

Hardware Firewalls

23K

Solutions

20K

Contributors

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.


In this article, WatchGuard's Director of Security Strategy and Research, Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
0
Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As a business owner, you should be part of that 4% that has a full understanding.
1
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
2
 
LVL 36

Expert Comment

by:Loganathan Natarajan
What about storing cpanel, or important logins to re-login often? shall we store it in the browser?
0
 
LVL 1

Author Comment

by:Kiefer Dunham
Hi Loganathan. I very much enjoy the convenience of storing my usernames and passwords in my browser for several of the websites that I frequently visit. Most of the time this practice is very acceptable and carries little risk of a breach in the security of your personal information. However, I would not recommend doing so if you share any of your devices with others. In the end, it is really at the user's discretion. If you save all of your usernames and passwords to a browser account such as those offered by, say, Google Chrome, then all that a hacker has to do is find out that one username and password to have instant access to all your other accounts. There is an old saying: "Don't put all your eggs in one basket." I believe it applies here. There is always some risk. Though, the risk is minimal in this circumstance. I hope this helps.
0
Imagine you have a shopping list of items you need to get at the grocery store. You have two options:
A. Take one trip to the grocery store and get everything you need for the week, or
B. Take multiple trips, buying an item at a time, to achieve the same feat.
Obviously, unless you are purposefully trying to get out of the house, you'd choose "A". But why do we so often choose "B" when it comes to our data transmission performance? The key metric here is efficiency. How many trips do you want to take?

MTU…says you need to buy Milk in 1 Gallon containers rather than by the ounce!

MTU is an acronym for Maximum Transmission Unit: the largest single packet, measured in bytes, that a network link can transmit. Messages larger than the MTU are broken up into separate, smaller packets (packet fragmentation), which slows the overall transmission because, instead of making one trip to the grocery store, you are now making multiple trips to achieve the same feat. In other words, the maximum length of a data unit a protocol can send in one trip without fragmentation is dictated by the configured MTU value.

Do I Really need to Manually Correct the MTU Value?

The correct MTU value will help you select the correct shopping cart size in order to be the most efficient in your grocery shopping so that you don’t have to take multiple trips. Shouldn’t I just leave…
19
 

Expert Comment

by:Jason Shaw
Would changing the MTU on one side of a VPN tunnel cause any issues with the VPN?
0
 
LVL 26

Author Comment

by:Blue Street Tech
Hi Jason, I assume you are only changing it on one side of a VPN tunnel. If I am correct, then it would only benefit one side of the connection. So if that connection is having the issues then it may remedy the problem, however for greater efficacy I'd do both ends (they most likely will not have the same MTU).
0
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable.

BACKGROUND

SonicOS separates Service Objects into three different views or groupings: “All Services”, “Custom Services” & “Default Services”. Within each view there are two sections called “Service Groups” & “Services”. Service Groups are simply just Services grouped together for related purposes. Default Services are a list of system-created, commonly used, services that you can utilize to create many different networking policies and rules. They are not only created for convenience but they also play a key role in how default Access Rules function, which I’ll discuss later. For all intents and purposes Default Services Objects and Default Services are synonymous here and I’ll be focusing this discussion on the “Ping” Service Group within Default Services. Ping is just an example, but this bug occurs when renaming any Default Service Object.
[Image: the Default Services view]

Some customers of SonicWALL security appliances rename Default Services under the Service Groups section, e.g. renaming Ping to "Ping Group" or "Group: Ping", to denote that it is in fact a group, which includes both Ping 0 (ICMP - reply) and Ping 8 (ICMP - request), rather than a single Service Object such as Ping 8 (ICMP - request).

When …
3
 
LVL 26

Author Comment

by:Blue Street Tech
New update: SonicWALL just got back to me and is handling this based on the amount of affected user reports. It missed the 5.9 release but is scheduled to be included in the subsequent release.
0
 
LVL 2

Expert Comment

by:Peter Wilson
Very helpful. Thank you!
1
Network traffic routing plays a key role in your network. If you have a single site with heavy browsing, or multiple sites replicating important application data through your Primary Default Gateway, you will want to route your other network traffic away from the primary gateway to a secondary gateway.

This article steps through configuring static routes in your SonicWALL Network Appliance to route HTTP / HTTPS, or any specific traffic, to a Secondary Default Gateway. It applies to all SonicWALL Network Appliances running SonicOS Enhanced.

This article assumes that you have two (2) ISPs, both connected to your SonicWALL appliance via the ISP's modem/router.

NOTE: It is assumed that both WAN connections are configured and active.

HTTP Rule :
Login to the SonicWALL Network Appliance and go to Network >Routing > Add (refer to Figure 1) >
Source:      LAN Subnet or Any
Destination:       Any
Service:       HTTP
Gateway:       Secondary Default Gateway
Interface:       X2
Metric:       20
Comment:       HTTP Route

(Optional) Select the "Disable route when the interface is disconnected" checkbox to have the route automatically disabled when the interface is disconnected. I recommend CHECKING this box.

(Optional) "Allow VPN path to take precedence": I recommend leaving this box UN-CHECKED.

HTTPS Rule :
Login to the SonicWALL Network Appliance and go to Network >Routing > Add (refer to Figure 2) >
Source:      LAN Subnet or Any
Destination:       Any
Service:       HTTPS
Gateway:       Secondary Default …
2
 
LVL 3

Expert Comment

by:itubaf
Yes, makes sense

0
 
LVL 3

Expert Comment

by:WiReDWolf
I came across another instance why this would be useful.  

A client system needed to connect to a secured site with session control.  The session was managed probably via a cookie that recorded the referrer IP address.

With load balancing the browser was being directed through both ISP connections and each time the router switched the user would lose her session forcing her to log in again.  Within minutes her session was lost yet again because of the load balancing.

I had to create a static route directing all traffic to that particular site through a specific interface.
0
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment.
[Image: natwarning.jpg, the Xbox NAT warning screen]
These instructions are based on ScreenOS 6.2, but are easily adaptable to devices running versions 5.4 and above.

Setting up requires you to setup custom services, and then create VIP service entries. You can do that via WebUI or CLI (Command Line Interface - Telnet or SSH).

Using WebUI:
1]  Create the custom services
     Go To: Policy > Policy Elements > Services > Custom. Create the following three services

Xbox Live 1 -
    UDP src port: 0 – 65535, dst port 3074-3074
    TCP src port: 0 – 65535, dst port 3074-3074
    UDP src port: 0 – 65535, dst port 88-88
    Timeout: Never

Xbox Live 2 -
    UDP src port: 0 – 65535, dst port 3074-3074
    TCP src port: 0 – 65535, dst port 3074-3074
    Timeout: 30

Xbox Live 3 -
    UDP src port: 0 – 65535, dst port 88-88
    Timeout: 30

[Image: the three custom services]
2]  On the Untrust Interface create a VIP and then add the services for Xbox Live 2 and Xbox Live 3 pointing to the Xbox’s Static IP address.
     Go To: Network > Interfaces > Edit > VIP/VIP Services > New VIP service

Virtual IP: Untrust IP address
Virtual Port: 3074
Map to Service: Xbox Live 2 (3074)
Map to IP: <Xbox-ip>
Server Auto: False
Click OK
  Repeat for 'Xbox Live 3'
[Image: VIP / VIP Service entry]
0
 
LVL 18

Author Comment

by:Sanga Collins
Thank you, I look forward to your response
0
 

Expert Comment

by:RepublicFinancial
Thanks!!! great directions.
0
We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound traffic flowing.

We settled on the SonicWall UTM 2400 firewall.  Aside from all the normal security appliance bells and whistles (IPS, AV, Content Filtering, etc), the 2400 series offered some features specifically for high availability.

The 2400 UTM can be quickly and easily clustered into an active/passive arrangement.  Failover is fast (1-2 seconds), though not real-time.  But, for web applications, it seems to get it done.
Providing six physical ethernet ports, two can be dedicated to different ISP connections.  We combined a cheap ($40/mo) DSL line with our 15mb metro fiber pipe to provide backup.
We placed two simple switches between our ISP routers and the firewalls, so each router is connected to each firewall. In this manner, a failure of the ISP, router, switch, or firewall would all be caught and initiate failover.
The SonicWall supports multiple methods for keeping links alive. We set each firewall to ping Google's DNS server (8.8.8.8). After five failed attempts one second apart, the path that failed is considered "down" and failover is initiated. However, the firewall is smart enough to NOT fail over if BOTH paths are down (i.e., if the ping target itself is offline).
2
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN connections.  Research with SonicWALL support and the cable or ADSL modem provider indicated the default MTU size needed to be modified.

The MTU dictates the size of packets sent from your router to your ISP before they are fragmented (broken down into smaller sizes).  If the packets are too big, they are fragmented.  The minimum MTU is 68 and the minimum size datagram a host is required to handle is 576.  The default MTU size for the SonicWALL WAN interface is 1500.


Steps to Determine the Appropriate MTU Size

1.      Click Start > Run and type CMD.
2.      From the command prompt type:
ping www.google.com -f -l 1500



-f: Sets the Don't Fragment (DF) flag so the packet cannot be fragmented in transit.
-l: Sets the payload size in bytes (ping sends a 32-byte payload by default).
3.      Typically, the following response occurs: "Packet needs to be fragmented but DF set."

4.      Subtract anywhere from 10 to 20 from 1500 until a successful ping response occurs.  In my example, I subtracted 20 until I received the reply indicated in the screen shot.

[Image: Step 4. Ping Reply]
5.     Take the number from Step 4 and increase your packet size in small increments and …
16
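The search the article performs by hand (ping -f -l <size>, stepping the size down until a reply comes back, then up until it fails) is a search over a monotone predicate, so it can also be done by bisection. The following is an added example, not code from the original article or from SonicWALL: it runs both searches against a simulated path whose smallest-hop MTU is a constructed value, and converts the winning payload size into the MTU to configure. The simulated path and the helper names are this example's own; the only outside fact used is the standard header arithmetic (20-byte IPv4 header plus 8-byte ICMP echo header), which is why a 1500-byte payload fails even on a 1500-byte path.

```python
# Added example (not from the original article): MTU discovery as a search
# over a simulated path. The path, its MTU values and the helper names are
# constructed for this example.

IP_HEADER = 20      # IPv4 header without options
ICMP_HEADER = 8     # ICMP echo request header
OVERHEAD = IP_HEADER + ICMP_HEADER   # bytes ping adds that -l does not count


def make_path(path_mtu):
    """Return a probe function simulating `ping -f -l <payload>` across a
    path whose smallest-hop MTU is `path_mtu` (a constructed value)."""
    def probe(payload):
        # With DF set, a datagram larger than the path MTU is dropped and
        # "Packet needs to be fragmented but DF set" is reported instead of
        # a reply. True means a reply would have come back.
        return payload + OVERHEAD <= path_mtu
    return probe


def stepwise_max_payload(probe, start=1500, step=20, fine_step=1):
    """The article's procedure: step down from `start` by `step` until a
    reply arrives, then creep up by `fine_step` until the reply stops.
    Returns (largest payload that passes, number of probes sent)."""
    size, probes = start, 0
    while True:
        probes += 1
        if probe(size):
            break
        size -= step
    while True:
        probes += 1
        if not probe(size + fine_step):
            return size, probes
        size += fine_step


def bisect_max_payload(probe, lo=40, hi=1500):
    """Same predicate searched by bisection. The probe result is monotone
    in the payload size, so the largest passing size needs O(log(hi-lo))
    probes. `lo` is 68 - OVERHEAD, the IPv4 minimum MTU less headers."""
    probes = 1
    if not probe(lo):
        raise ValueError("path MTU is below the IPv4 minimum of 68 bytes")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        probes += 1
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo, probes


def payload_to_mtu(payload):
    """The MTU to configure on the WAN interface: the largest unfragmented
    payload plus the 28 bytes of IP and ICMP headers ping wraps around it."""
    return payload + OVERHEAD


if __name__ == "__main__":
    for path_mtu in (1500, 1492, 1400):     # constructed path MTUs
        probe = make_path(path_mtu)
        step_size, step_probes = stepwise_max_payload(probe)
        bis_size, bis_probes = bisect_max_payload(probe)
        assert step_size == bis_size
        print(f"path MTU {path_mtu}: largest payload {step_size} "
              f"({step_probes} probes stepwise, {bis_probes} by bisection), "
              f"configure MTU = {payload_to_mtu(step_size)}")
```

Bisection only pays off when the answer is far from the starting size; for a PPPoE-style path (1492) the article's step-down-then-creep-up method finishes in fewer probes, because the answer sits within two steps of 1500. Either way the number to enter on the appliance is the payload plus 28, not the payload itself.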
 
LVL 26

Expert Comment

by:Blue Street Tech
Nice article and good find on the MTU utility above! I voted you up!
0
 

Expert Comment

by:AndyArnone
Added to our KB. Thanks for the info.
0
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-point wireless. It didn’t seem to make a lot of sense to me to have a fancy high end firewall at the main office, then basically open up a back door to it by leaving a cheap one in place at the satellite office.

Tell me more ... no seriously
Whilst shopping around for a decent firewall at a reasonable price I found a common theme with the sales pitch. The emphasis seemed to be on the brand name and jargon. Then about halfway down the page in tiny print, that seems to get tinier every year now, they put the actual specs.

After you think you have found a real bargain, you find out in the tiny print at the bottom of the page that it only allows 5 users or some ridiculously low number. I would think that a highly valuable morsel of data like that would be right under the pretty picture of the product.

The cost of it all
Another annoying thing not uncommon to network hardware and software is the lack of a price tag on a lot of stuff. I guess it follows the old adage that "if you have to ask how much it costs, you can’t afford it" ... or some such nonsense. But I like knowing how much things cost in order to fairly compare similar products. Cost is a big factor to most businesses.

The people who are …
7
 
LVL 38

Administrative Comment

by:younghv
SkykingOH:
You may feel free to offer your "opinion" on the technical merits of an Article, but please do not comment on the intent of the Author.

Perhaps you should consider submitting an Article of your own to fully express your technical advice.

younghv
Page Editor
0
 
LVL 9

Author Comment

by:Bob Stone
I do have a relationship with several vendors and have with numerous vendors in the past. Unfortunately vendors require you to go through a reseller. When I deal with a reseller most generally it is one of them making me jump through hoops repeatedly, seemingly for their amusement at times. Resellers come and go all the time. The superstar reseller who could get anything fast, cheap, and easy last year is out of business now.

As for dealing directly with vendors, that doesn't happen because they don't want to talk to peon IT people like me. I can't even renew enterprise AV without finding a new reseller (again) because the one I used last year bounces every email and the phone is routed to an operator that tells me they vacated the offices 6 months ago with no forwarding.

I currently have several Cisco firewalls and a very nice (read: damn expensive) SonicWall firewall. I have had appliances by Juniper, Avaya and a few other obscure names only an old school IT person would recognize. The fact that I used recon hardware and OpenSource software to seal a potential hole in a remote office doesn't mean I used bubble gum and baling wire. Contrary to what big name vendors think, experienced IT people can build their own stuff that actually works. Also  OpenSource doesn't mean it is like Swiss cheese that any script kiddie can poke into. It wasn't that long ago that Cisco firewalls had a huge TCP vulnerability that allowed numerous break-ins.

Truth is, nothing is 100% safe, and anyone who thinks that a shiny nameplate makes you safe is a fool.

0
In this tutorial I will show you, with short command examples, how to obtain a packet footprint of all traffic flowing through your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is available starting with 6.0.

The profiling is only available in CLI, so you need to know how to get there by a serial attached terminal emulation, or telnet / ssh. This is not covered here.

General CLI tip
At all times, you can type unique starting parts of the commands:
 
get fpro pac stop


and if you can't remember the syntax, just put a question mark after your command to get further help:
 
get fpro pac ?


or press [Tab] for auto-complete and help

How to

1. Preparation of profiling


The preparation can be done at any time and need not be changed once set up.
 
unset fprofile packet wrap
set fprofile packet enable
set fprofile packet count 16


The count is measured in kilo-packets; the allowed range is 1-256.
 

2. Start and stop profiling

 

clear fprofile
set fprofile packet start


If you set up nowrap (like above), profiling ends automatically as soon as the packet count is reached. If you set wrap mode, the buffer used is overwritten until you issue a
 
set fprofile packet stop


I've seen no CPU effect if you leave fprofile enabled (but stopped), however you can disable that to be safe:
 
unset fprofile packet enable


After disabling fprofile, the collected profile data is not available anymore, even after reenabling.
If you want to check the current state of the profiling engine:
 
get fprofile


shows the state of fprofile: whether it is enabled, and whether it is started or stopped.
 

3. Viewing the profile

2
