XSR User’s Guide
Chapter 13: Configuring Security on the XSR
Pre-configuring the Firewall
We recommend you consider the following suggestions to set up the firewall:
Establish a security plan by:
– Examining your network topology
– Determining exactly what resources you want to protect
– Deciding where on the network to enable the firewall, and planning to write a Telnet or SSH policy for remote administration if you are configuring an XSR located in the field
– Making a list of internal addresses
– Forming an inventory of desirable applications the firewall will allow between protected and external networks
Look up official port numbers of well-known applications at:
http://www.iana.org/assignments/protocol-numbers
The show ip firewall session command also lists these numbers.
Refer to “Firewall Limitations” on page 335 before configuration.
Steps to Configure the Firewall
Follow the procedure below to configure the firewall:
Specify the network objects
Specify network-group, service and service group objects
Specify policies for TCP and UDP. Remember, the order is important and objects and names are case-sensitive
Specify filters for other protocols (ICMP, OSPF, ESP, etc.)
Set miscellaneous parameters such as:
– TCP, UDP or ICMP session timeouts
– Logging event-levels 0-7
– Authentication service for users
– Java and ActiveX filtering
– IP options filtering on the interface such as time-stamps, route recording, and loose or strict routing through the Internet
– Multicast or broadcast filtering for routing and communications protocol filtering
Perform a trial or delayed load to check for configuration errors
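
The following pre-load check is an added example, not part of the XSR guide or the XSR CLI. It lints a firewall plan for the two pitfalls noted in the procedure: object names that differ only by case, and policies that can never take effect because of their order. The plan layout, object names and addresses are constructed, and top-down first-match evaluation is an assumption.

```python
import ipaddress

# Constructed sample plan: hypothetical object names, documentation/private addresses.
NETWORKS = {"Internal": "10.1.0.0/16", "DMZ": "192.0.2.0/24", "Any": "0.0.0.0/0"}
SERVICES = {"HTTP": ("tcp", 80), "SSH": ("tcp", 22), "AnyTCP": ("tcp", None)}
POLICIES = [  # (name, source, destination, service, action), assumed evaluated top-down
    ("AdminSSH", "Any", "DMZ", "SSH", "allow"),
    ("BlockIn", "Any", "Internal", "AnyTCP", "reject"),
    ("WebIn", "Any", "internal", "HTTP", "allow"),   # wrong case: "internal"
    ("MgmtIn", "DMZ", "Internal", "SSH", "allow"),   # placed after a broader reject
]

def covers(svc_a, svc_b):
    # svc_a covers svc_b when the protocol matches and svc_a's port is "any" or equal.
    return svc_a[0] == svc_b[0] and svc_a[1] in (None, svc_b[1])

def lint(networks, services, policies):
    nets = {n: ipaddress.ip_network(c) for n, c in networks.items()}
    findings, valid = [], []
    for pol in policies:
        name, src, dst, svc, action = pol
        missing = False
        for ref, table in ((src, nets), (dst, nets), (svc, services)):
            if ref not in table:  # exact, case-sensitive lookup
                near = [k for k in table if k.lower() == ref.lower()]
                hint = f" (defined as {near[0]!r}; names are case-sensitive)" if near else ""
                findings.append(f"{name}: undefined object {ref!r}{hint}")
                missing = True
        if missing:
            continue
        # An earlier, broader policy with a different action hides this one.
        for e_name, e_src, e_dst, e_svc, e_action in valid:
            if (nets[src].subnet_of(nets[e_src]) and nets[dst].subnet_of(nets[e_dst])
                    and covers(services[e_svc], services[svc]) and e_action != action):
                findings.append(f"{name}: shadowed by earlier policy {e_name}")
                break
        valid.append(pol)
    return findings

if __name__ == "__main__":
    for finding in lint(NETWORKS, SERVICES, POLICIES):
        print(finding)
```

Correcting the case of "internal" and moving the broad reject to the end of the list clears both findings.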