3Com 3C16111 - SuperStack 3 Firewall Web Site Filter User Manual Download | Manualshive

Page: 161 / 214

background image

Using Network Access Policy Rules

161

Restoring the default rules will delete all custom rules and Public LAN
Servers. If an IKE VPN Security Association has been created, a service will
need to be recreated to permit IKE negotiations.

Protocols/Services to Filter

Although the Firewall is shipped in a safe mode by default, the user can
alter the Policy Rules and potentially cause the Firewall to be vulnerable to
attacks. Therefore, before any modifications are made, the user should be
aware of which services are of most risk to the private LAN.

The following table shows the protocols that are inherently vulnerable to
abuse and should be blocked from entering or leaving the site.

Table 6

Protocol Definitions and Characteristics

Protocol Name

Port
Number

Risk

TFTP-Trivial FTP

69

This protocol can be used to boot diskless
workstations, terminal servers and routers,
and can also be used to read any file on the
system, if set up incorrectly.

X Windows

6000+

This can leak information from X window
displays including all keystrokes.

DNS-Domain Names
Service

53

The DNS service contains names of hosts
and information about hosts that could be
helpful to attackers.

RIP-Routing
Information Protocol

520

This service can be used to redirect packet
routing.

UUCP-UNIX-to-UNIX
CoPy

540

If this service is not properly configured, it
can be used for unauthorized access.

Open Windows

2000

This protocol can also leak information
about what keystrokes are depressed.

RPC-Remote Call
Procedure

111

The RPC services, including NIS and NFS,
can be used to steal system information
such as passwords and read to write files.

Rexec

Rlogin

Rsh

512

513

514

These protocols can permit unauthorized
access to accounts and commands

Other services, whether inherently
dangerous or not, should be restricted to
only those systems that need them as
shown below:

DUA1611-0AAA02.book Page 161 Thursday, August 2, 2001 4:01 PM

«
...
159
160
161
162
163
...
»

Summary of Contents for 3C16111 - SuperStack 3 Firewall Web Site Filter

Page 1: ...m Part No DUA1611 0AAA02 Published August 2001 SuperStack 3 Firewall User Guide SuperStack 3 Firewall 3CR16110 95 SuperStack 3 Firewall Web Site Filter 3C16111 DUA1611 0AAA02 book Page 1 Thursday August 2 2001 4 01 PM ...

Page 2: ...any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com and SuperStack are registered trademarks of 3Com Corporation The 3Com logo and CoreBuilder are trademarks of 3Com Corporation Intel and Pentium ar...

Page 3: ... Web URL Filtering 23 High Availability 24 Logs and Alerts 24 User Remote Access from the Internet 24 Automatic IP Address Sharing and Configuration 24 Introduction to Virtual Private Networking VPN 25 Virtual Private Networking 25 2 INSTALLING THE HARDWARE Before You Start 27 Positioning the Firewall 28 Rack Mounting the Units 28 Securing the Firewall with the Rubber Feet 29 Firewall Front Panel ...

Page 4: ...s provided by a DHCP Server 44 Configuring LAN Settings 44 Automatic LAN Settings 44 Entering information about your LAN 45 Configuring the DHCP Server 45 Confirming Firewall Settings 46 II CONFIGURING THE FIREWALL 4 BASIC SETTINGS OF THE FIREWALL Examining the Unit Status 52 Setting the Administrator Password 53 Setting the Inactivity Timeout 54 Setting the Time 54 Changing the Basic Network Sett...

Page 5: ...a site is blocked 72 Updating the Web Filter 73 Checking the Web Filter Status 73 Downloading an Updated Filter List 74 Setting Actions if no Filter List is Loaded 74 Blocking Websites by using Keywords 75 Filtering by User Consent 75 Configuring User Consent Settings 76 Mandatory Filtered IP addresses 77 6 USING THE FIREWALL DIAGNOSTIC TOOLS Logs and Alerts 79 Viewing the Log 80 Changing Log and ...

Page 6: ...Restoring Rules to Defaults 106 Updating User Privileges 106 Establishing an Authenticated Session 108 Setting Management Method 109 Selecting Remote Management 110 Using the Firewall with the NBX 100 Business Telephone System 110 8 ADVANCED SETTINGS Automatic Proxy Web Cache Forwarding 111 Deploying the SuperStack 3 Webcache as a Proxy of the Firewall 112 Specifying Intranet Settings 114 Installi...

Page 7: ...RE VPN Client Software 139 Configuring the IRE VPN Client 139 10 CONFIGURING HIGH AVAILABILITY Getting Started 141 Network Configuration for High Availability Pair 142 Configuring High Availability 142 Configuring High Availability on the Primary Firewall 143 Configuring High Availability on the Backup Firewall 144 Making Configuration Changes 145 Checking High Availability Status 146 High Availab...

Page 8: ...ss the Internet 169 Firewall Does Not Save Changes 169 Duplicate IP Address Errors Are Occurring 169 Machines on the WAN Are Not Reachable 170 Troubleshooting the Firewall VPN Client 170 The IKE Negotiation on the VPN Client 170 Restarting the Firewall with Active VPN Tunnel 171 Export the VPN Client Security Policy File 171 Import the VPN Client Security Policy File 171 Uninstall the VPN Client 1...

Page 9: ... Known Port Numbers 184 Registered Port Numbers 184 Private Port Numbers 184 Virtual Private Network Services 184 Introduction to Virtual Private Networks 185 VPN Applications 185 Basic VPN Terms and Concepts 186 V APPENDICES A SAFETY INFORMATION Important Safety Information 193 Wichtige Sicherheitshinweise 194 Consignes Importantes de Sécurité 195 B TECHNICAL SPECIFICATIONS AND STANDARDS C CABLE ...

Page 10: ...rld Wide Web Site 201 3Com Knowledgebase Web Services 201 3Com FTP Site 202 Support from Your Network Supplier 202 Support from 3Com 202 Returning Products for Repair 204 INDEX REGULATORY NOTICES DUA1611 0AAA02 book Page 10 Thursday August 2 2001 4 01 PM ...

Page 11: ...have to web sites Sites can be blocked on a site wide or individual basis and by the features a web site uses or content it provides This guide is intended for use by the person responsible for installing or managing the network It assumes knowledge of the following Basic familiarity with Ethernet networks and the Internet Protocol Knowledge of how to install and handle electronically sensitive eq...

Page 12: ...ation about installing and setting up the Web Site Filter Chapter 11 Troubleshooting common Firewall problems Chapter 12 Information about Denial of Service and other attacks Chapter 13 An introduction to TCP IP and VPN Chapter 14 Important Safety Information Appendix A Technical Specifications of the Firewall Appendix B Cable Specifications Appendix C Information about obtaining Technical Support...

Page 13: ...creen displays This typeface represents information as it appears on the screen Commands The word command means that you must enter the command exactly as shown and then press Return or Enter Commands appear in bold Example To display port information enter the following command bridge port detail The words enter and type When you see the word enter in this guide you must type something and then p...

Page 14: ...b based application which you use to set up the Firewall to protect your network from attack and to control access to the Internet for LAN users NAT Network Address Translation NAT refers to the process of converting the IP addresses used within a private network to Internet IP addresses NTP Network Time Protocol This allows the Firewall to automatically set the local time via an NTP server on the...

Page 15: ...to as GMT or World Time VPN stands for Virtual Private Network and is a method of networking that uses data encryption and the public internet to provide secure communications between sites without incurring the expense of leased lines Web Site Filter Used in this guide to refer to the SuperStack 3 Web Site Filter See Chapter 13 Types of Attack and Firewall Defences for further information on type...

Page 16: ...al support questions For information about contacting Technical Support see Appendix A Registration To register your Firewall point your web browser to http www 3com com ssfirewall click on Hardware Registration and follow the instructions DUA1611 0AAA02 book Page 16 Thursday August 2 2001 4 01 PM ...

Page 17: ...I GETTING STARTED Chapter 1 Introduction Chapter 2 Installing the Hardware Chapter 3 Quick Setup for the Firewall DUA1611 0AAA02 book Page 17 Thursday August 2 2001 4 01 PM ...

Page 18: ...18 DUA1611 0AAA02 book Page 18 Thursday August 2 2001 4 01 PM ...

Page 19: ...k LAN to be securely connected to the Internet You can use the Firewall to Prevent theft destruction and modification of data Filter incoming data for unsafe or objectionable content Log events which may be important to the security of your network The Firewall has three Ethernet ports which are used to divide the network into separate areas The Wide Area Network WAN port attaches to the Internet ...

Page 20: ...e 1 3Com Network Supervisor display Network Supervisor automatically discovers up to 1500 network devices and shows devices and connections on a graphical display Network managers can view network activity monitor stress and set thresholds and alerts This information helps to provide the most efficient cost effective use of network resources Version 3 0 and later releases add significant extra fun...

Page 21: ... the Firewall you must follow the steps below before Network Supervisor will detect your Firewall 1 Access the Web interface from a Web browser connected to the LAN port of the Firewall 2 Click on the Policy button after the Management screen appears 3 Click on the User Privileges tab 4 Add a user to the Current Privileges list Enter the user name in the User field 5 Click on Remote Access and cli...

Page 22: ...sers LAN DMZ WAN STOP DoS Attacks Blocked Web Access Allowed Unauthorised External Access Blocked Authorised External Access using VPN Encrypted STOP STOP STOP Internet Access Filtered optional LAN Normal Uplink DMZ Normal Uplink WAN Normal Uplink DMZ Port Connected to public servers e g Web E mail Protected from DoS attacks but visible from outside your network LAN Port Connected to your internal...

Page 23: ...h you want to restrict access Alternatively you can restrict access to the Internet to certain trusted URLs See Setting up Trusted and Forbidden Domains on page 165 for more information Web site technologies such as cookies and Java and ActiveX applets give enhancements to web pages but hackers may use the technologies to steal or damage data The Firewall can block these potentially damaging appli...

Page 24: ...s of Internet bandwidth You can also set up the Firewall to send an alert message through e mail when a high priority concern such as a hacker attack is detected See Log Alert Settings on page 177 for more information For detailed logging 3Com recommends that you us a syslog server or a syslog reporting tool A free syslog server is available from 3Com To download it point your web browser to http ...

Page 25: ...trading partners legal and financial advisors as well as remote workers and branch offices This real time requirement often leads to the creation of an extranet where branch offices and partners are connected to a primary network in one of two ways Leasing dedicated data lines to connect all sites Using the public Internet to connect all sites and remote users together Each of these methods has it...

Page 26: ...nating device at the other end of the tunnel must be using the same level and type of encryption See Configuring Virtual Private Network Services on page 123 for more details DUA1611 0AAA02 book Page 26 Thursday August 2 2001 4 01 PM ...

Page 27: ... relatives à la sécurité qui se trouvent dans l Appendice A de ce guide VORSICHT Bevor Sie den Firewall hinzufügen lesen Sie die Sicherheitsanweisungen die in Anhang A in diesem Handbuch aufgeführt sind Before You Start Your SuperStack 3 Firewall 3CR 15110 95 comes with the following A power cord for use with the Firewall Four rubber feet Mounting Kit for a 19 in rack mount cabinet comprising two ...

Page 28: ...and sources of electrical noise such as radio transmitters and broadband amplifiers Water or moisture cannot enter the case of the unit Air flow around the unit and through the vents in the side of the case is not restricted 3Com recommends that you provide a minimum of 25 4 mm 1 in clearance to each side of the unit Rack Mounting the Units The Firewall is 1U high and will fit a standard 19 inch r...

Page 29: ...ck the feet to the marked areas at each corner of the underside of the unit if you intend to place the unit directly on top of the desk Firewall Front Panel Figure 4 shows the front panel of the Firewall Figure 4 Firewall Front Panel WARNING RJ 45 Ports These are shielded RJ 45 data sockets They cannot be used as standard traditional telephone sockets or to connect the unit to a traditional PBX or...

Page 30: ... each have a Status LED that indicates the following Green indicates that the link between port and the next network device is operational at 100 Mbps Yellow indicates that the link between the port and the next network device is operational at 10 Mbps Off indicates that nothing is operational or that the link to the port has failed 6 Packet LEDs The WAN LAN and DMZ ports each have a Packet LED th...

Page 31: ...Use this connector to attach a Redundant Power System to the Firewall 11 Reset Switch recessed Use to reset the Firewall CAUTION Holding the Reset Switch when you power on the Firewall will erase the operational firmware and return the device to factory default settings To reset the Firewall see Restore Factory Defaults on page 187 Redundant Power System RPS The SuperStack 3 Advanced Redundant Pow...

Page 32: ...ll to the same physical network For example never connect the LAN and DMZ ports into the same device as this bypasses all firewall functions S LAN DMZ WAN N R F S S L B W C W N R Key S L B S C F W N eb and etwork Servers W N eb and etwork Servers Client PC Client PC SuperStack 3 irewall F SuperStack 3 irewall F 10 100 Mbps witch S 10 100 Mbps witch S Router Router S L B erver oad alancer S L B erv...

Page 33: ...the Normal position 3 Connect the Ethernet port labeled DMZ to the public servers If you are installing the Firewall DMZ and want to protect the public servers such as Web and FTP servers use the DMZ port If you are connecting the DMZ port directly to a server using standard Category 5 cable make sure that the Uplink Normal switch is in the Normal position If you are connecting the DMZ port to an ...

Page 34: ...ewall See the following chapters for more information Chapter 3 for a quick setup guide for the Firewall Chapters 4 to 8 for full information about all the configuration options Chapter 11 for information about the Web Site Filter and Network Access Policy Rules At frequent intervals check the Firewall for the following The Alert LED is not continuously lit if it is there are problems on your netw...

Page 35: ...use the Installation Wizard to configure the Firewall you can activate the Installation Wizard manually To start the Installation Wizard manually click on the Tools menu followed by the Configuration tab then the Wizard button The configuration process can be split into three steps 1 To access the Installation Wizard you must first configure a computer as a Management Station See Setting up a Mana...

Page 36: ... have finished using the Installation Wizard 2 Change the IP address to a value within the Firewall s default subnet This will be a value between 192 168 1 1 and 192 168 1 254 but not 192 168 1 254 as this is already taken by the Firewall A suitable address would be 192 168 1 20 if this is not already taken by another device 3 Enter http 192 168 1 254 the Firewall s default IP address into the box...

Page 37: ...irewall manually click the Cancel button You will then be returned to the Web interface See Configuring the Firewall starting on page 49 to configure the Firewall using the Web interface Setting the Password Choose an administration password end enter it in the New Password and Confirm New Password fields This will be use in conjunction with the admin User Name when logging on to the Firewall in t...

Page 38: ...d click the Next button to continue The Time Zone you choose will affect the time recorded in the logs Figure 9 Set Time Zone screen This completes the Basic setup of the Firewall The Firewall will now attempt to configure some of its network settings automatically If it is unable to detect the settings automatically the DUA1611 0AAA02 book Page 38 Thursday August 2 2001 4 01 PM ...

Page 39: ...ge 40 Automatic WAN Settings The Installation Wizard checks for the presence of a DHCP Server or a PPPoE server on the WAN port Depending on the server found the Firewall configures itself appropriately as described below DHCP Server The Firewall requests an IP address form the DHCP server on the WAN Port and uses the IP address subnet mask and any DNS information supplied PPPoE Server The Install...

Page 40: ...ation Wizard s automatic detection then 1 Disconnect the power cord from the Firewall 2 Wait at least 5 seconds 3 Reconnect the power cord 4 Point your browser at the Firewall 5 Follow the instructions supplied by the Installation Wizard If you want to configure the WAN settings of the Firewall manually then click the Next button to continue The Installation Wizard will display its Connecting to t...

Page 41: ...llation Wizard Using an IP Address provided by a PPPoE Server One IP address is provided by the PPPoE server This is taken by the WAN port Network Address Translation NAT will be enabled Using a Static IP address provided by a DHCP Server One IP address is provided by the DHCP server This is taken by the WAN port Network Address Translation NAT will be enabled The settings for each of these option...

Page 42: ... first is unavailable or is unable to answer your query 4 Click the Next button to proceed to the final part of the configuration See Configuring LAN Settings on page 44 Using Multiple Static IP Addresses Select the Assigned you two or more IP addresses option and click the Next button The Network Address Translation screen will be displayed as shown in Figure 13 below Figure 13 Choosing whether t...

Page 43: ...d by your ISP 3 WAN Gateway Router Address Enter the IP address of your route or internet access device This must be in the same address range as the WAN IP Address 4 DNS Server Address Enter the IP address of your ISP s DNS server in this field This will be used to resolve machine names to IP addresses If you have access to additional DNS Servers enter them in the Optional Second DNS Server Addre...

Page 44: ...dynamic IP address DHCP option and click the Next button If a DHCP server is detected the Firewall will obtain its IP address automatically and will enable NAT for all devices connected to the LAN port Click the Next button again to confirm your choice and proceed to the final part of the configuration See Configuring LAN Settings below Configuring LAN Settings Once the WAN setting of the Firewall...

Page 45: ...f you are not using NAT this screen will not appear as these settings will be the same as the WAN settings Figure 16 Configuring LAN Settings Choose an IP address for the LAN port of your Firewall and enter it in the Firewall LAN IP Address field Enter the Subnet mask for your LAN network in the LAN Subnet Mask field The default IP address of the Firewall is 192 168 1 254 with a subnet mask of 255...

Page 46: ...cate The addresses you set must be contained entirely within your LAN subnet and must be currently unused Click the Next button to continue The Firewall will now review its settings See Confirming Firewall Settings below for details Confirming Firewall Settings The Firewall prompts you to confirm the settings it has established through automatic configuration as well as those entered manually You ...

Page 47: ...figuration of the Firewall click the Back button If you want to configure the Firewall manually Click the Cancel button to lose the changes made by the Installation Wizard or Click the Next Button continue to the end of the Installation Wizard and make the changes once the Firewall has reset If you click the Next button the following screen will display DUA1611 0AAA02 book Page 47 Thursday August ...

Page 48: ...mplete the configuration of the Firewall using the Installation Wizard The Firewall will take under a minute to restart during which time the Power Self test LED will flash When the Power Self test LED stops flashing the Firewall is ready for use DUA1611 0AAA02 book Page 48 Thursday August 2 2001 4 01 PM ...

Page 49: ...Setting up Web Filtering Chapter 6 Using the Firewall Diagnostic Tools Chapter 7 Setting a Policy Chapter 8 Advanced Settings Chapter 9 Configuring Virtual Private Network Services Chapter 10 Configuring High Availability DUA1611 0AAA02 book Page 49 Thursday August 2 2001 4 01 PM ...

Page 50: ...50 DUA1611 0AAA02 book Page 50 Thursday August 2 2001 4 01 PM ...

Page 51: ... for another role Chapter 5 Setting up Web Filtering describes the functions available in the Filter menu of the Web interface These functions allow you to control the access your users have to information on the Web Chapter 6 Using the Firewall Diagnostic Tools describes the functions available in the Log and Tools menus of the Web interface These functions allow you to monitor and manage your Fi...

Page 52: ... available in the VPN menu of the Web interface These functions enable you encrypt and authenticate external access to your Firewall Chapter 10 Configuring High Availability describes the functions available in the High Availability menu of the Web interface These functions allow you to set up a second SuperStack 3 Firewall as a live backup should your Firewall fail Examining the Unit Status To di...

Page 53: ...inistrator Password From the General screen select Set Password A window similar to that in Figure 22 displays If you are setting the password for the first time the default password is password Change the administrator password to keep the Firewall secure Figure 22 Set Password Screen 1 In the Old Password box type the old password 2 In the New Password and Confirm New Password boxes type the new...

Page 54: ...ox at the top of the screen If you cannot find your time zone in the list you should set this to the one with the same offset from GMT as is used at your location Use NTP Network Time Protocol to set time automatically Check this box to allow the Firewall to synchronize its time using an Network Time Protocol NTP server every hour For example if you started the Firewall at 2 30 the clock will sync...

Page 55: ... Universal Time Co ordinated UTC time UTC is the standard time common to all places in the world It is also commonly referred to as Greenwich Mean Time or World Time Many ISPs require firewall logs to be recorded in UTC as tracking hackers can be very difficult if reports of times are not consistent Manual Time Set To set the time manually enter the date and time in the boxes at the bottom of the ...

Page 56: ...d Choose NAT Enabled if you want to use a single IP address for accessing the Internet or if you do not have an IP address allocated by your ISP for each machine that requires access to the Internet NAT provides anonymity to machines on the LAN by connecting the entire network to the Internet using a single IP address This is useful for two purposes Additional security is provided because all the ...

Page 57: ...th PPPoE Client if your Internet connection for the Firewall WAN IP Address is to be obtained from a remote PPPoE server Specifying the LAN Settings For the LAN settings specify Firewall LAN IP Address This is the IP address that is given to the Internet Firewall and used to access it for configuration and monitoring Choose a unique IP address from the LAN address range LAN Subnet Mask This value ...

Page 58: ...nter the value specified by your ISP WAN DMZ Subnet Mask This value is automatically set to the LAN Subnet Mask for the Firewall unless PPPoE is selected For PPPoE enter the value specified by your ISP If PPPoE is selected you also have to set the following User Name Enter the User Name for your PPPoE account in this section This is information given to you by your service provider upon initial in...

Page 59: ... prevents users from reaching servers intended for public access such as a Web or e mail server which are crucial for effective Internet use In order to allow such services the Firewall comes with a special Demilitarized Zone DMZ port which you use for setting up public servers The DMZ is located between the local network and the Internet Servers on the DMZ are publicly accessible but they are pro...

Page 60: ...ddress Obtain these IP addresses from your ISP Usually the ISP can also supply information on setting up public Internet servers Click the Update button to save your changes To delete an address or range select it in the Address Range list and click Delete Network Address Translation NAT does not apply to servers on the DMZ Servers on the DMZ Port must therefore have addresses in the same range as...

Page 61: ...f manual addressing is used on the LAN computers Lease Time This is the amount of time that the IP address is leased or given to the client machine before the DHCP server attempts to renew that address If the client still requires the use of the IP address the DHCP Server grants the client the use of that IP address for the same amount of time If the client no longer requires the IP address the ad...

Page 62: ...HCP client you can select the Set DNS Servers by Internet Firewalls DHCP Client to have these fields set automatically Dynamic Ranges When a client makes a request for an IP address the Firewall s DHCP server leases an address from the Dynamic Ranges Prior to offering an address from the Dynamic Range to a requesting client the Firewall first verifies that the address is not already in use by anot...

Page 63: ...a requesting client type an IP address and the Ethernet MAC address of the client machine in the appropriate boxes and click Update Delete Static To remove a static address select it from the scrolling list of static addresses and click Delete Static Viewing the DHCP Server Status Click Network and then select the DHCP Server Status tab A window similar to that in Figure 27 displays Figure 27 DHCP...

Page 64: ...e Service DNS is an internet service which allows users to enter an easily remembered host name such as www 3Com com instead of numerical IP addresses to access Internet resources The Firewall has a DNS Lookup tool that returns the numerical IP address of a host name 1 Select DNS Name Lookup from the Choose a diagnostic tool menu 2 Type the host name to lookup in the Look up the name box and click...

Page 65: ...he Firewall s DNS Name Lookup tool to find the IP address of a host Ping The Ping tool bounces a packet off a machine on the Internet back to the sender This test shows if the Firewall is able to contact the remote host If users on the LAN are having problems accessing services on the Internet try pinging the DNS server or other machine at the ISP s location If this test is successful try pinging ...

Page 66: ...t name such as www 3Com com 3 Click Refresh to display the packet trace information 4 Click Stop to terminate the packet trace and Reset to clear the results Technical Support Report The Tech Support Report generates a detailed report of the Firewall s configuration and status and saves it to the local hard disk You can then e mail this file to Technical Support to help assist with a problem 1 Sel...

Page 67: ...he appropriate tab This following sections are covered in this chapter Changing the Filter Settings Filtering Web Sites using a Custom List Updating the Web Filter Blocking Websites by using Keywords Filtering by User Consent See Chapter 11 for background information about web filtering Changing the Filter Settings Click Filter and then select the Settings tab A window similar to that in Figure 29...

Page 68: ...check the checkbox corresponding to that category ActiveX ActiveX is a programming language that is used to embed small programs in Web pages It is generally considered an insecure protocol to allow into a network since it is possible for malicious programmers to write controls that can delete files compromise security or cause other damage Java Java is also used to embed small programs also calle...

Page 69: ... selected the Firewall logs and blocks access to all sites on the Web Site Filter custom and keyword lists Log Only When selected the Firewall logs and then allows access to all sites on the Web Site Filter custom and keyword lists Use this function to monitor inappropriate usage without restricting access Specifying the Categories to Filter The Web Site Filter can control access from the LAN to t...

Page 70: ...the Web Site Filter Custom Sites and Keywords Consent and Restrict Web Features such as ActiveX Java cookies and Web Proxy are not affected Always Block When selected Internet Filtering is always active and Time of Day limitations are not enforced This is enabled by default Block Between When selected Internet Filtering is only active during the time interval and days specified Enter the time peri...

Page 71: ...o allows www 3Com com my support 3com com shop 3com com and so forth Up to 256 entries are supported in the Trusted Domains list Click Update to send the update to the Firewall Forbidden Domains To block a Web site which has not been blocked by the Web Site Filter type its host name such as www bad site com into the Forbidden Domains box Do not use the complete URL of the site that is do not inclu...

Page 72: ...en a site is blocked When a user attempts to access a site that is blocked by the Web Site Filter a message is displayed on their screen The default message is Web Site Blocked by 3Com SuperStack 3 Firewall You can type any message including embedded HTML up to 255 characters long in this box For example if you type the following Access to this site was denied because it appears to violate this or...

Page 73: ... difficult to add and maintain the numerical addresses of every server in the pool Many sites included in the Web Site Filter regularly change the IP address of the server to try to bypass the Web Site Filters This makes maintaining a current list subscription critical for effective content filtering Click Filter and then select the Filter Update tab at the top of the window A window similar to th...

Page 74: ...ble in the event of the Filter List expiring or a download failing See Setting up Trusted and Forbidden Domains on page 71 for more information Allow traffic to all websites Select this option to provide open access to the internet in the event of the Filter List expiring or a download failing Since it is necessary to restart the Firewall once the download is complete which causes a momentary inte...

Page 75: ...use caution when enabling this feature For example blocking the word breast may stop access to sites on breast cancer as well as objectionable or pornographic sites To enable this function check the Enable Keyword Blocking check box and click Update To add a keyword in the Add Keyword box type the keyword to block and click Update To remove a keyword select it from the list and click Delete Keywor...

Page 76: ...ssroom or library time limits are often imposed You can set up the Firewall to remind users when their time has expired by displaying the page defined in the Consent page URL box Type the time limit in minutes in the Maximum web usage is box Specify the default value of zero 0 to disable this feature User idle timeout After a period of inactivity the Firewall requires the user to agree to the term...

Page 77: ... for filtered access and the link for unfiltered access are case sensitive Enter the URL of the page you have created in the When entering these addresses you should not enter http before the address Consent Accepted URL Filtering Off When users accept the terms outlined in the Consent page and choose to access the Internet without the protection of filtering they are shown a page to confirm their...

Page 78: ...ptFilter html If you have changed the IP address or the Firewall use the IP Address of the Firewall instead of 192 168 1 254 Click the Update button to save your changes The link for filtered access is case sensitive Add New Address You can configure the Firewall to provide filtering always for certain computers on the LAN Type the IP addresses of these computers in the Add New Address box and cli...

Page 79: ...the Firewall Configuration File Upgrading the Firewall Firmware Logs and Alerts The Firewall maintains an event log which contains events that may be security concerns You can view this log with a browser using the Firewall Web interface or you can set up a tab delimited text file to be sent automatically and periodically to any e mail address for convenience and archival purposes If you want to b...

Page 80: ...at in Figure 34 displays Figure 34 View Log Window The log is usually displayed as a list in a table but may appear differently depending on the browser used You may have to adjust the browser s font size and other viewing characteristics to display the log data most efficiently Depending on the browser you can copy entries from the log and paste them into documents Alternatively use the E mail Lo...

Page 81: ...or Newsgroup blocked The LAN IP and Ethernet addresses of a machine that attempted to connect to the blocked site or newsgroup is displayed In most cases the name of the site which was blocked will also be shown In addition there is a box labeled Rule which contains one or more lowercase letters These correspond to the categories in the Web Site Filter as follows a Violence profanity b Partial nud...

Page 82: ... the source of the attack Varying conditions on the Internet can produce conditions which may cause the appearance of an attack even when no one is deliberately attacking one of the machines on the LAN or DMZ This is particularly true for SYN Flood attacks If the log message calls the attack possible or it only happens on an irregular basis then there is probably no attack in progress If the log m...

Page 83: ...n page 92 for more information If there is a new software release an e mail notification is sent to this address Send Alerts To Alerts are events such as an attack which may warrant immediate attention When an event generates an alert a message is immediately sent to an e mail account or e mail pager Enter the e mail address for example username 3Com com to which alert messages are sent in this bo...

Page 84: ...erver field Click the Update button on the right of the browser window and restart the Firewall for changes to take effect E mail Log Now Immediately sends the log to the address in the Send Log To box and then clears the log Clear Log Now Deletes the contents of the log Changing the Log Automation Settings The Automation time set here determines when the Firewall queries the 3Com server for new f...

Page 85: ...activity such as administrator logins automatic loading of Web Site Filters activation and restarting the Firewall are generated This is enabled by default System Errors When enabled log messages showing problems with DNS e mail and automatic Web Site Filter loading are generated This is enabled by default Blocked Web Sites When enabled log messages showing Web sites newsgroups or other services b...

Page 86: ...og messages showing Ethernet broadcasts ARP resolution problems ICMP redirection problems and NAT resolution problems are generated This category is intended for experienced network administrators This is disabled by default Alert Categories Alerts are events such as an attack which may warrant immediate attention When an event generates an alert a message is immediately sent to the e mail account...

Page 87: ...accessed Web sites Top 25 users of bandwidth by IP address Top 25 services that consume the most bandwidth Click Log and then select the Reports tab A window similar to that in Figure 36 displays Figure 36 Reports Window Collecting Report Data Start Data Collection By default the log analysis function is disabled Click Start Data Collection to begin log analysis When log analysis is enabled the bu...

Page 88: ...he Web Site Hits report to ensure that the majority of Web access is to sites considered applicable to the primary business function If leisure sports or other similar sites are on this list it may signal the need to change or more strictly enforce the organization s Acceptable Use Policy Bandwidth Usage by IP Address Selecting Bandwidth Usage by IP Address from the Report to view drop down list d...

Page 89: ...e Firewall To restart the Firewall 1 Click Tools and select the Restart tab A window similar that in Figure 37 displays Figure 37 Restart Window 2 Click Restart SuperStack 3 Firewall 3 Click Yes to confirm the restart and send the restart command to the Firewall The restart takes about 90 seconds during which time the Firewall cannot be reached from the Web browser and all network traffic through ...

Page 90: ...u to save and restore the configuration settings of the Firewall Click Tools and then select the Configuration tab A window similar to that in Figure 38 displays Figure 38 Configuration Window Use the Configuration tab to specify where the settings for the Firewall are saved to and retrieved from for backup purposes You can also restore the default settings from the Configuration tab 3Com recommen...

Page 91: ...using Export You may need to set File type to to be able to see the exp file you exported 3 Once you have selected the file click Import 4 Once the file transfer has completed the status at the bottom of the screen will give you the option to Restart the Firewall 5 Click Restart Make sure that the Web browser supports HTTP uploads If it does not you cannot import the saved settings Note that this ...

Page 92: ...ng Factory Default Settings Click Restore to clear all configuration information and restore the Firewall to its factory state Clicking Restore will not change the Firewall s LAN IP Address LAN Subnet Mask WAN Gateway Address and Password Using the Installation Wizard to reconfigure the Firewall Click on the Wizard button to start the Installation Wizard This allows you to configure the Firewall f...

Page 93: ...ure the Firewall to send an e mail notification to the address in the Send log to box Click Tools and then select the Upgrade tab A window similar to that in Figure 41 displays To be notified automatically when new firmware is available 1 Click the Send me e mail when new firmware is available check box 2 Click Update To download new firmware go to http www 3com com ssfirewall and follow the instr...

Page 94: ...file you have downloaded from the 3Com FTP site to a local hard drive or server on the LAN 4 Click Upload to begin the upload Make sure that your Web browser supports HTTP uploads When uploading the firmware to an Firewall it is important not to interrupt the Web browser by closing the window clicking a link loading a new page or removing the power to the Firewall If the Firewall is DUA1611 0AAA02...

Page 95: ...way it may result in the Firewall not responding to attempts to log in If your Firewall does not respond see Chapter 12 Troubleshooting Guide 5 Restart the Firewall for the changes to take effect DUA1611 0AAA02 book Page 95 Thursday August 2 2001 4 01 PM ...

Page 96: ...96 CHAPTER 6 USING THE FIREWALL DIAGNOSTIC TOOLS DUA1611 0AAA02 book Page 96 Thursday August 2 2001 4 01 PM ...

Page 97: ...on the appropriate tab This following sections are covered in this chapter Changing Policy Services Adding and Deleting Services Editing Policy Rules Updating User Privileges Setting Management Method See Chapter 11 for background information about policies Changing Policy Services This section covers which network services are blocked by the Firewall and which are allowed to pass through DUA1611 ...

Page 98: ...vers of that type on the Internet The default value is enabled When the Warning Icon is displayed to the right of the check box there is a Custom Rule in the Rules tab section that modifies the behavior of the listed Network Access Rule LAN In Checkbox When this check box is cleared access to the protocol is not permitted from the WAN to the LAN and if appropriate from the DMZ to the LAN When the ...

Page 99: ...rotocol type 0 0 0 0 in the box Changing NetBIOS Broadcast Settings Systems running Microsoft Windows Networking communicate with one another through NetBIOS broadcast packets By default the Firewall blocks these broadcasts If you have Windows computers on more than one port of the Firewall for example if you are using the Firewall as an internal security measure you may need to enable NetBios Bro...

Page 100: ... Point to point Tunneling Protocol PPTP and IPSec are forms of VPN that allows data to pass through the Firewall without termination In some cases passing large amounts of data through the Firewall can cause packets to become fragmented which results in low data throughput If fragmented PPTP packets are being blocked check the Over PPTP box If fragmented IPSec packets are being blocked check the O...

Page 101: ...dicates the IP port number which defines the service either TCP Port UDP Port or ICMP Type The second number indicates the IP protocol type 6 for TCP 17 for UDP or 1 for ICMP There may be more than one entry with the same name For example the default configuration has two entries labeled Name Service DNS These are UDP port 53 and TCP port 53 Any entries with identical names are grouped together an...

Page 102: ... If you create multiple entries with the same name they are grouped together as a single service and may not function as expected Disabling Screen Logs You can disable the log of events which is usually written to the Firewall s internal Screen Log For example if LINUX s authentication protocol is filling the log with entries you can configure the screen log to ignore all activity for this service...

Page 103: ...the Internet Use extreme caution when creating or deleting Network Access Rules Network Access Rules do not disable protection from Denial of Service attacks such as SYN Flood Ping of Death or LAND However it is possible to create vulnerabilities to attacks that exploit vulnerabilities in applications such as WinNuke Viewing Network Policy Rules Click Policy and then select the Policy Rules tab A ...

Page 104: ...ddress range Action The Action for a rule can be set to either Allow or Deny traffic across the Firewall For security reasons common protocols are often denied and more specific rules created to describe where these protocols are used legitimately Service The Service for a rule shows the service and hence the protocol over which the rule operates A value of Default indicates that the rule operates...

Page 105: ... you want to edit Clicking on the icon will bring up the Edit Rule window where you can make the changes you need In the Edit Rule window To save your changes click Update To leave the Edit Rule window without saving changes close it using the Windows close button To reset all the parameters of the rule to the values they were before you started editing click Reset This will save no changes and wi...

Page 106: ...es The Firewall provides an authentication mechanism which gives authorized users access to the LAN from remote locations on the Internet as well as a means to bypass the Internet filtering and blocking from the LAN to the Internet These users are known as Privileged Users Privileged Users will only be able to use the Services currently allowed by the Firewall If an external user need full access ...

Page 107: ...g names of friends family pets places and so on Good passwords can be created by Making up nonsense words such as dwizdell Including non alphanumeric ASCII characters in words such as so n c Passwords are case sensitive 4 Choose the privileges to be enabled for the user by selecting one or both check boxes Two options are available Remote Access Unrestricted access to the LAN from a remote locatio...

Page 108: ...ipting To establish an Authenticated Session you point your Web browser at the Firewall s LAN IP Address This process is identical to the administrator login A dialog box is displayed asking you for the user name and password After filling in these boxes and clicking Login the password is verified using MD5 authentication The password is never sent in the clear over the Internet preventing passwor...

Page 109: ...owser on the LAN network When operating in this mode no Security Association information is needed Remotely from the WAN interface allows you to manage your Firewall from a remote host When operating in this mode you must specify Security Association information so that network traffic between your the Firewall and the remote host is secure You must also install a VPN Client on the remote host and...

Page 110: ...in the Authentication Key field An example of a valid authentication key is 1234567890ABCDEF1234567890ABCDEF 3 Click the Update button and then restart the Firewall for the change to take effect Using the Firewall with the NBX 100 Business Telephone System 3Com recommends that you place your NBX 100 Processor on the LAN port of the Firewall This is to ensure that your telephone system is completel...

Page 111: ... if it can fulfill the requests by returning a locally stored copy of the requested information If not the proxy Completes the request to the server Returns the requested information to the user Saves it locally to fulfill future requests Because of this a proxy can improve Internet response and lessen the load on the Internet link For example suppose a school is using the Internet for a research ...

Page 112: ...n the network The Web Cache can be placed either on the WAN or the DMZ side of the Firewall The installation is the same as for a Proxy Server See below 1 Click Advanced and then select the Proxy Relay tab A window similar to that in Figure 49 displays Figure 49 Proxy Relay Window 2 Enter the IP address of the proxy in the Proxy Web Server Address box and the proxy s IP port in the Proxy Web Serve...

Page 113: ...d Wizard or by selecting Device View System Caching Set Caching Mode from the Web interface c In the Port Number field enter the number 8080 this is the default value d Do not configure Web Site Blocking on the Webcache as the Firewall has more advanced filtering abilities and is able to use the 3Com Web Site Filter 3C16111 2 Install the Firewall according to the Superstack 3 Firewall User Guide t...

Page 114: ...ers in the Student Computer Lab Similarly an organization s accounting research or other sensitive resources may be protected against unauthorized access by other users on the same network By default protected LAN users can only access the Internet and no other devices between the WAN port and the Internet To enable access to the area between the Firewall s WAN port and the Internet referred to as...

Page 115: ...the network Devices connected to the WAN port do not have firewall or Web Site Filter protection It is advised that you use another Firewall to protect these computers 3 Connect the power cord to the back of the Firewall and then connect to an AC power outlet Configuring the Firewall to Protect the Intranet Click Advanced and then select the Intranet tab A window similar to that in Figure 52 displ...

Page 116: ...l number of machines with restricted access rather than the larger number of machines on the corporate network Using the exclusive method you specify the IP addresses of the machines connected to the Firewall s WAN port Use this method in cases such as a large school district with a small student computer lab where it would be easier to specify the small number of machines on the WAN which are not...

Page 117: ... to 192 168 23 100 type the starting address in the From Address box and the ending address in the To Address box To specify an individual address type it in the From Address box only You can specify up to 64 address ranges Click the Update button to save the configuration Setting Static Routes If the LAN has internal routers you must specify their addresses and network information Use static rout...

Page 118: ...er To configure static routes click Advanced and then select the Static Routes tab A window similar to that in Figure 54 displays Figure 54 Static Routes Window R 1 R 2 F S S D e s i g n N e t w o r k C o r e N e t w o r k DUA1611 0AAA02 book Page 118 Thursday August 2 2001 4 01 PM ...

Page 119: ...rnal addresses to internal addresses hidden by NAT Machines with an internal address may be accessed at the corresponding external valid IP address To create this relationship between internal and external addresses define internal and external address ranges of equal length Once you have defined that relationship the machine with the first internal address is accessible at the first IP address in...

Page 120: ...56 for details Figure 55 One to One NAT Window Table 4 Address Correspondence in One to One NAT LAN Address Corresponding WAN Address Accessed Through 192 168 1 1 209 19 28 16 Inaccessible Firewall WAN IP Address 192 168 1 2 209 19 28 17 209 19 28 17 192 168 1 16 209 19 28 31 209 19 28 31 192 168 1 17 No corresponding valid IP address Inaccessible except as Public LAN Server 192 168 1 255 No corre...

Page 121: ...nge Begin box This address is assigned by the ISP Range Length Type the number of IP addresses for the range The range length may not exceed the number of valid IP address You can add up to 64 ranges To map a single address use a Range Length of 1 Click Update to save changes Restart the Firewall for changes to take effect One to One NAT does not change the way the firewall functions work Access t...

Page 122: ...122 CHAPTER 8 ADVANCED SETTINGS DUA1611 0AAA02 book Page 122 Thursday August 2 2001 4 01 PM ...

Page 123: ... tab This following sections are covered in this chapter Editing VPN Summary Information Configuring a VPN Security Association Configuring the Firewall to use a RADIUS Server Using the Firewall with Check Point Firewall 1 Configuring the IRE VPN Client for use with the Firewall Editing VPN Summary Information To view the VPN Summary click on VPN and then select the VPN Summary tab A window simila...

Page 124: ... Firewall CAUTION The Unique Firewall Identifier must be different for each Firewall within your network as VPN connections may refer to Firewalls by name Enable VPN To enable VPN connections check the Enable VPN checkbox and click the Update button If VPN is disabled the VPN settings will still be visible on screen and can still be amended but will have no effect until VPN is enabled Disable all ...

Page 125: ... Security Associations SAs that have been created in the VPN Configure window The Name listed in the summary table links to the corresponding VPN configuration A Renegotiate button will appear next to an IKE VPN Security Association when the VPN connection is active Click the Renegotiate button to initiate the VPN handshake and the exchange of new encryption and authentication keys The SuperStack ...

Page 126: ...lick the Update button to save your changes To delete a SA click the drop down box labelled Security Associations and select the SA you want to delete Click the Delete button to delete the SA The GroupVPN Security Association cannot be deleted IPSec Keying Mode To select the keying mode click on the IPSec Keying Mode drop down box and select one of the options IKE Using pre shared secret Internet ...

Page 127: ...etting up a SA for VPN clients which do not have a fixed IP address Security Policy The options in the Security policy area of the screen relate to the current Security Association being created modified A description of each option is listed below Require XAUTH RADIUS only allows VPN clients Check the Require XAUTH RADIUS only allows VPN clients box to force VPN clients to be authenticated by a R...

Page 128: ...d when the keys are renegotiated a low value short time will increase security but may cause inconvenience The default value for the SA Life time secs field is 28800 seconds 8 hours Enter the number 28800 or your desired value This setting is not available if the IPSec Keying Mode is set to Manual Key Incoming SPI and Outgoing SPI The Incoming Security Parameter Index SPI and Outgoing SPI are two ...

Page 129: ...ed when Manual Keying is employed These fields do not appear when using IKE as your IPSec Keying Mode Encryption Method The Firewall supports seven encryption methods for establishing a VPN tunnel These are shown in Table 5 below DUA1611 0AAA02 book Page 129 Thursday August 2 2001 4 01 PM ...

Page 130: ... Fast Encrypt ESP ARCFour uses 56 bit ARCFour to provide an encrypted VPN tunnel ARCFour is widely considered to be a secure encryption method Medium Medium Manual Key IKE Encrypt for Check Point ESP DES rfc1829 uses 56 bit DES as specified in RFC 1829 to provide an encrypted VPN tunnel This method will provide interoperability with other IPSec VPN gateways such as Check Point FW 1 Slow High Manua...

Page 131: ...an the value stated above it will be rejected by the Firewall If it is longer than stated then the number will be truncated and the stated number of digits used The Encryption Key is only used when Manual Keying is employed This field does not appear when using IKE as your IPSec Keying Mode Authentication Key The Authentication Key is a hexadecimal number that is used to authenticate the users of ...

Page 132: ...ting a Network Range To edit a network range click of the icon of the pencil and paper next to the range you want to edit Change the range to the desired value and click the Update button Configuring the Firewall to use a RADIUS Server The Firewall is capable of using a RADIUS Remote Authentication Dial In User Service server to authenticate VPN users To configure your Firewall to use a RADIUS ser...

Page 133: ...cribed below If you have a backup or secondary RADIUS server on your network then repeat the process for the Secondary Server fields Name or IP Address Enter the DNS name or IP address of your RADIUS server in the Name or IP Address field Using the name of the server allows you to change its address without reconfiguring the Firewall Click the Update button to save your changes Port Number Enter t...

Page 134: ... large network from internal threats Thus it is possible to have firewalls as portals and use Virtual Private Networks VPNs between the enterprise network and remote offices A VPN provides a secure encrypted path over the Internet A VPN should be required for accessing any non public information over the Internet Since VPN standards are still evolving different vendor s implementations are not alw...

Page 135: ... Press the OK button when finished 3 For easier management you should create a group and place all objects that are protected by the remote Firewall in that group a Press the New button and select the Group option b Give the Group object a unique Name for example Encrypt Firewall c Give the Group object a Comment optional d Select the objects that are behind the remote Firewall and Add them to the...

Page 136: ...ion Key and SPI Key number must match the settings on the remote Firewall for the VPN to work 6 Now you must create a rule to allow the Check Point Firewall to exchange IPSEC packets with the remote Firewall From the Edit menu select Add Rule This rule should be added below any Client VPN rules for SecuRemote to work properly and above the normal resource access rules The rule should contain both ...

Page 137: ...checkbox 2 Enter a valid destination address range referring to the LAN behind Check Point Specify the Check Point s external address as the IPSec Gateway address 3 Select the Encryption Method Encrypt for Checkpoint ESP DES rfc1829 Make sure the Encryption Key and the SPIs match the values specified in the Check Point screens The Firewall doesn t need the 0x prefixes to denote hexadecimal fields ...

Page 138: ...IUS Server on page 132 4 If you do not have a RADIUS server or do not wish to use your RADIUS server to authenticate users ensure that the Require XAUTH RADIUS checkbox is not ticked 5 Set the SA Life time secs field to 28000 6 If you want extremely high security select the Strong Encrypt and Authenticate option from the Encryption Method drop down box otherwise select Encrypt and Authenticate 7 E...

Page 139: ...nfiguring the IRE VPN Client 1 Copy the previously saved export file created in Setting up the GroupVPN Security Association to a floppy disk or to the hard drive of the client machine 2 Start the Safenet Security Policy Editor To start the Security Policy Editor either select it from the SafeNet Soft PK submenu of the Windows Start menu or double click the SafeNet icon in the toolbar A window sim...

Page 140: ...the Security Policy Editor saving changes when prompted 6 Delete the export file from the hard drive if it was previously copied there The client is now set up to access your network safely across the Internet DUA1611 0AAA02 book Page 140 Thursday August 2 2001 4 01 PM ...

Page 141: ...ewalls together as a pair Although only one Firewall will function at a time the second will automatically take over from the first in the event of a failure Before attempting to configure two Firewalls as a High Availability pair check the following requirements You have two Superstack 3 Firewalls available The Firewalls must be running the same version of firmware which must be version 6 0 or ab...

Page 142: ... Do not mix the LAN DMZ and WAN networks when connecting the Firewalls together as this will compromise the security of your network All Firewall ports being used must be connected together with a hub or switch Each Firewall must have a unique LAN IP Address on the same LAN subnet If each Firewall has a unique WAN IP Address for remote management the WAN IP Addresses must be in the same subnet The...

Page 143: ...rewall s serial number and network settings The bottom half of the window is used to configure High Availability 1 To enable High Availability check the Enable High Availability box 2 Enter the Serial Number LAN IP Address and WAN IP Address of the backup Firewall The Serial Number and LAN IP Address are required settings for the backup Firewall The WAN IP Address field may be left blank if remote...

Page 144: ...eartbeats respectively the backup Firewall will take over from the primary Firewall after 10 seconds in the event of a failure in the primary Firewall 6 Click the Update button Once the Firewall has been updated a message confirming the update will be displayed at the bottom of the browser window If you have modified the Enable High Availability setting you will need to restart the Firewall for ch...

Page 145: ...tton on the left side of the browser window and then click the Status tab at the top of the window Both the firmware version and the Firewall serial number are displayed at the top of the window In the event of a mismatch in firmware versions it will be necessary to upgrade the firmware to correct the problem See Upgrading the Firewall Firmware on page 92 for instructions on upgrading firmware At ...

Page 146: ...below High Availability Status Window One method to determine which Firewall is active is to check the High Availability status page for the High Availability pair To view the High Availability status window it is necessary to log into the primary Firewall s LAN IP Address Click the High Availability button on the left side of the browser window and then click the Configuration tab at the top of t...

Page 147: ...imary Firewall to send e mail alerts you will receive an alert e mail when there is a change in the status of the High Availability pair For example when the backup Firewall takes over from the primary after a failure an e mail alert will be sent indicating that the backup has transitioned from Idle to Active If the primary Firewall subsequently resumes operation after that failure and Preempt Mod...

Page 148: ...s may be accomplished by disconnecting the active Firewall s LAN port by shutting off power on the currently active unit or by restarting it from the Web interface In all of these cases heartbeats from the active Firewall will be interrupted which will force the currently Idle unit to become Active To restart the active Firewall 1 Log into the primary Firewall s LAN IP Address 2 Click the Tools bu...

Page 149: ...TION If the Preempt Mode checkbox has been checked for the primary Firewall the primary unit will take over operation from the backup unit after the restart is complete DUA1611 0AAA02 book Page 149 Thursday August 2 2001 4 01 PM ...

Page 150: ...150 CHAPTER 10 CONFIGURING HIGH AVAILABILITY DUA1611 0AAA02 book Page 150 Thursday August 2 2001 4 01 PM ...

Page 151: ...III ADMINISTRATION AND TROUBLESHOOTING Chapter 11 Administration and Advanced Operations Chapter 12 Troubleshooting Guide DUA1611 0AAA02 book Page 151 Thursday August 2 2001 4 01 PM ...

Page 152: ...152 DUA1611 0AAA02 book Page 152 Thursday August 2 2001 4 01 PM ...

Page 153: ...vided so Internet access can be tailored to the needs of the organization Just like the Custom List and filtering by Keywords see Chapter 8 access to these sites can be enabled or disabled The 3Com Web Site Filter is provided as a 12 month subscription and can be automatically updated weekly to ensure that the filter keeps pace with the ever changing Internet The Firewall comes with a one month su...

Page 154: ...note The Partial Nudity and Full Nudity categories do not include sites containing nudity or partial nudity of a non prurient nature For example web sites for publications such as National Geographic or Smithsonian Magazine or sites hosted by museums such as the Guggenheim the Louvre or the Museum of Modern Art Sexual Acts Pictures descriptive text or audio of anyone or anything involved in explic...

Page 155: ...emely aggressive and combative behavior or advocacy of unlawful political measures Topics include groups that advocate violence as a means to achieve their goals Includes How to information on weapons making ammunition making or the making or use of pyrotechnics materials Also includes the use of weapons for unlawful reasons Sex Education Pictures or text advocating the proper use of contraceptive...

Page 156: ...dental are not in this category For further details refer to http www cyberpatrol com Activating the Web Site Filter When you register the Firewall you will be given 30 days free subscription to the Web Site Filter To continue getting upgrades to the Web Site Filter covering new Web Sites as they appear you will need to purchase the annual Web Site Filter subscription To activate your annual subsc...

Page 157: ... List which computers on the Internet will be affected The more specific the better For example if traffic is being allowed from the Internet to the LAN it is better to allow only certain machines on the Internet to access the LAN Once you have defined the logic of the rule it is critical to consider the security ramifications created by the rule Will this rule stop LAN users from accessing critic...

Page 158: ...e are IP address restrictions on the source of the traffic such as keeping competitors off the company s Web site type the starting and ending IP addresses of the range in the Addr Range Begin and Addr Range End respectively If all IP addresses are affected type in the Addr Range Begin box d Destination There are three parameters to configure for the Destination item Select the Network Access Rule...

Page 159: ... access to NNTP servers on the Internet 1 For the Action choose Deny 2 From the Service list choose NNTP If the service is not listed in the menu add it in the Add Service window 3 Select LAN from the Source Ethernet list 4 Since all computers on the LAN are to be affected enter in the Source Addr Range Begin box 5 Select WAN from the Destination Ethernet menu 6 Since the intent is to block access...

Page 160: ...ess of the ISP s network in the Source Addr Range Begin box and the network s ending IP address in the Source Addr Range End box 5 Select WAN from the Destination Ethernet list 6 Since the intent is to allow a ping only to the Firewall enter the Firewall s LAN IP Address in the Destination Addr Range Begin box 7 Click Add Rule Restore the Default Network Access Rules If the Firewall s network acce...

Page 161: ...l servers and routers and can also be used to read any file on the system if set up incorrectly X Windows 6000 This can leak information from X window displays including all keystrokes DNS Domain Names Service 53 The DNS service contains names of hosts and information about hosts that could be helpful to attackers RIP Routing Information Protocol 520 This service can be used to redirect packet rou...

Page 162: ...eset your Firewall to factory default settings and can access the Web interface of the Firewall successfully 3Com recommends that you use the Restore Factory Defaults command described on page 187 However if it is no longer possible to access the Web interface for example due to a lost password then you must completely reset your Firewall CAUTION The reset procedure described below not only delete...

Page 163: ...ops flashing and the Alert LED is illuminated continuously indicating that the unit has been reset and the firmware erased Reloading the Firmware Even when the firmware has been erased you can use a basic Web interface to get the Firewall up and running again The Firewall reverts to its default IP address of 192 168 1 254 after a complete reset so you must reconfigure your chosen management statio...

Page 164: ...password is password Once you have logged into the Web interface you may upload your saved settings file as described in Configuration on page 185 Note that the administrator password is not uploaded and is still password once the upload is complete Make sure that you change this password to increase the security of the unit If you do not have a saved settings file you must set up the unit from sc...

Page 165: ...agement station from the local Ethernet network 2 Attach the Firewall directly to the management station To do this connect a cable from the Ethernet port on the management station to the LAN Port of the Firewall 3 Switch on the Firewall To do this connect the power adapter to the port on the back labeled Power 4 Wait for the Power LED to stop flashing This takes approximately 90 seconds 5 Follow ...

Page 166: ...166 CHAPTER 11 ADMINISTRATION AND ADVANCED OPERATIONS DUA1611 0AAA02 book Page 166 Thursday August 2 2001 4 01 PM ...

Page 167: ...g Technical Support First try the following Make sure that all equipment is switched on Switch off the Firewall wait approximately 5 seconds and then switch it back on Wait for the Power LED to stop flashing approximately 90 seconds CAUTION The contents of the log are lost when resetting the Firewall If you are trying to diagnose a repeating problem examine the log before resetting the Firewall Po...

Page 168: ...ternative position Ethernet Connection is Not Functioning If the Ethernet connection does not work try the following Check the physical connections to make sure they are secure Try replacing the cable with a known good cable Cannot Access the Web interface If the Firewall does not allow users or the administrator to log in to establish an authenticated session try the following Make sure that the ...

Page 169: ...nternet router connected to the WAN port they are not accessible to users on the LAN To see if the problem is outside the Firewall disconnect the Firewall and try to access the Internet Try restarting the router and LAN machines If you are using the Internet Firewall with a cable modem you may need to register the MAC address of the unit with your cable service provider before connecting the Inter...

Page 170: ...KMP OAK AG SA KE NON ID VID New connection message not received Retransmitting This means the VPN client cannot contact the Firewall either because the VPN client is misconfigured or the Internet Service Provider for either the Firewall or the VPN client does not pass IPSec packets IreIKE Unable to acquire CAPI provider handle This indicates that the Firewall VPN client did not install properly Co...

Page 171: ...t remote users from changing the VPN client policy Click No to permit remote user configuration Then name the security policy database file spd and save it to a local folder or to a floppy disk Import the VPN Client Security Policy File 1 Select Import Security Policy in the File menu at the top of the Security Policy Editor window 2 Browse your local hard drive for the desired security policy dat...

Page 172: ...m using PPPoE without a Firewall is that the ISP requires the customer to have a PPPoE account for each computer attempting to access the Internet The Firewall is able to manage PPPoE connections eliminating the need to install PPPoE software on each client machine Home networking Many home networking products don t support PPPoE and if they do configuration can be increasingly complex Performance...

Page 173: ...IV FIREWALL AND NETWORKING CONCEPTS Chapter 13 Types of Attack and Firewall Defences Chapter 14 Networking Concepts DUA1611 0AAA02 book Page 173 Thursday August 2 2001 4 01 PM ...

Page 174: ...174 DUA1611 0AAA02 book Page 174 Thursday August 2 2001 4 01 PM ...

Page 175: ...it its vulnerabilities to crash any server at will Denial of Service attacks work by exploiting weaknesses in TCP IP exploiting weaknesses in your servers or by generating large amounts of traffic brute force attacks Commonly attempted attacks and the reaction of the SuperStack 3 Firewall are listed below Ping of Death A ping of death attack attempts to crash your system by sending a fragmented pa...

Page 176: ...t accept any more connections and will be unresponsive Firewall Response The connection request will be completed by the Firewall and the connection monitored to check if data is sent If no data is sent the Firewall resets the connection Land Attack A land attack is an attempt to slow your network down by sending a packet with identical source and destination addresses originating from your networ...

Page 177: ... Firewall will drop any spoofed packets log the event and alert the administrator Trojan Horse Attacks Trojan Horse attacks rely on a piece of software installed within your network prior to the attack Attacks vary in severity and effect from showing messages on screen or crashing an individual PC to theft of information and infiltration of the network The Firewall blocks attacks in two ways Known...

Page 178: ...178 CHAPTER 13 TYPES OF ATTACK AND FIREWALL DEFENCES DUA1611 0AAA02 book Page 178 Thursday August 2 2001 4 01 PM ...

Page 179: ... Transmission Control Protocol In TCP IP TCP works with IP to ensure the integrity of the data traveling over the network TCP IP is the protocol of the Internet IP Addressing To become part of an IP network a network device must have an IP address An IP address is a unique number that differentiates one device from another on the network to avoid confusion during communication To help illustrate I...

Page 180: ...IP addresses provide for varying levels of interchanges or subnetworks and extensions or device numbers The classes are based on estimated network size Class A used for very large networks with hundreds of subnetworks and thousands of devices Class A networks use IP addresses between 0 0 0 0 and 127 0 0 0 Class B used for medium to large networks with 10 100 subnetworks and hundreds of devices Cla...

Page 181: ...ubnet mask of 255 255 255 0 results in a sub network number of 123 45 67 0 and a device number of 89 The IP address numbers that are valid to use are those assigned by InterNIC this prevents someone setting up IP addresses that are duplicates of those at another company The subnet mask used for the network typically corresponds to the class of IP address assigned If the IP address is Class A use a...

Page 182: ...AN which have not been assigned to you by your Internet Service Provider it is a good idea to use addresses in a special range allocated for this purpose The following three blocks of IP address space have been reserved by the Internet Assigned Numbers Authority for the purpose of creating private internets 10 0 0 0 10 255 255 255 172 16 0 0 172 31 255 255 192 168 0 0 192 168 255 255 If you use so...

Page 183: ... provides a dynamic leased address to a DHCP client This means that the client will be able to use the provided IP address for a certain period of time The DHCP server will not give this address to a different client during the lease period thus ensuring that there are no address conflicts When the lease expires then the client may renew the lease If it does not renew the lease for instance if it ...

Page 184: ...ange for the assigned ports managed by the IANA has been expanded to the range 0 1023 Registered Port Numbers The Registered Ports are not controlled by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users While the IANA cannot control uses of these ports it does list uses of these ports as convenience The Registered Ports are in the range 1024...

Page 185: ...essor The data is delivered via the Web and decrypted at the intended destination The SuperStack 3 Firewall VPN implementation uses the IPSec VPN standard This guarantees compliance with other VPN products such as 3Com PathBuilder 400 and Check Point Firewall 1 that adhere to the same standard VPN Applications The following illustration shows the VPN connections between the offices and users of a ...

Page 186: ...ommon terms and expressions used in VPN VPN Tunnel Tunnelling is the encapsulation of point point transmission inside IP packets A VPN Tunnel is a term that is used to describe a connection between two or more private nodes or LANs over a public network typically the Internet Encryption is often used to maintain the confidentiality of private data when travelling over the Internet Encryption Encry...

Page 187: ... by trusted organizations Once a key has been generated the user must register his or her public key with a central administration called a Certifying Authority CA Organizations such as RSA Data Security and Verisign can help users issue and register key pairs The Firewall VPN uses Symmetric Cryptography As a result the key on both ends of the VPN tunnel must match exactly Authentication Header AH...

Page 188: ...unications with secure Web Sites using the SSL protocol Many banks use a 40 bit key ARC4 for online banking while others use a 128 bit key 3Com s implementation of ARCFour uses a 56 bit key ARCFour is faster than DES for several reasons First is that it is a newer encryption mechanism than DES As a result it benefits from advances in encryption technology Second unlike DES it is designed to encryp...

Page 189: ... will not be accepted by the Firewall when entered as an SPI an error message will be displayed at the bottom of the Web browser window when the Update button is pressed Security Association SA A Security Association is the group of security settings relating to a given network connection or set of connections The Security Association is based on the SPI and includes the Destination Address Range ...

Page 190: ...190 CHAPTER 14 NETWORKING CONCEPTS DUA1611 0AAA02 book Page 190 Thursday August 2 2001 4 01 PM ...

Page 191: ...dix A Safety Information Appendix B Technical Specifications and Standards Appendix C Cable Specifications Appendix D Technical Support Index Regulatory Notices DUA1611 0AAA02 book Page 191 Thursday August 2 2001 4 01 PM ...

Page 192: ...192 DUA1611 0AAA02 book Page 192 Thursday August 2 2001 4 01 PM ...

Page 193: ...g safety information carefully before you install or remove the unit WARNING Exceptional care must be taken during installation and removal of the unit WARNING To ensure compliance with international safety standards only use the power adapter that is supplied with the unit WARNING The socket outlet must be near to the unit and easily accessible You can only remove power from the unit by disconnec...

Page 194: ...er eigenen Sicherheit befolgen müssen Alle Anweisungen sind sorgfältig zu befolgen VORSICHT Sie müssen die folgenden Sicherheitsinformationen sorgfältig durchlesen bevor Sie das Gerät installieren oder ausbauen VORSICHT Bei der Installation und beim Ausbau des Geräts ist mit höchster Vorsicht vorzugehen VORSICHT Stapeln Sie das Gerät nur mit anderen SuperStack 3 Gerätes zusammen VORSICHT Aufgrund ...

Page 195: ...fen an diese Datensteckdosen angeschlossen werden Consignes Importantes de Sécurité AVERTISSEMENT Les avertissements présentent des consignes que vous devez respecter pour garantir votre sécurité personnelle Vous devez respecter attentivement toutes les consignes Nous vous demandons de lire attentivement les consignes suivantes de sécurité avant d installer ou de retirer l appareil AVERTISSEMENT F...

Page 196: ...lution des problèmes dans ce guide contacter votre fournisseur AVERTISSEMENT Débranchez l adaptateur électrique avant de retirer cet appareil AVERTISSEMENT Points d accès RJ 45 Ceux ci sont protégés par des prises de données Ils ne peuvent pas être utilisés comme prises de téléphone conventionnelles standard ni pour la connection de l unité à un réseau téléphonique central privé ou public Raccorde...

Page 197: ...nding or 19in rack mounting using the mounting kit supplied Capacity Maximum Number of Simultaneous IP Connections 30 000 Maximum Number of Security Associations 1 000 Maximum Number of VPN Tunnels 1 999 Size of DHCP pool 255 bindings Maximum Number of Rules 100 Maximum Number of Custom Rules 64 AC Line Frequency 50 60Hz Current Rating max 3 15A Input Voltage 90 264Vrms Operating Temperature 0 50 ...

Page 198: ...on Safety UL1950 EN 60950 CSA 22 2 950 IEC 950 EMC EN55022 Class A EN 50082 1 FCC Part 15 Part Class A ICES 003 Class A VCCI Class A EN 55024 CNS 13438 Class A Environmental EN 60068 IEC 68 Power Inlet IEC 320 Table 7 Technical Specifications of the Firewall DUA1611 0AAA02 book Page 198 Thursday August 2 2001 4 01 PM ...

Page 199: ... used for Ethernet and Fast Ethernet Figure 66 Connecting the Firewall to a hub or switch using a straight through cable Figure 67 Connecting the Firewall to a Network Interface Card using a straight through cable 1 2 3 6 Pins 4 5 7 and 8 are not used 1 2 3 6 RxD RxD TxD TxD Firewall Uplink Network Device Hub Switch TxD TxD RxD RxD TxD TxD RxD RxD 1 2 3 6 Pins 4 5 7 and 8 are not used 1 2 3 6 RxD ...

Page 200: ...rpose Figure 68 Connecting the firewall to a hub or switch using a crossover cable Figure 69 Connecting the firewall to a network interface card using a crossover cable TxD TxD RxD RxD 1 2 3 6 Pins 4 5 7 and 8 are not used 1 2 3 6 TxD TxD RxD RxD Firewall Normal Network Device Hub Switch 1 2 3 6 Pins 4 5 7 and 8 are not used 1 2 3 6 Firewall Uplink Network Card NIC RxD RxD TxD TxD RxD RxD TxD TxD ...

Page 201: ...on World Wide Web site enter this URL into your Internet browser http www 3com com This service provides access to online support information such as technical documentation and software as well as support options that range from technical education to maintenance and professional services 3Com Knowledgebase Web Services The 3Com Knowledgebase is a database of technical information to help you ins...

Page 202: ... maintenance application training and support services When you contact your network supplier for assistance have the following information ready Product model name part number and serial number A list of system hardware and software including revision levels Diagnostic error messages Details about recent configuration changes if applicable If you are unable to contact your network supplier see th...

Page 203: ...61 463 00798 611 2230 or 02 3455 6455 00798 611 2230 0080 611 261 001 800 611 2000 Europe Middle East and Africa From anywhere in these regions call 44 0 1442 435529 phone 44 0 1442 432524 fax Europe and South Africa From the following countries you may use the toll free numbers Austria Belgium Denmark Finland France Germany Hungary Ireland Israel Italy 0800 297468 0800 71429 800 17309 0800 113153...

Page 204: ...ia Ecuador Mexico Paraguay Peru Uruguay Venezuela 0810 222 3266 511 241 1691 0800 133266 or 55 11 5643 2700 525 201 0004 562 240 6200 525 201 0004 525 201 0004 525 201 0004 525 201 0004 511 241 1691 525 201 0004 525 201 0004 From the following countries you may call the toll free numbers select option 2 and then option 2 Austria Belgium Denmark Finland France Germany Hungary Ireland Israel Italy N...

Page 205: ...or Repair 205 U S A and Canada 1 800 NET 3Com 1 800 638 3266 Enterprise Customers 1 800 876 3266 1 408 326 7120 not toll free Country Telephone Number Fax Number DUA1611 0AAA02 book Page 205 Thursday August 2 2001 4 01 PM ...

Page 206: ...206 APPENDIX D TECHNICAL SUPPORT DUA1611 0AAA02 book Page 206 Thursday August 2 2001 4 01 PM ...

Page 207: ...n 24 automatic LAN settings 44 automatic WAN settings 39 B bandwidth usage by IP address 88 by service 88 blocking categories 69 81 broadband modems 25 C cable specifications 199 Categories tab 67 clock setting 54 CMT 15 code archive blocking 82 configuration saving and restoring 90 consent 75 URL 77 conventions notice icons About This Guide 12 cookies 23 69 current sample period 88 custom list 70...

Page 208: ...9 positioning 28 purpose 19 quick setup 35 uses 19 firewall security 21 Firewall moving 35 firmware e mail notification 93 loading 93 lost 162 reloading 163 uploading 93 forbidden domains 71 front panel 29 G gateway default 181 glossary 13 I IANA 184 ICMP packets 81 installation inventory 27 positioning 28 rack mounting 28 Installation Wizard 35 automatic LAN settings 44 automatic WAN settings 39 ...

Page 209: ...nual WAN settings 40 maximum idle time 76 web usage option 76 MIBs 202 moving your Firewall 35 N NAT 14 119 overview 24 network addressing mode 56 network access rules 23 103 creating 157 examples 159 hierarchy 158 Network Address Translation 14 network configuration diagram 32 Network News Transfer Protocol 14 network protocols See protocols Network Supervisor 3Com 20 network supplier support 202...

Page 210: ... features 68 returning products for repair 204 routes adding 119 specifying static 117 rubber feet 29 rules creating 103 S safety information 193 sample network diagram 32 saving configuration 90 screen logs disabling 102 security functions extending 23 security policy 21 self test LED 31 self diagnostic tests 33 164 services adding 101 deleting 102 setting admin password 53 clock 54 password usin...

Page 211: ...2 uploading firmware 93 URL 201 registration 16 URLs forbidden 23 trusted 23 user inactivity timer 107 privileges 23 106 remote access 24 settings authentication 106 users advanced 23 deleting 108 Internet 22 LAN 22 UTC 15 V View Log tab 80 VPN 15 W WAN port 19 WAN settings configuring using Installation Wizard 39 Web features restricting 68 web filtering 23 web management interface access lost 16...

Page 212: ...212 INDEX DUA1611 0AAA02 book Page 212 Thursday August 2 2001 4 01 PM ...

Page 213: ...receiver Plug the equipment into a different outlet so that equipment and receiver are on different branch circuits If necessary the user should consult the dealer or an experienced radio television technician for additional suggestions The user may find the following booklet prepared by the Federal Communications Commission helpful How to Identify and Resolve Radio TV Interference Problems This b...

Page 214: ...DUA1611 0AAA02 book Page 214 Thursday August 2 2001 4 01 PM ...

Reviews:

No comments

Related manuals for 3C16111 - SuperStack 3 Firewall Web Site Filter

Brand: Lanner Pages: 16

SecPath F5000-A

Brand: H3C Pages: 62

Brand: Yamaha Pages: 194

Brand: Fortinet Pages: 54

Brand: Barracuda Pages: 8

Brand: Nexcom Pages: 53

H3C SECPATH F5000-A5 ADVANCED VPN FIREWALL 12-PORT GIGABIT ETHERNET MODULE

Brand: 3Com Pages: 158

Brand: Global Technology Pages: 28

FortiSandbox 1000F

Brand: Fortinet Pages: 13

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands