WatchGuard®
Network Security
Handbook
Firebox™ System 5.0
operating system bug and that you should contact the operat...

The WatchGuard Solution

Integrating security technologies into a stand-alone appliance
Merely...

network VPN capability, but also enables the administrat...
CHAPTER 2 Security and Firewall Management Policies

An organization's security policy forms the bas...

permission levels for computers, director...

Balancing Risk vs. Productivity

• What do you have to lose in a network security breach? You could lose actu...

• A network is only as secure as the least...

Each safety precaution you observe in this list makes your network sign...

masquerade, outside attempts to directly con...

• Overriding the setting to automatically block packets from spoofed ad...

• Restricting incoming traffic for a give...

Determining Allowable Traffic

computers. As an organization changes, you can add or remove users or systems...

• Untrusted
• Mixed trust
With a Firebox, y...

Determining Off-Limit Areas

• The Trusted interface connects to the internal network, which you want pro...

security policy that passes only the most i...

The Human Factor

an environment where secure behavior is expected than to try to configure your firewall so...
CHAPTER 3 Network Configuration

The Firebox can protect a wide array of private networks and/or hosts by rep...

the router to the Internet. A simple network configuration is illus...

Simple Network (Drop-In) Configuration

How the simple configuration works with proxy ARP
Gene...

list the IP addresses of any networks with IP addresses outside an inter...

Multiple Network Configuration

The multiple network configuration...

networks then come under the protection and access rules set up for th...
CHAPTER 4 Proxying and Packet Filtering

WatchGuard provides its security through two mechanisms: dynami...

within the company. He checks the postal guidelines to make...

How the Firebox Security System Uses Proxies

to a Blocked Sites list, making things such as port space pr...

Web). Less dangerous types of packets are filtered by individ...

Defining Traffic Through Services

allowable traffic endpoints and determine the filter rules and policies f...

Changing a service
Once a service is added, you can change...
CHAPTER 5 Beyond Proxies and Packet Filters

Although proxies and packet filters are the bread and butter o...

blocking on a service-by-service basis for sites th...

What is the Purpose of Blocking Ports?

Like Blocked Sites, Blocked Ports apply only to packets that come i...

easily defeated by a knowledgeable attacker. If an attac...

attacking RPC services is to contact the portmapper to find out w...

Logging blocked port activity
You can also adjus...

Network Address Translation (NAT)

This address translation is dynamic in that a new port-to-internal-host...

What is static NAT?
Static NAT provides protecti...

Authentication

NOTE
Firebox Domain users and groups and NT Domain users and groups are not th...

provide authenticating data in the form of a login and pa...
as only one user per machine can be authenticated at any one time
WatchGuard Authentication allows you to define permissions and groups...

itself, and in the other cases, the usernames, passwords, and groups are stored on the server per...

and RB-1 Tokens. This enables you to secure network acc...
WatchGuard Network Security Handbook
ii WatchGuard Firebox System 5.0

Copyright
Copyright © WatchGuard Technologies, Inc. All rights reserved.

Notice to Users
Information in this document is subject to change and revision without notice. This documentation and the software described herein is subject to and may only be used and copied as outlined in the Firebox System software end-user license agreement. No part of this manual may be reproduced by any means, electronic or mechanical, for any purpose other than the purchaser's personal use without prior written permission from WatchGuard Technologies, Inc.

TRADEMARK NOTES
WatchGuard and LiveSecurity are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox, SpamScreen, and Designing peace of mind are trademarks of WatchGuard Technologies, Inc. All other trademarks or trade names mentioned herein, if any, are the property of their respective owners.
Contents

CHAPTER 1 The Need for Network Security ... 1
  The Conveniences and Dangers of Networking ... 1
    Security vs. convenience ... 2
    What is a security policy? ... 3
    Making peace with a security policy ... 3
  What Makes a Good Network Security System? ... 4
    Simplicity ... 4
    Scalability ... 4
    High uptime and quick recovery from failure ... 4
    Distributed architecture ... 5
    Dynamically secured against the latest security threats ... 5
    Economy of IP addresses ... 6
    Secure connections ... 6
    Authentication ... 6
    Content discrimination ... 6
    Secure remote management and communication ... 7
    Virtual private networking (VPN) ... 7
    Highly configurable logging and notification ... 7
    Summarize and report network activity ... 8
    Quick and responsive ... 8
    Well-conceived security system policies ... 8
    Physically secured security appliance ... 8
  The WatchGuard Solution ... 9
    Assumptions ... 9
    Separation of key security system components ... 10
    Ease of use begets secure use ... 11
    Open code base ... 12
    To proxy or to packet filter? ... 13
    Integrating security technologies into a stand-alone appliance ... 13
CHAPTER 2 Security and Firewall Management Policies ... 15
  Balancing Risk vs. Productivity ... 16
    Incoming services: security principles ... 17
    Outgoing services ... 18
    Other principles of security vs. risk ... 19
    Elements that decrease firewall security ... 20
  Organizing Your Organization ... 22
  Determining Allowable Traffic ... 22
  Organizing Networks ... 23
  Determining Off-Limit Areas ... 24
  Physical Security ... 25
  The Human Factor ... 26
CHAPTER 3 Network Configuration ... 27
  Simple Network (Drop-In) Configuration ... 27
    Using a secondary network ... 29
  Multiple Network Configuration ... 30
CHAPTER 4 Proxying and Packet Filtering ... 33
  The Purpose of Dynamic Packet Filtering ... 33
  How the Firebox Security System Uses Proxies ... 35
  What is the Firewall Stance? ... 36
  Defining Traffic Through Services ... 36
CHAPTER 5 Beyond Proxies and Packet Filters ... 39
  What is the Purpose of Blocking Sites? ... 39
    Logging blocked sites ... 40
  What is the Purpose of Blocking Ports? ... 40
    Conflicts in blocked ports ... 43
  Network Address Translation (NAT) ... 44
    What is dynamic NAT? ... 44
    What is static NAT? ... 45
  Aliasing ... 46
  Authentication ... 47
    Authentication methods ... 48
    Firebox authentication described ... 49
    Windows NT authentication described ... 50
    RADIUS authentication described ... 50
    CRYPTOCard authentication described ... 52
  Encryption ... 53
  Block Web Access ... 54
    WebBlocker configurable parameters ... 54
    How WebBlocker works ... 56
CHAPTER 6 Virtual Private Networking ... 59
  Branch Office Virtual Private Networking ... 60
    Branch Office VPN with IPSec ... 60
    Logging VPN activity ... 61
  Remote User Virtual Private Networking ... 62
    Mobile User VPN ... 62
    Remote User VPN with PPTP ... 62
  Managing the Internet Distributed Enterprise ... 62
    VPN Manager ... 63
    Sample IDE configurations ... 63
CHAPTER 7 Maintaining a Firewall ... 67
  The Firebox System and Firewall Maintenance ... 67
    LiveSecurity Service broadcasts ... 69
    LiveSecurity Service Web site ... 70
  Using Logging to Record Hostile Events ... 70
  Notifications Provide First Alert ... 71
    How notification counts and handles events ... 72
  Developing logging and notification policies ... 73
    Selecting which events to log ... 73
    Allocating servers as Event Processors ... 75
    Log file size and turnover frequency ... 75
    Which events will trigger notification? ... 76
    Choosing the form of notification ... 77
  Monitoring the firewall visually ... 77
  Obtaining Summary Reports ... 78
    Why generate reports? ... 78
    The WatchGuard Historical Reports module ... 79
Index ... 81
CHAPTER 1 The Need for Network Security

When undertaking network security, the first step is to weigh the objectives (benefits) of an Internet connection with the risks. The purpose of the Network Security Handbook is to introduce you to the concepts of network security. We discuss both the risks and objectives in crafting a security policy. We also identify the elements of a good security system and explain how WatchGuard security products support your overall strategic security objectives.

The Conveniences and Dangers of Networking

Originally, computers were stand-alone units. Soon, large-scale users began networking them for easier exchange of information. This created lines of communication into which interlopers (now commonly called hackers) could insert or counterfeit messages to gain access to classified data.

By the mid-1990s, the combination of more affordable computers, easier to use software, and an increased appreciation for the benefits of networking and information sharing created an explosion in the number of private institutional networks linked to the Internet. This technical and social development put the world at your fingertips. You could now
perform more research from a home computer with Internet access than during a week-long stay at a large metropolitan library. There is little argument that the benefits of networking are enormous. Unfortunately, so are the risks.

Any person with Internet access can view your organization's Web site, or exchange e-mail with organization members; therefore, any person can attempt to find ways to gain read/write access to your servers and computers that store and display this data. Up to now, networks used workstation, server, and router devices. To protect against the Internet's inherent security threat, the computer network firewall was created as a new class of network device.

Three historical trends led to the development of firewalls as a class of network devices:

• The increasing reliance on the Internet for commerce, research, and collaboration by corporations. Not only were computer users accessing the Internet for information, they were also using it to transact business (sometimes with newer, less security-conscious enterprises). Funds, account numbers, and credit card numbers were regularly being exchanged over the Internet.

• The rise of the Internet as an avenue of unauthorized access into corporate networks. The proliferation of Internet popularity and accessibility also meant a proliferation of attempts at pranks, vandalism, and theft of intellectual property.

• The costs associated with that unauthorized access. The benefits of increased networking were being threatened by the costs of loss from break-ins.

Downtime caused by a security breach can be very expensive. Not only is productivity lost until the breached computers are back online, but lasting damage can take place during the security breach. Unfortunately, the only way to truly secure a network from the Internet is to have no connection to the Internet, which in itself has a negative impact on productivity. Network security products provide the means to manage the risks associated with Internet access without losing the benefits of increased access and connectivity.
Security vs. convenience

Users and system administrators have entirely different objectives. Users want to have the world at their fingertips. System administrators need to restrict access as much as possible to avoid security compromises and downtime.

The conflict between the free flow of information and the need for security can be resolved with a well-designed firewall appliance combined with the organization's commitment to an intelligent security policy.

What is a security policy?

In the context of network firewalls, a security policy is a compromise that an organization decides to adopt between absolute security and absolute access. A fully formed security policy spells out who can get in, where they can go, and who can get out.

For example, a security policy might specify that certain internet protocol (IP) addresses on the Internet may not contact anyone or anything within an organization. It might also state that certain computers within the organization are accessible only by accounting, or top-level management, or marketing. It might further establish that other computers on the Internet cannot directly access any computer within your organization; instead, all outside traffic may only contact your firewall. Where traffic is routed to the firewall, it does the gate-keeping — routing or denying traffic according to the security policy.

In addition to routing, the firewall should log certain types of activity. The security policy should dictate which types of activity are logged and which ones constitute a pattern that warrants notification of a network administrator.

Making peace with a security policy

Publishing a security policy — and the reasoning behind it — to the entire organization provides at least three benefits:

• Users gain a sense that the organization is looking out to protect their files and their livelihood.
• Users often find that they have access freedoms they were not previously aware of.

• Users gain an understanding that access limitations are implemented to protect the organization from disaster.

Firewalls address the security vs. freedom conflict by providing a transparent solution that helps system administrators secure their network, while still allowing users many of the freedoms they would like. A properly configured firewall makes penetrating a network from the Internet very difficult, and yet preserves a great deal of mobility for the organization's users (if desired). And configuring the security system to produce detailed logs of activity makes it all but impossible for a hostile outsider to break in without being detected.

What Makes a Good Network Security System?

Many elements make up a robust, effective security system. The starting point, however, is simplicity of design.

Simplicity

A network security device that is complex in its design, configuration, or day-to-day operation is more prone to error, and has more points of entry than one that is simple. Simple designs are more likely to be used consistently and correctly.

Moreover, securing a network from outside attack is not inherently a difficult or complex proposition. Rather, it is a matter of segregating traffic into two groups: that which is allowed to pass the firewall under certain controlled circumstances, and that which is not.

Scalability

The network security solution must be able to keep pace with company growth and the company's increased use of network security. For example, a company might not increase in size significantly over a two-year period but still might need to scale up its network protection as it finds new applications for network technology in its organization. A scalable system not only expands at reasonable cost, its administration
requirements gain little complexity as the system grows. Although the system might have more firewall appliances, log hosts, authentication hosts, VPN tunnels, and other components to administer as time goes on, the user interface should remain the same.

High uptime and quick recovery from failure

We'd like to think that all network security devices are very reliable, but that's not necessarily the case. Low-cost commercial network protection is a young industry. Some products may have lower reliability in a rush to offer marketable features. A failed firewall is a no-win situation: Either it shuts down your Web site (fail shut) or leaves it open to outside attack (fail open). (Given a choice of the two, a safe firewall will fail shut.)

Because some crashes are inevitable, a network security appliance should have a quick boot routine to restore service as quickly as possible. A good network security device has a high MTBF (mean time between failures) rating and uses reliable hardware and software components. For even greater uptime, the security appliance should be configurable for failover. That is, it should have the capability to be paired with a second appliance that waits in standby mode and automatically switches in if the first appliance is taken offline or services fail.

Distributed architecture

Distributed architecture means assigning different network security tasks to different computers. For example, a distributed architecture might have one device as the firewall appliance, another computer to create and manage configurations for the firewall, other computers to handle the system logs, and yet other ones to store the authentication and user databases.

A distributed architecture separates tasks and functions according to type and assigns them to systems best suited to the respective tasks. A firewall appliance, for example, should have no storage or ports of entry extraneous to its primary function. A firewall appliance with a hard drive or freely available terminal ports is not as secure as one whose configuration is stored offline and is accessed only through a dedicated serial line or an encrypted connection.
Dynamically secured against the latest security threats

To be effective, a network security device cannot be a static, one-time product. Network entrepreneurs are constantly inventing new services to transmit multimedia, teleconferencing, and other advanced services over the Internet. And hackers are perpetually inventing and exploiting new methods to invade networks and introduce viruses and worms.

Usually, out-of-date software is just inconvenient. For network security, however, it's downright dangerous. As a network security system becomes outdated, it becomes more vulnerable to emerging hacks and attack methods. The network administrator must then divide his or her time between local administration tasks and the task of keeping the network secure by writing or obtaining patches, and disabling vulnerable services.

Ideally, a network security device includes an updating mechanism from the vendor, which downloads information on new security threats and software patches to keep the network security current.

Economy of IP addresses

A firewall should be able to represent an entire network to the world as a single public IP address or range of IP addresses — these addresses should be the firewall appliance's IP addresses. This provides the following benefits:

• The network security system can hide the organization's internal IP addresses from the rest of the world, thereby protecting computer identities from strangers.

• You can use assigned (private) IP addresses behind the firewall without worry of clashing with public IP addresses on the Internet.

• It can save money, as ISPs charge a fee when an organization obtains a new range of public IP addresses.

Secure connections

All security systems should implement secure connections between all critical and sensitive points of communication: The links between the administration computer and the firewall appliance should use strong
encryption, and strong encryption should be available for other critical links, such as between the main office and branch office.

Authentication

Authentication is used to ensure that all traffic is actually sent from the source claimed to originate it, and that the user or machine that sent it is permitted to do so. A good security system offers several types and levels of authentication. Using multiple levels of authentication, you can organize your security policy to give different groups of users different levels of access, and limit that access to specific areas on your network. Multiple types of authentication ensure that the most secure or compatible type of authentication is available for a given use.

Content discrimination

Content discrimination is the ability to prevent organization members from using organization time and resources to gain Web-based entertainment inappropriate to the organization goals, philosophies, and work ethic. A good content discrimination mechanism allows the administrator to restrict Web surfing based on type of content (for example, gambling), time of day, and to assign those rules to groups or individuals.

Secure remote management and communication

A good security system can be managed from a remote location, but prevents eavesdropping on the administrative session. The administration tools should be able to communicate everything the administrator needs to know about active connections, configured services, denied packets, VPN tunnels, general security policies, and the network configuration.

Virtual private networking (VPN)

VPN capabilities are in high demand for organizations that have branch offices, telecommuters, or traveling employees. Many different types of software vendors offer some type of VPN capabilities, and not necessarily in a security package. For example, a VPN package that does not provide
authentication or encryption should not be used for conducting serious business.

VPN is best handled by a network security device because it ensures that the security policy is unified — compatible among its various components and functions. It ensures that a VPN tunnel, for example, does not clash with the firewall-implemented security policies, that priorities of accepted and denied services are consistent, and that adding a service or a tunnel does not breach security.

Highly configurable logging and notification

A good security system lets you specify which types of events are logged for each individual service. Some service events may need little or no logging while other services may need to have every event logged.

It's always a good idea to log denied events. In the event of a network attack, logs can reveal the source of the attack. Sometimes it's even a good idea to log traffic that is allowed. For example, you may want to log incoming management connections to the firewall. In the event that the passphrases to your firewall were compromised and changes were made to it, the logs would provide the information needed to track down the intruder.

Logging parameters should be adjustable according to log host capacity and usable file size. The frequency at which the log file begins overwriting, called log rollover, itself should also be user-determined. Ability to set the frequency of log rollover by date or by file size provides additional flexibility.

A good logging system watches for patterns symptomatic of attempted security breaches and notifies an administrator of the suspicious activity.

Summarize and report network activity

A good security system gives an accurate, meaningful, and straight-forward account of its use to management. You should be able to sort the logging data by various parameters such as host-to-host connections, Internet activity, and most active times of day.
Quick and responsive

A good security system allows the network administrator to make configuration changes quickly, easily, and with minimal impact to the organization network.

Well-conceived security system policies

A network security system is only as good as the security system policies that drive it. A well-planned security system specifies which computers can communicate with the outside and in which ways. It closely examines content sent via protocols that can hide other, potentially destructive content types. It employs encryption where communication lines could be intercepted, and authentication wherever a fake user identity could have destructive results.

Well-conceived security policies leave no holes in the firewall, just authorized passages. A hole is any route into an organization network that allows unauthorized entry.

Physically secured security appliance

Finally, a firewall is only as good as its physical security. All the encryption and authentication in the world is of no use if an unauthorized person can simply walk up to your firewall or management workstation and download critical ID files, IP addresses, or port assignments. The firewall's physical security should be analogous to the network security it provides: no unauthorized access allowed. The firewall appliance should be physically locked away from your organization at large.

The WatchGuard Solution

The WatchGuard approach to robust network security is an inexpensive, easily deployable, stand-alone device known as a network security appliance — the WatchGuard Firebox.

The WatchGuard family of firewalls (Fireboxes) includes the Firebox II, Firebox II Plus, Firebox II FastVPN, Firebox III, SOHO, and SOHO|tc.
Assumptions

In standard security practices, the first step in securing the whole enterprise is developing a perimeter defense. A defense of the perimeter assumes that the people on the inside are to be trusted, while those on the outside are not to be trusted. The outer perimeter is hardened, leaving only controlled gateways capable of passing traffic. These gateways then have the responsibility of granting or denying access to the entire network.

For traffic that originates from outside the perimeter, the perimeter defense challenges the traffic and applies a set of rules (derived from the security policy) to determine whether it will permit the traffic to come inside.

A perimeter defense makes these assumptions:

• The hosts and inside users can be trusted.

• The firewall device is physically secure: No unauthorized persons are allowed to access it.

• The management workstation is physically secure: No unauthorized persons are allowed to access it.

• Network traffic can go in and out only through a controlled gateway.

Given these conditions, a perimeter defense remains secure as long as the network security system is properly configured and functioning.

You must always be vigilant over the first assumption, that the people on the inside can be trusted. If a system with a perimeter defense is successfully attacked, it is more likely to be brought down from the inside. Therefore, an effective security system must also be able to monitor the inside activity and enable administrators to watch for behavior — with or without malicious intent — that could compromise organization security. The Firebox System provides a suite of monitoring tools to aid in detection of such activity, such as a real-time Traffic Monitor, which displays all logged events as they happen; HostWatch, which shows what organization computers are connected to which external hosts through your Firebox; plus other monitors and status tools.
Separation of key security system components

In any firewall installation, you must make some basic assumptions regarding the layout of the various components.

The WatchGuard Firebox System has a distributed architecture. It intentionally separates the logging, management, and traffic discrimination facilities into three separate logical and physical components: the WatchGuard Security Event Processor (logging server), the Management Station, and the Firebox.

Separating these functions ensures that the Firebox has only the hardware and software necessary to perform its function of traffic discrimination. All other features of a general purpose computer — disk drive, user profiles, login files, password files, and multiple terminal access — are not on a Firebox. Limiting Firebox functionality minimizes the exposure to potential threat.

Because access to a console generally grants low-level access to the server itself, all firewall consoles should be guarded closely. To address this general vulnerability, WatchGuard has removed the operating system shell and console functions from the Firebox.

In case of a power failure, the Firebox automatically reboots and reloads its current configuration information. Because the operating system is loaded from flash memory, it is not subject to disk crashes or file system corruption as is the case of firewalls running on general-purpose computers with general-purpose operating systems.

In the WatchGuard security model, activity logs and firewall configuration files are stored on one or more other computers, not on the firewall appliance itself. After all, the device that blocks unauthorized traffic should not contain the keys to its own undoing. The Management Station and WatchGuard Security Event Processor can be configured for automatic backups or be equipped with mirrored disks to ensure capture of important security information. All communications between the Firebox and these elements are encrypted.

Because the Management Station contains configuration files and because the Event Processor stores data regarding the general traffic patterns of the network, you must physically secure these hosts from the rest of your organization.
Physically separating the Management Station and logging host from the network security appliance enhances physical and data security. If the Management Station is in an operation center that is secure against a physical breach of security, the encrypted channel for management and logging functions ensures that the logs and configuration files are safe regardless of the level of trust placed in the intervening networks.

Another benefit of the WatchGuard distributed architecture is that the Firebox and the Management Station can be located separately. In cases where it is not feasible to keep the Management Station on the premises, the Firebox is designed to accommodate secure remote management. You can administer it from a remote Management Station via an encrypted link. It also uses an encrypted link to write events to the logging host.

Ease of use begets secure use

An easy-to-use system will be used more frequently and with fewer operational errors than a complicated one. The basic principles of protecting a network from outside interference are not difficult to understand. Basically, you segregate all network traffic into two groups: that which is allowed to pass under controlled circumstances (trusted), and that which is not (untrusted). Putting this simple principle into a reliable product is indeed an involved process, but its use and administration should still be relatively simple.

These fundamentals drive the WatchGuard appliance concept: a device that is simple to use, secure in terms of design and execution, as fast as can be without sacrificing security, and reliable over the long run. By condensing the network security system to an appliance, the network administrator is presented with a device that:

• Exists and works for one simple purpose—with fewer tasks being performed, there is less to go wrong and fewer vulnerabilities to attack
• Has no complex underlying operating system with the associated vulnerabilities to attack and failure
• Is less expensive than a server-based solution
• Has no moving parts to wear out other than the cooling fans
Open code base

Any manufacturer of security devices must resolve the fundamental trade-off between proprietary and public infrastructure for the overall device operating system. The greatest advantage of using a proprietary operating system is control of the source code. Although proprietary operating systems may seem more secure, a proprietary system also places a key component of overall network security in the hands of a limited group of operating system programmers. With the rising frequency of published bug reports regarding well-known operating systems such as Microsoft Windows NT and Sun Solaris, a security device manufacturer might not be confident that the vendors of proprietary operating systems publish timely and accurate bug fixes for their operating systems. This can create an unnecessary element of risk.

Public scrutiny of an operating system, on the other hand, trades control of the source code for the powerful audit and development capability of operating system experts worldwide. The value of the pool of talent and commitment represented by this group of people far exceeds the value of any advantage in control that in-house development can have.

The WatchGuard Firebox System is based on the freely available Linux operating system. Not only has the operating system itself withstood the highest levels of public scrutiny in regard to its fundamental design, but the inevitable bug fixes that any network operating system will require over time have historically been available far faster than those of the commercial operating system vendors.

The WatchGuard design process releases all modifications to the operating system kernel back into the public domain. This process enables the Linux development community to scrutinize the changes we have made to ensure that the modifications are stable and reliable. The Firebox System software code that runs on the modified kernel remains proprietary to WatchGuard Technologies, Inc. This design approach allows WatchGuard to deploy a secure appliance over an aggressively debugged operating system at a fraction of the total cost of other network security approaches.

Using the Linux kernel also means that all bug fixes resulting from a previously unknown vulnerability in the underlying operating system are made available to the end user directly from WatchGuard. As a WatchGuard customer, you will never be told that any bug is strictly an operating system bug and that you should contact the operating system vendor for the patch. We service what we sell, right down to its operating system.

To proxy or to packet filter?

All firewalls can be loosely grouped into two categories, those that rely primarily on proxying the traffic and those that rely primarily on filtering the traffic (for an explanation of these terms, see Chapter 4, “Proxying and Packet Filtering”). Each method has its advantages and disadvantages. For WatchGuard Technologies, the issues come down to two considerations, speed and security.

Packet filtering firewalls have one thing in common: They are fast. This is because they do comparatively less work, which raises the issue: Are they doing enough work to secure the network? On the other hand, just because proxy-based firewalls are doing more work than the packet filters does not necessarily make them more secure. Proxies raise the issue: Are they doing more work than necessary, and is the work they are doing the right work?

The WatchGuard answer: both in moderation

The WatchGuard Firebox System employs a combination of proxy and packet filtering technologies. Doing too much can be as bad as doing too little. Because having both total security and total functionality is impossible, any solution is a trade-off. Allowing a specific service through the security system may be too insecure for an organization’s public Internet access, but acceptable for Intranet use. Or allowing a given service may be deemed too insecure, too inefficient, or not widely used enough to implement at all. WatchGuard has scrutinized each service to decide how best to control its access to the protected network. When we can add value by using a proxy (as with SMTP, FTP, or HTTP where vulnerabilities are very high) for a service, we do so. When it does not make sense within the context of a service to use a proxy, we do not. Thus we allow all traffic to pass or be denied passage in the way that is best suited for the traffic type.
Integrating security technologies into a stand-alone appliance

Merely managing the data stream will not attain true network security, because the network environment includes both machines and the people who use them. Network security must involve the people that use the network, how they access it, and what they do with the resources on it.

The WatchGuard Firebox System integrates the mechanical and human factors of network security by integrating three stand-alone components into the firewall appliance:

User authentication

To manage user access to Internet resources in the distributed network environment, the WatchGuard Firebox System supports user authentication via an NT Domain Controller, RADIUS server, CRYPTOCard server, SecurID server, or WatchGuard’s Firebox authentication. Users can be required to authenticate to one of these systems before accessing any Internet resources. Authentication enables you to manage, track, and audit users’ access to corporate Internet resources with great accuracy. This provides valuable planning and resource management data to assist in isolating areas of general interest, trends, waste, fraud, and abuse.

Content management

Patterns in human resource regulations, plus the cost to an organization regarding Internet abuse make it necessary to control the type of content available to the corporate Internet user. WatchGuard has integrated the SurfControl “CyberNOT” list into the WatchGuard Firebox System. Residing on the log server, this industry-leading database of Internet sites allows the administrator to grant or deny access to content by type, privilege level, and time of day.

Virtual private networking

Virtual private network technology creates an encrypted channel on the Internet using low-cost Internet connections (such as a modem or DSL). VPN technology eliminates the need for costly, dedicated lines while maintaining security. This makes remote sites accessible that were previously too expensive to connect to. The WatchGuard Firebox System not only provides network-to-network VPN capability, but also enables the administrator to manage that VPN segment as though it were directly attached to a physical interface.
CHAPTER 2 Security and Firewall Management Policies

An organization’s security policy forms the basis for its firewall configuration. The broadest, most comprehensive security policy spells out every aspect of how an organization protects its buildings, assets, information, and personnel from theft, vandalism, intrusion, and invasion of privacy. A security policy should address the following questions:

• How will the physical security of assets and systems be maintained?
• How will trash that contains sensitive information be disposed of?
• Who will implement and maintain what aspects of the security policy?
• What access will be granted to the various users and groups?
• What recreational use of facilities and systems will be allowed?
• What remote and external access will be permitted?
• If permitted, what level of access and security will be applied to remote communications?

Some of these issues are beyond the scope of a network firewall; together they comprise an organization’s approach to security, and will influence how the organization configures its firewall.

Obviously, physical security and staffing are beyond the scope of this document and the WatchGuard products. Even in matters of data access, some elements of the security policy would be implemented by setting permission levels for computers, directories, and files. Other elements would be addressed by the firewall appliance. The Firebox can implement policies on recreational use of an organization’s computers and networks, and authenticate and secure remote communications. These latter elements are a firewall management policy.

A firewall management policy is a subset of the security policy. It specifically addresses how an organization’s network firewall or firewalls will be configured to contribute to the overall security policy. A firewall management policy determines:

• Which hosts can send and receive which kinds of traffic
• What communication protocols and content types are allowed through the network perimeter
• Which communication links require authentication and/or encryption
• Which users are authorized to use various services through the firewall
• What times of day organization members can browse the Web
• What types of Web sites organization members can visit

Balancing Risk vs. Productivity

The purpose of any security policy is to determine the balance between safety and productivity. The more information and assets are available to all organization members, the quicker they can get things done. The less information and assets available to all organization members, the more secure the information and assets are.

In network security, the most secure configuration is no network connection at all. The next most secure is a diode, or outgoing-only connection. The third most secure is the WatchGuard rudimentary network configuration as produced by the QuickSetup Wizard. Once you open the WatchGuard Policy Manager to expand and fully configure the Firebox, each configuration addition or change to increase traffic flow simultaneously raises the risk level of the firewall configuration.

The questions you must ask yourself to arrive at a balance are:
• What do you have to lose in a network security breach? You could lose actual money in some cases, internal passwords, or personal information on organization members. You could lose critical database files. You could lose productivity as computers are cleansed, shut down, and rebooted. For some companies, a security breach might spell a loss of credibility and prestige affecting present and future business.
• What is the potential cost of a single security breach? For a large mail order operation where the Web site is its primary source of revenue gathering, a successful hack could cost millions of dollars in lost business during the outage and incredibility for future business. A successful operation with a small Web site for public relations purposes would lose little measurable revenue, but would still incur some level of embarrassment, especially if the hackers kept the Web site up but altered it to display gross depictions or lewd activities.
• How likely are various types of breaches to occur? Some types of servers are under constant attack. Financial institutions are under attack for credit and account information. Government agencies and network security agencies are under constant attack to feed the hacker’s ego or to express rage at controlling organizations. You have to determine how often you are under attack, and how likely it is that you would sustain an attack that could be very expensive.

The answers to these questions should help you arrive at your balance of security vs. productivity. For example, because financial institutions are an obvious target and a successful attack could result in big losses, security must take precedence over throughput because fast throughput is useless if your money or credit card numbers are stolen in the process. On the other hand, a business with a high amount of traffic, where each transaction amounts to a small amount of money, would value throughput over absolute security.

Incoming services: security principles

Enabling incoming services creates a conduit into any organization. It may be limited to a single service and a single port, but it is a conduit nonetheless. The following are some rules for assessing security risks as you add incoming services to a Firebox configuration:
• A network is only as secure as the least secure service allowed into it. As you enable incoming services, the loss of security is cumulative.
• Services you do not understand well should be considered untrustworthy. Unknown risks are always greater than known ones. Whenever a new content type protocol is created, assume that hackers are ready and able to exploit it.
• Services with no built-in authentication (most RPC services) and those that were not designed to be used on the Internet are risky.
• Services that send passwords in the clear (FTP, telnet, POP) are very risky. Many users use the same password wherever prompted for one. A packet sniffer intercepting an FTP, telnet, or POP transaction could intercept a cleartext password that would provide access throughout an organization.
• Services with built-in strong authentication (for example, ssh) are reasonably safe.
• Services such as DNS, SMTP, anonymous FTP, and HTTP are pretty safe only if they are used in conventional ways.
• Allowing a service to access only a single internal host is safer than allowing the service to several or all hosts.
• Allowing a service to the optional network is safer than allowing it to the trusted network. It is safer to allow traffic into a neutral zone (the optional network) rather than the private network (trusted). The Firebox maintains security between the two by filtering any traffic between the optional and trusted networks.
• Allowing a service from a restricted set of hosts is somewhat safer than allowing the service from anywhere. Furthermore, it is safer if you allow a service only to a restricted set of hosts.
• If the service does not have built-in authentication, you can mitigate the risk by using user authentication with that service.
• Allowing incoming services from a virtual private network (VPN), where the organization at the other end is known and authenticated, is generally safer than allowing incoming services from the Internet at large. The more tightly defined the remote network, the safer it is. It is safer to allow incoming services from a single host or small group of hosts than from a larger network.
Each safety precaution you observe in this list makes your network significantly safer. Following three or four precautions is much safer than following one or none.

Outgoing services

In general, the great risks come from incoming services, not outgoing ones. There are, however, some interesting security risks with outgoing services as well. Control of outgoing services is one aspect of protecting your network from hostile acts within your organization. For example, when configuring the outgoing FTP service, you can make it read-only and/or restrict the destination hosts that can receive such a transmission. This would prevent insiders from using FTP to transmit corporate secrets to a home computer or to a rival organization.

As another example, passwords used for some services (FTP, telnet, POP) are sent in the clear. If the passwords are the same as those used internally, a hacker can hijack that password and use it to gain access to your network.

Other principles of security vs. risk

The more complex your network configurations are, the riskier they are. The larger and more accessible the trusted network is, the greater the chance there are potential points of attack and hostile members on the network.

Internal hosts

The more internal hosts that are allowed as distinct destinations, the more risky the configuration. This is because each allowed incoming service implies a certain amount of host-based configuration and monitoring on that internal host. All other things being equal, you are safer if only one internal host is the destination for all services than if you have one host per service.

Masquerading private network numbers

It is safer to have private network numbers in your internal network or networks masqueraded by the Firebox. When private addresses are masqueraded, outside attempts to directly contact private network numbers will be rejected by the router before reaching the Firebox.

Automatic rejection of spoofing and IP options

Spoofing is where an attempted entry uses one of your internal IP addresses as the source address. The idea is to fool the router into thinking the packet came from within the organization. IP options are additions to the standard IP header which add little functionality when used legitimately, and are dangerous when used with malice. The Firebox configuration should be set to automatically reject packets with spoofed addresses or IP options in their headers.

Elements that decrease firewall security

After you create a basic configuration with the QuickSetup Wizard, you will expand and further refine your configuration. Each feature you add or set may increase the inherent risk. Some features increase the risk a lot, some increase it slightly. This section lists various configuration parameters you might set, and associates a low, medium, or high risk factor with the addition of that feature.

Additional gateways and hosts

Additional gateways are a cumulative risk. Each additional gateway you add off the Trusted or Optional interface adds a low risk. By the time you add eight or more gateways, you have added a fairly high risk.

Each distinctly named host on the Trusted interface adds a low risk to about the degree that an added gateway would. As with added gateways, eight or more additional hosts listed on the Trusted interface adds a fairly high risk.

Each distinctly named host on the Optional interface, however, adds a very low risk, about half what an added gateway or Trusted host would. Even eight or ten hosts on the Optional interface adds a fairly low risk.

High risks

These risks are extremely high for a Firebox serving as your firewall to the Internet. Overriding these settings may be okay if you are using the Firebox to separate two internal, private networks.
• Overriding the setting to automatically block packets from spoofed addresses is a very high risk, more than twice as high as having ten gateways on the Trusted interface.
• Overriding the setting to automatically block packets with IP options in the address is a very high risk, more than twice as high as having ten gateways on the Trusted interface.
• Irresponsible configurations, such as configuring the “Any” service to allow incoming traffic from Any external host to Any trusted host. This makes your firewall moot: Don’t do it.

Medium risks

The following practices are about one-fourth to one-half as dangerous as the high risk actions above:

• Using public IP addresses for computers on the Trusted interface instead of private addresses
• Not enabling IP masquerading
• Not enabling port forwarding
• Each instance of enabling Incoming FTP; three or more enabled Incoming FTP services would therefore accumulate to a high risk
• Adding a packet filter service (not proxied service)

Low risks

These actions add risk, but not as dramatically as the medium or high risks.

• Adding proxied services adds a low risk compared to having that service disabled. A proxied service is much safer than its packet-filtered counterpart, because only the proxied version blocks unsafe content types wrapped inside allowable content types.
• Adding services such as ssh, ssl, and VPN that have their own authentication are lower risk than adding services that have no authentication.

Lowering risks

Once you have added filter and proxy services, you can reduce the risks they bring by further restricting the allowable traffic for the service:
• Restricting incoming traffic for a given service to a single host on the Trusted interface reduces the risk by about one-fourth
• Restricting incoming traffic for a given service to a single host on the Optional interface reduces the risk by about one-half
• If outgoing traffic is allowed from only one host for a service, the risk is reduced by one-fourth. If there are two or more allowed hosts, there is no significant risk reduction
• If the service requires user authentication to allow access from external hosts, the risk is reduced by half compared to a non-authenticated service

Organizing Your Organization

Organizing an organization for network administration and security involves assigning employees or members to groups based on common tasks, functions, access needs, and/or trustworthiness.

If you have not already done this, now is the time to organize your organization—before you begin to configure network security. For example, you might have a group for accounting, another for personnel, sales, marketing, and research and development. You also might create a probationary group with high restrictions for new employees or those who are perceived as a greater risk to the organization. With WatchGuard, you can delineate two different types of groups:

• Groups for aliases and authentication, where groupings are applicable for incoming and outgoing traffic for specific services, and for virtual private networking (VPN)
• Groups for WebBlocker, where you determine which groups can access which content types when browsing the Web

Grouping for aliases and authentication simplifies the task of configuring access rules. Groups can be created using the WatchGuard Access and Authentication tool. You can group users by the method they use to authenticate, by the type of system they use, or by the things they need access to. Groups can be made up of a network or multiple, individual computers. As an organization changes, you can add or remove users or systems from groups.

You create the second type of grouping for WebBlocker, where you determine who can view what sorts of content types and when they may browse the Web. With WebBlocker you can create on-hour and off-hour access to different content types for different groups. For example, you might highly restrict customer service groups because they have to be constantly focused on customer needs, while you enable broad browsing ability to R&D to make research fast and unfettered.

Determining Allowable Traffic

Determining which traffic to allow in which direction is an expression of your security policy. When configuring services for a Firebox, you probably do not need to enable much incoming traffic. When your organization members access a Web site, that is regarded as outgoing traffic, even when they download something from a Web site. The traffic direction is determined by which direction initiated the connection. In many cases, the only incoming traffic will be enabled via virtual private networking.

The secure stance policy is that whatever is not expressly allowed is forbidden. Therefore, you must decide and actively enable any services you want to let in or let out. Remember that every service you enable punches another hole in your firewall. For this reason, enable services that are only necessary and well-justified, and for those connections that must be made, examine whether a read-only connection would suffice. Take care not to open redundant services that use the same protocol but simply open up more ports to use it, thereby making your network more vulnerable to port space probes.

Organizing Networks

At its simplest, organize the network into three zones:

• Trusted
• Untrusted
• Mixed trust

With a Firebox, you put the trusted zone of the internal network on the Trusted interface and the mixed trust on the Optional interface. Computers on the Optional interface contain only the content that you do not mind sharing with the rest of the world. With the WatchGuard Security Triangle model, not only does the Firebox protect the Trusted and Optional interfaces from the Internet, it also protects the Trusted and Optional interfaces from one another.

The following diagram illustrates the WatchGuard Security Triangle. It shows possible primary traffic patterns for a given packet, and can be very helpful later when deciding whether a service should be allowed or denied.

• The External interface connects to the external network (typically the Internet) that presents the security challenge
• The Trusted interface connects to the internal network, which you want protected to the maximum practical amount
• The Optional interface connects to a second secured network. Typically it is connected to any network of servers provided for public access, such as public Web or FTP servers

Determining Off-Limit Areas

Lastly, decide which parts of your internal network are off-limit for everyone or nearly everyone. There may be computers that should not be connected to anything else at all. Candidates might include:

• Payroll and personnel records
• Corporate R&D activity
• Business plans
• Network administration tools such as packet sniffers which could be dangerous to your security if they were generally available

If some people need remote access to some of these hosts, make sure to set up access that is exclusive and requires authorization. Some methods of removing general availability may be beyond the Firebox scope, but should be part of a security policy nonetheless. For example, you could set permissions and ownership of certain computers such that only a few people can log in to them. Then limit what network services can be used to access these computers to ones that require authentication.

There may also be hosts out on the Internet that pose constant dangers. For example, there might be a university computer that student hackers have used more than once to try to invade your network. For these sites, WatchGuard provides a Blocked Sites list where you can permanently block all traffic from these computers. If a packet comes from a host on the Blocked Sites list, it simply does not get past the Firebox.

Physical Security

When setting up, configuring, and installing in the network and digital realm, do not neglect the physical realm. You could have an ironclad security policy that passes only the most innocuous traffic, but it is not very protective if someone can walk into your office and take the Firebox off the desk and out the door. The same goes for the Management Station (the computer you use to create, alter, and upload configurations to the Firebox), router, WatchGuard Security Event Processor, laptop computers in general, and laptop computers used for VPN telecommuting.

Make sure all these devices are only available to authorized members of your organization, not to the public or your organization at large. The Firebox, Management Station, and event processor should be physically secured. The Firebox should be in a room under lock and key. The Management Station and event processor or processors should at least have a keyswitch and fast-acting, password-protected screen savers, and ideally should be under lock and key as well. Regarding the laptops, remember, many authentication schemes actually authenticate the computer, not the person, so an errant laptop that is on the authentication list for a remote user VPN could pose a serious security threat.

Finally, make sure you have a security policy to handle printouts and portable data media (diskettes, tapes) securely. One of the most common hacker methods of gaining organization addresses and passwords is dumpster diving, where the hacker sifts through organization trash for storage media and printouts that reveal account names, host names and addresses, password files, and so on.

The Human Factor

The success of the firewall management policy depends on careful crafting of the larger security policy. You should thoughtfully consider and clearly delineate what will be managed by people and what will be automated. The Firebox is a powerful and effective tool, not a final, automated solution to all aspects of network security.

Internal security abuses are personnel problems, and should be handled as such. Your organization must commit itself to responsibly monitoring network activity (for which the Firebox System provides a suite of effective monitoring tools). When people breach or violate the security policy, your organization must take responsibility to communicate with those whose actions pose a security risk. It is far more effective to create an environment where secure behavior is expected than to try to configure your firewall so that infractions are impossible to commit.
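The risk factors and reductions listed under “Elements that decrease firewall security” in this chapter, turned into a small cumulative scoring model. This is an added example, not WatchGuard code; the handbook gives only relative risk sizes, so the numeric weights (LOW, MEDIUM, VERY_HIGH and the reduction factors) and the sample configuration are assumptions chosen so that the relations the text states hold.

```python
"""Cumulative risk model for a Firebox configuration (added example, not WatchGuard
code).  The handbook states only relative sizes, so the unit weights below are
ASSUMED to satisfy them: the cumulative model, not the absolute numbers, is the point.
"""
from dataclasses import dataclass, field

LOW = 1.0                  # one added gateway or one named host on the Trusted interface
OPTIONAL_HOST = LOW / 2    # "about half what an added gateway or Trusted host would"
VERY_HIGH = 25.0           # "more than twice as high as having ten gateways" (10 * LOW)
MEDIUM = 8.0               # one-fourth to one-half of a very-high action; 3 x MEDIUM ~ high


@dataclass
class Service:
    name: str
    proxied: bool                 # proxied service: low risk; packet filter service: medium
    incoming: bool = True
    to_hosts: tuple = ()          # internal destinations allowed for an incoming service
    on_optional: bool = False     # destination host sits on the Optional interface
    requires_auth: bool = False   # user authentication required from external hosts
    from_hosts: tuple = ()        # permitted internal sources for an outgoing service
    any_to_any: bool = False      # "Any" service, Any external host to Any trusted host


@dataclass
class FireboxConfig:
    gateways: int = 0
    trusted_hosts: int = 0
    optional_hosts: int = 0
    block_spoofed: bool = True
    block_ip_options: bool = True
    private_trusted_addresses: bool = True
    masquerading: bool = True
    port_forwarding: bool = True
    services: list = field(default_factory=list)


def service_risk(svc):
    """Base risk of one enabled service, then the handbook's reductions."""
    if svc.any_to_any:
        return float("inf")                       # "This makes your firewall moot"
    if svc.incoming and svc.name.upper() == "FTP":
        risk = MEDIUM                             # each Incoming FTP instance is medium
    else:
        risk = LOW if svc.proxied else MEDIUM
    if svc.incoming and len(svc.to_hosts) == 1:
        risk *= 0.5 if svc.on_optional else 0.75  # single host: -1/2 on Optional, -1/4 on Trusted
    if svc.incoming and svc.requires_auth:
        risk *= 0.5                               # half of a non-authenticated service
    if not svc.incoming and len(svc.from_hosts) == 1:
        risk *= 0.75                              # one source host; two or more: no reduction
    return risk


def score_config(cfg):
    """Return (total_risk, findings); every feature adds to the total."""
    findings = []
    total = cfg.gateways * LOW + cfg.trusted_hosts * LOW + cfg.optional_hosts * OPTIONAL_HOST
    if cfg.gateways >= 8:
        findings.append(f"{cfg.gateways} gateways: fairly high cumulative risk")
    if cfg.trusted_hosts >= 8:
        findings.append(f"{cfg.trusted_hosts} Trusted hosts: fairly high cumulative risk")
    if not cfg.block_spoofed:
        total += VERY_HIGH
        findings.append("spoofed-address blocking overridden: very high risk")
    if not cfg.block_ip_options:
        total += VERY_HIGH
        findings.append("IP-options blocking overridden: very high risk")
    for enabled, text in ((cfg.private_trusted_addresses, "public addresses on Trusted"),
                          (cfg.masquerading, "IP masquerading not enabled"),
                          (cfg.port_forwarding, "port forwarding not enabled")):
        if not enabled:
            total += MEDIUM
            findings.append(f"{text}: medium risk")
    incoming_ftp = 0
    for svc in cfg.services:
        risk = service_risk(svc)
        if risk == float("inf"):
            findings.append(f"{svc.name}: Any-to-Any incoming makes the firewall moot")
        if svc.incoming and svc.name.upper() == "FTP":
            incoming_ftp += 1
        total += risk
    if incoming_ftp >= 3:
        findings.append(f"{incoming_ftp} Incoming FTP services: accumulates to a high risk")
    return total, findings


def example_config():
    """Constructed sample configuration (not from the handbook)."""
    return FireboxConfig(gateways=2, trusted_hosts=3, optional_hosts=4, services=[
        Service("SMTP", proxied=True, to_hosts=("mail",)),                      # 1 * 0.75
        Service("HTTP", proxied=True, to_hosts=("www",), on_optional=True),     # 1 * 0.5
        Service("FTP", proxied=True, to_hosts=("ftp",), on_optional=True),      # 8 * 0.5
        Service("telnet", proxied=False, requires_auth=True),                   # 8 * 0.5
        Service("FTP", proxied=True, incoming=False, from_hosts=("ops",)),      # 1 * 0.75
    ])
```

Scoring `example_config()` gives 17.0 with no findings; overriding spoofed-address blocking on the same configuration adds 25.0 and a finding, and an Any-to-Any service drives the total to infinity.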
CHAPTER 3 Network Configuration

The Firebox can protect a wide array of private networks and/or hosts by representing them as a single IP address—the Firebox External IP address. Whether you have a single network behind the Firebox, a few networks, or a jumble of disjointed networks and random addresses assigned to specific hosts, the WatchGuard approach can assimilate them all into a Firebox-compatible network configuration.

WatchGuard accomplishes this versatility through several configuration concepts that are explained here:

• Simple networks
• Proxy ARP (address resolution protocol)
• Multiple networks
• Sub-netting
• Secondary networks

Simple Network (Drop-In) Configuration

A simple, or drop-in network configuration is where you have a single network within your organization, and the Firebox stands between it and the router to the Internet. A simple network configuration is illustrated below:

The most important feature is that all network assignments for the Firebox, router, and private network use the same IP address range. This configuration is called drop-in because the Firebox is “dropped in” to an existing network. In this configuration, there is just one network address range, and configuration tasks are minimal compared to a multiple network setup.

A simple configuration is for situations where you can distribute a single network’s address space across Firebox interfaces. It enables you to place the Firebox between the router and the LAN without reconfiguring any of the machines on the Trusted interface.
How the simple configuration works with proxy ARP

Generally when a machine needs to send a packet, it broadcasts an ARP (address resolution protocol) request asking for the hardware address of the interface card that owns the destination IP of the packet being sent:

09:06:38.272923 arp who-has linus.torvalds.org tell kernel.torvalds.org

The hardware interface card that has the destination IP address responds with the correct hardware address:

09:06:38.272923 arp reply linus.torvalds.org is-at 0:0:c0:72:cd:f2

And the packet is sent to the correct address. Note that both machines must be on the same physical wire; otherwise, the broadcasts cannot reach the right interface card, and it won’t send a reply.

In a simple configuration, the Firebox performs proxy ARP: It answers ARP requests for machines that are on other networks, which ordinarily could not “hear” the broadcasts. When you install the Firebox between the router and the rest of the Trusted network, it replies for the router, accepts the packet, and forwards it to the router.

This mechanism allows the Firebox to be placed in a network without changing default gateways on the trusted hosts, since the Firebox answers for the router, even though the router cannot hear the trusted host’s ARP requests.

For this to work, however, all the trusted machines must have their ARP caches flushed, so that the Trusted interface hardware address is allowed to replace the actual router hardware address.

For a WatchGuard simple network configuration to work, all three interfaces on the Firebox must be assigned IP addresses on the same network (regardless of whether you make use of the Optional interface). Ideally, all three interfaces are assigned the same IP address, not just addresses from the same network range. This saves your organization two IP addresses. Again, refer to the simple network configuration figure earlier in this chapter.

The simple configuration assumes that most of an organization’s LAN is on the Trusted interface. It can, however, accommodate other networks behind the Firebox. The WatchGuard Policy Manager provides a tool to list the IP addresses of any networks with IP addresses outside an interface’s network range. The other networks are called secondary networks.

Using a secondary network

A secondary network is one on the same physical wire as the Firebox’s interfaces, but which has addresses that belong to an entirely different network. When adding a secondary network to one of the Firebox interfaces, you are mapping an IP address from the secondary network to the IP address of the interface (either Trusted, External, or Optional). This is known as creating or adding an IP alias to the network interface for the secondary network. This IP alias becomes the default gateway for all the machines on that particular secondary network.

This also tells the Firebox that there is another network residing on that wire. A secondary network can be used by both simple and multiple network configurations.
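The proxy ARP mechanism of the drop-in configuration and the ARP-cache-flush requirement described above, as an added simulation that is not part of the handbook or of WatchGuard’s software. The IP addresses, MACs and host names are constructed sample values, and the single-/24 subnet check is a simplification.

```python
"""Proxy ARP in a drop-in Firebox configuration.  Added simulation, not WatchGuard
code: two Wire objects are the two physical segments, the Firebox bridges them with
one IP address, and every address, MAC and host name is a constructed sample value."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)   # ip -> mac learned from ARP replies


@dataclass
class Wire:
    """One physical segment: a broadcast reaches every node attached to it."""
    nodes: list = field(default_factory=list)

    def arp_request(self, asker, target_ip, proxy=None):
        """'arp who-has target_ip tell asker': the MAC that replies, or None."""
        for node in self.nodes:
            if node is not asker and node.ip == target_ip:
                return node.mac                      # the real owner is on this wire
        if proxy is not None:
            return proxy.proxy_arp(self, target_ip)  # nobody here owns it: the Firebox may answer
        return None

    def deliver(self, dst_mac):
        # Unicast frame to dst_mac: the receiving node, or None if the frame is lost.
        for node in self.nodes:
            if node.mac == dst_mac:
                return node
        return None


class Firebox:
    """Trusted and External interfaces carry the same IP but sit on different wires."""
    def __init__(self, ip, trusted_mac, external_mac, trusted_wire, external_wire, gateway_ip):
        self.trusted = Node("firebox-trusted", ip, trusted_mac)
        self.external = Node("firebox-external", ip, external_mac)
        self.trusted_wire, self.external_wire = trusted_wire, external_wire
        self.gateway_ip = gateway_ip                 # the router, reachable on the External wire
        trusted_wire.nodes.append(self.trusted)
        external_wire.nodes.append(self.external)

    def proxy_arp(self, wire, target_ip):
        """Answer for an IP that really lives on the other wire, using this wire's MAC."""
        if wire is self.trusted_wire:
            other, reply_mac = self.external_wire, self.trusted.mac
        else:
            other, reply_mac = self.trusted_wire, self.external.mac
        return reply_mac if other.arp_request(None, target_ip) else None

    def forward(self, dst_ip):
        """Accept a frame on the Trusted side and hand it to the router on the External side."""
        mac = self.external_wire.arp_request(self.external, self.gateway_ip)
        return self.external_wire.deliver(mac) if mac else None


def same_subnet(a, b):
    # Simplification: the drop-in network is one /24, so compare the first three octets.
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def send(host, wire, dst_ip, gateway_ip, firebox=None):
    """host sends one IP packet to dst_ip; returns the Node that finally receives it, or None."""
    next_hop = dst_ip if same_subnet(host.ip, dst_ip) else gateway_ip
    if next_hop not in host.arp_cache:
        mac = wire.arp_request(host, next_hop, proxy=firebox)
        if mac is None:
            return None                              # no ARP reply: the packet cannot be sent
        host.arp_cache[next_hop] = mac
    receiver = wire.deliver(host.arp_cache[next_hop])
    if firebox is not None and receiver is firebox.trusted:
        return firebox.forward(dst_ip)               # the Firebox answered for the router
    return receiver


def demo():
    """Drop a Firebox between a LAN and its router and exercise the cases in the text."""
    lan, uplink = Wire(), Wire()
    router = Node("router", "192.0.2.1", "02:00:00:00:00:01")
    uplink.nodes.append(router)
    fb = Firebox("192.0.2.2", "02:00:00:00:00:02", "02:00:00:00:00:03", lan, uplink, router.ip)
    alice = Node("alice", "192.0.2.10", "02:00:00:00:00:10")
    bob = Node("bob", "192.0.2.11", "02:00:00:00:00:11")
    lan.nodes += [alice, bob]
    results = {}
    # Same wire: bob answers alice's ARP request himself; the Firebox stays out of it.
    results["lan_peer"] = send(alice, lan, bob.ip, router.ip, fb).name
    # Off the LAN: the router cannot hear the broadcast, so the Firebox replies with its
    # Trusted MAC, accepts the frame and forwards it to the router on the External wire.
    results["internet"] = send(alice, lan, "203.0.113.5", router.ip, fb).name
    results["alice_sees_router_as"] = alice.arp_cache[router.ip]
    # Stale cache: bob still holds the router's real MAC from before the Firebox was
    # dropped in, so his frame goes to a MAC no longer on his wire and is lost.
    bob.arp_cache[router.ip] = router.mac
    results["stale_cache"] = send(bob, lan, "203.0.113.5", router.ip, fb)
    bob.arp_cache.clear()                            # the ARP-cache flush the handbook requires
    results["after_flush"] = send(bob, lan, "203.0.113.5", router.ip, fb).name
    return results
```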
Multiple Network Configuration

The multiple network configuration is for situations where the Firebox is put in place with separate logical networks on its interfaces. It is illustrated below:

The multiple network configuration must assign separate network address ranges to at least two of the three Firebox interfaces (External, Trusted, and Optional). If you have only two separate network addresses and you want to use the multiple configuration, assign those networks to the External and Trusted interfaces (that is, do not use the Optional interface). In multiple configuration mode, each interface must be on a separate network.

If you have three or more network addresses, use the multiple network configuration and map three networks to the three interfaces. Add additional networks as Secondary Networks to one or more of the interfaces. You can relate different networks to different interfaces. Those networks then come under the protection and access rules set up for that interface. The Firebox forwards packets to the various interfaces depending on how the networks and hosts are configured and defined.
  43. 43. Network Security Handbook 33 CHAPTER 4 Proxying and Packet Filtering OYl[`?mYjhjgna]kalkk][mjalql`jgm_`loge][`Yfakek2qfYea[ hY[c]l^adl]jaf_YfljYfkhYj]flYhhda[Ylagfhjgpa]k L`akak[mkkagf]^af]kYf]k[jaZ]khY[c]l^adl]jaf_Yfk]jna[]hjgpa]k Ykj]dYl]lg^aj]oYddl][`fgdg_q$o`Yl]Y[`g]k$Yfo`q[]jlYaf hjglg[gdkf]]l`]]pljYk][mjalqg^hjgpqaf_nk^adl]jaf_AlYdkgaf[dm]k ak[mkkagfg^YklYf[]Yfl`]jYea^a[Ylagfkg^l`]OYl[`?mYjklYf[]È o`a[`aklg[gf^a_mj]]n]jql`af_qgmoYfllghYkkYf]fq]n]jql`af_ ]dk] The Purpose of Dynamic Packet Filtering qfYea[hY[c]l^adl]jaf_]pYeaf]kl`]`]Y]jkg^hY[c]lkZ]af_k]flgj j][]an]@]Y]jkhjgna]af^gjeYlagfgfl`]kgmj[]g^l`]hY[c]l$l`] ]klafYlagf$l`]hjglg[gdmk]$l`]hgjlfmeZ]j$Yfgl`]jaf^gjeYlagfg^ l`Ylkgjl9hY[c]l^adl]j]pYeaf]kl`]`]Y]jklg]l]jeaf]o`]l`]jl`]q ^gddgod]_alaeYl]kqflYpjmd]kYf[gehdqoal`l`][gf^a_mj]k][mjalq hgda[q 9^aj]oYddhY[c]l^adl]jakYfYdg_gmklgl`]eYadkgjl]jYlYhmZdak`af_ [gehYfq$o`g]pYeaf]k]fn]dgh]klgeYc]kmj]l`Yll`]qYj]Zgl` [geaf_^jgeYd]_alaeYl]Yj]kk$YfZgmf^gjYd]_alaeYl]]algj
within the company. He checks the postal guidelines to make sure that he is allowed to send this type of mail to this particular editor. He does not open the envelopes and examine the story being sent; he simply sorts and routes the mail. This is essentially what packet filters do.

For example, if a packet filter encountered a packet assigned to port 403, and the filter "knows" that this port has not been opened for any service, the filter would reject the packet because its port number is invalid according to the packet filter rules.

Packet filters typically operate according to rules that determine packet disposition. These rules are written in a filter language and collected into groups called rulesets. Rulesets can be difficult to configure and work best when interpreted by properly written firewall software rather than by harried network system administrators. In addition, many packet filters do not provide the means to filter on some of the more useful properties of IP packets.

WatchGuard uses dynamic packet filtering rules which go beyond the basic packet filtering described above. WatchGuard bases its filtering not only on service types, but also on conditions surrounding the initiation of a connection. WatchGuard uses dynamic rulesets, allowing you to add and remove rules depending on network activity. For example, if a particular site attempts to connect to a port it has no business connecting to, WatchGuard can be configured to automatically add that particular host
to a Blocked Sites list, making things such as port-space probes increasingly difficult to carry out.

How the Firebox Security System Uses Proxies

Proxies go well beyond the function of a packet filter by examining not just the headers but also the packet content. In doing so, the proxy determines whether forbidden content is being transmitted, and filters or denies the content as appropriate.

To revisit the corporate mail sorter analogy, let us suppose the mail sorter has just been promoted to screening editor. Now he not only reads the "To" and "From" addresses on the envelopes, he examines the envelope's contents to determine whether the addressed editor should read the story. Now he is acting as a proxy for the content editor. For example, the screening editor opens an envelope bearing a legitimate author's originating address, which is addressed to the cookbook editor. Inside he finds an action-adventure story set in a rainforest. He will not forward the manuscript because its content is inappropriate.

In the same way, a mail proxy examines all SMTP traffic to determine whether it contains forbidden content types, such as executable programs or items written in scripting languages. The SMTP proxy knows these content types are not allowable; a packet filter would never have noticed.

Proxies work at the application level, whereas IP packet filters work at the protocol level. This means that each packet received by a proxy must be stripped of all its network wrapping, analyzed, processed, and re-wrapped so it can be forwarded to its intended destination. This adds several layers of complexity and processing well beyond the packet filtering process. What this means, of course, is that proxies use up more processing bandwidth than packet filters. On the other hand, they can catch dangerous content types in ways that packet filters cannot.

WatchGuard employs a pragmatic combination of dynamic packet filtering and transparent proxies to control and monitor the flow of IP packets through the firewall. The transparent proxies are used for the protocols that are the most vulnerable, which are used by the widest variety of network users, and which are most likely to have forbidden content types embedded within. Most notable among the WatchGuard services are proxies for SMTP (email), FTP (file transfer), and HTTP (Web). Less dangerous types of packets are filtered by individually configured services.

With both packet filters and proxies, you can determine which hosts within your LAN and on the Internet can communicate with each other through that protocol, which events to log (such as rejected incoming packets), and which series of events should initiate a notification of the network administrator.

What is the Firewall Stance?

The policy of a firewall regarding the default disposition of IP packets is known as its stance. The stance dictates what the firewall will do with any given packet in the absence of explicit instructions. It is generally accepted by the Internet security community that the stance of a firewall should be to discard all packets that are not explicitly allowed, often stated as "that which is not explicitly allowed is denied."

The WatchGuard Firebox System, like most commercial firewalls, adopts this as its default stance. This protects against attacks based on new, unfamiliar, or obscure IP services. It also provides a safety net regarding unknown services and configuration errors which could otherwise threaten network security.

What this also means, then, is that for the Firebox to pass any traffic, it must be configured to do so. The network administrator must actively select the services and protocols allowable, configure each one as to which hosts can send and receive them, and set other properties individual to the service. Proxies offer the most detailed additional properties.

Defining Traffic Through Services

In the WatchGuard administrative interface (Policy Manager), icons represent services (proxies and packet filters) configured on the firewall. We include nearly four dozen packet filters and another dozen proxies. Services can be configured for outgoing traffic and/or incoming traffic. They can be active or inactive. When you configure a service, you set the
allowable traffic endpoints and determine the filter rules and policies for each of these services. You can also create services to customize rulesets, destinations, protocols, ports used, and so on.

You may also add unique or custom services. This feature allows WatchGuard to easily accommodate new TCP/IP services as they are developed. Bear in mind, however, that if WatchGuard did not include a packet filter service you would like, it is probably because we do not advocate its general use in a firewall. We provide the means to create your own packet filters, but when you do, permit only the traffic flow in that service that is absolutely essential.

Configurable parameters for services

There are several parameters you can set or configure in the WatchGuard Firebox System for a service, including the following:

Senders and Recipients
There are separate controls for configuring incoming and outgoing traffic. The outgoing controls (senders) define which hosts, users or networks behind the Firebox can use this service to initiate sessions with an outside host. The incoming controls (recipients) define which hosts and users outside the Firebox can use this service to initiate sessions with your protected users, hosts or networks.

Property Settings
For proxies such as HTTP, FTP, and SMTP, there are additional property settings. In the case of SMTP and FTP, there are separate settings for incoming and outgoing properties. These controls enable you to set time-outs and other relevant properties for that proxy.

Logging and Notification
Each service has controls that enable you to select which events, if any, are to be logged, whether you want to be notified of these events, and whether you want to be notified by email, pager, pop-up window, or another custom method.
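The difference between the header-only check and the proxy's content check, as an added example in Python (not code from the handbook or from WatchGuard). The packet filter decides on the destination port alone, so every message bound for port 25 passes it; the proxy reassembles the message, walks the MIME parts and denies executable or script content, which is what the SMTP proxy described above does. The content-type policy, the attachment-name pattern, the check for a Windows "MZ" header behind an innocent-looking name, and the sample messages are all assumptions constructed for the example.

```python
import re
from email import message_from_string

# Assumed proxy policy: declared MIME types the proxy refuses outright ...
FORBIDDEN_TYPES = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/javascript", "text/javascript", "application/x-sh",
}
# ... and attachment names that mark executables or scripts whatever the declared type.
FORBIDDEN_NAMES = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|sh)$", re.IGNORECASE)


def packet_filter_verdict(dport, allowed_ports=(25,)):
    """Header-only decision: the filter sees the destination port and nothing else."""
    return "allow" if dport in allowed_ports else "deny"


def proxy_verdict(raw_message):
    """Application-level decision: reassemble the message, walk every MIME part
    and return ("deny", reasons) if any part carries forbidden content."""
    msg = message_from_string(raw_message)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if ctype in FORBIDDEN_TYPES:
            reasons.append(f"forbidden type {ctype}")
        elif FORBIDDEN_NAMES.search(name):
            reasons.append(f"executable or script attachment {name}")
        elif payload[:2] == b"MZ":
            # Declared type and name look harmless, but the bytes are a Windows executable.
            reasons.append(f"MZ executable header in {name or ctype}")
    return ("deny", reasons) if reasons else ("allow", [])


def _message(headers, body_lines):
    return "\n".join(headers + [""] + body_lines)


def _with_attachment(ctype, filename, base64_body):
    return _message(
        ["From: author@example.com", "To: cookbook-editor@example.com",
         "Subject: Chapter three", "MIME-Version: 1.0",
         'Content-Type: multipart/mixed; boundary="b1"'],
        ["--b1", "Content-Type: text/plain", "", "Chapter attached.",
         "--b1", f'Content-Type: {ctype}; name="{filename}"',
         f'Content-Disposition: attachment; filename="{filename}"',
         "Content-Transfer-Encoding: base64", "", base64_body, "--b1--"])


# Constructed sample messages, not real mail. "TVqQAAMAAAAEAAAA" is base64 for the
# first twelve bytes of a Windows PE file (the "MZ" header).
CLEAN_MESSAGE = _message(
    ["From: author@example.com", "To: cookbook-editor@example.com",
     "Subject: Chapter three", "Content-Type: text/plain"],
    ["Chapter three follows as plain text."])
SCRIPT_MESSAGE = _message(
    ["From: author@example.com", "To: cookbook-editor@example.com",
     "Subject: Chapter three", "Content-Type: text/javascript"],
    ["document.location = 'http://example.com/';"])
EXE_MESSAGE = _with_attachment("application/octet-stream", "chapter.exe", "TVqQAAMAAAAEAAAA")
RENAMED_EXE_MESSAGE = _with_attachment("application/pdf", "chapter.pdf", "TVqQAAMAAAAEAAAA")


def run_demo():
    """Same four messages, each arriving on port 25: the filter allows all, the proxy decides on content."""
    samples = {"clean": CLEAN_MESSAGE, "inline_script": SCRIPT_MESSAGE,
               "exe_attachment": EXE_MESSAGE, "renamed_exe": RENAMED_EXE_MESSAGE}
    return {label: {"filter": packet_filter_verdict(25), "proxy": proxy_verdict(raw)[0]}
            for label, raw in samples.items()}
```

The three checks are ordered from cheapest to most expensive, and the last one is the point of a proxy: the renamed executable passes both the declared type and the filename test, and only decoding the part and looking at its bytes catches it. A packet filter never gets that far because it never reassembles the message.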
Changing a service

Once a service is added, you can change certain features and attributes of that service without deleting the service and adding it again:

• You can change the rulesets for incoming and outgoing traffic for an existing service
• You can change logging and notification characteristics for a service

You can modify anything contained on a service's properties dialog box, but cannot change anything that is part of a service's initial setup. You must delete and re-add the service if you want to change its port configuration, client port setting, or protocol used.

Deleting a service

Whenever you want to take a service out of the configuration, it can be deleted from the allowable services, proxies, and protocols in a single operation. The service can be re-added later, if desired.
CHAPTER 5 Beyond Proxies and Packet Filters

Although proxies and packet filters are the bread and butter of firewalling, several other features are essential to an effective firewall, and many more are appropriate to the broader concept of network security. Other basic firewall functions include blocking sites and ports, IP masquerading, network address translation (NAT), and assigning identifiers to specific computers and groups of computers (aliasing). Other network security features include authentication, virtual private networking, and Web blocking.

What is the Purpose of Blocking Sites?

A blocked site is an IP address outside the Firebox that WatchGuard prevents from connecting with hosts behind the Firebox, or with the Firebox itself. There are two kinds of blocked sites:

• Permanently blocked sites, which are listed in the configuration file and change only if you manually change them
• Auto-blocked sites, which WatchGuard adds or deletes dynamically based on how the Firebox's configuration is set. For example, you can configure it to block sites that originate port probes, or that attempt to connect to forbidden ports. You can also configure auto-blocking on a service-by-service basis for sites that originate packets that a specific service denies. Auto-blocking temporarily blocks a site until the auto-blocking mechanism times out (according to your setting, ranging from minutes to days).

Site blocking can be imposed only on traffic on the External interface of the Firebox. Connections between the Trusted and Optional interfaces are not subject to the Blocked Sites list.

By default the WatchGuard system permanently blocks three network addresses: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These are the private network addresses. Backbone routers should never pass traffic with these addresses in the source or destination field of an IP packet. If there is traffic from one of these addresses, it is almost certainly a spoofed or otherwise suspect address. RFCs 1918, 1627, and 1597 cover the use of these addresses. Because the Blocked Sites list applies only to the External interface, this default does not interfere with using these ranges on your Trusted or Optional networks.

Blocked Sites allow you to prevent unwanted contact from known or suspected hostile systems. Once you identify a hostile site, you can simply block all attempted connections from it. You can configure logging to record all access attempts from blocked sites, and thus collect clues as to what services they are attempting to attack.

Logging blocked sites

All of the usual logging options can be used with Blocked Sites. These events should be sent to the Firebox log. It is a good idea to have the system automatically notify the network administrator when a blocked site attempts to communicate, since this is a rare event that may signify an attempted break-in.

What is the Purpose of Blocking Ports?

Blocking ports enables you to explicitly disable external access to certain network services that are vulnerable entry points in your operation. A Blocked Port setting takes precedence over any of the configuration settings for individual services.
Like Blocked Sites, Blocked Ports apply only to packets that come into your network on the External interface. Connections between your Optional and Trusted interfaces are not subject to the Blocked Ports list.

TCP/IP networks use ports to distinguish between different applications on the same host. Application servers use well-known ports assigned by the Internet Assigned Numbers Authority (IANA) for the server side of a connection, and the client side uses random ports greater than 1023. Ports 0 through 1023 are generally the server (privileged) range and ports 1024 and above the client (unprivileged) range. On Unix systems only a process running as root may listen on a port below 1024; that is the only sense in which the low range is "secure", and it says nothing about the safety of the service listening there.

For example, on a telnet connection from machine linus.com to torvalds.org, you would always use port 23 for telnet on torvalds.org (the server), and some port number greater than 1023 on linus.com (the client). The first telnet connection to torvalds.org might use port 1024 on the client side and port 23 on the server side. The next connection might use port 1025 on the client side, but would still use port 23 on the server side.

There are several reasons that blocking ports can be useful:

• Blocked Ports provide an independent check to protect the most sensitive services. Even if another part of WatchGuard is misconfigured, Blocked Ports provides another line of defense for the most vulnerable services.
• Probes to particularly sensitive services can be logged independently.
• Some TCP/IP services that use port numbers above 1023 (see below) are vulnerable to attack if the attacker originates the connection from an allowed well-known service port under 1024. Such a connection looks like the reply half of an allowed connection in the opposite direction. You can prevent this type of attack by blocking the destination ports of those high-numbered services (the X Window ports, for example) rather than relying on the source port to identify the allowed service.

By default, WatchGuard blocks several destination ports. This measure provides convenient defaults which will not require changes for most customers. Typically, the following services should always be blocked:

X Window (ports 6000-6063)
X Window has several distinct security problems which make it a liability on the Internet. While there are several authentication schemes available at the X server level, the most common ones are
easily defeated by a knowledgeable attacker. If an attacker can connect to an X server, they can easily record all keystrokes typed at the workstation, collecting any passwords and other sensitive information. Worse, such intrusions can be difficult or impossible to detect by all but the most knowledgeable and paranoid users.

The first X Window server is always on port 6000. If you have an X server with multiple displays, each new display uses an additional port number after 6000, up to 6063 for a maximum of 64 displays on a given host.

X Font Server (port 7100)
Many versions of X Window support font servers. Font servers are complex programs that run as the super-user on some hosts. As such, it is best to explicitly disable access to X font servers.

NFS (port 2049)
NFS (the Network File System) is a popular TCP/IP service for providing shared file systems over a network. However, current versions have serious authentication and security problems which make providing NFS service over the Internet very dangerous.

NOTE
Port 2049 is not formally assigned to NFS; in practice, however, it is the most common port used for NFS. The port an NFS server actually uses is registered with, and discovered through, the portmapper. If you are using NFS, it would be a good idea to verify that NFS is using port 2049 on all your systems (rpcinfo -p on a host lists the port each RPC service registered).

OpenWindows (port 2000)
OpenWindows is a windowing system from Sun Microsystems which has similar security risks to X Window.

rlogin, rsh, rcp (ports 513, 514)
These services provide remote access to other computers and are rather insecure on the Internet. Since many attackers probe for these services, it is prudent to block them.

RPC portmapper (port 111)
RPC services use port 111 to determine which ports are actually used by a given RPC server. Since RPC services themselves are terribly vulnerable to attack over the Internet, the first step in
attacking RPC services is to contact the portmapper to find out which services are available.

port 0
Port 0 is reserved by IANA, but many programs which scan ports start their search on port 0.

port 1
Port 1 is for the rarely used TCPmux service. Blocking it is another way to confuse port-scanning programs.

Other Services
Novell IPX over IP (port 213). If you use Novell IPX over IP internally, you might want to explicitly block port 213 here.
NetBIOS services (ports 137 through 139). You should also block these ports if you use NetBIOS internally. While such services are blocked implicitly by default packet handling, blocking them here can be convenient.

Conflicts in blocked ports

Client-side ports are not always as random as the description above suggests. It is possible that legitimate users might have problems because of blocked ports. In particular, some clients might temporarily fail because of blocked ports. You should be very careful about blocking port numbers between 1000 and 1999, as these numbers are particularly likely to be used as client ports.

NOTE
Solaris uses ports greater than [number missing from the source] for clients.

Auto-blocking sites that attempt to use blocked ports

You can configure a blocked port such that when an outside host attempts to access it, that outside host is temporarily auto-blocked. You can also set the duration of the auto-block.
Logging blocked port activity

You can also adjust your event logs and notification to accommodate attempts to access blocked ports. You can configure the security system to log all attempts to use blocked ports, and can further configure the system to send a network administrator notification when someone attempts to access a blocked port.

Network Address Translation (NAT)

Network Address Translation maps private addresses to public ones and vice versa. NAT is also known as IP masquerading or port forwarding, depending on the type of address translation performed. Basically, there are two types of NAT:

• Dynamic NAT (also known as IP masquerading or port address translation) presents the Firebox IP address to the public, while it hides and translates the IP addresses of the hosts it is protecting. Dynamic NAT protects host identities in outgoing traffic.
• Static NAT (also known as port forwarding) maps the port of a given service on the Firebox's public address (such as port 80 for HTTP) to a port on a designated internal host, so that originators of incoming traffic never know what host is actually receiving the packets. Static NAT allows hosting of a public server using a private IP address behind a firewall.

What is dynamic NAT?

Dynamic NAT hides local network addresses from other hosts on the Internet. Hosts elsewhere on the Internet see only packets from the Firebox itself. Dynamic NAT can translate the addresses of almost all TCP- and UDP-based transmissions.

In dynamic NAT, outgoing packets are mapped to a random port on the Firebox. The source address on these packets is then rewritten with the IP address of the Firebox and the random port number. The remote end sees the IP address of the Firebox and the random port number. Data is sent back to this location; the Firebox then examines the headers, and maps the port number back to the masqueraded host.
This address translation is dynamic in that a new port-to-internal-host mapping is made for each connection. On any given connection, an internal host may be mapped to any given port. The implications of this are important: dynamic NAT works only one way, for outgoing traffic. To perform the same sort of operation from the outside to the inside, employ static NAT to designate specific internal hosts to receive the packets of one port. Static NAT is described in more detail in the next section.

Important dynamic NAT configuration parameters

Dynamic NAT has several configurable parameters, of which the following are particularly significant:

Timeouts
There are three adjustable time-out values associated with dynamic NAT: TCP Idle Time-out, TCP Finish Time-out, and UDP Idle Time-out. The TCP Idle Time-out value acts as an idle time-out for TCP connections. A larger value is helpful if you perform long-lived telnet sessions across the firewall. TCP Finish Time-out limits the amount of time a session waits for a finish packet from the remote site, and UDP Idle Time-out limits the wait on UDP sessions.

Use dynamic NAT on these networks
You can designate which networks have their addresses dynamically translated to the External interface. Outside the interface, all communication from these hosts appears to come from the Firebox. You can masquerade as many hosts or networks as you like. If you use private networks in your organization, your private networks should be numbered in one of the following address ranges:

- 10.0.0.0 to 10.255.255.255 (10.0.0.0/8 in slash notation)
- 172.16.0.0 to 172.31.255.255 (172.16.0.0/12 in slash notation)
- 192.168.0.0 to 192.168.255.255 (192.168.0.0/16 in slash notation)

These are the private reserved network numbers. Consult RFC 1918 for more information on reserved IP addresses.
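Dynamic and static NAT as a port-mapping table, as an added example in Python (not WatchGuard code). It carries out what the dynamic NAT text above and the static NAT section that follows describe: an outgoing packet from a masqueraded network leaves with the Firebox address and a fresh external port, the reply is mapped back through that port, mappings expire on the TCP Idle, TCP Finish and UDP Idle time-outs, an unsolicited inbound packet with no mapping is dropped, and a static NAT entry forwards inbound traffic for one port to the designated internal server. The external address 203.0.113.1, the masqueraded network, the time-out values, the sequential (rather than random) port allocation and the traffic are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False   # TCP FIN seen: the session is finishing


@dataclass
class Mapping:
    proto: str
    inside: Tuple[str, int]   # masqueraded host and its original source port
    last_seen: float
    finishing: bool = False


class Nat:
    def __init__(self, external_ip, masq_nets, tcp_idle=3600.0, tcp_finish=60.0, udp_idle=300.0, first_port=1024):
        self.external_ip = external_ip
        self.masq_nets = [ipaddress.ip_network(n) for n in masq_nets]
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}
        self.tcp_finish = tcp_finish
        self.next_port = first_port   # a counter rather than a random pick, so the example is reproducible
        self.dynamic = {}    # (proto, external port) -> Mapping
        self.by_inside = {}  # (proto, inside host, inside port) -> external port
        self.static = {}     # (proto, external port) -> (inside host, inside port)

    def add_static(self, proto, ext_port, inside_host, inside_port):
        self.static[(proto, ext_port)] = (inside_host, inside_port)

    def _masqueraded(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in self.masq_nets)

    def _expire(self, now):
        for key, m in list(self.dynamic.items()):
            limit = self.tcp_finish if m.finishing else self.idle[m.proto]
            if now - m.last_seen > limit:
                del self.dynamic[key]
                del self.by_inside[(m.proto,) + m.inside]

    def outbound(self, pkt, now):
        """Translate a packet leaving through the External interface."""
        self._expire(now)
        if not self._masqueraded(pkt.src):
            return pkt     # not on a masqueraded network: passes through untouched
        inside = (pkt.proto, pkt.src, pkt.sport)
        ext_port = self.by_inside.get(inside)
        if ext_port is None:
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.by_inside[inside] = ext_port
            self.dynamic[(pkt.proto, ext_port)] = Mapping(pkt.proto, (pkt.src, pkt.sport), now)
        m = self.dynamic[(pkt.proto, ext_port)]
        m.last_seen = now
        m.finishing = m.finishing or pkt.fin
        return Packet(pkt.proto, self.external_ip, ext_port, pkt.dst, pkt.dport, pkt.fin)

    def inbound(self, pkt, now):
        """Translate a packet arriving on the External interface; None means it is dropped."""
        self._expire(now)
        if pkt.dst != self.external_ip:
            return None
        key = (pkt.proto, pkt.dport)
        m = self.dynamic.get(key)
        if m is not None:                 # reply to a dynamically mapped session
            m.last_seen = now
            m.finishing = m.finishing or pkt.fin
            host, port = m.inside
        elif key in self.static:          # static NAT entry for a public service
            host, port = self.static[key]
        else:
            return None                   # dynamic NAT works only one way: no mapping, no delivery
        return Packet(pkt.proto, pkt.src, pkt.sport, host, port, pkt.fin)


def run_demo():
    """Constructed traffic: Firebox External address 203.0.113.1 masquerading 192.168.1.0/24."""
    t0 = 1_000_000.0
    nat = Nat("203.0.113.1", ["192.168.1.0/24"])
    nat.add_static("tcp", 25, "192.168.1.10", 25)    # mail sent to the Firebox goes to the internal SMTP server
    out = {}
    web = nat.outbound(Packet("tcp", "192.168.1.20", 1030, "198.51.100.7", 80), t0)
    out["web_out"] = web
    out["web_reply"] = nat.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.1", web.sport), t0 + 1)
    out["mail_in"] = nat.inbound(Packet("tcp", "198.51.100.9", 40000, "203.0.113.1", 25), t0 + 2)
    out["unsolicited_ssh"] = nat.inbound(Packet("tcp", "198.51.100.9", 40000, "203.0.113.1", 22), t0 + 2)
    nat.outbound(Packet("tcp", "192.168.1.20", 1030, "198.51.100.7", 80, fin=True), t0 + 10)
    out["web_after_fin_timeout"] = nat.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.1", web.sport), t0 + 71)
    dns = nat.outbound(Packet("udp", "192.168.1.20", 53000, "198.51.100.53", 53), t0 + 100)
    out["dns_reply_late"] = nat.inbound(Packet("udp", "198.51.100.53", 53, "203.0.113.1", dns.sport), t0 + 401)
    out["passthrough"] = nat.outbound(Packet("tcp", "203.0.113.50", 1030, "198.51.100.7", 80), t0 + 401)
    return out
```

The inbound path is the security point: a packet that matches neither a live dynamic mapping nor a static entry has nowhere to go and is dropped, which is why an unsolicited connection to port 22 never reaches an internal host even though port 25 does. The same table also shows why a TCP Finish Time-out much shorter than the idle time-out matters: once the FIN is seen the mapping is torn down in 60 seconds instead of an hour, shrinking the window in which a late packet to that external port would be forwarded inside.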
What is static NAT?

Static NAT controls what incoming traffic reaches the protected network. It maintains the anonymity of dynamic NAT and adds the functionality of forwarding externally originated traffic to specific internal hosts. Static NAT redirects incoming IP packets from the Firebox to the specific masqueraded host behind it. It rewrites the headers of the packets and forwards them based on the original destination port number.

You typically use static NAT for public services such as Web sites and email. For example, you might want to set up a mail server whose address you do not want generally known, or that has an IP address that would not be legitimate on the external network. Static NAT enables you to designate a specific internal server to receive all email. Then, whenever someone sends email addressed to the Firebox, the Firebox knows to translate the address to the designated email (SMTP) server.

Configuring static NAT

To configure static NAT for a given host, it must already be on a network using dynamic NAT. Static NAT is configured on a service-by-service basis. When you set up a given service (for example, SMTP), once you determine the eligible From and To hosts for incoming and outgoing traffic, you may then apply static NAT to translate the external address to an internal address; you can also redirect the port for that service.

Aliasing

Aliasing enables you to configure various collections of computers into groups, and to create groups of users with varying levels of permissions. Aliasing provides a simple way to remember IP addresses, NT Domain Groups and Users, network IP addresses, and supergroups containing some combination of groups, users, domains, and IP addresses. Aliases can then be used for building access rules for services, for authentication groups, and for groups when configuring WebBlocker.
NOTE
Firebox Domain users and groups and NT Domain users and groups are not the same as Host Aliases. Use the Aliases tab to create host aliases that contain Firebox Domain users and NT Domain users.

Aliasing is the act of delineating your organization according to groupings (such as authentication used or access allowed) outlined in your security policy. It includes the following:

Friendly host names
A descriptive or easily remembered name as an alias for a given server or workstation's IP address.

Friendly network names
A descriptive or easily remembered name as an alias for a network IP address.

Work Groups
These are groups of workstations and/or servers, usually organized by function or department.

Privilege Groups
In WebBlocker, you can create groups based on what Web sites you will allow them to access and when.

Authentication Groups
These are groups organized by the method they use to remotely access your network: RADIUS, CRYPTOCard, or WatchGuard authentication.

Authentication

User Authentication allows individual users to authenticate to the Firebox using a Java-enabled Web browser. It is used to provide access control for outgoing connections.

With User Authentication, it no longer matters what IP address is being used, or from which machine a user chooses to work. To gain access to Internet services (such as Outgoing HTTP or Outgoing FTP) the user must
provide authenticating data in the form of a login and password. For the duration of the authentication, the username is tied to connections originating from the IP address from which the user authenticated. This makes it possible to track not only the machines from which connections are originating, but also the user from whom the connections are originating.

NOTE
Because usernames are bound to IP addresses, User Authentication is not recommended for use in an environment with multi-user machines such as Unix servers,
as only one user per machine can be authenticated at any one time.

WatchGuard Authentication allows you to define permissions and groups using usernames rather than IP addresses. This system allows for situations where users may use more than one computer or IP address. Tracking activities by user rather than IP is especially useful on networks using DHCP, where a user workstation may have several different IP addresses over the course of a week. Authentication by user is also useful in education environments, such as classrooms and college computer centers, where many different people might use the same IP address over the course of the day.

Authentication methods

The WatchGuard Firebox System can authenticate users against the following types of authentication servers:

• NT Primary Domain Controllers
• RADIUS-compliant authentication servers (as defined in RFC 2138)
• CRYPTOCard authentication
• SecurID authentication
• The WatchGuard built-in authentication server (Firebox Domain)

The differences among the various authentication schemes are largely transparent to the user; the user performs the same sequence of tasks to be authenticated against any of these types of authentication. The difference for the Firebox administrator is that in one case the database of usernames, passwords, and groups is stored on the Firebox
itself, and in the other cases the usernames, passwords, and groups are stored on the server performing the authentication: a Windows NT server, RADIUS server, or CRYPTOCard server.

In the latter case, where the authentication server is not the Firebox, you must set up that authentication server according to the manufacturer's instructions and place it on the network so it is accessible by the Firebox.

NOTE
Only one type of User Authentication may be used at a time.

There are two Global Authentication Settings:

• Logon timeout, where you select how many seconds are allowed for an attempted logon before the timeout shuts down the connection
• Session timeout, where you set how many hours a session remains open before the timeout shuts down the connection. This is a fixed time limit and is irrespective of end-user traffic

The WatchGuard authentication implementation

To authenticate using any Java-enabled Web browser such as Netscape Navigator or Microsoft Internet Explorer, users first connect to a URL on the Firebox. A specialized Web server on the Firebox then sends a Java applet back to the user, in which name and password information is entered. This information is encrypted within the applet and passed back to the Firebox for verification against the authentication server defined in its configuration. As a result, the system authenticates users just once, instead of each time they attempt to connect to a site. Username and password information needed for authentication is never passed in clear text.

Authentication is particularly crucial when you use dynamic IP addressing (DHCP) behind the Firebox, or want users to identify themselves before performing various services through the Firebox. With the WatchGuard Firebox System, authentication can be configured on a service-by-service basis, meaning that users will only need to authenticate before using certain services.

WatchGuard offers full interoperability with standards-based authentication technology from CRYPTOCard for both CRYPTOAdmin
and RB-1 Tokens. This enables you to secure network access using token-based authentication solutions from CRYPTOCard, in conjunction with the WatchGuard Firebox System.

The built-in authentication server included with the WatchGuard Firebox System is designed for smaller environments; usernames, group names and passwords can be entered directly into the Firebox configuration to set individual filter rules as desired.

Firebox authentication described

Usernames, passwords, and groups may be stored in the Firebox for WatchGuard authentication. These accounts are also used for Mobile User VPN.

For NT Domain Controller or RADIUS authentication, you must enter the users and/or groups on the respective Windows NT or RADIUS authentication servers. For Firebox Domain accounts, however, you perform all authentication setup on the Firebox Users tab of the Member Access and User Authentication Setup dialog box. In configuring Firebox authentication, you can define users and groups, and assign members to specific groups.

NOTE
Two WatchGuard authentication groups are included for a VPN connection with only one Firebox at the home office. The group "ipsec users" is a special built-in group that contains only currently authenticated Mobile User VPN users. The group "pptp users" is the equivalent group created for remote users connecting to the Firebox with PPTP. You must add user names to the appropriate group to enable them to use Mobile User VPN or PPTP to remotely connect to the Firebox.

Windows NT authentication described

Windows NT Domain User Authentication is based on NT Domain Users and Groups, and uses the User and Group database already in place on your Windows NT Domain Controller.

The WatchGuard implementation of authentication via a Windows NT server assumes you have configured your Windows NT server with users and
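The username-to-IP binding and the two Global Authentication Settings described in the Authentication sections above, as an added example in Python (not WatchGuard code). It shows a logon completed within the logon timeout binding a user and their groups to the address the logon came from, a per-service check that consults that binding, a second logon from the same address displacing the first (the multi-user machine caveat in the NOTE above), and a session closing at the session timeout regardless of traffic. The password store (salted PBKDF2), the group names, the timeout values and the users are assumptions made for the example; the handbook's Java applet and its encryption of the credentials in transit are not reproduced.

```python
import hashlib
import hmac
import os


class FireboxDomain:
    """Built-in user store: username -> (salt, password hash, groups). Assumed design."""

    def __init__(self, iterations=50_000):
        self.iterations = iterations
        self.users = {}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def add_user(self, name, password, groups=()):
        salt = os.urandom(16)
        self.users[name] = (salt, self._digest(password, salt), frozenset(groups))

    def verify(self, name, password):
        """Return the user's groups on success, None on failure (constant-time compare)."""
        record = self.users.get(name)
        if record is None:
            return None
        salt, digest, groups = record
        return groups if hmac.compare_digest(self._digest(password, salt), digest) else None


class Sessions:
    """Username bound to the IP address it authenticated from, with the two global timeouts."""

    def __init__(self, store, logon_timeout=60.0, session_hours=8.0):
        self.store = store
        self.logon_timeout = logon_timeout
        self.session_seconds = session_hours * 3600
        self.pending = {}    # ip -> time the logon page was served
        self.sessions = {}   # ip -> (username, groups, hard expiry)

    def begin_logon(self, ip, now):
        self.pending[ip] = now

    def complete_logon(self, ip, name, password, now):
        started = self.pending.pop(ip, None)
        if started is None or now - started > self.logon_timeout:
            return False                       # logon timeout: the attempt is shut down
        groups = self.store.verify(name, password)
        if groups is None:
            return False
        # One user per address: a new logon from this IP replaces whoever was bound to it.
        self.sessions[ip] = (name, groups, now + self.session_seconds)
        return True

    def user_for(self, ip, now):
        entry = self.sessions.get(ip)
        if entry is None:
            return None
        if now >= entry[2]:                    # session timeout, regardless of traffic
            del self.sessions[ip]
            return None
        return entry[0]

    def permitted(self, ip, required_groups, now):
        """Service check: the user bound to this IP must be in one of the service's groups."""
        if self.user_for(ip, now) is None:
            return False
        return bool(self.sessions[ip][1] & set(required_groups))


# Assumed per-service authentication groups (the handbook configures this per service).
SERVICE_GROUPS = {"Outgoing HTTP": {"web-users"}, "Outgoing FTP": {"ftp-users"}}


def run_demo():
    """Constructed logons from a few addresses; returns the observable results."""
    t0 = 1_000_000.0
    store = FireboxDomain()
    store.add_user("alice", "correct horse", groups=["web-users"])
    store.add_user("bob", "battery staple", groups=["web-users", "ftp-users"])
    s = Sessions(store)
    out = {}
    s.begin_logon("192.168.1.20", t0)
    out["alice_logon"] = s.complete_logon("192.168.1.20", "alice", "correct horse", t0 + 5)
    out["alice_http"] = s.permitted("192.168.1.20", SERVICE_GROUPS["Outgoing HTTP"], t0 + 6)
    out["alice_ftp"] = s.permitted("192.168.1.20", SERVICE_GROUPS["Outgoing FTP"], t0 + 6)
    out["unauthenticated_http"] = s.permitted("192.168.1.21", SERVICE_GROUPS["Outgoing HTTP"], t0 + 6)
    # Second user on the same machine: bob displaces alice, and alice's traffic now counts as bob's.
    s.begin_logon("192.168.1.20", t0 + 10)
    s.complete_logon("192.168.1.20", "bob", "battery staple", t0 + 12)
    out["user_on_shared_ip"] = s.user_for("192.168.1.20", t0 + 13)
    out["shared_ip_ftp"] = s.permitted("192.168.1.20", SERVICE_GROUPS["Outgoing FTP"], t0 + 13)
    s.begin_logon("192.168.1.22", t0)
    out["slow_logon"] = s.complete_logon("192.168.1.22", "alice", "correct horse", t0 + 61)
    s.begin_logon("192.168.1.23", t0)
    out["bad_password"] = s.complete_logon("192.168.1.23", "alice", "wrong", t0 + 1)
    out["after_session_timeout"] = s.user_for("192.168.1.20", t0 + 12 + 8 * 3600)
    return out
```

The shared-address case is the one to study: after bob logs on from 192.168.1.20, every connection from that address, including alice's, is attributed to bob and gets bob's permissions. That is the concrete reason the NOTE above steers User Authentication away from multi-user hosts, and it applies equally to any group of machines that reach the Firebox through a shared address.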
