Configuring BaySecure FireWall-1
BayRS Version 13.00
Site Manager Software Version 7.00
Part No.

4401 Great America Parkway, Santa Clara, CA 95054
8 Federal Street, Billerica, MA 01821

Copyright © 1998 Bay Networks, Inc. All rights reserved. Printed in the USA. October 1998.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty.
Contents

Preface
  Before You Begin .......................................... ix
  Text Conventions .......................................... x
  Acronyms .................................................. xi
  Bay Networks Technical Publications ......................

  Customizing the FireWall-1 Installation ................... 2-18
  Installing a License on the Management Station ............ 2-19
  Starting and Stopping the FireWall-1 Daemons .............. 2-19
  Synchronizing the Management Station and the Router Passwords ... 2-19
  Starting FireWall-1 .......................................

Figures
  Figure 2-1. Choose Destination Location Window ............ 2-6
  Figure 2-2. Selecting Product Type Window ................. 2-7
  Figure 2-3. Licenses Window ............................... 2-8
  Figure 2-4. Administrators Window ......................... 2-9
  Figure 2-5. Add Administrators Window .....................
Preface

This guide describes BaySecure™ FireWall-1, and the steps you need to take to install, configure, and activate a firewall on a Bay Networks® router.

Before You Begin

Before using this guide, you must complete the following procedures.

For a new router:
• Install the router (refer to the installation guide that came with your router).

Text Conventions

This guide uses the following text conventions:

angle brackets (< >)
  Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command.
  Example: If the command syntax is: ping , you enter: ping 192.32.10.12

bold text
  Indicates text that you need to enter and command names and options.
  Example: Enter show ip {alerts | routes}
  Example: Use the dinfo command.

Acronyms

GUI     graphical user interface
IP      Internet Protocol
LAN     local area network
MIB     management information base
OSI     Open Systems Interconnection
TCP/IP  Transmission Control Protocol/Internet Protocol

Bay Networks Technical Publications

You can now print Bay Networks technical manuals and release notes free, directly from the Internet. Go to support.baynetworks.com/library/tpubs/. Find the Bay Networks product for which you need documentation.
How to Get Help

For product assistance, support contracts, or information about educational services, go to the following URL: http://www.baynetworks.
Chapter 1
BaySecure FireWall-1

BaySecure™ FireWall-1 builds firewall security features into Bay Networks router software. It does this by integrating the stateful inspection module from Version 2.1 of the Check Point Software Technologies FireWall-1 software into the Bay Networks router operating system of Bay Networks BN®, ASN™ and ARN™ routers. BaySecure FireWall-1 provides all of the security features from Version 2.

How the Firewall Software Works

The stateful inspection module in the Bay Networks router software inspects all data packets traveling between the data link and network layers and communicates the results to the management station. If the data packets meet the security requirements specified in the security policy, the router forwards the data.
Chapter 2
Installing FireWall-1 Management Software

To install the FireWall-1 software, see the following sections:

Topic                                                        Page
Obtaining Software Licenses                                  2-1
Installing and Running the FireWall-1 Management Software    2-5

Obtaining Software Licenses

Before you can install the FireWall-1 software and create a firewall on the router, you must first obtain a permanent software license from Check Point Software Technologies for:
• The firewall management station
You need one software license for the fire

Obtaining a FireWall-1 License for the Management Station

To obtain a FireWall-1 license for the firewall management station, follow these instructions:

Note: You need one license for each FireWall-1 management station. To obtain a license for each additional management station, you must repeat the steps outlined in this section.

1. Locate your certificate key.
Sample Response from Check Point

Your license request with the following details has been accepted. Below you will find the corresponding license string. We recommend printing this page and saving it in your files for future reference.

    Request Details
    ---------------
    Certificate Key: 5xxx 5xxx fxxx
    Customer Name:   Bay Networks
    Product:         CPFW-ESC-U
    Version:         3.0
    Host ID:         123.123.123.123

    License(s) Issued
    -----------------
    Host ID:         123.123.123.
    Features:
    License String:
Obtaining a FireWall-1 License for the Router

To obtain a FireWall-1 license for a router you plan to protect with a firewall, follow these instructions:

Note: You need one license for each router that you plan to protect with a firewall. To obtain a license for each additional router, you must repeat the steps outlined in this section.

1. Locate your certificate key.
Sample Response from Check Point

The following license was generated: We recommend printing this page and saving it in your files for future reference.

    Request Details
    ---------------
    Certificate Key: 7xxx dxxx 1xxx
    Customer Name:   Bay Networks
    Product:         BABN-IM-U
    Version:         3.0
    Host ID:         012.012.012.012

    License Issued
    --------------
    Host ID:         012.012.012.
    Features:
    License String:
Sample Installation

The following sample installation takes the Check Point FireWall-1 software from a CD and installs it onto a PC running Windows NT. Use this sample installation to familiarize yourself with a basic FireWall-1 installation.

Note: This sample installation shows only those screens necessary for a basic installation.

Installing the Management Software

1. Insert the CD into the CD-ROM drive and run the Setup program, setup.exe.

   The Selecting Product Type window (Figure 2-2) opens.

   Figure 2-2. Selecting Product Type Window

4. Choose the FireWall-1 component you want to install. To be compatible with BaySecure FireWall-1, choose FireWall-1 Enterprise Management Console Product.

5. Click on Next. The Licenses window (Figure 2-3) opens.

   Figure 2-3. Licenses Window

6. Enter the license information you obtained from Check Point.
7. Click on Next. The Administrators window (Figure 2-4) opens.

   Figure 2-4. Administrators Window

   You must specify at least one administrator.

8. Click on Add. The Add Administrator window (Figure 2-5) opens.

   Figure 2-5. Add Administrators Window

9. Enter the administrator’s user name and password, which is limited to eight characters, and a password confirmation, and click on OK. You return to the Administrators window.

10. Click on Next. The GUI Clients window opens. Do not enter any GUI clients at this time.

11. Click on Next. The Remote Modules window appears. Do not enter any remote modules at this time.

12. Click on Next. The Key Hit Session window (Figure 2-6) opens.

   Figure 2-6. Key Hit Session Window

13. Follow the directions in the window and enter random characters, with a delay of a few seconds between them, until the indicator bar is full.
14. Click on Next. The CA Key window opens.

15. Click on Generate to generate a new key. The host uses the RSA key to generate a digital signature for authenticating its communications in its capacity as a Certificate Authority. Generating the key may take several minutes.

16. Click on Finish.

Installing the GUI Client

1. Insert the CD into the CD-ROM drive and run the setup.exe file.

3. Click on Next. The Select Components window (Figure 2-8) opens.

   Figure 2-8. Select Components Window

4. Install the Security Policy, System Status, and Log Viewer components by clicking on each item.

Customizing the FireWall-1 Installation

You can customize your FireWall-1 installation by running the FireWall-1 Configuration file.
Installing on a UNIX Platform

Use the following sections as a guide to installing the FireWall-1 software on a computer running UNIX. For more details, refer to your Check Point FireWall-1 documentation.

Before You Install

Before you attempt to install the Check Point FireWall-1 software, be sure that you have completed these tasks:
• Obtain a FireWall-1 license for each firewall management station and router that you plan to protect with a firewall.

For HPUX

    lab# mount -r /dev/dsk/c1t2d0 /cdrom
    lab# cd /tmp
    lab# tar xvf "/cdrom/HPUX/FW1/FW.HPUX.TAR;1"

(Replace /dev/dsk/c1t2d0 with your specific CD-ROM address.)

Installing the Check Point FireWall-1 Software

Once you have extracted the Check Point FireWall-1 files, you can install the management software. To install the software, change directories so that you’re in the directory where you put the extracted files and then issue the fwinstall command.
    **************** FireWall-1 v3.0 Installation ****************
    Reading fwinstall configuration. Please wait.
    Configuration loaded.
    This might take a while.
    Running FireWall-1 Setup.
    Checking available options. Please wait.....................

    The following evaluation License key is provided with this FireWall-1 distribution
    Eval 15Mar97 3.x pfmx controlx routers connect motif
    Do you want to use this evaluation FW-1 license (y/n) [y]? n
    Do you wish to start FireWall-1 automatically from /etc/rc.local (y/n) [y] ? n

    Welcome to FireWall-1 Configuration Program
    ===========================================
    This program will guide you through several steps where you will
    define your FireWall-1 configuration.

    Configuring Groups...
    =====================
    FireWall-1 access and execution permissions
    -------------------------------------------
    Usually, FireWall-1 is given group permission for access and execution.
    You may now name such a group or instruct the installation procedure
    to give no group permissions to FireWall-1. In the latter case, only
    the Super-User will be able to access and execute FireWall-1.

    Configuration ended successfully
    **************** FireWall-1 is now installed. ****************
    Do you wish to start FW-1 now (y/n) [y] ? n
    ******************************************************************
    * DO NOT FORGET TO:
    1. add the line: setenv FWDIR /etc/fw to .cshrc
       or FWDIR=/etc/fw; export FWDIR to .profile
    2. add /etc/fw/bin to path
    3.
Installing a License on the Management Station

To install a license on the firewall management station, use the following command:

    fw putlic pfmx controlx routers motif embedded

The command takes the host ID of the management station and the license string. The license string is a string of alphanumeric characters that Check Point provides with your FireWall-1 license.

Starting FireWall-1

To start FireWall-1, enter the fwui& command. For example, at the system prompt, enter:

    lab# fwui&

Optionally, you can use the FireWall-1 XMotif GUI. For instructions on how to install and start the XMotif GUI, see your Check Point documentation.
Chapter 3
Configuring a Firewall on a Router

To configure a firewall on the router, see the following topics:

Topic                                                                       Page
Creating a Firewall on the Router                                           3-1
Enabling or Disabling the Firewall on the Router                            3-4
Setting Up Communications Between the Firewall Management Station and the Router   3-4
Enabling the Firewall on Router Interfaces                                  3-6
Activating the Firewall                                                     3-9
Defining a Firewall Security Policy                                         3-11
Installing the Security Policy on the Router and Its Interfaces             3-11
Deleting Fire

You can also use the Technician Interface, which lets you modify parameters by issuing set and commit commands that specify the MIB object ID. This process is equivalent to modifying parameters using Site Manager. For more information about using the Technician Interface to access the MIB, refer to Using Technician Interface Software.

Caution: Unlike using Site Manager, the Technician Interface does not verify that the value you enter for a parameter is valid.
2. If local or remote mode is selected, open a configuration file.

3. Create a firewall:

   Site Manager Procedure
   1. From Configuration Manager, choose Platform. (The Platform menu opens.)
   2. Choose FireWall. (The FireWall menu opens.)
   3. Choose Create. (A dialog box opens. See Figure 3-2.)
   4. Click on OK. (You return to the Configuration Manager window.)

   By default, the firewall is automatically enabled on the router.

Enabling or Disabling the Firewall on the Router

Note: When you first create a firewall, it is enabled by default.

To enable or disable the firewall on the router:

   Site Manager Procedure
   1. From Configuration Manager, choose Platform. (The Platform menu opens.)
   2. Choose FireWall. (The FireWall menu opens.)
   3. Choose Global. (The FireWall Enable window opens.)
   4. Set the Enable parameter.

To identify the management station to the router:

   Site Manager Procedure
   1. From Configuration Manager, choose Platform. (The Platform menu opens.)
   2. Choose FireWall. (The FireWall menu opens.)
   3. Choose FireWall Parameters.
   4. Set the Log Host IP Address parameter. Click on Help or see the parameter description on page A-2.
   5. Click on OK. (You return to the Configuration Manager window.)

   Site Manager Procedure (continued)
   4. Set the Local Interface IP Address parameter. Click on Help or see the parameter description on page A-2.
   5. Click on OK. (You return to the Configuration Manager window.)

Enabling the Firewall on Router Interfaces

After you have created a firewall on the router, you can enable it on one or more interfaces. To enable a firewall on router interfaces:

   Site Manager Procedure
   1.

   Site Manager Procedure (continued)
   9. Set the Disable parameter. Click on Help or see the parameter description on page A-3.
   10. Click on Done. (You return to the Configuration Manager window.)

   Figure 3-3.
Note: Once the firewall is protecting your router, if you put firewall protection on a new interface, the new interface will use the default security policy supplied by Check Point, which prevents the new interface from communicating with the router. You can download your customized security policy to the new interface using the Check Point FireWall-1 command line. You can also use the Check Point FireWall-1 graphical user interface (GUI) to download the security policy.

Once you enable the firewall on an interface and reboot the router, you will not be able to communicate with the router through Site Manager until you change the FireWall-1 default security policy. For more information, see “Defining a Firewall Security Policy” on page 3-11.
To reboot the router using Site Manager:

1. From the main Site Manager window, choose Administration > Boot Router. The Boot Router window opens (Figure 3-5).

   Figure 3-5. Boot Router Window

2. Specify the correct volume and boot image.

3. Select the correct router volume and configuration file. Then click on Boot. A confirmation window appears.

4. Click on OK in the confirmation window and wait a few minutes to give the router time to reboot.

5.

Defining a Firewall Security Policy

A security policy is a collection of rules that define the way the firewall operates. The default FireWall-1 security policy drops all attempts at communication with the router. This security policy goes into effect when you first activate the firewall on the router. You must establish a security policy that explicitly defines acceptable communication to the router, based on the source address, destination address, and type of service.
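The default-drop behaviour described above, and the lockout caveat under “Enabling the Firewall on Router Interfaces”, modelled as an added example (not code from this manual, Bay Networks or Check Point): a first-match rule-base evaluator on source, destination and service with an implicit drop, plus a check that a policy still admits the management station’s traffic before it is installed. The addresses and the service labels are constructed assumptions, not values from the manual.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    source: str       # CIDR network or "any"
    destination: str  # CIDR network or "any"
    service: str      # service label such as "udp/161", or "any"
    action: str       # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def _match_addr(pattern: str, value: str) -> bool:
    return pattern == "any" or ip_address(value) in ip_network(pattern, strict=False)


def evaluate(rules, pkt):
    """First matching rule wins; traffic that matches no rule is dropped."""
    for rule in rules:
        if (_match_addr(rule.source, pkt.src)
                and _match_addr(rule.destination, pkt.dst)
                and rule.service in ("any", pkt.service)):
            return rule.action
    return "drop"  # implicit cleanup rule: this is the default-policy behaviour


def blocked_management_services(rules, station, router, services):
    """Return the management services the rule base would drop on the path
    station -> router. A non-empty list means installing this policy would
    lock the management station (Site Manager, FireWall-1 GUI) out of the router."""
    return [s for s in services
            if evaluate(rules, Packet(station, router, s)) != "accept"]


# Constructed sample addresses (assumed): the router and its management station
# sit on different subnets, as in the troubleshooting checklist's static-route case.
ROUTER = "10.0.0.1"
STATION = "10.0.1.5"
# Constructed service labels (assumed): SNMP for Site Manager plus the FireWall-1
# control and log channels; the manual gives no port numbers for these.
MGMT_SERVICES = ["udp/161", "tcp/fw1-control", "tcp/fw1-log"]

DEFAULT_POLICY = []  # nothing explicitly accepted: all traffic to the router is dropped

CUSTOM_POLICY = [
    Rule(STATION + "/32", ROUTER + "/32", "any", "accept"),  # management station -> router
    Rule(ROUTER + "/32", STATION + "/32", "any", "accept"),  # logs from router -> station
    Rule("10.0.0.0/24", "any", "tcp/80", "accept"),         # LAN web browsing only
    Rule("any", "any", "any", "drop"),                      # explicit cleanup rule
]

if __name__ == "__main__":
    print("default policy blocks:",
          blocked_management_services(DEFAULT_POLICY, STATION, ROUTER, MGMT_SERVICES))
    print("custom policy blocks:",
          blocked_management_services(CUSTOM_POLICY, STATION, ROUTER, MGMT_SERVICES))
```

Run the check against any rule base before installing it on the router: an empty list from blocked_management_services means the management station keeps its path to the router.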
Deleting Firewall from the Router

You can use Site Manager to delete a firewall from the router. To dynamically delete a firewall from the router, you must use the Technician Interface.

Deleting Firewall Locally or Remotely Using Site Manager

Site Manager allows you to delete a firewall from the entire router in local and remote modes only. To delete a firewall:

   Site Manager Procedure
   1. From Configuration Manager, choose Platform.

Deleting Firewall Dynamically Using the Technician Interface

To delete a firewall dynamically, you must use the Technician Interface. The Technician Interface allows you to delete a firewall on a slot/port basis, or from all ports on the router.

    firewall delete [ | _all]

   The first form deletes a firewall from a specific slot/port combination.
   _all    Deletes a firewall from the router entirely.

Warning: The firewall delete all command deletes the MIB.

Troubleshooting Checklist

If you experience problems with FireWall-1, verify that you have performed these steps:
• Enabled IP on the router
• Enabled TCP on all slots on the router
• Created a firewall using Site Manager
• Created a static route if the router and firewall management stations are on different subnets
• Synchronized the router and management station passwords by executing the fwputkey command on both the router and the firewall management station
Appendix A
Parameter Descriptions

This appendix contains parameter descriptions for BaySecure FireWall-1 parameters.

FireWall Enable Parameter

Parameter:    Enable
Path:         Platform > FireWall > Global
Default:      Enable
Options:      Enable | Disable
Function:     Enables or disables the firewall on the entire router.
Instructions: Choose Enable to allow the firewall to be active on the router. Choose Disable to disable the firewall on the router.

FireWall Parameters

Parameter:    Log Host IP Address
Path:         Platform > FireWall > FireWall Parameters
Default:      0.0.0.0
Options:      Any valid IP address.
Function:     Identifies the IP address of the primary firewall management station.
Instructions: Enter the IP address of the PC or UNIX workstation where you installed the Check Point FireWall-1 management software.

List FireWall Interfaces Parameters

Parameter:    Name
Path:         Protocols > IP > FIREWALL
Default:      None
Options:      Any string of alphanumeric characters.
Function:     Identifies an interface by name.
Instructions: Enter a meaningful name in alphanumeric characters.

Parameter:    Disable
Path:         Protocols > IP > FIREWALL
Default:      Disable
Options:      Enable | Disable
Function:     Enables or disables the firewall on one or more interfaces.
Instructions: