Configuring SonicWALL Firewalls

Pages: 530

Size: 13.9 MB

Format: PDF

Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE

To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs

Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe® PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE EBOOKS

For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET

Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING

Syngress has a well-established program for site licensing our eBooks onto servers in corporations, educational institutions, and large organizations. Contact us at [email protected] for more information.

CUSTOM PUBLISHING

Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at [email protected] for more information.

Configuring SonicWALL Firewalls

Chris Lathem

Benjamin W. Fortenberry

Kevin Lynn

Daniel H. Bendell

Joshua Reed

Bradley Dinerman, Technical Editor

Lars Hansen, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY

Syngress Publishing, Inc.

800 Hingham Street

Rockland, MA 02370

Configuring SonicWALL Firewalls

Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Printed in Canada. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in Canada

ISBN: 1-59749-250-7

Publisher: Andrew Williams

Acquisitions Editor: Jaime Quigley

Technical Editor: Lars Hansen, Brad Dinerman

Copy Editors: Amy Thomson, Beth Roberts

Page Layout and Art: Patricia Lupien

Indexer: J. Edmund Rush

Cover Designer: Michael Kavish

Distributed by O’Reilly Media, Inc. in the United States and Canada.

For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email [email protected] or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Aileen Berg, and Wendy Patterson.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Chris Hossack, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, and Siti Zuraidah Ahmad of STP Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Brandon McIntire and Jason Acosta at CDW for their support.

Lead Author

Chris Lathem (CSSA, Network+) is currently working as a Network Engineer for Consultrix Technologies. Consultrix, based in Ridgeland, MI, specializes in network management and security services, structured cabling, and application development. Prior to joining Consultrix, Chris was a Security/Network Engineer for NSight Technologies, now based in Tampa, FL. While at Nsight, Chris specialized in the support and configuration of firewall appliances from multiple vendors, as well as network design and architecture. While working for NSight, Chris gained extensive knowledge of SonicWALL firewall appliances and achieved certification as a Certified SonicWALL Security Administrator. It was during his tenure at Nsight that Chris first worked with Syngress Publishing as a contributing author to the book Configuring NetScreen Firewalls. Before joining Nsight, Chris held the position of Network Engineer for SkyHawke Technologies, a technology start-up company in the recreational GPS industry, where he spent a great deal of time configuring NetScreen security appliances. Chris currently resides in Sebastopol, MI, with his wife, Susann, and son Miller.

Contributing Authors

Benjamin Fortenberry (CISSP, CSSA, CCSE-4x) is Manager of Security Services with Consultrix Technologies, of Jackson, MI. His responsibilities include development, design, implementation, and senior-level support for all security services provided to Consultrix clients. Benjamin has been involved with the installation, configuration, and ongoing support of 200-plus SonicWALL appliances for clients, ranging in size from five to several thousand users. His specialties include SonicWALL security appliances, LAN/WAN switching, penetration testing, security consulting services, and incident response services. Benjamin has also developed and presented numerous seminars and training classes related to network security.

Joshua Reed (CISSP, CCSA/CCSE/+, CCNA, CCNP, MCP) works for a leading firewall and security vendor, with solutions securing all of the Fortune 100 and 99% of the Fortune 500. Joshua has a decade of experience in information technology and security as both staff and architect. He is a consultant in various sectors including the largest public university in the world, the sixth largest financial services/insurance provider in the world, a well-known Bay Area Internet search engine, and a leading aerospace/defense concern. Joshua received a bachelor’s degree from the University of California at Berkeley, and holds a CISSP, as well as numerous other industry certifications, is a member of and regular speaker for ISSA, and has lectured and taught courses on information technology and security topics for over 7 years. Joshua currently lives in Long Beach, CA, and can be regularly found hiking the Sierra Nevada and the Mojave Desert.

Daniel H. Bendell (BA, CNE) is the Founder and President of Assurance Technology Management, Inc. (ATM), a full-service consulting practice specializing in providing complete business technology guidance to small and medium-sized companies. ATM’s unique consulting approach takes into consideration all of a company’s technology systems and combines that with a clear understanding of the client’s business goals and practices. With over 20 years of experience in the industry, Daniel combines his breadth of technical knowledge with an ability to understand his clients’ business needs. He has published widely on a number of topics, including technical systems documentation and remote systems management. He also delivers customized presentations and educational seminars to organizations and groups of small business owners on how to better manage the technology systems they have invested in. Dan was the Technical Editor of How to Cheat at Microsoft Windows Small Business Server 2003 (Syngress Publishing, ISBN: 1932266801). Prior to founding ATM, Daniel worked as a senior-level consultant for CSC Consulting, where he specialized in client/server technologies, and as a Healthcare Information Systems Consultant with Superior Consultant Company. Daniel lives in Framingham, MA, with his wife, Phyllis, and daughters Melissa and Jessica.

Daniel J. Gordon (MCSE # 2455250, CNA 12/95) is Principal and Founder of Gordon Technical Consulting LLC. Gordon Technical Consulting was founded in November of 2000, and is a technical consulting firm specializing in computer networking, design, implementation and support. Daniel has been employed for many years in the networking technologies field with over 14 years of experience. Prior to founding his own firm, Daniel worked for many years at the University of California at San Francisco and Berkeley as a network manager responsible for over 1,500 network connections, numerous applications, and servers. He also worked at various private firms prior to founding his own company. His specialties include Microsoft Windows Server, Exchange design and implementation, strategic network planning, network architecture and design, and network troubleshooting. Daniel currently resides with his family in Berkeley, CA.

Kevin Lynn (CISSP) is a network systems engineer with Unisys. Kevin’s more than 12 years of experience has seen him working a variety of roles for organizations including Cisco Systems, IBM, Sun Microsystems, Abovenet, and the Commonwealth of Virginia. In addition to his professional work experience, Kevin has been known to give talks at SANS and teach others on security topics in classroom settings. Kevin currently resides in Rockville, MD with his lovely wife Ashley.

Technical Editor

Brad Dinerman combines a rare blend of security, high-end systems architecture and application development skills with a unique sense of humor. On top of these, he adds a strong scientific background that he draws upon to analyze and troubleshoot complex IT problems. Brad currently serves as the vice president of information technology at MIS Alliance in Newton, MA, to provide MIS and IT solutions to companies in the greater Boston area. He has taught classes in Active Server Pages, JavaScript, HTML, and the Theory of Relativity. He is a Microsoft MVP in Windows Server Systems (Networking), one of only 50 worldwide to possess the award in this category. He also possesses an MCSE and MCP+I, is a Certified SonicWall Security Administrator, and holds a Ph.D. in physics from Boston College. Brad is a frequent contributor to various online TechTips sites and gives user group/conference presentations on topics ranging from spam and security solutions to Internet development techniques. He also published numerous articles in international physics journals in his earlier, scientific career.

Brad is the founder and president of the New England Information Security Group, the former chair of the Boston Area Exchange Server User Group, and a member of the FBI’s Infragard Boston Members Alliance.

Lars Hansen also contributed to the technical editing of this book. Lars is a technology consultant living in Boston, MA, with his wife and daughter.

Additional Contributors

Rob Cameron (CCSA, CCSE, CCSE+, NSA, JNCIA-FWV, CCSP, CCNA, INFOSEC, RSA SecurID CSE) is an IT consultant who has worked with over 200 companies to provide network security planning and implementation services. He has spent the last five years focusing on network infrastructure and extranet security. His strengths include Juniper’s NetScreen Firewall products, NetScreen SSL VPN Solutions, Check Point Firewalls, the Nokia IP appliance series, Linux, Cisco routers, Cisco switches, and Cisco PIX firewalls. Rob strongly appreciates his wife Kristen’s constant support of his career endeavors. He wants to thank her for all of her support through this project.

CJ Cui (CISSP, JNCIA) is Director of Professional Services for NetWorks Group, an information security consulting company headquartered in Brighton, Michigan. NetWorks Group provides information security solutions that mitigate risk while enabling secure online business. CJ leads the technical team at NetWorks Group to deliver information security services to customers ranging from medium-sized companies to Fortune 500 corporations. These services touch every part of the security life cycle—from enterprise security management, security assessment and audit to solution design and implementation—and leverage leading-edge technologies, including firewall/VPN, intrusion prevention, vulnerability management, malicious code protection, identity management, and forensics analysis. CJ holds an M.S. degree from Michigan State University and numerous industrial certifications. He is a board member of ISSA Motor City Chapter and serves as the Director of Operations for the chapter.

Thomas Byrne is a Code Monkey with NetScreen Technologies (now Juniper Networks). He currently does design, planning, and implementation on Juniper’s Security Manager, the company’s next-generation network management software. Tom’s background includes positions as a UI Architect at ePatterns, and as a senior developer and consultant for several Silicon Valley companies, including Lightsocket.com and Abovenet. Tom is an active developer on several open-source projects and a voracious contributor to several on-line technology forums. Tom currently lives in Silicon Valley with his wife, Kelly, and children, Caitlin and Christian.

Dave Killion (NSCA, NSCP) is a senior security research engineer with Juniper Networks, Inc. Formerly with the U.S. Army’s Information Operations Task Force as an Information Warfare Specialist, he currently researches, develops, and releases signatures for the NetScreen Deep Inspection and Intrusion Detection and Prevention platforms. Dave has also presented at several security conventions, including DefCon and ToorCon, with a proof-of-concept network monitoring evasion device in affiliation with several local security interest groups that he helped form. Dave lives south of Silicon Valley with his wife, Dawn, and two children, Rebecca and Justin.

Kevin Russell (JNCIA-FWV, JNCIA-IDP) is a system engineer for Juniper Networks, specializing in firewalls, IPSEC, and intrusion detection and prevention systems. His background includes security auditing, implementation, and design. Kevin lives in Michigan with his wife and two children.

Chris Cantrell (NetScreen IDP) is a Director of System Engineering—Central Region for the Security Products Group at Juniper Networks. His career has spanned over 12 years, the last eight focused on network and application security. Chris joined OneSecure in late 2000 where he was an active member of the team who designed and was responsible for the introduction of their intrusion prevention product, the IDP. In 2002, OneSecure was acquired by NetScreen Technologies and most recently acquired by Juniper Networks, where Chris continues to manage the security sales engineering team for the Central Region. Chris attended Auburn University at Montgomery, where his focus was on business and management information systems. Chris lives in Denver, CO, with his wife, Maria, and two children, Dylan and Nikki.

Kenneth Tam (JNCIS-FWV, NCSP) is Sr. Systems Engineer at Juniper Networks Security Product Group (formerly NetScreen Technologies). Kenneth worked in pre-sales for over four years at NetScreen since the start-up days and has been one of many key contributors in building NetScreen as one of the most successful security companies. As such, his primary role has been to provide pre-sale technical assistance in both design and implementation of NetScreen solutions. Kenneth is currently covering the upper Midwest U.S. region. His background includes positions as a Senior Network Engineer in the Carrier Group at 3Com Corporation, and as an application engineer at U. S. Robotics. Kenneth holds a bachelor’s degree in computer science from DePaul University. He lives in the suburbs of Chicago, IL, with his wife, Lorna, and children, Jessica and Brandon.

Johny Mattsson (NCSA, NCSP, SCJP, SCJD) is a senior engineer in Ericsson Australia’s IP Centre, where he has been working with NetScreen firewalls for over three years. The Ericsson IP Centre provides global integration and support services for a wide range of IP-based telecommunications solutions, including DSL broadband and 3G IP Multimedia Subsystems (IMS). Johny’s main areas of specialization are IP network security and several cutting-edge 3G mobile services built on IMS. In addition to making sure things are always working on the technical plane, he is the main interface
