									FIREWALLING SOLUTION IN OMNIPCX OFFICE

NICOLAS PFLEGER



   Introduction

This white paper details the security mechanisms employed by Alcatel OmniPCX Office to
protect its trusted network (the LAN) from the untrusted Internet.
Readers of this white paper should be familiar with IP networking and the Linux 2.2 operating
system.


   Alcatel OmniPCX Office



Alcatel OmniPCX Office is an e-communication appliance that covers the needs of companies
from 6 to 200 employees and provides the core of today's and tomorrow's communication
solutions. OmniPCX Office is an All-In-One server that offers access to the Internet world and
delivers state-of-the-art voice features. It is designed to provide a turnkey solution that
allows high-grade services without requiring an IT or telephony expert in house.

Alcatel OmniPCX Office runs the Linux operating system (2.2 release). It offers the following
services:
- Internet Access through ISDN trunks shared with the telephony application (max 128 kbps) or
  through an external DSL modem or router.
- E-mail server.
- Proxy / Cache.
- Firewall.
- VPN Server (IPSEC / PPTP).
- Voice server (legacy and VoIP telephony, Voicemail, Wireless mobility).

Internet Access services come in 2 packages: the Basic and the Complete.

Basic package includes:
- Access to the Internet (demand-dial, callback, permanent)
- Bandwidth management
- NAT / PAT (Port Address Translation)
- Firewall
- DHCP and DNS Server
- VPN Client-to-LAN and LAN-to-LAN

Complete package includes:
- All of the Basic package
- Email Server or Email caching
- Web caching
- Web access control

OmniPCX Office also comes in 2 different hardware flavors: MonoCPU and MultiCPU.

MonoCPU is used to handle small configurations under 28 ports.

MultiCPU is used to handle higher configurations up to 200 ports.




FIREWALLING SOLUTION IN OMNIPCX OFFICE                                               Page 1 of 14
   About Firewall solutions

Firewalls consist of hardware and software used to protect a computer network from
unauthorized access. A firewall must provide the following:
- IP flow filtering.
  It must forbid IP data from entering the private network or going out to the Internet if not
  explicitly authorized by the firewall policy settings.
- Hiding of the internal topology.
  Not disclosing the internal IP topology makes attacks more complex to perform.
- Logging of pertinent activities.
  These logs are useful for 2 reasons:
  - They record operational events that help in preventing and recovering from failures.
  - They help detect attempted, failed and eventually successful attacks. Their analysis helps
    in reinforcing the firewall security policy.


Methods to filter IP flows:

Packet filtering:
IP packets are analyzed individually. The decision to let a packet through or to discard it is
based on information contained in its header, such as the source and destination addresses, the
port numbers, some flags… For accepted IP flows, the connection between the outside host and
the internal PC is direct.

Packet filtering does not help a private network running private IP addresses (see RFC 1918).
This kind of solution provides a high level of security but is hard to configure because of the
low level at which it works. It requires a very good understanding of the protocols and
applications hosted behind the firewall.

Packet filtering does not require a lot of CPU and does not introduce long latencies.

Application proxies:
An application proxy is a program that runs on the firewall system. Its purpose is to handle
connections to the Internet on behalf of the internal hosts. With application proxies, when a
client program requests a connection to the Internet, the client program instead establishes a
connection to the application proxy. The proxy may then check user or global policies to
accept or reject the request. If accepted, the application proxy establishes, on its own and in
its own name, a connection to the requested service on the Internet. There are then 2
connections: one between the client and the application proxy and another between the
application proxy and the Internet.

Thanks to policy rules it is possible to control access to the Internet on a per-user basis,
which is not straightforward with packet filtering. The application proxy also hides the private
addresses from the Internet, because the only connections to the Internet are made by the
proxy itself, which uses the public IP address assigned to its Internet WAN interface.

The application proxy is also able to perform more complex filtering and can also transform the
data transmitted. This type of operation is currently performed by web proxies to present FTP
flows as HTTP, allowing any web browser to consult FTP servers without the need for an FTP
client on the client PC.

Application proxies require a lot of CPU and can introduce long latencies.

Stateful inspection or dynamic packet filtering:
Stateful inspection or dynamic packet filtering refers to a more capable set of filtering
functions. Packet filtering is restricted to making its decisions on information contained in
individual packets, without considering any prior packet. Stateful inspection allows complex
combinations of both payload (message content) and context established by prior packets.

Stateful inspection is aware of protocols above IP and is thus able to detect non-conforming or
abnormal packet sequences. An IP packet could be accepted by packet filtering because it
respects the rules set on IP headers, but rejected by a stateful inspection system because it
does not match the normal flow of packets.

Thanks to that ability, much more complex access control criteria can be specified on stateful
inspection systems.

Stateful inspection is much closer to packet filtering than to application proxies in terms of
CPU and induced latencies.

No stateful inspection functionality is available in Linux 2.2.

Methods to hide internal network topology:

Network Address Translation (NAT):
To send packets to the Internet, a PC must own a public IP address. However, most private
networks use private IP addresses (see RFC 1918). For these networks, special processing must
be set up to transform the header of every IP packet that will end up on the Internet. The
header is transformed so that its IP source address contains a valid public address. This
address is generally the IP address assigned to the Internet gateway. This translation between
private and public addresses is the job of NAT systems.

With a NAT system, a client PC that sends a packet to the Internet is unaware that its packets
will be intercepted by the NAT system. The client packet contains the client's private address
as source address and a public address on the Internet as destination. Once the NAT has
performed its translation, the packet is sent out to the Internet with the gateway's public
address as source and still the public IP address on the Internet as destination. The host on
the Internet that processes this packet thinks it comes from the gateway. It has no means of
knowing which private host originally sent it.

The answer packets are sent back by the Internet host to the gateway. The gateway replaces the
destination IP address (which contained its own public address) with the private address of the
host that initiated the flow.

The association between a private host and an IP flow coming back is achieved through the
local port number the NAT system selects when forwarding the packet to the Internet. As answers
come back to that local port, the NAT is able to retrieve the original private host.

A NAT system does not require a lot of CPU and does not introduce much latency.

Application proxies:
Application proxies, as described before, are also used to allow a local network running
private IP addresses to access the Internet.


   THE SECURITY ENABLERS

This section only deals with the solutions implemented in OmniPCX Office R1.0 and therefore
based on Linux 2.2.

IP Firewalling and IPChains

IP firewalling is a facility implemented in the Linux 2.2 kernel. It consists of checking IP
packets against rules to allow or forbid them. These rules are set with the IPChains tool.

INPUT, FORWARD and OUTPUT chains
Depending on the source and destination of a packet, different rules can be applied to check it.

The INPUT chain contains a set of rules applied to each packet entering the system, whatever
the input interface. The packet may even come from the loopback interface (lo).

The FORWARD chain contains a set of rules applied to packets attempting to pass through this
system. This chain is not applied to packets destined to this system or sent by this system.

The OUTPUT chain contains a set of rules applied to any packet sent out. This also applies to
packets sent out on the loopback interface (lo).

DENY, REJECT and ACCEPT targets
Each rule can lead to one of:

ACCEPT the packet and let it continue its processing.

DENY the packet and simply drop it. No packet is sent back to the sender.

REJECT the packet by dropping it and sending an appropriate reject message back to the source
IP address.

A TARGET (the chain's default policy) is also associated with each of the INPUT, FORWARD and
OUTPUT chains. It is applied when no matching rule is found in the chain.

CRITERIA of a rule
The following items can be specified to define a rule's criteria:
- Source address and port range
- Protocol above the IP layer
- Interface name

Other criteria also exist for ICMP, TCP and UDP that are not mentioned here.

When an IP packet matches a rule's criteria, the TARGET of that rule is applied to the packet
and no further rule (in that chain) is processed. If the packet fails to match any rule of a
chain, the TARGET defined for that chain is applied.

Flow of an IP packet through the Chains
The following figure shows the flow of an IP packet through the kernel.

[Figure: a packet arriving on any interface (including the loopback interface lo) first passes
the sanity checks and the checksum verification (failure: DENY), then the INPUT chain (DENY /
REJECT), then masquerading and the routing decision. Packets addressed to local processes are
delivered locally; the others go through the FORWARD chain (DENY / REJECT) and then the OUTPUT
chain (DENY / REJECT) before leaving on any interface. Packets generated by local processes
enter at the OUTPUT chain.]
For instance, an IP packet entering this system and destined to a local process will only go
through the INPUT chain.

An IP packet generated by a local process, whatever its destination, will only go through the
OUTPUT chain.

How to configure these rules:
The IPChains tool is used to set the rules in the kernel. It has a command line interface.

How to configure rules when running a dynamic IP address on the Internet gateway?
The Linux 2.2 firewall is based on rules checking IP addresses (among other things). However,
when connecting to the Internet, the IP address provided by the ISP may be different at each
connection. To cope with such a configuration, scripts must be executed when the dial-up
interface goes up and down. The script that runs when the connection goes up must read back the
IP address allocated by the ISP and configure all the rules the firewall needs. The script
executed when the connection goes down must forbid any further access (in or out) by setting
drastic rules in the firewall. This second script is necessary to forbid any unauthorized IP
flow right after the dial-up connection gets established and before the "up" firewall script is
executed.

What rules shall be implemented to build a STRONG firewall?
Create a default settings script to forbid all connections to/from the Internet. This script
must be executed during kernel initialization, before the network interfaces are set up. Not
doing this may leave the firewall open for the few seconds until the real configuration is
restored (an action performed from USER level, only after full kernel initialization).

Reject packets not explicitly accepted. This means setting a DENY or REJECT target on at least
the INPUT and OUTPUT chains.

Always defragment IP packets before processing rules. This is a kernel option. It is not
possible with packet filtering to detect malicious IP fragments such as overlapping fragments.
Although they are not harmful on a Linux 2.2 system, some clients behind the firewall may be
less robust to this kind of attack and may crash. By defragmenting in the firewall, this kind of
attack fails.

IP Masquerading

IP masquerading is a facility implemented in the kernel to perform a simple NAT (Network
Address Translation). It is called 1:MANY because it can hide many private addresses behind
only one public address.

Masquerading is activated in the kernel by setting rules in the FORWARD chain with a target set
to MASQ. Configuration is achieved with the IPChains tool.

Masquerading must typically be configured to allow private clients to surf the WEB or run FTP
connections when there is no WEB proxy. When WEB proxy software is used, HTTP masquerading is
no longer necessary.

Masquerading in Linux 2.2 supports the following client software:
- Archie
- FTP
- Gopher client
- HTTP
- IRC
- NNTP (USENET)
- PING
- POP3
- SSH
- SMTP
- TELNET
- TRACEROUTE
- VRML
- WAIS client
- All H.323 programs
- Alpha Worlds
- CU-SeeMe
- ICQ
- Internet Phone 3.2
- Internet Wave Player
- Powwow
- Real Audio Player
- True Speech Player 1.1b
- VDOLive
- Worlds Chat 0.9a
- Linux net-acct package
- NCSA Telnet 2.3.08
- PC-anywhere for Windows
- Socket Watch


Clients that do not have full support in IP MASQ:
- Intel Streaming Media Viewer Beta 1
- Netscape CoolTalk
- WebPhone

IP Port Forwarding and ipmasqadm

Port forwarding is a way to allow connections established from the Internet to reach a host
that does not have a public IP address. This makes it possible to host a WEB or email server on
private hosts and still make them reachable from the Internet. Port forwarding can only deal
with TCP connections.

The connection from the Internet is made toward the system's public IP address (the Internet
gateway). The system then replaces the destination address with the private host's address and
forwards the packet on the LAN. Answers from the private host undergo the reverse mechanism to
replace the host's private source address with the system's public address.

IP port forwarding cannot be configured with IPChains. It needs ipmasqadm.

IP port forwarding is realized thanks to the IP masquerading feature of the Linux kernel. When
configuring the forwarding of a specific port, a fake entry is created in the masquerading
table to create an association between this port and a host's private address. Then, when an
incoming packet is received from the Internet on that port, the masquerading feature looks into
its association table and finds out that this packet must be rewritten to reach the private
host. Masquerading behaves as if it were an answer to a packet sent by the private host to that
Internet address.

ipfwd and Protocol Forwarding

Protocol forwarding is application-level software that forwards all packets of a specific
protocol from one network to another. It is used for protocols other than TCP (for which port
forwarding can be used) and offers the same service.

rp_filter and Anti Spoofing

rp_filter performs anti-spoofing by validating source IP addresses. It rejects packets with a
source address incompatible with the network they come from; for instance, packets coming from
the Internet with a source address in the private range. This operation can also be achieved by
the IP routing function, avoiding the need to add complicated rules to the firewall.

rp_filter works by running packets through the Linux routing function to see whether a reply
would leave the system on the same interface the packet entered. If not, the packet is dropped.

tcp_syncookies and TCP SYN Cookie Protection

A SYN attack is a denial of service (DoS) attack that consumes all the resources on your
machine, forcing you to reboot. Denial of service attacks (attacks which incapacitate a server
due to high traffic volume, or ones that tie up system resources enough that the server cannot
respond to a legitimate connection request from a remote system) are easily achievable from
internal resources or from external connections via extranets and the Internet.

When attacked, the recipient is left with multiple half-open connections that occupy limited
resources. Usually, these connection requests have forged source addresses that specify
nonexistent or unreachable hosts that cannot be contacted. Thus, there is also no way to trace
the connections back. ...

This kind of attack can be avoided by activating tcp_syncookies in the Linux kernel.

Consult http://cr.yp.to/syncookies.html for further information about how the attack proceeds
and how it is solved.




Squid

Squid is an application proxy that serves as a WEB proxy and cache. It is the subject of another
Alcatel OmniPCX Office R1.0 White Paper and will not be discussed here.

Whether or not Squid is used on the firewall system affects the firewall configuration, because
application proxies partly bypass the firewall settings.


[Figure: NO SQUID. A host at 192.168.0.123 on the LAN (private IP addresses) sends a packet
S=192.168.0.123 D=222.3.4.5 to a host at 222.3.4.5 on the Internet, through the firewall (LAN
address 192.168.0.1, Internet address 111.222.123.12). The packet is DENIED by the firewall.]

If the INPUT chain's rules forbid any private host to go to the Internet, this packet is
rejected and the connection refused.

[Figure: WITH SQUID. The same host sends S=192.168.0.123 D=192.168.0.1 to Squid on the
firewall; Squid in turn opens S=111.222.123.12 D=222.3.4.5 to the host on the Internet.]

If the INPUT chain's rules forbid any private host to go to the Internet, this connection can
nevertheless be established. This is because the private host does not go directly to the
Internet but to the proxy, which is also a local host.



   A TURNKEY SOLUTION

This section deals with the security policy implemented on the OmniPCX Office firewall system.
It mainly lists authorized or restricted protocols and ports. However, this list is not
exhaustive, as it only shows ports and protocols related to commercial (sold) services. The
protocols and ports used by services serving internal and proprietary tasks do not appear in
this list.

Design considerations

Alcatel OmniPCX Office is designed to offer high-level services in a ready-to-use product.
Although it makes use of powerful security software to build STRONG security policies, the
Alcatel OmniPCX Office does not require any expertise in this software. A set of predefined
policies is available to reach the needed level of security. Each policy has been thoroughly
tested against attacks to validate its efficiency. The selection between the different policies
is made by answering a set of comprehensible questions. These questions only require knowing
what services to run and how; they do not require an understanding of the underlying protocols.

The STRONG firewalling settings mean:
- Drastic firewalling rules are set up during kernel initialization to avoid leaving the
  firewall open until application scripts (at USER level, not kernel) can run to set the
  definitive firewall configuration.
- Any packet not explicitly ACCEPTED is rejected.
- IP packets are always defragmented before entering the firewall rules.

Supported Software

OmniPCX Office R1.0 makes use of the following software services:
- Linux kernel 2.2 for packet filtering.
- Linux kernel 2.2 for ip_masquerading (NAT functionality).
- Linux kernel 2.2 for IP port forwarding to make a private Email or VPN server visible from
  the Internet.
- Linux kernel 2.2 for rp_filter, which is in charge of anti-spoofing by validating source IP
  addresses in IP packets.
- Linux kernel 2.2 for tcp_syncookies to perform SYN cookie protection.
- ipchains 1.3.9 to set packet filtering rules and configure NAT.
- ipmasqadm 0.4.2.2 to administer IP port forwarding.
- ipfwd 1.0.0 for protocol forwarding such as GRE (for PPTP).
- squid as WEB proxy and cache.




A Pre-configured Product

Alcatel OmniPCX Office comes out of the box with a predefined configuration. This initial
setting already takes into account the hardware configuration and the Internet Access package
(Basic or Complete) that was ordered. The default configuration is:



Services Activated by Default          BASIC package   COMPLETE package
Web Proxy and Caching                  NO              YES
Built-in Mail server                   NO              NO
DHCP Server                            YES             YES
DNS Server                             YES             YES
VPN Server                             NO              NO


Protocols Allowed by the Firewall                      BASIC package   COMPLETE package
From the Private LAN to the Internet
HTTP                                                   MASQ            DENY
HTTPS                                                  MASQ            DENY
GOPHER                                                 MASQ            DENY
WAIS                                                   MASQ            DENY
FTP (passive mode, no cnx established from the srv)    MASQ            DENY
Anything else…                                         DENY            DENY



Protocols Allowed by the Firewall                      BASIC package   COMPLETE package
From the Internet to the Private LAN
Everything                                             DENY            DENY
The only IP flows allowed are to the Firewall system itself.



Protocols Allowed by the Firewall                      BASIC package   COMPLETE package
From the Firewall to the Internet
Everything                                             ACCEPT          ACCEPT



Protocols Allowed by the Firewall                      BASIC package   COMPLETE package
From the Firewall to the Private LAN
Everything                                             ACCEPT          ACCEPT
Any IP flow can be sent from the Firewall system to the Internet or to the LAN. The Firewall
system is considered SECURE. The set of applications running on top of it has been validated by
Alcatel and is also considered secure. They are therefore allowed to establish the IP flows they
want.




Protocols Allowed by the Firewall                      BASIC package   COMPLETE package
From the Internet to the Firewall
Answers to SQUID                                       DENY            ACCEPT
ICMP for pong, destination-unreachable, source-quench,
  time-exceeded, parameter-problem                     ACCEPT          ACCEPT
ICMP for ping                                          DENY            DENY
HTTP (answers to Masquerading)                         ACCEPT          DENY
HTTPS (answers to Masquerading)                        ACCEPT          DENY
GOPHER (answers to Masquerading)                       ACCEPT          DENY
WAIS (answers to Masquerading)                         ACCEPT          DENY
FTP (answers to Masquerading)                          ACCEPT          DENY
Anything else…                                         DENY            DENY



Protocols Allowed by the Firewall                      BASIC package   COMPLETE package
From the Private LAN to the Firewall
Browser-based configuration (port 80)                  ACCEPT          ACCEPT
Proxy server (port 8000)                               DENY            ACCEPT
DNS                                                    ACCEPT          ACCEPT
DHCP                                                   ACCEPT          ACCEPT
Everything else…                                       DENY            DENY
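As an added example (not code from the white paper or from Alcatel), the following script turns the dynamic-IP up/down scripts, the masquerading and port-forwarding sections and the default policy tables above into ipchains/ipmasqadm rule sets, one variant per package. It assumes a LAN interface eth0, a LAN 192.168.0.0/24 and a firewall LAN address 192.168.0.1 (the paper's figures use 192.168.0.x); the functions print the commands rather than executing them, so the set can be reviewed and then piped to sh on a Linux 2.2 box.

```shell
#!/bin/sh
# Added example, not the white paper's or Alcatel's code. Generates the ipchains
# rule sets for the two hook scripts the paper describes (dial-up link up / down)
# and the ipmasqadm entries for port forwarding. Assumed names: LAN interface
# eth0, LAN 192.168.0.0/24, firewall LAN address 192.168.0.1. Output is text:
# review it, then pipe it to sh on a Linux 2.2 system with ipchains/ipmasqadm.

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
FW_LAN_IP=${FW_LAN_IP:-192.168.0.1}

# Kernel knobs the paper lists: defragment before filtering (a /proc option from
# 2.2.12 on), rp_filter anti-spoofing, SYN cookies, and routing itself.
fw_kernel_settings() {
    echo 'echo 1 > /proc/sys/net/ipv4/ip_always_defrag'
    echo 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter'
    echo 'echo 1 > /proc/sys/net/ipv4/tcp_syncookies'
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# "Drastic" state: used at kernel init and by the link-down script. Nothing is
# forwarded and nothing crosses the WAN side. The LAN keeps management (port 80),
# DNS and DHCP towards the firewall, which the paper allows in every package.
fw_down_rules() {
    echo 'ipchains -F'
    echo 'ipchains -P input DENY'
    echo 'ipchains -P forward DENY'
    echo 'ipchains -P output DENY'
    echo 'ipchains -A input -i lo -j ACCEPT'
    echo 'ipchains -A output -i lo -j ACCEPT'
    echo "ipchains -A output -i $LAN_IF -d $LAN_NET -j ACCEPT"   # FW to LAN: everything
    echo "ipchains -A input -i $LAN_IF -p tcp -s $LAN_NET -d $FW_LAN_IP 80 -j ACCEPT"
    echo "ipchains -A input -i $LAN_IF -p udp -s $LAN_NET -d $FW_LAN_IP 53 -j ACCEPT"
    echo "ipchains -A input -i $LAN_IF -p tcp -s $LAN_NET -d $FW_LAN_IP 53 -j ACCEPT"
    # DHCP discovers come from 0.0.0.0 to the broadcast address, so no -s match.
    echo "ipchains -A input -i $LAN_IF -p udp -d 0/0 67 -j ACCEPT"
}

# Link-up rules. $1 = WAN interface, $2 = address the ISP allocated (the real
# hook reads it back from the interface), $3 = basic | complete.
fw_up_rules() {
    case "$3" in basic|complete) ;; *) echo "unknown package: $3" >&2; return 1 ;; esac
    fw_down_rules                                   # start from the closed state
    # Packets from the Internet must not claim a LAN or loopback source; log them.
    echo "ipchains -A input -i $1 -s $LAN_NET -j DENY -l"
    echo "ipchains -A input -i $1 -s 127.0.0.0/8 -j DENY -l"
    # FW to Internet: everything. Internet to FW: only replies (TCP without the
    # SYN-only flag), which covers answers to masquerading and answers to Squid.
    echo "ipchains -A output -i $1 -s $2 -j ACCEPT"
    echo "ipchains -A input -i $1 -p tcp ! -y -d $2 -j ACCEPT"
    # ICMP the paper accepts from the Internet; echo-request (ping) stays denied.
    for t in echo-reply destination-unreachable source-quench time-exceeded parameter-problem; do
        echo "ipchains -A input -i $1 -p icmp -s 0/0 $t -d $2 -j ACCEPT"
    done
    if [ "$3" = basic ]; then
        # No proxy: LAN reaches http, https, gopher, wais and ftp through MASQ.
        # The high-port rule for passive-mode ftp data is this example's assumption.
        for p in 80 443 70 210 21 '1024:'; do
            echo "ipchains -A forward -i $1 -p tcp -s $LAN_NET -d 0/0 $p -j MASQ"
        done
    else
        # Squid is the only way out: log and deny direct web flows, open port 8000.
        for p in 80 443 70 210 21; do
            echo "ipchains -A forward -i $1 -p tcp -s $LAN_NET -d 0/0 $p -j DENY -l"
        done
        echo "ipchains -A input -i $LAN_IF -p tcp -s $LAN_NET -d $FW_LAN_IP 8000 -j ACCEPT"
    fi
}

# Port forwarding for a private server. $1 WAN if, $2 WAN ip, $3 protocol,
# $4 public port, $5 private host, $6 private port. The paper notes that port
# forwarding handles TCP only; the input chain must also let the SYN in.
portfw_rules() {
    [ "$3" = tcp ] || { echo "port forwarding is tcp only (got $3)" >&2; return 1; }
    echo "ipchains -A input -i $1 -p tcp -d $2 $4 -j ACCEPT"
    echo "ipmasqadm portfw -a -P tcp -L $2 $4 -R $5 $6"
}

# Stand-alone use: sh thisfile WAN_IF WAN_IP PACKAGE [up|down]
if [ "$#" -ge 3 ]; then
    case "${4:-up}" in
        up)   fw_kernel_settings; fw_up_rules "$1" "$2" "$3" ;;
        down) fw_down_rules ;;
    esac
fi
```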



Secure All the Time

OmniPCX Office permanently maintains a secure policy setting. It adapts the policy rules to
take events into account on the fly. Changes in the dial-up connection state, modifications of
the hardware configuration or changes of the Internet Access package are automatically
followed by the necessary actions in the firewalling policy.

Easy-to-use Browser-based Management

An easy-to-use, browser-based management tool allows adapting the firewall rules to the
customer's configuration. As mentioned earlier, no dedicated knowledge is necessary to
configure Alcatel OmniPCX Office security. All the complexity of dealing with each security
software and protocol is left to the OmniPCX Office internals. Only a pragmatic view is
presented through the management screens. Not giving direct access to the configuration of
Linux's firewalling rules also makes it impossible to unintentionally open a breach in the
OmniPCX Office security settings. Using the built-in management tool is a guarantee of
security.

Configuration can be made by setting individual options or by running Wizards.

The purpose of the Wizards is to perform the first configuration of specific services. This is
normally done right after installation of OmniPCX Office. They are built to display pages with
just the questions needed to run the service, allowing a rapid and simple setup phase. Wizards
exist for setting up the Internet access, the Email server, the users and the VPN
functionality.

The option settings are used to make small modifications to an existing configuration. They
also go deeper into configuration details.

Option settings concerning security are accessible from the "Security" screen:




Details about "Security" screen options (Option / State / Effect):

Firewall
  Enabled (default): Firewalling rules are applied as described in this document.
  Disabled: Allows almost any flow, no controls. Only the Firewall system's integrity is
  maintained.
    LAN to Internet: pass everything through MASQ; ACCEPT everything (if NAT disabled)
    Internet to LAN: ACCEPT everything
    FW to Internet: ACCEPT everything
    Internet to FW: no changes to existing rules
    LAN to FW: no changes (still no telnet accepted)

NAT
  Enabled (default): LAN to Internet: use MASQ rules
  Disabled: LAN to Internet: use ACCEPT rules. Masquerading is no longer performed. If the LAN
  runs private IP addresses, these will go out. The system just acts as a router here.

Access to Configuration
  Intranet (default): Access to management is allowed even from behind a router on the private
  network side. It is also accessible from VPN remote clients.
    LAN to FW in HTTP with any source address: ACCEPT
  Subnet: Access to management is authorized only from a PC hosted on the same LAN as the
  Firewall.
    LAN to FW in HTTP with source address from the same subnet as the FW: ACCEPT

Access to Services (Email, WEB Proxy, DNS, DHCP)
  Intranet (default): Same as for the Access to Configuration option. No specific rule is set
  to filter LAN to FW packets based on their source address. The regular/existing rules on
  ports/protocols are applied.
  Subnet: Sets an entry in the LAN to FW rules to DENY any packet coming from a subnet
  different from the Firewall's subnet.

Web Access
  Checked (default): If the WEB Proxy server is running (Complete package):
    LAN to FW: ACCEPT packets to port 8000
    Internet to FW: ACCEPT answers to squid
  When there is no WEB proxy (Basic package):
    LAN to FW: MASQ http, https, gopher and wais packets
  Unchecked: If the WEB Proxy server is running (Complete package):
    LAN to FW: ACCEPT packets to port 8000
    Internet to FW: ACCEPT answers to squid
    The denial of service is done by the Proxy server itself.
  When there is no WEB proxy (Basic package):
    LAN to FW: DENY http, https, gopher and wais packets

File Transfer Protocol
  Checked (default): If the WEB Proxy server is running (Complete package):
    LAN to FW: ACCEPT packets to port 8000
                                        Internet to FW:        ACCEPT answers to squid.
                                        When       no    WEB        proxy    (Basic    Package):
                                        LAN to FW: MASQ ftp packets
                          Unchecked     If WEB Proxy server is running (Complete package):
                                        LAN to FW:     ACCEPT       packets    to   port    8000
                                        Internet to FW:        ACCEPT answers to squid.
                                        The denial of service is done by the Proxy server itself.
                                        When       no    WEB        proxy    (Basic    Package):
                                        LAN to FW: DENY ftp packets
Multimedia                 Checked      LAN to Internet: MASQ packets for the following
                                        protocols:
                                        RTSP      /    PNA      (realAudio    and    Quicktime)
                                        CuSeeMe (in UDP and TCP)
                          Unchecked     DENY these protocols in LAN to Internet.
                           (default)
News                       Checked      LAN to Internet: MASQ NNTP / SNEWS
                          Unchecked     LAN to Internet: DENY NNTP / SNEWS
                           (default)
Remote Connection          Checked      LAN to Internet: MASQ Telnet / SSH
                          Unchecked     Lan to Internet: DENY Telnet / SSH
                           (default)
Mail                       Checked      Does not change FW rules. This configuration only
                           (default)    impacts the Email server. It tells if the Email server is
                          Unchecked     allowed to send mail on the Internet.

Options related to security and found in other management screens:

PPTP for Client to LAN (VPN Settings)
  Activated:
    If the built-in VPN Server is used:
      Internet to FW: ACCEPT protocol GRE and PPTP Control.
    If the VPN server is on the LAN:
      Set port forwarding for PPTP control to the VPN server's IP address.
      Set protocol forwarding for GRE to the VPN server's IP address.
  Deactivated (default): Internet to FW: DENY both GRE and PPTP control.

IPSEC for LAN to LAN (VPN Settings)
  Activated: Internet to FW: ACCEPT ESP and ISAKMP protocols.
  Deactivated (default): Internet to FW: DENY both ESP and ISAKMP.

Email Server Location (Email Settings)
  By default, the Email server is not running, so all email flows are denied.
  Integrated: The built-in Email server is used.
    Internet to FW: ACCEPT mail protocols depending on the Email Server Mode setting.
  External: An Email server on the LAN is used.
    LAN to Internet: MASQ SMTP and POP3 coming from the email server's IP address.
    Internet to LAN: port forward SMTP.
    The host running the email server is DENIED for any other protocol (LAN to
    Internet, LAN to FW). It won't be able to surf the WEB; it won't be able to
    host a VPN server.
  No Server: No Email server at all. Clients connect directly to the ISP for email.
    LAN to Internet: MASQ SMTP, POP3, IMAP4.
    Internet to LAN: ACCEPT answers to SMTP, POP3, IMAP4.

Email Server Mode (Email Settings)
  POP3: Internet to FW or Internet to LAN (depending on server location):
    ACCEPT answers to POP3 and SMTP.
  SMTP: Internet to FW or Internet to LAN (depending on server location):
    ACCEPT answers to POP3 and SMTP.
    ACCEPT SMTP connections established from the Internet.
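As an added illustration (not code from the white paper or from Alcatel), the following Python model composes the options of the two tables above into the verdict a flow receives, so the interactions (Firewall disabled overrides the checkboxes but not the Internet-to-FW VPN rules; NAT disabled turns MASQ into ACCEPT; a running proxy takes over web/ftp enforcement) can be checked. Option and service names follow the tables; the `PROXY` verdict and the `ValueError` for services the tables do not cover are my own conventions.

```python
from dataclasses import dataclass

# Services gated by each "Security" screen checkbox (taken from the table above).
GATED = {
    "web_access": {"http", "https", "gopher", "wais"},
    "ftp": {"ftp"},
    "multimedia": {"rtsp", "pna", "cuseeme"},
    "news": {"nntp", "snews"},
    "remote_connection": {"telnet", "ssh"},
}
# Protocols opened on the firewall itself by the VPN Settings options.
VPN_GATED = {"pptp_client_to_lan": {"gre", "pptp"},
             "ipsec_lan_to_lan": {"esp", "isakmp"}}


@dataclass
class Settings:
    firewall: bool = True             # Firewall: Enabled (default)
    nat: bool = True                  # NAT: Enabled (default)
    web_proxy: bool = False           # True when the Complete package runs squid
    web_access: bool = True           # Checked (default)
    ftp: bool = True                  # Checked (default)
    multimedia: bool = False          # Unchecked (default)
    news: bool = False                # Unchecked (default)
    remote_connection: bool = False   # Unchecked (default)
    pptp_client_to_lan: bool = False  # Deactivated (default)
    ipsec_lan_to_lan: bool = False    # Deactivated (default)


def lan_to_internet(cfg: Settings, service: str) -> str:
    """Verdict for a LAN-originated flow of the named service (lower-case)."""
    pass_rule = "MASQ" if cfg.nat else "ACCEPT"  # NAT off: plain routing, no MASQ
    if not cfg.firewall:
        return pass_rule                          # Firewall disabled: no controls
    option = next((o for o, s in GATED.items() if service in s), None)
    if option is None:
        raise ValueError(f"{service!r} is not covered by the Security screen")
    if option in ("web_access", "ftp") and cfg.web_proxy:
        # Complete package: traffic goes to squid on port 8000 and the proxy,
        # not a firewall rule, enforces the checkbox (assumed "PROXY" verdict).
        return "PROXY"
    return pass_rule if getattr(cfg, option) else "DENY"


def internet_to_fw(cfg: Settings, protocol: str) -> str:
    """Verdict for a VPN protocol reaching the firewall from the Internet.
    The Firewall option leaves these rules untouched ("no changes")."""
    option = next((o for o, p in VPN_GATED.items() if protocol in p), None)
    if option is None:
        raise ValueError(f"{protocol!r} is not covered by the VPN Settings")
    return "ACCEPT" if getattr(cfg, option) else "DENY"
```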



Audit

The OmniPCX Office maintains a log file. This log file contains operational events such
as dial-up establishments or users logging in, as well as every rejected IP packet coming
from the Internet. The log file can be consulted with the management tool. The last 5
events are always displayed on the tool's home page, and the complete list of events can
be displayed in an independent window. Events are marked with a severity TAG.

The TAG is "I" for non-critical information. That is the TAG a typical operational event gets.

The TAG is "W" for warnings such as a connection from the Email server to the ISP that fails
due to a wrong login/password configuration.

The TAG "C" is given to critical events such as rejected IP packets, failed logins…

Events can be sorted by date or severity.




   CHECKMARK CERTIFIED


The Alcatel OmniPCX Office has successfully passed the Checkmark Firewall L-1 Certification.

This certificate ensures that OmniPCX Office's firewall achieves a basic level of
protection against a number of common hostile attacks, from both inside and outside
the data network it manages.

The Checkmark has been developed by West Coast Labs as an independent testing and
standards organisation, delivering a high degree of confidence that products and
services which carry the Checkmark can be relied upon to an identified standard.

The certification process consists of a range of tests that are carried out using a firewall
scanning tool configured with full knowledge of both the firewall and network configuration.
Visit the Checkmark Web site for further information at www.check-mark.com.



