Peace be upon you, O Aba Abdillah al-Husayn, peace be upon him.

Welcome to the Imam Hussein (peace be upon him) weblog. O God, bless Muhammad and the family of Muhammad.

 

 

What is a firewall?

 

The firewall is a computer system (or network device) that separates our internal network of computers from the Internet. The term firewall comes from the fact that by separating our computers from the Internet, we can limit the damage that can spread from the Internet into the University, just as fire doors or firewalls stop fire spreading in a building. The firewall is there to protect you, not to restrict you. It is particularly important to appreciate that the firewall is not a "Berlin Wall", but rather a filter. Traffic from the Internet can only reach the services that we choose to make available, not any other services.

 

How do I make DNS work with a firewall?

 

Some organizations want to hide DNS names from the outside. Many experts don't think hiding DNS names is worthwhile, but if site/corporate policy mandates hiding domain names, this is one approach that is known to work. Another reason you may have to hide domain names is if you have a non-standard addressing scheme on your internal network. In that case, you have no choice but to hide those addresses. Don't fool yourself into thinking that hiding your DNS names will slow an attacker down much if they break into your firewall. Information about what is on your network is too easily gleaned from the networking layer itself. If you want an interesting demonstration of this, ping the subnet broadcast address on your LAN and then do an "arp -a". Note also that hiding names in the DNS doesn't address the problem of host names "leaking" out in mail headers, news articles, etc.

This approach is one of many, and is useful for organizations that wish to hide their host names from the Internet. The success of this approach lies in the fact that DNS clients on a machine don't have to talk to a DNS server on that same machine. In other words, just because there's a DNS server on a machine, there's nothing wrong with (and there are often advantages to) redirecting that machine's DNS client activity to a DNS server on another machine.

First, you set up a DNS server on the bastion host that the outside world can talk to. You set this server up so that it claims to be authoritative for your domains. In fact, all this server knows is what you want the outside world to know: the names and addresses of your gateways, your wildcard MX records, and so forth. This is the "public" server.

Then, you set up a DNS server on an internal machine. This server also claims to be authoritative for your domains; unlike the public server, this one is telling the truth. This is your "normal" nameserver, into which you put all your "normal" DNS stuff. You also set this server up to forward queries that it can't resolve to the public server (using a "forwarders" line in /etc/named.boot on a Unix machine, for example).

Finally, you set up all your DNS clients (the /etc/resolv.conf file on a Unix box, for instance), including the ones on the machine with the public server, to use the internal server. This is the key.

An internal client asking about an internal host asks the internal server, and gets an answer; an internal client asking about an external host asks the internal server, which asks the public server, which asks the Internet, and the answer is relayed back. A client on the public server works just the same way. An external client, however, asking about an internal host gets back the "restricted" answer from the public server.

This approach assumes that there's a packet filtering firewall between these two servers that will allow them to talk DNS to each other, but otherwise restricts DNS between other hosts.

Another trick that's useful in this scheme is to employ wildcard PTR records in your IN-ADDR.ARPA domains. These cause an address-to-name lookup for any of your non-public hosts to return something like "unknown.YOUR.DOMAIN" rather than an error. This satisfies anonymous FTP sites like ftp.uu.net that insist on having a name for the machines they talk to. This may fail when talking to sites that do a DNS cross-check in which the host name is matched against its address and vice versa.
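As an added illustration of the split "public"/"internal" arrangement just described (example code written for this page, not part of the original FAQ), the following Python model plays all three parties: the public server on the bastion, the truthful internal server that forwards what it cannot answer, and the clients, all of which are pointed at the internal server. It also models the wildcard PTR trick from the last paragraph. The domain example.org, the host names, the address ranges and the ftp.uu.net address are constructed.

```python
import ipaddress

# Constructed zone data: the domain, names and addresses are made up.
OUR_DOMAIN = "example.org"
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]
# What the bastion's "public" server admits to: gateways and mail relay only.
PUBLIC_ZONE = {"gw.example.org": "192.0.2.1", "mail.example.org": "192.0.2.2"}
# The "normal" internal server holds the whole truth, public hosts included.
INTERNAL_ZONE = {**PUBLIC_ZONE, "payroll.example.org": "10.0.0.5", "dev.example.org": "10.0.0.6"}
# Stand-in for the rest of the Internet's DNS.
INTERNET = {"ftp.uu.net": "192.0.2.200"}


def _ours(name):
    return name == OUR_DOMAIN or name.endswith("." + OUR_DOMAIN)


def public_server(name):
    """Claims to be authoritative for our domain but only knows the public
    subset; None for a non-public internal host is the 'restricted' answer."""
    return PUBLIC_ZONE.get(name) if _ours(name) else INTERNET.get(name)


def internal_server(name):
    """Authoritative for the real zone; what it cannot resolve is forwarded
    to the public server (the 'forwarders' line), which asks the Internet."""
    return INTERNAL_ZONE.get(name) if _ours(name) else public_server(name)


def resolve(name, client_is_inside):
    """Every inside client, the bastion's own resolver included, is pointed at
    the internal server; an outside client can only reach the public one."""
    return internal_server(name) if client_is_inside else public_server(name)


def public_reverse(addr):
    """Address-to-name lookup from our IN-ADDR.ARPA zones: a wildcard PTR maps
    any non-public address of ours to unknown.<domain> instead of an error;
    addresses that are not ours are not in our zones at all (None)."""
    ip = ipaddress.ip_address(addr)
    if not any(ip in net for net in OUR_NETWORKS):
        return None
    for name, a in PUBLIC_ZONE.items():
        if a == addr:
            return name
    return "unknown." + OUR_DOMAIN
```

Resolving unknown.example.org forward returns nothing, which is exactly why the wildcard PTR trick fails against sites that cross-check the name against the address.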

 

What DOS attacks does Intoto’s Firewall protect against?

Land attack, Smurf attacks, Unknown IP protocol, IP source route option detection, Zero length IP option, IP unaligned time, Ping of Death, Syn Flooding, UDP Flooding, Win Nuke, Re-Assembly attacks, Jolt and Jolt2 attacks, Octopus, TraceRoute detection, Echo Storm, ICMP unreachable storm, ICMP router advertisement, Echo reply without echo request, Twinge attack detection, Snork attack, Ascend attack, Fraggle attack detected, W2K domain controller attack, TCP header fragmentation, Short header, XMAS scan, Null scan, Sequence out of range, FIN scan, Post connection SYN, Invalid urgent offset, RFProwl, etc.

 

 

Which type of firewall is better?

 

It depends. What does your security policy (after your risk assessment and business needs assessment) say? Note that if a firewall has been certified by ICSA (see "Firewall Testing and ICSA Certification," below), it has passed a battery of security tests, whether it employs packet filters, application gateways, a combination, or something else. Particular enterprises may have reasons to pick one type over another, but that decision should be based on the security policy and the attributes of a particular firewall product rather than on a particular firewall technology.

 

 

What type of Firewall is provided in Intoto’s iGateway?


 

Intoto’s Firewall is a complete stateful inspection firewall technology.



 

Can Firewall policies be enabled based on time schedules?


 

Selectors for FireWall policies can be IP addresses or user groups, and these policies can be applied for specified time intervals.




 

Can Firewall policies be enabled based on time schedules?


Yes, Intoto’s Firewall policies can be set based on time, user groups, and IP addresses.

Can I add a new ALG to Intoto’s Firewall?


 

Certainly. The customer does not need to know the internals of the Firewall code: support for a new application level gateway is added through well-defined APIs offered by the Firewall, so new ALGs can be added easily.


How does Intoto’s Firewall software take care of FTP applications, which increase the data size?


The software handles this by tracking the TCP sequence numbers and maintaining a delta factor that accounts for the change in data size.
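The sequence-number and delta bookkeeping referred to above, as an added example written for this page (not Intoto's code): a minimal FTP ALG that rewrites the client's active-mode PORT command with the NAT public address, tells the stateful firewall which client data port the server must be allowed to connect back to, and keeps the client's and server's TCP sequence spaces consistent after the payload grows. The PORT line, the addresses and the sequence numbers are constructed; PASV replies in the server-to-client direction are not covered.

```python
import re
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF
# Active-mode FTP "PORT h1,h2,h3,h4,p1,p2" command as the client sends it.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass
class FtpAlgState:
    """Per-control-connection state. Replacing the private address in PORT
    changes the payload length, so the ALG records where each rewrite ended
    in the client's sequence space and the cumulative byte delta after it."""
    edits: list = field(default_factory=list)  # [(client_seq_after_cmd, cumulative_delta)]


def _delta_for(st, seq, translated=False):
    """Cumulative delta in force at client seq `seq` (or, with translated=True,
    at a sequence number as the server sees it after the rewrites)."""
    d = 0
    for boundary, delta in st.edits:
        if seq >= boundary + (delta if translated else 0):
            d = delta
    return d


def rewrite_port(payload, seq, public_ip, st):
    """Rewrite the client's PORT command with the NAT public address. Returns
    the outgoing payload and the client data port the stateful firewall must
    now let the server connect back to (None when the line is not PORT)."""
    m = PORT_RE.match(payload)
    if not m:
        return payload, None
    p1, p2 = int(m.group(5)), int(m.group(6))
    new = b"PORT %s,%d,%d\r\n" % (public_ip.replace(".", ",").encode(), p1, p2)
    if not st.edits or seq >= st.edits[-1][0]:  # retransmitted commands add no new delta
        st.edits.append((seq + len(payload), _delta_for(st, seq) + len(new) - len(payload)))
    return new, p1 * 256 + p2


def fix_client_seq(seq, st):
    """Client->server segments sent after a rewrite are shifted forward."""
    return (seq + _delta_for(st, seq)) & MASK


def fix_server_ack(ack, st):
    """Server->client ACKs count the rewritten bytes; shift them back so the
    client's own byte count is what gets acknowledged."""
    return (ack - _delta_for(st, ack, translated=True)) & MASK
```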



 

How does NAT/NAPT affect firewall effectiveness?

 

Firewall processing is done on the datagrams first; then, if needed, the address/port translation is applied.


How many concurrent sessions can be established through Intoto’s Firewall software?


 

There are no restrictions as far as the Firewall software is concerned.




 

How much code memory (in bytes) is required for iGateway Firewall?


 

89 KB




 

What are the mechanisms to integrate Firewall to existing TCP/IP stacks?


 

Intoto provides detailed porting guides to assist its customers in porting the software to different TCP/IP stacks. In addition, Intoto provides optional porting services for porting its software to new development environments.

What attacks does eFireWall guard against?


List of attacks Intoto FireWall guards against:

1. Land attack
2. Smurf attacks
3. Win Nuke attacks
4. Unknown IP protocol
5. Reassembly attacks
   1. Teardrop
   2. Newtear
   3. syndrop
   4. Teardrop2
   5. Opetear
   6. tentacle
   7. Bonk
   8. Boink
   9. IP fragment overlap
   10. IP last fragment length changing
   11. Too many IP fragments
   12. Very small IP fragments
   13. Ping of Death
   14. NetSea
   15. Empty fragment
   16. SSPing
   17. FluShot
   18. Oshare
6. IP source route option detection
7. Zero length IP option
8. IP unaligned time
9. Jolt and Jolt2
10. TraceRoute detection
11. Echo Storm detection
12. ICMP unreachable storm (in implementation)
13. Ping sweep
14. ICMP router advertisement
15. Echo reply without ECHO request (SMURF)
16. Twinge attack detection
17. snork attack
18. Ascend attack
19. Fraggle attack detected
20. UDP short header
21. W2K domain controller attack (being done)
22. TCP synflood attack
23. TCP header fragmentation
24. TCP short header
25. TCP XMAS scan
26. TCP null scan
27. TCP sequence out of range
28. TCP FIN scan (Stealth)
29. TCP postconnection SYN
30. TCP invalid urgent offset
31. RFProwl
32. Syn flooding
33. UDP flooding
34. Octopus



 

What features are supported by eFireWall?

 

The 3 main functions of FireWall are policy definition and enforcement, guarding against attacks (details) and providing logging.

- Complete stateful packet inspection firewall (SPI)
- Support for DMZ (optional)
- NAT (Details)
- Corporate IN/OUT bound policies
- DMZ IN/OUT bound policies
- IP address objects
- Services objects
- NAT objects
- Service time-outs
- Statistics
- Application content filtering
- Authenticated remote user access
- E-mail alerts
- Syslog support for event logging
- Web based or CLI based firewall configuration and management
- Comprehensive network access statistics

Selectors for FireWall policies can be IP addresses or user groups, and these policies can be applied for specified time intervals.



 

What is the typical number of users that can be supported by iGateway in a corporate environment?

 

Intoto’s Firewall does not put any restrictions on the number of users. It is up to the customer’s product hardware features in terms of memory and processing power to set the number of users. The Intoto software only requires one or two macros to be changed in order to set the number of users.


firewall.persianblog.ir