Getting Started with CSCF

Getting Started with CSCF's Netscreen Firewalls

This document describes some things you need to know before doing any maintenance on the CSCF Netscreen Firewalls.

Adding Administrative Users

The firewalls support two types of administrators. There are Read-Write administrators, who can make configuration changes, and Read-Only administrators, that can only view changes. Although the firewalls have a local admin user database, it's configured to use a RADIUS server for account information. The RADIUS server in turn points to UWDir for authentication, but not authorization.

To add an administrative user, logon to watcher204.cscf as root and add the user to /etc/raddb/users. There are examples in the file to help you. Please note that watcher204.cscf is not the permanent home for the Radius server.

Logging in to the devices

All firewall logins are restricted to the UW Campus Network.
Although there are two firewall servers, you only need to make changes on dc-csfw1, since the configs are syncronized. There are two ways to access this system.

Access the firewall using SSH when using CLI (command line interface) to update Network/Interface/Routing settings.
Access the firewall using a web browser (https web interface) to update firewall policies.

Adding Policies

Make sure you read

http://www.cs.uwaterloo.ca/cscf/policies/firewall

before making any policy changes.

Firewall rulesets are based on Source/Destination Zone pairs.
Firewall rules (aka policies) are made up of:

Source Host(s)/Network(s)
Destination Host(s)/Network(s)
Service(s) (ie. port numbers)
Action (Permit or Deny)

Before adding a policy, make sure the service or protocol you are adding is "known" to the firewall. You should also add the hosts/networks to the Address Book. Consider defining a group of hosts if appropriate. Hosts, services (ie. protocols), and groups may be defined the Objects menu of the web interface.

It's essential that you consider traffic between zones when adding policies to the firewall. For example, if you want to "allow SSH into Zone2", you need to think about from what zone(s) you will allow SSH. You may refine the statement to "allow SSH into Zone2 from anywhere". For this to happen, you need to make N new policies, one for "Untrust -> Zone2", then N-1 policies for "ZoneX -> Zone2", where X =1...N, X ≠ 2.

Adding Networks

You should take a look at the Layer 3 routing diagram then read the document on moving a subnet.

2005/08/25 - jatestar