaces.

224.0.0.2           All routers. All multicast routers must join this group on all of their multicast capable interfaces.

224.0.0.4           All DVMRP routers

224.0.0.5           All OSPF routers

224.0.0.13          All PIM routers


Figure 1-5 Gateway with Per Interface Multicast Restrictions

When access restrictions for multicast datagrams are not defined, inbound multicast datagrams entering a gateway from one interface are allowed out of all other interfaces.

In addition to defining per interface access restrictions, you must define a rule in the Rule Base that allows multicast traffic and services, and the destination defined in this rule must allow the required multicast groups

For additional information, refer to “Configuring Multicast Access Control” on page 50
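The multicast address classification and the per-interface restrictions described in this section, as an added example that is not code from the guide or from Check Point. The interface names eth0 to eth2 and the 239.x group addresses are constructed; only the 1110 prefix, the 224.0.0.0/24 local network range and the allow/block semantics come from the text. The Rule Base rule that the guide also requires for multicast traffic is not modelled here.

```python
"""Per-interface multicast restrictions as described in "Multicast Access Control".

Added example, not code from the guide or from Check Point. It classifies a
destination as multicast by its leading 1110 bits, treats the 224.0.0.0/24
reserved local groups as never forwarded, and applies each outbound
interface's allow or block list to decide where a datagram that entered on
one interface may go out. Interface names and the 239.x group addresses are
constructed sample data.
"""
from ipaddress import ip_address, ip_network

# Permanent host groups assigned by IANA; they stay on their LAN segment.
LOCAL_NETWORK_GROUPS = ip_network("224.0.0.0/24")


def is_multicast(addr):
    """Every datagram whose destination starts with the bits 1110 is multicast."""
    first_octet = int(ip_address(addr)) >> 24
    return first_octet >> 4 == 0b1110


def multicast_group_id(addr):
    """The remaining 28 bits identify the multicast group."""
    return int(ip_address(addr)) & 0x0FFFFFFF


class Interface:
    """restriction is None (no restrictions), or ("allow", ranges) / ("block", ranges)."""

    def __init__(self, name, restriction=None):
        self.name = name
        self.restriction = restriction

    def permits(self, group):
        # No restriction defined on this interface: everything may go out.
        if self.restriction is None:
            return True
        mode, ranges = self.restriction
        listed = any(ip_address(group) in ip_network(r) for r in ranges)
        return listed if mode == "allow" else not listed


def outbound_interfaces(gateway, in_iface, dst):
    """Names of the interfaces a multicast datagram arriving on in_iface may leave by.

    Enforcement is on outbound datagrams, so each candidate interface other
    than the one the datagram arrived on is checked against its own list.
    """
    if not is_multicast(dst):
        raise ValueError(f"{dst} is not a multicast destination")
    if ip_address(dst) in LOCAL_NETWORK_GROUPS:
        return []  # reserved local groups are never forwarded by a router
    return [i.name for i in gateway if i.name != in_iface and i.permits(dst)]


def igmp_join_allowed(gateway, iface_name, group):
    """A group denied outbound on an interface is also denied for inbound IGMP there."""
    iface = next(i for i in gateway if i.name == iface_name)
    return iface.permits(group)


def sample_gateway():
    """Constructed three-interface gateway: one unrestricted, one allow list, one block list."""
    return [
        Interface("eth0"),
        Interface("eth1", ("allow", ("239.1.0.0/16",))),
        Interface("eth2", ("block", ("239.1.0.0/16",))),
    ]


if __name__ == "__main__":
    gw = sample_gateway()
    print(outbound_interfaces(gw, "eth0", "239.1.2.3"))   # only eth1 allows it
    print(outbound_interfaces(gw, "eth0", "239.9.9.9"))   # only eth2 allows it
    print(outbound_interfaces(gw, "eth0", "224.0.0.5"))   # local group, not forwarded
```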

Posted: 22/12/2013, 14:16
