manualshive.com logo in svg

Multitech RouteFinder RF650VPN, User Manual, Page: 101 / 240

Share
Download
Multitech RouteFinder RF650VPN User Manual Download Page 101

Chapter 3 – RouteFinder Software Operation

Multi-Tech RouteFinder RF650VPN User Guide

101

Set Packet Filter Rules

1.

Open the Rules menu in the Packet Filter directory.

2.

From the From (Client) select menu, select the network from which the information packet must be
sent for the rule to match.  At  From (Client):  you can also select network groups.
The selection Any matches all IP addresses, regardless of whether they are officially assigned
addresses, or so-called private addresses according to RFC1918.  The initial From (Client):
select options are {Private Network - RFC1918}Any, and PPTP-Pool.

3.

From the Service select menu, select the service that is to be matched with the rule.  The Service
menu lists the predefined services as well as those you have defined. With the help of these services,
the information traffic to be filtered can be precisely defined. The default entry Any selects all
combinations of protocols and parameters (e.g., ports).  The Service selections include {netbios},
{ping}{traceroute}AnyDNSFTPFTP-CONTROLHBCIHTTPHTTPSIDENTNEWS,
POP3SMTPSNMPTelnetnetbios-dgmnetbios-ns, and netbios-ssn.

4.

Select the network which the information packet must be sent to for the rule to match from the To
(Server) select menu. At the To (Server) menu you can also select network groups.
The selection Any, applies to all IP addresses, regardless of whether they are officially assigned
addresses or so-called private addresses according to RFC1918. The initial To (Server):
select options are {Private Network - RFC1918}Any, and PPTP-Pool.

5.

In Action, select the action (Allow, Drop, or Deny) that the packet filter executes if the rule matches:
Allow: all packets that match this rule are let through.
Drop: all packets that meet this condition are blocked, but do not appear in the log. To the host
sending the packet, it will appear as if the target address is not responding. 
The action Drop is recommended for filter violations that constantly take place, are not security
relevant and only flood the LiveLog with meaningless messages (e.g., NETBIOS-Broadcasts from
Windows computers).
Deny: all packets that match this rule are blocked and visibly recorded as violations in the Filter
LiveLog. The host sending the packet will be informed that the packet has been rejected.

6.

Confirm your entry by clicking the Add button.  After a successful definition, the rule is always added
to the end of the rule set table. Rules are added in the deactivated state, indicated by the red traffic
lights.  You are then offered further functions for editing the packet filter rules.

Note: By default, new rules are created at the end of the table in the inactive state.
The rule only becomes effective if you assign the active state. Refer to the section on
Rule active/inactive in this chapter.

Summary of Contents for RouteFinder RF650VPN

Page 1: ...RF650VPN Internet Security Appliance User Guide...

Page 2: ...al released for RouteFinder software version 1 92 B 12 04 01 Manual revised for RouteFinder software version 2 00 Refer to Appendix C for a description of changes C 02 25 02 Updated with changes to Ap...

Page 3: ...Introduction 34 System 35 Definitions Networks and Services 63 Network Network Settings 74 Proxies Application Gateways 111 VPN Virtual Private Networks 121 Help The Online Help Functions 158 Chapter...

Page 4: ...plication Examples and How to Use Remote Syslog 195 Appendix B Cable Diagrams 203 Appendix C The WebAdmin Menu System 206 Appendix D User Authentication Methods 211 Appendix E Regulatory Information 2...

Page 5: ...ultiVOIPs and public servers such as email and web to be safely connected And its full featured router hardware allows the entire network to share an Internet link by connecting to an existing cable m...

Page 6: ...ther 10 Mbps or 100 Mbps the LINK LED is on if the WAN Ethernet link is invalid the LINK LED is off ACT The ACT Activity LED indicates either transmit or receive activity on the WAN Ethernet port When...

Page 7: ...el components are described in detail in the Cabling Procedure section in Chapter 2 of this manual Ship Kit Contents The RF650VPN is shipped with the following one RF650VPN one or two power cords two...

Page 8: ...net access for up to 255 LAN users with one IP address Internet access control tools provide client and site filtering Traffic monitoring and reporting IP address mapping port forwarding and DMZ port...

Page 9: ...tification Contact the SANS at http www sans org newlook home htm Linux FreeS WAN is an implementation of IPSEC and IKE for Linux Several companies are co operating in the S WAN Secure Wide Area Netwo...

Page 10: ...been developed and work has begun on defining and mapping the GASSP Broad Functional Principles Go to http web mit edu security www gassp1 html The Center for Internet Security The Center founded in...

Page 11: ...y policy must also address who is allowed high speed remote access and any extra requirements associated with that privilege e g all remote access via DSL requires that a firewall be installed You wil...

Page 12: ...nd from 1995 to 2001 the world wide increase in domains names has been almost exponential The systems in the global network communicate via the Internet Protocol Family IP including TCP UDP or ICMP Th...

Page 13: ...cations running on the machine In more complex network layer firewall implementations the packet filtering process includes the interpretation of the packet payload The status of every current connect...

Page 14: ...ogging and analysis of the protocol s usage Examples of existing proxies are The SMTP proxy responsible for email distribution and virus checking The HTTP proxy supporting Java JavaScript ActiveX Filt...

Page 15: ...nternet Each of these methods has advantages and disadvantages as there is a conflict between the resulting costs and the security requirements Virtual Private Networking VPN establishs secure i e enc...

Page 16: ...nts Note Please print this document and use it to fill in your specific RouteFinder and network information e g the IP address used e mail lists etc Enter the configuration information e g the Default...

Page 17: ...ppropriate field of the Address Table below Please print this document and use it to fill in your specific RF650VPN and network information e g the IP address used e mail lists etc and keep for future...

Page 18: ...s for battery replacement Caution The Phone and Ethernet ports are not designed to be connected to a Public Telecommunication Network Safety Recommendations for Rack Installations Ensure proper instal...

Page 19: ...LAN Port RF650VPN Back Panel Connections 1 Using an RJ 45 cable connect the DMZ RJ 45 jack to the DMZ optional e g a Voice over IP gateway like MultiVOIPs or a public server such as e mail or web 2 U...

Page 20: ...workstation to the RF650VPN s LAN port via Ethernet 2 Set the workstation IP address to 192 168 2 x subnet 3 Connect to the Internet at the RF650VPN WAN port 4 Make an Internet PUBLIC IP address so it...

Page 21: ...o the Password entry and type the default Password of admin all lower case Click Login The User and Password entries are case sensitive both must be all lower case and can be up to 12 characters each...

Page 22: ...n status light next to a function indicates that the function is enabled to disable the function click the Disable button next to the green status light A red status light next to a function indicates...

Page 23: ...Guide 23 1 At the Welcome to WebAdmin screen click on System Settings The following screen displays a Add your own email address for alerts and notification b Remove the default email address c Optio...

Page 24: ...on the LAN port the Private LAN on eth0 For example Name LAN IP address 192 168 2 0 Subnet mask 255 255 255 0 3 Click on Network Interfaces The Local Host screen displays Required changes a Change the...

Page 25: ...order for you to configure the RouteFinder again You also need to reconfigure step 2 so your new IP network is defined e Click Save on the Network card eth0 settings Required changes f Change the IP...

Page 26: ...will enable NAT between the LAN port and the WAN port 5 Click on Packet Filter Rules a Add the rule Any Any Any Allow This allows any service from any server to any client Note you will want to change...

Page 27: ...en using PPTP tunneling 1 Check the following on the Microsoft web site for PPTP updates and patches http support microsoft com support kb articles Q285 1 89 ASP and http support microsoft com support...

Page 28: ...k on VPN PPTP Roadwarrior VPN The PPTP Remote Access screen displays a Enable PPTP Status b Enable Debug c Select an Encryption Strength and click Save d Click on Definitions Networks e In the Command...

Page 29: ...part of the main IP network of the LAN port private LAN You can assign up to 128 addresses g Click on Definitions Users h The User definition screen displays Define a new user check Remote access PPT...

Page 30: ...N configuration is shown below a LAN to LAN configuration is shown at the end of this section The IPSec VPN Gateway Client to LAN configuration aka IPSec roadwarrior configuration is shown below IPSec...

Page 31: ...dd network screen displays Define all the Networks and Hosts for the VPN connection 2 Click on VPN IPSEC Configurations The Edit rule screen displays a Enable VPN Status b Enable IKE Debugging c At Ne...

Page 32: ...of the WAN port Local subnet should be the private IP Network on the LAN port f Select the Remote IP and Remote subnet The Remote IP should be the Public IP address of the WAN port on the remote site...

Page 33: ...H and SCP clients can be downloaded from http www chiark greenend org uk sgtatham PuTTY http winscp vse cz eng http www ssh com products ssh 1 The login name for SSH loginuser default login name and d...

Page 34: ...ed Secure Shell ssh access The aim of the administrator should be to let as little as possible and as much as necessary through the RouteFinder for both incoming as well as outgoing connections Note F...

Page 35: ...ser Guide 35 System The System menu contains all of the functional configuration sub menus for the RouteFinder Settings Licensing Up2Date Service Backup User Authentication WebAdmin Site Certificate S...

Page 36: ...3 RouteFinder Software Operation Multi Tech RouteFinder RF650VPN User Guide 36 Settings From System Settings you can define Notifications SSH WebAdmin HTTPS WebAdmin password Automatic Disconnect Syst...

Page 37: ...try Remote Syslog In the Remote Syslog window select the desired Remote Syslog host from the drop down box and click Save Remote Syslog lets you pass on all log messages of the firewall to another sys...

Page 38: ...akes about one minute During this time it seems as if the connection is frozen or can t be established After that the connection returns to normal without any further delay The networks that are to be...

Page 39: ...TP provides full flexibility of cryptographic algorithms modes and parameters The Allowed Networks dropdown list lets you select the networks from which access to WebAdmin is allowed You can Add new s...

Page 40: ...n session without leaving WebAdmin via Exit the last session stays active until the end of the time out and no new administrator can log in If using ssh you can manually remove the active session if y...

Page 41: ...time period as a straight line at the height of the old value All the values for Accounting in this time period are 0 Backward time adjustment summer to wintertime The time based reports already conta...

Page 42: ...support Each RF650VPN ships with a unique individual License Key It is a 35 digit code that is provided on the RouteFinder s System CD Enter the license key for your RouteFinder and click Add When yo...

Page 43: ...is mistaking a 0 zero for an o the letter O Another error is entering upper case letters or symbols The License Key number is tied to and tracked with your RouteFinder s serial number Whenever you re...

Page 44: ...Up2Date service your RouteFinder can be continually updated with new virus patterns system patches and security features The Up2Dates are signed and encrypted and are read in via an encrypted connecti...

Page 45: ...virus detection patterns for the firewall s virus scanner Click the Start button in the bottom table to start the Pattern Up2Date process To ensure that patterns stay up to date at all times this pro...

Page 46: ...time interval after which the RouteFinder checks for new Up2Dates at the specified Up2Date server The selectable time intervals are Every hour Every night and Every week 3 Save the time interval by cl...

Page 47: ...en read in the backup the comment is displayed 3 Click the Start button to create the backup file The backup file that contains your configuration is now created on theRouteFinder The message Backup h...

Page 48: ...n compatible backup a brief summary of the backup content is displayed 5 Verify the backup information 6 Import the backup file into the active system by clicking the Start button The backup is then i...

Page 49: ...ile sent to the indicated e mail address is typically from 3 10 Kb in size To delete an unneeded e mail address highlight it click Delete then click Save Generate E mail Backup File 1 Open the Backup...

Page 50: ...ed not be created on the RouteFinder again User authentication is also used with the PPTP VPN function More information about PPTP Roadwarrior VPN is in the VPN directory later in this chapter At the...

Page 51: ...erver for user authentication Radius also manages technical information needed for the communication of the router with the equipment of the caller This includes for example the protocols used IP addr...

Page 52: ...ers Now assign all those users that are to be able to use the appropriate service to this group 3 Activate the user flag Allow dial in access to the network of every user in these groups This setting...

Page 53: ...ster 11 If User Authentication is still disabled red light activate it by clicking the Enable button At Authentication types choose Radius from this select menu 12 Confirm your entries by clicking the...

Page 54: ...DNS names The RouteFinder only supports names consisting of alphanumeric and minus and full stop characters Special characters such as _ are not permitted PDC IP Enter the IP address of the primary do...

Page 55: ...your browser Create a Site Certificate for WebAdmin 1 Open the WebAdmin site certificate menu in the System directory 2 Enter your organization s data into the select menu entry fields Country code U...

Page 56: ...curity Alert window install import the CA certificate into your browser by clicking the Yes button at the bottom of the screen 3 If your browser asks you what to do with the file tell it to open it im...

Page 57: ...n the certificate and click OK The Save As screen displays 6 Enter the filename and location to save the certificate file and click Save The Download complete screen displays 7 Check the Close this di...

Page 58: ...Tech RouteFinder RF650VPN User Guide 58 Install a Certificate into the Trusted Root Certification Authorities Store 1 At the Certificate Information window click Install Certificate 2 At the Welcome...

Page 59: ...he certificate automatically placed or you can Browse to a particular location If you elect to place all certificates into a selected location follow the on screen prompts for Select Certificate Store...

Page 60: ...the Certificate Information window click OK The certificate is successfully installed Note Due to system time differences and world timezone offsets it may be that the generated certificate is report...

Page 61: ...ge Do you really want to shut down is displayed If you do not want to shut down the RouteFinder click the Cancel button to return to the System Shut down menu If you want to shut down the RouteFinder...

Page 62: ...really want to shut down is displayed Click the OK button to confirm that you want to restart the RouteFinder WebAdmin software The complete restart can take 4 to 5 minutes When the restart process is...

Page 63: ...efinitions names instead of having to deal with IP addresses ports and network masks Being able to group networks and services is an additional step saver All settings that are then made in the networ...

Page 64: ...not be deleted or edited Add Network 1 Open the Network menu in the Definitions directory 2 Enter a straightforward name into the Name entry field This name is later used to set packet filter rules et...

Page 65: ...creen is displayed You can then edit an existing entry s Name IP address or Subnet mask Delete Network You can remove a network from the list by clicking the del Command the message Do you really want...

Page 66: ...be added or deleted together Note Every change in Network Groups is effective immediately Define Group Networks 1 Open the Network Groups menu in the Definitions directory 2 Assign a straightforward...

Page 67: ...to edit from the Name select menu 3 Click the Show button All the networks that are in the selected network group are displayed in the Selected Networks menu The Available Networks window lists all t...

Page 68: ...Any ICMP AH and ESP UDP uses ports between 0 and 65535 and is a protocol that doesn t use the ACK Bit UDP is well suited for streaming media and works faster than TCP especially when sending small am...

Page 69: ...e g 80 a list of port numbers separated by commas e g 25 80 110 or a port range e g 1024 64000 separated by a colon 5 Set the D Port Server destination port number The entry options are a single port...

Page 70: ...erations such as creating a higher level service group or to set packet filter rules 3 Confirm your entries by clicking Add The Edit Group menu is displayed All available services are contained in the...

Page 71: ...elected Service group The Available Services window lists all the services defined for your RouteFinder Remove Service 1 Open the Service Groups menu in the Definitions directory 2 In Show Group selec...

Page 72: ...should be able to use proxy services This setting is equivalent to adding the user to the allowed user list in the proxy configuration pages Available proxies are HTTP and SOCKS Add User 1 Open the Us...

Page 73: ...Chapter 3 RouteFinder Software Operation Multi Tech RouteFinder RF650VPN User Guide 73 Delete user By clicking the Delete button you delete the user from the Users table...

Page 74: ...SNAT the destination and source address of the IP packets are converted With Masquerading you can hide private networks from the outside world behind one official IP address The Portscan detection me...

Page 75: ...or the RouteFinder The first network card eth0 is always the interface to the internal network LAN and is called the trusted network The second network card eth1 is the interface to the external netwo...

Page 76: ...der IP address is entered as the default gateway in the protected networks Interfaces Menu During initial installation the RouteFinder automatically recognises the installed network cards and adds the...

Page 77: ...has an Interface Route You can use this function to half bridge a network into another LAN segment NOTE All packet filtering rules still apply when Proxy ARP is enabled This is not a full bridging fun...

Page 78: ...er to re establish access When you make a change that effects other WebAdmin functions and configurations an information screen displays If the automatic changes are acceptable continue editing If the...

Page 79: ...rd for all the networks known to it This means that the RouteFinder will accept and forward packets on the Proxy ARP interface for all other directly connected networks This function is necessary in s...

Page 80: ...sk in the appropriate entry fields 3 Confirm your entry by clicking the Save button Proxy ARP on This Interface If you select the Proxy ARP on this Interface checkbox for a network card the RouteFinde...

Page 81: ...e It is recommended that you set your computer with a static IP if you want to use DMZ Proxy ARP on this Interface If you checked the Proxy ARP on this Interface checkbox for a network card the RouteF...

Page 82: ...face Hardware Interface select eth0 for the internal LAN eth1 for the external WAN or eth2 for the DMZ IP Address enter the network IP address for the network named Netmask enter the Netmask to be use...

Page 83: ...ed to which interface Choose a predefined network or network card from the pull down list When you edit and or delete existing routing entries the interface adapts accordingly Static Routing Use this...

Page 84: ...his network Using the menus select which network is routed onto which interface Define Interface Routing 1 Open the Routing menu in the Network directory 2 Select one of the already defined networks a...

Page 85: ...n the Routing menu in the Network directory 2 Select an already defined network from the select menu in Static IP route 3 Enter the external IP address into the entry field on the right 4 Confirm your...

Page 86: ...g table The columns Destination Gateway and Iface interface are especially relevant Destination is the address of the target system or network Gateway is the address of the router Iface Interface indi...

Page 87: ...server with the IP address 192 168 0 20 accessible to clients outside your LAN These clients cannot contact its address directly as the IP address is not routed in the Internet It is however possible...

Page 88: ...t mask 255 255 255 255 3 In Post DNAT destination select a host to which the IP packets are to be diverted Only one host can be defined as the Post DNAT destination If you are using a port range as th...

Page 89: ...ranges are also possible From the Source drop down list you can select Any default DNS FTP FTP CONTROL HBCI HTTP HTTPS IDENT NEWS POP 3 SMTP SNMP SSH Telnet netbios dgm netbios ns or netbios ssn Dest...

Page 90: ...included in the translation The translation only takes place if the packet is sent via the indicated network interface The address of this interface is used as the new source of the data packets This...

Page 91: ...Computer A with the address XY is inside a masked network within the RouteFinder It starts an HTTP request into the Internet Computer A and all computers in this network use the only official IP addre...

Page 92: ...ith the Enable button next to Status The default setting is enabled green traffic light 3 From the Action for portscanner traffic select menu choose the action to be carried out against the discovered...

Page 93: ...ion Normal network activities such as Traceroute or an FTP data traffic with many small files can be interpreted as a portscan by PSD For this reason it is recommendable to exclude certain source and...

Page 94: ...the connection to a remote host The program Ping sends an ICMP echo packet to a different computer When the computer receives the ICMP echo packet its TCP IP Stack must send an ICMP reply packet back...

Page 95: ...100 pings 3 Enter the IP address or the name into the Host entry field e g port 25 for SMTP 4 To activate the Name Resolution function check the corresponding check box 5 Start the test connection by...

Page 96: ...ear to indicate a time out After a fixed number of time outs the attempt is aborted This can have various reasons e g a packet filter doesn t allow traceroute Should no name be locatable despite activ...

Page 97: ...ress and port 80 HTTP service Note For the Name Resolution function to operate the DNS proxy function in the Proxies DNS menu must be enabled Start TCP Connect 1 Open the Tools menu in the Network dir...

Page 98: ...face to the DMZ is entered in the accounting but one particular computer in the DMZ is not to be accounted As this one computer might only be used for internal purposes it does not make sense to inclu...

Page 99: ...g Rules All data traffic is filtered by the packet filter according to a set of rules that you define in Packet Filter Rules This set of rules is a central tool of your IT security Generally speaking...

Page 100: ...ng from four drop down lists All services networks and groups previously created in Definitions are presented for selection In Edit rule use the Save button to create the appropriate rule as a new lin...

Page 101: ...groups The selection Any applies to all IP addresses regardless of whether they are officially assigned addresses or so called private addresses according to RFC1918 The initial To Server select optio...

Page 102: ...rule set the rules are sorted accordingly E g if you want to sort the table according to sender networks click From Client To go back to the order of Matching click Nr Broadcast on the whole Internet...

Page 103: ...If the ICMP settings are disabled separate IPs and networks can be allowed to send ICMP packets through the RouteFinder by using appropriate packet filter rules ICMP Forwarding At Packet Filter ICMP...

Page 104: ...or passed through to the local network and all connected DMZs Note To be able to use the tools Traceroute and Ping the function ICMP on firewall must be enabled After a successful start up of the Rout...

Page 105: ...ilter violations in real time The Filter LiveLog reports the packet filter and NAT rules The Packet filter violation Log shows the packets that have not successfully passed the rule set of the packet...

Page 106: ...see the result of the filter rule set in real time All the system generated filter rules are also shown here For the Current packet filter rules display fields the rules are currently valid and are ta...

Page 107: ...et filter rules i e you must scroll past the former to view the later If an application such as online banking is not working after implementing the RouteFinder you can see if any packets were filtere...

Page 108: ...e log with the latest violation information To re start the violation log again click start LiveLog The RouteFinder logging function is extremely important to your organization s security The logs pro...

Page 109: ...wledge PSH Push the current packet RST Reset the current connection SYN Session request FIN Request to close a session By selecting open Packetfilter violation LiveLog you can view violations in real...

Page 110: ...accept rule as well as the Statefull Inspection rule that accepts all ESTABLISHED and RELATED connections TTT_ACCEPT In this Chain you find the rules defined in WebAdmin which have an interface ip eit...

Page 111: ...ls it usually offers more sophisticated features for logging and real time analysis of transferred content In the Proxies directory select a proxy entry and configure the settings At startup all proxi...

Page 112: ...an active Proxy you need matching browser settings TCP IP address of your RouteFinder and port 8080 otherwise the Proxy must be run in transparent mode Requests to HTTPS TCP IP port 443 are forwarded...

Page 113: ...a configured browser the proxy can only be run in transparent mode Transparent mode The HTTP requests to port 80 are transferred from the internal network and diverted through the proxy For the browse...

Page 114: ...the menu Edit Settings Extended Proxies 2 At manual proxies configuration click the View button 3 At No proxy for enter the IP address of your RouteFinder 4 Click the OK button to save the entries In...

Page 115: ...filter enabled you can still save cookies by using JavaScript by configuring your browser settings as follows Netscape EDIT PREFERENCES ADVANCED MSIE EXTRAS SECURITY ADJUST SETTINGS COOKIES SCRIPTING...

Page 116: ...ithout further notice Configure SMTP Proxy 1 Open the SMTP menu in the Proxies directory 2 Clicking the Enable button next to Status to switch on enable the SMTP proxy 3 Configure the SMTP proxy using...

Page 117: ...any time Note if you assign Any then everybody connected to the Internet can use your SMTP proxy for SPAM purposes SMTP routes here you determine the MTA Mail Transfer Agent to which each incoming do...

Page 118: ...of the external name server into the entry field Confirm every IP address by clicking the Add button The name servers are entered into a window below and can be deleted again any time DNS administrato...

Page 119: ...lly does not need to be configured Note All changes in Proxies becomes effective immediately without additional notice Note If SOCKS5 clients that do not resolve DNS names themselves are being used th...

Page 120: ...0 the standard SOCKS port must be entered in the client application s configuration You can add multiple interfaces to listen on for more advanced configurations Finally select if you would like to us...

Page 121: ...and data encryption according to an open standard IPSec VPN secured connections only allow authenticated stations to communicate with each other No one else can read or change the information of these...

Page 122: ...exchange A VPN server is a economical and secure way to transfer information and can replace expensive dedicated lines between companies or branches Example You are a member of an IT team at company...

Page 123: ...n indicates that the function is enabled to disable the function click the Disable button next to the greenstatus light A red status light next to a function indicates that the function is disabled to...

Page 124: ...supported by both sides of the connection Authentication method secret Secret means that a symmetric key exists Both the Sender and Recipient must own the same for all other secrets key to establish...

Page 125: ...LAN 3 Confirm the name by clicking the Add button Additional entry fields and selection options display in the New connection window 4 Using the entry and select menus configure the new VPN connectio...

Page 126: ...irewall that is to be accessed from the local site or from which you want to be able access the local site 5 Save the entries by clicking the Save button After you have created a VPN tunnel at Packet...

Page 127: ...nection ESP the ESP Encapsulating Security Payload method enter an option for ESP typically IPSEC encryption mode Settings here are for encryption using triple DES and authentication using MD5 The sel...

Page 128: ...ible that due to the time out mechanism WebAdmin will close even though generation of the RSA key is still underway This is because the generation of the RSA key is taking too long or the time out per...

Page 129: ...t use the old RSA key will become inoperable We recommend using RSA keys with a minimum length of 1536 Bits To generate a new RSA key at VPN IPSec RSA key Generate RSA key perform the following steps...

Page 130: ...Key XXX Bits The transmission state of the private part of your RSA key to the VPN counterpart is displayed here When you configure a new VPN connection if you use an IPSec Connection with the authori...

Page 131: ...Export RSA key With this function you can export your RSA key and download it onto your local administration pc Make sure that no one receives unauthorized access to the RSA keys To export an RSA key...

Page 132: ...Tu Krbc71H4oIFd xqKJnt U8x25M0Wbxr0gQngECdZPWHj6KeSVtMtslzXMkxDecdawo CadPtPiH Iln23GKUOt3GoDVMob fob9wBYbwdHOxPAYtN QBxNPEU9PGMxQdYp8io72cy0duJNCXkEVvpvYvVzkmp0x VYOWYkfjiPsdhnz5FCitEh6XsCe0ctByoLjKA...

Page 133: ...ng RSA key at VPN IPSec RSA key perform the following steps 1 Under Import RSA key to the right of Option to import an RSA key click Browse The Windows Choose file screen is displayed to let you selec...

Page 134: ...ou can view important processes or error messages VPN logs By clicking the VPN LiveLog button you open a new window in which you can view VPN activities in real time VPN Routing This window shows all...

Page 135: ...own pool in Definitions Networks and set it to be used as the PPTP pool here Alternatively you can assign a special IP to each user when you define their account see Definitions Users This IP does NO...

Page 136: ...twork as the PPTP IP pool The users of the PPTP service are defined in Definitions Users where you can also assign IP addresses to certain users These IP addresses do not need to be part of the used p...

Page 137: ...soft Windows 98 and Windows ME MS Windows 2000 only has a standard 40 bit encryption strength setting For a 128 bit encryption strength you also need the High Encryption Pack or Service Pack 2 SP2 can...

Page 138: ...ame for the PPTP connection into the entry field of the Complete Wizard window Then click the Next button 13 By right clicking the new symbol in the Start Settings Network and DUN connections window y...

Page 139: ...plays external NIC IP packet byte counts Selfmonitor provides e mail notification of system level issues Portscans disables and logs attempted portscans The data in the Reporting logs could be useful...

Page 140: ...ry to cover up the issue e g missing log files or deleted entries 3 Most mysteries Unknowns don t mean anything Most of the time the issue turns out to be a client user error or a glitch in reporting...

Page 141: ...teFinder displays a System uptime window which documents the availability of your RouteFinder the time elapsed between the last boot and the current time This menu shows the date when your system was...

Page 142: ...of the graph or by clicking on the respective graphic you open additional graphs with the daily weekly monthly and yearly usage statistics on CPU RAM and SWAP utilization By clicking Back in the top r...

Page 143: ...M The more RouteFinder processes that are in execution the less RAM is available SWAP utilization This function reflects the actual usage of the swap file on the RouteFinder s hard disk drive The used...

Page 144: ...played with the average weekly monthly or yearly values By clicking the Back button you go back to the original overview In the Internal Network traffic window the day s data traffic utilization is sh...

Page 145: ...ce routes are inserted by the system and cannot be edited Further manual entries can be made in the Network Routing menu described earlier in this chapter The Network connections table shows all the c...

Page 146: ...n Foreign Address the destination IP address and port for example 192 168 2 40 1034 State the status of the connection The set of possible states reported are for example LISTEN ESTABLISHED TIME_WAIT...

Page 147: ...the average daily weekly monthly and yearly values By clicking the Back button you go back to the original overview For this reporting the HTTP proxy function must be enabled otherwise the diagrams on...

Page 148: ...uide 148 The HTTP memory hits diagram shows the percentage of cache hits occurring while the requested object was still in RAM as opposed to being loaded from disk Note For this reporting the HTTP pro...

Page 149: ...oxy The Reporting SMTP proxy menu displays the RouteFinder s SMTP proxy e mail usage and status in two windows called SMTP Logs and SMTP Status SMTP Logs shows a real time log of the e mail traffic vi...

Page 150: ...ch RouteFinder RF650VPN User Guide 150 A sample SMTP LiveLog screen is shown below When SMTP LiveLog is inactive click start LiveLog to begin real time logging SMTP activity When SMTP LiveLog is activ...

Page 151: ...utgoing e mails Messages in queue Shows the total number of e mail messages in the RouteFinder s SMTP proxy queue Messages in queue but not yet pre processed Shows the number of received and queued me...

Page 152: ...e Select All checkbox or select an individual entry select a function from the dropdown list e g delete selected entry and click Go The selected function is performed on the selected e mail s By click...

Page 153: ...rk cards and sums up their sizes Each day s total is calculated once a day Additionally the number of bytes of data is calculated for each month The displayed traffic will match what your ISP charges...

Page 154: ...e information Selfmonitoring controls the function performance and security of the system parameters and takes regulating measures when it detects divergences that go beyond a certain tolerance The sy...

Page 155: ...Chapter 3 RouteFinder Software Operation Multi Tech RouteFinder RF650VPN User Guide 155...

Page 156: ...onitoring LiveLog active click stop LiveLog at the bottom of the Selfmonitoring display to halt the real time Selfmonitoring log With the Selfmonitoring LiveLog inactive click start LiveLog at the bot...

Page 157: ...porting Portscans by clicking the open Portscan LiveLog button A Portscan Detection PSD LiveLog window is displayed If a portscan is detected and blocked the administrator is notified by e mail The e...

Page 158: ...you can perform a full text search The search is not case sensitive The search results are displayed in the order of appearance of the term you searched for You can limit the number of search results...

Page 159: ...Help Index all WebAdmin menus are listed alphabetically The indicated path states where the particular function is to be found in WebAdmin By clicking the desired term Online Help is started and the...

Page 160: ...on bar Exit Exit RouteFinder If you close the browser in the middle of a WebAdmin session via Exit the last session stays active until the end of the time out and no new administrator can log in The t...

Page 161: ...teFinder can connect individual telecommuters to the office network by creating a separate secure tunnel for each connection or it can connect entire remote office networks together as a LAN to LAN co...

Page 162: ...content Q10 Is Virtual Server support provided on my RouteFinder A10 Yes in addition to providing shared Internet access the RouteFinder can support a web ftp or other Internet servers Once configured...

Page 163: ...n IP alias on your NIC and make a script in etc rc d rc2 d to have it run at each boot put it at S99 to be sure Just don t use ifconfig to do that as it is deprecated in 2 4 kernels The command to add...

Page 164: ...terfaces in Network Interfaces Here you define your Network Interface settings as well as your default gateway for example Internal 192 168 100 1 255 255 255 255 External 194 162 134 10 255 255 255 12...

Page 165: ...s Since government encryption policy is influenced by the agencies responsible for gathering domestic and international intelligence e g the FBI and NSA the government tries to balance the conflicting...

Page 166: ...8 1 10 255 255 255 255 ASL_Extern 1 2 3 4 255 255 255 255 Go to Definitions Services and define entries for the control connection and the passive mode port range that the RouteFinder will use FTP_ALT...

Page 167: ...anonymous ftp from ftp ftp nec com pub socks NEC s SOCKS V5 Reference Implementation of SOCKS V5 socks5 is available at ftp ftp nec com pub socks cgi bin download pl Both packages include clients for...

Page 168: ...nts describing Version 4 SOCKS V4 protocol and extension to SOCKS V4 protocol There are three RFCs for SOCKS V5 related protocols RFC1928 Describes SOCKS Version 5 protocol also known as Authenticated...

Page 169: ...problems Check the Lost Sent columns for an indication of the router experiencing problems A particular router sustaining a high loss percentage rate is a reasonable indicator that there s a problem...

Page 170: ...cket filter violation LiveLog a window opens with the rule violations listed in order of occurrence see Chapter 3 of this manual Note Packets dropped by the Drop setting in Packet Filter Rules do not...

Page 171: ...reen is re displayed Action Enter the correct User and Password in the proper format The User and Password are case sensitive Try turning off your keyboard s Caps Lock key When the User and Password a...

Page 172: ...thentication method but you did not type in a Secret in the Secret field Action Enter one or more valid characters in the Secret entry field then click Save Valid characters include alpha numeric dash...

Page 173: ...ing administration Services are definitions for data traffic via networks e g the Internet A service definition consists of a name the protocol and the source port S Port and destination port D Port T...

Page 174: ...ontext sensitive Helps for additional information Message Remark Error Header error_header 11 Message ERROR Error Header error_header 12 Message ERROR Loop detected Error Header error_header 13 Messag...

Page 175: ...seconds or more Message Error Error Header error_header 21 Message Message Error Header error_header 22 Message Restart Error Header error_header 23 Message Wrong IP address Error Header error_header...

Page 176: ...Chapter 4 Troubleshooting Multi Tech RouteFinder RF650VPN User Guide 176 Action Enter an IP address that is valid for the IP address Menu Entry field...

Page 177: ...a Network Name at Definitions Networks that has previously been entered Recovery Enter a unique previously unentered Name in the entry field Message Password was changed successfully Error Header err...

Page 178: ...ail At least one valid existing e mail address must be entered Recovery Enter an existing valid email address e g admin yourhost com and click Save Message System restarts Error Header error_message 3...

Page 179: ...Message Please type in a TCP port i e 25 for SMTP Error Header error_message 39 Meaning You entered an inconsistent TCP port number in an entry field For example At Network Tools TCP connect you did n...

Page 180: ...IP IP necessary for COUNT VPN connections Error Header error_message 50 Message Connection with name NAME already exists Please choose another one Error Header error_message 51 Message The parameter N...

Page 181: ...ormation program and protocol The function of this server is to deliver machine readable name address information describing networks gateways hosts and eventually domains within the Internet environm...

Page 182: ...information keyboard and monitor connection information PC board component descriptions on going maintenance information e g RouteFinder housekeeping monitoring and updating and a hard disk drive reco...

Page 183: ...RF650VPNs had a 128MB PC100 Non ECC DIMM VGA CRT connector this connector allows attachment of a monitor for configuration and reporting purposes CN4 Floppy drive connector The floppy drive connector...

Page 184: ...nplug the fan power plug from the FAN1 connector on the pc board 3 Gently press down on the top of the metal fan retaining strip and unlatch it from the plastic retaining tab Fan1 is mounted directly...

Page 185: ...d Disk drive ribbon cable Keyboard Connection KB1 is a keyed 6 pin MiniDIN PS 2 interface on the RF650VPN pc board used for connecting a keyboard Perform the following steps to attach a keyboard to th...

Page 186: ...ll receive renewal notices from Multi Tech prior to the end of your subscription The latest virus pattern updates can then be downloaded from the Multi Tech server The RF650VPN s auto update feature l...

Page 187: ...Scanner subscription expiration date The license key number is a 35 digit alphanumeric entry the letters must all be in lower case If you enter your license key number incorrectly the message Error Li...

Page 188: ...et could be the private half of a public key private key pair or it could be a key used along with a symmetric algorithm In both authentication methods each side sends the other an unpredictable value...

Page 189: ...hapter 1 of this manual for additional sources of information The SANS Institute and the National Infrastructure Protection Center NIPC produces a document summarizing the Twenty Most Critical Interne...

Page 190: ...en neglected altered abused used for a purpose other than the one for which they were manufactured repaired by Customer or any party without MTS s written authorization or used in any manner inconsist...

Page 191: ...e ID may be required by the ISP for administration purposes or connection identification Also note the status of your RouteFinder including LED indicators screen messages diagnostic test results probl...

Page 192: ...Send your RouteFinder to this address MULTI TECH SYSTEMS INC 2205 WOODALE DRIVE MOUNDS VIEW MINNESOTA 55112 ATTN SERVICE OR REPAIRS You should also check with the supplier of your RouteFinder on the...

Page 193: ...s required products may be shipped freight prepaid to our Mounds View Minnesota factory Recommended international shipment methods are via Federal Express UPS or DHL courier services or by airmail par...

Page 194: ...10989 Phone 800 826 0279 Fax 914 267 2420 Email info thesupplynet com Internet http www thesupplynet com SupplyNet On line Ordering Instructions 1 Browse to http www thesupplynet com In the Browse by...

Page 195: ...xamples can be found on the Multi Tech Web site for the RF650VPN as separate Reference Guides A Remote Syslog How To is also provided at the end of this appendix State of the Art Firewall Security The...

Page 196: ...ed office network from the Internet The RouteFinder s DMZ port permits connecting of Voice over IP gateways like MultiVOIPs and public servers such as email and web to be safely connected Using a DMZ...

Page 197: ...ies SMTP menu you configure the SMTP proxy including the optional e mail virus scanner The SMTP proxy acts as an email relay it accepts e mail for your internet domains and passes them on to your inte...

Page 198: ...Appendix A Application Examples and How to Use Remote Syslog Multi Tech RouteFinder RF650VPN User Guide 198 RouteFinder VPN and MultiVOIP Example...

Page 199: ...yslog server accepts messages from your RouteFinder 5 Restart your syslogd with the r option for example The RouteFinder sends on syslog standard port 514 UDP The syslog facility depends on the proces...

Page 200: ...14 You should allow only incoming packets from your syslog client s Some logfile examples are provided below Syslog Sample 1 sample syslog ng conf file all syslog messages of karl2 will be written to...

Page 201: ...l syslog messages of karl2 and the expression kernel will be written to var log karls2_kern options sync 0 time_reopen 10 log_fifo_size 1000 long_hostnames off use_dns no use_fqdn no create_dirs no ke...

Page 202: ...mped to var log karl2_stuff options sync 0 time_reopen 10 log_fifo_size 1000 long_hostnames off use_dns no use_fqdn no create_dirs no keep_hostname yes source s_sys unix stream dev log internal udp ip...

Page 203: ...ppendix illustrates and describes the RF650VPN cables Power Cords The RF650VPN IEC 320 Power Cord with US plug is shown below IEC 320 Power Cord with US Plug IEC 320 Power Cord with Euro Plug and the...

Page 204: ...04 CD ROM Drive Adapter The RF650VPN is shipped with a 44 pin m to 40 pin f adapter that connects the Hard Disk Drive CD ROM Drive cable to a CD ROM Drive for use when performing the Hard Disk Drive R...

Page 205: ...adapter pin out is shown below P1 is the 44 pin male header P2 is the 40 pin female box header P1 _ P2 P1 P2 1 1 21 21 2 2 22 22 3 3 23 23 4 4 24 24 5 5 25 25 6 6 26 26 7 7 27 27 8 8 28 28 9 9 29 29...

Page 206: ...ion of network groups for easier handling Services Definition of network services for the firewall configuration Service Groups Definition of service groups for easier handling Users Definition of loc...

Page 207: ...ge of the HTTP proxy web SMTP Proxy Displays the usage and status of the SMTP proxy e mail SMTP Virus E mails Lets you view delete or forward virus infected e mail Accounting Displays accounting infor...

Page 208: ...the format shown below With your browser running when you insert the System CD in your computer s CD ROM drive the RouteFinder Install screen displays If you insert the System CD without your browser...

Page 209: ...anual provides all of the Quick Start Guide information plus features and specifications full installation and operation procedures troubleshooting FAQs error messages and recovery upgrade procedures...

Page 210: ...Initial SW release for RouteFinder WebAdmin Manual released at Rev A on 9 5 01 Software version 2 00 RouteFinder WebAdmin SW updated for production The tradename tagline changed to Internet Security A...

Page 211: ...s User Authentication against a RADIUS server an NT SAM User Base users defined in WebAdmin local RouteFinder User Authentication RADIUS User Authentication With this method ASL will forward User Info...

Page 212: ...e running any other type of Network with a centralized user base In this case you can use RADIUS user authentication however it is up to you to find a suitable RADIUS server for your network type You...

Page 213: ...ier matches string where string is the proxy identifier currently socks or http Windows Groups matches yourgroup where yourgroup is one of the new user groups you created in step 3 Note you can add gr...

Page 214: ...this unit not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment Industry Canada This Class A digital apparatus meets all requirements...

Page 215: ...ses harm to the phone network the phone company will notify you in advance that temporary discontinuance of service may be required But if advance notice isn t practical the phone company will notify...

Page 216: ...t or equipment malfunctions may give the telecommunications company cause to request the user to disconnect the equipment Users should ensure for their own protection that the electrical ground connec...

Page 217: ...license agreement is licensed to you under the terms of that license agreement By installing copying downloading accessing or otherwise using the SOFTWARE PRODUCT you agree to be bound by the terms of...

Page 218: ...t with steps taken to protect its own proprietary information to prevent the unauthorized copying or use by third parties of the software or any of the other materials provided under this Agreement An...

Page 219: ...the software program s delivered with this Agreement GRANT OF LICENSE MTS grants Customer the right to use one copy of the software on a single product the Licensed System You may not network the sof...

Page 220: ...government of Afghanistan Cuba Iran Iraq Libya Montenegro North Korea Pakistan Serbia Sudan Syria nor any other country to which the United States has prohibited export I will not download or by any o...

Page 221: ...ies of the Software may be made to replace worn or deteriorated copies for archival or back up purposes Licensee agrees to implement sufficient security measures to protect Multi Tech Systems Inc s pr...

Page 222: ...hor s protection and ours we want to make certain that everyone understands that there is no warranty for this free software If the software is modified by someone else and passed on we want its recip...

Page 223: ...m rights or contest your rights to work written entirely by you rather the intent is to exercise the right to control the distribution of derivative or collective works based on the Program In additio...

Page 224: ...ld be to refrain entirely from distribution of the Program If any portion of this section is held invalid or unenforceable under any particular circumstance the balance of the section is intended to a...

Page 225: ...LITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING...

Page 226: ...3DES encryption throughput of 15M bps e g 3DES can be configured in WebAdmin from VPN IPSEC Configurations The RouteFinder uses 3DES as an encryption algorithm and not simple DES Data Encryption Stan...

Page 227: ...eared Style sheets let Web designers more quickly create consistent pages and more consistent web sites Browsers began supporting the first CSS Specification Cascading Style Sheets Level 1 CSS1 in ver...

Page 228: ...r exchanges between this source and destination computer and the transporting network CefaultRoute A routing table entry which is used to direct packets addressed to networks not explicitly listed in...

Page 229: ...umbers Additionally there is a name server for every top level domain which lists all the subordinate name servers of that domain Thus the Domain Name System represents a distributed hierarchical data...

Page 230: ...inger utility was in IETF RFC742 dated December 1977 A popular slogan promoting the phone book s yellow pages was Let your fingers do the walking The utility was christened Finger since the utility wa...

Page 231: ...example that an IP datagram cannot reach an intended destination cannot connect to the requested service or that the network has dropped a datagram due to old age ICMP also provides information back...

Page 232: ...ding process of the Linux kernel There are other programs that can also do this such as grub Most distributions versions of Linux use LILO You can set up lilo to require a password to start to load th...

Page 233: ...ped by Microsoft that is considered more secure than SSL2 Note that some web sites may not support the PCT protocol PING Packet InterNet Groper A program used to test reachability of destinations by s...

Page 234: ...standardised sentence of commands and answers with whose help a client and a server can communicate Well known protocols and the services they provide are for example HTTP www FTP ftp and NNTP news Pr...

Page 235: ...tocol a TCP based host information program and protocol The function of this server is to deliver machine readable name address information describing networks gateways hosts and eventually domains wi...

Page 236: ...ccess information types and required encryption levels firewall hardware and software management processes and procedures non standard access guidelines and a policy for adding new equipment to the ne...

Page 237: ...Microsoft Windows program PuTTY is recommended as an SSH client Access via SSH is encrypted and therefore impossible for strangers to tap into Stateful Inspection A method of security that requires a...

Page 238: ...Datagram Protocol A datagram oriented unreliable communications protocol widely used on the Internet It is a layer over the IP protocol UDP is defined in IETF RFC 768 UNC Universal Naming Convention...

Page 239: ...y configure 113 non transparent mode 112 transparent mode 112 I ICMP on firewall 103 ICMP 102 ICMP Forwarding active inactive 102 ICMP on Firewall active inactive 103 ICMP forwarding 102 Index 157 Int...

Page 240: ...8 Select Language 40 Selfmonitor edit e mail addresses 154 Selfmonitor 153 Service delete 69 edit 69 Service 68 Service Groups add service 71 define 70 edit 71 remove service 71 Service Groups 70 Sett...

Reviews:

No comments