Sepehr Firewalls
Sepehr Sadra Tehran Co. Ltd.
Ali Shayan
December 2008
Introduction
• GOS3 (GateMAN Operating System v3)
• User Interfaces:
  • GUI (GateSetUP)
  • CLI
• Log
• Log Analyzers
  • SLAT v2,3 (Sepehr Log Analysis Tool)
  • CBLR (Client Based Log Report)
  • Caser (Content Analysis System Extended Revision)
• LAN User Accounting
  • Authentication Server: gateauthd
  • Authentication Client: LAN Authenticator (web-based), GateAUTH (Windows Application)
• RAMA (Remote Access Monitoring Agent)
Firewall Platform Types
• Sepehr4100 Series
  • Sepehr4110
  • Sepehr4108
  • Sepehr4106
  • Sepehr4104
  • Sepehr4102
• Sepehr3400
Sepehr4100 Series Hardware Specification
• 2 x 10/100/1000 Mbps UTP Ethernet Ports
• 2 x GBIC PCI-Express Card
• 4 x 10/100/1000 Mbps UTP Ethernet PCI-Express Card
• Bypass Module
• Fault Tolerant in Router Mode
• VPN Accelerator
• 3.2 GHz XEON CPU
• 2 GB RAM
• LCD Panel for limited configurations
• 19-inch rack-mountable chassis, 1U height
Sepehr4110 Hardware Specification
• 10 x 10/100/1000 Mbps UTP Ethernet Ports
• Fault Tolerant in Router Mode
• VPN Accelerator
• 3.2 GHz XEON CPU
• 2 GB RAM
• LCD Panel for limited configurations
• 19-inch rack-mountable chassis, 1U height
Sepehr4108 Hardware Specification
• 6 x 10/100/1000 Mbps UTP Ethernet Ports
• 2 x GBIC/SFP PCI-Express Card
• Fault Tolerant in Router Mode
• VPN Accelerator
• 3.2 GHz XEON CPU
• 2 GB RAM
• LCD Panel for limited configurations
• 19-inch rack-mountable chassis, 1U height
Sepehr4106 Hardware Specification
• 2 x 10/100/1000 Mbps UTP Ethernet Ports
• 4 x GBIC/SFP PCI-Express Card
• Fault Tolerant in Router Mode
• VPN Accelerator
• 3.2 GHz XEON CPU
• 2 GB RAM
• LCD Panel for limited configurations
• 19-inch rack-mountable chassis, 1U height
Sepehr 4104 Hardware Specification
• 4 x 10/100/1000 Mbps UTP Ethernet Ports
• 3.2 GHz PIV CPU
• 1 GB RAM
• Bypass Module
• Fault Tolerant in Router Mode
• LCD Panel for limited configurations
• 19-inch rack-mountable chassis, 1U height
Sepehr 4102 Hardware Specification
• 2 x 10/100 Mbps UTP Ethernet Ports
• 2 x 10/100/1000 Mbps UTP Ethernet Ports
• 2.8 GHz PIV CPU
• 1 GB RAM
• Bypass Module
• Fault Tolerant in Router Mode
• LCD Panel for limited configurations
• 19-inch rack-mountable chassis, 1U height
Sepehr 3400 Hardware Specification
• 4 x 10/100 Mbps UTP Ethernet Ports
• 1 GHz CPU
• 1 GB RAM
• Fault Tolerant in Router Mode
• VPN Accelerator
• 19-inch rack-mountable chassis, 1U height
Firewall Engine Types
• Without any Extension
• FL: Full Log
  • Firewall with all features
  • Logging the Header of the Packets (Log Packet, Log Connection, Log NAT)
  • Logging the Content of Packets
• FLV: Full Log Visualize
  • Firewall with all features
  • Logging the Header of the Packets (Log Packet, Log Connection, Log NAT)
  • Logging the Content of Packets
  • Events Visualizer (Caser)
Sepehr 4100 Series, Sepehr 3400
• Firewall with ALL Firewalling Features
• Logging the Header of the Packets and Connections
  - Log Packet
  - Log Connection
  - Log NAT
• Statistical Log Analyzer (SLAT 2)
• Client Based Log Analyzer (CBLR)
• Authentication
Sepehr 4100 FL Series, Sepehr 3400 FL
• Firewall with ALL Firewalling Features
• Logging the Header of the Packets and Connections
  • Log Packet
  • Log Connection
  • Log NAT
• Logging the Body of the Packets and Connections
  • Log Content
• Statistical Log Analyzer (SLAT 2)
• Client Based Log Analyzer (CBLR)
• Authentication
• RAMA
Sepehr 4100 FLV Series, Sepehr 3400 FLV
• Firewall with ALL Firewalling Features
• Logging the Header of the Packets and Connections
  • Log Packet
  • Log Connection
  • Log NAT
• Logging the Body of the Packets and Connections
  • Log Content
• Statistical Log Analyzer (SLAT 2)
• Client Based Log Analyzer (CBLR)
• Events Visualizer (Caser)
• Authentication
• RAMA
Working Modes
• Bridge
• Router
• Compound Mode
Traffic Shaping
• Per Firewall Network Interface
  • Frames per second limitation on input/output frames per port
  • Bits per second limitation on input/output bits per port
• By Protocol Type
• By Source/Destination MAC address
• By Source/Destination IP address
• By Source/Destination Port Number
• Per TCP connection bandwidth limitation
Packet Filtering
• Packet filtering based on input/output directions
• Packet filtering based on input/output interfaces
Packet Filtering (continued)
• MAC protocol filtering by type (ARP, Reverse ARP, IP, IPX, …, and RAW frames)
• Internet Protocol filtering by type (ICMP, IGMP, TCP, …, and RAW packets) and Source/Destination address
• TCP/UDP filtering by Source/Destination port
• ICMP filtering by type and code
Checksum
• Full IP Datagram filtering with Automatic IP Checksum Control (Layer 2)
• Checksum Checking (inbound) on TCP, UDP or ICMP Packets (Layer 3)
  • Accept if correct
  • Drop if incorrect
  • Accept if incorrect
• Checksum Calculating (outbound) on TCP, UDP or ICMP Packets (Layer 3)
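The checksum slide describes two directions of control: verifying the IP header and transport checksums on inbound packets (with a configurable accept/drop rule for bad transport checksums) and recomputing the transport checksum on outbound packets. The following is an added example written for this page, not GOS3 code; it builds a constructed IPv4/TCP packet, verifies both checksums, applies the inbound rule, and refills the transport checksum on the way out. The packet builder, the policy names "drop"/"accept" and the treatment of a zero UDP checksum as "not computed" are assumptions of this example.

```python
"""Checksum control for inbound and outbound packets (added example, not GOS3 code).
Verifies the IPv4 header checksum and the TCP/UDP/ICMP checksum of a constructed
packet, applies the accept/drop rule for bad transport checksums, and recomputes
the transport checksum for outbound packets."""
import ipaddress
import struct

CSUM_OFFSET = {1: 2, 6: 16, 17: 6}   # checksum field offset inside ICMP / TCP / UDP headers


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return internet_checksum(pkt[:ihl]) == 0


def _pseudo_header(pkt: bytes, seg_len: int) -> bytes:
    """Pseudo-header covered by TCP and UDP checksums: addresses, zero byte, protocol, length."""
    return pkt[12:20] + b"\x00" + bytes([pkt[9]]) + struct.pack("!H", seg_len)


def transport_checksum_ok(pkt: bytes) -> bool:
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    seg = pkt[ihl:]
    if proto == 1:                                  # ICMP has no pseudo-header
        return internet_checksum(seg) == 0
    if proto == 17 and seg[6:8] == b"\x00\x00":     # UDP over IPv4: zero means "not computed"
        return True
    return internet_checksum(_pseudo_header(pkt, len(seg)) + seg) == 0


def fill_transport_checksum(pkt: bytes) -> bytes:
    """Outbound path: recompute and write the TCP/UDP/ICMP checksum."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    off = CSUM_OFFSET[proto]
    seg = bytearray(pkt[ihl:])
    seg[off:off + 2] = b"\x00\x00"
    if proto == 1:
        csum = internet_checksum(bytes(seg))
    else:
        csum = internet_checksum(_pseudo_header(pkt, len(seg)) + bytes(seg))
    if proto == 17 and csum == 0:                   # UDP: a computed zero is sent as 0xFFFF
        csum = 0xFFFF
    seg[off:off + 2] = struct.pack("!H", csum)
    return pkt[:ihl] + bytes(seg)


def inbound_decision(pkt: bytes, bad_transport_action: str = "drop") -> str:
    """The IP header checksum is always enforced; a bad transport checksum is dropped or
    accepted according to the configured rule ("drop" or "accept")."""
    if not ipv4_header_ok(pkt):
        return "drop"
    if transport_checksum_ok(pkt):
        return "accept"
    return "drop" if bad_transport_action == "drop" else "accept"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header plus a TCP SYN, both checksums filled."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return fill_transport_checksum(ip + tcp)


if __name__ == "__main__":
    pkt = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, b"hello")
    corrupted = pkt[:-1] + bytes([pkt[-1] ^ 0xFF])
    print(inbound_decision(pkt), inbound_decision(corrupted, "drop"), inbound_decision(corrupted, "accept"))
```

A packet with a bad IP header checksum is dropped regardless of the transport rule, because the addresses and protocol field the later checks depend on cannot be trusted. The "accept if incorrect" rule only makes sense on paths where checksums are computed after the firewall (for example by NIC offload on a sending host); everywhere else "drop if incorrect" is the safe default.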
Tight TCP Stateful Inspection
• TCP Checksum Checking
• TCP Sequence Number Checking and Tracing in Stream
• Syn/Ack/Fin State Transition Control and Violation Avoidance
• Out of sequence TCP packet alignment
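The three inspection items after checksum checking (sequence-number tracing, SYN/ACK/FIN transition control, out-of-sequence alignment) are what a connection tracker does. The sketch below is an added example written for this page, not GOS3 code: it follows one connection through the handshake, traces the next expected sequence number per direction, holds segments that run ahead of the stream until the gap is filled, forwards retransmissions of already-seen bytes, and drops anything that violates the state machine or lands outside the window. The window size, the state names and the three verdicts "accept", "hold" and "drop" are assumptions of this example.

```python
"""TCP stateful inspection sketch (added example, constructed; not GOS3 code).
Tracks one connection: handshake/teardown transitions, sequence-number tracing
per direction, and re-ordering of out-of-sequence segments."""
from dataclasses import dataclass, field

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
WINDOW = 65535          # assumed maximum distance a segment may run ahead of the stream
MOD = 1 << 32           # sequence numbers wrap at 2^32


@dataclass
class Seg:
    """Constructed summary of the TCP header fields the inspector needs."""
    direction: str      # "c2s" (client to server) or "s2c"
    flags: int
    seq: int
    ack: int = 0
    length: int = 0     # payload bytes


@dataclass
class Conn:
    state: str = "NONE"
    next_seq: dict = field(default_factory=lambda: {"c2s": None, "s2c": None})
    pending: dict = field(default_factory=lambda: {"c2s": [], "s2c": []})


class TcpTracker:
    def __init__(self):
        self.conn = Conn()
        self.violations = []    # reason for every dropped segment
        self.delivered = []     # seq numbers of data/FIN segments passed on in stream order

    def process(self, s: Seg) -> str:
        """Return 'accept', 'hold' (buffered until the gap before it is filled) or 'drop'."""
        c = self.conn
        if c.state == "NONE":
            if s.direction == "c2s" and s.flags & SYN and not s.flags & ACK:
                c.state, c.next_seq["c2s"] = "SYN_SENT", (s.seq + 1) % MOD
                return "accept"
            return self._drop("first segment of a connection must be a client SYN")
        if c.state == "CLOSED":
            return self._drop("segment on a closed connection")
        if s.flags & RST:
            c.state = "CLOSED"
            return "accept"
        if c.state == "SYN_SENT":
            if (s.direction == "s2c" and (s.flags & (SYN | ACK)) == (SYN | ACK)
                    and s.ack == c.next_seq["c2s"]):
                c.state, c.next_seq["s2c"] = "SYN_RECEIVED", (s.seq + 1) % MOD
                return "accept"
            return self._drop("expected SYN/ACK from the server")
        if c.state == "SYN_RECEIVED":
            if (s.direction == "c2s" and s.flags & ACK and not s.flags & SYN
                    and s.ack == c.next_seq["s2c"]):
                c.state = "ESTABLISHED"   # the ACK may carry data: fall through to the sequence check
            else:
                return self._drop("expected the final handshake ACK from the client")
        if s.flags & SYN:
            return self._drop("SYN inside an established connection")
        return self._trace(s)

    def _trace(self, s: Seg) -> str:
        c = self.conn
        expected = c.next_seq[s.direction]
        diff = (s.seq - expected) % MOD
        if diff == 0:                       # exactly the next byte: consume, then drain the queue
            self._consume(s)
            queue = c.pending[s.direction]
            while queue and queue[0].seq == c.next_seq[s.direction]:
                self._consume(queue.pop(0))
            return "accept"
        if diff <= WINDOW:                  # ahead of the stream: keep until the gap is filled
            queue = c.pending[s.direction]
            queue.append(s)
            queue.sort(key=lambda q: (q.seq - expected) % MOD)
            return "hold"
        if diff >= MOD - WINDOW:            # behind the stream: retransmission of bytes already seen
            return "accept"
        return self._drop(f"{s.direction}: seq {s.seq} is outside the window from {expected}")

    def _consume(self, s: Seg) -> None:
        c = self.conn
        c.next_seq[s.direction] = (s.seq + s.length + (1 if s.flags & FIN else 0)) % MOD
        if s.length or s.flags & FIN:
            self.delivered.append(s.seq)
        if s.flags & FIN:                   # first FIN half-closes, the second closes
            c.state = "FIN_WAIT" if c.state == "ESTABLISHED" else "CLOSED"

    def _drop(self, why: str) -> str:
        self.violations.append(why)
        return "drop"
```

Holding out-of-order segments costs memory per connection, which is why the window is bounded: a segment too far ahead is treated as a violation rather than queued. A production tracker also ages out half-open connections and handles simultaneous close, which this sketch omits.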
Application Layer Filtering
• Application layer protocol monitoring and violation control
  - HTTP
  - SMTP
  - FTP
  - TELNET
HTTP URL Filtering
• URL filtering with user defined URL database to filter:
  - Domains
  - Sub-domains
  - Directories
• White list URL databases
• Regular expression databases
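The URL filtering slide lists five kinds of database without saying how they combine. The class below is an added example written for this page, not GOS3 code, and its matching semantics are assumptions: a domain entry covers the host and every name under it, a sub-domain entry covers exactly one host name, a directory entry covers one host's path prefix, regular expressions are tried against the whole URL, and the white list is checked first and wins.

```python
"""HTTP URL filtering with domain, sub-domain, directory, white-list and regular-expression
databases (added example, constructed; not GOS3 code). Matching semantics are assumptions:
a domain entry covers the host and all names under it, a sub-domain entry covers exactly
one host name, a directory entry covers one host's path prefix, the white list wins."""
import re
from urllib.parse import urlsplit


def _split(url: str):
    """Return (host, path): host lower-cased with any port removed; scheme-less URLs accepted."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


def _under_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


class UrlFilter:
    def __init__(self, domains=(), subdomains=(), directories=(), whitelist=(), regexes=()):
        self.domains = [d.lower() for d in domains]
        self.subdomains = [d.lower() for d in subdomains]
        self.whitelist = [d.lower() for d in whitelist]
        self.directories = []
        for entry in directories:                       # "host/dir/" -> ("host", "/dir")
            host, path = _split(entry)
            self.directories.append((host, path.rstrip("/") or "/"))
        self.regexes = [re.compile(r, re.IGNORECASE) for r in regexes]

    def decide(self, url: str):
        """Return ("allow" | "deny", reason); the reason names the database entry that matched."""
        host, path = _split(url)
        for w in self.whitelist:                        # white list is consulted first and wins
            if _under_domain(host, w):
                return "allow", f"whitelist:{w}"
        for d in self.domains:                          # domain entry: host and all sub-domains
            if _under_domain(host, d):
                return "deny", f"domain:{d}"
        if host in self.subdomains:                     # sub-domain entry: exactly this host
            return "deny", f"subdomain:{host}"
        for dhost, dpath in self.directories:           # directory entry: path prefix on one host
            if host == dhost and (dpath == "/" or path == dpath or path.startswith(dpath + "/")):
                return "deny", f"directory:{dhost}{dpath}"
        for rx in self.regexes:                         # regular expressions against the whole URL
            if rx.search(url):
                return "deny", f"regex:{rx.pattern}"
        return "allow", "default"


if __name__ == "__main__":
    f = UrlFilter(domains=["ads.example"], directories=["example.net/downloads/"],
                  whitelist=["safe.ads.example"], regexes=[r"\.(exe|scr)$"])
    for u in ("http://tracker.ads.example/pixel.gif", "http://safe.ads.example/x",
              "http://example.net/downloads/tool.zip", "http://files.example.org/setup.EXE"):
        print(u, f.decide(u))
```

Returning the matching entry with the verdict is what makes the decision auditable in the log: an operator can tell a domain block from a regex hit without re-running the filter. Directory and regex rules only apply where the firewall sees the full URL, which for plain HTTP means the request line and Host header.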
SMTP Filtering
• SMTP filtering with respect to expressions of
  - username
  - domain-name
  - username@domain-name
  in sender/receiver databases
FTP Filtering
• Downloading files
• Uploading files
VPN
• IPSec, IKE
• Gateway to Gateway
  • Sepehr to Sepehr
  • Sepehr to Cisco
  • Sepehr to Windows 2003 Server
• Gateway to workstation
  • Sepehr to Windows 2000, XP
NAT
• Hide Source NAT with replacing
  • Source IP Address (Single, Subnet, Range, Database)
  • Source Port Number (Single, Range, Database)
• Hide Destination NAT with replacing
  • Destination IP Address (Single, Subnet, Range, Database)
  • Destination Port Number (Single, Range, Database)
• Hide Source and Destination Simultaneously
  • Source/Destination IP Address (Single, Subnet, Range, Database)
  • Source/Destination Port Number (Single, Range, Database)
• NAT on Router and Bridge Mode
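"Hide" NAT means the translation is stateful: an outbound flow gets a public address from the configured range and a port from the configured range, the mapping is remembered, and only replies that match a remembered mapping (or a static destination rule) are let back in. The class below is an added example written for this page, not GOS3 code; the pool layout, the round-robin choice of public address and the Flow record are assumptions of this example.

```python
"""Hide source NAT and hide destination NAT on 5-tuples (added example, constructed; not GOS3 code).
Source mappings are created on first outbound use and reversed for replies; destination
rules are static. Anything that matches neither is dropped."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ips: List[str], port_range: Tuple[int, int] = (10000, 20000),
                 dnat_rules: Optional[Dict[tuple, tuple]] = None):
        self.public_ips = list(public_ips)       # "Range/Database" of source addresses to hide behind
        self._next_ip = 0
        self._free_ports = list(range(port_range[0], port_range[1]))
        self.snat: Dict[tuple, tuple] = {}       # (proto, src, sport)       -> (pub_ip, pub_port)
        self.rsnat: Dict[tuple, tuple] = {}      # (proto, pub_ip, pub_port) -> (src, sport)
        self.dnat = dict(dnat_rules or {})       # (proto, pub_ip, pub_port) -> (internal_ip, port)

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Hide source: replace src/sport, creating a mapping on first use."""
        key = (f.proto, f.src, f.sport)
        if key not in self.snat:
            if not self._free_ports:
                return None                      # table full: drop rather than reuse a live mapping
            pub_ip = self.public_ips[self._next_ip % len(self.public_ips)]
            self._next_ip += 1
            pub_port = self._free_ports.pop(0)
            self.snat[key] = (pub_ip, pub_port)
            self.rsnat[(f.proto, pub_ip, pub_port)] = (f.src, f.sport)
        pub_ip, pub_port = self.snat[key]
        return Flow(f.proto, pub_ip, pub_port, f.dst, f.dport)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Reverse a remembered source mapping, or apply a static hide-destination rule."""
        hit = self.rsnat.get((f.proto, f.dst, f.dport))
        if hit is None:
            hit = self.dnat.get((f.proto, f.dst, f.dport))
        if hit is None:
            return None                          # no state and no rule: the inside stays hidden
        return Flow(f.proto, f.src, f.sport, hit[0], hit[1])

    def release(self, f: Flow) -> None:
        """Return a mapping's port to the pool when the connection ends."""
        key = (f.proto, f.src, f.sport)
        pub = self.snat.pop(key, None)
        if pub is not None:
            self.rsnat.pop((f.proto, pub[0], pub[1]), None)
            self._free_ports.append(pub[1])
```

The two failure modes worth noting are visible in the code: an exhausted port range refuses new flows instead of clobbering an existing mapping, and an unsolicited inbound packet to a public port with no mapping and no rule is dropped, which is the property that makes hide NAT a one-way door.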
VLAN
• VLAN definition on Ethernet Ports
• Bridging between Ethernet ports which have the same Cluster ID
• Routing between VLANs
• Trunking Support (802.1q)
• Multi Point Installation and configuration
Fault Tolerance
• Routing Mode
• Virtual Router Redundancy Protocol (VRRP)
Log Server
• Remote Log Archiving
  • Direct or indirect connection to the firewall
  • Specific protocol
• Log Archiving
  • Time
  • Volume
  • FIFO for archived log files