Published by Solomon Gordon. Modified over 9 years ago.
1 Sepehr Firewalls
Sepehr Sadra Tehran Co. Ltd.
Ali Shayan, December 2008
2 Introduction
- GOS3 (GateMAN Operating System v3)
- User interfaces: GUI (GateSetUP) and CLI
- Log and log analyzers:
  – SLAT v2, v3 (Sepehr Log Analysis Tool)
  – CBLR (Client Based Log Report)
  – Caser (Content Analysis System Extended Revision)
- LAN user accounting:
  – Authentication server: gateauthd
  – Authentication clients: LAN Authenticator (web-based), GateAUTH (Windows application)
- RAMA (Remote Access Monitoring Agent)
3 Firewall Platform Types
- Sepehr4100 series: Sepehr4110, Sepehr4108, Sepehr4106, Sepehr4104, Sepehr4102
- Sepehr3400
4 Sepehr4100 Series Hardware Specification
- 2 x 10/100/1000 Mbps UTP Ethernet ports
- 2 x GBIC PCI-Express card
- 4 x 10/100/1000 Mbps UTP Ethernet PCI-Express card
- Bypass module
- Fault tolerant in router mode
- VPN accelerator
- 3.2 GHz Xeon CPU
- 2 GB RAM
- LCD panel for limited configuration
- 19-inch rack-mountable chassis, 1U height
6 Sepehr4110 Hardware Specification
- 10 x 10/100/1000 Mbps UTP Ethernet ports
- Fault tolerant in router mode
- VPN accelerator
- 3.2 GHz Xeon CPU
- 2 GB RAM
- LCD panel for limited configuration
- 19-inch rack-mountable chassis, 1U height
7 Sepehr4108 Hardware Specification
- 6 x 10/100/1000 Mbps UTP Ethernet ports
- 2 x GBIC/SFP PCI-Express card
- Fault tolerant in router mode
- VPN accelerator
- 3.2 GHz Xeon CPU
- 2 GB RAM
- LCD panel for limited configuration
- 19-inch rack-mountable chassis, 1U height
8 Sepehr4106 Hardware Specification
- 2 x 10/100/1000 Mbps UTP Ethernet ports
- 4 x GBIC/SFP PCI-Express card
- Fault tolerant in router mode
- VPN accelerator
- 3.2 GHz Xeon CPU
- 2 GB RAM
- LCD panel for limited configuration
- 19-inch rack-mountable chassis, 1U height
9 Sepehr4100 Final Hardware
10 Sepehr 4104 Hardware Specification
- 4 x 10/100/1000 Mbps UTP Ethernet ports
- 3.2 GHz Pentium IV CPU
- 1 GB RAM
- Bypass module
- Fault tolerant in router mode
- LCD panel for limited configuration
- 19-inch rack-mountable chassis, 1U height
11 Sepehr 4102 Hardware Specification
- 2 x 10/100 Mbps UTP Ethernet ports
- 2 x 10/100/1000 Mbps UTP Ethernet ports
- 2.8 GHz Pentium IV CPU
- 1 GB RAM
- Bypass module
- Fault tolerant in router mode
- LCD panel for limited configuration
- 19-inch rack-mountable chassis, 1U height
12 Sepehr 3400 Hardware Specification
- 4 x 10/100 Mbps UTP Ethernet ports
- 1 GHz CPU
- 1 GB RAM
- Fault tolerant in router mode
- VPN accelerator
- 19-inch rack-mountable chassis, 1U height
13 Firewall Engine Types
- Without any extension
- FL (Full Log):
  – Firewall with all features
  – Logging the packet headers (Log Packet, Log Connection, Log NAT)
  – Logging the packet content
- FLV (Full Log Visualize):
  – Firewall with all features
  – Logging the packet headers (Log Packet, Log Connection, Log NAT)
  – Logging the packet content
  – Events visualizer (Caser)
14 Sepehr 4100 Series, Sepehr 3400
- Firewall with all firewalling features
- Logging the headers of packets and connections: Log Packet, Log Connection, Log NAT
- Statistical log analyzer (SLAT 2)
- Client-based log analyzer (CBLR)
- Authentication
15 Sepehr 4100 FL Series, Sepehr 3400 FL
- Firewall with all firewalling features
- Logging the headers of packets and connections: Log Packet, Log Connection, Log NAT
- Logging the body of packets and connections: Log Content
- Statistical log analyzer (SLAT 2)
- Client-based log analyzer (CBLR)
- Authentication
- RAMA
16 Sepehr 4100 FLV Series, Sepehr 3400 FLV
- Firewall with all firewalling features
- Logging the headers of packets and connections: Log Packet, Log Connection, Log NAT
- Logging the body of packets and connections: Log Content
- Statistical log analyzer (SLAT 2)
- Client-based log analyzer (CBLR)
- Events visualizer (Caser)
- Authentication
- RAMA
17 Working Modes
- Bridge
- Router
- Compound mode
18 Traffic Shaping
- Per firewall network interface:
  – Frames per second limitation on input/output frames per port
  – Bits per second limitation on input/output bits per port
- By protocol type
- By source/destination MAC address
- By source/destination IP address
- By source/destination port number
- Per TCP connection bandwidth limitation
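The limits on this slide are all instances of one mechanism: a token bucket selected by some key (a port and direction, a protocol, an address pair, a TCP connection) and charged either one token per frame or one token per bit. The following is an added illustration written for this page, not code from the Sepehr product or the original deck; the rule names, the interface names eth0/eth1, the rates, and the traffic in run_demo() are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Frame:
    iface: str
    direction: str          # "in" or "out", relative to the firewall port
    proto: str              # "tcp", "udp", "icmp", ...
    src_ip: str
    dst_ip: str
    sport: int = 0
    dport: int = 0
    length: int = 0         # frame length in bytes

class TokenBucket:
    """'rate' tokens per second accrue, at most 'burst' are stored; a token is one frame or one bit depending on the rule."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def refill(self, now: float) -> None:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

@dataclass
class Rule:
    name: str
    match: Callable[[Frame], bool]      # does this rule apply to the frame?
    key: Callable[[Frame], object]      # which bucket: per port, per connection, per address ...
    cost: Callable[[Frame], float]      # 1 for a frame limit, length*8 for a bit-rate limit
    rate: float
    burst: float
    buckets: dict = field(default_factory=dict)

class Shaper:
    def __init__(self, rules):
        self.rules = rules

    def process(self, frame: Frame, now: float) -> str:
        """A frame passes only if every matching rule has tokens; tokens are charged only when it passes."""
        grants = []
        for rule in self.rules:
            if not rule.match(frame):
                continue
            bucket = rule.buckets.setdefault(rule.key(frame), TokenBucket(rule.rate, rule.burst))
            bucket.refill(now)
            cost = rule.cost(frame)
            if cost > bucket.tokens:
                return "drop:" + rule.name
            grants.append((bucket, cost))
        for bucket, cost in grants:
            bucket.tokens -= cost
        return "accept"

def conn_key(f: Frame):
    """Direction-independent 5-tuple so both halves of one TCP connection share a bucket."""
    return (f.proto,) + tuple(sorted([(f.src_ip, f.sport), (f.dst_ip, f.dport)]))

def build_demo_shaper() -> Shaper:
    # Assumed policy: 8 kbit/s out of eth1, 2 frames/s into eth1, 16 kbit/s per TCP connection (burst 4 kbit).
    return Shaper([
        Rule("eth1-out-bps", lambda f: f.iface == "eth1" and f.direction == "out",
             lambda f: (f.iface, f.direction), lambda f: f.length * 8, rate=8_000, burst=8_000),
        Rule("eth1-in-fps", lambda f: f.iface == "eth1" and f.direction == "in",
             lambda f: (f.iface, f.direction), lambda f: 1, rate=2, burst=2),
        Rule("tcp-conn-bps", lambda f: f.proto == "tcp", conn_key, lambda f: f.length * 8, rate=16_000, burst=4_000),
    ])

def run_demo():
    """Constructed traffic (not captured data); returns the verdict for each frame in order."""
    shaper = build_demo_shaper()
    dns = Frame("eth1", "out", "udp", "10.0.0.5", "198.51.100.9", 5000, 53, 500)      # 4000 bits
    ping = Frame("eth1", "in", "icmp", "198.51.100.9", "10.0.0.5", length=64)
    c2s = Frame("eth0", "out", "tcp", "10.0.0.5", "192.0.2.10", 40000, 80, 500)
    s2c = Frame("eth0", "in", "tcp", "192.0.2.10", "10.0.0.5", 80, 40000, 500)
    events = [(0.0, dns), (0.0, dns), (0.0, dns),       # third 500-byte frame exhausts the 8000-bit burst
              (0.0, ping), (0.0, ping), (0.0, ping),    # third frame exceeds the 2-frame burst
              (0.0, c2s), (0.0, c2s),                   # second segment of the same connection is over its burst
              (0.25, s2c),                              # reply direction shares the bucket, refilled by 4000 bits
              (0.5, dns)]                               # eth1 output bucket has refilled 4000 bits by now
    return [shaper.process(f, t) for t, f in events]
```

Checking all matching rules before charging any of them keeps a frame that is dropped by the per-connection limit from also consuming the port's bit budget.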
19 Packet Filtering
- Packet filtering based on input/output direction
- Packet filtering based on input/output interface
20 Packet Filtering (continued)
- MAC protocol filtering by type (ARP, Reverse ARP, IP, IPX, ..., and raw frames)
- Internet protocol filtering by type (ICMP, IGMP, TCP, ..., and raw packets) and source/destination address
- TCP/UDP filtering by source/destination port
- ICMP filtering by type and code
21 Checksum
- Full IP datagram filtering with automatic IP header checksum control (labelled "Layer 2" on the slide; the IPv4 header checksum is a Layer 3 check)
- Checksum checking (inbound) on TCP, UDP or ICMP packets (labelled "Layer 3" on the slide; these are transport-layer checksums), with one of three policies:
  – Accept if correct
  – Drop if incorrect
  – Accept if incorrect
- Checksum calculating (outbound) on TCP, UDP or ICMP packets
Caveat on "Accept if incorrect": a receiving host discards a segment whose transport checksum fails, so a firewall that accepts and tracks such segments can be fed packets the end host never processes, which lets an attacker desynchronise the firewall's view of a connection from the host's (the classic insertion evasion). Prefer "Drop if incorrect" unless a specific device on the path is known to corrupt checksums.
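To make the two checks on this slide concrete, here is an added example (written for this page, not code from the Sepehr engine) that validates the IPv4 header checksum and the TCP/UDP/ICMP checksum of a raw packet and applies the slide's inbound policies. The checksum is the one's-complement sum of RFC 1071; TCP and UDP additionally cover an IPv4 pseudo-header (addresses, protocol, length). The packet in SAMPLE is constructed by build_ipv4_tcp() for the example; the addresses and ports are assumed.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4, TCP, UDP and ICMP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                                  # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                   # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

def ip_header_ok(packet: bytes) -> bool:
    """Layer 3 check: the header summed together with its own checksum field must give 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    return ones_complement_sum(packet[:ihl]) == 0xFFFF

def transport_ok(packet: bytes) -> bool:
    """Transport check: TCP/UDP cover pseudo-header plus segment; ICMP covers only its own message."""
    ihl = (packet[0] & 0x0F) * 4
    proto, src, dst = packet[9], packet[12:16], packet[16:20]
    segment = packet[ihl:]
    if proto == 17 and segment[6:8] == b"\x00\x00":
        return True                                      # IPv4 UDP: a zero field means "no checksum computed"
    if proto in (6, 17):
        pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
        return ones_complement_sum(pseudo + segment) == 0xFFFF
    if proto == 1:
        return ones_complement_sum(segment) == 0xFFFF
    raise ValueError("unsupported protocol %d" % proto)

def verdict(packet: bytes, bad_transport: str = "drop") -> str:
    """Inbound policy: a bad IP header is always dropped; a bad transport checksum is dropped,
    or accepted when the risky 'Accept if incorrect' option is chosen."""
    if not ip_header_ok(packet):
        return "drop"
    if transport_ok(packet) or bad_transport == "accept":
        return "accept"
    return "drop"

def build_ipv4_tcp(src: bytes, dst: bytes, sport: int, dport: int, seq: int, ack: int, flags: int, payload: bytes) -> bytes:
    """Constructed packet: fills both checksum fields, as the outbound 'checksum calculating' step would."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp

# Assumed endpoints 10.0.0.5:40000 -> 192.0.2.10:80, PSH|ACK with a small HTTP payload.
SAMPLE = build_ipv4_tcp(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), 40000, 80, 1001, 5001, 0x18, b"GET / HTTP/1.0\r\n\r\n")

def corrupt(packet: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset to simulate a damaged or forged packet."""
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)
```

Flipping a payload byte leaves the IP header valid but breaks the TCP checksum, which is exactly the case the "Accept if incorrect" policy lets through; flipping the TTL byte (offset 8) breaks the header checksum and is dropped under every policy.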
22 Tight TCP Stateful Inspection
- TCP checksum checking
- TCP sequence number checking and tracing in the stream
- SYN/ACK/FIN state transition control and violation avoidance
- Out-of-sequence TCP packet alignment
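The slide lists what a strict TCP state engine enforces but not how. The following added example (written for this page, not the Sepehr engine's code) tracks one connection through the three-way handshake, checks that every later segment carries a plausible sequence and acknowledgement number, honours RST only when it is in window, and marks in-window but out-of-order segments as "hold" for alignment. It assumes a fixed 64 KiB window instead of the peer's advertised window, ignores options and SYN retransmission, and uses constructed endpoints and segments in run_demo().

```python
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
MOD = 1 << 32                                   # sequence numbers wrap at 2^32

@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: int
    length: int = 0                             # payload bytes

def in_window(seq: int, expected: int, window: int) -> bool:
    return (seq - expected) % MOD < window

class TcpTracker:
    """Assumed simplification: fixed receive window rather than the advertised one."""
    def __init__(self, window: int = 65535):
        self.flows = {}      # client 4-tuple -> {"state", "next": {"c2s", "s2c"}, "fins"}
        self.window = window

    def process(self, s: Segment) -> str:
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if fwd in self.flows:
            key, d, other = fwd, "c2s", "s2c"
        elif rev in self.flows:
            key, d, other = rev, "s2c", "c2s"
        else:
            # no state: only a bare SYN opens a flow, so ACK scans and injected mid-stream segments are refused
            if s.flags & (SYN | ACK | FIN | RST) != SYN:
                return "drop"
            self.flows[fwd] = {"state": "SYN_SENT", "next": {"c2s": (s.seq + 1) % MOD, "s2c": None}, "fins": 0}
            return "accept"
        f = self.flows[key]
        nxt, expected = f["next"], f["next"][d]
        if s.flags & RST:
            # a reset is honoured only if its sequence number is in window (blind RST spoofing defence)
            if expected is not None and not in_window(s.seq, expected, self.window):
                return "drop"
            del self.flows[key]
            return "accept"
        if f["state"] == "SYN_SENT":
            if d == "s2c" and s.flags & (SYN | ACK) == SYN | ACK and s.ack == nxt["c2s"]:
                nxt["s2c"] = (s.seq + 1) % MOD
                f["state"] = "SYN_RECEIVED"
                return "accept"
            return "drop"
        if f["state"] == "SYN_RECEIVED":
            if d == "c2s" and s.flags & (SYN | ACK) == ACK and s.seq == expected and s.ack == nxt["s2c"]:
                f["state"] = "ESTABLISHED"
                return "accept"
            return "drop"
        # ESTABLISHED: segments carry ACK, never SYN, and may not acknowledge bytes the peer has not sent
        if not s.flags & ACK or s.flags & SYN:
            return "drop"
        if (nxt[other] - s.ack) % MOD >= self.window:
            return "drop"
        if s.seq == expected:
            nxt[d] = (expected + s.length + bool(s.flags & FIN)) % MOD
            f["fins"] += bool(s.flags & FIN)
            if f["fins"] == 2:
                del self.flows[key]             # both sides have closed
            return "accept"
        if in_window(s.seq, expected, self.window):
            return "hold"                       # out of order but in window: queue it and re-process once the gap is filled
        return "drop"

CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 80)     # constructed endpoints

def client_seg(seq, ack, flags, length=0):
    return Segment(*CLIENT, *SERVER, seq, ack, flags, length)

def server_seg(seq, ack, flags, length=0):
    return Segment(*SERVER, *CLIENT, seq, ack, flags, length)

def run_demo():
    """Constructed handshake, data and attack segments; returns the verdict for each in order."""
    t = TcpTracker()
    steps = [
        client_seg(1000, 0, SYN), server_seg(5000, 1001, SYN | ACK), client_seg(1001, 5001, ACK),
        client_seg(1001, 5001, ACK, 18),                  # in-order data, next expected becomes 1019
        client_seg(1119, 5001, ACK, 100),                 # arrives before 1019..1118: hold
        client_seg(1019, 5001, ACK, 100),                 # fills the gap
        client_seg(1119, 5001, ACK, 100),                 # the held segment, re-processed: accepted
        server_seg(90000, 1219, ACK, 10),                 # spoofed data far outside the window
        client_seg(1219, 6000, ACK),                      # acknowledges bytes the server never sent
        Segment("203.0.113.7", 1234, *SERVER, 42, 42, ACK),   # ACK scan with no handshake
        server_seg(777, 1219, RST),                       # blind reset with a wrong sequence number
        server_seg(5001, 1219, RST),                      # in-window reset closes the flow
        client_seg(1219, 5001, ACK),                      # flow is gone, so this is dropped
    ]
    return [t.process(s) for s in steps]
```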
23 Application Layer Filtering
- Application layer protocol monitoring and violation control for HTTP, SMTP, FTP and TELNET
24 HTTP URL Filtering
- URL filtering with a user-defined URL database to filter domains, sub-domains and directories
- Whitelist URL databases
- Regular expression databases
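A URL filter of the kind described here is only as good as the canonicalisation it performs before matching: upper-case host names, trailing dots, explicit ports, a whitelisted name placed in the userinfo part, and percent-encoded or ".."-laden paths are the usual ways to slip past list matching. The following added example (written for this page; not the Sepehr implementation) normalises the request URL and then applies whitelist, domain, directory and regular-expression databases in that order. The list contents in build_demo_filter() and the precedence rule "whitelist wins" are assumptions for the example.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

def normalize(url: str):
    """Canonical host and path so case, trailing dots, ports, userinfo and encoded path tricks cannot dodge the lists."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")        # .hostname is lower-cased and excludes userinfo and port
    path = unquote(parts.path or "/")                # one decoding pass; double-encoded input would need decoding until stable
    path = posixpath.normpath("/" + path.lstrip("/"))   # resolves "." and ".." and collapses repeated slashes
    return host, path

def host_matches(host: str, entry: str) -> bool:
    """A domain entry covers the domain itself and its sub-domains, on label boundaries only."""
    return host == entry or host.endswith("." + entry)

class UrlFilter:
    def __init__(self, blocked_domains=(), blocked_dirs=(), regexes=(), whitelist=()):
        self.blocked_domains = [d.lower().rstrip(".") for d in blocked_domains]
        self.blocked_dirs = [(h.lower(), posixpath.normpath("/" + p.lstrip("/"))) for h, p in blocked_dirs]
        self.regexes = [re.compile(r, re.IGNORECASE) for r in regexes]
        self.whitelist = [w.lower().rstrip(".") for w in whitelist]

    def decide(self, url: str):
        host, path = normalize(url)
        if not host:
            return "block", "no host in request"
        if any(host_matches(host, w) for w in self.whitelist):
            return "allow", "whitelist"                      # whitelist takes precedence over every block list
        for d in self.blocked_domains:
            if host_matches(host, d):
                return "block", "domain " + d
        for h, p in self.blocked_dirs:
            if host_matches(host, h) and (path == p or path.startswith(p + "/")):
                return "block", "directory " + h + p
        for rx in self.regexes:
            if rx.search(host + path):
                return "block", "regex " + rx.pattern
        return "allow", "no rule matched"

def build_demo_filter() -> UrlFilter:
    # Constructed databases: one blocked domain, one blocked directory, one regex, one whitelisted sub-domain.
    return UrlFilter(blocked_domains=["ads.example"],
                     blocked_dirs=[("files.example", "/warez")],
                     regexes=[r"\.exe$"],
                     whitelist=["mirror.files.example"])

DEMO_FILTER = build_demo_filter()
```

Note that the directory rule compares on a path boundary ("/warez" and "/warez/..." but not "/warezx"), and the domain rule on a label boundary ("tracker.ads.example" but not "notads.example"); both are common off-by-one mistakes in hand-written filters.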
25 SMTP Filtering
- SMTP filtering by expressions on the sender/receiver databases:
  – username
  – domain-name
  – username@domain-name
26 FTP Filtering
- Downloading files
- Uploading files
27 VPN
- IPSec, IKE
- Gateway to gateway: Sepehr to Sepehr, Sepehr to Cisco, Sepehr to Windows 2003 Server
- Gateway to workstation: Sepehr to Windows 2000, XP
28 NAT
- Hide source NAT, replacing:
  – Source IP address (single, subnet, range, database)
  – Source port number (single, range, database)
- Hide destination NAT, replacing:
  – Destination IP address (single, subnet, range, database)
  – Destination port number (single, range, database)
- Hide source and destination simultaneously:
  – Source/destination IP address (single, subnet, range, database)
  – Source/destination port number (single, range, database)
- NAT in router and bridge mode
29 VLAN
- VLAN definition on Ethernet ports:
  – Bridging between Ethernet ports that have the same cluster ID
  – Routing between VLANs
- Trunking support (802.1Q)
- Multi-point installation and configuration
30 Fault Tolerance
- Routing mode: Virtual Router Redundancy Protocol (VRRP)
31 Log Server
- Remote log archiving
- Direct or indirect connection to the firewall
- Specific protocol
- Log archiving by time or by volume
- FIFO for archived log files