Before You Configure Filters And Firewalls; Specific Overview - Alcatel-Lucent OmniAccess 700 Cli Configuration Manual

Release versions: 2.2, 2.2-r02, 2.3

BEFORE YOU CONFIGURE FILTERS AND FIREWALLS
1. Identify the risk level and the type of access required for each network
system. This forms the basis for setting up the firewall.
2. Create Usage Policy Statements: Create Usage Policy Statements that outline
users' roles and responsibilities with regard to security. Start with a general policy
that covers all network systems and data.
3. Before you configure the firewall, keep in mind the need to maintain a
workable balance between security and required network access.
4. You should also be sure that you have a thorough understanding of the IP
protocol, port numbers, host address mapping, and other related basic firewall
technologies.
5. Configure the common classifiers first based on the usage policy statements.
(Refer to the "Common Classifiers" chapter in this guide.)
6. Configure the firewall with necessary parameters for scheduling, policy
statements, stateful inspection, session management, etc.
OA-700 SPECIFIC OVERVIEW
For OA-700, the default action for a filter is "deny". However, you can change this
option by using the keyword "permit".
OA-700, by default, supports "stateful inspection". To convert it to a stateless
inspection firewall, use the keyword "stateless".
If no rules (match cases) are defined, the default keyword can be used to just
configure a permit or deny on all incoming and outgoing traffic.
Filtering takes place only when filters are bound to interfaces - physical and
virtual. If a virtual interface is created, the rules attached to the real interface are
copied to the ruleset for the virtual interface. This can be modified. In the packet
filter sequence, only the virtual interface ruleset will be used for the packets exiting
from a virtual interface. The physical interface rules will have no effect on these
packets.
In contrast to other products, OA-700 differentiates between the classification and
the actions. The classification on OA-700 is done by the use of match-lists and the
actions are done by the use of filters.
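
The behaviour described above, modelled as an added Python example (not OA-700 CLI syntax and not Alcatel-Lucent code): match-lists classify, filters hold actions with a default of "deny", filtering happens only on bound interfaces, and a virtual interface gets its own copy of the real interface's rules. The class names, the interface names phys0/virt0, matching on source address and destination port only, and treating the copy as a one-time copy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class MatchList:
    """Classification only: says which packets match, carries no action."""
    name: str
    src: str = "0.0.0.0/0"
    dport: int = 0                       # 0 matches any port (model convention)

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and self.dport in (0, pkt["dport"]))

@dataclass
class Filter:
    """Actions only: ordered (match-list, action) rules plus a default."""
    rules: list = field(default_factory=list)
    default: str = "deny"                # default action stated in the text

    def decide(self, pkt):
        for match_list, action in self.rules:
            if match_list.matches(pkt):
                return action
        return self.default

class Device:
    def __init__(self):
        self.bound = {}                  # interface name -> bound Filter

    def bind(self, ifname, flt):
        self.bound[ifname] = flt

    def add_virtual(self, vname, parent):
        # Assumption: modelled as a one-time copy of the parent's rules.
        src = self.bound[parent]
        self.bound[vname] = Filter(list(src.rules), src.default)

    def egress(self, ifname, pkt):
        # Only the exit interface's own ruleset is used; unbound = unfiltered.
        flt = self.bound.get(ifname)
        return "unfiltered" if flt is None else flt.decide(pkt)

# Constructed sample data (documentation address ranges).
dev = Device()
dev.bind("phys0", Filter([(MatchList("web", dport=443), "permit")]))
dev.add_virtual("virt0", "phys0")
dev.bound["virt0"].rules.append((MatchList("ssh", "198.51.100.0/24", 22), "permit"))
SSH = {"src": "198.51.100.9", "dport": 22}
```

In this model the SSH packet is permitted when it exits virt0 and denied when it exits phys0, which is why a virtual interface's ruleset needs its own review after it has been modified.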
Our product is not a "pure" firewall appliance. In fact, it is a unified device of
routing, Firewall, IDS/IPS, and voice. Firewall is only one component in the
system, and is not enabled by default. So the "proper installation" to enable
firewall is for you to create a default ACL policy, and bind it to untrusted interfaces
to deny all traffic, such as the following commands:
CLI Configuration Guide
Beta
Alcatel-Lucent
Network Security - An overview