Application Level Commands; Application Level Gateway - Enterasys Security Router X-PeditionTM User Manual

Enterasys security router user's guide

Application Level Commands

A special action option, Command Level Security (CLS), filters application-level actions within
several protocols. The CLS examines the message type produced by the application being filtered
and either passes or drops specific application commands. For example, FTP GETs can be allowed
but PUTs denied. These protocols are supported:
- File Transfer Protocol (FTP)
- Simple Mail Transfer Protocol (SMTP) and NNTP
- Hypertext Transfer Protocol (HTTP)
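To show what a command-level filter of the CLS kind has to do on the FTP control channel, here is an added example (not Enterasys code and not the XSR implementation). It reassembles CRLF-terminated command lines across TCP segments, so a verb split over two packets is still classified, and applies a per-verb pass/drop policy; the policy table and the sample segments are constructed for the example, and FTP GET and PUT are mapped to their RFC 959 control-channel verbs RETR and STOR.

```python
"""Added example: a CLS-style command filter for an FTP control channel.

Not Enterasys code. The policy below is constructed: downloads and
navigation pass, uploads and deletions drop, unknown verbs drop (fail closed).
"""

# FTP "GET" and "PUT" are the RETR and STOR verbs on the control channel (RFC 959).
FTP_POLICY = {
    "USER": "pass", "PASS": "pass", "PWD": "pass", "CWD": "pass", "LIST": "pass",
    "PASV": "pass", "PORT": "pass", "TYPE": "pass", "RETR": "pass", "QUIT": "pass",
    "STOR": "drop", "STOU": "drop", "APPE": "drop", "DELE": "drop", "RNFR": "drop",
}
DEFAULT_ACTION = "drop"   # verbs not listed in the policy are dropped


class FtpCommandFilter:
    """Classifies each complete client command line as pass or drop."""

    def __init__(self, policy=FTP_POLICY, default=DEFAULT_ACTION):
        self.policy = policy
        self.default = default
        self.buf = b""    # partial line carried over from the previous segment

    def feed(self, segment):
        """Consume one client->server TCP segment.

        Returns a list of (VERB, action) tuples, one for every command line
        that this segment completes. A line whose terminator has not arrived
        yet stays buffered, so splitting "RETR" across two segments cannot
        slip a verb past the filter.
        """
        self.buf += segment
        decisions = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            verb = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
            if not verb:
                continue          # empty line, nothing to decide
            decisions.append((verb, self.policy.get(verb, self.default)))
        return decisions


if __name__ == "__main__":
    # Constructed sample: the RETR verb arrives split over two segments,
    # and "stor" is sent in lower case.
    f = FtpCommandFilter()
    for seg in (b"USER anonymous\r\nRET", b"R file.bin\r\nstor evil.exe\r\n"):
        for verb, action in f.feed(seg):
            print(f"{verb:<5} -> {action}")
```

The filter keys on the verb only, which is what the CLS description above requires; a production filter would additionally strip Telnet IAC sequences and bound the buffer size so an endless unterminated line cannot exhaust memory.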

Application Level Gateway

Support is provided for the FTP and H.323 version 2 protocols, and for Remote Procedure Call (RPC)-
based applications. The XSR ALG works with two types of RPCs: Sun's (used by most Unix systems)
and Microsoft's. The following pre-defined services are available for RPC and can be configured
with the ip firewall service-group command:
- SunRPCTCP and SunRPCUDP
- MsftRPCTCP and MsftRPCUDP
RPC-based links are built in a client-server framework, and RPC clients connect to RPC servers. A
machine that hosts RPC server applications runs a daemon called the PortMapper, which listens on well-
defined TCP and UDP ports: Sun RPC uses 111, Microsoft uses 135. RPC operates as follows:
1. RPC-based server applications register with the PortMapper, providing their listening port
and application identifier. Because identifiers are issued by the IANA, they are unique.
2. The client connects to the PortMapper and passes the application identifier along.
3. In return, the PortMapper replies with the server's listening port.
4. The client then initiates a connection to the server application, using the returned listening
port as the destination port.
The XSR's ALG inspects RPC messages between the client and the PortMapper, storing the port
numbers returned by the PortMapper in a cache. It then allows the client to connect to the ports
that were returned. Once the connection is up, the ALG examines both TCP and UDP traffic.
The XSR ages out RPC cache entries if the client connection does not occur, or is idle, beyond the
default period. You can reset the default with the ip firewall {microsoft-rcp | sun-rpc} timeout
command.
Note: Once you permit RPC sessions between two hosts or networks, all TCP- or UDP-based RPC
applications will be able to connect. Enterasys recommends that only TCP-based RPC applications
be allowed to pass through the Firewall, since the session is closed as soon as the TCP
connection terminates. UDP-based RPC sessions can only be closed by timeout and are therefore
less secure than those using TCP.
The XSR limits the total number of stored UDP request cache entries, which are also used by other
ALGs such as the DHCP relay agent ALG. If no free UDP request cache entries exist, no more RPC-based
connections are allowed until entries are freed. Assuming no other UDP packets pass through the
Firewall, the maximum number of UDP request cache entries is the limit on the number of RPC
cache entries that the system can support.
For each RPC-based connection, two sessions are created. The first is a TCP or UDP session from
the client to the PortMapper. The second is the application connection between the RPC client and
the server. Both sessions are displayed by the show ip firewall sessions command. RPC sessions can
be identified by their destination ports of 111 or 135.
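The PortMapper exchange, the port cache with its timeout, the cap on cache entries and the two sessions per RPC connection described above can all be shown in one small model. The following is an added example, not Enterasys code and not the XSR's ALG: it parses Sun RPC v2 PMAPPROC_GETPORT calls and replies in their XDR wire format, records the PortMapper session, caches the port the PortMapper returns, permits the follow-on client-to-server connection only while that entry is alive, ages entries out, and refuses new entries when the cache is full. The addresses, program numbers, timeout and cache cap are constructed sample values, not XSR defaults.

```python
"""Added example: a simulated PortMapper ALG for Sun RPC (not Enterasys code).

Wire format follows Sun RPC v2 / PortMapper v2 (RFC 1057, RFC 1833):
call  = xid, msg_type=0, rpcvers=2, prog, vers, proc, cred, verf, args
reply = xid, msg_type=1, reply_stat=0, verf, accept_stat=0, result
Timeout, cache cap, addresses and program numbers below are constructed.
"""
import struct

PORTMAPPER_PROG = 100000     # Sun RPC PortMapper program number
PORTMAPPER_PORT = 111        # well-known Sun RPC PortMapper port
PMAPPROC_GETPORT = 3
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]


def _skip_opaque_auth(buf, off):
    """Skip an XDR opaque_auth: flavor, length, body padded to 4 bytes."""
    length = _u32(buf, off + 4)
    return off + 8 + length + (-length % 4)


def parse_getport_call(buf):
    """Return (xid, requested program, requested protocol) or None."""
    if len(buf) < 24:
        return None
    xid, mtype, rpcvers, prog, _vers, proc = struct.unpack_from(">IIIIII", buf, 0)
    if (mtype, rpcvers, prog, proc) != (MSG_CALL, 2, PORTMAPPER_PROG, PMAPPROC_GETPORT):
        return None
    off = _skip_opaque_auth(buf, 24)    # credentials
    off = _skip_opaque_auth(buf, off)   # verifier
    app_prog, _app_vers, proto, _port = struct.unpack_from(">IIII", buf, off)
    return xid, app_prog, proto


def parse_getport_reply(buf):
    """Return (xid, port) for an accepted, successful GETPORT reply, else None."""
    if len(buf) < 12:
        return None
    xid, mtype, reply_stat = struct.unpack_from(">III", buf, 0)
    if mtype != MSG_REPLY or reply_stat != MSG_ACCEPTED:
        return None
    off = _skip_opaque_auth(buf, 12)    # verifier
    if _u32(buf, off) != SUCCESS:
        return None
    return xid, _u32(buf, off + 4)


class RpcAlg:
    """Caches PortMapper answers and gates the follow-on RPC connection."""

    def __init__(self, timeout_s, max_entries):
        self.timeout_s = timeout_s
        self.max_entries = max_entries
        self.pending = {}     # xid -> (client, server, prog, proto) awaiting a reply
        self.cache = {}       # (client, server, proto, port) -> expiry time
        self.sessions = []    # (client, server, dst_port), like a session table

    def _age_out(self, now):
        for key in [k for k, exp in self.cache.items() if exp <= now]:
            del self.cache[key]

    def inspect_call(self, client, server, buf, now):
        """Client -> PortMapper: session 1 is created and the xid remembered."""
        parsed = parse_getport_call(buf)
        if parsed is None:
            return False
        xid, prog, proto = parsed
        self.pending[xid] = (client, server, prog, proto)
        self.sessions.append((client, server, PORTMAPPER_PORT))
        return True

    def inspect_reply(self, src, dst, buf, now):
        """PortMapper -> client: cache the returned port unless the cache is full."""
        parsed = parse_getport_reply(buf)
        if parsed is None:
            return None
        xid, port = parsed
        req = self.pending.pop(xid, None)
        if req is None or req[:2] != (dst, src):
            return None                      # reply matches no observed call
        self._age_out(now)
        if len(self.cache) >= self.max_entries:
            return None                      # no free entry: connection will be refused
        client, server, _prog, proto = req
        self.cache[(client, server, proto, port)] = now + self.timeout_s
        return port

    def allow_connection(self, client, server, proto, port, now):
        """Client -> server: session 2 is allowed only for a live cached port."""
        self._age_out(now)
        if (client, server, proto, port) not in self.cache:
            return False
        self.sessions.append((client, server, port))
        return True


def build_getport_call(xid, prog, vers, proto):
    """Constructed GETPORT call with AUTH_NULL credentials and verifier."""
    hdr = struct.pack(">IIIIII", xid, MSG_CALL, 2, PORTMAPPER_PROG, 2, PMAPPROC_GETPORT)
    auth_null = struct.pack(">II", 0, 0)
    return hdr + auth_null + auth_null + struct.pack(">IIII", prog, vers, proto, 0)


def build_getport_reply(xid, port):
    """Constructed accepted, successful GETPORT reply carrying the port."""
    return struct.pack(">III", xid, MSG_REPLY, MSG_ACCEPTED) + struct.pack(">II", 0, 0) \
        + struct.pack(">II", SUCCESS, port)


if __name__ == "__main__":
    alg = RpcAlg(timeout_s=60, max_entries=2)
    alg.inspect_call("10.0.0.5", "10.0.0.9", build_getport_call(0x1234, 100003, 3, IPPROTO_TCP), 0)
    print("cached port:", alg.inspect_reply("10.0.0.9", "10.0.0.5", build_getport_reply(0x1234, 2049), 1))
    print("allowed at t=2:", alg.allow_connection("10.0.0.5", "10.0.0.9", IPPROTO_TCP, 2049, 2))
    print("allowed at t=61:", alg.allow_connection("10.0.0.5", "10.0.0.9", IPPROTO_TCP, 2049, 61))
    print("sessions:", alg.sessions)
```

The model makes the note above concrete: a TCP entry can be torn down when the connection closes, but the UDP entry has nothing to signal closure and lives until the timeout fires, so the only knobs a defender has for UDP RPC are the timeout and the cache cap.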
XSR Firewall Feature Set Functionality
XSR User's Guide 16-13
