beautypg.com

Pre-configuring the firewall, Steps to configure the firewall – Enterasys Networks Security Router X-PeditionTM User Manual

Page 409

background image

Pre-configuring the Firewall

XSR User’s Guide 16-23

cache will not automatically switch over. If the firewall is enabled on a slave router, then all
sessions would have to be re-established. You would have to re-authenticate users for access
to authentication-protected servers.

Load Sharing - If two or more firewall-enabled XSRs are linked, load sharing is not supported.
Each XSR would act as a discrete firewall and monitor sessions that pass through it.

Secondary IP Address/Firewall - The firewall does not interoperate with interface IP addresses,
so, a secondary interface address has no affect on firewall operations. Configure network
objects for the secondary address just as you would any primary IP address.

Firewall Authentication over VPN - Firewall authentication is not supported over VPN tunnels.

Pre-configuring the Firewall

We recommend you consider the following suggestions to set up the firewall:

Establish a security plan by:

Examining your network topology

Determining exactly what resources you want to protect

Deciding where on the network to enable the firewall and plan on writing a Telnet or SSH
policy for remote administration if you are configuring an XSR located in the field

Making a list of internal addresses

Forming an inventory of desirable applications the firewall will allow between protected
and external networks

Look up official port numbers of well-known applications at:

http://www.iana.org/

assignments/protocol-numbers

The

show ip firewall session

command also lists these numbers.

Refer to “

Firewall Limitations

” on page 16-22 before configuration

Steps to Configure the Firewall

Follow the procedure below to configure the firewall:

Specify the network objects

Specify network-group, service and service group objects

Write TCP/UDP policies. The order is important and objects and names are case-sensitive

Specify filters for other protocols (ICMP, OSPF, ESP, etc.)

Set miscellaneous parameters such as:

TCP, UDP or ICMP session timeouts

Logging event-levels 0-7

Authentication service for users

Java and ActiveX filtering

IP options filtering on the interface such as time-stamps, route recording, and loose or
strict routing through the Internet

See also other documents in the category Enterasys Networks Hardware: