Freedom9 freeGuard Blaze 2100 Manual

freeGuard Blaze 2100

Scenarios Guide
Version 3R2


Summary of Contents for Freedom9 freeGuard Blaze 2100

  • Page 1: freeGuard Blaze 2100

    Blaze 2100 Scenarios Guide Version 3R2...
  • Page 2 COPYRIGHT NOTICE © Copyright 2007 Freedom9 Inc. ALL RIGHTS RESERVED. Under the copyright law, this manual and the software described within cannot be copied in whole or part, without written permission of the manufacturer, except in the normal use of the software to make a backup copy.
  • Page 5: Table Of Contents

    Contents
    1. Preface ... 7
       About This Document ... 8
       Document Conventions ... 8
       Command Line Interface (CLI) Conventions ... 8
       Illustration Conventions ... 8
       Frequently Used Acronyms ... 9
    2. Scenarios ... 11
       NAT Scenarios ... 12
       Source NAT from a DIP Pool with PAT ... 12
       Source NAT from the Egress Interface IP Address ...
  • Page 7: Preface

    PREFACE
    Contents
    • About This Document on page 8
    • Document Conventions on page 8
  • Page 8: About This Document

    This guide contains supplemental information for network administrators who install and maintain the freeGuard Blaze 2100 in a network. It should be used together with the User Guide and the Command Line Interface Reference Manual. It covers the network scenarios in which the freeGuard Blaze 2100 is most commonly deployed.
  • Page 9: Frequently Used Acronyms

    Frequently Used Acronyms
    This guide assumes familiarity with the following acronyms. See the User Guide glossary for further details about these terms.
    NAT: Network Address Translation
    DIP: Dynamic IP Address
    PAT: Port Address Translation
    LAN: Local Area Network
    VLAN: Virtual Local Area Network
    VPN: Virtual Private Network
    ESP: Encapsulating Security Payload
    3DES: Triple Data Encryption Standard
    ...
  • Page 11: Scenarios

    SCENARIOS
    This chapter lists and describes the following scenarios:
    • NAT Scenarios on page 12
    • Policy Scenarios on page 22
    • VPN Scenarios on page 27
    • Defending Against DoS and DDoS Attacks on page 32
    • Additional Attack Detection and Prevention on page 35
  • Page 12: NAT Scenarios

    NAT Scenarios
    There are many ways that source and destination NAT can be applied to packets as they traverse the appliance. The following source and destination NAT examples are included in this section:
    • ...
  • Page 13: CLI Commands

    Configure the default route to use eth1 and the gateway address 4.4.4.254.

    CLI Commands
    The following commands apply to the source NAT with PAT scenario described in this section.
    Interfaces
        set interface eth0 zone trust
        set interface eth0 ip 10.0.0.200/24
        set interface eth0 nat
        set interface eth1 zone untrust
        set interface eth1 ip 4.4.4.1/24
        ...
  • Page 14: Source NAT from the Egress Interface IP Address

    [NOTE] In this example, the DIP pool has six entries. The IP addresses in the DIP pool are used as the source IP address of the outgoing packet, selected by a round-robin mechanism. It is also possible to have a DIP pool with only one entry.
  • Page 15 CLI Commands
    The following commands apply to the source NAT scenario described in this section.
    Interfaces
        set interface eth0 zone trust
        set interface eth0 ip 10.0.0.200/24
        set interface eth0 nat
        set interface eth1 zone untrust
        set interface eth1 ip 4.4.4.1/24
    Policy
        set policy from trust to untrust any any any permit
    Route
        ...
  • Page 16: Destination NAT to a Single IP Address Using Port Mapping

    Destination NAT to a Single IP Address Using Port Mapping
    This section describes a scenario where a web server is behind a firewall and a client on the Internet needs to get access to the web server. Since the web server does not have a public IP address, HTTP traffic directed to the public IP address needs to be translated to the private IP address of the server.
  • Page 17 Figure 3. Destination NAT with Port Mapping
    CLI Commands
    The following commands apply to the destination NAT with port mapping scenario described in this section.
    Interfaces
        set interface eth1 zone untrust
        set interface eth1 ip 4.4.4.1/24
        set interface eth0 zone trust
        set interface eth0 ip 10.0.0.1/24
    Addresses
        set address trust MTT1 4.4.4.200/32
        ...
  • Page 18: Destination NAT to a Single IP Address without Port Mapping

    Route
        set route 0.0.0.0/0 interface eth1 gateway 4.4.4.254
        set route 4.4.4.200/32 interface eth0
        save
    Destination NAT to a Single IP Address without Port Mapping
    This section describes an example of a network with the following requirements:
    • ...
  • Page 19: Destination NAT to Multiple IP Addresses with Port Mapping

    CLI Commands
    The following commands apply to the destination NAT without port mapping scenario described in this section.
    Interfaces
        set interface eth1 zone untrust
        set interface eth1 ip 4.4.4.1/24
        set interface eth0 zone trust
        set interface eth0 ip 10.0.0.1/24
    Addresses
        set address trust MTT1 4.4.4.200/32
    Policy
        set policy from untrust to trust any MTT1 http nat dst 10.0.0.200 permit
        ...
  • Page 20 Create a host route for the MTT1 object on interface eth0.
    Figure 5. Destination NAT with Port Mapping
    CLI Commands
    The following commands apply to the destination NAT with port mapping scenario described in this section.
  • Page 21 Addresses
        set address trust MTT1 4.4.4.200/32
    Policy
        set policy from untrust to trust any MTT1 http nat dst 10.0.0.200 port 80 permit
        set policy from untrust to trust any MTT1 ftp nat dst 10.0.0.210 port 21 permit
    Route
        set route 0.0.0.0/0 interface eth1 gateway 4.4.4.254
        set route 4.4.4.200/32 interface eth0 gateway 0.0.0.0
        save
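The translation behaviour that the NAT scenarios above configure, shown as an added example that is not code from the original guide or from Freedom9: a small stateful NAT session table in Python that applies source NAT from a DIP pool with PAT to trust-to-untrust traffic (round-robin over the pool, as the note on page 14 describes), applies destination NAT with and without port mapping to untrust-to-trust traffic for MTT1 (4.4.4.200), and un-translates replies in both directions. The six pool addresses 4.4.4.10 to 4.4.4.15, the PAT port counter starting at 1024, the outside hosts 8.8.8.8 and 5.5.5.5, the names `NatEngine`, `Packet` and `demo`, and the modelling of an inside interface without `set interface eth0 nat` as an empty pool (route mode, no translation) are assumptions, not statements about the appliance.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple; addresses are the scenario's, not captured traffic."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatEngine:
    """Stateful NAT with one session table for both directions (hypothetical model)."""

    def __init__(self, dip_pool, dnat_rules):
        self._pool = list(dip_pool)                   # empty pool = interface not in NAT mode
        self._rr = itertools.cycle(self._pool)        # round-robin DIP selection (page 14 note)
        self._next_port = {ip: 1024 for ip in self._pool}   # PAT port counter per DIP (assumed)
        # (public_ip, dport) -> (private_ip, port); port None = keep the destination port
        self._dnat_rules = dict(dnat_rules)
        self._out = {}   # inside 5-tuple  -> packet as it leaves on untrust
        self._in = {}    # outside 5-tuple -> packet as it leaves on trust

    def _alloc_port(self, dip):
        port = self._next_port[dip]
        if port > 65535:
            raise RuntimeError(f"PAT port space exhausted on {dip}")
        self._next_port[dip] = port + 1
        return port

    def outbound(self, pkt):
        """trust -> untrust. Replies of DNAT sessions get the public address
        back; new flows are source-NATed from the DIP pool with PAT."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self._out:
            return self._out[key]
        if not self._pool:
            return pkt                                # route mode: no translation
        dip = next(self._rr)
        xlated = Packet(dip, self._alloc_port(dip), pkt.dst, pkt.dport, pkt.proto)
        self._out[key] = xlated
        # the reply arrives from pkt.dst:pkt.dport addressed to dip:port
        self._in[(pkt.proto, pkt.dst, pkt.dport, dip, xlated.sport)] = \
            Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return xlated

    def inbound(self, pkt):
        """untrust -> trust. Known sessions are un-translated; a new flow must
        match a DNAT rule (a 'nat dst' policy), otherwise it is dropped (None)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self._in:
            return self._in[key]
        rule = self._dnat_rules.get((pkt.dst, pkt.dport))
        if rule is None:
            return None
        priv_ip, priv_port = rule
        xlated = Packet(pkt.src, pkt.sport, priv_ip,
                        pkt.dport if priv_port is None else priv_port, pkt.proto)
        self._in[key] = xlated
        # the server's reply must leave with the public address and port restored
        self._out[(pkt.proto, xlated.dst, xlated.dport, pkt.src, pkt.sport)] = \
            Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return xlated


def demo():
    """Drive the scenarios; returns the translations so they can be checked."""
    pat = NatEngine(dip_pool=[f"4.4.4.{n}" for n in range(10, 16)],  # six entries (assumed values)
                    dnat_rules={})
    mapped = NatEngine(dip_pool=[],                      # eth0 not in NAT mode (page 21)
                       dnat_rules={("4.4.4.200", 80): ("10.0.0.200", 80),
                                   ("4.4.4.200", 21): ("10.0.0.210", 21)})
    plain = NatEngine(dip_pool=[],                       # page 19: 'nat dst 10.0.0.200', no port
                      dnat_rules={("4.4.4.200", 80): ("10.0.0.200", None)})
    dns_a = Packet("10.0.0.10", 40000, "8.8.8.8", 53, "udp")
    dns_b = Packet("10.0.0.11", 40000, "8.8.8.8", 53, "udp")
    out_a, out_b, out_again = pat.outbound(dns_a), pat.outbound(dns_b), pat.outbound(dns_a)
    return {
        "snat_first": out_a,
        "snat_second": out_b,
        "snat_again": out_again,
        "snat_reply": pat.inbound(Packet("8.8.8.8", 53, out_a.src, out_a.sport, "udp")),
        "dnat_http": mapped.inbound(Packet("5.5.5.5", 51000, "4.4.4.200", 80)),
        "dnat_ftp": mapped.inbound(Packet("5.5.5.5", 51001, "4.4.4.200", 21)),
        "dnat_denied": mapped.inbound(Packet("5.5.5.5", 51002, "4.4.4.200", 443)),
        "dnat_reply": mapped.outbound(Packet("10.0.0.200", 80, "5.5.5.5", 51000)),
        "plain_http": plain.inbound(Packet("5.5.5.5", 51003, "4.4.4.200", 80)),
    }
```

Running `demo()` shows two inside hosts opening the same outside flow getting different pool addresses, a repeat packet of an existing session reusing its translation, and an inbound packet to 4.4.4.200:443, for which no `nat dst` policy exists, being dropped. Because the http policy maps to port 80, the with- and without-port-mapping forms give the same result for HTTP; the `port` clause only matters when the private server listens on a port other than the public one.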
  • Page 22: Policy Scenarios

    Policy Scenarios
    This section describes different policy scenarios you can configure for the freeGuard Blaze 2100. The following policy samples are included in this section:
    • Interzone Policies
    • Intrazone Policies
    • ...
  • Page 23 • Everyone can access the mail and web server located in the DMZ.
    Figure 6. Example of Network for Interzone Policies
    CLI Commands
    The following commands apply to the interzone policy scenario described in this section:
    Interfaces
        set interface eth0 ip 10.0.0.1/32
        set interface eth0 zone trust
        set interface eth1 ip 4.4.4.1/32
        set interface eth1 zone untrust
        ...
  • Page 24: Intrazone Policies

        set address trust office 10.0.100.0/24
    Services
        set group service snetservices add http
        set group service snetservices add dns
        set group service snetservices add ftp
        set group service snetservices add ssl
        set group service snetservices add smtp
    Policies
        set policy from trust to untrust snet any snetservices permit
        set policy from trust to untrust office any any permit
        ...
  • Page 25 Figure 7. Example of Network for Intrazone Policy
    CLI Commands
    The following commands apply to the intrazone policy scenario described in this section.
    Interfaces
        set interface eth1.100 zone trust
        set interface eth1.100 ip 192.168.100.1/32
        set interface eth1.100 nat
        set interface eth1.200 zone trust
        set interface eth1.200 ip 192.168.200.1/32 tag 200
        set interface eth1.200 nat
    Zones
        ...
  • Page 26: Global Policies

    Global Policies
    This section describes an example where the freeGuard Blaze 2100 is configured to allow all hosts in every zone to reach a company website with the domain name "www.123Systems.com". Global policies are most useful when there are many zones, since one global policy does the work of a separate interzone policy for each zone pair.
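How the interzone, intrazone and global policies of the three scenarios above are evaluated against a flow, as an added example in Python that is not the appliance's code. The office address object, the snetservices group, the two trust-to-untrust policies and the global policy for www.123Systems.com are taken from the CLI snippets; everything else is an assumption of this model rather than a statement about the appliance: the snet subnet (10.0.200.0/24), the vlan100 and vlan200 objects behind the two VLAN subinterfaces used for an intrazone rule, the resolved address 203.0.113.10 for the website, the well-known service ports (plus ssh for a negative case), first-match evaluation with zone-pair policies tried before global ones, and deny for flows that match nothing.

```python
import ipaddress
from dataclasses import dataclass

# (protocol, port) for the services the snippets name, plus ssh for a negative case (assumed)
SERVICES = {"http": ("tcp", 80), "dns": ("udp", 53), "ftp": ("tcp", 21),
            "ssl": ("tcp", 443), "smtp": ("tcp", 25), "ssh": ("tcp", 22)}


@dataclass(frozen=True)
class Policy:
    from_zone: str   # zone name, or "global" for a global policy
    to_zone: str
    src: str         # address object name or "any"
    dst: str
    service: str     # service name, service group name or "any"
    action: str      # "permit" or "deny"


class PolicyEngine:
    """Hypothetical first-match policy lookup modelled on the CLI above."""

    def __init__(self):
        self.addresses = {}   # object name -> ip_network (zone qualifier dropped)
        self.groups = {}      # service group -> set of service names
        self.policies = []    # in configuration order

    def set_address(self, name, cidr):
        self.addresses[name] = ipaddress.ip_network(cidr)

    def add_group_service(self, group, service):
        self.groups.setdefault(group, set()).add(service)

    def set_policy(self, from_zone, to_zone, src, dst, service, action):
        self.policies.append(Policy(from_zone, to_zone, src, dst, service, action))

    def _addr_match(self, obj, ip):
        return obj == "any" or ipaddress.ip_address(ip) in self.addresses[obj]

    def _svc_match(self, obj, proto, port):
        if obj == "any":
            return True
        return any(SERVICES[n] == (proto, port) for n in self.groups.get(obj, {obj}))

    def lookup(self, from_zone, to_zone, src_ip, dst_ip, proto, port):
        """Return (action, policy) for the first match, or ("deny", None)."""
        specific = [p for p in self.policies if p.from_zone != "global"]
        global_ = [p for p in self.policies if p.from_zone == "global"]
        for p in specific + global_:    # zone-pair policies before global ones (assumption)
            if p.from_zone != "global" and (p.from_zone, p.to_zone) != (from_zone, to_zone):
                continue
            if (self._addr_match(p.src, src_ip) and self._addr_match(p.dst, dst_ip)
                    and self._svc_match(p.service, proto, port)):
                return p.action, p
        return "deny", None           # nothing matched: default deny (assumption)


def build_engine():
    """The scenario configuration; values marked 'assumed' are not on the page."""
    e = PolicyEngine()
    e.set_address("office", "10.0.100.0/24")                # interzone snippet
    e.set_address("snet", "10.0.200.0/24")                  # assumed: subnet not listed
    e.set_address("vlan100", "192.168.100.0/24")            # assumed, behind eth1.100
    e.set_address("vlan200", "192.168.200.0/24")            # assumed, behind eth1.200
    e.set_address("www.123Systems.com", "203.0.113.10/32")  # assumed resolved address
    for svc in ("http", "dns", "ftp", "ssl", "smtp"):
        e.add_group_service("snetservices", svc)
    e.set_policy("trust", "untrust", "snet", "any", "snetservices", "permit")
    e.set_policy("trust", "untrust", "office", "any", "any", "permit")
    e.set_policy("trust", "trust", "vlan100", "vlan200", "any", "permit")   # intrazone (assumed)
    e.set_policy("global", "global", "any", "www.123Systems.com", "http", "permit")
    return e
```

With `build_engine()`, a snet host gets DNS out but not SSH (ssh is not in snetservices), an office host gets anything, a vlan100 host reaches vlan200 but not the reverse, and a host in any zone (one with no interzone policy at all, such as a dmz) reaches the website on http but not on ssl, because the global policy names only http. Policy order matters in this model: if the office policy were listed first and office overlapped snet, the service restriction of the snet policy would never be consulted.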
  • Page 27: VPN Scenarios

    VPN Scenarios
    This section describes examples of VPN scenarios you can configure for the freeGuard Blaze 2100. The following sample scenarios are included in this section:
    • Site-to-site VPN with AutoKey
    • Site-to-site VPN with Manual Keying
    Site-to-site VPN with AutoKey
    ...
  • Page 28 Amsterdam
    Interfaces
        set interface eth0 zone trust
        set interface eth0 ip 10.1.1.1/24
        set interface eth0 nat
        set interface eth1 zone untrust
        set interface eth1 ip 1.1.1.1/24
    Addresses
        set address trust local_lan 10.1.1.0/24
        set address vpn paris_lan 10.2.2.0/24
    VPN Pre-shared Key
        set ike gateway to_sanjose address 2.2.2.2 main outgoing-interface eth0
        ...
    [NOTE] In this topology eth0 is the trust interface; the interface that reaches the San Jose peer at 2.2.2.2 is the untrust interface eth1 (1.1.1.1). Check the outgoing-interface value against the Command Line Interface Reference Manual before copying this command.
  • Page 29: Site-to-Site VPN with Manual Keying

        set vpn sanjose_amster gateway to_amsterdam proposal g2-esp-des-md5
    Route
        set route 0.0.0.0/0 interface eth1 gateway 2.2.2.250
    Policies
        set policy from trust to untrust local_lan amsterdam_lan any tunnel vpn sanjose_amster
        set policy from untrust to trust amsterdam_lan local_lan any tunnel vpn sanjose_amster
        save
    [NOTE] The proposal g2-esp-des-md5 uses single DES (a 56-bit key that has been brute-forced in practice since 1998) and MD5. Treat it as a sample only; for a production tunnel choose the strongest cipher and hash the appliance offers, at least the 3DES named in the acronym list.
    Site-to-Site VPN with Manual Keying
    In this example, a manual key tunnel provides a secure communication channel between offices...
  • Page 30 CLI Commands
    The following commands apply to the site-to-site VPN scenario described in this section. The commands are divided into Amsterdam and San Jose categories, corresponding to the fictional offices specified in the example above.
  • Page 31: Network Attack Prevention

    Network Attack Prevention
    This section describes examples of various network attack prevention scenarios you can configure for the freeGuard Blaze 2100. The following sample scenarios are included in this section:
    • Preventing Network Port Attacks
    • Defending Against DoS and DDoS Attacks
    ...
  • Page 32: Defending Against DoS and DDoS Attacks

    Defending Against DoS and DDoS Attacks
    Rate limiting is the most common way to defend against DoS and DDoS attacks. You can configure options on the appliance to apply various rate limits to ICMP, TCP and UDP traffic. With rate limiting, a network interface caps the number of packets sent or received: traffic at or below the configured rate is forwarded, and traffic that exceeds the limit may be dropped or delayed.
  • Page 33: SYN Flood Prevention

    ...allowed through the zone to a specific host per second. The maximum threshold for the udp-flood attack-threshold is 64,000.
        set zone {zone name} screen udp-flood threshold {number}
    Example: Set the UDP threshold
    Set the UDP threshold to 1,000 on the zone untrust:
        set zone untrust screen udp-flood threshold 1000
        save
    SYN Flood Prevention
    ...
  • Page 34: TCP-FIN-no-ACK

    Example: Set the IP fragment threshold
    Set the ip-frag threshold to 1,000 on the untrust zone:
        set zone untrust screen ip-frag threshold 1000
        save
    TCP-FIN-no-ACK
    To filter packets that have the TCP FIN bit set but not ACK, use the set zone command. A FIN without ACK never occurs in a legitimate established connection, so such packets are characteristic of stealth port scans (for example a FIN scan) that try to slip past filters which only inspect SYNs.
        set zone {zone name} screen fin-no-ack
    Example: TCP-FIN-no-ACK
    To filter packets that have the TCP FIN bit set but not ACK for the zone untrust:
    ...
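The udp-flood threshold, the ip-frag threshold and the fin-no-ack filter above in one packet-by-packet check, as an added example in Python that is not the appliance's code. The `ZoneScreen` class enforces the udp-flood threshold per destination host per second (rejecting values above the 64,000 maximum the page states), an ip-frag threshold per second, and the fin-no-ack filter, and `untrust_verdicts` runs the page's untrust configuration (both thresholds 1,000) over constructed traffic. The fixed one-second counting window keyed on the integer part of the timestamp, the ip-frag counter being zone-wide rather than per host, the class and function names, and the sample traffic are assumptions of this model.

```python
from collections import Counter
from dataclasses import dataclass

UDP_FLOOD_MAX = 64000   # highest udp-flood threshold the guide allows


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary, not a capture."""
    ts: float                        # arrival time in seconds
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"FIN", "ACK"}
    fragment: bool = False           # IP fragment (MF set or non-zero offset)


class ZoneScreen:
    """Screens of one zone (hypothetical model of 'set zone ... screen ...')."""

    def __init__(self, udp_flood=None, ip_frag=None, fin_no_ack=False):
        if udp_flood is not None and not 1 <= udp_flood <= UDP_FLOOD_MAX:
            raise ValueError(f"udp-flood threshold must be 1..{UDP_FLOOD_MAX}")
        self.udp_flood = udp_flood
        self.ip_frag = ip_frag
        self.fin_no_ack = fin_no_ack
        self._udp = Counter()    # (dst host, second) -> UDP packets seen
        self._frag = Counter()   # second -> fragments seen (zone-wide: assumption)

    def check(self, pkt):
        """Return (allowed, reason) for one packet, updating the counters."""
        if (self.fin_no_ack and pkt.proto == "tcp"
                and "FIN" in pkt.flags and "ACK" not in pkt.flags):
            return False, "fin-no-ack"
        second = int(pkt.ts)            # fixed one-second window (assumption)
        if self.ip_frag is not None and pkt.fragment:
            self._frag[second] += 1
            if self._frag[second] > self.ip_frag:
                return False, "ip-frag threshold"
        if self.udp_flood is not None and pkt.proto == "udp":
            self._udp[(pkt.dst, second)] += 1
            if self._udp[(pkt.dst, second)] > self.udp_flood:
                return False, "udp-flood threshold"
        return True, "pass"


def run(screen, packets):
    """Apply the screen to a packet list; return how many packets got each verdict."""
    return Counter(screen.check(p)[1] for p in packets)


def sample_traffic():
    """Constructed traffic: 1,005 UDP packets to 10.0.0.200 within one second,
    3 to 10.0.0.210, a bare FIN probe, a normal FIN/ACK, then 1,002 UDP
    fragments to 10.0.0.200 in the next second."""
    pkts = [Packet(10.0 + i / 2000, "udp", "5.5.5.5", "10.0.0.200") for i in range(1005)]
    pkts += [Packet(10.6, "udp", "5.5.5.5", "10.0.0.210") for _ in range(3)]
    pkts.append(Packet(10.7, "tcp", "5.5.5.5", "10.0.0.200", frozenset({"FIN"})))
    pkts.append(Packet(10.8, "tcp", "5.5.5.5", "10.0.0.200", frozenset({"FIN", "ACK"})))
    pkts += [Packet(11.0 + i / 2000, "udp", "5.5.5.5", "10.0.0.200", fragment=True)
             for i in range(1002)]
    return pkts


def untrust_verdicts():
    """The page's untrust configuration applied to the sample traffic."""
    screen = ZoneScreen(udp_flood=1000, ip_frag=1000, fin_no_ack=True)
    return run(screen, sample_traffic())
```

Of the 2,012 packets, 2,004 pass: the 1,001st to 1,005th UDP packets to 10.0.0.200 in the first second hit the udp-flood threshold while the three to 10.0.0.210 are unaffected (the count is per destination host), the bare FIN is dropped, and the last two fragments hit the ip-frag threshold. A fixed window resets at every second boundary, so a burst straddling the boundary can pass almost twice the threshold; a sliding window or a token bucket, the usual form of the rate limiting described on page 32, closes that gap.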
  • Page 35: Additional Attack Detection and Prevention

    Additional Attack Detection and Prevention
    In addition to the configurable attack settings, the appliance detects and prevents the network and DoS attacks listed in Figure 12.
    Figure 12. Additional Attack Prevention
    • Land Attack
    • IRDP
    • Ping of Death
    • Unknown IP Protocol
    Viewing Attack Settings
    To view the current attack settings per zone, use the get zone command with the screen keyword and the zone name:
    ...