3.2.4. Custom IP Protocol Services
Services that run over IP and perform application/transport layer functions can be uniquely
identified by IP protocol numbers. IP can carry data for a number of different protocols. These
protocols are each identified by a unique IP protocol number specified in a field of the IP header.
For example, ICMP, IGMP and EGP have protocol numbers 1, 2 and 8 respectively.
Similar to the TCP/UDP port ranges described previously, a range of IP protocol numbers can be
used to specify multiple applications for one service. For example, specifying the range 1-4,7 will
match the protocols ICMP, IGMP, GGP, IP-in-IP and CBT.
IP protocol numbers
The currently assigned IP protocol numbers and references are published by the Internet Assigned
Numbers Authority (IANA) and can be found at:
http://www.iana.org/assignments/protocol-numbers
Example 3.9. Adding an IP Protocol Service
This example shows how to add an IP Protocol service, with the Virtual Router Redundancy Protocol.
Command-Line Interface
gw-world:/> add Service ServiceIPProto VRRP IPProto=112
Web Interface
1.
Go to Objects > Services > Add > IP protocol service
2.
Specify a suitable name for the service, for example VRRP
3.
Enter 112 in the IP Protocol control
4.
Optionally enter Virtual Router Redundancy Protocol in the Comments control
5.
Click OK
3.2.5. Service Groups
A Service Group is, exactly as the name suggests, a NetDefendOS object that consists of a
collection of services. Although the group concept is simple, it can be very useful when constructing
security policies since the group can be used instead of an individual service.
The Advantage of Groups
For example, there may be a need for a set of IP rules that are identical to each other except for the
service parameter. By defining a service group which contains all the service objects from all the
individual rules, we can replace all of them with just one IP rule that uses the group.
Suppose that we create a service group called email-services which combines the three services
objects for SMTP, POP3 and IMAP. Now only one IP rule needs to be defined that uses this group
service to allow all email related traffic to flow.
Groups Can Contain Other Groups
When a group is defined then it can contain individual services and/or service groups. This ability to
have groups within groups should be used with caution since it can increase the complexity of a
3.2.5. Service Groups
Chapter 3. Fundamentals
91
Summary of Contents for DFL-1600 - Security Appliance
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27 ...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79 ...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146 ...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227 ...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241 ...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339 ...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360 ...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382 ...
Page 386: ... The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386 ...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439 ...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450 ...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488 ...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503 ...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510 ...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533 ...