User guide
Security Security interfaces
iMG/RG Software Reference Manual (IPNetwork Functions)
4-60
4.2.3.1 Security Triggers - Dynamic Port Opening
The Dynamic Port Opening (also known as Security Triggers) feature solves a typical security problem related to Internet
applications that require secondary ports to be open in order for a session to operate, or that need binary
IP addresses in the payload translated, and that do not have an Application Level Gateway (ALG).
For example, an FTP control session operates on port 21, but FTP uses port 20 as a secondary port for the
data transfer process. The more ports that are open, the greater the security risk. So, the Dynamic Port
Opening service makes it possible to designate certain secondary ports that will only be opened when there is an
active session on their associated primary port.
AT-iMG Models use triggers to inform the security mechanism to expect secondary sessions and how to handle
them. Rather than allowing a range of port numbers, triggers handle the situation dynamically, allowing the
secondary sessions only when appropriate.
The trigger mechanism works without having to understand the application protocol or read the payload of
the packet (although the payload does need to be read when NAT is in use and address replacement has to be
performed).
4.2.3.1.1 CONFIGURING TRIGGERS
To create a trigger for a TCP or UDP application, enter:
security add trigger <name> {tcp|udp} <startport> <endport> <maxactinterval>
The <startport> and <endport> attributes allow you to configure the port range used by the application to open
a primary session. Most applications use a single port to open a primary session, in which case you can enter
the same port value for both attributes. For example, to create a trigger for Windows Media Player, enter:
security add trigger WMP tcp 1755 1755 30000
In this command, notice that the <maxactinterval> attribute has been set to 30000. This attribute determines
the maximum interval time in milliseconds between the use of secondary port sessions. It prevents the security
threat posed by ports remaining open unnecessarily for long periods of time. If a secondary port remains
inactive for the duration set, the port is automatically closed.
4.2.3.1.2 CONFIGURING SESSION CHAINING
The majority of applications that require triggers only open one additional (secondary) session; however, a small
number of rare applications (like WS NetMeeting) open a secondary session which in turn opens additional
sessions after the primary session has ended. This is called session chaining: multi-level sessions are triggered
from a single trigger. To configure session chaining, use the command:
security set trigger <name> sessionchaining {enable|disable}
This command enables session chaining for TCP packets only. If you also want to configure session chaining for
UDP packets, use the command:
security set trigger <name> UDPsessionchaining {enable|disable}
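The following Python model illustrates the trigger behaviour described in 4.2.3.1.1 and 4.2.3.1.2 together: a primary session in the trigger's port range authorises secondary sessions from the same remote host, a secondary session is closed once it has been idle longer than maxactinterval, and only with session chaining enabled can a secondary session authorise further sessions after the primary has ended. It is an added example, not Allied Telesis code, and it does not reproduce the device's actual packet handling; the matching rule (same remote host, any port), the sample addresses, and the method names are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Trigger:
    name: str
    proto: str             # "tcp" or "udp"
    startport: int
    endport: int
    maxactinterval: int    # idle limit for secondary sessions, in milliseconds
    sessionchaining: bool = False     # chaining for TCP secondary sessions
    udpsessionchaining: bool = False  # chaining for UDP secondary sessions

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.startport <= port <= self.endport

    def chaining_for(self, proto: str) -> bool:
        return self.udpsessionchaining if proto == "udp" else self.sessionchaining


@dataclass
class Session:
    proto: str
    remote: str
    port: int
    trigger: Trigger
    last_activity: int    # millisecond timestamp of the last packet seen
    secondary: bool       # False for the primary session that fired the trigger


class TriggerFirewall:
    """Simplified model (assumption): a primary session authorises secondary
    sessions from the same remote host; secondaries expire when idle."""

    def __init__(self) -> None:
        self.triggers: list[Trigger] = []
        self.sessions: list[Session] = []

    def add_trigger(self, name, proto, startport, endport, maxactinterval):
        # security add trigger <name> {tcp|udp} <startport> <endport> <maxactinterval>
        trig = Trigger(name, proto, startport, endport, maxactinterval)
        self.triggers.append(trig)
        return trig

    def set_chaining(self, name, enable, udp=False):
        # security set trigger <name> sessionchaining|UDPsessionchaining {enable|disable}
        for trig in self.triggers:
            if trig.name == name:
                if udp:
                    trig.udpsessionchaining = enable
                else:
                    trig.sessionchaining = enable

    def expire(self, now):
        # Close secondary sessions that have been idle longer than maxactinterval.
        self.sessions = [s for s in self.sessions
                         if not (s.secondary and now - s.last_activity > s.trigger.maxactinterval)]

    def outbound(self, proto, remote, port, now):
        # A LAN host opens a session; if the port is in a trigger's range it is a primary session.
        for trig in self.triggers:
            if trig.matches(proto, port):
                self.sessions.append(Session(proto, remote, port, trig, now, secondary=False))
                return True
        return False

    def inbound(self, proto, remote, port, now):
        # Unsolicited inbound session: accepted only if an authorising session with the same
        # remote host exists (a primary, or a secondary when chaining is enabled for this protocol).
        self.expire(now)
        for s in self.sessions:
            if s.remote == remote and (not s.secondary or s.trigger.chaining_for(proto)):
                self.sessions.append(Session(proto, remote, port, s.trigger, now, secondary=True))
                return True
        return False

    def close_primary(self, remote, port):
        self.sessions = [s for s in self.sessions
                         if not (s.remote == remote and s.port == port and not s.secondary)]

    def open_secondary_ports(self, remote, now):
        self.expire(now)
        return sorted(s.port for s in self.sessions if s.remote == remote and s.secondary)


def demo():
    """Walk through the WMP trigger from the manual; returns the firewall's decisions."""
    fw = TriggerFirewall()
    fw.add_trigger("WMP", "tcp", 1755, 1755, 30000)
    server, other = "203.0.113.5", "198.51.100.9"   # constructed sample addresses
    results = {}
    results["primary"] = fw.outbound("tcp", server, 1755, now=0)
    results["secondary_same_host"] = fw.inbound("tcp", server, 5005, now=1000)
    results["secondary_other_host"] = fw.inbound("tcp", other, 5005, now=1000)
    fw.close_primary(server, 1755)
    results["chained_without_chaining"] = fw.inbound("tcp", server, 6006, now=3000)
    fw.set_chaining("WMP", True)
    results["chained_with_chaining"] = fw.inbound("tcp", server, 6006, now=3500)
    results["ports_before_timeout"] = fw.open_secondary_ports(server, now=20000)
    results["ports_after_timeout"] = fw.open_secondary_ports(server, now=40000)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Running the model shows the two security properties the manual describes: a host that has no active primary session with the trigger's port gets no secondary session, and every secondary port closes on its own once it has been idle for longer than the 30000 ms maxactinterval, whether or not session chaining is enabled.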