By Garrett Seeley
In continuing with the discussion on troubleshooting networks, one of the more confusing troubleshooting events for a biomed technician is an issue caused by an ACL (access control list) or firewall. These can appear to be other issues, but ultimately they come down to permissions to use a network, set either on the network equipment or on the host computer. The most important thing to understand about ACL or firewall issues is that the symptoms can appear at any layer of the TCP/IP or OSI model. The problems can range from a layer 1 issue, for example a hardware port disabled on a switch, to a layer 4 issue such as an incorrectly set software port. Therefore, it is important to have a firm grasp on the foundational material that we covered in previous Network Notes articles. In this article, we will cover issues found when dealing with switch-level and firewall port security. We will cover specific scenarios to illustrate the concepts in ACL troubleshooting.
Scenario #1 – Network Security enforced: Appears as if the port is dead
A side effect of port-level security is that a functional switch may have a security setting that disables the port. This approach is becoming less common, because it alerts the device that tripped the security setting that the switch's UTM (unified threat management) is watching its behavior. Modern systems use a more isolating approach to security, which we can cover later in this article. However, older switch security may still be triggered and simply disable port access. In other words, it is possible to have a correct cable, a functional device, and a functional switch, yet no link indication on the switch. The cable and device will test fine, and the switch will be functional. This may happen if the switch observed a fake (spoofed) MAC address. If properly configured, the hardware port (the physical plug on the switch) may be disabled for security reasons. In this case, contact a network administrator or an informatics team member to reactivate the port. Keep in mind that they may want to know why the port became disabled. This is the point of the security setting: to put a pause in activity so that a network administrator can follow up on why the security system triggered.
Scenario #2 – ICMP blocking: Ping is not working, but Internet is
Similarly, it is possible to have access to a network, yet the ping command does not work. A remote machine's operating system firewall can be told not to respond to anonymous requests. This usually means that the device will not respond to pings or other requests such as traceroute, yet it is still on the network. It is an infuriating setting when troubleshooting, and something to keep in mind. Similarly, a switch can be told to block ICMP traffic. This will stop the configured ports, possibly the entire LAN, from responding to a ping even though the network is still functional; the switch is just blocking the ping traffic. Keep in mind that this can be set both on a device and for an entire network. ICMP blocking is a great security measure, but one that can ultimately leave a troubleshooter confused, if not frustrated.
Scenario #3 – MAC filtering: A new system has no access but scanner says the port is live
Like ICMP blocking, a MAC filter can be used as a security measure. This can result in the switch disabling the hardware port. More likely, this situation will result in a device not having any access despite having a good link light. When checked with an approved device, the switch port will seem functional. However, when the unapproved device, usually a new device, is added to the network, the switch port stops working. This is because the ACL has to be told which MAC addresses are allowed to access which switches or VLANs. When observed, ask the informatics team to add the new MAC address to the correct VLAN to repair the issue.
Scenario #4 – ACL Firewall blocking a port: Ping works, but software does not connect
A slightly more difficult issue is when the ACL or firewall stops a communication because of a software port setting. In this case, ping or other test communications may still work; however, recall that an ACL or firewall sees network communications not only as MAC and IP addresses, but also as software using specific TCP or UDP ports. Unlike a switch port, which is a physical plug, a software port is a number. Recall from the port discussion that there are only 65,535 numbered software ports that an OS can use to communicate over a network at any given time. Some services, such as web, use standard ports. Some things, such as ICMP, do not use ports at all. These may or may not be registered by function in the port registry of the IANA (Internet Assigned Numbers Authority, www.iana.org). Firewalls and ACLs are programmed to look for these ports, and for standard messages such as ICMP, and they allow or block them. Rules are set for incoming traffic (ingress rules) or outgoing traffic (egress rules). I cover this because it is important to know that ACLs and firewalls see software communicating on a numbered port. These individual software communications can be blocked while other communications are allowed. For example, web traffic on port 80 is usually not encrypted, so it is often blocked by ACLs, whereas port 443 is usually encrypted and is therefore allowed. Because of this, sometimes we can ping a device, but when using a specific software port, as we do in DICOM, the port is not allowed and the communication fails. This will happen even when the devices are correctly configured and on a functioning network. In this case, review the ACL and firewall ingress and egress settings. There is software that allows port scanning of a remote IP, but using such a tool can trip the ACL's security settings.
Be careful of network security settings at this point; as suggested before, now is the time to get hold of the informatics team or the network administrator.
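A single-connection check that separates the cases in this scenario, added here as an example and not part of the original article: one TCP connection attempt to the configured service port tells you whether the handshake completed, whether the host answered with a reset (packets get through, nothing listening), or whether there was only silence until the timeout (the usual sign of an ACL or firewall dropping the port while ping still works). The loopback listener and unused port are constructed stand-ins so the script runs without a real PACS; `pacs.example.org` is a placeholder name.

```python
import errno
import socket
from typing import Tuple


def classify_tcp_connect(host: str, port: int, timeout: float = 3.0) -> str:
    """Try one TCP connection to host:port and name what happened.

    "open"        handshake completed: path and listening service both work.
    "refused"     host sent a RST: packets reach the host, so the ACL or
                  firewall passes the port; nothing is listening on it.
    "filtered"    silence until the timeout: the usual signature of an ACL
                  or firewall silently dropping the port, even when ping works.
    "unreachable" the local stack or a router reports no route to the host.
    "unresolved"  the name did not resolve (a DNS issue, not an ACL issue).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a working DICOM listener on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_local_port() -> int:
    """Constructed stand-in for a host that is up but not running the service."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now, so a connect gets a RST
    return port


if __name__ == "__main__":
    srv, port = local_listener()
    print("listener  ->", classify_tcp_connect("127.0.0.1", port))
    srv.close()
    print("no service ->", classify_tcp_connect("127.0.0.1", unused_local_port()))
    # Placeholder PACS host; 104 is the conventional DICOM port.
    print("placeholder ->", classify_tcp_connect("pacs.example.org", 104))
```

Run it against the real modality and PACS pair only once, with the configured DICOM port; it is one connection, not a scan, so it does not behave like the port-scanning tools the article warns about.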
There are other possible issues caused by ACLs and firewalls. This is meant to get a discussion moving regarding the thought process of troubleshooting a communication error. Keep in mind that in these issues, the common point is a security setting. That is, after all, what an ACL or firewall is meant to address. It's easier to troubleshoot consistent malfunctions, but these issues are not always consistent. It can be frustrating to troubleshoot intermittent problems affecting only specific functions. Look for the consistencies in the issue and ask, "What security setting could cause this?" That often leads to the correct solution. Good luck.