1. Functional description
1.1 FIREWALL AND VPN FUNCTIONS
Firewall functions
The EAGLE mGuard FW supports the
following firewall functions:
– Stateful inspection firewall
– Transparent firewall:
  single client / multi client
– Configurable firewall rules for:
  – received/transmitted data traffic
  – modem access
  – external management access
– IP masquerading, 1-to-1 NAT
– IP spoofing protection
VPN functions
The EAGLE mGuard supports the following
virtual private network (VPN) functions:
– Multipoint VPN:
  router and single client transparent mode
– VPN protocols: IPsec, L2TP
– Encryption algorithms:
  – DES-56
  – 3DES-168
  – AES-128, AES-192, AES-256
– Authentication:
  – pre-shared key (PSK)
  – X.509v3 certificates
– Hashing algorithms: MD5, SHA-1
– NAT-T support
– Firewall rules for every VPN connection
1.2 OPERATION MODES
This device protects the network which is to
be safeguarded (trusted port (k)) from outside
influences (untrusted port (g)). These can be
intentional attacks or unauthorized accesses
as well as disturbing network events such as
overload.
In the state of delivery the device operates
in the multi client transparent mode (MCT
mode). In this mode no network settings
(e.g. for subnets) are necessary for operation.
This pre-configuration of the firewall ensures
that all IP traffic from the trusted network
(k) to the untrusted network is possible, but
not the other way round: traffic from the
untrusted (g) to the trusted network is not
possible. Therefore, already in the state of
delivery configuration, attacks from outside
into the trusted network are not possible.
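As an added illustration of the delivery-state policy described above (this is not code from the manual or from the device firmware), the following Python model shows how a stateful filter with a trusted port (k) and an untrusted port (g) lets outbound traffic and its replies through while dropping unsolicited packets from the untrusted side. The addresses and flows are constructed sample values, and the flow tracking is a deliberate simplification of real stateful inspection (no timeouts, no TCP state machine).

```python
from dataclasses import dataclass

TRUSTED = "trusted"      # port k: the network to be protected
UNTRUSTED = "untrusted"  # port g: the outside world


@dataclass(frozen=True)
class Packet:
    ingress: str   # port the packet arrived on: TRUSTED or UNTRUSTED
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class DeliveryStateFirewall:
    """Model of the factory-default policy: everything arriving on the
    trusted port passes and creates a flow entry; packets arriving on
    the untrusted port pass only if they answer a known flow."""

    def __init__(self):
        self.flows = set()   # 5-tuples of flows initiated from the trusted side

    def filter(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.ingress == TRUSTED:
            self.flows.add(fwd)          # remember the outbound flow
            return "ACCEPT"
        # untrusted side: accept only the reverse direction of a known flow
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if rev in self.flows else "DROP"


def run_scenario():
    """Constructed traffic: a client behind port k opens a connection to a
    web server outside, then an outside host tries to reach the client."""
    fw = DeliveryStateFirewall()
    packets = [
        Packet(TRUSTED, "tcp", "192.0.2.10", 40000, "198.51.100.5", 80),    # client -> server
        Packet(UNTRUSTED, "tcp", "198.51.100.5", 80, "192.0.2.10", 40000),  # server reply: known flow
        Packet(UNTRUSTED, "tcp", "198.51.100.5", 80, "192.0.2.10", 40001),  # wrong client port: no flow
        Packet(UNTRUSTED, "tcp", "203.0.113.7", 51000, "192.0.2.10", 22),   # unsolicited inbound
        Packet(UNTRUSTED, "tcp", "198.51.100.5", 80, "192.0.2.10", 40000),  # later reply, still known
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
```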
Multi Client Transparent Mode
(MCT mode) – Single Client
Transparent Mode (SCT mode)
The MCT/SCT mode is a transparent bridge
mode. In this mode the device operates as a
2 port bridge where only IP and ARP frames
are transmitted, in compliance with the
firewall rules.
Access to the device is also possible without
configuring its IP address, using the
address 1.1.1.1.
In the MCT mode several clients are supported
in the network which is to be protected,
whereas in the SCT mode only one client is
possible.
Please note that you have to carry out
the corresponding IP configurations in the
MCT mode.
Note:
In the MCT mode no virtual private
networks (VPN) are supported.
Router mode
In the router mode the device operates as a
2 port router. The corresponding IP
configurations have to be carried out. You
will find a detailed description in the EAGLE
mGuard manual.
Note:
In the router mode a further network
access to the trusted network is supported
via the V.24 interface of the EAGLE mGuard,
using PPP. In this case communication
with the EAGLE mGuard itself or with the
devices in the trusted network is possible,
in compliance with the firewall rules for the
modem connection.
PPPoE/PPTP mode
In the PPPoE/PPTP mode the EAGLE
mGuard operates the same way as in the
router mode, with the difference that on the
trusted port (k) the PPPoE/PPTP protocol is
used. This makes internet access possible,
e.g. via a DSL modem.
1.3 SPECIFIC FUNCTIONS OF THE
TP/TX INTERFACE
Link control
The EAGLE mGuard monitors the connected
TP/TX line segments for short-circuit or
interruption using regular link test pulses in
accordance with IEEE standard 802.3
10/100BASE-T/TX. The EAGLE mGuard does
not transmit any data to a TP/TX segment
from which it does not receive a link test
pulse.
Note:
A non-occupied interface is assessed
as a line interruption. The TP/TX line to
terminal equipment which is switched off is
likewise assessed as a line interruption, as
the de-energised bus coupler cannot
transmit link test pulses.
Auto polarity exchange
If the receive line pair is incorrectly connected
(RD+ and RD- swapped), the polarity is
automatically reversed.
Autonegotiation
Autonegotiation is a procedure in which the
device automatically selects the operating
mode of its 10/100 RJ-45 ports. When a
connection is set up for the first time, the
device detects the speed (10 or 100 Mbit/s)
and the transmission mode of the connected
network (half duplex or full duplex).
Autocrossing
If the autonegotiation function is active, the
EAGLE mGuard detects the transmit and
receive pairs (MDI, MDI-X). The EAGLE
mGuard automatically configures its port
for the correct transmit and receive pins.
Consequently it does not matter whether
you connect devices using a cross-over or
straight cable.
Fig. 1: Overview of interfaces, display elements and controls of the EAGLE mGuard
[Figure: front views of the device variants. Labelled elements:
– 6-pin terminal block (screw locking mechanism): +24V (P1), +24V (P2), 0V, 0V, FAULT
– LED display elements: P, FAULT, STATUS, LS/DA for ports 1 and 2
– Recovery button
– V.24 interface: external management and modem
– MAC address field (label), IP address field
– Port 1 (trusted, k) and Port 2 (untrusted, g): TX (RJ45 connector, autonegotiation + autopolarity + autocrossing) or FX (SC connector; multimode, singlemode, longhaul)]
Port types per variant (TX = twisted pair RJ45; MM SC = multimode, SM SC = singlemode, LH SC = longhaul fiber with SC connector):
Variant                        Port 1 (trusted)   Port 2 (untrusted)
EAGLE mGuard TX/TX             TX                 TX
EAGLE mGuard TX/MM SC          TX                 MM SC
EAGLE mGuard TX/SM SC          TX                 SM SC
EAGLE mGuard TX/LH SC          TX                 LH SC
EAGLE mGuard MM SC/TX          MM SC              TX
EAGLE mGuard MM SC/MM SC       MM SC              MM SC
EAGLE mGuard MM SC/SM SC       MM SC              SM SC
EAGLE mGuard MM SC/LH SC       MM SC              LH SC
EAGLE mGuard FW TX/TX          TX                 TX
EAGLE mGuard FW TX/MM SC       TX                 MM SC
EAGLE mGuard FW TX/SM SC       TX                 SM SC
EAGLE mGuard FW TX/LH SC       TX                 LH SC
EAGLE mGuard FW MM SC/TX       MM SC              TX
EAGLE mGuard FW MM SC/MM SC    MM SC              MM SC
EAGLE mGuard FW MM SC/SM SC    MM SC              SM SC
EAGLE mGuard FW MM SC/LH SC    MM SC              LH SC