manualshive.com logo in svg

Multitech RouteFinder RF850, User Manual

Share
Download
Multitech RouteFinder RF850 User Manual Download Page 182

Glossary 

 

Multi-Tech Systems, Inc. RouteFinder RF850/860 User Guide (PN S000400E) 

182 

 

Cryptography 

 

The art and science of using mathematics to secure information and create a high degree of 

trust in the networking realm. See also public key, secret key.

 

CSR (Certificate Signing Request)

 – The form used to obtain a certificate from a CA. A CSR generates a 

formatted certification. This request is located on the web site of all certificate authorities. Another way to 
generate a CSR is to use a utility such as Microsoft IIS or OpenSSL. 

Datagram 

– The unit of transmission at the ISO Network layer (such as IP). A datagram may be encapsulated 

in one or more packets passed to the data link layer. A datagram is a self-contained, independent entity of data 
carrying sufficient information to be routed from the source to the destination computer without reliance on 
earlier exchanges between this source and destination computer and the transporting network. 

CefaultRoute

 

– A routing table entry that is used to direct packets addressed to networks not explicitly listed in 

the routing table. 

DES (Data Encryption Standard)

 

– A secret key encryption scheme; contrast with “public key”. DES is an 

NIST standard for a secret key cryptography method that uses a 56-bit key.  

Destination Port Number ZZZZ

 

 

All the traffic going through the firewall is part of a connection. A connection 

consists of the pair of IP addresses that are talking to each other, as well a pair of port numbers. The destination 
port number often indicates the type of service being connected to. When a firewall blocks a connection, it will 
save the destination port number to its logfile.  
Port numbers are divided into three ranges:  

 

The Well-Known Ports are those from 0 through 1023. These are tightly bound to services, and usually 
traffic on this port clearly indicates the protocol for that service. For example, port 80 virtually always 
indicates HTTP traffic.  

 

The Registered Ports are those from 1024 through 49151. These are loosely bound to services, which 
means that while there are numerous services "bound" to these ports, these ports are likewise used for 
many other purposes. For example, most systems start handing out dynamic ports starting around 1024.  

 

The Dynamic and/or Private Ports are those from 49152 through 65535. In theory, no service should be 
assigned to these ports. 

DHCP (Dynamic Host Configuration Protocol) 

 

An IETF standard for dynamically allocating and managing a 

pool of IP addresses, allowing a smaller number of addresses to serve a much larger number of users. 

Digital Signature

 

– The encryption of a message digest with a private key. Digital signatures

 

are based on 

public-key cryptography, which was first introduced by Whitfield Diffie and Martin Hellman of Stanford University 
in 1976. Until 1976 there was only conventional cryptography, which uses the same key to both scramble 
(encrypt) and unscramble (decrypt) information. Public key cryptography is based on two keys, a private key 
and a public key.  
Where conventional cryptography is a one-key system for both locking (encrypting) and unlocking (decrypting) a 
message, public key cryptography uses different keys for locking and unlocking.  
In public-key systems, one key can be kept private while the other key is made public. Knowing the public key 
does not reveal the private key. 

DMZ (De-militarized Zone) 

 

A special LAN on the public network side of a firewall to allow a single WAN 

router to support both private (VPN) and public access to resources. A DMZ allows a single WAN router to 
support both private (VPN) and public access to resources. Using a DMZ allows one IP Address (computer) to 
be exposed to the Internet. Some applications require multiple TCP/IP ports to be open. A DMZ allows just one 
computer to be exposed for that purpose. It is recommended that you set your computer with a static IP if you 
want to use DMZ. 

DNAT (Dynamic NAT)

 

– Used to operate a private network behind a firewall and make network services that 

only run there available to the Internet.

 

The use of private IP addresses in combination with Network Address Translation (NAT) in the form of 
Masquerading, Source NAT (SNAT), and Destination NAT (DNAT) allows a whole network to hide behind one or 
a few IP addresses preventing the identification of your network topology from the outside. With these 
mechanisms, Internet connectivity remains available, while it is no longer possible to identify individual 
machines from the outside. By using Destination NAT (DNAT), it is still possible to place servers within the 
protected network/DMZ and make them available for a certain service. 
In DNAT, only the IP address – not the port – is translated. Typically, the number of externally visible IP 
addresses is less than the number being hidden behind the NAT router.   

Summary of Contents for RouteFinder RF850

Page 1: ...RouteFinder Internet Security Appliance RF850 RF860 User Guide...

Page 2: ...y statement Added an RJ 45 Ethernet cable to the Ship Kit list Added an FAQ about the Ethernet ports supporting 10 100 Mbps half duplex and full duplex lines E 04 14 08 Changes for software version 3...

Page 3: ...teFinder 16 Establish TCP IP Communication 16 Set a Fixed IP Address 16 Obtain a Dynamic IP Address 16 Open a Web Browser 18 Login 18 Web Management Software Opens 19 Navigating Through the Software S...

Page 4: ...works Services Service Groups 65 Proxy 66 General Information About Proxies 66 Proxy HTTP Proxy 67 Proxy HTTP Proxy Custom Filters 71 Proxy SMTP Proxy 72 Proxy SMTP Proxy SMTP SPAM Filtering 75 Proxy...

Page 5: ...135 Statistics Logs View Logs 135 Statistics Logs HTTP Access 136 Statistics Logs DHCP 137 Statistics Logs SMTP Virus Quarantines 137 Statistics Logs POP3 Virus Quarantines 137 Statistics Logs SMTP SP...

Page 6: ...ix G Multi Tech Systems Inc Warranty Repairs and Replacement Policies 167 Appendix H Regulatory Compliance 169 Appendix I License Agreements 171 GNU GENERAL PUBLIC LICENSE 173 URL Content Filtering En...

Page 7: ...r the Multi Tech Systems Inc Web site RouteFinder Features See the RouteFinder Data Sheet for detailed descriptions of the following features Supports IPSec and PPTP VPN tunneling Utilizes Triple Data...

Page 8: ...only No 26 AWG or larger telecommunications line cord Never install telephone jacks in a wet location unless the jack is specifically designed for wet locations Safety Recommendations for Rack Install...

Page 9: ...mation from the RouteFinder s Web Management software at Administration License Key This screen shows the entered License Key number and indicates whether it is a valid License Key number The License...

Page 10: ...distance call to the corporate remote access server Branch Office VPN The LAN to LAN VPN application sends network traffic over the branch office Internet connection instead of relying on dedicated l...

Page 11: ...es Intrusion Port Scan Detection Yes Yes H 323 Pass Through Yes Yes VPN Features Remote User Client to LAN Yes Yes Branch Office LAN to LAN Yes Yes 3DES AES Encryption Yes Yes Encryption Throughput 5M...

Page 12: ...12Vdc 3 5A 42 Watts 12Vdc 3 5A Physical Description Dimensions 12 w 1 75 h 8 d 30 4cm 4 45cm 20 3cm Weight 4 4 lbs 2 0 kg Dimensions 12 w 1 75 h 8 d 30 4cm 4 45cm 20 3cm Weight 4 6 lbs 2 1 kg Operatin...

Page 13: ...begin the installation process you should plan your network and decide which computer is to have access to which services This simplifies configuration and saves you a lot of time that you would other...

Page 14: ...s receiving or transmitting data LAN Blinks when it is receiving or transmitting data 100MB WAN1 WAN2 DMZ Lights when a successful 100Base T Internet connection is established LAN Lights when a succes...

Page 15: ...wser This may take two or three minutes Optional Connections 1 Using an RJ 45 Ethernet cable connect the WAN2 DMZ jack to a network or DMZ device For example a Voice over IP gateway 2 Using a DB 9 cab...

Page 16: ...ddress To set a Fixed IP Address check Specify an IP address instead of Obtain an IP address automatically Then click OK 1 Enter the workstation IP address as 192 168 2 x Note that the x in the addres...

Page 17: ...s dialog box displays Select Internet Protocol TCP IP Click the Properties button 5 Once you click the Properties button the following screen displays To have your DHCP client obtain a dynamic IP addr...

Page 18: ...tional on screen prompts Login The Login screen displays after you type the default Gateway address Type the default User name admin all lower case Tab to the Password field and type the default passw...

Page 19: ...g the software you may find the following information about navigating the screens and the structuring of the menus helpful Navigating Through the Software Screens Menu Bar Sub Menu Other Options Scre...

Page 20: ...Local Users Radius SAM Version Information Restart Shutdown Networks Services Network Groups Service Groups HTTP Proxy Custom Filters SMTP Proxy SMTP SPAM Filtering POP3 Proxy POP3 SPAM Filtering Adv...

Page 21: ...tial Configuration Step Set Up Your Time Zone Click Administration on the Menu Bar The System Setup screen displays Set the following Set System Time by selecting your Time Zone Set the current Day Mo...

Page 22: ...orkstation s and the Internet as shown in the example below Important Note An initial configuration must be completed for each type of RouteFinder functions firewall configuration LAN to LAN configura...

Page 23: ...t Example 204 26 122 1 6 Place a checkmark in the Packet Filter Rule LAN ANY ANY ACCEPT box to enable the rule 7 Change Password Settings as appropriate for your network It is highly recommended that...

Page 24: ...d one in the remote branch office and requires additional parameters beyond the Wizard Setup to be entered Side A Side B RouteFinder Setup Side A Networks Services Networks Setup 1 Log in to your Rout...

Page 25: ...orks and select the network to be allowed 4 In this example select Remote WAN 5 If you are not restricting the type of Service select Any 6 If you are not restricting any Network Click on To Host Netw...

Page 26: ...Example Test Tunnel 2 Secret Enter a Secret password which has to match on both ends of the tunnel For this example enter test 3 Select Encryption Select 3DES 4 Local WAN IP Select WAN 5 Local LAN Sel...

Page 27: ...a new network name for the Remote LAN by entering a Name IP Address and Subnet Mask For this example enter the following Name Remote LAN IP Address 192 168 2 0 Subnet Mask 255 255 255 0 4 Click Add t...

Page 28: ...Networks and select the network to be allowed In this example select Remote LAN 4 If you are not restricting the type of service select Any 5 If you are not restricting what network Click on To Host...

Page 29: ...Example Test Tunnel 2 Secret Enter the Secret password which has to match on both ends of the tunnel For this example enter test 3 Select Encryption Select 3DES 4 Local WAN IP Select WAN 5 Local LAN...

Page 30: ...the fields for entering the network information 3 Create a new network name for the RF850 LAN by entering the Name IP Address and Subnet Mask For this example enter the following Name RF850 LAN IP Ad...

Page 31: ...network to be allowed In this example select RF850 LAN 4 If you are not restricting the type of service select Any 5 If you are not restricting what network Click on To Host Network select Any Notes...

Page 32: ...test 3 Select Encryption Select 3DES 4 Local WAN IP Select WAN 5 Local LAN Select LAN 6 Remote Gateway IP Select RF850 WAN 7 Remote LAN Select RF850 LAN 8 UID Click the Enable button must be enabled...

Page 33: ...r network information 3 Create a new network name for the RF850 WAN by entering the Name IP Address and Subnet Mask For this example enter the following Name RF850 WAN IP Address 65 126 90 250 Subnet...

Page 34: ...network to be allowed In this example select RF850 WAN 4 If you are not restricting the type of service select Any 5 If you are not restricting what network Click on To Host Network select Any Notes I...

Page 35: ...test 3 Select Encryption Select 3DES 4 Local WAN IP Select WAN 5 Local LAN Select LAN 6 Remote Gateway IP Select RF850 WAN 7 Remote LAN Select RF850 LAN 8 UID Click the Enable button must be enabled...

Page 36: ...terface screen Set default gateway at 204 26 122 1 Enter a host name example RF860 Site A com Enter Network Cards Cards 1 3 are defaulted Card 1 LAN eth0 192 168 2 1 255 255 255 0 Card 2 WAN eth1 204...

Page 37: ...860 Site A com Enter Network Cards Cards 1 3 are defaulted Card 1 LAN eth0 192 168 2 1 255 255 255 0 Card 2 WAN eth1 204 26 122 103 255 255 255 0 Card 3 DMZ eth2 192 168 3 1 3 Packet Filters Packet Fi...

Page 38: ...e unaware that their Internet requests are being transferred through an HTTP proxy Setting Up HTTP Proxy and URL Filtering 1 Click Proxy from the Menu bar The HTTP Proxy screen displays Notes About th...

Page 39: ...ber is located on the bottom of the RouteFinder chassis and on the front of the Quick Start Guide 3 Changing Status for the LAN On the HTTP Proxy HTTP screen see previous page check the Add button acr...

Page 40: ...the filter through one of the categories you had chosen or a category preset by the URL software For instance if you selected the Finance and Investment category to be filtered try to access www etrad...

Page 41: ...a lot of time that you would otherwise need for corrections and adjustments Menu Bar The Menu bar provides the organization of this chapter Menu Bar Logout Important Note About Logout Logout Closes t...

Page 42: ...teFinder general system based parameters A Note About This Screen When Logging Status is not checked the section of the screen Configure Logging does not display Email Notification Email Address Enter...

Page 43: ...WANLinks Status The mail settings are saved in the server configuration The first email ID in the list should be the Administrator s ID so that when the first ID is added or deleted the session is te...

Page 44: ...future retain their validity for the Accounting function The accounting files are continued when the setback time is reached again Therefore it is recommended that the time should only be set once dur...

Page 45: ...you are still able to access Administration Administrative Access from your active IP address after the deleting procedure If this is no longer possible the process is not carried out This check is ca...

Page 46: ...ssage if you try to delete access to a network that would cause you to lock yourself out Any has been set as the default for ease of installation ANY allows administrative access from everywhere once...

Page 47: ...erminated The browser settings have to be changed for the new port number before starting the next session By default port 443 is configured for HTTPS sessions The value of the port number should lie...

Page 48: ...same address that you will use to open the Administration Access interface It can be one of the RouteFinder IP addresses Example If you access Administration Access with https 192 168 10 1 the Host Ad...

Page 49: ...t The license key number is a 20 digit alphanumeric entry the letters must all be in upper case If you enter your license key number incorrectly the message Error License is invalid is displayed Check...

Page 50: ...s DNS attacks bad packets overflows chat accesses Web attacks will be detected and then the administrator is informed Apart from the above the other user defined rules for intrusion detection can be c...

Page 51: ...assigned addresses or private addresses These Networks or groups must be predefined in the Networks menu Destination IP Address This selection allows you to choose the network to which the informatio...

Page 52: ...valid names PING Ping is an acronym for Packet Internet Groper The PING utility is used as a diagnostic tool to determine if a communication path exists between two devices on the network The utility...

Page 53: ...d Should the data packets path momentarily not be traceable stars appear to indicate a time out After a fixed number of time outs the attempt is aborted This can have various reasons e g a packet filt...

Page 54: ...onnection by clicking the Start button A Sample TCP Connect Log DDNS Force Update To update the IP Address of the domain names in the DDNS server for WANInterfaces click the Update button Important No...

Page 55: ...select a new amount of time 3 Each Event offers the following time choices minutely every minute twomins every two minutes threemins every three minutes fivemins every five minutes sevenmins every se...

Page 56: ...he authentication person based i e user based and not IP based thus making a person based Accounting in the HTTP proxy access protocol possible Prerequisite Before you can use Local Authentication you...

Page 57: ...become possible Note In order to use any of these authentication methods you must activate user authentication and the type of authentication for the services Mark the option Local SAM RADIUS in the...

Page 58: ...ckup domain controller enter the PDC name again BDC IP Enter the IP address of the backup domain controller into this field If you do not have a backup domain controller enter the PDC IP address again...

Page 59: ...to the RouteFinder and issue these commands login as root use password admin the default password Then type the following etc multicong scripts bkupmain importbkp default Press Enter Administration S...

Page 60: ...if it is not used for any route or by any other module If a network is being used by a routing section that network cannot be edited Similarly if a host address is edited and changed to a network add...

Page 61: ...es can be made in the dot notation style e g 255 255 255 0 for a class C network Networks Services Networks Entries on the Network Services Networks Screen Display on Other Screens Networks added on t...

Page 62: ...resent in the service or service group list Using a space in the name is not allowed After you have entered the name click the Add button Protocol Select from the following protocols TCP UDP TCP UDP I...

Page 63: ...e saved using the Save button Notes About Protocols 1 TCP UDP allow both protocols to be active at the same time 2 The ICMP protocol is necessary to test network connections and RouteFinder functional...

Page 64: ...ction displays When the View Edit button is clicked the Edit Support section of the screen displays Add Network Group Enter a unique name for the Network Group This name is used later if you want to p...

Page 65: ...ce Group This name is required for later operations such as creating a higher level service group or to set packet filter rules Click Add All names will be added to Select Group drop down list box fro...

Page 66: ...y Using Microsoft Internet Explorer 1 Open the menu Extras Internet options 2 Choose the register card Connections 3 Open the menu LAN Settings Extended 4 Under Exceptions enter the IP address of your...

Page 67: ...Save button can be seen More parts of the HTTP Proxy screen display after clicking Status and Save Also the URL Categorization section and the Authentication section display After clicking and saving...

Page 68: ...as shown below Network Setup Load Balancing will display one of two screens to display depending on whether it is enabled or disabled See the two screens below On these screens you can change the stat...

Page 69: ...gorization by checking the URL Filter box Click the URL Categories allowed filtered Edit button The URL Categories screen displays as shown here URL Categories allowed filtered On this screen you can...

Page 70: ...e User Authentication by checking the User Authentication box and clicking Save Authentication Types 1 Select the desired Authentication Type Local RADIUS SAM 2 Click the Save button Available Users 1...

Page 71: ...les Access Rules enable you to define custom rules Because of these custom rules networks or network groups can be allowed or denied access to certain URLs URLs can be added or deleted from this list...

Page 72: ...n system This can be accomplished via a Microsoft Exchange Server for example Emails are transparently scanned for known viruses and other harmful content The SMTP proxy also acts as a gateway for out...

Page 73: ...ed so that email to any domain is forwarded to the default gateway Example 192 168 1 10 Domain and Host The fully qualified Domain Name and Host of the SMTP Proxy must be entered here Queue Cleanup Cl...

Page 74: ...to the above listed domains Confirm every selected network by clicking the Add button Note If you assign Any then everybody connected to the Internet can use your SMTP proxy for SPAM purposes SMTP Rou...

Page 75: ...User Guide PN S000400E 75 Proxy SMTP Proxy SMTP SPAM Filtering Proxy SMTP Proxy SMTP SPAM Filtering On this screen the SPAM filtering parameters can be set so that all incoming and outgoing emails se...

Page 76: ...ore the domain name testuser routefinder yourdomain com If you want to block all email from the domain routefinder yourdomain com then add it as routefinder yourdomain com If you want to block all ema...

Page 77: ...so double extensions such as tar gz cannot be used If you want to search for the expression as is in the email then add it just as it is If you want to use the entry as a regular expression then enclo...

Page 78: ...to Bypass POP3 Virus Spam Filtering KBytes Select the mail size that will bypass filtering Note The next two fields display only if you have purchased the Virus Protection package POP3 Virus Protecti...

Page 79: ...ection Check the box to enable POP3 SPAM Protection Subject of SPAM Mails Enter a word that you would like to add to the subject line of any email identified by the virus scanner as SPAM The word SPAM...

Page 80: ...ed Networks If the user tries to retrieve email from the network entered in the list then that connection of retrieving emails is rejected Check for NULL Sender If this option is enabled email with an...

Page 81: ...al proxy supported by many client applications SOCKS5 is an IETF Internet Engineering Task Force approved standard proxy protocol for TCP IP based networking applications The basic purpose of the prot...

Page 82: ...Sam If you choose the Local method you can choose whether or not local users may use the SOCKS proxy If you disable User Authentication then client applications must be configured with empty user name...

Page 83: ...ion from the drop down list box and then click the Add button Your choice will display in the box under the selection list It you want to change or delete an interface highlight the name and click the...

Page 84: ...P Address Resolution Protocol resolutions ARP clash Some operating systems e g Microsoft Windows cannot cope with this That is why one network interface should be used per physical segment About the I...

Page 85: ...er 6 RouteFinder Software Multi Tech Systems Inc RouteFinder RF850 860 User Guide PN S000400E 85 Network Setup Interface Network Setup Interface Network Setup Interfaces Screen with Load Balancing Dis...

Page 86: ...TP clients are to be assigned a WINS server address enter the address here Network Cards Interface Name Each column allows you to identify the interfaces for the LAN WAN and DMZ networks these are ava...

Page 87: ...this section you can configure the Speed and Duplexity of the NICs By default the RouteFinder automatically detects the Speed and Duplexity of the NICs If you want to change these values click on the...

Page 88: ...OM2 Initialization String Enter the set of commands you want sent to the modem at startup The initialization string sets speed error correction compression various timeout values and how to display re...

Page 89: ...e 1 Type AT T19 0 nn where nn is the country region code in hexadecimal notation Click Enter OK displays 2 Then save the changes by issuing the following command AT F W Click Enter 3 To verify that th...

Page 90: ...rtant If DHCP client is enabled the PPPoE cannot be used The internet connection can be either PPPoE or DHCP client at any given time PPPoE when Load Balancing is Disabled PPPoE when Load Balancing is...

Page 91: ...CP client cannot be enabled The interface to the internet can be either through PPPoE or DHCP client at any time If DHCP client is enabled and if the IP address has been assigned then the following va...

Page 92: ...mail ID you have specified while registering with the Dynamic DNS server Password Enter the password you had specified while registering with the Dynamic DNS server Dynamic DNS Server Enter the server...

Page 93: ...ond router is to be responsible for this network Add Routes Interface Route Select an already defined network and a network card The entries are confirmed by clicking the Add button Also existing entr...

Page 94: ...lect one of the networks already defined in the Networks menu Select a network from each box from and to networks The options are Any LAN WANInterface WAN DMZ Interface and DMZ when Load Balancing is...

Page 95: ...ket Filter Rules with the original source address Packet filter rules are covered later in this chapter Note To create simple connections from private networks to the Internet you should use the Netwo...

Page 96: ...g Service e g FTP FTP CONTROL to be redirected Post DNAT Destination Select a network host to which the IP packets are to be diverted Only one host can be defined as the Post DNAT destination Importan...

Page 97: ...Load Balancing the following message displays Enabling Load Balancing will delete the spooling rules between WAN and DMZ Load Balancing Over Multiple Links Enable Load Balancing Check the box and clic...

Page 98: ...dary DNS server to be used by the local peer through the specific interface Then click the Save button This field can be left blank Note A secondary DNS Address cannot be configured without a primary...

Page 99: ...irtual IP Address on the LAN that forms the Cluster IP and a Configuration Synchronization module The configuration of High Availability is highly critical to its functionality and a slight misconfigu...

Page 100: ...is text box enter the IP address to be used for accessing various RouteFinder services on the LAN Important Notes This IP must belong to the LAN network and should not belong to any host on the networ...

Page 101: ...would like to disable it uncheck the DHCP Server on LAN checkbox If you change the check mark click the Save button to activate the change Add Click the Add Subnet button which will open the table for...

Page 102: ...interface to the DMZ is entered in the Accounting while one particular computer in the DMZ is not to be accounted If this one computer is only to be used for internal purposes it does not make sense t...

Page 103: ...you use the Update Service your RouteFinder can be continually updated with new virus protection patterns system patches security features and new features Update resolves dependencies between modules...

Page 104: ...lay Time Interval for Automatic Update of Virus Patterns Your RouteFinder can be continually updated with new virus patterns with optional email virus scan subscription system patches and security fea...

Page 105: ...as to use as evidence if and when you discover a successful attack letting you compare the before and after states of the RouteFinder You may want to store all alerts and notifications Passwords are s...

Page 106: ...for this file to verify that this is the file you want Once you are sure of the file you want click the Import button Download Backup Click the Download button to backup files saved in the firewall to...

Page 107: ...name of TEST the repository name should always be in capital letters 2 Let the path to the repository be usr local cvs 3 Create a repository in the server using the command cvs d usr local TEST init...

Page 108: ...ned is carried out You can Accept Drop Reject Log the packets When packets are rejected an entry in the appropriate log file occurs All rules are entered according to the principle From Client Service...

Page 109: ...ters e g ports Example SMTP ANY To Select the network to which the data packets are sent for the rule to match Network groups can also be selected These network clients or groups must be pre defined i...

Page 110: ...ICMP Forwarding Check the ICMP Forward checkbox to enable the forwarding of ICMP packets through the RouteFinder into the local network and all connected DMZs In this way you select whether an ICMP p...

Page 111: ...packet passthrough PPTP NAT support Click Save This includes two features 1 Server behind the firewall and client on the Internet DNAT of PPTP packets 2 Clients behind the firewall and server on the I...

Page 112: ...make a change Drop Fragmented Packets Dropped Fragmented Packets Enables disables dropping of IP fragmented packets Log Dropped Fragmented Packets Check the Log Dropped Fragmented Packets checkbox to...

Page 113: ...utbound access requests from private LAN and service DMZ network clients that use a service on a public WAN network server host All Access Requests Traversing Firewall Violating Security Policy Check...

Page 114: ...the basis of priority When a packet enters an interface depending on the bandwidth available the packets are either dropped or sent In other words it is based on best effort mechanism IP does not pro...

Page 115: ...or which the classification rule is set Class Select the priority to be given to the rule Interface Select the interface through which the packet goes Add Button Click the Add button to add this rule...

Page 116: ...tion according to an open standard IPSec The IPSec protocol suite based on cryptographic technologies provides security services at the IP network layer It secures network traffic providing guaranteed...

Page 117: ...the compression checkbox to enable IPCOMP the compression algorithm Perfect Forward Secrecy PFS Check the PFS checkbox to enable PFS a concept in which the newly generated keys are unrelated to the ol...

Page 118: ...e tunnel again comes up on the other link i e WAN 2 Failover is possible only when the remote gateway is an FQDN Fully Qualified Domain Name Local LAN Local security gateway for which the security ser...

Page 119: ...ion 1 ESP using 3DES for encryption and MD5 for authentication 2 ESP using 3DES for encryption and SHA1 for authentication 3 ESP using 3DES for encryption and AH MD5 for authentication 4 ESP using 3DE...

Page 120: ...face to initiate the IPSec tunnel Left Security Gateway Options are LAN WAN and DMZ Local LAN This is the local security gateway for which the security services are to be provided If the RouteFinder a...

Page 121: ...elf signed Certificate of Authority CA by entering the information necessary to identify your Certificate Import a selected Certificate of Authority Add a predefined Certificate of Authority Certifica...

Page 122: ...n enabling IPSec Bridging you will be given options to select the pairs of tunnels for which bridging is to be setup See example above Bridge Endpoint Setup Configure a tunnel and two networks by sele...

Page 123: ...ne banking is not working after implementing the RouteFinder you can see if any packets were filtered out and which rule was responsible for filtering them PPTP Settings PPTP Status Check the Status c...

Page 124: ...n Type Select the type of authentication to be used Options are Local or RADIUS Click the Save button User Name and Password Enter the name in lowercase and password in lowercase of the PPTP user Clic...

Page 125: ...tion System Setup in the Web Management software which allows several entries the screen allows only one ID Host Name Enter the Host Name of your firewall Example format FIREWALL mydomain com LAN Sett...

Page 126: ...Modem Settings Use this checkbox to enable disable the modem PPP dial backup feature If enabled enter the User Name Password Serial Port Baud Rate Dial Number and Initialization Strings for the backu...

Page 127: ...tine displays virus quarantined email SMTP Spam Quarantine using a Message Expression filter and an Attachment filter SPAM emails will not be relayed and will be quarantined in the SPAM area They can...

Page 128: ...SWAP Statistics Shows the actual usage of the swap space on the system When using the HTTP proxy is in use frequent activity of the swap file is normal displays as a graph The log files are updated e...

Page 129: ...you find here for example 192 168 2 43 443 you know that there is an active HTTPS session Foreign Address The destination IP address and port for example 192 168 2 40 1034 State Status of the connect...

Page 130: ...LISTENING The socket is listening for a connection request Such sockets are only included in the output if you specify listening I or all a option CONNECTING The socket is about to establish a connect...

Page 131: ...affic This example shows the daily graph for LAN traffic Statistics Logs SMTP Proxy The SMTP Proxy screen displays the RouteFinder s SMTP proxy email usage and status in two windows called SMTP Logs a...

Page 132: ...on for all the IPSec tunnels that are currently enabled Statistics Logs Self Monitor The Self Monitoring function ensures the integrity of the RouteFinder system and informs the administrator of impor...

Page 133: ...ts of a successful attack You will probably want to keep log information in a location separate from the RouteFinder to keep an intruder from destroying the log data upon compromising the RouteFinder...

Page 134: ...ith Action as LOG the packets matching the corresponding source address and service will be logged Show Logs Select the packets to be displayed by checking the box next to the packet category Check Au...

Page 135: ...ion Live Log button to display the User Defined Intrusion Detection rules entered on the Administration Intrusion Detection screen Portscan Live Log Click the Portscan Live Log button to display detec...

Page 136: ...nding button Generate HTTP Reject Reports 1 Click the Generate button to generate the current day s HTTP Reject report 2 Select a file from the remote client server by browsing to the file name and th...

Page 137: ...e emails will be saved in the virus quarantine area These emails can be viewed by the administrator who can then take action as to whether or not to delete or forward the emails to the email ID Statis...

Page 138: ...N DMZ and LAN when Load Balancing is disabled When Load Balancing is enabled Bandwidth Utilization displays for WANLINK1 WANLINK2 and LAN The graphs display daily weekly monthly and yearly bandwidth u...

Page 139: ...US servers are available for almost every operating system The RouteFinder s implementation of the RADIUS method allows you to configure access rights on both a per proxy and a per user basis NT SAM S...

Page 140: ...entifier field based on these values your RADIUS server should just decide to grant or deny access Setting Up a Microsoft IAS RADIUS Server This section explains how to set up a Microsoft IAS Internet...

Page 141: ...ication requests Setting Up NT 2000 SAM SMB Authentication To setup Windows NT 2000 SAM Authentication you will need an NT 2000 machine on your network that holds the user accounts This can be a domai...

Page 142: ...uteFinder A4 Yes in addition to providing shared Internet access the RouteFinder can support a Web FTP or other Internet servers Once configured the RouteFinder only accepts unsolicited IP packets add...

Page 143: ...eth0 0 though you should avoid characters like or _ ifconfig seems to get lost if you use these 2 Tell the RouteFinder to send those IP packets directly to the external interface by adding a static ro...

Page 144: ...areas Cuba Iran Iraq Libya North Korea Serbia except Kosovo Sudan and Syria For the latest information on United States cryptography export and import laws contact the Bureau of Export Administration...

Page 145: ...atching your setup do not make it too small and make sure you do not need any ports in this range for other services Go to Packet Filters Packet Filter Rules and add the following rules Any FTP_ALTCon...

Page 146: ...forward packets Single homed firewalls have one network interface card You would use a single homed firewall with a choke router that filters packets not originating from the SOCKS server Q22 Is there...

Page 147: ...ems A particular router sustaining a high loss percentage rate is a reasonable indicator that there s a problem with that specific router Type PATHPING at the command prompt to view the syntax for Pat...

Page 148: ...filter rules system generated filter rules and filter violations The Filter LiveLog supervises the packet filter and NAT rules The Packet Filter log shows the packets that have not successfully passed...

Page 149: ...the first packet of a session Subsequent packets are not logged Inbound Access Request Each access request from the external network to the box for any services hosted by the box or hosted by an inte...

Page 150: ...to LO1 G of Baseline module version 4 0 ICSA Labs Figure 12 shows a snapshot of Startup History User Defined Log User defined logging is classified as User logs Administrators can log packets using th...

Page 151: ...ce name 12 OUT Outgoing network interface name 13 MAC Destination MAC address 14 SRC Source IP addresses 15 DST Destination IP address 16 LEN Header Length in bytes 17 TOS Type of service 18 TTL Time...

Page 152: ...stination address listed in the SYSLOG is the DNATTED ip address In this case it is 192 168 1 76 Slno 2 corresponds to a PASV Data connection Src 204 26 122 9 destined to 202 54 39 103 which in turn i...

Page 153: ...a capture of FTP service Slno 2 in the above snapshot corresponds to the control connection Remarks in the second half of the snapshot is a continuation of the capture Remarks Outbound Src 192 168 1...

Page 154: ...21 o Outbound Outbound Log o SRC 192 168 1 212 DST 195 220 108 108 SPORT 32823 DPORT 21 This corresponds to the CONTROL connection information for this data connection IV Access Requests through Firew...

Page 155: ...Admin Port Access Log Figure 11 Snapshot of Admin Port Access Log VIII Startup History Log Figure 12 Snapshot of Startup History IX User Log Figure 13 Snapshot of User Log X Fragmented Dropped Log Fig...

Page 156: ...ateway were configured properly Before You Start 1 Configuration Backup Backup your current RouteFinder configuration file and note the software version you are currently running 2 Record License Key...

Page 157: ...file name is the same as Step 2 case sensitive See the ISO Notes at the beginning of this chapter Do you want an unattended install y n y Do you want to modify the current interface configuration y n...

Page 158: ...ional Enter the protocol to be used ftp http tftp ftp For FTP enter the URL IP address or domain name ftp 192 168 2 2 Enter the ISO path and filename RouteFinder3xx iso Make sure the file name is the...

Page 159: ...outeFinder will boot into the regular software 3 If ALT TAB works you will see a prompt At the prompt type in RFNetInstall case sensitive 4 Rescue Kernel terminates after the install process You can a...

Page 160: ...N 48 N N N 49 62 N N N 63 N N N 64 N N N 65 78 N N N 79 N N N 80 N N N 81 94 N N N 95 N N N 96 N N N 97 110 N N N 111 N N N 112 N N N 113 126 N N N 127 N N N 128 N N N 129 142 N N N 143 N N N 144 N N...

Page 161: ...N N 95 N N N 96 N N N 97 98 N N N 99 N N N 100 N N N 101 102 N N N 103 N N N 104 N N N 105 106 N N N 107 N N N 108 N N N 109 110 N N N 111 N N N 112 N N N 113 114 N N N 115 N N N 116 N N N 117 118 N N...

Page 162: ...be upgraded to a total of 2GB The RF860 is shipped with 1GB and can be upgraded to a total of 2GB 1 Remove the RouteFinder top cover using the procedure earlier in this chapter 2 Pull back on the bei...

Page 163: ...1 Year Content Filter Upgrade Email Anti Virus Code The RouteFinder is shipped with Email Anti Virus code within the core software Order model RFAVUPG to obtain the software key that enables this Ema...

Page 164: ...vides excellent data protection but it s fairly slow A convenient method is to use a temporary key AKA a session key for most transactions and then destroy the session key when the transaction is comp...

Page 165: ...uld close the most dangerous holes first It is segmented into three categories General Vulnerabilities Windows Vulnerabilities and Unix Vulnerabilities The SANS FBI Top Twenty list is valuable because...

Page 166: ...ottage NY 10989 Phone 800 826 0279 Fax 914 267 2420 Email info thesupplynet com Internet http www thesupplynet com SupplyNet Online Ordering Instructions 1 Browse to http www thesupplynet com In the B...

Page 167: ...ar overnight replacement service agreements are available for selected products Please call MTS customer service at 888 288 5470 or visit our web site at PARTNERS Programs overnight_replacement for de...

Page 168: ...your questions regarding technical matters product configuration verification that the product is defective etc to our International Technical Support department at 763 717 5863 When calling the U S...

Page 169: ...ny 2 As indicated below the suitable jack Universal Service Order Code connecting arrangement for this equipment is shown If applicable the facility interface codes FIC and service order codes SOC are...

Page 170: ...requirements The Department does not guarantee the equipment will operate to the user s satisfaction Before installing this equipment users should ensure that it is permissible to be connected to the...

Page 171: ...n any form to any person other than Customer and his employees and or agents without prior written consent from MTS Customer acknowledges that the techniques algorithms and processes contained in the...

Page 172: ...agrees not to provide or otherwise make available any portion of this software in any form to any third party without the prior express written approval of Multi Tech Systems Inc Licensee is hereby i...

Page 173: ...icensee is addressed as you Activities other than copying distribution and modification are not covered by this License they are outside its scope The act of running the Program is not restricted and...

Page 174: ...e only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program If any portion of this section is held invalid or unenforceable under any particular...

Page 175: ...he Product on all copies you make No title to the Product or any part or copy is transferred to you B YOU MAY 1 use and display that part of the Product provided on a hardware box on a single stand al...

Page 176: ...DAMAGES OR THEY ARE FORESEEABLE OR FOR CLAIMS BY A THIRD PARTY OUR MAXIMUM AGGREGATE LIABILITY AND THAT OF OUR SUPPLIERS AGENTS OFFICERS AND DIRECTORS TO YOU SHALL NOT EXCEED THE AMOUNT PAID BY YOU F...

Page 177: ...intend to make such information available for any reason including without limitation costs you shall be permitted to take such steps to achieve interoperability provided that you may only reverse en...

Page 178: ...supply or purported supply of failure to supply or delay in supplying the Software or the Documentation which might but for this paragraph v have effect between the Kaspersky Lab and your or would ot...

Page 179: ...the costs of recovery from municipal collection points reuse and recycling of specified percentages per the WEEE requirements Instructions for Disposal of WEEE by Users in the European Union The symbo...

Page 180: ...lection is 3 des md5 96 AES Advanced Encryption Standard The U S government standard for data encryption Rijndael was chosen as the U S government encryption standard to protect sensitive data and to...

Page 181: ...and decrypt messages between parties and 3 provide a digital signature from the trusted organization that issued the certificate as well as when the certificate expires Certificate Authority The issue...

Page 182: ...5535 In theory no service should be assigned to these ports DHCP Dynamic Host Configuration Protocol An IETF standard for dynamically allocating and managing a pool of IP addresses allowing a smaller...

Page 183: ...main difference between the ESP authentication method and the AH authentication method is that ESP does not protect any IP header fields unless those fields are encapsulated by ESP tunnel mode ESP is...

Page 184: ...uters on a network Individual users communicate by using application programs such as electronic mail Telnet and FTP HTTPS aka S HTTP Secure HyperText Transfer Protocol a secure way of transferring in...

Page 185: ...uthentication and storage of keys Key Pair Full key information in a public key cryptosystem consists of the public key and private key L2TP Layer Two Tunneling Protocol A security protocol that facil...

Page 186: ...protocol PING Packet InterNet Groper A program to test reachability of destinations by sending an ICMP echo request and waiting for a reply The term is also used as a verb Ping host X to see if it is...

Page 187: ...ol process the received information at the application level and then transfer them Proxy ARP The technique in which one machine usually a router answers ARP requests intended for another machine By f...

Page 188: ...e defined in IETF RFC 1812 RSA A public key encryption and digital signature algorithm It was invented by Ron Rivest Adi Shamir and Leonard Adleman The RSA algorithm was patented by RSA Security but t...

Page 189: ...ctions from private networks to the Internet you should use the Masquerading function instead of SNAT The use of private IP addresses in combination with Network Address Translation NAT in the form of...

Page 190: ...sites may not support the TLS protocol Trace Route A program available on many systems that traces the path a packet takes to a destination It is mostly used to debug routing problems between hosts A...

Page 191: ...6 Broadcast on whole Internet 109 Bypass URL Filtering 70 C Cabling 15 CD ROM Adding 162 Certificate of Authority Generation 121 Change Status for LAN 39 Change the country region code 89 Change the r...

Page 192: ...y Caution 8 Load Balancing 97 Local Authentication 56 Local RouteFinder User Authentication 139 Local Users 56 Login 18 Logo on logon page 47 Logout 41 M MAC address based filtering 112 Main 19 Mainte...

Page 193: ...r Using SMTP Proxy 72 S Safe password 18 Safety 8 SAM 58 SAM Prerequisite 58 Save Settings 41 Select encryption method 117 Self Monitor 132 Serivces 62 Service Groups 65 Services entered display on ot...

Page 194: ...iversal Resource Locator URL 38 Update Service 103 Updating 165 Uptime Logs 128 URL categories 69 URL Categories Allowed Filtered 40 URL Categorization Key 49 URL Categorization License Key 9 URL Lice...

Reviews:

No comments

Brands by name

Popular brands

Load more brands