Eicon Networks SHIVA 1100 Administrator'S Manual Download Page 45 | Manualshive

Page: 45 / 136

Eicon Networks SHIVA 1100 Administrator'S Manual Download Page 45

Chapter 4: Firewall

Chapter 4

Firewall

The Shiva VPN Gateway is equipped with a fully featured, stateful firewall. The firewall
allows you to control both incoming and outgoing access, so that computers on the
LAN can have tailored Internet access facilities and are shielded from malicious
attacks. By default the firewall is active, and allows all outgoing connections and
blocks all incoming connections.

The Shiva VPN Gateway's stateful firewall keeps track of outgoing connections (e.g.
a computer on your LAN requesting content from a server on the Internet) and only
allows corresponding incoming traffic (e.g. the server on the Internet sending the
requested content to the computer).

Sometimes it may be useful to allow some incoming connections, e.g. if you have a
mail or web server on your LAN that you want to be accessible from the Internet.
These situations are catered for by configuring Packet Filtering rules.

Generally, the majority of customizations to the default firewall rule set will be done
through Packet Filtering (page 49).

«
...
43
44
45
46
47
...
»

Summary of Contents for SHIVA 1100

Page 1: ...Shiva VPN Gateway Model 500 and 1100 System Administrator s Guide Connecting People to Information...

Page 2: ...on Networks Corporation or its subsidiaries More detailed information about such intellectual property is available from Eicon Networks Corporation s legal department at 9800 Cavendish Blvd Montreal Q...

Page 3: ...ternet connection 18 COM port settings 21 Connecting a modem 21 Setting up a dial out Internet connection 21 Wireless port settings 24 Wireless network performance 24 Setting up the wireless network 2...

Page 4: ...Firewall 45 Incoming access 46 Administration services 46 Shiva web server 47 Packet filtering 49 Service groups 50 Addresses 51 Rules 52 NAT 53 Connection tracking 57 Rules 58 Intrusion detection 59...

Page 5: ...a GRE tunnel 96 Port Tunnels 98 Setting up a port tunnel 98 Chapter 6 Management 101 Setting the date and time 102 Locality 103 User list 104 Adding a user 104 Administrator password security 106 Man...

Page 6: ...ernational Regulatory Information 133 Shiva 500 VPN Gateway 134 Regulatory information for the USA 134 Regulatory information for Canada 134 Regulatory information for Europe 135 Shiva 1100 VPN Gatewa...

Page 7: ...n This manual describes how to take advantage of the features of your Shiva VPN Gateway including setting up network connections a secure firewall and a VPN This chapter provides an overview of your S...

Page 8: ...chines on your local network To configure your Shiva VPN Gateway as a DHCP server you must set a static IP address and netmask on the LAN port Chapter 4 The Shiva VPN Gateway is equipped with a fully...

Page 9: ...cting the remote PCs or offices This combined with support for industry standard VPN and authentication protocols makes the Shiva VPN Gateway a fully featured security device that will also help maxim...

Page 10: ...m Administrator s Guide Package contents The following items are included with your Shiva VPN Gateway gateway Power adapter Installation CD Quick Install guide Install Map Two six foot straight throug...

Page 11: ...creen Bold text is also used to present command line output or program listings Network Setup Routes When referring to the web based management console submenus and tabs are indicated using the sign T...

Page 12: ...pecifies the number of bits in the IP address range For example a b c d 24 covers the entire C class network subnet a b c 0 and is equivalent to specifying the range as a b c 0 255 a b c d 32 is equiv...

Page 13: ...er is supplied to the Shiva VPN Gateway TST Flashing The Shiva VPN Gateway is operating correctly On The unit is restarting or an operating error has occurred LAN1 LAN2 LAN3 LAN4 Flashing Traffic is b...

Page 14: ...he power adapter here ERASE Details SERIAL Serial port with DB 9 connector supporting speeds up to 115200 WAN 10 100 auto sensing Ethernet port LAN1 LAN2 LAN3 LAN4 10 100 auto sensing Ethernet ports A...

Page 15: ...ter describes the Network Setup section of the Web Management Console Here you can configure each of your Shiva VPN Gateway s network ports Ethernet serial Network ports may be configured for Internet...

Page 16: ...onfiguration of a port select a new setting in the Configuration column This will automatically display additional configuration pages To edit an existing configuration select Edit current settings in...

Page 17: ...hiva VPN Gateway in its default network address translation mode Network address translation NAT masquerading on page 36 this will typically be part of a private IP range such as 192 168 1 1 255 255 2...

Page 18: ...N connection as your primary Internet connection see the section COM port settings on page 21 Connect your Shiva VPN Gateway s Internet port to the modem device using a straight through Ethernet cable...

Page 19: ...neric enter your user name and password and click Finish You are now ready to connect Click the Reboot button to save your configuration and reboot your Shiva VPN Gateway ADSL Internet If you are conn...

Page 20: ...er s however any DNS server addresses allocated by your ISP will take precedence over these To manually configure your Internet network settings enter the IP Address Netmask Internet Gateway and DNS S...

Page 21: ...A connects into your ISDN line and has either a serial or Ethernet port that is connected to your Shiva VPN Gateway Do not plug an ISDN connection directly in to your Shiva VPN Gateway Setting up a di...

Page 22: ...ve i e when there is no traffic to from the Internet for the time specified by Idle Timer Idle Time Specifies how long the connection can be idle before it is dropped when Dial on Demand is active Sel...

Page 23: ...m Administrator s Guide 23 If a dial on demand connection has been set up Connect Now Disconnect Now buttons will be displayed These make the Shiva VPN Gateway dial or hang up the modem connection imm...

Page 24: ...s governed by a number of factors including Intervening obstructions Each obstruction between the Shiva VPN Gateway and a wireless client station will reduce the signal strength Some materials wood an...

Page 25: ...tions Channel Frequency Select the operating channel for the wireless network To avoid interference with other 2 4GHz devices select a channel number that differs from the one used by the other device...

Page 26: ...erly all wireless stations have identical key lists If you define only one encryption key it must be entered in the first key field If you configure one key only in fields 2 3 or 4 you may not be able...

Page 27: ...tion 5 Specify a MAC address and click the Add button Advanced wireless settings The Advanced tab gives you access to a number of settings that can be used to fine tune the operation of the wireless n...

Page 28: ...power Specifies the transmit power as a percentage Can be used to reduce the wireleess cell size to avoid interference with neighboring wireless networks Peramble Type Long Short RTS Threshold Enable...

Page 29: ...a bridge between them The Shiva VPN Gateway will learn which computers or devices are present on either side of the bridge and direct traffic appropriately Note When the Shiva VPN Gateway is bridging...

Page 30: ...Shiva VPN Gateway you must Enable your primary Internet connection for failover Set up a secondary backup Internet connection Enable the primary connection for failover Set up your primary broadband...

Page 31: ...ll not appear as an available Configuration until a primary Internet connection has been configured Refer to Enable the primary connection for failover on page 30 for details on enabling your primary...

Page 32: ...can be configured to automatically exchange routing information with other routers Note that this feature is intended for network administrators adept at configuring route management services Check E...

Page 33: ...Edit alias configuration for the LAN port 3 Specify an IP address and Netmask and click Add Internet port alias Note For Internet aliased ports you must also setup appropriate Packet Filtering and or...

Page 34: ...lobally unique address and is specific to a single Shiva VPN Gateway It is set by the manufacturer and should not normally be changed However you may need to change it if your ISP has configured your...

Page 35: ...e is a descriptive name for the Shiva VPN Gateway on the network DNS Proxy The Shiva VPN Gateway can also be configured to run as a Domain Name Server The Shiva VPN Gateway acts as a DNS Proxy and pas...

Page 36: ...te IP address Note It is strongly recommended that you leave Enable NAT on Internet Interface checked Dynamic DNS A dynamic DNS service is useful when you don t have a static Internet IP address but n...

Page 37: ...a http https imap irc nntp ntp pop3 smtp ssh and telnet This advanced feature is provided for expert users to fine tune their networks The Auto Traffic Shaper uses a set of inbuilt traffic shaping rul...

Page 38: ...QoS traffic shaping 38 System Administrator s Guide...

Page 39: ...s Chapter 3 DHCP services The Shiva VPN Gateway can act as a DHCP server for machines on your local network To configure your Shiva VPN Gateway as a DHCP server you must set a static IP address and ne...

Page 40: ...Apply Enter the Subnet and netmask of the IP addresses to be distributed Enter the Gateway Address that the DHCP clients will be issued with If this field is left blank the Shiva VPN Gateway s IP add...

Page 41: ...ort 4 Click Apply to save these settings A page similar to the following will be displayed Interface Once a subnet has been configured the port which the IP addresses will be issued from will be shown...

Page 42: ...e an option to Remove the address and for reserved IP addresses the added option to Unreserve the address Unreserving the address will allow it to be handed out to any host The Status field will have...

Page 43: ...resolution This allows both static and dynamic addresses to be given out on the LAN just as running a DHCP server would To enable this feature specify the server which is to receive the forwarded req...

Page 44: ...DHCP relay 44 System Administrator s Guide...

Page 45: ...Gateway s stateful firewall keeps track of outgoing connections e g a computer on your LAN requesting content from a server on the Internet and only allows corresponding incoming traffic e g the serve...

Page 46: ...r example you generally want to restrict access to the Web Management Console web administration pages Web Admin to machines on your local network Disallowing all services is not recommended as this w...

Page 47: ...Shiva VPN Gateway s Internet IP address into a web browser Ideally you should use Packet Filtering rules see the Packet Filtering section later in this chapter to restrict who has access for remote a...

Page 48: ...agement console administrative web pages securely using SSL encryption the URL becomes https instead of http e g https 10 0 0 1 Add local and private certificates Valid SSL certificates have been uplo...

Page 49: ...eraded servers to offer services to the outside world Destination NAT rules are used for port forwarding Source NAT rules are useful for masquerading one or more IP addresses behind a single other IP...

Page 50: ...ting address and click Modify A service group can be used to group together similar services For example you can create a group of services that you wish to allow and then use a single rule to allow t...

Page 51: ...a VPN Gateway will perform a DNS lookup and fill in the IP Address field If the DNS hostname is invalid you may need to wait while the DNS lookup times out Warning The DNS lookup is only performed onc...

Page 52: ...he Packet Filtering page to change the order The rules are evaluated top to bottom as displayed on the Packet Filtering page Action Specifies what to do if the rule matches Accept means to allow the t...

Page 53: ...ng matched when inspecting the system log NAT Once appropriate addresses and perhaps service groups have been defined you can add 1 to 1 and Destination NAT rules Source NAT rules may be added at any...

Page 54: ...MZ address Outgoing Interface The interface that receives the request for masquerading this will typically be private interface i e LAN or DMZ Destination Address The destination address of the reques...

Page 55: ...vice to be only accessible from a specific remote location Destination Address The destination address of the request this is the address that will be altered Destination Services The destination serv...

Page 56: ...ess The private address to change Into public address The public address typically a WAN interface alias Create a corresponding ACCEPT firewall rule Leave checked to create a virtual DMZ type scenario...

Page 57: ...Connection tracking provides support for the listed services by creating a proxy for the service Supported services include File transfer protocol FTP H 323 teleconferencing Internet relay chat IRC Po...

Page 58: ...u Warning Only experts on firewalls and iptables will be able to add effective custom firewall rules for more information see http www netfilter org documentation Configuring the Shiva VPN Gateway s f...

Page 59: ...e applications These attacks can potentially be detected using an intrusion detection system IDS The IDS logs information and sends alerts so that administrators may be able to contain and recover fro...

Page 60: ...ll reduce the number of false positives The ignore list contains a list of host IP addresses which the IDB will ignore for detection and blocking purposes This list may be freely edited so trusted ser...

Page 61: ...VPN Gateway via this interface The UPnP Gateway will listen on this interface to requests from UPnP capable applications and devices to establish port forwarding rules In response to these requests t...

Page 62: ...net ZoneAlarm To enable any of these access controls or content filtering select Access Control then under the Main tab check Enabled and click Apply User authentication Check Require user authenticat...

Page 63: ...is for Microsoft Internet Explorer 6 Instructions for other browsers should be similar refer to their user documentation for details on using a web proxy 1 On the Internet Options menu select Tools 2...

Page 64: ...ank 6 In the Exceptions box enter your Shiva VPN Gateway s LAN IP address 7 Click OK OK and OK again IP lists Internet access may be Blocked or Allowed by the Source LAN IP address or address range th...

Page 65: ...urce Block list access to www kernel org and www kernel org only from 192 168 1 100 will be granted Web lists Access will be denied to any web address URL that contains text entered in the Block List...

Page 66: ...Access control 66 System Administrator s Guide...

Page 67: ...Virtual private networking Chapter 5 Virtual private networking This chapter details how to configure the PPTP client how to establish an IPSec tunnel and also provides an overview of GRE and L2TP VPN...

Page 68: ...dquarters LAN to the branch office s IPSec is generally the most suitable choice in this scenario With the Shiva VPN Gateway you can establish a VPN tunnel over the Internet using either PPTP IPSec GR...

Page 69: ...nd password to use when logging in to the remote VPN You may need to obtain this information from the system administrator of the remote PPTP server and Optionally the remote network s netmask This is...

Page 70: ...edit the advanced routing information L2TP client The Layer Two Tunneling Protocol was developed by Microsoft and Cisco as a multi purpose network transport protocol Many DSL ISPs use L2TP over ATM to...

Page 71: ...Enable and configure the PPTP VPN server Set up VPN user accounts on the Shiva VPN Gateway and enable the appropriate authentication security Configure the VPN clients at the remote sites The client d...

Page 72: ...Addresses to Assign to VPN Server Select the port that the VPN tunnel will be created on Authentication Scheme PPTP provides an authenticated tunnel between a client and a gateway by using a user ID...

Page 73: ...the PAP authentication scheme 3 Click Continue 4 Configure user account settings PPTP Accounts are distinct from those added through Users on the System menu and those added through L2TP Server and D...

Page 74: ...he remote VPN client computer has Internet connectivity To create a VPN connection across the Internet you must set up two networking connections One connection is for ISP and the other connection is...

Page 75: ...ing IPSec This provides a secure tunnel through which users on both networks can share data and resources To combine the Headquarters and Branch Office networks together an IPSec tunnel must be config...

Page 76: ...00 and 1500 5 Click the Apply button to save the changes Warning It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitted Create a tunnel to conn...

Page 77: ...Gateway and the remote party RSA Digital Signatures uses a public private RSA key pair for authentication The Shiva VPN Gateway can generate these key pairs The public keys need to be exchanged betwe...

Page 78: ...this end checkbox checked Note This option will not be available when the Shiva VPN Gateway has a static IP address and the remote party has a dynamic IP address 2 Enter the Required Endpoint ID of t...

Page 79: ...d Authentication Key field is the ESP Authentication Key It must be of the form 0xhex where hex is one or more hexadecimal digits The hex part must be exactly 32 characters long when using MD5 or 40 c...

Page 80: ...e remote party has a dynamic IP or DNS hostname address or if RSA Digital Key Signatures are used for authentication It is optional For this example because the remote party has a static IP address If...

Page 81: ...lue and must be unique It is used to establish and uniquely identify the tunnel It must be of the form 0xhex where hex is one or more hexadecimal digits and be in the range of 0x100 0xfff This field a...

Page 82: ...leave the Rekeyfuzz as the default value of 100 Enter a secret in the Preshared Secret field Keep a record of this secret as it will be used to configure the remote party s secret For this example en...

Page 83: ...down menu contains a list of the local certificates that have been uploaded for X 509 authentication Select the required certificate to be used to negotiate the tunnel This field appears when X 509 C...

Page 84: ...t a time by entering subnets into the Add Local Network and Add Remote Network fields and then clicking Apply Configured local and remote network combinations can be deleted by clicking the Delete che...

Page 85: ...network so select the single network behind a gateway option 9 Select the type of routing the tunnel will be used as For this example select the be a route to the remote party option 10 Click the Con...

Page 86: ...Office Phase 1 Proposal 6 Click the Continue button to configure the Phase 2 Settings Define phase 2 settings 1 Set the length of time before Phase 2 is renegotiated in the Key lifetime m field For th...

Page 87: ...e Party to sort the tunnel list by the remote party ID name address Status Tunnels that use Automatic Keying IKE will have one of four states in the Status field The states include the following Down...

Page 88: ...se Phase 2 Ciphers Loaded lists the encryption ciphers that tunnels can be configured with for Phase 2 negotiations This will include DES 3DES and AES Phase 2 Hashes Loaded lists the authentication ha...

Page 89: ...there is no key yet The current Phase 2 key This is the number that corresponds to the newest IPSec SA field For this example phase 1 has not be successfully negotiated so there is no key yet The Pha...

Page 90: ...the IPSec endpoint that has dynamic DNS supported and enable Dead Peer Detection If the IP address of the Shiva VPN Gateway s DNS hostname changes the tunnel will automatically renegotiate and establ...

Page 91: ...he remote party has gone down The remote party has disabled IPSec The remote party has disabled the tunnel The tunnel on the Shiva VPN Gateway has been configured not to rekey the tunnel The remote pa...

Page 92: ...not work across the tunnel Possible cause There may be a firewall device blocking IPSec packets The MTU of the IPSec interface may be too large The application uses broadcasts packets to work Solution...

Page 93: ...e the MTU if large packets are not being sent through the tunnel If the application is still not working across the tunnel then the problem is with the application Check that the application uses IP a...

Page 94: ...PKCS 12 format file and the CA local public key and private key certificates must be extracted or created before uploading them into the Shiva VPN Gateway Adding certificates To add certificates to t...

Page 95: ...host computer Certificates have time durations in which they are valid Ensure that the certificates uploaded are valid and that the Date and Time settings have been set correctly on the Shiva VPN Gate...

Page 96: ...t to networks then you should use IPSec or tunnel GRE over either IPSec or PPTP tunnels An example setup that describes using GRE to bridge a network over an IPSec tunnel is described in GRE over IPSe...

Page 97: ...emote subnet netmask 192 168 1 0 255 255 255 0 8 Click Add The GRE tunnel between the two networks is now set up Tunnels may be Disabled Deleted or Edited from the main table of GRE tunnels A few furt...

Page 98: ...nnel with a localhost destination 127 0 0 1 and to then have an httptunnel listening on that port which forwards to a remote httptunnel which in turn loops back to a remote stunnel which in turn forwa...

Page 99: ...erver settings Enabled Enables the tunnel Local Port Remote Host Remote Port Content Length Strict Length Adherence Maximum Connection Age Keep Alive Interval Source Client settings Enabled Enables th...

Page 100: ...Port Tunnels 100 System Administrator s Guide Strict Length Adherence Maximum Connection Age Keep Alive Interval Proxy Username Password Port Proxy Buffer Size User Agent Padding Timeout...

Page 101: ...Chapter 6 Management Chapter 6 Management This chapter describes how to configure various management options such as date and time users administrator settings and diagnostics...

Page 102: ...f your computer Alternately you can manually set the Year Month Date Hour and Minute using the selection boxes to set the date and time on the Shiva VPN Gateway NTP time server The Shiva VPN Gateway c...

Page 103: ...ield Locality Select your region then select your location within said region The system clock will subsequently show local time Without setting this the system clock will show UTP Setting a time zone...

Page 104: ...abilities beyond any other user Note The root user is the only user permitted to telnet to a Shiva VPN Gateway Web administration access controls are grouped into four broad categories Administration...

Page 105: ...ol can dump and restore the entire Shiva VPN Gateway s configuration via the encrypted save and restore option on the Advanced page Such a user cannot edit the configuration nor even see the configura...

Page 106: ...restrict access to the Web Management Console web administration pages Web Admin and the Shiva VPN Gateway itself The Shiva VPN Gateway administrative password is the key to the security of your netw...

Page 107: ...authenticate devices This value must be the same as the value configured in CMS Back to base ping interval Specifies the time in seconds between ALIVE traps sent to CMS Local SNMP port The port on wh...

Page 108: ...ocation in the CMS Syslog Remote Port Specifies the port on which to listen for syslog messages The default value 514 is the standard syslog port however there may be reasons to use a different port i...

Page 109: ...tests are provided through the Web Management Console web administration pages Diagnostics To access this information click Diagnostics under System This page displays information including the curre...

Page 110: ...Diagnostics 110 System Administrator s Guide Network tests Basic network diagnostic tests ping traceroute can be accessed by clicking the Network Tests tab at the top of the Diagnostics page...

Page 111: ...option of re directing log output to a remote machine using the syslog protocol Enable this option by selecting Enable Remote Logging entering the IP address of the remote machine and clicking Apply L...

Page 112: ...nd logging performed some of the fields may not appear Commonly used interfaces are The firewall rules deny all packets arriving from the WAN port by default There are a few ports open to deal with tr...

Page 113: ...th0 OUT eth1 SRC 10 0 0 2 DST 140 103 74 181 LEN 60 TOS 0x00 PREC 0x00 TTL 63 ID 62830 DF PROTO TCP SPT 46486 DPT 22 WINDOW 5840 RES 0x00 SYN URGP 0 Creating custom log rules Additional log rules can...

Page 114: ...teway rather than attempting to pass through it A very similar scenario occurs for logging access requests that are attempting to pass through the Shiva VPN Gateway It merely requires replacing the IN...

Page 115: ...te limiting the log messages that are generated in order to avoid denial of service issues arising out of logging these access attempts To achieve this use the following option limit rate rate is the...

Page 116: ...entication successful for root from 10 0 0 2 Once again showing the same information as a web login attempt Boot Log Messages The Shiva VPN Gateway s startup boot time messages are identified by log m...

Page 117: ...with a password To backup to a plain text file click store restore and copy and paste the configuration into a text editor on the remote machine Restoring is simply a matter of copying and pasting th...

Page 118: ...ill stop functioning and will be unusable until its flash is reprogrammed at the factory or a recovery boot is performed User care is advised After the upgrade has completed successfully and the Shiva...

Page 119: ...wly than normal At the end of the upgrade all the lights will flash briefly then return to their normal state Warning If the flash upgrade is interrupted e g power down the Shiva VPN Gateway will stop...

Page 120: ...est method to clear the Shiva VPN Gateway s stored configuration information is by pushing the reset button on the back panel of the Shiva VPN Gateway twice within two seconds A bent paper clip is a s...

Page 121: ...ze problems with your Shiva VPN Gateway The report gives the support team important information about any problems you may be experiencing If you experience a fault with your Shiva VPN Gateway and hav...

Page 122: ...Technical Support 122 System Administrator s Guide...

Page 123: ...size prevents brute force attacks Aggressive Mode This Phase 1 keying mode automatically exchanges encryption and authentication keys and uses less messages in the exchange when compared to Main mode...

Page 124: ...fication Authority CA after the CA has verified that the entity is who it says it is Certificate Authority A Certificate Authority is a trusted third party which certifies public key s to truly belong...

Page 125: ...hem into IP addresses A domain name is a meaningful and easy to remember name for an IP address DUN Dial Up Networking Encapsulating Security Payload ESP Encapsulated Security Payload is the IPSec pro...

Page 126: ...evice that allows more than one computer to be connected as a LAN usually using UTP cabling IDB Intruder Detection and Blocking A feature of your Shiva VPN Gateway that detects connection attempts fro...

Page 127: ...olicies will applied is also agreed upon ISAKMP ISAKMP is a framework for doing Security Association Key Management It can in theory be used to produce session keys for many different systems not just...

Page 128: ...e from the gateway itself and not the machines on the local network MD5 Message Digest Algorithm Five is a 128 bit hash It is one of two message digest algorithms available in IPSec NAT Network Addres...

Page 129: ...Point to Point Protocol A networking protocol for establishing simple links between two peers PPPoE Point to Point Protocol over Ethernet A protocol for connecting users on an Ethernet to the Interne...

Page 130: ...ffectively TCP IP Transmission Control Protocol Internet Protocol The basic protocol for Internet communication TCP IP address Fundamental Internet addressing method that uses the form nnn nnn nnn nnn...

Page 131: ...name and public key of the entity requesting the certificate and the CA s signature X 509 certificates are used to authenticate the remote party against a Certificate Authority s CA certificate The CA...

Page 132: ...132 System Administrator s Guide...

Page 133: ...Chapter 8 International Regulatory Information Chapter 8 International Regulatory Information This chapter provides regulatory information for all regions...

Page 134: ...protection against harmful interference in a residential installation This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruc...

Page 135: ...limits for the general population consult safety code 6 obtainable from Health Canada s website www hc sc gc ca rpb Regulatory information for Canada This Class B digital apparatus complies with Cana...

Page 136: ...not allowed to operate the device at any other channel as supported by the device Licence required for every indoor installation please contact ART for procedure to follow Use outdoors is not allowed...

Reviews:

No comments