General security-related FAQs are listed below.

What DoS attacks does Intoto’s Firewall protect against?
Land attack, Smurf attacks, Unknown IP protocol, IP source route option detection, Zero length IP option, IP unaligned time stamp, Ping of Death, SYN Flooding, UDP Flooding, Win Nuke, Re-Assembly attacks, Jolt and Jolt2 attacks, Octopus, TraceRoute detection, Echo Storm, ICMP unreachable storm, ICMP router advertisement, Echo reply without echo request, Twinge attack detection, Snork attack, Ascend attack, Fraggle attack, W2K domain controller attack, TCP header fragmentation, Short header, XMAS scan, Null scan, Sequence out of range, FIN scan, Post connection SYN, Invalid urgent offset, RFProwl, etc.

What is the footprint size of Intoto’s Firewall?
For footprint sizes, please contact

What type of Firewall is provided in Intoto’s iGateway?
Intoto’s Firewall is a complete stateful inspection firewall technology.

Can Firewall policies be enabled based on time schedules?
Yes, Intoto’s Firewall policies can be set based on time, user groups, and IP addresses. Selectors for FireWall policies can be IP addresses or user groups, and these policies can be applied for specified time intervals.

Can I add a new ALG to Intoto’s Firewall?
Certainly. The customer does not need to know the internals of the Firewall code. Support for a new application-level gateway (ALG) is added through well-defined APIs offered by the Firewall, so new ALGs can be added easily.

Can I use Dialpad behind the iGateway Firewall?
Yes. To use Dialpad behind the iGateway Firewall, the ports needed by the Dialpad application have to be opened.
The blue line is call #1 and the green line is call #2. Calls can be made from the Dialpad clients using different accounts to different phone numbers simultaneously.
The firewall configuration used for this is as follows:
Corporate Inbound Policy: Deny all
Corporate Outbound Policy:
- Permit, destination port: HTTP, HTTPS, DNS; TCP: 7175, 7176, 8680, 8681, 8682, 8685, 9004, 9900; UDP: 9006
- Permit, source port: 51200-51210
- Deny all other ports.

Can I use ICQ file transfer to send/receive files across the firewall?
Yes. To send or receive a file between an ICQ client inside the firewall and an ICQ client across the firewall, configuration is required on the ICQ client as well as on the iGateway Firewall.
On the ICQ client,
- Go to ICQ/Preferences/Connections/User/Not Using Proxy and configure a set of ports that the ICQ client would be listening on for incoming data.
- Disconnect and reconnect the ICQ client after the above configuration.
On the iGateway Firewall, add port triggering records for the IP address of each ICQ client, port 5190 and the TO-BE-TRIGGERED ports (the ports that the corresponding ICQ client is configured to listen on).
For example, suppose the IP address of the ICQ client on the LAN is 10.1.4.3 and the TO-BE-TRIGGERED ports are 5000 to 5020. The CLI sequence would then be:
- add service record for protocol TCP and port 5190
/config/iapd/service> add srvname tcp -sg 5190
- add PORT Triggering record
/config/iapd/fwpt> add ptname yes ip -trs srvname -trip 10.1.4.3 -s no -r yes -rp1 tcp -rr1 5000,5020
Repeat this for each ICQ client.

How does Intoto’s Firewall software take care of FTP applications, which increase the data size?
The software takes care of this by maintaining sequence numbers and a delta factor.

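One common way to keep a TCP stream consistent after an ALG rewrites an FTP PORT line to a different length, shown as an added C example (not Intoto's code; the structure and function names are hypothetical): record the byte delta per connection, shift later sequence numbers by it, and undo the shift on the peer's acknowledgements. The packet lengths in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-connection, per-direction record (not Intoto's structure). */
struct seq_adj {
    uint32_t pos;    /* sequence number of the most recently rewritten segment */
    int32_t  before; /* delta applied to data at or before pos */
    int32_t  after;  /* delta applied to data after pos */
};

/* Wrap-safe "a is later than b" for 32-bit TCP sequence numbers. */
static int seq_after(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

/* Record that the segment starting at seq changed from old_len to new_len
 * bytes. A retransmission of the same segment must not add the delta twice. */
void seq_adj_note(struct seq_adj *a, uint32_t seq, int old_len, int new_len)
{
    if (a->before == a->after || seq_after(seq, a->pos)) {
        a->pos = seq;
        a->before = a->after;
        a->after += new_len - old_len;
    }
}

/* Sequence number to put on the wire for a segment the sender numbered seq. */
uint32_t seq_out(const struct seq_adj *a, uint32_t seq)
{
    return seq + (uint32_t)(seq_after(seq, a->pos) ? a->after : a->before);
}

/* Acknowledgement to hand back to the sender for a peer ACK of ack. */
uint32_t ack_in(const struct seq_adj *a, uint32_t ack)
{
    int32_t d = seq_after(ack - (uint32_t)a->before, a->pos) ? a->after : a->before;
    return ack - (uint32_t)d;
}

int main(void)
{
    struct seq_adj a = { 0, 0, 0 };
    seq_adj_note(&a, 1000, 22, 25);  /* constructed: PORT line grew by 3 bytes */
    printf("next seq 1022 -> %u, peer ack 1025 -> %u\n",
           (unsigned)seq_out(&a, 1022), (unsigned)ack_in(&a, 1025));
    return 0;
}
```
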
How does NAT/NAPT affect firewall effectiveness?
Firewall processing is done on the datagrams first; address/port translation is then applied if needed.

How many concurrent sessions can be established through Intoto’s Firewall software?
There are no restrictions as far as the Firewall software is concerned.

How much code memory (in bytes) is required for iGateway Firewall?
89 KB

In a Rose attack, does Intoto Firewall protect internal machines from going to 100% CPU?
Yes. No packets are sent to the actual targeted machine (or the same host) until a fully reassembled packet is received. It was observed that, without the firewall, CPU utilization is at its peak when the attack is targeted against a WIN2K machine. When the same test is performed with the WIN2K machine behind the iGateway Firewall, CPU utilization is normal.

In a Rose attack, how does Intoto Firewall protect itself?
Intoto Firewall does not queue packets if the fragment received is very small. What counts as *small* is defined by the administrator's configuration. With the default configuration, all such packets are dropped. The IP reassembly module also has the following parameters, which the administrator can set:
- Maximum Fragments count
- Maximum packet size
- Minimum fragment size
- Timeout value
- Maximum IP messages

Is a log generated for a Rose attack?
Yes, log messages are generated according to the attack: PoD, Min Frag or Timeout would be detected.

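How the five reassembly parameters above can gate each incoming fragment, as an added C example (not Intoto's code): names, limit values and the extra verdicts beyond PoD, Min Frag and Timeout are assumptions. It also assumes the minimum-size rule applies only to fragments with More Fragments set, since a final fragment may legitimately be short.

```c
#include <stddef.h>
#include <stdio.h>

/* The five administrator-set reassembly parameters listed above.
 * Field names are hypothetical, not Intoto's. */
struct reasm_cfg {
    unsigned max_frags;     /* maximum fragments count per datagram */
    unsigned max_pkt_size;  /* maximum reassembled packet size, bytes */
    unsigned min_frag_size; /* minimum size of a non-final fragment, bytes */
    unsigned timeout_s;     /* reassembly timeout, seconds */
    unsigned max_msgs;      /* maximum IP messages under reassembly at once */
};

struct reasm_ctx {          /* state for one datagram being reassembled */
    unsigned frags;         /* fragments queued so far */
    unsigned first_seen_s;  /* arrival time of its first fragment */
};

enum verdict { QUEUE, DROP_POD, DROP_MIN_FRAG, DROP_TIMEOUT,
               DROP_MAX_FRAGS, DROP_MAX_MSGS };

/* Decide whether one fragment may be queued. ctx is NULL when the fragment
 * would open a new reassembly context; active counts the open contexts. */
enum verdict reasm_admit(const struct reasm_cfg *cfg, const struct reasm_ctx *ctx,
                         unsigned active, unsigned now_s,
                         unsigned off, unsigned len, int more_frags)
{
    if (off + len > cfg->max_pkt_size)              return DROP_POD;
    if (more_frags && len < cfg->min_frag_size)     return DROP_MIN_FRAG;
    if (ctx == NULL)
        return active >= cfg->max_msgs ? DROP_MAX_MSGS : QUEUE;
    if (now_s - ctx->first_seen_s > cfg->timeout_s) return DROP_TIMEOUT;
    if (ctx->frags >= cfg->max_frags)               return DROP_MAX_FRAGS;
    return QUEUE;
}

int main(void)
{
    /* Constructed limits and a constructed 32-byte first fragment. */
    struct reasm_cfg cfg = { 16, 65535, 256, 30, 64 };
    static const char *name[] = { "queue", "PoD", "Min Frag", "Timeout",
                                  "Max Frags", "Max Msgs" };
    printf("tiny first fragment: %s\n",
           name[reasm_admit(&cfg, NULL, 0, 0, 0, 32, 1)]);
    return 0;
}
```
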
What are the mechanisms to integrate Firewall to existing TCP/IP stacks?
Intoto provides detailed porting guides to assist its customers in porting the software to different TCP/IP stacks. In addition, Intoto provides optional porting services for porting its software to new development environments.

What attacks does FireWall guard against?
List of attacks Intoto FireWall guards against:
1. LAND attack
2. Smurf attacks
3. Winnuke attack (Netbios out-of-bound)
4. Unknown IP protocol
5. Reassembly attacks
   1. Syndrop
   2. Teardrop 2
   3. Opentear
   4. Tentacle
   5. Ping of Death attack
   6. Nestea
   7. Big ping
   8. Targa 3
   9. Newtear
   10. Bonk
   11. Boink
   12. IP fragment overlap
   13. IP fragment last length changing
   14. Too many IP fragments
   15. Very small IP fragments
   16. Empty fragment
   17. SSPing
   18. Flushot
6. IP Spoofing across network
7. Twinge
8. TCP SYN flood
9. IP source route option detection
10. Jolt and Jolt2
11. Ascend attack
12. TCP XMAS scan
13. Octopus
14. Overdrop
15. Echo / chargen
16. Ascend Kill
17. Mime flood
18. Zero length IP option
19. IP unaligned time stamp
20. ICMP router advertisement
21. Snork attack
22. Fraggle attack
23. UDP short header
24. TCP header fragmentation
25. TCP short header
26. TCP null scan
27. TCP sequence out of range
28. TCP FIN (Stealth)
29. TCP postconnection SYN
30. TCP invalid urgent offset
31. RFProwl
32. Blind spoofing
33. W2K domain controller attack
34. FTP bounce attack
35. Sequence number prediction
36. Rose attack

What features are supported by FireWall?
The 3 main functions of FireWall are policy definition and enforcement, guarding against attacks, and providing logging.
- Complete stateful packet inspection firewall (SPI)
- Support for DMZ (optional)
- NAT
- Corporate IN/OUT bound policies
- DMZ IN/OUT bound policies
- IP address objects
- Services objects
- NAT objects
- Service time-outs
- Statistics
- Application Content filtering
- Authenticated remote user access
- E-mail alerts
- Syslog support for event logging
- Web based or CLI based firewall configuration and management
- Comprehensive network access statistics
Selectors for FireWall policies can be IP addresses or user groups, and these policies can be applied for specified time intervals.

What games have been tested behind iGateway Firewall?
The following games were tested on iGateway Firewall.
Microsoft Games
- Age of Empires
- Flight simulator 2000
Activision Games
- Quake 2
Blizzard Games
- Diablo II
- Starcraft game - Version 1.05
  Outbound (destination) TCP 6112 to be opened.
Unreal Tournament
- UT2003
  Outbound (destination) TCP 7757, 7758 to be opened.
Electronic Arts (command and conquer)
- Red Alert II
  Outbound (destination) TCP 1234, 1235, 1236, 1237 ports to be opened.
Valve
- Halflife Version 1.1.1.0
  Outbound (destination) TCP 27005-27035, TCP 6003, TCP 7001-7002 to be opened.
- CounterStrike Version 1.5
  Outbound (destination) TCP 27005-27035, TCP 6003, TCP 7001-7002 to be opened.
To run any other games, please open the ports required by the game.

What is the typical number of users that can be supported by iGateway in corporate environment?
Intoto’s Firewall does not put any restrictions on the number of users. The number of users is determined by the memory and processing power of the customer’s product hardware. The Intoto software only requires one or two macros to be changed in order to set the number of users.

What type of Firewall is provided in iGateway?
eFireWall features
The 3 main functions of Firewall are policy definition and enforcement, guarding against attacks, and providing logging.
- Complete stateful packet inspection firewall (SPI)
- Support for DMZ (optional)
- NAT
- Corporate IN/OUT bound policies
- DMZ IN/OUT bound policies
- IP address objects
- Services objects
- NAT objects
- Service time-outs
- Statistics
- Application Content filtering
- Authenticated remote user access
- E-mail alerts
- Syslog support for event logging
- Web based or CLI based firewall configuration and management
- Comprehensive network access statistics
Selectors for FireWall policies can be IP addresses or user groups, and these policies can be applied for specified time intervals.

How robust is Intoto's SIP solution against vulnerabilities?
The SIP stack is tested for vulnerabilities against the PROTOS-7 test suite developed by the Oulu University Secure Programming Group for SIP-based devices (refer to: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/). Intoto's vendor statement is available under http://www.cert.org/advisories/CA-2003-06.html.