Configuring a Real Firewall

This chapter is a visual tour through the configuration of a SonicWALL Pro VX, a powerful firewall from SonicWALL. As such, it shows every feature that this line of firewalls supports, and this line of firewalls represents the state of the art in device-based firewalls.

This chapter is not a review—the comparative review for SonicWALL devices can be found in Chapter 19. This chapter simply describes the features and configuration of this firewall as a complete introduction in case you've never dealt with a firewall before. If you have done it before, you'll probably just want to skim through this chapter.

The SonicWALL Appliance Wizard

SonicWALL devices come from the factory with the preconfigured IP address 192.168.168.168/24. This means that in order to attach to the device, your management workstation's IP address must be within the 192.168.168 subnet. In Windows 2000, you can simply set your IP address manually and plug the SonicWALL into the same Ethernet network in order to reach it. This graphic shows a management workstation's IP address set to 192.168.168.170 in order to begin the SonicWALL configuration.

After configuring your management workstation's IP address, open a web browser (Internet Explorer or Netscape) and direct it to http://192.168.168.168. When you do, the SonicWALL Appliance Wizard screen will appear as shown here.

To avoid the common problem of shipping a device with a standard default password that might never be changed, the SonicWALL Wizard requires you to change the administrative password as the first configuration step, as shown here. Of course, you should choose the strongest possible password and you should not use the password on any other non-firewall devices to prevent its compromise. Although SonicWALL devices can only be configured from the LAN port or by administrators who have authenticated with the VPN, there are many unobvious ways to get LAN access from outside the network.
Opening port forwards for Terminal Services or VNC, connecting an improperly secured 802.11 wireless bridge, or a user accidentally downloading a Trojan horse are just a few of the ways that a hacker might be able to gain access to the web-based firewall management interface from the interior of the network. In fact, I frequently set up a temporary port forward on new SonicWALLs to facilitate the establishment of a permanent VPN connection. I do this because it allows me to work simultaneously on both devices even though no VPN exists yet. Once the VPN is established, I remove the rule that forwards the dangerous service through to the internal network. You will probably find yourself doing this as well, so be certain you remove these dangerous rules.

The next step is to set your time zone. SonicWALL devices automatically configure their internal time using the NTP (Network Time Protocol) to synchronize with the Universal Standard Time generated by the U.S. Naval Observatory. You have the option of changing the NTP time server in the administrative interface once the initial configuration is complete. It would be nice if the firewall could be configured as an NTP time server for the rest of the network, but it can't.

The next pane is simply an information pane that asks you to gather your IP circuit network information from your ISP and informs you that the WAN port has not been connected if you have not connected it. You must have this information ready in order to proceed, and you should connect the WAN port now to ensure that everything works correctly during the configuration.

The SonicWALL Configuration Wizard then asks you what type of service you have from your ISP, and makes some assumptions about how you want to configure the device based on your answer.
For example, if you respond that you've received only a single IP address or that your device receives its address from a PPPoE (Point-to-Point Protocol over Ethernet) or DHCP server, the wizard assumes that you want to enable NAT. If you indicate that you've received multiple IP addresses, the device will ask you whether you want to enable NAT. In any case, just select the answer that comes closest to your grade of service.

If you've selected the multiple IP address option, the wizard will prompt you whether or not you want Network Address Translation enabled. In the vast majority of cases, you do. Besides conserving your public IP addresses and allowing you to grow your network irrespective of the number of addresses your ISP has assigned you, Network Address Translation has built-in immunity to a number of hacking attacks. But if you are really certain that you don't want NAT, select the Don't Use NAT option, shown here.

After you've selected your service type and determined whether or not you want to use NAT, the wizard will prompt for your public IP address information provided by your ISP. This graphic shows the configuration for my company's firewall with the actual IP addresses blanked out. Normally your IP address would appear.

After configuring the public IP address information, you will enter your private IP address information. You can choose any IP range you want, but you should never vary from using a reserved IP block like the 10.0.0.0/8 range or the 192.168.0.0/16 range because if you do, you'll prevent your users from reaching any public IP services with coincidental IP addresses. You may want to avoid using the 10 range as well because it's used for internal routing by a number of second-tier ISPs and could potentially cause conflicts for you.
If you have strange routing problems using the 10 reserved block, contact your ISP to determine if they're using any portion of it. Here you can see the internal IP address configuration for a firewall configured to use NAT.

The next pane asks you whether you want the SonicWALL device to provide DHCP addresses, and if so, what range you want DHCP to assign. I generally configure DHCP to be served by a solid-state device in the networks I manage because it's somewhat more reliable than using general-purpose servers to provide DHCP. However, servers are usually a little more flexible and easier to configure if you need to use a large number of static DHCP entries. In my experience, it's easiest to permanently assign static IP addresses to every device that will provide any sort of service, and then use DHCP for clients that provide no services. In this environment, firewalls make ideal DHCP servers.

After you've configured DHCP, the firewall initialization is complete and the wizard shows a summary page that looks like this.

The final step in the configuration is to reboot the firewall. Once you do this, the firewall will come up on its new IP address, so you'll no longer be able to reach it until you reconfigure the IP address on your management workstation. Before clicking Restart, you can page back through the Wizard to check your settings and change anything that was entered incorrectly. It's crucial that you remember what the SonicWALL's NAT IP address is and that it is set correctly, because even if you flash the SonicWALL's firmware and reload its operating system from a binary image, the NAT address will not revert to 192.168.168.168. You'll have to use a sniffer and an ARP tool to determine its IP address if you've forgotten it. Here is the restart pane of the SonicWALL Configuration Wizard.

After you click Restart, the SonicWALL Wizard displays an informational pane to keep you occupied for the 30 seconds it takes the device to restart.
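As an added check to run while paging back through the wizard settings (example code written for this page, not from the book or SonicWALL), the script below validates the two choices this section warns about: a LAN range outside the reserved blocks, and a temporary Terminal Services or VNC port forward that should be removed once the VPN is up. The rule table is a constructed stand-in, not the firewall's own export format.

```python
import ipaddress

# Added example, not SonicWALL code. Checks the two wizard pitfalls the
# chapter calls out: a LAN range outside the reserved blocks, and a
# temporary WAN->LAN forward for a remote-control service left in place.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services the author names as dangerous to forward into the LAN.
RISKY_PORTS = {3389: "Terminal Services (RDP)", 5900: "VNC"}


def check_lan_range(cidr: str) -> list:
    """Return warnings for a proposed private LAN subnet; [] means fine."""
    net = ipaddress.ip_network(cidr, strict=False)
    findings = []
    if not any(net.subnet_of(b) for b in PRIVATE_BLOCKS):
        findings.append(f"{net} is public address space: LAN hosts could "
                        "never reach the real owners of these addresses")
    elif net.subnet_of(PRIVATE_BLOCKS[0]):
        findings.append(f"{net} is inside 10.0.0.0/8, which some second-tier "
                        "ISPs use for internal routing; confirm with your ISP")
    return findings


def find_risky_forwards(rules: list) -> list:
    """Flag WAN->LAN forwards of RDP/VNC: the rules to delete once the VPN is up."""
    return [r for r in rules
            if r["src"] == "WAN" and r["dst"] == "LAN"
            and r["proto"] == "tcp" and r["port"] in RISKY_PORTS]


# Constructed rule table standing in for the firewall's access rules
# (hypothetical format, not the SonicWALL export format).
SAMPLE_RULES = [
    {"src": "WAN", "dst": "LAN", "proto": "tcp", "port": 443,  "to": "192.168.1.10"},
    {"src": "WAN", "dst": "LAN", "proto": "tcp", "port": 3389, "to": "192.168.1.20"},
    {"src": "LAN", "dst": "WAN", "proto": "any", "port": 0,    "to": "*"},
]

if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "10.20.0.0/16", "11.0.0.0/8"):
        print(cidr, check_lan_range(cidr) or "ok")
    for r in find_risky_forwards(SAMPLE_RULES):
        print(f"remove before go-live: WAN:{r['port']} -> {r['to']} "
              f"({RISKY_PORTS[r['port']]})")
```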
At this point, you've completed the SonicWALL Wizard and the firewall is ready for basic operation. To continue configuring the firewall, you'll use the built-in web management interface.

SonicWALL Registration

Once you've completed the Configuration Wizard and restarted the firewall, point your web browser back to the SonicWALL's LAN IP address. This time, instead of the Configuration Wizard you'll get the SonicWALL Web Manager login prompt. If you're using Internet Explorer, the login prompt can be confusing because it won't actually work until the Java applet (the applet is that tiny grey dot on the right side of the screen) used by the device actually loads completely. This is indicated in the web browser status bar in the lower left-hand corner of the screen. Until the status bar says "Done," any attempts to log in will be responded to with a JavaScript error. Unless you know this, attempting to log in can be frustrating. Netscape does not exhibit this problem because it's a side effect of the way that Internet Explorer supports Java.

Once you've logged in, you'll see the General Status page. This page provides low-level status of the SonicWALL device, along with support information. Any internal problems the device is experiencing will show up as red text in the General Status page—for example, if the DMZ or WAN interfaces are not connected or if the SonicWALL is not registered.

[...]

[...] how the firewall can be managed. There's also a check box to indicate if you use Internet Explorer to manage the firewall, which will improve the download speed of the login Java applet.

Advanced

The Advanced topical area is used to configure the firewall beyond firewall access policy and basic network configuration. The Advanced Proxy Relay page lets you specify a proxy server through which all HTTP [...]
[...] IP addresses that must be translated to a sequential block of reserved addresses, or in the case where your organization standardized on a set of IP addresses that have been permanently assigned to another organization and it would be inordinately difficult to change them. Using 1:1 NAT, you can simply translate them at the firewall.

The Advanced Ethernet page, shown next, shows port connection status [...]

[...] to access the latest firmware upgrades for your device as well as keep track of your registration codes for value-added services that you subscribe to. You'll need to enter these codes in the device to activate various features, and they'll be needed again if you ever have to clear the firewall.

The Registration Status page shows the registration status and activation codes for a specific firewall. [...]

[...] SonicWALL's WAN IP address as the address of the RRAS server and rely upon it to forward the PPTP streams to the interior server.

The General Time page, shown next, allows you to configure your time zone, enable automatic time updates via the Network Time Protocol, and set the time manually.

The General Password page allows you to change the admin password for the firewall. The standard built-in management account is called admin and it has the password you set previously, when you configured the firewall using the Configuration Wizard.

Log

The Log section provides access to and settings for the SonicWALL firewall log. SonicWALL firewalls provide a very complete logging mechanism, including automatic interpretation of numerous types of attacks. Unfortunately, as with all automatic analysis systems, [...]
[...] the firewall. You'll need to do this after performing certain updates.

The Tools Preferences page allows you to import and export your settings for the purpose of backup. You can also clear the firewall settings (except the password and LAN IP address) and relaunch the Configuration Wizard if necessary.

The Tools Firmware page, shown next, allows you to install a downloaded firmware update. For the firewalls, SonicWALL typically releases new firmware about twice a year. Each update typically includes a few minor (and some major) functional enhancements, and some bug fixes, and otherwise incrementally improves the device. In the four years that I've used SonicWALL devices, I've seen their reliability and feature set improve noticeably due to firmware updates. To install an update, go to the SonicWALL [...]

[...] help pages are essentially the product documentation in HTML format. When you click the icon, a new browser window will appear with the specific section of the documentation for the current page showing. This layout is clear and easy to navigate, and it is a major reason why these firewalls are so popular. In the following sections, we'll discuss each of the navigation buttons, and the pages available [...]

[...] device, as shown next. You'll need to copy the registration code on this page and paste it into the firewall's General Status page in order to clear the unregistered error condition on your firewall's General Status page. You'll also visit this page whenever you need to activate a new service or reactivate a service after clearing a firewall's configuration; this is rare, but sometimes required in certain [...]
[...] broadcast name resolution, or to simply refer to extranet servers by IP address.

You can also enable Stealth Mode scanning, where the firewall simply fails to respond to ICMP requests. This keeps scanners from determining that anything exists on the IP address, and makes port and address scans take considerably longer if the hacker persists anyway. However, if you are forwarding ports to the LAN that [...]