Introduction to Network Security
About IP addresses
To send ordinary mail to a person, you must know his or her street address. For one computer on the Internet to send data to a different computer, it must know the address of that computer. A computer's address is known as an Internet Protocol (IP) address. All devices on the Internet have unique IP addresses, which enable other devices on the Internet to find and interact with them.
An IP address consists of four octets (8-bit binary sequences) expressed in decimal format and separated by periods. Each number between the periods must be within the range of 0 and 255. Some examples of IP addresses are:
206.253.208.100
4.2.2.2
10.0.4.1
Private addresses and gateways
Many companies create private networks that have their own address space. The addresses 10.x.x.x and 192.168.x.x are set aside for private IP addresses. Computers on the Internet cannot use these addresses. If your computer is on a private network, you connect to the Internet through a gateway device that has a public IP address.
Usually, the default gateway is the router that is between your network and the Internet. After you install the Firebox on your network, it becomes the default gateway for all computers connected to its trusted or optional interfaces.
About subnet masks
Because of security and performance considerations, networks are often divided into smaller portions called subnets. All devices in a subnet have similar IP addresses. For example, all devices that have IP addresses whose first three octets are 50.50.50 would belong to the same subnet.
A network IP address's subnet mask, or netmask, is a string of bits that masks sections of the IP address to show how many addresses are available and how many are already in use. For example, a large network subnet mask might look like this: 255.255.0.0. Each zero shows that a range of IP addresses from 1 to 255 is available. Each octet of 255 represents an IP address range that is already in use. In a network with a subnet mask of 255.255.0.0, there are 65,025 IP addresses available. A smaller network subnet mask is 255.255.255.0, with which only 254 IP addresses are available.
About slash notation
The Firebox uses slash notation for many purposes, including policy configuration. Slash notation is a compact way to show the subnet mask for a network. To write slash notation for a subnet mask:
1. First, find the binary representation of the subnet mask. For example, the binary representation of 255.255.255.0 is 11111111.11111111.11111111.00000000.
2. Count each 1 in the subnet mask. This example has twenty-four (24) ones.
3. Add the number from step two to the IP address, separated by a forward slash (/). The IP address 192.168.42.23/24 is equivalent to an IP address of 192.168.42.23 with a netmask of 255.255.255.0.
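The following Python script is an added example and is not part of the WatchGuard manual. It writes out, as checkable functions, the rules this section states in prose: the four-octet 0-255 format of an address, the three-step slash-notation procedure, membership of two addresses in the same subnet under a mask, the private address ranges, and the number of host addresses a mask leaves free. The host count uses the conventional calculation (two to the power of the host bits, minus the all-zeros and all-ones host numbers, so a /16 gives 65,534 and a /24 gives 254). The 172.16.0.0/12 block is the third RFC 1918 private range; it is not mentioned on the page and is added here. Sample addresses are the page's own examples plus constructed values.

```python
# Added example (not from the WatchGuard manual): the slash-notation
# procedure and the subnet/private-address rules from this section, written
# out as functions. Sample addresses are the page's own examples plus
# constructed values.


def octets(dotted):
    """Parse a dotted-quad string into four integers, enforcing the page's
    definition: exactly four numbers, each in the range 0-255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    values = []
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet must be 0-255: {part!r} in {dotted!r}")
        values.append(int(part))
    return values


def to_int(dotted):
    """Pack the four octets into one 32-bit integer, first octet highest."""
    word = 0
    for value in octets(dotted):
        word = (word << 8) | value
    return word


def binary_form(dotted):
    """Step 1: the binary representation, eight bits per octet."""
    return ".".join(f"{value:08b}" for value in octets(dotted))


def mask_to_bits(mask):
    """Step 2: count the ones. A valid netmask is a run of ones followed by
    a run of zeros; anything else (e.g. 255.0.255.0) is rejected, because
    such a 'mask' would silently match the wrong addresses in a policy."""
    bits = f"{to_int(mask):032b}"
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def slash_notation(ip, mask):
    """Step 3: the address, a forward slash, then the count from step 2."""
    octets(ip)  # validate the address part as well
    return f"{ip}/{mask_to_bits(mask)}"


def usable_hosts(mask):
    """Host addresses available under a mask, excluding the all-zeros
    (network) and all-ones (broadcast) host numbers. /31 and /32 yield no
    ordinary hosts by this rule; the page does not cover those cases."""
    host_bits = 32 - mask_to_bits(mask)
    return max(2 ** host_bits - 2, 0)


def same_subnet(a, b, mask):
    """Two addresses share a subnet when the bits the mask keeps are equal."""
    mask_to_bits(mask)  # reject a malformed mask before trusting it
    m = to_int(mask)
    return (to_int(a) & m) == (to_int(b) & m)


# RFC 1918 private ranges. The page lists 10.x.x.x and 192.168.x.x; the
# 172.16.0.0/12 block is the third RFC 1918 range and is added here.
PRIVATE_RANGES = (
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
)


def is_private(ip):
    """True when the address falls in an RFC 1918 private range, i.e. it is
    reachable from the Internet only through a gateway with a public address."""
    return any(same_subnet(ip, net, mask) for net, mask in PRIVATE_RANGES)


if __name__ == "__main__":
    print(binary_form("255.255.255.0"))
    print(slash_notation("192.168.42.23", "255.255.255.0"))
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(mask, "->", usable_hosts(mask), "usable hosts")
    for ip in ("206.253.208.100", "4.2.2.2", "10.0.4.1"):
        print(ip, "private" if is_private(ip) else "public")
```

The contiguity check in `mask_to_bits` is the part worth keeping when a mask comes from user input or a configuration file: a mask such as 255.0.255.0 has a perfectly good count of ones but no meaning as a prefix length, and a policy built from it would not match the addresses the administrator expects. In production code the standard library's `ipaddress.ip_network(..., strict=False)` performs the same conversion and validation.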
User Guide 3
Table of contents
- 13 Introduction to Network Security
- 13 About networks and network security
- 13 About Internet Connections
- 14 About protocols
- 14 How Information Travels on the Internet
- 15 About IP addresses
- 15 Private addresses and gateways
- 15 About subnet masks
- 15 About slash notation
- 16 About entering IP addresses
- 16 Static and dynamic IP addresses
- 16 About DHCP
- 16 About PPPoE
- 17 About Domain Name Service (DNS)
- 17 About services and policies
- 18 About ports
- 19 About Firewalls
- 20 The Firebox X Edge and your Network
- 21 Installation
- 21 Before you begin
- 21 Verify basic requirements
- 22 Identify your network settings
- 23 Find your TCP/IP Properties
- 24 Find PPPoE settings
- 25 Disable the HTTP proxy
- 25 Disable the HTTP proxy in Internet Explorer 6.x or 7.x
- 26 Disable the HTTP proxy in Firefox 2.x
- 26 Disable the HTTP proxy in Safari
- 26 Disable pop-up blocking
- 26 Disable the pop-up blocker in Internet Explorer 6.x or 7.x
- 26 Disable the pop-up blocker in Firefox 2.x
- 26 Disable the pop-up blocker in Safari
- 28 Add computers to the trusted network
- 28 Connect the Edge to more than four devices
- 29 Set your computer to connect to the Edge
- 29 Use DHCP
- 30 Use a static IP address
- 33 Configuration Pages Overview
- 33 About Edge Configuration Pages
- 33 Connect to the Firebox X Edge
- 35 Navigating the Firebox X Edge User Interface
- 35 System Status page
- 36 Network page
- 37 Firebox Users page
- 38 Administration page
- 39 Firewall page
- 40 Logging page
- 41 WebBlocker page
- 42 spamBlocker page
- 43 Gateway AV/IPS page
- 44 VPN page
- 44 Wizards page
- 45 ARP table
- 46 Authentications
- 46 Connections
- 46 Proxy filter connections
- 46 Packet filter connections
- 47 Components list
- 47 DHCP leases
- 48 Dynamic DNS
- 48 Hostile sites
- 48 Interfaces
- 49 License
- 49 LiveSecurity
- 49 Memory
- 49 Processes
- 50 Protocols
- 50 Routes
- 51 Security Services
- 51 Syslog
- 51 Traffic Control
- 52 Wireless statistics
- 53 Configuration and Management Basics
- 53 About basic configuration and management tasks
- 53 About the Edge backup configuration file
- 54 Before You Begin
- 54 See the Configuration File
- 55 Create a backup configuration file
- 55 Restore your Edge configuration
- 55 Before You Begin
- 55 Restore your configuration from a backup file
- 56 Reconnect the Firebox X Edge to a management server
- 57 Related questions
- 59 About feature keys
- 59 When you purchase a new feature
- 59 Get a current feature key
- 60 Get a feature key
- 61 Restart the Firebox locally
- 61 Using the web browser
- 61 Disconnecting the power supply
- 63 To set the system time
- 65 SNMP polls
- 65 Enable SNMP Polling
- 65 About MIBs
- 66 About selecting HTTP or HTTPS for management
- 66 Use HTTP instead of HTTPS
- 67 Change the HTTP server port
- 67 About WatchGuard System Manager access
- 67 Rename the Firebox X Edge e-series in WSM
- 68 Enable centralized management with WSM
- 69 Enable remote management with WFS v7.3 or earlier
- 70 Allow traffic from a management server
- 70 About managing the Edge from a remote location
- 72 About updating the Firebox X Edge software
- 72 Method 1: Install software automatically
- 72 Method 2: Install software manually
- 73 About upgrade options
- 73 Available upgrade options
- 73 Add a feature to your Firebox X Edge
- 74 Upgrade your Firebox X Edge model
- 75 Network Settings
- 75 About network interface setup
- 77 If your ISP uses DHCP
- 80 Advanced PPPoE settings
- 81 Configure your external interface as a wireless interface
- 82 About advanced external network settings
- 82 Change the MAC address of the external interface
- 83 About configuring the trusted network
- 84 About changing the IP address of the trusted network
- 84 Change the IP address of the trusted network
- 86 Set trusted network DHCP address reservations
- 87 Make the Firebox a DHCP relay agent for the trusted interface
- 88 Use static IP addresses for trusted computers
- 88 Allow wireless connections to the trusted interface
- 88 About restricting access to an interface by MAC address
- 89 Restrict access to the trusted interface by MAC address
- 90 Find the MAC address of a computer
- 92 Enable the optional network
- 94 Set optional network DHCP address reservations
- 94 About DHCP relay agents
- 95 Make the Firebox a DHCP relay agent for the optional interface
- 95 Use static IP addresses for optional computers
- 95 Add computers to the optional network
- 95 Allow wireless connections to the optional interface
- 96 About restricting access to an interface by MAC address
- 96 Restrict access to the optional interface by MAC address
- 96 About static routes
- 97 Add a static route
- 98 About the Dynamic DNS service
- 98 Create a DynDNS account
- 98 Set up the Firebox X Edge for Dynamic DNS
- 99 Configure the Firebox to use BIDS
- 100 About using multiple external interfaces
- 100 Multiple WAN configuration options
- 100 WAN Failover
- 100 Multi-WAN load balancing
- 101 About multiple external interfaces and DNS
- 101 Configure a second external interface for a broadband connection
- 103 Configure the Edge to use round-robin load balancing
- 104 Configure WAN failover
- 104 Enable WAN failover with the Setup Wizard
- 105 Configure the Edge for serial modem failover
- 108 About virtual local area networks (VLANs)
- 108 Add a VLAN tag to the External Interface
- 109 Add a VLAN tag to the Trusted or Optional Interface
- 111 Wireless Setup
- 111 About wireless setup
- 111 Before you begin
- 112 About wireless configuration settings
- 112 Change the SSID
- 112 Enable/disable SSID broadcasts
- 113 Log authentication events
- 113 Change the fragmentation threshold
- 113 About the frame size
- 113 Change the RTS threshold
- 114 About wireless security settings
- 114 Set the wireless authentication method
- 114 Set the encryption level
- 115 WPA and WPA2 PSK authentication
- 115 About wireless connections to the trusted interface
- 116 Allow wireless connections to the trusted interface
- 117 Allow wireless connections to the optional interface
- 118 Enable a wireless guest network manually
- 120 About wireless radio settings
- 120 Set the operating region and channel
- 120 Set the wireless mode of operation
- 121 Configure the wireless card on your computer
- 123 Firewall Policies
- 123 About policies
- 123 Packet filter and proxy policies
- 125 Common Proxy Policies
- 125 Common Packet Filter Policies
- 126 Policy rules
- 126 Incoming and outgoing traffic
- 129 Editing common packet filter policies
- 129 Set access control options (incoming)
- 130 Set access control options (outgoing)
- 131 Add a custom policy using a wizard
- 132 Add a custom packet filter policy manually
- 132 Filter incoming traffic for a custom policy
- 133 Filter outgoing traffic for a custom policy
- 134 Control traffic from the trusted to optional network
- 135 Disable traffic filters between trusted and optional networks
- 135 About policy precedence
- 137 Proxy Settings
- 137 About proxy policies
- 138 Enable a common proxy policy
- 138 Add or Edit a Proxy Policy
- 139 Set access control options
- 139 Use a policy to manage manual VPN network traffic
- 140 About the HTTP proxy
- 140 HTTP proxy: Proxy Limits
- 141 HTTP requests: General settings
- 141 HTTP responses: General settings
- 142 Configure the HTTP proxy policy deny message
- 143 Define exceptions
- 143 To add an HTTP proxy exception
- 143 HTTP responses: Content types
- 144 HTTP requests: URL paths
- 144 Block unsafe URL path patterns
- 144 HTTP responses: Cookies
- 144 Block cookies from a site
- 145 About the FTP proxy
- 145 Edit the FTP proxy
- 145 Set access control options
- 146 FTP proxy: Proxy limits
- 147 About the POP3 proxy
- 147 Edit the POP3 proxy
- 148 Set access control options
- 148 POP3 proxy: Proxy limits
- 150 POP3 proxy: Content types
- 150 POP3 proxy: Allow only safe content types
- 151 About the SMTP proxy
- 152 Set access control options
- 154 SMTP Proxy: Filter email by address pattern
- 155 SMTP proxy: Email content
- 155 Allow only safe content types
- 155 Add or remove a content type
- 155 Add or remove file name patterns
- 156 Deny unsafe file name patterns
- 156 About the HTTPS proxy
- 159 About the Outgoing Proxy
- 159 Settings tab
- 159 Content tab
- 159 About additional security subscriptions for proxies
- 161 Default Threat Protection
- 161 About intrusion prevention
- 162 About blocked sites
- 162 Permanently blocked sites
- 162 Auto-blocked sites/Temporary Blocked Sites list
- 163 Block a site permanently
- 164 Block sites temporarily
- 165 About blocked ports
- 165 Default blocked ports
- 166 Block a port
- 167 Drop DoS flood attacks
- 168 Distributed denial-of-service prevention
- 169 Configure firewall options
- 171 Chapter 10 Traffic Management
- 171 About Traffic Management
- 171 About network traffic
- 171 Causes for slow network traffic
- 172 Traffic Categories
- 172 Interactive traffic
- 172 High priority
- 172 Medium priority
- 172 Low priority
- 173 Traffic Marking
- 174 About Traffic Control Options
- 175 Enable Traffic Control
- 176 Related Questions
- 177 Types of NAT
- 177 NAT behavior
- 177 Secondary IP addresses
- 178 About dynamic NAT
- 178 About static NAT
- 178 About 1-to-1 NAT
- 179 About 1-to-1 NAT and VPNs
- 179 Enable 1-to-1 NAT
- 179 Three steps are necessary to enable 1-to-1 NAT
- 180 Add a secondary external IP address for 1-to-1 NAT mapping
- 180 Add or edit a policy for 1-to-1 NAT
- 180 Enable secondary addresses
- 180 Add or edit a policy for 1-to-1 NAT
- 181 Chapter 11 Logging
- 181 About logging and log files
- 181 Log Servers
- 182 Event Log and System Status Syslog
- 182 Logging and notification in applications and servers
- 182 About log messages
- 182 See the event log file
- 182 To see the event log file
- 183 Send your event logs to the Log Server
- 185 Send logs to a Syslog host
- 187 Chapter 12 Certificates
- 187 About certificates
- 187 Certificate authorities and signing requests
- 187 About certificates and the Firebox X Edge
- 188 Create a certificate
- 188 Use OpenSSL to generate a CSR
- 188 Use Microsoft CA to create a certificate
- 188 Send the certificate request
- 189 Issue the certificate
- 189 Download the certificate
- 189 About using certificates on the Firebox X Edge
- 189 Import a certificate
- 189 Use a local certificate
- 190 Remove a certificate
- 190 Examine the properties of a certificate
- 190 Related questions
- 190 Can I sign my own certificates?
- 190 I have a certificate or CSR that is not in the format I need. What do I do?
- 190 What is the maximum number of certificates I can import on the Firebox X Edge?
- 190 If I make a backup of my Firebox X Edge configuration, are my certificates saved?
- 191 Chapter 13 User and Group Management
- 191 About user licenses
- 191 When a user license is used
- 192 Managing user sessions
- 193 How users authenticate
- 194 Set authentication options for all users
- 195 Configure an individual user account
- 196 Require users to authenticate to the Edge
- 197 Authenticate a session without administrative access
- 197 Create a read-only administrative account
- 198 Use the built-in administrator account
- 198 Set a WebBlocker profile for a user
- 199 Change a user account name or password
- 200 About using third-party authentication servers
- 201 Configure the LDAP/Active Directory authentication service
- 202 Use the LDAP authentication test feature
- 202 Configure groups for LDAP authentication
- 203 Add a group for LDAP authentication
- 204 Set a WebBlocker profile for an LDAP group
- 204 LDAP authentication and Mobile VPN with IPSec
- 204 About Single Sign-On (SSO)
- 205 Before You Begin
- 206 Install the WatchGuard Single Sign-On (SSO) agent
- 206 Download the SSO agent software
- 207 Install the SSO agent service
- 209 See active sessions and users
- 209 Firebox user settings
- 209 Active sessions
- 210 Local User account
- 211 Editing a user account
- 211 Deleting a user account
- 211 Allow internal devices to bypass user authentication
- 213 Chapter 14 WebBlocker
- 213 About WebBlocker
- 216 Download the server software
- 216 Install Quarantine Server and WebBlocker Server
- 216 About WebBlocker profiles
- 219 See whether a site is categorized
- 220 Add, remove, or change a category
- 221 Add an allowed site
- 222 Add a denied site
- 223 Allow internal hosts to bypass WebBlocker
- 225 Chapter 15 spamBlocker
- 225 About spamBlocker
- 225 spamBlocker requirements
- 226 About Virus Outbreak Detection (VOD)
- 226 spamBlocker actions, tags, and categories
- 226 spamBlocker tags
- 227 Enable spamBlocker
- 227 Configure spamBlocker
- 229 Set POP3 email actions
- 229 Set SMTP email actions
- 230 About spamBlocker exceptions
- 230 Create exceptions
- 230 Change the order of exceptions
- 231 About using spamBlocker with multiple proxies
- 231 Create rules for your email reader
- 231 Send spam or bulk email to special folders in Outlook
- 232 Send a report about false positives or false negatives
- 233 Use RefID record instead of message text
- 233 Find the category a message is assigned to
- 234 Add Trusted Email Forwarders
- 235 Chapter 16 Quarantine Server
- 235 About the Quarantine Server
- 236 Install the Quarantine Server and WebBlocker Server
- 236 Download the server software
- 236 Install Quarantine Server and WebBlocker Server
- 237 Install server components
- 237 Run the Setup Wizard
- 237 Define the server location
- 238 Set general server parameters
- 239 Change expiration settings and user domains
- 240 Change notification settings
- 242 Enable or disable logging
- 242 Add or prioritize Log Servers
- 242 Send messages to the Windows Event Viewer
- 242 Send messages to a file
- 245 Open the messages dialog box
- 246 Save messages or send to a user’s inbox
- 246 Delete messages manually
- 246 Delete messages automatically
- 247 Open the messages dialog box
- 249 Add users
- 249 Remove users
- 249 Change the notification option for a user
- 250 Get statistics on Quarantine Server activity
- 250 See statistics from specific dates
- 250 See specific types of messages
- 250 Group statistics by month, week, or day
- 250 Export and print statistics
- 251 Chapter 17 Gateway AntiVirus and Intrusion Prevention Service
- 251 About Gateway AntiVirus and Intrusion Prevention
- 252 About Gateway AntiVirus settings
- 252 POP3 proxy deny messages and Gateway AV/IPS
- 254 About Intrusion Prevention Service settings
- 257 Chapter 18 Branch Office Virtual Private Networks
- 257 Process required to create a tunnel
- 258 About VPN Failover
- 259 About managed VPNs
- 259 Set up manual VPN tunnels
- 259 What you need for Manual VPN
- 260 Sample VPN address information table
- 261 Create Manual VPN tunnels on your Edge
- 262 Phase 1 settings
- 267 See VPN statistics
- 268 Why do I need a static external address?
- 268 How do I get a static external IP address?
- 268 How do I troubleshoot the connection?
- 268 Why is ping not working?
- 268 How do I set up more than the number of allowed VPN tunnels on my Edge?
- 269 Chapter 19 About Mobile VPN with PPTP
- 270 Enable PPTP on the Edge
- 271 Configure DNS and WINS settings
- 273 Prepare the client computers
- 273 Create and connect a PPTP Mobile VPN for Windows Vista
- 273 Create a PPTP connection
- 273 Establish the PPTP connection
- 274 Create and connect a PPTP Mobile VPN for Windows XP
- 274 Create the PPTP Mobile VPN
- 274 Connect with the PPTP Mobile VPN
- 275 Create the PPTP Mobile VPN
- 275 Connect with the PPTP Mobile VPN
- 276 Default-route VPN
- 276 Split tunnel VPN
- 276 Default-route VPN setup for Mobile VPN with PPTP
- 276 Split tunnel VPN setup for Mobile VPN with PPTP
- 277 Chapter 20 About Mobile VPN with IPSec
- 277 Client requirements
- 278 Enable Mobile VPN for a Firebox user account
- 279 Enable Mobile VPN for a group
- 280 About Mobile VPN Client configuration files
- 280 Configure global Mobile VPN with IPSec client settings
- 281 WINS/DNS Settings for Mobile VPN with IPSec
- 281 Get the user’s .wgx file
- 283 Client Requirements
- 283 Import the end-user profile
- 284 Select a certificate and enter the PIN
- 284 Uninstall the Mobile VPN client
- 285 Connect and disconnect the Mobile VPN client
- 285 Disconnect the Mobile VPN client
- 286 Control connection behavior
- 287 Mobile User VPN client icon
- 287 See Mobile VPN log messages
- 287 Secure your computer with the Mobile VPN firewall
- 287 Enable the link firewall
- 288 About the desktop firewall
- 290 Create firewall rules
- 291 General tab
- 294 Applications tab
- 295 Chapter 21 About Mobile VPN with SSL
- 295 Before You Begin
- 295 Steps required to set up your tunnels
- 295 Options for Mobile VPN with SSL tunnels
- 296 Client requirements
- 296 Enable Mobile VPN with SSL for a Firebox user
- 297 Enable Mobile VPN with SSL for a group
- 299 SSL VPN General Tab
- 300 SSL VPN Advanced tab
- 301 Download the client software
- 302 Install the Mobile VPN with SSL client software (Windows Vista and Windows XP)
- 303 Connect to the Firebox with the Mobile VPN with SSL client (Mac OS X)
- 304 Mobile VPN with SSL client controls
- 304 Uninstall the Mobile VPN with SSL client
- 304 Mobile VPN with SSL client for Windows Vista and Windows XP
- 304 Mobile VPN with SSL client for Mac OS X