This chapter contains the following sections:
“Choosing Your Network Configuration”—describes the preferred network configuration in which the Gauntlet firewall is most effective.
“Installation Procedure”—lists the steps you should follow to install a Gauntlet firewall host on your network.
“Before You Begin”—provides a checklist designed to help you prepare for installation and configuration of the Gauntlet firewall.
The Gauntlet system is designed to connect between two networks, with a network interface connected to each. This documentation refers to “internal” and “external” network connections. The internal network is a trusted network (or networks), while the external network (or networks) is any untrusted network you want to connect to, for example, the Internet. The Internet is considered untrusted because anybody can try to access your network from it.
Silicon Graphics recommends that you install the firewall using two network interfaces. In this way, routers are not a security-critical component of your network. If you are connecting a Gauntlet system to an existing subnet in which screening is already being performed by routers, your situation may require that you connect the firewall with only one network interface. Doing so requires care, since the security of the system then relies on a combination of the Gauntlet firewall and the screening routers; if the router is configured improperly, a security breach might result.
Figure 2-1 represents the standard, recommended configuration of a Gauntlet system. In this configuration, one interface is connected to each network, and traffic does not automatically flow across the firewall system (IP packet forwarding is disabled). Routers should be configured to maintain their own security and may optionally be configured to provide additional filtering as desired.
Figure 2-2 represents a Gauntlet system connected between networks that are screened using routers. Only a single interface is attached to the network. In this configuration, the security of the network depends not only on the Gauntlet system but also on the screening rules of the router(s). Care must be exercised when setting up the routers. Note that the router between the internal network and the external network in Figure 2-2 may be omitted at your discretion. If so, use extreme care to ensure that traffic from the untrusted network is permitted only to the Gauntlet system and not to any other hosts on the protected network.
Using the configuration in Figure 2-2 is not recommended unless a particular environment absolutely mandates it.
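In the single-interface layout of Figure 2-2 the router's screening rules become part of the firewall, so they deserve the same testing as the firewall itself. The following is an added example, not part of the Gauntlet documentation or software: it models a first-match router rule list and checks the property the text demands, namely that from the untrusted network only the Gauntlet host is reachable. The rule model, the addresses and the probe sources are constructed; the second rule set shows the ordering mistake in which a broad permit placed ahead of the deny exposes every host on the protected network.

```python
"""Policy check for the Figure 2-2 (single-homed, screened) layout.

Added example; not part of the Gauntlet documentation or software.
The rule model, addresses and probe sources are constructed.
Property checked: from the untrusted network, only the Gauntlet host may be
reached; every other host on the protected network must be denied.
"""
import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; unmatched traffic is denied (default deny)."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


def find_leaks(rules, protected, gauntlet_ip, external_sources):
    """Protected hosts (other than the firewall) reachable from any external source."""
    gauntlet = ipaddress.IPv4Address(gauntlet_ip)
    leaked = set()
    for src in external_sources:
        for host in IPv4Network(protected).hosts():
            if host != gauntlet and evaluate(rules, src, str(host)) == "permit":
                leaked.add(str(host))
    return sorted(leaked, key=ipaddress.IPv4Address)


# Constructed addresses: protected net, firewall, and two untrusted senders.
PROTECTED = "192.0.2.0/24"
GAUNTLET = "192.0.2.10"
EXTERNAL_SOURCES = ["198.51.100.7", "203.0.113.9"]

# Correct screening policy: only the firewall is reachable from outside.
GOOD_RULES = [
    Rule("permit", ANY, IPv4Network(GAUNTLET + "/32")),
    Rule("deny", ANY, IPv4Network(PROTECTED)),
]

# Common mistake: a broad permit ahead of the deny, so the deny never fires.
BAD_RULES = [
    Rule("permit", ANY, IPv4Network(PROTECTED)),
    Rule("deny", ANY, IPv4Network(PROTECTED)),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        leaks = find_leaks(rules, PROTECTED, GAUNTLET, EXTERNAL_SOURCES)
        print(name, "rules leak", len(leaks), "protected hosts")
```

If your router evaluates rules differently (last match wins, or a default permit), adapt evaluate() to its semantics; the point is to test the policy against every address on the protected network rather than the few hosts you remembered to try.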
Figure 2-3 illustrates a full-scale Gauntlet architecture in which two local area networks are protected by dual-homed Gauntlet hosts and connected via the Internet.
This section is a list of steps we recommend you follow in sequence to install a Gauntlet firewall. Read through this list before proceeding.
Caution: The host should not be connected in the firewall position until specifically noted, and that is not until the last step of this procedure.

1. Read the section “Choosing Your Network Configuration”.
2. Fill out the preparation checklist in the section “Before You Begin”.
3. Install a new release of IRIX on the host you plan to use as the Gauntlet firewall.

Note: We recommend you install a completely new release so that you are starting with a known configuration. It is possible to install the firewall software on an established system, but we do not recommend it unless you must and are confident of your administrative expertise.

4. Add any additional network hardware that you are using. (Do not connect the Gauntlet host to the external connection until the final step.)
5. Install Gauntlet and Encrypt (U.S. only) from the installation media. Refer to your software release notes for details on software installation.
6. In the management interface, click on Network Setup (and ISDN Setup and PPP Setup if you need them). Also click on Minimize Exposure under About Firewall Administration.
7. Step through the configuration forms (described in Chapter 3), and enter the information according to your setup and security policy as defined in the preparation checklist.
8. Once you have filled out the forms to your satisfaction, click on Configure All (on the introductory form). Any obvious problems are reported; fix them, and run Configure All again until no major problems are reported.
9. You may now physically connect your Gauntlet host to the external network connection.
Chapter 3, “Management Interface,” describes the management interface (referred to in Step 7) you use to configure the Gauntlet firewall environment.
Use the following checklist to help you establish your basic firewall implementation philosophy and to collect the necessary information before beginning the Gauntlet configuration. You should have the information requested here (as appropriate for your design) before attempting to initialize the Gauntlet software.
Assign a designated system administrator and a backup administrator for the Gauntlet system:
System administrator:_________________________
Phone: _________________________
E-mail: __________________________
Beeper/Pager: ________________________
Backup administrator:_________________________
Phone: _________________________
E-mail: __________________________
Beeper/Pager: ________________________
Is your network currently operational where the firewall is to be installed?
When installing the Gauntlet host, be sure it is not connected to the external network until the configuration procedure as described in Chapter 3 is completed.
What is the contact information for your network service provider (for example, your Internet service provider)?
Phone: _______________________________
E-mail: __________________________
Beeper/Pager: ________________________
What is the speed/type of your network connection?
__ PPP/SLIP at ______________
__ 56 Kbps
__ 218 Kbps
__ 512 Kbps
__ T1
__ Ethernet
What are the network hardware connections in use at your site?
__ AUI—Location: _____________________________
__ 10BaseT—Location: _______________________________
__ BNC—Location: ________________________________
__ Other (describe)—Location: _____________________________
Do you have administrative control of internetwork routers at the point where the firewall is to be connected?
__ Yes
__ No
If “No”, who has control?
Name: __________________________________________
Phone: _______________________________
E-mail: __________________________
Beeper/Pager: ________________________
What is the network address of the internetwork router(s) where the firewall is to be connected?
Router IP address: _______________________________________
What is the registered DNS domain for your network (if the firewall is to be connected to the Internet)?
Your DNS domain name: ___________________________________
Is DNS currently administered by you or by a third party?
__ By us
__ By third party:
Name: __________________________________________
Phone: _______________________________
E-mail: __________________________
Beeper/Pager: ___________
If you serve DNS for your domain, do you have an external system (such as your service provider) that is to act as a secondary server?
__ No
__ Yes
IP Address: ______________________________________
Name: __________________________________________
Phone: _______________________________
E-mail: __________________________
Beeper/Pager: ___________
Do you want to hide internal DNS information from external networks?
__ No
__ Yes
If so, you must have an internal DNS server:
Hostname: _____________________________
IP address: ______________________________
Administrator: ___________________________
Phone: _______________________________
E-mail: __________________________
Beeper/Pager: ___________
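Hiding internal DNS information means serving two different views of the same domain: a minimal one toward the untrusted network and a complete one inside. As an added illustration, not from the Gauntlet documentation or software, here are two BIND-style zone files for the placeholder domain yourdomain.domain. The external zone, published toward the outside, names only the firewall; the internal zone, served by the internal DNS server the checklist asks for, carries the real hosts. The host names, the internal 10.x addresses, the serial numbers and the provider's secondary name server are assumptions; 192.33.112.55 is the external firewall address used elsewhere in this chapter.

```dns
; External zone: everything the outside world may learn about yourdomain.domain
; (assumed layout; only the firewall and its mail role are visible)
$ORIGIN yourdomain.domain.
$TTL 86400
@        IN SOA  gauntlet.yourdomain.domain. hostmaster.yourdomain.domain. (
                 1999010101   ; serial (assumed)
                 3600 900 604800 86400 )
         IN NS   gauntlet.yourdomain.domain.
         IN NS   ns.provider.example.      ; secondary at your service provider (assumed)
         IN MX   10 gauntlet.yourdomain.domain.
gauntlet IN A    192.33.112.55             ; external firewall address from this chapter

; Internal zone: served only to the protected network (assumed hosts and addresses)
$ORIGIN yourdomain.domain.
$TTL 86400
@        IN SOA  ns-int.yourdomain.domain. hostmaster.yourdomain.domain. (
                 1999010101 3600 900 604800 86400 )
         IN NS   ns-int.yourdomain.domain.
         IN MX   10 mailhub.yourdomain.domain.   ; central e-mail hub, if you have one
ns-int   IN A    10.1.1.53
mailhub  IN A    10.1.1.25
gauntlet IN A    10.1.1.1                  ; the firewall's internal address
wsta     IN A    10.1.2.10
```

The check worth making after installation is to query the domain from a host on the untrusted side and confirm that only the records in the external zone come back; any internal host name answering from outside means the two views have been mixed.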
What is the internal address of the firewall (for dual-homed hosts only)?
Hostname: ____________________________________
IP address: ___________________________________________
If the internal and external addresses are both part of the same network number, ensure that you are using subnet routing on your internal network. For example, if the external address is 192.33.112.55 and the internal address is 192.33.112.99, the firewall must be configured with a subnet mask that places the two addresses on different subnets; otherwise it cannot determine whether a given host is on the internal or the external network.
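The subnet-mask requirement above is easy to get wrong when both interfaces share one network number, so it is worth checking before the host goes into the firewall position. The following is an added example, not part of the Gauntlet documentation or software: it uses the two addresses from the text, finds the largest subnet (shortest prefix) that still separates them, and classifies hosts relative to the firewall's two attached networks. The prefix lengths tried and the probe hosts are assumptions.

```python
"""Check that the firewall's subnet mask separates its two interfaces.

Added example, not part of the Gauntlet documentation. The two addresses are
the ones used in this chapter; prefix lengths and probe hosts are assumptions.
"""
import ipaddress

EXTERNAL = "192.33.112.55"
INTERNAL = "192.33.112.99"


def attached_network(addr, prefix):
    """Network an interface sits on, given its address and prefix length."""
    return ipaddress.IPv4Interface(f"{addr}/{prefix}").network


def mask_separates(external, internal, prefix):
    """True when the two interfaces fall on different networks under this mask."""
    return attached_network(external, prefix) != attached_network(internal, prefix)


def shortest_separating_prefix(external, internal):
    """Smallest prefix length (largest subnet) that still separates the two
    interfaces, or None if the addresses are identical."""
    for prefix in range(1, 33):
        if mask_separates(external, internal, prefix):
            return prefix
    return None


def classify(host, external, internal, prefix):
    """'internal' or 'external' for hosts on an attached network, 'routed' for
    hosts on neither (a static or default route decides), and 'ambiguous' when
    the mask does not separate the two sides at all."""
    if not mask_separates(external, internal, prefix):
        return "ambiguous"
    h = ipaddress.IPv4Address(host)
    if h in attached_network(internal, prefix):
        return "internal"
    if h in attached_network(external, prefix):
        return "external"
    return "routed"


if __name__ == "__main__":
    # With these addresses /24 is wrong (same subnet); /26 is the first mask that works.
    print("shortest separating prefix:", shortest_separating_prefix(EXTERNAL, INTERNAL))
    for prefix in (24, 26):
        print(f"/{prefix}: 192.33.112.70 is", classify("192.33.112.70", EXTERNAL, INTERNAL, prefix))
```

A /24 mask on either interface gives "ambiguous" for every host in 192.33.112.0/24, which is exactly the misconfiguration the text warns about; /26 puts .55 in 192.33.112.0/26 and .99 in 192.33.112.64/26 and the classification becomes unambiguous.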
For each of the following protocols, determine access privileges, that is, whether access is permitted from inside out, and/or from outside in.
Table 2-1. Network Protocol Access Privileges

| Protocol | External to Internal | Internal to External |
|---|---|---|
| Telnet | | |
| FTP | | |
| finger | | |
| rlogin | | |
| NNTP (USENET) | | |
| http (World Wide Web) | | |
For each of the following services, describe whether strong authentication is required to access the network. (Strong authentication refers to the use of hardware or software means to provide single-use passwords.)
Table 2-2. Protocol Authentication Required

| Protocol | External to Internal | Internal to External |
|---|---|---|
| Telnet | | |
| rlogin | | |
| FTP | | |
If the firewall host is physically accessible to the system administrator(s), should access be limited only to the console, or is network access (for example, Telnet) to be allowed?
__ Console access only
__ Network access allowed
Do you have a central e-mail hub that should receive all e-mail for user@yourdomain.domain?
__ No
__ Yes
Hostname: __________________________________
IP address: ___________________________________
If you do not have a central e-mail hub for your organization, describe where e-mail should go when entering or leaving your network (see Table 2-3).
| E-mail Address | Entering Network | Leaving Network |
|---|---|---|
| user@host.yourdomain.domain | | |
| user@yourdomain.domain | | |
Should all outgoing e-mail from your domain have an address of user@yourdomain.domain? (This option makes sense only if there is a central hub for user@yourdomain.domain.)
Are there any special mail gateway systems internally that the firewall should know about? For example, if you wish to set up virtual e-mail domains such as user@MSmail.yourdomain.domain, list special domains or interconnections that you may require.
Special requirements: ________________________________________
Are you currently running USENET on your network?
__ No
__ Yes
Do you plan to gateway USENET NNTP traffic through the firewall?
__ No
__ Yes
Internal news server:
Hostname: ______________________
IP Address: _______________________
External news server:
Hostname: ______________________
IP Address: _______________________
Do you plan to provide an anonymous FTP server?
__ No
__ Yes
Draw a diagram of your network including all connectivity points with the firewall, routers, and external networks, including dial-in[2], SLIP/PPP, frame relay, remote bridges, and so on.
[2] A dial-in line to the internal network is a weak point in security as the firewall (or even a router) does not control traffic through it in any way.