
The LockBox™ (Firewall)

Introduction to LockBox

The LockBox™ table may be configured manually by using CoolFig’s SNMP view of the router (get CoolFig here) or the Control Server 4.0+ diagnostic application (get Control Server here).

The LockBox™ service is a powerful 'state'-based firewall which allows the user to configure incoming and outgoing security (firewall) functions based on traffic type, port number, port range, IP address or IP address range. The LockBox™ allows the user to determine the types of access that are allowed TO and FROM their network(s), subnet(s) or host(s).

Configuration

The LockBox™ service is configured using the MIB entries (up to 16 are allowed) in the lockBoxTable (zyTrax\router\lockBox\lockBoxTable\lockBoxEntry), using CoolFig (V2.1+) or Control Server 4.00 or higher. The lockBoxTable consists of the following entries.

The LockBox™ is inactive by default and is turned on by setting the MIB entry lockBoxReqState = 1. The state of all security mechanisms and the current (last 16) security events may be inspected using telnet Page 'c' (or 'C'). If the LockBox™ is activated with NO valid entries it defaults to OUTGOING ENABLED and ICMP_PING.

(NOTE: The term REMOTE is always used relative to the router, i.e. the remote values lie on the remote network side of the router; the term SOURCE or LOCAL specifies a value on the local network (or LAN) side of the router.)

MIB name and meaning:

lockMode
  Indicates the mode of operation of this entry and may take one of the following values:
  • 1 = Outgoing enabled.
  • 2 = Destination Allowed.
  • 3 = Destination Disallowed.
  • 4 = Destination only.
  • 5 = ICMP Ping.
  • 6 = ICMP All.
  • 7 = ICMP None.
  • 8 = Incoming Allowed.
  • 9 = Outgoing enabled (Paired).
  (See the further explanation of each lockMode type below.)

lockIPType
  Specifies the IP traffic type that this entry applies to:
  • 0 = all traffic types (TCP, UDP and ICMP)
  • 1 = ICMP
  • 6 = TCP
  • 17 = UDP

lockRemoteIP
  Optionally indicates an IP address on the remote network to which the lockMode entry applies. If you want all IP addresses (i.e. don't care) set this value to 0.0.0.0 (the router will always set the corresponding lockRemoteMask to 0.0.0.0 in this case). If you are defining a range of IP addresses (i.e. the corresponding mask value is NOT 0.0.0.0 or 255.255.255.255) then the actual value used has no significance other than that it must lie within the range you want to use. This entry is ignored if lockMode = Outgoing enabled or Outgoing enabled (Paired).

lockRemoteMask
  The subnet mask that will be ANDed with the remote IP address to determine an IP range. If this value is 255.255.255.255 then only the single IP address (lockRemoteIP) is applicable. If set to 0.0.0.0 NO addresses are valid. This entry is ignored if lockMode = Outgoing enabled or Outgoing enabled (Paired).

lockRemoteLowPort
  Indicates the lowest (if a range is defined using lockRemoteHighPort) or the only remote port number to be applied to this lockMode entry. Setting this value to 0 indicates that ANY (ALL) port(s) will be acceptable (and the corresponding lockRemoteHighPort entry will be ignored). This entry is ignored if lockMode = Outgoing enabled or Outgoing enabled (Paired).

lockRemoteHighPort
  Indicates the highest remote port number to be applied to this lockMode entry (only used if lockRemoteLowPort is NOT 0). Setting this value to 0 indicates that only the lockRemoteLowPort will be used (if applicable). This entry is ignored if lockMode = Outgoing enabled or Outgoing enabled (Paired).

lockSourceIP
  Optionally indicates an IP address on the local network to which the lockMode entry applies. If this address is set to 0.0.0.0 then ALL IP addresses are valid for this lockMode entry (the router will always set the corresponding lockSourceMask to 0.0.0.0 in this case). This entry is ignored if lockMode = Outgoing enabled or Outgoing enabled (Paired).

lockSourceMask
  The net mask that will be ANDed with the lockSourceIP to determine an IP range. If set to 255.255.255.255 then only the single IP address (lockSourceIP) is applicable. If set to 0.0.0.0 no addresses are valid. This entry is ignored if lockMode = Outgoing enabled or Outgoing enabled (Paired).

lockSourceLowPort
  Indicates the lowest (if a range is defined using lockSourceHighPort) or the only local port number to be applied to this lockMode entry. Setting this value to 0 indicates that ANY (ALL) port(s) are acceptable (and the corresponding lockSourceHighPort entry will be ignored). This entry is ignored if lockMode = Outgoing enabled or Outgoing enabled (Paired).

lockSourceHighPort
  Indicates the highest local port number to be applied to this lockMode entry (only valid if lockSourceLowPort is NOT 0). Setting this value to 0 indicates that only the lockSourceLowPort will be used (if applicable). This entry is ignored if lockMode = Outgoing enabled or Outgoing enabled (Paired).

Notes

  1. The user may vary the period that UDP connections remain 'open' following the last transmit or receive message by use of the lockBoxTimeout parameter. This value indicates the maximum time that a UDP remote IP is allowed to send data through the LockBox™ after the last message has been sent to or received from it. This value should be set to the slowest expected (or allowed) response time from any UDP location (see Short History… below).
  2. To activate a new or updated ipPolicyTable the normal run time table update method should be followed e.g. select ipNumPolicies then Update (without changing its value). The router will immediately use the new values.
  3. To remove an entry set the value of lockMode to 0.

LockBox™ modes of Operation (detailed description)

Mode name and description:

Outgoing Enabled OR Outgoing Enabled (Paired)
  Indicates that the LockBox™ will only allow incoming traffic from a destination that the user has initiated communication with. Essentially "If I talk to you, you can talk to me but not otherwise". The following notes apply:
  1. All other MIB values are ignored for this entry (i.e. you cannot specify a range of IP addresses to which this feature applies).
  2. LockBox™ provides 'state'-based TCP capability. TCP connections remain 'open' (that is, traffic is allowed from the destination) until the TCP session is closed (FIN flags have been received and sent, or the connection has been RESET), at which point the window is immediately closed.
  3. ICMP operations remain 'open' until the remote IP responds, in which case the window is immediately closed; if it does not respond the window remains 'open' for the period specified in lockBoxTimeout.
  4. UDP 'sessions' remain 'open' for the period specified in lockBoxTimeout, with the following exception:
     • UDP requests to a DNS service are always paired and once the response has been received the session is closed immediately.
  5. The LockBox™ does NOT enable secondary ports, with the exception of FTP sessions, in which case it will enable the secondary ports allocated by the FTP PORT or EPRT command.
  6. Outgoing enabled (Paired) allows secondary pairs of ports to communicate, which may be necessary when operating in certain system/networking environments (notably NETBIOS).

Destination Allowed
  Indicates that the LockBox™ will allow outgoing traffic to this destination. The user may subset this destination by traffic type, IP address range and port number or port range AND may optionally limit the SOURCE IP address(es) that may access this destination.

Destination Disallowed
  Indicates that the LockBox™ will disallow outgoing traffic to this destination. The user may additionally define the traffic type, an IP address range and port number (or port range) AND may optionally limit the SOURCE IP address(es) for which the destination IP is disallowed.

Destination Only
  Indicates that ONLY the specified destination IP address(es) are allowed. The user may subset this destination by traffic type, IP address range and port number or port range AND may optionally limit the SOURCE IP address(es) that may access this destination.

ICMP Ping
  Indicates that the LockBox™ will allow all incoming ICMP Requests to the specified destination IP address(es). The user may subset the valid destination(s) by using the lockSourceIP (and lockSourceMask) and the remote IP address(es) that are allowed to initiate ICMP messages (using lockRemoteIP and lockRemoteMask). If no ICMP entry (ICMP Ping, ICMP None or ICMP All) is present the LockBox™ will pass through ALL ICMP echo (PING) requests ONLY. The LockBox™ will also ALLOW the following ICMP messages as a response to the ORIGINAL IP request:
  • Source Quench
  • Destination unreachable
  • Time exceeded
  To suppress this behavior you must use an ICMP None entry.
  NOTE: ICMP Redirects are NOT allowed.

ICMP All
  Indicates that the LockBox™ will allow all ICMP messages to the destination IP address. If not specified the LockBox™ WILL NOT pass ICMP messages (other than Ping - see above).

ICMP None
  Indicates that the LockBox™ will not allow any ICMP requests to any destinations specified by lockSourceIP (modified by lockSourceMask). The user may further restrict the remote IP addresses to which this restriction applies using lockRemoteIP and lockRemoteMask.

Incoming Allow
  Indicates that the LockBox™ will allow incoming traffic to the specified IP address(es). The user may subset this feature by defining the Source IP address(es) and port number (or range) to which this feature applies (using lockSourceIP and lockSourceMask, lockSourceLowPort and lockSourceHighPort). This mode would typically be used to enable access to an FTP or Web site.

Notes:

  1. Activating the LockBox™ with no valid entries will default to OUTGOING ENABLED and ICMP_PING thus ensuring that the local network always has both a high degree of protection and sensible maintainability.
  2. All traffic to the router will be subject to the defined GoodGuys list (if activated) prior to the LockBox™ checks to prevent accidental lockout from router configuration and diagnostic features.

Operational Use and Examples

The LockBox™ works as transparently as possible; as a general rule, where the PC or host software provides an option to work with a firewall, DO NOT SELECT this option. The following notes apply when using the LockBox™ with certain systems, applications or utilities.

FTP (Client side)

Many FTP applications allow you to select Passive Mode for use with a firewall. If you are using the 'Outgoing Enabled' or 'Outgoing enabled (paired)' feature of the LockBox™ you do NOT need to use this setting (though the LockBox™ will work if you do select this option). The LockBox™ automatically detects FTP applications and enables the requested secondary ports (and only those secondary ports) during the FTP operation.

FTP (Server side)

If you are running an FTP site that is available to the whole world (internet) then configure 'Outgoing enabled' and an 'Incoming Allow' entry with the following values:

lockRemoteIP = 0.0.0.0 (all IP addresses)
lockRemoteMask = 0.0.0.0
lockRemoteLowPort = 0
lockSourceIP = the IP address of the FTP server
lockSourceMask = 255.255.255.255 (single IP address)
lockSourceLowPort = 20 (FTP Data Transfer Port)
lockSourceHighPort = 21 (FTP Control Port)

The above entries will allow traffic ONLY to the FTP ports on the defined FTP server. If the set of addresses that may access the FTP site is finite, create a suitable lockRemoteIP and lockRemoteMask to allow only those addresses, e.g. assuming only the Class C address 207.139.107.x can access the site, the following entries may be used to subset the allowable traffic to the FTP server:

lockRemoteIP = 207.139.107.0
lockRemoteMask = 255.255.255.0 (Class C netmask)

You can define multiple 'Incoming Allow' entries (up to 16), so if you have one or more ranges of valid IP addresses you can specify individual entries for each.

Web Server

If you are running a Web site that is available to the whole world (internet) then configure 'Outgoing enabled' and an 'Incoming Allow' entry with the following values:

lockRemoteIP = 0.0.0.0 (all IP addresses)
lockRemoteMask = 0.0.0.0
lockRemoteLowPort = 0
lockSourceIP = the IP address of the Web server
lockSourceMask = 255.255.255.255 (single IP address)
lockSourceLowPort = 80 (HTTP Port)
lockSourceHighPort = 0 (single port only)

The above entries will allow traffic ONLY to the HTTP port on the defined Web server. If the set of IP addresses that may access the Web site is finite, create a suitable lockRemoteIP and lockRemoteMask to allow only those addresses, e.g. assuming only the Class C address 207.139.107.x can access the site, the following entries may be used to subset the allowable traffic:

lockRemoteIP = 207.139.107.0
lockRemoteMask = 255.255.255.0 (Class C netmask)

You can define multiple 'Incoming Allow' entries (up to 16), so if you have one or more ranges of valid IP addresses you can specify individual entries for each.

DNS Server

If you are running a DNS server that is available to the whole world (internet) then configure 'Outgoing enabled' and an 'Incoming Allow' entry with the following values:

lockRemoteIP = 0.0.0.0 (all IP addresses)
lockRemoteMask = 0.0.0.0
lockRemoteLowPort = 0
lockSourceIP = the IP address of the DNS server
lockSourceMask = 255.255.255.255 (single IP address)
lockSourceLowPort = 53 (DNS Port)
lockSourceHighPort = 0 (single port only)

The above entries will allow traffic ONLY to the DNS port on the defined DNS server. If the set of IP addresses that may access the DNS server is finite, create a suitable lockRemoteIP and lockRemoteMask to allow only those addresses, e.g. assuming only the Class C address 207.139.107.x can access the server, the following entries may be used to subset the allowable traffic:

lockRemoteIP = 207.139.107.0
lockRemoteMask = 255.255.255.0 (Class C netmask)

You can define multiple 'Incoming Allow' entries (up to 16), so if you have one or more ranges of valid IP addresses you can specify individual entries for each.

Multiple Server sites

As a general rule, expose as little as you can and use a single entry for each server type that you wish to make available.

If you are running an FTP, DNS and Web server on a single host then you COULD define a single LockBox™ entry with the following port values:

lockSourceLowPort = 20 (FTP data transfer port)
lockSourceHighPort = 80 (HTTP port)

The above would achieve the result you require BUT will also expose (to the bad guys) all the ports that lie in the defined range. In the above case this will expose, among others, the Telnet port (23) on your server, which you may not want.
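As an added illustration (not ZyTrax code), the following Python models the Incoming Allow matching rules from the lockBoxTable above (mask ANDed with the address, LowPort = 0 for any port, HighPort = 0 for a single port) and audits which ports the single 20..80 entry opens compared with the FTP-only entry. The server address 192.0.2.10 and the remote host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY_IP = "0.0.0.0"      # "don't care" value for lockRemoteIP / lockSourceIP
ANY_PORT = 0            # "don't care" in a LowPort; 0 in a HighPort means single port


@dataclass(frozen=True)
class IncomingAllow:
    """One lockBoxTable row with lockMode = 8 (Incoming Allow)."""
    lockIPType: int          # 0 = all, 1 = ICMP, 6 = TCP, 17 = UDP
    lockRemoteIP: str
    lockRemoteMask: str
    lockRemoteLowPort: int
    lockRemoteHighPort: int
    lockSourceIP: str
    lockSourceMask: str
    lockSourceLowPort: int
    lockSourceHighPort: int


def ip_in_range(ip: str, entry_ip: str, mask: str) -> bool:
    """0.0.0.0 as the entry address = any host; otherwise the mask is ANDed with
    both addresses (255.255.255.255 = that single host, 0.0.0.0 = no host)."""
    if entry_ip == ANY_IP:
        return True
    if mask == ANY_IP:
        return False
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(ip)) & m == int(ipaddress.IPv4Address(entry_ip)) & m


def port_in_range(port: int, low: int, high: int) -> bool:
    """LowPort = 0 means any port; HighPort = 0 means only LowPort itself."""
    if low == ANY_PORT:
        return True
    if high == ANY_PORT:
        return port == low
    return low <= port <= high


def entry_matches(e: IncomingAllow, proto: int, remote_ip: str, remote_port: int,
                  local_ip: str, local_port: int) -> bool:
    return (e.lockIPType in (0, proto)
            and ip_in_range(remote_ip, e.lockRemoteIP, e.lockRemoteMask)
            and port_in_range(remote_port, e.lockRemoteLowPort, e.lockRemoteHighPort)
            and ip_in_range(local_ip, e.lockSourceIP, e.lockSourceMask)
            and port_in_range(local_port, e.lockSourceLowPort, e.lockSourceHighPort))


def incoming_allowed(table, proto, remote_ip, remote_port, local_ip, local_port) -> bool:
    """Unsolicited inbound traffic passes only if some Incoming Allow entry matches."""
    return any(entry_matches(e, proto, remote_ip, remote_port, local_ip, local_port)
               for e in table)


# Constructed sample: the page's FTP server example restricted to 207.139.107.x,
# with 192.0.2.10 as the (assumed) address of the server.
SERVER = "192.0.2.10"
FTP_ONLY = [IncomingAllow(6, "207.139.107.0", "255.255.255.0", 0, 0,
                          SERVER, "255.255.255.255", 20, 21)]
# The "Multiple Server sites" shortcut: one entry spanning ports 20..80.
FTP_DNS_WEB_RANGE = [IncomingAllow(0, "207.139.107.0", "255.255.255.0", 0, 0,
                                   SERVER, "255.255.255.255", 20, 80)]


def exposed_ports(table, remote_ip: str, local_ip: str, proto: int = 6):
    """Audit helper: which well-known ports of local_ip can remote_ip reach unsolicited?"""
    return [p for p in range(1, 1024)
            if incoming_allowed(table, proto, remote_ip, 50000, local_ip, p)]
```

Running exposed_ports against the two tables shows the FTP-only entry exposing just 20 and 21, while the 20..80 range also exposes port 23 and every other port in between.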

Microsoft Networking (or other NetBios network)

If you are using Microsoft Networking (LAN Manager) and want the network browser and other services to operate normally through the LockBox™ (i.e. you are on a network accessing a remote WINS host) then you must select the 'Outgoing enabled (Paired)' mode of operation AND create an 'Incoming Allow' entry for the IP address (or range of IP addresses, using lockRemoteIP) that will provide the services you require, e.g. printing or file service (generally only the WINS host), or with which you wish to share files or other resources. To minimise the potential for security breaches, specify lockRemoteLowPort = 137, lockRemoteHighPort = 139 and lockIPType = 6 (TCP).

Trace Route command

The Trace Route command line from DOS (tracert x.x.x.x) will operate as normal if either the ICMP default option is used or an explicit entry is used for ICMP Ping or ICMP All. Trace route will NOT work if an ICMP None entry is used (unless this defines only a range of remote IP addresses in which case Trace Route will work to those valid addresses).

Short History of the (Security) World... Part I

The following notes provide a general background on security, specifically in the context of the ZyTrax family of routers and its LockBox™ product. This is not meant to be a comprehensive treatise on security or even network security.

In general, security is a compromise between allowing normal operations to proceed unhindered and the need to provide some level of controlled access to data. In particular in the networking context certain very useful 'babies' such as Ping and TraceRoute features should not be thrown out with the security 'bathwater'. The ZyTrax LockBox™ provides features that preserve key network elements and diagnostic features (which in themselves are benign) while being uncompromising in all other forms of security. However, if you really don't feel comfortable you can either limit these features to trusted addresses or turn them off entirely.

Some Terminology (yawn…)

The LockBox™ is a state-based packet filter firewall. To explain: the 'state-based' term indicates that it is sensitive to the state of connections (TCP), and it is a 'packet filter' because it uses a set of user-supplied (or default) rules to filter out disallowed packets from the stream of packets going to and being received from the network.

We are all Good Guys (really……)

Many firewalls assume that everyone behind the firewall is a 'Good Guy' (trusted). The LockBox™ is a very cynical piece of software and allows you to specify limitations on both sides of the firewall, enabling you to allow features (or destinations) to only certain local hosts - you can even limit the traffic from certain hosts to only a single destination if you wish, e.g. a remote e-mail server.

Do I need a PhD to configure this thing (depends…..)

Depends on the 'type' of network access that you need. If all you want to do is browse the net, get your e-mail and ftp your brains out then the problem is dead easy. You want to talk to everybody… but you don't want anybody talking to you… unless you talked to them first, i.e. they can reply to your demands but not initiate them. With the LockBox™ it's painfully easy: just turn on the LockBox™ and do nothing else. This enables a type of access that ZyTrax calls 'Outgoing enabled', and the LockBox™ defaults to this state if you do nothing. NOTE: Turning on the LockBox™ with no parameters also allows ping responses to all your hosts… if you want to know if this is a good or bad idea you also need to read a little more… if you are prepared to take it on trust then stop reading now, rush out and turn on the LockBox™.

If you want to provide some type of service e.g. a Web server, FTP server then your problem is a little trickier and you need to read and understand a little more…

It's useful at this point to understand that in IP networks there are (in general) three types of traffic: TCP (used for Web access, FTP, e-mail access etc.), UDP (used for access to DNS and streaming media services among others) and ICMP (network maintenance, discovery and diagnostic services, e.g. PING). Each type of service has different characteristics and therefore presents different security risks and opportunities.

TCP - the Gentleman of the Network

TCP (Transmission Control Protocol) is the most commonly used traffic type in normal net access (browsing, e-mail and ftp). TCP sessions are formally opened and closed using special sequences. TCP also uses ports as well as IP addresses to communicate. Certain ports are called 'well known' because they are… 'kinda' well known, e.g. FTP control port number = 21. Typically, to start an FTP session you will send from a random port on your host, from your IP address, to port 21 at another IP address. The firewall inspects the traffic and if it passes the test it places that entry (consisting of your IP, the destination IP, your port number and the remote port number) in a trusted table which allows traffic exactly matching that to be returned. Once this session is 'open' there may legitimately be no traffic for a long time (the session nevertheless stays open). When the session ends the LockBox™ sees the formal closing and, because the STATE (remember that word) is now closed, immediately shuts the window so no one can sneak in. There is no 'hanging window' in the LockBox™ after a TCP session is terminated.

Oops, we are not quite finished. To make things just a tad more difficult for the poor user (and the LockBox™) certain applications (notably FTP) open secondary ports. That is, when you send to an FTP port the FTP server will respond and then start transmission on another (secondary) port. So this perfect entry in the trusted table that we set up above is useless and the firewall may reject perfectly legitimate traffic. To overcome this many firewalls force you to use the Passive mode of operation. The LockBox™ uses a much simpler and less intrusive way. The FTP server tells the user via commands which port it will use, and the LockBox™ inspects the traffic, sees this newly allocated port and automatically enables it so that your FTP carries on its merry way. You continue to use your system without having to learn new tricks just because someone decided to install a firewall.

UDP - The Wild man of the Network

UDP traffic is fast, can appear in pairs e.g. to a DNS or one message can generate tons of input e.g. streaming audio. It has no definable start and no definable end. All firewalls have real problems with UDP traffic. In general the only method is to time out the open window created when a message is sent via UDP to a destination. The LockBox™ uses the value (time in seconds) specified in lockBoxTimeout to keep this entry open.

ICMP - The 'Energizer Bunny' of the Network

ICMP traffic pops up all over the place and can be essential to efficient operation of the network. If a normal piece of traffic cannot be routed you receive an ICMP message telling you (Host unreachable or Time exceeded). The famous (infamous) Ping (actually an ICMP Echo Request) can be invaluable in diagnosing networking problems and is an invaluable tool for verifying simple network connectivity. The LockBox™ deals with ICMP in a very particular way. If you do nothing it allows ICMP PING requests from any destination to be responded to. One of the great misunderstandings about security is the myth that "if they can't see me they can't hurt me". The LockBox™ philosophy is different.
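As an added illustration (not ZyTrax code), the following Python models the 'Outgoing enabled' trusted table described in notes 2 to 4 of that mode and in the TCP, UDP and ICMP sections above: a locally initiated packet opens a window keyed by the 5-tuple, TCP windows close only on FIN both ways or RESET, UDP and ICMP windows expire lockBoxTimeout seconds after the last message in either direction, and DNS and ICMP echo exchanges close on the first reply. Addresses, ports and timestamps are constructed.

```python
from dataclasses import dataclass

ICMP, TCP, UDP = 1, 6, 17
DNS_PORT = 53


@dataclass
class Window:
    last_seen: float          # time of the last message sent to or received from the peer
    fin_sent: bool = False
    fin_received: bool = False


class OutgoingEnabled:
    """Model of the 'Outgoing enabled' trusted table (illustration, not the router's code)."""

    def __init__(self, lockBoxTimeout: float):
        self.timeout = lockBoxTimeout   # seconds an idle UDP/ICMP window stays open
        self.windows = {}               # (proto, local ip, local port, remote ip, remote port) -> Window

    def outbound(self, proto, local_ip, local_port, remote_ip, remote_port, now,
                 fin=False, rst=False):
        """Locally initiated traffic always passes and opens or refreshes a window."""
        key = (proto, local_ip, local_port, remote_ip, remote_port)
        w = self.windows.setdefault(key, Window(last_seen=now))
        w.last_seen = now
        if proto == TCP:
            if rst:
                self.windows.pop(key)          # RESET closes the window at once
            elif fin:
                w.fin_sent = True
                if w.fin_received:
                    self.windows.pop(key)      # FIN both ways: session closed

    def inbound(self, proto, remote_ip, remote_port, local_ip, local_port, now,
                fin=False, rst=False) -> bool:
        """True if the packet is a reply within an open window; False if unsolicited."""
        key = (proto, local_ip, local_port, remote_ip, remote_port)
        w = self.windows.get(key)
        if w is None:
            return False                       # nobody here talked to you first
        if proto == TCP:
            # TCP windows never time out; they close only on FIN/FIN or RESET.
            if rst:
                self.windows.pop(key)
            elif fin:
                w.fin_received = True
                if w.fin_sent:
                    self.windows.pop(key)
            w.last_seen = now
            return True
        if now - w.last_seen > self.timeout:
            self.windows.pop(key)              # idle longer than lockBoxTimeout: expired
            return False
        if proto == ICMP or (proto == UDP and remote_port == DNS_PORT):
            self.windows.pop(key)              # paired exchange: first reply closes the window
        else:
            w.last_seen = now                  # other UDP: each reply keeps the window open
        return True
```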

Copyright © 1994 - 2024 ZyTrax, Inc.
Page modified: January 20 2022.