Certificate Management - Motorola RFS7000 Series System Reference Manual

• TCP Bad Sequence number
Apart from detecting the above attacks, the firewall also performs sanity checks on every packet. These sanity
checks can drop a packet if the packet is malformed. A log message is generated whenever a packet is
dropped due to these sanity checks. The log entry explains the reason for dropping the packet and includes
the packet information (source IP, destination IP, source port, destination port, IP protocol, etc.).
Stateful Layer 3 Packet Filtering Capabilities
In addition to guarding against protocol abuses and denial of service (DoS) attacks, the RFS7000 provides
powerful packet filtering capabilities. Standard IP and Extended IP ACLs are supported. These ACLs allow an
administrator to filter packets based on a source IP address, destination IP address, source port, destination
port, protocol type and even protocol options. For example, an administrator may choose to deny all UDP
packets originating from subnet 10.1.1.0 that carry port number 27960 (used by popular games like
Enemy Territory and Quake 3). When a packet matches a firewall rule, an administrator can choose to permit,
deny or mark the packet. Packet marking allows an administrator to modify the IP TOS field. A log entry can
also be created based on a firewall match.
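The following is an added sketch, not Motorola's code or CLI syntax, of how an Extended IP ACL such as the one described above evaluates packets and applies permit, deny, mark and logging. The /24 mask, matching on the destination port, first-match ordering, the implicit final deny, forwarding of marked packets and all sample addresses are assumptions, not taken from the manual.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                   # "permit", "deny" or "mark"
    proto: Optional[str] = None   # None matches any IP protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None
    tos: Optional[int] = None     # new IP TOS byte, used by "mark"
    log: bool = False             # create a log entry on match

    def matches(self, pkt):
        return ((self.proto is None or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.sport in (None, pkt.get("sport"))
                and self.dport in (None, pkt.get("dport")))

def evaluate(rules, pkt, log):
    """Return (verdict, packet). Assumes first match wins and an implicit deny."""
    for index, rule in enumerate(rules):
        if not rule.matches(pkt):
            continue
        if rule.log:
            log.append(f"rule {index} {rule.action} {pkt['proto']} "
                       f"{pkt['src']}:{pkt.get('sport')} -> "
                       f"{pkt['dst']}:{pkt.get('dport')}")
        if rule.action == "mark":
            # Assumption: a marked packet is forwarded with its TOS rewritten.
            return "permit", {**pkt, "tos": rule.tos}
        return rule.action, pkt
    return "deny", pkt

# Constructed rule set; only the first rule mirrors the manual's example.
RULES = [
    Rule("deny", proto="udp", src="10.1.1.0/24", dport=27960, log=True),
    Rule("mark", proto="udp", dport=5060, tos=0xB8),
    Rule("permit"),
]

if __name__ == "__main__":
    entries = []
    game = {"proto": "udp", "src": "10.1.1.7", "dst": "192.0.2.10",
            "sport": 40000, "dport": 27960, "tos": 0}
    print(evaluate(RULES, game, entries)[0], entries)
```

Rule order matters in this model: placing the catch-all permit first would shadow the deny rule, and no log entry would ever be written for the game traffic.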
Layer 2 Packet Filtering Capabilities
In some networks, a majority of the traffic flow could be switched rather than routed. In these instances, the
RFS7000 provides Layer 2 packet filtering, allowing administrators to define MAC address based rules. MAC
ACLs can be defined based on a source MAC address, destination MAC address, VLAN ID, 802.1p priority or
ethertype (IPv4, ARP, RARP, AppleTalk, AARP, 802.1q, IPX) of the packet. For example, an administrator may
define a Layer 2 ACL that denies all AppleTalk traffic originating from any MAC address. When a packet
matches a firewall rule, an administrator can choose to permit, deny or mark the packet. Packet marking allows
an administrator to modify the 802.1p or IP TOS field. A log entry can also be created based on a firewall match.
In addition to MAC based ACLs, Standard IP ACLs and Extended IP ACLs can also be applied to Layer 2
interfaces.
The RFS7000 provides filtering capabilities to prevent Layer 2 bridging between wireless users. In addition, a
Standard IP ACL, Extended IP ACL or a MAC ACL can be applied to a WLAN interface. For example, this allows
an administrator to prevent DHCP Discover packets from being broadcast over the air, thus saving RF bandwidth.
In summary, the RFS7000 contains:
• Built-in firewall protection (always on)
• Easy-to-use stateful firewall with zero configuration
• Powerful packet filtering capability at Layer 3, Layer 2 and wireless interfaces
• Real-time notification of live attacks

1.2.5.15 Certificate Management

Certificate Management is used to provide a standardized procedure to:
• Generate a certificate request and upload the server certificate signed by a certificate authority (CA).
• Upload a CA's root certificate.
• Create a self-signed certificate.
Certificate management is used by the HTTPS, VPN, Hotspot and RADIUS applications. For information on
configuring switch certificate management, see Creating Server Certificates on page 6-86.
