Defining a Firewall Configuration

About this task

To configure a firewall:

Procedure

  1. Select the Configuration tab from the Web user interface.
  2. Select Security.
  3. Select Wireless Firewall to display existing firewall policies.
    The Wireless Firewall screen has Denial of Service, Storm Control, and Advanced Settings tabs used to create the single firewall policy used by the access point and its connected devices. The Denial of Service tab displays by default.
    Click to expand in new window
    Wireless Firewall Screen - Denial of Service Tab
    GUID-706EEE64-FD7F-42AF-B90E-58C05F2CA426-low.png

    A denial of service (DoS) attack is an attempt to make a computer or network resource unavailable to its intended users. Although the means to carry out a DoS attack will vary, it generally consists of a concerted effort of one or more persons attempting to prevent a device, site or service from functioning temporarily or indefinitely.

    Most DoS attacks involve saturating the target device with external communications requests so it cannot respond to legitimate traffic or respond so slowly the device becomes unavailable in respect to its defined data rate. DoS attacks are implemented by either forcing targeted devices to reset or consuming the device‘s resources so it can no longer provide service.

  4. Select the Activate Firewall Policy option on the upper left-hand side of the screen to enable the screen‘s parameters for configuration.
    Ensure that this option stays selected to apply the configuration to the access point profile.

    The Settings field lists all of the DoS attacks for which the firewall has filters. Each DoS filter contains the following four items:

    Event Lists the name of each DoS attack.
    Enable Select Enable to set the firewall to filter the associated DoS attack based on the selection in the Action column.
    Action If a DoS filter is enabled, choose an action from the drop-down menu to determine how the firewall policy treats the associated DoS attack.
    • Log and Drop - An entry for the associated DoS attack is added to the log and then the packets are dropped.
    • Log Only - An entry for the associated DoS attack is added to the log. No further action is taken.
    • Drop Only - The DoS packets are dropped. No further action is taken.
    Log Level Select this option to enable logging to the system log. Then select a standard Syslog level from the Log Level drop-down menu.
  5. The following Events can be filtered on behalf of the firewall:
    Ascend The Ascend DoS attacks are a series of attacks that target known vulnerabilities in various versions of Ascend routers.
    Broadcast/Multicast ICMP Broadcast or Multicast ICMP DoS attacks are a series of attacks that take advantage of ICMP behavior in response to echo replies. These usually involve spoofing the source address of the target and sending ICMP broadcast or multicast echo requests to the rest of the network and in the process flooding the target machine with replies.
    Chargen The Chargen attack establishes a Telnet connection to port 19 and attempts to use the character generator service to create a string of characters which is then directed to the DNS service on port 53 to disrupt DNS services.
    Fraggle The Fraggle DoS attack uses a list of broadcast addresses to send spoofed UDP packets to each broadcast address‘ echo port (port 7). Each of those addresses that have port 7 open will respond to the request generating a lot of traffic on the network. For those that do not have port 7 open they will send an unreachable message back to the originator, further clogging the network with more traffic.
    FTP Bounce The FTP Bounce DoS attack uses a vulnerability in the FTP “PORT” command as a way to scan ports on a target machine by using another machine in the middle.
    Invalid Protocol Attackers may use vulnerability in the endpoint implementation by sending invalid protocol fields, or may misuse the misinterpretation of endpoint software. This can lead to inadvertent leakage of sensitive network topology information, called hijacking, or a DoS attack.
    IP Spoof IP Spoof is a category of DoS attack that sends IP packets with forged source addresses. This can hide the identity of the attacker.
    LAND The LAND DoS attack sends spoofed packets containing the SYN flag to the target destination using the target port and IP address as both the source and destination. This will either crash the target system or result in high resource utilization slowing down all other processes.
    Option Route Enables the IP Option Route denial of service check in the firewall.
    Router Advertisement In this attack, the attacker uses ICMP to redirect the network router function to some other host. If that host can not provide router services, a DoS of network communications occurs as routing stops. This can also be modified to single out a specific system, so that only that system is subject to attack (because only that system sees the 'false' router). By providing router services from a compromised host, the attacker can also place themselves in a man-in-the-middle situation and take control of any open channel at will (as mentioned earlier, this is often used with TCP packet forgery and spoofing to intercept and change open TELNET sessions).
    Router Solicit The ICMP Router Solicitation scan is used to actively find routers on a network. Of course, a hacker could set up a protocol analyzer to detect routers as they broadcast routing information on the network. In some instances, however, routers may not send updates. For example, if the local network does not have other routers, the router may be configured to not send routing information packets onto the local network.

    ICMP offers a method for router discovery. Clients send ICMP router solicitation multicasts onto the network, and routers must respond (as defined in RFC 1122).

    By sending ICMP router solicitation packets (ICMP type 9) on the network and listening for ICMP router discovery replies (ICMP type 10), hackers can build a list of all of the routers that exist on a network segment. Hackers often use this scan to locate routers that do not reply to ICMP echo requests.

    Smurf The Smurf DoS Attack sends ICMP echo requests to a list of broadcast addresses in a row, and then repeats the requests, thus flooding the network.
    Snork The Snork DoS attack uses UDP packet broadcasts to consume network and system resources.
    TCP Bad Sequence Enables a TCP Bad Sequence denial of service check in the firewall.
    TCP FIN Scan Hackers use the TCP FIN scan to identify listening TCP port numbers based on how the target device reacts to a transaction close request for a TCP port (even though no connection may exist before these close requests are made). This type of scan can get through basic firewalls and boundary routers that filter on incoming TCP packets with the Finish (FIN) and ACK flag combination. The TCP packets used in this scan include only the TCP FIN flag setting.

    If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target device discards the FIN and sends no reply.

    TCP Intercept A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection.

    Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a Web site, accessing email, using FTP service, and so on.

    The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depends on the platform, memory, processor, and other factors. In the case of illegitimate requests, the software‘s aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests.

    When establishing a security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers. You can also configure the connection rate and threshold of outstanding connections. Optionally operate TCP intercept in watch mode, as opposed to intercept mode. In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the software intervenes and terminates the connection attempt.

    TCP/IP TTL Zero The TCP IP TTL Zero DoS attack sends spoofed multicast packets onto the network which have a Time To Live (TTL) of 0. This causes packets to loop back to the spoofed originating machine, and can cause the network to overload.
    TCP Null Scan Hackers use the TCP NULL scan to identify listening TCP ports. This scan also uses a series of strangely configured TCP packets, which contain a sequence number of 0 and no flags. Again, this type of scan can get through some firewalls and boundary routers that filter incoming TCP packets with standard flag settings.

    If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP NULL scan, sending no reply.

    TCP Post SYN A remote attacker may be attempting to avoid detection by sending a SYN frame with a different sequence number than the original SYN. This can cause an Intrusion Detection System (IDS) to become unsynchronized with the data in a connection. Subsequent frames sent during the connection are ignored by the IDS.
    TCP Packet Sequence An attempt to predict the sequence number used to identify packets in a TCP connection, which can be used to counterfeit packets. The attacker hopes to correctly guess the sequence number used by the sending host. If successful, they can send counterfeit packets to the receiving host which will seem to originate from the sending host, even though the counterfeit packets may originate from some third host controlled by the attacker.
    TCP XMAS Scan The TCP XMAS Scan floods the target system with TCP packets including the FIN, URG, and PUSH flags. This is used to determine details about the target system and can crash a system.
    TCP Header Fragment Enables the TCP Header Fragment denial of service check in the firewall.
    Twinge The Twinge DoS attack sends ICMP packets and cycles through using all ICMP types and codes. This can crash some Windows systems.
    UDP Short Header Enables the UDP Short Header denial of service check in the firewall.
    WINNUKE The WINNUKE DoS attack sends a large amount of data to UDP port 137 to crash the NETBIOS service on windows and can also result on high CPU utilization on the target machine.
    Hop Limit Zero Enables the check for Hop Limit in IPv6 packets. If the value is zero, it is considered a DoS and is blocked.
    Multicast ICMPv6 The Multicast ICMPv6 attack sends multicast ICMPv6 packets. This is applicable to only ICMPv6 Echo request/reply packets.
    TCP Intercept Mobility Enables the detection of IPv6 TCP packets with mobility option Home- Address-Option (HAO) or RH (Routing Header) type two and does not generate TCP syn cookies for these packets.
  6. Select OK to update the Denial of Service settings.
    Select Reset to revert to the last saved configuration. The firewall policy can be invoked at any point in the configuration process by selecting Activate Firewall Policy from the upper left-hand side of the access point user interface.
  7. Select the Storm Control tab.
  8. Select the Activate Firewall Policy option on the upper left-hand side of the screen to enable the screen‘s parameters for configuration.
    Ensure that this option stays selected to apply the configuration to the access point profile.
    Click to expand in new window
    Wireless Firewall Screen - Storm Control Tab
    GUID-10653233-5C4C-44B7-9398-C37898F42B99-low.png

    The firewall maintains a facility to control packet storms. Storms are packet bombardments that exceed the high threshold configured for an interface. During a storm, packets are throttled until the rate falls below the configured rate, severely impacting performance for the interface. Thresholds are configured in terms of packets per second.

  9. Refer to the Storm Control Settings field to set the following:
    Traffic Type Use the drop-down menu to define the traffic type for which the Storm Control configuration applies. Options include ARP, Broadcast, Multicast, and Unicast.
    Interface Type Use the drop-down menu to define the interface for which the Storm Control configuration is applied. Only the specified interface uses the defined filtering criteria. Options include Ethernet, WLAN, and Port Channel.
    Interface Name Use the drop-down menu to refine the interface selection to a specific WLAN or physical port. This helps with threshold configuration for potentially impacted interfaces.
    Packets per Second Select the check box to activate the spinner control used to specify the packets per second threshold for activating the Storm Control mechanism.
  10. Select + Add Row as needed to add additional Storm Control configurations for other traffic types or interfaces.
    Select the Delete icon as required to remove selected rows.
  11. Refer to the Storm Control LOgging field to define how storm events are logged:
    Traffic Type Use the drop-down menu to define the traffic type for which the Storm Control logging configuration applies. Options include ARP, Broadcast, Multicast, and Unicast.
    Logging Select the check box to activate the spinner control used to specify the standard log level used if a Storm Control attack is detected. The default log level is Warning.
  12. Select + Add Row as needed to add additional Storm Control log entries for other interfaces.
    Select the Delete icon as required to remove selected rows.
  13. Select OK to update the Storm Control settings.
    Select Reset to revert to the last saved configuration.The firewall policy can be invoked at any point in the configuration process by selecting Activate Firewall Policy from the upper left-hand side of the access point user interface.
  14. Select the Advanced Settings tab.
    Use the Advanced Settings tab to enable or disable the firewall, and to define application layer gateway settings, flow timeout configuration, and TCP protocol checks.
    Click to expand in new window
    Wireless Firewall Screen - Advanced Settings Tab
    GUID-BA1937BF-3661-422E-AD44-3CDE1071A3ED-low.png
  15. Refer to the Firewall Status radio buttons to define the firewall as either Enabled or Disabled.
    The firewall is enabled by default.

    If disabling the firewall, a confirmation prompt displays stating NAT, wireless hotspot, proxy ARP, deny-static-wireless-client, and deny-wireless-client sending not permitted traffic excessively will be disabled.

  16. Refer to the General field to enable or disable the following firewall parameters:
    Enable Proxy ARP Select this option to allow the firewall policy to use Proxy ARP responses for this policy on behalf of another device. Proxy ARP allows the firewall to handle ARP routing requests for devices behind the firewall. This feature is enabled by default.
    DHCP Broadcast to Unicast Select this option to enable the conversion of broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast traffic can help reduce network traffic loads. This feature is disabled by default.
    L2 Stateful Packet Inspection Select this option to enable stateful packet inspection for RF Domain manager routed interfaces within the Layer 2 firewall. This feature is disabled by default.
    IPMAC Conflict Enable When multiple devices on the network have the same IP or MAC address, traffic passing through the firewall can experience routing issues. This occurs, for example, when removing a device from the network and attaching another using the same IP address. To avoid these issues, enable IP and MAC conflict detection. This feature is disabled by default.
    IPMAC Conflict Logging Select this option to enable logging for IP and MAC address conflict detection. This feature is disabled by default.
    IPMAC Conflict Action Set the action taken when an attack is detected. Options include Log Only, Drop Only, or Log and Drop. The default setting is Log and Drop.
    IPMAC Routing Conflict Enable Select this option to enable IPMAC Routing Conflict detection. This is also known as a Hole-196 attack in the network. This feature helps to detect if the client is sending routed packets to the correct router-mac-address.
    IPMAC Routing Conflict Logging Select enable logging for IPMAC Routing Conflict detection. This feature is disabled by default is set to Warning.
    IPMAC Routing Conflict Action Use this option to set the action taken when an attack is detected. Options include Log Only, Drop Only, or Log and Drop. The default setting is Log and Drop.
    DNS Snoop Entry Timeout Select this option and set a timeout, in seconds, for DNS Snoop Entry. DNS Snoop Entry stores information such as Client to IP Address and Client to Default Gateway(s) and uses this information to detect if the client is sending routed packets to a wrong MAC address.
    IP TCP Adjust MSS Select this option and adjust the value for the maximum segment size (MSS) for TCP segments on the router. Set a value between 472 bytes and 1,460 bytes to adjust the MSS segment size. The default value is 472 bytes.
    TCP MSS Clamping Select this option to enable TCP MSS Clamping. TCP MSS Clamping allows for the configuration of the maximum segment size of packets at a global level.
    Max Fragments/Datagram Set a value for the maximum number of fragments (between 2 and 8,129) allowed in a datagram before it is dropped. The default value is 140 fragments.
    Max Defragmentations/Host Set a value for the maximum number of defragmentations, between 1 and 16,384, allowed per host before it is dropped. The default value is 8.
    Min Length Required Select this option and set a minimum length, between 8 bytes and 1,500 bytes, to enforce a minimum packet size before being subject to fragment based attack prevention.
    Virtual Defragmentation Select this option to enable IP virtual defragmentation to help prevent fragment-based attacks, such as tiny fragments or large number of IP fragments.
    Virtual Defragmentation Timeout Set a virtual defragmentation timeout from 1- 60 seconds to prevent IP fragment-based attacks. The default value is 1 second.
  17. The firewall policy allows traffic filtering at the application layer using the Application Layer Gateway feature.
    The Application Layer Gateway provides filters for the following common protocols:
    FTP ALG Select the Enable box to allow FTP traffic through the firewall using its default ports. This feature is enabled by default.
    TFTP ALG Select the Enable box to allow TFTP traffic through the firewall using its default ports. This feature is enabled by default.
    PPTP ALG Select the check box to allow PPTP traffic through the firewall. Microsoft uses PPTP in its Windows operating systems to establish VPN connection between two endpoints on the internet. PPP frames are used to tunnel packets through the IP backbone. PPTP uses a client-server model for connectivity. This feature is enabled by default.
    SIP ALG Select the Enable box to allow SIP traffic through the firewall using its default ports. This feature is enabled by default.
    SCCP ALG Select the check box to allow SCCP traffic through the firewall using its default ports. This feature is enabled by default. Signalling Connection Control Part (SCCP) is a network protocol that provides routing, flow control and error correction in telecommunication networks.
    FaceTime ALG Select the check box to allow Apple‘s FaceTime video calling traffic through the firewall using its default port. This feature is enabled by default.
  18. Refer to the Firewall Enhanced Logging field to set the following parameters:
    Log Dropped ICMP Packets Use the drop-down menu to define how dropped ICMP packets are logged. Logging can be rate limited for one log instance every 20 seconds. Options include Rate Limited, All, or None. The default setting is None.
    Log Dropped Malformed Packets Use the drop-down menu to define how dropped malformed packets are logged. Logging can be rate limited for one log instance every 20 seconds. Options include Rate Limited, All, or None. The default setting is None.
    Enable Verbose Logging Select this option to enable verbose logging for dropped packets. This setting is disabled by default.
  19. Select the Enable Stateful DHCP Checks radio button to enable the stateful checks of DHCP packet traffic through the firewall.
    The default setting is enabled. When enabled, all DHCP traffic flows are inspected.
  20. Define Flow Timeout intervals for the following flow types impacting the firewall:
    TCP Close Wait Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540), or Hours (1 - 9). The default setting is 10 seconds.
    TCP Established Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540), or Hours (1 - 9). The default setting is 90 minutes.
    TCP Reset Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540), or Hours (1 - 9). The default setting is 10 seconds.
    TCP Setup Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540), or Hours (1 - 9). The default setting is 10 seconds.
    Stateless TCP Flow Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540), or Hours (1 - 9). The default setting is 90 seconds.
    Stateless FIN/RESET Flow Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540), or Hours (1 - 9). The default setting is 10 seconds.
    ICMP Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540), or Hours (1 - 9). The default setting is 30 seconds.
    UDP Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540), or Hours (1 - 9). The default setting is 30 seconds.
    Any Other Flow Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540), or Hours (1 - 9). The default setting is 30 seconds.
  21. Refer to the TCP Protocol Checks field to set the following parameters:
    Check TCP states where a SYN packet tears down the flow Select the check box to allow a SYN packet to delete an old flow in TCP_FIN_FIN_STATE and TCP_CLOSED_STATE and create a new flow. The default setting is enabled.
    Check unnecessary resends of TCP packets Select the check box to enable the checking of unnecessary resends of TCP packets. The default setting is enabled.
    Check Sequence Number in ICMP Unreachable error packets Select the check box to enable sequence number checks in ICMP unreachable error packets when an established TCP flow is aborted. The default setting is enabled.
    Check Acknowledgment Number in RST packets Select the check box to enable the checking of the acknowledgment number in RST packets which aborts a TCP flow in the SYN state. The default setting is enabled.
    Check Sequence Number in RST packets Select the check box to check the sequence number in RST packets which abort an established TCP flow. The default setting is enabled.
  22. Select the IPv6 Settings tab.
    Click to expand in new window
    Wireless Firewall Screen - Advanced Settings Tab - IPv6 Settings Tab
    GUID-04347313-A6B2-457F-B1B2-5A669E58C889-low.png
  23. Refer to the IPv6 Firewall Enable option to provide firewall support to IPv6 packet streams.
    This setting is enabled by default. Disabling IPv6 firewall support also disables proxy neighbor discovery.

    IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed uniquely of eight groups of four hexadecimal digits separated by colons.

  24. Select IPv6 Rewrite Flow Label to provide flow label rewrites for each IPv6 packet.
    A flow is a sequence of packets from a particular source to a particular (unicast or multicast) destination. The flow label helps keep packet streams from looking like one massive flow.

    Flow label rewrites are disabled by default and must be manually enabled. Flow label re-writes enable the re-classification of packets belonging to a specific flow. The flow label does nothing to eliminate the need for packet filtering.

  25. Select Enable Proxy ND to generate neighbor discovery responses on behalf of another access point managed device.
    When this option is enabled, any IPv6 packet received on an interface is parsed to see whether it is known to be a neighbor solicitation. This setting is enabled by default.
  26. Use the Event table to enable individual IPv6 unique events.
    IPv6 events can be individually enabled or collectively enabled or disabled using the Enable All Events and Disable All Events buttons.
    Event The Event column lists the name of each IPv6 specific event subject to logging.
    Enable Checking Enable sets the firewall policy to filter the associated IPv6 event based on the selection in the Action column.
    Action If a filter is enabled, choose an action from the drop-down menu to determine how the firewall treats the associated IPv6 event.
    • Log and Drop - An entry for the associated IPv6 event is added to the log and then the packets are dropped.
    • Log Only - An entry for the associated IPv6 event is added to the log. No further action is taken.
    • Drop Only - The DoS packets are dropped. No further action is taken.
    Log Level To enable logging to the system log, check the box in the Log Level column. Then select a standard Syslog level from the Log Level drop-down menu.
  27. The following Events can be filtered on behalf of the firewall:
    Duplicate Options Select to enable duplicate options handling in hop-by-hop and destination option extension headers. This configuration excludes HAO (Home Address Option) handling.
    IPv6 MAC Conflict Select to enable checking for conflicts between IPv6 addresses and MAC addresses.
    IPv6 MAC Routing Conflict Select to enable checking for IPv6 routing table (next-hop IPv6 address, MAC address) conflicts.
    Option Strict Padding Select to enable strict checks for validating Pad1 and PadN options.
    Option End Point Identification Select to enable end point identification. This option is not enabled by default.
    Option Network Service Access Point Select to enable Network Service Access Point option. This option is not enabled by default.
    Option Router Alert Select to enable router alert option. This option is not enabled by default.
    Routing Heading Type One Select to enable checking for routing type one (1) in the Routing Type field of the Routing extension header for IPv6 packets. Routing Header 1 is used for NIMROD a project of DARPA. This option is not enabled by default.
    Routing Heading Type Two Select to enable checking for routing type two (2) in the Routing Type field of the Routing extension header for IPv6 packets. Routing Header 2 is used for Mobile IPv6 where it can hold the home address of the mobile node. This option is not enabled by default.
    Strict Extension Header Check Select to enable check for out of order and number of occurrences of extension headers in an IPv6 packet. The option is enabled by default.
    Strict Home Address Option Check Select to enable strict check for placement of home address option in the Destination option extension header. This option is enabled by default.
    Unknown Options Select to enable configuring unknown options handling in hop-by-hop and destination option extension headers.
  28. Select OK to update the Firewall Policy Advanced Settings.
    Select Reset to revert to the last saved configuration. The firewall policy can be invoked at any point in the configuration process by selecting Activate Firewall Policy from the upper left-hand side of the access point user interface.