watchguard network security handbook

WatchGuard® Network SecurityHandbook

Firebox™ System 5.0

Copyright�� !��

Notice to Users��"��#��#��$%��!��&��#��"&��$��$%��#��$��'��$�()��#��"&��#��*��"��#��#��$��$��#��#��"��+��&��&��#��"��#��

TRADEMARK NOTES

��,�!�)��#��-��#��-��"��.��)��'��$�(�)��#)��/��"#��#��-��"�� #��-��#��#��"��"��!��&��

ii WatchGuard Firebox System 5.0

Contents

CHAPTER 1 The Need for Network Security ................................ 1The Conveniences and Dangers of Networking ............................ 1

Security vs. convenience 2What is a security policy? 3Making peace with a security policy 3

What Makes a Good Network Security System? ............................ 4Simplicity 4Scalability 4High uptime and quick recovery from failure 4Distributed architecture 5Dynamically secured against the latest security threats 5Economy of IP addresses 6Secure connections 6Authentication 6Content discrimination 6Secure remote management and communication 7Virtual private networking (VPN) 7Highly configurable logging and notification 7Summarize and report network activity 8Quick and responsive 8Well-conceived security system policies 8Physically secured security appliance 8

The WatchGuard Solution .............................................................. 9Assumptions 9Separation of key security system components 10Ease of use begets secure use 11Open code base 12To proxy or to packet filter? 13Integrating security technologies into a stand-alone appliance 13

CHAPTER 2 Security and Firewall Management Policies ......... 15Balancing Risk vs. Productivity ..................................................... 16

Network Security Handbook iii

Incoming services: security principles 17Outgoing services 18Other principles of security vs. risk 19Elements that decrease firewall security 20

Organizing Your Organization ...................................................... 22Determining Allowable Traffic ...................................................... 22Organizing Networks .................................................................... 23Determining Off-Limit Areas ........................................................ 24Physical Security ........................................................................... 25The Human Factor ........................................................................ 26

CHAPTER 3 Network Configuration .............................................. 27Simple Network (Drop-In) Configuration ...................................... 27

Using a secondary network 29Multiple Network Configuration ................................................... 30

CHAPTER 4 Proxying and Packet Filtering .................................. 33The Purpose of Dynamic Packet Filtering .................................... 33How the Firebox Security System Uses Proxies ............................ 35What is the Firewall Stance? ......................................................... 36Defining Traffic Through Services ................................................. 36

CHAPTER 5 Beyond Proxies and Packet Filters .......................... 39What is the Purpose of Blocking Sites? ........................................ 39

Logging blocked sites 40What is the Purpose of Blocking Ports? ....................................... 40

Conflicts in blocked ports 43Network Address Translation (NAT) .............................................. 44

What is dynamic NAT? 44What is static NAT? 45

Aliasing ......................................................................................... 46Authentication .............................................................................. 47

Authentication methods 48

iv WatchGuard Firebox System 5.0

Firebox authentication described 49Windows NT authentication described 50RADIUS authentication described 50CRYPTOCard authentication described 52

Encryption .................................................................................... 53Block Web Access ........................................................................ 54

WebBlocker configurable parameters 54How WebBlocker works 56

CHAPTER 6 Virtual Private Networking ....................................... 59Branch Office Virtual Private Networking ..................................... 60

Branch Office VPN with IPSec 60 Logging VPN activity 61

Remote User Virtual Private Networking ...................................... 62Mobile User VPN 62Remote User VPN with PPTP 62

Managing the Internet Distributed Enterprise ............................. 62VPN Manager 63Sample IDE configurations 63

CHAPTER 7 Maintaining a Firewall ................................................ 67The Firebox System and Firewall Maintenance ........................... 67

LiveSecurity Service broadcasts 69LiveSecurity Service Web site 70

Using Logging to Record Hostile Events ..................................... 70Notifications Provide First Alert ................................................... 71

How notification counts and handles events 72Developing logging and notification policies .............................. 73

Selecting which events to log 73Allocating servers as Event Processors 75Log file size and turnover frequency 75Which events will trigger notification? 76Choosing the form of notification 77

Monitoring the firewall visually .................................................... 77

Network Security Handbook v

Obtaining Summary Reports ........................................................ 78Why generate reports? 78The WatchGuard Historical Reports module 79

Index ............................................................................................. 81

vi WatchGuard Firebox System 5.0

CHAPTER 1 The Need for Network Security

�� !��!��!�"�� "��#�!��$��!��

The Conveniences and Dangers of Networking

%�� !!��"��&!��!� �&��!�� "��#�� "��!��""��!��""��!��!!��!��"�� !��

'��"��&())*��"��"��!��"�� "�� #�!��"��!��!��!��!��!��"��!�� +��!��

Network Security Handbook 1

CHAPTER 1: The Need for Network Security

��"�"��"��"��"�� &!�� !� ��"��!��!��!�!�� "�� "��,��!��

-�� .��/��#�� &"�!�� .��"�"��0��"�� 1��"��!��,�� /��"��!!��!��

��!��!��!��"��!!��!��23 �� !��"�� "��!�� "��"��!��&��4��"��"�� !�!�� #��

3 �� !��!��!��!��"��!��"��!��"��!!��!��

3 �� !��"��&��

5��"��#��!��!��!��"��!��!�� " ��!�� ,��!��!��!��"��!�� "��"��"� ��!��

2 WatchGuard Firebox System 5.0

The Conveniences and Dangers of Networking

Security vs. convenience,��"��"��!��,��!�� "��"��"��!��"��"��"��

��!��!��"��!��!!&�� !!��!��"�� .��/��""�"��!!� ��!��

What is a security policy?��#��!!��!��"��"�� .��!��!��-��!!��"��!��!!��

4��#"�!��!��"� ��!��6��"�� .��"� ��!��"�� .��!��!�� &!��!�"� �"��"�� "� ��!��"��!��"�� .��0��!!��"��!��!!��!!�� &�� 7�� !��

�� !!��!��!� ��!��!��!� ��"��

Making peace with a security policy6��!�� !��7�� 7�� .��!��23 ,�� .��!��

��!��!��!��



3 ,��"��!��

3 ,�� !�"��"�!�"�� .��"��

4��!!��"��!�� !��!��"��"��!��!!�!!�� "��"��!��!��-��!�� !!�"�� "��!�� !��"��!�� .��/��-�� "��!��!� ��"��!!��"��!��!��

What Makes a Good Network Security System?

8��!�"��"��"�� "�!��

Simplicity-��"�!�#�� &�&��"��"��"�!��"�!�� "��!��!��!��!��

8�� "��!��!��"�!�#��9��"�� 2��!!��!!��!!��"��

Scalability��!��"��!��"�� "��/��4��#"�!��"��"� ��.�� !��&��!!�"� ��!��!��!� �� .��-��!�!��"��!��#��!��"��



��:��"�� !�!��"�!�#��"� ��-!�� "�"� ��"��!!��!��!� ��;6��!��"��"��"�� !��"��"��

High uptime and quick recovery from failure��/��!��!!��!��!��/��!��<��&��""��!�� "��"��!��!��!��"��!��-��!��!!��&��2�=��!��!��!��$��!!��!!��!��'��"��!��!��!��:��:��!��!��

-� �� 8�'4��"��"��!�� !��!��"��4�� "��!��!�� !��!��!��!��!��"��"��!!��!��!��!�

Distributed architecture5��"�� "��4��#"�!��"� ��!!��!��"��"� �� !!��"��!��"�!� ��

-�� "��"��-��!!��!��#"�!��!�� #��"��-��!!��!��!��!�!��"��!�� !��!�� !�!��



Dynamically secured against the latest security threats��&�"��!�� "��"�!�"��!�� -��!!�� #�!�� "��"��

,��!!��&��&��4��/�� -��"��"��"��"��!��!��"�� "��"��"��"��!��!��"�� !�� !��!��

��!!��!�� "��"��"��!��"��

Economy of IP addresses-��!!��!��!��!�� !��!��6�� 6��7��!��!!��!��/��6��!!�� 2�3 ��"�� .��/��!��6�

��"��!�� "��"��

3 +�� 6��!!��!�� !��6��

3 ��"��6�� .�� !��6��

Secure connections-!!��"��!��"�!�"��!!��!��""��2��!��"��"��!!��!��!��



�� !��!�!��!�!��"��

Authentication-��!!��!!��"��!�"�� "��"��-� ��"��!��!��!��,�� "�!��!��!��!�� .��!�� !��!��!�"��8�!��!��"��"��!��!�!��

Content discrimination>��"��!�� .��"�"��"�� .��"�� &��"�� .�� !��!��-� ��"��"��"�!!��"�� #"�!�� "�!�� "�� !�� !��

Secure remote management and communication-� ��"��"� ��"��"��!�� "��"��!��!��!��""�� "�� ;6��!�� !��!��

Virtual private networking (VPN);6��!�� "�� .��!��""��!�� "�!��8��"��;6��!��!�� 4��#"�!��;6��



��!��

;6��!��!��7��"��!��"�� "��;6��!��#"�!��!��!!&�"�!�"��!�� !��

Highly configurable logging and notification-� ��"�!��!� ��!��"��"��!�!��!� �� !��"��!� ��

�?��!�� !� ��!� ��!��"��"��?�� !� ��!!��4��#"�!��"��!� ��"�� "� �"��!!��!!��"��"�� "��!� ��!��"��

<� �� "��!��!�� !� ��!��!��.��:��!� ��!�� !!��!� ��!!��!��!��!��&��"��-��!��:��!� ��!!��!��.��!��!�#��!��

-� ��!� �� "��"��"��"��"��

Summarize and report network activity-� ��"� ��"�� !�� &��"� �"��+��!��!��!� �� "��&�&��"��"��


The WatchGuard Solution

Quick and responsive-� ��"�!!��"��"�� :��!��!��"��"!��"�� .��

Well-conceived security system policies-��"��!�� "��!��-��!!&�!��"��"��""��!��!��#"��!��!!��"�!��""��!��!��!��!��

��!!&��!��!��!��!!��.�� -��!�� .��!!��.��

Physically secured security appliance4��!!��!!��!�� !��-!!��!��.��"�!��!��!!��"� �"��!��!��5��!��6�� "��!!/��!��!��!� ��2��.��!!��!!��!��!��!!��!��"�� .��!� ��


��$��#��!��!��!��&!��!��7��$��4��#��

��$��"�!��!!��4��#��!��4��#��4��#��4��#��4�;6��4��#��% %��% %@��



Assumptions �� !��!�� "��-��"��"��!��!��"��!�� !��!!�� !�� !��

4�� "��"��"��!!�� !��!��"��!��"��!!��"��"��

-��"��"��"��23 ��3 ��!!��!!��2��.��

!!��3 ��"� �"��!!��2��.��

��!!��3 �� !�� !!��

$��"��"��!�� "��!��

+��"��!�� !��"��!��"��"��!!��"��!��!�� "��"�"��!��!��"��!��"��7��"!��7��!��"��"�� .��4��#��"��"�� !��!&�"��8��!��!!�!� ��0� �� .��"��#��!�� 4��#0��!��"��!��



Separation of key security system components��!!��!!��"��"��"��"�� !��"��

��$��4��#��"��!!��!� �� "� �"��"��!��!� ��!��!��"��2��$��=��6��!� �� 8� �"��4��#��

�� 4��#��!��"��"��-!!�� !��"��7��!��!� ��!��!��"�!��!��"��!��7��4��#��<�"�� 4��#��!��"��"�.��#��!��

'��!�� !!�� !��&!��!��!��!!��!!��!��!�� !��!�� !��!��!��$��"�� "��!!��!��"��4��#��

��!��4��#��"��!!��!�� "��'�� "��!��"��!��"�"��!��"��!!�� !&��"�� !&�� "��

��$��"��!��!� ��!!�� !��"��"��!!��!��!��-��!!��!��.��!�� 8� �"��$��=��6�� "��:��"��"��"��-!!��""��4��#��!�"��

'��8� �"�� !��=��6�� !��"��!!��"�� .��



6��!!�� 8� �"��!� �� "��!��!��8� �"�� !��!��"� �"��!� �� !� �� !�� !��!��!��!��

-��$��4��#��8� �"��!��!��!��8� �"��"��4��#�� ""��"��"� �"��+��"��"��"��8� �"��!��!��!��!� ��

Ease of use begets secure use-��&�&��"��!!��"��:��!��!��"�!��!�� "��!��'��!!�� !!�� 2��!!��!!��"��6�� "�!��!��!��!��!��"��!��!!��!��!��"�!��

��"��!��$��!��2��"�!��"�� #�� !��!��!�� '�� "��!��"��2�3 =#��"�!��7��

��"��!�� !��!��

3 ��"�!�#��!�� "��!��!��!��

3 ��!��#��&��!��3 ��"�� !��



Open code base-��"��"��!��"��!��&��!��!!�� "�� "��!��-!�� "��"��"�"��"�!��!��"��!!��!�"�� "�� ""�� :��!�� !!&�� "��8��!��"��"� �� "��!��"�!�� #�� "��!�"��

6��!�� "��!��!��!��"��!�� "��#��!��!��!��!��""�"�� !��#��!�� !��&��!��"��

��$��4��#��"��!��!�!��<��#�� "��!�� "��!�� !��!��!�� "��!�� !�� #�� "��!!��:��"��!!��!�!��""��!�� "��

��$�� !��!!�"�� "��!��!��"��!��<��#��!��"��""��.�� "��"��!��!��!��4��#��"��"��!��"��$��!� �� !!��$��!��!�� !�� "��!��

,�� <��#��!�!��"��!!�� #��!�� "��!��!��!��!�� "��"��!�!��!��"��$��-��$��"��!!��!�� !��



�� "�� !�� "��!!�� "��

To proxy or to packet filter?-!!��!!��!��!�� !��"��!��#�� !��"��!��!�� #�!��"��>��A��B6��#�� 6��4�!�� C��=��"�� 4��$��!� ��"��

6��!�� !!�� ""��2��"��!��!��2�-�� D�%��#�&��!!�� "��!��!��"��"�"��6��#��2�-�� "�� D

The WatchGuard answer: both in moderation

��$��4��#��"��"�!��"��#��!�� !� ��5�� "�� !�!��'�� !��!��!��"��!��!��&��-!!�� "�"�� .��/��!��!��%��!!�� "��"��!�� "�!�"��!!��$��.��!��

��!�� #��8�6��4�6�� 6��!��!�� "��#��#��!!��!!��



Integrating security technologies into a stand-alone appliance

8��!��"� �� "��!!��"��!��"��!��"��"��!��!��$��4��#��"�� "��!��"�� &!��"��!!��!��2

�� "� ��"��$��4��#��"��5�"��>��!!��9-5�,��>9+6�%>��5��$��/��4��#��,��:��"�� -��!��"� ��/�� !��!��!�� "� �"��!�� !��

� ��6��"�� !��!�� .�� "��!��!�!��$�� >��!�B>��%�C�!��$��4��#��"��9�� !� ��&!�� !!��"�� !� ��!��!��"��

�� ;��!��!� ��!�� !��&��"��"��5�<��;6��!� ��!�"��!��!��!��"�� "��"��!��!��#��$��4��#��"��!��&�&



��;6��!��!��!��"��"� ��;6�� "�� !��!��


CHAPTER 2 Security and Firewall Management Policies

-�� .��/��!��"��!!�� "��"��!��!!�� .��!�� "��!��"��!��"��-��!��!��!!�� :��23 ��!!��!��"��"��D3 ��!!��"��D3 ��!!��"�!�"��"��

��!��D3 ��!!�� D3 ��!��!��"��!!��!!��D3 ��"��#��!��!!��"��D3 ��"��!��!��!!��!��

��"��""��D

��"��!!0�� "�� .��/��!!��!�� .�� !!��

%��!��!�� "��$��=��"��"��!�"��!��!��"�!�"��


CHAPTER 2: Security and Firewall Management Policies

��"��!��!��"��!��%��!�"��!��!!��!��4��#��"�!�"��!��!�� .��/��"��"��""��!��!�"��!!�"� �"��!��

-��!!�"� �"��!��!��!!�� .��/��!!��!!��!!�� !!��!��

-��!!�"� �"��!��"��23 ��3 ��""��!��!!��

�� "��3 ��""��!��:��1��

��3 ��.��

��!!3 ��"�� .��"�"��3 �� .��"�"��

Balancing Risk vs. Productivity

��!��"��!��"��"��!�!��!!�� .��"�"��:�� !��"��!�!��!!�� .��"�"��"��"��

��"�� !!��#�"�� &��!��"��$��"�� E��.��%��$��6�!��8� ��#��!!�� 4��#�� !��"�!��!��!��!��!!��

��:��"��!��!��2



3 �� !�+��!��!��!�"��"��!��!��"�� .��"�"��+��!��!��!��!��+��!��!��"��!��4��"��"��"� ��!!��!��!��

3 �� !�4��!� ��"�!��"�� !��!��"�!!��!!��!�� !��-��!��"!!��!��!��!��!��!�!��"��!��!��!!��"��!��!��"��"��!!��!��!�� !��

3 " �� !��"��4��!��"��$��"�� /�� #�� !!�� .��+��"��!��!��!��!��#��

��:��!��!��!��4��#"�!��!�� !��!��!�� !��"�� !��"��"��!��%�� "��"��"!!�"��"��!��!�� !��

Incoming services: security principles=��!�� "�� .��"��!�"�� !�� !��!��!!�� "��!�� "�� 4��#�� 2



3 -��!��!��!!��-��!��"�� !��"�!��

3 ��!!��!��,��!�� !��"��!��#�!��

3 ��!&��"��96>��

3 ��!��4�6��!��6%6��8��"��"��-�� 4�6��!��6%6��!��!��#��!�� .��

3 ��!&�� #"�!��!��

3 ��5��8�6��"��4�6�� 6��!��!��

3 -!!�� !�� !��!��!!�� !��!!��

3 -!!�� !��!!�� !!��!�.��!��4��#�"��!�� !��

3 -!!�� "��"��!!�� "��4��"��!!��!��

3 ��!&��"��

3 -!!�� "�� "��!��;6�� .�� !!��!!�� "�� "��!� ��"�� !��"��!!��"�� "�� !��"!!� ��"��!� ��



=��!��"�� !��4�!!�� "��!!��

Outgoing services�� !�� "��"��"�� "�� !!��>��!�� "��!�� .��4��#"�!�� 4�6��"��&��!��1��"��!��"�� 4�6��"��"��"��!�� .��

-��#"�!��"��4�6��!��6%6��!��"��!!��

Other principles of security vs. risk��"��"�!�#�� !� ��"��!�� !��!��"�"��

Internal hosts

��"��!��!!��"�� !!��"�� "�!��"��&�� "�� !��-!!�� :�!��!��!��!!��

Masquerading private network numbers

��"��!��"�:��4��#��



"�:��"��!��"��!!�� 4��#�

Automatic rejection of spoofing and IP options

�� "��!��6��!�� "��"�� .��6��6��!� ��"�!��!�!��!��"!�� 4��#�� !��"��!!��6��

Elements that decrease firewall security-�� E��.��!!��#�� =��"��"��!��"��!� �!��!�� "��"� ��!��"��"��

Additional gateways and hosts

-��!� ��"�!��=��!� ��%��!��!��'��"�� "�� !��

=��!��"��!�� !��-�� "��!��!��!��

=��!��"��%��!��!��!�� !��=�� %��!��!��!��

High risks

��#��"�!�� 4��#�� !!��%�� "�� 4��#��!��



3 %�� "��!!��!��"�� "��

3 %�� "��!!��!��6�� "��

3 ��!�� B-��C��!!��"�� "�-��#��!��-��"��!!�"��2��/��F

Medium risks

��!!�� &��&�!�� 23 ,�� !��6��""��

��3 ��!�� 6�"�:�� 3 ��!�� 3 =��!�� "�� 4�60��"��!��

��"�� 4�6��!��"�!�� 3 -�� !��#��

Low risks

��"��!!��"��"�� 3 -�� #��!��"��

��!��-��#��"��&��!��!��#��!��!!��!��

3 -�� !��;6��!��

Lowering risks

%��!��#�� !!��!��2



3 9�� "�� !��&��

3 9�� "�� !��%��!��&�!��

3 �� !!��"��!��&��"��!!��

3 ��:��!!��"��#��!��!��"��&��

Organizing Your Organization

%� ��.�� .��"��!�� "�!��"�"�� ""��1��

��!��"�� .�� .��7��

4��#"�!��"� �� !��!��"�� !��"��+��!��"� �� "�!�� .��$��!�� 2�3 $��!�� !��!��

��"�� !�� ;6��

3 $��'!��"��

$�� !��"�!�� !��$�� $��-��-��!��+�� "��"�� $��"��"�!��!��!�


Determining Allowable Traffic

��"��-�� .�� "��"��"� ��

+�� '!��"��"��'!��&��&�� 4��#"�!��"� �� !��"�� !��"��!��!�� !��9G5��"��

Determining Allowable Traffic

5��"�� !!��#��!�� 4��#��!��!��"��"�� .��"�"�� !��"�� "��"��"��!��"�� !!��!��!��

��!��#��!��!!��"��!��!��!��!��9�"�"��!��!��!!��4��!��!��!!&��"��"��#"��&��!��!��"��!��"�!��"��"�� "��!��!��

Organizing Networks

-��"�!�� .��.��23 ��



3 ,��3 8�#��

��4��#��.��!��"�#��%��!��>�"��%��!��!��"�� !��$�� !��"��!��!��4��#��%��!��"��!��%��!��"��

��!!�� "��!!��$�� !��!��"�� !��!�!�� !��!!��

3 ��=#��!��#��!��!!��!!��


Determining Off-Limit Areas

3 ��!��"#�"�"��!�"��

3 ��%��!��!!��!��!��4�6��

Determining Off-Limit Areas

<�!��!��&!�"��!��"��"��!�� !��!!��>��"� ��!��23 6��!!��!��3 >��9G5��3 '��!��3 ��"��!��!��

�� !!��!�!��

��"��!��"��"��"��#�!��:��.��"��"��"�� !��!��!��"��4��#��!��!��!��4��#"�!��!��"��"��!��!��!� ��"��!�"��"��:��

��"��!�� 4��#"�!��"� ��"��"��4��$��'!��!��"��!��!��!!��"��"��"��"��'!��!��"�!�� 4��#�

Physical Security

�� !!�� !��!"�� !��!��!"��+��!��!��



��!��!��"��"��!��4��#��"�� 8� �"��"��!��!�� 4��#��$��=��6��!��"�� !��!��"��;6��!��""��

8��!!��!��!�!��.��"�"�� .��!�� .��!� ��4��#��8� �"��!��!!��4��#��!��"��!��8� �"��!��!��&�� &��!!��!��!��!!��9� �� !��"�"��"��"��!!��"��!��!��"��;6��!��

4��!!��"��!��!��!��"��!��%��"��""��"�� .��"�� .�� "��!��"��"��!��

The Human Factor

��!!�"� �"��!��!�� !� ��!��+��!�� !!��!��!��!��!!��"� ��!��!!��"��4��#��!��!��!��"��!��!!��

��!��!��!�"��!��!��+�� .��"��""��!��!��"�� 4��#��"��"�� !��!��!��!�� .��"��!��""��"��


The Human Factor

��"��#�� !!��"��!��""��


CHAPTER 3 Network Configuration

��4��#��1�� "�� !��6��7��4��#�=#��!��6�� !��4��#��"�!��"�� $��"�!��"�!!��4��#&��"��!��

��$��"�!��!�� !�� #�!��23 ��"�!��3 6��#��-96��!��!�3 8�!��!��3 ��&�� 3 ��

Simple Network (Drop-In) Configuration

-��"�!��&�� !�� .��4��#��


CHAPTER 3: Network Configuration

��-��"�!�� !!��!��2

��"��"��!!�� "��4��#��"��6�� !!��&��4��#��B��C��#�� "��"!��"��"�!��!��

-��"�!�� !��/��4��#��!��!��4��#��<-�� "��


Simple Network (Drop-In) Configuration

How the simple configuration works with proxy ARP

$��!!��"��-96��!��!��:�� 6�� 2�

09:06:38.272923 arp who-has linus.torvalds.org tell kernel.torvalds.org

��6��2

09:06:38.272923 arp reply linus.torvalds.org is-at 0:0:c0:72:cd:f2

-��"��"��"��!��0�� /��!��

��"�!�� 4��#��"��#��-962��-96��:��"��!��!��B��C��!!��4��#��!��

��"��"�!!��4��#��!�� !� ��4��#�� /��-96��:��

4��!!��"��"��-96��!��!!��!��!��

4��$��"�!�� !!��4��#�"�� 6��"�� !��"��%��!��!!��!!�� "��6��"��"�� .��6��- ��"�!�� !��

��"�!�� "��"�� .��/��<-��""��4��#��$��6�!��8� ��!��



!��6��6��/�� !!��

Using a secondary network-��"��!��4��#/��!�� !�� 4��#��"�� 6��"��6��=#��!��%��!�� 6�!��6�!��"��!� ��!!��"��!��

��!��!!��4��#�� -��"�!��"�!��!��


Multiple Network Configuration

Multiple Network Configuration

��"�!��!�� 4��#��!��!� ��!��!!��!��2

��"�!��!�� "�� !��4��#��=#��!��%��!��!��"�!��!�� =#��!��%��!��"�!��!�� "��"��

��"��"�!��!�� "��-��!��"��+��!��



��"��!��4��#��


CHAPTER 4 Proxying and Packet Filtering

��$�� "��"�2��"��!�� !��#��

��!�� #��!��!!��!� ��!��#��#�� !�� !��!��"��$��7�� !��

The Purpose of Dynamic Packet Filtering

5��"��!�� #"�� "��!��"��"��-��!��#"��"��!!��!� ��"��#��!��"�!�� !��

-��!!��!��!� ��"�!��!�� "��#"��!��"��"�� "��!� ��"��!� ��"��


CHAPTER 4: Proxying and Packet Filtering

��"�� !� ��!��"��!!��"�!��!�� !��#"�� 0��"�!��"�!��!!��!��

4��#"�!��!�� A*H��!��B��C��!��!��"��!�� !��!��

6��!��!!�� !��"��!��!��!� � ��!!�� !!��!��9�!��!�� !��!!��"��"��"��!��"��!��"��"��!��6��

��$��"��!�� !�� !�� $��!�� !��!�� $��"��!�&��!!�� "��!�� 4��#"�!��!��"�� $�� "��!!��!��


How the Firebox Security System Uses Proxies

��'!��!��"�� !��!��

How the Firebox Security System Uses Proxies

6��#�� !!��!��#"�� !��!!�� #��"�� "��!��"�!��!� ��!��"�!��"�� !��B��C��B4��"C��!��#"��!��/��"��!�� #��4��#"�!�� !�� !� ��"��/�� &�� !!��"��"��"�!��#��#"��!!��8�6��"��#��!�� "��"�� !� � ��8�6��#��!!��!�0��!��!��

6��#��!��!��!��6��!��!�!��!��"��#��"��!!�� !�.��&��!�!��"�!�#�� !!��!�� "��#��"�� !��%�� !��

��$��"�!�� "��"��"��!�� #��!��"��!��6�� !!��#��!��"��!��!��"��!��!��"��8��!��"�� $��#��8�6��"�!��4�6��!�� 6�



��<�� !��!!��

��!��#��"��<-��""�� !��!� ��"�� !��"��

What is the Firewall Stance?

��!��!!�� !��6��!!��!!�� #�!�� !!��""��!!��!��!!��#�!��!��!!��B��#�!��!��!!��C

��$��4��#��"��!��"��""��!��!!��!�� "�!��6��!�� !��

��!��"��4��#��"�� "��"��!��!��!��!!��!�� "��!��6��#��"��!��!��

Defining Traffic Through Services

��$��"��6�!��8� ��#��!�� !!��!��!��.��!��.��#�� 1��"��


Defining Traffic Through Services

!!��!��"��!��!��!��+��!��"�.��!��!��

+��"��!��:��"��!!��$��!��""��>61�6��!��'��"��$��!��!��!��!�� !��!!��"��!��!��"��!��!��!��!�

Configurable parameters for services

��!��"�� $��4��#��"��!�� !!�� 2

#��$��!�� "�� !��4��#��"�� !��4��#��

%� ��#��4��#�� 6��4�6��8�6��!�� 8�6��4�6�� "�� !��!��"�&��!��#��

& ��' �� =��!��!��!��!� ��"�!�� &��"�"��



Changing a service

%�� !�� 23 +�� !��"��

�#�� 3 +�� !� ��

+��"�� /��!� ��#�� /��!��+��"��!�� !�� !��

Deleting a service

�� !��"��!!��!��#��!�� !��&��!��


CHAPTER 5 Beyond Proxies and Packet Filters

-!�� #��!��!!�� !��!��!!��"��"��%��!!��!��!�� 6�"�:�� !��-�� "�� "��!�� %��!��!�� !��

What is the Purpose of Blocking Sites?

-��!��6��4��#��$��"�� 4��#��4��#��!��!��23 6��"��!��!��!�� !��

�� !��"��!!�� "3 -��&�!��$��!��"��!!��

��4��#/�� 4��#"�!�� !�� "��+��!�� &


CHAPTER 5: Beyond Proxies and Packet Filters

�!�� &��&�� -��&�!�� "��!��!��&�!�� "��"��"�� "�"��

��!�� "��!��=#��!��4��#��>��%��!��'!��!��

'��!��$��"��"��!��!��7(*�*�*�*1I��(JK�(L�*�*1(K��()K�(LI�*�*1(L��'��!��!��6��"��!"��!��94>��()(I��(LKJ��(M)J��

'!��!!��"��!��"��%��!��"�!��!��!!��"��"��"��+�� !� �� !!��"��"��!��!!��!��"��

Logging blocked sites-!!��!�!� �� '!��!��4��#�!� �� "��"��!!��"��!��"��""��"�� "��&��

What is the Purpose of Blocking Ports?

'!�� !��#�!��!��!��"��#��!��!��!��-�'!��6�� !��



<��'!��'!��6��!��!��"��=#��!��>��%��!��'!��6��!��

�>61�6�� !��"��-��!��!!&�� -�� "��-��-�-��!��"�� (*KH��6��*�� (*KH�� !!��6��(*KA��

4��#"�!��!��"�"��!��"��!�� !��!��KH��!��!�� "��"�� (*KA��!��"��!��!��!�� "� ��(*KA��!��KH��#��"� ��(*KM��!��!��!!��KH��

��!��!�� !23 '!��6��"��

��=��$��"�� '!��6��!��"��!��!��

3 6��!�!��!� ��!��3 ��"��>61�6��"��(*KH��!��

��!��!�� "��!!��!!&��"��(*KA�� !!��+��!�� "��"��(*KA�

'��!��$��!��!��"��!��!!��:�� "��"��

��!!��!!�� !��!��!��2

(� �� )� ��*+++,*+*-.N��!��!�"��"��!��!��!��!��"��!�!��N��!��!��"��""��



��!��!�� !��N��!��!!��!!�� "��!��"��!��!!��"��!�� !��

��N��!��L***��N��"�!��!��!��!��!��"��L***��L*LH��"#�"�"��LA��!��

(�/ ��#��)� ��01++.8��N��4��"�!�#�� "��&��"��-��#�!��!��!��N��

'/#�)� ��2+34.�4��4�!��"��!��>61�6�� !��"�� !�"��"�� 4��

NOTE

0��1 ��*')2��&�!��#��##��"��*')��"��*')��$��#��"��+��*')��&��$��!��"��*')��1 ��#��

5�� )� ��2+++.%�� "��"��8��"��"�!��N��

�� )� ��61-��613.��"��"��"��!��"�

$%�� )� ��111.96>��(((��"��!!�� 96>��96>��"��!��!��!��!��



�� 96>��"��!�!��

� ��+6��*��-�-��"�� "��*�

� ��16��(��!��>6"�#��'!�� "��

5��#��!!��6N��6��K(H��!!��6N��6��!!��"� ��#�!��!��!��K(H��

'��7�5#��)� ��1-0�� 1-4.+��!��!��!��'�%��!!��!��!��"�!��!��!��!�� !�� "��

Conflicts in blocked ports��"��"��"��"��!��!� ��"��"� ��!�"��!��!��"��!��"� ��"��!��!��!��

+��!��!��!�� "��(***�� ()))��"��!�!��!��!��!��

NOTE

)��3�45�"��

Auto-blocking sites that attempt to use blocked ports

+�� !��"��"��!��&�!��+��!��&�!��



Logging blocked port activity

+��!��!� ��""��"��!��+�� "��!� �!!��"��!�� "��"��"��"��!��

Network Address Translation (NAT)

��-��!��"��!��-��!��6�"�:�� !��"��'��!!��-�23 5��"��-��!��6�"�:��

��!��4��#��6��!��!��!��6�� 5��"��-��

3 ��-��!�� I*�� 6��!!�� "�� !!�� -��!!�� !�� 6��!!�

What is dynamic NAT?5��"��-��!��!��"�� !��!��"��4��#��!��5��"��-��!��!"��!!��>6��,56&��"��

��"��-�� "��"��4��#��&��6��4��#��"��"��"��6��4��#��"��"��5��!��0��4��#��#"��"��"��"�:��


Network Address Translation (NAT)

��!��"��&�&��!&��"�� "��%�� !��"��"�� "�!��"��2�� "��"��"��"�!��-�� !��!��-��"��!��#��

Important dynamic NAT configuration parameters

5��"��-��!�� !��"��!!�� !�!�� 2

�� !��"�&��!��"��-�2��>6��!��"�&��>6�4��"�&��,56��!��"�&��>6��"�&��!��!��"�&��>6��-�!� ��!��!��!��"�!�� &!��!��!!��>6�4��"�&��!�"��"��"��"��"��,56��"�&��!�"��,56��

��'8�� +�� "��!!��!��=#��!��%��!!��""��"��"��"��4��#��+��"�:��"��!�� .��!��"��!!�� 2

&��(*�*�*�*��(*�KMM�KMM�KMM��(*�*�*�*1I��!��

&��(JK�(L�*�*��(JK�H(�KMM�KMM��(JK�(L�*�*1(K��!��

&��()K�(LI�*�*��()K�(LI�KMM�KMM��()K�(LI�*�*1(L��!��

��"��>��!�94>�()(I��"��"��6��



What is static NAT?��-��"��"�� "��"��"��-��!�� #��!!�� !��

��-��"�� 6��"��4��#��"�:��"�� !��"��+��!!��-��!��"�!�

4��#"�!��"� ��"�!�� !!��6��!��!� ��"��#��!��-��!�� !��!!��"�!��"��"�!��4��#��4��#��!�� "�!��8�6��

Configuring static NAT

�� -�� "��!�� "��-��-�� &��&�� #"�!��8�6��"��!� ��!��4��"��"�� "��!��-��!��#��!��!��0��!��

Aliasing

-!�� !�� !!��"�� !��!��"��

-!�� "�!��"�"��6��5�"��$��,��6�� "��"�� "��6��-!��!�� !�� '!��


Authentication

NOTE

'��$�(/�#��*�/�#��#��6�� .�� $��'��$�(/�#��*�/�#��

-!�� !�� .�� !!��!��!��!��!!�� 2

/�� -��!��"�"��"��!�� /��6��

/�� -��!��"�"��"��!��6��

��9� �� 1��!!�� .��"��

%��9� ��'!�� !!�!!��"��

8�� 9� �� .��"��"��!��2�9-5�,��>9+6�%>��$��

Authentication

,��-��!!��!��4��#�� O�&��!��!��

��,��-��!�� "��6�� "��"�� %� �� 6��%� �� 4�6��"��



�� "��!� ��4��"�� "��6��"��"��!��!��"��"�� !��"��"��

NOTE

7��#��$��0��.�� ##��"��!��#��&��#��#��8��.��(��!��9��#��$��#��

��$��-��!!��"�� "��6��"�!!��"��"��"��6�� 6��!!��!�� 5 >6��"��!��6��-��!��!��"��!��"��!!� ��"��"��!��"� ��"��6��

Authentication methods��$��4��#��"�� 2�3 ��6��"��5�"��>��!!��3 9-5�,�&��"�!��94>�K(HI�3 >9+6�%>��3 ��5��3 ��$��!&��4��#��"��

��"�� "��!� �!��0��"��"��:��

��4��#��"��"�� 4��#�


Authentication

��!��"�� "�� 7��9-5�,��>9+6�%>��

��!��4��#��"�� "��/��!��!��4��#�

NOTE

:��".�� #��$��#��

��$!��!�-�� 2�3 <� ��"��7��!��"��!!��

��"��!� ��"��3 ��"��7��"��"��

��"��"��!�"��&��

The WatchGuard authentication implementation

�� O�&��!�� 8��=#�!��,9<��4��#��-��!�.��4��#��O��!��"��"��"��!��4��#�� -��!��"��"��"��,��"��"��!��#�

-��!�!��!��"��6�� 5 >6��4��#��"��!��"�� 4��#��$��4��#��"�� &��&��"�� !!��!��

��$��!!��!��&��!� ��"�>9+6�%>��>9+6�%-�"��



��9'&(��!�� !��&��!��"�>9+6�%>��$��4��#��"�

��!&��!��$��4��#��"�� "!!��"��0��"�� "��!��4��#�� !��!��!��

Firebox authentication described,��"�� "��4��#��$��!��8��!��,��;6��

4��5�"��>��!!��9-5�,��"��1�� 9-5�,��4��4��#�5�"��"�!!��4��#�,��8�"��-��,��-��!� ��#�

�� 4��#�� "�"��

NOTE

�&��"��;0*��&��'��$�(��#��""��<��=��$��>�$��.��;0*��<��=��?��!��"��#��'��$�(&��00�0�@��#��#��$��#��>�$��.��00�0��#��'��$�(�

Windows NT authentication described��5�"��,��-��5�"��,��$��,��$��!��!��5�"��>��!!��

��$��"�!�"��"��


Authentication

��+��!!�� "�� $��2

" ��'��"��

8�� %�8��& ��+�� $��!��6��"��"��

��& ��9� ��+�� .��

RADIUS authentication described��9�"��-��5�!&��,��9-5�,��"��9-5�,��!��&��"��"��"��;6�� !��!�!��!!��-��"��!��9-5�,��"�� :��:��"��9-5�,��!��"��!��"�!��!��!!��B��C�

6��9-5�,��"��=��!!�� "�� !��"��9-5�,��"�!��!��!�.�� !��"�!��!��#�� "��"��#"�!��,��5�"��!!��5��!��"��"��"�"�!��!��!!��

��9-5�,�� "��!��&��&�� "��"�� !��



4��9-5�,��"��1�� !��6��4��#��9-5�,��

��$��/��"�!�"��9-5�,��!�� !!�� "��2

�%�8��6��"�� 9-5�,��

% ��"��4��#��!!��9-5�,��

#��!!��4��#��9-5�,��&��"��#�!��"��9-5�,��

7��$8:��#�#��+��9-5�,��9-5�,��"��!�!��"��"��"��"��9-5�,��

NOTE

��A /�.)&��-��&��6 08��6��-� ��0��9��>�-��A /�.)��!��6 0�

CRYPTOCard authentication described>9+6�%>��&��"��!!��>9+6�%>��!!�� "��!��&!�� !��!��

>�� $��>9+6�%>��"��:��!!��>9+6�%>�� "��/��!��4��#�


Authentication

��$��"�!�"��>9+6�%>��!�� !!�� "��2

�%�8��6��"�� >9+6�%>��

% ��"��4��#��!!��>9+6�%>��"��!!�� "��!��LKA�

8�� %� ��>9+6�%>��"��>9+6�%>��B6��C��!��

�� !�� "��"��"#�"�"�"��"��>9+6�%>��>9+6�%>��/��""��"��L*��

#��!!��4��#��>9+6�%>��!��B6��C��!��>9+6�%>��&��"��#�!��"��>9+6�%>��!!��4��#��>9+6�%>��

NOTE

��#��#��A@0�:��#��#��'��$�(B��0��A@0�:��!��B��"��"��'��$�(��A@0�:��!��'��#��"��#��A@0�:��!��#��:��C��$��A@0�:��!��



How CRYPTOCard authentication works

��!��O��!��"��"��%��!!��"�� "��O��!��!�� "��"��"��>9+6�%>��>9+6�%>��"��"��"��O��!��!��"��"��>9+6�%>��"�� >9+6�%>��9-5�,�� !��!��>9+6�%>��=#��!��>9+6�%>�� >9+6�%>��4��"��>9+6�%>��"��"��!��

Encryption

�� !��"��!��"��"��!��=��"�!��"��"��!��!!��#��.��$��4��#��"��"�!��!��!��!�� !��4��#��"��!!��"��1�#�� !��,��

��$��!��!��2��=��-��ML&��5�=��5=��! ��"��=��((K&��!�&5=��-��(LI&��!�&5=��

'��!��4��#��"��!!��!�"� �"��4��#"�!��"� �"��"�


Block Web Access

��>��!�>��4��#��#��"�!�� "�!�!��4��#��=��6��

=��!��'��%��9�"��,��;6��!��!��!��&�� !��!��!��"��:��"��!�� !��!��"��"��4�� !��!�� "��4��"��!�� #��""��

Block Web Access

��'!�� 6��#��,9<&��!�� !��"��!��#�� !��!!��

��'!��"��"�� .��!�� .��"�� !��!�� "�� !��!�!�� &��

��'!��"��!��!��!�� .��!�� !�!��+�� '!��"��!!��"��!!��!��"�� $��"�� $��!��4��#�



WebBlocker configurable parameters�� '!�� 23 >��!�3 ��!�� 3 6��!� ��3 =#��3 ��'!��$��

Controls

��!��'!�� 8� �"��!��"��!!��!�� "�"�� /�� '!��!��

4��"�!��!�� '!�� B>� ��5��'!��C��

Scheduling

��'!��!�� !��"��!��7��!��&��!��%��!�� .��/��"!��0��&��!�� .�� "!��,��"��!��!��!��!��4��#"�!��"� ��!�� !!��!��"��

��"��!��"�"��"�� !�� !�� !�� "��

Privileges

%��!��&��!�� !� ��"��!��6��!� ��"��!!��!!�� !�


Block Web Access

��&��!��!��!��!��!!��!��

Exceptions

��'!��#��!��'!�� =#��!!��'!��!��0��!!��!!�� !��#��!��!�� 6��!��'!��!��

��#��"��!��6��!!��!!�� !��'!��

��#��!��6��!��6��"��"�� +��#�� "��"�� !��!��

4��#"�!��!��!��"1P��/��!��BP��C��!��"��!��!!�!!��"1P��!��!��!��!��

��!��#�!!��#�!��"� ��"��"� ��Q��#��!��"1P �� 1��#��"��'��!�� Q�� "�� !��,9<��!!��"��

NOTE

@��D��(��(��$��-��.A,��&��<��(�=��D��$��#��"��(��&��"��.A,�'��(�#��$��-&&&��#CD��(�

Logging and WebBlocker

��'!�� !� ��!��!��!��!��!��"��!��



��'!��!� ��!�� "��!!��!��,9<�� !��-�!� �� !��"��!7��!��!��

How WebBlocker works��'!��!!��$��=��6��"�� 4��#��

��4��#��=��6�� '!��,9<�5��%��4��#�:��=��6��'!��=��6��$��!� ��!��4��#�

��4��#��:��=��6��!��'!��=��6��!��!��4��#��!��4��#�� !� �� "��2��.��"��"��"��4��#�:��=��6��!��

��"�!��!��"�!��4��#��!!��!��!��=��6��!!��

��!!��"��B��!��!��C��"�!��"��!��B��!��C��4��#��!!��!��#��"��=��6��

��4��#��!!��!!��!��"��,��"�� "�� B��!��C��!��4��#��!��

��!��"��!!��!��!��'!��>��!�� !��


CHAPTER 6 Virtual Private Networking

-�;��!�6��;6��!��""��"��!��!��!��!� ��"��!��!��!&��

��""�� !��"��


CHAPTER 6: Virtual Private Networking

��#"�!��-��!��!!��7�� !!��7��!!��!��$��!�23 ��6��

��!��$��4��#��% %��6��&��"�!��

3 ��!��"��!��$��4��#��% %��6��&��"�!��

3 # $��%��6��!��"��4��#��6��!��

3 &�� %��66�6��!��"��4��#�

Branch office virtual private networking

��$��"��""��:��4��#��6��&��"�!��'��%��;6��"��!�� "�!��"��!�� ""�� $��'��%��;6��!�2�3 �6��3 ��$��;6��!

Branch Office VPN with IPSec��$��'��%��;6��!��"�!��6��=�4��=� �� 4��6��'��%��;6��!��!��4��#��6��&��"�!��


Branch office virtual private networking

�� !��"�� !��!��

'��%��;6��6��!�!��$��"��"��5=��ML&�� $�� 5=��ML&��!�5=��(LI&��

�6��!��!��!��!�"�� !�� - ��-�� !��!��!�"�� !��!��=�6��=��!��6�!��!��!��!�"�� !��

=��;6��!��6�� 6�"��#��6��;6��!�� 4��#��-��6��HK&��"�� !�7! ��"��!�� !��7�� ""��

��"��!��6��!��.�� !��;6��!��4��#"�!��"��5=��;6�� "��!��"��"��:�� !�5=��!!��"��"��"��5;>6��!�� !��5;>6��.��"�!��!��"��!!��!��

Internet Key Exchange (IKE)

-��"��;6��!��4��#��6��&��"�!�� !!�� "�� "��!��+��!��!��"�� :��!��;6��

��R��=#�� R=��"�� "�� $��!��6��R��=#�� !��"��!!�� R=��



��!��4��#��!��&��;6��R=��

WatchGuard Branch Office VPN��$��'��%��;6��$��!��9�-�9>A��!��!��$��4��#��9�-�9>A�(KI&��!�!��"��"��<��"��9>A�ML&��!�!��

��<��"��!��$��;6��.��!�� ;6��.�� 4��#��!��4��#��;6��.��!�� !��!��9�� ;6��.��"��"��"�� "��"��4��#��!�

Logging VPN activity-�� "�� !� �� !!�� !� ��"��!� ��!��!��!��!�� ;6�� !��!� ��<� �� !!��!��!��

Remote user virtual private networking

9�"��,��;6��!!��"��"��"��"�� !��"��!&��"��"��!��&��5�<��9�"��,��;6��"��!!��!�� !!��4��#��9�"��,��;6��!!��!��!!�� "�!��!��"��4��#�� "��

��$��9�"��,��;6��66�6��!�� $��8��!��,��;6��6��


Managing the Internet Distributed Enterprise

Mobile User VPN8��!��,��;6��6��!��"��4��#"�!��"�!�� "��"��!�� !&��!��"��"�� ;6��:��!��4��#��!��8��!��,��;6��"��!��!��$��<��"�

8��!��,��;6��:��!�� 4��#��"��!��"�� !��66�6�� 4��#��"��"��!��!�� &�� !��

Remote User VPN with PPTP9�"��,��;6�� 66�6��!��"��9�"��,��;6��66�6�� 66�6��!��8��)M�� ,��M*�9�"��,��;6��66�6��!��


��5��=��5=��!!��;6��!��"�!��!��5=�!!�� .��"��"��!��!��""��"��&�� !��&��

%��!��"� �"��"�!��!��;6��!��!�!��"�!�#��"�!�� "�� "�� 5=��$��;6��8� ��;6��8� ��""��"�!��!��#�'��%��;6��



VPN Manager;6��8� ��!�.��!�� "� �� 5=��!�� !��$��<��"��;6��8� ��!��!�� !!�;6��"�� !�� 4��#��"�� !��!��!��&�&�� !��6��!��$��5��"��;6��>�� 6��!��5;>6��

What is DVCP?

'��"�� !��&��&�!��"��.��5;>6��!�"��"�� 6��!��"�� !�� "�!�� !��!��

>�� ;6��8� ��!�� 4��#��5;>6�� 4��#��1��% %��;6��-��;6��8� ��6��5;>6��;6��8� ��!��!�� "�!��!��"�!��!��"��"�� !��;6��8� ��!!��;6��

Sample IDE configurations��"��5��=�� 2

Hub and spoke

�� !!�;6��!��"��!!��!��"� ��!!��!�� :��!��"!!��!�4��#��"��"�� "��9�"��,��;6��$��% %�



Figure 7: Internet Distributed Enterprise - Hub and Spoke

Lattice configuration

%��B�!��C�� !!��"�!��!��;6��!��""��"��!��"��"��"�"�!��!��!��!�� !� ��!��4��#�� !� ��!��:�� !!��"!!��"�� 9�"��,��;6��% %��



Figure 8: Internet Distributed Enterprise - Lattice or “Web”


CHAPTER 7 Maintaining a Firewall

��"��!��!!��!��%� �� :�� !��#��!��"�!�� !��!��!!�� !�"�� !!�

The Firebox System and Firewall Maintenance

�� .��>=9��J�M��-��!��!!��!��!��M*��0��!��4��!��"�� "�� :�� !�� !��!��"�� !�� !��!��!!��"��!��#��"��!!��

��$��4��#��"�� !��!��!!��"��"��


CHAPTER 7: Maintaining a Firewall

��!��!��"��!��!��8� �"��

��$��4��#��"��!��&��<��-��"��<��"��4��#��"��>��!�� 4��#��"��<�� !��!��!!� ��!��"!��!�� 2

:��<��"��!��!!��!� ��!��!�� .��/��<��!��"��

/�� $�� .��!��9��9��"�� #��!�.��!��9��9��"��"�!��!��!!�<��

��, ��%��"��!�� #��/��"��!��!��$��


The Firebox System and Firewall Maintenance

4��#��"��"��"�� !!�� =��$��"��!�� "��"��:��!��!�� "��!�� "��"�� !��"��<��"&��2��"�� !�"��#��"��"�� .��<��"��"��!��#��%��!!��"��!��

8�� $��4��#��"�� "��"��"�.��!�� "��$��"��!� ��!��"��!!�<��!��5� �!��"��!��9�-�5��;�� !��"�

LiveSecurity Service broadcasts<��"��&"�!��!��"�� !��!��:��<��2��"��#��!�� !�0��!�� &�� 0��!��!�� .��0��"�� !��"�.��"��"�.��



Rapid response team

'��<��$��/��9��9��"��#��!��!��"�� "�� "��!��"��"�� :��:��!��%��"��"��

��9��9��"�"#�"�.��!��!��"�� !�� "��#��!!��!��!��,��"��9��9��"� ��#��#��"�� "��&��

LiveSecurity Service Web site-��<��!�� "��!��!��$��<�� !��4-E��"��&��!��!��!��!�� !!��"��"��

��!�.��<�� !� ��2

��ECC&&&�&��#C��

Using Logging to Record Hostile Events

<� �� B��C��4��#��-�� !��4��#��!!�� 7��"��"��!�7�� "�� 4��#��

<� �� !��4��#��=��6��<� � ��#"�!��"�� 4��#��"��=��6��"��!��.��"��!� ��!��


http://www.watchguard.com/support

Notifications Provide First Alert

<� �� "��"��"��!� ��>�� "��

-!�� !� �!!��"��!�� !��!!�� 4��#��!� �!!��"!��!��!!�"��!��!�� !�"��=��6��"��!� �� 4��#��

Notifications Provide First Alert

-��"�� "��"�� 4��#��"��"��!��"��"�!��&��=��6��!!�� #��"�� "�

��4��#��"!�� !��'��"��!��!��"��!��

4��#"�!��$��""�� !��!�� 4��#��-��:��:�� %��4��#��=��6��"��-��"��#"��!� �� .��"��!��!��23 '!��"��3 '!��6�� 3 >��6��



+��!��4��#��"��!!��!��6��

<� �� !�� "��"�� !��"�� "��!��!�� &��

How notification counts and handles events-�"��"�� #��!�� !��!��&��!��

<��!7��!��<� �� !� ��"��"��

9��>��7��!��<� �� !� ��"��"��"��

'�!��#"�!��"�� "��

Example

��!��23 <��!�S�M�"��3 9��S�A3 9��!�S�(M�"��

-�� (*2**��"��"�� !� �� "��"�� "��!��!��!��"��"�� 2( (*2**7��!��

K (*2*(7��$��!��

H (*2*L7��$��!��

A (*2((7��$��!��

M (*2(L7��$��!��


Developing Logging and Notification Policies

��"��!��(��K��H��A��M��!!��!��!��M�"��

��"�!��!��!��!��:�!��"��"��"��!��4��#��!��B�� C

�� !� �� "��!��!��!!��&��"�&�� "�!��""��"��"��!� �� "�!��!��!��!��4��#��"�!��!� �� !�

��"�!��!��!��!��!��!��


�� !� �� !��!!�� !� �� &��"��-��!�� !� �� !��"��!��$��4��#��"��!!��"��!��"��!��!� �� !��!!��!��!� �� !��

��!!��!� �� !��!��2�3 ��!� �3 ��!� 3 ��!!��!� ��3 ��!� ��!!��!� ��!�� 1��!� ��!��

��

��!��!��23 ��!!��

��



3 ��"��

��"��!!��"��

Selecting which events to log��"��$��6�!��8� ��"��!� 23 ��!� �� !��5��!�6��

��!�� !� 3 ��!� �� !��!�

��!� �

��5��!�6�� !�� !��!��"��!�� &��!��!"��!��!� �� !��23 �� 7��!��6�

��&"�!��"��"�� "��"��"�� .��!��

3 �6�%��7�#��!��"��

3 6��6��7��"��

3 �6�-��7��"��6��

3 9��7�!��!!��"��4��#�

4�� !��!��!� ��!!�� 23 -!!��"�� 3 5��"�� 3 -!!�� 3 5��

�� !��!� ��!�� "� ��!�� !�� !!��!��!� �� 6��



��!� �� !!��-��!!��!!��!��4��"��!!��!!��#��!�"��!��"�!��!��"��!� ��!�� :��!��

��$��!� �!!��"��!�� !�� !!��

��!!��!� ��4��#"�!��"�� 4�6��!!��"�� "��!�!��!� �� "�� -!!��!��

Selecting the service events to log

-�� !��!��!� ��"��"� ��!� �� 4��#"�!��!�.�� "��!��"!!��"��!�� .��"� ��!� �!!��"��!��!��!!��

Allocating servers as Event Processors4��"!!��"�!�� 8� �"��=��6��!� ��-��!��!��"��"� �� "�� &��=��6��!�"��"&��.�� &��=��6��"��=��6��!��8� �"��

8�!��!��=��6��!��"��"��=��6��!��!��!� �� 0��!!�� &�� =��6��!�!��!� ��

Log file size and turnover frequency+��"#�"�"��.��!� ��!��"��!� ��"��!��!��"��!��!� ��!��



"#�"�"�� =��6��!��!� ��!��!!��#��!��!��!� ��!��

4��#"�!��!� ��!��"#�"�"��(**�***��%��4��#�� "��H��'��"��I��!� ��!��(**�***��-��=��6�� "��)��!� ��!��!��"��!��!��

��!�"#�"�"�!� ��!��.�� !��!2��!!�� !�!��"��!� ��"��!�� !� ��!��!�� :��!��!��"#�"�"��.��!��"��"��!� ��"��4��#�

4��#"�!��"!!��"� ��(*�***��!� ��"��!��"� ��!��!� �(**�***��

�� !�"#�"�"�!� ��!��!��4��#��$�� !�9��"��!��!� ��!��!��!��"� �"��!��!� ��!��!� �� !��!�� /��!�!� ��!�� "��/��!!�� .��

Which events will trigger notification?��"��"��!�� 6�� !��6�!��8� ��5��!�6�� !�� !� ��!��!"��!�� !� ��

%��!��23 ��4��#�� D3 ��"��"��

�� !!D


Monitoring the Firewall Visually

4��#"�!��"�!�� !��!��"��!!��"�� "��%��!� �� "��"��!!��"�� !��!��!��!�� !!��!� ��"�!�#��"�� "��!��!��!��"��"��:��!�� "�� 4��#��!��!��=��6��!!��:��

��""�� !!�� "��#��

��"�!��!��!��"��!��4��#��!�"�� !�� &��#��8�6��4�6��"� ��H*��!�.��!�"�� "��"� ��

Choosing the form of notification��"��&"�!�� 8� �"��"�� "��"��!��!��4��#"�!��"� ��=��6��/�� &��"��

Monitoring the Firewall Visually

��$��4��#��"��!�"�� !��"�� !��1��!&�"��!��!�.��"� �"��!��



��$��4��#��"��!�� !�� !��!&�"��"�� !��!��!��!��4��#�8��"�� !��!��2�

��; �� 5��!��!��!� �

" � ��5��!��!&�"��"�� "��"��>�!��&��-!!��5��6��#��8�:��!1�#��!��6��5��"��"��

7��;��)/�� <�; �� .5��!��!&�"��"�� =��'�� !��"�� ""��6��!�.��!�� !��!��(**8�1��

#�� )/�� <�; �� .5��!��!&�"��"�� !�� !��&�� &��!��

#��$�� )/�� <�; �� .9��""��4��#/��!��!!�!��

8�� &��)/�� <�; �� .5��!��!��-��,��"��6��

7� ��#��&��)/�� <�; �� .5��!��6��!��#��!��"��!��!�� "�� &�!��


Obtaining Summary Reports


-�� !!�� "��%�� "� �"�� !�� "��

��!� ��4��#��"��"��0��!&�"��!��!&�"��!� ��#��!��!��"��"��!� �� !�9��!��4��#��"��&�&��"��!��"�� !�4��#��

Why generate reports?��!!&� �� !��!��!�� .��"�� !��!�� .��!��!��#�!��"�� !&��!��!��

-� �� !��!��!��""��.��2�3 ��

��D�3 �� !��

��!�� !��D�3 ��!��!��

�� !��D

�� !�9��"��!��!!��""��!�� "��"��,9<��"�:�� "��"��!��"��:��!��!��"��

The WatchGuard Historical Reports module ��!�9��""��.��!�#��!�� .��"��



��+��#�"��!� �� !�� !�9�� .��"�.��#��&��!��#��!��

Types of reports

��!��2�

=<�� <��:��"��!� ��4��#��

��#�� ""�� "��

" �� "��(*��"��

#�� "��(*��"��

#�� !��

�$&�� <�� 6��!�� " ��

Building reports

'��!�� "��!�� ""��.�� !!�� !��-��!��"��"��"��!� ��

4��#"�!��B�� C��!�� 4��#��!��"�� .��/��!�� !��"�� #"�!�� #"�!��H&5��&��



Exporting reports

��!�9��#��"��!�� "��

�:/�$�� #��!��#��!��!��!� ��!��""��!�"��#��!��>54�� "��

�� /��%'>�$�� !�9��!��#��!� ��!��"��"��4��!!��;6��T��

��4��!!��;6��!��!��"��!��$�� !�9��$�� !�9��"��6��I*��4��!!��;6��!��!��"��,9<��:��"��"�!��!��,9<��:��"�� "��6��I*��


Index

A 6 5��

�� 14��$�� 15"��#�� 15"��&��-��#�� 15��"�� !�� 14&��-�� 15

��!��-��" �� A0��"�� 5

�A@0�:�� F��F3/G)��/G) F3��$�� 1�14/6�0 1 '��$�( 1 "��>�$��.��;0* 1 �� 14��"�� 1 ��#�� 1�#�� 1�� 1 A /�.) F��F��#�� 1��#��#�� 1��&�*� F�

�� 5� ��,�� 4��$��-�� 3

B7��&��#�� 44$��-��

�� 13��'��$�(��"�� 1�$��"��" 1��$�� 1��!�� 13

��"�� 1�$��-��!��

*�7�:) 13*') 1�*�!��0H�!��0 13:��&� 1�� 1�� 1�A0��#�� 1�� 1�H'��!�� 1�H��& 1�

7��-��)�� 44$��-��

��'��$�(��"�� 1��$��-�� 3 �13��#�� 3 �� 1��#�� 3 ��!��&��-�� 1�

7��:""��;0*�� 6 5��G)0 5��IG 5��0)�� 5��$�� 5��#��"�� 53&��0)�� 5�

C��"��"�� A@0�:�� F��F3

��!�� 1�-�� 1

��$��*:�� 1

D�� /G) F3�5�/6�0�� 1 ��$�� F��/*)��-��" ��"��

��0�� (� A0 ��&��-� � ��$�� 4

/;�0 53


��#��-�"��)��-�"��/��#��;0*��"��0�� 53

E�#��(�"�� 3F�� 5��

��;0*�� F17:;0*&��0)�� 5�/G) 5��$�� F3�0)�� 5��!��" F3��/G) 5�;0*�� 5�

G)0 5�G(��"�� 1

F"��#�� '��$�(��

��&��-� � �� ,��(��# ��&�� 54��$7��-�� F5�� 1 ��$��" ��"��" ��"�� 3�� 4�#�� 44#�� 44��"�� 4��" �F��(��-�"�� 3��"��#>��#��)�� "�#��"

"��&��-�"�� 35�� 3��!��#��" ��#� 1�� 3#�� 54#��#��" �5��" �

"�� A0�� '�0 3F�34

��#�� -��" ��

G��&��

H6��A�� 4��4 ��

��

6�� 446��0 3F

��$�� F1��-��" ��

��$��-��"�� 51

I� * 1��/G 5��IG 5��#��!��-�" �4�� &��- �1��

��J��&��-� ��"��J�� !��#�� -��" ��"��##��

�� *�#$�� 1��/��$��G�� 5��I��G(�� 5��0��$�� 41�0��

��#��&��-��"�� 3��#��" 5��"��

�0�� 3��0#��?��

��$�� 11�1F��!��&��-��#$��

�0�� 41


�0)�� 5�� 1

L��" �F��"�� 51,��(

��!��" ��$��

,�!�)��)��!��$��"��" 5�$�� 5 ��$�� 5�A��A��# 5��5 ��$�� 4�

��!�� 4F��

�� 3��$7��-�� F5$��-��!�� 13$��-�� 1��!�� 43��"��$�� 4��"��"��!�� 34��$�� 3�4��!�� 43"��J� 4F"��!��"��?�� 4F�0��$�� 41�0�� 41��$�� 41��%��-�� 41��"��-� 41;0*��!�� 5�

M>��#��)��

��$�� " �F��"��#'��$�( ��

>��#�$�&��'�� F>�$��.��;0* 5��5�>�7' F#��&��-��"��

��0�� 3��$�� 3�

>.;0*�� 1

N* ��)��*�&��- ��*�7�:)��!�� 13*�&��- ��

��$�� 11��#�� 11��#��* � 11�� 11�1F�#�� 1F

��&��-��"�� 4��$��-� 51�� 51#�� 3�

*�&��-'��)��#�)��*')��&��-��!��"��&��-�

��"��!�� 1F�� 5��#��"�""��!�� 1��$�� F��J�� 3��"�$�� 1��#��#��#�� 4��!�� $��"�� 1�� "�� 5�� 5��

*') 1��"��

��%�� 4�$��-��!�� 13��"��$�� 4��"��"��!�� 34��$�� 4��#��!�� 45��!�� 43�(�#�� 44"��#�" 44��(�#��" 4�

*�!��0H�!��0 13*��#�� 1

O��$�� :��&� 1�


:��"�� 3��1��&��-��!�� !��-��" ��

P��-�"��!��-��" ��-�"��

�� 31��$�� 33��" 33�� 31

��-�"�� 3��#��"�� F0:0��-��" ��"��&�� 11��$�� 4��

� 1�� 1�� 1��34��3 13�� 1��3 13F�3 1�F�1 1�

��$��-��)��$��-��&��"�� 00�0 5�00�0&��A.;0* 5�� 1 ��!��&��-�� 1F��(��!��-��" ��(��

��$�� 3�33�3F'�0 3F�346��0 3F��"�� 34)>�0 3F�34

��(� A0��"�� (�!��-�"�� 3

RA /�.) F��F�

/��.��)��!�� F��!�� 1

A��A��# 5��5

�� 1��#��#��#�� 4A�#��.��;0*

��$�� 5�&��00�0 5�

��&��-��!��

$�� $�� 4��(�� -�� 4��" 4

�� 1�A0��#�� 1�A0��!�� 4�� 1�

S��$�� 1��&��-�

��$�� 1�� 0�� 3�

)��/��!�� 1��

��&��K�� J��-� �5��0#��?�� "��&�� 5��#��"�""��!��# 1��"��$��K��"�� 4��#�� 5��#��#�� 1��"��&��-�� "��"��"&�� F�� #��&�$��""�� $�� F��#�� F��#��"�0�� 5"��&��#��#�� 5��#��"��" �5�� 0�� &��-� ��#��?��!��&��-��#$�� &��-��!�� $�� J��J�� !�� "�$�� 1


��-�"�� 3��#��"�� F�� (�� 3?��-��!��"��#"�� 1��%��"��#�� #��#��#��K��##�� 4��-!��!�� 5�� 5��#�� 1!��!��

)��0��#��( 5��

��"��&�� 3�� 3$��-!��!�� 5$��" �F$��"��" 3��$�� 3��F�(�#��" 3��#��!�� 4

��#��;0*� 4��#��" 1��$�� F��#�� F��"�� #� 1��"��#�� 1��$�� 1

)�� 1��!��"�� 4F��!��(��)��(��!��

��#��'�0 �� " 34��"��$��#��"�� 34��"�� 35��"��""��"�� 34�� 3�/*) ��!�� 4F'�0 ��6��0 ��#��'�0 ��*') 1�*�!��0H�!��0 13��&��- ��&��- ��:��&� 1�

�� -�"�� 0:0 ��(�� 1��-��" �� 1�A0� �4A0��#�� 1�� 1��-�"��#�� 4)>�0 �� ;0* ��H'��!�� 1�H��& 1�

��!��)��(��-�"��)��!�� 44��#��"��)��"��$��-��)��$��-��)>�0

��$�� 3F�34��-��" ��

��"&��"��"�� F�� )0� 5��"��

��$�� 41��%��#��

��-��" ��-��" ��)��A�� 44

T��-��" ��#��&��#��* � 1F��""��#�� 44��""��#��&�$�� (��)��(��/G) F3�5��"�� 3��1��&��-��!��

��)0� 5��$�� 5�&��"��!�� 5�&��>.;0* 5�


U.A,"�� F1��)��

V;��0��!��*�&��-��)��;0*�!�� F;0*>��

��"�� 53��$�� 53

;0*��&��!��"��# ��7��:""�� 5�$��""�� 5��$�� 4��1�F �� F1�� 5�>�$��.�� 5�#�$�� 5�00�0 5�A�#��.�� 5��-��" ��

W��)��G!��0��

��$7��-�� F5��$�� " �F

��)�� 3��$��$��-�� 5�F1��$7��-��

�� F5��"�� FF��$�� F1��$�� F1�F5�(�� FF��"�� !�� FF�� FF��$��#�� F1

��$��"��'��&��;0*� ��&�*�� F�

XH'��!�� 1�H��& 1�


watchguard network security handbook

Documents

firewall security

security principles

principles of security

security policy

firebox security system

physical security

good network security

secured security appliance