Configuring BaySecure FireWall-1
BayRS Version 13.20
Site Manager Software Version 7.20
BCC Version 4.20
Part No.
Bay Networks, Inc.
4401 Great America Parkway
Santa Clara, CA 95054

Copyright © 1999 Bay Networks, Inc. All rights reserved. Printed in the USA. April 1999.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document.
Contents

Preface
    Before You Begin ..... xi
    Text Conventions ..... xii
    Acronyms ..... xiii
    Bay Networks Technical Publications .....

    Installation Options ..... 2-13
    Sample Installation ..... 2-13
    Customizing the FireWall-1 Installation ..... 2-17
    Installing a License on the Management Station ..... 2-18
    Starting and Stopping the FireWall-1 Daemons .....

Chapter 4 Customizing a Firewall on a Router
    Specifying FireWall-1 Memory ..... 4-2
    Setting the Firewall Filter Timer ..... 4-3
    Setting the Log Timer ..... 4-3
    Specifying a Timeout Period for an Inactive TCP Connection .....

Figures
    Figure 2-1. Choose Destination Location Window ..... 2-6
    Figure 2-2. Selecting Product Type Window ..... 2-7
    Figure 2-3. Licenses Window ..... 2-7
    Figure 2-4. Administrators Window ..... 2-8
    Figure 2-5. Add Administrator Window .....
Preface

This guide describes BaySecure FireWall-1 and what you do to install, start, and customize BaySecure FireWall-1 services on a Bay Networks® router. You can use the Bay Command Console (BCC™) to configure BaySecure FireWall-1 services on a router.

Before You Begin

Before using this guide, you must complete the following procedures. For a new router:
• Install the router (see the installation guide that came with your router).
Text Conventions

This guide uses the following text conventions:

angle brackets (< >)
    Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command.
    Example: If the command syntax is: ping , you enter: ping 192.32.10.12

bold text
    Indicates command names and options and text that you need to enter.
    Example: Enter show ip {alerts | routes}.
    Example: Use the dinfo command.
Acronyms

GUI      graphical user interface
IP       Internet Protocol
LAN      local area network
MIB      management information base
ISO      International Organization for Standardization
TCP/IP   Transmission Control Protocol/Internet Protocol

Bay Networks Technical Publications

You can now print Bay Networks technical manuals and release notes free, directly from the Internet. Go to support.baynetworks.com/library/tpubs/. Find the Bay Networks product for which you need documentation.
How to Get Help

For product assistance, support contracts, information about educational services, and the telephone numbers of our global support offices, go to the following URL: http://www.baynetworks.com/corporate/contacts/

In the United States and Canada, you can dial 800-2LANWAN for assistance.
Chapter 1 Overview of the BaySecure FireWall-1 Software

The BaySecure™ FireWall-1 software builds firewall security features into Bay Networks router software. It does this by integrating the stateful inspection module from Version 2.1 of the Check Point Software Technologies FireWall-1 software into the Bay Networks router operating system (BayRS) of Bay Networks BN®, ASN™, and ARN™ routers. BaySecure FireWall-1 is a firewall only, and does not include the entire suite of Check Point features.
How the Firewall Software Works

The management station downloads the policy information to the stateful inspection module in the Bay Networks router software. The stateful inspection module inspects all data packets traveling between the data link and network layers, and communicates the results to the management station. (Note that the management station does not inspect the packets.
Selecting a Backup Management Station

A router connects to a backup firewall management station upon termination of the TCP connection (with TCP_ABORT) between the current firewall management station and the router.

Note: When an event, such as a LAN failure, prevents communication between the router and the firewall management station, the firewall management station closes the TCP connection from its end when data does not flow from the idle TCP connection.
Where to Go Next

To get a firewall up and running on your Bay Networks router:

For information about how to                                             Go to page
Obtain licenses from Check Point                                         2-1
Install the Check Point Management software                              2-5
Create a firewall                                                        3-1
Enable the firewall on the router                                        3-7
Establish a relationship between the management station and the router   3-3
Enable the router on specific interfaces                                 3-7
Activate the firewall                                                    3-10
Configure a firewall security policy                                     3-10, and
Chapter 2 Installing the FireWall-1 Management Software

To install the FireWall-1 software, see the following sections:

Topic                                                        Page
Obtaining Software Licenses                                  2-1
Installing and Running the FireWall-1 Management Software    2-5
Transferring Security Policy and Configuration Files         2-20

Obtaining Software Licenses

Before you can install the FireWall-1 software and create a firewall on the router, you must first obtain a permanent software license from Check Point Software Technologies for:
• The firewa
Obtaining a FireWall-1 License for the Management Station

To obtain a FireWall-1 license for the firewall management station, follow these instructions:

Note: You need one license for each FireWall-1 management station. To obtain a license for each additional management station, you must repeat the steps outlined in this section.

1. Locate your certificate key.
Sample Response from Check Point

    Your license request with the following details has been accepted.
    Below you will find the corresponding license string.
    We recommend printing this page and saving it in your files for future reference.

    Request Details
    ---------------
    Certificate Key:   5xxx 5xxx fxxx
    Customer Name:     Bay Networks
    Product:           CPFW-ESC-U
    Version:           3.0
    Host ID:           123.123.123.123

    License(s) Issued
    -----------------
    Host ID:           123.123.
    Features:
    License String:
Obtaining a FireWall-1 License for the Router

To obtain a FireWall-1 license for a router you plan to protect with a firewall, follow these instructions:

Note: You need one license for each router that you plan to protect with a firewall. You need an additional license for each router if you want to use the backup management station. To obtain additional licenses, you must repeat the steps outlined in this section.

1. Locate your certificate key.
Sample Response from Check Point

    The following license was generated:
    We recommend printing this page and saving it in your files for future reference.

    Request Details
    ---------------
    Certificate Key:   7xxx dxxx 1xxx
    Customer Name:     Bay Networks
    Product:           BABN-IM-U
    Version:           3.0
    Host ID:           012.012.012.012

    License Issued
    --------------
    Host ID:           012.012.012.
    Features:
    License String:
Sample Installation

The following sample installation takes the Check Point FireWall-1 software from a CD and installs it onto a PC running Windows NT. Use this sample installation to familiarize yourself with a basic FireWall-1 installation.

Note: This sample installation shows only those screens necessary for a basic installation. Your installation may be different.

Installing the Management Software

1.
The Selecting Product Type window (Figure 2-2) opens.

Figure 2-2. Selecting Product Type Window

4. Choose FireWall-1 Enterprise Management Product as the FireWall-1 component you want to install.
5. Click on Next. The Licenses window (Figure 2-3) opens.

Figure 2-3.
6. Enter the license information you obtained from Check Point.
7. Click on Next. The Administrators window (Figure 2-4) opens.

Figure 2-4. Administrators Window

You must specify at least one administrator.

8. Click on Add. The Add Administrator window (Figure 2-5) opens.

Figure 2-5.
9. Enter the administrator's user name and password (limited to eight characters), and a password confirmation, then click on OK. You return to the Administrators window.
10. Click on Next. The GUI Clients window opens. Do not enter any GUI clients at this time.
11. Click on Next. The Remote Modules window appears. Do not enter any remote modules at this time.
12. Click on Next. The Key Hit Session window (Figure 2-6) opens.

Figure 2-6.
14. Click on Next. The CA Key window opens.
15. Click on Generate to generate a new key. The host uses the RSA key to generate a digital signature for authenticating its communications in its capacity as a Certificate Authority. Generating the key may take several minutes.
16. Click on Finish.

Installing the GUI Client

1. Insert the CD into the CD-ROM drive and run the setup.exe file.
3. Click on Next. The Select Components window (Figure 2-8) opens.

Figure 2-8. Select Components Window

4. Install the Security Policy, System Status, and Log Viewer components by clicking on each item.

Customizing the FireWall-1 Installation

You can customize your FireWall-1 installation by running the FireWall-1 Configuration file.
Installing on a UNIX Platform

Use the following sections as a guide to installing the FireWall-1 software on a computer running UNIX. For more details, refer to your Check Point FireWall-1 documentation.

Before You Install

Before you attempt to install the Check Point FireWall-1 software, be sure that you have completed these tasks:
• Obtain a FireWall-1 license for each firewall management station and router that you plan to protect with a firewall.
For HP-UX

    lab# mount -r /dev/dsk/c1t2d0 /cdrom
    lab# cd /tmp
    lab# tar xvf "/cdrom/HPUX/FW1/FW.HPUX.TAR;1"

(Use your specific CD-ROM device address in place of /dev/dsk/c1t2d0.)

Installing the Check Point FireWall-1 Software

Once you have extracted the Check Point FireWall-1 files, you can install the management software. To install the software, change directories so that you're in the directory where you put the extracted files and then issue the fwinstall command.
    **************** FireWall-1 v3.0 Installation ****************
    Reading fwinstall configuration. Please wait.
    Configuration loaded. This might take a while.
    Running FireWall-1 Setup.
    Checking available options. Please wait.....................
    The following evaluation License key is provided with this FireWall-1 distribution
    Eval 15Mar97 3.x pfmx controlx routers connect motif
    Do you want to use this evaluation FW-1 license (y/n) [y]? n
    Do you wish to start FireWall-1 automatically from /etc/rc.
    Configuring Groups...
    =====================
    FireWall-1 access and execution permissions
    -------------------------------------------
    Usually, FireWall-1 is given group permission for access and execution.
    You may now name such a group or instruct the installation procedure to
    give no group permissions to FireWall-1. In the latter case, only the
    Super-User will be able to access and execute FireWall-1.
    **************** FireWall-1 is now installed. ****************
    Do you wish to start FW-1 now (y/n) [y] ? n
    ******************************************************************
    DO NOT FORGET TO:
    1. add the line:
           setenv FWDIR /etc/fw              to .cshrc
       or
           FWDIR=/etc/fw; export FWDIR       to .profile
    2. add /etc/fw/bin to path
    3.
Installing a License on the Management Station

To install a FireWall-1 license, enter the license installation command listed in the response message that Check Point displayed when you requested the license. (See the sample Check Point responses on page 2-3 and page 2-5.)
Synchronizing the Management Station and the Router Passwords

Once you have installed licenses on the firewall management station and the router, you must synchronize your password on the two systems.
Transferring Security Policy and Configuration Files

Firewall backup management stations must have the same security policies and configuration files that the primary firewall management station uses. Bay Networks has provided script files to make it easy to synchronize firewall management stations. The script files enable you to use a single command, fwfilex, to package files associated with a management station's security environment.
From the World Wide Web

You can also download the files from the World Wide Web. Complete the following steps:

1. Use your browser to go to the customer service Web page at this URL: http://support.baynetworks.com/software
2. Scroll down to Bay Networks Routers.
3. Select Router_Software_v_13.x.
4. Click on Go.
5. Scroll down to the Firewall Scripts banner and click on the tar file for UNIX platforms or the zip file for Windows NT.
3. Using FTP, copy, or another transfer utility, manually transfer the file .zip to the FireWall-1 bin directory on the secondary Windows NT backup station.
4. To unpackage the firewall environment, on the destination machine, enter:

    c:\WINNT\FW\BIN> fwfilex -o .
Chapter 3 Configuring a Firewall on a Router

To configure a firewall on the router, see the following topics:

Topic                                                                              Page
Creating a Firewall on a Router                                                    3-1
Disabling and Reenabling a Firewall on a Router                                    3-3
Setting Up Communications Between the Firewall Management Station and the Router   3-3
Enabling the Firewall on Router Interfaces                                         3-7
Activating the Firewall                                                            3-10
Defining a Firewall Security Policy                                                3-10
Installing the Security Policy on the Router and Its Interfaces                    3-11
Troubleshooting
You can also use the Technician Interface, which lets you modify parameters by issuing set and commit commands that specify the MIB object ID. This process is equivalent to modifying parameters using the BCC. For more information about using the Technician Interface to access the MIB, see Using Technician Interface Software.

Caution: The Technician Interface does not verify that the value you enter for a parameter is valid.
Disabling and Reenabling a Firewall on a Router

By default, a firewall is enabled when you first create it on the router.
Establishing a Static Route

You may need to establish a static route between the router and the management station before you configure the firewall parameters. By default, FireWall-1 filters in-bound routing protocol packets from RIP or OSPF.
Identifying the First Backup Firewall Management Station

If your router loses communication with its firewall management station, the router automatically establishes communication with the first backup firewall management station so that firewall security remains intact.
Use the BCC to specify the second backup firewall management station. Navigate to the firewall prompt (for example, box; ip; firewall) and enter:

    log-host-2backup ip_address

ip_address is the address of the second backup firewall management station in the event that the router loses communication with its firewall management station and the first backup firewall management station.
Enabling the Firewall on Router Interfaces

After you have created a firewall on the router, use the BCC to enable it on one or more interfaces. For each interface on which you want to enable the firewall, do the following:

1. Navigate to the IP interface-specific prompt.
2. Add a firewall to the interface.
3. Optionally, specify a firewall name.
4. Optionally, set the policy index.
For example, the following command invokes the prompt for IP interface 2.2.2.2/255.0.0.0 (which has been configured on Ethernet slot 2, connector 2):

    ethernet/2/2# ip address 2.2.2.2 mask 255.0.0.0
    ip/2.2.2.2/255.0.0.0#

Adding a Firewall to an Interface

When you add a firewall to an IP interface, the firewall is automatically enabled on that interface. To add a firewall to an IP interface, enter:

    firewall

The firewall prompt appears.
For example, the following command assigns the name "offsite" to the firewall on IP interface 2.2.2.2/255.0.0.0:

    firewall/2.2.2.2# firewall-name offsite
    firewall/2.2.2.2#

Setting the Policy Index

The policy index allows multiple circuits to share the same instance of FireWall-1. You can have up to 32 instances of FireWall-1, with many circuits making up each FireWall-1 instance. All circuits in a grouping must share the same security policy.
Activating the Firewall

Before the FireWall-1 security policy can take effect on the router, you must first activate the firewall by booting the router using the Technician Interface on the management station. Booting a router warm-starts every processor module in the router. Pressing the Reset button on the front panel of the router performs the same procedure. For information about using the Technician Interface boot command, see Using Technician Interface Software.
Installing the Security Policy on the Router and Its Interfaces

Once you have defined a security policy, you must install it on the router. Installing a security policy means downloading it to the firewalled objects that will enforce it.
Troubleshooting Checklist

If you experience problems with the FireWall-1 software, verify that you have performed these steps:
• Enabled IP on the router
• Enabled TCP on all slots on the router
• Created a firewall using the BCC
• Created a static route if the router and firewall management stations are on different subnets
• Synchronized the router and management station passwords by executing the fwputkey command on both the router and the firewall management st
Chapter 4 Customizing a Firewall on a Router

To customize a firewall on the router, see the following topics:

Topic                                                           Page
Specifying FireWall-1 Memory                                    4-2
Setting the Firewall Filter Timer                               4-3
Setting the Log Timer                                           4-3
Specifying a Timeout Period for an Inactive TCP Connection      4-4
Deleting a Firewall                                             4-6

Effective with the release of BayRS 13.20, the Bay Command Console (BCC) is the sole means of managing the BaySecure FireWall-1.
Specifying FireWall-1 Memory

You can specify the maximum and minimum amount of memory that FireWall-1 uses. By default, the minimum amount of memory is 50,000 bytes. The maximum amount of memory is 100,000 bytes.

Caution: We recommend that you accept the default memory allocation settings. If you change them, you may see unexpected and undesired results.
Setting the Firewall Filter Timer

The firewall filter timer is the number of seconds between attempts to download the firewall security policy from the backup management station if the download is not successful from the primary firewall management station. The default interval is 40 seconds. You can use the BCC to specify a new value for the filter timer.
Specifying a Timeout Period for an Inactive TCP Connection

If a TCP connection is inactive for a certain period of time, the router sends a TCP keepalive message, and expects an acknowledgment (ACK) from the management station. If the router does not receive the ACK from the management station, it retransmits the keepalive message. If after retransmitting the keepalive message the router does not receive an ACK from the management station, the TCP connection is disabled.
For example, the following command disables the keepalive feature:

    firewall# idle-time-keepalive 0
    firewall#

Setting the Keepalive Retransmit Timer

The keepalive retransmit timer specifies the interval, in seconds, at which a router retransmits unacknowledged keepalive messages to the management station. The default keepalive timer value is 5 seconds. You can use the BCC to specify a new value.
For example, the following command sets the keepalive retransmit timer to 5 seconds:

    firewall# retries-keepalive 5
    firewall#

Deleting a Firewall

You can use the BCC to delete the global firewall (removing the firewall from all interfaces on the router) or to delete a firewall from specific interfaces.

Caution: Deleting the global firewall deletes the MIB. This action disables the FireWall-1 functionality on the router.
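The keepalive and failover behaviour described in "Selecting a Backup Management Station" and in the keepalive sections above, modelled as an added example (illustrative Python, not Bay Networks code). It assumes one retransmission before the connection is dropped, that the router moves from primary to first backup to second backup and then wraps around, and constructed station addresses; the 5-second retransmit default is the guide's own.

```python
"""Model of how a BaySecure FireWall-1 router detects a dead management
station connection and fails over to its backup stations.

Added illustration, not Bay Networks code.  Assumptions (not stated in the
guide): one retransmission before the connection is dropped, and the router
moves through primary -> first backup -> second backup -> primary again.
"""
from dataclasses import dataclass


@dataclass
class KeepaliveConfig:
    idle_time_keepalive: int      # seconds idle before the first keepalive; 0 disables
    retries_keepalive: int = 5    # seconds between retransmissions (guide default: 5)
    retransmissions: int = 1      # assumed number of retransmissions before giving up


def seconds_until_declared_down(cfg: KeepaliveConfig):
    """Worst-case seconds from the last data exchanged until the router drops
    the TCP connection.  None means keepalives are disabled, so loss is only
    noticed when the TCP connection itself aborts."""
    if cfg.idle_time_keepalive == 0:
        return None
    # first probe after the idle period, one interval per retransmission,
    # then a final interval waiting for the ACK of the last retransmission
    return cfg.idle_time_keepalive + cfg.retries_keepalive * (cfg.retransmissions + 1)


def simulate(cfg: KeepaliveConfig, stations, events, horizon):
    """Step the link one second at a time and report failovers.

    stations: [primary, first backup, second backup] management stations.
    events:   {second: "data" | "ack" | "abort"} -- data from the station,
              an ACK to an outstanding keepalive, or a TCP_ABORT from the
              station side (see "Selecting a Backup Management Station").
    Returns a list of (second, station) pairs, one per failover.
    """
    current, last_activity, probe_sent_at, retransmits = 0, 0, None, 0
    failovers = []

    def fail_over(t):
        nonlocal current, last_activity, probe_sent_at, retransmits
        current = (current + 1) % len(stations)   # assumed wrap-around
        failovers.append((t, stations[current]))
        last_activity, probe_sent_at, retransmits = t, None, 0

    for t in range(horizon + 1):
        ev = events.get(t)
        if ev == "data" or (ev == "ack" and probe_sent_at is not None):
            last_activity, probe_sent_at, retransmits = t, None, 0
            continue
        if ev == "abort":          # station closed the connection: immediate failover
            fail_over(t)
            continue
        if cfg.idle_time_keepalive == 0:
            continue               # keepalive disabled: nothing else detects loss
        if probe_sent_at is None:
            if t - last_activity >= cfg.idle_time_keepalive:
                probe_sent_at = t  # send the first keepalive
        elif t - probe_sent_at >= cfg.retries_keepalive:
            if retransmits < cfg.retransmissions:
                retransmits += 1
                probe_sent_at = t  # retransmit the unacknowledged keepalive
            else:
                fail_over(t)       # still no ACK: drop and switch stations
    return failovers


# Constructed sample: primary and two backups, 30 s idle timer, 5 s retransmit.
SAMPLE_STATIONS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
SAMPLE_CFG = KeepaliveConfig(idle_time_keepalive=30)

if __name__ == "__main__":
    print(seconds_until_declared_down(SAMPLE_CFG))                          # 40
    print(simulate(SAMPLE_CFG, SAMPLE_STATIONS, {10: "data", 43: "ack"}, 100))
```

Setting idle-time-keepalive to 0 makes the model return None: with keepalives off, the router only learns of a lost station when the TCP connection aborts.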
Appendix A Monitoring the Firewall Using BCC show Commands

This appendix describes how to use the BCC show command to obtain BaySecure FireWall-1 statistical data from the management information base (MIB). The type and amount of data displayed depend on the specific settings you want to view.
show firewall interfaces

The show firewall interfaces command displays information about the interfaces on which a firewall is configured. The output includes the following information:

IP Address      Internet address of the interface on which a firewall is configured.
Cct Name        Name of the circuit associated with the IP interface.
Policy Index    Value that lets circuits share the same virtual machine.
show firewall summary

The show firewall summary command displays the current firewall configuration. The output includes the following information:

State                        State of the firewall on the router: enabled or disabled.
Version                      Firewall protocol version number.
Firewall Operational State   State of the interface: Up, Down, Init (initializing), or Not Pres (not present).
Local Host                   IP address of the router protected by the firewall.
Appendix B Upgrading to BayRS Version 13.20

This appendix describes the procedure you must follow if you are upgrading to BayRS Version 13.20 from an earlier version of BaySecure FireWall-1. To upgrade to FireWall-1 in BayRS Version 13.20, complete the following steps:

1. Familiarize yourself with the Bay Command Console (BCC). Starting with BayRS Version 13.20, FireWall-1 no longer supports Site Manager as a configuration tool. You must use the BCC to manage FireWall-1.
To reenable the firewall on each IP interface, use the BCC to navigate to the prompt for the slot/connector on which you have configured the IP interface (for example, box; eth 2/2). Then enter:

    ip address ip_address mask address_mask

ip_address is the IP address you have assigned to the interface. address_mask is the mask associated with the IP address. The prompt for the IP interface appears. For example, the following command invokes the prompt for IP interface 2.2.2.
If you are using FireWall-1 on more than 32 circuits, you must group circuits with the same security policy and assign those circuits the same policy index number. For example, you might have a group of five IP interfaces to which you assign policy index 1. Those five IP interfaces count as one instance of firewall on the router; they all share the same security policy.
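The policy index grouping described here and under "Setting the Policy Index" in Chapter 3, as an added example (illustrative Python, not Bay Networks code). The interface data is constructed, and the argument form of the policy-index command is assumed by analogy with the guide's other BCC commands; the 32-instance limit is the guide's own.

```python
"""Group router IP interfaces (circuits) by security policy, assign the policy
index each group shares, and render the BCC command sequence from Chapter 3.

Added illustration, not Bay Networks code.  The interface data is
constructed; 'policy-index <n>' is an assumed argument form, by analogy with
'firewall-name offsite' and 'idle-time-keepalive 0' in the guide."""

MAX_FIREWALL_INSTANCES = 32   # guide: up to 32 instances of FireWall-1 per router


def assign_policy_indexes(interfaces):
    """interfaces: list of dicts with keys slot, connector, ip, mask, policy.

    Returns {ip: policy_index}.  Interfaces with the same policy name get the
    same index (numbered from 1 in order of first appearance), so they count
    as one FireWall-1 instance.  Raises ValueError if the router would need
    more than 32 instances, the situation the appendix says you must avoid
    by grouping circuits."""
    index_of = {}
    assignment = {}
    for itf in interfaces:
        policy = itf["policy"]
        if policy not in index_of:
            if len(index_of) == MAX_FIREWALL_INSTANCES:
                raise ValueError(
                    f"{len(index_of) + 1} distinct policies would need more than "
                    f"{MAX_FIREWALL_INSTANCES} FireWall-1 instances; merge policies")
            index_of[policy] = len(index_of) + 1
        assignment[itf["ip"]] = index_of[policy]
    return assignment


def instance_count(assignment):
    """Number of FireWall-1 instances an assignment consumes on the router."""
    return len(set(assignment.values()))


def bcc_commands(interfaces, assignment):
    """Render, per interface, the prompts and commands the guide shows:
    navigate to the IP interface, add the firewall, set the policy index."""
    lines = []
    for itf in interfaces:
        ip, mask = itf["ip"], itf["mask"]
        lines.append(f"ethernet/{itf['slot']}/{itf['connector']}# ip address {ip} mask {mask}")
        lines.append(f"ip/{ip}/{mask}# firewall")
        lines.append(f"firewall/{ip}# policy-index {assignment[ip]}")   # assumed form
    return lines


def _itf(slot, connector, ip, policy):
    return {"slot": slot, "connector": connector, "ip": ip,
            "mask": "255.255.255.0", "policy": policy}


# Constructed sample: five interfaces, two policies -> two instances.
SAMPLE_INTERFACES = [
    _itf(2, 1, "10.1.0.1", "offsite"),
    _itf(2, 2, "10.2.0.1", "offsite"),
    _itf(3, 1, "10.3.0.1", "dmz"),
    _itf(3, 2, "10.4.0.1", "offsite"),
    _itf(4, 1, "10.5.0.1", "dmz"),
]

if __name__ == "__main__":
    plan = assign_policy_indexes(SAMPLE_INTERFACES)
    print(plan, instance_count(plan))
    print("\n".join(bcc_commands(SAMPLE_INTERFACES, plan)))
```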