Advanced. Novell Security Manager Powered by Astaro

Using Novell Security Manager

4.5.3. Advanced

Connection Tracking Helpers

The Stateful Inspection Packet Filter and the NAT function are provided by the iptables module in the Netfilter subsystem. All connections that pass through the packet filter are tracked by the Conntrack module; this is referred to as Connection Tracking.

Some protocols, such as FTP or IRC, use several communication channels that cannot be associated with one another by port numbers alone. In order to pass these protocols through the packet filter, or to rewrite their addresses with NAT, Connection Tracking Helpers are required. Generally speaking, these are additional kernel modules that help the Conntrack module recognize the secondary connections belonging to a connection it already tracks. A helper does this by registering expectations (so-called expect structures) for the connections it anticipates.

For FTP data connections, for example, the FTP Conntrack helper is necessary. It parses the control connection (normally TCP port 21), recognizes the data connections announced there, which can use any destination port, and adds the corresponding expect structures to the expect list.

The following protocols are supported:

• FTP (File Transfer Protocol)

• H323

• IRC (for DCC)

• MMS (Microsoft Media Streaming)

• PPTP (Point to Point Tunneling Protocol)

• TFTP (Trivial File Transfer Protocol)

Loading Helper Modules: By default, all helper modules are loaded except for TFTP. Helper modules are loaded and unloaded in the selection field. Since each helper parses application-layer data and opens the filter for the connections it expects, load only the helpers that the protocols actually in use require; an unused helper is nothing but additional attack surface.

A description of how to use the selection field can be found in chapter 3.3.2 on page 28.
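To make the helper mechanism described above concrete, the following added example (not code from the manual or from the product) models what the FTP helper does: it parses the address announcements on the control connection (PORT from the client, 227 from the server), turns each into an expectation, and later classifies a new connection as RELATED when it matches one. The endpoints, the control-channel lines and the dict layout of an expectation are constructed for this example. The strict address check mirrors the behaviour of the Linux ftp helper with its loose option off (an assumption about that module, not something this page states): an announced address must belong to the peer that announced it, otherwise a client could make the firewall expect, and admit, a connection to a third host (the classic FTP bounce).

```python
import re
from typing import List, Optional

# Constructed control-connection endpoints (assumption, not from the manual).
CLIENT = ("192.0.2.10", 40001)
SERVER = ("198.51.100.20", 21)

_OCTETS = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(rb"^PORT " + _OCTETS + rb"\s*$")      # client announces (active mode)
PASV_RE = re.compile(rb"^227 [^(]*\(" + _OCTETS + rb"\)")   # server announces (passive mode)


def _hostport(groups) -> Optional[tuple]:
    """Decode the h1,h2,h3,h4,p1,p2 form; reject out-of-range octets."""
    a, b, c, d, p1, p2 = (int(g) for g in groups)
    if max(a, b, c, d, p1, p2) > 255:
        return None
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def expect_from_line(line: bytes, from_client: bool, loose: bool = False) -> Optional[dict]:
    """Return the expected data connection for one control-channel line, or None."""
    if from_client:
        m = PORT_RE.match(line)
        announcer, opener = CLIENT, SERVER
    else:
        m = PASV_RE.match(line)
        announcer, opener = SERVER, CLIENT
    if not m:
        return None
    hp = _hostport(m.groups())
    if hp is None:
        return None
    host, port = hp
    # Like the kernel ftp helper with 'loose' off (assumption): only accept an
    # address that belongs to the peer announcing it. Anything else would let an
    # FTP client open the filter towards a third host (FTP bounce).
    if not loose and host != announcer[0]:
        return None
    # The other peer opens the data connection from any source port, so the
    # expectation matches on protocol, source host and destination only.
    return {"proto": "tcp", "src": opener[0], "dst": host, "dport": port}


def build_expect_list(control_lines, loose: bool = False) -> List[dict]:
    """control_lines: iterable of (from_client, raw_line) as seen on port 21."""
    expects = []
    for from_client, line in control_lines:
        e = expect_from_line(line, from_client, loose)
        if e is not None:
            expects.append(e)
    return expects


def classify(expects: List[dict], packet: dict) -> str:
    """'RELATED' if a new connection matches an expectation (which is consumed,
    as a kernel expectation is once used), otherwise 'NEW'."""
    for i, e in enumerate(expects):
        if all(packet.get(k) == v for k, v in e.items()):
            del expects[i]
            return "RELATED"
    return "NEW"


# Constructed control-channel traffic: (True = client -> server, False = server -> client)
CONTROL = [
    (True, b"PORT 192,0,2,10,156,65\r\n"),                               # active: 192.0.2.10:40001
    (False, b"227 Entering Passive Mode (198,51,100,20,195,89)\r\n"),    # passive: 198.51.100.20:50009
    (True, b"PORT 203,0,113,5,0,22\r\n"),                                # bounce attempt: third host, port 22
]

if __name__ == "__main__":
    strict = build_expect_list(CONTROL)
    print(len(strict), "expectations with strict checking")          # 2: the bounce is rejected
    print(len(build_expect_list(CONTROL, loose=True)), "with loose")  # 3
    data_syn = {"proto": "tcp", "src": "198.51.100.20", "sport": 20, "dst": "192.0.2.10", "dport": 40001}
    print(classify(strict, data_syn))                                 # RELATED
```

The interesting line is the announcer check: without it, the third PORT command would add an expectation for 198.51.100.20 connecting to 203.0.113.5:22, and the firewall would treat the server's first SYN to that host as RELATED to a permitted FTP session.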

SYN Rate Limiter

Denial-of-Service (DoS) attacks on servers aim to deny the service to legitimate users. In the simplest case, the attacker overloads the server with useless packets to exhaust its capacity. Since such attacks require a lot of bandwidth, more and more attackers use so-called SYN flood attacks, which do not aim at saturating the bandwidth but at tying up system resources. For this purpose, they send SYN packets to the TCP port of the service, for example port 80 on a web server, without ever completing the handshake, so that the server keeps a half-open connection for each of them.

The SYN Rate Limiter function limits the rate of SYN packets forwarded to the local network. It is disabled by default (status light shows red). Note that a rate limiter drops every SYN above its threshold, legitimate or not: during a flood it protects the server's resources but does not guarantee that legitimate clients get through.

Click the Enable button to enable the function (status light shows green).
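The manual does not describe the limiter's algorithm, so the following added example (not code from the manual or the product) uses a token bucket, which is also how the netfilter limit match works, and runs it over a constructed trace: a 200-packet SYN burst from spoofed sources followed by two legitimate connection attempts. The rate, burst size, addresses and timings are all assumptions made for the example. It shows both the benefit (only the first 20 SYNs of the flood reach the server) and the caveat from the paragraph above (a legitimate SYN arriving right after the burst is dropped too, while one arriving after the bucket has refilled passes; SYN/ACK replies are never limited).

```python
from typing import List, NamedTuple, Set


class Pkt(NamedTuple):
    t: float        # arrival time in seconds
    src: str
    flags: Set[str]


class SynRateLimiter:
    """Token bucket over inbound TCP connection attempts (an assumption about
    the product; the manual does not state its algorithm)."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec          # tokens refilled per second
        self.burst = burst                # bucket capacity
        self.tokens = float(burst)
        self.last = 0.0
        self.dropped = 0

    def allow(self, p: Pkt) -> bool:
        # Only pure SYNs are connection attempts; SYN/ACK and data are passed.
        if "SYN" not in p.flags or "ACK" in p.flags:
            return True
        elapsed = max(0.0, p.t - self.last)
        self.last = p.t
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        self.dropped += 1
        return False


def simulate(limiter: SynRateLimiter, packets: List[Pkt]) -> List[bool]:
    """Verdict per packet, in arrival order (True = forwarded)."""
    return [limiter.allow(p) for p in sorted(packets, key=lambda p: p.t)]


def constructed_trace() -> List[Pkt]:
    # 200 SYNs in 0.1 s from rotating spoofed sources, then legitimate traffic.
    flood = [Pkt(i * 0.0005, f"203.0.113.{i % 250 + 1}", {"SYN"}) for i in range(200)]
    legit = [
        Pkt(0.15, "192.0.2.10", {"SYN"}),          # arrives right after the burst
        Pkt(0.16, "192.0.2.10", {"SYN", "ACK"}),   # handshake replies are never limited
        Pkt(1.0, "192.0.2.11", {"SYN"}),           # arrives after the bucket refilled
    ]
    return flood + legit


if __name__ == "__main__":
    lim = SynRateLimiter(rate_per_sec=5, burst=20)
    verdicts = simulate(lim, constructed_trace())
    print("flood SYNs forwarded:", sum(verdicts[:200]))     # 20
    print("legit SYN at t=0.15:", verdicts[200])           # False (collateral drop)
    print("legit SYN at t=1.0:", verdicts[202])            # True
    print("dropped total:", lim.dropped)                   # 181
```

With a rate of 5 SYNs per second and a burst of 20, the bucket holds about 0.5 tokens when the flood ends, so the legitimate SYN 50 ms later finds less than one token and is dropped; the one arriving at 1.0 s finds five. Choose the burst size from the measured rate of genuine connection attempts, not from the flood you expect.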

Protocol Handling

Strict TCP Session Handling: To provide reliable data transport, the Transmission Control Protocol (TCP) in the transport layer is used. TCP establishes a connection between two hosts and retransmits data until it receives an acknowledgement that the data have arrived. The connection set-up is called the TCP handshake and is executed in three steps. Before a client can exchange data with a server, it sends a TCP packet whose header has the SYN flag set, together with its initial sequence number; this asks the server to set up a connection. In addition, the client advertises its window size, the number of bytes it is prepared to receive before they must be acknowledged. In the second step the server replies with a packet in which both the SYN and the ACK (acknowledge) flag are set, and advertises its own window size. In the last step the client confirms this with an ACK and begins to send data.

By default the firewall accepts packets that belong to an ongoing TCP session (for example PSH/ACK packets) even if it has not seen the TCP handshake of that session. This is necessary if existing connections are to survive, for example, a restart of Novell Security Manager or a takeover by the second Novell Security Manager in a High Availability system.

If the Strict TCP Session Handling function is enabled, a connection is only accepted when the firewall has seen it being set up by a complete TCP handshake. A forged ACK packet can then no longer create a tracked connection, but existing connections are lost after a restart or failover and must be re-established by the clients.
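The following added example (not code from the manual or the product) models the two behaviours as a small connection-tracking state machine. With strict off it behaves like the default described above: a mid-stream PSH/ACK whose session is unknown creates an ESTABLISHED entry, which is what lets connections survive a restart. With strict on, only a full handshake seen by the tracker creates an entry, and the same mid-stream packet is INVALID. The endpoints, packet dicts and verdict names are assumptions made for the example; the verdicts follow the NEW/ESTABLISHED/INVALID vocabulary of netfilter connection tracking.

```python
from typing import Dict, Tuple

# Constructed endpoints (assumption): client 192.0.2.10:40001, server 198.51.100.20:80
CLIENT = ("192.0.2.10", 40001)
SERVER = ("198.51.100.20", 80)


def pkt(src, dst, *flags) -> dict:
    return {"src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1],
            "flags": frozenset(flags)}


HANDSHAKE = [
    pkt(CLIENT, SERVER, "SYN"),
    pkt(SERVER, CLIENT, "SYN", "ACK"),
    pkt(CLIENT, SERVER, "ACK"),
]
DATA = pkt(CLIENT, SERVER, "PSH", "ACK")          # a data segment of that session
FORGED = pkt(("203.0.113.9", 4444), SERVER, "ACK")  # an attacker's bare ACK, no handshake


class TcpTracker:
    """Minimal TCP connection tracker. strict=False picks up sessions
    mid-stream (the default described in the manual); strict=True requires
    the three-way handshake."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.table: Dict[Tuple, str] = {}   # direction-independent key -> state

    @staticmethod
    def _key(p: dict) -> Tuple:
        return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

    def process(self, p: dict) -> str:
        """Return the verdict for one packet: NEW, ESTABLISHED or INVALID."""
        k = self._key(p)
        flags = p["flags"]
        state = self.table.get(k)
        if state is None:
            if flags == {"SYN"}:
                self.table[k] = "SYN_SENT"
                return "NEW"
            if not self.strict and "ACK" in flags and "SYN" not in flags:
                # Loose pickup: trust that this belongs to a session we missed.
                self.table[k] = "ESTABLISHED"
                return "ESTABLISHED"
            return "INVALID"
        if state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.table[k] = "SYN_RECV"
            return "ESTABLISHED"
        if state == "SYN_RECV" and flags == {"ACK"}:
            self.table[k] = "ESTABLISHED"
            return "ESTABLISHED"
        if state == "ESTABLISHED" and "SYN" not in flags:
            return "ESTABLISHED"
        return "INVALID"


def after_restart(strict: bool) -> str:
    """The handshake is seen, then the firewall restarts (empty table) and the
    next data segment of the same session arrives."""
    before = TcpTracker(strict)
    for p in HANDSHAKE:
        before.process(p)
    after = TcpTracker(strict)          # restarted or failed over: table is empty
    return after.process(DATA)


if __name__ == "__main__":
    print("data after restart, loose :", after_restart(False))   # ESTABLISHED
    print("data after restart, strict:", after_restart(True))    # INVALID
    print("forged ACK, loose :", TcpTracker(False).process(FORGED))  # ESTABLISHED
    print("forged ACK, strict:", TcpTracker(True).process(FORGED))   # INVALID
```

The forged-ACK case is the security side of the trade-off: in loose mode a single spoofed ACK creates a tracked connection, so a rule set that relies on "allow ESTABLISHED" while filtering only NEW packets can be bypassed for the duration of that entry.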

Validate Packet-Length: The packet filter checks data packets for a minimum length if the ICMP, TCP or UDP protocol is used.

The minimum packet lengths for the individual protocols are:

• icmp: 22 bytes

• tcp: 48 bytes

• udp: 28 bytes

Packets shorter than these minimum values are blocked and recorded in the Packet Filter log file with the annotation INVALID_PKT:.


The log files are administered in the Local Logs/Browse menu.
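As an added example (not code from the manual or the product), the following checker applies the three minimum lengths listed above to raw IPv4 packets and emits an INVALID_PKT: log line for anything that fails. The manual does not say which headers the product counts, so the example applies the minima to the IPv4 total-length field (an assumption), and it additionally rejects packets whose declared length exceeds what actually arrived, the case a downstream parser must never see. The sample packets are constructed inline.

```python
import struct
from typing import Dict, Tuple

# Minimum lengths as the manual lists them; applied here to the IPv4 total
# length field (assumption about how the product counts them).
MIN_LEN = {1: 22, 6: 48, 17: 28}              # icmp, tcp, udp
PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}


def validate_length(raw: bytes) -> Tuple[str, str]:
    """Return (verdict, log_line). verdict is PASS, DROP or IGNORE (protocol not
    subject to the check); log_line is non-empty only for DROP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return "DROP", "INVALID_PKT: truncated or non-IPv4 header"
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    if proto not in MIN_LEN:
        return "IGNORE", ""
    # Reject below-minimum packets, and also packets that claim more bytes
    # than were captured, so nothing downstream reads past the buffer.
    if total_len < MIN_LEN[proto] or total_len < ihl or len(raw) < total_len:
        return "DROP", (f"INVALID_PKT: {PROTO_NAME[proto]} {src} -> {dst} "
                        f"len={total_len} (min {MIN_LEN[proto]})")
    return "PASS", ""


def ipv4(proto: int, payload: bytes, src: str = "192.0.2.10",
         dst: str = "198.51.100.20") -> bytes:
    """Build a constructed IPv4 packet for the samples (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + payload


# Constructed samples; the comment gives the IPv4 total length.
SAMPLES: Dict[str, bytes] = {
    "udp_ok":        ipv4(17, b"\x00\x35\x00\x35\x00\x08\x00\x00"),  # 28: header only, allowed
    "udp_no_header": ipv4(17, b""),                                  # 20: no UDP header
    "tcp_syn_opts":  ipv4(6, bytes(40)),                             # 60: SYN with options
    "tcp_short":     ipv4(6, bytes(10)),                             # 30: below 48
    "icmp_echo":     ipv4(1, bytes(8)),                              # 28: echo header
    "icmp_short":    ipv4(1, b"\x08"),                               # 21: below 22
    "gre":           ipv4(47, bytes(4)),                             # not an icmp/tcp/udp packet
    "tcp_truncated": ipv4(6, bytes(40))[:50],                        # claims 60, only 50 present
}


def run_samples() -> Dict[str, str]:
    return {name: validate_length(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, line = validate_length(raw)
        print(f"{name:14s} {verdict:6s} {line}")
```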

Logging Options

Log Unique DNS Requests: Each unique DNS request sent to or through the firewall is recorded in the Packet Filter log file with the annotation DNS_REQUEST:.

The log files are administered in the Local Logs/Browse menu.

Log FTP Data Connections: All FTP data connections, in active as well as in passive mode, are recorded in the Packet Filter log file with the annotation FTP_DATA:.

The log files are administered in the Local Logs/Browse menu.

System Information

Packet Filter Live Log: The Packet Filter Live Log monitors the packet filter and NAT rules in place on the Security Manager. The window shows, in real time, the packets intercepted by the packet filter. This is especially useful for troubleshooting and debugging packet filter rules: if, after Novell Security Manager starts, a networked application such as online banking is not accessible, the Packet Filter Live Log helps you determine which packets are being blocked by the packet filter.

Clicking the Show button opens a new window that displays rule violations in a table, in the order of their occurrence and in real time.

The background color shows which action was performed for the respective rule violation:

• Red: The packet was dropped. Packets blocked by the Spoof Protection, Validate Packet Length and SYN Rate Limiter functions also have a red background.

• Yellow: The packet was rejected.

• Green: The packet was allowed through.

Setting/Resetting the Live Log Filter: With the IP Address/Netmask and Port entry fields and the Protocol drop-down menu, you can configure the Packet Filter Live Log so that only rule violations with specific attributes are displayed in the table. The filter applies to rule violations logged after it has been enabled. The filter is enabled by clicking the Set button.

To reset the filter, click the Clear button. From then on, all rule violations are displayed in the Packet Filter Live Log again.

Clicking the Pause Log check box stops or resumes the update.

Note: Only rules for which the Log function has been enabled under Packet Filter/Rules are written to the log, so only their hits can appear in the Live Log.
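The same filtering can be reproduced offline over the log files from Local Logs/Browse. The following added example (not code from the manual or the product) parses a handful of constructed log lines, applies a filter with the same three fields as the Live Log (IP address/netmask, port, protocol, each optional), and maps each entry's action to the background color listed above. The line format used here is constructed for the example; this page does not show the product's actual log format.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LogEntry:
    time: str
    action: str     # 'drop', 'reject' or 'accept'
    proto: str      # 'tcp', 'udp' or 'icmp'
    src: str
    sport: int
    dst: str
    dport: int
    reason: str     # e.g. 'SPOOF', 'INVALID_PKT', or '' for a plain rule hit


# Background colors as the manual lists them for the Live Log.
COLOR = {"drop": "red", "reject": "yellow", "accept": "green"}


def parse_line(line: str) -> LogEntry:
    """Parse one constructed log line of the form
    '<time> <ACTION> <proto> <src>:<sport> -> <dst>:<dport> [<reason>]'."""
    parts = line.split()
    time, action, proto, src, _arrow, dst = parts[:6]
    reason = parts[6] if len(parts) > 6 else ""
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return LogEntry(time, action.lower(), proto.lower(), s_ip, int(s_port),
                    d_ip, int(d_port), reason)


@dataclass
class LiveLogFilter:
    """The three Live Log fields; an unset field matches everything."""
    network: Optional[ipaddress.IPv4Network] = None
    port: Optional[int] = None
    proto: Optional[str] = None

    @classmethod
    def from_fields(cls, network: str = "", port: str = "", proto: str = "") -> "LiveLogFilter":
        """Build a filter from the raw field contents; an empty field means 'any'."""
        return cls(
            network=ipaddress.ip_network(network, strict=False) if network else None,
            port=int(port) if port else None,
            proto=proto.lower() or None,
        )

    def matches(self, e: LogEntry) -> bool:
        if self.network is not None:
            if (ipaddress.ip_address(e.src) not in self.network
                    and ipaddress.ip_address(e.dst) not in self.network):
                return False
        if self.port is not None and self.port not in (e.sport, e.dport):
            return False
        if self.proto is not None and e.proto != self.proto:
            return False
        return True


def filter_log(lines: List[str], flt: LiveLogFilter) -> List[LogEntry]:
    return [e for e in map(parse_line, lines) if flt.matches(e)]


def color_for(e: LogEntry) -> str:
    # Drops by Spoof Protection, Validate Packet Length and the SYN Rate
    # Limiter are shown like any other drop: red.
    return COLOR[e.action]


# Constructed log lines for the example.
LOG = [
    "12:00:01 DROP tcp 203.0.113.7:51000 -> 192.0.2.10:22",
    "12:00:02 ACCEPT tcp 192.0.2.10:40001 -> 198.51.100.20:443",
    "12:00:03 REJECT udp 192.0.2.11:53001 -> 192.0.2.1:53",
    "12:00:04 DROP tcp 10.0.0.5:3333 -> 192.0.2.10:80 SPOOF",
    "12:00:05 DROP icmp 203.0.113.9:0 -> 192.0.2.10:0 INVALID_PKT",
]

if __name__ == "__main__":
    flt = LiveLogFilter.from_fields(network="192.0.2.0/24", port="22")
    for e in filter_log(LOG, flt):
        print(color_for(e), e)      # one red entry: the dropped SSH attempt
```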

Current System Packet Filter Rules: The Current Packet Filter Rules window provides detailed information for expert administrators. The table shows all rules currently in force, including system-generated ones, read directly from the operating system kernel.

Current System NAT Rules: As with the current filter rules, Current NAT Rules displays all user- and system-defined NAT rules.

Connection Tracking Table: This menu shows a list of all current connections and their connection parameters.
