Device Registration

Overview of the FireRack Host/Device Registration System

Introduction

Host Registration is a feature of FireRack firewalls that combines IP spoofing protection with static DHCP IP address allocation and DNS management for hosts on a LAN.

Details of each host, such as its name, IP address and MAC address, are stored in the database on the FireRack Management Server (FMS). Each host registration is bound to a specific security zone. The FMS uses this single data source to configure the spoofing protection features, DHCP and DNS, which reduces the administrative overhead.

IP Spoofing Protection

FireRack Host Registration provides two kinds of spoofing protection.

Ingress filtering can be performed on traffic entering a firewall. Connections leaving a zone are blocked if their source IP address is registered to a host in that zone but their source MAC address does not match that registration. This feature is called MAC Address Validation. Connections whose source IP and MAC address pairing matches a registered host are not blocked. If the block unregistered hosts option is set for a zone, then all other traffic is blocked.

For more advanced configurations, automatic MAC Address Validation can be disabled. The firewall administrator can then explicitly place a rule with a MAC Address Validation action in the Filtering stage of the ingress zone, and precede it with rules permitting unregistered hosts limited access to some services.

The other spoofing protection feature provided by host registration is Static Address Resolution, which may be enabled or disabled on a per-registration basis. This protects packets on egress by preventing the FireRack from sending ARP requests for the registered hosts. Instead, the packet is always sent directly to the appropriate MAC address.

Note that if you use static ARP tables for egress protection for a given host and an explicit MAC Address Validation rule to allow unregistered hosts access to a limited range of services, a host on that IP address with the incorrect MAC address will experience difficulty accessing these services. This is because, although the connection is permitted through the firewall, the returning IP packets would not make it back to the host.
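
The following Python sketch is an added example, not FireRack code: a simplified model of the ingress and egress behaviour described above, including the interaction in the preceding note. The class and function names, the service labels and the sample addresses are assumptions constructed for illustration.

```python
# Added illustration: simplified model, not FireRack's implementation.
# All names, service labels and addresses below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Registration:
    ip: str
    mac: str
    static_arp: bool = False          # Static Address Resolution enabled

@dataclass
class Zone:
    hosts: dict                       # registered IP -> Registration
    block_unregistered: bool = False
    # Services permitted by rules placed ahead of an explicit validation rule
    early_services: frozenset = frozenset()

def norm(mac):
    """Compare MACs regardless of case or separator style."""
    return mac.lower().replace("-", ":")

def ingress(zone, src_ip, src_mac, service):
    """Verdict for a connection leaving the zone."""
    if service in zone.early_services:
        return "allow"                # matched before MAC Address Validation
    reg = zone.hosts.get(src_ip)
    if reg is not None:               # registered IP: MAC must match
        return "allow" if norm(src_mac) == norm(reg.mac) else "block"
    # "allow" here means only that host registration does not block it
    return "block" if zone.block_unregistered else "allow"

def return_mac(zone, dst_ip, arp_answer_mac):
    """MAC that returning packets are sent to."""
    reg = zone.hosts.get(dst_ip)
    if reg is not None and reg.static_arp:
        return norm(reg.mac)          # no ARP request is sent
    return norm(arp_answer_mac)       # whoever answers ARP

def connection_works(zone, src_ip, src_mac, service):
    """Permitted on ingress and replies delivered to the sender."""
    return (ingress(zone, src_ip, src_mac, service) == "allow"
            and return_mac(zone, src_ip, src_mac) == norm(src_mac))

REG = Registration("192.0.2.10", "00:00:5e:00:53:01", static_arp=True)
ZONE = Zone({REG.ip: REG}, block_unregistered=True,
            early_services=frozenset({"dns"}))
WRONG_MAC = "00-00-5E-00-53-99"

if __name__ == "__main__":
    print(ingress(ZONE, REG.ip, WRONG_MAC, "dns"),
          connection_works(ZONE, REG.ip, WRONG_MAC, "dns"))
```

In this model the wrong-MAC host is allowed through for the early service, yet `connection_works` is false because static ARP sends the replies to the registered MAC address.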

DHCP configuration

If the DHCP server is enabled for a zone, you may optionally configure it to respond with the corresponding fixed IP address to DHCP requests coming from registered MAC addresses. This feature can be enabled or disabled on a host-by-host basis.

This feature allows you to use a fixed IP address configuration on each host without visiting each computer on your network to configure it manually. Once a host's MAC address has been determined and it is registered on the FireRack, it can automatically fetch its own IP address from the FireRack's DHCP server, along with other parameters for the zone such as the gateway IP address, DNS server address, etc.

DNS

Each registered host may optionally be added to the DNS. For each security zone, corresponding forward and reverse DNS zones may be specified. A and PTR records for the registered hosts will be generated respectively in these DNS zones.