Enterasys Security Router User's Guide

XSR Firewall Feature Set Functionality
16-18 Configuring Security on the XSR
Figure 16-12 illustrates the process by which a user accesses a server after authentication by the
XSR firewall, as explained below:
1. A user Telnets to the firewall presenting a name and password.
2. The XSR's AAA function queries an authentication server, or consults a local database, to
verify the user's credentials.
3. If authentication is successful, AAA informs the firewall engine of the user’s source IP address
and an authentication entry is created within the firewall engine.
4. Policy rules specified for the firewall allow the user access to a server after consultation with
the firewall engine’s authentication cache.
Authentication failures are recorded in logs or traps, and authentication entries time out after a
period of inactivity. If authentication fails, all packets from that source IP which match policy
rules with allow-auth are dropped.
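The four-step flow above, modelled as an added example (this is a constructed simulation written for this guide page, not Enterasys code; the class names, the `allow-auth` rule action string and the 300-second idle timeout are assumptions). It shows the authentication cache keyed by source IP, the allow-auth rule consulting that cache, failures being logged, and an entry expiring after inactivity.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class LocalAAA:
    """Local credential store (constructed sample data, not a real XSR database)."""
    users: dict                     # username -> password

    def authenticate(self, user, password):
        expected = self.users.get(user)
        # constant-time comparison so a wrong name and a wrong password cost the same
        return expected is not None and secrets.compare_digest(expected, password)


@dataclass
class Rule:
    src_prefix: str                 # simple string prefix, e.g. "10.1.0." (assumed format)
    dst_ip: str
    dst_port: int
    action: str                     # "allow", "allow-auth" or "deny"


@dataclass
class FirewallEngine:
    rules: list
    idle_timeout: float = 300.0     # seconds of inactivity before an auth entry expires (assumed)
    auth_cache: dict = field(default_factory=dict)   # src_ip -> time of last activity
    log: list = field(default_factory=list)          # stands in for syslog/trap output

    def login(self, aaa, src_ip, user, password, now):
        """Steps 1-3: the user presents credentials; AAA verifies them and, on
        success, tells the engine which source IP is now authenticated."""
        if aaa.authenticate(user, password):
            self.auth_cache[src_ip] = now
            return True
        self.log.append(f"AUTH-FAIL user={user} src={src_ip}")
        return False

    def is_authenticated(self, src_ip, now):
        last = self.auth_cache.get(src_ip)
        if last is None:
            return False
        if now - last > self.idle_timeout:       # entry timed out while inactive
            del self.auth_cache[src_ip]
            return False
        self.auth_cache[src_ip] = now             # activity refreshes the entry
        return True

    def check(self, src_ip, dst_ip, dst_port, now):
        """Step 4: first-match policy lookup; allow-auth consults the cache."""
        for r in self.rules:
            if src_ip.startswith(r.src_prefix) and dst_ip == r.dst_ip and dst_port == r.dst_port:
                if r.action == "allow":
                    return "pass"
                if r.action == "allow-auth":
                    return "pass" if self.is_authenticated(src_ip, now) else "drop"
                return "drop"
        return "drop"                              # nothing matched: implicit deny
```

Note that the cache is keyed on the source address alone: once a host has authenticated, every packet from that address matching an allow-auth rule passes until the entry times out, which is why idle timeouts and the failure log matter operationally.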
Firewall and NAT
On outgoing packets, stateful inspection is done before NAT, because NAT rewrites the source
address of every packet to that of the XSR while policy rules are defined in terms of internal and
external addresses. On incoming packets, NAT is performed before firewall inspection.
Beginning with Release 7.0, the XSR supports IPSec NAT traversal according to
draft-ietf-ipsec-nat-t-ike-02. The XSR sends IKE messages from UDP port 4500 when (1) a NAT is
present between the IKE peers and (2) the peer has implemented draft-ietf-ipsec-nat-t-ike-02.
Therefore, if you want to allow users to build IPSec SAs that traverse the firewall, you must allow
traffic to UDP port 4500 through the firewall. Refer to “XSR with Firewall and VPN” on page 16-27
for a sample configuration.
Firewall and VPN
VPN tunnels are implemented as virtual interfaces that “sit” on physical interfaces. Stateful
inspection is applied before encryption and encapsulation on outgoing packets, and after
decapsulation and decryption on incoming packets.
ACLs and Firewall
Access Control Lists are available as a basic filter on a per interface basis to pass or drop packets
going in or out of a port. In the outbound direction, a packet is subjected to firewall inspection
before filtering by an ACL. Inbound, a packet is filtered by an ACL then the firewall.
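The ordering rule in “Firewall and NAT” above, shown in a constructed model that is not Enterasys code (the `Firewall` and `Packet` classes, the external address 203.0.113.1 and the port-allocation scheme are all assumptions made for this example). It inspects outbound packets before translating them and translates inbound packets before inspecting them, keeps a session table so replies are matched statefully, and includes a deliberately wrong `send_nat_first` path to show why a rule written for the internal network stops matching once NAT has rewritten the source address.

```python
import ipaddress

XSR_PUBLIC_IP = "203.0.113.1"   # constructed: the XSR's external (NAT) address


class Packet:
    def __init__(self, src, sport, dst, dport):
        self.src, self.sport, self.dst, self.dport = src, sport, dst, dport

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


class Firewall:
    """Policy rules are written against internal addresses, so the outbound
    path must inspect before NAT and the inbound path after un-NAT."""

    def __init__(self, rules):
        # rules: (source network, destination network, destination port) allowed outbound
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p) for s, d, p in rules]
        self.sessions = set()      # 4-tuples of sessions opened from the inside
        self.nat = {}              # public source port -> (internal ip, internal port)
        self.next_port = 40000     # assumed starting point for translated source ports

    def inspect_out(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for snet, dnet, port in self.rules:
            if src in snet and dst in dnet and pkt.dport == port:
                self.sessions.add(pkt.key())       # remember state for the reply
                return True
        return False

    def inspect_in(self, pkt):
        # stateful check: a reply must belong to a session opened from the inside
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

    def nat_out(self, pkt):
        pub_port = self.next_port
        self.next_port += 1
        self.nat[pub_port] = (pkt.src, pkt.sport)
        return Packet(XSR_PUBLIC_IP, pub_port, pkt.dst, pkt.dport)

    def nat_in(self, pkt):
        inner = self.nat.get(pkt.dport)
        return None if inner is None else Packet(pkt.src, pkt.sport, inner[0], inner[1])

    def send(self, pkt):
        """Outbound: stateful inspection, then NAT. Returns the packet as it
        leaves the XSR, or None if the policy dropped it."""
        return self.nat_out(pkt) if self.inspect_out(pkt) else None

    def send_nat_first(self, pkt):
        """The wrong order, for contrast: after NAT the source is the XSR's own
        address, so a rule written for the internal network never matches."""
        translated = self.nat_out(pkt)
        return translated if self.inspect_out(translated) else None

    def receive(self, pkt):
        """Inbound: NAT restores the internal destination, then inspection."""
        inner = self.nat_in(pkt)
        return inner if inner is not None and self.inspect_in(inner) else None
```

An unsolicited inbound packet fails at both stages in this model: with no NAT mapping it cannot be translated back, and with no session entry it cannot pass inspection. The same before/after-translation reasoning is what makes the VPN ordering in the next section (inspect before encrypting, inspect after decrypting) necessary, since policy is written for the cleartext addresses.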
Dynamic Reconfiguration
The XSR lets you apply new policies, or remove old ones, without restarting the firewall code.
Dynamic reconfiguration is accomplished by checking the current firewall state against the newly
configured rules. Sessions that do not satisfy these rules are removed, leaving other sessions intact.
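The reconciliation step described under “Dynamic Reconfiguration”, as an added example (a constructed model, not the XSR's implementation; the rule tuple layout, first-match semantics and implicit deny are assumptions). Existing sessions are re-evaluated against the new ordered rule list; those a new rule no longer allows are removed and the rest are left untouched.

```python
import ipaddress


def first_match(rules, session):
    """First-match evaluation of a session (src, dst, dport) against an ordered
    rule list of (source network, destination network, port or None, action)."""
    src, dst = ipaddress.ip_address(session[0]), ipaddress.ip_address(session[1])
    dport = session[2]
    for snet, dnet, port, action in rules:
        if (src in ipaddress.ip_network(snet) and dst in ipaddress.ip_network(dnet)
                and (port is None or port == dport)):
            return action
    return "deny"          # implicit deny when no rule matches


def reconfigure(sessions, new_rules):
    """Apply a new rule set without a restart: every existing session is
    re-checked, those the new rules no longer allow are removed, the rest stay.
    Returns (kept, removed) preserving the original session order."""
    kept = [s for s in sessions if first_match(new_rules, s) == "allow"]
    removed = [s for s in sessions if s not in kept]
    return kept, removed
```

Because evaluation is first-match, inserting a deny rule ahead of a broad allow is enough to tear down only the sessions it covers; reordering rules can therefore change which live sessions survive a reconfiguration, which is worth checking before pushing a policy to a busy router.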
Note: Be aware that if the firewall is enabled on an interface, ACLs should not be used on that
interface so that all checks can be performed in one place.