SonicOS Enhanced supports an expanded set of IP protocols, allowing users to create services and access rules based on these protocols. See “Supported Protocols” for a complete listing of supported IP protocols.
Services are used by the SonicWALL security appliance to configure network access rules for allowing or denying traffic to the network. The SonicWALL security appliance includes Default Services. Default Services are predefined services that are not editable. You can also create Custom Services to configure firewall services to meet your specific business requirements.
Selecting All Services from View Style displays both Custom Services and Default Services.
The Default Services view displays the SonicWALL security appliance default services in the Services table and Service Groups table. The Service Groups table displays clusters of multiple default services as a single service object. You cannot delete or edit these predefined services. The Services table displays the following attributes of the services:
• Name—The name of the service.
• Protocol—The protocol of the service.
• Port Start—The starting port number for the service.
• Port End—The ending port number for the service.
• Configure—Displays the unavailable Edit and Delete icons (default services cannot be edited or deleted; you will need to add a new service for the Edit and Delete icons to become available).
Services that apply to common applications are grouped as Default Service Groups. These groups cannot be changed or deleted. Clicking the + to the left of a Default Service Groups entry displays all the individual Default Services included in the group. For example, the DNS (Name Service) entry has two services, labelled DNS (Name Service) TCP for port 53 and DNS (Name Service) UDP for port 53. These multiple entries with the same name are grouped together and are treated as a single service. Default Service Groups cannot be edited or deleted.
The following list provides configuration tasks for Custom Services:
The following IP protocols are available for custom services:
• ICMP (1)—(Internet Control Message Protocol) A TCP/IP protocol used to send error and control messages.
• IGMP (2)—(Internet Group Management Protocol) The protocol that governs the management of multicast groups in a TCP/IP network.
• TCP (6)—(Transmission Control Protocol) The TCP part of TCP/IP. TCP is a transport protocol in TCP/IP. TCP ensures that a message is sent accurately and in its entirety.
• UDP (17)—(User Datagram Protocol) A protocol within the TCP/IP protocol suite that is used in place of TCP when reliable delivery is not required.
• GRE (47)—(Generic Routing Encapsulation) A tunneling protocol used to encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to firewalls or routing devices over an IP internetwork.
• ESP (50)—(Encapsulating Security Payload) A method of encapsulating an IP datagram inside another datagram, employed as a flexible method of data transportation by IPsec.
• AH (51)—(Authentication Header) A security protocol that provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).
• EIGRP (88)—(Enhanced Interior Gateway Routing Protocol) An advanced version of IGRP. It provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols.
• OSPF (89)—(Open Shortest Path First) A routing protocol that determines the best path for routing IP traffic over a TCP/IP network based on distance between nodes and several quality parameters. OSPF is an interior gateway protocol (IGP), which is designed to work within an autonomous system. It is also a link state protocol that generates less router-to-router update traffic than the RIP protocol (a distance vector protocol) that it was designed to replace.
• PIMSM (103)—(Protocol Independent Multicast Sparse Mode) One of two PIM operational modes (dense and sparse). PIM sparse mode tries to constrain data distribution so that a minimal number of routers in the network receive it. Packets are sent only if they are explicitly requested at the RP (rendezvous point). In sparse mode, receivers are widely distributed, and the assumption is that downstream networks will not necessarily use the datagrams that are sent to them. The cost of using sparse mode is its reliance on the periodic refreshing of explicit join messages and its need for RPs.
• L2TP (115)—(Layer 2 Tunneling Protocol) A protocol that allows a PPP session to run over the Internet. L2TP does not include encryption, but defaults to using IPsec in order to provide virtual private network (VPN) connections from remote users to the corporate LAN.
You can add a custom service for any of the predefined service types:
All custom services you create are listed in the Custom Services table. You can group custom services by creating a Custom Services Group for easy policy enforcement. If a protocol is not listed in the Default Services table, you can add it to the Custom Services table by clicking Add.
Step 4   Click OK. The service appears in the Custom Services table.
Click the Enable Logging checkbox to enable or disable the logging of the service activities.
Using only the predefined IP types, if the security appliance encounters traffic of any other IP protocol type, it drops it as unrecognized. However, there exists a large and expanding list of other registered IP types, as governed by IANA (Internet Assigned Numbers Authority): http://www.iana.org/assignments/protocol-numbers. So while the rigid practice of dropping less-common (unrecognized) IP type traffic is secure, it was functionally restrictive.
SonicOS Enhanced 3.5 and newer, with its support for Custom IP Type Service Objects, allows an administrator to construct Service Objects representing any IP type, allowing Firewall Access Rules to then be written to recognize and control IPv4 traffic of any type.
Note   The generic service Any will not handle Custom IP Type Service Objects. In other words, simply defining a Custom IP Type Service Object for IP Type 126 will not allow IP Type 126 traffic to pass through the default LAN > WAN Allow rule.
It will be necessary to create an Access Rule specifically containing the Custom IP Type Service Object to provide for its recognition and handling, as illustrated below.
Assume an administrator needs to allow RSVP (Resource Reservation Protocol, IP Type 46) and SRP (Spectralink™ Radio Protocol, IP Type 119) from all clients on the WLAN zone (WLAN Subnets) to a server on the LAN zone (for example, 10.50.165.26). The administrator would define Custom IP Type Service Objects to handle these two services:
Step 1   From the Network > Services page, click the Go to Service Objects link at the top right of the page to jump to the Services section.
Step 4   Select Custom IP Type from the Protocol drop-down list.
Step 7   From the Network > Services page, Service Group section, select Add Group.
Step 9   From Firewall > Access Rules > WLAN > LAN, select Add.
IP protocol 46 and 119 traffic will now be recognized and will be allowed to pass from WLAN Subnets to 10.50.165.26.
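The service-object, service-group and access-rule behaviour described above, modelled as an added example (not SonicOS code): it shows why the default LAN > WAN Allow rule, whose service is Any, never passes IP Type 46, while an explicit WLAN > LAN rule naming the custom IP type group does. The zone names, first-match rule ordering and drop-on-no-match behaviour are assumptions made for the illustration.

```python
"""Model of SonicOS services, service groups and access-rule matching as described
above; an added illustration, not SonicOS code. Assumed: first matching rule wins,
unmatched traffic is dropped, and "Any" covers only the predefined IP types."""
from dataclasses import dataclass, field

PREDEFINED_IP_TYPES = {1, 2, 6, 17, 47, 50, 51, 88, 89, 103, 115}  # ICMP ... L2TP, as listed above

@dataclass(frozen=True)
class Service:
    name: str
    protocol: int        # IANA IP protocol number
    port_start: int = 0  # port range only applies to TCP (6) and UDP (17)
    port_end: int = 0
    def matches(self, proto: int, dport: int) -> bool:
        if proto != self.protocol:
            return False
        if self.protocol in (6, 17):
            return self.port_start <= dport <= self.port_end
        return True      # other IP types carry no port to check

@dataclass
class ServiceGroup:
    name: str
    members: list = field(default_factory=list)  # Services or nested groups
    def matches(self, proto: int, dport: int) -> bool:
        return any(m.matches(proto, dport) for m in self.members)

class AnyService:  # the generic "Any" service: predefined IP types only
    def matches(self, proto: int, dport: int) -> bool:
        return proto in PREDEFINED_IP_TYPES

@dataclass
class AccessRule:
    src_zone: str
    dst_zone: str
    service: object      # Service, ServiceGroup or AnyService
    action: str          # "allow" or "deny"

def evaluate(rules, src_zone: str, dst_zone: str, proto: int, dport: int = 0) -> str:
    """First matching rule decides; no match means the packet is dropped."""
    for r in rules:
        if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) and r.service.matches(proto, dport):
            return r.action
    return "drop"
# Constructed sample policy mirroring the page's examples (DNS group, RSVP/SRP rule).
DNS_GROUP = ServiceGroup("DNS (Name Service)", [Service("DNS (Name Service) TCP", 6, 53, 53),
                                                Service("DNS (Name Service) UDP", 17, 53, 53)])
RSVP_SRP = ServiceGroup("RSVP+SRP", [Service("RSVP", 46), Service("SRP", 119)])
RULES = [AccessRule("LAN", "WAN", AnyService(), "allow"),  # default LAN > WAN Allow
         AccessRule("WLAN", "LAN", RSVP_SRP, "allow")]     # explicit custom IP type rule
```

Calling evaluate(RULES, "LAN", "WAN", 46) returns "drop" even though the custom service object exists, while evaluate(RULES, "WLAN", "LAN", 46) returns "allow" because the rule names the group.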
Click the Edit icon under Configure to edit the service in the Edit Service window, which includes the same configuration settings as the Add Service window.
Click the Delete icon to delete an individual custom service. You can delete all custom services by clicking the Delete button.
You can add custom services and then create groups of services, including default services, to apply the same policies to them. For instance, you can allow SMTP and POP3 traffic only during certain hours or days of the week by adding the two services as a Custom Service Group. To create a Custom Services Group, click Add Group.
Step 3   Click -> to add the services to the group.
Step 5   Click <- to remove the services.
Clicking + on the left of a Custom Service Group name expands the display to show all the individual Custom Services, Default Services, and Custom Services Groups included in the Custom Service Group entry.
Click the Edit icon under Configure to edit the custom service group in the Edit Service Group window, which includes the same configuration settings as the Add Service Group window.
Click the Delete icon to delete the individual custom service group entry. You can delete all custom service groups by clicking the Delete button.