- Enterasys Security Router User's Guide

ManualsBrandsEnterasys Networks ManualsNetwork RouterSecurity Router X-PeditionTM

401

402

403

404

405

406

407

408

409

410

Pre-configuring the Firewall

XSR User’s Guide 16-23

cache will not automatically switch over. If the firewall is enabled on a slave router, then all

sessions would have to be re-established. You would have to re-authenticate users for access

to authentication-protected servers.

• Load Sharing - If two or more firewall-enabled XSRs are linked, load sharing is not supported.

Each XSR would act as a discrete firewall and monitor sessions that pass through it.

• Secondary IP Address/Firewall - The firewall does not interoperate with interface IP addresses,

so, a secondary interface address has no affect on firewall operations. Configure network

objects for the secondary address just as you would any primary IP address.

• Firewall Authentication over VPN - Firewall authentication is not supported over VPN tunnels.

Pre-configuring the Firewall

We recommend you consider the following suggestions to set up the firewall:

• Establish a security plan by:

– Examining your network topology

– Determining exactly what resources you want to protect

– Deciding where on the network to enable the firewall and plan on writing a Telnet or SSH

policy for remote administration if you are configuring an XSR located in the field

– Making a list of internal addresses

– Forming an inventory of desirable applications the firewall will allow between protected

and external networks

• Look up official port numbers of well-known applications at: http://www.iana.org/

assignments/protocol-numbers

The

show ip firewall session command also lists these numbers.

• Refer to “Firewall Limitations” on page 16-22 before configuration

Steps to Configure the Firewall

Follow the procedure below to configure the firewall:

• Specify the network objects

• Specify network-group, service and service group objects

• Write TCP/UDP policies. The order is important and objects and names are case-sensitive

• Specify filters for other protocols (ICMP, OSPF, ESP, etc.)

• Set miscellaneous parameters such as:

– TCP, UDP or ICMP session timeouts

– Logging event-levels 0-7

– Authentication service for users

– Java and ActiveX filtering

– IP options filtering on the interface such as time-stamps, route recording, and loose or

strict routing through the Internet