WatchGuard Internet Security Handbook

WatchGuardInternet Security Handbook

LiveSecurity System 4.0

ox™

er

ft

c.

ght and

and ve

DisclaimerInformation in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.®

Copyright and Patent InformationCopyright© 1998, 1999 WatchGuard Technologies, Inc.® All rights reserved.

WatchGuard Technologies, Inc.®, WatchGuard® are registered trademarks, and Firebis a trademark of WatchGuard Technologies, Inc. in the USA and other countries.

Certain materials herein are Copyright ©1995-1999 Microsystems Software, Inc. CybPatrol® is a registered trademark of Microsystems Software, Inc. CyberNOT™ and CyberNOT List™ are trademarks of Microsystems Software, Inc.

Ethernet™ is a trademark of Xerox Corporation. Microsoft®, NetMeeting™, Windows®, Windows 95®, Windows 98®, Windows NT®,and Windows NT Server® are either registered trademarks or trademarks of MicrosoCorporation in the USA and other countries.Java™ is a trademark of Sun Microsystems®.PostScript® is a registered trademark of Adobe Systems, Inc. X Window™ is a trademark of the Massachusetts Institute of Technology. RealAudio™, RealVideo™, and RealNetwork™s are trademarks of RealNetworks, InStreamWorks™ and StreamWorks Player™ are trademarks of Xing Technology Corporation. VDOLive™ and VDOPhone™ are trademarks of VDOnet Corp.Certain materials herein are Copyright ©1992-99 RSA Data Security, Inc. and Copyri©Hi/fn, Inc. 1993, including one or more U.S. Patents: 4701745, 5015009, 5126739, 5146221, and other patents pending.

Many of the other designations used by manufacturers and sellers to distinguish theirproducts are claimed as trademarks. Where those designations appear in this book, WatchGuard Technologies, Inc. was aware of a trademark claim, the designations habeen printed with initial capital letters or all capital letters.

Printed in the United States of America.

DocVer: S-40-Handbook-3

Declaration of Conformity

OYl[`?mYj\�L][`fgdg_a]k+).�G[[a\]flYd�9n]fm]�Kgml`Kmal]�*((K]Ylld]$�O9�10)(,�

2 WatchGuard Internet Security Handbook

<][dYj]k�l`]�;=%eYjc]\�hjg\m[l2

FCC CertificationLàk�\]na[]�`Yk�Z]]f�l]kl]\�Yf\�^gmf\�lg�[gehdq�oal`�daealk�^gj�;dYkk�9�\a_alYd�\]na[]$�hmjkmYfl�lg�HYjl�)-�g^�l`]�>;;�Jmd]k&�Gh]jYlagf�ak�kmZb][l�lg�l`]�^gddgoaf_�log�[gf\alagfk2

1. Làk�\]na[]�eYq�fgl�[Ymk]�`Yje^md�afl]j^]j]f[]

2. Làk�\]na[]�emkl�Y[[]hl�Yfq�afl]j^]j]f[]�j][]an]\$�af[dm\af_�afl]j^]j]f[]�l`Yl�eYq�[Ymk]�mf\]kaj]\�gh]jYlagf&

CE NoticeL`]�g^â[aYd�;=�kqeZgd�af\a[Yl]k�[gehdaYf[]�g^�làk�OYl[`?mYj\�L][`fgdg_a]k��hjg\m[l�lg�l`]�=E;�\aj][lan]�g^�l`]�=mjgh]Yf�;geemfalq&�L`]�;=�kqeZgd�^gmf\�`]j]�gj�]dk]o`]j]�af\a[Yl]k�l`Yl�làk�OYl[`?mYj\�hjg\m[l�e]]lk�gj�]p[]]\k�l`]�^gd%dgoaf_�klYf\Yj\k2

CSA StatementLàk�;dYkk�9�\a_alYd�YhhYjYlmk�e]]lk�Ydd�j]imaj]e]flk�g^�l`]�;YfY\aYf�Afl]j^]j]f[]%;Ymkaf_�=imahe]fl�J]_mdYlagfk&

;]l�YhhYj]ad�fme]jaim]�\]�dY�[dYkk]�9�j]kh][l]�lgml]k�d]k�]pa_]f[]k�\m�J]_d]e]fl�kmj�d]�eYl]ja]d�Zjgmdd]mj�\m�;YfY\Y&

Product Models: Firebox II, Firebox II Plus

Complies with: 73/23/EEC Low Voltage Directive 89/336/EEC Electromagnetic Compatibility Directive

Compliance Standards:

EN60950:1992 Electrical Safety A1:1993, A2:1993, A3:1995, A4:1997, A11:1997

EN55022,Class A RF Emissions Information Technology

EN50082-1 EMC Immunity Standard

EN60950:1992 Electrical Safety A1:1993, A2:1993, A3:1995, A4:1997, A11:1997

EN55022,Class A RF Emissions Information Technology

EN50082-1 EMC Immunity Standard

WatchGuard Internet Security Handbook 3

Internet Security Handbook Table of Contents

CHAPTER 1 L`]�F]]\�^gj�F]logjc�K][mjalq 1

L`]�;gfn]fa]f[]k�Yf\�<Yf_]jk�g^�F]logjcaf_ 1K][mjalq�nk&�;gfn]fa]f[] )(O`Yl�ak�Y�K][mjalq�Hgda[q7 )(EYcaf_�H]Y[]�oal`�Y�K][mjalq�Hgda[q ))

O`Yl�EYc]k�Y�?gg\�F]logjc�K][mjalq�Kqkl]e ))Kaehda[alq ))K[YdYZadalq )*<akljaZml]\�9j[àl][lmj] )*<qfYea[Yddq�K][mj]\�Y_Yafkl�l`]�DYl]kl�K][mjalq�L`j]Ylk )*=[gfgeq�g^�AH�9\\j]kk]k )+K][mj]�;gff][lagfk )+9ml`]fla[Ylagf )+;gfl]fl�<ak[jaeafYlagf )+K][mj]�J]egl]�EYfY_]e]fl�Yf\�;geemfa[Ylagf ),@a_`dq�;gfâ_mjYZd]�Dg__af_�Yf\�Fglaâ[Ylagf ),KmeeYjar]�Yf\�J]hgjl�F]logjc�9[lanalq ),Ima[c�Yf\�J]khgfkan] ),9�O]dd%;gf[]an]\�K][mjalq�Hgda[q ),H`qka[Yddq�K][mj]\�K][mjalq�9hhdaYf[] ),

L`]�OYl[`?mYj\�Kgdmlagf )-9kkmehlagfk )-K]hYjYlagf�g^�C]q�K][mjalq�Kqkl]e�;gehgf]flk ).=Yk]�g^�Mk]�:]_]lk�K][mj]�Mk] )/Gh]f�;g\]�:Yk] )0Lg�Hjgpq�gj�Lg�HY[c]l�>adl]j7 )1Afl]_jYlaf_�K][mjalq�L][`fgdg_a]k�aflg�Y�KlYf\�9dgf]�9hhdaYf[] )1

CHAPTER 2 K][mjalq�Yf\�>aj]oYdd�EYfY_]e]fl�Hgda[a]k *)

:YdYf[af_�Jakc�nk&�Hjg\m[lanalq **Af[geaf_�K]jna[]k2�K][mjalq�Hjaf[ahd]k *+Gml_gaf_�K]jna[]k *,

Gl`]j�Hjaf[ahd]k�g^�K][mjalq�nk&�Jakc *,=d]e]flk�l`Yl�<][j]Yk]�>aj]oYdd�K][mjalq *-

Gj_Yfaraf_�qgmj�Gj_YfarYlagf */<]l]jeafaf_�qgmj�9ddgoYZd]�LjY^â[ *0Gj_Yfaraf_�qgmj�f]logjc k! *0<]l]jeafaf_�Gml%g^%:gmf\k�Yj]Yk *1H`qka[Yd�K][mjalq +(L`]�@meYf�>Y[lgj +)

CHAPTER 3 F]logjc�;gfâ_mjYlagf ++

Kaehd]�F]logjc� <jgh%af!�;gfâ_mjYlagf ++@go�l`]�Kaehd]�;gfâ_mjYlagf�Ogjck�oal`�Hjgpq�9JH +,9Zgml�J]dYl]\�F]logjck�Yf\�J]dYl]\�@gklk +-

Emdlahd]�F]logjc�;gfâ_mjYlagf +.

CHAPTER 4 Hjgpqaf_�Yf\�HY[c]l�>adl]jaf_ +1

<qfYea[�HY[c]l�>adl]jaf_ +1Hjgpa]k ,(KlYf[] ,);gfâ_mjaf_�K]jna[]k ,)

;gfâ_mjYZd]�HYjYe]l]jk�^gj�K]jna[]k ,*;`Yf_af_�Y�K]jna[] ,*<]d]laf_�Y�K]jna[] ,+

CHAPTER 5 :]qgf\�Hjgpa]k�Yf\�HY[c]l�>adl]jk ,-

:dg[caf_�Kal]k ,-Dg__af_�:dg[c]\�Kal]k ,.

:dg[caf_�Hgjlk ,.;gf^da[lk�af�:dg[c]\�Hgjlk ,09mlg%Zdg[caf_�kal]k�l`Yl�Yll]ehl�lg�mk]�Zdg[c]\�hgjlk ,1Dg__af_�:dg[c]\�Hgjl�9[lanalq ,1

F]logjc�9\\j]kk�LjYfkdYlagf� F9L! ,1<qfYea[�F9L ,1KlYla[�F9L -);gfâ_mjaf_�KlYla[�F9L -)

9daYkaf_ -)9ml`]fla[Ylagf -*

9ml`]fla[Ylagf�E]l`g\k -+>aj]Zgp�9ml`]fla[Ylagf --Oaf\gok�FL�9ml`]fla[Ylagf --JY\amk�9ml`]fla[Ylagf --;JQHLG;Yj\�9ml`]fla[Ylagf -/@go�;JQHLG;Yj\�9ml`]fla[Ylagf�Ogjck -/J]egnaf_�9ml`]fla[Ylagf -0;gfâ_mjaf_�Yf�9ml`]fla[Ylagf�=fnajgfe]fl -0;geZafaf_�Mk]j�9ml`]fla[Ylagf�Yf\�J]egl]�Mk]j�NHF -0

=f[jqhlagf -1O]Z:dg[c]j .(

K]llYZd]�HYjYe]l]jk .)=p[]hlagfk .)Dg__af_�Yf\�O]Z:dg[c]j .*@go�O]Z:dg[c]j�Ogjck .*

CHAPTER 6 Dan]K][mjalq .-

L`]�Dan]K][mjalq�;da]fl ..9f�Afl]_jYl]\�Kgdmlagf ..Dan]K][mjalq�:jgY\[Yklk ..K][mjalq�:jgY\[Yklk ./L`j]Yl�J]khgfk]k ./Af^gjeYlagf�9d]jlk ./

JYha\�J]khgfk]�L]Ye .0Dan]K][mjalq�9ddaYf[] .0

CHAPTER 7 NajlmYd�HjanYl]�F]logjcaf_ .1

:jYf[`�G^â[]�NHF /(AHK][�Aehd]e]flYlagf�g^�:jYf[`�G^â[]�NHF /)OYl[`?mYj\�k�Hjghja]lYjq�=f[jqhlagf�Hjglg[gd /);gfâ_mjYlagf�;`][cdakl /*=f[jqhlagf /+Dg__af_ /+:jYf[`�G^â[]�NHF�Kh][aYd�;gfka\]jYlagfk /+KYehd]�;gfâ_mjYlagfk /+:jYf[`�G^â[]�NHF�oal`�AHK][ /,;gfâ_mjaf_�K]jna[]k�lg�ogjc�oal`�NHF /09ml`]fla[Ylaf_�Yf�AHK][�Lmff]d�naY�Y�Oaf\gok�FL�K]jn]j /1

J]egl]�Mk]j�NHF 0(J]egl]�Mk]j�NHF�oal`�HHLH 0(;gfâ_mjYlagf�;`][cdakl 0)Hj]hYjaf_�l`]�;da]fl�;gehml]jk 0)J]egl]�Mk]j�NHF�oal`�AHK][ 0*

CHAPTER 8 Dg__af_�Yf\�Fglaâ[Ylagf 0+

O`Yl�Dg__af_�Ak 0+O`Yl�Fglaâ[Ylagf�Ak 0,<]n]dghaf_�Dg__af_�Yf\�Fglaâ[Ylagf�Hgda[a]k 0,

O`Yl�=n]flk�lg�Dg_ 0-Oà[`�K]jna[]kÌ�=n]flk�lg�Dg_ 0.Oà[`�K]jn]j k!�lg�9ddg[Yl]�Yk�Dg_�@gklk 0.Dg_�>ad]�Kar]�Yf\�Lmjfgn]j�>j]im]f[q 0.Oà[`�=n]flk�oadd�Lja__]j�Fglaâ[Ylagf7 0/O`Yl�^gje�g^�fglaâ[Ylagf�qgm�oadd�mk] 00

@go�Fglaâ[Ylagf�;gmflk�Yf\�@Yf\d]k�=n]flk 00

CHAPTER 9 Egfalgjaf_�qgmj�K][mjalq�Kqkl]e 1)

@gklOYl[` 1*L`]�@gklOYl[`�<akhdYq 1*

:Yf\oa\l`�E]l]j 1+L`]�:Yf\oa\l`�E]l]j�<akhdYq 1+

K]jna[]OYl[` 1+KlYlmkJ]hgjl 1,9ml`]fla[Ylagf�Dakl 1-:dg[c]\�Kal]�Dakl 1-

CHAPTER 10 J]hgjlaf_ 1/

O`q�J]hgjlaf_7 1/L`]�OYl[`?mYj\�@aklgja[Yd�J]hgjlk�Eg\md] 10Lqh]k�g^�J]hgjlk 10:mad\af_�J]hgjlk 11=phgjlaf_�J]hgjlk 11

;<>�J]hgjlk 11O]ZLj]f\k�^gj�>aj]oYddk�Yf\�NHFk��J]hgjlk )((

CHAPTER 1 The Need for Network Security

Làk�[`Yhl]j�\ak[mkk]k�l`]�[gfn]fa]f[]�g^�hmllaf_�qgmj�f]logjc�gf�l`]�Afl]jf]l�n]jkmk�l`]�k][mjalq�jakck&�Al�l`]f�\ak[mkk]k�nYjagmk�YhhjgY[`]k�lg�k][mjalq&

The Conveniences and Dangers of Networking

Gja_afYddq$�[gehml]jk�o]j]�klYf\%Ydgf]�mfalk&�Kggf$�dYj_]%k[Yd]�mk]jk�Z]_Yf�f]logjcaf_�l`]e�lg_]l`]j�^gj�]Yka]j�]p[`Yf_]�g^�af^gjeYlagf&�Làk�[j]Yl]\�daf]k�g^�[geemfa[Ylagf�aflg�oà[`�afl]jdgh]jk� fgo�[geegfdq�[Ydd]\�É`Y[c]jkÊ!�[gmd\�afk]jl�gj�[gmfl]j^]al�e]kkY_]k�lg�_Yaf�Y[[]kk�lg�[dYkkaâ]\�\YlY&

:q�l`]�ea\%)11(k$�]n]j�egj]�Y^^gj\YZd]�[gehml]jk�gh]jYl]\�Zq�]Yk%a]j�lg�mk]�kg^loYj]$�[geZaf]\�oal`�l`]�Z]f]âlk�l`Yl�f]logjcaf_�Zjaf_k�af�l`]�\akk]eafYlagf�g^�af^gjeYlagf$�[j]Yl]\�Yf�]phdgkagf�af�l`]�mk]�g^�hjanYl]�afklalmlagfYd�f]logjck�dafc]\�lg�l`]�Afl]jf]l&�Làk�l][`fa[Yd'kg[aYd�\]n]dghe]fl�dal]jYddq�hml�l`]�ogjd\�Yl�gf]Ìk�âf_]j%lahk&�Gf]�[gmd\�fgo�h]j^gje�egj]�j]k]Yj[`�^jge�Y�h]jkgfYd�[ge%hml]j�oal`�Afl]jf]l�Y[[]kk�Yl�`ge]�l`Yf�\mjaf_�Y�o]]cdgf_�klYq�Yl�Y�dYj_]�e]ljghgdalYf�daZjYjq&�L`]j]�ak�dalld]�Yj_me]fl�l`Yl�l`]�Z]f]âlk�g^�f]logjcaf_�Yj]�]fgjegmk&�Mf^gjlmfYl]dq$�kg�Yj]�l`]�jakck&�

L`]�^Y[l�l`Yl�Yfq�h]jkgf�oal`�Afl]jf]l�Y[[]kk�[gmd\�na]o�qgmj�gj_Y%farYlagfÌk�O]Zkal]$�gj�]p[`Yf_]�]%eYad�oal`�gj_YfarYlagf�e]eZ]jk�Ydkg�e]Yfl�l`Yl�Yfq�h]jkgf�[gmd\�Yll]ehl�lg�âf\�oYqk�lg�_Yaf�j]Y\'ojal]�Y[[]kk�lg�qgmj�k]jn]jk�Yf\�[gehml]jk�l`Yl�klgj]�Yf\�\akhdYq�làk�\YlY&�Mh�lg�fgo$�f]logjck�`Y\�ogjcklYlagfk$�k]jn]jk$�Yf\�jgml%]jk&�Lg�hjgl][l�Y_Yafkl�l`]�Afl]jf]lÌk�af`]j]fl�k][mjalq�l`j]Yl$�l`]�[gehml]j�f]logjc�Éâj]oYddÊ�oYk�[j]Yl]\�Yk�Y�f]o�[dYkk�g^�f]logjc�\]na[]&


The Need for Network Security

L`]j]�Yj]�l`j]]�àklgja[Yd�lj]f\k�l`Yl�d]\�lg�l`]�\]n]dghe]fl�g^�âj]%oYddk�Yk�Y�[dYkk�g^�f]logjc�\]na[]k2

� The increasing reliance on the Internet for commerce, research and collaboration by corporations.�Fgl�gfdq�o]j]�[gehml]j�mk]jk�Y[[]kkaf_�l`]�Afl]jf]l�^gj�af^gjeYlagf$�l`]q�o]j]�Ydkg�mkaf_�al�lg�ljYfkY[l�Zmkaf]kk$�o`]j]�^mf\k$�Y[[gmfl�fmeZ]jk$�Yf\�[j]\al�[Yj\�fmeZ]jk�o]j]�Z]af_�]p[`Yf_]\&

� The rise of the Internet as an avenue of unauthorized access into corporate networks.�L`]�hjgda^]jYlagf�g^�l`]�Afl]jf]lÌk�hghmdYjalq�Yf\�Y[[]kkaZadalq�Ydkg�e]Yfl�Y�hjgda^]jYlagf�g^�Yll]ehlk�Yl�hjYfck$�nYf\Ydake$�Yf\�l`]^l�g^�afl]dd][lmYd�hjgh]jlq�Yf\�]d][ljgfa[�^gjek�g^�egf]q&

� The costs associated with that unauthorized access.�L`]�Z]f]âlk�g^�af[j]Yk]\�f]logjcaf_�o]j]�Z]af_�l`j]Yl]f]\�Zq�l`]�[gklk�g^�dgkk�^jge�Zj]Yc%afk&

<goflae]�\m]�lg�Y�k][mjalq�Zj]Y[`�[Yf�Z]�n]jq�]ph]fkan]&�Fgl�gfdq�ak�l`]j]�l`]�dgkl�hjg\m[lanalq�mflad�l`]�Zj]Y[`]\�[gehml]jk�Yj]�ZY[c�gfdaf]$�l`]j]�ak�Ydkg�l`]�im]klagf�g^�`go�em[`�dYklaf_�\YeY_]�g[[mjj]\�\mjaf_�l`]�k][mjalq�Zj]Y[`&�Mf^gjlmfYl]dq$�l`]�gfdq�oYq�lg�ljmdq�k][mj]�Y�f]logjc�^jge�l`]�Afl]jf]l�ak�lg�`Yn]�fg�[gff][lagf�lg�l`]�Afl]jf]l$�oà[`�af�alk]d^�ak�Y�f]_Ylan]�aehY[l�gf�hjg\m[lanalq&��F]logjc�k][mjalq�hjg\m[lk�hjgna\]�l`]�e]Yfk�lg�eYfY_]�l`]�jakck�Ykkg[aYl]\�oal`�Afl]jf]l�Y[[]kk�oal`gml�dgkaf_�l`]�Z]f]âlk�g^�af[j]Yk]\�Y[[]kk�Yf\�[gff][lanalq&��

Security vs. ConvenienceAf�eYfq�[Yk]k�l`]j]�ak�Y�[gfklYfl�ZYlld]�Z]lo]]f�mk]jk�Yf\�kqkl]e�Y\eafakljYlgjk�gn]j�f]logjc�k][mjalq�hgda[q&�Mk]jk�oYfl�lg�`Yn]�l`]�ogjd\�Yl�l`]aj�âf_]jlahk&�Kqkl]e�Y\eafakljYlgjk�`Yn]�Y�n]kl]\�afl]j%]kl�af�j]klja[laf_�Y[[]kk�Yk�em[`�Yk�hgkkaZd]�lg�Ynga\�k][mjalq�[ge%hjgeak]k$�dgkk$�Yf\�\goflae]&�

L`]�[gf^da[l�Z]lo]]f�l`]�^j]]�^dgo�g^�af^gjeYlagf�Yf\�l`]�f]]\�^gj�k][mjalq�[Yf�Z]�j]kgdn]\�oal`�Y�o]dd%\]ka_f]\�âj]oYdd�YhhdaYf[]�[geZaf]\�oal`�l`]�gj_YfarYlagfÌk�[geeale]fl�lg�Yf�afl]dda_]fl�k][m%jalq�hgda[q&

What is a Security Policy?Af�l`]�[gfl]pl�g^�f]logjc�âj]oYddk$�Y�k][mjalq�hgda[q�ak�Y�klYl]e]fl�g^�l`]�gn]jYdd�ZYdYf[]�Z]lo]]f�[gfn]fa]f[]�Yf\�k][mjalq�l`Yl�Yf�gj_Yfa%rYlagf�\][a\]k�lg�Y\ghl�Yk�Y�[gehjgeak]�Z]lo]]f�YZkgdml]�k][mjalq�Yf\�YZkgdml]�Y[[]kk&�>mddq�^gje]\$�Y�k][mjalq�hgda[q�kh]ddk�gml�Ydd�o`g�[Yf�_]l�af$�o`g�[Yf�_]l�gml$�Yf\�o`]j]�l`]q�[Yf�_g&�

>gj�]pYehd]$�Y�k][mjalq�hgda[q�ea_`l�kh][a^q�l`Yl�[]jlYaf�AH�Y\\j]kk]k�gf�l`]�Afl]jf]l�eYq�fgl�[gflY[l�Yfqgf]�gj�Yfqlàf_�oalàf�qgmj�gj_YfarYlagf$�fg�eYll]j�o`Yl&�Al�ea_`l�^mjl`]j�kh][a^q�l`Yl�[]jlYaf�


What Makes a Good Network Security System

[gehml]jk�oalàf�l`]�gj_YfarYlagf�Yj]�Y[[]kkaZd]�gfdq�Zq�Y[[gmflaf_$�gj�Zq�lgh%d]n]d�eYfY_]e]fl$�gj�eYjc]laf_&�Al�ea_`l�^mjl`]j�kh][a^q�l`Yl�gl`]j�[gehml]jk�gf�l`]�Afl]jf]l�[Yffgl�\aj][ldq�Y[[]kk�Yfq�[ge%hml]j�oalàf�qgmj�gj_YfarYlagf3�l`Yl�afkl]Y\$�Ydd�gmlka\]�ljY^â[�eYq�gfdq�[gflY[l�qgmj�âj]oYdd&

L`]�̂ aj]oYdd�l`]f�\][a\]k�oà[`�ljY^â[�ak�jgml]\�lg�oà[`�[gehml]jk$�_jgmhk$�gj�mk]jk&�Al�k`gmd\�dg_�[]jlYaf�lqh]k�g^�Y[lanalq$�Yf\�l`]�hgda[q�k`gmd\�\a[lYl]�o`Yl�lqh]k�g^�Y[lanalq�Yj]�dg__]\�Yf\�o`Yl�lqh]k�[gf%klalml]�Y�hYll]jf�l`Yl�oYjjYflk�fglaâ[Ylagf�g^�Y�f]logjc�Y\eafakljY%lgj&�L`]j]�Yj]�eYfq�egj]�hYjYe]l]jk�Y�k][mjalq�hgda[q�[Yf�lYc]�aflg�Y[[gmfl�Yf\�kh][a^q&�L`]�hgafl�ak$�o`]f�qgm�Y\\�Ydd�l`]�k][mjalq�Y[[]kk�hYjYe]l]jk�mh$�l`]q�[gehjak]�l`]�k][mjalq�hgda[q&

Making Peace with a Security PolicyHmZdakàf_�Y�k][mjalq�hgda[qÈYf\�l`]�j]Ykgfaf_�Z]àf\�alÈlg�l`]�]flaj]�gj_YfarYlagf�al�hjgna\]k�Yl�d]Ykl�l`j]]�Z]f]âlk2

� Gj_YfarYlagf�e]eZ]jk�_Yaf�Y�k]fk]�l`Yl�l`]�gj_YfarYlagf�ak�dggc%af_�gml�lg�hjgl][l�l`]aj�âd]k�Yf\�l`]aj�dan]da`gg\

� L`]q�g^l]f�âf\�l`Yl�l`]q�`Yn]�Y[[]kk�^j]]\gek�l`]q�o]j]fÌl�hj]%nagmkdq�YoYj]�g^

� L`]q�_Yaf�Yf�mf\]jklYf\af_�l`Yl�Y[[]kk�daealYlagfk�Yj]�aehd]%e]fl]\�lg�hjgl][l�l`]�gj_YfarYlagf�^jge�\akYkl]j��

>aj]oYddk�Y\\j]kk�l`]�k][mjalq�nk&�^j]]\ge�[gf^da[l�Zq�hjgna\af_�Y�ljYfkhYj]fl�kgdmlagf�l`Yl�`]dhk�l`]�kqkl]e�Y\eafakljYlgjk�k][mj]�l`]aj�f]logjc$�oàd]�kladd�Yddgoaf_�mk]jk�eYfq�g^�l`]�^j]]\gek�l`]q�ogmd\�dac]&�9�hjgh]jdq�[gfâ_mj]\�âj]oYdd�eYc]k�h]f]ljYlaf_�Y�f]l%ogjc�^jge�l`]�Afl]jf]l�n]jq�\a^â[mdl$�Yf\�q]l�hj]k]jn]k�Y�_j]Yl�\]Yd�g^�egZadalq�oalàf�l`]�gj_YfarYlagf� a^�\]kaj]\!&�;gfâ_mjaf_�l`]�k][mjalq�kqkl]e�lg�hjg\m[]�\]lYad]\�dg_k�g^�Y[lanalq�l`Yl�Yj]�j]na]o]\�gf�Y�j]_mdYj�ZYkak�eYc]k�al�Ydd�Zml�aehgkkaZd]�^gj�Y�`gklad]�gmlka\]j�lg�Zj]Yc�af�oal`gml�Z]af_�\]l][l]\&�


EYfq�]d]e]flk�[gehjak]�Y�jgZmkl$�]^^][lan]�k][mjalq�kqkl]e3�l`]�klYjlaf_�hgafl$�`go]n]j$�ak�kaehda[alq�g^�\]ka_f&

SimplicityL`]�âjkl�hYjY\a_e�g^�f]logjc�k][mjalq�ak�l`Yl�[gehd]p�k][mjalq�akfÌl�k][mj]&�9�f]logjc�k][mjalq�\]na[]�l`Yl�ak�[gehd]p�af�alk�\]ka_f$�[gf%â_mjYlagf�gj�\Yq�lg�\Yq�gh]jYlagf�ak�egj]�hjgf]�lg�]jjgj$�Yf\�`Yk�egj]�hgaflk�g^�]fljq�l`Yf�gf]�l`Yl�ak�kaehd]&��Kaehd]�\]ka_fk�Yj]�egj]�dac]dq�lg�Z]�mk]\�[gfkakl]fldq�Yf\�[gjj][ldq&�



Egj]gn]j$�k][mjaf_�Y�f]logjc�^jge�gmlka\]�YllY[c�ak�fgl�af`]j]fldq�Y�\a^â[mdl�gj�[gehd]p�hjghgkalagf&�JYl`]j$�al�ak�e]j]dq�Y�eYll]j�g^�k]_%j]_Ylaf_�ljY^â[�aflg�log�_jgmhk3�l`Yl�oà[`�ak�Yddgo]\�lg�hYkk�l`]�âj]oYdd�mf\]j�[]jlYaf�[gfljgdd]\�[aj[meklYf[]k$�Yf\�l`Yl�oà[`�ak�fgl&��Af�gl`]j�ogj\k$�l`]�hjg\m[l�k`gmd\�Yddgo�l`Yl�oà[`�ak�\]]e]\�kY^]�Yf\�\]fq�l`]�j]kl&��

ScalabilityL`]�f]logjc�k][mjalq�kgdmlagf�emkl�Z]�YZd]�lg�c]]h�hY[]�oal`�[ge%hYfq�_jgol`�Yf\�l`]�[gehYfqÌk�af[j]Yk]\�mk]�g^�f]logjc�k][mjalq&�>gj�]pYehd]$�Y�[gehYfq�ea_`l�fgl�af[j]Yk]�af�kar]�ka_faâ[Yfldq�gn]j�Y�log%q]Yj�h]jag\�Zml�kladd�ea_`l�f]]\�lg�k[Yd]�mh�l`]aj�f]logjc�hjg%l][lagf�ka_faâ[Yfldq�Yk�l`]q�âf\�f]o�Yhhda[Ylagfk�^gj�f]logjc�l][`%fgdg_q�af�l`]aj�gj_YfarYlagf&�9�k[YdYZd]�kqkl]e�fgl�gfdq�]phYf\k�Yl�j]YkgfYZd]�[gkl$�alk�Y\eafakljYlagf�j]imaj]e]flk�_Yaf�dalld]�[gehd]p%alq�Yk�l`]�kqkl]e�_jgok&�Af�gl`]j�ogj\k$�l`]j]�eYq�Z]�egj]�âj]oYdd�YhhdaYf[]k$�dg_�`gklk$�Yml`]fla[Ylagf�`gklk$�NHF�lmff]dk$�Yf\�gl`]j�làf_k�lg�Y\eafakl]j$�Zml�l`]�mk]j�afl]j^Y[]�k`gmd\�j]eYaf�l`]�kYe]&

Distributed Architecture<akljaZml]\�Yj[àl][lmj]�]fYZd]k�qgm�lg�Ykka_f�\a^^]j]fl�̂ aj]oYdd�lYkck�lg�\a^^]j]fl�[gehml]jk&�Làk�^]Ylmj]�ak�j]dYl]\�lgÈZml�fgl�f][]kkYjadq�\]h]f\]fl�gfÈk[YdYZadalq&�>gj�]pYehd]$�Y�\akljaZml]\�Yj[àl][lmj]�ea_`l�`Yn]�gf]�\]na[]�Yk�l`]�âj]oYdd�YhhdaYf[]$�Yfgl`]j�[gehml]j�ogmd\�[j]Yl]�Yf\�Ydl]j�[gfâ_mjYlagfk�^gj�al$�gl`]j�[gehml]jk�ogmd\�`Yf\d]�l`]�kqkl]e�dg_k$�Yf\�q]l�gl`]j�gf]k�[gmd\�`Yn]�l`]�Yml`]fla%[Ylagf�Yf\�mk]j�\YlYZYk]k&

<akljaZml]\�Yj[àl][lmj]�gZnagmkdq�eYc]k�k[Ydaf_�mh�]Yka]j$�Zml�al�Ydkg�k]hYjYl]k�lYkck�Yf\�^mf[lagfk�Y[[gj\af_�lg�lqh]�Yf\�Ykka_fk�l`]e�lg�`Yj\oYj]�Z]kl�kmal]\�lg�l`]�j]kh][lan]�lYkck&�9�fglYZd]�]pYehd]�ak�l`Yl�Y�âj]oYdd�YhhdaYf[]�k`gmd\�`Yn]�fg�klgjY_]�gj�hgjlk�g^�]fljq�]pljYf]gmk�lg�alk�hjaeYjq�^mf[lagf&�9�âj]oYdd�YhhdaYf[]�oal`�Y�`Yj\�\jan]�Yf\'gj�^j]]dq�YnYadYZd]�l]jeafYd�hgjlk�ak�fgl�Yk�k][mj]�Yk�gf]�o`gk]�[gfâ_mjYlagf�ak�klgj]\�g^^daf]�Yf\�[Yf�Z]�Y[[]kk]\�gfdq�l`jgm_`�Y�\]\a[Yl]\�k]jaYd�daf]�gj�Yf�]f[jqhl]\�[gf%f][lagf&

Dynamically Secured against the Latest Security ThreatsLg�Z]�]^^][lan]$�Y�f]logjc�k][mjalq�\]na[]�[Yffgl�Z]�Y�klYla[$�gf]%lae]�hjg\m[l&�F]logjc�]flj]hj]f]mjk�Yj]�[gfklYfldq�afn]flaf_�f]o�k]j%na[]k�lg�ljYfkeal�emdlae]\aY$�l]d][gf^]j]f[af_$�Yf\�gl`]j�Y\nYf[]\�k]jna[]k�gn]j�l`]�Afl]jf]l&�9f\�l`]�`Y[c]jk�Yj]�[gfklYfldq�afn]flaf_�Yf\�]phdgalaf_�f]o�e]l`g\k�lg�afnY\]�f]logjck$�afljg\m[]�najmk]k�Yf\�ogjek&



A\]Yddq$�Y�f]logjc�k][mjalq�\]na[]�af[dm\]k�Yf�mh\Ylaf_�e][`Yfake�^jge�l`]�n]f\]j$�oà[`�\gofdgY\k�af^gjeYlagf�gf�f]o�k][mjalq�l`j]Ylk�Yf\� a^�f][]kkYjq!�kg^loYj]�hYl[`]k�lg�c]]h�l`]�f]logjc�k][m%jalq�[mjj]fl&�

Oal`gml�Y�[gfklYfl�mh\Ylaf_�e][`Yfake$�Yf�gj_YfarYlagfÌk�âj]oYdd�Z][ge]k�egj]�nmdf]jYZd]�]Y[`�lae]�Y�f]o�]phdgalYlagf�e]l`g\�[ge]k�Ydgf_�mflad�l`]�âj]oYdd�n]f\gj�akkm]k�Y�kg^loYj]�mh_jY\]&�Gj�l`]�f]logjc�Y\eafakljYlgj�emkl�\ana\]�àk�lae]�Z]lo]]f�dg[Yd�Y\eafakljYlagf�lYkck�Yf\�c]]haf_�[mjj]fl�gf�f]o�k][mjalq�l`j]Ylk�Yf\�l`]f�ojalaf_�gj�gZlYafaf_�hYl[`]k�gj�[`Yf_af_�l`]�[gfâ_mjYlagf�af�`gh]k�l`Yl�al�c]]hk�l`]�gj_YfarYlagfÌk�f]logjc�k][mj]&

Economy of IP Addresses9�âj]oYdd�k`gmd\�Z]�YZd]�lg�j]hj]k]fl�qgmj�]flaj]�f]logjc�lg�l`]�ogjd\�Yk�Y�kaf_d]�hmZda[�AH�Y\\j]kk�gj�jYf_]�g^�AH�Y\\j]kk]kÈl`]�âj]oYdd�YhhdaYf[]Ìk�gof�AH�Y\\j]kk&�Làk�hjgna\]k�log�Z]f]âlk2�

� L`]�âj]oYdd�à\]k�qgmj�gj_YfarYlagfÌk�AH�Y\\j]kk]k�^jge�l`]�j]kl�g^�l`]�ogjd\$�l`]j]Zq�hjgl][laf_�qgmj�[gehml]jkÌ�a\]flala]k�^jge�kljYf_]jk&

� Qgm�[Yf�mk]�hjanYl]�AH�Y\\j]kk]k�oalàf�qgmj�gj_YfarYlagf�oal`%gml�ogjjq�g^�[dYkàf_�oal`�hmZda[�AH�Y\\j]kk]k�gf�l`]�Afl]jf]l&

Secure Connections9dd�k][mjalq�kqkl]ek�k`gmd\�aehd]e]fl�k][mj]�[gff][lagfk�Z]lo]]f�Ydd�[jala[Yd�Yf\�k]fkalan]�hgaflk�g^�[geemfa[Ylagf&�Làk�_]f]jYddq�e]Yfk�l`Yl�l`]�dafck�Z]lo]]f�l`]�Y\eafakljYlagf�[gehml]j�Yf\�l`]�âj]oYdd�YhhdaYf[]�]ehdgq�kljgf_�]f[jqhlagf�Yf\�l`Yl�kljgf_�]f[jqh%lagf�ak�YnYadYZd]�^gj�gl`]j�[jala[Yd�dafck&

Authentication9ml`]fla[Ylagf�ak�l`]�e]Yfk�lg�]fkmj]�l`Yl�Yf�af[geaf_�e]kkY_]�ak�Y[lmYddq�k]fl�^jge�l`]�kgmj[]�[dYae]\�lg�gja_afYl]�al&�9�_gg\�âj]oYdd�`Yk�k]n]jYd�lqh]k�Yf\�d]n]dk�g^�Yml`]fla[Ylagf�YnYadYZd]&�Emdlahd]�d]n%]dk�g^�Yml`]fla[Ylagf�]fYZd]k�qgm�lg�gj_Yfar]�qgmj�k][mjalq�hgda[q�kg�l`Yl�\a^^]j]fl�_jgmhk�g^�mk]jk�`Yn]�\a^^]j]fl�Yj]Yk�Yf\�d]n]dk�g^�Y[[]kk&�Emdlahd]�lqh]k�g^�Yml`]fla[Ylagf�]fkmj]k�l`Yl�l`]�egkl�k][mj]�gj�[gehYlaZd]�lqh]�g^�Yml`]fla[Ylagf�ak�YnYadYZd]�^gj�Y�_an]f�mk]&�

Content Discrimination;gfl]fl�\ak[jaeafYlagf�ak�l`]�YZadalq�lg�hj]n]fl�gj_YfarYlagf�e]e%Z]jk�^jge�mkaf_�Yf�gj_YfarYlagfÌk�lae]�Yf\�j]kgmj[]k�lg�_Yaf�Ogjd\�Oa\]�O]Z%ZYk]\�]fl]jlYafe]fl�afYhhjghjaYl]�lg�l`]�gj_YfarYlagfÌk�_gYdk$�hàdgkghà]k$�Yf\�ogjc�]là[&�9�_gg\�O]Z�Zdg[caf_�e][`Y%fake�\a^^]j]flaYl]k�lqh]k�g^�hgl]flaYddq�afYhhjghjaYl]�[gfl]fl$�Yf\�



Ykka_fk�\a^^]j]fl�d]n]dk�g^�Y[[]kk�lg�_jgmhk�gj�af\ana\mYdk�Yl�kh][aâ]\�h]jeall]\�Yf\�hjgàZal]\�Y[[]kk�lae]k&

Secure Remote Management and Communication9�_gg\�k][mjalq�kqkl]e�[Yf�Z]�eYfY_]\�^jge�Y�j]egl]�dg[Ylagf�af�Y�oYq�l`Yl�hj][dm\]k�]Yn]k\jghhaf_�gf�l`]�Y\eafakljYlan]�k]kkagf&�

Highly Configurable Logging and Notification9�_gg\�k][mjalq�kqkl]e�]fYZd]k�qgm�lg�kh][a^q�oà[`�kgjlk�g^�]n]flk�Yj]�dg__]\&�Qgm�k`gmd\�Z]�YZd]�lg�kh][a^q�oà[`�]n]flk�Yj]�dg__]\�^gj�]Y[`�af\ana\mYd�k]jna[]&�Kge]�k]jna[]Ìk�]n]flk�eYq�f]]\�dalld]�gj�fg�dg__af_�oàd]�gl`]j�k]jna[]k�eYq�f]]\�lg�`Yn]�]n]jq�]n]fl�dg__]\&�Qgm�Ydkg�f]]\�lg�Z]�YZd]�lg�Y\bmkl�dg__af_�hYjYe]l]jk�lg�Y[[geeg\Yl]�[`Yf_]k�af�k]jn]j�[YhY[alq$�mkYZd]�âd]�kar]$�Yf\�l`]�^j]%im]f[q�Yl�oà[`�l`]�dg_âd]�Z]_afk�gn]jojalaf_�alk]d^&�9�_gg\�dg__af_�kqkl]e�[Yf�Z]�[gfâ_mj]\�lg�oYl[`�^gj�hYll]jfk�kqehlgeYla[�g^�g^�Yll]ehl]\�k][mjalq�Zj]Y[`]k�Yf\�fgla^q�Yf�Y\eafakljYlgj�g^�l`]�kmk%ha[agmk�Y[lanalq&

Summarize and Report Network Activity9�_gg\�k][mjalq�kqkl]e�_an]k�Yf�Y[[mjYl]$�e]Yfaf_^md$�Yf\�kljYa_`l%^gjoYj\�Y[[gmfl�g^�alk�mk]�lg�eYfY_]e]fl&�Qgm�k`gmd\�Z]�YZd]�lg�kgjl�l`]�dg__af_�\YlY�Zq�nYjagmk�hYjYe]l]jk�km[`�Yk�`gkl%lg%`gkl�[gff][%lagfk$�Afl]jf]l�Y[lanalq$�egkl�Y[lan]�laek]�g^�\Yq$�]l[&

Quick and Responsive9�_gg\�k][mjalq�kqkl]e�]fYZd]k�l`]�f]logjc�Y\eafakljYlgj�lg�eYc]�[gfâ_mjYlagf�[`Yf_]k�ima[cdq$�]Ykadq$�Yf\�oal`�eafaeYd�aehY[l�lg�l`]�gj_YfarYlagfÌk�f]logjc&

A Well-Conceived Security Policy9�f]logjc�k][mjalq�kqkl]e�ak�gfdq�Yk�_gg\�Yk�l`]�k][mjalq�hgda[q�Z]àf\�al&�9�o]dd%hdYff]\�k][mjalq�hgda[q�[dgk]dq�]pYeaf]k�[gfl]fl�k]fl�naY�hjglg[gdk�l`Yl�[Yf�à\]�gl`]j$�hgl]flaYddq�\]kljm[lan]�[gfl]fl�lqh]k&�Al�kh][aâ]k�oà[`�gj_YfarYlagf�[gehml]jk�[Yf�[geemfa[Yl]�oal`�l`]�gmlka\]�Yf\�af�oà[`�oYqk&�Al�]ehdgqk�]f[jqhlagf�o`]j]�[geemfa[Ylagf�daf]k�[gmd\�Z]�afl]j[]hl]\$�Yf\�Yml`]fla[Ylagf�o`]j%]n]j�Y�^Yc]\�mk]j�a\]flalq�[gmd\�`Yn]�\]kljm[lan]�j]kmdlk&�9f\�l`]�o]dd%[gf[]an]\�k][mjalq�hgda[q�`Yk�fg�É`gd]kÊ�af�l`]�âj]oYdd$�bmkl�Yml`gjar]\�hYkkY_]k&�9�`gd]�ak�Yfq�jgml]�aflg�qgmj�gj_YfarYlagf�f]lgjc�l`Yl�Yddgok�]Ykq�gj�mfYml`gjar]\�]fljq&

Physically Secured Security Appliance>afYddq$�Y�âj]oYdd�ak�gfdq�Yk�_gg\�Yk�alk�h`qka[Yd�k][mjalq&�9dd�l`]�]f[jqhlagf�Yf\�Yml`]fla[Ylagf�af�l`]�ogjd\�ak�g^�fg�mk]�a^�Yf�mfYm%l`gjar]\�h]jkgf�[Yf�kaehdq�oYdc�mh�lg�qgmj�âj]Zgp�YhhdaYf[]�gj�


The WatchGuard Solution

eYfY_]e]fl�klYlagf�Yf\�\gofdgY\�[jala[Yd�A<�âd]k$�AH�Y\\j]kk]k$�hgjl�Ykka_fe]flk$�gj�kaehdq�mfhdm_�gj�h`qka[Yddq�`Yje�l`]�mfal&�9�âj]oYdd�YhhdaYf[]Ìk�h`qka[Yd�k][mjalq�k`gmd\�Z]�YfYdg_gmk�lg�l`]�f]l%ogjc�k][mjalq�al�hjgna\]k2�l`]j]�k`gmd\�Z]�fg�Yml`gjar]\�Y[[]kk$�Yf\�al�k`gmd\�fgl�Z]�YnYadYZd]�lg�Yfqgf]�gl`]j�l`Yf�alk�Y\eafakljYlgj k!�Yf\�Yml`gjar]\�kmZklalml]k&�L`]�âj]oYdd�YhhdaYf[]�k`gmd\�Z]�h`qka%[Yddq�dg[c]\�YoYq�^jge�qgmj�gj_YfarYlagf�Yl�dYj_]&


OYl[`?mYj\�L][`fgdg_a]kÌ�YhhjgY[`�lg�jgZmkl�f]logjc�k][mjalq�ak�l`]�af]ph]fkan]$�]Ykadq�\]hdgqYZd]$�klYf\Ydgf]�\]na[]�cfgof�Yk�Y�ÉF]logjc�K][mjalq�9hhdaYf[]$Ê�l`]�OYl[`?mYj\�>aj]Zgp&

Assumptions Af�klYf\Yj\�k][mjalq�hjY[la[]k$�l`]�âjkl�kl]h�lg�k][mjaf_�l`]�o`gd]�]fl]jhjak]�ak�Y�h]jae]l]j�\]^]fk]&�9�\]^]fk]�g^�l`]�h]jae]l]j�Ykkme]k�l`Yl�l`]�h]ghd]�gf�l`]�afka\]�Yj]�lg�Z]�ljmkl]\$�oàd]�l`gk]�gf�l`]�gmlka\]�Yj]�fgl�lg�Z]�ljmkl]\�af�Yfq�ka_faâ[Yfl�oYq&�L`]�gml]j�h]jae]l]j�ak�`Yj\]f]\$�d]Ynaf_�gfdq�gf]�_Yl]oYq�[YhYZd]�g^�hYkkaf_�ljY^â[&�Làk�_Yl]oYq�ak�l`]f�hdY[]\�af�Y�hgkalagf�g^�_jYflaf_�gj�\]fq%af_�Y[[]kk�lg�l`]�]flaj]�f]logjc&�

>gj�ljY^â[�l`Yl�gja_afYl]k�^jge��gmlka\]�l`]�h]jae]l]j$�l`]�h]jae]l]j�\]^]fk]�[`Ydd]f_]k�l`]�ljY^â[�Yf\�Yf\�Yhhda]k�Y�k]l�g^�jmd]k� \]jan]\�^jge�l`]�k][mjalq�hgda[q!�lg�\]l]jeaf]�o`]l`]j�al�oadd�h]jeal�l`]�ljY^%â[�lg�[ge]�afka\]&�

9�h]jae]l]j�\]^]fk]�eYc]k�l`]k]�Ykkmehlagfk2

� L`]�`gklk�Yf\�afka\]�mk]jk�[Yf�Z]�ljmkl]\&�� L`]�h`qka[Yd�k][mjalq�g^�l`]�afklYddYlagf�ak�Y\]imYl]&��Fg�mfYml`g%

jar]\�h]jkgfk�Yj]�Yddgo]\�lg�Y[[]kk�l`]�Y[lmYd�k][mjalq�kqkl]e&�� L`]�eYfY_]e]fl�klYlagf�ak�k][mj]�^jge�h`qka[Yd�lYeh]jaf_&��Fg�

mfYml`gjar]\�h]jkgfk�Yj]�Yddgo]\�lg�Y[[]kk�l`]�eYfY_]e]fl�ogjcklYlagf&

� F]logjc�ljY^â[�`Yk�gfdq�gf]�oYq�af�Yf\�gfdq�gf]�oYq�gml&�

?an]f�l`]k]�[gf\alagfk$�Y�h]jae]l]j�\]^]fk]�j]eYafk�k][mj]�Yk�dgf_�Yk�l`]�f]logjc�k][mjalq�kqkl]e�ak�hjgh]jdq�[gfâ_mj]\�Yf\�^mf[lagf%af_&�

Qgm�emkl�YdoYqk�Z]�na_adYfl�gn]j�l`]�âjkl�Ykkmehlagf$�l`Yl�l`]�h]g%hd]�gf�l`]�afka\]�[Yf�Z]�ljmkl]\&�A^�Y�kqkl]e�oal`�Y�h]jae]l]j�\]^]fk]�ak�km[[]kk^mddq�YllY[c]\$�al�ak�egj]�dac]dq�lg�Z]�Zjgm_`l�\gof�^jge�l`]�afka\]&�L`]j]^gj]$�Yf�]^^][lan]�k][mjalq�kqkl]e�emkl�Ydkg�Z]�YZd]�lg�egfalgj�l`]�afka\]�Y[lanalq�Yf\�]fYZd]�Y\eafakljYlgjk�lg�oYl[`�^gj�



Z]`YnagjÈoal`�gj�oal`gml�eYda[agmk�afl]flÈl`Yl�[gmd\�[gehjg%eak]�l`]�gj_YfarYlagfÌk�k][mjalq&�L`]�Dan]K][mjalq�Kqkl]e�hjgna\]k�Y�kmal]�g^�egfalgjaf_�lggdk�lg�Ya\�af�\]l][lagf�g^�km[`�Y[lanalq&

Separation of Key Security System ComponentsAf�Yfq�âj]oYdd�afklYddYlagf$�al�ak�f][]kkYjq�lg�eYc]�kge]�ZYka[�Ykkmehlagfk�j]_Yj\af_�l`]�dYqgml�g^�l`]�nYjagmk�[gehgf]flk�

FIGURE 1. Separation of Security Components

L`]�OYl[`?mYj\�K][mjalq�Kqkl]e�`Yk�Y�\akljaZml]\�Yj[àl][lmj]2�al�afl]flagfYddq�k]hYjYl]k�l`]�dg__af_$�eYfY_]e]fl$�Yf\�ljY^â[�\ak%[jaeafYlagf�^Y[adala]k�aflg�l`j]]�k]hYjYl]�dg_a[Yd�Yf\�h`qka[Yd�[gehg%f]flk$�l`]�dg_�`gkl$�eYfY_]e]fl�ogjcklYlagf$�Yf\�l`]�>aj]Zgp$�j]kh][lan]dq&�

K]hYjYlaf_�l`]k]�^mf[lagfk�]fkmj]k�l`Yl�l`]�>aj]Zgp�`Yk�gfdq�l`]�`Yj\oYj]�Yf\�kg^loYj]�f][]kkYjq�lg�h]j^gje�alk�^mf[lagf�g^�ljY^â[�\ak[jaeafYlagf&�9dd�gl`]j�^]Ylmj]k�g^�Y�_]f]jYd�hmjhgk]�[gehml]jÈ\akc�\jan]$�mk]j�hjgâd]k$�dg_af�âd]k$�hYkkogj\�̂ ad]k$�emdlahd]�l]jeafYd�Y[[]kkÈYj]�fgl�gf�Y�>aj]Zgp&�Daealaf_�l`]�>aj]ZgpÌk�^mf[lagfYdalq�eafaear]k�l`]�]phgkmj]�lg�hgl]flaYd�l`j]Yl&�

Kaf[]�Y[[]kk�lg�Y�[gfkgd]�_]f]jYddq�_jYflk�dgo�d]n]d�Y[[]kk�lg�l`]�k]jn]j�alk]d^$�Ydd�âj]oYdd�[gfkgd]k�k`gmd\�Z]�_mYj\]\�[dgk]dq&�Lg�Y\\j]kk�làk�_]f]jYd�nmdf]jYZadalq$�OYl[`?mYj\�`Yk�j]egn]\�l`]�gh]jYlaf_�kqkl]e�k`]dd�^jge�l`]�>aj]Zgp&�

Af�[Yk]�g^�Y�hgo]j�^Yadmj]$�l`]�>aj]Zgp�YmlgeYla[Yddq�j]Zgglk�Yf\�j]dgY\k�alk�[mjj]fl�[gfâ_mjYlagf�af^gjeYlagf&�Kaf[]�l`]�gh]jYlaf_�kqkl]e�ak�dgY\]\�^jge�]al`]j�Y�\akc]ll]� >ajZgp�)(')((�jmffaf_�OYl[`?mYj\�+&(�gj�]Yjda]j!�gj�^dYk`�e]egjq$�al�ak�fgl�kmZb][l�lg�\akc�[jYk`]k�gj�âd]�kqkl]e�[gjjmhlagf�Yk�ak�l`]�[Yk]�g^�âj]oYddk�jmffaf_�gf�_]f]jYd�hmjhgk]�[gehml]jk�oal`�_]f]jYd�hmjhgk]�gh]jYlaf_�kqk%l]ek&�

SD

A l low ed D en ied

E X TE R NA L

T R US T ED

O PT IO NA L

D IS A R M E DAR M E D

PO W E R

F I R E W A L L N E T W O R K

F I R E B O X

ManagementWorkstation

Logging Server

Windows 95Windows NTLinux

Nativeapplications

Windows 95Windows NTUnix Syslog

NotificationEngine



Af�l`]�OYl[`?mYj\�k][mjalq�eg\]d$�Y[lanalq�dg_k�Yf\�âj]oYdd�[gfâ_%mjYlagf�âd]k�Yj]�klgj]\�gf�gf]�gj�egj]�gl`]j�[gehml]jk$�fgl�gf�l`]�âj]oYdd�YhhdaYf[]�alk]d^&�9^l]j�Ydd$�l`]�\]na[]�l`Yl�Zdg[ck�mfYml`g%jar]\�ljY^â[�k`gmd\�fgl�[gflYaf�l`]�c]qk�lg�alk�gof�mf\gaf_��L`]�eYfY_]e]fl�`gkl�Yf\�dg__af_�`gkl k!�[Yf�Z]�[gfâ_mj]\�^gj�Ymlg%eYla[�ZY[cmhk�Yf\'gj�Z]�]imahh]\�oal`�eajjgj]\�\akck�lg�]fkmj]�[Yhlmj]�g^�aehgjlYfl�k][mjalq�af^gjeYlagf&�9dd�[geemfa[Ylagfk�Z]lo]]f�l`]�>aj]Zgp�Yf\�l`]k]�]d]e]flk�Yj]�]f[jqhl]\&��

Kaf[]�l`]�eYfY_]e]fl�ogjcklYlagf�[gflYafk�l`]�[gfâ_mjYlagfÌk�klgj]\�âd]k�Yf\�\YlY�j]_Yj\af_�l`]�_]f]jYd�ljY^â[�hYll]jfk�g^�l`]�f]l%ogjc�gf�l`]�dg_�`gkl$�qgm�emkl�h`qka[Yddq�k][mj]�làk�kqkl]e�^jge�l`]�j]kl�g^�qgmj�gj_YfarYlagf&��Af�kge]�[Yk]k�al�eYq�fgl�]n]f�Z]�^]Yka%Zd]�lg�c]]h�l`]�eYfY_]e]fl�ogjcklYlagf�gf�l`]�hj]eak]k�Yl�Ydd&�L`]�>aj]Zgp�ak�\]ka_f]\�lg�Y[[geeg\Yl]�k][mj]�j]egl]�eYfY_]e]fl&�Qgm�[Yf�Y\eafakl]j�al�^jge�Y�j]egl]�eYfY_]e]fl�ogjcklYlagf�naY�Yf�]f[jqhl]\�dafc&�Al�Ydkg�mk]k�Yf�]f[jqhl]\�dafc�lg�ojal]�]n]flk�lg�l`]�dg__af_�`gkl&�

H`qka[Yddq�k]hYjYlaf_�l`]�eYfY_]e]fl�ogjcklYlagf�Yf\�dg__af_�`gkl�^jge�l`]�f]logjc�k][mjalq�YhhdaYf[]�]f`Yf[]k�h`qka[Yd�Yf\�\YlY�k][mjalq&�A^�l`]�eYfY_]e]fl�ogjcklYlagf�ak�af�Yf�gh]jYlagf�[]fl]j�l`Yl�ak�k][mj]\�Y_Yafkl�Y�h`qka[Yd�Zj]Y[`�g^�k][mjalq$�l`]�]f[jqhl]\�[`Yff]d�̂ gj��eYfY_]e]fl�Yf\�dg__af_�̂ mf[lagfk�]fkmj]k�l`Yl�l`]�dg_k�Yf\�[gfâ_mjYlagf�âd]k�Yj]�kY^]�j]_Yj\d]kk�g^�l`]�d]n]d�g^�ljmkl�hdY[]\�af�l`]�afl]jn]faf_�f]logjck&�

Ease of Use Begets Secure Use9f�]Yka]j%lg%mk]�kqkl]e�oadd�Z]�mk]\�egj]�̂ j]im]fldq�Yf\�oal`�̂ ]o]j�gh]jYlagfYd�]jjgjk�l`Yf�Y�[gehda[Yl]\�gf]&�L`]�ZYka[�hjaf[ahd]k�g^�hjgl][laf_�Y�f]logjc�^jge�gmlka\]�afl]j^]j]f[]�Yj]�fgl�\a^â[mdl�lg�mf\]jklYf\&�:Yka[Yddq$�qgm�k]_j]_Yl]�Ydd�f]logjc�ljY^â[�aflg�log�_jgmhk3�l`Yl�oà[`�ak�Yddgo]\�lg�hYkk�mf\]j�[gfljgdd]\�[aj[me%klYf[]k� cfgof�kY^]�[gfl]fl!$�Yf\�l`Yl�oà[`�ak�fgl� cfgof�Yk�mfkY^]$�gj�mfcfgof�[gfl]fl!&�Hmllaf_�làk�kaehd]�hjaf[ahd]�aflg�Y�j]daYZd]�hjg\m[l�ak�af\]]\�Yf�afngdn]\�hjg[]kk$�Zml�alk�mk]�Yf\�Y\eafakljYlagf�[Yf�kladd�Z]�j]dYlan]dq�kaehd]&�

L`]k]�^mf\Ye]flYdk�\jan]�l`]�OYl[`?mYj\�L][`fgdg_a]k�YhhdaYf[]�[gf[]hl2�Y�\]na[]�l`Yl�ak�kaehd]�lg�mk]$�k][mj]�af�l]jek�g^�\]ka_f�Yf\�]p][mlagf$�Yk�^Ykl�Yk�[Yf�Z]�oal`gml�kY[jaâ[af_�kY^]lq$�Yf\�j]daYZd]�gn]j�l`]�dgf_�jmf&�:q�[gf\]fkaf_�l`]�f]logjc�k][mjalq�kqkl]e�lg�Yf�YhhdaYf[]$�l`]�f]logjc�Y\eafakljYlgj�ak�hj]k]fl]\�oal`�Y�\]na[]�l`Yl2�

� =paklk�Yf\�ogjck�^gj�gf]�kaehd]�hmjhgk]3�oal`�^]o]j�lYkck�Z]af_�h]j^gje]\$�l`]j]�ak�d]kk�lg�_g�ojgf_�Yf\�^]o]j�nmdf]jYZadala]k�lg�YllY[c

� @Yk�fg�[gehd]p�mf\]jdqaf_�gh]jYlaf_�kqkl]e�oal`�l`]�Ykkg[aYl]\�nmdf]jYZadala]k�lg�YllY[c�Yf\�^Yadmj]



� Ak�d]kk�]ph]fkan]�l`Yf�Y�k]jn]j%ZYk]\�kgdmlagf� @Yk�Y�à_`�d]n]d�g^�l`jgm_`hml�oàd]�h]j^gjeaf_�hjgpq%ZYk]\�

[gfl]fl�afkh][lagf�af�[jalaYd�Yj]Yk&� @Yk�fg�egnaf_�hYjlk�lg�o]Yj�gml�gl`]j�l`Yf�l`]�\akc]ll]�\jan]�af�

l`]�>:%)((�Yf\�l`]�[ggdaf_�^Yfk&��

Open Code Base9fq�eYfm^Y[lmj]j�g^�k][mjalq�\]na[]k�emkl�j]kgdn]�l`]�^mf\Ye]flYd�ljY\]g^^�Z]lo]]f�hjghja]lYjq�Yf\�hmZda[�af^jYkljm[lmj]�^gj�l`]�\]na[]Ìk�mf\]jdqaf_�gh]jYlaf_�kqkl]e&��L`]�_j]Yl]kl�Y\nYflY_]�g^�mkaf_�Y�hjghja]lYjq�gh]jYlaf_�kqkl]e�ak�[gfljgd�g^�l`]�kgmj[]�[g\]&�9dl`gm_`�hjghja]lYjq�gh]jYlaf_�kqkl]ek�eYq�k]]e�egj]�k][mj]$�Y�hjghja]lYjq�kqkl]e�Ydkg�hdY[]k�Y�c]q�[gehgf]fl�g^�l`]�f]logjcÌk�gn]jYdd�k][mjalq�af�l`]�`Yf\k�g^�Y�daeal]\�_jgmh�g^�gh]jYlaf_�kqkl]e�hjg_jYee]jk&��Oal`�l`]�jakaf_�^j]im]f[q�g^�hmZdak`]\�Zm_�j]hgjlk�j]_Yj\af_�o]dd�cfgof�gh]jYlaf_�kqkl]ek�km[`�Yk�Ea[jgkg^l�FL�Yf\�Kmf�KgdYjak$�Y�k][mjalq�\]na[]�eYfm^Y[lmj]�eYq�fgl�Z]�[gfâ\]fl�l`Yl�l`]�n]f\gjk�g^�hjghja]lYjq�gh]jYlaf_�kqkl]ek�hmZdak`�lae]dq�Yf\�Y[[mjYl]�Zm_�âp]k�^gj�l`]aj�gh]jYlaf_�kqkl]ek&�Làk�eYq�[j]Yl]�Yf�mff][]kkYjq�]d]e]fl�g^�jakc&

�HmZda[�k[jmlafq�g^�Yf�gh]jYlaf_�kqkl]e$�gf�l`]�gl`]j�`Yf\$�ljY\]k�[gfljgd�g^�l`]�kgmj[]�[g\]�^gj�l`]�hgo]j^md�Ym\al�Yf\�\]n]dghe]fl�[YhYZadalq�g^�gh]jYlaf_�kqkl]e�]ph]jlk�ogjd\�oa\]&�L`]�nYdm]�g^�l`]�hggd�g^�lYd]fl�Yf\�[geeale]fl�j]hj]k]fl]\�Zq�làk�_jgmh�g^�h]ghd]�^Yj�]p[]]\k�l`]�nYdm]�g^�Yfq�Y\nYflY_]�af�[gfljgd�l`Yl�af%`gmk]�\]n]dghe]fl�eYq�]fbgq&

L`]�OYl[`?mYj\�L][`fgdg_a]k�K][mjalq�Kqkl]e�ak�ZYk]\�gf�l`]�̂ j]]dq�YnYadYZd]�Dafmp�gh]jYlaf_�kqkl]e&��Fgl�gfdq�`Yk�l`]�gh]jYlaf_�kqk%l]e�alk]d^�oal`klgg\�l`]�à_`]kl�d]n]dk�g^�hmZda[�k[jmlafq�oal`�j]_Yj\k�lg�alk�^mf\Ye]flYd�\]ka_f$�Zml�l`]�af]nalYZd]�Zm_�âp]k�l`Yl�Yfq�f]logjc�gh]jYlaf_�kqkl]e�oadd�j]imaj]�gn]j�lae]�`Yn]�àklgja%[Yddq�Z]]f�YnYadYZd]�^Yj�^Ykl]j�l`Yf�l`gk]�g^�l`]�[gee]j[aYd�gh]jYlaf_�kqkl]e�n]f\gjk&

OYl[`?mYj\Ìk�\]ka_f�hjg[]kk�j]d]Yk]k�Ydd�eg\aâ[Ylagfk�lg�l`]�gh]j%Ylaf_�kqkl]e�c]jf]d�ZY[c�aflg�l`]�hmZda[�\geYaf&�Làk�hjg[]kk�]fYZd]k�l`]�Dafmp�\]n]dghe]fl�[geemfalq�lg�k[jmlafar]�l`]�[`Yf_]k�o]�`Yn]�eY\]�lg�]fkmj]�l`Yl�l`]�eg\aâ[Ylagfk�Yj]�klYZd]�Yf\�j]da%YZd]&��L`]�Dan]K][mjalq�Kqkl]e�kg^loYj]�[g\]�l`Yl�jmfk�gf�l`]�eg\a%â]\�c]jf]d�j]eYafk�hjghja]lYjq�lg�OYl[`?mYj\�L][`fgdg_a]k&��Làk�\]ka_f�YhhjgY[`�Yddgok�OYl[`?mYj\�lg�\]hdgq�Y�k][mj]�YhhdaYf[]�gn]j�Yf�Y__j]kkan]dq�\]Zm__]\�gh]jYlaf_�kqkl]e�Yl�Y�^jY[lagf�g^�l`]�lglYd�[gkl�g^�gl`]j�f]logjc�k][mjalq�YhhjgY[`]k&�

Mkaf_�l`]�Dafmp�c]jf]d�Ydkg�e]Yfk�l`Yl�Ydd�Zm_�âp]k�j]kmdlaf_�^jge�Y�hj]nagmkdq�mfcfgof�nmdf]jYZadalq�af�l`]�mf\]jdqaf_�gh]jYlaf_�kqk%



l]e�Yj]�eY\]�YnYadYZd]�lg�l`]�]f\�mk]j�\aj][ldq�^jge�OYl[`?mYj\&��9k�Y�OYl[`?mYj\�[mklge]j$�qgm�oadd�f]n]j�Z]�lgd\�l`Yl�Yfq�Zm_�ak�klja[ldq�Yf�gh]jYlaf_�kqkl]e�Zm_�Yf\�l`Yl�qgm�k`gmd\�[gflY[l�l`]�gh]jYlaf_�kqkl]e�n]f\gj�^gj�l`]�hYl[`&��O]�k]jna[]�o`Yl�o]�k]dd$�ja_`l�\gof�lg�alk�gh]jYlaf_�kqkl]e&�

To Proxy or To Packet Filter?9dd�âj]oYddk�[Yf�Z]�dggk]dq�_jgmh]\�aflg�log�[Yl]_gja]k$�l`gk]�l`Yl�j]dq�hjaeYjadq�gf�hjgpqaf_�l`]�ljY^â[�Yf\�l`gk]�l`Yl�j]dq�hjaeYjadq�gf�âdl]jaf_�l`]�ljY^â[&��=Y[`�e]l`g\�`Yk�alk�Y\nYflY_]k�Yf\�\akY\%nYflY_]k&�>gj�OYl[`?mYj\�L][`fgdg_a]k�l`]�akkm]k�[ge]�\gof�lg�log�[gfka\]jYlagfk$�kh]]\�Yf\�k][mjalq&�

HY[c]l�âdl]jaf_�âj]oYddk�`Yn]�gf]�làf_�af�[geegf2�l`]q�Yj]�^Ykl&��Làk�ak�Z][Ymk]�l`]q�\g�[gehYjYlan]dq�d]kk�ogjc$�oà[`�jYak]k�l`]�akkm]2�9j]�l`]q�\gaf_�]fgm_`�ogjc�lg�k][mj]�l`]�f]logjc7�Gf�l`]�gl`]j�`Yf\$�bmkl�Z][Ymk]�hjgpq%ZYk]\�âj]oYddk�Yj]�\gaf_�egj]�ogjc�l`Yf�l`]�hY[c]l�âdl]jk�\g]k�fgl�f][]kkYjadq�eYc]�l`]e�egj]�k][mj]&�Hjgpa]k�jYak]�l`]�akkm]2�9j]�l`]q�\gaf_�egj]�ogjc�l`Yf�f][]kkYjq$�Yf\�ak�l`]�ogjc�l`]q�Yj]�\gaf_�l`]�ja_`l�ogjc7

The WatchGuard Answer: Both in ModerationL`]�OYl[`?mYj\�K][mjalq�Kqkl]e�]ehdgqk�Y�[geZafYlagf�g^�hjgpq�Yf\�hY[c]l�âdl]jaf_�l][`fgdg_a]k&��<gaf_�lgg�em[`�[Yf�Z]�Yk�ZY\�Yk�\gaf_�lgg�dalld]&�Kaf[]�`Ynaf_�Zgl`�lglYd�k][mjalq�Yf\�lglYd�^mf[lagfYd%alq�ak�aehgkkaZd]$�Yfq�kgdmlagf�ak�Y�ljY\]%g^^&�9ddgoaf_�Y�kh][aâ[�k]j%na[]�l`jgm_`�l`]�k][mjalq�kqkl]e�eYq�Z]�lgg�afk][mj]�^gj�Yf�gj_YfarYlagf�k�hmZda[�Afl]jf]l�Y[[]kk$�Zml�Y[[]hlYZd]�^gj�AfljYf]l�mk]&�Gj�Yddgoaf_�Y�_an]f�k]jna[]�eYq�Z]�\]]e]\�lgg�afk][mj]$�lgg�af]^â%[a]fl$�gj�fgl�oa\]dq�mk]\�]fgm_`�lg�aehd]e]fl�Yl�Ydd&�OYl[`?mYj\�`Yk�]pYeaf]\�]Y[`�k]jna[]�lg�\][a\]�`go�Z]kl�lg�[gfljgd�alk�Y[[]kk�lg�l`]�hjgl][l]\�f]logjc&�

Kg$�^gj�Y�_an]f�k]jna[]$�o`]j]�o]�[Yf�Y\\�nYdm]�Zq�]ehdgqaf_�Y�hjgpq� Yk�oal`�kelh$�^lh$�gj�̀ llh�o`]j]�nmdf]jYZadala]k�Yj]�n]jq�̀ a_`!$�o]�\g�kg&�O`]j]�al�\g]kfÌl�eYc]�k]fk]�oalàf�l`]�[gfl]pl�g^�Y�k]jna[]�lg�mk]�Y�hjgpq$�o]�\gfÌl&��L`mk�o]�Yddgo�Ydd�ljY^â[�lg�hYkk�gj�Z]�\]fa]\�hYkkY_]�af�l`]�oYq�l`Yl�ak�Z]kl�kmal]\�^gj�l`]�ljY^â[�lqh]&��>gj�]pYehd]$�kk`�ea_`l�̀ Yn]�Y�oa\]�k]d][lagf�g^�kgmj[]k�Yf\�\]klafYlagfk�Z][Ymk]�l`]�k]jna[]�`Yk�Zmadl%af�Yml`]fla[Ylagf&

Integrating Security Technologies into a Stand Alone ApplianceE]j]dq�eYfY_af_�l`]�\YlY�klj]Ye�oadd�fgl�YllYaf�ljm]�f]logjc�k][m%jalq$�Z][Ymk]�l`]�f]logjc]\�]fnajgfe]fl�af[dm\]k�Zgl`�eY[àf]k�Yf\�l`]�h]ghd]�o`g�mk]�l`]e&��F]logjc�k][mjalq�emkl�afngdn]�l`]�h]ghd]�l`Yl�mk]�l`]�f]logjc$�`go�l`]q�Y[[]kk�al$�Yf\�o`Yl�l`]q�\g�oal`�l`]�j]kgmj[]k�gf�al&�L`]�OYl[`?mYj\�K][mjalq�Kqkl]e�afl]_jYl]k�



l`]�eY[àf]�Yf\�`meYf�^Y[lgjk�g^�f]logjc�k][mjalq�Zq�afl]_jYlaf_�l`j]]�klYf\Ydgf]�[gehgf]flk�aflg�l`]�âj]oYdd�YhhdaYf[]2

User Authentication Lg�eYfY_]�mk]j�Y[[]kk�lg�Afl]jf]l�j]kgmj[]k�af�l`]�\akljaZml]\�f]logjc�]fnajgfe]fl$�l`]�OYl[`?mYj\�L][`fgdg_a]k�K][mjalq�Kqkl]e�kmhhgjlk�mk]j�Yml`]fla[Ylagf�naY�Yf�FL�<geYaf�;gfljgdd]j$�Y�JY\amk�k]jn]j$�gj�l`]�OYl[`?mYj\�L][`fgdg_a]k�K][mjalq�Kqkl]eÌk�gof�Yml`]fla[Ylagf&�Mk]jk�[Yf�Z]�j]imaj]\�lg�Yml`]fla[Yl]�lg�gf]�g^�l`]k]�kqkl]ek�Z]^gj]�Y[[]kkaf_�Yfq�Afl]jf]l�j]kgmj[]k&�9ml`]fla[Ylagf�]fYZd]k�qgm�lg�eYfY_]$�ljY[c$�Yf\�Ym\a�mk]jkÌ�Y[[]kk�lg�[gjhgjYl]�Afl]jf]l�j]kgmj[]k�oal`�_j]Yl�Y[[m%jY[q&�Làk�hjgna\]k�nYdmYZd]�hdYffaf_�Yf\�j]kgmj[]�eYfY_]e]fl�\YlY�lg�Ykkakl�af�akgdYlaf_�Yj]Yk�g^�_]f]jYd�afl]j]kl$�lj]f\k$�oYkl]$�^jYm\$�Yf\�YZmk]&

Content ManagementHYll]jfk�af�`meYf�j]kgmj[]�j]_mdYlagfk$�hdmk�l`]�[gkl�lg�Yf�gj_YfarYlagf�j]_Yj\af_�Afl]jf]l�YZmk]�eYc]�al�f][]kkYjq�lg�[gfljgd�l`]�lqh]�g^�[gfl]fl�YnYadYZd]�lg�l`]�[gjhgjYl]�Afl]jf]l�mk]j&�OYl[`?mYj\�L][`fgdg_a]k�`Yk�afl]_jYl]\�l`]�;qZ]j?mYj\�É;qZ]jFGLÊ�dakl�aflg�l`]�OYl[`?mYj\�K][m%jalq�Kqkl]e&��J]ka\af_�gf�l`]�dg_�k]jn]j$�làk�af\mkljq%d]Y\af_�\YlYZYk]�g^�Afl]jf]l�kal]k�Yddgok�l`]�Y\eafakljYlgj�lg�_jYfl�gj�\]fq�Y[[]kk�lg��[gf%l]fl�Zq�lqh]$�hjanad]_]�d]n]d$�Yf\�lae]�g^�\Yq&�

Virtual private networkingNajlmYd�hjanYl]�f]logjc�l][`fgdg_q�]fYZd]k�Yf�gj_YfarYlagf�lg�j]hdY[]�d]Yk]\�l]d]h`gf]�daf]k�oal`�em[`�d]kk�[gkldq�mk]�g^�Yf�]f[jqhl]\�[`Yff]d� Y�lmff]d!�gf�l`]�Afl]jf]l&��Làk�eYc]k�j]egl]k�kal]k�Y[[]kkaZd]�l`Yl�o]j]�hj]nagmkdq�lgg�]ph]fkan]�lg�[gff][l�lg&�L`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e�fgl�gfdq�hjgna\]k�làk�f]logjc%lg%f]logjc�NHF�[YhYZadalq$�Zml�Ydkg�]fYZd]k�l`]�Y\eafakljYlgj�lg�Yhhdq�Yf�YjZaljYjq�k][mjalq�hgda[q�lg�l`Yl�NHF�k]_e]fl�Yk�l`gm_`�al�o]j]�\aj][ldq�YllY[`]\�lg�Y�h`qka[Yd�afl]j%^Y[]&


CHAPTER 2 Security and Firewall Management Policies

L`]�jmdaf_�hjaf[ahd]�Z]àf\�Y�âj]oYdd�[gfâ_mjYlagf�ak�Yf�gj_YfarY%lagfÌk�k][mjalq�hgda[q&�Af�alk�ZjgY\]kl�gj�egkl�[gehj]`]fkan]�\]âfa%lagf$�Y�k][mjalq�hgda[q�kh]ddk�gml�]n]jq�Ykh][l�g^�`go�Yf�gj_YfarYlagf�hjgl][lk�alk�Zmad\af_k$�Ykk]lk$�af^gjeYlagf$�Yf\�h]jkgff]d�^jge�l`]^l$�nYf\Ydake$�afljmkagf$�Yf\�afnYkagf�g^�hjanY[q&�L`]k]�Ykh][lk�af[dm\]2

� H`qka[Yd�k][mjalq�g^�l`]�Zmad\af_� H`qka[Yd�k][mjalq�g^�l`]�gj_YfarYlagfÌk�Ykk]lk� K`j]\\af_�gj�\]kljgqaf_�l`]�gj_YfarYlagfÌk�ljYk`�l`Yl�[gflYafk�

k]fkalan]�af^gjeYlagf� KlY^âf_�Yf\�k[`]\mdaf_�lg�aehd]e]fl�l`]�k][mjalq�hgda[q� <YlY�Y[[]kk�_jYfl]\�lg�nYjagmk�mk]jk�Yf\�_jgmhk� J][j]YlagfYd�mk]�g^�Yf�gj_YfarYlagfÌk�^Y[adala]k� K][mjalq�d]n]d�g^�j]egl]�[geemfa[Ylagfk� 9ml`]fla[Ylagf�j]imaj]\�^gj�j]egl]�[geemfa[Ylagfk�

9dd�g^�l`]k]�^Y[lgjk�Yj]�]kk]flaYd�^gj�k]llaf_�mh�Yf�gj_YfarYlagf�oal`�Y�ogjcYZd]�ZYdYf[]�Z]lo]]f�k][mjalq�Yf\�hjg\m[lanalq&�Kge]�g^�l`]e�Yj]�Z]qgf\�l`]�k[gh]�g^�Y�f]logjc�âj]oYdd&�9dd�g^�l`]e�lg_]l`]j�[gehjak]�Yf�gj_YfarYlagfÌk�YhhjgY[`�lg�k][mjalq$�Yf\�oadd�af^dm]f[]�`go�l`]�gj_YfarYlagf�[gfâ_mj]k�alk�âj]oYdd&�

GZnagmkdq$�h`qka[Yd�k][mjalq�Yf\�klY^âf_�Yj]�Z]qgf\�l`]�k[gh]�g^�làk�\g[me]fl�Yf\�l`]�OYl[`?mYj\�hjg\m[lk&�=n]f�af�eYll]jk�g^�\YlY�Y[[]kk$�kge]�]d]e]flk�g^�l`]�k][mjalq�hgda[q�ogmd\�Z]�aehd]%e]fl]\�Zq�k]llaf_�h]jeakkagfk�d]n]dk�^gj�[gehml]jk$�\aj][lgja]k$�Yf\�âd]k&�Gl`]j�]d]e]flk�ogmd\�Z]�Y\\j]kk]\�Zq�l`]�âj]oYdd�YhhdaYf[]&�L`]�>aj]Zgp�[Yf�Ydkg�aehd]e]fl�hgda[a]k�gf�j][j]YlagfYd�mk]�g^�Yf�gj_YfarYlagfÌk�[gehml]jk�Yf\�f]logjck$�Yf\�Yml`]fla[Yl]�Yf\�k][mj]�j]egl]�[geemfa[Ylagfk&�L`]k]�dYll]j�]d]e]flk�Yj]�Y�âj]oYdd�eYfY_]e]fl�hgda[q&�


Security and Firewall Management Policies

9�âj]oYdd�eYfY_]e]fl�hgda[q�ak�Y�kmZk]l�g^�l`]�k][mjalq�hgda[q&�Al�kh][aâ[Yddq�Y\\j]kk]k�`go�Yf�gj_YfarYlagfÌk�f]logjc�âj]oYdd k!�oadd�Z]�[gfâ_mj]\�lg�[gfljaZml]�lg�l`]�gn]jYdd�k][mjalq�hgda[q&

9�âj]oYdd�eYfY_]e]fl�hgda[q�\]l]jeaf]k2

� Oà[`�`gklk�[Yf�k]f\�Yf\�j][]an]�oà[`�caf\k�g^�ljY^â[� O`Yl�[geemfa[Ylagf�hjglg[gdk�Yf\�[gfl]fl�lqh]k�Yj]�Yddgo]\�

l`jgm_`�l`]�âj]oYdd� Oà[`�[geemfa[Ylagf�dafck�j]imaj]�Yml`]fla[Ylagf�Yf\'gj�

]f[jqhlagf� Oà[`�mk]jk�Yj]�Yml`gjar]\�lg�mk]�nYjagmk�k]jna[]k�l`jgm_`�l`]�

âj]oYdd� O`Yl�lae]k�g^�\Yq�gj_YfarYlagf�e]eZ]jk�[Yf�Zjgok]�l`]�O]Z� O`Yl�lqh]k�g^�O]Z�kal]k�gj_YfarYlagf�e]eZ]jk�[Yf�nakal

Balancing Risk vs. Productivity

L`]�hmjhgk]�g^�Yfq�k][mjalq�hgda[q�ak�lg�\]l]jeaf]�l`]�ZYdYf[]�Z]lo]]f�kY^]lq�Yf\�hjg\m[lanalq&�L`]�egj]�af^gjeYlagf�Yf\�Ykk]lk�Yj]�YnYadYZd]�lg�Ydd�gj_YfarYlagf�e]eZ]jk$�l`]�ima[c]j�l`]q�[Yf�_]l�làf_k�\gf]&�L`]�d]kk�af^gjeYlagf�Yf\�Ykk]lk�YnYadYZd]�lg�Ydd�gj_Yfa%rYlagf�e]eZ]jk$�l`]�egj]�k][mj]�l`]�af^gjeYlagf�Yf\�Ykk]lk�Yj]&

Af�f]logjc�k][mjalq$�l`]�egkl�k][mj]�[gfâ_mjYlagf�ak�fg�f]logjc�[gff][lagf�Yl�Ydd&�L`]�f]pl�egkl�k][mj]�ak�Y�\ag\]$�gj�gml_gaf_%gfdq�[gff][lagf&�L`]�làj\�egkl�k][mj]�ak�OYl[`?mYj\Ìk�jm\ae]flYjq�f]l%ogjc�[gfâ_mjYlagf�Yk�hjg\m[]\�Zq�l`]�Ima[cK]lmh�OarYj\&�Gf[]�qgm�gh]f�l`]�OYl[`?mYj\�Hgda[q�EYfY_]j�lg�]phYf\�Yf\�^mddq�[gf%â_mj]�qgmj�>aj]Zgp$�]Y[`�[gfâ_mjYlagf�Y\\alagf�gj�[`Yf_]�qgm�eYc]�lg�af[j]Yk]�l`]�^dgo�g^�ljY^â[�kaemdlYf]gmkdq�jYak]k�l`]�jakc�d]n]d�g^�qgmj�âj]oYdd�[gfâ_mjYlagf&

L`]�im]klagfk�qgm�emkl�Ykc�qgmjk]d^�lg�Yjjan]�Yl�qgmj�ZYdYf[]�Yj]2

� O`Yl�\g�qgm�`Yn]�lg�dgk]�af�Y�f]logjc�k][mjalq�Zj]Y[`7�Qgm�[gmd\�dgk]�Y[lmYd�egf]q�af�kge]�[Yk]k$�afl]jfYd�hYkkogj\k$�gj�h]jkgfYd�af^gjeYlagf�gf�gj_YfarYlagf�e]eZ]jk&�Qgm�[gmd\�dgk]�[jala[Yd�\YlYZYk]�âd]k&�Qgm�[gmd\�dgk]�hjg\m[lanalq�Yk�[gehml]jk�Yj]�[d]Yfk]\$�k`ml�\gof�Yf\�j]Zggl]\&�>gj�kge]�[gehYfa]k$�Y�k][m%jalq�Zj]Y[`�ea_`l�kh]dd�Y�dgkk�g^�[j]\aZadalq�Yf\�hj]kla_]�Y^^][laf_�hj]k]fl�Yf\�^mlmj]�Zmkaf]kk&�

� O`Yl�ak�l`]�hgl]flaYd�[gkl�g^�Y�kaf_d]�k][mjalq�Zj]Y[`7�>gj�]pYe%hd]$�Y�ZYfc�[gmd\�dgk]�eaddagfk�g^�\gddYjk�af�Y�kaf_d]�k][mjalq�Zj]Y[`&�9f�gfdaf]�Zggcklgj]�ea_`l�dgk]�Y�^]o�Zggck�Yf\�af^gje�Y�[mklge]j�l`Yl�l`]�[j]\al�[Yj\�fmeZ]j�mk]\�^gj�l`]�ljYfkY[lagf�oYk�[gehjgeak]\&



� @go�dac]dq�Yj]�nYjagmk�lqh]k�g^�Zj]Y[`]k�lg�g[[mj7�Kge]�lqh]k�g^�k]jn]jk�Yj]�mf\]j�[gfklYfl�YllY[c&�>afYf[aYd�afklalmlagfk�Yj]�mf\]j�YllY[c�^gj�[j]\al�Yf\�Y[[gmfl�af^gjeYlagf&�?gn]jfe]fl�Y_]f[a]k�Yf\�f]logjc�k][mjalq�Y_]f[a]k�Yj]�mf\]j�[gfklYfl�YllY[c�lg�^]]\�l`]�`Y[c]jÌk�]_g�gj�lg�]phj]kk�jY_]�Yl�[gfljgddaf_�gj_YfarYlagfk&�Qgm�`Yn]�lg�\]l]jeaf]�`go�g^l]f�qgm�Yj]�mf\]j�YllY[c$�Yf\�`go�dac]dq�qgm�ogmd\�kmklYaf�Yf�YllY[c�l`Yl�[gmd\�Z]�n]jq�]ph]fkan]&

L`]�Yfko]jk�lg�l`]k]�im]klagfk�k`gmd\�`]dh�qgm�Yjjan]�Yl�qgmj�ZYd%Yf[]�g^�k][mjalq�nk&�hjg\m[lanalq&�>gj�]pYehd]$�kaf[]�âfYf[aYd�afklalm%lagfk�Yj]�Yf�gZnagmk�lYj_]l�Yf\�Y�km[[]kk^md�YllY[c�[gmd\�j]kmdl�af�Za_�dgkk]k$�k][mjalq�emkl�lYc]�hj][]\]fl�gn]j�l`jgm_`hml�Z][Ymk]�^Ykl�l`jgm_`hml�ak�mk]d]kk�a^�qgmj�egf]q�gj�[j]\al�[Yj\�fmeZ]jk�Yj]�klg%d]f�af�l`]�hjg[]kk&�Gf�l`]�gl`]j�`Yf\$�Y�Zmkaf]kk�oal`�Y�à_`�Yegmfl�g^�ljY^â[$�o`]j]�]Y[`�ljYfkY[lagf�Yegmflk�lg�Y�keYdd�Yegmfl�g^�egf]q$�ogmd\�nYdm]�l`jgm_`hml�gn]j�YZkgdml]�k][mjalq&

Incoming Services: Security PrinciplesO`]f�qgm�]fYZd]�af[geaf_�k]jna[]k$�qgm�Yj]�[j]Ylaf_�Y�[gf\mal�aflg�qgmj�gj_YfarYlagf&�Al�eYq�Z]�daeal]\�lg�Y�kaf_d]�k]jna[]�Yf\�Y�kaf_d]�hgjl$�Zml�al�ak�Y�[gf\mal�fgf]l`]d]kk&�>gddgoaf_�Yj]�kge]�jmd]k�g^�l`meZ�lg�Ykk]kk�qgmj�k][mjalq�jakck�Yk�qgm�Y\\�af[geaf_�k]jna[]k�lg�qgmj�>aj]Zgp�[gfâ_mjYlagf2

� Qgm�Yj]�YdoYqk�d]kk�k][mj]�l`Yf�l`]�d]Ykl�k][mj]�k]jna[]�qgm�Yddgo�aflg�qgmj�f]logjc&�Qgm�dgk]�k][mjalq�[memdYlan]dq�Yk�qgm�]fYZd]�af[geaf_�k]jna[]k&

� K]jna[]k�qgm�\gfÌl�mf\]jklYf\�n]jq�o]dd�k`gmd\�Z]�[gfka\]j]\�mfljmklogjl`q&�Mfcfgof�jakck�Yj]�YdoYqk�_j]Yl]j�l`Yf�cfgof�gf]k&

� K]jna[]k�oal`�fg�Zmadl%af�Yml`]fla[Ylagf� egkl�JH;�k]jna[]k!�Yf\�l`gk]�l`Yl�o]j]�fgl�\]ka_f]\�lg�Z]�mk]\�af�Yf�Afl]jf]l�Yj]�jakcq&

� K]jna[]k�l`Yl�k]f\�hYkkogj\k�af�l`]�[d]Yj� >LH$�l]df]l$�HGH!�Yj]�n]jq�jakcq&�EYfq�mk]jk�mk]�l`]�kYe]�hYkkogj\�o`]j]n]j�hjgehl]\�^gj�gf]&�9�hY[c]l�kfa^^]j�afl]j[]hlaf_�Yf�>LH$�l]df]l$�gj�HGH�ljYfkY[lagf�[gmd\�afl]j[]hl�Y�[d]Yj�l]pl�hYkkogj\�l`Yl�ogmd\�hjgna\]�Y[[]kk�l`jgm_`gml�qgmj�gj_YfarYlagf&

� K]jna[]k�oal`�Zmadl%af�kljgf_�Yml`]fla[Ylagf� ^gj�]pYehd]$�kk`!�Yj]�j]YkgfYZdq�kY^]&

� K]jna[]k�km[`�Yk�<FK$�KELH$�Yfgfqegmk�>LH$�Yf\�@LLH�Yj]�hj]llq�kY^]�gfdq�a^�l`]q�Yj]�mk]\�af�[gfn]flagfYd�oYqk&�

� 9ddgoaf_�Y�k]jna[]�lg�Y[[]kk�gfdq�Y�kaf_d]�afl]jfYd�`gkl�ak�kY^]j�l`Yf�Yddgoaf_�l`]�k]jna[]�lg�k]n]jYd�gj�Ydd�`gklk&

� 9ddgoaf_�Y�k]jna[]�lg�l`]�GhlagfYd�f]logjc�ak�kY^]j�l`Yf�Yddgoaf_�al�lg�l`]�Ljmkl]\�f]logjc�Z][Ymk]�qgm�Yj]�Yddgoaf_�ljY^â[�lg�qgmj�Éf]mljYd�rgf]Ê�jYl`]j�l`Yf�qgmj�hjanYl]�f]logjc$�Yf\�l`]�>aj]Zgp�âdl]jk�ljY^â[�Z]lo]]f�l`]�GhlagfYd�Yf\�Ljmkl]\�f]logjck&�



� 9ddgoaf_�Y�k]jna[]�^jge�Y�j]klja[l]\�k]l�g^�`gklk�ak�kge]o`Yl�kY^]j�l`Yf�Yddgoaf_�l`]�k]jna[]�^jge�Yfqo`]j]&�Al�ak�kY^]j�q]l�a^�qgm�Yddgo�Y�k]jna[]�gfdq�lg�Y�j]klja[l]\�k]l�g^�`gklk&

� =Y[`�kY^]lq�hj][Ymlagf�qgm�gZk]jn]�af�làk�dakl�eYc]k�qgmj�f]l%ogjc�ka_faâ[Yfldq�kY^]j&�>gj�]pYehd]$�^gddgoaf_�l`j]]�gj�^gmj�hj]%[Ymlagfk�ak�em[`$�em[`�kY^]j�l`Yf�^gddgoaf_�gf]�gj�fgf]&

� A^�l`]�k]jna[]�\g]kfÌl�`Yn]�Zmadl%af�Yml`]fla[Ylagf$�qgm�[Yf�eala%_Yl]�l`]�jakc�Zq�mkaf_�mk]j�Yml`]fla[Ylagf�oal`�l`Yl�k]jna[]&

� 9ddgoaf_�af[geaf_�k]jna[]k�^jge�Y�najlmYd�hjanYl]�f]logjc� NHF!$�o`]j]�l`]�gj_YfarYlagf�Yl�l`]�gl`]j�]f\�ak�cfgof�Yf\�Yml`]fla[Yl]\$�ak�_]f]jYddq�kY^]j�l`Yf�Yddgoaf_�af[geaf_�k]jna[]k�^jge�l`]�Afl]jf]l�Yl�dYj_]&�L`]�egj]�âfal]�l`]�j]egl]�f]logjc$�l`]�kY^]j&�Al�ak�kY^]j�lg�Yddgo�af[geaf_�k]jna[]k�^jge�Y�kaf_d]�`gkl�gj�keYdd�_jgmh�g^�`gklk�l`Yf�^jge�Y�dYj_]j�f]logjc&

Outgoing ServicesAf�_]f]jYd$�l`]�_j]Yl�jakck�[ge]�^jge�af[geaf_�k]jna[]k$�fgl�gml_g%af_�gf]k&�L`]j]�Yj]$�`go]n]j$�kge]�afl]j]klaf_�k][mjalq�jakck�oal`�gml_gaf_�k]jna[]k�Yk�o]dd&�>gj�]pYehd]$�o`]f�Yf�gj_YfarYlagf�e]e%Z]j�Y[[]kk]k�l`]�Afl]jf]l$�l`Yl�ak�Yf�gml_gaf_�k]jna[]$�]n]f�a^�l`]�mk]j�\gofdgY\k�âd]k�^jge�Yf�]pl]jfYd�O]Z�k]jn]j&�FgjeYddq�làk�ak�j]Y%kgfYZdq�kY^]�mfd]kk�l`]�\gofdgY\�[gflYafk�Yf�]p][mlYZd]�hjg_jYe&�Fg�gf]�cfgok�o`Yl�l`Yl�hjg_jYe�oadd�\g�mflad�al�ak�Y[lanYl]\$�oà[`�ak�lgg�dYl]�a^�l`]�hjg_jYe�ak�eYda[agmk&�9f�]pYehd]�g^�làk�oYk�l`]�E]dakkY�najmk�g^�)111$�oà[`�]eZ]\\]\�Y�Ea[jgkg^l�Ogj\�]p][mlYZd]�af�Yf�]%eYad�e]kkY_]&�O`]f�l`]�mk]j�gh]f]\�l`]�Ogj\�\g[me]fl$�al�Y[lanYl]\�Y�n]jq�kaehd]�Ogj\�eY[jg�l`Yl�k]fl�[gha]k�g^�l`]�]%eYad�lg�l`]�âjkl�*-�fYe]k�af�l`]�j][aha]flÌk�h]jkgfYd�]%eYad�Y\\j]kk�Zggc&

9k�Yfgl`]j�]pYehd]$�a^�Yf�Yddgo]\�gml_gaf_�k]jna[]�ljYfkealk�[d]Yj%l]pl�hYkkogj\k� ^gj�]pYehd]$�>LH$�l]df]l$�gj�HGH!�l`]q�eYq�Z]�l`]�kYe]�Yk�qgmj�gj_YfarYlagfÌk�afl]jfYd�hYkkogj\k�Yf\�mk]j�A<k&

Other Principles of Security vs. RiskL`]�egj]�[gehd]p�qgmj�f]logjc�[gfâ_mjYlagfk�Yj]$�l`]�jakca]j�l`]q�Yj]&�L`]�dYj_]j�Yf\�egj]�Y[[]kkaZd]�l`]�Ljmkl]\�f]logjc�ak$�l`]�_j]Yl]j�l`]�[`Yf[]�l`]j]�Yj]�hgl]flaYd�hgaflk�g^�YllY[c�Yf\�`gklad]�e]eZ]jk�gf�l`]�f]logjc&

Internal HostsL`]�egj]�afl]jfYd�`gklk�l`Yl�Yj]�Yddgo]\�Yk�\aklaf[l�\]klafYlagfk$�l`]�egj]�jakcq�l`]�[gfâ_mjYlagf&�Làk�ak�Z][Ymk]�]Y[`�Yddgo]\�af[geaf_�k]jna[]�aehda]k�Y�[]jlYaf�Yegmfl�g^�`gkl%ZYk]\�[gfâ_mjYlagf�Yf\�egfalgjaf_�gf�l`Yl�afl]jfYd�`gkl&�9dd�gl`]j�làf_k�Z]af_�]imYd$�qgm�Yj]�kY^]j�a^�gfdq�gf]�afl]jfYd�`gkl�ak�l`]�\]klafYlagf�^gj�Ydd�k]jna[]k�l`Yf�a^�qgm�`Yn]�gf]�`gkl�h]j�k]jna[]&



Masquerading Private Network NumbersAl�ak�kY^]j�lg�`Yn]�hjanYl]�f]logjc�fmeZ]jk�af�qgmj�afl]jfYd�f]l%ogjc k!�eYkim]jY\]\�Zq�l`]�>aj]Zgp&�Gmlka\]�Yll]ehlk�lg�\aj][ldq�[gflY[l�hjanYl]�f]logjc�fmeZ]jk�oadd�Z]�j]b][l]\�Zq�l`]�jgml]j�Z]^gj]�l`]q�[Yf�]n]f�eYc]�al�lg�l`]�>aj]Zgp&

Automatic Rejection of Spoofing and IP OptionsKhggâf_�ak�o`]j]�Yf�Yll]ehl]\�]fljq�mk]k�gf]�g^�qgmj�afl]jfYd�AH�Y\\j]kk]k�Yk�l`]�kgmj[]�Y\\j]kk&�L`]�a\]Y�ak�lg�^ggd�l`]�jgml]j�aflg�Élàfcaf_Ê�l`]�hY[c]l�[Ye]�^jge�oalàf�l`]�gj_YfarYlagf&�AH�ghlagfk�Yj]�Y\\alagfk�lg�l`]�klYf\Yj\�AH�`]Y\]j�oà[`$�o`]f�mk]\�d]_ala%eYl]dq�Y\\�dalld]�^mf[lagfYdalq$�Yf\�o`]f�mk]\�oal`�eYda[]�Yj]�\Yf%_]jgmk&�Fgl�k]llaf_�qgmj�>aj]Zgp�[gfâ_mjYlagf�lg�YmlgeYla[Yddq�j]b][l�hY[c]lk�oal`�khgg^]\�Y\\j]kk]k�gj�AH�ghlagfk�af�l`]aj�`]Y\]jk�_j]Yldq�[gehjgeak]k�l`]�kY^]lq�g^�qgmj�afklYddYlagf&

Elements that Decrease Firewall Security9^l]j�qgm�[j]Yl]�Y�ZYka[�[gfâ_mjYlagf�oal`�l`]�Ima[cK]lmh�OarYj\$�qgm�oadd�]phYf\�Yf\�^mjl`]j�\]âf]�qgmj�[gfâ_mjYlagf&�=Y[`�^]Ylmj]�qgm�Y\\�gj�k]l�eYq�af[j]Yk]�l`]�af`]j]fl�jakc&�Kge]�^]Ylmj]k�af[j]Yk]�l`]�jakc�Y�dgl$�kge]�d]kk&�Làk�k][lagf�daklk�nYjagmk�[gfâ_mjYlagf�hYjYe]l]jk�qgm�ea_`l�k]l$�Yf\�Ykkg[aYl]k�Y�dgo$�e]\ame$�gj�à_`�jakc�^Y[lgj�oal`�l`]�Y\\alagf�g^�l`Yl�^]Ylmj]&

Additional Gateways and Hosts9\\alagfYd�_Yl]oYqk�Yj]�Y�[memdYlan]�jakc&�=Y[`�Y\\alagfYd�_Yl]oYq�qgm�Y\\�g^^�l`]�Ljmkl]\�gj�GhlagfYd�afl]j^Y[]�Y\\k�Y�dgo�jakc&�:q�l`]�lae]�qgm�Y\\]\�]a_`l�gj�egj]�_Yl]oYqk$�qgmÌn]�Y\\]\�Y�^Yajdq�à_`�jakc&�

=Y[`�\aklaf[ldq�fYe]\�`gkl�gf�l`]�Ljmkl]\�afl]j^Y[]�Y\\k�Y�dgo�jakc�lg�YZgml�l`]�\]_j]]�l`Yl�Yf�Y\\]\�_Yl]oYq�ogmd\&�9k�oal`�Y\\]\�_Yl]oYqk$�]a_`l�gj�egj]�Y\\alagfYd�`gklk�dakl]\�gf�l`]�Ljmkl]\�afl]j%^Y[]�Y\\k�Y�^Yajdq�à_`�jakc&�

=Y[`�\aklaf[ldq�fYe]\�`gkl�gf�l`]�GhlagfYd�afl]j^Y[]$�`go]n]j$�Y\\k�Y�n]jq�dgo�jakc$�YZgml�`Yd^�o`Yl�Yf�Y\\]\�_Yl]oYq�gj�Ljmkl]\�`gkl�ogmd\&�=n]f�]a_`l�gj�l]f�`gklk�gf�l`]�GhlagfYd�afl]j^Y[]�Y\\k�Y�^Yajdq�dgo�jakc&�

Big RisksL`]k]�jakck�Yj]�]plj]e]dq�à_`�^gj�Y�>aj]Zgp�k]jnaf_�Yk�qgmj�âj]oYdd�lg�l`]�Afl]jf]l&�Gn]jja\af_�l`]k]�k]llaf_k�eYq�Z]�GC�a^�qgm�Yj]�mkaf_�l`]�>aj]Zgp�lg�k]hYjYl]�log�afl]jfYd$�hjanYl]�f]logjck&

� Gn]jja\af_�l`]�k]llaf_�lg�YmlgeYla[Yddq�Zdg[c�hY[c]lk�^jge�khgg^]\�Y\\j]kk]k�ak�Y�n]jq�à_`�jakc$�egj]�l`Yf�loa[]�Yk�à_`�Yk�`Ynaf_�l]f�_Yl]oYqk�gf�l`]�Ljmkl]\�afl]j^Y[]&�



� Gn]jja\af_�l`]�k]llaf_�lg�YmlgeYla[Yddq�Zdg[c�hY[c]lk�oal`�AH�ghlagfk�af�l`]�Y\\j]kk�ak�Y�n]jq�à_`�jakc$�egj]�l`Yf�loa[]�Yk�à_`�Yk�`Ynaf_�l]f�_Yl]oYqk�gf�l`]�Ljmkl]\�afl]j^Y[]&

� Ajj]khgfkaZd]�[gfâ_mjYlagfk$�km[`�Yk�[gfâ_mjaf_�l`]�É9fqÊ�k]j%na[]�lg�Yddgo�af[geaf_�ljY^â[�^jge�9fq�]pl]jfYd�`gkl�lg�9fq�ljmkl]\�`gkl&�Làk�j]f\]jk�qgmj�âj]oYdd�eggl3�\gfÌl�\g�al�

Medium RisksL`]�^gddgoaf_�hjY[la[]k�Yj]�YZgml�gf]%^gmjl`�lg�gf]%`Yd^�Yk�\Yf_]j%gmk�Yk�l`]�à_`�jakc�Y[lagfk�YZgn]2

� Mkaf_�hmZda[�AH�Y\\j]kk]k�^gj�[geml]jk�gf�l`]�Ljmkl]\�afl]j^Y[]�afkl]Y\�g^�hjanYl]�Y\\j]kk]k&�

� Fgl�]fYZdaf_�AH�EYkim]jY\af_&�� Fgl�]fYZdaf_�Hgjl�>gjoYj\af_&� =Y[`�afklYf[]�g^�]fYZdaf_�Af[geaf_�>LH3�l`j]]�gj�egj]�]fYZd]\�

Af[geaf_�>LH�k]jna[]k�ogmd\�l`]j]^gj]�Y[[memdYl]�lg�Y�à_`�jakc&� 9fq�Y\\]\�hY[c]l�âdl]j�k]jna[]� fgl�l`]�hjgpa]\�k]jna[]k!&

Low RisksL`]k]�Y[lagfk�Y\\�jakck$�Zml�fgl�Yk�\jYeYla[Yddq�Yk�l`]�e]\ame�gj�à_`�jakck&

� 9\\af_�hjgpa]\�k]jna[]k�Y\\k�Y�dgo�jakc�[gehYj]\�lg�`Ynaf_�l`Yl�k]jna[]�\akYZd]\&�Hjgpa]\�KELH�ak�kge]o`Yl�jakca]j�l`Yf�@LLH�gj�<FK&�9�hjgpa]\�k]jna[]�ak�em[`�kY^]j�l`Yf�alk�hY[c]l%âdl]j]\�[gmfl]jhYjl$�Z][Ymk]�gfdq�l`]�hjgpa]\�n]jkagf�Zdg[ck�mfkY^]�[gf%l]fl�lqh]k�ojYhh]\�afka\]�YddgoYZd]�[gfl]fl�lqh]k&

� 9\\af_�k]jna[]k�km[`�Yk�kk`$�kkd$�Yf\�nhf�oà[`�`Yn]�l`]aj�gof�Yml`]fla[Ylagf�Yj]�dgo]j�jakc�l`Yf�Y\\af_�k]jna[]k�l`Yl�`Yn]�fg�Yml`]fla[Ylagf&�

Lowering RisksGf[]�qgm�`Yn]�Y\\]\�âdl]j�Yf\�hjgpq�k]jna[]k$�qgm�[Yf�j]\m[]�l`]�jakck�l`]q�Zjafc�Zq�^mjl`]j�j]klja[laf_�l`]�YddgoYZd]�ljY^â[�^gj�l`]�k]j%na[]2

� J]klja[laf_�af[geaf_�ljY^â[�^gj�Y�_an]f�k]jna[]�lg�Y�kaf_d]�`gkl�gf�l`]�Ljmkl]\�afl]j^Y[]�j]\m[]k�l`]�jakc�Zq�YZgml�gf]%^gmjl`&�

� J]klja[laf_�af[geaf_�ljY^â[�^gj�Y�_an]f�k]jna[]�lg�Y�kaf_d]�`gkl�gf�l`]�GhlagfYd�afl]j^Y[]�j]\m[]k�l`]�jakc�Zq�YZgml�gf]%`Yd^&�

� A^�log�gj�egj]�`gklk�Yj]�Yddgo]\�af[geaf_�ljY^â[�^gj�Y�_an]f�k]j%na[]$�l`]j]�ak�dalld]�gj�fg�jakc�j]\m[lagf&�

� A^�gml_gaf_�ljY^â[�ak�Yddgo]\�^jge�gfdq�gf]�`gkl�^gj�Y�k]jna[]$�l`]�jakc�ak�j]\m[]\�Zq�gf]%^gmjl`&�A^�l`]j]�Yj]�log�gj�egj]�Yddgo]\�`gklk$�l`]j]�ak�fg�ka_faâ[Yfl�jakc�j]\m[lagf&


Organizing your Organization

� A^�l`]�k]jna[]�j]imaj]k�mk]j�Yml`]fla[Ylagf�lg�Yddgo�Y[[]kk�^jge�]pl]jfYd�`gklk$�l`]�jakc�ak�[ml�af�`Yd^�[gehYj]\�lg�Y�fgf%Yml`]fla%[Yl]\�k]jna[]&�

Organizing your Organization

Gj_Yfaraf_�qgmj�gj_YfarYlagf�^gj�l`]�hmjhgk]k�g^�f]logjc�Y\eafak%ljYlagf�Yf\�k][mjalq�ak�l`]�Y[l�g^�Ykka_faf_�]ehdgq]]k�gj�gj_YfarYlagf�e]eZ]jk�lg�_jgmhk�ZYk]\�gf�l`]�[geegfYdalq�g^�l`]aj�lYkck$�^mf[%lagfk$�Y[[]kk�f]]\k$�Yf\'gj�ljmklogjlàf]kk&

A^�qgm�`Yn]�fgl�Ydj]Y\q�\gf]�làk$�fgo�ak�\]âfal]dq�l`]�lae]�lg�gj_Y%far]�qgmj�gj_YfarYlagf�gj�[gehYfqÈZ]^gj]�qgm�Z]_af�[gfâ_mjaf_�qgmj�f]logjc�k][mjalq&

>gj�]pYehd]$�qgm�ea_`l�`Yn]�Y�_jgmh�^gj�Y[[gmflaf_$�Yfgl`]j�^gj�h]jkgff]d$�kYd]k$�eYjc]laf_$�Yf\�j]k]Yj[`�Yf\�\]n]dghe]fl&�Qgm�Ydkg�ea_`l�[j]Yl]�Y�hjgZYlagfYjq�_jgmh�oal`�à_`�j]klja[lagfk�^gj�f]o�]ehdgq]]k�gj�l`gk]�o`g�Yj]�h]j[]an]\�Yk�Y�_j]Yl]j�jakc�lg�l`]�gj_YfarYlagf&�Oal`�OYl[`?mYj\$�qgm�[Yf�\]daf]Yl]�log�\a^^]j]fl�lqh]k�g^�_jgmhk2�

� ?jgmhk�^gj�YdaYk]k�Yf\�Yml`]fla[Ylagf$�o`]j]�_jgmhaf_k�Yj]�Yhhda%[YZd]�^gj�af[geaf_�Yf\�gml_gaf_�ljY^â[�^gj�kh][aâ[�k]jna[]k$�Yf\�^gj�najlmYd�hjanYl]�f]logjcaf_� NHF!

� ?jgmhk�^gj�O]Z:dg[c]j$�o`]j]�qgm�\]l]jeaf]�oà[`�_jgmhk�[Yf�Y[[]kk�oà[`�[gfl]fl�lqh]k�o`]f�Zjgokaf_�l`]�O]Z&

L`]�âjkl�lqh]�g^�_jgmhaf_�ak�]plj]e]dq�aehgjlYfl�Yf\�lae]%kYnaf_&�Oal`�_jgmhk$�al�ak�em[`�ima[c]j�Yf\�]Yka]j�lg�k]l�mh�Y�kh][aâ[�k]jna[]�^gj�[]jlYaf�_jgmhk�g^�[gehml]j�mk]jk$�gj�lg�Ykka_f�Y�[]jlYaf�lqh]�g^�Yml`]fla[Ylagf�lg�Y�_jgmh�g^�l]d][geeml]jk&�Qgm�[j]Yl]�_jgmhk�af�OYl[`?mYj\�oal`�l`]�9[[]kk�Yf\�9ml`]fla[Ylagf�K]lmh�lggd&�Gf]�làf_�]kh][aYddq�`Yf\q�oal`�làk�ak�l`Yl�qgm�[Yf�[j]Yl]�_jgmhk�l`Yl�mk]�Y�hYjla[mdYj�caf\�g^�Yml`]fla[Ylagf&�Qgm�[Yf�Ydkg�`Yn]�Y�f]logjc�Yk�Y�_jgmh$�gj�Y�_jgmh�g^�af\ana\mYd�[gehml]jk�Yk�Y�_jgmh&�A^�qgm�âf\�l`Yl�log�gj�egj]�h]ghd]�Yj]�af�egj]�l`Yf�gf]�_jgmh$�lYc]�l`]e�gml�g^�l`gk]�_jgmhk�Yf\�[j]Yl]�Y�f]o�_jgmh�^gj�l`]k]�h]ghd]&�Qgm�[Yf�hj]llq�em[`�[j]Yl]�Yk�eYfq�_jgmhk�Yk�f][]kkYjq�lg�eYc]�kmj]�qgmj�gj_YfarYlagf�ak�hjgh]jdq�\]daf]Yl]\�^gj�egkl�]^^][lan]�Y\eafak%ljYlagf�g^�k][mjalq&

Qgm�[j]Yl]�l`]�k][gf\�lqh]�g^�_jgmhaf_�^gj�O]Z:dg[c]j$�o`]j]�qgm�\]l]jeaf]�o`g�[Yf�na]o�o`Yl�kgjlk�g^�[gfl]fl�lqh]k�Yf\�o`]f�l`]q�eYq�Zjgok]�l`]�O]Z&�Af�O]Z:dg[c]j�qgm�[Yf�[j]Yl]�gf%`gmj�Yf\�g^^%`gmj�Y[[]kk�lg�\a^^]j]fl�[gfl]fl�lqh]k�^gj�\a^^]j]fl�_jgmhk&�>gj�]pYe%hd]$�qgm�ea_`l�à_`dq�j]klja[l�[mklge]j�k]jna[]�_jgmhk�Z][Ymk]�l`]q�



`Yn]�lg�Z]�[gfklYfldq�^g[mk]\�gf�[mklge]j�f]]\k$�oàd]�qgm�]fYZd]�ZjgY\�Zjgokaf_�YZadalq�lg�J�<�lg�eYc]�j]k]Yj[`�^Ykl�Yf\�mf^]ll]j]\&

Determining your Allowable Traffic

<]l]jeafaf_�oà[`�ljY^â[�qgm�Yddgo�af�oà[`�\aj][lagf�ak�Y�eYbgj�eYfa^]klYlagf�g^�qgmj�k][mjalq�hgda[q&�O`]f�[gfâ_mjaf_�k]jna[]k�^gj�qgmj�>aj]Zgp$�qgm�hjgZYZdq�\g�fgl�f]]\�lg�]fYZd]�em[`�Af[geaf_�ljY^â[&�O`]f�qgmj�gj_YfarYlagf�e]eZ]jk�Y[[]kk�Y�O]Zkal]$�l`Yl�ak�Gml_gaf_�ljY^â[$�]n]f�o`]f�l`]q�\gofdgY\�kge]làf_�^jge�Y�O]Z%kal]&�L`]�ljY^â[�\aj][lagf�ak�\]l]jeaf]\�Zq�oà[`�\aj][lagf�afalaYl]\�l`]�[gff][lagf&�Af�eYfq�[Yk]k$�l`]�gfdq�af[geaf_�ljY^â[�oadd�Z]�]fYZd]\�naY�najlmYd�hjanYl]�f]logjcaf_&

L`]�k][mj]�klYf[]�\a[lYl]k�l`Yl�o`Yl]n]j�ak�fgl�]phj]kkdq�Yddgo]\�ak�^gjZa\\]f&�L`]j]^gj]$�qgm�emkl�\][a\]�Yf\�Y[lan]dq�]fYZd]�Yfq�k]j%na[]k�qgm�oYfl�lg�d]l�af�gj�d]l�gml&�J]e]eZ]j�l`Yl�]n]jq�k]jna[]�qgm�]fYZd]�hmf[`]k�Yfgl`]j�`gd]�af�qgmj�âj]oYdd&�>gj�làk�j]Ykgf$�]fYZd]�k]jna[]k�l`Yl�Yj]�gfdq�f][]kkYjq�Yf\�o]dd%bmklaâ]\&�LYc]�[Yj]�fgl�lg�gh]f�j]\mf\Yfl�k]jna[]k�l`Yl�mk]�l`]�kYe]�hjglg[gd�Zml�kaehdq�gh]f�mh�egj]�hgjlk�lg�mk]�al$�l`]j]Zq�eYcaf_�qgmj�f]logjc�egj]�nmdf]jY%Zd]�lg�hgjl�khY[]�hjgZ]k&

Organizing your network(s)

9l�alk�kaehd]kl$�qgm�gj_Yfar]�l`]�f]logjc�aflg�log�Yj]Yk2

� K][mj]\�Yj]Yk� >j]]�Yj]Yk

Oal`�Y�>aj]Zgp$�qgm�hml�l`]�k][mj]\�hYjl�g^�qgmj�afl]jfYd�f]logjc�gf�l`]�Ljmkl]\�afl]j^Y[]�Yf\�l`]�^j]]�Yj]Y�gf�l`]�GhlagfYd�afl]j^Y[]&�;gehml]jk�gf�l`]�GhlagfYd�afl]j^Y[]�[gflYaf�gfdq�l`]�[gfl]fl�l`Yl�qgm�\gfÌl�eaf\�k`Yjaf_�oal`�l`]�j]kl�g^�l`]�ogjd\&�Oal`�OYl[`%?mYj\Ìk�K][mjalq�LjaYf_d]�eg\]d$�fgl�gfdq�\g]k�l`]�>aj]Zgp�hjgl][l�l`]�Ljmkl]\�Yf\�GhlagfYd�afl]j^Y[]k�^jge�l`]�Afl]jf]l$�al�Ydkg�hjgl][lk�l`]�Ljmkl]\�Yf\�GhlagfYd�afl]j^Y[]k�^jge�]Y[`�gl`]j&

L`]�^gddgoaf_�\aY_jYe�ak�[Ydd]\�l`]�ÉOYl[`?mYj\�K][mjalq�LjaYf%_d]&Ê�Al�k`gok�hgkkaZd]�hjaeYjq�ljY^â[�hYll]jfk�^gj�Y�_an]f�hY[c]l$�Yf\�[Yf�Z]�n]jq�`]dh^md�dYl]j�o`]f�\][a\af_�o`]l`]j�Y�k]jna[]�k`gmd\�Z]�Yddgo]\�gj�\]fa]\&


Determining Out-of-Bounds areas

�

FIGURE 2. WatchGuard Security Triangle

� L`]�]pl]jfYd�afl]j^Y[]�[gff][lk�lg�l`]�]pl]jfYd�f]logjc� lqha[Yddq�l`]�Afl]jf]l!�l`Yl�hj]k]flk�l`]�k][mjalq�[`Ydd]f_]&�

� L`]�ljmkl]\�afl]j^Y[]�[gff][lk�lg�l`]�afl]jfYd�f]logjc�oà[`�qgm�oYfl�hjgl][l]\�lg�l`]�eYpaeme�hjY[la[Yd�Yegmfl&

� L`]�ghlagfYd�afl]j^Y[]�[gff][lk�lg�Y�k][gf\�k][mj]�f]logjc&�Lqha%[Yddq�al�ak�[gff][l]\�lg�Yfq�f]logjc�g^�k]jn]jk�hjgna\]\�^gj�hmZda[�Y[[]kk$�l`Yl�ak$�hmZda[�k]jn]jk&

Determining Out-of-Bounds areas

Gf]�dYkl�aehgjlYfl�[gfka\]jYlagf�ak�lg�\][a\]�oà[`�hYjlk�g^�qgmj�afl]jfYd�f]logjc�Yj]�gml�g^�Zgmf\k�^gj�]n]jqgf]�gj�f]Yjdq�]n]jqgf]&�L`]j]�eYq�Z]�[gehml]jk�l`Yl�k`gmd\�fgl�Z]�[gff][l]\�lg�Yfqlàf_�]dk]�Yl�Ydd&�;Yf\a\Yl]k�ea_`l�af[dm\]2

� HYqjgdd�Yf\�h]jkgff]d�j][gj\k� ;gjhgjYl]�J�<�Y[lanalq� :mkaf]kk�hdYfk� F]logjc�Y\eafakljYlagf�lggdk�km[`�Yk�hY[c]l�kfa^^]jk�oà[`�[gmd\�

Z]�\Yf_]jgmk�lg�qgmj�k][mjalq�a^�l`]q�o]j]�_]f]jYddq�YnYadYZd]&

A^�qgm�\]l]jeaf]�l`Yl�kge]�h]ghd]�f]]\�j]egl]�Y[[]kk�lg�kge]�g^�l`]k]�`gklk$�eYc]�kmj]�qgm�k]l�mh�Y[[]kk�kg�l`Yl�al�ak�]p[dmkan]�Yf\�

:DWFK*XDUG6HFXULW\7ULDQJOH

,QFRPLQJ

,QFRPLQJ

,QFRPLQJ

2XWJRLQJ

2XWJR

LQJ

2XWJRLQJ

6HFXULW\7ULDQJOH

([WHUQDO,QWHUIDFH

2SWLRQDO,QWHUIDFH

7UXVWHG,QWHUIDFH



j]imaj]k�Yml`gjarYlagf&�Kge]�e]l`g\k�g^�j]egnaf_�_]f]jYd�YnYadYZad%alq�eYq�Z]�Z]qgf\�l`]�>aj]ZgpÌk�k[gh]$�Zml�k`gmd\�Z]�hYjl�g^�qgmj�k][mjalq�hgda[q�fgf]l`]d]kk&�>gj�]pYehd]$�qgm�[gmd\�k]l�h]jeakkagfk�Yf\�gof]jkàh�g^�[]jlYaf�[gehml]jk�km[`�l`Yl�gfdq�Y�n]jq�^]o�h]g%hd]�[Yf�dg_�aflg�l`]e�Yl�Ydd&�L`]f�daeal�o`Yl�f]logjc�k]jna[]k�[Yf�Z]�mk]\�lg�Y[[]kk�l`]k]�[gehml]jk�lg�gf]k�l`Yl�j]imaj]�Yml`]fla[Ylagf&

L`]j]�eYq�Ydkg�Z]�`gklk�gml�gf�l`]�Afl]jf]l�l`Yl�hgk]�[gfklYfl�\Yf%_]jk&�>gj�]pYehd]$�l`]j]�ea_`l�Z]�Y�mfan]jkalq�[gehml]j�l`Yl�klm\]fl�`Y[c]jk�̀ Yn]�mk]\�egj]�l`Yf�gf[]�lg�ljq�lg�afnY\]�qgmj�f]logjc&�>gj�l`]k]�kal]k$�OYl[`?mYj\�hjgna\]k�Y�:dg[c]\�Kal]k�dakl�o`]j]�qgm�[Yf�h]jeYf]fldq�Zdg[c�Ydd�ljY^â[�̂ jge�l`]k]�[gehml]jk&�A^�Y�hY[c]l�[ge]k�^jge�Y�`gkl�gf�l`]�:dg[c]\�Kal]k�dakl$�al�kaehdq�\g]kfÌl�_]l�hYkl�l`]�>aj]Zgp&

Physical Security

O`]f�k]llaf_�mh$�[gfâ_mjaf_$�Yf\�afklYddaf_�af�l`]�f]logjc�Yf\�\a_%alYd�j]Yde$�\gfÌl�f]_d][l�l`]�h`qka[Yd�j]Yde&�Qgm�[gmd\�`Yn]�Yf�ajgf%[dY\�k][mjalq�hgda[q�l`Yl�hYkk]k�gfdq�l`]�egkl�affg[mgmk�ljY^â[$�Zml�alÌk�fgl�n]jq�hjgl][lan]�ak�kge]gf]�[Yf�oYdc�aflg�qgmj�g^â[]�Yf\�lYc]�l`]�>aj]Zgp�g^^�qgmj�\]kclgh�Yf\�gml�g^�qgmj�[mZa[d]&�L`]�kYe]�_g]k�^gj�qgmj�eYfY_]e]fl�klYlagf� l`]�[gehml]j�qgm�mk]�lg�[j]Yl]$�Ydl]j$�Yf\�mhdgY\�[gfâ_mjYlagfk�lg�l`]�>aj]Zgp!$�jgml]j$�dg_�`gklk$�dYhlgh�[gehml]jk�af�_]f]jYd$�Yf\�]kh][aYddq�dYhlgh�[gehml]jk�mk]\�^gj�J]egl]�Mk]j�NHF�l]d][geemlaf_&

EYc]�kmj]�Ydd�l`]k]�\]na[]k�Yj]�fgl�_]f]jYddq�YnYadYZd]�lg�gj_YfarY%lagf�e]eZ]jk�gj�l`]�hmZda[&�L`]�>aj]Zgp$�eYfY_]e]fl�klYlagf$�Yf\�dg_�`gklk�k`gmd\�Z]�h`qka[Yddq�k][mj]\&�L`]�>aj]Zgp�k`gmd\�Z]�af�Y�jgge�mf\]j�dg[c�Yf\�c]q&�L`]�eYfY_]e]fl�Yf\�dg_�`gklk�k`gmd\�Yl�d]Ykl�`Yn]�Y�c]qkoal[`�Yf\�^Ykl%Y[laf_�hYkkogj\%hjgl][l]\�k[j]]f�kYn]jk$�Yf\�a\]Yddq�k`gmd\�Z]�mf\]j�dg[c�Yf\�c]q�Yk�o]dd&�J]_Yj\af_�l`]�dYhlghk$�j]e]eZ]j$�eYfq�Yml`]fla[Ylagf�k[`]e]k�Y[lmYddq�Yml`]fla[Yl]�l`]�[gehml]j$�fgl�l`]�h]jkgf$�kg�Yf�]jjYfl�dYhlgh�l`YlÌk�gf�l`]�Yml`]fla[Ylagf�dakl�^gj�J]egl]�Mk]j�NHF�[gmd\�hgk]�Y�k]jagmk�k][mjalq�l`j]Yl$�Yl�d]Ykl�mflad�qgm�j]egn]�alk�Yml`gjarYlagf&

>afYddq$�eYc]�kmj]�qgm�`Yn]�Y�k][mjalq�hgda[q�lg�`Yf\d]�hjaflgmlk�Yf\�hgjlYZd]�\YlY�e]\aY� \akc]ll]k$�lYh]k!�k][mj]dq&�Gf]�g^�l`]�egkl�[geegf�`Y[c]j�e]l`g\k�g^�_Yafaf_�cfgod]\_]�g^�Yf�gj_YfarYlagfÌk�Y\\j]kk]k�Yf\�hYkkogj\k�ak�É\mehkl]j�\anaf_$Ê�o`]j]�l`]�`Y[c]j�ka^lk�l`jgm_`�l`]�gj_YfarYlagfÌk�ljYk`�^gj�klgjY_]�e]\aY�Yf\�j]n]Yd%af_�hjaflgmlk&


The Human Factor

The Human Factor

L`]�km[[]kk�g^�l`]�âj]oYdd�hgda[q�\]h]f\k�gf�`go�[Yj]^mddq�[jY^l]\�l`]�dYj_]j�k][mjalq�hgda[q�ak&�Af�hYjla[mdYj$�qgm�emkl�\jYo�Yf�afl]dda%_]fl�daf]�Z]lo]]f�o`Yl�ak�̀ meYfdq�eYfY_]\�Yf\�o`Yl�ak�YmlgeYl]\&�L`]�>aj]Zgp�ak�Y�hgo]j^md�Yf\�]^^][lan]�lggd$�fgl�Y�âfYd$�YmlgeYl]\�kgdmlagf�lg�f]logjc�k][mjalq&�>gj�]pYehd]$�Ydl`gm_`�l`]�>aj]Zgp�[Yf�hjgl][l�^jge�eYfq�lqh]k�g^�]pl]jfYd�l`j]Ylk$�al�[Yf�gfdq�\ak[gmjY_]�l`j]Ylk�^jge�l`]�afka\]�g^�qgmj�gj_YfarYlagf&�A^�qgmj�j]khgfk]�lg�afl]jfYd�k][mjalq�Zj]Y[`]k�ak�lg�Y\\�Yfgl`]j�k][mjalq�jmd]�lg�l`]�>aj]Zgp�[gfâ_mjYlagf$�qgm�eYq�Z]�[memdYlan]dq�dgo]jaf_�alk�gn]jYdd�k][mjalq�Yk�qgm�Y\\�[gehd]palq&�

Afl]jfYd�k][mjalq�YZmk]k�Yj]�h]jkgff]d�hjgZd]ek$�Yf\�k`gmd\�Z]�`Yf%\d]\�Yk�km[`&�Qgmj�gj_YfarYlagf�emkl�[geeal�alk]d^�lg�j]khgfkaZdq�egfalgjaf_�f]logjc�Y[lanalq� ^gj�oà[`�l`]�Dan]K][mjalq�Kqkl]e�hjg%na\]k�Y�kmal]�g^�]^^][lan]�egfalgjaf_�lggdk!&�O`]f�h]ghd]�Zj]Y[`�gj�nagdYl]�l`]�k][mjalq�hgda[q$�qgmj�gj_YfarYlagf�emkl�lYc]�j]khgfkaZad%alq�lg�[geemfa[Yl]�oal`�l`gk]�o`gk]�Y[lagfk�hgk]�Y�k][mjalq�jakc&�Al�ak�^Yj�egj]�]^^][lan]�lg�[j]Yl]�Yf�]fnajgfe]fl�o`]j]�k][mj]�Z]`Ynagj�ak�]ph][l]\�l`Yf�lg�ljq�lg�[gfâ_mj]�qgmj�âj]oYdd�kg�l`Yl�af^jY[lagfk�Yj]�aehgkkaZd]�lg�[geeal&


CHAPTER 3 Network Configuration

Làk�[`Yhl]j�]phdYafk�`go�qgm�[Yf�mk]�Y�kaf_d]�Yml`gjar]\�AH�Y\\j]kk�gf�l`]�>aj]Zgp�lg�j]hj]k]fl�Yf\�hjgl][l�Y�oa\]�nYja]lq�g^�hja%nYl]�f]logjck�Yf\'gj�`gklk&�O`]l`]j�qgm�`Yn]�Y�kaf_d]�f]logjc�Z]àf\�l`]�>aj]Zgp$�Y�^]o�f]logjck$�gj�Y�bmeZd]�g^�\akbgafl]\�f]l%ogjck�Yf\�jYf\ge�Y\\j]kk]k�Ykka_f]\�lg�kh][aâ[�`gklk$�l`]�OYl[`%?mYj\�YhhjgY[`�[Yf�YkkaeadYl]�l`]e�Ydd�aflg�Y�>aj]Zgp%[gehYlaZd]�f]logjc�[gfâ_mjYlagf&

OYl[`?mYj\�Y[[gehdak`]k�làk�n]jkYladalq�l`jgm_`�k]n]jYd�[gfâ_mjY%lagf�[gf[]hlk�l`Yl�Yj]�]phdYaf]\�af�làk�[`Yhl]j2

� Kaehd]�f]logjck� Hjgpq�9JH� Y\\j]kk�j]kgdmlagf�hjglg[gd!� Emdlahd]�f]logjck� KmZ%f]llaf_� J]dYl]\�f]logjck� J]dYl]\�`gklk

Simple Network (Drop-in) Configuration

9�kaehd]$�gj�É\jgh%afÊ�f]logjc�[gfâ_mjYlagf�ak�o`]j]�qgm�`Yn]�Y�kaf_d]��f]logjc�oalàf�qgmj�gj_YfarYlagf$�Yf\�l`]�>aj]Zgp�klYf\k�Z]lo]]f�al�Yf\�l`]�jgml]j�Yf\�Afl]jf]l�ogjd\&�9�kaehd]�f]logjc�[gf%â_mjYlagf�ak�addmkljYl]\�Z]dgo2


Network Configuration

FIGURE 3. Example of a Simple Network

9dl`gm_`�l`]�addmkljYlagf�eYq�dggc�Y�Zal�[gehd]p$�l`]�aehgjlYfl�làf_�lg�fgla[]�ak�l`Yl�Ydd�f]logjc�Ykka_fe]flk�̂ gj�l`]�>aj]Zgp$�jgml]j$�Yf\�hjanYl]�f]logjc�mk]�l`]�kYe]�AH�Y\\j]kk�jYf_]&

9�kaehd]�[gfâ_mjYlagf�ak�^gj�kalmYlagfk�o`]j]�qgm�[Yf�\akljaZml]�qgmj�f]logjcÌk�dg_a[Yd�Y\\j]kk�khY[]�Y[jgkk�l`]�>aj]ZgpÌk�afl]j^Y[]k&�Al�]fYZd]k�qgm�lg�hdY[]�l`]�>aj]Zgp�Z]lo]]f�l`]�jgml]j�Yf\�l`]�D9F�oal`gml�j][gfâ_mjaf_�Yfq�g^�l`]�eY[àf]k�gf�l`]�Ljmkl]\�afl]j^Y[]&�

How the Simple Configuration Works with Proxy ARP?]f]jYddq�o`]f�Y�eY[àf]�f]]\k�lg�k]f\�Y�hY[c]l$�al�ZjgY\[Yklk�Yf�9JH� Y\\j]kk�j]kgdmlagf�hjglg[gd!�j]im]kl�Ykcaf_�^gj�l`]�`Yj\oYj]�Y\\j]kk�g^�l`]�afl]j^Y[]�[Yj\�l`Yl�ÉgofkÊ�l`]�\]klafYlagf�AH�g^�l`]�hY[c]l�Z]af_�k]fl2�

��DUS�ZKR�KDV�OLQXV�WRUYDOGV�RUJ�WHOO�NHUQHO�WRUYDOGV�RUJ

L`]�`Yj\oYj]�afl]j^Y[]�[Yj\�l`Yl�`Yk�l`]�\]klafYlagf�AH�Y\\j]kk�j]khgf\k�oal`�l`]�[gjj][l�`Yj\oYj]�Y\\j]kk2

��DUS�UHSO\�OLQXV�WRUYDOGV�RUJ�LV�DW��F��FG�I�

5RXWHU

)LUHER[�,,

Trusted InterfaceIP: 111.222.121.2/24Network: 111.222.121.0

Trusted NetworkNetwork: 111.222.121.0/24

Address Range:111.222.121.3 to

111.222.121.254

RouterIP: 111.222.121.1/24Network: 111.222.121.0

External InterfaceIP: 111.222.121.2/24Network: 111.222.121.0

Optional InterfaceIP: 111.222.121.2/24Network: 111.222.121.0/24

Related Host:111.222.121.3


Simple Network (Drop-in) Configuration

Yf\�l`]�hY[c]l�ak�k]fl�lg�l`]�[gjj][l�Y\\j]kk$�Ykkmeaf_�Zgl`�eY[àf]k�Yj]�gf�l`]�kYe]�h`qka[Yd�oaj]2�gl`]joak]�l`]�ZjgY\[Yklk�[Yffgl�j]Y[`�l`]�ja_`l�afl]j^Y[]�[Yj\$�Yf\�al�l`]j]^gj]�[YfÌl�k]f\�Y�j]hdq&

Af�Y�kaehd]�[gfâ_mjYlagf$�l`]�>aj]Zgp�h]j^gjek�hjgpq�9JH2�al�Yfko]jk�9JH�j]im]klk�^gj�eY[àf]k�l`Yl�Yj]�gf�gl`]j�f]logjck$�oà[`�gj\afYjadq�[gmd\�fgl�É`]YjÊ�l`]�ZjgY\[Yklk&�O`]f�qgm�afklYdd�l`]�>aj]Zgp�Z]lo]]f�l`]�jgml]j�Yf\�l`]�j]kl�g^�l`]�Ljmkl]\�f]logjc$�al�j]hda]k�^gj�l`]�jgml]j$�Y[[]hlk�l`]�hY[c]l$�Yf\�^gjoYj\k�al�lg�l`]�jgml]j&

Làk�e][`Yfake�Yddgok�l`]�>aj]Zgp�lg�Z]�hdY[]\�af�Y�f]logjc�oal`%gml�[`Yf_af_�\]^Ymdl�_Yl]oYqk�gf�l`]�Ljmkl]\�`gklk$�kaf[]�l`]�>aj]Zgp�Yfko]jk�^gj�l`]�jgml]j$�]n]f�l`gm_`�l`]�jgml]j�[Yffgl�`]Yj�l`]�Ljmkl]\�`gklÌk�9JH�j]im]klk&

>gj�làk�lg�ogjc$�`go]n]j$�Ydd�l`]�Ljmkl]\�eY[àf]k�emkl�`Yn]�l`]aj�9JH�[Y[`]k�^dmk`]\$�kg�l`Yl�l`]�Ljmkl]\�afl]j^Y[]�`Yj\oYj]�Y\\j]kk�ak�Yddgo]\�lg�j]hdY[]�l`]�Y[lmYd�jgml]j�`Yj\oYj]�Y\\j]kk&

>gj�Y�OYl[`?mYj\�Ékaehd]�f]logjc�[gfâ_mjYlagfÊ�lg�ogjc$�Ydd�l`j]]�afl]j^Y[]k�gf�l`]�>aj]Zgp�emkl�Z]�Ykka_f]\�AH�Y\\j]kk]k�gf�l`]�kYe]�f]logjc� j]_Yj\d]kk�g^�o`]l`]j�qgm�eYc]�mk]�g^�l`]�GhlagfYd�afl]j%^Y[]!&�A\]Yddq$�Ydd�l`j]]�afl]j^Y[]k�Yj]�Ykka_f]\�l`]�kYe]�AH�Y\\j]kk$�fgl�bmkl�Y\\j]kk]k�^jge�l`]�kYe]�f]logjc�jYf_]&�Làk�kYn]k�qgmj�gj_YfarYlagf�log�AH�Y\\j]kk]k&�9_Yaf$�j]^]j�lg�>a_mj] +$�É=pYehd]�g^�Y�Kaehd]�F]logjc$Ê�gf�hY_] +,&

L`]�kaehd]�[gfâ_mjYlagf�Ykkme]k�l`Yl�egkl�g^�qgmj�gj_YfarYlagfÌk�D9F�ak�hdY[]\�gf�l`]�Ljmkl]\�afl]j^Y[]&�Al�[Yf$�`go]n]j$�Y[[geeg%\Yl]�gl`]j�f]logjck�gj�`gklk�g^�gl`]j�Y\\j]kk�jYf_]k�Z]àf\�l`]�>aj]Zgp&�L`]�OYl[`?mYj\�Hgda[q�EYfY_]j�hjgna\]k�Y�lggd�lg�dakl�l`]�AH�Y\\j]kk]k�g^�Yfq�f]logjck�gj�eY[àf]k�oal`�AH�Y\\j]kk]k�gmlka\]�Yf�afl]j^Y[]Ìk�f]logjc�jYf_]&�L`]�gl`]j�f]logjck�Yj]�[Ydd]\�J]dYl]\�F]logjck3�l`]�gl`]j�eY[àf]k�Yj]�[Ydd]\�J]dYl]\�@gklk&

About Related Networks and Related HostsJ]dYl]\�F]logjck�Yj]�f]logjck�gf�l`]�kYe]�h`qka[Yd�oaj]�Yk�l`]�>aj]Zgp�afl]j^Y[]k$�Zml�oà[`�`Yn]�f]logjc�Y\\j]kk]k�l`Yl�Z]dgf_�lg�Yf�]flaj]dq�\a^^]j]fl�f]logjc&�J]dYl]\�@gklk�Yj]�`gklk� mkmYddq�k]jn%]jk�gj�jgml]jk!�af�Y�Kaehd]�[gfâ_mjYlagf�l`Yl�emkl�Z]�hdY[]\�gf�l`]�GhlagfYd�gj�=pl]jfYd�afl]j^Y[]�g^�l`]�>aj]Zgp&

O`]f�Y\\af_�Y�J]dYl]\�F]logjc�lg�gf]�g^�l`]�>aj]Zgp�afl]j^Y[]k$�qgm�Yj]�eYhhaf_�Yf�AH�Y\\j]kk�^jge�l`]�j]dYl]\�f]logjc�lg�l`]�AH�Y\\j]kk�g^�l`]�afl]j^Y[]� Ljmkl]\$�=pl]jfYd$�gj�GhlagfYd!&�Làk�ak�cfgof�Yk�[j]Ylaf_�gj�Y\\af_�Yf�AH�YdaYk�lg�l`]�f]logjc�afl]j^Y[]�^gj�



l`]�J]dYl]\�F]logjc&�Làk�AH�YdaYk�Z][ge]k�l`]�\]^Ymdl�_Yl]oYq�^gj�Ydd�l`]�eY[àf]k�gf�l`Yl�hYjla[mdYj�j]dYl]\�f]logjc&

Làk�Ydkg�l]ddk�l`]�>aj]Zgp�l`Yl�l`]j]�ak�Yfgl`]j�f]logjc�j]ka\af_�gf�l`Yl�oaj]&�J]dYl]\�F]logjck�[Yf�Z]�mk]\�Zq�Zgl`�kaehd]�Yf\�emdla%hd]�f]logjc�[gfâ_mjYlagfk&�

Related HostsAf�Y�kaehd]�f]logjc�[gfâ_mjYlagf� k]]�ÉKaehd]�F]logjc� <jgh%af!�;gfâ_mjYlagfÊ�gf�hY_] ++!$�OYl[`?mYj\�Ykkme]k�l`Yl�Ydd�g^�l`]�`gklk�Yj]�gf�l`]�Ljmkl]\�afl]j^Y[]&�Ll`]�J]dYl]\�@gklk�^]Ylmj]�af^gjek�l`]�>aj]Zgp�oà[`�`gklk�Yj]�]p[]hlagfk�lg�l`]�Y\\j]kk�jYf_]&�Al�ak�[geegf�hjY[la[]�lg�hdY[]�O]Z�k]jn]jk$�>LH�k]jn]jk$�Yf\�gl`]j�ÉhmZda[Ê�eY[àf]k�gf�l`]�GhlagfYd�k]_e]fl&�9�jgml]j�lqha[Yddq�da]k�g^^�l`]�=pl]jfYd�afl]j^Y[]&�

Af�Y�kaehd]�[gfâ_mjYlagf$�l`]k]�Yj]�Ydd�J]dYl]\�@gklk$�Yf\�emkl�`Yn]�l`]aj�AH�Y\\j]kk]k�Ykkg[aYl]\�oal`�l`]�YhhjghjaYl]�afl]j^Y[]&�Af�làk�oYq$�OYl[`?mYj\�ak�YZd]�lg�hjgl][l�l`]�nYjagmk�`gklk�l`Yl�j]ka\]�gf�l`]�kYe]�f]logjc�^jge�]Y[`�gl`]j&�L`]�`gklk�gf�l`]�ljmkl]\�afl]j^Y[]�Yj]�Yk�kY^]�^jge�l`]�hmZda[�k]jn]jk�Yk�l`]q�Yj]�^jge�Afl]jf]l�k]jn]jk&

>gj�Y�kaehd]�f]logjc�l`Yl�mk]k�k]hYjYl]�AH�Y\\j]kk]k�^gj�]Y[`�g^�l`]�l`j]]�afl]j^Y[]k� fgl�j][gee]f\]\!$�l`]�=pl]jfYd�afl]j^Y[]Ìk�gof�AH�Y\\j]kk�emkl�Ydkg�Z]�Y\\]\�Yk�Y�J]dYl]\�@gkl�gf�l`]�=pl]jfYd�afl]j%^Y[]&�Làk�]fkmj]k�l`Yl�`gklk�gf�l`]�Ljmkl]\�Yf\�GhlagfYd�afl]j^Y[]k�[Yf�k]f\�ljY^â[�lg�l`]�]pl]jfYd�AH�Y\\j]kk&

Af�Y�emdlahd]�f]logjc�[gfâ_mjYlagf$�]Y[`�afl]j^Y[]�ak�gf�Y�\a^^]j]fl�f]logjc$�kg�l`]�J]dYl]\�@gklk�^]Ylmj]�ak�fgl�aehd]e]fl]\�^gj�l`gk]�[gfâ_mjYlagfk&

Multiple Network Configuration

L`]�emdlahd]�f]logjc�[gfâ_mjYlagf�ak�^gj�kalmYlagfk�o`]j]�l`]�>aj]Zgp�ak�hml�af�hdY[]�oal`�k]hYjYl]�dg_a[Yd�f]logjck�gf�alk�afl]j%^Y[]k&�Al�ak�addmkljYl]\�Z]dgo2


Multiple Network Configuration

L`]�emdlahd]�f]logjc�[gfâ_mjYlagf�emkl�Ykka_f�k]hYjYl]�f]logjc�Y\\j]kk�jYf_]k�lg�Yl�d]Ykl�log�g^�l`]�>aj]ZgpÌk�l`j]]�afl]j^Y[]k� =pl]j%fYd$�Ljmkl]\$�Yf\�GhlagfYd!&�A^�qgm�`Yn]�log�k]hYjYl]�f]logjc�Y\\j]kk]k�Yf\�qgm�oYfl�lg�mk]�l`]�emdlahd]�[gfâ_mjYlagf$�mk]�gfdq�l`]�=pl]jfYd�Yf\�Ljmkl]\�afl]j^Y[]k� l`Yl�ak$�\gfÌl�mk]�l`]�GhlagfYd�afl]j^Y[]!�Z][Ymk]�]Y[`�afl]j^Y[]�emkl�Z]�gf�Y�k]hYjYl]�f]logjc�af�emdlahd]�[gfâ_mjYlagf�eg\]&�

A^�qgm�`Yn]�l`j]]�gj�egj]�f]logjc�Y\\j]kk]k$�mk]�l`]�emdlahd]�f]l%ogjc�[gfâ_mjYlagf�Yf\�eYh�l`j]]�f]logjck�lg�l`]�l`j]]�afl]j^Y[]k&�9\\�Y\\alagfYd�f]logjck�Yk�J]dYl]\�F]logjck�lg�gf]�gj�egj]�g^�l`]�afl]j^Y[]k&�Qgm�[Yf�j]dYl]�\a^^]j]fl�f]logjck�lg�\a^^]j]fl�afl]j^Y[]k&�L`gk]�f]logjck�l`]f�[ge]�mf\]j�l`]�hjgl][lagf�Yf\�Y[[]kk�jmd]k�k]l�mh�^gj�l`Yl�afl]j^Y[]&�L`]�>aj]Zgp�^gjoYj\k�hY[c]lk�lg�l`]�nYjagmk�afl]j^Y[]k�\]h]f\af_�gf�`go�l`]�f]logjck�Yf\�`gklk�Yj]�[gfâ_mj]\�Yf\�\]âf]\&

5RXWHU

)LUHER[�,,

Trusted InterfaceIP: 211.111.212.1/24Network: 211.111.212.0/24

Trusted NetworkNetwork: 211.111.212.0/24

Address Range:211.111.212.2 to 211.111.212.255

RouterIP: 111.222.121.1/24Network: 111.222.121.0/24

External InterfaceIP: 111.222.121.2/24Network: 111.222.121.0/24

Optional InterfaceIP: 199.88.66.1.1/24Network: 199.88.66.0/24

Optional HostIP: 199.88.66.194/24Network: 199.88.66.0/24Gateway:199.88.66.1

Default Gateway:IP: 211.111.212.0/24


CHAPTER 4 Proxying and Packet Filtering

OYl[`?mYj\�hjgna\]k�alk�k][mjalq�l`jgm_`�log�e][`Yfakek2�\qfYea[�hY[c]l�âdl]jaf_�Yf\�ljYfkhYj]fl�Yhhda[Ylagf�hjgpa]k&

Làk�[`Yhl]j�\]âf]k�Yf\�\]k[jaZ]k�hY[c]l�âdl]jaf_�Yf\�k]jna[]�hjgp%a]k�Yk�j]dYl]\�lg�̂ aj]oYdd�l][`fgdg_q$�o`Yl�]Y[`�\g]k$�Yf\�o`q�[]jlYaf�hjglg[gdk�f]]\�l`]�]pljY�k][mjalq�g^�hjgpqaf_�nk&�âdl]jaf_&�Af[dm\]k�\ak[mkkagf�g^�Y�ÉklYf[]Ê�Yf\�l`]�jYeaâ[Ylagfk�g^�OYl[`?mYj\Ìk�klYf[]Èl`Yl�qgm�[gfâ_mj]�]n]jqlàf_�qgm�oYfl�lg�hYkk&

Dynamic Packet Filtering

<qfYea[�hY[c]l�âdl]jaf_�]pYeaf]k�l`]�`]Y\]jk�g^�hY[c]lk�Z]af_�k]fl�gj�j][]an]\&�@]Y\]jk�hjgna\]�af^gjeYlagf�gf�l`]�kgmj[]�g^�l`]�hY[c]l$�l`]�\]klafYlagf$�l`]�hjglg[gd�mk]\$�l`]�hgjl�fmeZ]j$�Yf\�gl`]j�af^gjeYlagf�g^�l`Yl�kgjl&�9�hY[c]l�̂ adl]j�]pYeaf]k�l`]�̀ ]Y\]jk�lg�\]l]jeaf]�o`]l`]j�l`]q�^gddgo�d]_alaeYl]�kqflYp�jmd]k�Yf\�[gehdq�oal`�l`]�[gfâ_mj]\�k][mjalq�hgda[q&�

9�âj]oYdd�hY[c]l�âdl]j�ak�YfYdg_gmk�lg�l`]�eYad�kgjl]j�Yl�Y�hmZdakàf_�[gehYfq$�o`g�]pYeaf]k�l`]�Yml`gjkÌ�]fn]dgh]k�lg�eYc]�kmj]�l`Yl�l`]q�Yj]�Zgl`�[geaf_�^jge�Y�d]_alaeYl]�Y\\j]kk$�Yf\�Zgmf\�^gj�Y�d]_alaeYl]�]\algj�oalàf�l`]�[gehYfq&�@]�[`][ck�l`]�hgklYd�_ma\]%daf]k�lg�eYc]�kmj]�l`Yl�`]�ak�Yddgo]\�lg�k]f\�làk�lqh]�g^�eYad�lg�làk�hYjla[mdYj�]\algj&�@]�\g]k�fgl�gh]f�l`]�]fn]dgh]k�Yf\�]pYeaf]�l`]�klgjq�Z]af_�k]fl3�`]�kaehdq�kgjlk�Yf\�jgml]k�l`]�eYad&�Làk�ak�]kk]f%laYddq�o`Yl�hY[c]l�âdl]jk�\g&�

>gj�]pYehd]$�a^�Y�hY[c]l�âdl]j�]f[gmfl]j]\�Y�hY[c]l�Ykka_f]\�lg�hgjl�,(+$�Yf\�l`]�̂ adl]j�ÉcfgokÊ�l`Yl�làk�hgjl�̀ Yk�fgl�Z]]f�gh]f]\�̂ gj�Yfq�k]jna[]$�l`]�âdl]j�ogmd\�j]b][l�l`]�hY[c]l�Z][Ymk]�alk�hgjl�fmeZ]j�ak�afnYda\�Y[[gj\af_�lg�hY[c]l�âdl]j�jmd]k&


Proxying and Packet Filtering

HY[c]l�âdl]jk�lqha[Yddq�gh]jYl]�Y[[gj\af_�lg�jmd]k�l`Yl�\]l]jeaf]�hY[c]l�\akhgkalagf&�L`]k]�jmd]k�Yj]�ojall]f�af�Y�âdl]j�dYf_mY_]�Yf\�[gdd][l]\�aflg�_jgmhk�[Ydd]\�ÊJmd]�K]lk&Ê�Jmd]�K]lk�[Yf�Z]�\a^â[mdl�lg�[gfâ_mj]�Yf\�ogjc�Z]kl�o`]f�afl]jhj]l]\�Zq�hjgh]jdq%ojall]f�âj]%oYdd�kg^loYj]�jYl`]j�l`Yf�Zq�`Yjja]\�f]logjc�kqkl]e�Y\eafakljYlgjk&�Af�Y\\alagf$�eYfq�hY[c]l�âdl]jk�\g�fgl�hjgna\]�l`]�e]Yfk�lg�âdl]j�gf�kge]�g^�l`]�egj]�mk]^md�hjgh]jla]k�g^�AH�hY[c]lk&�

OYl[`?mYj\�mk]k�\qfYea[�hY[c]l�âdl]jaf_�jmd]k�oà[`�_g�Z]qgf\�ZYka[�hY[c]l�̂ adl]jaf_�\]k[jaZ]\�YZgn]&�OYl[`?mYj\�ZYk]k�alk�̂ adl]jaf_�fgl�gfdq�gf�k]jna[]�lqh]k$�Zml�Ydkg�gf�[gf\alagfk�kmjjgmf\af_�l`]�afa%laYlagf�g^�Y�[gff][lagf&�OYl[`?mYj\�mk]k�\qfYea[�jmd]%k]lk$�Yddgo%af_�qgm�lg�Y\\�Yf\�j]egn]�jmd]k�\]h]f\af_�gf�f]logjc�Y[lanalq&�>gj�]pYehd]$�a^�Y�hYjla[mdYj�kal]�Yll]ehlk�lg�[gff][l�lg�Y�hgjl�al�`Yk�fg�Zmkaf]kk�[gff][laf_�lg$�OYl[`?mYj\�[Yf�Z]�[gfâ_mj]\�lg�YmlgeYla%[Yddq�Y\\�l`Yl�hYjla[mdYj�`gkl�lg�Y�ÉZdg[c]\�kal]k�dakl$Ê�eYcaf_�làf_k�km[`�Yk�hgjl�khY[]�hjgZ]k�af[j]Ykaf_dq�\a^â[mdl�lg�[Yjjq�gml&�

Proxies

Hjgpa]k�_g�o]dd�Z]qgf\�l`]�^mf[lagf�g^�Y�hY[c]l�âdl]j�Zq�]pYeafaf_�fgl�bmkl�l`]�`]Y\]jk�Zml�Ydkg�l`]�hY[c]l�[gfl]fl�Yk�o]dd&�Af�\gaf_�kg$�l`]�hjgpq�\]l]jeaf]k�a^�l`]j]�ak�Y�^gjZa\\]f�[gfl]fl�lqh]�à\\]f�gj�]eZ]\\]\�af�Yf�Yddgo]\�[gfl]fl�lqh]&�Lg�j]nakal�l`]�[gjhgjYl]�eYad�kgjl]j�YfYdg_q$�d]lÌk�kmhhgk]�l`]�eYad�kgjl]j�`Yk�bmkl�Z]]f�hjgegl]\�lg�k[j]]faf_�]\algj&�Fgo�`]�fgl�gfdq�j]Y\k�l`]�ÉLgÊ�Yf\�É>jgeÊ�Y\\j]kk]k�gf�l`]�]fn]dgh]k$�`]�]pYeaf]k�l`]�]fn]dgh]Ìk�[gfl]flk�lg�\]l]jeaf]�o`]l`]j�l`]�Y\\j]kk]\�]\algj�k`gmd\�j]Y\�l`]�klgjq&�Fgo�`]�ak�Y[laf_�Yk�Y�hjgpq�^gj�l`]�[gfl]fl�]\algj&�>gj�]pYehd]$�l`]�k[j]]f%af_�]\algj�gh]fk�Yf�]fn]dgh]�[gflYafaf_�Y�d]_alaeYl]�Yml`gjÌk�gja_a%fYlaf_�Y\\j]kk$�Yf\�Y\\\j]kk]\�lg�l`]�[ggcZggc�]\algj&��Afka\]�`]�âf\k�Yf�Y[lagf%Y\n]flmj]�â[lagf�klgjq�k]l�af�Y�jYaf�^gj]kl&�@]�[YfÌl�^gjoYj\�l`]�eYfmk[jahl�Z][Ymk]�alk�[gfl]fl�ak�afYhhjghjaYl]&�Af�l`]�kYe]�oYq$�Y�eYad�hjgpq�]pYeaf]k�Ydd�KELH�hY[c]lk�lg�\]l]jeaf]�o`]l`]j�l`]q�[gflYaf�^gjZa\\]f�[gfl]fl�lqh]k$�km[`�Yk�]p][mlYZd]�hjg_jYek�gj�al]ek�ojall]f�af�k[jahlaf_�dYf_mY_]k&�L`]�KELH�hjgpq�ÉcfgokÊ�l`]k]�[gfl]fl�lqh]k�Yj]�fgl�YddgoYZd]&�9�hY[c]l�̂ adl]j�ogmd\�f]n]j�`Yn]�fgla[]\&

Hjgpa]k�ogjc�Yl�l`]�Yhhda[Ylagf�d]n]d$�o`]j]Yk�AH�hY[c]l�âdl]jk�ogjc�Yl�l`]�hjglg[gd�d]n]d&�Làk�e]Yfk�l`Yl�]Y[`�hY[c]l�l`Yl�ak�j][]an]\�Zq�Y�hjgpq�emkl�Z]�kljahh]\�g^�Ydd�alk�f]logjc�ojYhhaf_$�YfYdqr]\$�hjg%[]kk]\$�Yf\�j]%ojYhh]\�kg�al�[Yf�Z]�^gjoYj\]\�lg�alk�afl]f\]\�\]kla%fYlagf&�Làk�Y\\k�k]n]jYd�dYq]jk�g^�[gehd]palq�Yf\�hjg[]kkaf_�o]dd�Z]qgf\�l`]�hY[c]l�âdl]jaf_�hjg[]kk&�O`Yl�làk�e]Yfk$�g^�[gmjk]$�ak�l`Yl�hjgpa]k�mk]�mh�egj]�hjg[]kkaf_�ZYf\oa\l`�l`Yf�hY[c]l�âdl]jk&�


Stance

Gf�l`]�gl`]j�`Yf\$�l`]q�[Yf�[Yl[`�\Yf_]jgmk�[gfl]fl�lqh]k�af�oYqk�l`Yl�hY[c]l�âdl]jk�[Yffgl&�

OYl[`?mYj\�]ehdgqk�Y�n]jq�hjY_eYla[�[geZafYlagf�g^�\qfYea[�hY[c]l�âdl]jaf_�Yf\�ljYfkhYj]fl�hjgpa]k�lg�[gfljgd�Yf\�egfalgj�l`]�^dgo�g^�AH�hY[c]lk�l`jgm_`�l`]�âj]oYdd&�L`]�ljYfkhYj]fl�hjgpa]k�Yj]�mk]\�^gj�l`]�hjglg[gdk�l`Yl�Yj]�l`]�egkl�nmdf]jYZd]$�oà[`�Yj]�mk]\�Zq�l`]�oa\]kl�nYja]lq�g^�f]logjc�mk]jk$�Yf\�oà[`�Yj]�egkl�dac]dq�lg�`Yn]�mfYddgo]\�[gfl]fl�lqh]k�]eZ]\\]\�oalàf&�Egkl�fglYZd]�Yegf_�l`]�OYl[`?mYj\�k]jna[]k�Yj]�hjgpa]k�^gj�KELH� ]%eYad!$�>LH� âd]�ljYfk^]j!$�Yf\�@LLH� OOO!&�D]kk�\Yf_]jgmk�lqh]k�g^�hY[c]lk�Yj]�âdl]j]\�Zq�af\ana\mYddq�[gfâ_mj]\�k]jna[]k&�=n]f�oal`�hY[c]l�âd%l]jk$�qgm�[Yf�\]l]jeaf]�o`Yl�`gklk�oalàf�qgmj�D9F�Yf\�gf�l`]�Afl]jf]l�[Yf�[geemfa[Yl]�oal`�]Y[`�gl`]j�l`jgm_`�l`Yl�hjglg[gd$�oà[`�]n]flk�lg�dg_� km[`�Yk�j]b][l]\�af[geaf_�hY[c]lk!$�Yf\�oà[`�k]ja]k�g^�]n]flk�k`gm\�afalaYl]�Y�fglaâ[Ylagf�g^�l`]�f]logjc�Y\eafak%ljYlgj&

Stance

L`]�hgda[q�g^�Y�âj]oYdd�j]_Yj\af_�l`]�\]^Ymdl�\akhgkalagf�g^�AH�hY[c%]lk�ak�cfgof�Yk�alk�klYf[]&�L`]�klYf[]�\a[lYl]k�o`Yl�l`]�âj]oYdd�oadd�\g�oal`�Yfq�_an]f�hY[c]l�af�l`]�YZk]f[]�g^�]phda[al�afkljm[lagfk&�Al�ak�_]f]jYddq�Y[[]hl]\�Zq�l`]�Afl]jf]l�k][mjalq�[geemfalq�l`Yl�l`]�klYf[]�g^�Y�âj]oYdd�k`gmd\�Z]�lg�\ak[Yj\�Ydd�hY[c]lk�l`Yl�Yj]�fgl�]phda[aldq�Yddgo]\$�g^l]f�klYl]\�Yk�Él`Yl�oà[`�ak�fgl�]phda[aldq�Yddgo]\�ak�\]fa]\&Ê

L`]�OYl[`?mYj\�K][mjalq�Kqkl]e$�dac]�egkl�[gee]j[aYd�âj]oYddk$�Y\ghlk�làk�Yk�alk�\]^Ymdl�klYf[]&�Làk�hjgl][lk�Y_Yafkl�YllY[ck�ZYk]\�gf�f]o$�mf^YeadaYj$�gj�gZk[mj]�AH�k]jna[]k&�Al�Ydkg�hjgna\]k�Y�kY^]lq�f]l�j]_Yj\af_�mfcfgof�k]jna[]k�Yf\�[gfâ_mjYlagf�]jjgjk�oà[`�[gmd\�gl`]joak]�l`j]Yl]f�f]logjc�k][mjalq&�

O`Yl�làk�Ydkg�e]Yfk$�l`]f$�ak�l`Yl�^gj�l`]�>aj]Zgp�lg�hYkk�Yfq�ljY^â[$�al�emkl�Z]�[gfâ_mj]\�lg�\g�kg&�L`]�f]logjc�Y\eafkljYlgj�emkl�Y[lan]dq�k]d][l�l`]�k]jna[]k�Yf\�hjglg[gdk�YddgoYZd]$�[gfâ_mj]�]Y[`�gf]�Yk�lg�oà[`�`gklk�[Yf�k]f\�Yf\�j][]an]�l`]e$�Yf\�k]l�gl`]j�hjgh%]jla]k�af\ana\mYd�lg�l`]�k]jna[]&�L`]�egkl�\]lYad]\�Y\\alagfYd�hjgh]j%la]k�Z]dgf_�lg�l`]�hjgpa]k&

Configuring Services

Af�l`]�OYl[`?mYj\�Y\eafakljYlan]�afl]j^Y[]$�a[gfk�j]hj]k]fl�k]jna[]k� hjgpa]k�Yf\�hY[c]l�âdl]jk!�l`Yl�[Yf�Z]�[gfâ_mj]\�^gj�Y�âj]oYdd&�O]�af[dm\]�f]Yjdq�^gmj�\gr]f�hY[c]l�âdl]jk�Yf\�Yfgl`]j�\gr]f�hjgpa]k&�K]jna[]k�[Yf�Z]�[gfâ_mj]\�^gj�gml_gaf_�ljY^â[�Yf\'gj�af[geaf_�ljY^%



â[&�L`]q�[Yf�Z]�Y[lan]�gj�afY[lan]&�O`]f�qgm�[gfâ_mj]�Y�k]jna[]$�qgm�k]l�l`]�YddgoYZd]�ljY^â[�]f\�hgaflk�Yf\�\]l]jeaf]�l`]�âdl]j�jmd]k�Yf\�hgda[a]k�^gj�]Y[`�g^�l`]k]�k]jna[]k&�Qgm�[Yf�Ydkg�[j]Yl]�k]jna[]k�lg�[mk%lgear]�jmd]k�k]lk$�\]klafYlagfk$�hjglg[gdk$�hgjlk�mk]\$�]l[&

Qgm�eYq�Ydkg�Y\\�mfaim]�gj�[mklge�k]jna[]k&�Làk�^]Ylmj]�Yddgok�OYl[`?mYj\�lg�]Ykadq�Y[[geeg\Yl]�f]o�L;H'AH�k]jna[]k�Yk�l`]q�Yj]�\]n]dgh]\&��:]Yj�af�eaf\$�`go]n]j$�l`Yl�a^�OYl[`?mYj\�\a\fÌl�af[dm\]�Y�hY[c]l�âdl]j�k]jna[]�qgmÌ\�dac]$�alÌk�hjgZYZdq�Z][Ymk]�o]�\gfÌl�Y\ng[Yl]�alk�_]f]jYd�mk]�af�Y�âj]oYdd&�O]�hjgna\]�l`]�e]Yfk�lg�[j]Yl]�qgmj�gof�hY[c]l�âdl]jk$�Zml�o`]f�qgm�\g$�gfdq�h]jeal�l`]�ljY^â[�^dgo�af�l`Yl�k]jna[]�l`Yl�ak�YZkgdml]dq�]kk]flaYd&

Configurable Parameters for ServicesL`]j]�Yj]�k]n]jYd�hYjYe]l]jk�qgm�[Yf�k]l�gj�[gfâ_mj]�af�l`]�OYl[`%?mYj\�K][mjalq�Kqkl]e$�af[dm\af_�l`]�^gddgoaf_2

ServicesK]jna[]k�Yj]�l`]�hj]%[gfâ_mj]\�hjgpa]k�Yf\�hY[c]l�âdl]jk�l`Yl�kgjl�Yf\�\aj][l�ljY^â[�^gj�l`]k]�lqh]k�g^�hjglg[gdk&�

Senders and Recipients for a Service>gj�]Y[`�k]jna[]�qgm�oYfl�Y[lan]$�qgm�emkl�k]l�af[geaf_�Yf\'gj�gml_g%af_�Y[[]kk�jmd]k�gj�hjgh]jla]k$�oà[`�]flYadk�\]âfaf_�l`]�`gklk$�f]l%ogjck$�dg__af_$�Yf\'gj�mk]jk�o`g�Yj]�h]jeall]\�lg�k]f\�gj�j][]an]�hY[c]lk�l`jgm_`�l`]�âj]oYdd�mkaf_�làk�k]jna[]&�

L`]j]�Yj]�k]hYjYl]�[gfljgdk�^gj�[gfâ_mjaf_�af[geaf_�Yf\�gml_gaf_�ljY^%â[&�L`]�gml_gaf_�[gfljgdk�\]âf]�oà[`�`gklk�Yf\�mk]jk�Z]àf\�l`]�>aj]Zgp�[Yf�mk]�làk�k]jna[]�lg�afalaYl]�k]kkagfk�oal`�Yf�gmlka\]�`gkl&�L`]�af[geaf_�[gfljgdk�\]âf]�oà[`�`gklk�Yf\�mk]jk�gmlka\]�l`]�>aj]Zgp�[Yf�mk]�làk�k]jna[]�lg�afalaYl]�k]kkagfk�oal`�qgmj�hjgl][l]\�mk]jk�Yf\�`gklk&�Qgm�[Yf�Ydkg�kh][a^q�Yf\�Y\\�l`]�`gklk�gj�mk]jk�lg�]al`]j�kgmj[]k�gj�\]kla%fYlagfk�g^�af[geaf_�gj�gml_gaf_�ljY^â[�Y[[gj\af_�lg�l`]�jmd]k�qgm�oYfl�lg�\]âf]&

Property Settings>gj�hjgpa]k�km[`�Yk�@LLH$�>LH$�Yf\�KELH$�l`]j]�Yj]�Y\\alagfYd�hjgh]j%la]k�k]llaf_k&�Af�l`]�[Yk]�g^�KELH$�l`]j]�Yj]�k]hYjYl]�k]llaf_k�^gj�af[geaf_�Yf\�gml_gaf_�hjgh]jla]k&�L`]k]�[gfljgdk�]fYZd]�qgm�lg�k]l�lae]gmlk�Yf\�gl`]j�j]d]nYfl�hjgh]jla]k�^gj�l`Yl�hjgpq&�

Logging and Notification=Y[`�k]jna[]�`Yk�l`]�[gfljgdk�lg�]fYZd]�qgm�lg�k]d][l�oà[`�]n]flk�a^�Yfq�Yj]�lg�Z]�dg__]\$�o`]l`]j�qgm�oYfl�lg�Z]�fglaâ]\�g^�l`]k]�]n]flk$�Yf\�o`]l`]j�qgm�oYfl�lg�Z]�fglaâ]\�Zq�]%eYad$�hY_]j$�hgh%mh�oaf\go$�gj�gl`]j�[mklge�e]l`g\&�

Changing a ServiceGf[]�Y�k]jna[]�ak�Y\\]\$�qgm�[Yf�[`Yf_]�[]jlYaf�^]Ylmj]k�Yf\�YlljaZml]k�YZgml�l`Yl�k]jna[]�oal`gml�\]d]laf_�l`]�k]jna[]�Yf\�Y\\af_�al�Y_Yaf2


Configuring Services

� Qgm�[Yf�[`Yf_]�l`]�jmd]�k]lk�^gj�af[geaf_�Yf\�gml_gaf_�ljY^â[�^gj�Yf�]paklaf_�k]jna[]&

� Qgm�[Yf�[`Yf_]�dg__af_�Yf\�fglaâ[Ylagf�[`YjY[l]jakla[k�^gj�Y�k]j%na[]&

� Qgm�emkl�\]d]l]�Yf\�Y\\�l`]�k]jna[]�a^�qgm�oYfl�lg�[`Yf_]�alk�hgjl�[gfâ_mjYlagf$�[da]fl�hgjl�k]llaf_$�gj�hjglg[gd�mk]\&

Qgm�[Yf�eg\a^q�Yfqlàf_�[gflYaf]\�gf�Y�k]jna[]Ìk�hjgh]jla]k�\aYdg_�Zgp$�Zml�[Yffgl�[`Yf_]�Yfqlàf_�l`Yl�ak�hYjl�g^�Y�k]jna[]Ìk�afalaYd�k]lmh&

Deleting a ServiceO`]f]n]j�qgm�oYfl�lg�lYc]�Y�k]jna[]�gml�g^�l`]�[gfâ_mjYlagf$�al�ak�n]jq�kaehd]�lg�\]d]l]�al�^jge�l`]�YddgoYZd]�k]jna[]k$�hjgpa]k$�Yf\�hjg%lg[gdk�af�Y�kaf_d]�gh]jYlagf&

Qgm�[Yf�YdoYq�Y\\�l`]�k]jna[]�ZY[c�af�dYl]j�a^�\]kaj]\&


CHAPTER 5 Beyond Proxies and Packet Filters

9dl`gm_`�hjgpa]k�Yf\�hY[c]l�âdl]jk�Yj]�l`]�ÉZj]Y\�Yf\�Zmll]jÊ�g^�âj]oYddk$�l`]j]�Yj]�k]n]jYd�gl`]j�^]Ylmj]k�l`Yl�Yj]�]kk]flaYd�lg�Yf�]^^][lan]�âj]oYdd$�Yf\�eYfq�gl`]j�^]Ylmj]k�l`Yl��Yj]�YhhjghjaYl]�lg�l`]�ZjgY\]j�[gf[]hl�g^�f]logjc�k][mjalq&�Gl`]j�ZYka[�âj]oYdd�^mf[%lagfk�af[dm\]�Zdg[caf_�kal]k�Yf\�hgjlk$�AH�eYkim]jY\af_$�f]logjc�Y\\j]kk�ljYfdYlagf� F9L!$�Yf\�Ykka_faf_�a\]flaâ]jk�lg�kh][aâ[�[ge%hml]jk�Yf\�_jgmhk�g^�[gehml]jk� YdaYkaf_!&�Gl`]j�f]logjc�k][mjalq�^]Ylmj]k�af[dm\]�Yml`]fla[Ylagf$�najlmYd�hjanYl]�f]logjcaf_$�Yf\�O]Z�Zdg[caf_&

Blocking Sites

9�Zdg[c]\�kal]�ak�Yf�AH�Y\\j]kk�gmlka\]�l`]�>aj]Zgp�l`Yl�OYl[`?mYj\�hj]n]flk�^jge�[gff][laf_�oal`�`gklk�Z]àf\�l`]�>aj]Zgp&�L`]j]�Yj]�log�caf\k�g^�Zdg[c]\�kal]k2

� H]jeYf]fldq�Zdg[c]\�kal]k$�oà[`�Yj]�dakl]\�af�l`]�[gfâ_mjYlagf�âd]$�Yf\�[`Yf_]�gfdq�a^�qgm�eYfmYddq�[`Yf_]�l`]e

� �9mlg%Zdg[c]\�kal]k$�oà[`�OYl[`?mYj\�Y\\k�gj�\]d]l]k�\qfYea%[Yddq$�ZYk]\�gf�`go�l`]�âj]oYddÌk��\]^Ymdl�hY[c]l�`Yf\daf_�[gfâ_%mjYlagf�ak�k]l&�>gj�]pYehd]$�qgm�[Yf�[gfâ_mj]�al�lg�Zdg[c�kal]k�l`Yl�gja_afYl]�khggâf_�Yll]ehlk�Yf\�hgjl�hjgZ]k&�Qgm�[Yf�Ydkg�[gfâ_%mj]�Ymlg%Zdg[caf_�gf�Y�k]jna[]%Zq%k]jna[]�ZYkak�^gj�kal]k�l`Yl�gja_a%fYl]�hY[c]lk�l`Yl�Y�kh][aâ[�k]jna[]�\]fa]k&�9mlg%Zdg[caf_�ak�Y�l]ehgjYjq�klYl]�l`Yl�j]n]jlk�o`]f�l`]�Ymlg%Zdg[caf_�e][`Yfake�lae]k�gml� oà[`�[Yf�jYf_]�^jge�Y�eafml]�lg�Y�^]o�o]]ck!&

:dg[c]\�Kal]k�Yhhda]k�gfdq�lg�ljY^â[�gf�l`]�=pl]jfYd�afl]j^Y[]�g^�l`]�>aj]Zgp&�;gff][lagfk�Z]lo]]f�l`]�Ljmkl]\�Yf\�GhlagfYd�afl]j^Y[]k�Yj]�fgl�kmZb][l�lg�l`]�:dg[c]\�Kal]k�dakl&


Beyond Proxies and Packet Filters

:q�\]^Ymdl�l`]�OYl[`?mYj\�kqkl]e�h]jeYf]fldq�Zdg[ck�l`j]]�f]l%ogjc�Y\\j]kk]kÈ)(&(&(&('0$�)/*&(&(&).')*$�Yf\�)1*&).0&(&(').&�L`]k]�Yj]�l`]�hjanYl]�f]logjc�Y\\j]kk]k&�:Y[cZgf]�jgml]jk�k`gmd\�f]n]j�hYkk�ljY^â[�oal`�l`]k]�Y\\j]kk]k�af�l`]�kgmj[]�gj�\]klafYlagf�â]d\�g^�Yf�AH�hY[c]l&�A^�l`]j]�ak�ljY^â[�^jge�gf]�g^�l`]k]�Y\\j]kk]k$�al�ak�Ydegkl�[]jlYafdq�Y�khgg^]\�gj�gl`]joak]�kmkh][l�Y\\j]kk&�J>;k�)1)0$�).*/$�Yf\�)-1/�[gn]j�l`]�mk]�g^�l`]k]�Y\\j]kk]k&

OYl[`?mYj\Ìk�Ymlg%Zdg[caf_�Yf\�dg__af_�e][`Yfakek�[Yf�`]dh�qgm�\][a\]�o`Yl�kal]k�lg�h]jeYf]fldq�Zdg[c&�>gj�]pYehd]$�a^�qgm�[gfâ_%mj]�\]^Ymdl�hY[c]l�`Yf\daf_�lg�j]b][l�khggâf_�Yll]ehlk$�YmlgeYla%[Yddq�Zdg[c�kal]k�l`Yl�Yll]ehl�khggâf_$�Yf\�lg�dg_�l`]�khggâf_�Yll]ehl$�qgm�[Yf�dYl]j�na]o�l`]�dg_k�lg�\]l]jeaf]�a^�kh][aâ[�`gklk�Yj]�[gflafmgmkdq�ljqaf_�lg�khgg^�l`]aj�oYq�aflg�qgmj�kqkl]e&�O`]f�qgm�âf\�gf]�l`Yl�]pàZalk�làk�hYll]jf$�qgm�[Yf�Y\\�l`Yl�kal]Ìk�AH�Y\\j]kk�lg�l`]�h]jeYf]fl�:dg[c]\�Kal]k�dakl&

:dg[c]\�Kal]k�Yj]�mk]^md�Z][Ymk]�qgm�[Yf�[gehd]l]dq�hjgl][l�Y_Yafkl�kqkl]ek�oal`�oà[`�qgm�oYfl�fg�[gflY[l&�Gf[]�qgm�\]l]jeaf]�km[`�kal]k$�kaehdq�Zdg[c�Ydd�Yll]ehl]\�[gff][lagfk�^jge�l`]e&�Qgm�[Yf�[gfâ_mj]�dg__af_�lg�j][gj\�Ydd�Y[[]kk�Yll]ehlk�^jge�Zdg[c]\�kal]k$�Yf\�l`mk�[gdd][l�[dm]k�Yk�lg�o`Yl�k]jna[]k�l`]q�Yj]�Yll]ehlaf_�lg�YllY[c&

Logging Blocked Sites9dd�g^�l`]�mkmYd�dg__af_�ghlagfk�[Yf�Z]�mk]\�oal`�:dg[c]\�Kal]k&�L`]k]�]n]flk�k`gmd\�Z]�k]fl�lg�l`]�>aj]Zgp�dg_$�Yf\�al�ak�Y�_gg\�a\]Y�lg�`Yn]�l`]�kqkl]e�YmlgeYla[Yddq�fgla^q�l`]�f]logjc�Y\eafakljYlgj�o`]f�Y�Zdg[c]\�kal]�Yll]ehlk�lg�[geemfa[Yl]$�kaf[]�làk�ak�Y�jYj]�]n]fl�l`Yl�eYq�ka_fa^q�Yf�Yll]ehl]\�Zj]Yc%af&�

Blocking Ports

:dg[caf_�Hgjlk�]fYZd]k�qgm�lg�]phda[aldq�\akYZd]�[]jlYaf�f]logjc�k]j%na[]k�^jge�]pl]jfYd�Y[[]kk�l`Yl�Yj]�nmdf]jYZd]�]fljq�hgaflk�af�qgmj�gh]jYlagf&�Làk�lYc]k�hj][]\]f[]�gn]j�Yfq�g^�l`]�[gfâ_mjYlagf�k]l%laf_k�^gj�af\ana\mYd�k]jna[]�[gfâ_mjYlagfk&�

Dac]�:dg[c]\�Kal]k$�:dg[c]\�Hgjlk�Yhhdq�gfdq�lg�hY[c]lk�l`Yl�[ge]�af�lg�qgmj�f]logjc�gf�l`]�=pl]jfYd�afl]j^Y[]&�;gff][lagfk�Z]lo]]f�qgmj�GhlagfYd�Yf\�Ljmkl]\�afl]j^Y[]k�Yj]�fgl�kmZb][l�lg�l`]�:dg[c]\�Hgjlk�dakl&

L;H'AH�f]logjck�lqha[Yddq�mk]�hgjlk�lg�\aklaf_mak`�Z]lo]]f�\a^^]j%]fl�Yhhda[Ylagfk�gf�l`]�kYe]�`gkl&�9hhda[Ylagf�k]jn]jk�mk]�o]dd%cfgof�hgjlk�Ykka_f]\�Zq�Afl]jf]l�9kka_f]\�FmeZ]j�9ml`gjalq�


Blocking Ports

A9F9!�^gj�l`]�k]jn]j�ka\]�g^�Y�[gff][lagf$�Yf\�l`]�[da]fl�ka\]�mk]k�jYf\ge�hgjlk�_j]Yl]j�l`Yf�)(*,&

>gj�]pYehd]$�gf�Y�l]df]l�[gff][lagf�^jge�eY[àf]�dafmk&[ge�lg�lgj%nYd\k&gj_$�qgm�ogmd\�YdoYqk�mk]�hgjl�*+�^gj�l]df]l�gf�lgjnYd\k&gj_� l`]�k]jn]j!$�Yf\�kge]�hgjl�fmeZ]j�_j]Yl]j�l`Yf�)(*,�gf�dafmk&[ge� l`]�[da]fl!&

L`]�âjkl�l]df]l�[gff][lagf�lg�lgjnYd\k&gj_�ea_`l�mk]�hgjl�)(*,�gf�l`]�[da]fl�ka\]�Yf\�hgjl�*+�gf�l`]�k]jn]j�ka\]&

L`]�f]pl�[gff][lagf�ea_`l�mk]�hgjl�)(*-�gf�l`]�[da]fl�ka\]$�Zml�ogmd\�kladd�mk]�hgjl�*+�gf�l`]�k]jn]j�ka\]&

L`]j]�Yj]�k]n]jYd�j]Ykgfk�l`Yl�Zdg[caf_�hgjlk�[Yf�Z]�mk]^md2

� :dg[c]\�Hgjlk�hjgna\]k�Yf�af\]h]f\]fl�[`][c�lg�hjgl][l�l`]�egkl�k]fkalan]�k]jna[]k&�=n]f�a^�Yfgl`]j�hYjl�g^�OYl[`?mYj\�ak�eak[gf%â_mj]\$�:dg[c]\�Hgjlk�hjgna\]k�Yfgl`]j�daf]�g^�\]^]fk]�^gj�l`]�egkl�nmdf]jYZd]�k]jna[]k&

� HjgZ]k�lg�hYjla[mdYjdq�k]fkalan]�k]jna[]k�[Yf�Z]�dg__]\�af\]h]f%\]fldq&

� Kge]�L;H'AH�k]jna[]k�l`Yl�mk]�hgjlk�_j]Yl]j�l`Yf�)(*,� k]]�Z]dgo!�Yj]�nmdf]jYZd]�lg�YllY[c�a^�l`]�YllY[c]j�gja_afYl]k�l`]�[gf%f][lagf�^jge�Yf�Yddgo]\�o]dd%cfgof�k]jna[]�d]kk�l`Yf�)(*,&�L`mk$�l`]k]�[gff][lagfk�[Yf�Z]�YllY[c]\�Zq�Yhh]Yjaf_�lg�Z]�Yf�Yddgo]\�[gff][lagf�af�l`]�ghhgkal]�\aj][lagf&�L`]�hgjl�fmeZ]jk�g^�km[`�k]jna[]k�k`gmd\�Z]�Y\\]\�lg�l`]�Zdg[c]\�hgjlk�dakl&

:q�\]^Ymdl$�OYl[`?mYj\�Zdg[ck�imal]�Y�^]o�\]klafYlagf�hgjlk&�Làk�e]Ykmj]�hjgna\]k�[gfn]fa]fl�\]^Ymdlk�oà[`�oadd�fgl�j]imaj]�[`Yf_]k�^gj�egkl�[mklge]jk&

Lqha[Yddq$�l`]�^gddgoaf_�k]jna[]k�k`gmd\�YdoYqk�Z]�Zdg[c]\2

X Window (ports 6000-6063)P�Oaf\gok�`Yk�k]n]jYd�\aklaf[l�k][mjalq�hjgZd]ek�oà[`�eYc]�al�Y�daYZad%alq�gf�l`]�Afl]jf]l&�Oàd]�l`]j]�Yj]�k]n]jYd�Yml`]fla[Ylagf�k[`]e]k�YnYad%YZd]�Yl�l`]�P�k]jn]j�d]n]d$�l`]�egkl�[geegf�gf]k�Yj]�]Ykadq�\]^]Yl]\�Zq�Y�cfgod]\_]YZd]�YllY[c]j&�A^�Yf�YllY[c]jk�[Yf�[gff][l�lg�Yf�P�k]jn]j$�l`]q�[Yf�]Ykadq�j][gj\�Ydd�c]qkljgc]k�lqh]\�Yl�l`]�ogjcklYlagf$�[gdd][laf_�Yfq�hYkkogj\k�Yf\�gl`]j�k]fkalan]�af^gjeYlagf&�Ogjk]$�km[`�afljmkagfk�[Yf�Z]�\a^â[mdl�gj�aehgkkaZd]�lg�\]l][l�Zq�Ydd�Zml�l`]�egkl�cfgod]\_]YZd]�Yf\�hYjYfga\�mk]jk&

L`]�âjkl�P�Oaf\go�k]jn]j�ak�YdoYqk�gf�hgjl�.(((&�A^�qgm�`Yn]�Yf�P�k]jn]j�oal`�emdlahd]�\akhdYqk$�]Y[`�f]o�\akhdYq�mk]k�Yf�Y\\a%lagfYd�hgjl�fmeZ]j�Y^l]j�.((($�mh�lg�.(.+�^gj�Y�eYpaeme�g^�.,�\akhdYqk�gf�Y�_an]f�`gkl&



X Font Server (port 7100)J][]fl�n]jkagfk�g^�P�Oaf\gok�kmhhgjl�^gfl�k]jn]jk&�Oàd]�l`]j]�Yj]�fg�cfgof�k][mjalq�jakck�Ykkg[aYl]\�oal`�P�^gfl�k]jn]jk$�l`]k]�Yj]�f]o$�[ge%hd]p�hjg_jYek�oà[`�jmf�Yk�l`]�kmh]j%mk]j�gf�egkl�`gklk&�9k�km[`$�al�ak�Z]kl�lg�]phda[aldq�\akYZd]�Y[[]kk�lg�P�^gfl�k]jn]jk&

NFS (port 2049)F>K� l`]�F]logjc�>ad]�Kqkl]e!�ak�Y�hghmdYj�L;H'AH�k]jna[]�^gj�hjgna\%af_�k`Yj]\�âd]�kqkl]ek�gn]j�Y�f]logjc&�@go]n]j$�[mjj]fl�n]jkagfk�`Yn]�k]jagmk�Yml`]fla[Ylagf�Yf\�k][mjalq�hjgZd]ek�oà[`�eYc]�hjgna\af_�F>K�k]jna[]�gn]j�l`]�Afl]jf]l�n]jq�\Yf_]jgmk&

OpenWindows (port 2000)Gh]fOaf\gok�ak�Y�oaf\goaf_�kqkl]e�^jge�Kmf�Ea[jgkqkl]ek�oà[`�`Yk�l`]�kYe]�k][mjalq�jakck�Yk�P�Oaf\gok&

rlogin, rsh, rcp (ports 513, 514)L`]k]�log�k]jna[]k�hjgna\]�j]egl]�Y[[]kk�lg�gl`]j�[gehml]jk�Yf\�Yj]�jYl`]j�afk][mj]�gf�l`]�Afl]jf]l&�Kaf[]�eYfq�YllY[c]jk�hjgZ]�^gj�l`]k]�k]j%na[]k$�al�ak�hjm\]fl�lg�Zdg[c�l`]e&

RPC portmapper (port 111)JH;�K]jna[]k�mk]�hgjl�)))�lg�\]l]jeaf]�oà[`�hgjlk�Yj]�Y[lmYddq�mk]\�Zq�Y�_an]f�JH;�k]jn]j&�Kaf[]�JH;�k]jna[]k�l`]ek]dn]k�Yj]�l]jjaZdq�nmdf]jY%Zd]�lg�YllY[c�gn]j�l`]�Afl]jf]l$�l`]�âjkl�kl]h�af�YllY[caf_�JH;�k]jna[]k�ak�lg�[gflY[l�l`]�hgjleYhh]j�lg�âf\�gml�oà[`�k]jna[]k�Yj]�YnYadYZd]&

port 0Hgjl�(�ak�j]k]jn]\�Zq�A9F9$�Zml�eYfq�hjg_jYek�oà[`�k[Yf�hgjlk�klYjl�l`]aj�k]Yj[`�gf�hgjl�(&

port 1Hgjl�)�ak�^gj�l`]�jYj]dq�mk]\�L;Hemp�k]jna[]&�:dg[caf_�al�ak�Yfgl`]j�oYq�lg�[gf^mk]�hgjl�k[Yffaf_�hjg_jYek&

Other ServicesFgn]dd�AHP�gn]j�AH� hgjl�*)+!&�A^�qgm�mk]�Fgn]dd�AHP�gn]j�AH�afl]jfYddq$�qgm�ea_`l�oYfl�lg�]phda[aldq�Zdg[c�hgjl�*)+�`]j]&

NetBIOS services (ports 137 through 139)Qgm�k`gmd\�Ydkg�Zdg[c�l`]k]�hgjlk�a^�qgm�mk]�F]l:AGK�afl]jfYddq&�Oàd]�km[`�k]jna[]k�Yj]�Zdg[c]\�aehda[aldq�Zq�\]^Ymdl�hY[c]l�̀ Yf\daf_$�Zdg[caf_�l`]e�`]j]�[Yf�Z]�[gfn]fa]fl�Z][Ymk]�l`]q�[Yf�YmlgeYla[Yddq�Y\\�`gklk�lg�l`]�:dg[c]\�Kal]�Dakl&

Conflicts in Blocked PortsKge]lae]k�ÉjYf\geÊ�hgjlk�Yj]fÌl�jYf\ge&�Al�ak�hgkkaZd]�l`Yl�d]_ala%eYl]�mk]jk�ea_`l�`Yn]�hjgZd]ek�Z][Ymk]�g^�Zdg[c]\�hgjlk&�Af�hYjla[%mdYj$�kge]�[da]flk�ea_`l�l]ehgjYjadq�^Yad�Z][Ymk]�g^�Zdg[c]\�hgjlk&�Af�

!NOTE

Port 2049 is not assigned to NFS; however, in practice, this is the most common port used. The port assigned for NFS is assigned by the portmapper. It would be a good idea to verify that NFS is using port 2049 on all your systems.


Network Address Translation (NAT)

hjY[la[]�làk�`Yk�fgl�Z]]f�Y�hjgZd]e$�Z][Ymk]�Yhhda[Ylagf�dYq]jk�[Yf�Yf\�\g�j]ljq�^Yad]\�[gff][lagfk&

Qgm�k`gmd\$�`go]n]j$�Z]�n]jq�[Yj]^md�YZgml�Zdg[caf_�hgjl�fmeZ]jk�Z]lo]]f�)(((�l`jgm_`�)111$�Yk�l`]k]�fmeZ]jk�Yj]�hYjla[mdYjdq�dac]dq�lg�Z]�mk]\�Yk�[da]fl�hgjlk&

Auto-blocking sites that attempt to use blocked portsQgm�[Yf�[gfâ_mj]�Y�Zdg[c]\�hgjl�km[`�l`Yl�o`]f�Yf�gmlka\]�`gkl�Yll]ehlk�lg�Y[[]kk�al$�l`Yl�gmlka\]�`gkl�ak�l]ehgjYjadq�Ymlg%Zdg[c]\&�Qgm�[Yf�Ydkg�k]l�l`]�\mjYlagf�g^�l`]�Ymlg%Zdg[c&

Logging Blocked Port ActivityQgm�[Yf�Ydkg�Y\bmkl�qgmj�]n]fl�dg_k�Yf\�fglaâ[Ylagf�lg�Y[[geeg\Yl]�Yll]ehlk�lg�Y[[]kk�Zdg[c]\�hgjlk&�Qgm�[Yf�[gfâ_mj]�l`]�k][mjalq�kqk%l]e�lg�dg_�Ydd�Yll]ehlk�lg�mk]�Zdg[c�hgjlk$�Yf\�[Yf�^mjl`]j�[gfâ_mj]�l`]�kqkl]e�lg�k]fl�Y�f]logjc�Y\eafakljYlgj�fglaâ[Ylagf�o`]f�kge]%gf]�Yll]ehlk�lg�Y[[]kk�Y�Zdg[c]\�hgjl&

Network Address Translation (NAT)

F]logjc�9\\j]kk�LjYfkdYlagf�eYhk�hjanYl]�Y\\j]kk]k�lg�hmZda[�gf]k�Yf\�na[]�n]jkY&�F9L�ak�Ydkg�cfgof�Yk�AH�eYkim]jY\af_�gj�hgjl�^gj%oYj\af_$�\]h]f\af_�gf�l`]�lqh]�g^�Y\\j]kk�ljYfkdYlagf�h]j^gje]\&�:Yka[Yddq$�l`]j]�Yj]�log�lqh]k�g^�F9L2

� <qfYea[�F9L$� Ydkg�cfgof�Yk�AH�eYkim]jY\af_�gj�hgjl�Y\\j]kk�ljYfkdYlagf!�oà[`�hj]k]flk�l`]�>aj]ZgpÌk�AH�Y\\j]kk�lg�l`]�hmZda[$�oàd]�al�à\]k�Yf\�ljYfkdYl]k�l`]�AH�Y\\j]kk]k�g^�l`]�`gklk�al�ak�hjg%l][laf_&�<qfYea[�F9L�hjgl][lk�`gklkÌ�a\]flala]k�af�gml_gaf_�ljY^%â[&

� KlYla[�F9L$� Ydkg�cfgof�Yk�hgjl�^gjoYj\af_!�oà[`�Ykka_fk�Y�hgjl�kh][aâ[�lg�Y�_an]f�k]jna[]� km[`�Yk�hgjl�0(�^gj�@LLH!�lg�Yfgl`]j�hgjl�afl]jfYddq$�kg�l`Yl�gja_afYlgjk�g^�af[geaf_�ljY^â[�f]n]j�cfgo�o`Yl�`gkl�ak�Y[lmYddq�j][]anaf_�l`]�hY[c]lk&

Dynamic NAT<qfYea[�F9L�̀ a\]k�dg[Yd�f]logjc�Y\\j]kk]k�^jge�gl`]j�̀ gklk�gf�l`]�Afl]jf]l&�@gklk�]dk]o`]j]�gf�l`]�Afl]jf]l�k]]�gfdq�hY[c]lk�^jge�l`]�

!NOTE

Solaris uses ports greater than 32768 for clients.



>aj]Zgp�alk]d^&�<qfYea[�F9L�[Yf�ljYfkdYl]�l`]�Y\\j]kk]k�g^�Ydegkl�Ydd�L;H�Yf\�M<H%ZYk]\�ljYfkeakkagfk&

Af�<qfYea[�F9L$�gml_gaf_�hY[c]lk�Yj]�eYhh]\�lg�Y�jYf\ge�hgjl�gf�l`]�>aj]Zgp&�L`]�kgmj[]�Y\\j]kk�gf�l`]k]�hY[c]lk�ak�l`]f�j]%ojall]f�oal`�l`]�AH�Y\\j]kk�g^�l`]�>aj]Zgp$�Yf\�l`]�jYf\ge�hgjl�fmeZ]j&�L`]�j]egl]�]f\�k]]k�l`]�AH�Y\\j]kk�g^�l`]�>aj]Zgp�Yf\�l`]�jYf\ge�hgjl�fmeZ]j&�<YlY�ak�k]fl�ZY[c�lg�làk�dg[Ylagf3�l`]�>aj]Zgp�l`]f�]pYeaf]k�l`]�`]Y\]jk$�Yf\�eYhk�l`]�hgjl�fmeZ]j�ZY[c�lg�l`]�eYkim]jY\]\�`gkl&

Làk�Y\\j]kk�ljYfkdYlagf�ak�\qfYea[�af�l`Yl�Y�f]o�hgjl%lg%afl]jfYd%`gkl�eYhhaf_�ak�eY\]�^gj�]Y[`�[gff][lagf&�Gf�Yfq�_an]f�[gff][lagf$�Yf�afl]jfYd�`gkl�eYq�Z]�eYhh]\�lg�Yfq�_an]f�hgjl&�L`]�aehda[Ylagfk�g^�làk�Yj]�aehgjlYfl2�<qfYea[�F9L�ogjck�gfdq�gf]�oYqÈ^gj�Gml%_gaf_�ljY^â[&�Lg�h]j^gje�l`]�kYe]�kgjl�g^�gh]jYlagf�^jge�l`]�gmlka\]�lg�l`]�afka\]$�qgm�emkl�]ehdgq�KlYla[�F9L�lg�\]ka_fYl]�kh][aâ[�afl]jfYd�`gklk�lg�j][]an]�l`]�hY[c]lk�g^�gfdq�gf]�hgjl&�KlYla[�F9L�ak�\]k[jaZ]\�af�egj]�\]lYad�af�l`]�f]pl�k][lagf&

Important Dynamic NAT Configuration Parameters<qfYea[�F9L�`Yk�k]n]jYd�[gfâ_mjYZd]�hYjYe]l]jk$�g^�oà[`�l`]�^gd%dgoaf_�Yj]�hYjla[mdYjdq�ka_faâ[Yfl2

TimeoutsL`]j]�Yj]�l`j]]�Y\bmklYZd]�lae]gml�nYdm]k�Ykkg[aYl]\�oal`�<qfYea[�F9L2�L;H�A\d]�Lae]gml$�L;H�>afak`�Lae]gml$�Yf\�M<H�A\d]�Lae]gml&�L`]�L;H�lae]gml�nYdm]�Y[lk�Yk�Yf�a\d]�lae]gml�^gj�nYjagmk�L;H�[gff][%lagfk&�9�dYj_]j�nYdm]�ak�`]dh^md�a^�qgm�h]j^gje�dYj_]�âd]�ljYfk^]jk�gj�dgf_%dan]\�l]df]l�k]kkagfk�Y[jgkk�l`]�âj]oYdd&�L;H�>afak`�Lae]gml�daealk�l`]�Yegmfl�g^�lae]�Y�k]kkagf�oYalk�^gj�Y�âfak`�hY[c]l�^jge�l`]�j]egl]�kal]$�Yf\�M<H�lae]gml�daealk�l`]�oYal�gf�M<H�k]kkagfk&

Use Dynamic NAT on these networksQgm�[Yf�\]ka_fYl]�oà[`�f]logjck�`Yn]�l`]aj�Y\\j]kk]k�\qfYea[Yddq�ljYfkdYl]\�lg�l`]�=pl]jfYd�afl]j^Y[]&�Gmlka\]�l`]�afl]j^Y[]$�Ydd�[geemfa%[Ylagf�^jge�l`]k]�`gklk�Yhh]Yjk�lg�[ge]�^jge�qgmj�>aj]Zgp&�Qgm�[Yf�eYkim]jY\]�Yk�eYfq�`gklk�gj�f]logjck�Yk�qgm�dac]&�A^�qgm�mk]�hjanYl]�f]logjck�af�qgmj�gj_YfarYlagf$�qgmj�hjanYl]�f]logjck�k`gmd\�Z]�fme%Z]j]\�af�gf]�g^�l`]�^gddgoaf_�Y\\j]kk�jYf_]k2

Ò )(&(&(&(�lg�)(&*--&*--&*--� )(&(&(&('0�af�kdYk`�fglYlagf!Ò )/*&).&(&(�%�)/*&+)&*--&*--� )/*&).&(&(')*�af�kdYk`�fglYlagf!Ò )1*&).0&(&(�%�)1*&).0&*--&*--� )1*&).0&(&(').�af�kdYk`�fglYlagf!L`]k]�Yj]�l`]�hjanYl]�j]k]jn]\�f]logjc�fmeZ]jk&�;gfkmdl�J>;�)1)0�^gj�egj]�af^gjeYlagf�gf�j]k]jn]\�AH�Y\\j]kk]k&�:q�\]^Ymdl$�l`]k]�Yj]�Ydj]Y\q�]fl]j]\�af�l`]�EYkim]jY\]�Zgp$�kg�qgm�eYq�fgl�f]]\�lg�[gfâ_mj]�Yfqlàf_�Y\\alagfYd&

ExceptionsQgm�[Yf�\]ka_fYl]�`gklk�gf�qgmj�ljmkl]\�Yf\�ghlagfYd�f]logjck�l`Yl�oadd�fgl�mk]�<qfYea[�F9L�o`]f�[geemfa[Ylaf_�oal`�l`]�ljmkl]\�f]logjck&�


Aliasing

A^�qgm�<qfYea[�F9L�gfdq�l`]�ghlagfYd�gj�l`]�ljmkl]\�afl]j^Y[]$�qgm�[Yf�eYfmYddq�\akYZd]�al�Z]lo]]f�l`Yl�afl]j^Y[]�Yf\�l`]�gl`]j&�A^�Zgl`�afl]j%^Y[]k�<qfYea[�F9L$�l`]�k][mjalq�kqkl]e�YmlgeYla[Yddq�\akYZd]k�eYk%im]jY\af_�Z]lo]]f�l`]e&

Static NATKlYla[�F9L�hjgna\]k�hjgl][lagf�^jge�af[geaf_�ljY^â[&�Al�eYaflYafk�l`]�k][mjalq�g^�Yfgfqealq�g^�<qfYea[�F9L�Yf\�Y\\k�l`]�^mf[lagfYd%alq�g^�^gjoYj\af_�]pl]jfYddq�gja_afYl]\�ljY^â[�lg�kh][aâ[�afl]jfYd�`gklk&

KlYla[�F9L�j]\aj][lk�AH�hY[c]lk�\]klaf]\�lg�Y�>aj]Zgp�lg�l`]�kh][aâ[�eYkim]jY\]\�`gkl�Z]àf\�al&�Al�j]ojal]k�l`]�`]Y\]jk�g^�l`]�hY[c]lk�Yf\�^gjoYj\k�l`]e�ZYk]\�gf�l`]�gja_afYd�\]klafYlagf�hgjl�fmeZ]j&�Qgm�lqha[Yddq�mk]�KlYla[�F9L�̂ gj�hmZda[�k]jna[]k�km[`�Yk�O]Zkal]k�Yf\�]%eYad&

>gj�]pYehd]$�qgm�ea_`l�oYfl�lg�k]l�mh�Y�eYad�k]jn]j�l`Yl�`Yk�Yfg%fqealq$�gj�l`Yl�`Yk�Yf�AH�Y\\j]kk�l`Yl�ogmd\�fgl�Z]�d]_alaeYl]�gf�l`]�]pl]jfYd�f]logjc&�KlYla[�F9L�]fYZd]k�qgm�lg�\]ka_fYl]�Y�kh][aâ[�afl]jfYd�k]jn]j�lg�j][]an]�Ydd�]%eYad&�L`]f$�o`]f]n]j�kge]gf]�k]f\k�]%eYad�Y\\j]kk]\�lg�l`]�>aj]Zgp$�l`]�>aj]Zgp�ÉcfgokÊ�lg�ljYfkdYl]�l`]�Y\\j]kk�lg�l`]�\]ka_fYl]\�]%eYad� KELH!�k]jn]j&

Configuring Static NATLg�[gfâ_mj]�KlYla[�F9L�^gj�Y�_an]f�`gkl$�al�emkl�Ydj]Y\q�Z]�gf�Y�f]l%ogjc�mkaf_�<qfYea[�F9L&�KlYla[�F9L�ak�[gfâ_mj]\�gf�Y�k]jna[]%Zq%k]jna[]�ZYkak&�O`]f�qgm�k]l�mh�Y�_an]f�k]jna[]� ^gj�]pYehd]$�KELH!$�gf[]�qgm�\]l]jeaf]�l`]�]da_aZd]�>jge�Yf\�Lg�`gklk�^gj�af[geaf_�Yf\�gml_gaf_�ljY^â[$�qgm�eYq�l`]f�Yhhdq�KlYla[�F9L�lg�ljYfkdYl]�l`]�]pl]jfYd�Y\\j]kk�lg�Yf�afl]jfYd�Y\\j]kk3�qgm�[Yf�Ydkg�eYkim]jY\]�l`]�hgjl�^gj�l`Yl�k]jna[]�lg�kge]làf_�]dk]2

Aliasing

9daYkaf_�]fYZd]k�qgm�lg�[gfâ_mj]�nYjagmk�[gdd][lagfk�g^�[gehml]jk�aflg�_jgmhk$�Yf\�[j]Yl]�_jgmhk�g^�mk]jk�oal`�nYjqaf_�d]n]dk�g^�h]j%eakkagfk&

9daYkaf_�hjgna\]k�Y�kaehd]�oYq�lg�j]e]eZ]j�AH�Y\\j]kk]k$�FL�<geYaf�?jgmhk�Yf\�Mk]jk$�f]logjc�AH�Y\\j]kk]k$�Yf\�kmh]j_jgmhk�[gflYafaf_�kge]�[geZafYlagf�g^�_jgmhk$�mk]jk$�\geYafk$�Yf\�AH�Y\\j]kk]k&�9daYk]k�[Yf�l`]f�Z]�mk]\�^gj�Zmad\af_�Y[[]kk�jmd]k�^gj�k]j%na[]k$�^gj�Yml`]fla[Ylagf�_jgmhk$�Yf\�^gj�_jgmhk�o`]f�[gfâ_mjaf_�O]Z�:dg[c]j&�



9daYkaf_�ak�l`]�Y[l�g^�\]daf]Ylaf_�qgmj�gj_YfarYlagf�Y[[gj\af_�lg�qgmj�k][mjalq�hgda[q&�Al�af[dm\]k�l`]�^gddgoaf_2

“Friendly” host names9�\]k[jahlan]�gj�]Ykadq�j]e]eZ]j]\�fYe]�Yk�Yf�YdaYk�^gj�Y�_an]f�k]jn]j�gj�ogjcklYlagfÌk�AH�Y\\j]kk&

“Friendly” network names9�\]k[jahlan]�gj�]Ykadq�j]e]eZ]j]\�fYe]�Yk�Yf�YdaYk�^gj�Y�f]logjcÌk�AH�Y\\j]kk&

Work GroupsL`]k]�Yj]�_jgmhk�g^�ogjcklYlagfk�Yf\'gj�k]jn]jk$�mkmYddq�gj_Yfar]\�Zq�^mf[lagf�gj�\]hYjle]fl&

Privilege GroupsAf�O]Z:dg[c]j$�qgm�[Yf�[j]Yl]�_jgmhk�ZYk]\�gf�o`Yl�O]Zkal]k�qgmÌdd�Yddgo�l`]e�lg�Y[[]kk�Yf\�o`]f&

Authentication GroupsL`]k]�Yj]�_jgmhk�gj_Yfar]\�Zq�o`]l`]j�l`]q�j]egl]dq�Y[[]kk�qgmj�f]l%ogjc�naY�J9<AMK$�;JQHLG;Yj\$�gj�OYl[`?mYj\�Yml`]fla[Ylagf&

Authentication

Mk]j�9ml`]fla[Ylagf�Yddgok�af\ana\mYd�mk]jk�lg�Yml`]fla[Yl]�lg�l`]�>aj]Zgp&�Al�ak�_]f]jYddq�mk]\�lg�hjgna\]�Y[[]kk�[gfljgd�^gj�gml_gaf_�[gff][lagfk&�

Mk]j�9ml`]fla[Ylagf�eYhk�Y�mk]j�fYe]�lg�Y�ogjcklYlagf�AH�Y\\j]kk$�Yddgoaf_�l`]�ljY[caf_�g^�[gff][lagfk�ZYk]\�gf�mk]j�fYe]�jYl`]j�l`Yf�AH�Y\\j]kk&�L`]�mk]jÌk�ogjcklYlagf�emkl�̀ Yn]�Y�BYnY%[YhYZd]�Afl]jf]l�Zjgok]j&�>gj�f]logjck�mkaf_�<qfYea[�@gkl�;gfljgd�Hjglg[gd� <@;H!$�làk�ak�ka_faâ[Yfl&�9�mk]jÌk�ogjcklYlagf�eYq�`Yn]�k]n]jYd�\a^^]j]fl�AH�Y\\j]kk]k�gn]j�l`]�[gmjk]�g^�Y�o]]c$�eYcaf_�al�af[j]Yk%af_dq�\a^â[mdl�lg�ljY[c�l`]�Y[lanala]k�g^�Y�kaf_d]�mk]j&

Oal`�Mk]j�9ml`]fla[Ylagf$�al�fg�dgf_]j�eYll]jk�o`Yl�AH�Y\\j]kk�ak�Z]af_�mk]\$�gj�^jge�oà[`�eY[àf]�Y�mk]j�[`ggk]k�lg�ogjc&�Lg�_Yaf�Y[[]kk�lg�Afl]jf]l�k]jna[]k� km[`�Yk�Gml_gaf_�@LLH�gj�Gml_gaf_�>LH!�l`]�mk]j�emkl�hjgna\]�Yml`]fla[Ylaf_�\YlY�af�l`]�^gje�g^�Y�dg_af�Yf\�hYkkogj\&�>gj�l`]�\mjYlagf�g^�l`]�Yml`]fla[Ylagf$�l`]�mk]jÌk�fYe]�ak�la]\�lg�[gff][lagfk�gja_afYlaf_�^jge�l`]�AH�Y\\j]kk�^jge�oà[`�l`]�mk]j�Yml`]fla[Yl]\&

!NOTE

Firebox Domain users and groups and NT Domain users and groups are not the same as Host Aliases. You can use the Aliases tab, however, to create host aliases that contain Firebox Domain users and NT Domain users.


Authentication

Làk�eYc]k�al�hgkkaZd]�lg�ljY[c�fgl�gfdq�l`]�eY[àf]k�^jge�oà[`�[gff][lagfk�Yj]�gja_afYlaf_$�Zml�Ydkg�^jge�o`ge�l`]q�Yj]�gja_afYl%af_&

Gl`]j�kalmYlagfk�o`]j]�Yml`]fla[Ylagf�ea_`l�Z]�mk]^md�af[dm\]�]\m%[Ylagf�]fnajgfe]flk$�km[`�Yk�[dYkkjggek$�Yf\�[gdd]_]�[gehml]j�[]f%l]jk�o`]j]�eYfq�\a^^]j]fl�h]ghd]�ea_`l�mk]�l`]�kYe]�AH�Y\\j]kk�gn]j�l`]�[gmjk]�g^�l`]�\Yq&

Authentication Methods9ml`]fla[Ylagf�ak�mk]\�lg�hgkalan]dq�a\]fla^q�mk]jk�Yf\�\]âf]�Émk]jÊ�Yf\�Émk]j�_jgmhÊ�hgda[a]k&�L`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e�[Yf�Yml`]fla[Yl]�mk]jk�Y_Yafkl�^gmj�Yml`]fla[Ylagf�k]jn]jk2�

� FL�hjaeYjq�\geYaf�[gfljgdd]jk&� 9�f]logjc�\geYaf�ak�Y�_jgmh�g^�[gehml]jk�Yf\�\]na[]k�gf�Y�f]logjc�l`Yl�Yj]�Y\eafakl]j]\�Yk�Y�mfal�oal`�[geegf�jmd]k�Yf\�hjg[]\mj]k& )

� J9<AMK%[gehdaYfl�Yml`]fla[Ylagf�k]jn]jk� Yk�\]âf]\�af�J>;�*)+0!�

� ;JQHLG;Yj\�Yml`]fla[Ylagf�� OYl[`?mYj\�k�Zmadl%af�Yml`]fla[Ylagf�k]jn]j� >aj]Zgp�\geYaf!

L`]�\a^^]j]f[]k�Yegf_�l`]�nYjagmk�Yml`]fla[Ylagf�k[`]e]k�Yj]�dYj_]dq�ljYfkhYj]fl�lg�l`]�mk]j3�l`]�mk]j�h]j^gjek�l`]�kYe]�k]im]f[]�g^�lYkck�lg�Z]�Yml`]fla[Yl]\�Y_Yafkl�Yfq�g^�l`]�^gmj�lqh]k�g^�Yml`]fla%[Ylagf&�

L`]�\a^^]j]f[]�^gj�l`]�>aj]Zgp�Y\eafakljYlgj�ak�l`Yl�af�gf]�[Yk]�l`]�\YlYZYk]�g^�mk]jfYe]k$�hYkkogj\k$�Yf\�_jgmhk�Yj]�klgj]\�gf�l`]�>aj]Zgp�alk]d^$�Yf\�af�l`]�gl`]j�[Yk]k$�l`]�mk]jfYe]k$�hYkkogj\k$�Yf\�_jgmhk�Yj]�klgj]\�gf�l`]�k]jn]j�h]j^gjeaf_�l`]�Yml`]fla[YlagfÈOaf\gok�FL�k]jn]j$�JY\amk�k]jn]j$�gj�;JQHLG;Yj\�k]jn]j&�

Af�l`]�[Yk]�g^�Yf�]pl]jfYd�Yml`]fla[Ylagf�k]jn]j$�qgm�emkl�k]l�mh�l`Yl�k]jn]j�Y[[gj\af_�lg�l`]�eYfm^Y[lmj]jÌk�afkljm[lagfk�Yf\�hdY[]�al�gf�l`]�f]logjc�kg�al�ak�Y[[]kkaZd]�Zq�l`]�>aj]Zgp&

!NOTE

Because usernames are bound to IP addresses, User Authentication should never be used in an environment where multi-user machines (such as Unix servers) are being used. Only one user per machine can be authenticated at any one time.



A^�qgm�Ydj]Y\q�Yj]�mkaf_�Y�Oaf\gok�FL�<geYaf�;gfljgdd]j$�qgm�eYq�oYfl�lg�[gflafm]�mkaf_�l`Yl�^gj�mk]j�Yml`]fla[Ylagf�^gj�k]jna[]k�gl`]j�l`Yf�J]egl]�Mk]j�NHF&�

Af�Y\\alagf$�l`]j]�Yj]�log�?dgZYd�9ml`]fla[Ylagf�K]llaf_k2�

� Dg_gf�lae]gml�o`]j]�qgm�k]d][l�`go�eYfq�k][gf\k�Yj]�Yddgo]\�^gj�Yf�Yll]ehl]\�dg_gf�Z]^gj]�l`]�lae]gml�k`mlk�\gof�l`]�[gff][%lagf

� K]kkagf�lae]gml�o`]j]�qgm�k]l�`go�eYfq�`gmjk�Y�k]kkagf�[Yf�j]eYaf�gh]f�oal`gml�c]qkljgc]k�Z]^gj]�l`]�lae]gml�k`mlk�\gof�l`]�[gff][lagf&

The WatchGuard Authentication ImplementationLg�Yml`]fla[Yl]$�mkaf_�Yfq�BYnY�]fYZd]\�[da]fl�Zjgok]j$�km[`�Yk�F]lk[Yh]�FYna_Ylgj�gj�Ea[jgkg^l�Afl]jf]l�=phdgj]j$�mk]jk�âjkl�im]jq�Yf�Yml`]fla[Ylagf�\Y]egf�gf�l`]�>aj]Zgp&�9�ea[jg%OOO�k]jn]j�gf�l`]�>aj]Zgp�l`]f�k]f\k�Y�BYnY�Yhhd]l�ZY[c�lg�l`]�mk]j$�o`]j]af�fYe]�Yf\�hYkkogj\�af^gjeYlagf�ak�]fl]j]\&�Làk�af^gjeYlagf�ak�]f[jqhl]\�oalàf�l`]�Yhhd]l�Yf\�hYkk]\�ZY[c�lg�l`]�>aj]Zgp�^gj�n]jaâ[Ylagf�Y_Yafkl�l`]�Yml`]fla[Ylagf�k]jn]j�\]âf]\�af�alk�[gfâ_mjYlagf&�9k�Y�j]kmdl$�l`]�kqkl]e�Yml`]fla[Yl]k�mk]jk�bmkl�gf[]$�afkl]Y\�g^�]Y[`�lae]�l`]q�Yll]ehl�lg�[gff][l�lg�Y�kal]&�Mk]j�fYe]�Yf\�hYkkogj\�af^gjeY%lagf�f]]\]\�^gj�Yml`]fla[Ylagf�ak�f]n]j�hYkk]\�af�[d]Yj�l]pl&

9ml`]fla[Ylagf�ak�hYjla[mdYjdq�[jm[aYd�o`]f�qgm�mk]�\qfYea[�AH�Y\\j]kkaf_� <@;H!�Z]àf\�l`]�>aj]Zgp$�gj�oYfl�mk]jk�lg�a\]fla^q�l`]ek]dn]k�Z]^gj]�h]j^gjeaf_�nYjagmk�k]jna[]k�l`jgm_`�l`]�>aj]Zgp&�Oal`�l`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e$�Yml`]fla[Ylagf�[Yf�Z]�[gfâ_mj]\�gf�Y�k]jna[]%Zq%k]jna[]�ZYkak�Yddgoaf_�mk]jk�lg�gfdq�f]]\�lg�Yml`]fla[Yl]�^gj�[]jlYaf�k]jna[]k&

OYl[`?mYj\�g^^]jk�^mdd�afl]jgh]jYZadalq�oal`�klYf\Yj\k%ZYk]\�Yml`]fla[Ylagf�l][`fgdg_q�^jge�;JQHLG;Yj\�^gj�Zgl`�;JQHLG9\%eaf�Yf\�J:%)�Lgc]fk&�Làk�]fYZd]k�qgm�lg�k][mj]�f]logjc�Y[[]kk�mkaf_�hgo]j^md�lgc]f%ZYk]\�Yml`]fla[Ylagf�kgdmlagfk�^jge�;JQHLG%;Yj\$�af�[gfbmf[lagf�oal`�l`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e&

L`]�Zmadl%af�Yml`]fla[Ylagf�k]jn]j�af[dm\]\�oal`�l`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e�ak�\]ka_f]\�^gj�keYdd]j�]fnajgfe]flk&�Mk]j�fYe]k$�_jgmh�fYe]k�Yf\�hYkkogj\k�[Yf�Z]�]fl]j]\�\aj][ldq�aflg�l`]�>aj]Zgp�[gfâ_mjYlagf�lg�k]l�af\ana\mYd�âdl]j�jmd]k�Yk�\]kaj]\&

!NOTE

Only one type of User Authentication may be used at a time.


Authentication

Firebox AuthenticationMk]jfYe]k$�hYkkogj\k$�Yf\�_jgmhk�eYq�Ydkg�Z]�klgj]\�af�l`]�>aj]Zgp&�L`]k]�Y[[gmflk�Yj]�Ydkg�mk]\�^gj�J]egl]�Mk]j�NHF&�

>gj�FL�<geYaf�;gfljgdd]j�gj�JY\amk�Yml`]fla[Ylagf$�qgm�emkl�]fl]j�l`]�mk]jk�Yf\'gj�_jgmhk�gf�l`]�j]kh][lan]�Oaf\gok�FL�gj�JY\amk�Yml`]fla[Ylagf�k]jn]jk&�>gj�>aj]Zgp�<geYaf�Y[[gmflk$�`go]n]j$�qgm�h]j^gje�Ydd�Yml`]fla[Ylagf�k]lmh�gf�l`]�>aj]Zgp�Mk]jk�lYZ�g^�l`]�E]eZ]j�9[[]kk�Yf\�Mk]j�9ml`]fla[Ylagf�K]lmh�\aYdg_�Zgp&

Af�[gfâ_mjaf_�>aj]Zgp�Yml`]fla[Ylagf$�qgm�[Yf�\]âf]�mk]jk�Yf\�_jgmhk$�Yf\�Ykka_f�e]eZ]jk�lg�kh][aâ[�_jgmhk&�

Windows NT AuthenticationOaf\gok�FL�<geYaf�Mk]j�9ml`]fla[Ylagf�ak�ZYk]\�gf�FL�<geYaf�Mk]jk�Yf\�?jgmhk$�Yf\�mk]k�l`]�Mk]j�Yf\�?jgmh�\YlYZYk]�Ydj]Y\q�af�hdY[]�gf�qgmj�Oaf\gok�FL�<geYaf�;gfljgdd]j&

OYl[`?mYj\Ìk�aehd]e]flYlagf�g^�Yml`]fla[Ylagf�naY�Y�Oaf\gok�FL�k]jn]j�Ykkme]k�qgm�`Yn]�[gfâ_mj]\�qgmj�Oaf\gok�FL�k]jn]j�oal`�mk]jk�Yf\�_jgmhk&�Qgm�[Yf�[gfâ_mj]�l`]k]�hYjYe]l]jk�o`]f�k]llaf_�mh�Oaf\gok�FL�Yml`]fla[Ylagf�^gj�OYl[`?mYj\2

Host NameL`]�`gkl�fYe]�g^�l`]�FL�k]jn]j�qgm�oYfl�lg�mk]�^gj�Yml`]fla[Ylagf&

Automatic IP Address LookupQgm�[Yf�[gfâ_mj]�OYl[`?mYj\�lg�dggc�mh�l`]�AH�Y\\j]kk�^gj�l`]�Oaf%\gok�FL�\geYaf�`gkl�fYe]&

Use Local GroupsQgm�[Yf�mk]�l`]�Oaf\gok�FL�k]jn]jÌk�gj_YfarYlagf�g^�mk]jk�Yf\�_jgmhk&

Radius AuthenticationL`]�J]egl]�9ml`]fla[Ylagf�<aYd%Af�Mk]j�K]jna[]� J9<AMK!�hjgna\]k�j]egl]�mk]jk�oal`�k][mj]�Y[[]kk�lg�[gjhgjYl]�f]logjck&�J9<AMK�ak�Y�[da]fl%k]jn]j�kqkl]e�l`Yl�klgj]k�Yml`]fla[Ylagf�af^gjeYlagf�^gj�mk]jk$�

!NOTE

The group “RemoteVPN” is a special built-in group that contains only currently authenticated Remote User VPN users. You must add user names to this group to enable them to use Remote User VPN.

!NOTE

You cannot use local groups for Windows NT authentication if your administration workstation is a Windows 95 host. Windows 95 does not support the ability to gather the list of local groups from a computer running Windows NT. You must run SMS from a Windows NT host to configure local groups in your rule sets.



j]egl]�Y[[]kk�k]jn]jk$�Yf\�NHF�_Yl]oYqk�af�Y�[]fljYd�mk]j�\YlYZYk]�YnYadYZd]�lg�Ydd�k]jn]jk&�9ml`]fla[Ylagf�^gj�l`]�]flaj]�f]logjc�`Yh%h]fk�^jge�gf]�dg[Ylagf&�J9<AMK�hj]n]flk�`Y[c]jk�^jge�afl]j[]hlaf_�Yf\�j]khgf\af_�lg�Yml`]fla[Ylagf�j]im]klk�Zq�ljYfkeallaf_�Yf�Yml`]fla[Ylagf�c]q�l`Yl�a\]flaâ]k�al�lg�l`]�J9<AMK�[da]fl&�Fgl]�l`Yl�al�ak�l`]�c]q�l`Yl�ak�ljYfkeall]\$�Yf\�fgl�Y�hYkkogj\&�L`]�hYkkogj\�j]ka\]k�gf�l`]�[da]fl�Yf\�k]jn]j�kaemdlYf]gmkdq&�L`Yl�ak�o`q�al�ak�g^l]f�[Ydd]\�Y�Ék`Yj]\�k][j]l&Ê�

:]^gj]�J9<AMK$�mk]j�Yml`]fla[Ylagf�oYk�klgj]\�gf�]Y[`�j]egl]�Y[[]kk�k]jn]j�gf�Y�f]logjc&�=Y[`�k]jn]j�`Y\�lg�Z]�af\ana\mYddq�[gf%â_mj]\$�eYcaf_�k][mjalq�hgda[a]k�Yf\�l`]�mk]j�\YlYZYk]�`Yj\�lg�eYaflYaf&�J9<AMK�`Yk�Y[[]kk�lg�emdlahd]�k]jn]jk$�Yf\�[]fljYdar]\�[gfâ_mjYlagf�Yf\�[gfljgd&�Làk�kaehdaâ]k�alk�dafck�oal`�]paklaf_�f]l%ogjc�gh]jYlaf_�kqkl]e�Yml`]fla[Ylagf�af^gjeYlagf� ^gj�]pYehd]$�Oaf\gok�FL�Mk]j�<geYaf�gj�Fgn]dd�F]lOYj]�<aj][l�K]jna[]�lj]]k!&�Al�Ydkg�eYc]k�al�]Yka]j�^gj�j]egl]�Y[[]kk�kg^loYj]�^jge�emdlahd]�n]f%\gjk�lg�ogjc�o]dd�lg_]l`]j&

L`]�J9<AMK�k]jn]j�klgj]k�Yf\�^gjoYj\k�k]kkagf�[gfâ_mjYlagf�af^gj%eYlagf�gf�Yf�af\ana\mYd$�mk]j%Zq%mk]j�ZYkak$�kg�mk]jk�_]lk�l`]�kYe]�k]jna[]�hYjYe]l]jk�j]_Yj\d]kk�g^�l`]�k]jn]j�l`]q�[gff][l�lg&�

>gj�JY\amk�Yml`]fla[Ylagf$�qgm�emkl�]fl]j�l`]�mk]jk�Yf\'gj�_jgmhk�[j]Yl]\�^gj�l`]�af\ana\mYd�k]jna[]�hjgh]jla]k�Yf\�l`]�AH�Y\\j]kk�g^�l`]�>aj]Zgp�gf�l`]�JY\amk�Yml`]fla[Ylagf�k]jn]j&�

OYl[`?mYj\Ìk�aehd]e]flYlagf�g^�JY\amk�Yml`]fla[Ylagf�]fYZd]k�qgm�lg�[gfâ_mj]�l`]k]�hYjYe]l]jk2

IP AddressL`]�AH�Y\\j]kk�g^�l`]�eY[àf]�qgm�Yj]�mkaf_�Yk�Y�JY\amk�k]jn]j&

PortL`]�hgjl�fmeZ]j�l`]�>aj]Zgp�oadd�mk]�^gj�JY\amk�Yml`]fla[Ylagf&

SecretL`]�hYkkogj\�l`Yl�oadd�^mf[lagf�Yk�Y�k`Yj]\�k][j]l�Z]lo]]f�qgmj�>aj]Zgp�Yf\�l`]�JY\amk�k]jn]j&�L`]�k][j]l�ak�[Yk]%k]fkalan]�Yf\�emkl�Z]�]pY[ldq�l`]�kYe]�Yk�l`]�gf]�]fl]j]\�gf�l`]�JY\amk�k]jn]j&

Backup radius serverQgm�[Yf�kh][a^q�Y�k][gf\�JY\amk�k]jn]j�Yk�Y�ZY[cmh�^gj�JY\amk�Yml`]fla%[Ylagf�o`]f�qgmj�hjaeYjq�k]jn]j�ak�mfYnYadYZd]&�L`]�ZY[cmh�emkl�`Yn]�l`]�kYe]�k`Yj]\�k][j]l�Yk�l`]�l`]�Y\eafakljYlagf�`gkl�Yf\�l`]�hjaeYjq�JY\amk�k]jn]j&

!NOTE

WatchGuard Radius works only with CHAP (Challenge Hand-shake Authentication Protocol) authentication. Make sure your Radius server supports CHAP.


Authentication

CRYPTOCard Authentication;JQHLG;Yj\�ak�Y�̀ Yj\oYj]%ZYk]\�Yml`]fla[Ylagf�kqkl]e�l`Yl�Yddgok�mk]jk�lg�Yml`]fla[Yl]�naY�;JQHLG;Yj\Ìk�[`Ydd]f_]�j]khgfk]�kqkl]e�oà[`�af[dm\]k�g^^daf]�`Ykàf_�g^�hYkkogj\k&�Al�]fYZd]k�qgm�lg�Yml`]fla[Yl]�af\ana\mYdk�af\]h]f\]fl�g^�l`]�`gklk�l`]q�Yj]�gf&�

;gfâ_mjaf_�OYl[`?mYj\�;JQHLG;Yj\�k]jn]j�Yml`]fla[Ylagf�Ykkme]k�l`Yl�qgm�`Yn]�Y[imaj]\�Yf\�afklYdd]\�Y�;JQHLG;Yj\�k]jn]j�Y[[gj\af_�lg�l`]�eYfm^Y[lmj]jÌk�afkljm[lagfk$�Yf\�l`Yl�l`]�k]jn]j�ak�Y[[]kkaZd]�^gj�Yml`]fla[Ylaf_�lg�l`]�>aj]Zgp&

OYl[`?mYj\Ìk�aehd]e]flYlagf�g^�;JQHLG;Yj\�K]jn]j�]fYZd]k�qgm�lg�[gfâ_mj]�l`]k]�hYjYe]l]jk2

IP AddressL`]�AH�Y\\j]kk�g^�l`]�eY[àf]�qgm�Yj]�mkaf_�Yk�Y�;JQHLG;Yj\�K]jn]j&

PortL`]�hgjl�fmeZ]j�l`]�>aj]Zgp�oadd�mk]�^gj�l`]�;JQHLG;Yj\�K]jn]j&�L`]�hgjl�fmeZ]j�\g]k�fgl�mkmYddq�f]]\�lg�Z]�[`Yf_]\�^jge�l`]�\]^Ymdl$�.*,&

Administrator PasswordL`]�;JQHLG;Yj\�k]jn]jËk�Y\eafakljYlgj�hYkkogj\�Yk�^gmf\�af�l`]�;JQHLG;Yj\�k]jn]jÌk�ÉHYkko\Ê�âd]&

TimeoutL`]�d]f_l`�af�k][gf\k�^gj�l`]�lae]gml�h]jag\&�L`]�lae]gml�h]jag\�ak�l`]�eYpaeme�Yegmfl�g^�lae]�qgm�[Yf�oYal�^gj�l`]�;JQHLG;Yj\�k]jn]j�lg�j]khgf\�lg�qgm&�;JQHLG;Yj\Ìk�j][gee]f\]\�lae]gml�ak�.(�k][gf\k&�

SecretL`]�hYkkogj\�l`Yl�oadd�^mf[lagf�Yk�Y�k`Yj]\�k][j]l�Z]lo]]f�làk�>aj]Zgp�Yf\�l`]�;JQHLG;Yj\�k]jn]j&�Làk�ak�l`]�c]q�gj�[da]fl�c]q�af�l`]�ÉH]]jkÊ�âd]�gf�l`]�;JQHLG;Yj\�k]jn]j&�L`]�k][j]l�ak�[Yk]%k]fkalan]�Yf\�emkl�Z]�]pY[ldq�l`]�kYe]�Yk�l`]�gf]�]fl]j]\�gf�l`]�;JQHLG;Yj\�k]jn]j&�Làk�oadd�Z]�mk]\�lg�]f[jqhl�l`]�k]kkagf�Z]lo]]f�l`]�>aj]Zgp�Yf\�l`]�;JQH%LG;Yj\�k]jn]j&

How CRYPTOCard Authentication WorksL`]j]�ak�Y�eafa%@LLH�k]jn]j�jmffaf_�gf�l`]�>aj]Zgp�gf�hgjl�,)((�Yl�`llh2''S>aj]Zgp�ljmkl]\�afl]j^Y[]�AHU2,)((&�Af�gj\]j�lg�Yml`]fla[Yl]$�mk]jk�emkl�[gff][l�lg�làk�Yml`]fla[Ylagf�k]jn]j�mkaf_�Y�o]Z�Zjgok]j� l`Yl�kmhhgjlk�BYnY!�lg�làk�MJD2�`llh2''S>aj]Zgp�ljmkl]\�afl]j^Y[]�AH�`]j]U2,)(('&

!NOTE

When implementing a CRYPTOCard authentication scheme, you must also add the Firebox’s IP address and the users or groups to authenticate to the CRYPTOCard server’s configuration file. The Firebox is entered as a client to the CRYPTOCard server. For more information, see your CRYPTOCard server documenta-tion. Only one alias/group is supported by the CRYPTOCard server.



Làk�dgY\k�Y�BYnY�Yhhd]l�l`Yl�hjgehlk�^gj�Y�mk]jfYe]�Yf\�hYkkogj\&�Gf[]�l`]�mk]j�km[[]kk^mddq�lqh]k�af�Y�eYl[àf_�mk]jfYe]�Yf\�hYkk%ogj\$�l`]�BYnY�Yhhd]l�\akhdYqk�Yf�Yml`]fla[Ylagf�kljaf_�af�l`]�^gje�g^�Y�fmeZ]j&�L`]�mk]j�l`]f�]fl]jk�làk�fmeZ]j�aflg�àk�;JQHLG;Yj\&�L`]�;JQHLG;Yj\�hjg[]kk]k�l`]�fmeZ]j�Yf\�akkm]k�Y�k][gf\�fme%Z]j&�L`]�mk]j�l`]f�]fl]jk�làk�fmeZ]j�af�Y�k][gf\�khY[]�gf�l`]�BYnY�Yhhd]lÌk�mk]j�afl]j^Y[]&�Làk�fmeZ]j�ak�ljYfkeall]\�lg�l`]�;JQHLG%;Yj\�k]jn]j$�oà[`�l`]f�Yml`]fla[Yl]k�l`]�j]khgf\af_�fmeZ]j&�Af�\gaf_�kg$�;JQHLG;Yj\�lYc]k�l`]�ZYka[�Yml`]fla[Ylagf�g^�JY\amk�Yf\�Y\\k�kljaf_]fl�d]n]dk�g^�Yml`]fla[Ylagf&�Oal`�;JQHLG;Yj\�Yml`]fla%[Ylagf$�gf]�[Yffgl�mk]�Y�O]Z�Zjgok]j�lg�Y[[]kk�kal]k�gf�l`]�=pl]jfYd�afl]j^Y[]�oal`gml�hgkk]kkagf�g^�Y�;JQHLG;Yj\&�L`]�;JQHLG;Yj\�emkl�Z]�k]l�mh�Yf\�j]_akl]j]\�oal`�l`]�;JQHLG;Yj\�k]jn]j&�>mj%l`]jegj]$�gf]�[Yffgl�mk]�Y�;JQHLG;Yj\�lg�h]j^gje�l`]�fmeZ]j�]fljq�Yf\�j]khgfk]�oal`gml�c]qaf_�af�l`]�[gjj][l�mk]j�a\]flaâ[Ylagf�Yf\�hYkkogj\�gf�l`]�;JQHLG;Yj\�alk]d^&�

Gf[]�l`]q�Yj]�km[[]kk^mddq�Yml`]fla[Yl]\$�mk]jk�[Yf�l`]f�eafaear]�l`]�BYnY�oaf\go�Yf\�Z]_af�Zjgokaf_�l`]�O]Z&�9k�dgf_�Yk�l`]�BYnY�oaf\go�j]eYafk�Ydan]� l`Yl�ak$�al�[Yf�Z]�eafaear]\�Zml�fgl�[dgk]\!$�mk]jk�j]eYaf�Yml`]fla[Yl]\&�A^�l`]q�[da[c�l`]�;dgk]�Zmllgf�af�l`]�BYnY�oaf\go�gj�[dgk]�l`]aj�Zjgok]j�[gehd]l]dq$�l`]q�Yj]�fg�dgf_]j�Yml`]fla[Yl]\&

Removing AuthenticationL`]�gfdq�oYq�lg�hj]n]fl�k]d][l]\�Y[[gmflk�^jge�Z]af_�YZd]�lg�Yml`]fla[Yl]�ak�lg�\akYZd]�l`]aj�Y[[gmflk�gf�l`]aj�j]kh][lan]�Yml`]fla%[Ylagf�k]jn]jkÈl`]�FL�;gfljgdd]j$�JY\amk�K]jn]j$�gj�gf�l`]�>aj]Zgp&�9�mk]j�[Yf�j]eYaf�[gff][l]\�^gj�mh�lg�*,�`gmjk�Z]^gj]�Z]af_�Ymlg%eYla[Yddq�\ak[gff][l]\&�L`]�kYe]�Yhhda]k�lg�;JQHLG;Yj\$�]p[]hl�qgm�[Yf�Ydkg�[gfâk[Yl]�l`]�mk]jÌk�;JQHLG;Yj\�alk]d^$�oà[`�j]f\]jk�Yml`]la[Ylagf�aehgkkaZd]�^gj�l`Yl�mk]j&

Configuring an Authentication EnvironmentGf]�oYq�lg�[j]Yl]�]^^][lan]�Mk]j�9ml`]fla[Ylagf�]fnajgfe]flk�ak�lg�j]klja[l�Ydd�Gml_gaf_�k]jna[]k�lg�gfdq�Yddgo�[gff][lagfk�>jge�9ml`]fla[Yl]\�Mk]jk&�>gj�]pYehd]$�mkaf_�Oaf\gok�FL�K]jn]j$�qgm�ogmd\�[j]Yl]�Y�?jgmh�gf�l`]�Oaf\gok�FL�k]jn]j�l`Yl�[gflYafk�Ydd�l`]�Mk]j�Y[[gmflk&�L`]f�qgm�ogmd\�Y\\�l`Yl�_jgmh�fYe]�lg�l`]�Afl]jfYd�`gklk�^gj�l`]�Gml_gaf_�gj�Hjgpq�k]jna[]�af�l`]�OYl[`?mYj\�Hgda[q�EYfY_]j&

Combining User Authentication and Remote User VPNO`]f�Y�J]egl]�Mk]j�NHF�[gff][lagf�ak�eY\]�lg�l`]�>aj]Zgp$�l`]�[da%]flÌk�mk]jfYe]�Yf\�hYkkogj\�Yj]�[`][c]\�Y_Yafkl�l`]�>aj]Zgp�<geYaf�gfdq&�>gj�làk�j]Ykgf$�J]egl]�Mk]j�NHF�mk]jk�emkl�`Yn]�Yf�Y[[gmfl�af�l`]�>aj]Zgp�<geYaf$�Yf\�emkl�Z]�Y�e]eZ]j�g^�l`]�


Encryption

J]egl]NHF�_jgmh�^gj�Y[[]kk$�j]_Yj\d]kk�g^�Yfq�gl`]j�Yml`]fla[Ylagf�k[`]e]�af�mk]&�S[j]^�lg�JMNHF�`]j]U

O`]f�mk]jk�Yml`]fla[Yl]�mkaf_�l`]aj�Y[[gmfl�af�l`]�>aj]Zgp�<geYaf$�OYl[`?mYj\�YmlgeYla[Yddq�Y\\k�l`]aj�AH�Y\\j]kk�lg�Ydd�>aj]Zgp�<geYaf�_jgmhk�g^�oà[`�l`]q�Yj]�Y�e]eZ]j� Yf\�[gfn]jk]dq�j]egn]\�o`]f�l`]q�]f\�l`]aj�Yml`]fla[Ylagf!&

J]egl]NHF�ak�Y�Zmadl%af�>aj]Zgp�<geYaf�?jgmh�o`]j]�qgm�emkl�]fl]j�Ydd�[mjj]fldq�Y[lan]�J]egl]�Mk]j�NHF�mk]jk&�O`]f�Y�mk]j�km[%[]kk^mddq�[gff][lk�lg�l`]�>aj]Zgp�mkaf_�J]egl]�Mk]j�NHF$�OYl[`%?mYj\�YmlgeYla[Yddq�Y\\k�l`]�Ykka_f]\�J]egl]NHF�Y\\j]kk�lg�l`]�mk]jfYe]�lg�làk�Zmadl%af�YdaYk&�O`]f�l`]�mk]j�k`mlk�\gof�l`]�J]egl]�Mk]j�NHF�k]kkagf$�OYl[`?mYj\�YmlgeYla[Yddq�j]egn]k�l`]�mk]jÌk�Y\\j]kk�Ykkg[aYl]\�oal`�l`Yl�mk]j�^jge�l`]�J]egl]NHF�YdaYk&

:q�\]^Ymdl$�J]egl]�Mk]j�NHF�mk]jk� gj�Yfq�mk]jk!�`Yn]�fg�Y[[]kk�hjanad]_]k�l`jgm_`�Y�>aj]Zgp&�Lg�Yddgo�J]egl]�Mk]j�NHF�mk]jk�lg�Y[[]kk�eY[àf]k�gf�l`]�Ljmkl]\�f]logjc$�qgm�emkl�Y\\�l`]aj�mk]j%fYe]k� gj�l`]�J]egl]NHF�_jgmh�YdaYk!�lg�k]jna[]�a[gfk�af�l`]�k]j%na[]k�Yj]fY&

9�lqha[Yd�mk]�g^�làk�Zmadl%af�_jgmh�ak�lg�Yddgo�af[geaf_�[gff][lagfk�lg�[]jlYaf�Ljmkl]\�k]jn]jk�^jge�l`]�J]egl]NHF�_jgmh�e]eZ]jk&�Làk�ak�Yf�]Ykq�oYq�lg�hjgna\]�gmlka\]�Y[[]kk�lg�[jala[Yd�eY[àf]k�afka\]�qgmj�f]logjc$�oal`gml�jakcaf_�qgmj�_]f]jYd�k][mjalq&

>gj�]pYehd]$�lg�Yddgo�gml_gaf_�l]df]l$�Zml�gfdq�Yddgo�af[geaf_�l]d%f]l�a^�l`]�j]im]kl�[ge]k�^jge�Y�J]egl]�Mk]j�NHF�mk]j$�qgm�ogmd\

� 9\\�l`]�l]df]l�k]jna[]�lg�l`]�OYl[`?mYj\�Hgda[q�EYfY_]j� ;gfâ_mj]�l`]�gml_gaf_�\aj][lagf�gfdq�lg�Yddgo�l]df]l�ljY^â[�^jge�

Yfq�afl]jfYd�`gkl�lg�Yfq�gmlka\]�`gkl&�� ;gfâ_mj]�af[geaf_�\aj][lagf�lg�Yddgo�ljY^â[�^jge�l`]�

J]egl]NHF�_jgmh$�lg�Yfq�afl]jfYd�`gkl&

Encryption

=f[jqhlagf�k[jYeZd]k�l`]�[`YjY[l]jk�af�ljYfkeakkagf�hY[c]lk�lg�eYc]�al�\a^â[mdl�lg�\][g\]�Yf\�j]Y\&�Afl]j[]hlaf_�hY[c]lk�ak�fgl�\a^â[mdl&�K]f\af_�[jala[Yd�af^gjeYlagf�km[`�Yk�[j]\al�[Yj\�fmeZ]jk�oal`�]ph]j%Ylagf�\Yl]k�gj�hYkkogj\k�Yk�[d]Yj�l]pl�ak�fgl�Y�kY^]�làf_�lg�\g&�L`]�OYl[`?mYj\�Dan]K][mjalq�kqkl]e�]ehdgqk�\a^^]j]fl�lqh]k�g^�]f[jqh%lagf�^gj�[jala[Yd�[gff][lagfk�l`Yl�[gmd\�[gehjgeak]�qgmj�kqkl]e�a^�\YlY�o]j]�ljYfkeall]\�Yk�[d]Yj�l]pl&�



L`]�Dan]K][mjalq�Kqkl]e�hjgna\]k�YmlgeYla[�]f[jqhlagf�^gj�[gff][%lagfk�Z]lo]]f�l`]�EYfY_]e]fl�KlYlagf�Yf\�l`]�>aj]Zgp$�Dg_�@gkl$�Yf\�=n]fl�Hjg[]kkgj&�Al�g^^]jk�[gfâ_mjYZd]�]f[jqhlagf�o`]f�k]llaf_�mh�J]egl]�Mk]j�gj�:jYf[`�G^â[]�NHF&

OYl[`?mYj\�g^^]jk�l`j]]�\a^^]j]fl�d]n]dk�g^�]f[jqhlagf2�KlYf\Yj\$�=f`Yf[]\$�Yf\�Kljgf_&�=f`Yf[]\�Yf\�Kljgf_�]f[jqhlagf�Yj]�g^^]j]\�Yk�ghlagfk$�Yf\�emkl�Z]�da[]fk]\�Yf\�afklYdd]\�k]hYjYl]dq�^jge�qgmj�klYf\Yj\�Dan]K][mjalq�Kqkl]e&

KlYf\Yj\�]f[jqhlagf�mk]k�Y�-.%Zal�]f[jqhlagf�c]q$�Ydkg�cfgof�Yk�<=K� <YlY�=f[jqhlagf�K]jna[]!&�=f`Yf[]\�]f[jqhlagf�mk]k�Y�))*%Zal�c]q&�Kljgf_�]f[jqhlagf�mk]k�Y�).0%Zal� ljahd]%<=K!�c]q&�L`]k]�Yj]�l`]�d]n%]dk�g^�]f[jqhlagf�^gj�l`]�EYfY_]e]fl�KlYlagf�[gff][lagfk�l`Yl�mk]�YmlgeYla[�]f[jqhlagf&�L`]k]�da[]fk]�daealk�Ydkg�]klYZdak`�`go�kljgf_�Yf�]f[jqhlagf�qgm�[Yf�mk]�^gj�NHF&�>gj�]pYehd]$�a^�qgm�Yj]�k]llaf_�mh�:jYf[`�G^â[]�NHF�oal`�YmlgeYla[�AHK][$�qgm�emkl�`Yn]�kljgf_�]f[jqhlagf�lg�mk]�K@9%)%@E9;�Yml`]fla[Ylagf�oal`�+<=K%;:;�]f[jqhlagf&

A^�qgm�`Yn]�=f`Yf[]\�gj�Kljgf_�]f[jqhlagf$�qgm�[Yf�[`ggk]�l`]�d]n]d�g^�]f[jqhlagf�YhhjghjaYl]�lg�l`]�lmff]d�qgm�k]l�mh&�>gj�]pYehd]$�^gj�_]f]jYd�mk]$�qgm�ea_`l�mk]�kaf_d]%<=K�]f[jqhlagf�eYpaear]�l`jgm_`hml&�>gj�Y\eafakljYlan]�gj�ljYfkY[lagfYd�[gff][lagfk�o`]j]�qgm�`Yn]�egj]�lg�dgk]�a^�hY[c]lk�Yj]�afl]j[]hl]\�Yf\�\][g\]\$�qgm�[Yf�k]l�mh�à_`dq�]f[jqhl]\�lmff]dk�Z]lo]]f�kh][aâ[�`gklk�gj�f]l%ogjck&

WebBlocker

O]Z:dg[c]j�ogjck�oal`�l`]�@LLH�hjgpq�l`Yl�hjgna\]k�MJD%âdl]jaf_�[YhYZadala]k&�Al�ak�Y�[gehj]`]fkan]�lggd�Yf\�mk]j�afl]j^Y[]�^gj�]p]jlaf_�âf]�[gfljgd�gn]j�o`Yl�lqh]�g^�O]Z�kal]k�mk]jk�Yj]�Yddgo]\�lg�na]o&�

O]Z:dg[c]j�hjgna\]k�l`]�e]Yfk�lg�\]l]jeaf]�l`]�o`g$�o`]f$�Yf\�o`Yl�g^�O]Z�kmjâf_�oalàf�qgmj�gj_YfarYlagf&�Al�]fYZd]k�qgm�lg�k]h%YjYl]�qgmj�gj_YfarYlagf�aflg�Yk�eYfq�mk]jk�gj�_jgmhk�Yk�qgmÌ\�dac]� o`g!$�\][a\]�o`Yl�`gmjk�l`]q�Yj]�^j]]�lg�Y[[]kk�l`]�Ogjd\�Oa\]�O]Z� o`]f!$�Yf\�o`Yl�[Yl]_gja]k�g^�O]Z�kal]k�l`]q�eYq�nakal� o`Yl!&��Af�^Y[l$�qgm�[Yf�\a^^]j]flaYl]�Z]lo]]f�l`]�kal]k�l`]q�[Yf�nakal�\mjaf_�j]_mdYj�`gmjk�Yf\�l`]�kal]k�YnYadYZd]�af�qgmj�gj_YfarYlagfÌk�g^^%`gmjk&

O]Z:dg[c]j�mk]k�Y�\YlYZYk]�g^�o]Zkal]k�o`gk]�[gfl]fl�ak�egkl�dac]dq�lg�Z]�[gmfl]j�lg�Y�lqha[Yd�gj_YfarYlagfÌk�k][mjalq�hgda[q&�L`]�\YlYZYk]�ak�mh\Yl]\�gf�Y�^j]im]fl�ZYkak&�Qgm�[Yf�[gfâ_mj]�O]Z:dg[c]j�lg�YmlgeYla[Yddq�mh\Yl]�l`]�o]Zkal]�\YlYZYk]$�gj�qgm�[Yf�[`ggk]�lg�


WebBlocker

eYfmYddq�mh\Yl]�al�o`]f�qgm�dac]&�>gj�YmlgeYla[�mh\Ylaf_$�OYl[`%?mYj\�[`][ck�l`]�\YlYZYk]�gf[]�Y�\Yq&�A^�l`]�\YlYZYk]�gf�l`]�\YlY%ZYk]�O]Zkal]�ak�\a^^]j]fl�^jge�l`]�gf]�Z]af_�mk]\�Yl�qgmj�kal]$�OYl[`?mYj\�gZlYafk�l`]�f]o�\YlYZYk]�Yf\�dgY\k�al�aflg�l`]�>aj]Zgp&

Settable ParametersO`]f�k]llaf_�mh�O]Z:dg[c]j$�qgm�[Yf�[gfâ_mj]�l`]k]�ZYka[�Yj]Yk2

� ;gfljgdk� O]Z:dg[c]j�?jgmhk� =p[]hlagfk� Na]o�?jgmh�E]eZ]jk

ControlsAf�l`]�[gfljgdk�Yj]fY$�qgm�[Yf�Y[lanYl]�gj�\]Y[lanYl]�O]Z:dg[c]j$�[Ymk]k�eYfY_]e]fl�ogjcklYlagf�lg�[`][c�l`]�gZb][lagfYZd]�o]Zkal]�\YlYZYk]�gf[]�Y�\Yq�Yf\�YmlgeYla[Yddq�\gofdgY\�al�o`]f�al�[`Yf_]k$�Yf\�]fl]j�Y�[mklge�e]kkY_]�lg�Z]�k]fl�lg�mk]jkÌ�Zjgok]jk�o`]f�l`]q�Yj]�\]fa]\�Y�hY_]�Z][Ymk]�g^�O]Z:dg[c]j�jmd]k&�

>gj�Y�[gehd]l]�daklaf_�g^�O]Z:dg[c]j�[Yl]_gja]k�Yf\�o`Yl�lqh]k�g^�O]Zkal]k�l`]q�j]hj]k]fl$�k]]�É;Yl]_gjq�<]k[jahlagfk�^gj�O]Z%:dg[c]jÊ�af�l`]�OYl[`?mYj\�J]^]j]f[]�EYfmYd&

WebBlocker GroupsL`]�O]Z:dg[c]j�?jgmhk�Yj]Y�ak�o`]j]�qgm�k]l�mh�Yf\�eYaflYaf�Y[[]kk�hjanad]_]k�^gj�_jgmhk�g^�mk]jk&�>gj�O]Z:dg[c]j�lg�Yddgo�gj�\]fq�Y[[]kk�hjanad]_]k$�qgm�emkl�[j]Yl]�Yf\�\]âf]�_jgmhk�g^�`gklk&

SchedulingO]Z:dg[c]j�hjgna\]k�log�k]hYjYl]dq�[gfâ_mjYZd]�lae]�Zdg[ckÈGh]jYlagfYd�@gmjk�Yf\�Fgf%gh]jYlagfYd�`gmjk&�Gh]jYlagfYd�`gmjk�Yj]�Yf�gj_YfarYlagfÌk�fgjeYd�`gmjk�g^�gh]jYlagf3�fgf%gh]jYlagfYd�`gmjk�Yj]�o`]f�Yf�gj_YfarYlagf�ak�fgl�[gf\m[laf_�alk�fgjeYd�Zmka%f]kk&�Mk]�l`]k]�lae]�Zdg[ck�lg�Zmad\�jmd]k�YZgml�o`]f�\a^^]j]fl�lqh]k�g^�kal]k�Yj]�lg�Z]�Zdg[c]\&�>gj�]pYehd]$�qgm�ea_`l�Zdg[c�khgjlk�kal]k�\mjaf_�Zmkaf]kk�`gmjk$�Zml�Yddgo�Y[[]kk�Yl�dmf[`�lae]$�]n]faf_k$�Yf\�o]]c]f\k&

A^�l`]�kYe]�`gkl�gj�YdaYk�ak�Y�e]eZ]j�g^�egj]�l`Yf�gf]�_jgmh$�Yf\�l`]�Y[[]kk�jmd]k�Yj]�\a^^]j]fl�^gj�l`]�log�_jgmhk$�l`Yl�`gkl�gj�YdaYk�ak�kmZ%b][l�lg�l`]�kljgf_]j�jmd]&�L`Yl�ak$�l`]�_jgmh�l`Yl�`Yk�l`]�hjgàZal]\�kal]k�lYc]k�hj][]\]f[]�gn]j�l`]�h]jeall]\�kal]k�g^�l`]�gl`]j�_jgmh&�

ExceptionsO]Z:dg[c]j�hjgna\]k�Yf�=p[]hlagfk�[gfljgd�lg�gn]jja\]�Yfq�g^�l`]�O]Z:dg[c]j�k]llaf_k&�Làk�lYc]k�hj][]\]f[]�gn]j�Ydd�gl`]j�jmd]k&�9\\�MJDk�l`Yl�oadd�Z]�Yddgo]\�gj�\]fa]\�YZgn]�Yf\�Z]qgf\�Ydd�gl`]j�k]l%



laf_k&�L`]�Zdg[c]\�MJDk�`]j]�Yhhdq�gfdq�lg�@LLH�ljY^â[�Yf\�Yj]�fgl�j]dYl]\�lg�l`]�:dg[c]\�Kal]k�dakl&

=p[]hlagfk�Yj]�ZYk]\�gf�hYll]jf%eYl[àf_&�HYll]jfk�Yj]�eYl[`]\�ZYk]\�gf�l`]�âjkl�hYjl�g^�l`]�MJD�Y^l]j�l`]�AH�Y\\j]kk�gj�@gkl�9daYk&�Lqha[Yd�MJDk� ^gj�]pYehd]$�\]Ydaf_�oal`�_YeZdaf_!�ea_`l�dggc�dac]�làk2

KWWS��ZZZ�KHGJHP\�FRP�EHWVKWWS��ZZZ�KHGJHP\�FRP�EHWV�IUHHKWWS��ZZZ�KHGJHP\�FRP�EHWVDFWVKWWS��ZZZ�KHGJHP\�FRP�EHWVHGXFDWLRQ�KWWS��ZZZ�KHGJHP\�FRP�IUHHEHWV

L`]�hYll]jf�eYl[àf_�ogjck�gf�l`]�l]pl�l`Yl�[ge]k�Y^l]j�ooo&`]\_]eq&[ge2�Z]lk$�Z]lkY[lk$�Z]lk]\m[Ylagf$�Z]lk'^j]]$�Yf\�^j]]Z]lk&

HdY[]�Yf�Ykl]jakc� "!�af�^jgfl�g^�l`]�kljaf_�qgm�oak`�lg�eYl[`&�A^�l`Yl�kljaf_�Yhh]Yjk�Yfqo`]j]�af�l`]�dg[Ylagf�hYjl�g^�l`]�MJD$�al�oadd�Z]�eYl[`]\&�L`]j]^gj]$�"Z]lk�oadd�eYl[`�Ydd�g^�l`]�MJDk�dakl]\�af�gmj�]pYehd]$�kaf[]�ÉZ]lkÊ�Yhh]Yjk�Yl�kge]�hgafl�af�Ydd�g^�l`]�MJDk&

Logging and WebBlockerO]Z:dg[c]j�_]f]jYl]k�dg_k�\]Ydaf_�oal`�\]faYdk$�\YlYZYk]�\gofdgY\�j]kmdlk$�Yf\�Jmd]�[gf^da[lk&�

9[[]kk�Yll]ehlk�Yj]�dg__]\�\akhdYqaf_�af^gjeYlagf�YZgml�kgmj[]�Yf\�\]klafYlagf�Y\\j]kk�Yk�o]dd�Yk�l`]�Zdg[c]\�MJD$�Yf\�o`Yl�[Yl]_gja]k�[Ymk]\�l`]�\]faYd&

9�dg_�]fljq�ak�_]f]jYl]\�k`goaf_�l`]�j]kmdlk�g^�Yfq�Yll]ehl]\�\YlY%ZYk]�j]lja]nYdÈa^�al�oYk�km[[]kk^md$�a^�al�^Yad]\$�Yf\�o`q&

How WebBlocker WorksO`]f�O]Z:dg[c]j�ak�afalaYddq�klYjl]\$�l`]�OYl[`?mYj\�=n]fl�Hjg[]k%kgj�emkl�Z]�jmffaf_�af�gj\]j�lg�k]f\�Y�\YlYZYk]�lg�l`]�>aj]Zgp&�

L`]�>aj]Zgp�Yf\�=n]fl�Hjg[]kkgj�ogjc�lg_]l`]j�lg�c]]h�l`]�:dg[c]\�MJD�<YlYZYk]�[mjj]fl&�Gf�klYjlmh$�l`]�>aj]Zgp�im]ja]k�l`]�=n]fl�Hjg[]kkgj�^j]im]fldq�^gj�Y�:dg[c]\�MJD�\YlYZYk]&�L`]�=n]fl�Hjg[]k%kgj�[gflY[lk�Y�k]jn]j�gh]jYl]\�Zq�OYl[`?mYj\�L][`fgdg_a]k$�Af[&�

!NOTE

Exceptions are intended to block specific sites and subsections of these sites. For that reason, you cannot enter *bets in the pattern sec-tion, and expect to block all URLs (including sites other than www.hedgemy.com) that contain the word “bets.” This is an optional field which, when omitted, matches the pattern to any IP address.


WebBlocker

O`]f�al�âf\k�l`]�\YlYZYk]$�al�j]lja]n]k�al�Yf\�\gofdgY\k�al�lg�l`]�>aj]Zgp&

L`]�>aj]Zgp�l`]f�im]ja]k�l`]�=n]fl�Hjg[]kkgj�`gmjdq�^gj�Yf�mh\Yl]\�\YlYZYk]&�A^�l`]j]�ak�Y�f]o�n]jkagf�g^�l`]�:dg[c]\�MJD�<YlYZYk]$�l`]�=n]fl�Hjg[]kkgj�Yml`]fla[Yl]k�alk]d^�Yf\�ljYfk^]jk�l`]�f]o�<YlYZYk]�gn]j�Yf�]f[jqhl]\�[`Yff]d&�Al�l`]f�[gflY[lk�l`]�>aj]Zgp�Yf\�dgY\k�l`]�f]o�<YlYZYk]�aflg�l`]�>aj]Zgp�Yf\�_]f]jYl]k�Y�dg_�]fljq�k`goaf_�af^gjeYlagf�YZgml�l`]�f]o�<YlYZYk]2�alk�kar]$�[`][ckme$�Yf\�Y�lae]k%lYeh&�L`]j]Y^l]j$�l`]�>aj]Zgp�im]ja]k�l`]�=n]fl�Hjg[]kkgj�`gmjdq�^gj�l`]�hj]k]f[]�g^�Y�f]o�\YlYZYk]&

A^�^gj�Yfq�j]Ykgf$�l`]�f]o]kl�<YlYZYk]�ak�[gjjmhl$�oYk�af[gehd]l]dq�j]lja]n]\$�gj�ak�Yfq�gl`]j�oYq�af[gehd]l]$�l`]�>aj]Zgp�oadd�fgl�dgY\�al&�A^�Y�ljYfk^]j�ak�mfkm[[]kk^md$�l`]�=n]fl�Hjg[]kkgj�oadd�ljq�Y_Yaf�af�Yf�`gmj&

A^�qgm�oak`�lg�j]n]jl�lg�Y�hj]nagmk�[ghq�g^�l`]�<YlYZYk]$�al�[Yf�Z]�^gmf\�af�l`]�afklYddYlagf�\aj][lgjq$�fYe]\�Éo]ZZdg[c]j&gd\&Ê�Kaehdq�j]fYe]�làk�âd]�lg�Éo]ZZdg[c]j&\ZÊ�Yf\�l`]�>aj]Zgp�oadd�mh\Yl]�alk]d^&

O`]f�l`]�>aj]Zgp�ak�j]klYjl]\$�Ydd�O]Z�Y[[]kk�oadd�Z]�Zdg[c]\�^gj�Y�eafml]�gj�log&�Mk]jk�eYq�_]l�Yf�]jjgj�e]kkY_]�l`Yl�j]Y\k�É\YlYZYk]�fgl�dgY\]\$Ê�oàd]�l`]�>aj]Zgp�hj]hYj]k�^gj�âdl]jaf_&

Al�ak�hgkkaZd]�lg�eYfmYddq�^gj[]�Y�\gofdgY\�g^�l`]�dYl]kl�:dg[c]\�MJD�<YlYZYk]&�;gfkmdl�l`]�OYl[`?mYj\�Mk]jÌk�?ma\]�^gj�\]lYadk&


CHAPTER 6 LiveSecurity

L`]�k][mjalq�gj_YfarYlagf$�;=JL$�j]hgjlk�Y�f]o�k][mjalq�l`j]Yl�ak�\ak%[gn]j]\�]n]jq�/&-�\Yqk&�9k�Y�j]kmdl$�ljY\alagfYd�klYla[�âj]oYdd�kgdm%lagfk�Yj]�ima[cdq�gml\Yl]\�Yk�l`]q�_jgo�af[j]Ykaf_dq�nmdf]jYZd]�gn]j�lae]�Zq�mfj]eallaf_�l`j]Ylk&�>gj�l`]�lqha[Yd�f]logjc�Y\eafakljYlgj$�c]]haf_�l`]�f]logjc�k][mjalq�kqkl]e�[mjj]fl�ak�Y�\Ymflaf_�lYkc&�Al�j]imaj]k�[`][caf_�af\mkljq�afka\]j�f]ok�Yf\�lahk�^gj�l`]�dYl]kl�k][m%jalq�l`j]Ylk$�Ykk]kkaf_�o`]l`]j�l`]�f]o�l`j]Yl�ak�\Yf_]jgmk�lg�l`]�dg[Yd�k][mjalq�kqkl]e$�Yf\�a^�f][]kkYjq$�[j]Ylaf_�hYl[`]k�gj�\akYZdaf_�hgjlk�gj�k]jna[]k�nmdf]jYZd]�lg�l`]�f]o]kl�l`j]Ylk&�Oal`�Ydd�l`]�gl`]j�\mla]k�[gf^]jj]\�gf�Y�f]logjc�Y\eafkljYlgj$�làk�ak�fgl�Y�j]Ydakla[�]ph][lYlagf&

L`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e�ak�kljm[lmj]\�lg�c]]h�qgmj�f]l%ogjc�\]^]fk]k�Yl�l`]aj�à_`]kl�d]n]d�Yl�Ydd�lae]k&�Af`]j]fl�af�l`]�Yj[à%l][lmj]�ak�Y�\qfYea[�ZjgY\[Ykl�f]logjc�lg�k][mj]dq�\]dan]j�kg^loYj]�mh\Yl]k$�l`j]Yl�j]khgfk]k$�Yf\�af^gjeYlagf�Yd]jlk�\aj][ldq�lg�qgmj�eYfY_]e]fl�klYlagf&�

9�gf]%q]Yj�kmZk[jahlagf�lg�Dan]K][mjalq$�]Ykadq�j]f]o]\�YffmYddq$�ak�Y�klYf\Yj\�[gehgf]fl�g^�l`]�Dan]K][mjalq�Kqkl]e&�Gf[]�qgmj�Dan]K][mjalq�Kqkl]e�ak�afklYdd]\$�al�c]]hk�qgmj�f]logjc�\]^]fk]k�Yl�l`]aj�à_`]kl�d]n]d�Zq�afl]dda_]fldq�Yf\�k]Yed]kkdq�hjgna\af_�l`]k]�Z]f]âlk2

Dynamically UpdatedDan]K][mjalq�ak�l`]�egkl�eYlmj]�k][mjalq�kqkl]e�\]ka_f]\�^gj�kqkl]eYla[�mh\Ylaf_&�Al�ljYfkealk�l`]�dYl]kl�kg^loYj]�mh\Yl]k�Yf\�Y\nYf[]k�af�âj]%oYdd�l][`fgdg_a]k�gj�Yml`]fla[Ylagf�Y[[]kk�[gfljgd�\aj][ldq�lg�qgmj�gj_Y%farYlagfÌk�Dan]K][mjalq�;da]fl�[gehml]j&

Fast and ResponsiveL`]�OYl[`?mYj\�o]�`Yn]�l`]�JYha\�L`j]Yl�J]khgfk]�L]Ye&�Làk�ak�Y�_jgmh�g^�k][mjalq�]ph]jlk�o`gk]�bgZ�ak�lg�mf[gn]j�Yf\�f]mljYdar]�Afl]jf]l�k][mjalq�l`j]Ylk�Yf\�`Y[c]j�YllY[ck�l`Yl�[gmd\�l`j]Yl]f�qgmj�Zmkaf]kk&�Af�


LiveSecurity

Y�eYll]j�g^�`gmjk$�Y�kgdmlagf�ak�a\]flaâ]\�Yf\�mh\Yl]\�k][mjalq�hjgl][%lagf�ak�ZjgY\[Ykl�lg�qgm&�

Team-OrientedGmj�l]Ye�g^�d]Y\af_�k][mjalq�]ph]jlkÌ�hjaeYjq�lYkck�Yj]�lg�âf\�f]o�k][mjalq�l`j]Ylk$�Ykk]kk�l`]aj�nmdf]jYZadalq�lg�l`]�OYl[`?mYj\�Dan]K][m%jalq�Kqkl]e$�Yf\�o`]f�f][]kkYjq$�[j]Yl]�kg^loYj]�hYl[`]k�lg�klj]f_l`]f�qgmj�afklYddYlagf�Y_Yafkl�l`]�f]o]kl�l`j]Yl&�Làk�ak�Y�^Yj�kY^]j�YhhjgY[`�l`Yf�Y�f]logjc�Y\eafakljYlgj�ogjcaf_�Ydgf]�lg�c]]h�l`]�kqkl]e�[mjj]fl&�Dan]K][mjalq�ak�l]Ye%gja]fl]\�af�log�oYqk2�l`]�l]Ye�ogjck�lg_]l`]j�lg�âf\�hjgZd]ek�Yf\�âp�l`]e$�Yf\�l`]�l]Ye�ogjck�oal`�qgmj�gj_YfarYlagf�lg�c]]h�qgmj�f]logjc�k][mjalq�[mjj]fl&�Dan]K][mjalq�kmZk[jaZ]jk�Yj]�l`]�âjkl�lg�Z]f]âl�^jge�l`]aj�af^gjeYlagfYd�Yd]jlk�Yf\�k][mjalq�]ph]jlak]&�G^l]f�qgm�oadd�j][]an]�ZjgY\[Yklk�Z]^gj]�l`]�k][mjalq�l`j]Yl�`Yk�Z]]f�eY\]�hmZda[&

The LiveSecurity Client

=n]jq�f]o�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e�af[dm\]k�Y�gf]%q]Yj�kmZk[jahlagf� ]Ykadq�j]f]o]\!�lg�l`]�Dan]K][mjalq�ZjgY\[Ykl�k]jna[]&�Làk�hYjl�g^�l`]�Dan]K][mjalq�Kqkl]e�af[dm\]k�l`]�Dan]K][mjalq�;da%]fl$�Y�:Y[cO]Z�[da]fl$�l`Yl�Édakl]fkÊ�lg�OYl[`?mYj\Ìk�Dan]K][mjalq�:jgY\[Ykl�k]jna[]&�L`]�Dan]K][mjalq�;<%JGE�[gflYafk�l`]�Dan]K][m%jalq�[da]fl&�Gf[]�afklYdd]\$�làk�[da]fl�Yhhda[Ylagf�YmlgeYla[Yddq�]klYZ%dak`]k�Y�k][mj]�[gff][lagf�oal`�Y�OYl[`?mYj\�Dan]K][mjalq�k]jn]j�Yf\�\gofdgY\k�l`]�dYl]kl�k][mjalq�kg^loYj]&�Làk�mh\Yl]k�qgmj�k][m%jalq�kqkl]e�Y_Yafkl�Yfq�[gf[]jfk�gj�l`j]Ylk�l`Yl�eYq�`Yn]�\]n]dgh]\�Z]lo]]f�o`]f�qgmj�>aj]Zgp�oYk�kàhh]\�Yf\�o`]f�qgm�afklYdd]\�al&

An Integrated SolutionL`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e�afl]_jYl]k�kg^loYj]�Yf\�`Yj\%oYj]�[gehgf]flk�aflg�Y�kqkl]e�ghlaear]\�^gj�kY^]dq�Y[[]hlaf_�ljYfk%eakkagfk&�OYl[`?mYj\�mk]k�Y�[geZafYlagf�g^�l][`fgdg_a]k�lg�k][mj]dq�ljYfkeal�Ydd�Dan]K][mjalq�ZjgY\[Yklk�\aj][ldq�lg�qgmj�\]kc%lgh&�<a_alYd�[]jlaâ[Yl]k�Yj]�mk]\�af�[gfbmf[lagf�oal`�Y�hmZda[�c]q�]f[jqhlagf�kqkl]e�\]n]dgh]\�Zq�JK9�<YlY�K][mjalq�Af[&�Ljmkl]\�[]j%laâ[Ylagf�Yml`gjala]k� km[`�Yk�N]jaka_f�Af[!�akkm]�l`]�\a_alYd�[]jlaâ%[Yl]k�mk]\�Zq�l`]�Kqkl]e&

LiveSecurity BroadcastsDan]K][mjalq�ZjgY\[Yklk�Yj]�\]dan]j]\�lg�l`]�Dan]K][mjalq�kg^loYj]�[da]fl�qgm�\]ka_fYl]\�\mjaf_�afklYddYlagf&�Qgm�eYq�Ydkg�j][]an]�Dan]K][mjalq�af^gjeYlagf�Yd]jlk�Yf\�l`j]Yl�j]khgfk]k�naY�]%eYad&�<m]�lg�af`]j]fl�daealYlagfk�af�[mjj]fl�]%eYad�l][`fgdg_q$�Kg^loYj]�Mh\Yl]k�Yj]�\]dan]j]\�gfdq�^jge�Y�k][mj]�Dan]K][mjalq�O]Z�kal]�lg�qgmj�[da]fl&�Af�Y\\alagf$�Dan]K][mjalq�]%eYad�ak�YdoYqk�ka_f]\�oal`�gmj�H?H�c]q�lg�_mYjYfl]]�Yml`]fla[alq&�Af�Ydd�[Yk]k$�kg^loYj]�\aklja%


The LiveSecurity Client

Zmlagfk�Yj]�\a_alYddq�ka_f]\�Yf\�[`][c]\�\mjaf_�l`]�kg^loYj]�afklYd%dYlagf�hjg[]kk&

LjYfkeall]\�lg�qgm�Yj]2�

Software UpdatesGf_gaf_�^mf[lagfYd�]f`Yf[]e]flk�[gn]jaf_�qgmj�]flaj]�Dan]K][mjalq�Kqkl]e&

Threat ResponsesKg^loYj]�mh\Yl]k�kh][aâ[Yddq�Y\\j]kkaf_�Y�f]odq�\ak[gn]j]\�l`j]Yl&

Information AlertsLae]dq�fglaâ[Ylagfk�g^�Zj]Ycaf_�f]ok�Yf\�[mjj]fl�akkm]k�af�Afl]jf]l�k][mjalq&

Security BroadcastsAf�Y\\alagf�lg�kg^loYj]�mh\Yl]k�Y\\j]kkaf_�kh][aâ[�l`j]Ylk$�qgm�j][]an]�^mf[lagfYd�kg^loYj]�]f`Yf[]e]flk�[gn]jaf_�qgmj�]flaj]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e�gf�Yf�gf_gaf_�ZYkak&�9f�afklYddY%lagf�oarYj\�Yf\�j]d]Yk]�fgl]k�Y[[gehYfq�]Y[`�ljYfkeakkagf�^gj�]Ykq�afklYddYlagf&�L`]k]�[gfn]fa]fl�ljYfkeakkagfk�j]da]n]�qgm�g^�l`]�Zmj%\]f�g^�ljY[caf_�l`]�dYl]kl�kg^loYj]�n]jkagf�lg�c]]h�qgmj�Kqkl]e�[mj%j]fl&

Threat Responses9k�l`]�^j]im]f[q�g^�f]o�YllY[ck�Yf\�k][mjalq�Y\nakgja]k�af[j]Yk]k$�l`]�lYkc�g^�]fkmjaf_�l`Yl�qgmj�f]logjc�ak�k][mj]�Z][ge]k�]n]f�egj]�g^�Y�Zmj\]f&�OYl[`?mYj\�k�JYha\�J]khgfk]�L]Ye$�Y�\]\a[Yl]\�_jgmh�g^�afl]jfYd�k][mjalq�]ph]jlk$�`]dhk�YZkgjZ�làk�Zmj\]f�Zq�egfalgjaf_�l`]�Afl]jf]l�k][mjalq�dYf\k[Yh]�lg�a\]fla^q�f]o�l`j]Ylk�Yk�l`]q�]e]j_]&

Gf[]�Y�f]odq�\ak[gn]j]\�l`j]Yl�ak�a\]flaâ]\$�l`]�JYha\�J]khgfk]�L]Ye�\]n]dghk�Yf\�ljYfkealk�qgm�Y�kg^loYj]�mh\Yl]�kh][aâ[Yddq�Y\\j]kkaf_�làk�l`j]Yl�lg�]fkmj]�qgmj�f]logjc�ak�[gflafmgmkdq�hjg%l][l]\&�=Y[`�L`j]Yl�J]khgfk]�af[dm\]k�Y�\]k[jahlagf�\]lYadaf_�l`]�fYlmj]�Yf\�k]n]jalq�g^�l`]�l`j]Yl$�l`]�jakck�al�hgk]k�Yf\�o`Yl�kl]hk�qgm�k`gmd\�lYc]�lg�]fkmj]�qgmj�f]logjc�ak�hjgl][l]\&

Information AlertsDan]K][mjalq�af^gjeYlagf�Yd]jlk�hjgna\]�lae]dq�fglaâ[Ylagfk�g^�Zj]Ycaf_�f]ok�Yf\�[mjj]fl�akkm]k�af�Afl]jf]l�k][mjalq&�;gfl]fl�ak�lYa%dgj]\�^gj�qgmj�f]]\k$�kg�qgm�f]]\�gfdq�dggc�af�gf]�hdY[]�lg�klYq�YZj]Ykl�g^�l`]�^Ykl�[`Yf_af_�Afl]jf]l�k][mjalq�dYf\k[Yh]��qgmj�\]kc%lgh&�Làk�e]Yfk�l`Yl�o`]f�qgm�j]Y\�YZgml�Y�f]o�`Y[c]j�l`j]Yl$�qgm�n]�Ydj]Y\q�Z]]f�Zja]^]\�gf�alk�aehY[l�Yf\�l`]�hjgh]j�Kqkl]e�[gfâ_mjYlagf�f][]kkYjq�lg�hjgl][l�Y_Yafkl�al&


LiveSecurity

9\\alagfYddq$�Af^gjeYlagf�9d]jlk�c]]h�qgm�af^gje]\�g^�mh[geaf_�]f`Yf[]e]flk�lg�qgmj�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e�Yf\�gl`]j�kh][aYd�Yffgmf[]e]flk&

Rapid Response Team

:]àf\�l`]�Dan]K][mjalq�k]jna[]�ak�OYl[`?mYj\�k�JYha\�J]khgfk]�L]Ye&�L`]k]�k][mjalq�]ph]jlk�[dgk]dq�egfalgj�Y�_Yeml�g^�Afl]jf]l�k][mjalq�kgmj[]k$�f]o�gh]jYlaf_�kqkl]e�\]n]dghe]flk�Yf\�]e]j_af_�`Y[c]j�l][`faim]k�lg�ima[cdq�a\]fla^q�f]o�Afl]jf]l�k][mjalq�l`j]Ylk&�Gf[]�a\]flaâ]\$�làk�l]Ye�Ykk]kk]k�alk�k]n]jalq�Yf\$�a^�YhhjghjaYl]$�ljYfkealk�Y�j]khgfk]�lg�qgm&

L`]�JYha\�J]khgfk]�L]Ye�eYpaear]k�qgmj�d]n]d�g^�Afl]jf]l�k][mjalq�oal`gml�aehY[laf_�qgmj�h]jkgff]d�[gmfl�gj�Zm\_]l&�L`]�\]eYf\�^gj�f]logjc�k][mjalq�]ph]jlk�oadd�[gflafm]�lg�gmlkljah�kmhhdq�^gj�l`]�^gjk]]YZd]�^mlmj]&�Mh\Yl]k�^jge�l`]�JYha\�J]khgfk]�L]Ye�_an]k�qgm�l`]�]ph]jlak]�oal`gml�l`]�]ph]fk]�g^�eYaflYafaf_�km[`�Y�\]hYjle]fl�af%`gmk]&

L`]�JYha\�J]khgfk]�L]Ye�Ydkg�eYaflYafk�Y�Dan]K][mjalq�9j[àn]$�daklaf_�Ydd�g^�l`]�[gfl]fl�qgm�`Yn]�j][]an]\�kg�qgm�\gf�l�`Yn]�lg�eYaflYaf�qgmj�gof�k]hYjYl]�j][gj\k&�K`gmd\�qgm�\]d]l]�Yd]jlk�gj�]Yj%da]j�n]jkagfk�g^�kg^loYj]$�làk�9j[àn]�Yddgok�qgm�lg�j]lja]n]�l`]e�^jge�Y�k][mj]�O]Z�kal]&

LiveSecurity Alliance

L`]�OYl[`?mYj\�Dan]K][mjalq�9ddaYf[]�ak�Y�l][`fgdg_q�Yf\�eYjc]l%af_�hYjlf]j�hjg_jYe�l`Yl�oYk�^gje]\�lg�kmhhgjl�Yf\�]f`Yf[]�l`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e&�L`]�_gYd�g^�l`]�9ddaYf[]�ak�lg�hjg%na\]�qgm�oal`�Y�jYf_]�g^�[gehYlaZd]�kgdmlagfk�^jge�Dan]K][mjalq�9ddaYf[]�hYjlf]jk&

9k�Y�OYl[`?mYj\�Dan]K][mjalq�kmZk[jaZ]j$�qgm�Ydkg�Z]f]âl�^jge�l`]�[gdd][lan]�]ph]jlak]�Ydd�g^�l`]�hYjlf]jk�af�l`]�YddaYf[]&�L`]�OYl[`%?mYj\�Dan]K][mjalq�9ddaYf[]�Y[lk�Yk�Y�[gddYZgjYlan]�^gjme�o`]j]�]ph]jlk�^jge�]Y[`�hYjlf]j�hmjkm]�emlmYd�k`Yjaf_�g^�af^gjeYlagf�Yf\�hjg\m[l�afl]jgh]jYZadalq&


CHAPTER 7 Virtual Private Networking

9�NajlmYd�HjanYl]�F]logjc� NHF!�]fYZd]k�log�f]logjck� gj�Y�`gkl�lg�Y�f]logjc!�lg�[geemfa[Yl]�oal`�]Y[`�gl`]j�naY�Y�làj\�mfhjgl][l]\�f]logjc&�L`]�egkl�hghmdYj�hjY[la[Yd�Yhhda[Ylagf�g^�làk�l][`fgdg_q�ak�lg�mk]�l`]�Afl]jf]l� l`]�làj\$�mfhjgl][l]\�f]logjc!�lg�[Yjjq�\YlY�Z]lo]]f�\aklYfl�`gklk�gj�f]logjck�Yl�Y�em[`�dgo]j�[gkl�l`Yf�\]\a%[Yl]\�daf]k�gj�\aYd%mh�[gff][lagfk&�Lg�c]]h�l`]�[geemfa[Ylagf�k][mj]�o`]f�al�hYkk]k�l`jgm_`�l`]�mfhjgl][l]\�f]logjc$�l`]�hY[c]lk�Yj]�]f[YhkmdYl]\�af�Yfq�fmeZ]j�g^�oYqk� ^gj�]pYehd]$�]f[jqhl]\�Yf\�Yml`]fla[Yl]\!&�9�jmd]k]l�l`Yl�\]âf]k�Ydd�l`]�làk�k][mj]\�[gff][%lagfÈl`]�klYjl�Yf\�]f\�hgaflk$�l`]�lqh]�g^�Yml`]fla[Ylagf�Yf\�]f[jqhlagf�mk]\$�l`]�mk]jk�gj�_jgmhk�Yddgo]\�lg�mk]�alÈak�[Ydd]\�Y�lmff]d&�OYl[`?mYj\�hjgna\]k�log�eg\md]k$�]Y[`�oal`�k]n]jYd�ghlagfk$�lg�hjgna\]�k][mj]�lmff]dk2

� :jYf[`�G^â[]�NHF$�oà[`�[j]Yl]k�Y�k][mj]�lmff]d�Z]lo]]f�log�f]logjck�hjgl][l]\�Zq�OYl[`?mYj\�>aj]Zgp]k� gj�Z]lo]]f�Y�OYl[`?mYj\�>aj]Zgp�Yf\�Yf�AHK][%[gehdaYfl�\]na[]!&

� J]egl]�Mk]j�NHF$�oà[`�[j]Yl]k�Y�k][mj]�[gff][lagf� ]al`]j�Zq�mkaf_�klYf\Yj\�HHLH�gj�l`]�ghlagfYd�AHK][�lmff]d!�Z]lo]]f�Y�`gkl�Yf\�Y�f]logjc�hjgl][l]\�Zq�Y�>aj]Zgp&

Mk]�OYl[`?mYj\Ìk�:jYf[`�G^â[]�NHF�lg�k][mj]dq�[gff][l�Yf�g^â[]�f]logjc�af�L`YadYf\�oal`�Yf�g^â[]�f]logjc�af�RaeZYZo]�naY�l`]�Afl]jf]l&�:jYf[`�G^â[]�NHF�[Yf�]n]f�[gff][l�eYfq�k[Yll]j]\�j]egl]�g^â[]k�lg�Y�[]fljYd�g^â[]&�:jYf[`�G^â[]�NHF�j]imaj]k�log�k][mjalq�\]na[]k$�km[`�Yk�log�OYl[`?mYj\�>aj]Zgp]kÈgf]�Yl�]Y[`�]f\�g^�Y�lmff]d&�9l�Y�eafaeme�qgm�f]]\�gf]�>aj]Zgp�Yf\�Yf�AHK][%[gehdaYfl�\]na[]�Yl�l`]�gl`]j�]f\�g^�l`]�lmff]d&

J]egl]�Mk]j�NHF�[Yf�[gff][l�Yf�]ehdgq]]�ljYn]daf_�oal`�Y�dYhlgh�[gehml]j�lg�Y�[gjhgjYl]�f]logjc�l`Yl�ak�hjgl][l]\�Zq�Y�>aj]Zgp&�G^�[gmjk]�al�ogjck�]imYddq�o]dd�oal`�Y�l]d][geemlaf_�]ehdgq]]�o`g�


Virtual Private Networking

lmff]dk�lg�l`]�[gehYfq�>aj]Zgp�^jge�Y�`ge]�H;&�J]egl]�Mk]j�NHF�j]imaj]k�gf]�>aj]Zgp�gfdq�Yl�l`]�f]logjc&

Branch Office VPN

OYl[`?mYj\�:jYf[`�G^â[]�NHF�]fYZd]k�k][mj]�[geemfa[Ylagfk�Z]lo]]f�qgmj�g^â[]�dg[Ylagfk�Yf\�gl`]j�g^â[]k�]imahh]\�oal`�Y�>aj]Zgp�gj�gl`]j�AHK][%[gehdaYfl�k][mjalq�\]na[]&�L`]k]�[gmd\�Z]�qgmj�ZjYf[`�g^â[]k�gj�ljY\af_�hYjlf]jk&�OYl[`?mYj\�:jYf[`�G^â[]�NHF�kmhhgjlk�log�]f[jqhlagf�hjglg[gdk2�

� AHK][� OYl[`?mYj\�k�Hjghja]lYjq�NHF�Hjglg[gd

Mk]�AHK][�lg�lmff]d�Z]lo]]f�Y�OYl[`?mYj\�>aj]Zgp�Yf\�Yf�AHK][%[gehdaYfl�\]na[]�^jge�Yfgl`]j�n]f\gj&�9dkg�mk]�AHK][�Z]lo]]f�log�>aj]Zgp]k��Yf\�gl`]j�[mklge]j�kal]k�Yhhjgn]\�^gj�kljgf_�]f[jqhlagf�Zq�OYl[`?mYj\�L][`fgdg_a]k�Yf\'gj�l`]�M&K&�?gn]jfe]fl&

Mk]�OYl[`?mYj\�NHF�a^�Yl�d]Ykl�gf]�]f\�g^�l`]�lmff]d�\g]k�fgl�mk]�Ékljgf_�]f[jqhlagf&Ê�OYl[`?mYj\�NHF�g^^]jk�,(%Zal�]f[jqhlagf� lg�[gehdq�oal`�]f[jqhlagf�j]_mdYlagfk!&�9dkg�mk]�NHF�^gj�Yfq�lmff]d�l`Yl�`Yk�OYl[`?mYj\�>aj]Zgp]k�Yl�Zgl`�]f\k&�OYl[`?mYj\�NHF�oal`�)*0%Zal�]f[jqhlagf�[Yf�Z]�mk]\�o`]f�Zgl`�]f\k�g^�l`]�lmff]d�Yj]�da[]fk]\�^gj�kljgf_�]f[jqhlagf&�A^�qgm�ogmd\�dac]�lg�mk]�kljgf_�]f[jqhlagf� )*0�Zal$�+<=K!�gj�AHK][$�hd]Yk]�[gflY[l�OYl[`?mYj\�L][`fa[Yd�Kmhhgjl�Yl�*(.&-*)&0+/-&

=Y[`�>aj]Zgp�]f[jqhlk�l`]�e]kkY_]k�lg�Z]�k]fl�lg�Y�j]egl]�>aj]Zgp$�Yf\�\][jqhlk�l`]�j]lmjfaf_�e]kkY_]k&�;geemfa[Ylagf�Z]lo]]f�l`]�log�f]logjck�ljYn]dk�kY^]dq�gn]j�l`]�Afl]jf]l$�\][jqhlYZd]�gfdq�Zq�l`]�>aj]Zgp�gj�AHK][%[gehdaYfl�\]na[]�gf�l`]�gl`]j�]f\&

Gfdq�gf]�NHF�[gff][lagf�ak�h]jeall]\�Z]lo]]f�Yfq�log�>aj]Zgp]k$�Ydl`gm_`�gf]�>aj]Zgp�eYq�`Yn]�[gff][lagfk�lg�eYfq�\a^^]j]fl�>aj]%Zgp]k&�Af�Y\\alagf$�qgm�[Yffgl�mk]�>aj]Zgp]k�lg�j]dYq�]f[jqhl]\�eYl]jaYd�lg�Y�làj\�>aj]Zgp&�9dd�:jYf[`�G^â[]�NHF�>aj]Zgp]k�emkl�Z]�[gfâ_mj]\�af�Y�klYj�f]logjc&

Af[geaf_�[gff][lagfk�^jge�j]egl]�NHF�f]logjck�eYq�Y[[]kk�eY[àf]k�gf�l`]�dg[Yd�Ljmkl]\�afl]j^Y[]�j]_Yj\d]kk�g^�o`]l`]j�l`]�dg[Yd�eY[àf]k�Yj]�eYkim]jY\]\&

;gff][lagfk�eY\]�l`jgm_`�Y�NHF�Yj]�f]n]j�eYkim]jY\]\&


Branch Office VPN

IPSec Implementation of Branch Office VPNOYl[`?mYj\�k�:jYf[`�G^â[]�NHF�]f[jqhlagf�hjglg[gd�ak�[gehdaYfl�oal`�l`]�[mjj]fl�AHK][�Yj[àl][lmj]�Yk�\]âf]\�Zq�l`]�A=L>� Afl]jf]l�=f_af]]jaf_�LYkc�>gj[]!&�AHK][�:jYf[`�G^â[]�NHF�ak�YnYadYZd]�Yk�hYjl�g^�l`]�Kljgf_�=f[jqhlagf�ghlagf&�Oal`�AHK][�:jYf[`�G^â[]�NHF$�qgm�[Yf�]klYZdak`�]f[jqhl]\�lmff]dk�Z]lo]]f�Y�>aj]Zgp�Yf\�Yfq�gl`]j�AHK][%[gehdaYfl�k][mjalq�\]na[]$�j]_Yj\d]kk�g^�ZjYf\$�l`Yl�eYq�Z]�af�k]jna[]�hjgl][laf_�ZjYf[`�g^â[]$�ljY\af_�hYjlf]j�gj�kmhhda]j�dg[Ylagfk&

AHK][�`Yk�Z]]f�\]ka_f]\�lg�af[dm\]�log�f]o�hjglg[gdk�lg�kgdn]�l`]�hjgZd]ek�g^�\YlY�afl]_jalq�Yf\�[gfâ\]flaYdalq�o`]f�k][mjaf_�\YlY�Y[jgkk�l`]�Afl]jf]l&�L`]�9@� 9ml`]fla[Ylagf�@]Y\]j!�hjglg[gd�kgdn]k�l`]�hjgZd]e�g^�\YlY�afl]_jalq�Ydgf]$�oàd]�l`]�=KH� =f[YhkmdYl]\�K][mjalq�HYqdgY\!�hjglg[gd�kgdn]k�l`]�hjgZd]e�g^�\YlY�afl]_jalq�Yf\�[gfâ\]flaYdalq&

=Y[`�NHF�lmff]d�[j]Yl]\�oal`�AHK][�ak�Ykka_f]\�Y�kh][aâ[�K][mjalq�HYjYe]l]j�Af\]p� KHA!&�Làk�\a^^]j]flaYl]k�NHF�lmff]dk�[gfâ_mj]\�gf�l`]�>aj]Zgp&�9f�KHA�ak�Yf�YjZaljYjq$�+*%Zal�fmeZ]j�l`Yl�kh][aâ]k�lg�l`]�j][]anaf_�\]na[]�oà[`�_jgmh�g^�k][mjalq�hjglg[gdkÈYd_gjalèk$�c]qk$�`go�dgf_�l`gk]�c]qk�Yj]�nYda\Èl`]�k]f\]j�ak�mkaf_�^gj�[geem%fa[Ylagf&

Qgm�[Yf�Ydkg�gj\]j�Yf\�hjagjalar]�jgmlaf_�hgda[a]k�lg�kh][a^q�oà[`�NHF�lmff]d�lg�mk]�^gj�[]jlYaf�ljY^â[&�>gj�]pYehd]$�qgm�eYq�mk]�<=K�]f[jqhlagf�̂ gj�NHF�ljY^â[�gja_afYlaf_�^jge�qgmj�kYd]k�l]Ye$�Zml�eYq�j]imaj]�kljgf_]j�Ljahd]<=K�]f[jqhlagf�^gj�Ydd�\YlY�ljYfkeall]\�^jge�qgmj�âfYf[]�\]hYjle]fl&

Internet Key Exchange (IKE)9k�l`]�fmeZ]j�g^�NHF�lmff]dk�Z]lo]]f�>aj]Zgp]k�Yf\�gl`]j�AHK][%[gehdaYfl�\]na[]k�_jgo$�qgm�Yj]�^Y[]\�oal`�l`]�[`Ydd]f_]�g^�eYaf%lYafaf_�eYfq�hYajk�g^�c]qk$�gj�k][j]lk$�^gj�]Y[`�lmff]d&�Qgm�Yj]�Ydkg�j]khgfkaZd]�^gj�eYcaf_�kmj]�l`]k]�c]qk�Yj]�[`Yf_]\�^j]im]fldq�lg�]fkmj]�l`]�k][mjalq�g^�]Y[`�NHF�[gff][lagf&

Afl]jf]l�C]q�=p[`Yf_]� AC=!�YmlgeYl]k�l`]�hjg[]kk�g^�f]_glaYlaf_�c]qk$�[`Yf_af_�c]qk�Yf\�\]l]jeafaf_�o`]f�lg�[`Yf_]�c]qk&�OYl[`%?mYj\�kmhhgjlk�l`]�dYl]kl�\jY^l�g^�l`]�AHK][�klYf\Yj\�l`Yl�mk]k�l`]�Afl]jf]l�C]q�=p[`Yf_]�hjglg[gd�^gj�\qfYea[Yddq�f]_glaYlaf_�c]qk&�AC=�]f`Yf[]k�k][mjalq�Yf\�]fYZd]k�l`]�>aj]Zgp�lg�]klYZdak`�Y�k][mj]�klYf\Yj\k%ZYk]\�NHF�[gff][lagf�oal`�gl`]j�f]logjc�\]na[]k�l`Yl�kmhhgjl�AC=&�

WatchGuard’s Proprietary Encryption ProtocolL`]�OYl[`?mYj\�Hjghja]lYjq�=f[jqhlagf�Hjglg[gd�mk]k�JK9�J;,�]f[jqhlagf�klYf\Yj\k�lg�]klYZdak`�Y�k][mj]�lmff]d�Yegf_�emdlahd]�OYl[`?mYj\�>aj]Zgp]k&�JK9�J;,�)*0%Zal�]f[jqhlagf�ak�YnYadYZd]�af�



l`]�M&K&�Yf\�;YfY\Y�Yf\�J;,�-.%Zal�]f[jqhlagf�ak�YnYadYZd]�^gj�afl]j%fYlagfYd�mk]&

OYl[`?mYj\�k�NHF�OarYj\�oYdck�qgm�l`jgm_`�l`]�kljYa_`l^gjoYj\�hjg[]kk�g^�k]llaf_�mh�l`]�NHF&�L`]�OarYj\�Z]_afk�Zq�a\]fla^qaf_�l`]�>aj]Zgp�Yl�l`]�gl`]j�]f\�g^�]Y[`�lmff]d�Yf\�]Y[`�f]logjc�Z]àf\�l`]�>aj]Zgp&�L`]�NHF�OarYj\�Ydkg�Ykkaklk�qgm�af�k]llaf_�mh�hY[c]l�âdl]j�jmd]k�^gj�mf]f[jqhl]\�j][]an]\�hY[c]lk&�Jmffaf_�l`]�NHF�OarYj\�^jge�Y��`]Y\imYjl]jk��g^â[]�eYc]k�al�n]jq�]Ykq�lg�kYn]�[gfâ_mjYlagf�af^gjeYlagf�lg�j]egl]�ZjYf[`�g^â[]�>aj]Zgp]k&

Configuration Checklist@]j]�ak�Y�dakl�g^�\][akagfk�lg�eYc]�Z]^gj]�hjg[]]\af_�oal`�NHF�[gf%â_mjYlagf2

� AH�Y\\j]kk�g^�Zgl`�>aj]Zgp]k� AH�f]logjc�Y\\j]kk]k�^gj�l`]�f]logjck�[geemfa[Ylaf_�oal`�gf]�

Yfgl`]j� 9�[geegf�hYkk%h`jYk]$�cfgof�Yk�Y�k`Yj]\�k][j]l&�� A^�qgm�Yj]�fgl�mkaf_�:jYf[`�G^â[]�NHF�oal`�AHK][$�]Y[`�>aj]Zgp�

emkl�`Yn]�Y�dg[Yd�NHF�AH�Y\\j]kk&�Làk�emkl�Z]�k]d][l]\�^jge�Y�j]k]jn]\�f]logjc�Y\\j]kk�l`Yl�ak�fgl�af�mk]�gf�]al`]j�g^�l`]�f]l%ogjck�Z]af_�[gff][l]\&�>gj�egj]�af^gjeYlagf�k]]�J>;�)1)0&

� �:gl`�>aj]Zgp]k�emkl�mk]�l`]�kYe]�e]l`g\�g^�]f[jqhlagf

Al�ak�g^l]f�`]dh^md�lg�\jYo�Y�\aY_jYe�oal`�Ydd�l`]�AH�Y\\j]kk]k$�kaf[]�làf_k�[Yf�_]l�Y�dalld]�[gf^mkaf_&�>gj�]pYehd]2

FIGURE 4. Branch Office VPN Diagram

Internet(insecure)

Home OfficeTrusted Network:

Kokomo

172.16.18.0/24

Trusted Network:192.168.6.0/24

External address: 212.134.34.25VPN IP address: 10.10.10.10Unwrapping, decryption, andfinal destination routing occurhere.

Over the Internet, packetsare encrypted and sent via UDP to the reciprocatingFirebox’s external IP addresswhere they are unwrapped, decrypted, and sent on to theirreal destination.

External address: 194.34.54.2VPN IP address: 10.20.20.20Unwrapping, decryption, andfinal destination routing occurhere.


Branch Office VPN

EncryptionQgm�[Yf�k]d][l�Z]lo]]f�,(�gj�)*0�Zal�]f[jqhlagf�a^�qgm�Yj]�Y�M&K&�[mk%lge]j$�;YfY\aYf�[mklge]j$�gj�[mklge]j�o`g�`Yk�Z]]f�Yhhjgn]\�^gj�mk]�g^�kljgf_�]f[jqhlagf�Zq�OYl[`?mYj\�Yf\'gj�l`]�M&K&�?gn]jf%e]fl&�A^�qgm�ogmd\�dac]�lg�mk]�kljgf_�]f[jqhlagf� )*0�Zal$�+<=K!�gj�AHK][$�hd]Yk]�[gflY[l�OYl[`?mYj\�L][`fa[Yd�Kmhhgjl�Yl�*(.&-*)&0+/-&�

Logging9[lanYlaf_�af[geaf_�gj�gml_gaf_�dg__af_�mkmYddq�_]f]jYl]k�Y�dYj_]�fmeZ]j�g^�dg_�]flja]k$�oà[`�ogmd\�dac]dq�kdgo�l`]�hYkkY_]�g^�NHF�ljY^â[�ka_faâ[Yfldq� kaf[]�]Y[`�hY[c]l�ak�dg__]\!&�Dg__af_�g^�l`]k]�]n]flk�Yj]�_]f]jYddq�mk]^md�gfdq�^gj�\]Zm__af_&

Branch Office VPN Special Considerations� L`]j]�ak�Y�hgl]flaYd�AH�khggâf_�hjgZd]e�a^�l`]�j]egl]�>aj]Zgp�AH�ak�

gf�l`]�kYe]�f]logjc�Yk�Y�j]egl]�f]logjc&�Al�ak�l`]gj]la[Yddq�hgkka%Zd]�lg�khgg^�hY[c]lk�^jge�l`Yl�kaf_d]�AH�Y\\j]kk� l`]�j]egl]�>aj]Zgp�AH!&�K`gmd\�làk�Z]�l`]�[Yk]$�l`]�hYjYfga\�Y\eafakljYlgj�k`gmd\�eYc]�kmj]�lg�\akYddgo�Y[[]kk�lg�afl]jfYd�k]jn]jk�^jge�l`Yl�gf]�AH�Y\\j]kk&

� Gf[]�NHF�ak�k]l�mh$�[gfâ_mj]�af[geaf_�k]jna[]k�lg�Yddgo�NHF�[gff][lagfk&�Al�ak�g^l]f�]Yka]kl�lg�[j]Yl]�É@gkl�9daYk]kÊ� ^jge�K]lmh'9[[]kk�Yf\�9ml`]fla[Ylagf&&&!�[gjj]khgf\af_�lg�NHF�j]egl]�f]logjck�kg�l`Yl�k]jna[]k�eYq�Z]�egj]�]Ykadq�[gfâ_mj]\� k]]É9daYkaf_Ê�gf�hY_] -)!$�gj�mk]�l`]�9fq�k]jna[]&

� �OYl[`?mYj\�mk]k�hgjl�,)(,�^gj�NHF�[gff][lagfk&

Sample ConfigurationsL`]j]�Yj]�log�eYaf�lqh]k�g^�NHF�[gff][lagfk2�Y�log�Zgp�[gfâ_mjY%lagf$�Yf\�Y�emdlahd]�Zgp�[gfâ_mjYlagf&

Two Box ConfigurationLàk�[gfâ_mjYlagf�[gff][lk�log�f]logjck�gn]j�l`]�Afl]jf]l�mkaf_�log�>aj]Zgp]k&�Làk�ak�l`]�[gfâ_mjYlagf�addmkljYl]\�af�>a_mj] ,$�É:jYf[`�G^â[]�NHF�<aY_jYe$Ê�gf�hY_] /*&��

Multiple Box ConfigurationLg�]klYZdak`�egj]�l`Yf�gf]�NHF�[gff][lagf�Z]lo]]f�egj]�l`Yf�log�>aj]Zgp]k$�kaehdq�Y\\�emdlahd]�NHF�[gfâ_mjYlagfk�lg�l`]�É[]fljYdÊ�>aj]Zgp$�Yf\�[gfâ_mj]�j]egl]�>aj]Zgp]k�Y[[gj\af_dq&�EYc]�kmj]�l`Yl�hYkk�h`jYk]k�Yj]�mfaim]�lg�Y�kaf_d]�NHF�[gff][lagf&�



Lg�\]l]jeaf]�a^�Y�[gfâ_mjYlagf�`Yk�Z]]f�km[[]kk^md$�oYl[`�^gj�dg_�]flja]k�Yk�l`]�>aj]Zgp�j]Zgglk�l`Yl�k`go�dg[Yd�Yf\�j]egl]�AH�Y\\j]kk]k�^gj�NHF&�Af�Y\\alagf�[`][c�l`]�KlYlmk�g^�l`]�>aj]Zgp�gf[]�al�`Yk�Zggl]\$�Yf\�l`]j]�k`gmd\�Z]�Yf�]fljq�^gj�Y�NHF�afl]j^Y[]�\aj][ldq�^gddgoaf_�l`]�]fljq�^gj�]l`*&

A^�f]al`]j�g^�l`]k]�af\a[Ylagfk�Yj]�hj]k]fl$�j]na]o�Ydd�k]llaf_k�gf�Zgl`�>aj]Zgp]k$�\gmZd]%[`][c�l`Yl�l`]�hYkk�h`jYk]k�Yj]�l`]�kYe]$�Yf\�l`Yl�l`]�[gjj][l�=pl]jfYd�AH�Y\\j]kk]k�]fl]j]\&

Branch Office VPN with IPSecAHK][�ak�Y�hjglg[gd�l`Yl�]f[jqhlk�Yf\'gj�Yml`]fla[Yl]k�AH�ljY^â[� Yl�l`]�AH�d]n]d!�Z]lo]]f�Yfq�eap�g^�YjZaljYjq�`gklk�Yf\�k][mjalq�_Yl]%oYqk� ^gj�]pYehd]$�l`]�OYl[`?mYj\�>aj]Zgp!&�AHK][�[j]Yl]k�k]n]jYd�lmff]dk�Z]lo]]f�l`]�kYe]�log�AHK][�`gklk$�]Y[`�oal`�\a^^]j]fl�e]l`%g\k�g^�Yml`]fla[Ylagf�Yf\�]f[jqhlagf&�OYl[`?mYj\Ìk�:jYf[`�G^â[]�NHF�oal`�AHK][�gj_Yfar]k�l`]�[geemfa[Ylagf�dafck�aflg�Y�+%^mf[lagf�à]jYj[`qÈ?Yl]oYqk$�Lmff]dk$�Yf\�Hgda[a]k$�]Y[`�g^�oà[`�qgm�[j]%Yl]�Yf\�[gfâ_mj]�^gj�\a^^]j]fl�hYjYe]l]jk�l`Yl�mdlaeYl]dq�ogjc�lg_]l`]j&�?Yl]oYqk$�Lmff]dk$�Yf\�Hgda[a]k�Yj]�kmeeYjar]\�Z]dgo2

Gateway9�?Yl]oYq�kh][aâ]k�]f\hgaflk�Yk�Y�^jYe]ogjc�^gj�gf]�gj�egj]�lmff]dk&�O`Yl]n]j�qgm�kh][a^q�^gj�Y�_Yl]oYq$�km[`�Yk�AK9CEH�YmlgeYl]\�c]q�f]_glaYlagf$�Z][ge]k�klYf\Yj\�̂ gj�Yfq�lmff]dk�qgm�[j]Yl]�oal`�l`Yl�_Yl]oYq&

Tunnel9�Lmff]d�]f[YhkmdYl]k�hY[c]lk�Z]lo]]f�log�_Yl]oYqk&�Al�kh][aâ]k�o`Yl�lqh]�g^�]f[jqhlagf�Yf\'gj�Yml`]fla[Ylagf�ak�Yhhda]\�lg�l`]�hY[c]lk�l`Yl�mk]�l`Yl�lmff]d&�9�lmff]d�Ydkg�kh][aâ]k�Yk�]f\hgaflk�Y�>aj]Zgp�Yf\�Yf�AHK][%[gehdaYfl�\]na[]� km[`�Yk�Yfgl`]j�>aj]Zgp!&

Policy9�Hgda[q�kh][aâ]k�oà[`�hY[c]lk�_g�l`jgm_`�oà[`�lmff]dk&�>gj�]pYehd]$�o`]j]�Y�lmff]d�ea_`l�kh][a^q�l`]�AH�Y\\j]kk]k�g^�Y�`ge]�g^â[]�>aj]Zgp�Yf\�Y�ZjYf[`�g^â[]�>aj]Zgp$�Y�hgda[q�ea_`l�kh][a^q�l`]�;=GÌk�`gkl�Yl�l`]�`ge]�g^â[]�Yf\�>a]d\�K]jna[]Ìk�`gkl�Yl�Y�ZjYf[`�g^â[]&�O`]f�l`]�;=G�Yll]ehlk�lg�[gflY[l�l`]�>a]d\�K]jna[]�`gkl$�AHK][�dggck�^gj�Y�hgda[q�l`Yl�k]jna[]k�l`]�afl]f\]\�jgml]�Yf\�eYl[`]k�l`Yl�hgda[q�lg�alk�Ykkg[aYl]\�lmff]d&

!NOTE

On the central Firebox, the same local IP address can be used, for multiple remote Fireboxes but it cannot be used anywhere else in any networks on any of the remote Fireboxes.


Branch Office VPN

O`]f�[gfâ_mjaf_�:jYf[`�G^â[]�NHF�oal`�AHK][$�l`]j]�Yj]�k]n%]jYd�gl`]j�hYjYe]l]jk�Yf\�lg�[`ggk]�Yf\�[gfâ_mj]&�L`]k]�af[dm\]2

Key Negotiation TypeOYl[`?mYj\Ìk�aehd]e]flYlagf�g^�AHK][�af[dm\]k�l`]�ghlagf�lg�k]d][l�AK9CEH� L`]�Afl]jf]l�K][mjalq�9kkg[aYlagf�Yf\�C]q�EYf%Y_]e]fl�Hjglg[gd!�lg�YmlgeYla[Yddq�f]_glaYl]�k]kkagf�c]qk$�oà[`�Yj]�mk]\�Zgl`�lg�]f[jqhl�l`]�\YlY�Yf\�Yml`]fla[Yl]�l`]�mk]jk&�Qgm�[Yf�Ydkg�k]d][l�eYfmYd�c]q�f]_glaYlagf$�af�oà[`�qgm�eYfmYddq�]fl]j�k]kkagf�c]qk�^gj�]Y[`�lmff]d&�

Key ExpirationQgm�[Yf�k]l�k]kkagf�c]qk�lg�]phaj]�Y^l]j�Y�[]jlYaf�fmeZ]j�g^�Zql]k�`Yn]�Z]]f�ljYfk^]jj]\�gj�o`]f�Y�kh][aâ]\�Yegmfl�g^�k]kkagf�lae]�`Yk�ljYfkhaj]\&�Oal`�AK9CEH$�f]o�k]kkagf�c]qk�Yj]�YmlgeYla[Yddq�_]f]jYl]\3�l`]�koal[`�ak�ljYfkhYj]fl�lg�l`]�mk]jk�Yl�]al`]j�]f\�g^�l`]�lmff]d$�Zml�^jmkljYl]k�`Y[c]jk�^jge�Yk[]jlYafaf_�Y�k]kkagf�c]q�af�lae]�lg�]Yn]k\jgh&�

Qgm�[Yf�Ydkg�\akYZd]�]phajYlagf�a^�\]kaj]\&

Traffic Security Protocols;`ggk]�^jge�=KH� =f[YhkmdYl]\�K][mjalq�HYqdgY\!�gj�9@� 9ml`]fla[Ylagf�@]Y\]j!&�

Ò =f[YhkmdYlaf_�K][mjalq�HYqdgY\� =KH!�Ak�mk]\�lg�hjgna\]�Y�eap�g^�k][mjalq�k]jna[]k$�af[dm\af_�]f[jqhlagf�Yf\�daeal]\�Yml`]fla[Ylagf�k]jna[]k�^gj�hYqdgY\k$�Zml�fgl�`]Y\]jk&�Al�ak�Y�hgo]j^md�Yf\�^d]paZd]�hjglg[gd&�=KH�[Yf�]f[jqhl�Yf\�Yml`]fla%[Yl]$�]f[jqhl�oal`gml�Yml`]fla[Ylagf$�gj�Yml`]fla[Yl]�oal`gml�]f[jqhlagf&�=f[jqhlagf�[Yf�Z]�]al`]j�<=K� -.%Zal!�gj�ljahd]%<=K� ).0%Zal�^gj�mk]�af�l`]�Mfal]\�KlYl]k$�;YfY\Y�Yf\�Zq�[mklge]jk�o`g�`Yn]�Z]]f�Yhhjgn]\�^gj�mk]�g^�kljgf_�]f[jqhlagf�Zq�OYl[`?mYj\�Yf\'gj�l`]�M&K&�?gn]jfe]fl!�]f[jqhlagf�Yd_g%jalèk&� 9@�g^^]jk�Yml`]fla[Ylagf�gfdq&!

Ò 9ml`]fla[Ylagf�@]Y\]j� 9@!�Ak�mk]\�lg�hjgna\]�[gff][lagfd]kk�afl]_jalq�Yf\�\YlY�gja_af�Yml`]fla[Ylagf&�9@�hjgna\]k�Yml`]f%la[Ylagf�^gj�Yk�em[`�g^�l`]�AH�`]Y\]j�Yk�hgkkaZd]� ]p[]hl�^gj�emlYZd]�â]d\k�l`Yl�Yj]�fgf%\]l]jeafakla[$�km[`�Yk�LLD�â]d\k�Yf\�l`]�dac]!�Yf\�Ydd�mhh]j�hjglg[gdk�Yf\�hYqdgY\&�

Policy OrderingGf[]�Y�dakl�g^�hgda[a]k�ak�[j]Yl]\$�k]l�l`]aj�gj\]j�kg�l`]�ja_`l�lmff]d�ak�mk]\�^gj�l`]�ja_`l�[geemfa[Ylagf&�Hgda[q�gj\]jaf_�ak�]kk]flaYd�lg�]fkmj]�l`Yl�Y�kh][aâ[�[gff][lagf�j][]an]k�l`]�\]kaj]\�d]n]d�g^�]f[jqhlagf�Yf\'gj�Yml`]fla[Ylagf&�Qgm�emkl�eYc]�kmj]�hgda[a]k�Yj]�k]l�lg�l`]�kYe]�gj\]j�Yl�Zgl`�]f\k�g^�l`]�lmff]d&

>gj�]pYehd]$�kmhhgk]�qgm�\]âf]�Y�à_`%k][mjalq�lmff]d�oal`�).0%Zal� ljahd]%<=K!�]f[jqhlagf�hdmk�Yml`]fla[Ylagf$�Yf\�Y�k][gf\�_]f%]jYd�hmjhgk]�lmff]d�oal`�Yml`]fla[Ylagf�gfdq&�9dgf_�oal`�làk$�kmhhgk]�qgm�`Yn]�[j]Yl]\�log�hgda[a]k$�gf]�l`Yl�kh][aâ]k�l`]�f]l%ogjck�YllY[`]\�lg�l`]�log�AHK][�`gklk� ]&_&$�>aj]Zgp]k!$�Yf\�



Yfgl`]j�l`Yl�kh][aâ]k�gf]�]f\hgafl�Yk�l`]�;=GÌk�`gkl� [Ydd�l`]�`gkl�;=G!�Yf\�l`]�gl`]j�Yk�k]fkalan]�eYjc]laf_�kljYl]_q�`gkl� [Ydd�al�Ecl_!�Yl�Y�j]egl]�g^â[]&�Qgmj�afl]flagf�ak�lg�`Yn]�_]f]jYd�[ge%emfa[Ylagf� dgo�jakc$�à_`�ngdme]!�^dgo�ima[cdq�Z]lo]]f�l`]�f]l%ogjck�mkaf_�l`]�d]kk%k][mj]\�lmff]d$�oàd]�kh][aâ[$�k]fkalan]�dafck� à_`�jakc$�dgo�ngdme]!�Yj]�`Yf\d]\�oal`�egj]�k][mjalq$�Zml�Yl�Y�kdgo]j�kh]]\&

FIGURE 5. Branch Office VPN with IPSec

O`]f�`gkl�;=G�Yll]ehlk�lg�Y[[]kk�Ecl_$�AHK][�dggck�^gj�l`]�âjkl�hgda[q�af�alk�dakl�l`Yl�[Yf�jgml]�l`]�hY[c]lk&�A^�l`]�âjkl�hgda[q�dakl]\�ak�^jge�l`]�dg[Yd�f]logjc�lg�l`]�j]egl]�f]logjc$�AHK][�k]]k�Y�eYl[`�Yf\�mk]k�l`]�d]kk%k][mj]�lmff]d$�oà[`�ak�fgl�o`Yl�l`]�mk]j�afl]f\]\&�A^�l`]�hgda[q�kh][a^qaf_�;=G�Yf\�Ecl_�`gklk�Yk�]f\%hgaflk�ak�dakl]\�âjkl$�AHK][�k]]k�l`Yl�eYl[`�Yf\�mk]k�l`]�Ykkg[aYl]\�à_`%k][mjalq�lmff]d&�;gfn]jk]dq$�o`]f�gl`]j�`gklk�gf�l`]�dg[Yd�f]logjc�lmff]d�lg�Y�`gkl�gf�l`]�gl`]j�f]logjc$�AHk][�a_fgj]k�l`]�;=G%lg%Ecl_�hgda[q�Z][Ymk]�al�ak�fgl�Y�eYl[`$�Yf\�hjg[]]\k�lg�l`]�f]logjc%lg%f]logjc�hgda[q�Yf\�alk�Ykkg[aYl]\�dgo]j%k][mjalq�lmf%f]d�Yk�afl]f\]\&�Làk�]pYehd]�à_`da_`lk�l`]�aehgjlYf[]�g^�k]llaf_�qgmj�hgda[q�gj\]j�[gjj][ldq&

,QWHUQHW

205.123.222.11

147.212.197.45

&(2

0NWJ

+RPH�2IILFH1HWZRUN

%UDQFK�2IILFH1HWZRUN

3ROLF\�2UGHU�1. CEO to Mktg

2. Home Office network to Branch Office network

7XQQHOV�1. 205.123.222.11 to 147.212.197.45 with triple-DES encryption and

2. 205.123.222.11 to 147.212.197.45

authentication.

with authentication only

Tech Support

Sales

NewsletterProduction


Branch Office VPN

Creating Policies for IPSec�Hgda[a]k�Yj]�k]lk�g^�jmd]k$�em[`�dac]�hY[c]l�âdl]j�jmd]k$�l`Yl�\]l]jeaf]�`go�gml_gaf_�AHK][�hY[c]lk�Yj]�Zmadl�Yf\�k]fl$�Yf\�`go�lg�\]l]j%eaf]�a^�af[geaf_�AHK][�hY[c]lk�[Yf�Z]�Y[[]hl]\&�Hgda[a]k�Yj]�\]âf]\�Zq�l`]aj�]f\hgaflk&�L`]k]�Yj]�fgl�l`]�kYe]�Yk�l`]�lmff]dÌk�gj�_Yl]%oYqÌk�]f\hgaflkÈl`]q�Yj]�l`]�kh][aâ[�`gklk�gj�f]logjck�YllY[`]\�lg�l`]�lmff]dÌk�>aj]Zgp]k� gj�gl`]j�AHK][%[gehdaYfl�\]na[]!�l`Yl�oadd�Z]�[geemfa[Ylaf_�l`jgm_`�l`]�lmff]d�qgm�`Yn]�k]l�mh&

The Importance of IPSec Policy OrderOYl[`?mYj\�`Yf\d]k�hgda[a]k�daf]Yjdq�af�l`]�gj\]j�dakl]\�lgh�lg�Zgl%lge�gf�l`]�AHK][�;gfâ_mjYlagf�\aYdg_�Zgp&�O`]f�qgm�âjkl�[j]Yl]�hgda[a]k$�l`]�AHK][�;gfâ_mjYlagf�\aYdg_�Zgp�daklk�l`]e�af�l`]�gj\]j�[j]Yl]\&�Qgm�emkl�eYfmYddq�j]%gj\]j�l`]�hgda[a]k�^jge�egj]�kh][aâ[�lg�d]kk�kh][aâ[�lg�]fkmj]�l`Yl�k]fkalan]�[gff][lagfk�Yj]�jgml]\�Ydgf_�l`]�à_`]j%k][mjalq�lmff]dk&�Af�_]f]jYd$�gj\]j�Ydd�`gkl%lg%`gkl�hgda[a]k�âjkl$�^gddgo]\�Zq�`gkl%lg%f]logjc�Yf\�f]logjc%lg%`gkl�[gff][lagfk$�oal`�f]logjc%lg%f]logjc�hgda[a]k�dakl]\�dYkl&

Policy Ordering CompatibilityHgda[a]k�emkl�Z]�k]l�lg�l`]�kYe]�gj\]j�Yl�Zgl`�]f\k�g^�l`]�lmff]d&�Làk�e]Yfk�qgm�emkl�eYc]�kmj]�l`Yl�qgmj�hgda[a]k�Yf\�hgda[q�gj\]j�Yj]�[geemfa[Yl]\�lg�o`ge]n]j�ak�[gfâ_mjaf_�l`]�j]egl]�>aj]Zgp$�Yf\�l`Yl�l`]�hgda[q�gj\]jk�Yj]�k]l�a\]fla[Yddq&

>gj�]pYehd]$�^gj�Y�lmff]d�Z]lo]]f�@gZgc]f$�F]o�B]jk]q�Yf\�K`]%Zgq_Yf$�Oak[gfkaf$�l`]�hgda[q�gj\]jaf_�k`gmd\�dggc�kge]làf_�dac]�làk2

Hoboken Policies:/RFDO��5HPRWH��'LVSRVLWLRQ��7XQQHO��'HVWLQDWLRQ��6RXUFH��6HFXUH��7XQQHO��6HFXUH��7XQQHO��

Sheboygan Policies:/RFDO��5HPRWH��'LVSRVLWLRQ��7XQQHO��'HVWLQDWLRQ��6RXUFH��6HFXUH��7XQQHO��6HFXUH��7XQQHO��

Lmff]dk�Lmff]d)�Yf\�Lmff]d*�Yj]�dakl]\�af�l`]�kYe]�gj\]j�Yf\�kh][%a^q�l`]�kYe]�]f\hgaflk$�Zml�j]n]jk]�l`]�]f\hgaflk�Yf\�hgjlk�j]dYlan]�lg�oà[`�ak�dg[Yd�Yf\�oà[`�ak�j]egl]$�oà[`�ak�kgmj[]�Yf\�oà[`�ak�\]klafYlagf&

IPSec Implementation Example::gZ� o`gk]�[gehml]j�ak�:gZ`gkl!�oak`]k�lg�l]df]l�^jge�Z]àf\�Y�>aj]Zgp�lg�Y�j]egl]�k]jn]j� fYe]\�J]eKnj!�Z]àf\�Yfgl`]j�>aj]Zgp&

1. :gZ�âj]k�mh�àk�l]df]l�[da]fl$�Yf\�gh]fk�mh�Y�[gff][lagf�lg�K]jn]j&�



2. L`]�\YlY�d]Yn]k�àk�l]df]l�[da]fl&�L`]�AHK][�aehd]e]flYlagf�dggck�l`jgm_`�alk�Hgda[q�\YlYZYk]�Yf\�[`][ck�^gj�hY[c]lk�_gaf_�^jge�:gZ`gkl�lg�J]eKnj�gf�hgjl�*+&�

3. OYl[`?mYj\�âf\k�l`]�hgda[q�eYl[àf_�l`]�hY[c]l&�L`]�>aj]Zgp�fgo�cfgok�oà[`�lmff]d�lg�k]f\�l`]�hY[c]l�l`jgm_`&�

4. OYl[`?mYj\�h]j^gjek�]Y[`�gj\]j]\�kl]h�g^�hjg[]kkaf_�gf�l`]�hY[c]l$�Y[[gj\af_�lg�l`]�lmff]d&

5. >afYddq$�l`]�hY[c]l�ak�ojYhh]\�af�Yf�Égmlka\]Ê�AH�`]Y\]j�lg�_]l�al�lg�l`]�j]egl]�AHK][%[gehdaYfl�k][mjalq�_Yl]oYq$�oal`�l`]�hjglg[gd�k]l�lg�Yf�AHK][�hjglg[gd&�

6. L`]�hY[c]l�ak�l`]f�k]fl�lg�l`]�gl`]j�k][mjalq�_Yl]oYq&�

O`]f�l`]�hY[c]l�j]Y[`]k�l`]�j]egl]�>aj]Zgp2�

1. L`]�hY[c]l�ak�j][]an]\�Zq�l`]�]pl]jfYd�afl]j^Y[]�g^�l`]�>aj]Zgp&�

2. L`]�AH�klY[c�l`]f�[`][ck�l`]�hgda[q�\YlYZYk]�lg�k]]�a^�l`]�kl]hk�al�`Yk�bmkl�h]j^gje]\�lg�mfojYh�l`]�hY[c]l�eYl[`�Y�hgda[q&�Làk�ak�kaehdq�Y�j]n]jk]�g^�l`]�]f[YhkmdYlagf�hjg[]kk�l`Yl�l`]�`gkl�h]j%^gje]\�oàd]�ljYfkeallaf_�l`]�hY[c]l&�

3. A^�l`]�mfojYhhaf_�kl]hk�eYl[`�Y�hgda[q$�l`]f�l`]�afl]jfYd$�mf]f%[jqhl]\�hY[c]lk�Yj]�k]fl�gml�gf�l`]�Ljmkl]\�afl]j^Y[]�lg�J]eKnj&�

>gj�egj]�af^gjeYlagf�k]]�l`]�Afl]jf]l�=f_af]]jaf_�LYkc�>gj[]�k][lagf�gf�AHK][�Yl�KWWS��ZZZ�LHWI�RUJ�KWPO�FKDUWHUV�LSVHF�FKDUWHU�KWPO&�

Configuring Services to work with VPNNHF%[gff][l]\�eY[àf]k�Yj]�lj]Yl]\�dac]�Yfq�gl`]j�eY[àf]�l`Yl�ak�Z]af_�Yddgo]\�Y[[]kk�lg�l`]�f]logjc&�>gj�]pYehd]$�lg�Yddgo�NHF�j]egl]�f]logjck�lg�Y[[]kk�qgmj�afl]jfYd�@LLH�k]jn]j$�[gfâ_mj]�Yf�@LLH�a[gf�Yddgoaf_�eY[àf]�>jge�l`]�j]egl]�NHF�f]logjc�lg�Y[[]kk�l`]�afl]jfYd�@LLH�k]jn]j&

Af�làk�oYq�qgm�[gfljgd�l`]�]pl]fl�lg�oà[`�j]egl]�f]logjck�[Yf�Y[[]kk�l`]�k]jna[]k�l`Yl�Yj]�hjgna\]\�lg�l`]e$�bmkl�dac]�qgm�[gfljgd�Yfq�gl`]j�lqh]�g^�Y[[]kk�lg�eY[àf]k�Z]àf\�l`]�>aj]Zgp&

Qgm�[Yf�[gfâ_mj]�Ydd�k]jna[]k�^gj�qgmj�lmff]dk�Yl�gf[]�Zq�Y\\af_�l`]�9fq�k]jna[]�lg�l`]�[gfâ_mjYlagf&�:]�YoYj]$�`go]n]j$�l`Yl�làk�af[j]Yk]k�k][mjalq�jakck�[gehYj]\�lg�[gfâ_mjaf_�l`]�af\ana\mYd�k]j%na[]k&�>gj�Y�\]k[jahlagf�g^�l`]�9fq�k]jna[]$�k]]�l`]�\]k[jahlagf�af�l`]�K]jna[]k�Yhh]f\ap�g^�l`]�OYl[`?mYj\�Mk]jÌk�?ma\]&

:]�[Yj]^md�YZgml�o`Yl�qgm�Yddgo�]n]f�eY[àf]k�gf�l`]�j]egl]�NHF�f]logjck�lg�Y[[]kk3�a^�eY[àf]k�gf�l`]�j]egl]�NHF�f]logjck�Yj]�[gehjgeak]\$�NHF�gfdq�hjgna\]k�Y�k][mj]�lmff]d�aflg�l`]�Ljmkl]\�f]logjck&�9[[]kk�[gfljgd�ak�Y�[jala[Yd�hYjl�g^�[gfâ_mjaf_�Y�k][mj]�NHF�]fnajgfe]fl&


Branch Office VPN

Authenticating an IPSec Tunnel via a Windows NT ServerQgm�[Yf�k]l�mh�:jYf[`�G^â[]�NHF�oal`�AHK][�kg�l`]�ZjYf[`�g^â[]�mk]jk�Yj]�Yml`]fla[Yl]\�Y_Yafkl�Y�Oaf\gok�FL�9ml`]fla[Ylagf�K]jn]j�Yl�l`]�`ge]�g^â[]$�Yk�addmkljYl]\�af�>a_mj] .�gf�hY_] /1&�@ge]�G^â[]�>aj]Zgp�;gfâ_mjYlagf�=pYehd]

FIGURE 6. IPSec VPN Tunnel with NT Authentication

Mkaf_�l`]�addmkljYlagf�af�>a_mj] .$�ÉAHK][�NHF�Lmff]d�oal`�FL�9ml`]fla[Ylagf$Ê�gf�hY_] /1$�`]j]�ak�`go�qgm�ogmd\�[gfâ_mj]�l`]�KE:�k]jna[]�gf�l`]�@ge]�G^â[]�>aj]Zgp2

Incoming Tab:

� Af[geaf_�Yddgo]\� >jge2�*(0&)-*&*,&)((� Lg2�)1*&).0&*(&)

Outgoing Tab:

� Gml_gaf_�Yddgo]\� >jge2�)1*&).0&)(&)� Lg2�*(0&)-*&*,&)((

IPSec Policies:/RFDO��5HPRWH��'LVSRVLWLRQ��7XQQHO��6UF��3URWR��'HVW�3RUW��6HFXUH��7XQQHO1DPH�� %\SDVV��QRQH!��8GS��

Internet

Home OfficeFirebox:

Kokomo

105.102.33.50

FIrebox:208.152.24.100

IPSec VPN

Tunnel

Windows NT Authentication Server192.168.10.1

Workstation172.16.15.1



Branch Office Firebox Configuration ExampleMkaf_�l`]�addmkljYlagf�af�>a_mj] .$�ÉAHK][�NHF�Lmff]d�oal`�FL�9ml`]fla[Ylagf$Ê�gf�hY_] /1$�`]j]�ak�`go�qgm�ogmd\�[gfâ_mj]�l`]�KE:�k]jna[]�gf�l`]�:jYf[`�G^â[]�>aj]Zgp2

Incoming Tab:

� Af[geaf_�Yddgo]\� >jge2�)1*&).0&)(&)� Lg2�*(0&)-*&*,&)((

Outgoing Tab:

� Gml_gaf_�Yddgo]\� >jge2�*(0&)-*&*,&)((� Lg2�)1*&).0&)(&)

IPSec Policies:/RFDO��5HPRWH��'LVSRVLWLRQ��7XQQHO��6UF��3URWR��'HVW�3RUW��6HFXUH��7XQQHO1DPH�� %\SDVV��QRQH!��8GS��

Remote User VPN

OYl[`?mYj\�J]egl]�Mk]j�NHF�hjgna\]k�ljYn]daf_�]ehdgq]]k�gj�l]d][geeml]jk�oal`�Y�k][mj]�[gff][lagf�lg�qgmj�gj_YfarYlagfÌk�f]l%ogjc&�:][Ymk]�al�mk]k�l`]�Afl]jf]l�lg�]daeafYl]�]ph]fkan]�dgf_%\ak%lYf[]�[`Yj_]k$�làk�kgdmlagf�ak�]plj]e]dq�[gkl%]^^][lan]&�J]egl]�Mk]j�NHF�Ydkg�]daeafYl]k�l`]�f]]\�^gj�qgm�lg�eYaflYaf�\]\a[Yl]\�eg\]e�ZYfck�Yf\�j]egl]�Y[[]kk�k]jn]jk&

J]egl]�Mk]j�NHF�mkaf_�HHLH� Hgafl%lg%Hgafl�Lmff]daf_�Hjglg[gd!�ak�af[dm\]\�oal`�l`]�klYf\Yj\�Dan]K][mjalq�hjg\m[l&�J]egl]�Mk]j�NHF�oal`�AHK][�ak�YnYadYZd]�Yk�Yf�ghlagf&

Remote User VPN with PPTPL`]�klYf\Yj\�OYl[`?mYj\�J]egl]�Mk]j�NHF�j]da]k�gf�Hgafl%lg%Hgafl�Lmff]daf_�Hjglg[gd� HHLH!$�Y�oa\]dq�Y[[]hl]\�klYf\Yj\&�9Êlmff]dÊ�[j]Yl]\�Z]lo]]f�l`]�j]egl]�`gkl�Yf\�l`]�>aj]Zgp�Yddgok�Ydd�ljY^â[�lg�^dgo�k][mj]dq�Y[jgkk�l`]�Afl]jf]l&�Fg�Y\\alagfYd�[da]fl�kg^loYj]�ak�j]imaj]\&�Ea[jgkg^l�Oaf\gok�1-$�Oaf\gok�10$�Yf\�Oaf\gok�FL�ogjcklYlagfk�[ge]�]imahh]\�oal`�HHLH�gj�Yj]�HHLH%j]Y\q&�>j]]�<aYd%Mh�F]logjcaf_�mh_jY\]k�Yj]�j]Y\adq�YnYadYZd]�^jge�Ea[jgkg^l�lg�]fkmj]�[gehYlaZadalq�oal`�l`]�dYl]kl�klYf\Yj\k&

9f�JMNHF�mk]j�]klYZdak`]k�Y�HHLH�lmff]d�Zq�mkaf_�l`]�<aYd%Mh�F]logjcaf_�\aYdg_m]�gf�Y�Oaf\gok�ogjcklYlagf&�OYl[`?mYj\�Yml`]fla[Yl]k�l`]k]�j]egl]�mk]jk�naY�EK%;@9H�Y_Yafkl�Y�hYkkogj\�


Remote User VPN

dakl�eYaflYaf]\�af�l`]�>aj]Zgp�[gfâ_mjYlagf�gf�l`]�Y\eafakljYlagf�klYlagf&�EK%;@9H�j]da]k�gf�Y�[`Ydd]f_]%j]khgfk]�e][`Yfake�l`Yl�]fkmj]k�l`Yl�Yf�]f[jqhl]\�c]qÈYf\�fgl�l`]�[da]fl�k�hYkkogj\Èak�hYkk]\�Y[jgkk�l`]�Afl]jf]l�l`jgm_`�l`]�k][mj]\�lmff]d&�L`]�hYkk%ogj\k�l`]ek]dn]k�Yj]�f]n]j�ljYfkeall]\�af�Yfq�^gje&

Gf[]�l`]�lmff]d�`Yk�Z]]f�]klYZdak`]\$�Ydd�\YlY�]p[`Yf_]\�Z]lo]]f�l`]�>aj]Zgp�Yf\�j]egl]�[da]fl�ak�]f[jqhl]\�mkaf_�l`]�JK9�J;,�]f[jqhlagf�Yd_gjalè&�L`]�>aj]Zgp�\][jqhlk�Yf\�âdl]jk�]Y[`�hY[c]l�j][]an]\�^jge�l`]�j]egl]�[da]fl�Y[[gj\af_�lg�l`]�[gfâ_mj]\�jmd]k&�Qgm�`Yn]�l`]�ghlagf�lg�dg_�Ydd�J]egl]�NHF�ljY^â[&

Configuration Checklist:]^gj]�Z]_affaf_�lg�k]l�mh�J]egl]�Mk]j�NHF$�_Yl`]j2

� L`]�AH�Y\\j]kk]k�lg�Ykka_f�Yk�l]ehgjYjq�`gklk�\mjaf_�J]egl]�Mk]j�NHF�k]kkagfk&�L`]�AH�Y\\j]kk]k�[Yffgl�Z]�Y\\j]kk]k�[mj%j]fldq�af�mk]�af�l`]�f]logjc&�L`]�kY^]kl�e]l`g\�ak�lg�^YZja[Yl]�Y�J]dYl]\�F]logjc�Y\\j]kk� k]]�É9Zgml�J]dYl]\�F]logjck�Yf\�J]dYl]\�@gklkÊ�gf�hY_] +-!�Yf\�[`ggk]�l`]�AH�Y\\j]kk]k�^jge�l`Yl�f]logjc�jYf_]&�L`Yl�oYq$�qgm�Yj]�\jYoaf_�^jge�Y�jYf_]�g^�Y\\j]kk]k�l`Yl�Yj]�\][dYj]\�lg�l`]�K][mjalq�EYfY_]e]fl�Kqkl]e$�Zml�oà[`�[Yffgl�[dYk`�oal`�j]Yd�`gkl�Y\\j]kk]k�af�mk]�Z]àf\�l`]�>aj]Zgp&

� L`]�AH�Y\\j]kk]k�g^�l`]�<FK�Yf\�OAFK�k]jn]jk�af�l`]�ljmkl]\�f]l%ogjc�l`Yl�h]j^gje�AH�Y\\j]kk�dggcmh�gf�`gkl�YdaYk�fYe]k&

� L`]�mk]j�A<�fYe]k�g^�l`gk]�Yml`gjar]\�lg�[gff][l�lg�l`]�>aj]Zgp�naY�J]egl]�Mk]j�NHF&

Preparing the Client Computers9fq�[gehml]j�l`Yl�oadd�Z]�mk]\�Yk�Y�j]egl]�[da]fl�lg�Y[[]kk�Y�ljmkl]\�f]logjc�naY�l`]�>aj]ZgpÌk�J]egl]�NHF�emkl�Z]�hjgh]jdq�[gfâ_mj]\�^gj�[gehYlaZadalq&�=Y[`�j]egl]�`gkl�emkl�`Yn]�l`]�egkl�j][]fl�EK<MF� Ea[jgkg^l�<aYd%mh�F]logjcaf_!�mh_jY\]k�afklYdd]\$�Yf\�eYq�f]]\�gl`]j�]pl]fkagfk�Yf\�mh\Yl]k�afklYdd]\�^gj�hjgh]j�[gfâ_m%jYlagf&�;mjj]fldq$�J]egl]�Mk]j�NHF�j]imaj]k�l`]k]�mh_jY\]k�Y[[gj\%af_�lg�hdYl^gje2

� Oaf\gok�1-2�<MF�)&+�� Oaf\gok�102�<MF�,&(� Oaf\gok�FL2�K]jna[]�HY[c�,

J]egl]�NHF�\g]k�fgl�ogjc�oal`�]Yjda]j�n]jkagfk�g^�EK<MF&

L`]�[gfâ_mjYlagf�afkljm[lagfk�lg�hj]hYj]�Oaf\gok�1-$�Oaf\gok�10$�Yf\�Oaf\gok�FL�eY[àf]k�^gj�mk]�oal`�J]egl]�Mk]j�NHF�Yj]�[gf%lYaf]\�af�l`]�OYl[`?mYj\�Dan]K][mjalq�Mk]j�?ma\]&



Remote User VPN with IPSecJ]egl]�Mk]j�NajlmYd�HjanYl]�F]logjcaf_�oal`�AHK][� JMNHF�oal`�AHK][!�[j]Yl]k�Y�k][mj]�AHK][�lmff]d�Z]lo]]f�Yf�mfk][mj]\�j]egl]�`gkl�Yf\�qgmj�f]logjc�gn]j�Yf�mfk][mj]\�f]logjc&�>gj�]pYehd]$�qgm�[Yf�[gff][l�Yf�]ehdgq]]�gf�l`]�jgY\�gj�ogjcaf_�^jge�`ge]�lg�qgmj�ljmkl]\�Yf\�ghlagfYd�f]logjck�mkaf_�Y�klYf\Yj\�Afl]jf]l�\aYd%mh�[gff][lagf�oal`gml�k]jagmkdq�[gehjgeakaf_�k][mjalq&�Al�j]imaj]k�gfdq�gf]�>aj]Zgp�^gj�l`]�hjanYl]�f]logjc�Yf\�l`]�J]egl]�Mk]j�NHF�oal`�AHK][�kg^loYj]�eg\md]&�JMHNF�oal`�AHK][�ak�Yf�ghlagfYd�^]Y%lmj]�g^�l`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e&

JMNHF�oal`�AHK][�j]imaj]k�[Yj]^md�[gfâ_mjYlagf�g^�Zgl`�l`]�>aj]Zgp�Yf\�l`]�j]egl]�[da]fl�[gehml]jk&�@go]n]j�mfdac]�JMNHF�oal`�HHLH$�l`]�>aj]Zgp�Y\eafakljYlgj�j]lYafk�egj]�[gfljgd�gn]j�l`]�[da]fl�[gfâ_mjYlagf�l`jgm_`�Yf�]f\%mk]j�[gfâ_mjYlagf�âd]&�Aehd]e]flaf_�JMNHF�oal`�AHK][�j]imaj]k�l`]�^gddgoaf_�kl]hk2

� GZlYaf�Y�da[]fk]�c]q�^jge�OYl[`?mYj\&� 9\\�mk]j�fYe]k�lg�l`]�Zmadl%af�>aj]Zgp�_jgmh�ahk][Wmk]jk&� =fl]j�l`]�AHK][�da[]fk]�c]q�aflg�l`]�>aj]Zgp�[gfâ_mjYlagf�âd]&� N]ja^q�OAFK�Yf\�<FK�k]jn]j�k]llaf_k&� Mk]�l`]�Hgda[q�EYfY_]j�lg�kaemdlYf]gmkdq�[gfâ_mj]�l`]�>aj]Zgp�

Yf\�[j]Yl]�]f\%mk]j�[gfâ_mjYlagf�âd]k&� Eg\a^q�k]jna[]k�lg�]fYZd]�JMNHF�oal`�AHK][&� Hj]hYj]�l`]�j]egl]�[da]fl�[gehml]jk&� <akljaZml]�l`]�]f\%mk]j�[gfâ_mjYlagf�âd]k�Ydgf_�oal`�l`]�JMNHF�

[da]fl�kg^loYj]�Yf\�\g[me]flYlagf&� AfklYdd�l`]�JMNHF�[da]fl�kg^loYj]�gf�l`]�j]egl]�[gehml]j&

<]lYad]\�hjg[]\mj]k�^gj�l`]k]�lYkck�Yj]�[gflYaf]\�af�l`]�OYl[`?mYj\�Dan]K][mjalq�Mk]j�?ma\]&�


CHAPTER 8 Logging and Notification

Làk�[`Yhl]j�]phdYafk�o`Yl�dg__af_�Yf\�fglaâ[Ylagf�Yj]�Yf\�o`q�l`]q�Yj]�aehgjlYfl�lg�Y�k][mjalq�kqkl]e&�Al�Ydkg�hjgna\]k�k][mjalq�Yf\�dg_akla[Yd�lahk�^gj�^gjemdYlaf_�qgmj�gof�dg__af_�Yf\�fglaâ[Ylagf�hgd%a[a]k&

What Logging Is

Dg__af_�ak�l`]�Y[l�g^�j][gj\af_�É]n]flk$Ê�l`Yl�g[[mj�Yl�l`]�>aj]Zgp&�9f�]n]fl�ak�Yfq�kaf_d]�Y[lanalq�l`Yl�g[[mjk�Yl�l`]�>aj]Zgp$�km[`�Yk�Yddgoaf_�Y�hY[c]lÈgj�egj]�aehgjlYfldqÈ\]fqaf_�Y�hY[c]l�^jge�hYkkaf_�l`jgm_`�l`]�>aj]Zgp&�

Dg__af_�afngdn]k�l`]�afl]jY[lagf�g^�l`]�>aj]Zgp$�l`]�=n]fl�Hjg[]kkgj$�Yf\�l`]�Dg_�@gkl&�O`]f�Yf�]n]fl� ^gj�]pYehd]$�Y�\]fa]\�af[geaf_�hY[c]l!�g[[mjk�Yl�l`]�>aj]Zgp$�al�af^gjek�l`]�=n]fl�Hjg[]kkgj$�oà[`�^gjeYlk�l`]�]n]fl�Yk�Y�daf]�af�Y�klYf\Yj\ar]\�^gjeYl�Yf\�k]f\k�al�lg�l`]�Dg_�@gkl$�oà[`�Y\\k�l`]�]n]fl�lg�l`]�dg_âd]&�

Dg__af_�ak�afl]f\]\�lg�j][gj\�l`]�caf\k�g^�Y[lanala]k�l`Yl�[Yf�af\a[Yl]�k][mjalq�[gf[]jfk$�km[`�Yk�\]fa]\�hY[c]lk&�Af�^Y[l$�\]fa]\�hY[c]lk$�l`]aj�hYll]jfk$�Yf\�[aj[meklYf[]k�[gehjak]�l`]�egkl�aehgjlYfl�]d]%e]flk�g^�o`Yl�]n]flk�qgm�k`gmd\�dg_&�;]jlYaf�hYll]jfk�g^�\]fa]\�hY[c]lk�[Yf�af\a[Yl]�l`]�lqh]�g^�YllY[c�l`Yl�ak�Z]af_�Yll]ehl]\&

9dl`gm_`�qgm�[Yf�[gfâ_mj]�Y�k]jna[]�lg�dg_�Yddgo]\�]n]flk$�làk�ak�afl]f\]\�egkldq�Yk�Y�\aY_fgkla[�lggd�lg�]fkmj]�l`Yl�Yddgo]\�hY[c]lk�Yj]�hYkkaf_�l`jgm_`�l`]�>aj]Zgp&�A^�qgm�ljq�lg�dg_�Ydd�]n]flk�^gj�qgmj�fgjeYd$�gfdaf]�gh]jYlagf$�qgm�oadd�egkl�dac]dq�[j]Yl]�Y�ZYf\oa\l`�Yf\�klgjY_]�hjgZd]e�Yk�qgmj�=n]fl�Hjg[]kkgj�Yf\�Dg_�@gkl�Yll]ehl�lg�hjg[]kk�Yf\�dg_�]n]jq�hY[c]l�l`Yl�hYkk]k�l`jgm_`�l`]�>aj]Zgp&�


Logging and Notification

What Notification Is

Fglaâ[Ylagf�ak�l`]�k][mjalq�kqkl]eÌk�Y[l�g^�k]f\af_�Y�e]kkY_]�lg�l`]�f]logjc�Y\eafakljYlgj�l`Yl�Y�hYll]jf�g^�\]fa]\�hY[c]lk�e]jalk�l`]�Y\eafakljYlgjÌk�Yll]flagf&�Làk�fglaâ[Ylagf�[gmd\�Z]�af�l`]�^gje�g^�]%eYad$�Y�hgh%mh�oaf\go�gf�l`]�eYfY_]e]fl�ogjcklYlagf$�gj�Yf�Ymlg%eYla[Yddq�\aYd]\�l]d]h`gf]�fmeZ]j�lg�Y�hY_]j&

>gj�]pYehd]$�a^�l`]�>aj]Zgp�jYf\gedq�j]b][lk�Y�hY[c]l�`]j]�gj�l`]j]$�al�ak�\gaf_�alk�bgZ�Yf\�l`]j]�ak�hjgZYZdq�fg�[Ymk]�^gj�[gf[]jf&�:ml�kge]�\]faYd�hYll]jfk�af\a[Yl]�ZdYlYfl�afnYkagf�Yll]ehlk�Yf\�k`gmd\�lja__]j�Y�fglaâ[Ylagf&�

>gj�]pYehd]$�o]�j][gee]f\�l`Yl�qgm�[gfâ_mj]�\]^Ymdl�hY[c]l�`Yf%\daf_�lg�akkm]�Y�fglaâ[Ylagf�o`]f�l`]�>aj]Zgp�\]l][lk�Y�hgjl�khY[]�hjgZ]&�9�hgjl�khY[]�hjgZ]�ak�o`]f�Yf�YllY[c]j�_]f]jYl]k�Y�k]im]f[]�g^�hgjlk$�̀ ghaf_�lg�âf\�gf]�l`Yl�j]khgf\k&�Gf[]�l`]�>aj]Zgp�\]l][lk�Y�hgjl�khY[]�hjgZ]$�l`]�=n]fl�Hjg[]kkgj�k]f\k�fglaâ[Ylagf�lg�l`]�f]l%ogjc�k][mjalq�Y\eafakljYlgj�YZgml�l`]�j]b][l]\�hY[c]lk&�

9l�làk�hgafl$�l`]�f]logjc�k][mjalq�Y\eafakljYlgj�[Yf�]pYeaf]�l`]�dg_k�Yf\�\][a\]�o`Yl�lg�\g�lg�^mjl`]j�k][mj]�l`]�gj_YfarYlagfÌk�f]l%ogjc&�Kge]�hgkkaZd]�[gmjk]k�g^�Y[lagf�ogmd\�Z]2

� :dg[c�l`]�hgjlk�^gj�l`]�>LH�k]jna[]� :dg[c�l`]�AH�Y\\j]kk�l`YlÌk�k]f\af_�l`]�hY[c]lk� ;gflY[l�l`]�AKH�l`jgm_`�oà[`�l`]�hY[c]lk�Yj]�Z]af_�k]fl

Qgm�[Yf�Ydkg�k]l�mh�l`]�>aj]Zgp�lg�YmlgeYla[Yddq�Zdg[c�l`]�\]klafYlagf�hgjl�gj�l`]�hjgZ]�kgmj[]Ìk�AH�Y\\j]kk&�Dg__af_�Yf\�Fglaâ[Ylagf�ogjc�lg_]l`]j�lg�]fYZd]�Y�kljgf_�YmlgeYl]\�k][mjalq�kqkl]e�lg�ka_fYd�^gj�`meYf�afl]jn]flagf�Yl�l`]�ja_`l�lae]&�L`]f�al�Yf\�kmhhda]k�\YlY�mk]%^md�^gj�klj]f_l`]faf_�gj�âf]%lmfaf_�\]^]fk]k�Y_Yafkl�^mlmj]�YllY[ck&

Developing Logging and Notification Policies

Af�dg__af_�Yf\�fglaâ[Ylagf�hgda[a]k$�qgm�kh]dd�gml�o`Yl�_]lk�dg__]\�Yf\�o`]f�Yf�]n]fl�gj�k]ja]k�g^�]n]flk�oYjjYflk�k]f\af_�gml�fglaâ[Y%lagf�lg�l`]�gf%\mlq�Y\eafakljYlgj&�9jla[mdYlaf_�qgmj�dg__af_�Yf\�fglaâ[Ylagf�hgda[a]k�eYc]k�al�]Yka]j�lg�k]l�mh�af\ana\mYd�k]jna[]k�af�l`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e&�A^�qgm�`Yn]�^mddq�eYhh]\�gml�qgmj�hgda[q$�qgm�[Yf�egj]�]Ykadq�\]d]_Yl]�[gfâ_mjYlagf�\mla]k�Yf\�]fkmj]�l`Yl�af\ana\mYd�]^^gjlk�\gfÌl�[gfljY\a[l�l`]�gn]jYdd�k][mjalq�hgda[q�gj�dg__af_�Yf\�fglaâ[Ylagf�hgda[a]k&

Kh][aâ[Yddq$�l`]�dg__af_�hgda[q�\]daf]Yl]k2�

� O`Yl�]n]flk�qgm�afl]f\�lg�dg_�



� Oà[`�k]jna[]kÌ�]n]flk�qgm�oak`�lg�dg_� Oà[`�k]jn]j k!�qgm�Yddg[Yl]�Yk�dg_�`gklk� @go�dYj_]�qgm�Yddgo�Y�dg_�âd]�lg�_]l�Yf\'gj�`go�g^l]f�l`]�dg_âd]�

ak�gn]jojall]f�oal`�f]o�dg_k�

L`]�fglaâ[Ylagf�hgda[q�\]daf]Yl]k2

� Oà[`�]n]flk�gj�k]ja]k�g^�]n]flk�oadd�lja__]j�fglaâ[Ylagf�^gj�]Y[`�k]jna[]

� O`Yl�^gje�g^�fglaâ[Ylagf�qgm�oadd�mk]

L`]�j]kl�g^�làk�k][lagf�\]k[jaZ]k�l`]�jYeaâ[Ylagfk�g^�]Y[`�g^�l`]k]�Zmdd]l]\�al]ek&

What Events to Log L`]j]�Yj]�log�eYaf�Yj]Yk�af�l`]�OYl[`?mYj\�Hgda[q�EYfY_]j�o`]j]�qgm�[Yf�\]l]jeaf]�oà[`�]n]flk�lg�dg_2

� L`]�dg__af_�Yf\�fglaâ[Ylagf�[gfljgdk�YllY[`]\�lg�l`]�<]^Ymdl�HY[c]l�@Yf\daf_�\aYdg_

� L`]�dg__af_�Yf\�fglaâ[Ylagfk�[gfljgdk�YllY[`]\�lg�]Y[`�af\ana\mYd�k]jna[]�\aYdg_&

L`]�<]^Ymdl�HY[c]l�@Yf\daf_�lggd�\]Ydk�hjaeYjadq�oal`�à_`%jakc�]n]flk$�oà[`�k`gmd\�Ydegkl�YdoYqk�Z]�dg__]\� Yf\�lja__]j�fglaâ[Y%lagf!&�L`]k]�]n]flk�af[dm\]2

� Khggâf_�YllY[ck� AH�Ghlagfk� Hgjl�khY[]�HjgZ]k� 9\\j]kk�khY[]�hjgZ]k� J]b][l]\�hY[c]lk

>gj�]Y[`�k]jna[]�l`Yl�qgm�Y\\�lg�qgmj�[gfâ_mjYlagf�âd]$�qgm�[Yf�Ydkg�dg_�mh�lg�]a_`l�\a^^]j]fl�caf\k�g^�]n]flk2

� Af[geaf_�ljY^â[2Ò 9ddgo]\�af[geaf_�hY[c]lkÒ <]fa]\�af[geaf_�hY[c]lkÒ 9ddgo]\�gml_gaf_�hY[c]lkÒ <]fa]\�gml_gaf_�hY[c]lk

� Gml_gaf_�ljY^â[Ò 9ddgo]\�af[geaf_�hY[c]lkÒ <]fa]\�af[geaf_�hY[c]lkÒ 9ddgo]\�gml_gaf_�hY[c]lkÒ <]fa]\�gml_gaf_�hY[c]lk



Af�_]f]jYd$�qgm�oYfl�lg�dg_�gfdq�l`Yl�oà[`�ak�af\a[Ylan]�g^�hgl]flaYd�k][mjalq�l`j]Ylk$�Yf\�a_fgj]�]n]flk�l`Yl�ogmd\�oYkl]�ZYf\oa\l`�Yf\�k]jn]j�klgjY_]�khY[]&�Làk�_]f]jYddq�ljYfkdYl]k�aflg�dg__af_�khgg^k$�AH�ghlagfk$�hjgZ]k$�Yf\�\]fa]\�hY[c]lk$�Yf\�fgl�dg__af_�Yddgo]\�hY[c%]lk&�9^l]j�Ydd$�a^�l`]�hY[c]lk�Yj]�Yddgo]\$�l`]q�k`gmd\fÌl�Z]�af\a[Ylan]�g^�Y�k][mjalq�l`j]Yl&�>mjl`]jegj]$�Yddgo]\�ljY^â[�mkmYddq�^Yj�]p[]]\k�l`]�ngdme]�g^�\]fa]\�ljY^â[$�Yf\�ogmd\�kaehdq�kdgo�j]khgfk]�lae]k�Yf\�[Ymk]�qgmj�dg_�âd]�lg�_jgo�Yf\�lmjf�gn]j�lgg�ima[cdq&

OYl[`?mYj\�_an]k�qgm�l`]�ghlagf�lg�dg_�Yddgo]\�]n]flk�hjaeYjadq�^gj�\aY_fgkla[�hmjhgk]k�o`]f�k]llaf_�mh�gj�ljgmZd]k`gglaf_�qgmj�afklYddYlagf&

Qgm�Ydkg�eYq�fgl�f]]\�lg�dg_�Ydd�\]fa]\�]n]flk&�>gj�]pYehd]$�a^�qgm�`Yn]�[gfâ_mj]\�af[geaf_�>LH�lg�\]fq�Ydd�af[geaf_�ljY^â[�^jge�Yfq�kgmj[]�gmlka\]�lg�Yfq�\]klafYlagf�afka\]$�l`]j]�ak�dalld]�hgafl�af�dg_%_af_�af[geaf_�\]fa]\�hY[c]lk�^gj�l`Yl�k]jna[]�Z][Ymk]�Ydd�ljY^â[�^gj�l`Yl�k]jna[]�af�l`Yl�\aj][lagf�ak�Zdg[c]\&

Which Services’ Events to Log9k�klYl]\�Z]^gj]$�af�_]f]jYd�gf]�oYflk�lg�dg_�\]fa]\�hY[c]lk�^gj�Y�_an]f�k]jna[]&�L`]j]�Yj]�[aj[meklYf[]k$�`go]n]j$�o`]f�qgm�ea_`l�oYfl�lg�dg_�]n]jqlàf_&�>gj�]pYehd]$�kmhhgk]�qgm�`Yn]�k]l�mh�Y�n]jq�kh][aYdar]\�k]jna[]�l`Yl�mk]k�Yf�gZk[mj]$�n]jq�à_`�hgjl�fmeZ]j$�Yf\�l`]�k]jna[]�ak�afl]f\]\�^gj�mk]�gfdq�Zq�Y�keYdd�fmeZ]j�g^�h]ghd]�af�qgmj�gj_YfarYlagf&�Af�l`Yl�[Yk]�qgm�ea_`l�oYfl�lg�dg_�Ydd�ljY^â[�^gj�l`Yl�k]jna[]$�lg�egfalgj�l`Yl�k]jna[]Ìk�Y[lanalq�gj�Yl�d]Ykl�Z]�YZd]�lg�j]na]o�Ydd�g^�l`Yl�k]jna[]Ìk�Y[lanalq&

Which Server(s) to Allocate as Log Hosts>gj�keYdd�gh]jYlagfk$�qgm�[Yf�kaehdq�\]ka_fYl]�qgmj�Y\eafakljYlagf�ogjcklYlagf�Yk�l`]�dg_�`gkl&�9l�l`]�gl`]j�]f\�g^�l`]�k[YdYZadalq�kh][%ljme$�qgm�ea_`l�\]ka_fYl]�l]f�gj�egj]�\]\a[Yl]\�à_`�[YhY[alq�dg_�`gklk&�L`]�lqha[Yd�e]\ame%kar]\�gh]jYlagf�ogmd\�`Yn]�log�gj�l`j]]�à_`%[YhY[alq�dg_�`gklk$�g^�oà[`�l`]�hjaeYjq�dg_�`gkl�ak�\]\a[Yl]\$�Yf\�fgf]�g^�oà[`�ak�Ydkg�l`]�Y\eafakljYlagf�ogjcklYlagf&�Emdlahd]�dg_`gklk�gh]jYl]�af�^Yadgn]j$�fgl�j]\mf\Yfl�eg\]&�L`]�hjaeYjq�dg_�`gkl�`Yf\d]k�l`]�Zmdc�g^�l`]�dg__af_�\mla]k3�gl`]jk�Yj]�[Ydd]\�af�Yk�f]]\]\�o`]f�l`]�à_`]kl%jYfcaf_�dg_�`gkl�ak�mfYnYadYZd]�lg�j][]an]�dg_k&

Log File Size and Turnover FrequencyQgm�[Yf�k]l�l`]�eYpaeme�kar]�g^�l`]�dg_�âd]�af�e]_YZql]k�gj�fmeZ]j�g^�dg_�]flja]k&�O`]f�l`]�dg_âd]�j]Y[`]k�l`]�eYpaeme�kar]�qgm�k]l$�l`]�=n]fl�Hjg[]kkgj�Z]_afk�gn]jojalaf_�l`]�dg_�âd]�klYjlaf_�Yl�alk�Z]_affaf_&



>gj�]pYehd]$�kmhhgk]�qgm�`Yn]�k]l�qgmj�dg_�̂ ad]�eYpaeme�lg�)(($(((�]flja]k&�Gh]jYlagf�g^�qgmj�>aj]Zgp�Z]_afk�gf�K]hl]eZ]j�+j\&�:q�K]h%l]eZ]j�0l`$�l`]�dg_�âd]�`Yk�)(($(((�]flja]k&�9l�làk�hgafl$�l`]�]n]fl�hjg[]kkgj�klYjlk�ojalaf_�K]hl]eZ]j�1l`�dg_�]flja]k�gn]j�l`]�gja_afYd�K]hl]eZ]j�+j\�]flja]k&�Kg�^Yj$�l`]�K]hl]eZ]j�,l`�l`jgm_`�0l`�]flja]k�Yj]�kladd�aflY[l�Yf\�[Yf�Z]�j]lja]n]\�^gj�_]f]jYlaf_�àklgja[Yd�j]hgjlk� k]]�ÉJ]hgjlaf_Ê�gf�hY_] 1/!&�=n]flmYddq$�`go]n]j$�l`]�dg_�âd]�ak�[gehd]l]dq�gn]jojall]f�oal`�]n]flk�^jge�K]hl]eZ]j�1l`�jgm_`�l`]�),l`�gj�kg&

Gfdq�qgm�[Yf�\]l]jeaf]�l`]�a\]Yd�eYpaeme�kar]�g^�qgmj�dg_�âd]&�Al�oadd�Z]�ZYk]\�gf�l`]�klgjY_]�khY[]�YnYadYZd]$�`go�eYfq�\YqkÌ�dg_�]flja]k�qgm�oYfl�gf�`Yf\�Yl�Yfq�lae]$�Yf\�`go�dgf_�Y�dg_�âd]�ak�hjY[%la[Yd�lg�c]]h$�gh]f$�Yf\�na]o&�@go�ima[cdq�qgmj�âd]�àlk�alk�eYpa%eme�kar]�Yf\�ak�gn]jojall]f�ak�Ydkg�\]l]jeaf]\�Zq�`go�eYfq�]n]fl�lqh]k�qgm�Yj]�dg__af_�Yf\�`go�em[`�ljY^â[�ak�YhhjgY[àf_�qgmj�>aj]Zgp&

>gj�]pYehd]$�Y�keYdd�gh]jYlagf�ea_`l�fgl�k]]�)($(((�]flja]k�af�log�o]]ck$�o`]j]�Y�dYj_]�gf]�oal`�eYfq�k]jna[]k�]fYZd]\�ea_`l�]Ykadq�dg_�)(($(((�]flja]k�af�Y�\Yq&

Gf]�hjY[la[]�l`Yl�ogmd\�eYc]�qgmj�dg__af_�\][akagfk�]Yka]j�ak�o`]l`]j�gj�`go�g^l]f�qgm�ogmd\�akkm]�j]hgjlk�g^�l`]�>aj]Zgp�Y[lan%alq&�OYl[`?mYj\Ìk�@aklgja[Yd�J]hgjlk�eg\md]�mk]k�Y�dg_�âd]�Yk�alk�kgmj[]�lg�Zmad\�j]hgjlk&�A^�qgm�akkm]�o]]cdq�j]hgjlk�lg�eYfY_]e]fl$�qgm�ogmd\�oYfl�Y�dg_�âd]�dYj_]�]fgm_`�lg�`gd\�Y�lqha[Yd�]a_`l�gj�faf]�\YqÌk�ogjl`�g^�]n]flk&�Kg�ZYka[Yddq�qgm�ogmd\�oYfl�lg�oYl[`�qgmj�afalaYd�dg_�âd]�[gfâ_mjYlagf�lg�k]]�`go�eYfq�\YqkÌ�]n]flk�al�[gdd][lk�Z]^gj]�lmjfaf_�gn]j$�Yf\�l`]f�Y\bmkl�l`]�kar]�lg�qgmj�j]hgjl%af_�f]]\k&�

Which Events will Trigger Notification?L`]�egkl�aehgjlYfl�]n]flk�l`Yl�k`gmd\�lja__]j�fglaâ[Ylagf�Yj]�AH�ghlagfk$�hgjl�khY[]�hjgZ]k$�Y\\j]kk�khY[]�hjgZ]k$�Yf\�khggâf_�YllY[ck� o`]j]�Yf�afZgmf\�hY[c]l�hj]l]f\k�lg�Z]�^jge�Yf�AH�Y\\j]kk�oalàf�qgmj�gj_YfarYlagf!&�L`]k]�Yj]�[gfâ_mjYZd]�af�l`]�Hgda[q�EYf%Y_]jÌk�<]^Ymdl�HY[c]l�@Yf\daf_�\aYdg_$�Yf\�k`gmd\�Ydegkl�YdoYqk�lja__]j�]n]fl�dg_k�Yf\�fglaâ[Ylagf&

Gl`]j�fglaâ[Ylagfk�\]h]f\�gf�gl`]j�^Y[lgjk�af�qgmj�k][mjalq�hgda[q2

� @go�Égh]fÊ�ak�qgmj�>aj]Zgp�[gfâ_mjYlagf7� @go�Zmkq�\g�qgm�oYfl�lg�Z]�afl]jY[laf_�oal`�Yf\�afl]j[]\af_�^gj�

qgmj�âj]oYdd7

>gj�]pYehd]$�a^�qgm�k]l�mh�Y�kaehd]�[gfâ_mjYlagf�l`Yl�]fYZd]k�gfdq�Y�^]o�k]jna[]k$�Yf\�\]fa]k�egkl�gj�Ydd�af[geaf_�ljY^â[$�l`]j]�Yj]�^]o�[aj[meklYf[]k�l`Yl�oYjjYfl�fglaâ[Ylagf&�Gf�l`]�gl`]j�`Yf\$�a^�qgm�



`Yn]�Y�dYj_]�[gfâ_mjYlagf�oal`�eYfq�k]jna[]k$�oal`�eYfq�Yddgo]\�`gklk�gj�f]logjck�^gj�af[geaf_�ljY^â[$�hghmdYj�hjglg[gdk�lg�kh][aâ[$�gZk[mj]�hgjlk$�Yf\�k]n]jYd�hY[c]l�âdl]j�k]jna[]k�Y\\]\�g^�qgmj�gof�\]ka_f$�qgm�oadd�f]]\�lg�k]l�mh�Y�dYj_]$�[gehd]p�fglaâ[Ylagf�k[`]e]&�Làk�lqh]�g^�[gfâ_mjYlagf�ak�egj]�nmdf]jYZd]�lg�YllY[c&�Fgl�gfdq�Yj]�l`]j]�eYfq�egj]�k]jna[]k�l`Yl�j]imaj]�Y�fglaâ[Ylagf�hgda[q$�l`]�à_`�fmeZ]j�g^�jgml]k�l`jgm_`�l`]�>aj]Zgp�af[j]Yk]k�l`]�dac]da`gg\�l`Yl�l`]�=n]fl�Hjg[]kkgj�oadd�akkm]�^j]im]fl�fglaâ[Ylagfk&

L`]j]^gj]$�a^�qgm�k]l�mh�Y�n]jq�Y[[geeg\Ylaf_�âj]oYdd$�Z]�hj]hYj]\�lg�kh]f\�qgmj�\Yqk� Yf\�fa_`lk!�afl]jY[laf_�oal`�qgmj�k][mjalq�kqk%l]e�gj�âpaf_�k][mjalq�Zj]Y[`]k&

Lg�^gjemdYl]�Y�fglaâ[Ylagf�hgda[q$�dggc�Yl�l`]�fmeZ]j�Yf\�fYlmj]�g^�l`]�k]jna[]k�qgm�]fYZd]�^gj�l`]�>aj]Zgp$�Yf\�`go�gh]f�gj�daeal]\�]Y[`�k]jna[]�ak&�Af�_]f]jYd$�^gj�l`]�à_`%ljY^â[�hjgpa]k�km[`�Yk�KELH�Yf\�>LH$�qgm�ea_`l�Y[lanYl]�Y�j]h]Yl�fglaâ[Ylagf�a^�l`]�k]jna[]�j]b][lk�ân]�lg�l]f�hY[c]lk�oalàf�+(�k][gf\k&�A^�qgm�`Yn]�k]l�mh�Y�kh][aYdar]\�k]jna[]�daeal]\�lg�ljY^â[�Z]lo]]f�log�gj�l`j]]�`gklk�mkaf_�Y�à_`�hgjl�fmeZ]j$�qgm�ea_`l�oYfl�lg�Y[lanYl]�fglaâ[Ylagf�gf�làk�k]jna[]�o`]f]n]j�al�\]fa]k�gj�hYkk]k�Y�hY[c]l&

What form of notification you will useKlYf\Yj\�fglaâ[Ylagf�e]l`g\k�Yj]�]%eYad$�Y[lanYlaf_�Y�hY_]j$�Y�hghmh�oaf\go�gf�l`]�Y\eafakljYlagf�ogjcklYlagf$�gj�Y�[mklge�hjg%_jYe&�L`]�[mklge]j�ak�j]khgfkaZd]�^gj�[j]Ylaf_�Y�[mklge�hjg_jYe$�oà[`�[gmd\�akkm]�fglaâ[Ylagf�Yfq�oYq�gj�[geZafYlagf�g^�oYqk�qgm�ogmd\�dac]&�>gj�]pYehd]$�qgm�ea_`l�oYfl�fglaâ[Ylagf�lg�hgh�mh�gf�l`]�Y\eafakljYlagf�ogjcklYlagfÌk�k[j]]f�Yf\�hY_]�l`]�gf%\mlq�f]l%ogjc�Y\eafakljYlgj&

How Notification Counts and Handles Events

L`]�fglaâ[Ylagf�[gf[]hlk�g^�dYmf[`�afl]jnYd$�j]h]Yl�[gmfl$�Yf\�j]h]Yl�afl]jnYd$�Yf\�]kh][aYddq�`go�l`]q�afl]jY[l$�[Yf�Z]�[gf^mkaf_&�:]dgo�ak�Yf�]pYehd]�g^�`go�l`]q�ogjc�lg_]l`]j�lg�Ya\�qgm�af�Yjjanaf_�Yl�mkYZd]�k]llaf_k�o`]f�qgm�[gfâ_mj]�l`]k]�hYjYe]l]jk�af�nYjagmk�hdY[]k�af�l`]�Hgda[q�EYfY_]j&

ExampleKmhhgk]�qgm�`Yn]�k]l�mh�fglaâ[Ylagf�oal`�l`]k]�nYdm]k2

� DYmf[`�Afl]jnYd�5�-�eafml]k� k]l�af�l`]�af\ana\mYd�k]jna[]Ìk�Dg_%_af_�\aYdg_!

� J]h]Yl�[gmfl�5�,� k]l�af�l`]�af\ana\mYd�k]jna[]Ìk�Dg__af_�\aYdg_!� J]h]Yl�Afl]jnYd�5�)-�eafml]k� k]l�_dgZYddq�af�l`]�=n]fl�Hjg[]kkgj�

mk]j�afl]j^Y[]!


How Notification Counts and Handles Events

L`]f�Y�hgjl�khY[]�hjgZ]�Z]_afk�Yl�)(2((�Y&e&�Yf\�[gflafm]k�gf[]�h]j�eafml]$�lja__]jaf_�l`]�dg__af_�Yf\�fglaâ[Ylagf�e][`Yfakek&�@]j]�ak�l`]�lae]�daf]�g^�Y[lanala]k�l`Yl�ogmd\�j]kmdl�^jge�làk�]n]fl�oal`�làk�laeaf_�Yf\�j]h]Ylaf_�k]lmh2

1. )(2((ÈAfalaYd�hgjl�khY[]�hjgZ]� âjkl�]n]fl!

2. )(2()ÈOYl[`?mYj\�dYmf[`]k�âjkl�fglaâ[Ylagf�

3. )(2(.ÈOYl[`?mYj\�dYmf[`]k�k][gf\�fglaâ[Ylagf� j]hgjlk�ân]�]n]flk!

4. )(2))ÈOYl[`?mYj\�dYmf[`]k�làj\�fglaâ[Ylagf� j]hgjlk�ân]�]n]flk!

5. )(2).ÈOYl[`?mYj\�dYmf[`]k�^gmjl`�fglaâ[Ylagf� j]hgjlk�ân]�]n]flk!

6. )(2+)ÈOYl[`?mYj\�ojal]k�Y�dg_�e]kkY_]�l`Yl�l`]�fglaâ[Ylagf�]n]fl�`Yk�j]h]Yl]\�ân]�lae]k

7. )(2,.ÈOYl[`?mYj\�ojal]k�Yfgl`]j�dg_�e]kkY_]�l`Yl�l`]�fglaâ[Y%lagf�]n]fl�`Yk�j]h]Yl]\�â^l]]f�lae]k

L`]�lae]�afl]jnYdk�Z]lo]]f�Y[lanala]k�)$�*$�+$�,$�Yf\�-�Yj]�[gfljgdd]\�Zq�l`]�dYmf[`�afl]jnYd$�oà[`�oYk�k]l�lg�-�eafml]k&

L`]�lae]�afl]jnYdk�Z]lo]]f�-$�.$�Yf\�/�Yj]�[gfljgdd]\�Zq�l`]�j]h]Yl�afl]jnYd$�oà[`�oYk�k]l�lg�)-�eafml]k&

L`]�j]h]Yl�[gmfl�emdlahda]\�Zq�l`]�dYmf[`�afl]jnYd�_an]k�l`]�lae]�Yf�]n]fl�emkl�[gflafmgmkdq�`Yhh]f�Z]^gj]�OYl[`?mYj\�`Yf\d]k�al�Yk�Y�Éj]h]Ylaf_�fglaâ]j&Ê

Làk�hjg_j]kkan]�fglaâ[Ylagf�Yf\�dg__af_�k[`]e]�hjgna\]k�Y�\]lYad]\�fglaâ[Ylagf�Yl�l`]�afalaYd�]n]fl$�^gddgo]\�Zq�khY[]%�Yf\�lae]%kYnaf_�[memdYlan]�kmeeYja]k�lg�c]]h�l`]�Y\eafakljYlgj�mh\Yl]\&�Làk�j]\m[]k�l`]�Yegmfl�g^�dg__af_�Yf\�fglaâ[Ylagf�g^�Y�j]h]Ylaf_�]n]fl&�A^�o]�[gflafm]�lg�_]l�]n]flk�^gj�l`]�j]h]Yl�[gmfl�emdlahda]\�Zq�l`]�dYmf[`�afl]jnYd$�OYl[`?mYj\�kaehdq�dg_k�l`Yl�l`]�]n]flk�Yj]�[gflafm%af_�]n]jq�j]h]Yl�afl]jnYd&

A^�Yf�]n]fl�klghk�[gehd]l]dq�^gj�Y�o`gd]�dYmf[`�afl]jnYd$�l`]�o`gd]�hjg[]kk�klYjlk�Y_Yaf&


CHAPTER 9 Monitoring your Security System

L`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e�hjgna\]k�k]n]jYd�egfalgjaf_�lggdk$�eYfq�g^�oà[`�Yj]�_jYhà[Yd�Yf\'gj�j]Yd%lae]$�lg�`]dh�qgm�nakmYdar]�f]logjc�eYfY_]e]fl�Yf\�Ykk]kk�l`]�]^^][lan]f]kk�g^�qgmj�k][mjalq�hgda[a]k&

L`]�OYl[`?mYj\�Dan]K][mjalq�Kqkl]e�af[dm\]k�@gkloYl[`$�Y�klYf\Y%dgf]�_jYhà[Yd�j]Yd%lae]�egfalgjaf_�lggd$�hdmk�k]n]jYd�lggdk�oalàf�l`]�>aj]Zgp�Egfalgj&�L`]�egfalgjaf_�lggdk�af[dm\]2�

HostWatch (standalone)<akhdYqk�j]Yd%lae]�egfalgjaf_�g^�f]logjc�mkY_]�eYhh]\�lg�Yml`]fla%[Yl]\�mk]jk�Yf\�`gkl�[gehml]jk&�;gdgj%[g\]\�[gff][lagf�lqh]k� 9ddgo]\$�<]fa]\$�Hjgpa]\�gj�EYkim]jY\]\!�Z]lo]]f�afl]jfYd']pl]jfYd�`gklk�Yj]�a\]flaâ]\�Zq�AH�Y\\j]kk$�<FK�fYe]�gj�mk]j�fYe]&�

Bandwidth Meter (Firebox Monitor)<akhdYqk�j]Yd%lae]�egfalgjaf_�g^�ZYf\oa\l`�mkY_]�^gj�]Y[`�=l`]jf]l�hgjl&�:Yf\oa\l`�mkY_]�ak�\akhdYq]\�^gj�af[geaf_�Yf\�gml_gaf_�[geem%fa[Ylagfk&�H]jag\k�g^�h]Yc�mladarYlagf�Yj]�Ydkg�af\a[Yl]\�gf�Y�[gfâ_mjYZd]�k[Yd]�mh�lg�)((EZ'k][&�

ServiceWatch (Firebox Monitor)<akhdYqk�j]Yd%lae]�egfalgjaf_�g^�k]jna[]k�Z]af_�mk]\�gf�l`]�f]logjc&�L`]�_jYhà[Yd�j]hj]k]flYlagfk�k`goaf_�l`]�[gdgj%[g\]\�[gff][lagfk�g^�]Y[`�[gfâ_mj]\�k]jna[]�[Yf�Z]�j]^j]k`]\�Yl�mk]j%kh][aâ]\�afl]jnYdk&�

Status Report (Firebox Monitor)J]lja]n]k�Y�kmeeYjq�g^�l`]�>aj]ZgpÌk�klYlmk�j]hgjl$�\akhdYq]\�af�Y�k[jgd%dYZd]�oaf\go&�

Authentication List (Firebox Monitor)K`gok�l`]�lqh]k�g^�Yml`]fla[Ylagf�Z]af_�mk]\$�hdmk�l`]�AH�Y\\j]kk�g^�l`]�Yml`]fla[Ylagf�k]jn]j&

Blocked Site List (Firebox Monitor)<akhdYqk�l`]�AH�Y\\j]kk]k� af�kdYk`�fglYlagf!�g^�Yfq�]pl]jfYd�kal]k�l`Yl�Yj]�l]ehgjYjadq�Zdg[c]\�Zq�hgjl�khY[]�hjgZ]k$�khggâf_�Yll]ehlk$�Y\\j]kk�khY[]�hjgZ]k$�gj�o`Yl]n]j�`Yk�Z]]f�[gfâ_mj]\�lg�lja__]j�Yf�Ymlg%Zdg[c&


Monitoring your Security System

HostWatch

@gklOYl[`�\akhdYqk�Y[lan]�[gff][lagfk�g[[mjjaf_�gf�Y�>aj]Zgp�af�j]Yd%lae]&�Al�[Yf�Ydkg�_jYhà[Yddq�j]hj]k]fl�l`]�[gff][lagfk�dakl]\�af�Y�dg_�âd]$�]al`]j�hdYqaf_�ZY[c�Y�hj]nagmk�âd]�^gj�j]na]o$�gj�\akhdYqaf_�[gff][lagfk�Yk�l`]q�Yj]�dg__]\�aflg�l`]�[mjj]fl�dg_�âd]&

@gklOYl[`�hjgna\]k�_jYhà[Yd�^]]\ZY[c�gf�f]logjc�[gff][lagfk�Z]lo]]f�l`]�Ljmkl]\�Yf\�=pl]jfYd�f]logjck&�9\\alagfYd�\]lYadk�YZgml�mk]jk$�[gff][lagfk$�Yf\�eYkim]jY\af_�Yj]�YnYadYZd]�^jge�@gklOYl[`&

L`]�af^gjeYlagf�\akhdYq]\�af�@gklOYl[`�ak�ZYk]\�gf�l`]�dg__af_�k]l%laf_k�[gfâ_mj]\�af�l`]�>aj]Zgp&�>gj�afklYf[]$�lg�k]]�Ydd�\]fa]\�Yll]ehlk�Yl�af[geaf_�l]df]l$�[gfâ_mj]�l`]�>aj]Zgp�lg�dg_�af[geaf_�\]fa]\�l]df]l�Yll]ehlk&

L`]�daf]�[gff][laf_�l`]�kgmj[]�`gkl�Yf\�\]klafYlagf�`gkl�ak�[gdgj%[g\]\�lg�\akhdYq�l`]�lqh]�g^�[gff][lagf�Z]af_�eY\]&�J]hj]k]flYlan]�a[gfk�Yhh]Yj�f]pl�lg�l`]�k]jn]j�]flja]k�^gj�@LLH$�l]df]l$�KELH$�Yf\�>LH&

O`]f�@gklOYl[`�ak�âjkl�klYjl]\$�fYe]�j]kgdmlagf�eYq�fgl�g[[mj�aee]\aYl]dq&�9k�fYe]k�Yj]�j]kgdn]\$�l`]�\akhdYq]\�AH�Y\\j]kk]k�Yj]�j]hdY[]\�Zq�`gkl�fYe]k�gj�mk]j�fYe]k$�\]h]f\af_�gf�l`]�k]d][l]\�\akhdYq�k]llaf_k&�Kge]�eY[àf]k�eYq�f]n]j�j]kgdn]$�Yf\�l`]�AH�Y\\j]kk]k�j]eYaf�af�l`]�@gklOYl[`�oaf\go&

The HostWatch DisplayL`]�eYaf�oaf\go�ak�khdal�aflg�log�ka\]k$�Afka\]�Yf\�Gmlka\]&�<gm%Zd]%[da[caf_�Yf�al]e�gf�]al`]j�ka\]�hjg\m[]k�Y�hgh%mh�oaf\go�\ak%hdYqaf_�\]lYad]\�af^gjeYlagf�YZgml�[mjj]fl�[gff][lagfk�̂ gj�l`Yl�al]e&�Làk�hgh%mh�oaf\go�k`gok�l`]�AH�Y\\j]kk]k$�hgjl�fmeZ]j$�[gff][%lagf�lqh]$�\aj][lagf$�Yf\�gl`]j�\]lYad]\�af^gjeYlagf�YZgml�l`]k]�[gf%f][lagfk&�

Qgm�[Yf�na]o�\]lYad]\�af^gjeYlagf�^gj�Yfq�[gff][lagf�l`Yl�afngdn]k�l`]�>aj]Zgp&�Af�l`]�eYaf�\akhdYq$�l`]�dgo]j�oaf\go�k`gok�l`]�[gf%f][lagfk�j]dYlan]�lg�l`]�>aj]Zgp&�L`]�hgh%mh�oaf\go�k`gok�\]lYad]\�af^gjeYlagf�j]dYlan]�lg�l`]�k]d][l]\�`gkl&


Bandwidth Meter

FIGURE 7. HostWatch Display

Bandwidth Meter

L`]�:Yf\oa\l`�E]l]j�k`gok�j]Yd%lae]�ZYf\oa\l`�mkY_]�^gj�Y�_an]f�afl]j^Y[]�g^�Y�>aj]Zgp&�Kaf[]�al�ak�Y�j]Yd%lae]�\akhdYq$�:Yf\oa\l`�E]l]j�\akhdYqk�[mjj]fl�gf_gaf_�ZYf\oa\l`�mk]�Zq�Y�^mf[lagfaf_�>aj]Zgp&

The Bandwidth Meter Display

L`]�\]^Ymdl�:Yf\oa\l`�E]l]j�k`gok�l`]�Y�_jYh`�kmjjgmf\]\�Zq�k]n%]jYd�gl`]j�[gfljgdk�Yf\�\akhdYqk&�:Yf\oa\l`�E]l]j�[Yf�Z]�Y�`Yf\q�lggd�^gj�eYcaf_�kmj]�qgm�`Yn]�l`]�hjgh]j�j]kgmj[]k�Yddg[Yl]\�lg�]Y[`�afl]j^Y[]&�Al�[Yf�ima[cdq�a\]fla^q�o`a[`�afl]j^Y[]k�k]]�l`]�egkl�ljY^^a[&

ServiceWatch

K]jna[]OYl[`�_jYh`k�l`]�fmeZ]j�g^�[gff][lagfk�Zq�k]jna[]$�hjgna\%af_�Y�k]jna[]%[]flja[�na]o�g^�f]logjc�Y[lanalq&



L`]�Q�Ypak�k`gok�l`]�fmeZ]j�g^�[gff][lagfk$�Yf\�l`]�P�Ypak�k`gok�lae]$�[gflafmgmkdq�_jYhàf_�f]logjc�Y[lanalq&�=Y[`�k]jna[]�Z]af_�_jYh`]\�ak�Ykka_f]\�Y�\a^^]j]fl�[gdgj]\�daf]�lg�\a^^]j]flaYl]�Yegf_�k]jna[]k&

9k�l`]�_jYh`�k[jgddk�^jge�d]^l�lg�ja_`l$�l`]�daf]k�oadd�_g�mh�gj�\gof�j]^d][laf_�l`]�[mjj]fl�fmeZ]j�g^�[gff][lagfk&

StatusReport

L`]�KlYlmkJ]hgjl�lYZ�\akhdYqk�[gehj]`]fkan]�af^gjeYlagf�YZgml�l`]�[mjj]fl�klYlmk�g^�l`]�>aj]Zgp&�>jge�lgh�lg�Zgllge�al�daklk�l`]�^gddgo%af_2

Uptime and Version InformationL`]�lae]�jYf_]�gf�l`]�klYlakla[k$�l`]�>aj]Zgp�mhlae]�Yf\�l`]�OYl[`?mYj\�K][mjalq�Kqkl]e�kg^loYj]�n]jkagf&

Packet CountsL`]�fmeZ]j�g^�hY[c]lk�Yddgo]\$�\]fa]\$�Yf\�j]b][l]\�Z]lo]]f�klYlmk�im]ja]k&�J]b][l]\�hY[c]lk�Yj]�\]fa]\�hY[c]lk�^gj�oà[`�OYl[`?mYj\�k]f\k�Yf�A;EH�]jjgj�e]kkY_]&

Log and Notification HostsL`]�AH�Y\\j]kk]k�g^�l`]�Dg_�Yf\�Fglaâ[Ylagf�@gklk&

Network ConfigurationKlYlakla[k�YZgml�l`]�f]logjc�[Yj\k�\]l][l]\�oalàf�l`]�âj]oYdd$�af[dm\af_�l`]�afl]j^Y[]�fYe]$�alk�`Yj\oYj]�Yf\�kg^loYj]�Y\\j]kk]k�Yf\�alk�f]l%eYkc&�Af�Y\\alagf$�dg[Yd�jgmlaf_�af^gjeYlagf$�Yf\�AH�YdaYk]k�Yj]�af[dm\]\&

Blocked Site ListL`]�[mjj]fl�eYfmYddq�Zdg[c]\�kal]k$�a^�Yfq&�L]ehgjYjadq�Zdg[c]\�kal]�]flja]k�Yhh]Yj�gf�l`]�:dg[c]\�Kal]k�lYZ&

Active TCP Connections9�dakl�g^�Yfq�Y[lan]�L;H�[gff][lagfk�g[[mjjaf_�Y[jgkk�l`]�>aj]Zgp&

Active FTP Connections9�dakl�g^�Yfq�Y[lan]�>LH�[gff][lagfk�g[[mjjaf_�Y[jgkk�l`]�âj]oYdd&�L`]�\aj][lagf�Yf\�o`]l`]j�gj�fgl�l`]j]�ak�Yf�gh]f�\YlY�[`Yff]d�Yj]�dakl]\�af�hYj]fl`]k&

Spoofing InformationL`]�AH�Y\\j]kk]k�g^�Zdg[c]\�`gklk�Yf\�f]logjck&�A^�Éfgf]Ê�ak�dakl]\$�OYl[`?mYj\�j]b][lk�l`]k]�hY[c]lk�gf�Ydd�g^�alk�afl]j^Y[]k&

Logging OptionsDg__af_�ghlagfk�[gfâ_mj]\�oal`�]al`]j�l`]�Ima[cK]lmh�OarYj\�gj�Zq�Y\\af_�Yf\�[gfâ_mjaf_�k]jna[]k�^jge�l`]�Hgda[q�EYfY_]j&

Authentication Host InformationL`]�lqh]k�g^�Yml`]fla[Ylagf�Z]af_�mk]\�Yf\�l`]�AH�Y\\j]kk�g^�l`]�Yml`]f%la[Ylagf�k]jn]j&


Authentication List

MemoryKlYlakla[k�gf�l`]�e]egjq�mkY_]�g^�l`]�[mjj]fldq�jmffaf_�âj]oYdd&�Fme%Z]jk�k`gof�Yj]�Zql]k�g^�e]egjq&

Load AverageL`]�fmeZ]j�g^�bgZk�af�l`]�jmf�im]m]�Yn]jY_]\�gn]j�)$�-$�Yf\�)-�eafml]k&�L`]�^gmjl`�fmeZ]j�hYaj�ak�fmeZ]j�g^�hjg[]kk]k�Y[lan]'fmeZ]j�g^�lglYd�hjg[]kk]k�jmffaf_�Yf\�l`]�dYkl�fmeZ]j�ak�l`]�f]pl�hjg[]kk�A<�fmeZ]j&

ProcessesL`]�hjg[]kk�A<$�l`]�fYe]�g^�l`]�hjg[]kk$�l`]�klYlmk�g^�l`]�hjg[]kk2

Ò J2�Jmffaf_Ò K2�Kd]]haf_Ò R2�RgeZa]

Al�Ydkg�\akhdYqk�^gmj�fmeZ]jk�k`goaf_�e]egjq�af^gjeYlagf�^gj�]Y[`�hjg[]kk2

Ò Kar]�g^�l`]�]p][mlYZd]Ò CadgZql]k�g^�hjg_jYe�af�e]egjqÒ Kar]�g^�l`]�]p][mlYZd]�eafmk�l`]�k`Yj]\�e]egjq�hgjlagfÒ <YlY�kar]�hdmk�klY[c

Interfaces=Y[`�f]logjc�afl]j^Y[]�ak�\akhdYq]\�af�làk�k][lagf$�Ydgf_�oal`�\]lYad]\�af^gjeYlagf�j]_Yj\af_�alk�klYlmk�Yf\�hY[c]l�[gmfl&

RoutesL`]�âj]oYdd�c]jf]d�jgmlaf_�lYZd]&�L`]k]�jgml]k�Yj]�mk]\�lg�\]l]jeaf]�oà[`�afl]j^Y[]�l`]�>aj]oYdd�mk]k�^gj�]Y[`�\]klafYlagf�Y\\j]kk&

ARP Table9�kfYhk`gl�g^�l`]�9JH�lYZd]�gf�l`]�jmffaf_�âj]oYdd&�L`]�9JH�lYZd]�ak�mk]\�lg�eYh�AH�Y\\j]kk]k�lg�`Yj\oYj]�Y\\j]kk]k&

Authentication List

L`]�9ml`]fla[Ylagf�Dakl�lYZ�\akhdYqk�l`]�`gkl�AH�Y\\j]kk]k�Yf\�mk]j�fYe]k�g^�]n]jqgf]�[mjj]fldq�Yml`]fla[Yl]\�lg�l`]�>aj]Zgp&�A^�qgm�Yj]�mkaf_�<@;H$�l`]�AH�Y\\j]kk�lg�mk]j�fYe]�eYhhaf_�[`Yf_]k�o`]f%]n]j�eY[àf]k�j]Zggl�gj�j]klYjl&

Blocked Site List

T`]�:dg[c]\�Kal]k�lYZ�daklk�l`]�AH�Y\\j]kk]k� af�kdYk`�fglYlagf!�g^�Yfq�]pl]jfYd�kal]k�l`Yl�Yj]�l]ehgjYjadq�Zdg[c]\�Zq�hgjl�khY[]�hjgZ]k$�khggâf_�Yll]ehlk$�Y\\j]kk�khY[]�hjgZ]k$�gj�o`Yl]n]j�`Yk�Z]]f�[gf%â_mj]\�lg�lja__]j�Yf�Ymlg%Zdg[c&�



9mlg%Zdg[caf_�`Yk�Y�kaf_d]�lae]gml�o`a[`�[Yf�Z]�Y\bmkl]\�^jge�l`]�:dg[c]\�Kal]k�\aYdg_�Zgp�YnYadYZd]�naY�l`]�Hgda[q�EYfY_]j&�F]pl�lg�]Y[`�Zdg[c]\�kal]�l`ak�lYZ�ak�l`]�Yegmfl�g^�lae]�j]eYafaf_�gf�l`]�l]ehgjYjq�Ymlg%Zdg[c&�


CHAPTER 10 Reporting

9�[`Ydd]f_af_�f]logjc�Y\eafakljYlagf�lYkc�ak�Y[[gmflaf_�^gj�Afl]jf]l�mkY_]&��Gf]�g^�l`]�Z]kl�oYqk�lg�hjgna\]�`Yj\�\YlY�^gj�Y[[gmflaf_�Yf\�eYfY_]e]fl�hmjhgk]k�ak�lg�_]f]jYl]�\]lYad]\�j]hgjlk�k`goaf_�`go�l`]�Afl]jf]l�[gff][lagf�ak�Z]af_�mk]\�Yf\�Zq�o`ge&�

L`]�dg_�j]na]o�^mf[lagfk�g^�l`]�OYl[`?mYj\�L][`fgdg_a]k�K][mjalq�Kqkl]e�Yj]�k]hYjYl]\�aflg�log�ZYka[�[gehgf]flk3�j]Yd�lae]�Yf\�àk%lgja[Yd�j]hgjlk&�L`]�j]Yd�lae]�dg_k�Yj]�l]pl�âd]k�l`Yl�[Yf�]Ykadq�Z]�aehgjl]\�aflg�Yfq�j]hgjl�eYc]j�gj�dg_�hYjk]j&�L`]�OYl[`?mYj\�L][`fgdg_a]k�@aklgja[Yd�J]hgjl�Ojal]j�ak�Yf�]Ykq�lg�mk]�j]hgjl�eYc]j�l`Yl�`Yk�eYfq�klYf\Yj\�j]hgjlk�\]ka_f]\�lg�_an]�Y�kfYhk`gl�g^�l`]�[mjj]fl�Yf\�àklgja[Yd�>aj]Zgp�Y[lanalq&�

Why Reporting?

O]dd%lYj_]l]\�j]hgjl�_]f]jYlagf�`]dhk�a\]fla^q�Yf\�]f^gj[]�Yf�Y[[]hl%YZd]�mk]�hgda[q�^gj�l`]�gj_YfarYlagfÌk�Afl]jf]l�[gff][lagf&�L`]�[gf%[]hl�g^�ÉY[[]hlYZd]�mk]Ê�fgl�gfdq�Z]Yjk�gf�hjg\m[lanalq$�Zml�Ydkg�gf�l`]�gj_YfarYlagfÌk�nmdf]jYZaalq�lg�k]pmYd�`YjYkke]fl�[`Yj_]k�Yf\�gl`]j�h]jkgff]d%j]dYl]\�[gf[]jfk&

9�_gg\�j]hgjl�_]f]jYlagf�^Y[adalq�k`gmd\�Z]�YZd]�lg�a\]fla^q�Yf\�kme%eYjar]�c]q�akkm]k�km[`�Yk2�

� O`]f�\g�A�f]]\�Y�oa\]j�ZYf\oa\l`�[gff][lagf�lg�l`]�Afl]jf]l�Yf\�o`q7�

� O`Yl�Yj]�l`]�mkY_]�hYll]jfk�l`Yl�eq�mk]jk�Yj]�\]n]dghaf_�Yf\�`go�\g�l`gk]�hYll]jfk�j]dYl]�lg�l`]�k][mjalq�g^�l`]�f]logjc�Yf\�l`]�_gYdk�g^�l`]�[gjhgjYlagf7�


Reporting

� @go�\g�[mjj]fl�mk]j�hYll]jfk�j]^d][l�l`]�nYdm]k�Yf\�[gf[]jfk�g^�l`]�[gjhgjYlagf�oal`�j]_Yj\k�lg�[j]Ylaf_�Y�hjg\m[lan]�ogjchdY[]7

L`]�@aklgja[Yd�J]hgjlaf_�Eg\md]�Yddgok�kmeeYja]k�lg�Z]�Zmadl�k`goaf_�lqh]k�g^�k]kkagfk$�egkl�Y[lan]�`gklk$�egkl�mk]\�k]jna[]k$�MJDk$�EYkim]jY\af_�af^gjeYlagf�Yf\�eYfq�gl`]j�j]hgjlk&��L`]k]�klYf\Yj\�j]hgjlk�o]j]�\]n]dgh]\�^gj�gmj�[mklge]jk�ZYk]\�gf�l`]aj�j]im]klk�^gj�[d]Yj$�[gf[ak]$�Yf\�j]d]nYfl�af^gjeYlagf�gf�l`]aj�[gjhg%jYl]�Afl]jf]l�mkY_]&�

The WatchGuard Historical Reports Module

@aklgja[Yd�J]hgjlaf_�kmeeYjar]k�qgmj�f]logjc�Y[lanalq&�9f�YjjYq�g^�^d]paZd]�j]hgjlaf_�ghlagfk�hjgna\]k�qgm�Y�jYf_]�g^�klYf\Yj\ar]\�j]hgjlk�Zq�lae]�khYf$�`gkl�Yf\�k]jna[]&�Qgm�[Yf�na]o�j]hgjlk�af�l]pl�eg\]�gj�mk]�k]n]jYd�_jYhàf_�ghlagfk�af[dm\]\�af�l`]�@aklgja[Yd�J]hgjlaf_�hY[cY_]&�L`]k]�klYf\Yj\ar]\�j]hgjlk�[Yf�Z]�[mklgear]\�gj�]phgjl]\�aflg�làj\%hYjlq�Yhhda[Ylagfk�^gj�]phYf\]\�YfYdqkak�Yf\�hj]k]flYlagf&

O`]f�qgm�[gdd][l�Y�j]hgjl�h]jag\Ìk�]n]flk$�[ghq�l`]�dg_�âd]�lg�klYZa%dar]�al�^gj�_]f]jYlaf_�j]hgjlk&

Types of Reports

KlYf\Yj\�j]hgjlk�af[dm\]2�

Exception reportsDakl�\]fa]\�[gff][lagf�j]im]klk$�j]Zgglk$�k[Yf�Yll]ehlk�Yf\�gl`]j�Y[lan%alq�dg__]\�Zq�l`]�>aj]Zgp&�

Time Series reportsK`go�[gff][lagf�kmeeYja]k�\mjaf_�Y�kh][aâ]\�lae]�h]jag\&�

Host reportsK`go�l`]�fmeZ]j�g^�[gff][lagfk�lg�l`]�lgh�)(�af[geaf_�Yf\�gml_gaf_�`gklk&�

Service reportsK`go�l`]�fmeZ]j�g^�[gff][lagfk�lg�l`]�lgh�)(�af[geaf_�Yf\�gml_gaf_�k]jna[]k&�

Session reportsNa]o�Y[lanalq�Zq�af\ana\mYd�mk]j�k]kkagf&�

Suspicious Activity reportsOYjf�g^�hgl]flaYd�k][mjalq�Zj]Y[`]k&�

URL reports lDakl�@LLH�Y[lanalq$�af[dm\af_�hY_]k�j]lja]n]\$�aeY_]k�j]lja]n]\�Yf\�kal]k�nakal]\�Zq�`gkl�gj�mk]j&�


Building Reports

Building Reports

:mad\af_�Y�j]hgjl�e]Yfk�k]d][laf_�Y�[]jlYaf�hgafl�g^�na]o�gj�klYlakla[�qgm�oYfl�lg�kmeeYjar]$�kh][a^qaf_�l`]�[jal]jaY�l`Yl�oadd�hjgna\]�làk�hgafl�g^�na]o$�Yf\�afalaYlaf_�l`]�Zmad\&�9�j]hgjl�akgdYl]k�kh][aâ[�af^gjeYlagf�^jge�Y�em[`�dYj_]j�\YlYZYk]&

>gj�]pYehd]$�Y�ÉmkY_]�Zq�`gklÊ�j]hgjl�\akhdYqk�o`Yl�h]j[]flY_]�g^�ljY^â[�l`jgm_`�l`]�>aj]Zgp�ak�YlljaZmlYZd]�lg�l`]�nYjagmk�[gehml]jk�af�l`]�gj_YfarYlagfÌk�f]logjc&�Lg�Zmad\�Y�mkY_]�Zq�`gkl�j]hgjl$�qgm�ogmd\�kh][a^q�o`Yl�lae]�h]jag\�l`]�Y[lanalq�[gn]jk$�oà[`�`gklk�qgm�Yj]�[gfka\]jaf_� ^gj�]pYehd]$�l`]�lgh�l]f�gj�lo]flq!$�Yf\�oà[`�_jYhà[�Z]kl�j]hj]k]flk�l`]�mkY_]� ^gj�]pYehd]$�Y�+%<�ha]%[`Yjl!&

Exporting Reports

@aklgja[Yd�j]hgjlk�[Yf�Z]�]phgjl]\�lg�gl`]j�^gjeYlk�^gj�af[gjhgjYlagf�aflg�hghmdYj�j]hgjl�hjg_jYek&�

CDF ReportsL`]�]phgjl�^]Ylmj]�]fYZd]k�qgm�lg�]phgjl�l`]�[mjj]fldq�dgY\]\�dg_\Z�âd]�aflg�l`j]]�\a^^]j]fl�[geeY�\]daeal]\�l]pl�âd]k� ;<>!$�oà[`�qgm�[Yf�l`]f�mk]�af�gl`]j�hjg_jYek�km[`�Yk�\YlYZYk]k�Yf\�khj]Y\k`]]lk&�L`]�l`j]]�âd]k�Yj]2

� =phgjl&lpl�È�Daklk�l`]�]flaj]�âd]�af�;<>�^gjeYl&� =p[=phgjl&lpl�È�Daklk�l`]�]p[]hlagfk�gj�\]fa]\�[gff][lagfk&� Mjd=phgjl&lpl�È�Daklk�l`]�MJDk�gj�<FK�fYe]k�g^�l`]�`gklk�l`Yl�

[gff][l]\�lg�]Y[`�gl`]j&

=phgjl�ghlagfk�]fYZd]�qgm�lg�[mklgear]�l`]�gmlhml�^gj�lae]�h]jag\�[gn]j]\$�dg[Yd�gj�?EL�lae]$�Yf\�MJD�gj�<FK�fYe]k&

L`]�]phgjl�âd]�â]d\�fYe]k�Yj]2

� Dg[Yd�\Yl]�È�<Yl]�af�l`]�>aj]Zgp�lae]�rgf]&� Dg[Yd�lae]�È�Lae]�af�l`]�>aj]Zgp�lae]�rgf]&� ?E<�È�Dg_k�mk]�?j]]foa[`�E]Yf�<Yl]�^gj�Ydd�dg_k�kaf[]�l`]�dg_k�

[Yf�g[[mj�af�Yfq�lae]�rgf]&� ?EL�È�Dg_k�mk]�?j]]foa[`�E]Yf�Lae]�^gj�Ydd�dg_k�kaf[]�l`]�dg_k�

[Yf�g[[mj�af�Yfq�lae]�rgf]&� Kj[�È�Kgmj[]�Yk�]al`]j�AH�Y\\j]kk�gj�<FK�YdaYk$�\]h]f\af_�gf�l`]�

<FK�k]llaf_k&� <]kl�È�<]klafYlagf�Yk�]al`]j�AH�Y\\j]kk�gj�<FK�YdaYk$�\]h]f\af_�

gf�l`]�<FK�k]llaf_k&� Kj[�hgjl�È�L`]�hgjl�mk]\�lg�k]f\�l`]�ljYfkeakkagf&


Reporting

� <]kl�hgjl�È�L`]�hgjl�lg�oà[`�l`]�ljYfkeakkagf�oYk�k]fl&� Af'Gml�È�<aj][lagf�g^�ljYfkY[lagf$�]al`]j�ÉAf[geaf_Ê�gj�ÉGml_g%

af_Ê&� Mk]j�fYe]�È�L`]�fYe]�g^�l`]�gja_afYlgj�g^�gml_gaf_�ljYfkY[lagfk&

L`]�mk]j�fYe]�ak�j]hgjl]\�a^�Yml`]fla[Ylagf�lg�l`]�>aj]Zgp�ak�Y[lan]�Yf\�l`]�mk]j�fYe]�ak�j]kgdn]\�af�l`]�dg_�âd]&�Al�ak�hgkkaZd]�^gj�Y�[gff][lagf�lg�Z]�ojall]f�lg�l`]�]phgjl�o`]j]�l`]�mk]j�fYe]�ak�fgl�j]kgdn]\&�Làk�ak�Z][Ymk]�l`]�dg_�âd]�ak�gn]jojall]f�k]im]flaYddq�ZYk]\�gf�Y�eYpaeme�dg_�kar]&�L`]j]^gj]$�Y�j][gj\�l`Yl�j]hgjlk�Y�mk]jÌk�Yml`]fla[Ylagf�[gmd\�Z]�gn]jojall]f�Z]lo]]f�l`]�lae]�al�\akhdYqk�af�@aklgja[Yd�J]hgjlk�Yf\�o`]f�al�ak�]phgjl]\&

WebTrends for Firewalls and VPNs® Reports@aklgja[Yd�J]hgjlk�[Yf�Ydkg�]phgjl�l`]�dg_�âd]�aflg�Y�^gjeYl�l`Yl�[Yf�Z]�aehgjl]\�aflg�O]ZLj]f\k�^gj�>aj]oYddk�Yf\�NHFk�&��

O]ZLj]f\k�^gj�>aj]oYddk�Yf\�NHFk�[Yd[mdYl]k�af^gjeYlagf�\a^^]j%]fldq�l`Yf�OYl[`?mYj\�@aklgja[Yd�J]hgjlk&�OYl[`?mYj\�@aklgja[Yd�J]hgjlk�[gmflk�l`]�fmeZ]j�g^�ljYfkY[lagfk�l`Yl�g[[mj�gf�Hgjl�0(&�O]ZLj]f\k�^gj�>aj]oYddk�Yf\�NHFk�[Yd[mdYl]k�l`]�fmeZ]j�g^�MJD�j]im]klk&�L`]k]�fmeZ]jk�nYjq�\m]�lg�emdlahd]�MJD�j]im]kl�eYq�_g�gn]j�l`]�kYe]�Hgjl�0(�[gff][lagf�Yf\�ÉC]]h�9dan]k&Ê


Internet Security Handbook Index

9Y[lan]�[gff][lagfk 1,9@

AHK][ /-YdaYk

AH +.9JH�lYZd] 1-Yml`]fla[Ylagf

;JQHLG;Yj\ -/\akhdYqaf_�dakl 1->aj]Zgp --na]oaf_�`gkl�af^gjeYlagf 1,Oaf\gok�FL�K]jn]j --

9ml`]fla[Ylagf�@]Y\]j� 9@! /-Ymlg%Zdg[c]\�kal]k ,-

:Zdg[c]\�hgjlk

[gf^da[lk ,0mk]^mdf]kk ,/OYl[`?mYj\�\]^Ymdl�dakl ,/

Zdg[c]\�kal]k ,-YmlgeYla[ ,-dakl 1,$�1-h]jeYf]fl ,-

:jYf[`�G^â[]�NHF .1\aY_jYe /*AHK][�mk]k /(kYehd]�[gfâ_mjYlagfk /+

:jYf[`�G^â[]�NHF�oal`�AHK][\aY_jYe /.

;;`Yf_af_�Y�K]jna[] ,*;@9H�Yml`]fla[Ylagf�hjglg[gd -.[gfâ_mjaf_

Hgjl�>gjoYj\af_ -)k]jna[]k�lg�ogjc�oal`�NHF /0

;JQHLG;Yj\ -/

<\]^Ymdl�Zdg[c]\�\]klafYlagf�hgjlk ,/\]^Ymdl�hY[c]l�`Yf\daf_ ,-$�,.$�,0<]d]laf_�Y�K]jna[] ,+<=K�]f[jqhlagf /-\jgh%af�[gf^a_mjYlagf +-$�+.<jgh%af�f]logjc

j]dYl]\�`gkl�akkm] +.

==f[YhkmdYlaf_�K][mjalq�HYqdgY\� =KH! /-]f[jqhlagf

)*0%Zal /(,(%Zal /(kaf_d]%<=K /-ljahd]%<=K /-$�/.

=KH /-]phgjlaf_�j]hgjlk )((

>>aj]Zgp +-

Y\\af_�j]dYl]\�`gkl +.Y\\af_�j]dYl]\�f]logjc +-Yml`]fla[Ylagf --=pl]jfYd�afl]j^Y[] ,-afl]j^Y[]k 1-eYkim]jY\af_ -(hgjl�^gjoYj\af_ -)JY\amk�Yml`]fla[Ylagf -.k][j]l�k`Yj]\�oal`�JY\amk�k]jn]j -.mk]jk -*mk]jk�Yf\�_jgmhk -*mk]jk�afka\] ,*mk]jk�gmlka\] ,*

>aj]Zgp$�afl]j^Y[]k +/

@`gkl�YdaYk -*

AA9F9 ,/Afl]jf]l�9kka_f]\�FmeZ]j�9ml`gjalq ,.AH�YdaYk +.AH�eYkim]jY\af_

f]logjck -(AHK][ /,$�/-

9@ /-=KH /-aehd]e]flYlagf�]pYehd] //hgda[q /,lmff]d /,

AHK][�k]lmhHgda[a]k //

DdgY\�Yn]jY_] 1-dg_�`gkl

daklaf_ 1,dg__af_

ghlagfk 1,O]Z:dg[c]j .*

Ee]egjq 1-Emdlahd]�f]logjc�[gfâ_mjYlagf +/emdlahd]�f]logjc�[gfâ_mjYlagf +.

FF]l:AGK�k]jna[]k ,0F]logjc�[gfâ_mjYlagf$�emdlahd] +/F]logjc�>ad]�Kqkl]e ,0fglaâ[Ylagf

daklaf_�`gklk 1,Fgn]dd�AHP ,0FL�K]jn]j�Yml`]fla[Ylagf --

GGh]fOaf\gok ,0

HhY[c]l�âdl]jaf_

\]k[jahlagf +1jmd]�k]lk ,(

hgda[qAHK][ /,

hgda[q�gj\]jaf_ /-AHK][ /-

hgjl�khY[]�hjgZ] ,($�,-hgjlk$�jYf\ge ,0hjgZ]

hghmdYj�hgjlk ,0hgjl�khY[] ,-

hjgZ]khgjl�khY[] ,(

hjg[]kk 1-hjgpa]k

\]k[jahlagf ,(

JJY\amk

k][j]l -.k]jn]j�j]imaj]e]flk -.

JY\amk�Yml`]fla[Ylagfhgjl�mk]\ -.

j[h ,0j]dYl]\�`gklk +.j]dYl]\�f]logjck +-J]egl]�Mk]j�NHF .1$�0(j]hgjlk

]phgjlaf_ 11O]ZLj]f\k )((

jdg_af ,0jgml]k 1-JH;�hgjleYhh]j ,0

jk` ,0jmd]�k]lk

hY[c]l�âdl]jaf_ ,(

KkYehd]�[gfâ_mjYlagf

:jYf[`�G^â[]�NHF /+k][j]l� JY\amk! -.K]jna[]k

[`Yf_af_ ,*\]d]laf_ ,+

khggâf_ ,-$�,.$�1,KlYlmk�Na]o]j

Afl]j^Y[]k 1-KlYlmkJ]hgjl 1,

LljYfkhYj]fl�Yhhda[Ylagf�hjgpa]k +1ljahd]%<=K�]f[jqhlagf /-$�/.Ljmkl]\�afl]j^Y[] /(lmff]d

AHK][ /,

Mmhlae] 1,

Nn]jkagf 1,NajlmYd�HjanYl]�F]logjc� NHF!

[gfâ_mjYlagf�[`][cdakl /*[gfâ_mjaf_�k]jna[]k�lg�ogjc�oal` /0

NHF .1[gfâ_mjaf_�k]jna[]k�lg�ogjc�oal` /0

OOYl[`?mYj\�K][mjalq�LjaYf_d] *1OYl[`?mYj\�NHF

mk]k /(O]Z:dg[c]j

:dg[c]\�MJD�<YlYZYk] .+manually downloading .+

;gfljgdk�lYZ .)=p[]hlagfk�LYZ .)_jgmhk .)?jgmhk�LYZ .)`go�al�ogjck .*dg__af_ .*e]kkY_]�^gj�Zdg[c]\�mk]j .)K[`]\md]�LYZ .)

O]ZLj]f\k )((Oaf\gok�FL

_jgmhk -*mk]jk -*mk]jk�Yf\�_jgmhk -*

PP�Oaf\gok ,/

WatchGuard Internet Security Handbook

Documents

Transcript of WatchGuard Internet Security Handbook