User guide

Provisioning the iMG/RG Creating RG Profiles with Field Descriptions
682
AlliedView NMS Administration Guide
Session Chaining - Some applications spawn their own secondary sessions. This process is known as session chaining.
When secondary sessions are successfully established, the source/destination addresses of the session will also be added
to the table of currently open primary sessions.
Firewall - The Firewall feature ensures that only traffic that has been already defined is allowed to access the internal
network. This is done by provisioning the following:
Port Filters - These are port attributes that define:
- What protocol type is allowed (specified using the protocol number or the protocol name)
- The range of source and destination port numbers allowed
- The direction that packets are allowed to travel in (inbound, outbound, neither, or both)
Validators - These define how the Firewall handles packets based on their source or destination IP address.
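As an added illustration (example code, not AlliedView NMS code), the following Python model shows how the Port Filter attributes listed above (protocol by name or number, source and destination port ranges, direction) and the address-based Validators combine into a default-deny decision. The evaluation order (validators first, then port filters, then drop) and the "allow"/"deny" validator actions are assumptions of this example; the guide only names the attributes. All addresses and rules are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

# Constructed model (not AlliedView code) of the Port Filter and Validator
# attributes described in the guide, with the default-deny decision a
# firewall applies: only traffic that has been defined is allowed.

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}   # names accepted in place of numbers


@dataclass(frozen=True)
class Packet:
    protocol: int          # IP protocol number
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str         # "inbound" or "outbound", relative to the internal network


@dataclass(frozen=True)
class PortFilter:
    protocol: Union[str, int]      # protocol name or number
    src_ports: tuple               # inclusive (low, high) source port range
    dst_ports: tuple               # inclusive (low, high) destination port range
    direction: str                 # "inbound", "outbound", "both" or "neither"

    def protocol_number(self) -> int:
        if isinstance(self.protocol, int):
            return self.protocol
        return PROTO_NUMBERS[self.protocol.lower()]

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol != self.protocol_number():
            return False
        if not self.src_ports[0] <= pkt.src_port <= self.src_ports[1]:
            return False
        if not self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1]:
            return False
        # "neither" never matches; "both" matches either direction
        return self.direction == "both" or self.direction == pkt.direction


@dataclass(frozen=True)
class Validator:
    network: str           # CIDR prefix the rule applies to
    side: str              # "src" or "dst": which address is checked
    action: str            # "allow" or "deny"

    def applies(self, pkt: Packet) -> bool:
        addr = pkt.src_ip if self.side == "src" else pkt.dst_ip
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.network)


def firewall_decision(pkt, filters, validators) -> str:
    """Return "allow" or "drop". The ordering (validators first, then port
    filters, then default deny) is an assumption of this example."""
    for v in validators:
        if v.applies(pkt):
            return "drop" if v.action == "deny" else "allow"
    if any(f.matches(pkt) for f in filters):
        return "allow"
    return "drop"          # nothing defined this traffic, so it is not allowed


def demo():
    """Constructed rule set and packets; returns the decision for each packet."""
    filters = [
        PortFilter("tcp", (1024, 65535), (80, 80), "outbound"),    # web browsing out
        PortFilter("tcp", (1024, 65535), (443, 443), "outbound"),
        PortFilter("tcp", (1024, 65535), (21, 21), "inbound"),     # published FTP server
        PortFilter(17, (1024, 65535), (53, 53), "outbound"),       # DNS queries, protocol by number
    ]
    validators = [
        Validator("198.51.100.0/24", "src", "deny"),     # constructed blocked source range
        Validator("203.0.113.99/32", "src", "allow"),    # constructed management host
    ]
    packets = [
        Packet(6, "192.168.1.20", "93.184.216.34", 40000, 443, "outbound"),   # allow: tcp/443 out
        Packet(6, "203.0.113.77", "192.168.1.5", 51000, 21, "inbound"),       # allow: published FTP
        Packet(6, "203.0.113.77", "192.168.1.5", 51000, 22, "inbound"),       # drop: never defined
        Packet(6, "198.51.100.9", "192.168.1.5", 51000, 21, "inbound"),       # drop: validator deny
        Packet(17, "192.168.1.20", "192.0.2.53", 5000, 53, "outbound"),       # allow: udp/53 out
        Packet(6, "203.0.113.77", "192.168.1.5", 51000, 80, "inbound"),       # drop: 80 is outbound-only
        Packet(6, "203.0.113.99", "192.168.1.5", 51000, 22, "inbound"),       # allow: validator allow
    ]
    return [firewall_decision(p, filters, validators) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The point worth noting is the last return in `firewall_decision`: a packet that matches no filter is dropped, which is what "only traffic that has been already defined is allowed" means in practice. Direction matters as well: the tcp/80 filter permits outbound browsing but does not open port 80 on internal hosts.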
Intrusion Detection System (IDS) - This protects the system from the following kinds of attacks:
DoS (Denial of Service) attacks - a DoS attack is an attempt by an attacker to prevent legitimate hosts from accessing a
service.
Port Scanning - an attacker scans a system in an attempt to identify any open ports.
Web Spoofing - an attacker creates a 'shadow' of the World Wide Web on their own machine, which a legitimate host
sees as the 'real' WWW. The attacker uses the shadow WWW to monitor the host's activities and to send false data to
and from the host's machine.
Each attack type has its own set of parameters that are filled out to configure it.
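To show what the configurable parameters of an IDS like this amount to, here is an added detector (example code, not the AlliedView IDS) for the first two attack types above: a port scan is flagged when one source touches many distinct destination ports within a short window, and a SYN-flood style DoS is flagged when one destination receives many SYN-only segments within a window. The log format, the thresholds and the sample log are all constructed for the example; Web Spoofing is not modelled.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example (not the AlliedView log format):
#   "<epoch-seconds> <src-ip> -> <dst-ip>:<dst-port> <tcp-flags>"
LOG_RE = re.compile(
    r"^(?P<t>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_line(line):
    """Return (t, src, dst, dport, flags) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (int(m["t"]), m["src"], m["dst"], int(m["dport"]), m["flags"])


def detect(lines, scan_ports=10, scan_window=5, dos_syns=50, dos_window=1):
    """Run both detectors over log lines; the keyword arguments are the
    per-attack-type parameters an operator would fill in. Returns a list of
    (kind, offender_or_victim, time) alerts, at most one per offender."""
    events = sorted(e for e in map(parse_line, lines) if e)
    per_src = defaultdict(deque)   # src -> recent (t, dport) pairs (scan detector)
    per_dst = defaultdict(deque)   # dst -> recent SYN timestamps (DoS detector)
    alerted = set()
    alerts = []
    for t, src, dst, dport, flags in events:
        # Port scan: distinct destination ports from one source within scan_window.
        q = per_src[src]
        q.append((t, dport))
        while q and t - q[0][0] > scan_window:
            q.popleft()
        if ("scan", src) not in alerted and len({p for _, p in q}) >= scan_ports:
            alerted.add(("scan", src))
            alerts.append(("port_scan", src, t))
        # SYN flood: SYN-only segments to one destination within dos_window.
        if flags == "S":
            d = per_dst[dst]
            d.append(t)
            while d and t - d[0] > dos_window:
                d.popleft()
            if ("dos", dst) not in alerted and len(d) >= dos_syns:
                alerted.add(("dos", dst))
                alerts.append(("syn_flood", dst, t))
    return alerts


# Constructed sample log: a 12-port sweep, a 60-SYN burst, and two benign lines.
SAMPLE_LOG = (
    [f"{100 + i // 4} 203.0.113.5 -> 192.0.2.10:{20 + i} S" for i in range(12)]
    + [f"200 198.51.100.{i % 250 + 1} -> 192.0.2.20:80 S" for i in range(60)]
    + ["300 192.0.2.30 -> 192.0.2.10:443 S", "301 192.0.2.30 -> 192.0.2.10:443 A"]
)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both detectors are sliding-window counters, so the window length and the count threshold are the parameters that decide the trade-off between missed slow scans and false alerts on busy hosts; tuning them to the site's normal traffic is the configuration work the guide refers to.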
Network Address Translation (NAT) - With basic NAT, the devices in the internal network keep their own IP
addresses but access the external network through a separate Internet address, which is the only address that devices
on the external network see. This both conserves public IP addresses and provides security. Security is provided by
keeping an internal table of each session's source IP address and source port together with a substitute source port
number. Packets coming from the external network must carry a known substitute port number, or the packet is dropped.
In some cases, the user needs to set up static IP addresses/port mappings. This is done using Global Pools and Reserved
Mappings.
A Global Pool is a range of available external IP addresses, rather than a single address. Global pools are used so
that you can map an outside address to a specific internal interface; this is called reserved mapping.
Reserved Mapping maps an IP address from the Global Pool to the individual address of a device in the internal
network. When NAT receives a message for a reserved address, it forwards the packet through its internal interface to
the same port number on the selected internal computer, and forwards any responses from that internal computer back
to the requesting external computer. Reserved mappings can also be used so that different internal hosts share the same
global address, by mapping different ports to different hosts. For example, if Host A is an FTP server and Host B is a
Web server, mapping the FTP port to Host A and the HTTP port to Host B lets both hosts use the same external address.
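The NAT, Global Pool and Reserved Mapping behaviour described above, as an added simulation (example code, not the iMG/RG implementation): outbound sessions get a substitute source port recorded in a translation table, inbound packets are forwarded only if they hit a reserved mapping or a known table entry, and the FTP/Web example shares one pool address between two internal hosts by port. The check that a dynamic reply must also come from the peer that was contacted is stricter than the port-only rule the guide states and is an assumption of this example, as are the port numbers, addresses and the 50000-upward substitute port range.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Iterator, Optional

# Constructed model (not AlliedView code) of basic NAT with a translation
# table, a Global Pool of external addresses, and Reserved Mappings.


@dataclass
class Nat:
    global_pool: list                                # external addresses available to NAT
    reserved: dict = field(default_factory=dict)     # (ext_ip, proto, ext_port) -> (int_ip, int_port)
    table: dict = field(default_factory=dict)        # (proto, subst_port) -> (int_ip, int_port, remote_ip, remote_port)
    _ports: Iterator[int] = field(default_factory=lambda: count(50000))   # assumed substitute port range

    def reserve(self, ext_ip, proto, ext_port, int_ip, int_port):
        """Publish an internal host:port on an address taken from the Global Pool."""
        if ext_ip not in self.global_pool:
            raise ValueError("reserved mappings draw from the Global Pool")
        self.reserved[(ext_ip, proto, ext_port)] = (int_ip, int_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an internal host's packet. Records the session in the table
        and returns the 5-tuple the remote host sees (first pool address used)."""
        subst = next(self._ports)
        self.table[(proto, subst)] = (src_ip, src_port, dst_ip, dst_port)
        return (proto, self.global_pool[0], subst, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, ext_ip, ext_port) -> Optional[tuple]:
        """Decide where a packet from the external network goes.
        Returns (int_ip, int_port), or None when the packet is dropped."""
        target = self.reserved.get((ext_ip, proto, ext_port))
        if target:
            return target                     # reserved mapping: forwarded to the published host
        if ext_ip == self.global_pool[0]:
            entry = self.table.get((proto, ext_port))
            # Substitute port must be known AND (stricter than the guide) the
            # packet must come from the peer that the internal host contacted.
            if entry and entry[2:] == (src_ip, src_port):
                return entry[:2]
        return None                           # unknown port or address: dropped


def demo():
    """Constructed scenario: one dynamic session plus Host A (FTP) and Host B
    (Web) sharing the second pool address by port. Returns the outcomes."""
    nat = Nat(global_pool=["203.0.113.10", "203.0.113.11"])
    nat.reserve("203.0.113.11", "tcp", 21, "192.168.1.5", 21)     # Host A: FTP
    nat.reserve("203.0.113.11", "tcp", 80, "192.168.1.6", 80)     # Host B: Web
    out = nat.outbound("tcp", "192.168.1.20", 40000, "198.51.100.7", 443)
    return {
        "outbound": out,
        "reply": nat.inbound("tcp", "198.51.100.7", 443, "203.0.113.10", out[2]),
        "forged_reply": nat.inbound("tcp", "198.51.100.9", 443, "203.0.113.10", out[2]),
        "unknown_port": nat.inbound("tcp", "198.51.100.7", 443, "203.0.113.10", 50001),
        "ftp_to_a": nat.inbound("tcp", "198.51.100.50", 51234, "203.0.113.11", 21),
        "http_to_b": nat.inbound("tcp", "198.51.100.50", 51235, "203.0.113.11", 80),
        "unpublished": nat.inbound("tcp", "198.51.100.50", 51236, "203.0.113.11", 22),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two `None` results on the pool address are the security property the guide describes: an external host cannot reach an internal device unless an internal host opened the session or an operator published the port. The reserved mappings, by contrast, are reachable from anywhere, which is why a published port should also be covered by a Port Filter.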
Internet Key Exchange (IKE) - To support NAT traversal for IPSec, you specify how Internet Key Exchange (IKE) packets
are translated. IKE establishes a shared security policy and authenticates keys for services that require keys, such as IPSec.
Before any IPSec traffic can be passed, each router/firewall/host must verify the identity of its peer. The user specifies
whether the source port is translated for IKE packets or whether IKE cookies are used to identify IKE sessions.
7.4.3.2 General Internet Info Tab
This form controls whether a Bridged or Routed Service is to be configured. Refer to the following figure.