XSR User's Guide (page 330)
Chapter 13: Configuring Security on the XSR
Firewall CLI Commands
2 The XSR's AAA functionality talks to an authentication server or consults a local database based on the user's credentials.
3 If authentication is successful, AAA informs the firewall engine of the user's source IP address and an authentication entry is created within the firewall engine.
4 Policy rules specified for the firewall allow the user access to a server after consultation with the firewall engine's authentication cache. Authentication failures are tracked using logs or traps, and entries time out after an inactive period. If authentication fails, all packets that match policy rules with allow-auth for that source IP are dropped.
Firewall and NAT - On outgoing packets, stateful inspection is done before NAT, because NAT modifies the source address of all packets to that of the XSR and policy rules are defined with respect to internal and external addresses. On incoming packets, NAT is performed before firewall inspection.
Firewall and VPN - VPN tunnels are implemented as virtual interfaces that "sit" on physical interfaces. Stateful inspection is applied before encryption and encapsulation on outgoing packets, and after de-capsulation and decryption on incoming packets.
ACLs and Firewall - Access Control Lists are available as a basic filter on a per-interface basis to pass or drop packets going in or out of a port. In the outbound direction, a packet is subjected to firewall inspection before filtering by an ACL. Inbound, a packet is filtered by an ACL and then by the firewall.
NOTE
Be aware that if the firewall is enabled on an interface, ACLs should not be used on that interface, so that all checks can be performed in one place.
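The processing order described above (inspect before NAT on the way out, NAT before inspection on the way in) and the allow-auth check against an authentication cache with idle timeout, as an added, simplified model written for this page; it is not XSR code, and the addresses, the rule format and the 300-second timeout are constructed assumptions:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

XSR_PUBLIC = "203.0.113.1"  # constructed: address NAT substitutes for internal sources

@dataclass
class Rule:
    src: str      # source network, written in internal/external address terms
    dst: str      # destination network
    action: str   # "allow", "allow-auth" or "drop"

@dataclass
class Firewall:
    rules: list
    idle_timeout: int = 300                          # seconds before an auth entry expires
    auth_cache: dict = field(default_factory=dict)   # source IP -> time of last activity

    def authenticate(self, src, now):
        """AAA success: record an authentication entry for the user's source IP."""
        self.auth_cache[src] = now

    def _authenticated(self, src, now):
        last = self.auth_cache.get(src)
        if last is None or now - last > self.idle_timeout:
            self.auth_cache.pop(src, None)           # inactive entry has timed out
            return False
        self.auth_cache[src] = now                   # traffic keeps the entry alive
        return True

    def inspect(self, src, dst, now):
        """First matching rule decides; allow-auth consults the authentication cache."""
        for r in self.rules:
            if ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst):
                if r.action == "allow-auth":
                    return self._authenticated(src, now)
                return r.action == "allow"
        return False                                 # no match: drop

def outbound(fw, src, dst, now):
    """Outgoing: inspect while the packet still carries its internal source, then NAT."""
    if not fw.inspect(src, dst, now):
        return None
    return (XSR_PUBLIC, dst)

def inbound(fw, nat_table, src, dst, now):
    """Incoming: undo NAT first so the rule lookup sees the internal destination."""
    real_dst = nat_table.get(dst)
    if real_dst is None or not fw.inspect(src, real_dst, now):
        return None
    return (src, real_dst)
```

Because `outbound` evaluates rules before translation, an allow-auth rule written against the internal 10.0.0.0/8 range still matches; after the source became 203.0.113.1 it could not.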
Firewall CLI Commands
The XSR provides configuration objects which, used in policy rules, can be specified at the CLI. These and other firewall commands are as follows:
Network - Identifies a network or host. A network with a subnet address, or a host with an address and 32-bit mask, is specified with ip firewall network. The command also configures whether the network or host resides on the trusted/internal or untrusted/external network.