Configuring BaySecure FireWall-1
BayRS Version 13.10
Site Manager Software Version 7.10
Part No.

4401 Great America Parkway, Santa Clara, CA 95054
8 Federal Street, Billerica, MA 01821

Copyright © 1998 Bay Networks, Inc. All rights reserved. Printed in the USA. November 1998.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty.
Bay Networks, Inc. Software License Agreement NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH BAY NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE.
its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs. 4. Limitation of liability.
Contents

Preface
Before You Begin .... ix
Text Conventions .... x
Acronyms .... xi
Bay Networks Technical Publications ....

Customizing the FireWall-1 Installation .... 2-18
Installing a License on the Management Station .... 2-19
Starting and Stopping the FireWall-1 Daemons .... 2-19
Synchronizing the Management Station and the Router Passwords .... 2-19
Starting FireWall-1 ....

Figures
Figure 2-1. Choose Destination Location Window .... 2-6
Figure 2-2. Selecting Product Type Window .... 2-7
Figure 2-3. Licenses Window .... 2-8
Figure 2-4. Administrators Window .... 2-9
Figure 2-5. Add Administrators Window ....
Preface

This guide describes BaySecure FireWall-1 and what you do to install, start, and customize BaySecure FireWall-1 services on a Bay Networks® router.

Before You Begin

Before using this guide, you must complete the following procedures. For a new router:
• Install the router (see the installation guide that came with your router).

Text Conventions

This guide uses the following text conventions:

angle brackets (< >)  Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is: ping <…>, you enter: ping 192.32.10.12

bold text  Indicates command names and options and text that you need to enter. Example: Enter show ip {alerts | routes}. Example: Use the dinfo command.

separator ( > )  Shows menu paths. Example: Protocols > IP identifies the IP option on the Protocols menu.

vertical line ( | )  Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is: show ip {alerts | routes}, you enter either: show ip alerts or show ip routes, but not both.

• The “CD ROMs” section lists available CDs.
• The “Guides/Books” section lists books on technical topics.
• The “Technical Manuals” section lists available printed documentation sets.

Make a note of the part numbers and prices of the items that you want to order. Use the “Marketing Collateral Catalog description” link to place an order and to print the order form.
Chapter 1
BaySecure FireWall-1

BaySecure™ FireWall-1 builds firewall security features into Bay Networks router software. It does this by integrating the stateful inspection module from Version 2.1 of the Check Point Software Technologies FireWall-1 software into the Bay Networks router operating system of Bay Networks BN®, ASN™, and ARN™ routers. BaySecure FireWall-1 provides all of the security features from Version 2.

How the Firewall Software Works

The stateful inspection module in the Bay Networks router software inspects all data packets traveling between the data link and network layers and communicates the results to the management station. If the data packets meet the security requirements specified in the security policy, the router forwards the data.
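The following Python model is an added illustration of the inspection path just described; it is not code from this guide, from Bay Networks, or from Check Point. It keeps the three pieces the guide talks about separate: a rule base standing in for the security policy, a connection table kept by the inspection module, and a violation log standing in for the management station's log. Every address, port and rule in it is constructed for the example, and the "implicit final drop" with an empty rule base is this example's way of modelling the guide's warning (Chapter 3) that a newly firewalled interface running the default policy cannot talk to the router until the policy is changed.

```python
"""Toy stateful inspection: rule base, connection table, violation log.
Added example; all addresses, ports and rules are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP only: True on the connection-opening segment


@dataclass
class Rule:
    src: str              # IP address or "any"
    dst: str              # IP address or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return ((self.src == "any" or self.src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


ConnKey = Tuple[str, str, int, str, int]


@dataclass
class Inspector:
    rulebase: List[Rule]
    connections: Dict[ConnKey, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)   # stand-in for the management-station log

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> ConnKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def inspect(self, pkt: Packet) -> str:
        """Return "accept" or "drop" for one packet, updating state and log."""
        # 1. Packets of an already-accepted connection (either direction)
        #    are forwarded without consulting the rule base again.
        if self._key(pkt) in self.connections or self._reverse_key(pkt) in self.connections:
            return "accept"
        # 2. A non-SYN TCP segment with no known connection cannot open one:
        #    drop it and record the violation.
        if pkt.proto == "tcp" and not pkt.syn:
            self.log.append(f"drop {pkt} (no matching connection)")
            return "drop"
        # 3. New flow: the first matching rule decides; accept creates state.
        for rule in self.rulebase:
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.connections[self._key(pkt)] = "established"
                    return "accept"
                break
        # 4. Implicit final rule: drop anything not explicitly accepted.
        self.log.append(f"drop {pkt} (policy)")
        return "drop"


# Constructed addresses for the scenario (not from the manual).
MGMT = "192.168.1.10"     # firewall management station
ROUTER = "192.168.1.1"    # router's local interface
HOST = "10.0.0.5"         # a host behind the router
WEB = "203.0.113.7"       # an outside web server
OUTSIDER = "203.0.113.9"  # an outside host sending unsolicited traffic


def default_policy() -> Inspector:
    """Empty rule base: only the implicit drop fires, so even the management
    station is cut off (the guide's default-policy caveat, as modelled here)."""
    return Inspector(rulebase=[])


def custom_policy() -> Inspector:
    """Minimal customised policy: management station may reach the router on
    any port, inside hosts may open HTTP, everything else is dropped."""
    return Inspector(rulebase=[Rule(MGMT, ROUTER, None, "accept"),
                               Rule(HOST, "any", 80, "accept")])


def run_sample() -> dict:
    """Push the same constructed packets through both policies; return the
    verdict list and the number of logged violations for each."""
    packets = [
        Packet("tcp", MGMT, 40001, ROUTER, 23, syn=True),   # mgmt opens session
        Packet("tcp", ROUTER, 23, MGMT, 40001),             # router replies
        Packet("tcp", HOST, 40002, WEB, 80, syn=True),      # inside host to web
        Packet("tcp", WEB, 80, HOST, 40002),                # web server replies
        Packet("tcp", OUTSIDER, 4444, HOST, 22, syn=True),  # unsolicited inbound
        Packet("tcp", OUTSIDER, 80, HOST, 40003),           # "reply" with no state
    ]
    results = {}
    for name, insp in (("default", default_policy()), ("custom", custom_policy())):
        results[name] = [insp.inspect(p) for p in packets]
        results[name + "_violations"] = len(insp.log)
    return results
```

Calling run_sample() shows the two behaviours side by side: under the empty (default) rule base every packet is dropped and logged, including the management station's own session, while under the customised policy the two legitimate sessions and their replies pass, and only the unsolicited inbound SYN and the stateless "reply" are dropped and logged. The reply packets are accepted purely from the connection table, which is the property that distinguishes stateful inspection from a packet filter that would need an explicit return-traffic rule.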
Chapter 2
Installing FireWall-1 Management Software

To install the FireWall-1 software, see the following sections:
Topic  Page
Obtaining Software Licenses  2-1
Installing and Running the FireWall-1 Management Software  2-5

Obtaining Software Licenses

Before you can install the FireWall-1 software and create a firewall on the router, you must first obtain a permanent software license from Check Point Software Technologies for:
• The firewall management station. You need one software license for the fire

Obtaining a FireWall-1 License for the Management Station

To obtain a FireWall-1 license for the firewall management station, follow these instructions:

Note: You need one license for each FireWall-1 management station. To obtain a license for each additional management station, you must repeat the steps outlined in this section.

1. Locate your certificate key.
Sample Response from Check Point

Your license request with the following details has been accepted. Below you will find the corresponding license string. We recommend printing this page and saving it in your files for future reference.

Request Details
---------------
Certificate Key:  5xxx 5xxx fxxx
Customer Name:    Bay Networks
Product:          CPFW-ESC-U
Version:          3.0
Host ID:          123.123.123.123

License(s) Issued
-----------------
Host ID:          123.123.123.
Features:
License String:

Obtaining a FireWall-1 License for the Router

To obtain a FireWall-1 license for a router you plan to protect with a firewall, follow these instructions:

Note: You need one license for each router that you plan to protect with a firewall. To obtain a license for each additional router, you must repeat the steps outlined in this section.

1. Locate your certificate key.

Sample Response from Check Point

The following license was generated: We recommend printing this page and saving it in your files for future reference.

Request Details
---------------
Certificate Key:  7xxx dxxx 1xxx
Customer Name:    Bay Networks
Product:          BABN-IM-U
Version:          3.0
Host ID:          012.012.012.012

License Issued
--------------
Host ID:          012.012.012.
Features:
License String:
Sample Installation

The following sample installation takes the Check Point FireWall-1 software from a CD and installs it onto a PC running Windows NT. Use this sample installation to familiarize yourself with a basic FireWall-1 installation.

Note: This sample installation shows only those screens necessary for a basic installation. Your installation may be different.

Installing the Management Software

1.

The Selecting Product Type window (Figure 2-2) opens.

Figure 2-2. Selecting Product Type Window

4. Choose the FireWall-1 component you want to install. To be compatible with BaySecure FireWall-1, choose FireWall-1 Enterprise Management Product.

5. Click on Next. The Licenses window (Figure 2-3) opens.

Figure 2-3. Licenses Window

6. Enter the license information you obtained from Check Point.

7. Click on Next. The Administrators window (Figure 2-4) opens.

Figure 2-4. Administrators Window

You must specify at least one administrator.

8. Click on Add. The Add Administrator window (Figure 2-5) opens.

Figure 2-5. Add Administrators Window

9. Enter the administrator’s user name and password (limited to eight characters), and a password confirmation, then click on OK. You return to the Administrators window.

10. Click on Next. The GUI Clients window opens. Do not enter any GUI clients at this time.

11. Click on Next. The Remote Modules window appears. Do not enter any remote modules at this time.

12. Click on Next. The Key Hit Session window (Figure 2-6) opens.

Figure 2-6. Key Hit Session Window

13. Follow the directions in the window and enter random characters, with a delay of a few seconds between them, until the indicator bar is full.
14. Click on Next. The CA Key window opens.

15. Click on Generate to generate a new key. The host uses the RSA key to generate a digital signature for authenticating its communications in its capacity as a Certificate Authority. Generating the key may take several minutes.

16. Click on Finish.

Installing the GUI Client

1. Insert the CD into the CD-ROM drive and run the setup.exe file.

3. Click on Next. The Select Components window (Figure 2-8) opens.

Figure 2-8. Select Components Window

4. Install the Security Policy, System Status, and Log Viewer components by clicking on each item.

Customizing the FireWall-1 Installation

You can customize your FireWall-1 installation by running the FireWall-1 Configuration file.
Installing on a UNIX Platform

Use the following sections as a guide to installing the FireWall-1 software on a computer running UNIX. For more details, refer to your Check Point FireWall-1 documentation.

Before You Install

Before you attempt to install the Check Point FireWall-1 software, be sure that you have completed these tasks:
• Obtain a FireWall-1 license for each firewall management station and router that you plan to protect with a firewall.

For HPUX:

lab# mount -r /dev/dsk/c1t2d0 /cdrom    (or your specific CD-ROM address)
lab# cd /tmp
lab# tar xvf "/cdrom/HPUX/FW1/FW.HPUX.TAR;1"

Installing the Check Point FireWall-1 Software

Once you have extracted the Check Point FireWall-1 files, you can install the management software. To install the software, change directories so that you’re in the directory where you put the extracted files and then issue the fwinstall command.

**************** FireWall-1 v3.0 Installation ****************
Reading fwinstall configuration. Please wait.
Configuration loaded.
This might take a while.
Running FireWall-1 Setup.
Checking available options. Please wait.....................

The following evaluation License key is provided with this FireWall-1 distribution
Eval 15Mar97 3.x pfmx controlx routers connect motif
Do you want to use this evaluation FW-1 license (y/n) [y]? n
Do you wish to start FireWall-1 automatically from /etc/rc.local (y/n) [y] ? n

Welcome to FireWall-1 Configuration Program
===========================================
This program will guide you through several steps where you will define your FireWall-1 configuration.

Configuring Groups...
=====================
FireWall-1 access and execution permissions
-------------------------------------------
Usually, FireWall-1 is given group permission for access and execution.
You may now name such a group or instruct the installation procedure to give no group permissions to FireWall-1.
In the latter case, only the Super-User will be able to access and execute FireWall-1.

**************** FireWall-1 is now installed. ****************
Do you wish to start FW-1 now (y/n) [y] ? n
******************************************************************
DO NOT FORGET TO:
1. add the line: setenv FWDIR /etc/fw to .cshrc
   or FWDIR=/etc/fw; export FWDIR to .profile
2. add /etc/fw/bin to path
3. add /etc/fw/man to MANPATH environment
******************************************************************
You may configure FireWall-1 anytime, by running fwconfig.
Installing a License on the Management Station

To install a license on the firewall management station, use the following command:

fw putlic <hostid> <lic_string> pfmx controlx routers motif embedded

The hostid is the host ID of the management station. The lic_string is a string of alphanumeric characters that Check Point provides with your FireWall-1 license.

Starting and Stopping the FireWall-1 Daemons

To start the FireWall-1 daemons, use the fwstart command.

Starting FireWall-1

To start FireWall-1, enter the fwui& command. For example, at the system prompt, enter:

lab# fwui&

Optionally, you can use the FireWall-1 XMotif graphical user interface. For instructions on how to install and start the XMotif GUI, see your Check Point documentation.

To transfer files between machines running UNIX, follow these steps:

1. Enter fwfilex -i <…>.tar to compress the files before you transfer them. This command produces a file called <…>.tar.
2. Copy <…>.tar to the FireWall-1 bin directory on the destination machine.
3. On the destination machine, uncompress the files by entering fwfilex -o <…>.
Chapter 3
Configuring a Firewall on a Router

To configure a firewall on the router, see the following topics:
Topic  Page
Creating a Firewall on the Router  3-1
Disabling or Reenabling the Firewall on the Router  3-4
Setting Up Communications Between the Firewall Management Station and the Router  3-4
Enabling the Firewall on Router Interfaces  3-8
Activating the Firewall  3-12
Defining a Firewall Security Policy  3-13
Installing the Security Policy on the Router and Its Interfaces  3-14
Deleting F

You can also use the Technician Interface, which lets you modify parameters by issuing set and commit commands that specify the MIB object ID. This process is equivalent to modifying parameters using Site Manager. For more information about using the Technician Interface to access the MIB, refer to Using Technician Interface Software.

Caution: Unlike Site Manager, the Technician Interface does not verify that the value you enter for a parameter is valid.
3. Create a firewall by completing the following tasks:

Site Manager Procedure
You do this                                        System responds
1. From Configuration Manager, choose Platform.    The Platform menu opens.
2. Choose FireWall.                                The FireWall menu opens.
3. Choose Create.                                  A dialog box opens. See Figure 3-2.
4. Click on OK.                                    You return to the Configuration Manager window.

By default, the firewall is automatically enabled on the router.

Disabling or Reenabling the Firewall on the Router

By default, a firewall is enabled when you first create it on the router. To disable or reenable a firewall, complete the following tasks:

Site Manager Procedure
You do this                                        System responds
1. From Configuration Manager, choose Platform.    The Platform menu opens.
2. Choose FireWall.                                The FireWall menu opens.
3. Choose Global.                                  The FireWall Enable window opens.
4. Set the Enable parameter.
Establishing the Firewall Management Station

The firewall management station is the PC or UNIX workstation where you installed the FireWall-1 software. You use the firewall management station to enforce the firewall security policy that you created for the router. The management station also logs all attempted violations of the security policy. (To define a security policy, see “Defining a Firewall Security Policy” on page 3-13.

Identify the First Backup Firewall Management Station

If your router loses communication with its firewall management station, the first backup firewall management station automatically establishes communication with the router so that the firewall security remains intact. To identify the first backup firewall management station, complete the following tasks:

Site Manager Procedure
You do this                                        System responds
1. From Configuration Manager, choose Platform.

Identify the Second Backup Firewall Management Station

If your router loses communication with its firewall management station and the first backup firewall management station, the second backup firewall management station automatically establishes communication with the router so that the firewall security remains intact. To identify the tertiary firewall management station, complete the following tasks:

Site Manager Procedure
You do this                                        System responds
1.

Identifying the Router

To identify the router protected by the firewall, complete the following tasks:

Site Manager Procedure
You do this                                        System responds
1. From Configuration Manager, choose Platform.    The Platform menu opens.
2. Choose FireWall.                                The FireWall menu opens.
3. Choose FireWall Parameters.                     The FireWall Parameters window opens.
4. Set the Local Interface IP Address parameter.   Click on Help or see the parameter description on page A-3.
5. Click on OK.

Site Manager Procedure (continued)
You do this                                        System responds
5. Click on All to display all router interfaces or choose a connection button to display router interfaces by connection type.    Site Manager lists the interfaces at the top of the screen.
6. Click on Check All to highlight all listed interfaces, or highlight individual interfaces.
7. Click on OK.                                    Site Manager returns you to the List FireWall Interfaces window. See Figure 3-3.
8.
Figure 3-3. List Firewall Interfaces Window

Note: Once the firewall is protecting your router, if you put firewall protection on a new interface, the new interface will use the default security policy supplied by Check Point, which prevents the new interface from communicating with the router. You can download your customized security policy to the new interface using the Check Point FireWall-1 command line interface.

Figure 3-4. Values Window

Once you enable the firewall on an interface and reboot the router, you will not be able to communicate with the router through Site Manager until you change the FireWall-1 default security policy. For more information, see “Defining a Firewall Security Policy” on page 3-13.

Activating the Firewall

Before the FireWall-1 security policy can take effect on the router, you must first activate the firewall by booting the router using Site Manager on the management station. Booting a router warm-starts every processor module in the router. Pressing the Reset button on the front panel of the router performs the same procedure.

4. Click on OK in the confirmation window and wait a few minutes to give the router time to reboot.

5. Choose View > Refresh Display from the main Site Manager window to verify that the router booted correctly. If the router booted correctly, system information appears in the main Site Manager window. If the router did not boot correctly, system information does not appear. In this case, make sure that you followed the procedures described in this section.

Installing the Security Policy on the Router and Its Interfaces

Once you have defined a security policy, you must install it on the router. Installing a security policy means downloading it to the firewalled objects that will enforce it.

Deleting Firewall from the Router

You can use either Site Manager or the Technician Interface to delete a firewall from the router. Deleting a firewall using Site Manager does not affect internal resources that were originally allocated for the FireWall-1 application. To dynamically delete a firewall from the router and free up internal resources allocated for the FireWall-1 application, you must use the Technician Interface.
Deleting Firewall Dynamically Using the Technician Interface

To delete a firewall dynamically, you must use the Technician Interface. The Technician Interface allows you to delete a firewall on a slot/port basis, or from all ports on the router.

firewall delete [<slot> <port> | _all]

slot port  Identifies the location of the firewall to be deleted.
_all       Specifies to delete all instances of the firewall from the router.

Troubleshooting Checklist

If you experience problems with FireWall-1, verify that you have performed these steps:
• Enabled IP on the router
• Enabled TCP on all slots on the router
• Created a firewall using Site Manager
• Created a static route if the router and firewall management stations are on different subnets
• Synchronized the router and management station passwords by executing the fwputkey command on both the router and the firewall management station
Appendix A
Parameter Descriptions

This appendix contains parameter descriptions for BaySecure FireWall-1 parameters.

FireWall Enable Parameter

Parameter:     Enable
Path:          Platform > FireWall > Global
Default:       Enable
Options:       Enable | Disable
Function:      Enables or disables the firewall on the entire router.
Instructions:  Choose Enable to allow the firewall to be active on the router. Choose Disable to disable the firewall on the router.

FireWall Parameters

Parameter:     Log Host Address
Path:          Platform > FireWall > FireWall Parameters
Default:       0.0.0.0
Options:       Any valid IP address.
Function:      Identifies the IP address of the primary firewall management station.
Instructions:  Enter the IP address of the PC or UNIX workstation where you installed the Check Point FireWall-1 management software.

Parameter:     Log Host Backup 2
Path:          Platform > FireWall > FireWall Parameters
Default:       0.0.0.0
Options:       Any valid IP address.
Function:      Identifies the IP address of the second backup management station.
Instructions:  Enter the IP address of the PC or UNIX workstation where you installed the Check Point FireWall-1 management software.

List FireWall Interfaces Parameters

Parameter:     Name
Path:          Protocols > IP > FIREWALL
Default:       None
Options:       Any string of alphanumeric characters.
Function:      Identifies an interface by name.
Instructions:  Enter a meaningful name in alphanumeric characters.

Parameter:     Disable
Path:          Protocols > IP > FIREWALL
Default:       Disable
Options:       Enable | Disable
Function:      Enables or disables the firewall on one or more interfaces.
Instructions:
Index

A
acronyms, xi
activating FireWall-1, 3-12
adding
  administrators, 2-18
  groups, 2-18
  GUI clients, 2-12, 2-18
  license, 2-12, 2-18
  remote modules, 2-12, 2-18

B
backup management station, 3-6, 3-7
booting the router, 3-12

C
Check Point, contacting, 2-2, 2-4

E
educational services, xii
enabling the firewall on an interface, 3-8
extracting tar files, 2-13

F
file transfer, 2-20
FireWall-1 License
  for the Management station, obtaining, 2-1
  for the router, obtaining, 2-1
fw putlic command, 2-19

L
license
  adding, 2-12, 2-18
  installing on management station, 2-19

M
management station, 3-4
  primary, 3-5
  secondary, 3-6
  tertiary, 3-7
modules
  firewall stateful inspection, 1-2
mounting a CD drive, 2-13

P
product support, xii
publications, Bay Networks, xi

R
refreshing the display, 3-13
remote modules, adding, 2-12, 2-18
Reset button, 3-12
rule base, verifying, 3-14

S

T
tar files, extracting, 2-13
Technician Interface, 3-2
technical publications, xi
technical support, xii
transferring files, 2-20