Innominate mGuard Version 5 - Innominate Security Technologies AG
Innominate mGuard Version 5
Application Note: Firewall Logging

mGuard smart, mGuard PCI, mGuard blade, mGuard industrial RS, EAGLE mGuard, mGuard delta

Innominate Security Technologies AG
Albert-Einstein-Str. 14, 12489 Berlin, Germany
Phone +49 (0)30 6392 3300, Fax +49 (0)30 6392 3307
contact@innominate.com, www.innominate.com

Document ID AN205002A07 005, Page 1 of 11

Table of Contents

1 Disclaimer
2 Log Abbreviations
3 Firewall Traversal
4 Log Prefixes
  4.1 Consistency Check and TCP Flags (fw-invalid-input, fw-invalid-forward, fw-invalid-output)
  4.2 Remote Access Rules (fw-ssh-access, fw-https-access, fw-snmp-access)
  4.3 Port Forwarding (fw-portforwarding)
  4.4 User Firewall (ufw)
  4.5 Firewall Anti-Spoofing and Connection Tracking (fw-incoming, fw-outgoing)
  4.6 VPN Firewall (fw-vpn-<name>-in, fw-vpn-<name>-out)
  4.7 SYN Flood Protection (SYN-flood)
  4.8 ICMP Flood Protection (ICMP-flood)
5 Related Documentation

1 Disclaimer

Innominate Security Technologies AG, October 2007

Innominate and mGuard are registered trademarks of the Innominate Security Technologies AG. All other brand names or product names are trade names, service marks, trademarks or registered trademarks of their respective owners.

mGuard technology is protected by the German patents 10138865 and 10305413. Further national and international patent applications are pending.

No part of this documentation may be reproduced or transmitted in any form, by any means, without prior written permission of the publisher. All information contained in this documentation is subject to change without previous notice. Innominate offers no warranty for these documents. This also applies, without limitation, for the implicit assurance of scalability and suitability for specific purposes. In addition, Innominate is neither liable for errors in this documentation nor for damage, accidental or otherwise, caused in connection with delivery, output or use of these documents. This documentation may not be photocopied, duplicated or translated into another language, either in part or in whole, without the previous written permission of Innominate Security Technologies AG.

2 Log Abbreviations

The following table explains the abbreviations used in the firewall log and their meaning.

  act    Performed action on the packet (DROP, REJECT or ACCEPT).
  IN     Incoming interface (IN in Router modes, PHYSIN in Stealth mode):
           eth0    external interface
           eth1    internal interface
           eth2    internal interface of the mGuard PCI (driver mode only)
           ipsec0  external interface of an IPsec connection
           ppp0    external interface of a PPPoE/PPTP connection
  OUT    Outgoing interface (OUT in Router modes, PHYSOUT in Stealth mode); the interface names are the same as for IN.
  MAC    This information is displayed only if the protocol is unknown (neither TCP nor UDP nor ICMP) and if the packet is sent to an external IP address of the mGuard. The format is <source MAC address (6 octets)><destination MAC address (6 octets)><protocol type (2 octets)>.
  ID     Unique ID of the IP datagram (shared by all fragments if fragmented).
  FLAGS  When the TCP protocol is used, the TCP flags (e.g. SYN) are also displayed:
           URG  Urgent flag
           ACK  Acknowledgement flag
           PSH  Push flag
           RST  Reset flag
           SYN  SYN flag (only exchanged at TCP connection establishment)
           FIN  FIN flag (only exchanged at TCP disconnection)
  URGP   The Urgent Pointer allows for urgent (out-of-band) data transfer.

Example:

  2007-09-19 17:25:22.07497 kernel: fw-incoming-1-121e0dc4-a774-1f09-9647-000cbe022aad act=ACCEPT IN=eth0 OUT=eth1 SRC=10.1.0.46 DST=192.168.1.100 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=57945 DF PROTO=TCP SPT=3053 DPT=445 SEQ=2602365526 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT

Each log entry starts with the time stamp and the log identifier (e.g. fw-incoming-1-121e0dc4-a774-1f09-9647-000cbe022aad). The log identifier can be used in the menu Logging > Browse local logs for locating the firewall rule which caused the log entry (Lookup function). The log identifier has the following format:

  <Log Prefix>-<Rule Number>-<Log ID>

  Log Prefix   The log prefix indicates at which step of the firewall traversal an action occurred.
  Rule Number  The rule number shows which configured firewall rule caused the log entry. <Rule Number> = 0 indicates that the log entry was caused by a default firewall rule.
  Log ID       Each kind of configured firewall (e.g. incoming rules, outgoing rules, HTTPS remote access) has its own unique log ID. This unique ID is used together with the log prefix and the rule number for locating the firewall rule which caused the log entry (Lookup function in the menu Logging > Browse local logs).

[Screenshot: menu Network Security > Packet Filter, tab Outgoing Rules, showing the Rule Number and Log ID columns of the configured rules]

Note: If you have activated the NTP service (menu Management > System Settings, tab Time and Date) for synchronizing the system time with an NTP server, this affects the timestamps displayed in the web interface only. If you use remote logging, the timestamp is displayed in UTC. This makes it easier to compare the logs when you use a central syslog server for collecting the logs of different devices which are located in different time zones.

3 Firewall Traversal

The figure on this page shows which checks a packet passes, in the following order:

  Remote HTTPS, SSH or SNMP access to the mGuard: Anti-Spoofing, Consistency Check, Connection Tracking, TCP Flags (new connections), Remote Access Rules.

  Data packets which need to pass the firewall: Anti-Spoofing, Consistency Check, Connection Tracking, TCP Flags (new connections), Port Forwarding, User Firewall, VPN Firewall, SYN Flood Protection (TCP only), ICMP Flood Protection (ICMP only).

Anti-spoofing: This check is performed on all packets which try to establish a new connection from the external to the internal network. The firewall drops the packet if the source IP address belongs to the internal network.

Consistency check: The firewall performs this check if the option "Enable TCP/UDP/ICMP consistency checks" is enabled in the menu Network Security > Packet Filter, tab Advanced. The consistency check is performed on all packets. The firewall checks all TCP, UDP and ICMP packets for not permitted or wrong header values (e.g. invalid checksum) and drops invalid packets.

Connection tracking: Connection tracking is performed on all packets which do not establish a new connection. The firewall drops the packet if it does not belong to an existing connection.

TCP flags: The firewall checks the validity of the specified TCP flags on all packets which would establish a new connection. The combination of the specified TCP flags is checked, and the firewall drops the packet if the flags do not conform to the specification. The following combinations will cause a drop of the packet:

  Flags checked    Flags set     Description
  FIN,URG,PSH      FIN,URG,PSH   The packet will be dropped if the flags FIN, URG and PSH are set.
  SYN,RST          SYN,RST       The packet will be dropped if the flags SYN and RST are set.
  SYN,FIN          SYN,FIN       The packet will be dropped if the flags SYN and FIN are set.
  SYN,ACK,FIN,RST  RST           The flags SYN, ACK, FIN and RST are checked. The packet will be dropped if only the flag RST is set.

SYN flood protection: The limits for new incoming and outgoing TCP connections per second can be configured through the menu Network Security > DoS Protection. If one limit (incoming and/or outgoing) is exceeded, the firewall drops the packets.

ICMP flood protection: The maximum number of incoming and outgoing ICMP echo requests per second can be configured through the menu Network Security > DoS Protection. If one limit (incoming and/or outgoing) is exceeded, the firewall drops the packets.

4 Log Prefixes

4.1 Consistency Check and TCP Flags (fw-invalid-input, fw-invalid-forward, fw-invalid-output)

Log entries with the prefixes fw-invalid-input, fw-invalid-forward or fw-invalid-output may be caused either by invalid TCP flags or by a failed consistency check (e.g. wrong checksum).

  Log Prefix          Description
  fw-input-unclean    Packet which was sent directly to the external or internal interface of the mGuard.
  fw-output-unclean   Packet which was generated by the mGuard. This log prefix should never occur, but it was implemented for the sake of completeness.
  fw-forward-unclean  Packet which would pass the firewall.

Example (invalid TCP flags):

  2007-10-10 16:07:36.93741 kernel: fw-invalid-forward-0 act=DROP IN=eth0 OUT=eth1 SRC=10.1.0.52 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=232 PROTO=TCP SPT=1234 DPT=5678 SEQ=0 ACK=0 WINDOW=1500 RES=0x00 SYN FIN URGP=0

4.2 Remote Access Rules (fw-ssh-access, fw-https-access, fw-snmp-access)

Log entries with the prefixes fw-ssh-access, fw-https-access or fw-snmp-access are caused by remote access rules for SSH, HTTPS and SNMP access from the external network with activated logging:
  - Remote HTTPS access rules: menu Management > Web Settings, tab Access
  - Remote SSH access rules: menu Management > System Settings, tab Shell Access
  - Remote SNMP access rules: menu Management > SNMP, tab Query

Examples:

  2007-10-10 16:03:23.44406 kernel: fw-ssh-access-1-1018e08e-f179-1cb3-bbf3-000cbe022aad act=ACCEPT fw-0-0-1 act=ACCEPT IN=eth0 OUT= MAC=00:0c:be:02:2a:ad:00:0c:f1:e4:78:54:08:00 SRC=10.1.0.54 DST=10.1.80.100 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=63731 DF PROTO=TCP SPT=4346 DPT=22 SEQ=363370156 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020404EC0103030001010402)
  2007-10-10 16:03:34.62712 kernel: fw-https-access-1-1018e08f-f179-1cb3-bbf3-000cbe022aad act=ACCEPT fw-0-1-1 act=ACCEPT IN=eth0 OUT= MAC=00:0c:be:02:2a:ad:00:0c:f1:e4:78:54:08:00 SRC=10.1.0.54 DST=10.1.80.100 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=63767 DF PROTO=TCP SPT=4347 DPT=443 SEQ=2097405829 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020404EC0103030001010402)

4.3 Port Forwarding (fw-portforwarding)

Log entries with the prefix fw-portforwarding are caused by configured port forwarding rules (menu Network Security > NAT, tab Port Forwarding) with activated logging.

Example:

  2007-10-10 15:57:14.75422 kernel: fw-portforwarding-1-1018e08c-f179-1cb3-bbf3-000cbe022aad act=ACCEPT IN=eth0 OUT=eth1 SRC=10.1.0.52 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=232 PROTO=TCP SPT=1234 DPT=5678 SEQ=0 ACK=0 WINDOW=1500 RES=0x00 SYN URGP=0

4.4 User Firewall (ufw)

Log entries with the prefix ufw are caused by an activated user firewall with activated logging.

Example:

  2007-10-10 15:34:17.31458 kernel: ufw-ufw0000-1-1018e08b-f179-1cb3-bbf3-000cbe022aad act=ACCEPT IN=eth0 OUT=eth1 SRC=10.1.0.52 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2177 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=11008

4.5 Firewall Anti-Spoofing and Connection Tracking (fw-incoming, fw-outgoing)

Log entries with the prefixes fw-incoming and fw-outgoing are caused by configured incoming and/or outgoing firewall rules with activated logging:
  - Incoming firewall rules: menu Network Security > Packet Filter, tab Incoming Rules
  - Outgoing firewall rules: menu Network Security > Packet Filter, tab Outgoing Rules

Examples:

  2007-10-10 15:25:35.15495 kernel: fw-incoming-1-1018e085-f179-1cb3-bbf3-000cbe022aad act=ACCEPT IN=eth0 OUT=eth1 SRC=10.1.0.52 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=232 PROTO=TCP SPT=1234 DPT=5678 SEQ=0 ACK=0 WINDOW=1500 RES=0x00 SYN URGP=0
  2007-10-10 15:28:29.68717 kernel: fw-outgoing-1-1018e089-f179-1cb3-bbf3-000cbe022aad act=REJECT IN=eth1 OUT=eth0 SRC=192.168.1.100 DST=10.1.0.254 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1073 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2304

If received data packets do not belong to an existing connection (Connection Tracking), the packets are dropped (act=DROP). If the anti-spoofing check succeeded on a packet, the log prefix fw-incoming is displayed with act=DROP. In this case the displayed SRC IP address belongs to the internal network.

Example:

  2007-09-20 10:36:25.06867 kernel: fw-incoming-1-121e0dc5-a774-1f09-9647-000cbe022aad act=DROP IN=eth0 OUT=eth1 SRC=192.168.1.1 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=1276 PROTO=TCP SPT=1234 DPT=5678 SEQ=0 ACK=0 WINDOW=1500 RES=0x00 SYN URGP=0

4.6 VPN Firewall (fw-vpn-<name>-in, fw-vpn-<name>-out)

Log entries with the prefixes fw-vpn-<name>-in and fw-vpn-<name>-out are caused by configured incoming and/or outgoing VPN firewall rules (menu IPsec VPN > Connections, tab Firewall) with activated logging. <name> is the mGuard's internal name for the VPN connection. The relation between the name of the VPN connection and its mGuard-internal name is displayed in the menu IPsec VPN > IPsec Status.

Examples:

  2007-10-10 15:05:43.60093 kernel: fw-vpn-v000_000-in-1-1018e080-f179-1cb3-bbf3-000cbe022aad act=ACCEPT IN=ipsec0 OUT=eth1 SRC=192.168.80.100 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=1528 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1280
  2007-10-10 15:08:06.53609 kernel: fw-vpn-v000_000-out-1-1018e080-f179-1cb3-bbf3-000cbe022aad act=ACCEPT IN=eth1 OUT=ipsec0 SRC=192.168.1.100 DST=192.168.80.100 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=986 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1024

4.7 SYN Flood Protection (SYN-flood)

The limits for new incoming and outgoing TCP connections (SYN flood protection) per second can be configured through the menu Network Security > DoS Protection. If one of the limits is exceeded, a log entry is issued with the log prefix SYN-flood. Those events are only logged once per second.

Example:

  2007-10-10 14:56:56.33045 kernel: SYN-flood act=DROP SYN-flood act=DROP IN=eth0 OUT=eth1 SRC=10.1.0.52 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=232 PROTO=TCP SPT=1234 DPT=5678 SEQ=0 ACK=0 WINDOW=1500 RES=0x00 SYN URGP=0

4.8 ICMP Flood Protection (ICMP-flood)

The maximum number of incoming and outgoing ICMP echo requests (ICMP flood protection) per second can be configured through the menu Network Security > DoS Protection. If one of the limits is exceeded, a log entry is issued with the log prefix ICMP-flood. Those events are only logged once per second.

Example:

  2007-10-10 14:59:31.22647 kernel: ICMP-flood act=DROP ICMP-flood act=DROP IN=eth0 OUT=eth1 SRC=10.1.0.52 DST=192.168.1.100 LEN=92 TOS=0x00 PREC=0x00 TTL=254 ID=1432 PROTO=ICMP TYPE=8 CODE=0 ID=40962 SEQ=768

5 Related Documentation

The following documents can be downloaded from our homepage (www.innominate.com > Downloads > Documentation and Downloads > Application Notes). Please check our homepage periodically for updated or additional documents.

User's Manual
  - User Manual mGuard

Application Notes
  - Windows 2000/XP TCP Tuning for High Bandwidth Networks
  - Innominate mGuard Rollout Support

Additional Documentation
  - mGuard Configuration Examples
  - mGuard Update/Recovery/Flash Procedures

Interoperability Guides (how to set up a VPN tunnel between the mGuard and one of the following devices)
  - Astaro V5/V6 (PSK and X.509 Certificates)
  - Astaro Security Gateway 220 (PSK and X.509 Certificates)
  - Bintec VPN Access 25 (PSK and X.509 Certificates)
  - Check Point NGX R60 (PSK and X.509 Certificates)
  - Cisco 1812 (PSK and X.509 Certificates)
  - Cisco PIX (PSK and X.509 Certificates)
  - Cisco VPN3000 Concentrator (PSK and X.509 Certificates)
  - Fortigate 60 (PSK and X.509 Certificates)
  - Microsoft ISA Server 2004 (PSK and X.509 Certificates)
  - NETGEAR FVS338 (PSK and X.509 Certificates)
  - Netscreen 5GT/204/5400 (PSK and X.509 Certificates)
  - TrustGate5 (PSK and X.509 Certificates)
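As an added example (not part of the application note or of the mGuard software), the following Python parser splits log lines of the format described under Log Abbreviations into the log identifier parts (<Log Prefix>-<Rule Number>-<Log ID>) and the packet fields, then applies the TCP flag checks from Firewall Traversal and the anti-spoofing condition from section 4.5 to sort entries for review. The sample lines are the note's own examples with punctuation restored; the `=` field separators, the `kernel:` token and the internal network 192.168.1.0/24 are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Log identifier (section 2): <Log Prefix>-<Rule Number>-<Log ID>; the log ID is
# absent for flood events and the fw-invalid-* prefixes, so that part is optional.
IDENT_RE = re.compile(r"^(?P<prefix>.+?)-(?P<rule>\d+)"
                      r"(?:-(?P<logid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}))?$")
KV_RE = re.compile(r"(\w+)=(\S*)")            # netfilter-style fields, assumed '=' separator
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}
INTERNAL_NET = ip_network("192.168.1.0/24")  # assumption: internal network of the examples

def parse_entry(line):
    """Split one firewall log line into timestamp, identifier parts and packet fields."""
    ts, rest = line.split(" kernel: ", 1)
    ident, packet = rest.split(" ", 1)          # the log identifier is the first token
    entry = dict(KV_RE.findall(packet))         # act=, IN=, SRC=, DPT=, ...
    bare = {tok for tok in packet.split() if "=" not in tok}   # DF, SYN, FIN, ... (no value)
    entry["flags"] = sorted(bare & TCP_FLAGS)   # ACK=0 is the ack number, not the ACK flag
    m = IDENT_RE.match(ident)
    entry.update(timestamp=ts, prefix=m["prefix"] if m else ident,
                 rule=int(m["rule"]) if m else None, logid=m["logid"] if m else None)
    return entry

def invalid_flag_combination(flags):
    """The four TCP flag checks listed under Firewall Traversal (section 3)."""
    f = set(flags)
    return ({"FIN", "URG", "PSH"} <= f or {"SYN", "RST"} <= f or {"SYN", "FIN"} <= f
            or f & {"SYN", "ACK", "FIN", "RST"} == {"RST"})

def classify(entry):
    """Name the traversal step behind an entry, using the section 4 log prefixes."""
    p = entry["prefix"]
    if p in ("SYN-flood", "ICMP-flood"):
        return "dos-protection"
    if p.startswith("fw-invalid-") and invalid_flag_combination(entry["flags"]):
        return "invalid-tcp-flags"
    if p == "fw-incoming" and entry["act"] == "DROP" and ip_address(entry["SRC"]) in INTERNAL_NET:
        return "anti-spoofing"          # dropped packet from outside carrying an internal SRC
    return "default-rule" if entry["rule"] == 0 else "rule-match"

# Constructed sample: four of the note's example entries with their punctuation restored
SAMPLE_LOG = """\
2007-10-10 15:25:35.15495 kernel: fw-incoming-1-1018e085-f179-1cb3-bbf3-000cbe022aad act=ACCEPT IN=eth0 OUT=eth1 SRC=10.1.0.52 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=232 PROTO=TCP SPT=1234 DPT=5678 SEQ=0 ACK=0 WINDOW=1500 RES=0x00 SYN URGP=0
2007-09-20 10:36:25.06867 kernel: fw-incoming-1-121e0dc5-a774-1f09-9647-000cbe022aad act=DROP IN=eth0 OUT=eth1 SRC=192.168.1.1 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=1276 PROTO=TCP SPT=1234 DPT=5678 SEQ=0 ACK=0 WINDOW=1500 RES=0x00 SYN URGP=0
2007-10-10 16:07:36.93741 kernel: fw-invalid-forward-0 act=DROP IN=eth0 OUT=eth1 SRC=10.1.0.52 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=232 PROTO=TCP SPT=1234 DPT=5678 SEQ=0 ACK=0 WINDOW=1500 RES=0x00 SYN FIN URGP=0
2007-10-10 14:56:56.33045 kernel: SYN-flood act=DROP IN=eth0 OUT=eth1 SRC=10.1.0.52 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=232 PROTO=TCP SPT=1234 DPT=5678 SEQ=0 ACK=0 WINDOW=1500 RES=0x00 SYN URGP=0
"""
def triage(text=SAMPLE_LOG):
    return [{**e, "category": classify(e)} for e in map(parse_entry, text.splitlines())]
```

Entries whose category is anti-spoofing or invalid-tcp-flags come from the checks that run before any configured rule, so they cannot be looked up by rule number; the prefix and, where present, the log ID are what the Lookup function needs.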