Ubigate iBG2016 Configuration Guide © SAMSUNG Electronics Co., Ltd.

CHAPTER 3. Firewall NAT

Overview

The security module in the Ubigate iBG2016 consists of various components, such as the stateful inspection firewall, IPSec VPN, Public Key Infrastructure (PKI) and Access Control List (ACL). This chapter introduces the Ubigate iBG2016's firewall and its typical configuration.

The Ubigate iBG2016 uses Smart Forwarder as its data-plane forwarding engine, so the forwarding of packets in the security module is performed in the context of the Smart Forwarder task. The components of the security module may also have a control plane, such as IKE (Internet Key Exchange) for VPN, SCEP for certificate enrollment in PKI, etc. These control-plane activities are performed in the context of separate tasks such as IKES, SCEP, etc.

Whenever an IP packet in transit reaches Smart Forwarder, Smart Forwarder checks whether the interface on which the packet arrived is registered for security processing. If it is registered, the packet is processed for security. Otherwise, it is put through regular IP forwarding. Similarly, whenever a packet reaches Smart Forwarder from the local TCP/IP stack, Smart Forwarder checks whether the outbound interface is registered with security and, if so, the packet is processed for security.

The firewall in the security module is a stateful inspection firewall for IPv4. Packets are allowed or denied forwarding through the system based on pre-defined policies. When a packet is allowed by the firewall policy, an association with a limited lifetime is created for the packet in real time from a combination of fields in the packet, such as source IP, source port, destination IP, destination port, protocol, etc. Based on the protocol type, the association maintains a state or pseudo-state.
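
The packet path and association table described above can be modelled in a few lines. This is an added illustration, not Samsung's implementation: the class and field names, the lifetime values, the SYN-only rule for new TCP flows and the sample addresses are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed lifetimes in seconds, chosen for illustration (not from the guide).
LIFETIME = {"tcp": 3600, "udp": 60}

@dataclass
class Association:
    state: str      # TCP: tracked handshake state; UDP: pseudo-state
    expires: float  # absolute time at which the association lapses

class StatefulFirewall:
    def __init__(self, secured_interfaces, policies):
        self.secured = set(secured_interfaces)  # interfaces registered for security
        self.policies = set(policies)           # allowed (src, dst, proto, dport)
        self.table = {}                         # 5-tuple -> Association

    def process(self, iface, p, now):
        """Return 'forward' (interface not registered), 'allow' or 'deny'."""
        if iface not in self.secured:
            return "forward"                    # regular IP forwarding, no inspection
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])
        for k in (key, rev):                    # match either direction of a flow
            a = self.table.get(k)
            if a and a.expires <= now:
                del self.table[k]               # limited lifetime ran out
                a = None
            if a:
                a.expires = now + LIFETIME[p["proto"]]
                if p["proto"] == "tcp":
                    a.state = self._tcp_next(a.state, p.get("flags"), k == rev)
                return "allow"
        if (p["src"], p["dst"], p["proto"], p["dport"]) not in self.policies:
            return "deny"                       # no association and no policy
        if p["proto"] == "tcp" and p.get("flags") != "S":
            return "deny"                       # assumed rule: new TCP flow starts with SYN
        state = "SYN_SENT" if p["proto"] == "tcp" else "PSEUDO"
        self.table[key] = Association(state, now + LIFETIME[p["proto"]])
        return "allow"

    @staticmethod
    def _tcp_next(state, flags, is_reply):
        if state == "SYN_SENT" and is_reply and flags == "SA":
            return "SYN_RCVD"
        if state == "SYN_RCVD" and not is_reply and flags == "A":
            return "ESTABLISHED"
        return state
```

Reply traffic is admitted only because it matches the reverse 5-tuple of a live association. Once the lifetime lapses, the same reply is evaluated against policy again and dropped.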