Multitech RF600 User Manual Download | Manualshive

Page: 111 / 189

background image

Chapter 6 – RouteFinder Software

Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D)

111

VPN > X.509 Certificates

VPN > IPSec Bridging

VPN > x.509 Certificates

X.509 is an International Telecommunication ITU-T and ISO certificate format standard. The last release of this standard was
X.509 Version 3 in the year 1996.
An X.509 certificate is a confirmation of identity by binding an entity's unique name to its public key through the use of a
digital signature. It also contains the unique name of the certificate user. The certificate, issued by a certificate authority,
contains information to protect data or to establish secure network connections.
When you click the

Add

buttons on this screen, secondary screens display.

Certificate of Authority Generation

A Certificate of Authority Generation screen opens when you click the

Add

button. On this screen, you can:

•

Add a self-signed Certificate of Authority (CA) by entering the information necessary to identify your Certificate.

•

Import a selected Certificate of Authority.

•

Add a predefined Certificate of Authority.

Certificate Generation

A Certificate screen opens when you click the

Add

button. On this screen, you can enter the file path and key file

path. Then enter your password and click

Import

. The certificate is then installed.

VPN > IPSec Bridging

IPSec Bridging is a concept by which two IPSec tunnels can be linked as if they form one single tunnel.

Example

(In this example, there are two tunnels):

1.

tun1

between gateways

A

and

B

and

2.

tun2

between gateways

B

and

C

If

A

and

C

have to communicate over a secure channel, then a third tunnel would have had to setup if IPSec Bridging was

not used. But with IPSec Bridging, we can have them communicate through the existing tunnels,

tun1

and

tun2

.

The above concept can be extended to link more than two tunnels, provided they all have one common endpoint.
The common endpoint between tunnels is called a

hub

.

The other endpoints are called bridge

endpoints

.

IPSec Bridging

Check the box to enable IPSec Bridging. If enable IPSec Bridging, then this machine is going to act as a hub.
Upon enabling IPSec Bridging, you will be given options to select the pairs of tunnels for which bridging is to be
setup. See example above.

Bridge Endpoint Setup

Configure a tunnel and two networks by selecting the

From

network, the

To

network, and the

Through

tunnel.

If any packet has a specified source and destination network, the packet will be sent encrypted via the tunnel.

Note:

Packets are sent via the tunnels only if the tunnels are up and running.

«
...
109
110
111
112
113
...
»

Summary of Contents for RF600

Page 1: ...RF760 660 600VPN Internet Security Appliance User Guide ...

Page 2: ...y SMTP SPAM Filtering Remote POP3 Virus Protection section was added to Proxy POP3 Proxy A Message Filtering section was added to Proxy POP3 Proxy POP3SPAM Filtering Adaptive Message Database Backup was added to the Tracking Backup screen The screen for Statistics Logs HTTP Access has been enhanced Hardware change new compact flash Patents This device is covered by one or more of the following U S...

Page 3: ...rewall 17 Typical Applications 20 Chapter 2 Installation 21 Pre Installation Planning 21 Planning and Establishing the Corporate Security Policy 21 Planning the Network 22 Establishing an Address Table 22 System Administrator Required Planning 22 Installation Overview 23 Hardware Installation Procedure 23 Cabling Overview 23 Setting up a Workstation and Starting the RouteFinder VPN 24 Navigating T...

Page 4: ...tworks Services Networks 59 Networks Services Services 61 Networks Services Network Groups 63 Networks Services Service Groups 64 Proxy 65 General Information About Proxies 65 Proxy HTTP Proxy 66 Proxy HTTP Proxy Custom Filters 69 Proxy SMTP Proxy 71 Proxy SMTP Proxy SMTP SPAM Filtering 74 Proxy POP3 Proxy 77 Proxy POP3 Proxy POP3 SPAM Filtering 78 Proxy SOCKS Proxy 80 Proxy DNS Proxy 82 Network S...

Page 5: ...istics Logs Port Scans 126 Statistics Logs View Logs 126 Statistics Logs HTTP Access 127 Statistics Logs DHCP 128 Statistics Logs SMTP POP3 Virus Quarantines 129 Statistics Logs SMTP SPAM Quarantines 129 Statistics Logs Administrative Authentication Log 129 Chapter 7 User Authentication Methods 130 Proxy Services and Authentication Methods 130 Which Method Should You Choose 130 Authentication Setu...

Page 6: ...s 154 Software Add ons 156 Overnight Replacement Service 156 Appendix D CD ROM Drive Adapter and Pin Out 157 CD ROM Drive Adapter Pin Out 157 Appendix E RouteFinder Maintenance 158 Appendix F Ordering Accessories 160 SupplyNet Online Ordering Instructions 160 Appendix G Technical Support 161 Technical Support Contacts 161 Recording RouteFinder Information 161 Appendix H Multi Tech Systems Inc Warr...

Page 7: ... based interface eases VPN configuration and management The VPN functionality is based on the IPSec and PPTP protocols and uses Triple DES 168 bit encryption to ensure that your information remains private In addition the RF760 660VPN includes firewall security utilizing Stateful Packet Inspection and optional email anti virus protection The RouteFinder VPNs can be used on the desktop or mounted i...

Page 8: ...lient to LAN connectivity Multi Tech provides optional IPSec client software The RouteFinder also supports remote users that want to use the PPTP VPN client built into the Windows operating system This provides 40 bit or 128 bit encryption user name and password authentication State of the Art Firewall Security The RouteFinder provides network layer security utilizing Stateful Packet Inspection th...

Page 9: ...Sockets Layer to provide 128 bit encryption to secure the management session The command line interface is accessible via SSH Secure Shell and supports SCP Secure Copy Reporting The RouteFinder also includes a suite of integrated monitoring and reporting tools that help administrators troubleshoot the Internet security system and report to management the usage of the Internet This includes reporti...

Page 10: ... LAN interface and enter another valid license key to proceed further The user has to manually enable the DHCP client PPPoE after entering another valid license key URL Categorization License Key An 11 digit numeric key Universal Resource Locator URL Categorization License Key is also shipped with your RouteFinder This Key allows you to set up a URL database that limits clients access to places on...

Page 11: ...rical storm There may be a remote risk of electrical shock from lightening Do not use the telephone to report a gas leak in the vicinity of the leak To reduce the risk of fire use only No 26 AWG or larger Telecommunications line cord Safety Recommendations for Rack Installations Ensure proper installation of the ROUTEFINDER in a closed or multi unit enclosure by following the recommended installat...

Page 12: ... off 100MB or 10 100 1G For the RF760VPN If the Ethernet link is valid at 10 Mbps the LED is off If the Ethernet link is valid at 100 Mbps the LED is green If the Ethernet link is valid at 1G the LED is orange For the RF660VPN The 100MB LED is lit if the LAN Ethernet port is linked at 100 Mbps The 100 MB LED is off at 10 Mbps DMZ LEDs Description LINK DMZ LINK LED Indicates link integrity for the ...

Page 13: ...et state STATUS STATUS LED Off when the RF600VPN is booting up HDD ACT HDD ACT Hard Disk Drive Activity LED Lights when the RF600VPN hard disk drive is accessed LAN WAN DMZ LED Descriptions 10MB 10MB LED Lights when the LAN client has a valid link at 10MB ACT ACT Activity LED Indicates either transmit or receive activity on the LAN Ethernet port When activity is present on the LAN Ethernet port th...

Page 14: ...ernet 10 100 1000 DMZ Port and an Ethernet 10 100 1000 WAN Port and an Ethernet 10 100 1000 LAN Port RF660VPN Back Panel The RF660VPN back panel has a fan a power plug the POWER Switch O an RJ 11 LINE jack a DB 9 COM1 jack a DB 15 High density DSUB VIDEO jack two USB Revision 1 1 compliant jacks an RJ 45 DMZ jack an RJ 45 WAN jack and an RJ 45 LAN jack RF600VPN Back Panel The RF600VPN back panel h...

Page 15: ...cation Shared secret and built in authentication server Network TCP IP DNS Filtering Protocol port number and IP address Proxies HTTP SMTP DNS SOCKS Recommended Number of Tunnels IPSec 100 50 25 Recommended Number of Tunnels PPTP 100 50 25 Firewall Features RF760VPN RF660VPN RF600VPN Throughput 300M bps 80M bps 20M bps Anti Virus Option Yes Yes Yes Content Filtering Yes Yes Yes Application Proxies...

Page 16: ...0 lbs 4 54 kg Dimensions 17 w 1 75 h 10 5 d 43 18cm 4 45cm 26 67cm Weight 10 lbs 4 54 kg Dimensions 12 w 1 7 h 8 d 30 4cm 4 4cm 20 3cm Weight 5 8 lbs 2 6 kg Operating Environment Temperature Range 32 to 120 F 0 50 C Humidity 25 85 noncondensing Temperature Range 32 to 120 F 0 50 C Humidity 25 85 noncondensing Temperature Range 32 to 120 F 0 50 C Humidity 25 85 noncondensing Approvals FCC Part 68 F...

Page 17: ...e types of networks meet at the firewall 1 External network Wide Area Network WAN 2 Internal Network Local Area Network LAN 3 De Militarized Zone DMZ The Firewall The characteristic tasks of a firewall as a connection between WAN LAN and DMZ are Protection from unauthorized access Access control Ensure information integrity Perform analysis of protocols Alert the administrator of relevant network ...

Page 18: ... application gateway buffering processes are called proxy servers or for short proxies Every proxy can offer further security features for its designed task Proxies generally offer a wide range of security and protocol options Each proxy serves only one or a few application protocols allowing high level security and extensive logging and analysis of the protocol s usage Examples of existing proxie...

Page 19: ... IPv6 ISO Layers and TCP IP Once set up this encrypted connection is used automatically i e without extra configurations or passwords at the client systems regardless of the type of data that is to be transferred This protects the content during the transport At the other end of the connection the transferred data is transparently decoded and is available for the recipient in its original form The...

Page 20: ...a long distance call to the corporate remote access server Branch Office VPN The LAN to LAN VPN application sends network traffic over the branch office Internet connection instead of relying on dedicated leased line connections This can save thousands of dollars in line costs and reduce overall hardware and management expenses Firewall Security As businesses shift from dial up or leased line conn...

Page 21: ...propriate use of the network and other computing resources by any and all users This should include policy statements like password sharing is not permitted users may not share accounts and users may not make copies of copyrighted software 2 Remote Access Outline acceptable and unacceptable means of remotely connecting to the internal network Cover all of the possible ways that users remotely acce...

Page 22: ...p it for future reference IP Address Net Mask Default Gateway Network Card connected to the internal network LAN on eth0 ___ ___ ___ ___ ___ ___ ___ ___ Network Card connected to the external network WAN on eth1 ___ ___ ___ ___ ___ ___ ___ ___ ___ ___ ___ ___ Network Card connected to the DMZ eth2 ___ ___ ___ ___ ___ ___ ___ ___ System Administrator Required Planning The system administrator must ...

Page 23: ...N RF660VPN RF600VPN 1 Using an RJ 45 Ethernet cable connect the DMZ RJ 45 jack to the DMZ device or network Optional for example a Voice over IP gateway 2 Using an RJ 45 Ethernet cable connect the WAN RJ 45 jack to the device for the external network 3 Using an RJ 45 Ethernet cable connect the LAN RJ 45 jack to the internal network switch or hub Note Use a cross over Ethernet cable if connecting t...

Page 24: ...ternet Public IP address so it can be assigned to the WAN port 4 Connect to the Internet at the RouteFinder WAN port Power Up 5 Turn on power to the RouteFinder VPN After several minutes you will hear 5 beeps signifying the software has fully booted Note If you hear a continuous beep or no beep cycle RouteFinder VPN power connect an external monitor and check the hard drive Open a Web Browser 6 Br...

Page 25: ...o not remember the password for security reasons Password Caution Use a safe password Your first name spelled backwards is not a sufficiently safe password a password such as xfT35 4 is better It is recommended that you change the default password Do not keep this default password create your own password 9 If someone else is already logged onto the RouteFinder VPN or you were logged in recently t...

Page 26: ...orks packet filters VPN and proxies Proxy Set up proxies Network Setup Set up the LAN WAN and DMZ Ethernet ports PPP modem link etc DHCP Server Configure the DHCP server settings Tracking Set up tracking of all packets through the network ports in the RouteFinder VPN set up automatic download and upgrade of packages from a specified Update server set up import export backup configurations Packet F...

Page 27: ...te Certificate License Key Intrusion Detection Tools System Scheduler Factory Defaults User Authentication Local Users Radius SAM Restart Shutdown Network Services Network Groups Service Groups HTTP Proxy Custom Filters SMTP Proxy SMTP SPAM Filtering POP3 Proxy POP3 SPAM Filtering SOCKS Proxy DNS Proxy Interface PPP PPPoE DHCP Client Dynamic DNS Routes Masquerading SNAT DNAT Subnet Settings Fixed ...

Page 28: ...323D 28 Chapter 3 Configuration Initial Configuration Step Set Up Your Time Zone Click Administration on the menu bar The System Setup screen displays Set the following Set System Time by selecting your Time Zone Set the current Day Month Year Hour and Minute Administration System Setup System Time ...

Page 29: ...Important Note An initial configuration must be completed for each type of RouteFinder functions firewall configuration LAN to LAN configuration a LAN to Remote Client configuration Note About License Agreements It is suggested that you read the legal information and license agreement before beginning the configuration This information can be found in the Appendix RouteFinder VPN Initial Configura...

Page 30: ...cket Filter Rule LAN ANY ANY ALLOW box This will enable the rule 7 Change Password Settings as appropriate for your network It is highly recommended that you change all default passwords Do not leave them at the defaults 8 Click Save to save the settings you just entered 9 The following message displays Click OK to close the message box and save your changes Click OK to save the changes Please be ...

Page 31: ... 122 1 Host name RF660VPN site A com Eth0 LAN 192 168 2 1 255 255 255 0 Eth1 WAN 204 26 122 103 255 255 255 0 Eth2 DMZ don t care 5 Packet Filters Packet Filter Rules LAN Any Any Accept RemoteLAN Any Any Accept 6 VPN IPSec Check and Save VPN Status Add an IKE connection Connection name SiteA Check Perfect Forward Secrecy Authentication Method Secret Enter secret key must be same on both sides Sele...

Page 32: ... IP address 192 168 10 0 Subnet mask 255 255 255 0 2 Add a network for the remote WAN port public WAN on eth1 at the branch office Enter the following Name RemoteWAN_IP IP address 204 26 122 3 Subnet mask 255 255 255 255 Example 1 will add two network entries to the table on this screen Name IP Address Subnet Mask Options RemoteLAN 192 168 10 0 255 255 255 0 Edit Delete RemoteWAN_IP 204 26 122 3 2...

Page 33: ...or the Remote LAN at the branch office to access the RouteFinder s LAN select the following parameters for the Remote LAN rule RemoteLAN Any Any Accept Note The rule LAN Any Any Accept which displays at the bottom of the screen was created when you performed your initial setup using the Setup Wizard View Rules by clicking the Show button Set Parameters here The rule entered in the 1 lan ANY ANY AC...

Page 34: ... S000323D 34 Set VPN IPSec Protocol Site A Configuration RouteFinder VPN in the Home Office Establish an IPSec Protocol for your remote branch office access click on VPN IPSec 1 Check the VPN Status box and then click Save 2 Click the Add button for Add IKE Connection The VPN IPSec IKE screen displays ...

Page 35: ...RemoteWAN_IP The Remote LAN is the private IP network on the LAN Port of the remote site Example RemoteLAN Leave the Remote LAN blank Note FQDN is a DNS resolvable fully qualified domain name with which the right peer can be identified When FQDN is selected the Remote Gateway IP should be blank Disable UID 4 Click Add 5 The newly created IPSec IKE configuration displays at the bottom of the VPN IP...

Page 36: ...client with SSH Sentinel software For the SSH Sentinel Client Setup at the remote site see the separate SSH Sentinel Guide SSH Sentinel Client Accessing LAN Through RF660VPN RouteFinder Input these parameters on the RF660VPN in the home office 1 Domain name Sentinel 2 Public Class C 204 26 122 x 3 Networks Services Network LAN 192 168 2 0 255 255 255 0 Sentinel_Client 204 26 122 50 255 255 255 255...

Page 37: ...Guide PN S000323D 37 Example 3 Remote Client to LAN Configuration Using DNAT and Aliasing Use this procedure to configure the RF660VPN with DNAT and Aliasing This configuration allows a Windows 2000 Remote Client to Telnet through the RF660VPN to several Windows 2000 Systems located on the LAN ...

Page 38: ...0 600VPN User Guide PN S000323D 38 Example 4 Client to LAN Configuration Using PPTP Tunneling Use this procedure to configure the RF660VPN as a PPTP server for VPN Remote Client Access aka PPTP Roadwarrior configuration Note IPX and Netbeui not supported when using PPTP tunneling ...

Page 39: ...ks in conjunction with the HTTP proxy running in transparent mode The RouteFinder must be connected to the Internet for the URL License to be activated Setting Up HTTP Proxy and URL Filtering Click Proxy from the Menu bar The HTTP Proxy screen displays Check Status box and click Save Important The Status box must be checked before you can enter and activate your URL Categorization License Key Note...

Page 40: ...serial number of the URL License Key and click the Save button IMPORTANT It is important that the serial number be entered in upper case Click the Activate button The categorization engine s expiration date and time display Return to the Proxy HTTP Proxy screen to set your URL filtering categories See the screen on the previous page Check the Transparent box and click Save Check the URL Filter box...

Page 41: ...preset by the URL software For instance if you selected the Finance and Investment category to be filtered try to access www etrade com This site should be blocked A message displays under the URL address stating the status of this Web site Important The sites listed in the Favorites box of the browser will not be blocked unless the cache is emptied in the browser Establishing Filtering Rules for ...

Page 42: ...n and saves you a lot of time that you would otherwise need for corrections and adjustments Menu Bar The Menu bar will provide the organization of this chapter Important Note About Logout Logout Closes the Software Program and Saves Settings The best way to exit WebAdmin is to choose Logout This will save all your current settings The browser connection is terminated and you are returned to the Lo...

Page 43: ...uteFinder general system based parameters System Setup includes general system parameters such as the Administrator s email address SNMP Agent System Logging Remote Syslog Host and the System Time Email Notification Email Address Enter the Email Address of the administrator who will receive the email notifications Click Save You can delete the entry and change it at any time if desired At least on...

Page 44: ...ages from the RouteFinder will be forwarded Click Save The IP address is a required parameter On the remote host syslog should be invoked with the r option to enable the host to receive log messages from other machines This is especially recommended if you want to collect the log files of several systems on one host The default setting is off System Time Select the system time time zone and curren...

Page 45: ...e other options display The TCP port number for the SSH session is specified in the SSH Port Number field the default is Port 22 SSH requires name resolution for the access protocol otherwise a time out occurs with the SSH registration This time out takes about one minute During this time it seems as if the connection is frozen or that it can t be established After that the connection returns to n...

Page 46: ... Time Protocol is an internet protocol used to synchronize the clocks of computers on the network Clicking the SNTP Client check box enables the firewall to act as a SNTP client SNTP Client Check the SNTP Client box to activate SNTP Client SNTP Server Address Enter the IP address of the SNTP Server for which the firewall will contact to synchronize its clock Then click the Save button ...

Page 47: ...e access by moving network hosts names from the Available list to from the Allowed list The RouteFinder will display an ERROR message if you try to delete access to a network that would cause you to lock yourself out Allowed Networks The default Any has been entered here for ease of installation ANY allows administrative access from everywhere once a valid password is provided Caution As soon as y...

Page 48: ... wfelock Administrative Access HTTPS Port This field is used for setting the HTTPS port for Web administration After setting the HTTPS port the connection is terminated The browser settings have to be changed for the new port number before starting the next session By default port 443 is configured for HTTPS sessions The value of the port number should lie between 1 and 65535 Well known ports and ...

Page 49: ...ministrator over the default myname mydomain com Firewall Host Address Enter the RouteFinder s host address Use the same address that you will use to open the Administration Access interface It can be one of the RouteFinder IP addresses Example If you access Administration Access with https 192 168 10 1 the Host Address must also be 192 168 10 1 If you access Administration Access with a DNS host ...

Page 50: ...cense Key screen is re displayed Important The license key number is a 20 digit alphanumeric entry the letters must all be in upper case If you enter your license key number incorrectly the message Error License is invalid is displayed Check the license key number and re enter it One common entry error is mistaking a 0 zero for an o the letter O Another entry error is entering lower case letters o...

Page 51: ...ion Detection for LAN Check the box to enable Network Intrusion Detection for the LAN Then click the Save button Enable Network Intrusion Detection for WAN Check the box to enable Network Intrusion Detection for the WAN Then click the Save button Enable Network Intrusion Detection for DMZ Check the box to enable Network Intrusion Detection for the DMZ Then click the Save button User Defined Networ...

Page 52: ... diagnostic tool to determine if a communication path exists between two devices on the network The utility sends a packet to the specified address and then waits for a reply PING is used primarily to troubleshoot Internet connections but it can be used to test the connection between any devices using the TCP IP protocol If you PING an IP address the PING utility will send four packets and stop If...

Page 53: ...indicate a time out After a fixed number of time outs the attempt is aborted This can have various reasons e g a packet filter doesn t allow Trace Route If it is not possible to locate a name despite activated name resolution the IP address is shown after several attempts instead Host Specify the IP address or the name of the other computer to test this tool Start Click the corresponding Start but...

Page 54: ...me Each Event offers the following time choices minutely every minute twomins every two minutes threemins every three minutes fivemins every five minutes sevenmins every seven minutes elevenmins every eleven minutes thirtymins every thirty minutes hourly every hour daily 1 once a day daily 2 twice a day daily 3 three times a day midnight each day at midnight weekly once a week fortnightly once eve...

Page 55: ...akes the authentication person based i e user based and not IP based thus making a person based Accounting in the HTTP proxy access protocol possible Prerequisite Before you can use Local Authentication you must activate User Authentication for the respective proxy services In Proxy e g Proxy HTTP or Proxy SOCKS check the Local in the Authentication Types menu then click Add User Definition User N...

Page 56: ...ttacks become possible Note In order to use any of these authentication methods you must activate user authentication and the type of authentication for the services Mark the option Local SAM RADIUS in the select menu of the respective services SSH by default authenticates users using the local system and you cannot disable local authentication for SSH whereas for SOCKS and HTTP any type of authen...

Page 57: ...e a backup domain controller enter the PDC name again BDC IP Enter the IP address of the backup domain controller into this field If you do not have a backup domain controller enter the PDC IP address again 2 Confirm your entries by clicking the Save button Important Note If you are using SAM authentication you should deactivate the guest account of your Windows domain Otherwise all user password ...

Page 58: ...RouteFinder This is the correct way to shut down the RouteFinder It ensures that all the services are shut down correctly Are you sure you want to shutdown the system message displays If you do not want to shut down the RouteFinder click the Cancel button to return to the Administration Shutdown menu If you want to shut down the RouteFinder click the OK button to confirm The Login screen displays ...

Page 59: ...was used by SNAT or DNAT the changed will not be performed Add Network Name Enter a straightforward name into the Name entry field This name is later used to set packet filter rules etc Accepted characters alphabetic numerical 0 to 9 the minus sign underscore Maximum characters are 39 IP Address Enter the IP address of the network Subnet Mask Enter the Net Mask How to Confirm Your Entries Confirm ...

Page 60: ...nd Remote LAN dropdown boxes on the VPN IPSec IKE screen Entries on This Screen Affect Other Screens Networks added on this screen will display on the following screens Administration Access Network Groups SSH Packet Filter Rules Network Intrusion Detection Routing Masquerading SNAT DNAT HTTP Proxy SMTP Proxy DNS Proxy IPSec PPTP Network Names added on this screen will be made available to Add All...

Page 61: ...ould not be present in the service or service group list Using a space in the name is not allowed After you have entered the name click the Add button Protocol Select from the following protocols TCP UDP TCP UDP ICMP AH and ESP When you select a protocol the corresponding protocol fields will display Source Port Enter the source port for the service The entry options are a single port e g 80 a lis...

Page 62: ...Changes can be saved using the Save button Notes About Protocols TCP UDP allow both protocols to be active at the same time The ICMP protocol is necessary to test network connections and RouteFinder functionality as well as for diagnostic purposes In the Packet Filter ICMP menu you can enable ICMP Forwarding between networks as well as RouteFinder ICMP reception e g to allow ping support The ESP p...

Page 63: ...g Once a name is entered the Select Group section displays When the View Edit button is clicked the Edit xxxxxx section of the screen displays Add Network Group Enter a unique name for the Network Group This name is used later if you want to perform operations such as setting packet filter rules Click the Add button Select Group Group Names Entered Above Now Display Here Select the group from the ...

Page 64: ...rvice Group This name is required for later operations such as creating a higher level service group or to set packet filter rules Click Add All names will be added to Select Group drop down list box from which you can Edit or Delete a Service Group Select Group Group Names Entered Above Now Display Here Select the group from the drop down list box you would like to Edit or Delete View Edit Group ...

Page 65: ...ternet Explorer 1 Open the menu Extras Internet options 2 Choose the register card Connections 3 Open the menu LAN Settings Extended 4 Under Exceptions enter the IP address of your RouteFinder 5 Click the OK button to save your settings Rules and Suggestions for Using HTTP Proxy A valid name server is required for using an HTTP proxy Administration Access should not be called up via one of its own...

Page 66: ...r notes about using Transparent mode Networks Allowed or Denied To select the networks you want to be available for the HTTP proxy click the Edit button The HTTP Transparent Networks screen displays By clicking the desired Change Status button you change that network s status to Allowed Denied as well as Available Banner Filter Java Script Filter and Cookie Filter To enable any one or any combinat...

Page 67: ...forwarded by the firewall URL Categories allowed filtered On this screen you can change URL categories from Allowed to Filtered and vice versa The Allow and Filter buttons will move a URL Category from Allowed to Filtered box and back again The categories are setup and controlled by SurfControl software which is built into your RouteFinder See URL Categorization in Chapter 2 for a detailed discuss...

Page 68: ...d Authentication Type from the drop down list box Available Authentication Types are Local RADIUS SAM 2 Click the Save button Available Users 1 Select the User you want to have access to HTTP Proxy server from the Available Users list 2 Click the Add button The user now displays in the Allowed Users box You can remove an allowed user by highlighting the name and clicking the Delete button The name...

Page 69: ...ild groups of filters or lists that can be filtered by networks The set of rules for the forwarding and filtered of URLs for a particular network can be configured here Default Action for Custom URL Lists Default Action Select either Allow or Deny for your Custom Filter Click the Save button Add Custom URL List URL List Name A Custom URL Group or List has to be named before defining a rule Enter a...

Page 70: ...to the text box and clicking the Add button URLs can be deleted from the list by selecting it and clicking the Delete button Then click the Save button After making any changes click the Save button to save these changes An access rule consists of three parts 1 Network or Network Group 2 URL Group or List 3 Set either Allow or Deny Example Using a Group Name List Name URL List named List1 contains...

Page 71: ...Emails are transparently scanned for known viruses and other harmful content The SMTP proxy also acts as a gateway for outgoing mail thus taking over the job of email distribution from your internal email system Rules and Suggestions for Using SMTP Proxy For SMTP a valid name server DNS must be enabled The RouteFinder sends notifications to the administrator even if SMTP is disabled The RouteFinde...

Page 72: ...fault route can be specified so that email to any domain is forwarded to the default gateway Example 192 168 1 10 Domain and Host The fully qualified Domain Name and Host of the SMTP Proxy must be entered here Main SMTP Screen Continued Queue Cleanup Click the Clean button to delete emails held in the relay agent s mail queue All mails waiting to be delivered will be cleaned up This option is to b...

Page 73: ...ils to the above listed domains Confirm every selected network by clicking the Add button Note If you assign Any then everybody connected to the Internet can use your SMTP proxy for SPAM purposes SMTP Routes Determine the MTA Mail Transfer Agent to which each incoming domain is forwarded The MTA is determined by its IP address You can also configure the forwarding of email into your internal messa...

Page 74: ...st Enter any sender s email ID that you wish to bypass the spam filtering process Authentic Networks Enter any sender s network name that you wish to bypass the spam filtering process Example testuser routefinder yourdomain com If you want to add email IDs from the domain routerfinder yourdomain com then add it as routefinder yourdomain com Blocked Networks Enter the name s of any network s from w...

Page 75: ... If the patterns match the email will not be relayed Control Characters 1 Exclamation mark Bypass the SPAM check for this entry alone Example All email from or to the domain abc com will be stopped except for test abc com abc com test abc com 2 Asterisk Stop all email from or to this domain Example All email from or to the domain abc com will be stopped abc com 3 Set Stop all email from a set such...

Page 76: ...en add it just as it is If you want to use the entry as a regular expression then enclose the entry with these brackets Note About Wild Card The wild card cannot be used to filter all attachments Adaptive Message Filtering If this operation is enabled then the mail message or body will be searched for auto learned expressions by the Adaptive Message Filtering function Click the Help button for thi...

Page 77: ...isplay after checking the initial check boxes and clicking the Save button POP3 Virus Protection POP3 Virus Protection Check the box to enable POP3 virus scanning of the traffic that goes through the RouteFinder Click the Save button Inform Admin for Virus Mails Check this box to have information sent to the administrator The administrator will receive notification regarding infected emails Save C...

Page 78: ...M Protection Check the box to enable POP3 SPAM Protection Subject of SPAM Mails Enter a word that you would like to add to the subject line of any email identified by the virus scanner as SPAM The word SPAM is a good choice POP3 SPAM Filtering Sender White List Enter the sender email IDs that will not be checked for SPAM For example if all the emails from the specific domain abc com are not to be ...

Page 79: ... If this option is enabled email with an empty sender address is marked as SPAM Bad Pattern in Sender Address The sender email address will be checked to see if matches any of the patterns added the list If there is a match then the email will be marked as SPAM Control Character Asterisk is a general pattern matching character For example if the entry is xyz abc com then all email from the domain ...

Page 80: ...en using SOCKS v4 User Authentication is not possible Socks Default Port 1080 Almost all clients will default to this port setting so it normally does not need to be configured Notes All changes in Proxy become effective immediately without additional notice SOCKS Proxy Status To enable SOCKS check the Status box Click the Save button External Interface The SOCKS Proxy uses an external interface t...

Page 81: ...he users from the right selection box and clicking the Add button These users can also be added by checking the checkbox against SOCKS users in the User Authentication Users section The left box contains SOCKS users and the right box consists of all the local users who are not allowed to access SOCKS Delete Users The users who are now allowed to access the SOCKS Proxy can be changed by selecting t...

Page 82: ...igure several name servers the servers are queried in the listed order DNS Proxy Status To enable the DNS proxy check the DNS Status box Click the Save button Interface to Listen To Select the Interface option from the drop down list box Options include LAN WAN and DMZ Click the Add button Your choice will display in the box under the selection list It you want to change or delete and interface hi...

Page 83: ...lty ARP Address Resolution Protocol resolutions ARP clash Some operating systems e g Microsoft Windows cannot cope with this That is why one network interface should be used per physical segment About the Interfaces Screen The first network card eth0 is always the interface to the internal network LAN It is called the trusted network The second network card eth1 is the interface to the external ne...

Page 84: ...ve button after entering the Host Name Notes If the gateway address and DNS addresses are assigned by a PPPoE server or a DHCP server or through a backup link the value cannot be changed The same IP Address cannot be entered for two different interfaces Domain Name Server External Name Server Enter a name for the Domain Server Click the Add button The name displays in the box just under this field...

Page 85: ...he Proxy ARP on This Interface checkbox the RouteFinder will automatically announce itself as responsible for all packets to destinations for which it has an Interface Route You can use this function to half bridge a network into another LAN segment Note All packet filtering rules still apply when Proxy ARP is enabled This is not a full bridging function If the Proxy ARP on This Interface function...

Page 86: ...ommand in the initialization string see directions below Dial Number Enter the phone number that the modem will use to connect to the PSTN User Name Enter the ISP User Name designated for dialup access Password Enter the ISP Password designated for dialup access the password is optional Enable IP Setting Check this box to enable the IP setting This option can be set to make the firewall negotiate ...

Page 87: ...oint to Point PPP commonly used in dialup connections with the Ethernet protocol which support multiple users in a local area network Important If DHCP client is enabled the PPPoE cannot be used The internet connection can be either PPPoE or DHCP client at any given time PPPoE on WAN Enable PPPoE on WAN To Enable PPPoE on WAN check the corresponding box This will enable the interface connected to ...

Page 88: ...IP address from the DHCP server Important If PPPoE is enabled then DHCP client cannot be enabled The interface to the internet can be either through PPPoE or DHCP client at any time If DHCP client is enabled and if the IP address has been assigned then the following values will be displayed on this screen Assigned IP Address Mask DHCP DNS Address Gateway Address Renew Time time at which the DHCP c...

Page 89: ... Password Enter the password you had specified while registering with the Dynamic DNS server Dynamic DNS Server Enter the server to which you have registered for dynamic DNS service At present only the following servers are supported for this function 1 dyndns org 2 zoneedit com 3 easydns com 4 hn org 5 dslreports com 6 dnspark com Domain Name Enter the domain name which you have registered with t...

Page 90: ...d router is to be responsible for this network Add Routes Interface Route Interface Route Select an already defined network and a network card The entries are confirmed by clicking the Add button Also existing entries can be deleted by highlighting the entry and clicking the Delete button Note While adding a route if the network cannot be reached through that interface the route will not be added ...

Page 91: ...you to hide internal IP addresses and network information from the outside network Masquerading Masquerading Select one of the networks already defined in the Networks menu Select a network from each box from and to networks Add Click the Add button The Masqueraded network route displays below Edit or Delete a Route Select Masqueraded network route from the lower box and click the Edit or Delete b...

Page 92: ...mportant As the translation takes place after the filtering by packet filter rules you must allow connections that concern your SNAT rules in Packet Filters Packet Filter Rules with the original source address Packet filter rules are covered later in this chapter Note To create simple connections from private networks to the Internet you should use the Network Setup Masquerading function instead o...

Page 93: ...of one single address with net mask 255 255 255 255 Post DNAT Destination Select a host to which the IP packets are to be diverted Only one host can be defined as the Post DNAT destination Important If you are using a port range as the Post DNAT Service you must enter the same Service definition as you entered in the Pre DNAT Service In other words you can only map one port range to the same port ...

Page 94: ... you would like to disable it uncheck the DHCP Server on LAN checkbox If you change the check mark click the Save button to activate the change Add Click the Add Subnet button which will open the table for entering the Subnet IP Address and Mask Edit or Delete You can edit or delete entries by selecting the desired entries and clicking either the Edit button or Delete button listed under Options D...

Page 95: ...accounting function Excluding a network from Accounting could be useful if the interface to the DMZ is entered in the Accounting while one particular computer in the DMZ is not to be accounted If this one computer is only to be used for internal purposes it does not make sense to include its information traffic in the accounting balance Note The traffic will be displayed as graphs in Statistics Lo...

Page 96: ...ate Server Server Name and Directory Enter the name or IP address of the server you want to specify as the system update server and enter the path to this server Click the Save button Virus Update Server Server Name and Directory Enter the name or IP address of the server you want to specify as the virus database update server and enter the path to this server This process downloads and installs n...

Page 97: ...d encrypted and read in via an encrypted connection To setup an automatic virus update function check the Enable Update checkbox Then select the time interval after which the system automatically checks for the virus pattern updates at the specified update server The time intervals are hourly daily weekly and monthly Time Interval for Automatic Update of URL Categories Your RouteFinder can be cont...

Page 98: ...well as to use as evidence if and when you discover a successful attack letting you compare the before and after states of the RouteFinder You may want to store all alerts and notifications Passwords are saved but the RSA key is not saved Backup Comments for Export Backup This field is a required field Enter an explanation of the backup file for future reference Click Save This starts the backup a...

Page 99: ...ents for this file to verify that this is the file you want Once you are sure of the file you want click the Import button Download Backup Click the Download button to backup files saved in the firewall to the local machine Status Enable Periodic Backup Place a checkmark in this box to set up an automatic performance of the periodic backups Click the Save button Interval for Periodic Backup Select...

Page 100: ...epository name of TEST the repository name should always be in capital letters 2 Let the path to the repository be usr local cvs 3 Create a repository in the server using the command cvs d usr local TEST init Note A new directory cvsroot will be created under usr local cvs Configuring the CVS Server 1 Add a group CVS to the system Any user who needs to access the repository should be in this group...

Page 101: ...correspondence is found the procedure as determined by action is carried out You can Accept Drop Reject Log the packets When packets are denied Rejected setting an entry in the appropriate log file occurs All rules are entered according to the principle From Client Service To Server Action When setting packet filters the two fundamental types of security policies are All packets are allowed throug...

Page 102: ... packets are sent for the rule to match Network groups can also be selected These network clients or groups must be pre defined in the Networks menu Action Select the action that is to be performed in the case of a successful matching applicable filter rule There are three types of actions Accept This allows accepts all packets that match this rule Reject This blocs all packets that match this rul...

Page 103: ...kbox to enable the forwarding of ICMP packets through the RouteFinder into the local network and all connected DMZs In this way you select whether an ICMP packet should be dropped or passed through to the local network and all connected DMZs If ICMP forward is enabled ICMP packets go through all connected networks Another use of ICMP forwarding is to allow ICMP packets to be forwarded to individua...

Page 104: ...assthrough By default packets with invalid flag combinations or TCP sequence numbers passing via the RouteFinder will be dropped Check the TCP Strict box and click the Save button to allow these packets to passthrough instead of being dropped To maintain the Strict TCP connection default do not check this box Drop Fragmented Packets Dropped Fragmented Packets Enables disables dropping of IP fragme...

Page 105: ... LAN and service DMZ network clients that use a service on a public WAN network server host All Access Requests Traversing Firewall Violating Security Policy Check this box to enable the logging of all access requests from private LAN service DMZ and public WAN network clients to traverse the RouteFinder that violate the configured security policy All Access Requests to Firewall Violating Security...

Page 106: ...ng to an open standard IPSec The IPSec protocol suite based on modern cryptographic technologies provides security services like encryption and authentication at the IP network layer It secures the whole network traffic providing guaranteed security for any application using the network It can be used to create private secured tunnels between two hosts two security gateways or a host and a securit...

Page 107: ...nabled by default Authentication Method Check an authentication method either Secret or RSA signatures Secret If the authentication method is Secret this field must be configured The Secret must be agreed upon and shared by the VPN endpoints it must be configured at both endpoints of the tunnel Select Encryption Select the encryption method 3DES is recommended IKE Life Time The duration for which ...

Page 108: ...When FQDN is selected the Remote Gateway IP should be blank Remote LAN Remote security gateway for which the security services should be provided If the remote end is the host this should be configured as None UID Unique Identifier String It is recommended that you accept the default to disable UID UID is used only for compatibility purposes other IPSec VPN gateways might require you to input a Lo...

Page 109: ...urity Parameter Index identifies a manual connection The SPI is a unique identifier in the SA Secure Association a type of secure connection that allows the receiving computer to select the SA under which a packet will be processed The SPI Base is a number needed by the manual keying code Enter any 3 digit hexadecimal number which is unique for a security association It should be in the form 0xhex...

Page 110: ...e Remote Gateway IP This is the interface in which the IPSec tunnel ends In the case of a Road Warrior with a Dynamic IP address this should be configured as ANY Remote LAN This is the remote security gateway for which the security services are to be provided If the remote end is a host this should be configured as None NetBIOS Broadcast Check this option to enable broadcasts over the connection I...

Page 111: ...reen you can enter the file path and key file path Then enter your password and click Import The certificate is then installed VPN IPSec Bridging IPSec Bridging is a concept by which two IPSec tunnels can be linked as if they form one single tunnel Example In this example there are two tunnels 1 tun1 between gateways A and B and 2 tun2 between gateways B and C If A and C have to communicate over a...

Page 112: ... a PPTP update from Microsoft at http support microsoft com support kb articles Q191 5 40 ASP If you are using Windows or 98 you may also have to update Microsoft RAS update When enabling PPTP for the first time a random network for use as a Pool will be generated Clients will be given addresses from this network range About Setting Up PPTP Users You can define your own pool and set it to be used ...

Page 113: ...the Internet The network must be previously defined in the Networks Services Networks Select the Remote IP address for the PPTP link and click the Save button Then the following fields display Local Address Displays the local IP address of the server the remote clients will access Remote Start Address Displays the first IP address in a range of IP addresses to be assigned to remote clients Remote ...

Page 114: ...Setup Screen General Settings Administrator Mail Address Enter the administrator s mail ID Unlike the Administration System Setup in the Web Management software which allows several entries the screen allows only one ID Host Name Enter the Host Name of your firewall Example format FIREWALL mydomain com LAN Settings LAN IP Address and Subnet Mask Enter the IP address and the mask for the LAN interf...

Page 115: ...hrough Modem Settings Use this checkbox to enable disable the modem PPP dial backup feature If enabled enter the User Name Password Serial Port Baud Rate Dial Number and Initialization Strings for the backup port Password Settings Use this section to change the password for the root user WebAdmin User and the SSH User login user It is highly recommended that you change passwords Save or Cancel Whe...

Page 116: ...tine captures any virus infected emails POP3 Virus Quarantine captures any virus infected emails SMTP SPAM Quarantine using a Message Expression filter and an Attachment filter SPAM emails will not be relayed and will be quarantined in the SPAM area They can then be evaluated by the system administrator Administrative Authentication Log shows successful failed login attempts The data in the logs c...

Page 117: ...dware This screen displays a graphical presentation of the CPU RAM and SWAP utilization by days weeks months and years CPU Statistics Displays the actual usage of the processor on the system RAM Statistics Displays the amount of RAM used by the various RouteFinder processes that are in execution SWAP Statistics Shows the actual usage of the swap space on the system When using the HTTP proxy is in ...

Page 118: ...nterfaces Routing Table Click Routing Table to display the Kernel IP routing table of all entered routes The information includes Destination Gateway Genmask Flags Metric Ref Reference and Use Iface User Interface Important Note Interface routes are inserted by the system and cannot be edited Additional routes can be added in Network Setup Routes This is an example of the Statistics Logs Routing T...

Page 119: ... and the port separated by a colon If you find here for example 192 168 2 43 443 you know that there is an active HTTPS session Foreign Address The destination IP address and port for example 192 168 2 40 1034 State Status of the connection Sets of possible states reported are for example LISTEN ESTABLISHED TIME_WAIT UNIX Connections Example Proto RefCnt Flags Type State PID Program name UNIX 3 AC...

Page 120: ...ears Interfaces must be added on the Tracking Accounting screen Network Traffic Overview LAN WAN DMZ Click the LAN Traffic button for a graphical overview of network traffic on the LAN interface Click the WAN Traffic button for a graphical overview of network traffic on the WAN interface Click the DMZ Traffic button for a graphical overview of network traffic on the DMZ interface Example Statistic...

Page 121: ...ick the SMPT Log button to display real time statistics of the SMTP proxy activities SMTP Message Click the SMTP Message button to display a graph showing the number of messages in the queue waiting to be processed and the number of messages which are processed separated by days weeks months and years SMTP Concurrency Click the SMTP Concurrency button to display the number of SMTP connections alre...

Page 122: ...ated for each month The displayed traffic will match what your ISP charges if your service is volume based Important You define which interfaces and networks are included on this screen in the Tracking Accounting menu Interface Based Accounting Display accounting information for all the interfaces Interfaces must be added on the Tracking Accounting screen IP Based Accounting Displays a graph of tr...

Page 123: ...ention becomes almost obsolete resulting in less work for the administrator The RouteFinder s Self Monitoring function ensures that the central services e g the RouteFinder MiddleWare daemon the Syslog daemon the HTTP proxy or the network accounting daemon function smoothly The access rights to files are controlled as is the individual process share of consumption of the system resources This prev...

Page 124: ... results of a successful attack You will probably want to keep log information in a location separate from the RouteFinder to keep an intruder from destroying the log data upon compromising the RouteFinder PPTP Live Log Click PPTP Live Log button to display all the important information about PPTP logins successful as well as failed the encryption strength 128 or 40 bit the mode of authentication ...

Page 125: ...lter with Action as LOG the packets matching the corresponding source address and service will be logged Show Logs Select the packets to be displayed by checking the box next to the packet category Check Auto Refresh if you like the screen to refresh every 30 seconds Select the number of lines from the log database to display on the screen Enter the Search Pattern Within Results Enter the text pat...

Page 126: ...ion Live Log button to display the User Defined Intrusion Detection rules entered on the Administration Intrusion Detection screen Portscan Live Log Click the Portscan Live Log button to display detected port scans The source address the destination address protocol source port and destination port of these packets will be displayed Statistics Logs View Logs Various log files maintained by the Rou...

Page 127: ...ess Report from the Remote Client Generate HTTP Reject Reports 1 Click the Generate button to generate the current day s HTTP Reject report 2 Select a file from the remote client server by browsing to the file name and then clicking the Generate button This will generate the HTTP Reject Report from the Remote Client View HTTP Access Reports See HTTP screen at top of the page The report shows where...

Page 128: ... Multi Tech Systems Inc RouteFinderVPN RF760 660 600VPN User Guide PN S000323D 128 Statistics Logs DHCP Statistics Logs DHCP This live Log gives information about the DHCP leases that have been provided so far Example of a DHCP Log ...

Page 129: ...n filter or Attachment Filtering is enabled in Proxy SPAM Filtering and if such emails are to be relayed by the firewall these emails will not be relayed and they will be saved in the SPAM quarantine area These emails can be viewed by the administrator who can then take action as to whether or not to delete or forward the emails to the email ID Statistics Logs Administrative Authentication Log Adm...

Page 130: ...it is very easy to set up if you already run a PDC Primary Domain Controller on your network The disadvantage is that only a flat authentication model is supported meaning that either ALL or NONE of the existing users in the NT Domain will be allowed to use a proxy service meaning that you cannot differentiate between User A and User B Local RouteFinder User Authentication This method does not nee...

Page 131: ...sh to provide to your users For clarity give the groups descriptive names for example call the group multitech _http_users 4 Put the users in the newly created groups for using the respective proxy services 5 Enter the IAS administration interface at Start Programs Administrative Tools Internet Authentication Service and add a new client using these settings Friendly Name routefinder Protocol RADI...

Page 132: ...e the NT 2000 server name and an IP address Put these values in the configuration of the NT SAM method in User Authentication RADIUS SAM as PDC Name and PDC address If you have a Backup domain controller also enter its corresponding values in User Authentication RADIUS SAM Finally you need the default domain to authenticate against This will be overridden if users specify their user name as DOMAIN...

Page 133: ...such as DSL or cable modems where only one TCP IP address is provided by the ISP The user may have many private addresses behind this single address provided by the ISP Q5 What is a DMZ A5 The DMZ Demilitarized Zone is a partially protected area where you can install public services A device in the DMZ should not be fully trusted and should only be used for a single purpose such as a web server or...

Page 134: ... servers You don t need to bind those IP addresses to the external interface as long as they are routed to the RouteFinder The problem is that the IP packets have to reach the interface There are 2 ways to accomplish this 1 Bind an alias IP to the external interface so that it answers ARP requests for this IP and the IP packets are sent to the ARP Address of this NIC card If you re ready to do som...

Page 135: ...ace i e Internal Network External 4 Define Packet filter Rules and Proxy Settings Now you have set your Security Policy in terms of what is allowed and what is not allowed The RouteFinder uses stateful inspection so you only have to define which services are allowed the way back is opened automatically e g Internal Network FTP Any Accept Peters Laptop Telnet Any Accept If you want to use the Proxi...

Page 136: ...1 Can DES be exported from the U S to other countries A21 For years the government rarely approved the export of DES for use outside of the financial sector or by foreign subsidiaries of U S companies Several years ago export policy was changed to allow the unrestricted export of DES to companies that demonstrate plans to implement key recovery systems in a few years Today Triple DES is exportable...

Page 137: ... the characteristics after the translation For example If you translate SRC 192 168 10 1 into SRC 1 2 10 1 you must allow 1 2 10 1 any any Note that these are examples only Q26 What does SOCKS stand for A26 SOCK et S was an internal development name that remained after release Q27 How is SOCKS V5 different from SOCKS V4 A27 SOCKS V4 does not support authentication and UDP proxy SOCKS V5 supports a...

Page 138: ...otocol There are two documents describing Version 4 SOCKS V4 protocol and extension to SOCKS V4 protocol There are three RFCs for SOCKS V5 related protocols RFC1928 Describes SOCKS Version 5 protocol also known as Authenticated Firewall Traversal AFT RFC1929 Describes Username Password authentication for SOCKS V5 RFC1961 Describes GSS API authentication for SOCKS V5 Q35 Why does the password echo ...

Page 139: ...s and you have the problem of your client computer timing out while waiting for the ICS demand dial router to establish the connection For example your Web browser might report your home site as unreachable because TCP times out before the server can establish the connection TCP sets a retransmission timer when it attempts the first data transmission for a connection with an initial retransmission...

Page 140: ...able and active Internet connections traffic Interfaces displays network traffic on each interface LAN WAN DMZ SMTP Proxy displays email usage and status Accounting calculates and displays external NIC IP packet byte counts Self Monitor provides email notification of system level issues IPSec displays VPN information PPTP displays processes and error messages Packet Filters displays defined filter...

Page 141: ...tup History Log 147 IX User Log 147 X Fragmented Dropped Log 147 XI ICMP Information 148 Table of Figures Figure 1 Inbound Access 143 Figure 2 Snapshot of Inbound Access Log 143 Figure 3 Inbound Access DNAT with Connection Tracking 144 Figure 4 Outbound Access 145 Figure 5 Snapshot of Outbound Access Log 145 Figure 6 Snapshot of Outbound Access Log with Connection Tracking 145 Figure 7 Snapshot of...

Page 142: ...pshot of Inbound Access Figure 3 shows a snapshot of Inbound Access with DNAT and Connection Tracking Outbound Access Request Each access request from the internal network LAN DMZ to the external network WAN that passes through the firewall is termed as an Outbound Access Request All requests routed out through the WAN interface to servers connected on or through the WAN Interface are considered O...

Page 143: ...er Rules and selecting LOG as the action Note User logging is allowed only on routed packets Figure 13 shows a snapshot of user defined log Fragmented Packets Log Fragments packets can be logged as Dropped Fragmented Logging of Dropped Fragmented Packets can be configured through Packet Filters Advanced Drop Fragmented Packets Logging is allowed only if fragments are dropped Figure 14 shows a snap...

Page 144: ...ATTED to 192 168 1 76 on port 62191 Remarks Inbound Accepted SRC 204 26 122 9 DST 202 54 39 103 SPORT 41216 DPORT 21 Dnat ip port 192 168 1 76 21 o Inbound Accepted Inbound Log o SRC 204 26 122 9 DST 202 54 39 103 SPORT 41216 DPORT 21 This corresponds to the CONTROL connection information for this data connection o Dnat ip port 192 168 1 76 21 This corresponds to the CONTROL connection s DNATTED i...

Page 145: ...ulti Tech Systems Inc RouteFinderVPN RF760 660 600VPN User Guide PN S000323D 145 III Outbound Access Log Figure 4 Outbound Access Figure 5 Snapshot of Outbound Access Log Figure 6 Snapshot of Outbound Access Log with Connection Tracking ...

Page 146: ...destination port 32824 Remarks Outbound SRC 192 168 1 212 DST 195 220 108 108 SPORT 32823 DPORT 21 o Outbound Outbound Log o SRC 192 168 1 212 DST 195 220 108 108 SPORT 32823 DPORT 21 This corresponds to the CONTROL connection information for this data connection Slno 4 corresponds to the PASV Data connection originated from 192 168 1 212 destined to 195 220 108 108 Remarks Outbound SRC 192 168 1 ...

Page 147: ...rative Authentication Logs Figure 10 Snapshot of Administrative Authentication Log VII Admin Port Access Log Figure 11 Snapshot of Admin Port Access Log VIII Startup History Log Figure 12 Snapshot of Startup History IX User Log Figure 13 Snapshot of User Log X Fragmented Dropped Log Figure 14 Snapshot of Fragmented Dropped Log ...

Page 148: ...Appendix A Disposition of Events Multi Tech Systems Inc RouteFinderVPN RF760 660 600VPN User Guide PN S000323D 148 XI ICMP Information Figure 15 Snapshot of Log with ICMP Information ...

Page 149: ... If you boot directory has a file named creat_netinstall_cfg then the Rescue Kernel is installed OR Connect a keyboard and monitor to your RouteFinder When you power on the RouteFinder if you see that the LILO prompt pauses for a few seconds and during the pause if you can see the Boot prompt when you press the ALT TAB keys then the Rescue Kernel is installed 2 Configuration Backup Backup your cur...

Page 150: ...erform Steps 3 4 and 5 if Rescue Kernel is already installed Check to see if the boot directory contains the file named create_netinstall_Cfg If this file is present then Rescue Kernel is already installed 3 Use SSH to access the RouteFinder box and use the WinSCP utility to copy RFNetInstall rpm to the home loginuser directory Download the RFNetInstall rpm from ftp ftp multitech com routers RFNet...

Page 151: ...our FTP server on the same machine by access IP ftp 127 0 0 1 Please contact our support multitech com for a link to download the RouteFinder ISO image In the Jgaa FTP server you will need to increase the number for allowing more FTP sessions and allowing more TCP connections Change both of the settings to 10 Important Note DO NOT perform Step 3 4 and 5 if Rescue Kernel is already installed Check ...

Page 152: ... systems are totally corrupted and the RouteFinder can boot only with Rescue Kernel Assumption Rescue Kernel is already installed in your system 1 Set up an external FTP server Refer to the steps above in Method 2 2 Connect a monitor and keyboard to the RouteFinder box During bootup right after the BIOS messages you must press ALT TAB when you see the word LILO You have only a few seconds so you w...

Page 153: ...F660VPN The hard drive mount for the RF760VPN is the same except that some of the board components differ The hard drive mount for the RF600VPN is on the left side of the its board PC Board Component Descriptions U17 Not used 2 5 20 GB EIDE Hard Disk HD Drive a mini hard disk drive that provides system storage The HD drive can be upgraded in the field for additional storage and can be replaced wit...

Page 154: ...ndard grounding supplies and procedures so that you do not damage the PC board or upgrade components Top Cover Removal As the first step for all upgrade procedures use this procedure to remove the RouteFinder top cover 1 Turn off RouteFinder power and remove the RouteFinder power cord 2 Remove all of the RouteFinder back panel cable connections 3 Remove the retaining screws that secure the top cov...

Page 155: ...e far right CD ROM Drive Add on The Hard Disk drive ribbon cable is terminated with a connector for the HD drive as well as a connector for connecting a CD ROM drive To connect a CD ROM drive perform the following procedure 1 Remove the RouteFinder top cover using the procedure earlier in this chapter 2 Remove the TY RAP holding down the cable 3 Remove the 44 pin 40 pin converter from the cable 4 ...

Page 156: ...rn files at user defined intervals See Chapter 3 for more Update Services information The optional email virus protection subscription utilizes a high performance ICSA tested anti virus engine which checks both incoming and outgoing email for viruses in real time See the Tracking section The RouteFinder Email Anti Virus software is an optional purchase For a free 30 day evaluation go to http www m...

Page 157: ...e ribbon cable The adapter is polarity sensitive It will not work if the adapter is inverted CD ROM Drive Adapter Pin Out The 44 pin m to 40 pin f adapter pin out is shown below P1 is the 44 pin male header P2 is the 40 pin female box header P1 _ P2 1 1 2 2 3 3 4 4 5 5 6 6 7 7 8 8 9 9 10 10 11 11 12 12 13 13 14 14 15 15 16 16 17 17 18 18 19 19 P1 P2 21 21 22 22 23 23 24 24 25 25 26 26 27 27 28 28 ...

Page 158: ... to decrypt it Public key cryptography provides excellent data protection but it s fairly slow A convenient method is to use a temporary key AKA a session key for most transactions and then destroy the session key when the transaction is completed Here a secure protocol negotiates a session key that is used for a single transaction The session key is still unpredictable and secure but takes a lot ...

Page 159: ...hey could close the most dangerous holes first It is segmented into three categories General Vulnerabilities Windows Vulnerabilities and Unix Vulnerabilities The SANS FBI Top Twenty list is valuable because the majority of successful attacks on computer systems via the Internet can be traced to exploitation of security flaws on this list While manually checking a system for each of the listed vuln...

Page 160: ...lley Cottage NY 10989 Phone 800 826 0279 Fax 914 267 2420 Email info thesupplynet com Internet http www thesupplynet com SupplyNet Online Ordering Instructions 1 Browse to http www thesupplynet com In the Browse by Manufacturer drop down list select Multi Tech and click GO 2 To order type in the quantity and click Add to Order 3 Click Review Order to change your order 4 After you have selected all...

Page 161: ...________ Serial No _________________________ Software Version ____________________ License Key No _____ _____ _____ _____ URL Filter Key _______________________ These numbers are located on the bottom of your RouteFinder The Software Version is displayed at the top of the Home screen Provide the configuration information e g Default Gateway and other IP addresses used from the Address Table in Cha...

Page 162: ...e problem a return shipping address must have street address not P O Box your telephone number and if the product is out of warranty a check or purchase order for repair charges For out of warranty repair charges go to COMPANY Policies warranty Extended two year overnight replacement service agreements are available for selected products Please call MTS customer service at 888 288 5470 or visit ou...

Page 163: ...on physical abuse or user caused damages are billed on a time plus materials basis Repair Procedures for International Distributors International distributors should contact their MTS International sales representative for information about the repair of the Multi Tech products Please direct your questions regarding technical matters product configuration verification that the product is defective...

Page 164: ...l Service Order Code connecting arrangement for this equipment is shown If applicable the facility interface codes FIC and service order codes SOC are shown 3 An FCC compliant telephone cord with modular plug is provided with this equipment This equipment is designed to be connected to the phone network or premises wiring using a compatible modular jack which is Part 68 compliant See installation ...

Page 165: ...safety requirements The Department does not guarantee the equipment will operate to the user s satisfaction Before installing this equipment users should ensure that it is permissible to be connected to the facilities of the local telecommunications company The equipment must also be installed using an acceptable method of connection The customer should be aware that compliance with the above cond...

Page 166: ...ees and or agents without prior written consent from MTS Customer acknowledges that the techniques algorithms and processes contained in the software are proprietary to MTS and Customer agrees not to use or disclose such information except as necessary to use the software Customer shall take reasonable steps consistent with steps taken to protect its own proprietary information to prevent the unau...

Page 167: ...tion of this software in any form to any third party without the prior express written approval of Multi Tech Systems Inc Licensee is hereby informed that this Software contains confidential proprietary and valuable trade secrets developed by or licensed to Multi Tech Systems Inc and agrees that sole ownership shall remain with Multi Tech Systems Inc The Software and documentation are copyrighted ...

Page 168: ...ogram is not restricted and the output from the Program is covered only if its contents constitute a work based on the Program independent of having been made by running the Program Whether that is true depends on what the Program does 1 You may copy and distribute verbatim copies of the Program s source code as you receive it in any medium provided that you conspicuously and appropriately publish...

Page 169: ...orceable under any particular circumstance the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims this section has the sole purpose of protecting the integrity of the free software distri...

Page 170: ...E In consideration of payment of the license fee which is a part of the price Licensee paid to use this Software and Licensee s agreement to abide by the terms and conditions of this License SurfControl grants to Licensee a non exclusive non transferable right to use this copy of the Software only on a single network so long as Licensee complies with the terms and conditions of this License The So...

Page 171: ...Superior and Municipal Courts of the State of California Santa Clara County in any litigation arising out of or in connection with the License The parties expressly disclaim application of the United Nations Convention on Contracts for the International Sale of Goods 10 LIMITED WARRANTY AND DISCLAIMER OF WARRANTY SURFCONTROL WARRANTS THAT ON THE DATE THE LICENSE REGISTRATION FORM IS COMPLETED AND ...

Page 172: ... any other application in which the failure of the Software could lead directly to death personal injury or severe physical or property damage collectively High Risk Activities SurfControl expressly disclaims any express or implied warranty of fitness for High Risk Activities 16 MISCELLANEOUS Licensee acknowledges and agrees that SurfControl may use Licensee s name in SurfControl s marketing mater...

Page 173: ...es not intend to make such information available for any reason including without limitation costs you shall be permitted to take such steps to achieve interoperability provided that you may only reverse engineer or decompile to the extent permitted by law You shall not nor permit any third party to copy other than as expressly permitted herein make error corrections to or otherwise modify adapt o...

Page 174: ...ng the supply or purported supply of failure to supply or delay in supplying the Software or the Documentation which might but for this paragraph v have effect between the Kaspersky Lab and your or would otherwise be implied into or incorporated into this Agreement or any collateral contract whether by statute common law or otherwise all of which are hereby excluded including without limitation th...

Page 175: ...nance the costs of recovery from municipal collection points reuse and recycling of specified percentages per the WEEE requirements Instructions for Disposal of WEEE by Users in the European Union The symbol shown below is on the product or on its packaging which indicates that this product must not be disposed of with other waste Instead it is the user s responsibility to dispose of the user s wa...

Page 176: ...my replacing DES The algorithms used by the Rijndael AES have since been adopted by businesses and organizations worldwide Alias A name usually short easy to remember is translated into another name usually long and difficult to remember Anonymous FTP Anonymous FTP allows a user to retrieve documents files programs and other archived data from anywhere in the Internet without having to establish a...

Page 177: ...e been revoked before their expiration date Cipher An encryption decryption algorithm Ciphertext Encrypted data Client Server Model A common way to describe the paradigm of many network protocols Examples include the name server name resolver relationship in DNS and the file server file client relationship in NFS CHAP Challenge Handshake Authentication Protocol An IETF standard for authentication ...

Page 178: ... services that only run there available to the Internet The use of private IP addresses in combination with Network Address Translation NAT in the form of Masquerading Source NAT SNAT and Destination NAT DNAT allows a whole network to hide behind one or a few IP addresses preventing the identification of your network topology from the outside With these mechanisms Internet connectivity remains ava...

Page 179: ...d Finger since the utility was basically designed for tracking down people The Finger Information Protocol let UNIX users on college campuses create a profile called a Plan page which included personal and job related information A Plan page was similar to a personal home page on the Internet today So when someone Fingered your email address they learned more about you The Finger utility is a comm...

Page 180: ...hat identifies the devices using the IP protocol An IP address can be unicast broadcast or multicast See RFC 791 for more information Every host has a clear IP address comparable with a telephone number An IP address consists of four decimal numbers between 1 and 254 divided by dots e g a possible IP address is 212 6 145 0 At least one name of the form xxx belongs to every IP address e g xxx This ...

Page 181: ...e process of mapping a name into its corresponding address NAT Network Address Translation IP NAT is comprised of a series of IETF standards covering various implementations of the IP Network Address Translator NAT translates multiple IP addresses on the private LAN to one public address that is sent out to the Internet This adds a level of security since the address of a PC connected to the priva...

Page 182: ...tandardized sentence of commands and answers with whose help a client and a server can communicate Well known protocols and the services they provide are for example HTTP www FTP ftp and NNTP news Proxy Application Gateway The task of a proxy Application Gateway is to completely separate the communication connections between the external network Internet and the internal network LAN There must be ...

Page 183: ...l file transfer transferring only the differences instead of entire files Rsync was developed by Andrew Tridgell and Paul Mackerras the rsync daemon rsyncd provides an efficient secure method for making files available to remote sites Rules The configuration settings used to set how packets are filtered The rules are set with the network and service definitions set up in the Networks Services menu...

Page 184: ... a reserved SPI value will not normally be assigned by IANA unless the use of the assigned SPI value is specified in an RFC It is ordinarily selected by the destination system upon establishment of an SA You can define SPI and other protocols for the RouteFinder from VPN IPSEC SPI is defined in RFC 2401 SSH Secure Shell is a text oriented interface to a firewall suitable only for experienced admin...

Page 185: ...ETF RFC 768 UNC Universal Naming Convention path A UNC path e g server is used to help establish a link to a network drive URL Universal Resource Locator URLs are used to describe the location of web pages and are also used in many other contexts An example of an URL is http www ssh com ipsec index html URLs are defined in IETF RFCs 1738 and 1808 Verification The act of recognizing that a person o...

Page 186: ... VPN example 20 Broadcast on whole Internet 102 Browser 24 C Cabling 23 Case sensitive password 25 CD ROM Adding 155 CD ROM Drive Adapter Dimensions 157 CD ROM Drive Adapter Pin Out 157 Certificate of Authority Generation 111 Change the country region code 86 Changing Passwords 30 Checking disk usage of quarantined emails 54 Client and site filtering 7 Client to LAN Configuration Using PPTP Tunnel...

Page 187: ...ISO Image Directions 149 ISO Layers and TCP IP 19 K Kaspersky Standard End User License Agreement 173 Key exchanges 7 Keyboard Connection 155 L LAN 17 LAN eth0 85 LEDs 12 License Key 50 License Key for AntiVirus software 10 License Key for System License 10 License Key for URL Categorization 10 License Keys 10 Licenses GNU General Public License 168 Kaspersky Standard End User License Agreement 17...

Page 188: ...161 Recovery CD 9 Regulatory Information 164 Remote Client to LAN setup 36 Remote Syslog Host 44 Remote User 15 Remote User example 20 Removing the Top Cover 154 Reporting function 7 Rescue Kernel 149 Restart 58 RouteFinder Technology Overview 17 Routes 90 Routing table 118 RSA digital signatures 7 RSA Key 98 Rules for Using SMTP Proxy 71 S SAM 57 SAM Prerequisite 57 Save Settings 42 Secure local ...

Page 189: ...96 Tracking Version Control 100 Tracking bounced emails 54 Tracking bounced RouteFinder emails 54 Tracking SMTP Report Logs 54 Traffic monitoring and reporting 7 Transparent mode 66 Troubleshooting 139 Tunnels 15 Typical applications 20 U Update Service 96 Updating 159 Upgrade the Processor 154 Uptime Logs 117 URL Categories 67 URL Categorization 39 URL Categorization Key 50 URL Categorization Lic...

Reviews:

No comments

Related manuals for RF600

PathBuilder S200 Series

Brand: 3Com Pages: 31

OfficeConnect 3C855

Brand: 3Com Pages: 3

OfficeConnect 3C855

Brand: 3Com Pages: 4

Brand: C-Bus Pages: 36

Brand: Quark-Elec Pages: 2

Brand: Billion Pages: 35

ASinterfoce AC1325

Brand: IFM Electronic Pages: 23

ePAQ-942 Series

Brand: QEI Pages: 42

Brand: Luminext Pages: 8

Conquest HPO-9007 Series

Brand: KMC Controls Pages: 6

Brand: ZyXEL Communications Pages: 2

Brand: FarSite Communications Pages: 2

DataRoute voice

Brand: Telecom FM Pages: 55

Brand: ZyXEL Communications Pages: 307

Brand: Mavix Pages: 73

4S Media Server

Brand: Snom Pages: 102

Brand: AirLive Pages: 225

Brand: Rosslare Pages: 28

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands