Filter Preferences allows the administrator to globally define most logging and filter options for user-defined filters in one location, as well as enable or disable Stealth mode. Logging options for automatic filters, tunnel connections (opens and closes) and filter blocks have been added. ICMP packets dropped by Stealth mode can be logged.
Default logging options are used when the Default option is selected in a filter definition LOG field, allowing the event selected to be logged whenever the filter is activated. All protocols are logged by default.
Automatic filters are generated by the firewall to allow expected events such as response packets from DNS queries and mail servers. Automatic filters can be logged and disabled. GTA recommends disabling automatic filters only for troubleshooting and configuration testing.
In General Preferences, filter actions basic to the firewall may be adjusted. The administrator can enable or disable filters, generate alarms, send email, send an ICMP "service not available" message, or log a filtered event.
A spoof occurs when a packet arrives at one interface and its return path is through a different interface. This may be caused by an intrusion attempt that alters the packet's source IP address, or by a mis-configured firewall, e.g., when networks or hosts located on, or connected to, the internal side of the firewall have not been defined.
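The spoof check described above, as an added example that is not GTA's own code: the firewall looks up the packet's source address in the routing table to find the interface the return path would use and compares it with the arrival interface. The routing table, interface names and addresses are constructed for the example; the last case shows the mis-configuration the text mentions, where an undefined internal network falls through to the default route.

```python
import ipaddress

# Constructed sample routing table: (prefix, exit interface). The default
# route points at the External interface; one Protected and one PSN network
# are defined. A 172.16.0.0/12 network is deliberately NOT defined.
ROUTES = [
    ("0.0.0.0/0", "external"),
    ("192.168.1.0/24", "protected"),
    ("10.20.0.0/16", "psn"),
]

def route_lookup(ip, routes=ROUTES):
    """Interface the firewall would use to reach `ip` (longest prefix match),
    or None if no route matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_spoof(src_ip, arrival_iface, routes=ROUTES):
    """A spoof as the page defines it: the return path to the packet's source
    would leave through a different interface than the one it arrived on."""
    return route_lookup(src_ip, routes) != arrival_iface

def check_packet(src_ip, arrival_iface, routes=ROUTES):
    """Return the log line this check would produce for one packet."""
    if is_spoof(src_ip, arrival_iface, routes):
        return (f"SPOOF src={src_ip} in={arrival_iface} "
                f"return_path={route_lookup(src_ip, routes)}")
    return f"OK src={src_ip} in={arrival_iface}"

if __name__ == "__main__":
    # Intrusion case: a packet claiming an internal source arrives on External.
    print(check_packet("192.168.1.25", "external"))
    # Same source arriving where the routing table expects it.
    print(check_packet("192.168.1.25", "protected"))
    # Mis-configuration case: 172.16.0.0/12 was never defined, so its hosts
    # look like spoofs when they arrive on the Protected interface.
    print(check_packet("172.16.5.9", "protected"))
```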
A doorknob twist occurs when a connection is attempted on a port for which there is no service or tunnel in place and a filter has accepted the packet. A doorknob twist usually indicates that the firewall is mis-configured.
By default, fragmented packets are reassembled and forwarded only if the resulting packet does not violate security policy; otherwise, they are dropped.
Invalid packets are those that are not the expected size or have an invalid option bit; e.g., an ICMP port unreachable packet must have at least 28 bytes. Invalid packets are dropped silently by default, but the system now includes the ability to log dropped packets.
If a packet is valid but not expected by the state table, the firewall denies it. For example, a packet can only generate a single ICMP port unreachable response; a second one may indicate an ICMP replay attack. Likewise, an unexpected packet may be one that does not have the correct flags during TCP's three-way handshake. The system now includes the ability to log these packets.
Stealth mode is the factory set default for new GTA Firewall systems. In Stealth mode, the firewall will not respond to ICMP ping requests, ICMP traceroute requests or UDP traceroute requests. Filters that allow pings, traceroutes, etc., from the External interface are not functional when the firewall is in Stealth mode. In addition, the firewall will not respond with an ICMP message when a packet arrives for a port without a tunnel or service set on any External Network interface. Because it is activated at the system kernel level, Stealth mode filtering will not appear in the Active Filters list.
Like all Automatic Filters, Stealth mode has priority over the other filter types.
Every filter has a log action. A "Yes" in the filter action field for the filter explicitly logs the packet, a "No" explicitly does not log the packet. The Default option requires the filter to take the action defined here. By default, all rejected packets for all protocols are logged. Tunnels refer to connections created by the action of a filter (automatic or user-defined) or an inbound tunnel.
This section allows the default parameters for alarm notifications to be set. When a filter is matched, an alarm event is activated. Each alarm event increments the alarm count by one. If either the time or number of alarms threshold is exceeded, a notification will be sent documenting all the events. Multiple messages will be sent if the number of events exceeds the maximum count.
Threshold for generating email
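The alarm batching described above, as an added example that is not GTA's own code: each filter match adds one alarm event, a notification is sent when either the count or the time threshold is reached, and a flush is split into several messages when more events are pending than one message may carry. The threshold names, default values and sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class AlarmNotifier:
    """Batches filter alarm events into notifications as the page describes.
    Parameter names and defaults are this example's assumptions."""
    count_threshold: int = 5       # number-of-alarms threshold
    time_threshold: float = 60.0   # seconds since the first pending event
    max_per_message: int = 3       # maximum events documented per notification
    pending: list = field(default_factory=list)
    sent: list = field(default_factory=list)   # every message sent so far

    def alarm(self, ts, event):
        """Record one filter match; return the messages this call emitted."""
        self.pending.append((ts, event))
        count_reached = len(self.pending) >= self.count_threshold
        time_reached = ts - self.pending[0][0] >= self.time_threshold
        return self.flush() if (count_reached or time_reached) else []

    def flush(self):
        """Notify on all pending events, chunked into max_per_message each."""
        msgs = [self.pending[i:i + self.max_per_message]
                for i in range(0, len(self.pending), self.max_per_message)]
        self.sent.extend(msgs)
        self.pending = []
        return msgs

# Constructed sample alarms: (timestamp in seconds, filter event description).
SAMPLE_EVENTS = [
    (0.0, "deny tcp dport=23"), (1.0, "deny tcp dport=23"),
    (2.0, "deny udp dport=161"), (3.0, "deny tcp dport=445"),
    (4.0, "deny tcp dport=445"),   # 5th alarm: count threshold reached
    (10.0, "deny icmp"),           # starts a new batch
    (100.0, "deny tcp dport=22"),  # 90 s after the batch began: time threshold reached
]

def simulate(events, **kw):
    """Feed (ts, description) pairs through a notifier and return it."""
    n = AlarmNotifier(**kw)
    for ts, ev in events:
        n.alarm(ts, ev)
    return n

if __name__ == "__main__":
    for i, msg in enumerate(simulate(SAMPLE_EVENTS).sent, 1):
        print(f"notification {i}: {len(msg)} event(s): {[e for _, e in msg]}")
```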
Data coalescing reduces the amount of individual filter event data that enters the logs, blending similar data into a single log event. Coalescing selected in Filter Preferences applies only to Automatic Filters, such as those created by a tunnel when AUTOMATIC ACCEPT ALL is selected on an Inbound Tunnel definition. Coalescing is enabled by default in Filter Preferences. The INTERVAL is a global option for all filter event coalescing. Set the interval to zero (0) to turn off all coalescing.
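The coalescing behaviour described above, as an added example that is not GTA's own code: automatic-filter events that look alike and fall within the interval of the first such event are blended into one log entry carrying a count, and an interval of 0 turns coalescing off. The grouping key (filter, source, destination, protocol), the field names and the sample events are assumptions constructed for this example.

```python
from collections import namedtuple

FilterEvent = namedtuple("FilterEvent", "ts filter src dst proto")

def coalesce(events, interval):
    """Blend repeated, similar automatic-filter events into single entries.
    Events sharing (filter, src, dst, proto) within `interval` seconds of the
    first event in their group are merged; interval == 0 disables merging."""
    out = []          # {"first": FilterEvent, "last": ts, "count": n}
    open_groups = {}  # key -> index into out of the group still being filled
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.filter, ev.src, ev.dst, ev.proto)
        idx = open_groups.get(key)
        if (interval > 0 and idx is not None
                and ev.ts - out[idx]["first"].ts <= interval):
            out[idx]["count"] += 1
            out[idx]["last"] = ev.ts
        else:
            # No open group, interval expired, or coalescing disabled.
            out.append({"first": ev, "last": ev.ts, "count": 1})
            open_groups[key] = len(out) - 1
    return out

def format_log(groups):
    """Render coalesced groups as log lines; merged entries show a count."""
    lines = []
    for g in groups:
        f = g["first"]
        suffix = (f" (x{g['count']} in {g['last'] - f.ts:.0f}s)"
                  if g["count"] > 1 else "")
        lines.append(f"{f.ts:.0f} filter={f.filter} {f.proto} {f.src}->{f.dst}{suffix}")
    return lines

# Constructed sample: three identical hits within 5 s, one from a different
# source, and one repeat 70 s later that falls outside a 60 s interval.
SAMPLE = [
    FilterEvent(0, "auto-12", "203.0.113.5", "198.51.100.2", "tcp/80"),
    FilterEvent(2, "auto-12", "203.0.113.5", "198.51.100.2", "tcp/80"),
    FilterEvent(5, "auto-12", "203.0.113.5", "198.51.100.2", "tcp/80"),
    FilterEvent(3, "auto-12", "203.0.113.9", "198.51.100.2", "tcp/80"),
    FilterEvent(70, "auto-12", "203.0.113.5", "198.51.100.2", "tcp/80"),
]

if __name__ == "__main__":
    print("\n".join(format_log(coalesce(SAMPLE, 60))))   # 3 entries
    print("\n".join(format_log(coalesce(SAMPLE, 0))))    # 5 entries, no merging
```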
Although the email server is typically a host on the Protected Network or PSN, the server can be an external host. The notifications can be sent to any valid and accessible email address. In order to use a host name for the email server, you must have defined a DNS server for lookups on the GTA Firewall. If the host name is an internal host, the DNS server must be internal so that it can resolve the name of the hidden host. If the DNS server is an external host and the target server is an internal host, you will have to use the IP address. If you are unsure about the name, use the host's IP address.
The Email Server need not be the same as the one used in the Email Proxy. If alarms and/or email notifications are set on a filter, and the email server is not enabled, a warning message will be sent to the log.
Simple Network Management Protocol (SNMP) is a standard for managing and retrieving data from each network IP device and sending it to designated hosts. If SNMP is not enabled, selecting SNMP filter actions on the filter definition screen has no effect. If SNMP is checked as an action, the GTA Firewall will generate an enterprise-specific generic trap on a filter definition when the filter is matched. The SNMP manager is typically on the Protected Network, though it may reside on any network.
Selecting Auto in the BINDING INTERFACE field will select the interface configured in Network Information through which the packet would normally exit based on the routing table.
Connect a modem to any available serial port on your GTA Firewall, or use an internal modem card for software-based firewalls. The modem is only used for dialing and sending DTMF tones, so a basic model will suffice.
The CODE field may include any valid numbers or symbols used by your numeric pager. Commas represent pauses and are typically required while the pager announcement is played. Most pagers have the message terminated by a # symbol. Please consult your pager service for the specifics of your pager.
Note
Stealth mode does not affect Protected Network or Private Service Network interfaces. If you wish to set Stealth mode for these interfaces, create the appropriate Remote Access Filter.