This section provides a quick "walk-through" where the security policy of a newly installed Amaranten Firewall is being modified. The walk-through assumes that a new Amaranten Firewall has been installed by following the steps outlined in the Getting Started guide.
In this walk-through, we will use the following names and IP addresses:
The interface chosen as management interface is if1.
The IP address of interface if1 is 192.168.101.240 with netmask 255.255.255.0.
The server or workstation running Amaranten Firewall Manager resides on the same subnet, for instance with IP address 192.168.101.100.
The firewall has been given the name Paris in Amaranten Firewall Manager.
Note: Naturally, you will have to substitute the information above with the interface name and IP addresses you are using in your specific installation.
When an Amaranten Firewall is first installed, its default rule-set is very restrictive:
The management server is allowed to remotely manage the firewall.
Hosts residing on networks connected to the if1 interface are allowed to send ICMP Echo Requests to the firewall.
The firewall will return ICMP Echo Replies to the requesting host.
All other traffic is unconditionally dropped.
In this walk-through, we will modify the rule-set so that we no longer allow ICMP Echo Requests to be sent to the firewall. Disabling ICMP Echo Requests may seem unnecessary, but we use it here because this modification to the security policy is easy to understand and to verify with standard tools available on all platforms.
We start by verifying that the firewall replies to ICMP Echo Requests. This is performed by using the ping utility. Open a standard Command Prompt on the management station and leave the Amaranten Firewall Manager running.
At the command prompt, type:
ping 192.168.101.240
If everything works, ping should return output similar to the one displayed in the window below. If ping returns a "Request timed out" message, some part of the initial firewall configuration did not succeed. Please check the troubleshooting section in the Getting Started guide to try to locate the error.

Switch back to Amaranten Firewall Manager. Locate and select your firewall. Right-click the firewall, and choose Check out from the Version Control submenu. The firewall and all child nodes will appear with small red dots next to the icons.
Locate and select the Rules node right below the firewall node. The rule-set of your firewall will be listed in the grid view as in the screen shot below. Notice the fourth rule, named BouncePing, in the list. This is the rule that permits ICMP Echo requests and replies to and from the firewall.

Select the BouncePing rule by clicking anywhere in the row. Right-click and choose Properties... from the menu shown. The dialog box below will be displayed. Notice the Address Filter section, stating that this rule will only match traffic received on interface if1 and with the core interface as destination (the core interface represents the firewall core, and is used for traffic that is destined for the firewall itself).
Click on the second tab of the dialog box. The Service page will be shown. Notice that this rule only applies to ICMP packets where Type is Echo Request.

Click on the first tab of the dialog box to switch back to the Rule page. Click the arrow button in the Action drop-down box to display the available actions. Select the action Drop. This changes the rule so that it drops all ICMP Echo Requests to the core instead of allowing them. Close the rule dialog box by clicking the OK button.

Select the Paris firewall node in the tree view again. Right-click and choose Check In from the Version Control submenu. A dialog box similar to the one below will be shown. Enter a version comment and click OK to close the dialog.

Your firewall will now be displayed with a blue information icon. Select the Firewalls folder just above your firewall. The list to the right indicates that the firewall "Needs deployment". The DB cfg column displays 2 while the Core cfg column displays 1. This means that the configuration version in the management database is more recent than the one running on the firewall.

Click the Deploy Configuration toolbar button.

A dialog box similar to the one shown below will be displayed. Click the Next button. The new configuration will now be uploaded to the firewall. When the upload is finished, the firewall will start using the new configuration. Click the Finish button to close the dialog box.

The information icon on your firewall and the "Needs Deployment" status will now disappear. This indicates that the firewall is using the most recent configuration available.
Test the new security policy by repeating the ping test. Now, the firewall should disallow all ICMP Echo Request packets, and the ping utility will return a "Request timed out" message.

Congratulations! You have successfully modified your first Amaranten Firewall security policy.
Note: The attentive reader might have noticed that, as the firewall drops all traffic not explicitly allowed, the same result as above would have been achieved if we had simply removed the entire BouncePing rule. However, there are many reasons why you might wish to explicitly drop specific traffic, logging for example.
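
The following added example (not part of the original guide, and not Amaranten's rule engine or configuration format) models the rule-set described above to show why an explicit Drop rule and a removed rule give the same verdict for ping yet differ in which rule matches. First-match evaluation, the rule name MgmtAccess, the service labels and the per-rule log flag are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "Allow" or "Drop"
    src_if: str        # interface the packet arrives on
    src_net: str       # permitted source network (CIDR)
    dest_if: str       # "core" = the firewall itself
    service: str       # simplified service label (assumption)
    log: bool = False  # per-rule logging flag (assumption)

@dataclass(frozen=True)
class Packet:
    src_if: str
    src_ip: str
    dest_if: str
    service: str

def evaluate(rules, pkt):
    """Return (action, matching rule name, logged); first match wins (assumed)."""
    for r in rules:
        if ((r.src_if, r.dest_if, r.service) == (pkt.src_if, pkt.dest_if, pkt.service)
                and ip_address(pkt.src_ip) in ip_network(r.src_net)):
            return r.action, r.name, r.log
    # Nothing matched: everything not explicitly allowed is dropped.
    return "Drop", "(default drop)", False

# Constructed model of the default rule-set; "MgmtAccess" is a hypothetical name.
DEFAULT = [
    Rule("MgmtAccess", "Allow", "if1", "192.168.101.100/32", "core", "management"),
    Rule("BouncePing", "Allow", "if1", "192.168.101.0/24", "core", "icmp-echo-request"),
]
# Walk-through result: BouncePing switched to Drop (logging enabled as an assumption).
EXPLICIT_DROP = [replace(r, action="Drop", log=True) if r.name == "BouncePing" else r
                 for r in DEFAULT]
# Alternative from the closing note: the rule removed entirely.
RULE_REMOVED = [r for r in DEFAULT if r.name != "BouncePing"]

PING = Packet("if1", "192.168.101.100", "core", "icmp-echo-request")
MGMT = Packet("if1", "192.168.101.100", "core", "management")

if __name__ == "__main__":
    for label, rules in [("default", DEFAULT), ("explicit drop", EXPLICIT_DROP),
                         ("rule removed", RULE_REMOVED)]:
        print(f"{label:14} ping={evaluate(rules, PING)} mgmt={evaluate(rules, MGMT)}")
```

In both modified rule-sets the ping is dropped and management access is unaffected; only the explicit Drop rule gives the dropped traffic a named rule to attribute it to.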