BandaAncha.eu

Some information about the Xavi 7028R

succo

For anyone interested in configuring security on the Xavi 7028R (firewall and IDS), here is some information that may be of interest.

First of all, on Windows there is a "trick" to access an extended mode of Telefonica's configuration application, which includes a section for configuring the Firewall and the Firewall Triggers.

To do this, you have to add the string value "optFirewall" with the value "true" to the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Telefonica\Kit Inalambrico\Instalacion; this makes the option "Gestión de puertos y cortafuegos" (port and firewall management) appear.

Careful: this option requires knowing what you are doing. There is no point complaining to Telefonica afterwards, since they do NOT provide this option to users (and that is coming from someone who has quite a grudge against Telefonica).

As for the IDS parameters, for those who don't know them I'm posting the following information. It is in English, so anyone who doesn't know English... well, you know, translate it :) :

14.16 firewall set IDS blacklist
14.16.1 Syntax
firewall set IDS blacklist {enable | disable | clear}
14.16.2 Description
This command sets the blacklist IDS (Intrusion Detection Setting).
Blacklisting denies an external host access to the system if IDS has
detected an intrusion from that host. Access to the network is denied for
ten minutes.
Note - This CLI command is case-sensitive. You must type the
command attributes exactly as they appear in the syntax section
on this page. If you do not use the same case-sensitive syntax,
the command fails and the CLI displays a syntax error message.

14.17 firewall set IDS DOSattackblock
14.17.1 Syntax
firewall set IDS DOSattackblock
14.17.2 Description
This command sets the DOS (Denial of Service) attack block duration
Intrusion Detection Setting (IDS). A DOS attack is an attempt by an
attacker to prevent legitimate users from using a service. If a DOS
attack is detected, all suspicious hosts are blocked by the firewall for a
set time limit. This command allows you to specify the duration of the
block time limit.

14.18 firewall set IDS MaxICMP
14.18.1 Syntax
firewall set IDS MaxICMP
14.18.2 Description
This command sets the maximum number of ICMP packets per second
that are allowed by firewall before an ICMP Flood is detected. An
ICMP Flood is a DOS (Denial of Service) attack. An attacker tries to
flood the network with ICMP packets in order to prevent transportation
of legitimate network traffic.
Once the maximum number of ICMP packets per second is reached, an
attempted ICMP Flood is detected. The firewall blocks the suspected
attacker for the time limit specified in the firewall set IDS
DOSattackblock command.

14.19 firewall set IDS MaxPING
14.19.1 Syntax
firewall set IDS MaxPING
14.19.2 Description
This command sets the maximum number of pings per second that are
allowed by firewall before an Echo Storm is detected. Echo Storm is a
DOS (Denial of Service) attack. An attacker sends oversized ICMP
datagrams to the system using the 'ping' command. This can cause the
system to crash, freeze or reboot, resulting in denial of service to
legitimate users.
Once the maximum number of pings per second is reached, an
attempted DOS attack is detected. The firewall blocks the suspected
attacker for the time limit specified in the firewall set IDS
DOSattackblock command.

14.20 firewall set IDS MaxTCPopenhandshake
14.20.1 Syntax
firewall set IDS MaxTCPopenhandshake
14.20.2 Description
This command sets the maximum number of unfinished TCP
handshaking sessions per second that are allowed by firewall before a
SYN Flood is detected. SYN Flood is a DOS (Denial of Service) attack.
When establishing normal TCP connections, three packets are
exchanged:
1 A SYN (synchronize) packet is sent from the host to the network
server
2 A SYN/ACK packet is sent from the network server to the host
3 An ACK (acknowledge) packet is sent from the host to the network
server
If the host sends unreachable source addresses in the SYN packet, the
server sends the SYN/ACK packets to the unreachable addresses and
keeps resending them. This creates a backlog queue of unacknowledged
SYN/ACK packets. Once the queue is full, the system will ignore all
incoming SYN requests and no legitimate TCP connections can be
established.
Once the maximum number of unfinished TCP handshaking sessions is
reached, an attempted DOS attack is detected. The firewall blocks the
suspected attacker for the time limit specified in the firewall set IDS
DOSattackblock command.

14.21 firewall set IDS SCANattackblock
14.21.1 Syntax
firewall set IDS SCANattackblock
14.21.2 Description
This command allows you to set the scan attack block duration Intrusion
Detection Setting (IDS). The firewall detects when the system is being
scanned by a suspicious host attempting to identify any open ports. If
scan activity is detected, all suspicious hosts are blocked by the firewall
for a set time limit. This command allows you to specify the duration of
the block time limit.

14.22 firewall set IDS victimprotection
14.22.1 Syntax
firewall set IDS victimprotection {enable | disable}
14.22.2 Description
This command enables/disables the victim protection Intrusion
Detection Setting (IDS). Enabling this command protects the victim
from an attempted spoofing attack.
Web spoofing allows an attacker to create a 'shadow' copy of the World
Wide Web. All access to the shadow Web goes through the attacker's
machine, so the attacker can monitor all of the victim's activities and
send false data to or from the victim's machine.
If victim protection is enabled, packets destined for the victim host of a
spoofing style attack are blocked. The command allows you to specify
the duration of the block time limit.

14.23 firewall show IDS
14.23.1 Syntax
firewall show IDS
14.23.2 Description
This command displays the following information about the Firewall
IDS settings:
• IDS enabled status (true or false)
• Blacklist status (true or false)
• Use Victim Protection status (true or false)
• DOS attack block duration (in seconds)
• Scan attack block duration (in seconds)
• Victim protection block duration (in seconds)
• Maximum TCP open handshaking count allowed (per second)
• Maximum ping count allowed (per second)
• Maximum ICMP count allowed (per second)

Anyway, nothing more, just a reminder that in the firewall, permissions are granted to IPs and to ports separately. That is, with the Validators you can allow or deny traffic from a given IP, but even so the firewall will not allow the traffic until you indicate which ports the firewall lets in or out for all the IPs that have permission.

That's all, I hope it is of help to you. Regards.
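
A minimal model of the threshold-and-block behaviour the manual excerpt describes for MaxTCPopenhandshake and DOSattackblock, added here as an illustration; it is not code from the router firmware, the manual or the original post. The one-second counting window, the class and function names and the sample values (5 handshakes, 60 seconds) are assumptions, and the packet trace is constructed.

```python
class IdsModel:
    """Added model, not firmware code: counts unfinished TCP handshakes per source."""

    def __init__(self, max_tcp_open_handshake, dos_attack_block):
        self.max_half_open = max_tcp_open_handshake  # cf. MaxTCPopenhandshake (per second)
        self.block_secs = dos_attack_block           # cf. DOSattackblock (seconds)
        self.half_open = {}       # source -> {connection id: time the SYN was seen}
        self.blocked_until = {}   # source -> time at which the block expires

    def on_packet(self, now, src, conn, flag):
        """Return 'pass' or 'drop' for one inbound TCP packet seen at time `now`."""
        if self.blocked_until.get(src, 0.0) > now:
            return "drop"                            # source is still serving a block
        # Keep only handshakes opened within the last second (assumed window).
        pending = {c: t for c, t in self.half_open.get(src, {}).items() if now - t < 1.0}
        if flag == "SYN":
            pending[conn] = now
        elif flag == "ACK":
            pending.pop(conn, None)                  # handshake completed
        verdict = "pass"
        if len(pending) > self.max_half_open:        # threshold exceeded: start the block
            self.blocked_until[src] = now + self.block_secs
            pending, verdict = {}, "drop"
        self.half_open[src] = pending
        return verdict


def constructed_trace():
    """Constructed events (time, source, connection id, flag); documentation addresses."""
    client, flooder = "192.0.2.10", "198.51.100.7"
    events = []
    for i in range(8):    # client completes every handshake
        events += [(0.1 * i, client, i, "SYN"), (0.1 * i + 0.05, client, i, "ACK")]
    for i in range(6):    # flooder never acknowledges the SYN/ACK
        events.append((2.0 + 0.1 * i, flooder, i, "SYN"))
    # One attempt during the block, one after it has expired.
    events += [(30.0, flooder, 99, "SYN"), (63.0, flooder, 100, "SYN")]
    return events


def replay(ids, events):
    """Feed the events to the model and return (source, verdict) pairs in order."""
    return [(src, ids.on_packet(t, src, conn, flag)) for t, src, conn, flag in events]


if __name__ == "__main__":
    for src, verdict in replay(IdsModel(5, 60), constructed_trace()):
        print(src, verdict)
```

With these values the sixth unanswered SYN starts the block, so a long block duration also locks out any legitimate host that sits behind the same source address for that whole period.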

BocaDePez

Hello:

I have just tried the entry you mention, but on my computer (Windows XP) it is located at:

/HKEY_LOCAL_MACHINE/SOFTWARE/Terra/Kit Terra ADSL/Instalacion

The thing is that when you open the application, the entry you mention does appear, with a wizard that lets you configure the firewall in the simplest way. Well then: WHEN I ACTIVATE IT, NORTON ANTIVIRUS POPS UP SAYING THAT THIS PROGRAM CONTAINS A HARMFUL SCRIPT. Conclusion: I have not enabled it. What does this program do? No idea; whoever has the guts can cover themselves and check it... So there you have it.

BocaDePez

I was looking for information about the Xavi and came across this.

Could you indicate the source of this document?

Do you have more information of this kind about the Xavi?

Thanks
