12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


server. To extend its capabilities, the current Symantec Gateway Security 2.0 release includes support for the following third-party proxies:

■ DHCP
■ RIP and OSPF
■ SQL*Net traffic

When configured, these third-party proxies work seamlessly with the security gateway. The security gateway does not process or handle traffic associated with these proxies. Instead, the security gateway is configured to open the appropriate port for the service, and the listening proxy handles the connection from there.

DHCP relay

By default, a security gateway that separates a DHCP client and DHCP server on a DHCP network blocks communication between the DHCP client and the DHCP server. This occurs because the security gateway does not have a standard proxy that listens on port 67 (DHCP) for requests and replies, and is not capable of being a DHCP server itself. The security gateway drops packets for which there is no proxy or service listening.

With the inclusion of the DHCP relay proxy, you can configure the security gateway to allow DHCP traffic. You can find complete step-by-step instructions to enable support for DHCP in the Symantec Gateway Security 5400 Series Administrator’s Guide.

GNU Zebra (RIP-2 and OSPF)

In larger environments, administrators may use dynamic routing protocols for route propagation and discovery. The two most common dynamic routing protocols are RIP-2 and OSPF. As is the case with the DHCP Relay proxy and the Oracle Connection Manager, the security gateway normally blocks this type of traffic. To support dynamic routing environments using either of these protocols, the security gateway includes the GNU Zebra suite of daemons.

For a complete discussion on the RIP-2 and OSPF protocols, see “Dynamic routing” on page 35.

For step-by-step instructions to enable support for these protocols, consult the Symantec Gateway Security 5400 Series Administrator’s Guide.

Oracle Connection Manager (SQL*Net)

To support the growing number of businesses that require secure public access to protected Oracle servers using the SQL*Net (Net8) protocol, the security gateway includes a product called the Oracle Connection Manager. The Oracle Connection Manager interacts with the security gateway in a manner similar to the other included third-party applications. You configure the security gateway to open up the correct port, and then configure the Oracle Connection Manager to point to the Oracle server. Once configured, the Oracle Connection Manager listens for incoming SQL*Net connections, and processes them appropriately.

You can find complete step-by-step instructions to enable support for SQL*Net traffic in the Symantec Gateway Security 5400 Series Administrator’s Guide.

Service groups

A service group is a definition of network traffic that includes one or more protocols. Service groups are used in rules to define the type of traffic to allow or deny, and offer a simple way to group multiple protocols into a single entity. Service groups also let an administrator organize access rights. For example, one service group might have only FTP enabled, another may have FTP, Telnet, and HTTP access, and a third might have full access. Rules can then be created that allow varying degrees of access as appropriate.
