BayRS Version 14.00 Part No. 308613-14.
Copyright © 1999 Nortel Networks All rights reserved. Printed in the USA. September 1999. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document.
Nortel Networks NA Inc. Software License Agreement NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH NORTEL NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE.
for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or altered files, data, or programs. 4. Limitation of liability.
Preface This guide describes BaySecure™ FireWall-1 and what you do to start and customize BaySecure FireWall-1 services on a Nortel Networks router. You can use the Bay Command Console (BCC™) to configure BaySecure FireWall-1 services on a router. Before You Begin Before using this guide, you must complete the following procedures. For a new router: • Install the router (see the installation guide that came with your router).
Configuring BaySecure FireWall-1

Text Conventions
This guide uses the following text conventions:

angle brackets (< >)  Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is: ping , you enter: ping 192.32.10.12

bold text  Indicates command names and options and text that you need to enter. Example: Enter show ip {alerts | routes}. Example: Use the dinfo command.

separator ( > )  Shows menu paths. Example: Protocols > IP identifies the IP option on the Protocols menu.

vertical line ( | )  Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is: show ip {alerts | routes}, you enter either: show ip alerts or show ip routes, but not both.
You can purchase selected documentation sets, CDs, and technical publications through the collateral catalog. The catalog is located on the World Wide Web at support.baynetworks.com/catalog.html and is divided into sections arranged alphabetically: • The “CD ROMs” section lists available CDs. • The “Guides/Books” section lists books on technical topics. • The “Technical Manuals” section lists available printed documentation sets.
Chapter 1 Overview of the BaySecure FireWall-1 Software The BaySecure FireWall-1 software builds firewall security features into Nortel Networks router software. It does this by integrating the stateful inspection module from Version 2.1 of the Check Point Software Technologies FireWall-1 software into the Nortel Networks router operating system (BayRS) of Nortel Networks BN®, ASN™, and ARN™ routers. BaySecure FireWall-1 is a firewall only, and does not include the entire suite of Check Point features.
How the Firewall Software Works
The management station downloads the policy information to the stateful inspection module in the Nortel Networks router software. The stateful inspection module inspects all data packets traveling between the data link and network layers, and communicates the results to the management station. (Note that the management station does not inspect the packets.

Selecting a Backup Management Station
A router connects to a backup firewall management station upon termination of the TCP connection (with TCP_ABORT) between the current firewall management station and the router. Note: When an event, such as a LAN failure, prevents communication between the router and the firewall management station, the firewall management station closes the TCP connection from its end when data does not flow from the idle TCP connection.
Where to Go Next
To get a firewall up and running on your Nortel Networks router, see the following table:

For information about how to                                              Go to page
Obtain licenses from Check Point                                          2-1
Install the Check Point Management software                               2-5
Create a firewall                                                         3-1
Enable the firewall on the router                                         3-7
Establish a relationship between the management station and the router    3-3
Enable the router on specific interfaces                                  3-7
Activate the firewall                                                     3-10
Configure a firewal

Chapter 2
Installing the FireWall-1 Management Software
To install the FireWall-1 software, see the following topics:

Topic                                                          Page
Obtaining Software Licenses                                    2-1
Installing and Running the FireWall-1 Management Software      2-5
Transferring Security Policy and Configuration Files           2-20

Obtaining Software Licenses
Before you can install the FireWall-1 software and create a firewall on the router, you must first obtain a permanent software license from Check Point Software Technologies for:
• The firewall
Obtaining a FireWall-1 License for the Management Station
To obtain a FireWall-1 license for the firewall management station, follow these instructions: Note: You need one license for each FireWall-1 management station. To obtain a license for each additional management station, you must repeat the steps outlined in this section.
1. Locate your certificate key.

Sample Response from Check Point
Your license request with the following details has been accepted. Below you will find the corresponding license string. We recommend printing this page and saving it in your files for future reference.

Request Details
---------------
Certificate Key: 5xxx 5xxx fxxx
Customer Name:   Nortel Networks
Product:         CPFW-ESC-U
Version:         4.0
Host ID:         123.123.123.123

License(s) Issued
-----------------
Host ID:         123.
Features:
License String:
Obtaining a FireWall-1 License for the Router
To obtain a FireWall-1 license for a router you plan to protect with a firewall, follow these instructions: Note: You need one license for each router that you plan to protect with a firewall. You need an additional license for each router if you want to use the backup management station. To obtain additional licenses, you must repeat the steps outlined in this section.
1. Locate your certificate key.

Sample Response from Check Point
The following license was generated: We recommend printing this page and saving it in your files for future reference.

Request Details
---------------
Certificate Key: 7xxx dxxx 1xxx
Customer Name:   Nortel Networks
Product:         BABN-IM-U
Version:         4.0
Host ID:         012.012.012.012

License Issued
--------------
Host ID:         012.012.012.
Features:
License String:
Sample Installation
The following sample installation takes the Check Point FireWall-1 software from a CD and installs it onto a PC running Windows NT. Use this sample installation to familiarize yourself with a basic FireWall-1 installation. Note: This sample installation shows only those screens necessary for a basic installation. Your installation may be different.

Installing the Management Software
1.

The Selecting Product Type window (Figure 2-2) opens.
Figure 2-2. Selecting Product Type Window
4. Choose FireWall-1 Enterprise Management Product as the FireWall-1 component you want to install.
5. Click on Next. The Licenses window (Figure 2-3) opens.
Figure 2-3. Licenses Window
6. Enter the license information you obtained from Check Point.
7. Click on Next. The Administrators window (Figure 2-4) opens.
Figure 2-4. Administrators Window
You must specify at least one administrator.
8. Click on Add. The Add Administrator window (Figure 2-5) opens.
Figure 2-5. Add Administrator Window
9. Enter the administrator’s user name and password (limited to eight characters), and a password confirmation, then click on OK. You return to the Administrators window.
10. Click on Next. The GUI Clients window opens. Do not enter any GUI clients at this time.
11. Click on Next. The Remote Modules window appears. Do not enter any remote modules at this time.
12. Click on Next. The Key Hit Session window (Figure 2-6) opens.
Figure 2-6.

14. Click on Next. The CA Key window opens.
15. Click on Generate to generate a new key. The host uses the RSA key to generate a digital signature for authenticating its communications in its capacity as a Certificate Authority. Generating the key may take several minutes.
16. Click on Finish.

Installing the GUI Client
1. Insert the CD into the CD-ROM drive and run the setup.exe file.

3. Click on Next. The Select Components window (Figure 2-8) opens.
Figure 2-8. Select Components Window
4. Install the Security Policy, System Status, and Log Viewer components by clicking on each item.

Customizing the FireWall-1 Installation
You can customize your FireWall-1 installation by running the FireWall-1 Configuration file.
Installing on a UNIX Platform
Use the following sections as a guide to installing the FireWall-1 software on a computer running UNIX. For more details, refer to your Check Point FireWall-1 documentation.

Before You Install
Before you attempt to install the Check Point FireWall-1 software, be sure that you have completed these tasks:
• Obtain a FireWall-1 license for each firewall management station and router that you plan to protect with a firewall.

For HP-UX
lab# mount -r /dev/dsk/c1t2d0 /cdrom      (or your specific CD-ROM address)
lab# cd /tmp
lab# tar xvf "/cdrom/HPUX/FW1/FW.HPUX.TAR;1"

Installing the Check Point FireWall-1 Software
Once you have extracted the Check Point FireWall-1 files, you can install the management software. To install the software, change directories so that you’re in the directory where you put the extracted files and then issue the fwinstall command.
**************** FireWall-1 v4.0 Installation ****************
Reading fwinstall configuration. Please wait.
Configuration loaded. This might take a while.
Running FireWall-1 Setup.
Checking available options. Please wait.....................

The following evaluation License key is provided with this FireWall-1 distribution
Eval 15Mar97 3.x pfmx controlx routers connect motif
Do you want to use this evaluation FW-1 license (y/n) [y]? n
Do you wish to start FireWall-1 automatically from /etc/rc.

Configuring Groups...
=====================
FireWall-1 access and execution permissions
-------------------------------------------
Usually, FireWall-1 is given group permission for access and execution.
You may now name such a group or instruct the installation procedure to give no group permissions to FireWall-1.
In the latter case, only the Super-User will be able to access and execute FireWall-1.

**************** FireWall-1 is now installed. ****************
Do you wish to start FW-1 now (y/n) [y] ? n
******************************************************************
DO NOT FORGET TO:
1. add the line:
   setenv FWDIR /etc/fw to .cshrc
   or
   FWDIR=/etc/fw; export FWDIR to .profile
2. add /etc/fw/bin to path
3.
Installing a License on the Management Station
To install a FireWall-1 license, enter the license installation command listed in the response message that Check Point displayed when you requested the license. (See the sample Check Point responses on page 2-3 and page 2-5.

Synchronizing the Management Station and the Router Passwords
Once you have installed licenses on the firewall management station and the router, you must synchronize your password on the two systems.

Transferring Security Policy and Configuration Files
Firewall backup management stations must have the same security policies and configuration files that the primary firewall management station uses. Nortel Networks has provided script files to make it easy to synchronize firewall management stations. The script files enable you to use a single command, fwfilex, to package files associated with a management station’s security environment.
From the World Wide Web
You can also download the files from the World Wide Web. Complete the following steps:
1. Use your browser to go to the customer service Web page at this URL: http://support.baynetworks.com/software
2. Scroll down to Nortel Networks Routers.
3. Select Router_Software_v_13.x.
4. Click on Go.
5. Scroll down to the Firewall Scripts banner and click on the tar file for UNIX platforms or the zip file for Windows NT.

3. Using FTP, copy, or another transfer utility, manually transfer the file .zip to the FireWall-1 bin directory on the secondary Windows NT backup station.
4. To unpackage the firewall environment, on the destination machine, enter:
   c:\WINNT\FW\BIN> fwfilex -o .

Chapter 3
Configuring a Firewall on a Router
To configure a firewall on the router, see the following topics:

Topic                                                                              Page
Creating a Firewall on a Router                                                    3-1
Disabling and Reenabling a Firewall on a Router                                    3-3
Setting Up Communications Between the Firewall Management Station and the Router   3-3
Enabling the Firewall on Router Interfaces                                         3-7
Activating the Firewall                                                            3-10
Defining a Firewall Security Policy                                                3-10
Installing the Security Policy on the Router and Its Interfaces                    3-11
Troubleshooting
You can also use the Technician Interface, which lets you modify parameters by issuing set and commit commands that specify the MIB object ID. This process is equivalent to modifying parameters using the BCC. For more information about using the Technician Interface to access the MIB, see Using Technician Interface Software. Caution: The Technician Interface does not verify that the value you enter for a parameter is valid.

Disabling and Reenabling a Firewall on a Router
By default, a firewall is enabled when you first create it on the router.

Establishing a Static Route
You may need to establish a static route between the router and the management station before you configure the firewall parameters. By default, FireWall-1 filters in-bound routing protocol packets from RIP or OSPF.

Identifying the First Backup Firewall Management Station
If your router loses communication with its firewall management station, the router automatically establishes communication with the first backup firewall management station so that firewall security remains intact.
Use the BCC to specify the second backup firewall management station. Navigate to the firewall prompt (for example, box; ip; firewall) and enter:
backup2-log-host ip_address
ip_address is the address of the second backup firewall management station in the event that the router loses communication with its firewall management station and the first backup firewall management station.

Enabling the Firewall on Router Interfaces
After you have created a firewall on the router, use the BCC to enable it on one or more interfaces. For each interface on which you want to enable the firewall, do the following:
1. Navigate to the IP interface-specific prompt.
2. Add a firewall to the interface.
3. Optionally, specify a firewall name.
4. Optionally, set the policy index.

For example, the following command invokes the prompt for IP interface 2.2.2.2/255.0.0.0 (which has been configured on Ethernet slot 2, connector 2):
ethernet/2/2# ip address 2.2.2.2 mask 255.0.0.0
ip/2.2.2.2/255.0.0.0#

Adding a Firewall to an Interface
When you add a firewall to an IP interface, the firewall is automatically enabled on that interface. To add a firewall to an IP interface, enter:
firewall
The firewall prompt appears.

For example, the following command assigns the name “offsite” to the firewall on IP interface 2.2.2.2/255.0.0.0:
firewall/2.2.2.2# firewall-name offsite
firewall/2.2.2.2#

Setting the Policy Index
The policy index allows multiple circuits to share the same instance of FireWall-1. You can have up to 32 instances of FireWall-1, with many circuits making up each FireWall-1 instance. All circuits in a grouping must share the same security policy.
Activating the Firewall
Before the FireWall-1 security policy can take effect on the router, you must first activate the firewall by booting the router using the Technician Interface on the management station. Booting a router warm-starts every processor module in the router. Pressing the Reset button on the front panel of the router performs the same procedure. For information about using the Technician Interface boot command, see Using Technician Interface Software.

Installing the Security Policy on the Router and Its Interfaces
Once you have defined a security policy, you must install it on the router. Installing a security policy means downloading it to the firewalled objects that will enforce it.

Troubleshooting Checklist
If you experience problems with the FireWall-1 software, verify that you have performed these steps:
• Enabled IP on the router
• Enabled TCP on all slots on the router
• Created a firewall using the BCC
• Created a static route if the router and firewall management stations are on different subnets
• Synchronized the router and management station passwords by executing the fwputkey command on both the router and the firewall management st
Chapter 4
Customizing a Firewall on a Router
To customize a firewall on the router, see the following topics:

Topic                                                         Page
Specifying FireWall-1 Memory                                  4-2
Setting the Firewall Filter Timer                             4-3
Setting the Log Timer                                         4-3
Specifying a Timeout Period for an Inactive TCP Connection    4-4
Deleting a Firewall                                           4-6

Effective with the release of BayRS 13.20, the Bay Command Console (BCC) is the sole means of managing the BaySecure FireWall-1.

Specifying FireWall-1 Memory
You can specify the maximum and minimum amount of memory that FireWall-1 uses. By default, the minimum amount of memory is 50,000 bytes. The maximum amount of memory is 100,000 bytes. Caution: We recommend that you accept the default memory allocation settings. If you change them, you may see unexpected and undesired results.

Setting the Firewall Filter Timer
The firewall filter timer is the number of seconds between attempts to download the firewall security policy from the backup management station if the download is not successful from the primary firewall management station. The default interval is 40 seconds. You can use the BCC to specify a new value for the filter timer.

Specifying a Timeout Period for an Inactive TCP Connection
If a TCP connection is inactive for a certain period of time, the router sends a TCP keepalive message, and expects an acknowledgment (ACK) from the management station. If the router does not receive the ACK from the management station, it retransmits the keepalive message. If after retransmitting the keepalive message the router does not receive an ACK from the management station, the TCP connection is disabled.
For example, the following command disables the keepalive feature:
firewall# idle-time-keepalive 0
firewall#

Setting the Keepalive Retransmit Timer
The keepalive retransmit timer specifies the interval, in seconds, at which a router retransmits unacknowledged keepalive messages to the management station. The default keepalive timer value is 5 seconds. You can use the BCC to specify a new value.

For example, the following command sets the keepalive retransmit timer to 5 seconds:
firewall# retries-keepalive 5
firewall#

Deleting a Firewall
You can use the BCC to delete the global firewall (removing the firewall from all interfaces on the router) or to delete a firewall from specific interfaces. Caution: Deleting the global firewall deletes the MIB. This action disables the FireWall-1 functionality on the router.
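The keepalive timeout described under "Specifying a Timeout Period for an Inactive TCP Connection" and the backup-station selection described in Chapter 1 ("Selecting a Backup Management Station") decide how long a router runs with an unreachable management station before it aborts the connection and moves to the next backup. The following Python model is an added illustration, not Nortel or Check Point code: the parameter names idle-time-keepalive and retries-keepalive and the 5-second default come from this manual; the assumption that exactly one retransmission precedes the abort, the extra interval before the abort, the station names and the silent-station scenario are constructed here.

```python
"""Model of the keepalive timeout and management-station failover that the
manual describes. Added illustration; not Nortel or Check Point code."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class KeepaliveConfig:
    # BCC idle-time-keepalive: seconds a connection may sit idle before the
    # router sends a keepalive; 0 disables the feature (manual).
    idle_time_keepalive: int
    # BCC retries-keepalive: seconds between retransmissions of an
    # unacknowledged keepalive; the manual's default is 5.
    retries_keepalive: int = 5
    # ASSUMPTION: the manual describes a single retransmission before the
    # connection is disabled; this makes that count explicit and adjustable.
    max_retransmits: int = 1


def keepalive_events(cfg: KeepaliveConfig) -> List[Tuple[int, str]]:
    """Timeline of (seconds since last data, event) when the peer never ACKs."""
    if cfg.idle_time_keepalive == 0:
        return []  # keepalives disabled: a silent peer is never noticed
    t = cfg.idle_time_keepalive
    events = [(t, "keepalive")]
    for _ in range(cfg.max_retransmits):
        t += cfg.retries_keepalive
        events.append((t, "retransmit"))
    # ASSUMPTION: the abort happens one more retransmit interval after the
    # last retransmission goes unanswered.
    events.append((t + cfg.retries_keepalive, "tcp_abort"))
    return events


def seconds_until_abort(cfg: KeepaliveConfig) -> Optional[int]:
    """Seconds of silence before the router aborts the connection; None if never."""
    events = keepalive_events(cfg)
    return events[-1][0] if events else None


def failover(cfg: KeepaliveConfig, stations: List[str],
             reachable: Set[str]) -> Tuple[Optional[int], Optional[str], list]:
    """Walk the station list in order (primary, first backup, second backup).

    The router starts connected to stations[0], which goes silent at t=0.
    ASSUMPTION: an unreachable backup is detected by the same keepalive
    timeout as the primary. Returns (elapsed seconds, chosen station, log).
    """
    t = 0
    log = []
    for station in stations:
        if station in reachable:
            log.append((t, station, "connected"))
            return t, station, log
        abort_after = seconds_until_abort(cfg)
        if abort_after is None:
            # idle-time-keepalive 0: the dead connection is never torn down,
            # so the router never moves on to a backup station.
            log.append((t, station, "silent, keepalive disabled: never detected"))
            return None, station, log
        t += abort_after
        log.append((t, station, "tcp_abort"))
    log.append((t, None, "no management station reachable"))
    return t, None, log


if __name__ == "__main__":
    cfg = KeepaliveConfig(idle_time_keepalive=30)  # constructed value
    # Constructed scenario: primary and first backup are silent, second answers.
    elapsed, chosen, log = failover(cfg, ["primary", "backup1", "backup2"], {"backup2"})
    for entry in log:
        print(entry)
    print("failover completed after", elapsed, "s ->", chosen)
```

With the constructed values the router aborts the silent primary after 40 seconds and reaches the second backup after 80 seconds; with idle-time-keepalive set to 0 the model shows why a silent management station is never detected, which is the practical cost of disabling the feature.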
Appendix A Monitoring the Firewall Using BCC show Commands This appendix describes how to use the BCC show command to obtain BaySecure FireWall-1 statistical data from the management information base (MIB). The type and amount of data displayed depend on the specific settings you want to view.
show firewall interfaces
The show firewall interfaces command displays information about the interfaces on which a firewall is configured. The output includes the following information:
IP Address      Internet address of the interface on which a firewall is configured.
Cct Name        Name of the circuit associated with the IP interface.
Policy Index    Value that lets circuits share the same virtual machine.

show firewall summary
The show firewall summary command displays the current firewall configuration. The output includes the following information:
State                        State of the firewall on the router: enabled or disabled.
Version                      Firewall protocol version number.
Firewall Operational State   State of the interface: up, down, init (initializing), or not pres (not present).
Local Host                   IP address of the router protected by the firewall.
Appendix B Upgrading to BayRS Version 14.00 This appendix describes the procedure you must follow if you are upgrading to BayRS Version 14.00 from an earlier version of BaySecure FireWall-1. To upgrade to FireWall-1 in BayRS Version 14.00, complete the following steps: 1. Familiarize yourself with the Bay Command Console (BCC). Starting with BayRS Version 13.20, FireWall-1 no longer supports Site Manager as a configuration tool. You must use the BCC to manage and configure FireWall-1.
To reenable the firewall on each IP interface, use the BCC to navigate to the prompt for the slot/connector on which you have configured the IP interface (for example, box; eth 2/2). Then enter:
ip address ip_address mask address_mask
ip_address is the IP address you have assigned to the interface.
address_mask is the mask associated with the IP address.
The prompt for the IP interface appears. For example, the following command invokes the prompt for IP interface 2.2.2.

If you are using FireWall-1 on more than 32 circuits, you must group circuits with the same security policy and assign those circuits the same policy index number. For example, you might have a group of five IP interfaces to which you assign policy index 1. Those five IP interfaces count as one instance of firewall on the router; they all share the same security policy.

Preventing Spoofing with FireWall-1
You can configure FireWall-1 to eliminate the possibility of spoofing, that is, someone violating the firewall by sending a packet with a source address from within the network. To configure FireWall-1 to eliminate spoofing, complete the following steps:
1. Make sure that each firewalled interface has a unique policy index number. For best results, make sure that each circuit has a unique policy index number.
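The two policy-index rules above pull in opposite directions: grouping circuits under a shared index keeps a router within the 32-instance limit ("Setting the Policy Index" in Chapter 3 and the grouping note in this appendix), while the anti-spoofing procedure wants a unique index per firewalled interface. The following Python checker is an added illustration, not Nortel code; the interface addresses are constructed, the 32-instance limit and the policy-index command name come from this manual, and the rendered BCC prompts copy the form shown in Chapter 3 (ip/address/mask# and firewall/address#).

```python
"""Policy-index checks for the 32-instance limit and the anti-spoofing
uniqueness rule given in this manual. Added illustration; not Nortel code."""
from collections import defaultdict
from typing import Dict, List

MAX_FIREWALL_INSTANCES = 32  # manual: up to 32 instances of FireWall-1 per router


def group_by_policy(assignments: Dict[str, int]) -> Dict[int, List[str]]:
    """Map policy index -> sorted interfaces ("addr/mask") sharing that instance."""
    groups = defaultdict(list)
    for iface, idx in assignments.items():
        groups[idx].append(iface)
    return {idx: sorted(ifaces) for idx, ifaces in groups.items()}


def instance_count(assignments: Dict[str, int]) -> int:
    """Circuits with the same policy index count as one FireWall-1 instance."""
    return len(group_by_policy(assignments))


def validate(assignments: Dict[str, int], antispoof: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the layout is acceptable.

    antispoof=True applies the 'Preventing Spoofing' rule: every firewalled
    interface needs its own policy index.
    """
    problems = []
    n = instance_count(assignments)
    if n > MAX_FIREWALL_INSTANCES:
        problems.append(
            f"{n} policy indexes exceed the {MAX_FIREWALL_INSTANCES}-instance limit; "
            "group circuits that share a security policy under one index")
    if antispoof:
        for idx, ifaces in sorted(group_by_policy(assignments).items()):
            if len(ifaces) > 1:
                problems.append(
                    f"policy index {idx} is shared by {ifaces}; anti-spoofing "
                    "needs a unique policy index per firewalled interface")
    return problems


def render_bcc(assignments: Dict[str, int]) -> List[str]:
    """BCC lines per interface: enter the IP interface prompt, add the
    firewall, then set the index. Prompt text follows the chapter's examples."""
    lines = []
    for iface, idx in sorted(assignments.items()):
        addr, mask = iface.split("/")
        lines.append(f"ip/{addr}/{mask}# firewall")
        lines.append(f"firewall/{addr}# policy-index {idx}")
    return lines


if __name__ == "__main__":
    # Constructed layout: 40 interfaces, five per policy index -> 8 instances.
    many = {f"10.{i}.0.1/255.255.255.0": i // 5 + 1 for i in range(40)}
    print("instances:", instance_count(many), "problems:", validate(many))
    print("with anti-spoofing:", validate(many, antispoof=True)[0])
    for line in render_bcc({"2.2.2.2/255.0.0.0": 1, "3.3.3.3/255.0.0.0": 2}):
        print(line)
```

The checker makes the trade-off visible before any commands are typed: a layout that passes the instance limit can still fail the anti-spoofing check, and a layout that satisfies anti-spoofing on more than 32 interfaces cannot exist on one router.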