Arxceo ALLY IP1000 User manual

User Guide

Information in this document is subject to change without notice.
© 2005 Arxceo Corporation, Huntsville, AL 35806. All rights Reserved.
Reproduction of this document in any manner whatsoever without written permission from Arxceo is
strictly prohibited.
Trademarks used in this text: Arxceo, Ally IP1000, Tag-UR-IT, PnPro, NetFailOpen and the Arxceo logo
are trademarks or registered trademarks of Arxceo Corporation. Microsoft and Windows Embedded XP
are registered trademarks of Microsoft Corporation. Other brands, trademarks or trade names may be
used in this document to refer to either the entities claiming the marks and names or their products.
Arxceo disclaims any proprietary interest in brands, trademarks and trade names other than its own.
Arxceo believes the information in this publication to be accurate as of its publication and is not
responsible for inadvertent errors.

Table of Contents
Ally IP1000 Placement........................................................................................... 4
Connection............................................................................................................. 5
Ally IP1000 Back Panel .......................................................................................... 6
Management .......................................................................................................... 7
Command Line Management .................................................................................. 8
Confirmation .......................................................................................................... 8
Intrusion Protection Information......................................................................... 10
Reviewing Intrusion Messages in the Event Log................................................... 12
Appendix A........................................................................................................... 13
Appendix B........................................................................................................... 18
Appendix C........................................................................................................... 25
Customer Support ................................................................................................ 29
Product Specifications.......................................................................................... 30
License Agreement............................................................................................... 31

Congratulations on purchasing the Arxceo Ally IP1000™. The
following steps will be your guide to Plug and Protect™ your
valuable systems and data, simply and securely.
An Ally IP1000 is easy to install and typically requires very little configuration. However,
the appliance can be extensively configured to allow for use in a wide variety of
networks.
Ally IP1000 Placement
The following diagram illustrates the most common Ally IP1000 installation,
appropriately called the Perimeter Protection position. As shown, the Ally IP1000 is on
the perimeter of the network, in a position to evaluate incoming traffic prior to being
passed to internal systems. This placement, between your router and existing firewall,
allows the Ally IP1000 to provide anomaly detection and prevention to your
organization’s network. Additional security, such as thwarting worm propagation from
infected internal systems, can be provided by deploying Ally products at common
gateways or network traffic intersections.
In the Perimeter Protection position, there are only a few steps to perform to finalize the
Ally IP1000 configuration for your specific environment. If you are installing in a
configuration different from the Perimeter Protection position, please contact your
Arxceo authorized reseller or Arxceo Technical Support if you have any questions about
the installation.
NOTE: As you begin the Ally IP1000 installation, there will be a brief Internet service
outage while the Ally IP1000 is being inserted into the network. However, the
NetFailOpen™ technology within the appliance will allow Internet communication to
resume as soon as the Ally IP1000 network cables are properly connected, even though
the appliance has not been powered on. Depending on your particular network policies
and/or Service Level Agreements (SLAs), Arxceo recommends that the network outage
be communicated to all users prior to beginning the installation procedure.

Connection
The first step in protecting your environment is to connect the Ally IP1000 to the
network. Each connector is detailed in the diagram and table below.
BEFORE YOU BEGIN – NetFailOpen Cabling Requirements: The
Ally IP1000 NetFailOpen feature ensures network traffic will continue
flowing in the case of a system component failure or power loss. If
such a failure occurs, Network Adapters 1 and 2 (as shown in the
diagram below) automatically bridge the two networks together and
continue passing traffic, without providing protection, while the
problem is being resolved.
NetFailOpen only becomes activated when the Ally IP1000 is not
operable; therefore, you will not receive a notification alerting you that
network traffic is continuing without active protection being applied by
the appliance. If you prefer to have all network traffic stop during a
failure, use Adapters 3 and 4 as the Outside and Inside Adapters. In
this case you will need to change the software Network Adapter
Configuration to match this physical setup by using either the Ally
Management Console or the command line interface.
To make certain this feature will function correctly it is important to
ensure that network traffic passes through the Ally IP1000 while it is
powered off. This requires selecting the proper cables to connect the
appliance to the network. Typically, you should use a straight-through
cable when connecting an Ally IP1000 network adapter to a switch and
a crossover cable when connecting directly to another appliance such
as a firewall or router.
When the Ally IP1000 is powered on, Network Adapters 1 and 2
automatically sense the type of cable used and modify their internal
configuration as needed to provide network communication. However,
this auto-sensing capability is lost when the appliance is powered off.
Therefore, you must not assume that the NetFailOpen feature will keep
your network operational in the event of an Ally IP1000 system failure
unless you have verified that network communication continues when
the appliance is powered off.

Using the following diagram and table, insert the Ally IP1000 into your network.
Ally IP1000 Back Panel
Ally IP1000 Back Panel Connectors

Connector 1 - Network Adapter 1 (“Outside” Adapter): Connect this network interface to your “outside” Internet access point.

Connector 2 - Network Adapter 2 (“Inside” Adapter): Connect this network interface to your “inside” LAN.

Connector 3 - Network Adapter 3 (“Management” Adapter): Connect this network interface, preferably to an out-of-band management network, to allow remote Ally IP1000 configuration and to send SNMP alerts and/or Syslog messages to a centralized network management facility.
NOTE: Many of our customers want to be able to reconfigure, monitor and manage the Ally IP1000 from a remote location, such as their office. However, like any product on the market, allowing remote access from a public network to the management interface of a network security device such as the Ally IP1000 introduces a potential point of attack.
The Ally IP1000 Inside and Outside Adapters do not use an IP or MAC address. This unique approach helps protect the Ally IP1000 and your network from attacks. However, the Ally IP1000 management interface utilizes a limited IP protocol stack to provide secure remote administration and reporting. Although this interface is protected by a number of Ally IP1000 security features, we recommend that you connect this port and the management ports of all your network security devices to an out-of-band (private) network.
Many facilities have created an out-of-band network by installing an inexpensive switch and network cables between the server room and a few administrators’ offices. This ensures better security while providing easier remote access for administrators.

Connector 4 - Network Adapter 4: This network interface is not used in the default Perimeter Protection configuration.

Connector 5 - Monitor Connector: Optionally, connect a monitor here to manage the Ally IP1000 from a local console.

Connector 6 - Not in Use.

Connector 7 - Mouse Connector: Optionally, connect a mouse/pointing device here.

Connector 8 - Keyboard Connector: Optionally, connect a keyboard here.

Connector 9 - Power Cord Connector: Plug the enclosed power cord here.
Once the desired connections have been made, determine that network traffic is flowing
through the Ally IP1000 while it is powered off. Adjust the cabling configuration, if
necessary, until network communication is restored. Then apply power to the Ally
IP1000.
Management
The Ally IP1000 is managed through a graphical user interface (GUI), called the Ally
Management Console. The GUI provides a convenient, secure portal for remotely managing
the configuration settings or for viewing the Ally IP1000’s event log, blacklists, and statistics
counters. The Ally Management Console can be accessed through the Management Adapter
from a remote web browser or from a locally attached monitor, keyboard, and mouse. (A
command line interface is also available. This interface provides access to most, but not all,
of the features provided by the Ally Management Console.)
Connecting to the Ally Management Console from Another System on the Administrative (or
out-of-band) Network:
1) Temporarily change the IP address and subnet mask of another system on your out-
of-band management network to 10.x.x.x, 255.0.0.0 (Do not use 10.1.2.3)
2) Key in https://10.1.2.3 into the URL address field of the web browser on the system
used in step 1. This address references the Ally IP1000 Management Adapter’s
default IP address preset by Arxceo, prior to shipment.
3) Log in as Username: administrator
Password: arxceo
4) The first time the Ally Management Console is accessed, you will be required to
accept the End User License Agreement (EULA). If you do not accept the terms of
the EULA, the product will pass network traffic without providing protection.
5) Select the “Login Account Management” page on the Ally Management Console. Use
the “Change Password” command to change the administrator account password.
6) Select the Ally Management Console “Network Adapter Configuration” page. Set the
Management Adapter IP address, subnet mask, and other IP configuration
information as appropriate for your out-of-band administrative network, or enable
automatic configuration through DHCP if desired. Select “Apply”. This will cause the
web browser system to lose access to the Ally IP1000 if you have changed the IP
address to match your out-of-band address scheme.
7) Reset the IP address and subnet mask of the system used in Step 1 back to the
original address. All systems, including the Ally IP1000, should now be assigned
appropriate IP addresses used by your organization.
8) Now you can use the system from Step 1 to reconnect to https://xxx.xxx.xxx.xxx,
where xxx.xxx.xxx.xxx is the new address of the Ally IP1000.
Accessing the Ally Management Console from a Local Console:
1) Attach a monitor, keyboard, and mouse to the Ally IP1000
2) Log in as Username: administrator
Password: arxceo
3) At the command prompt, enter “AllyMC” to run the Ally Management Console.
4) Log in as Username: administrator
Password: arxceo
5) The first time the Ally Management Console is accessed, you will be required to
accept the End User License Agreement (EULA). If you do not accept the terms of
the EULA, the product will pass network traffic without providing protection.

6) Select the “Login Account Management” page on the Ally Management Console. Use
the “Change Password” command to change the administrator account password.
Command Line Management
Most of the functions provided by the Ally Management Console are available through
these command line programs: AllyRTCfg, AllyAgentCfg, AllyEvent, AllyClearLog,
AllySetIP, AllyTime, AllyReboot, and AllyShutdown. As mentioned above, the Ally
Management Console can be started with the AllyMC command.
Enter these commands at the command prompt with the argument -? to view the
available options.
NOTE: The first time you execute one of the Ally command line programs you will be
required to accept the End User License Agreement (EULA), unless it has been
previously accepted from the Ally Management Console. If you do not accept the
terms of the EULA, the product will pass network traffic without providing protection.
For best security practice, be sure to run the Ally Management Console and add a
password to the administrator account.
Before leaving the local console unattended, log out of the system by entering the “logout”
command in the command window. This will password-protect the console.
Confirmation
The next step to Plug and Protect™ is to ensure no known, or trusted, IP Address has been
“blacklisted” based on the default Ally IP1000 configuration. Once the Ally IP1000 has been
online for approximately two minutes, perform the following from the Ally Management
Console or from the command line window:
Ally IP1000 Command: View the Ally Management Console “Blacklist” page, or enter the following command at the local console:
    AllyRTCfg -blacklist
What Happens? Display Current Blacklist: This command displays the currently “blacklisted” IP Addresses and identifies whether the address was detected on the “inside” or “outside” network. Blacklisted IP Addresses should be reviewed to verify if they are “trusted”. If a Trusted IP Address appears in this list, the next command in this table should be used to place it on the “whitelist”. This will allow the node to continue to function properly while analysis to determine why it was “blacklisted” occurs. If the IP Address is not a Trusted IP Address, then the “blacklisted” entry should remain on the blacklist, with no further actions to be taken.

Ally IP1000 Command: Use the Ally Management Console “Blacklist” page to add a Trusted IP Address to the Inside or Outside “Whitelist” according to the location of the Trusted IP Address, or enter the following command at the local console:
    AllyRTCfg -apwhitelist xx.xxx.xx.xxx INOUT
where xx.xxx.xx.xxx is replaced with the Trusted IP Address from the “blacklist” and INOUT is replaced with 1 for the Inside Adapter or 0 for the Outside Adapter to indicate the location of the Trusted IP address. In the normal installation, the INOUT value is almost always “1”.
What Happens? Add Trusted IP Address to Permanent Whitelist: This command automatically removes the IP Address from the “blacklist” and adds the IP Address to the permanent “whitelist” for the Inside or Outside Adapter. It is important to remember there are separate blacklists and whitelists for both the Outside and Inside adapters.
Arxceo recommends performing the following three steps as a component of your
scheduled systems security maintenance:
1. Review Blacklist: Perform the steps listed above in order to see IP Addresses that
have been blacklisted.
2. Review Ally IP1000 Statistics: The current Ally IP1000 statistics counters can be
viewed from the Ally Management Console “Statistics” page or by entering the
“AllyRTCfg -stats” command at the local console.
3. Review Ally IP1000 Event Log: The Ally IP1000 records security events and
configuration information in the system event log. The event log can be viewed from
the Ally Management Console “Event Log” page or by entering the “AllyEvent”
command at the local console.
Additionally, whenever a trusted IP address, or system, seems to have lost network
access, review the blacklist as described above. Ally IP1000 Intrusion Protection
Messages indicating when and why an IP address was blacklisted will be found in the
event log.
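As an added illustration (not Arxceo code) of the blacklist and whitelist behaviour this section and Appendix A messages 14, 15, 16, 46, 48 and 49 describe, the following Python model applies a per-adapter scan threshold, expires blacklist entries after the blacklist period, and shows why a trusted host that trips the threshold must be whitelisted. The thresholds and traffic are constructed, and the assumption that the request reaching the threshold is itself dropped is this example's, not the manual's.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AdapterPolicy:
    scan_number: int          # connection requests from one IP ...
    scan_timeout: float       # ... within this many seconds => blacklist (messages 14/15)
    blacklist_period: float   # seconds an address stays blacklisted (message 16)


@dataclass
class Adapter:
    name: str                 # "inside" or "outside": each adapter keeps its own lists
    policy: AdapterPolicy
    whitelist: set = field(default_factory=set)
    blacklist: dict = field(default_factory=dict)                       # ip -> expiry time
    requests: dict = field(default_factory=lambda: defaultdict(deque))  # ip -> request times
    log: list = field(default_factory=list)                             # (message number, text)

    def connection_request(self, ip, now):
        """Return True if the request passes. Assumption (not from the manual): the
        request that reaches the threshold is dropped together with the blacklisting."""
        self._expire(now)
        if ip in self.blacklist:
            return False
        if ip in self.whitelist:
            return True                        # trusted: never counted, never blacklisted
        window = self.requests[ip]
        window.append(now)
        while window and now - window[0] > self.policy.scan_timeout:
            window.popleft()                   # keep only requests inside the time window
        if len(window) >= self.policy.scan_number:
            self.blacklist[ip] = now + self.policy.blacklist_period
            window.clear()
            self.log.append((48, f"The IP address {ip} was added to the {self.name} "
                                 f"adapter's blacklist because port scanning was detected."))
            return False
        return True

    def _expire(self, now):
        """Release addresses whose blacklist period has elapsed (message 49)."""
        for ip, expiry in list(self.blacklist.items()):
            if now >= expiry:
                del self.blacklist[ip]
                self.log.append((49, f"The IP address {ip} has been removed from the "
                                     f"{self.name} adapter's blacklist."))

    def apwhitelist(self, ip):
        """What 'AllyRTCfg -apwhitelist <ip> <INOUT>' does for this adapter (message 46)."""
        self.whitelist.add(ip)
        self.blacklist.pop(ip, None)
        self.log.append((46, "The permanent blacklist and/or whitelist has been updated."))


def demo():
    """Constructed traffic; the thresholds are illustrative, not the product defaults."""
    inside = Adapter("inside", AdapterPolicy(scan_number=5, scan_timeout=10.0, blacklist_period=60.0))
    out = {}
    # A trusted backup server opens six connections in 2.5 seconds and trips the threshold.
    out["backup"] = [inside.connection_request("10.0.0.5", t) for t in (0.0, 0.5, 1.0, 1.5, 2.0, 2.5)]
    out["backup_blacklisted"] = "10.0.0.5" in inside.blacklist
    # The operator reviews the blacklist, recognises the address and whitelists it.
    inside.apwhitelist("10.0.0.5")
    out["backup_after_whitelist"] = inside.connection_request("10.0.0.5", 3.0)
    # An unknown host probing one port per second is blacklisted on its fifth request ...
    out["scanner"] = [inside.connection_request("10.0.0.66", 100.0 + i) for i in range(5)]
    out["scanner_30s_later"] = inside.connection_request("10.0.0.66", 130.0)
    # ... and is released once the 60 second blacklist period has elapsed.
    out["scanner_after_period"] = inside.connection_request("10.0.0.66", 170.0)
    out["log_numbers"] = [number for number, _ in inside.log]
    return out
```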

Intrusion Protection Information
The Ally IP1000 is now protecting your network and will provide protection message
information on a variety of intrusions. The following table lists and describes each type
of intrusion and details the protections provided through the default Ally IP1000
configuration.
Intrusions Prevented Automatically by Default

SYN or ACK Denial of Service (DoS) Attacks: By default, the Ally IP1000 is configured to stop ACK floods and prevent SYN floods from getting to any computer protected by the Ally appliance. SYN requests arrive first, and the Ally IP1000 responds in place of the destination server with a Tag-UR-IT marked SYN/ACK and then waits for the responding ACK. Only ACK responses that contain the matching Tag-UR-IT mark are permitted beyond the appliance. Therefore, false ACK traffic is dropped. In this fashion, SYN floods are reflected by the Ally appliance, which merely marks the packets, rather than keeping track of state (session) information. State information is recovered from the ACK packet, which contains the Tag-UR-IT mark.
The Ally device can be configured to detect SYN floods, rather than ACK floods. However, it is possible for an attacker to create false blacklists of ‘good’ IP addresses if they can determine that you are blacklisting on SYN requests, rather than ACK responses.

IP Fragments: Due to physical differences between various networking hardware, IP packets may be broken into various fragments when routed on the Internet. Endpoint devices rarely have the requirement to support fragmented packet reassembly. Originally, fragments were defined within the standard to be held by the destination device and put together once the rest of the transmission arrived. This method of reassembling fragments at the destination device has been exploited by numerous network attacks. With today’s robust networking gear, the only fragmented traffic that is typically seen is intentional fragmentation by attackers trying to sneak exploits past signature-based detection devices.

Unknown Packet Types: By default, ‘unknown’ packet types are not discarded by the Ally IP1000. Enabling the dropping of these packets prevents unknown packet types from entering your network. However, these types include legacy protocols and services such as IPX/SPX (Novell NetWare) and native Microsoft NetBIOS (unless it’s encapsulated within TCP/IP).

DNS Cache Poisoning: DNS cache poisoning is prevented by default by the Ally appliance. This feature prevents false DNS resolution replies from entering your network.

DNS Tunneling: The use of the DNS protocol for anything other than DNS resolutions is prevented by default. As an example, a user could set up a system to use DNS for web surfing unless this feature is enabled.

Information Leakage: Previously transmitted data is often used by network cards to fill in non-required fields or to increase packet sizes to meet the required minimum frame size of various protocols. For instance, Ethernet packets must be at least 64 bytes in length. Packets that are shorter than this required minimum are padded with a previous transmission’s data to create a 64 byte packet length. Therefore, confidential information on the inside of your LAN that has been accessed correctly, and without encryption, can be sent out to the Internet on the next DNS resolution request, as one example. The Ally IP1000 changes the content of all bytes beyond the exact size required, or within non-required fields, in order to prevent data leakage.

Network Reconnaissance (IP Address Discovery; TCP Port Discovery; UDP Port Discovery; OS Fingerprinting): A critical part of an attacker’s network reconnaissance is to determine what addresses, ports, operating systems and firewall devices are used in your network. The Ally IP1000 prevents address discovery, port discovery, bounce-scanning and other types of network reconnaissance by default.

IP Spoofing: Attackers frequently change their packets to show a different IP address than the one they are actually using. For connection-oriented sessions, such as HTTP and TCP/IP, the Ally appliance prevents any connection into the network unless the original source IP address remains unchanged throughout the session. For example, only ACK responses that match the originator’s IP address from the initial SYN request are allowed into the network.

Resource Flooding & Denial of Service (DoS): The Ally IP1000 protects against DoS and its variants along with illegitimate large amounts of traffic intended to overload a system to an extent it is unable to respond to legitimate traffic. Examples of DoS and other resource floods that are thwarted by the Ally IP1000 are: SYN; SYN/ACK; ACK; RESET; 3-way connection ‘hogs’ (handshake takes place, but no data sent); Invalid TCP packets; and Open Idle Connections.

Session Hijacking (Initial Sequence Number (ISN) Guessing; IPID Guessing): Session hijacking involves brute force methods to attempt to match an existing ISN, IPID, and other fields within the IP and TCP header. By default, the Ally IP1000 hardens, encrypts and randomizes many of the IP and TCP fields to prevent session hijacking. Windows XP nodes sitting behind a typical firewall have a 12% likelihood of being hijacked. With an Ally IP1000 in place, this likelihood drops to a 0.00001% chance of success.

Worm Mitigation: Worms typically propagate by scanning for the next target victim. The Ally IP1000 detects these scans and blacklists the offending node and drops any further traffic from that node. Therefore, worm propagation is stopped from coming into your network by default.
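The Tag-UR-IT handshake and the source-address check from the SYN/ACK DoS and IP Spoofing entries above, modelled as an added example that is not Arxceo code: the manual does not say how the mark is encoded, so this reconstruction uses a SYN-cookie style keyed tag carried in the server ISN, bound to the connection's addresses, ports and a coarse time slot. verify_ack keeps no per-connection state and rejects an ACK replayed from another source, an ACK with no preceding SYN, and a stale tag; the key, addresses and scenarios are constructed.

```python
import hashlib
import hmac
import secrets

# Per-boot secret for the tag; nothing per-connection is ever stored (constructed here).
SECRET = secrets.token_bytes(32)
TAG_BITS = 24            # low 24 bits of the ISN carry the tag
SLOT_SECONDS = 60        # coarse timestamp so old tags expire
MASK32 = 0xFFFFFFFF


def _tag(src_ip, src_port, dst_ip, dst_port, slot):
    """24-bit keyed tag bound to the 4-tuple and a time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def mark_synack(syn, now):
    """Answer a SYN on the server's behalf: return (seq, ack) for the marked SYN/ACK.
    The server ISN is an 8-bit time slot followed by the 24-bit tag."""
    slot = int(now // SLOT_SECONDS) & 0xFF
    tag = _tag(syn["src_ip"], syn["src_port"], syn["dst_ip"], syn["dst_port"], slot)
    return (slot << TAG_BITS) | tag, (syn["seq"] + 1) & MASK32


def verify_ack(ack, now):
    """Third-packet check with no stored state: recompute the tag from the ACK's own
    addresses and compare it with the one echoed back in its acknowledgement number."""
    isn = (ack["ack"] - 1) & MASK32
    slot, tag = isn >> TAG_BITS, isn & ((1 << TAG_BITS) - 1)
    cur = int(now // SLOT_SECONDS) & 0xFF
    if slot not in (cur, (cur - 1) & 0xFF):
        return False                      # tag too old to belong to a live handshake
    expected = _tag(ack["src_ip"], ack["src_port"], ack["dst_ip"], ack["dst_port"], slot)
    return hmac.compare_digest(expected.to_bytes(3, "big"), tag.to_bytes(3, "big"))


def demo():
    """Constructed handshake scenarios; returns which ACKs would be let through."""
    now = 1_000_000.0
    syn = dict(src_ip="203.0.113.7", src_port=40000, dst_ip="192.0.2.10", dst_port=80, seq=12345)
    seq, ack_no = mark_synack(syn, now)
    # Genuine third packet: same 4-tuple, acknowledges the marked ISN.
    genuine = dict(src_ip="203.0.113.7", src_port=40000, dst_ip="192.0.2.10", dst_port=80,
                   seq=ack_no, ack=(seq + 1) & MASK32)
    # The same tag arriving from a different source address (IP Spoofing entry).
    spoofed = dict(genuine, src_ip="203.0.113.99")
    # An ACK that no SYN preceded (ACK flood): the acknowledgement number carries no valid mark.
    blind = dict(genuine, ack=0x12345678)
    return {
        "genuine": verify_ack(genuine, now + 1),
        "spoofed": verify_ack(spoofed, now + 1),
        "blind": verify_ack(blind, now + 1),
        "stale": verify_ack(genuine, now + 3 * SLOT_SECONDS),
    }
```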

Reviewing Intrusion Messages in the Event Log
Based on the Ally IP1000 default configuration (described in Appendix B), certain Ally
IP1000 Intrusion Protection Messages will be written to the system event log. This log
can be viewed as described below. Appendix A contains a complete listing of the Ally
IP1000 intrusion protection messages.
Use the Ally Management Console “Event Log” page to view the most recent 100 event
log messages. You may also use the “Save to File” command on that page to save the
entire event log to a file on the local system that is running the web browser.
The command line program, AllyEvent, can be run from the local console to view the
most recent 100 event log messages. Additionally, the Ally IP1000 event log messages
can be viewed on the local console using the Windows Event Viewer.
To access the Windows Event Viewer,
1. At the Ally IP1000 console, enter “eventvwr”
2. The Windows Event Viewer will be displayed.
3. Click on the “System” log.
Ally IP1000 messages can be identified by the word “Ally” in the SOURCE column. The
Ally IP1000 Message Number will be in the EVENT column. Message details can be
viewed by clicking on the message.
NOTE: For security reasons, this Event Log cannot be interpreted on a machine
other than an Ally IP1000.
The Ally IP1000 can also be configured to transmit SNMP alerts and/or Syslog messages
to a centralized network management facility through the Ally IP1000 management
adapter. More details are available in the help messages displayed in the Ally
Management Console.
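An added example (not Arxceo code) of reviewing a saved event log for the Dynamic Blacklist Add and Remove messages (numbers 48 and 49 in Appendix A): it replays the add and remove entries to find addresses still blacklisted and, for those on an operator-maintained trusted list, emits the AllyRTCfg -apwhitelist command from the Confirmation section. The line layout of the saved log, the timestamps and the addresses are constructed.

```python
import re

# Constructed layout of a saved event log: "<date> <time> <source> <event number> <message>".
SAMPLE_LOG = """\
2005-03-01 08:00:02 Ally 16 An IP address will remain on the blacklist for 600 seconds. Blacklisting events are logged.
2005-03-01 09:12:01 Ally 48 The IP address 10.0.0.5 was added to the inside adapter's blacklist because port scanning was detected.
2005-03-01 09:14:37 Ally 48 The IP address 10.0.0.23 was added to the inside adapter's blacklist because port scanning was detected.
2005-03-01 09:20:10 Ally 48 The IP address 203.0.113.45 was added to the outside adapter's blacklist because DNS tunneling was detected.
2005-03-01 09:24:37 Ally 49 The IP address 10.0.0.23 has been removed from the inside adapter's blacklist.
"""

LINE_RE = re.compile(r"^(\S+ \S+)\s+Ally\s+(\d+)\s+(.*)$")
ADD_RE = re.compile(r"The IP address (\S+) was added to the (inside|outside) adapter's "
                    r"blacklist because (port scanning|DNS tunneling) was detected\.")
REMOVE_RE = re.compile(r"The IP address (\S+) has been removed from the (inside|outside) "
                       r"adapter's blacklist\.")
INOUT = {"inside": 1, "outside": 0}   # argument convention of AllyRTCfg -apwhitelist


def active_blacklist(log_text):
    """Replay messages 48/49 in order; return {(adapter, ip): (time, reason)} still listed."""
    active = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an Ally entry in the constructed layout
        when, number, text = m.groups()
        if number == "48":
            ip, adapter, reason = ADD_RE.match(text).groups()
            active[(adapter, ip)] = (when, reason)
        elif number == "49":
            ip, adapter = REMOVE_RE.match(text).groups()
            active.pop((adapter, ip), None)
    return active


def triage(log_text, trusted):
    """Split the live blacklist into whitelist commands for trusted hosts and entries
    to leave in place; trusted is a set of IP strings maintained by the operator."""
    commands, keep = [], []
    for (adapter, ip), (when, reason) in sorted(active_blacklist(log_text).items()):
        if ip in trusted:
            commands.append(f"AllyRTCfg -apwhitelist {ip} {INOUT[adapter]}")
        else:
            keep.append(f"{when} {adapter} {ip} ({reason})")
    return commands, keep
```

Entries that were already removed by the blacklist time period (10.0.0.23 here) are skipped, so only addresses still losing connectivity are reported.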

Appendix A
Ally IP1000 Notification Message Types
The Ally IP1000 records configuration information and intrusion protection notifications
in the system event log. The table below lists each message that may be generated by
the Ally IP1000. The number and the associated Message Content text will appear in the
event log entry.
The variable fields in each Message Content entry (italicized in the printed manual and
shown in parentheses below) indicate information that will vary in the event log message.
For example, in Message Number 6 – Incomplete Connection Timeout, either ‘are’ or ‘are
not’ will be displayed, depending on the “Log Connection Resets” configuration parameter setting.
The Type column assigns a brief name to each message. This name is used to reference
the message in the Ally IP1000 documentation, but does not appear in the actual event
log entry. The Type column also assigns the message to one of four general message
categories: Configuration, Configuration Event, Detection and Information.
Configuration and Configuration Event messages are always written to the event log
while Detection and Information messages can be optionally disabled.
Ally IP1000 Notification Message Types
Message Number - Type Message Content
1 Configuration
Inside and Outside Adapters (Device ALLY) has been started. Network
adapter (Network Adapter Number) is assigned
to handle inside network traffic. Network
adapter (Network Adapter Number) is assigned
to handle outside network traffic.
2 Configuration
Management Adapter Network adapter (Network Adapter Number) is
assigned to handle management traffic.
Outbound connection requests (‘are’ or ‘are
not’) blocked. Discarded outbound connection
requests (‘are’ or ‘are not’) logged.
3 Configuration
Mode (Device ALLY) is currently in (‘Pass Through
(Inactive)’ or ‘Filter (Active)’) mode.
4 Configuration
Inside Authentication Authentication of the source IP address for an
inside-to-outside session request (‘is’ or ‘is
not’) performed (‘for the first connection only’
or ‘for all connections’ or ‘’).
5 Configuration
Outside Authentication Authentication of the source IP address for an
outside-to-inside session request (‘is’ or ‘is
not’) performed (‘for the first connection only’
or ‘for all connections’ or ‘’).
6 Configuration
Incomplete Connection Timeout Incomplete TCP connections will timeout in
(Connection Timeout Number) seconds.
Connection resets (‘are’ or ‘are not’) logged.
7 Configuration
Maximum Concurrent Connections Up to (Maximum Number of Connections)
concurrent (‘inside-to-outside’ or ‘outside-to-
inside’) connections from the same source IP
address to one destination IP address and port
are allowed.
8 Configuration
Idle Connection Timeout Idle connections will timeout in (Idle
Connection Timeout Number) seconds.

14
Ally IP1000 Notification Message Types
Message Number - Type Message Content
9 Configuration
IP Fragment Policy
Fragmented packets are (‘passed through
without analysis’ or ‘discarded’). If discarded,
fragmented packets (‘are’ or ‘are not’) logged.
10 Configuration
Log Invalid TCP Flags Packets with invalid TCP flags (‘are’ or ‘are
not’) logged.
11 Configuration
Log Invalid TCP Option Packets with invalid TCP options (‘are’ or ‘are
not’) logged.
12 Configuration
Prevent Data Leaks Packet pad bytes (‘are’ or ‘are not’) scrubbed to
prevent data leaks.
13 Configuration
Port Scan Detection TCP port scan detection is based on the (‘SYN’
or ‘ACK’) packet received during the three-way
handshake of the connection request.
IP address blacklisting due to port scan
detection (‘is’ or ‘is not’) enabled on the inside
adapter and (‘is’ or ‘is not’) enabled on the
outside adapter.
14 Configuration
Inside Port Scans On the inside adapter, (Inside Scan Number)
connection requests received from the same IP
address in (Inside Scan Timeout Number)
seconds will cause that IP address to be placed
on the inside adapter’s blacklist.
15 Configuration
Outside Port Scans On the outside adapter, (Outside Scan Number)
connection requests received from the same IP
address in (Outside Scan Timeout Number)
seconds will cause that IP address to be placed
on the outside adapter’s blacklist.
16 Configuration
Blacklist Time Period
An IP address will remain on the blacklist for
(Blacklist Time Period Number) seconds.
Blacklisting events (‘are’ or ‘are not’) logged.
17 Configuration
TCP Policy TCP packets are (‘passed through without’ or
‘handled according to policy’ or ‘discarded
without’) analysis.
18 Configuration
ARP Policy ARP packets are (‘passed through without’ or
‘handled according to policy’ or ‘discarded
without’) analysis. If discarded, ARP packets
(‘are’ or ‘are not’) logged.
19 Configuration
ICMP Policy ICMP packets are (‘passed through without’ or
‘handled according to policy’ or ‘discarded
without’) analysis. If discarded, ICMP packets
(‘are’ or ‘are not’) logged.
20 Configuration
UDP Policy UDP packets are (‘passed through without’ or
‘handled according to policy’ or ‘discarded
without’) analysis. If discarded, UDP packets
(‘are’ or ‘are not’) logged.
21 Configuration
Other IP Policy
Other IP packets are (‘passed through without’
or ‘handled according to policy’ or ‘discarded
without’) analysis.
22 Configuration
Non-IP Non-ARP Policy Packets that are not IP and are not ARP are
(‘passed through without’ or ‘handled according
to policy’ or ‘discarded without’) analysis.
23 Configuration
ICMP Echo Request Policy ICMP Echo packets are (‘passed through
without analysis’ or ‘discarded’).

15
Ally IP1000 Notification Message Types
Message Number - Type Message Content
24 Configuration
ICMP Echo Reply Policy ICMP Echo Reply packets are (‘passed through
without analysis’ or ‘discarded’).
25 Configuration
ICMP Destination Unreachable Policy ICMP Destination Unreachable packets are
(‘passed through without analysis’ or
‘discarded’).
26 Configuration
ICMP Port Unreachable Policy ICMP Port Unreachable packets are (‘passed
through without analysis’ or ‘discarded’).
27 Configuration
ICMP Source Quench Policy ICMP Source Quench packets are (‘passed
through without analysis’ or ‘discarded’).
28 Configuration
ICMP Redirect Policy ICMP Redirect packets are (‘passed through
without analysis’ or ‘discarded’).
29 Configuration
ICMP Time Exceeded Policy ICMP Time Exceeded packets are (‘passed
through without analysis’ or ‘discarded’).
30 Configuration
ICMP Parameter Problem Policy ICMP Parameter Problem packets are (‘passed
through without analysis’ or ‘discarded’).
31 Configuration
ICMP Timestamp Request Policy ICMP Timestamp packets are (‘passed through
without analysis’ or ‘discarded’).
32 Configuration
ICMP Timestamp Reply Policy ICMP Timestamp Reply packets are (‘passed
through without analysis’ or ‘discarded’).
33 Configuration
ICMP Information Request Policy ICMP Information Request packets are (‘passed
through without analysis’ or ‘discarded’).
34 Configuration
ICMP Information Reply Policy ICMP Information Reply packets are (‘passed
through without analysis’ or ‘discarded’).
35 Configuration
ICMP Address Mask Policy ICMP Address Mask Request packets are
(‘passed through without analysis’ or
‘discarded’).
36 Configuration
ICMP Address Mask Reply Policy ICMP Address Mask Reply packets are (‘passed
through without analysis’ or ‘discarded’).
37 Configuration
ICMP Traceroute Policy ICMP Traceroute packets are (‘passed through
without analysis’ or ‘discarded’).
38 Configuration
ICMP Conversion Error Policy ICMP Conversion Error packets are (‘passed
through without analysis’ or ‘discarded’).
39 Configuration
ICMP Domain Name Policy ICMP Domain Name Request packets are
(‘passed through without analysis’ or
‘discarded’).
40 Configuration
ICMP Domain Name Reply Policy ICMP Domain Name Reply packets are (‘passed
through without analysis’ or ‘discarded’).
41 Configuration
DNS Policy
DNS packets are (‘handled according to policy’
or ‘discarded without’) analysis. If discarded,
DNS packets (‘are’ or ‘are not’) logged.
42 Configuration
DNS Tunneling Detection DNS tunneling detection is (‘enabled’ or
‘disabled’). If enabled, (Number of DNS Tunnel
Packets) tunnel packets in (DNS Tunnel
Timeout Number) seconds will cause the
originating IP address to be blacklisted.
43 Configuration
DNS Cache Poisoning Detection DNS cache poisoning packets (‘are’ or ‘are not’)
discarded.
44 Configuration
Maximum Segment Size Range The TCP Maximum Segment Size range has
been set to (Numeric Value) - (Numeric Value).
45 Configuration
Remote System Statistics Timeout Remote system information is retained for
(Numeric Value) seconds after verification.

16
Ally IP1000 Notification Message Types
Message Number - Type Message Content
46 - Configuration - Permanent Blacklist/Whitelist: The permanent blacklist and/or whitelist has been (‘updated’ or ‘initialized’).
47 - Configuration - Normal Start: Normal startup for the (Device ALLY) driver has completed.
48 - Detection - Dynamic Blacklist Add: The IP address (IP Address) was added to the (‘inside’ or ‘outside’) adapter’s blacklist because (‘port scanning’ or ‘DNS tunneling’) was detected.
49 - Detection - Dynamic Blacklist Remove: The IP address (IP Address) has been removed from the (‘inside’ or ‘outside’) adapter’s blacklist.
50 - Information - Connection Reset: The Connection from IP address (Source IP Address) port (Source Port) to (Destination IP Address) port (Destination Port) has been reset.
51 - Detection - Discard TCP Packet, Flags: A TCP Packet with flags (Hexadecimal Representation of TCP Flags) from IP address (Source IP Address) to (Destination IP Address) was discarded.
52 - Detection - Discard TCP Packet, Option: A TCP Packet with option (Hexadecimal Representation of TCP Option) from IP address (Source IP Address) to (Destination IP Address) was discarded.
53 - Detection - Discard Fragmented Packet: A fragmented packet from IP address (Source IP Address) to (Destination IP Address) with IP id (IP ID) was discarded.
54 - Detection - Discard Outbound Management: An outbound connection request packet on the management adapter was discarded.
55 - Detection - Discard ARP Packet: An ARP packet from IP address (Source IP Address) was discarded.
56 - Detection - Discard ICMP Packet: An ICMP (‘echo (ping) reply’ or ‘destination unreachable’ or ‘port unreachable’ or ‘source quench’ or ‘redirect’ or ‘echo (ping)’ or ‘time exceeded’ or ‘parameter problem’ or ‘timestamp’ or ‘timestamp reply’ or ‘information request’ or ‘information reply’ or ‘address mask request’ or ‘address mask reply’ or ‘traceroute’ or ‘conversion errors’ or ‘domain name request’ or ‘domain name reply’) packet from IP address (Source IP Address) to (Destination IP Address) was discarded.
57 - Detection - Discard UDP Packet: A UDP packet from IP address (Source IP Address) port (Source Port) to (Destination IP Address) port (Destination Port) was discarded.
58 - Detection - Discard DNS Packet: A DNS (‘query’ or ‘response’) packet from IP address (Source IP Address) to (Destination IP Address) was discarded because a possible DNS (‘tunneling’ or ‘cache poisoning’) attempt was detected.
59 - Configuration Event - Configuration Reload: (‘Console User’ or User Name) reloaded the configuration from (‘the factory default settings’).
60 - Configuration Event - Set Adapter Number: (‘Console User’ or User Name) set the (‘inside’ or ‘outside’ or ‘management’) adapter to network interface number (Network Interface Number).
61 - Configuration Event - Set Management IP: (‘Console User’ or User Name) changed the management adapter to IP address (IP Address), netmask (Mask), gateway (Gateway), DNS1 (DNS1), DNS2 (DNS2).
62 - Configuration Event - Clear Statistics: (‘Console User’ or User Name) cleared the packet statistics.
63 - Configuration Event - Set SNMP/Syslog Agent Variable: (‘Console User’ or User Name) set the ALLY SNMP/Syslog agent’s configuration variable (Variable Name) to (New Variable Value).
64 - Configuration Event - SNMP/Syslog Agent Reload: The ALLY SNMP/Syslog agent was directed to (‘reload its configuration’ or ‘restart’) by (‘Console User’ or User Name).
65 - Configuration Event - User Change: (‘Console User’ or User Name) (‘added’ or ‘removed’ or ‘changed’) account (User Name).
66 - Configuration Event - Password Change: (‘Console User’ or User Name) changed his/her password.
67 - Configuration Event - Time Change: (‘Console User’ or User Name) changed the system time to (Time).
68 - Configuration Event - Reboot: (‘Console User’ or User Name) (‘rebooted’ or ‘shutdown’) the ALLY system.
69 - Configuration Event - Set Management DHCP: (‘Console User’ or User Name) changed the management adapter to a DHCP IP address.
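As an added illustration that is not part of the manual, the following Python turns messages shaped like templates 48, 51 and 58 above into structured events and rolls them up per source IP, which is the first step in feeding these notifications to a SIEM. The manual does not show the device's actual syslog framing (prefix, message number), so the regexes assume bare message text and the sample lines are constructed from the templates.

```python
import re
from collections import Counter

# Regexes derived from the message templates in the notification table above
# (messages 48, 51 and 58). The device's syslog framing is not shown in this
# manual, so these assume the bare message text; adjust if a prefix is present.
APOS = "['\u2019]"   # template uses a curly apostrophe, real output may not
PATTERNS = {
    48: ("Dynamic Blacklist Add", re.compile(
        r"The IP address (?P<ip>\S+) was added to the (?P<adapter>inside|outside) "
        r"adapter" + APOS + r"s blacklist because (?P<reason>port scanning|DNS tunneling) "
        r"was detected\.")),
    51: ("Discard TCP Packet, Flags", re.compile(
        r"A TCP Packet with flags (?P<flags>(0x)?[0-9A-Fa-f]+) from IP address "
        r"(?P<src>\S+) to (?P<dst>\S+) was discarded\.")),
    58: ("Discard DNS Packet", re.compile(
        r"A DNS (?P<kind>query|response) packet from IP address (?P<src>\S+) to "
        r"(?P<dst>\S+) was discarded because a possible DNS "
        r"(?P<reason>tunneling|cache poisoning) attempt was detected\.")),
}

def parse_line(line):
    """Return {'number', 'name', fields...} for a recognised message, else None."""
    for number, (name, rx) in PATTERNS.items():
        m = rx.search(line)
        if m:
            return {"number": number, "name": name, **m.groupdict()}
    return None

def summarize(lines):
    """Count discards per (source IP, message number) and collect blacklist additions."""
    discards = Counter()
    blacklisted = []          # (ip, adapter, reason) tuples from message 48
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        elif ev["number"] == 48:
            blacklisted.append((ev["ip"], ev["adapter"], ev["reason"]))
        else:
            discards[(ev["src"], ev["number"])] += 1
    return {"discards": discards, "blacklisted": blacklisted, "unparsed": unparsed}

# Constructed sample lines shaped like the templates (not real device output).
SAMPLE = [
    "A DNS query packet from IP address 192.0.2.10 to 198.51.100.53 was discarded "
    "because a possible DNS tunneling attempt was detected.",
    "A DNS query packet from IP address 192.0.2.10 to 198.51.100.53 was discarded "
    "because a possible DNS tunneling attempt was detected.",
    "The IP address 192.0.2.10 was added to the outside adapter's blacklist because "
    "DNS tunneling was detected.",
    "A TCP Packet with flags 0x03 from IP address 203.0.113.7 to 192.0.2.20 was discarded.",
    "Normal startup for the ALLY driver has completed.",   # message 47, not parsed here
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```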

18
Appendix B
Ally IP1000 Default Configuration Matrix
The matrix below identifies the Ally IP1000 configurable parameters, the default setting
for each parameter, and the implication of each parameter setting to the overall
intrusion protection system.
The Ally IP1000 can be configured through the Ally Management Console from a web
browser or additionally through the AllyRTCfg command line program from the local
console. The following table identifies the Ally Management Console page and the
AllyRTCfg command line option associated with each configuration parameter.
Ally IP1000 Factory Default Configuration

Columns: Configuration Parameter | Possible Settings | Default | Intrusion Implication | Mgmt. Console Page | AllyRTCfg Option

Pass Through Mode
  Possible Settings: Enabled, Disabled
  Default: Disabled
  Intrusion Implication: Enable Pass Through Mode to turn off the Ally IP1000 filter. All network traffic will simply be passed through without inspection or intervention. When Pass Through Mode is enabled the other Ally IP1000 configuration parameters are ignored and NO PROTECTION is provided.
  Mgmt. Console Page: General Filtering Options
  AllyRTCfg Option: -pt

IP Fragment Policy
  Possible Settings: Discard All, Allow All
  Default: Discard All
  Intrusion Implication: It is uncommon to find fragmented IP traffic on an internal network. These packets are sometimes used in malicious attacks. The Ally IP1000 can be configured to allow the propagation of IP fragments; however, the Ally never reassembles fragmented packets.
  Mgmt. Console Page: General Filtering Options
  AllyRTCfg Option: -df

Prevent Data Leaks
  Possible Settings: Enabled, Disabled
  Default: Enabled
  Intrusion Implication: Transmitted Ethernet packets must be at least 64 bytes in length; however, many packets contain less than that amount of actual header and data information. These short packets must be "padded" with additional bytes to fill the minimum packet size. Most systems do not specifically "zero out" these pad bytes. This practice produces data leaks. By default, the Ally IP1000 reinitializes all pad bytes before retransmitting a packet, erasing any leaked values.
  Mgmt. Console Page: General Filtering Options
  AllyRTCfg Option: -zp

Remote System Timeout
  Possible Settings: Any unsigned 32-bit integer
  Default: 3600 seconds (1 hour)
  Intrusion Implication: The Ally IP1000 discovers information about systems on both the outside and the inside networks through its analysis of network traffic. The "Retain Remote System Information" time value controls the length of time this information is retained for each system.
  Mgmt. Console Page: General Filtering Options
  AllyRTCfg Option: -sit

TCP Policy
  Possible Settings: Discard All, Analyze, Allow All
  Default: Analyze
  Intrusion Implication: Selecting "Analyze" activates the TCP policy parameters, i.e. the next 12 entries in this table.
  Mgmt. Console Page: General Filtering Options
  AllyRTCfg Option: -at

Inside-to-Outside Address Authentication
  Possible Settings: Disabled, First Connection per Session, All Connections
  Default: First Connection per Session
  Intrusion Implication: see the Address Authentication note shared by the next four entries.
  Mgmt. Console Page: TCP Policy
  AllyRTCfg Option: -id

Maximum Number of Inside-to-Outside Concurrent Connections
  Possible Settings: Any unsigned 32-bit integer
  Default: 150
  Intrusion Implication: see the shared Address Authentication note.
  Mgmt. Console Page: TCP Policy
  AllyRTCfg Option: -mci

Outside-to-Inside Address Authentication
  Possible Settings: Disabled, First Connection per Session, All Connections
  Default: All Connections
  Intrusion Implication: see the shared Address Authentication note.
  Mgmt. Console Page: TCP Policy
  AllyRTCfg Option: -od

Maximum Number of Outside-to-Inside Concurrent Connections
  Possible Settings: Any unsigned 32-bit integer
  Default: 150
  Intrusion Implication: see the shared Address Authentication note.
  Mgmt. Console Page: TCP Policy
  AllyRTCfg Option: -mco

Address Authentication note (Intrusion Implication shared by the four entries above):
  The Ally IP1000 Address Authentication feature guarantees that the source IP address contained in a TCP connection request is not spoofed. The Ally IP1000 verifies the requestor's address before forwarding the connection request to the intended recipient.
  There are three Address Authentication modes: All Connections, First Connection per Session, and Disabled. The Address Authentication mode is configured independently for connection requests received on the Inside Adapter (inside-to-outside) and for requests received on the Outside Adapter (outside-to-inside).
  Select the Address Authentication mode "All Connections" for maximum protection. This setting authenticates the source IP address in every connection request received on the associated interface.
  The Address Authentication mode may be set to "First Connection per Session" to increase the speed at which multi-connection sessions are established. This setting is especially useful when the applications communicating through the Ally create multiple connections from a specific source IP address to a single destination IP address and port number, e.g. web browsers.
  The "Maximum Number of Concurrent Connections" value is only referenced in the "First Connection per Session" mode. This value places a limit on the number of concurrent connections that can exist between a specific source IP address and a single destination IP address and port number.

Incomplete Connection Timeout
  Possible Settings: 5 – 25 seconds
  Default: 5 seconds
  Intrusion Implication: An "incomplete" connection is one in which the TCP connection establishment three-way handshake process has not been completed. The Incomplete Connection Timeout value indicates the amount of time the Ally IP1000 will retain pending connection information.
  Mgmt. Console Page: TCP Policy
  AllyRTCfg Option: -ct
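To make the Prevent Data Leaks (-zp) entry concrete, here is an added Python example (not Arxceo code) that locates the Ethernet pad bytes of an IPv4 frame from the IP total-length field, flags non-zero padding as a leak, and zeroes it the way the Ally does before retransmission. The frame builder, its MAC and IP addresses, and the zero IP checksum are constructed for the demonstration only.

```python
import struct

ETH_HDR = 14          # dst MAC (6) + src MAC (6) + ethertype (2)
MIN_PAYLOAD = 60      # the 64-byte minimum frame the manual cites, minus the 4-byte FCS

def pad_bytes(frame):
    """Bytes of an IPv4 Ethernet frame that lie beyond the IP datagram, i.e. the padding."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled by this example")
    ip_total = struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
    return frame[ETH_HDR + ip_total:]

def leaks(frame):
    """True when any pad byte is non-zero: the sender shipped stale buffer contents."""
    return any(pad_bytes(frame))

def scrub(frame):
    """Copy of the frame with every pad byte reset to zero (the Prevent Data Leaks behaviour)."""
    keep = len(frame) - len(pad_bytes(frame))
    return frame[:keep] + bytes(len(frame) - keep)

def build_frame(payload, filler=b"\x00"):
    """Constructed minimal IPv4 frame (fixed MACs/addresses, checksum left at 0),
    padded up to MIN_PAYLOAD with the given filler byte to imitate a sender's padding."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip_hdr + payload
    return frame + filler * max(0, MIN_PAYLOAD - len(frame))

if __name__ == "__main__":
    leaky = build_frame(b"\x01" * 8, filler=b"\xaa")   # 42 data bytes + 18 dirty pad bytes
    print("leak before scrub:", leaks(leaky), "after:", leaks(scrub(leaky)))
```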