manualshive.com logo in svg

Nokia IP60 - Security Appliance, User Manual

Looking for a comprehensive User Manual for the Nokia IP60 Security Appliance? Look no further! Download the free and detailed manual from our website today. Explore the features and benefits of this state-of-the-art product, ensuring maximum security and peace of mind. Your ultimate User Manual awaits at manualshive.com.

Share
Download
background image

 

The Nokia IP60 Firewall 

 

Chapter 2: Security 

37 

 

Firewall Technology 

Action 

Stateful Inspection 

Firewall 

A Stateful Inspection firewall examines the FTP application-layer 

data in an FTP session. When the client initiates a command 

session, the firewall extracts the port number from the request. The 

firewall then records both the client and server's IP addresses and 

port numbers in an FTP-data pending request list. When the client 

later attempts to initiate a data connection, the firewall compares the 

connection request's parameters (ports and IP addresses) to the 

information in the FTP-data pending request list, to determine 

whether the connection attempt is legitimate. 

Since the FTP-data pending request list is dynamic, the firewall can 

ensure that only the required FTP ports open. When the session is 

closed, the firewall immediately closes the ports, guaranteeing the 

FTP server's continued security. 

 

 

What Other Stateful Inspection Firewalls Cannot Do 

The level of security that a stateful firewall provides is determined by the richness of data tracked, and how 
thoroughly the data is analyzed. Treating traffic statefully requires application awareness. Firewalls without 
application awareness must open a range of ports for certain applications, which leads to exploitable holes 
in the firewall and violates security ―best practices‖. 

TCP packet reassembly on all services and applications is a fundamental requirement for any Stateful 
Inspection firewall. Without this capability, fragmented packets of legitimate connections may be dropped, 
or those carrying network attacks may be allowed to enter a network. The implications in either case are 
potentially severe. When a truly stateful firewall receives fragmented packets, the packets are reassembled 
into their original form. The entire stream of data is analyzed for conformity to protocol definition and for 
packet-payload validity. 

True Stateful Inspection means tracking the state and context of all communications. This requires a 
detailed level of application awareness. The IP60 appliance provides true Stateful Inspection. 

 

Summary of Contents for IP60 - Security Appliance

Page 1: ...Part No N450000643 Rev 001 Published February 2008 Nokia IP60 Security Appliance User Guide ...

Page 2: ...okia Inc as is and any express or implied warranties including but not limited to implied warranties of merchantability and fitness for a particular purpose are disclaimed In no event shall Nokia or its affiliates subsidiaries or suppliers be liable for any direct indirect incidental special exemplary or consequential damages including but not limited to procurement of substitute goods or services...

Page 3: ...d Canada 1 512 437 7089 email info ipnetworking_americas nokia com Europe Middle East and Africa Nokia House Summit Avenue Southwood Farnborough Hampshire GU14 ONG UK Tel UK 44 161 601 8908 Tel France 33 170 708 166 email info ipnetworking_emea nokia com Asia Pacific 438B Alexandra Road 07 00 Alexandra Technopark Singapore 119968 Tel 65 6588 3364 email info ipnetworking_apac nokia com Web Site htt...

Page 4: ...4 Nokia IP60 Security Appliance User Guide ...

Page 5: ... Started 59 Initial Login to the Nokia IP60 Portal 59 Logging on to the Nokia IP60 Portal 60 Accessing the Nokia IP60 Portal Remotely Using HTTPS 61 Using the Nokia IP60 Portal 63 Logging off 65 Configuring the Internet Connection 67 Overview 67 Using the Internet Wizard 68 Using Internet Setup 76 Setting Up Dialup Modems 96 Viewing Internet Connection Information 102 Enabling Disabling the Intern...

Page 6: ...r 181 Overview 181 Setting Up Traffic Shaper 182 Predefined QoS Classes 182 Adding and Editing Classes 184 Viewing and Deleting Classes 187 Restoring Traffic Shaper Defaults 187 Working with Wireless Networks 189 Overview 189 Configuring Wireless Networks 194 Troubleshooting Wireless Connectivity 215 Viewing Reports 217 Viewing the Event Log 217 Using the Traffic Monitor 219 Viewing Computers 222 ...

Page 7: ...Antivirus 312 Updating VStream Antivirus 324 SMART Management and Subscription Services 325 Connecting to a Service Center 325 Viewing Services Information 330 Refreshing Your Service Center Connection 330 Configuring Your Account 332 Disconnecting from Your Service Center 332 Web Filtering 333 Email Filtering 337 Automatic and Manual Updates 340 Working with VPNs 343 Overview 343 Setting Up Your ...

Page 8: ...top 411 Overview 411 Workflow 411 Configuring Remote Desktop 412 Configuring the Host Computer 415 Accessing a Remote Computer s Desktop 417 Maintenance 419 Viewing Firmware Status 420 Updating the Firmware 421 Upgrading Your License 423 Configuring Syslog Logging 424 Controlling the Appliance via the Command Line 425 Configuring HTTPS 429 Configuring SSH 431 Configuring SNMP 432 Setting the Time ...

Page 9: ...ing Network Printer Ports 471 Resetting Network Printers 472 Troubleshooting 473 Connectivity 473 Service Center and Upgrades 475 Other Problems 476 Specifications 477 Technical Specifications 477 CE Declaration of Conformity 479 Federal Communications Commission Radio Frequency Interference Statement 481 Glossary of Terms 483 Index 487 ...

Page 10: ......

Page 11: ... text and preceded by the Note icon Warning Warnings are denoted by indented text and preceded by the Warning icon Each task is marked with an icon indicating the Nokia IP60 product required to perform the task as follows If this icon appears You can perform the task using these products Nokia IP60 Nokia IP60 Wireless All products with USB ports specifically Nokia IP60 Wireless Only products witho...

Page 12: ......

Page 13: ...l unit including firewall VPN intrusion prevention antivirus antispam Web filtering reporting monitoring and Network Access Control NAC In addition IP60 appliances offer powerful networking capabilities including advanced routing traffic shaping high availability redundant Internet connections and extensive VLAN support All IP60 appliances can be integrated into an overall enterprise security poli...

Page 14: ...AN Switch 10 100 Mbps WAN Port Ethernet 10 100 Mbps ADSL Standards DMZ WAN2 Port 10 100 Mbps Dialup Backup With external serial USB modem Console Port Serial Print Server USB 2 0 Ports Firewall Security Features Check Point Stateful Inspection Firewall Application Intelligence SmartDefense IPS Network Address Translation NAT Four Preset Security Policies Anti spoofing Voice over IP H 323 Support ...

Page 15: ...Access VPN Remote Access Users 1 10 15 25 VPN Server with OfficeMode and RADIUS Support SecuRemote L2TP Site to Site VPN Gateway Route based VPN Backup VPN Gateways Remote Access VPN Client SecuRemote Included Site to Site VPN Tunnels Managed 100 IPSEC Features Hardware accelerated DES 3DES AES MD5 SHA 1 Hardware Random Number Generator RNG Internet Key Exchange IKE Perfect Forward Secrecy PFS IPS...

Page 16: ...Mode Spanning Tree Protocol STP Traffic Shaper QoS Traffic Monitoring Dead Internet Connection Detection DCD WAN Load Balancing Backup Internet Connection DHCP Server Client and Relay MAC Cloning Network Address Translation NAT Rules Static Routes Source Routes and Service Based Routes Ethernet Cable Type Recognition DiffServ Tagging Automatic Gateway Failover HA Dynamic Routing ...

Page 17: ...Display Local Logs NTP Automatic Time Setting TFTP Rapid Deployment Hardware Specifications Power 100 110 120 210 220 230VAC Linear Power Adapter or 100 240VAC Switched Power Adapter Mounting Options Desktop Wall or Rack Mounting Warranty 1 Year Hardware Rack mounting requires the optional rack mounting kit sold separately Nokia IP60 Wireless Features Table 2 Nokia IP60 Wireless Series Features Fe...

Page 18: ... Check Point Stateful Inspection Firewall Application Intelligence IPS Intrusion Detection and Prevention using Check Point SmartDefense Network Address Translation NAT Four Preset Security Policies Anti spoofing Voice over IP H 323 Support Unlimited INSPECT Policy Rules Instant Messenger Blocking Monitoring P2P File Sharing Blocking Monitoring Port based Tag based and Other VLAN 32 WU 10 Other Mo...

Page 19: ...Tunnels Managed 100 IPSEC Features Hardware accelerated DES 3DES AES MD5 SHA 1 Hardware Random Number Generator RNG Internet Key Exchange IKE Perfect Forward Secrecy PFS IPSEC Compression IPSEC NAT Traversal NAT T IPSEC VPN Pass through Networking Supported Internet Connection Methods Static IP DHCP PPPoE PPTP Telstra Cable Dialup Transparent Bridge Mode Spanning Tree Protocol STP Traffic Shaper Q...

Page 20: ...s Wireless Security VPN over Wireless WEP WPA2 802 11i WPA Personal WPA Enterprise 802 1x Wireless QoS WMM Dual Diversity Antennas Virtual Access Points VAP Wireless Distribution System WDS Links Wireless Range Standard Mode Up to 100 m Indoors and 300 m Outdoors Wireless Range XR Mode Up to 300 m Indoors and 1 km Outdoors Management Central Management Check Point SmartCenter Check Point SmartLSM ...

Page 21: ...ranges are subject to change in different environments Rack mounting requires the optional rack mounting kit sold separately Optional Security Services The following subscription security services are available to IP60 owners by connecting to a Service Center Firewall Security and Software Updates Web Filtering Email Antivirus and Antispam Protection VStream Embedded Antivirus Updates Dynamic DNS ...

Page 22: ...rs for http my firewall Getting to Know Your Nokia IP60 Appliance Package Contents The Nokia IP60 package includes the following Nokia IP60 Internet Security Appliance Power supply CAT5 Straight through Ethernet cable Getting Started Guide Documentation CDROM Wall mounting kit RS232 serial adaptor RJ45 to DB9 model SBX 166LHGE 5 only ...

Page 23: ...o its factory defaults You need to use a pointed object to press this button Short press Reboots the IP60 appliance Long press 7 seconds Resets the IP60 appliance to its factory defaults and resets your firmware to the version that shipped with the IP60 appliance This results in the loss of all security services and passwords and reverting to the factory default firmware You will have to re config...

Page 24: ...tch Four Ethernet ports RJ 45 used for connecting computers or other network devices Front Panel The Nokia IP60 appliance includes several status LEDs that enable you to monitor the appliance s operation For an explanation of the Nokia IP60 appliance s status LEDs see the table below Table 4 Nokia IP60 Appliance Status LEDs LED State Explanation PWR SEC Off Power off Flashing quickly Green System ...

Page 25: ...Flashing Green VPN activity On Green VPN tunnels established no activity Serial Off No Serial port activity Flashing Green Serial port activity Getting to Know Your Nokia IP60 Wireless Appliance Package Contents The Nokia IP60 Wireless package includes the following Nokia IP60 Wireless Internet Security Appliance Power supply CAT5 Straight through Ethernet cable Getting Started Guide Documentation...

Page 26: ...ts Label Description PWR A power jack used for supplying power to the unit Connect the supplied power supply to this jack RESET A button used for rebooting the IP60 appliance or resetting the IP60 appliance to its factory defaults You need to use a pointed object to press this button Short press Reboots the IP60 appliance Long press 7 seconds Resets the IP60 appliance to its factory defaults and r...

Page 27: ...r or a network leading to the Internet DMZ WAN2 A dedicated Ethernet port RJ 45 used to connect a DMZ Demilitarized Zone computer or network Alternatively can serve as a secondary WAN port or as a VLAN trunk LAN 1 4 Local Area Network switch Four Ethernet ports RJ 45 used for connecting computers or other network devices ANT 1 ANT 2 Antenna connectors used to connect the supplied wireless antennas...

Page 28: ...K ACT On 100 On 100 Mbps link established for the corresponding port LNK ACT Flashing Data is being transmitted received VPN Off No VPN activity Flashing Green VPN activity On Green VPN tunnels established no activity Serial Off No Serial port activity Flashing Green Serial port activity USB Off No USB port activity Flashing Green USB port activity WLAN Off No WLAN activity Flashing Green WLAN act...

Page 29: ...ens residential addresses car licenses registration and so on The army stores information about its soldiers weapons inventory and intelligence information about other armies Much of this information is confidential A bank stores information about its customers accounts their money transactions ATM machine access codes and so on Much of this information is confidential Commercial companies store i...

Page 30: ... Integrity Ensuring that the original information was not altered and that no one tampered with it Availability Ensuring that important information can be accessed at all times and places The Security Policy In order to meet these challenges an organization must create and enforce a security policy A security policy is a set of rules that defines how and by whom sensitive information should be acc...

Page 31: ...mation is processed and stored electronically by single standalone computers or computer networks Therefore an attack on an organization s computers or computer networks can result in extensive information theft or abuse However computers and computer networks today are not just tools used to store information they are the heart of an organization s operations and crucial to its communication and ...

Page 32: ...a is not To provide robust security a firewall must track and control the flow of communication passing through it To reach control decisions for TCP IP based services such as whether to accept reject authenticate encrypt and or log communication attempts a firewall must obtain store retrieve and manipulate information derived from all communication layers and other applications Security Requireme...

Page 33: ... the following advantages and disadvantages Table 7 Packet Filter Advantages and Disadvantages Advantages Disadvantages Application independence Low security High performance No screening above the network layer Scalability Application Layer Gateways Application layer gateways improve security by examining all application layers bringing context information into the decision making process However...

Page 34: ... can inspect all traffic before it reaches the network Packet State and Context Information To track and act on both state and context information for an application is to treat that traffic statefully The following are examples of state and context related information that a firewall should track and analyze Packet header information source and destination address protocol source and destination ...

Page 35: ...el Type Description Source TCP Source Port Destination TCP Destination Port 1 CMD Client initiates a PASV command to the FTP server on port 21 FTP client C 1023 FTP server 21 2 CMD Server responds with data port information P 1023 FTP server 21 FTP client C 3 Data Client initiates data connection to server on port P FTP client D 1023 FTP server P 4 Data Server acknowledges data connection FTP serv...

Page 36: ...ions in either of the following ways By leaving the entire upper range of ports greater than 1023 open While this allows the file transfer session to take place over the dynamically allocated port it also exposes the internal network By shutting down the entire upper range of ports While this secures the internal network it also blocks other services Thus packet filters handling of Passive FTP com...

Page 37: ...walls Cannot Do The level of security that a stateful firewall provides is determined by the richness of data tracked and how thoroughly the data is analyzed Treating traffic statefully requires application awareness Firewalls without application awareness must open a range of ports for certain applications which leads to exploitable holes in the firewall and violates security best practices TCP p...

Page 38: ......

Page 39: ... the Appliance to Network Printers 55 Setting Up the Nokia IP60 Appliance 55 Before You Install the Nokia IP60 Appliance Prior to connecting and setting up your Nokia IP60 appliance for operation you must do the following Check if TCP IP Protocol is installed on your computer Check your computer s TCP IP settings to make sure it obtains its IP address automatically Refer to the relevant section in...

Page 40: ...User Guide Windows Vista Checking the TCP IP Installation 1 Click Start Control Panel The Control Panel window appears 2 Under Network and Internet click View network status and tasks The Network Sharing Center screen appears 3 In the Tasks pane click Manage network connections ...

Page 41: ... IP60 Appliance Chapter 3 Installing and Setting Up the Nokia IP60 Appliance 41 The Network Connections screen appears 4 Double click the Local Area Connection icon The Local Area Connection Status window opens 5 Click Properties ...

Page 42: ...es The Internet Protocol Version 4 TCP IPv4 Properties window appears 2 Click the Obtain an IP address automatically radio button Note Normally it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically If for some reason you need to assign a static IP address select Specify an IP address type in an IP address in the range of 192 168 10 129 254 ...

Page 43: ...mputer is now ready to access your IP60 appliance Windows 2000 XP Checking the TCP IP Installation 1 Click Start Settings Control Panel The Control Panel window appears 2 Double click the Network and Dial up Connections icon The Network and Dial up Connections window appears 3 Right click the icon and select Properties from the pop up menu that opens ...

Page 44: ...l Area Connection Properties window appears 4 In the above window check if TCP IP appears in the components list and if it is properly configured with the Ethernet card installed on your computer If TCP IP does not appear in the Components list you must install it as described in the next section ...

Page 45: ...w click Install The Select Network Component Type window appears 2 Select Protocol and click Add The Select Network Protocol window appears 3 Choose Internet Protocol TCP IP and click OK TCP IP protocol is installed on your computer TCP IP Settings 1 In the Local Area Connection Properties window double click the Internet Protocol TCP IP component or select it and click Properties ...

Page 46: ...ress automatically If for some reason you need to assign a static IP address select Specify an IP address type in an IP address in the range of 192 168 10 129 254 enter 255 255 255 0 in the Subnet Mask field and click OK to save the new settings Note that 192 168 10 is the default value and it may vary if you changed it in the Network My Network page 3 Click the Obtain DNS server address automatic...

Page 47: ... 47 Mac OS Use the following procedure for setting up the TCP IP Protocol 1 Choose Apple Menus Control Panels TCP IP The TCP IP window appears 2 Click the Connect via drop down list and select Ethernet 3 Click the Configure drop down list and select Using DHCP Server 4 Close the window and save the setup ...

Page 48: ...pliance 48 Nokia IP60 Security Appliance User Guide Mac OS X Use the following procedure for setting up the TCP IP Protocol 1 Choose Apple System Preferences The System Preferences window appears 2 Click Network The Network window appears ...

Page 49: ...he Nokia IP60 Appliance Chapter 3 Installing and Setting Up the Nokia IP60 Appliance 49 3 Click Configure TCP IP configuration fields appear 4 Click the Configure IPv4 drop down list and select Using DHCP 5 Click Apply Now ...

Page 50: ...ubs or other network devices 3 Connect the WAN cable a Connect one end of the Ethernet cable to the appliance s WAN port b Connect the other end of the cable to a cable modem DSL modem or office network 4 Connect the power supply to the appliance s power socket labeled PWR 5 Plug the power supply into the wall electrical outlet Warning The IP60 appliance power supply is compatible with either 100 ...

Page 51: ...ce s rear panel 2 Bend the antennas at the hinges so that they point upwards Wall Mounting the IP60 Appliance For your convenience the IP60 appliance includes a wall mounting kit which consists of two plastic conical anchors and two cross head screws To mount the IP60 appliance on the wall 1 Decide where you want to mount your IP60 appliance 2 Decide on the mounting orientation You can mount the a...

Page 52: ...lls 6 Insert the two screws you received with your Nokia IP60 Edge appliance into the plastic conical anchors and turn them until they protrude approximately 5 mm from the wall 7 Align the holes on the Nokia IP60 Edge appliance s underside with the screws on the wall then push the appliance in and down Your Nokia IP60 Edge appliance is wall mounted You can now connect it to your computer Securing ...

Page 53: ... diagram below The bolt has two states Open and Closed and is used to connect the looped security cable to the appliance s security slot To install an anti theft device on the Nokia IP60 Edge appliance 1 If your anti theft device has a combination lock set the desired code as described in the documentation that came with your device 2 Connect the anti theft device s loop to any sturdy mounting poi...

Page 54: ...Appliance The IP60 appliance protects all computers and network devices that are connected to its LAN and DMZ ports If desired you can increase the appliance s port capacity by cascading hubs or switches To cascade the IP60 appliance to a hub or switch 1 Connect a standard Ethernet cable to one of the appliance s LAN ports or to its DMZ WAN2 port The IP60 appliance automatically detects cable type...

Page 55: ...B power supply capabilities Failure to observe this warning may cause damage to the appliance and void the warranty For information on setting up network printers see Setting up Network Printers on page 457 Setting Up the IP60 Appliance After you have installed the IP60 appliance you must set it up using the steps shown below When setting up your IP60 appliance for the first time after installatio...

Page 56: ... IP60 appliance Setting the Time on the Appliance on page 436 Setting up a wireless network wireless appliances only Configuring a Wireless Network on page 189 Installing the Product Key Upgrading Your Software Product on page 423 Setting up subscription services Connecting to a Service Center on page 325 You can access the Setup Wizard at any time after initial setup using the procedure below To ...

Page 57: ...Up the IP60 Appliance Chapter 3 Installing and Setting Up the Nokia IP60 Appliance 57 The Firmware page appears 2 Click Nokia IP60 Setup Wizard The Nokia IP60 Setup Wizard opens with the Welcome page displayed ...

Page 58: ......

Page 59: ...ng the Nokia IP60 Portal 63 Logging off 65 Initial Login to the Nokia IP60 Portal The first time you log on to the Nokia IP60 Portal you must set up your password To log on to the Nokia IP60 Portal for the first time 1 Browse to http my firewall The initial login page appears 2 Type a password both in the Password and the Confirm password fields Note The password must be five to 25 characters lett...

Page 60: ...es to guide you through appliance setup For more information see Setting Up the Nokia IP60 Appliance on page 55 Internet Setup Internet Setup offers advanced setup options such as configuring two Internet connections To use Internet Setup click Cancel and refer to Using Internet Setup on page 76 Logging on to the Nokia IP60 Portal Note By default HTTP and HTTPS access to the Nokia IP60 Portal is n...

Page 61: ...page appears 2 Type your username and password 3 Click OK The Welcome page appears Accessing the Nokia IP60 Portal Remotely Using HTTPS You can access the Nokia IP60 Portal remotely from the Internet through HTTPS HTTPS is a protocol for accessing a secure Web server It is used to transfer confidential user information If desired you can also use HTTPS to access the Nokia IP60 Portal from your int...

Page 62: ...0 Portal appears To access the Nokia IP60 Portal from the Internet Browse to https firewall_IP_address 981 Note that the URL starts with https not http The following things happen in the order below If this is your first attempt to access the Nokia IP60 Portal through HTTPS the certificate in the IP60 appliance is not yet known to the browser so the Security Alert dialog box appears To avoid seein...

Page 63: ...sts of three major elements Table 11 Nokia IP60 Portal Elements Element Description Main menu Used for navigating between the various topics such as Reports Security and Setup Main frame Displays information and controls related to the selected topic The main frame may also contain tabs that allow you to view different pages related to the selected topic Status bar Shows your Internet connection a...

Page 64: ...k Allows you to manage and configure your network settings and Internet connections Setup Provides a set of tools for managing your IP60 appliance Allows you to upgrade your license and firmware and to configure HTTPS access to your IP60 appliance Users Allows you to manage IP60 appliance users VPN Allows you to manage configure and log on to VPN sites Help Provides context sensitive help Logout A...

Page 65: ...rnet connection When both connections are configured the Status bar displays both statuses For example Internet Primary Connected For information on configuring a secondary Internet connection see Configuring the Internet Connection on page 67 Service Center Displays your subscription services status Your Service Center may offer various subscription services These include the firewall service and...

Page 66: ...To log off of the Nokia IP60 Portal Do one of the following If you are connected through HTTP click Logout in the main menu The Login page appears If you are connected through HTTPS the Logout option does not appear in the main menu Close the browser window ...

Page 67: ...witch a router a bridge or an Ethernet enabled broadband modem You can configure your Internet connection using any of the following setup tools Setup Wizard Guides you through the IP60 appliance setup step by step The first part of the Setup Wizard is the Internet Wizard For further information on the Setup Wizard see Setting Up the Nokia IP60 Appliance on page 55 Internet Wizard Guides you throu...

Page 68: ...d allows you to configure your IP60 appliance for Internet connection quickly and easily through its user friendly interface Note The first time you log on to the Nokia IP60 Portal the Internet Wizard starts automatically as part of the Setup Wizard In this case you should skip to step 3 in the following procedure ...

Page 69: ...k in the main menu and click the Internet tab The Internet page appears 2 Click Internet Wizard The Internet Wizard opens with the Welcome page displayed 3 Click Next The Internet Connection Method dialog box appears 4 Select the Internet connection method you want to use for connecting to the Internet If you are uncertain regarding which connection method to use contact your xDSL provider ...

Page 70: ...t 5 Click Next If you chose PPPoE continue at Using a PPPoE Connection on page 71 If you chose PPTP continue at Using a PPTP Connection on page 73 If you chose Cable Modem continue at Using a Cable Modem Connection on page 74 If you chose Static IP continue at Using a Static IP Connection on page 74 If you chose DHCP continue at Using a DHCP Connection on page 75 ...

Page 71: ...the PPPoE PPP over Ethernet connection method the PPP Configuration dialog box appears 1 Complete the fields using the information in the following table 2 Click Next The Confirmation screen appears 3 Click Next The system attempts to connect to the Internet via the specified connection The Connecting screen appears ...

Page 72: ...of the connection process the Connected screen appears 4 Click Finish Table 14 PPPoE Connection Fields In this field Do this Username Type your user name Password Type your password Confirm password Type your password again Service Type your service name This field can be left blank ...

Page 73: ... to connect to the Internet via the specified connection The Connecting screen appears At the end of the connection process the Connected screen appears 4 Click Finish Table 15 PPTP Connection Fields In this field Do this Username Type your user name Password Type your password Confirm password Type your password again Service Type your service name Server IP Type the IP address of the PPTP modem ...

Page 74: ...At the end of the connection process the Connected screen appears 2 Click Finish Using a Static IP Connection If you selected the Static IP connection method the Static IP Configuration dialog box appears 1 Complete the fields using the information in the following table 2 Click Next The Confirmation screen appears 3 Click Next The system attempts to connect to the Internet via the specified conne...

Page 75: ...ult gateway Primary DNS Server Type the Primary DNS server IP address Secondary DNS Server Type the Secondary DNS server IP address This field is optional WINS Server Type the WINS server IP address This field is optional Using a DHCP Connection No further settings are required for a DHCP Dynamic IP connection The Confirmation screen appears 1 Click Next The system attempts to connect to the Inter...

Page 76: ...your Internet connection For information on configuring bridged Internet connections see Adding Internet Connections to Bridges on page 168 To configure the Internet connection using Internet Setup 1 Click Network in the main menu and click the Internet tab The Internet page appears 2 Next to the desired Internet connection click Edit ...

Page 77: ...ion continue at Using No Connection on page 88 Configuring an Ethernet Based Connection 1 In the Port drop down list do one of the following To configure an Ethernet based connection through the WAN port select WAN To configure an Ethernet based connection through the DMZ WAN2 port select WAN2 This option is available in non ADSL models only To configure an Ethernet based connection through a LAN ...

Page 78: ...hose PPPoE continue at Using a PPPoE Connection on page 81 If you chose PPTP continue at Using a PPTP Connection on page 83 If you chose Telstra continue at Using a Telstra BPA Connection on page 85 For information on configuring bridged connections see Adding Internet Connections to Bridges on page 168 Using a LAN Connection 1 Complete the fields using the relevant information in Internet Setup F...

Page 79: ...ear depending on the check boxes you selected 2 Click Apply The IP60 appliance attempts to connect to the Internet and the Status Bar displays the Internet status Connecting This may take several seconds Once the connection is made the Status Bar displays the Internet status Connected ...

Page 80: ...rmation in Internet Setup Fields on page 89 New fields appear depending on the check boxes you selected 2 Click Apply The IP60 appliance attempts to connect to the Internet and the Status Bar displays the Internet status Connecting This may take several seconds Once the connection is made the Status Bar displays the Internet status Connected ...

Page 81: ...Using Internet Setup Chapter 5 Configuring the Internet Connection 81 Using a PPPoE Connection 1 Complete the fields using the relevant information in Internet Setup Fields on page 89 ...

Page 82: ...r depending on the check boxes you selected 2 Click Apply The IP60 appliance attempts to connect to the Internet and the Status Bar displays the Internet status Connecting This may take several seconds Once the connection is made the Status Bar displays the Internet status Connected ...

Page 83: ...Using Internet Setup Chapter 5 Configuring the Internet Connection 83 Using a PPTP Connection 1 Complete the fields using the relevant information in Internet Setup Fields on page 89 ...

Page 84: ...r depending on the check boxes you selected 2 Click Apply The IP60 appliance attempts to connect to the Internet and the Status Bar displays the Internet status Connecting This may take several seconds Once the connection is made the Status Bar displays the Internet status Connected ...

Page 85: ... Using a Telstra BPA Connection Use this Internet connection type only if you are subscribed to Telstra BigPond Internet Telstra BigPond is a trademark of Telstra Corporation Limited 1 Complete the fields using the relevant information in Internet Setup Fields on page 89 ...

Page 86: ...onds Once the connection is made the Status Bar displays the Internet status Connected Configuring a Dialup Connection Note To use this connection type you must first set up the dialup modem For information see Setting Up Modems on page 96 1 In the Port drop down list do one of the following To configure a Dialup connection on the Serial port using a connected RS232 modem select Serial To configur...

Page 87: ...Using Internet Setup Chapter 5 Configuring the Internet Connection 87 The Connection Type field displays Dialup 2 Complete the fields using the relevant information in Internet Setup Fields on page 89 ...

Page 88: ... Apply The IP60 appliance attempts to connect to the Internet and the Status Bar displays the Internet status Connecting This may take several seconds Once the connection is made the Status Bar displays the Internet status Connected Configuring No Connection 1 In the Port drop down list select None The fields disappear 2 Click Apply ...

Page 89: ...assword Confirm password Type your password Service Type your service name If your ISP has not provided you with a service name leave this field empty Server IP If you selected PPTP type the IP address of the PPTP server as given by your ISP If you selected Telstra BPA type the IP address of the Telstra authentication server as given by Telstra Phone Number If you selected Dialup type the phone nu...

Page 90: ...connection opens or if the connection times out the appliance will disconnect Idle timeout Type the amount of time in minutes that the connection can remain idle Once this period of time has elapsed the appliance will disconnect The default value is 1 Delay before connecting Type the amount of time in seconds that the appliance should wait to re connect to the Internet if the connection goes down ...

Page 91: ... your Internet connection s maximum measured upstream speed in the field provided It is recommended to try different rates in order to determine which one provides the best results For information on using Traffic Shaper see Using Traffic Shaper Shape Downstream Link Rate Select this option to enable Traffic Shaper for incoming traffic Then type a rate in kilobits second slightly lower than your I...

Page 92: ...ier assigned to every network device If your ISP restricts connections to specific recognized MAC addresses you must select this option to clone a MAC address Note When configuring MAC cloning for the secondary Internet connection the DMZ WAN2 port must be configured as WAN2 otherwise this field is disabled For information on configuring ports see Managing Ports on page 148 Hardware MAC Address Th...

Page 93: ...ough the secondary connection To ensure full utilization of both Internet connections the ratio between the connections load balancing weights should reflect the ratio between the connections bandwidths The default value is 50 For information on WAN load balancing see Configuring WAN Load Balancing on page 106 High Availability Do not connect if this gateway is in passive state If you are using Hi...

Page 94: ...sts to the default gateway If you selected PPTP PPPoE or Dialup this is done by sending PPP echo reply LCP messages to the PPP peer By default if the default gateway does not respond the Internet connection is considered to be down If it is determined that the Internet connection is down and two Internet connections are defined a failover will be performed to the second Internet connection ensurin...

Page 95: ...wn Use this method if you have reliable servers that can be pinged that are a good indicator of Internet connectivity and that are not likely to fail simultaneously that is they are not at the same location Probe DNS Servers Probe the primary and secondary DNS servers If for 45 seconds neither gateway responds the Internet connection is considered to be down Use this method if the availability of ...

Page 96: ...RS232 to the appliance s Serial port See Setting Up an RS232 Modem on page 96 USB based modems including dialup PSTN ISDN and cellular GPRS EVDO modems You can connect up to two USB based modems to the appliance s USB port See Setting Up a USB Modem on page 100 Setting Up an RS232 Modem Note Your RS232 dialup modem and your IP60 appliance s Serial port must be configured for the same speed By defa...

Page 97: ...ting Up Dialup Modems Chapter 5 Configuring the Internet Connection 97 The Ports page appears 3 Next to Serial click Edit The Port Setup page appears 4 In the Assign to Network drop down list select Dialup ...

Page 98: ...2 Dialup Fields In this field Do this Modem Type Select the modem type You can select one of the predefined modem types or Custom If you selected Custom the Installation String field is enabled Otherwise it is filled in with the correct installation string for the modem type Initialization String Type the installation string for the custom modem type If you selected a standard modem type this fiel...

Page 99: ...t Connection 99 In this field Do this Answer incoming PPP calls Select this option to specify that the modem should answer incoming PPP calls This allows accessing the appliance out of band for maintenance purposes in case the primary Internet connection fails ...

Page 100: ...d 2 5W per port 0 5A at 5V If the total current consumed by a port exceeds 0 5A a powered USB hub must be used to avoid damage to the gateway To set up a USB modem 1 Connect a USB based modem to one of your IP60 appliance s USB ports For information on locating the USB ports see Introduction on page 13 2 Click Network in the main menu and click the Ports tab The Ports page appears 3 Next to USB cl...

Page 101: ...ng the information in USB Dialup Fields on page 101 6 Click Apply 7 To check that that the values you entered are correct click Test The page displays a message indicating whether the test succeeded 8 Configure a Dialup Internet connection on the USB port See Using Internet Setup on page 76 Table 19 USB Dialup Fields In this field Do this Modem Type Select the modem type You can select one of the ...

Page 102: ...or maintenance purposes in case the primary Internet connection fails Cellular APN Type your Access Point Name APN as given by your cellular provider If your cellular provider has not provided you with an APN leave this field empty PIN Type the Personal Identification Number PIN code that you received with your cellular SIM card if required by your modem The PIN code is usually 4 digits long Warni...

Page 103: ...r an explanation of the fields on this page see the following table 2 To view activity information for a connection mouse over the information icon next to the desired connection A tooltip displays the number of bytes sent and received bytes through the connection 3 To refresh the information on this page click Refresh ...

Page 104: ...s Indicates the connection s status Duration Indicates the connection duration if active The duration is given in the format hh mm ss where hh hours mm minutes ss seconds IP Address Your IP address Enabled Indicates whether or not the connection is enabled For further information see Enabling Disabling the Internet Connection on page 105 ...

Page 105: ...es to and the connection is disabled Using Quick Internet Connection Disconnection By clicking the Connect or Disconnect button depending on the connection status on the Internet page you can establish a quick Internet connection using the currently selected connection type In the same manner you can terminate the active connection The Internet connection retains its Connected Not Connected status...

Page 106: ...amines each Internet connection s recent bandwidth utilization in kilobits per second to determine its load The IP60 appliance then enters the source destination pair in a load balancing table and specifies the least loaded Internet connection as the connection to use for traffic between this pair To prevent disruption of stateful protocols the IP60 appliance will route all traffic between this pa...

Page 107: ...and secondary Internet connections For further information see the Load Balancing Weight field in Using Internet Setup on page 76 2 Click Network in the main menu and click the Internet tab The Internet page appears 3 In the WAN Load Balancing area drag the load balancing lever to On WAN load balancing is enabled Traffic will be distributed automatically across the defined Internet connections acc...

Page 108: ......

Page 109: ... Service Objects 142 Using Static Routes 144 Managing Ports 148 Configuring Network Settings Note If you accidentally change the network settings to incorrect values and are unable to connect to the my firewall Web portal you can connect to the appliance through the serial console and correct the error see Using a Console on page 427 Alternatively you can reset the IP60 appliance to its default se...

Page 110: ... 110 Nokia IP60 Security Appliance User Guide Configuring the LAN Network To configure the LAN network 1 Click Network in the main menu and click the My Network tab The My Network page appears 2 Click Edit in the LAN network s row ...

Page 111: ...able Hide NAT See Enabling Disabling Hide NAT on page 112 6 If desired configure a DHCP server See Configuring a DHCP Server on page 113 7 Click Apply A warning message appears 8 Click OK A success message appears Changing IP Addresses If desired you can change your IP60 appliance s internal IP address or the entire range of IP addresses in your internal network To change IP addresses 1 Click Netw...

Page 112: ...ing If your computer is configured to obtain its IP address automatically using DHCP and the Nokia IP60 DHCP server is enabled restart your computer Your computer obtains an IP address in the new range Otherwise manually reconfigure your computer to use the new address range using the TCP IP settings For information on configuring TCP IP see TCP IP Settings on page 45 Enabling Disabling Hide NAT H...

Page 113: ...dress within the DHCP address range the DHCP server will detect this and will not assign this IP address to another computer If you already have a DHCP server in your internal network and you want to use it instead of the Nokia IP60 DHCP server you must disable the Nokia IP60 DHCP server since you cannot have two DHCP servers or relays on the same network segment If you want to use a DHCP server o...

Page 114: ... Edit The Edit Network Settings page appears 3 From the DHCP Server list select Enabled or Disabled 4 Click Apply A warning message appears 5 Click OK A success message appears 6 If your computer is configured to obtain its IP address automatically using DHCP and either the Nokia IP60 DHCP server or another DHCP server is enabled restart your computer If you enabled the DHCP server your computer o...

Page 115: ...the Nokia IP60 DHCP range manually To configure the DHCP address range 1 Click Network in the main menu and click the My Network tab The My Network page appears 2 In the desired network s row click Edit The Edit Network Settings page appears 3 Do one of the following To allow the DHCP server to set the IP address range select the Automatic DHCP range check box To set the DHCP range manually 1 Clea...

Page 116: ...iance User Guide 6 If your computer is configured to obtain its IP address automatically using DHCP and either the Nokia IP60 DHCP server or another DHCP server is enabled restart your computer Your computer obtains an IP address in the new DHCP address range ...

Page 117: ...k Settings page appears 3 In the DHCP Server list select Relay The Automatic DHCP range check box is disabled and new fields appear 4 In the Primary DHCP Server IP field type the IP address of the primary DHCP server 5 In the Secondary DHCP Server IP field type the IP address of the DHCP server to use if the primary DHCP server fails 6 Click Apply A warning message appears 7 Click OK A success mes...

Page 118: ...ons for an internal network Domain suffix DNS servers WINS servers Default gateway NTP servers VoIP call managers TFTP server and boot filename Avaya Nortel and Thomson IP phone configuration strings To configure DHCP options 1 Click Network in the main menu and click the My Network tab The My Network page appears 2 In the desired network s row click Edit The Edit Network Settings page appears 3 I...

Page 119: ...Configuring Network Settings Chapter 6 Managing Your Network 119 The DHCP Server Options page appears 4 Complete the fields using the relevant information in the following table ...

Page 120: ...ns an IP address in the DHCP address range Table 21 DHCP Server Options Fields In this field Do this Domain Name Type a default domain suffix that should be passed to DHCP clients The DHCP client will automatically append the domain suffix for the resolving of non fully qualified names For example if the domain suffix is set to mydomain com and the client tries to resolve the name mail the suffix ...

Page 121: ...S Server 2 fields appear WINS Server 1 2 Type the IP addresses of the Primary and Secondary WINS servers to use instead of the gateway Automatically assign default gateway Clear this option if you do not want the DHCP server to pass the current gateway IP address to DHCP clients as the default gateway s IP address Normally it is recommended to leave this option selected The Default Gateway field i...

Page 122: ...he phone s configuration string Nortel IP Phone To enable Nortel IP phones to receive their configuration type the phone s configuration string Thomson IP Phone To enable Thomson IP phones to receive their configuration type the phone s configuration string Configuring a DMZ Network In addition to the LAN network you can define a second internal network called a DMZ demilitarized zone network For ...

Page 123: ...s page appears 3 Next to the DMZ WAN2 port click Edit The Port Setup page appears 4 In the Assign to network drop down list select DMZ 5 Click Apply A warning message appears 6 Click OK 7 Click Network in the main menu and click the My Network tab The My Network page appears ...

Page 124: ...s may lead to the following problems VPN Clients on the same network will be unable to communicate with each other via the Nokia IP60 Internal VPN Server This is because their IP addresses are on the same subnet and they therefore attempt to communicate directly over the local network instead of through the secure VPN link Some networking protocols or resources may require the client s IP address ...

Page 125: ...dress field type the IP address to use as the OfficeMode network s default gateway Note The OfficeMode network must not overlap other networks 5 In the Subnet Mask text box type the OfficeMode internal network range 6 If desired enable or disable Hide NAT See Enabling Disabling Hide NAT on page 112 7 If desired configure DHCP options See Configuring DHCP Server Options on page 118 8 Click Apply A ...

Page 126: ...ll and is subject to the security policy By default traffic from a VLAN to any other internal network including other VLANs is blocked In this way defining VLANs can increase security and reduce network congestion For example you can assign each division within your organization to a different VLAN regardless of their physical location The members of a division will be able to communicate with eac...

Page 127: ...g the appliance to a VLAN aware switch Each VLAN behind the trunk is assigned an identifying number called a VLAN ID also referred to as a VLAN tag All outgoing traffic from a tag based VLAN contains the VLAN s tag in the packet headers Incoming traffic to the VLAN must contain the VLAN s tag as well or the packets are dropped Tagging ensures that traffic is directed to the correct VLAN Figure 11 ...

Page 128: ...nce LAN ports Virtual access point VAP In wireless Nokia IP60 models you can partition the primary WLAN network into wireless VLANs called virtual access points VAPs You can use VAPs to grant different permissions to groups of wireless users by configuring each VAP with the desired security policy and network settings and then assigning each group of wireless users to the relevant VAP For example ...

Page 129: ...ends on your Nokia IP60 series and model Table 22 Supported Number of VLANs Series Models Maximum Number of VLANs of all supported types combined Nokia IP60 Models with unlimited nodes 32 VLAN networks Nokia IP60 Models without unlimited nodes 10 VLAN networks Nokia IP60 Wireless Models with unlimited nodes 32 VLAN networks including up to 3 VAPs and up to 7 WDS links Nokia IP60 Wireless Models wi...

Page 130: ...ttings page for VLAN networks appears 3 In the Network Name field type a name for the VLAN 4 In the Type drop down list select Port Based VLAN The VLAN Tag field disappears 5 In the Mode drop down list select Enabled The fields are enabled 6 In the IP Address field type the IP address of the VLAN network s default gateway Note The VLAN network must not overlap other networks 7 In the Subnet Mask f...

Page 131: ...N 1 Click Network in the main menu and click the My Network tab The My Network page appears 2 Do one of the following To add a VLAN click Add Network To edit a VLAN click Edit in the desired VLAN s row The Edit Network Settings page for VLAN networks appears 3 In the Network Name field type a name for the VLAN 4 In the Type drop down list select Tag Based VLAN The VLAN Tag field appears 5 In the V...

Page 132: ...cess message appears 13 Click Network in the main menu and click the Ports tab The Ports page appears 14 In the DMZ WAN2 drop down list select VLAN Trunk 15 Click Apply The DMZ WAN2 port now operates as a VLAN Trunk port In this mode it will not accept untagged packets 16 Configure a VLAN trunk 802 1Q port on the VLAN aware switch according to the vendor instructions Define the same VLAN IDs on th...

Page 133: ...e Ports page appears b Remove all port assignments to the VLAN by selecting other networks in the drop down lists c Click Apply 2 Delete any firewall rules or VStream Antivirus rules that use this VLAN 3 Click Network in the main menu and click the My Network tab The My Network page appears 4 In the desired VLAN s row click the Erase icon A confirmation message appears 5 Click OK The VLAN is delet...

Page 134: ...dress thereby enabling communication As a result the Static NAT Internet IP addresses appear to external sources to be real computers connected to the WAN interface Assign the network object s IP address to a MAC address Normally the Nokia IP60 DHCP server consistently assigns the same IP address to a specific computer However if the Nokia IP60 DHCP server runs out of IP addresses and the computer...

Page 135: ...les you to add only individual computers as network objects The computer s details are filled in automatically in the wizard To add or edit a network object via the Network Objects page 1 Click Network in the main menu and click the Network Objects tab The Network Objects page appears with a list of network objects 2 Do one of the following To add a network object click New To edit an existing net...

Page 136: ...Do one of the following To specify that the network object should represent a single computer or device click Single Computer To specify that the network object should represent a network click Network 4 Click Next The Step 2 Computer Details dialog box appears If you chose Single Computer the dialog box includes the Reserve a fixed IP address for this computer option ...

Page 137: ...work 137 If you chose Network the dialog box does not include this option 5 Complete the fields using the information in the tables below 6 Click Next The Step 3 Save dialog box appears 7 Type a name for the network object in the field 8 Click Finish ...

Page 138: ...e desired computer The Nokia IP60 Network Object Wizard opens with the Step 1 Network Object Type dialog box displayed 3 Do one of the following To specify that the network object should represent a single computer or device click Single Computer To specify that the network object should represent a network click Network 4 Click Next The Step 2 Computer Details dialog box appears The computer s IP...

Page 139: ...Using Network Objects Chapter 6 Managing Your Network 139 8 Click Finish The new object appears in the Network Objects page ...

Page 140: ...s IP address or click This Computer to specify your computer s MAC address Perform Static NAT Network Address Translation Select this option to map the local computer s IP address to an Internet IP address You must then fill in the External IP field External IP Type the Internet IP address to which you want to map the local computer s IP address Exclude this computer from HotSpot enforcement Selec...

Page 141: ...this network from Secure HotSpot enforcement Computers on the excluded network will be able to access your network without viewing the My HotSpot page Furthermore users on HotSpot networks will be able to access computers on the excluded network without viewing the My HotSpot page Exclude this network from Web Filtering Select this option to exclude this network from the Web Filtering service and ...

Page 142: ...your policies easier to understand and maintain When a network service object is modified the change automatically takes effect in all rules and settings that reference the network service object Adding and Editing Network Service Objects To add or edit a network service object 1 Click Network in the main menu and click the Network Services tab The Network Services page appears with a list of netw...

Page 143: ...Network Service Wizard opens with the Step 1 Network Service Details dialog box displayed 3 Complete the fields using the information in the table below 4 Click Next The Step 2 Network Service Name dialog box appears 5 Type a name for the network service object in the field 6 Click Finish ...

Page 144: ... 2 To delete a network service object do the following a In the desired network service object s row click the Erase icon A confirmation message appears b Click OK The network service object is deleted Using Static Routes A static route is a setting that explicitly specifies the route to use for packets according to one of the following criteria The packet s source IP address and or destination IP...

Page 145: ... originating from the Accounting department should be sent via WAN1 and another static route specifying that traffic originating from the Marketing department should be sent via WAN2 A static route that is based on the network service used to send the packet is called a service route Service routing is useful for directing all traffic of a particular type to a specific Internet connection For exam...

Page 146: ...red route in the list The Static Route Wizard opens displaying the Step 1 Source and Destination dialog box 3 Complete the fields using the relevant information in the following table 4 Click Next The Step 2 Next Hop and Metric dialog box appears 5 Complete the fields using the relevant information in the following table 6 Click Next The new static route is saved ...

Page 147: ...ination Network Type the destination network s IP address Destination Netmask Select the destination network s subnet mask Service Specify the service used to send packets service routing This can be either of the following ANY This route applies to packets sent using any service A specific service Note When defining a static route for a specific service the Source and Destination fields must be s...

Page 148: ...ith a list of existing static routes 2 To refresh the view click Refresh 3 To delete a route do the following a In the desired route s row click the Erase icon A confirmation message appears b Click OK The route is deleted Managing Ports The IP60 appliance enables you to quickly and easily assign its ports to different uses as shown in the following table If desired you can also disable ports Tabl...

Page 149: ...pliance also allows you to restrict each port to a specific link speed and duplex setting and to configure its security scheme For information on port based security see Using Port Based Security on page 247 Viewing Port Statuses You can view the status of the IP60 appliance s ports on the Ports page including each Ethernet connection s duplex state This is useful if you need to check whether the ...

Page 150: ...P60 Security Appliance User Guide The Ports page appears In non ADSL models this page appears as follows The page displays the information for each port as described in the following table 2 To refresh the display click Refresh ...

Page 151: ...devices printers or modem are connected to the USB ports The number of connected devices appears in parentheses This status is relevant for the USB ports only Not Connected No USB devices are connected to the USB ports This status is relevant for the USB ports only 802 1x The port s security scheme This can be any of the following N A No security scheme is defined for the port Unauthorized An 802 ...

Page 152: ...The procedure below Note When you configure an Ethernet based Internet connection on a port the port is automatically assigned to Internet use For information on configuring an Internet connection see Using Internet Setup on page 76 DMZ Configuring a DMZ Network Console Using a Console on page 427 A VLAN network dynamically assigned by a RADIUS server Configuring Port Based Security on page 249 A ...

Page 153: ...sage appears 5 Click OK The port is reassigned to the specified network or purpose Modifying Link Configurations By default the IP60 appliance automatically detects the link speed and duplex If desired you can manually restrict the appliance s ports to a specific link speed and duplex setting To modify a port s link configuration 1 Click Network in the main menu and click the Ports tab The Ports p...

Page 154: ...Appliance User Guide Select Automatic Detection to configure the port to automatically detect the link speed and duplex This is the default 4 Click Apply A warning message appears 5 Click OK The port uses the specified link speed and duplex ...

Page 155: ...rt Default Assignment LAN 1 8 LAN DMZ WAN2 DMZ WAN This port is always assigned to the WAN ADSL This port is always assigned to the ADSL connection Serial Console Note When you reset ports to their defaults all currently established connections that are not supported by the default settings may be broken For example if you were using the DMZ WAN2 port as WAN2 the port reverts to its DMZ assignment...

Page 156: ... OK All ports are reset to their default assignments and to Automatic Detection link configuration Resetting Individual Ports to Defaults To reset a port to defaults 1 Click Network in the main menu and click the Ports tab The Ports page appears 2 Next to the desired port click Edit The Port Setup page appears 3 Click Default A confirmation message appears 4 Click OK The port is reset to its defau...

Page 157: ...a bridge Bridges offer the following advantages Easy network segmentation Bridges can be used to compartmentalize an existing network into several security zones without changing the IP addressing scheme or the routers configuration Ordinarily if you need to deploy a firewall within an internal network you can divide the existing subnet into two networks and configure a new routing scheme However ...

Page 158: ...ts inspecting traffic and dropping or blocking unauthorized or unsafe traffic In contrast if you disable the firewall between bridged network segments all network interfaces assigned to the bridge are connected directly with no firewall filtering the traffic between them The network interfaces operate as if they were connected by a hub or switch Figure 13 Bridge with Four VLANs ...

Page 159: ...all the two networks will act as a single seamless network and only traffic from the LAN and primary WLAN networks to other networks for example the Internet will be inspected by the firewall If you enable the internal firewall it will enforce security rules and inspect traffic between the LAN and primary WLAN networks Figure 14 Bridge Firewalling ...

Page 160: ...k is completely transparent and does not require any changes to the network s structure Each bridge maintains a forwarding table which consists of MAC Address Port associations When a packet is received on one of the bridge ports the forwarding table is automatically updated to map the source MAC address to the network port from which the packet originated and the gateway processes the received pa...

Page 161: ...es and Spanning Tree Protocol When using multiple bridges you can enable fault tolerance and optimal packet routing by configuring Spanning Tree Protocol STP IEEE 802 1d When STP is enabled each bridge communicates with its neighboring bridges or switches to discover how they are interconnected This information is then used to eliminate loops while providing optimal routing of packets STP also use...

Page 162: ...g Internet Connections to Bridges on page 168 4 If you enabled the firewall between networks on this bridge add security rules and VStream Antivirus rules as needed For information on adding security rules see Adding and Editing Rules on page 241 For information on adding VStream Antivirus rules see Adding and Editing Vstream Antivirus Rules on page 313 Adding and Editing Bridges To add or edit a ...

Page 163: ... Network page appears 2 Do one of the following To add a bridge click Add Bridge To edit a bridge click Edit in the desired bridge s row The Bridge Configuration page appears 3 Complete the fields using the following table 4 Click Apply A success message appears ...

Page 164: ...Pass The firewall will allow all non IP protocol traffic on the bridge and process it as described in Using Bridges on page 157 Spanning Tree Protocol Specify whether to enable STP for this bridge by selecting one of the following Enabled STP is enabled Disabled STP is disabled This is the default value If you selected Enabled the Bridge Priority field appears Bridge Priority Select this bridge s ...

Page 165: ...or information on adding port based VLANs see Adding and Editing Port Based VLANs on page 130 For information on adding tag based VLANs see Adding and Editing Tag Based VLANs on page 131 For information on adding VAPs see Configuring Virtual Access Points on page 209 For information on adding WDS links see Configuring WDS Links on page 212 To add an internal network to a bridge 1 Click Network in ...

Page 166: ... IP60 Security Appliance User Guide If the assigned bridge uses STP additional fields appear 5 Click Apply A warning message appears 6 Click OK A success message appears In the My Network page the internal network appears indented under the bridge ...

Page 167: ...etwork segment the Nokia IP60 DHCP server allocates only addresses within the allowed IP address range To enable clients to move between bridged networks without changing IP addresses configure identical IP address ranges for the desired networks thus allowing the IP addresses to be used on either of the bridged networks Note Configuring overlapping or identical allowed IP address ranges will decr...

Page 168: ...ll ports the root port will be elected based on the port s logical number The default value is 128 This field only appears if the bridge uses STP Adding Internet Connections to Bridges To add an Internet connection to a bridge 1 Click Network in the main menu and click the Internet tab The Internet page appears 2 Next to the desired Internet connection click Edit The Internet Setup page appears 3 ...

Page 169: ...onnections to Bridges Chapter 7 Using Bridges 169 New fields appear 5 Complete the fields specified in the table below 6 Complete the rest of the fields using the relevant information in Internet Setup Fields on page 89 ...

Page 170: ...ding on the selected options and whether the selected bridge uses STP 7 Click Apply The IP60 appliance attempts to connect to the Internet and the Status Bar displays the Internet status Connecting This may take several seconds Once the connection is made the Status Bar displays the Internet status Connected ...

Page 171: ...e blocked It is recommended to set a lower value for faster links This field only appears if the selected bridge uses STP It is relevant for regular bridged connections only Spanning Tree Protocol Port Priority Select the port s priority The port s priority is combined with the port s logical number to create the port s ID The port with the lowest ID is elected as the root port which forwards fram...

Page 172: ... Apply 2 Remove all Internet connections from the bridge by doing the following for each connection a Click Network in the main menu and click the Internet tab The Internet page appears b Next to the desired Internet connection click Edit c The Internet Setup page appears d In the Connection Type field select the desired connection type not Bridged e Click Apply 3 Click Network in the main menu an...

Page 173: ... 1 Each gateway is assigned a priority which determines the gateway s role the gateway with the highest priority is the Active Gateway and uses the virtual IP address and the rest of the gateways are Passive Gateways 2 The Active Gateway sends periodic signals or heartbeats to the network via a synchronization interface The synchronization interface can be any internal network or bridge existing o...

Page 174: ...a virtual IP address to the WAN interface Each Passive Gateway will remain constantly connected to the Internet using its WAN interface s primary IP address while remaining on standby to take over the WAN virtual IP address in the event that the Active Gateway fails If desired you can configure a WAN virtual IP address for the WAN2 interface as well Note To use a WAN virtual IP address the Interne...

Page 175: ... interface Configuring High Availability on a Gateway The following procedure explains how to configure HA on a single gateway You must perform this procedure on each IP60 appliance that you want to include in the HA cluster To configure HA on a IP60 appliance 1 Set the appliance s internal IP addresses and network range Each appliance must have a different internal IP address See Changing IP Addr...

Page 176: ... same for all gateways You can assign a virtual IP address to any internal interface as well as to Internet connections that are configured as LAN Static IP 6 Click the Synchronization radio button next to the network you want to use as the synchronization interface Note The synchronization interface must be the same for all gateways and must always be connected and enabled on all gateways Otherwi...

Page 177: ...In this field Do this Priority My Priority Type the gateway s priority This must be an integer between 1 and 255 Internet Connection Tracking Internet Primary Type the amount to reduce the gateway s priority if the primary Internet connection goes down This must be an integer between 0 and 255 Internet Secondary Type the amount to reduce the gateway s priority if the secondary Internet connection ...

Page 178: ... value Sample Implementation on Two Gateways The following procedure illustrates how to configure HA for the following two Nokia IP60 gateways Gateway A and Gateway B Table 35 Gateway Details Gateway A Gateway B Internal Networks LAN DMZ LAN DMZ Internet Connections Primary and secondary Primary only LAN Network IP Address 192 169 100 1 192 169 100 2 LAN Network Subnet Mask 255 255 255 0 255 255 2...

Page 179: ...pears c Select the Gateway High Availability check box The Gateway High Availability area is enabled The LAN and DMZ networks are listed d Next to LAN select the HA check box e In the LAN network s Virtual IP field type the default gateway IP address 192 168 100 3 f Next to DMZ select the HA check box g In the DMZ network s Virtual IP field type the default gateway IP address 192 168 101 3 h Click...

Page 180: ...ton next to DMZ i In the My Priority field type 60 The low priority means that Gateway B will be the Passive Gateway j In the Internet Primary field type 20 Gateway B will reduce its priority by 20 if its Internet connection goes down k Click Apply A success message appears Gateway A s priority is 100 and Gateway B s priority is 60 So long as one of Gateway A s Internet connections is up Gateway A...

Page 181: ...Web traffic and FTP traffic at 3 1 If a specific class is not using all of its bandwidth the leftover bandwidth is divided among the remaining classes in accordance with their relative weights In the example above if only one Web and one FTP connection are active and they are competing the Web connection will receive 75 30 40 of the leftover bandwidth and the FTP connection will receive 25 10 40 o...

Page 182: ...ernatively use the four built in QoS classes See Adding and Editing a Class on page 184 3 Use Allow or Allow and Forward rules to assign different types of connections to QoS classes For example if Traffic Shaper is enabled for outgoing traffic and you create an Allow rule associating all outgoing VPN traffic with the Urgent QoS class then Traffic Shaper will handle outgoing VPN traffic as specifi...

Page 183: ...dwidth allocated to this class is less than the weight allocated to the Important class The Urgent class is ideal for delay sensitive traffic that does not demand a high amount of bandwidth Important 20 Medium Normal Traffic Important traffic that requires a high allocation of bandwidth but which is not exceptionally sensitive to delays For example you can prioritize the HTTP traffic of a company ...

Page 184: ...1 Click Network in the main menu and click the Traffic Shaper tab The Quality of Service Classes page appears 2 Click Add The Nokia IP60 QoS Class Editor wizard opens with the Step 1 of 3 Quality of Service Parameters dialog box displayed 3 Complete the fields using the relevant information in the following table 4 Click Next ...

Page 185: ...umber or type of packets it receives from the Internet it can only affect the rate of incoming traffic by dropping received packets It is therefore recommended to enable traffic shaping for incoming traffic only if necessary For information on enabling Traffic Shaper for incoming and outgoing traffic see Using Internet Setup on page 76 6 Click Next The Step 3 of 3 Save dialog box appears with a su...

Page 186: ...tocols that require quick user response such as telnet Traffic Shaper serves delay sensitive traffic with a lower latency That is Traffic Shaper attempts to send packets with a High Interactive Traffic level before packets with a Medium Normal Traffic or Low Bulk Traffic level Outgoing Traffic Guarantee At Least Select this option to guarantee a minimum bandwidth for outgoing traffic belonging to ...

Page 187: ...existing QoS class 1 Click Network in the main menu and click the Traffic Shaper tab The Quality of Service Classes page appears with a list of all defined QoS classes 2 To delete a QoS class do the following a In the desired class s row click the Erase icon A confirmation message appears b Click OK The class is deleted Restoring Traffic Shaper Defaults If desired you can reset the Traffic Shaper ...

Page 188: ...IP60 Security Appliance User Guide To restore Traffic Shaper defaults 1 Click Network in the main menu and click the Traffic Shaper tab The Quality of Service Classes page appears 2 Click Restore Defaults A confirmation message appears 3 Click OK ...

Page 189: ...e XR mode that allows up to three times the range of a regular 802 11g access point XR dramatically stretches the performance of a wireless LAN by enabling long range connections The architecture delivers receive sensitivities of up to 105 dBm over 20 dB more than the 802 11 specification This allows ranges of up to 300 meters indoors and up to 1 km 3200 ft outdoors with XR enabled wireless statio...

Page 190: ... 11i encryption standard and allow employees to access company resources such as the intranet You can configure up to three VAPs in addition to the primary WLAN For information on configuring VAPs see Configuring VAPs on page 209 Wireless Distribution System Links The IP60 appliance enables you to extend the primary WLAN s coverage area by creating a Wireless Distribution System WDS A WDS is a sys...

Page 191: ...ies such as a star or tree of access points When used together with bridge mode and Spanning Tree Protocol STP you can use WDS links to create redundant topologies such as a loop or mesh of linked access points Figure 17 WDS Star of Wireless Access Points Figure 18 Two Access Points Linked by a WDS Bridge ...

Page 192: ...bjects including any combination of the following The primary WLAN Up to three virtual access points VAPs Up to seven WDS links For example if you configure the primary WLAN and two VAPs then you can configure five WDS links or one more VAP and four WDS links When Extended Range XR mode is enabled for a wireless object then it is counted as two objects For example if you configure XR mode for the ...

Page 193: ...s point authenticator must first be authenticated by a RADIUS server authentication server which supports 802 1x All messages are passed in EAP Extensible Authentication Protocol This method is recommended for situations in which you want to authenticate wireless users but do not need to encrypt the data This security method is not supported for WDS links Note To use this security method you must ...

Page 194: ...u to restrict access to the wireless network to wireless stations that support the WPA2 security method If this setting is not selected the IP60 appliance allows clients to connect using both WPA and WPA2 This security method is not supported for WDS links Note For increased security it is recommended to enable the Nokia IP60 internal VPN Server for users connecting from your internal networks and...

Page 195: ...escribed in Preparing the Edge Appliance for a Wireless Connection on page 51 2 Click Network in the main menu and click the My Network tab The My Network page appears 3 In the WLAN network s row click Edit The Edit Network Settings page appears 4 Click Wireless Wizard The Wireless Configuration Wizard opens with the Wireless Configuration dialog box displayed 5 Select the Enable wireless networki...

Page 196: ...ns must use a pre shared key to connect to your network WEP is widely known to be insecure and is supported mainly for compatibility with existing networks and stations that do not support other methods Click No Security to use no security to create a public unsecured access point 10 Do one of the following To bridge the LAN and WLAN networks so that they appear as a single unified network click B...

Page 197: ...information see Using Firewall Rules 11 Click Next WPA Personal If you chose WPA Personal the Wireless Configuration WPA Personal dialog box appears Do the following 1 In the text box type the passphrase for accessing the network or click Random to randomly generate a passphrase This must be between 8 and 63 characters It can contain spaces and special characters and is case sensitive 2 Click Next...

Page 198: ... wizard closes 6 Prepare the wireless stations WEP If you chose WEP the Wireless Configuration WEP dialog box appears Do the following 1 Choose a WEP key length The possible key lengths are 64 Bits The key length is 10 hexadecimal characters 128 Bits The key length is 26 hexadecimal characters 152 Bits The key length is 32 hexadecimal characters ...

Page 199: ...ppears 5 Click Finish The wizard closes 6 Prepare the wireless stations No Security The Wireless Security Complete dialog box appears Click Finish The wizard closes Manually Configuring a Wireless Network To manually configure a wireless network 1 Prepare the appliance for a wireless connection as described in Preparing the Edge Appliance for a Wireless Connection on page 51 2 If you want to use 8...

Page 200: ...erlap other networks 7 In the Subnet Mask field type the wireless network s internal network range 8 If desired enable or disable Hide NAT See Enabling Disabling Hide NAT on page 112 9 If desired configure a DHCP server See Configuring a DHCP Server on page 113 10 Complete the fields using the information in Basic Wireless Settings Fields on page 202 11 To configure advanced settings click Show Ad...

Page 201: ...hat you are about to change your network settings 13 Click OK A success message appears Note Some wireless cards have Infrastructure and Ad hoc modes These modes are also called Access Point and Peer to Peer On the wireless client choose the Infrastructure or Access Point mode You can set the wireless cards to either Long Preamble or Short Preamble ...

Page 202: ...mode 802 11b 11 Mbps Operates in the 2 4 GHz range and offers a maximum theoretical rate of 11 Mbps When using this mode only 802 11b stations will be able to connect 802 11g 54 Mbps Operates in the 2 4 GHz range and offers a maximum theoretical rate of 54 Mbps When using this mode only 802 11g stations will be able to connect 802 11b g 11 54 Mbps Operates in the 2 4 GHz range and offers a maximum...

Page 203: ...adio frequency to use for the wireless connection Automatic The IP60 appliance automatically selects a channel This is the default A specific channel The list of channels is dependent on the selected country and operation mode Note If there is another wireless network in the vicinity the two networks may interfere with one another To avoid this problem the networks should be assigned channels that...

Page 204: ...Wireless stations using either WPA or WPA2 can access the wireless network This is the default WPA Encryption Select the encryption method to use for authenticating and encrypting wireless data Auto The IP60 appliance automatically selects the cipher used by the wireless client This is the default AES Advanced Encryption Standard TKIP Temporal Key Integrity Protocol Note AES is more secure than TK...

Page 205: ...domly generate a key matching the selected length The key is composed of hexadecimal characters 0 9 and A F and is not case sensitive Table 40 Advanced Wireless Settings Fields In this field Do this Advanced Security Hide the Network Name SSID Specify whether you want to hide your network s SSID by selecting one of the following Yes Hide the SSID Only devices to which your SSID is known can connec...

Page 206: ...low wireless stations on this network to communicate with each other by selecting one of the following Allow Allow stations to communicate with each other This is the default Block Block traffic between wireless stations Wireless Transmitter Transmission Rate Select the transmission rate Automatic The IP60 appliance automatically selects a rate This is the default A specific rate This field only a...

Page 207: ...th antennas and automatically selects the antenna with the lowest distortion signal to use for communicating The selection is made on a per station basis This is the default ANT 1 The ANT 1antenna is always used for communicating ANT 2 The ANT 2 antenna is always used for communicating Use manual diversity control ANT 1 or ANT 2 if there is only one antenna connected to the appliance This field on...

Page 208: ...on threshold effectively disables RTS The default value is 2346 Extended Range Mode XR Specify whether to use Extended Range XR mode Disabled XR mode is disabled Enabled XR mode is enabled XR will be automatically negotiated with XR enabled wireless stations and used as needed This is the default For more information on XR mode see About the Wireless Hardware in Your Wireless Appliance Multimedia ...

Page 209: ...AN see Manually Configuring a Wireless Network on page 199 Note To enable VAPs you must first enable the primary WLAN network If you disable the primary WLAN network all VAPs are automatically disabled The procedure below explains how to add or edit a VAP For information on deleting a VAP see Deleting VLANs on page 133 To add or edit a VAP 1 Configure and enable the primary WLAN For information on...

Page 210: ... Appliance User Guide The Edit Network Settings page appears 5 In the Network Name field type a name for the VAP 6 In the Type drop down list select Virtual Access Point New fields appear 7 In the Mode drop down list select Enabled The fields are enabled ...

Page 211: ...rver See Configuring a DHCP Server on page 113 12 Complete the fields using the information in Basic Wireless Settings Fields on page 202 13 To configure advanced settings click Show Advanced Settings and complete the fields using the information in Advanced Wireless Settings Fields on page 205 New fields appear 14 Click Apply Note Some wireless cards have Infrastructure and Ad hoc modes These mod...

Page 212: ...ry WLAN see Manually Configuring a Wireless Network on page 199 Note To enable WDS links you must first enable the primary WLAN network If you disable the primary WLAN network all WDS links are automatically disabled The procedure below explains how to add or edit a WDS link For information on deleting a WDS link see Deleting VLANs on page 133 To add or edit a WDS link 1 Configure and enable the p...

Page 213: ...nk 1 In the Mode drop down list select Bridged The fields are enabled and additional fields appear 2 Complete these fields as described in Bridged Network Fields on page 167 To create a routed WDS link do the following 1 In the Mode drop down list select Enabled The fields are enabled 2 In the IP Address field type the IP address of the WDS link s default gateway The WDS link must not overlap othe...

Page 214: ...ettings and complete the fields using the relevant information in Advanced Wireless Settings Fields on page 205 New fields appear 12 Click Apply Note Both sides of the WDS link must use the same radio channel and security settings Note WDS links support using the WEP security mode or no security However the access point can use any supported security protocol to communicate with wireless stations ...

Page 215: ... page and check for excessive errors or dropped packets Look at the My Computers page to see information for specific wireless stations such as the number of transmission errors and the current reception power of each station On the wireless station open a command window and type ping my firewall If you see a large number of dropped packets you are experiencing poor reception Wireless reception is...

Page 216: ...ending a certain size IP packet a station sends an RTS Request To Send packet If the recipient is not currently receiving packets from another source it sends back a CTS Clear To Send packet indicating that the station can send the IP packet Try setting the RTS Threshold parameter in the wireless network s advanced settings to a lower value This will cause stations to use RTS for smaller IP packet...

Page 217: ...your setup that you have made yourself or as a result of a security update implemented by your Service Center Red Connection attempts that were blocked by your firewall Orange Connection attempts that were blocked by your custom security rules Green Traffic accepted by the firewall By default accepted traffic is not logged However such traffic may be logged if specified by a security policy downlo...

Page 218: ... purposes or send it to technical support Note You can configure the IP60 appliance to send event logs to a Syslog server For information see Configuring Syslog Logging on page 424 To view the event log 1 Click Reports in the main menu and click the Event Log tab The Event Log page appears 2 If an event is highlighted in red indicating a blocked attack on your network you can display the attacker ...

Page 219: ...oS class assignments The Traffic Monitor displays separate bar charts for incoming traffic and outgoing traffic and displays traffic rates in kilobits second If desired you can change the number of seconds represented by the bars in the charts using the procedure Configuring Traffic Monitor Settings on page 221 In network traffic reports the traffic is color coded as described in the following tab...

Page 220: ...the list If Traffic Shaper is enabled the list also includes the defined QoS classes Choose All QoS Classes to display a report including all QoS classes For information on enabling Traffic Shaper see Using Internet Setup on page 76 The selected report appears in the Traffic Monitor page 3 To refresh all traffic reports click Refresh 4 To clear all traffic reports click Clear Note The firewall blo...

Page 221: ...Traffic Monitor page appears 2 Click Export A standard File Download dialog box appears 3 Click Save The Save As dialog box appears 4 Browse to a destination directory of your choice 5 Type a name for the configuration file and click Save A csv file is created and saved to the specified directory Configuring Traffic Monitor Settings You can configure the interval at which the IP60 appliance should...

Page 222: ...llect traffic data The default value is one sample every 1800 seconds 30 minutes 4 Click Apply Viewing Computers This option allows you to view the currently active computers on your network The computers are graphically displayed each with its name IP address and settings DHCP Static etc You can also view node limit information To view the computers 1 Click Reports in the main menu and click the ...

Page 223: ...ars and the computers over the node limit are marked in red These computers are still protected but they are blocked from accessing the Internet through the IP60 appliance Note Computers that did not communicate through the firewall are not counted for node limit purposes even though they are protected by the firewall and appear in the My Computers table Note To increase the number of computers al...

Page 224: ... network objects see Adding and Editing Network Objects on page 135 2 To refresh the display click Refresh 3 To view node limit information do the following a Click Node Limit The Node Limit window appears with installed software product and the number of nodes used b Click Close to close the window Viewing Connections This option allows you to view currently active connections between your networ...

Page 225: ...ame of the entity to which the IP address is registered and their contact information 4 To view information about a destination port click the port A window opens displaying information about the port Table 43 Connections Fields This field Displays Protocol The protocol used TCP UDP etc Source IP Address The source IP address Source Port The source port Destination IP Address The destination IP ad...

Page 226: ...can view wireless statistics for the primary WLAN and VAPs or for individual wireless stations To view statistics for the primary WLAN and VAPs 1 Click Reports in the main menu and click the Wireless tab The Wireless page appears The page displays the information in the following tables 2 To refresh the display click Refresh Table 44 Wireless Statistics This field Displays Status Wireless Mode The...

Page 227: ...sfully transmitted and received Errors The total number of transmitted and received frames for which an error occurred Wrong NWID ESSID The total number of received packets that were dropped because they were destined for another access point Invalid Encryption Key The total number of transmitted and received packets with the wrong encryption key Missing Fragments The total number of packets misse...

Page 228: ...ent Rate The current reception and transmission rate in Mbps Frames OK The total number of frames that were successfully transmitted and received Management The total number of transmitted and received management packets Control The total number of received control packets Errors The total number of transmitted and received frames for which an error occurred Dup ratio The percentage of frames rece...

Page 229: ...and click the Routing tab The Routing Table page appears The page displays the information in the following table 2 To refresh the display click Refresh Table 46 Routing Table Fields This field Displays Source The route s source Destination The route s destination Service The network service for which the route is configured Gateway The gateway s IP address Metric The route s metric Interface The ...

Page 230: ...ute A route to a network that is directly connected to the IP60 appliance Static Route A destination based or service based static route See Using Static Routes on page 144 Dynamic Route A route obtained through a dynamic routing protocol such as OSPF Source Route A source based static route See Using Static Routes on page 144 ...

Page 231: ... enterprise security policy by connecting to SMART management Note When the firewall is managed by SmartCenter the SmartCenter security policy replaces the default security policy and the firewall security levels The firewall security level is set to High and cannot be changed Note Local security rules take precedence over rules configured by the central management For information on subscribing t...

Page 232: ...ces a network security policy for accessing network resources A rule base is an ordered set of individual network security rules against which each attempted connection is checked Each rule specifies the source destination service and action to be taken for each connection A rule also specifies how a communication is tracked logged and displayed In other words the rule base is the implementation o...

Page 233: ...VAPs HTTPS access to the Nokia IP60 Portal my firewall my hotspot and my vpn is allowed from all internal networks HTTP access to the Nokia IP60 Portal my firewall my hotspot and my vpn is allowed from all internal networks except the WLAN and VAPs You can allow HTTP access from the primary WLAN and VAPs by creating a specific user defined firewall rule When using the print server function see Usi...

Page 234: ...und traffic is allowed to the Internet except for Windows file sharing NBT ports 137 138 139 and 445 High Enforces strict control on all incoming and outgoing connections All inbound traffic is blocked Restricts all outbound traffic except for the following Web traffic HTTP HTTPS email IMAP POP3 SMTP ftp newsgroups Telnet DNS IPSEC IKE and VPN traffic Block All Blocks all access between networks A...

Page 235: ...ded from a Service Center may alter the security policy and change these definitions To change the firewall security level 1 Click Security in the main menu and click the Firewall tab The Firewall page appears 2 Drag the security lever to the desired level The IP60 appliance security level changes accordingly ...

Page 236: ...ward rules for common services where the destination is This Gateway For information on creating more complex rules see Using Rules on page 238 Exposed host If you need to allow unlimited incoming and outgoing connections between the Internet and a particular host you can define an exposed host An exposed host is not protected by the firewall and it receives all traffic that was not forwarded to a...

Page 237: ...c service or application rows 1 9 An exposed host row 10 Host IP Type the IP address of the computer that will run the service one of your network computers or click the corresponding This Computer button to allow your computer to host the service VPN Only Select this option to allow only connections made through a VPN To stop the forwarding of services to a specific host 1 Click Security in the m...

Page 238: ...irewall rules that allow specific DMZ computers such a manager s computer to connect to the LAN network and the accounting department The IP60 appliance processes user defined rules in the order they appear in the Rules table so that rule 1 is applied before rule 2 and so on This enables you to define exceptions to rules by placing the exceptions higher up in the Rules table For example if you wan...

Page 239: ...Permit outgoing traffic from your internal network to a specific service and destination IP address on the Internet and then divert all such connections to a specific IP address Such rules are called transparent proxy rules For example you can redirect all traffic destined for a specific Web server on the Internet to a different IP address Redirect the specified connections to a specific port This...

Page 240: ...example if Traffic Shaper is enabled for outgoing traffic and you create an Allow rule associating all outgoing Web traffic with the Urgent QoS class then Traffic Shaper will handle outgoing Web traffic as specified in the bandwidth policy for the Urgent class For information on Traffic Shaper and QoS classes see Using Traffic Shaper Note You cannot use an Allow rule to permit incoming traffic if ...

Page 241: ...curity in the main menu and click the Rules tab The Rules page appears 2 Do one of the following To add a new rule click Add Rule To edit an existing rule click the Edit icon next to the desired rule The Nokia IP60 Firewall Rule wizard opens with the Step 1 Rule Type dialog box displayed 3 Select the type of rule you want to create ...

Page 242: ... 2 Service dialog box appears The example below shows an Allow and Forward rule 5 Complete the fields using the relevant information in the following table 6 Click Next The Step 3 Destination Source dialog box appears 7 To configure advanced settings click Show Advanced Settings ...

Page 243: ...licy 243 New fields appear 8 Complete the fields using the relevant information in the following table 9 Click Next The Step 4 Rule Options dialog box appears 10 Complete the fields using the relevant information in the following table 11 Click Next ...

Page 244: ...fy that the rule should apply to a specific standard service or a network service object You must then select the desired service or network service object from the drop down list Custom Service Click this option to specify that the rule should apply to a specific non standard service The Protocol and Port Range fields are enabled You must fill them in Protocol Select the protocol for which the ru...

Page 245: ... the fields provided Destination Select the destination of the connections you want to allow block To specify an IP address select Specified IP and type the desired IP address in the text box To specify an IP address range select Specified Range and type the desired IP address range in the fields provided To specify the Nokia IP60 IP address select This Gateway To specify any destination except th...

Page 246: ...u must then type the desired port in the field provided This option is called Port Address Translation PAT and is only available when defining an Allow and Forward rule Log accepted connections Log blocked connections Select this option to log the specified blocked or allowed connections By default accepted connections are not logged and blocked connections are logged You can modify this behavior ...

Page 247: ...information icon in the desired rule s row A tooltip displays the rule s description 3 To delete a rule do the following a In the desired rule s row click the Erase icon A confirmation message appears b Click OK The rule is deleted Using Port Based Security The IP60 appliance supports the IEEE 802 1x standard for secure RADIUS authentication of users and devices that are directly attached to IP60 ...

Page 248: ... to log on the IP60 appliance relays the information to the RADIUS server which replies with RADIUS option 81 and the value Accounting The appliance then assigns the user s port to the Accounting network granting the user access to all the resources of the Accounting team The IP60 appliance also enables you to automatically assign users to a Quarantine network when authentication fails All Quarant...

Page 249: ...r documentation 3 To configure dynamic VLAN assignment do the following a Add port based VLAN networks as needed See Adding and Editing Port Based VLANs on page 130 b Configure RADIUS option 81 Tunnel Private Group ID on the RADIUS server For information refer to your RADIUS server documentation 4 To configure a Quarantine network other than the LAN or DMZ add a port based VLAN network See Adding ...

Page 250: ... select From RADIUS To configure 802 1x security without dynamic VLAN assignment select the network to which users should be assigned upon successful authentication 8 In the Port Security drop down list select 802 1x 9 To configure a Quarantine network in the Quarantine Network drop down list select the network that should be the Quarantine network 10 Click Apply A warning message appears 11 Click...

Page 251: ...x status of all ports is reset to Unauthenticated Using Secure HotSpot You can enable your IP60 appliance as a public Internet access hotspot for specific networks When users on those networks attempt to access the Internet they are automatically re directed to the My HotSpot page http my hotspot Note You can configure Secure HotSpot to use HTTPS In this case the My HotSpot page will be https my h...

Page 252: ...le to access the excluded network object without viewing the My HotSpot page For information on excluding network objects from HotSpot enforcement see Using Network Objects on page 134 Important SecuRemote SecureClient VPN software users who are authenticated by the Internal VPN Server are automatically exempt from HotSpot enforcement This allows for example authenticated employees to gain full ac...

Page 253: ...Networks area do one of the following To enable Secure HotSpot for a specific network select the check box next to the network To disable Secure HotSpot for a specific network clear the check box next to the network 3 Click Apply Customizing Secure HotSpot To customize Secure HotSpot 1 Click Security in the main menu and click the HotSpot tab The My HotSpot page appears 2 Complete the fields using...

Page 254: ...pens displaying the My HotSpot page 4 Click Apply Your changes are saved Table 51 My HotSpot Fields In this field Do this My HotSpot Title Type the title that should appear on the My HotSpot page The default title is Welcome to My HotSpot My HotSpot Terms Type the terms to which the user must agree before accessing the Internet You can use HTML tags as needed ...

Page 255: ... and the network A computer s IP address can be public and Internet routable or private and non routable Since IPv4 the current version of IP provides only 32 bits of address space available public IP addresses are becoming scarce most having already been assigned Internet Service Providers will usually allocate only one or a few public IP addresses at a time and while larger companies may purchas...

Page 256: ...T Work on page 257 Few to Many NAT Translation of a smaller IP address range to a larger IP address range When this type of NAT rule is used static NAT is used to map the IP addresses in the smaller range to the IP addresses at the beginning of the larger range The remaining IP addresses in the larger range remain unused Many to Few NAT Translation of a larger IP address range to a smaller IP addr...

Page 257: ...e internal IP address is recorded in the gateway s state tables When reply packets arrive the enforcement module uses the destination port to determine to which connection the packet belongs and then adjusts the destination port and IP address accordingly Adding and Editing NAT Rules This procedure explains how to add and edit custom NAT rules You cannot add or edit an implicitly defined NAT rule ...

Page 258: ...h the Step 1 of 3 Original Connection Details dialog box displayed 3 Complete the fields using the relevant information in the following table 4 Click Next The Step 2 of 3 Translations to Perform dialog box appears 5 Complete the fields using the relevant information in the following table 6 Click Next ...

Page 259: ... the field provided To specify an IP address range select Specified Range and type the desired IP address range in the fields provided And the destination is Select the original destination of the connections you want to translate To specify an IP address select Specified IP and type the desired IP address in the text box To specify an IP address range select Specified Range and type the desired I...

Page 260: ...ess range select Specified Range and type the desired IP address range in the fields provided To specify that the original destination should not be translated select Don t Change Change the service to Select the new service to which the original service should be translated To specify that the original service should not be translated select Don t Change Viewing and Deleting NAT Rules This proced...

Page 261: ... limit access from the Internet to internal Web servers Note Web rules differ from the Web Filtering subscription service in the following ways The Web Filtering service is subscription based and requires a connection to the Service Center while Web rules are included with the IP60 appliance The Web Filtering service is centralized extracting URLs from HTTP requests and sending the URLs to the Ser...

Page 262: ... In the figure below the general rule is rule number 2 and the exception is rule number 1 The IP60 appliance will process rule 1 first allowing access to the desired page and only then it will process rule 2 blocking access to the rest of the site The following rule types exist Table 53 Web Rule Types Rule Description Allow This rule type enables you to specify that a specific Web page should be a...

Page 263: ...he following To add a new rule click Add Rule To edit an existing rule click the Edit icon next to the desired rule The Nokia IP60 Web Rule Wizard opens with the Step 1 Rule Type dialog box displayed 3 Select the type of rule you want to create 4 Click Next The Step 2 Rule Location dialog box appears ...

Page 264: ...liance User Guide The example below shows a Block rule 5 Complete the fields using the relevant information in the following table 6 Click Next The Step 3 Confirm Rule dialog box appears 7 Click Finish The new rule appears in the Web Rules page ...

Page 265: ...and the IP address you must block both Log allowed connections Log blocked connections Select this option to log the specified blocked or allowed connections By default allowed Web pages are not logged and blocked Web pages are logged If the connection source is Select the source of the connections you want to allow block To specify an IP address select Specified IP and type the desired IP address...

Page 266: ...e rule is deleted Customizing the Access Denied Page The Access Denied page appears when a user attempts to access a page that is blocked either by a Web rule or by the Web Filtering service You can customize this page using the following procedure For information on the Web Filtering service see Web Filtering on page 333 To customize the Access Denied page 1 Do one of the following Click Security...

Page 267: ...s page 3 In the text box type the message that should appear when a user attempts to access a blocked Web page You can use HTML tags as needed 4 To display the Access Denied page using HTTPS select the Use HTTPS check box 5 To preview the Access Denied page click Preview A browser window opens displaying the Access Denied page 6 Click Apply Your changes are saved ...

Page 268: ......

Page 269: ...er operations In addition SmartDefense aids proper usage of Internet resources such as FTP instant messaging Peer to Peer P2P file sharing file sharing operations and File Transfer Protocol FTP uploading among others Configuring SmartDefense You can configure SmartDefense using the following tools SmartDefense Wizard Resets all SmartDefense settings to their defaults and then creates a SmartDefens...

Page 270: ...ee See Using the SmartDefense Tree on page 273 To configure the SmartDefense policy using the wizard 1 Click Security in the main menu and click the SmartDefense tab The SmartDefense page appears 2 Click SmartDefense Wizard The SmartDefense Wizard opens with the Step 1 SmartDefense Level dialog box displayed 3 Drag the lever to the desired level of SmartDefense enforcement For information on the l...

Page 271: ... Server Types dialog box appears 5 Select the check boxes next to the types of public servers that are running on your network 6 Click Next The Step 3 Application Blocking dialog box appears 7 Select the check boxes next to the types of applications you want to block from running on your network 8 Click Next ...

Page 272: ...s This level Does this Minimal Disables all SmartDefense protections except those that cannot be disabled Normal Enables the following Teardrop Ping of Death LAND Packet Sanity Max Ping Size set to 1500 Welchia Cisco IOS Null Payload IGMP Small PMTU Log Only This level blocks the most common attacks High Enables the same protections as Normal level as well as the following Host Port Scan Sweep Sca...

Page 273: ...onvenience SmartDefense is organized as a tree in which each branch represents a category of settings When a category is expanded the settings it contains appear as nodes For information on each category and the nodes it contains see SmartDefense Categories on page 274 Each node represents an attack type a sanity check or a protocol or service that is vulnerable to attacks To control how SmartDefe...

Page 274: ...xpand the relevant category and click on the desired node The right pane displays a description of the node followed by fields 3 To modify the node s current settings do the following a Complete the fields using the relevant information in SmartDefense Categories on page 274 b Click Apply 4 To reset the node to its default values a Click Default A confirmation message appears b Click OK The fields...

Page 275: ... to Peer on page 305 Port Scan on page 294 TCP on page 290 Denial of Service Denial of Service DoS attacks are aimed at overwhelming the target with spurious data to the point where it is no longer able to respond to legitimate service requests This category includes the following attacks DDoS Attack on page 279 LAND on page 278 Non TCP Flooding on page 279 Ping of Death on page 277 Teardrop on pa...

Page 276: ...much memory and crash You can configure how Teardrop attacks should be handled Table 56 Teardrop Fields In this field Do this Action Specify what action to take when a Teardrop attack occurs by selecting one of the following Block Block the attack This is the default None No action Track Specify whether to log Teardrop attacks by selecting one of the following Log Log the attack This is the defaul...

Page 277: ...uests and crash You can configure how Ping of Death attacks should be handled Table 57 Ping of Death Fields In this field Do this Action Specify what action to take when a Ping of Death attack occurs by selecting one of the following Block Block the attack This is the default None No action Track Specify whether to log Ping of Death attacks by selecting one of the following Log Log the attack This...

Page 278: ...es to reply to itself and either reboots or crashes You can configure how LAND attacks should be handled Table 58 LAND Fields In this field Do this Action Specify what action to take when a LAND attack occurs by selecting one of the following Block Block the attack This is the default None No action Track Specify whether to log LAND attacks by selecting one of the following Log Log the attack This...

Page 279: ...ake when the percentage of state table capacity used for non TCP connections reaches the Max percent non TCP traffic threshold Select one of the following Block Block any additional non TCP connections None No action This is the default Track Specify whether to log non TCP connections that exceed the Max Percent Non TCP Traffic threshold by selecting one of the following Log Log the connections No...

Page 280: ...action Track Specify whether to log DDoS attacks by selecting one of the following Log Log the attack This is the default None Do not log the attack IP and ICMP This category allows you to enable various IP and ICMP protocol tests and to configure various protections against IP and ICMP related attacks It includes the following Checksum Verification on page 289 Cisco IOS DOS on page 286 IP Fragmen...

Page 281: ... can configure whether logs should be issued for offending packets Table 61 Packet Sanity Fields In this field Do this Action Specify what action to take when a packet fails a sanity test by selecting one of the following Block Block the packet This is the default None No action Track Specify whether to issue logs for packets that fail the packet sanity tests by selecting one of the following Log ...

Page 282: ...ntly the IP60 appliance relaxes the UDP length verification sanity check by default performing the check but not dropping offending packets This is called relaxed UDP length verification Specify whether the IP60 appliance should relax the UDP length verification sanity check or not by selecting one of the following True Disable relaxed UDP length verification The IP60 appliance will drop packets t...

Page 283: ... whether to log ICMP echo responses that exceed the Max Ping Size threshold by selecting one of the following Log Log the responses This is the default None Do not log the responses Max Ping Size Specify the maximum data size for ICMP echo response The default value is 1500 IP Fragments When an IP packet is too big to be transported by a network link it is split into several smaller IP packets and...

Page 284: ...se it does not allow any fragmented packets Max Number of Incomplete Packets Type the maximum number of fragmented packets allowed Packets exceeding this threshold will be dropped The default value is 300 Timeout for Discarding Incomplete Packets When the IP60 appliance receives packet fragments it waits for additional fragments to arrive so that it can reassemble the packet Type the number of sec...

Page 285: ...ons from the same source reaches the Max Connections Second per Source IP threshold Select one of the following Block Block all new connections from the source Existing connections will not be blocked This is the default None No action Track Specify whether to log connections from a specific source that exceed the Max Connections Second per Source IP threshold by selecting one of the following Log...

Page 286: ...lds In this field Do this Action Specify what action to take when the Welchia worm is detected by selecting one of the following Block Block the attack This is the default None No action Track Specify whether to log Welchia worm attacks by selecting one of the following Log Log the attack This is the default None Do not log the attack Cisco IOS DOS Cisco routers are configured to process and accep...

Page 287: ...to log Cisco IOS DOS attacks by selecting one of the following Log Log the attack This is the default None Do not log the attack Number of Hops to Protect Type the number of hops from the enforcement module that Cisco routers should be protected The default value is 10 Action Protection for SWIPE Protocol 53 IP Mobility Protocol 55 SUN ND Protocol 77 PIM Protocol 103 Specify what action to take wh...

Page 288: ...ll payload ping packets should be handled Table 67 Null Payload Fields In this field Do this Action Specify what action to take when null payload ping packets are detected by selecting one of the following Block Block the packets This is the default None No action Track Specify whether to log null payload ping packets by selecting one of the following Log Log the packets This is the default None D...

Page 289: ...led Table 68 Checksum Verification Fields In this field Do this Action Specify what action to take when packets with incorrect checksums are detected by selecting one of the following Block Block the packets This is the default None No action Track Specify whether to log packets with incorrect checksums by selecting one of the following Log Log the packets None Do not log the packets This is the d...

Page 290: ...mal conditions out of state TCP packets can occur after the Nokia IP60 restarts since connections which were established prior to the reboot are unknown This is normal and does not indicate an attack You can configure how out of state TCP packets should be handled Table 69 Strict TCP In this field Do this Action Specify what action to take when an out of state TCP packet arrives by selecting one o...

Page 291: ... Specify what action to take when a packet is smaller than the Minimal MTU Size threshold by selecting one of the following Block Block the packet None No action This is the default Track Specify whether to issue logs for packets are smaller than the Minimal MTU Size threshold by selecting one of the following Log Issue logs This is the default None Do not issue logs Minimal MTU Size Type the mini...

Page 292: ...he default None No action A SYN attack is when more than 5 incomplete TCP handshakes are detected within 10 seconds A handshake is considered incomplete when it exceeds the Maximum time for completing the handshake threshold Track Specify whether to issue logs for the events specified by the Log Mode parameter by selecting one of the following Log Issue logs This is the default None Do not issue l...

Page 293: ...or external interfaces only Sequence Verifier The IP60 appliance examines each TCP packet s sequence number and checks whether it matches a TCP connection state You can configure how the appliance handles packets that match a TCP connection in terms of the TCP session but have incorrect sequence numbers Table 72 Strict TCP In this field Do this Action Specify what action to take when TCP packets w...

Page 294: ...g by selecting one of the following Clear Clear the URG flag on all incoming packets This is the default Allow Allow the URG flag Port Scan An attacker can perform a port scan to determine whether ports are open and vulnerable to an attack This is most commonly done by attempting to access a port and waiting for a response The response indicates whether or not the port is open This category includ...

Page 295: ...the number of seconds specified by the In a period of seconds value in order for SmartDefense to consider the activity a scan Type the minimum number of ports that must be accessed within the In a period of seconds period in order for SmartDefense to detect the activity as a port scan For example if this value is 30 and 40 ports are accessed within a specified period of time SmartDefense will dete...

Page 296: ...sed threshold is exceeded for 15 seconds SmartDefense will detect the activity as a port scan If the threshold is exceeded for 30 seconds SmartDefense will not detect the activity as a port scan The default value is 20 seconds Track Specify whether to issue logs for scans by selecting one of the following Log Issue logs This is the default None Do not issue logs This is the default Detect scans fr...

Page 297: ...tim machine You can configure how FTP bounce attacks should be handled Table 75 FTP Bounce Fields In this field Do this Action Specify what action to take when an FTP Bounce attack occurs by selecting one of the following Block Block the attack This is the default None No action Track Specify whether to log FTP Bounce attacks by selecting one of the following Log Log the attack This is the default...

Page 298: ...TP bounce attacks by preventing such attacks from reaching well known ports Table 76 Block Known Ports Fields In this field Do this Action Specify what action to take when the FTP server attempts to connect to a well known port by selecting one of the following Block Block the connection None No action This is the default ...

Page 299: ...tain a number greater than 255 Table 77 Block Port Overflow In this field Do this Action Specify what action to take for PORT commands containing a number greater than 255 by selecting one of the following Block Block the PORT command This is the default None No action Blocked FTP Commands Some seldom used FTP commands may compromise FTP server security and integrity You can specify which FTP comm...

Page 300: ...d FTP command 2 Click Block The FTP command appears in the Blocked Commands box 3 Click Apply When FTP command blocking is enabled the FTP command will be blocked To allow a specific FTP command 1 In the Blocked Commands box select the desired FTP command 2 Click Accept The FTP command appears in the Allowed Commands box 3 Click Apply The FTP command will be allowed regardless of whether FTP comma...

Page 301: ...fy what action to take when an HTTP header based exploit is detected by selecting one of the following Block Block the attack None No action This is the default Track Specify whether to log HTTP header based exploits by selecting one of the following Log Log the attack None Do not log the attack This is the default HTTP header values list Select the HTTP header values to detect Worm Catcher A worm...

Page 302: ...ne No action This is the default Track Specify whether to log HTTP based worm attacks by selecting one of the following Log Log the attack None Do not log the attack This is the default HTTP based worm patterns list Select the worm patterns to detect Microsoft Networks This category includes File and Print Sharing Microsoft operating systems and Samba clients rely on Common Internet File System CI...

Page 303: ...electing one of the following Block Block the attack None No action This is the default Track Specify whether to log CIFS worm attacks by selecting one of the following Log Log the attack None Do not log the attack This is the default CIFS worm patterns list Select the worm patterns to detect Patterns are matched against file names including file paths but excluding the disk share name that the cl...

Page 304: ...occurs by selecting one of the following Block Block the attack This is the default None No action Track Specify whether to log IGMP attacks by selecting one of the following Log Log the attack This is the default None Do not log the attack Enforce IGMP to multicast addresses According to the IGMP specification IGMP packets must be sent to multicast addresses Sending IGMP packets to a unicast or b...

Page 305: ...e can detect peer to peer traffic regardless of the TCP port being used to initiate the session In each node you can configure how peer to peer connections of the selected type should be handled using the following table Table 82 Peer to Peer Fields In this field Do this Action Specify what action to take when a connection is attempted by selecting one of the following Block Block the connection N...

Page 306: ...block the proprietary protocol on all ports Block masquerading over HTTP protocol Specify whether to block using the peer to peer application over HTTP by selecting one of the following Block Block using the application over HTTP This is the default None Do not block using the application over HTTP This field is not relevant for eMule and Winny Instant Messaging Traffic SmartDefense can block inst...

Page 307: ...ether to log instant messenger connections by selecting one of the following Log Log the connection None Do not log the connection This is the default Block proprietary protocol Block proprietary protocols on all ports Specify whether proprietary protocols should be blocked on all ports by selecting one of the following Block Block the proprietary protocol on all ports This in effect prevents all ...

Page 308: ...tDefense setting see SmartDefense Categories on page 274 For information on resetting individual nodes in the SmartDefense tree to their default settings see Using the SmartDefense Tree on page 273 To reset SmartDefense to its defaults 1 Click Security in the main menu and click the SmartDefense tab The SmartDefense page appears 2 Click Reset to Defaults A confirmation message appears 3 Click OK T...

Page 309: ...mal added latency and support for unlimited file sizes and since VStream Antivirus stores only minimal state information per connection it can scan thousands of connections concurrently In order to scan archive files on the fly VStream Antivirus performs real time decompression and scanning of ZIP TAR and GZ archive files with support for nested archive files When VStream Antivirus detects malicio...

Page 310: ...ses In such cases detection of viruses is not guaranteed and depends on the specific encoding used by the protocol If you are subscribed to the VStream Antivirus subscription service VStream Antivirus virus signatures are automatically updated so that security is always up to date and your network is always protected Note VStream Antivirus differs from the Email Antivirus subscription service part...

Page 311: ...intains two databases a daily database and a main database The daily database is updated frequently with the newest virus signatures Periodically the contents of the daily database are moved to the main database leaving the daily database empty This system of incremental updates to the main database allows for quicker updates and saves on network bandwidth You can view information about the VStrea...

Page 312: ...igure VStream Antivirus in the following ways Configuring the VStream Antivirus Policy on page 312 Configuring VStream Antivirus Advanced Settings on page 320 Configuring the VStream Antivirus Policy VStream Antivirus includes a flexible mechanism that allows the user to define exactly which traffic should be scanned by specifying the protocol ports and source and destination IP addresses VStream ...

Page 313: ...d the exception is rule number 1 The IP60 appliance will process rule 1 first passing outgoing SMTP traffic from the specified IP address and only then it will process rule 2 scanning all outgoing SMTP traffic The following rule types exist Table 86 VStream Antivirus Rule Types Rule Description Pass This rule type enables you to specify that VStream Antivirus should not scan traffic matching the r...

Page 314: ... 2 Do one of the following To add a new rule click Add Rule To edit an existing rule click the Edit icon next to the desired rule The VStream Policy Rule Wizard opens with the Step 1 Rule Type dialog box displayed 3 Select the type of rule you want to create 4 Click Next The Step 2 Service dialog box appears ...

Page 315: ...eam Antivirus 315 The example below shows a Scan rule 5 Complete the fields using the relevant information in the following table 6 Click Next The Step 3 Destination Source dialog box appears 7 To configure advanced settings click Show Advanced Settings ...

Page 316: ...in the following table 9 Click Next The Step 4 Done dialog box appears 10 If desired type a description of the rule in the field provided 11 Click Finish The new rule appears in the Antivirus Policy page Table 87 VStream Antivirus Rule Fields In this field Do this Any Service Click this option to specify that the rule should apply to any service ...

Page 317: ...xt box Note If you do not enter a port range the rule will apply to all ports If you enter only one port number the range will include only that port If the connection source is Select the source of the connections you want to allow block To specify an IP address select Specified IP and type the desired IP address in the field provided To specify an IP address range select Specified Range and type...

Page 318: ...data The rule applies to downloaded data that is data flowing from the destination of the connection to the source of the connection Upload data The rule applies to uploaded data that is data flowing from the source of the connection to the destination of the connection If the current time is Select this option to specify that the rule should be applied only during certain hours of the day You mus...

Page 319: ...s Rules Priority To change a VStream Antivirus rule s priority 1 Click Antivirus in the main menu and click the Policy tab The Antivirus Policy page appears 2 Do one of the following Click next to the desired rule to move the rule up in the table Click next to the desired rule to move the rule down in the table The rule s priority changes accordingly Viewing and Deleting VStream Antivirus Rules To...

Page 320: ... To configure VStream Antivirus advanced settings 1 Click Antivirus in the main menu and click the Advanced tab The Advanced Antivirus Settings page appears 2 Complete the fields using the following table 3 Click Apply 4 To restore the default VStream Antivirus settings do the following a Click Default A confirmation message appears b Click OK The VStream Antivirus settings are reset to their defa...

Page 321: ...g potentially unsafe attachments Unsafe file types are DOS Windows executables libraries and drivers Compiled HTML Help files VBScript encoded files Files with CLSID in their name The following file extensions ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk mdb mde msc msi msp mst pcd pif reg scr sct shs shb url vb vbe vbs wsc wsf wsh To view a list of unsafe file types and ...

Page 322: ...t WMA WMV ASF RealMedia file JPEG only the header is scanned and the rest of the file is skipped To view a list of safe file types click Show next to this option Selecting this option reduces the load on the gateway by skipping safe file types This option is selected by default Archive File Handling Maximum Nesting Level Type the maximum number of nested content levels that VStream Antivirus shoul...

Page 323: ...he following Pass file without scanning Scan only the number of levels specified and skip the scanning of more deeply nested archives Furthermore skip scanning highly compressible files and skip scanning archives that cannot be extracted because they are corrupt This is the default Block file Block the file When a password protected file is found in archive VStream Antivirus cannot extract and sca...

Page 324: ...s are automatically updated keeping security up to date with no need for user intervention However you can still check for updates manually if needed To update the VStream Antivirus virus signature database 1 Click Antivirus in the main menu and click the Antivirus tab The VStream Antivirus page appears 2 Click Update Now The VStream Antivirus database is updated with the latest virus signatures ...

Page 325: ...viders use the SMP to provide subscription based security configuration and networking services For example you can connect to an SMP in order to receive such value add services as firewall security updates Web Filtering and Dynamic DNS This chapter explains how to connect your appliance to SMART management or to an SMP Note Although some procedures in this chapter specifically relate to the SMP y...

Page 326: ...pears 2 In the Service Account area click Connect The Nokia IP60 Services Wizard opens with the Service Center dialog box displayed 3 Make sure the Connect to a Service Center check box is selected 4 Do one of the following To connect to the SofaWare Service Center choose usercenter sofaware com ...

Page 327: ...n to you by your system administrator 5 Click Next The Connecting screen appears If the Service Center requires authentication the Service Center Login dialog box appears Enter your gateway ID and registration key in the appropriate fields as given to you by your service provider then click Next The Connecting screen appears The Confirmation dialog box appears with a list of services to which you ...

Page 328: ...reen appears with a success message 7 Click Finish The following things happen If a new firmware is available the IP60 appliance may start downloading it This may take several minutes Once the download is complete the IP60 appliance restarts using the new firmware The Welcome page appears ...

Page 329: ...n Services 329 The services to which you are subscribed are now available on your IP60 appliance and listed as such on the Account page See Viewing Services Information on page 330 for further information The Services submenu includes the services to which you are subscribed ...

Page 330: ...on The status of your subscription to each service Subscribed Not Subscribed Status The status of each service Connected You are connected to the service through the Service Center Connecting Connecting to the Service Center N A The service is not available Information The mode to which each service is set If you are subscribed to Dynamic DNS this field displays your gateway s domain name For furt...

Page 331: ...cription Services 331 To refresh your Service Center connection 1 Click Services in the main menu and click the Account tab The Account page appears 2 In the Service Account area click Refresh The IP60 appliance reconnects to the Service Center Your service settings are refreshed ...

Page 332: ...ot appear Your Service Center s Web site opens 3 Follow the on screen instructions Disconnecting from Your Service Center If desired you can disconnect from your Service Center To disconnect from your Service Center 1 Click Services in the main menu and click the Account tab The Account page appears 2 In the Service Account area click Connect The Nokia IP60 Services Wizard opens with the first Sub...

Page 333: ... 134 Note The Web Filtering service is only available if you are connected to a Service Center and subscribed to this service Note The Web Filtering subscription service differs from Web rules in the following ways The category based Web Filtering service is subscription based and requires a connection to the Service Center while Web rules are included with the IP60 appliance The category based We...

Page 334: ...ed with will remain visible while categories marked with will be blocked and will require the administrator password for viewing Note If the IP60 appliance is remotely managed contact your Service Center administrator to change these settings Note The list of supported categories may vary depending on the Service Center to which the IP60 appliance is connected To allow block a category 1 Click Ser...

Page 335: ...o one of the following To temporarily block all connections to the Internet click This ensures that users will not gain access to undesirable Web sites even when the Service Center is unavailable The button changes to To temporarily allow all connections to the Internet click This ensures continuous access to the Internet The button changes to When the Service Center is available again the gateway...

Page 336: ...dow opens 3 To re enable the service click Resume either in the popup window or on the Web Filtering page The service is re enabled for all internal network computers If you clicked Resume in the Web Filtering page the button changes to Snooze If you clicked Resume in the Web Filtering Off popup window the popup window closes ...

Page 337: ...for viruses in the Nokia IP60 gateway itself Email Antivirus is specific to email scanning incoming POP3 and outgoing SMTP connections only while VStream Antivirus supports additional protocols including incoming SMTP and outgoing POP3 connections You can use either antivirus solution or both in conjunction For information on VStream Antivirus see Using VStream Antivirus on page 309 Email Antispam...

Page 338: ...fine which protocols should be scanned for viruses and spam Email retrieving POP3 If enabled all incoming email in the POP3 protocol will be scanned Email sending SMTP If enabled all outgoing email will be scanned Protocols marked with will be scanned while those marked with will not Note If the IP60 appliance is remotely managed contact your Service Center administrator to change these settings T...

Page 339: ...mporarily block all email traffic click This ensures constant protection from spam and viruses The button changes to To temporarily allow all email traffic click This ensures continuous access to email however it does not protect against viruses and spam so use this option cautiously The button changes to When the Service Center is available again the gateway will enforce the configured Email Filt...

Page 340: ...ring page the button changes to Snooze If you clicked Resume in the Email Filtering Off popup window the popup window closes Automatic and Manual Updates The Software Updates service enables you to check for new security and software updates Note Software Updates are only available if you are connected to a Service Center and subscribed to this service Checking for Software Updates when Locally Ma...

Page 341: ...tic you can still manually check for updates 3 To set the IP60 appliance so that software updates must be checked for manually drag the Automatic Manual lever downwards The IP60 appliance does not check for software updates automatically 4 To manually check for software updates click Update Now The system checks for new updates and installs them Checking for Software Updates when Remotely Managed ...

Page 342: ...Automatic and Manual Updates 342 Nokia IP60 Security Appliance User Guide The Software Updates page appears 2 Click Update Now The system checks for new updates and installs them ...

Page 343: ...g topics Overview 343 Setting Up Your Nokia IP60 Appliance as a VPN Server 347 Adding and Editing VPN Sites Error Bookmark not defined Viewing and Deleting VPN Sites 383 Enabling Disabling a VPN Site 383 Logging on to a Remote Access VPN Site 384 Logging off a Remote Access VPN Site 385 Installing a Certificate 386 Uninstalling a Certificate 392 Viewing VPN Tunnels 392 Viewing IKE Traces for VPN C...

Page 344: ...onnection to the Remote Access VPN Client Defining a Remote Access VPN Client is a hardware alternative to using SecuRemote software All Nokia IP60 models provide VPN functionality The IP60 appliance can act as a Remote Access VPN Client a VPN Server or a Site to Site VPN Gateway A virtual private network VPN must include at least one Remote Access VPN Server or gateway The type of VPN sites you i...

Page 345: ... consists of two or more Site to Site VPN Gateways that can communicate with each other in a bi directional relationship The connected networks function as a single network You can use this type of VPN to mesh office branches into one corporate network Figure 20 Site to Site VPN ...

Page 346: ...ing the procedure Adding and Editing VPN Sites on page Error Bookmark not defined b Enable a Remote Access VPN Server using the procedure Setting Up Your Nokia IP60 Appliance as a VPN Server on page 347 Note You can manually configure each VPN site s internal encryption domain via the CLI For information refer to the Nokia IP60 CLI Reference Guide Remote Access VPNs A Remote Access VPN consists of...

Page 347: ...nsparent and allows you to access company resources the same way whether you are sitting at your desk or anywhere else Security Many of today s attacks are increasingly introduced from inside the network Internal security threats cause outages downtime and lost revenue Wired networks that deal with highly sensitive information especially networks in public places such as classrooms are vulnerable ...

Page 348: ...he VPN Server In contrast the L2TP VPN Client does not support split tunneling meaning that all Internet traffic to and from a VPN Client passes through the VPN Server and is routed to the Internet Enabling the Nokia IP60 VPN Server for users connecting from your internal networks adds a layer of security to such connections For example while you could create a firewall rule allowing a specific us...

Page 349: ...f you configured the SecuRemote Internal VPN Server install SecuRemote SecureClient on the desired internal network computers See Installing SecuRemote on page 353 3 If you configured the L2TP VPN Server do the following a Configure the OfficeMode network See Configuring the OfficeMode Network on page 124 All users connecting via L2TP will be assigned to the OfficeMode network b Configure L2TP VPN...

Page 350: ... SecuRemote Remote Access VPN Server 1 Click VPN in the main menu and click the VPN Server tab The VPN Server page appears 2 Select the Allow SecuRemote users to connect from the Internet check box New check boxes appear 3 To allow authenticated users connecting from the Internet to bypass NAT when connecting to your internal network select the Bypass NAT check box ...

Page 351: ...ng from the Internet to bypass the default firewall policy and access your internal network without restriction select the Bypass default firewall policy check box User defined rules will still apply to the authenticated users 5 Click Apply The SecuRemote Remote Access VPN Server is enabled for the specified connection types ...

Page 352: ...appear 3 To allow authenticated users connecting from internal networks to bypass the default firewall policy and access your internal network without restriction select the Bypass default firewall policy check box User defined rules will still apply to the authenticated users Note Bypass NAT is always enabled for the internal VPN Server and cannot be disabled 4 Click Apply The internal VPN Server...

Page 353: ... defining users with VPN access permissions see Setting Up Remote VPN Access for Users on page 404 4 To allow authenticated users to bypass the default firewall policy and access your internal network without restriction select the Bypass default firewall policy check box User defined rules will still apply to the authenticated users 5 Click Apply The L2TP VPN Server is enabled for the specified c...

Page 354: ... the L2TP VPN Server you must configure the L2TP VPN Client on all computers that should be allowed to remotely access your network via L2TP connections This procedure is relevant for computers with a Windows XP operating system Note The IP60 appliance supports the following authentication methods PAP For both local users and RADIUS users EAP MD5 CHAP For local users but not for RADIUS users To co...

Page 355: ...nnection Type dialog box appears 5 Choose Connect to the network at my workplace 6 Click Next 7 The Network Connection dialog box appears 8 Choose Virtual Private Network connection 9 Click Next The Connection Name dialog box appears 10 In the Company Name field type your company s name 11 Click Next ...

Page 356: ...tial connection 13 Click Next The VPN Server Selection dialog box appears 14 In the field type the IP60 appliance s IP address The Completing the New Connection Wizard screen appears 15 Click Finish 16 In the Network and Dial up Connections window right click on the L2TP connection and click Properties in the popup menu The connection s Properties dialog box opens ...

Page 357: ...tion drop down list select Optional encryption 20 Choose Allow these protocols 21 Select the Unencrypted password PAP check box and clear all other check boxes 22 Click OK 23 In Properties dialog box s Security tab click IPSec Settings The IPSec Settings dialog box opens 24 Select the Use pre shared key for authentication check box 25 In the Key field type the preshared secret you configured on th...

Page 358: ... Your Nokia IP60 Appliance as a VPN Server 358 Nokia IP60 Security Appliance User Guide 27 In Properties dialog box click the Networking tab 28 In the Type of VPN drop down list select L2TP IPSec VPN 29 Click OK ...

Page 359: ...ick VPN in the main menu and click the VPN Sites tab The VPN Sites page appears with a list of VPN sites 2 Do one of the following To add a VPN site click New Site To edit a VPN site click Edit in the desired VPN site s row The Nokia IP60 VPN Site Wizard opens with the Welcome to the VPN Site Wizard dialog box displayed ...

Page 360: ...to Site VPN Gateway 4 Click Next Configuring a Remote Access VPN Site If you selected Remote Access VPN the VPN Gateway Address dialog box appears 1 Enter the IP address of the Remote Access VPN Server to which you want to connect as given to you by the network administrator 2 To allow the VPN site to bypass the default firewall policy and access your internal network without restriction select th...

Page 361: ...ain the VPN network configuration Refer to VPN Network Configuration Fields on page 367 5 Click Next The following things happen in the order below If you chose Specify Configuration a second VPN Network Configuration dialog box appears Complete the fields using the information in VPN Network Configuration Fields on page 367 and click Next ...

Page 362: ...te All Traffic the Backup Gateway dialog box appears In the Backup Gateway IP field type the name of the VPN site to use if the primary VPN site fails and then click Next The Authentication Method dialog box appears 6 Complete the fields using the information in Authentication Methods Fields on page 368 7 Click Next ...

Page 363: ...ion in VPN Login Fields on page 369 2 Click Next If you selected Automatic Login the Connect dialog box appears Do the following 1 To try to connect to the Remote Access VPN Server select the Try to Connect to the VPN Gateway check box This allows you to test the VPN connection Warning If you try to connect to the VPN site before completing the wizard all existing tunnels to this site will be term...

Page 364: ...he Contacting VPN Site screen appears The Site Name dialog box appears 3 Enter a name for the VPN site You may choose any name 4 Click Next The VPN Site Created screen appears 5 Click Finish The VPN Sites page reappears If you added a VPN site the new site appears in the VPN Sites list If you edited a VPN site the modifications are reflected in the VPN Sites list ...

Page 365: ...ct to the VPN Gateway check box This allows you to test the VPN connection Warning If you try to connect to the VPN site before completing the wizard all existing tunnels to this site will be terminated 2 Click Next If you selected Try to Connect to the VPN Gateway the Connecting screen appears and then the Contacting VPN Site screen appears The Site Name dialog box appears 3 Enter a name for the ...

Page 366: ... The VPN Sites page reappears If you added a VPN site the new site appears in the VPN Sites list If you edited a VPN site the modifications are reflected in the VPN Sites list RSA SecurID Authentication Method If you selected RSA SecurID the Site Name dialog box appears 1 Enter a name for the VPN site You may choose any name 2 Click Next ...

Page 367: ...by downloading the network topology definition from the Remote Access VPN Server Note Downloading the network configuration is only possible if you are connecting to a Check Point VPN 1 or Nokia IP60 Site to Site VPN Gateway Specify Configuration Click this option to provide the network configuration manually Route All Traffic Click this option to route all network traffic through the VPN site For...

Page 368: ...ine on page 425 For information on the relevant commands for OSPF refer to the Nokia IP60 CLI Reference Guide This option is only available for when configuring a Site to Site VPN gateway Destination network Type up to three destination network addresses at the VPN site to which you want to connect Subnet mask Select the subnet masks for the destination network addresses Note Obtain the destinatio...

Page 369: ...Manual Login connects only the computer you are currently logged onto to the VPN site and only when the appropriate user name and password have been entered For further information on Automatic and Manual Login see Logging on to a VPN Site on page 384 Automatic Login Click this option to enable the IP60 appliance to log on to the VPN site automatically You must then fill in the Username and Passwo...

Page 370: ...e to Site VPN the VPN Gateway Address dialog box appears 1 Complete the fields using the information in VPN Gateway Address Fields on page 380 2 Click Next The VPN Network Configuration dialog box appears 3 Specify how you want to obtain the VPN network configuration Refer to VPN Network Configuration Fields on page 367 4 Click Next ...

Page 371: ...log box appears Complete the fields using the information in VPN Network Configuration Fields on page 367 and then click Next If you chose Specify Configuration or Route All Traffic the Backup Gateway dialog box appears In the Backup Gateway IP field type the name of the VPN site to use if the primary VPN site fails and then click Next ...

Page 372: ...Based VPN the Route Based VPN dialog box appears Complete the fields using the information in Route Based VPN Fields on page 380 and then click Next The Authentication Method dialog box appears 5 Complete the fields using the information in Authentication Methods Fields on page 380 6 Click Next ...

Page 373: ...cret Authentication Method If you selected Shared Secret the Authentication dialog box appears If you chose Download Configuration the dialog box contains additional fields 1 Complete the fields using the information in VPN Authentication Fields on page 381 and click Next ...

Page 374: ...ity Appliance User Guide The Security Methods dialog box appears 2 To configure advanced security settings click Show Advanced Settings New fields appear 3 Complete the fields using the information in Security Methods Fields on page 381 and click Next ...

Page 375: ... This allows you to test the VPN connection Warning If you try to connect to the VPN site before completing the wizard all existing tunnels to this site will be terminated 5 Click Next If you selected Try to Connect to the VPN Gateway the Connecting screen appears and then the Contacting VPN Site screen appears The Site Name dialog box appears 6 Type a name for the VPN site You may choose any name...

Page 376: ...ve and previously you chose Download Configuration the Keep Alive Configuration dialog box appears Do the following 1 Type up to three IP addresses which the IP60 appliance should ping in order to keep the tunnel to the VPN site alive 2 Click Next The VPN Site Created screen appears 9 Click Finish The VPN Sites page reappears If you added a VPN site the new site appears in the VPN Sites list If yo...

Page 377: ...ificate the following things happen If you chose Download Configuration the Authentication dialog box appears Complete the fields using the information in VPN Authentication Fields on page 381 and click Next The Security Methods dialog box appears 1 To configure advanced security settings click Show Advanced Settings ...

Page 378: ...y to connect to the Remote Access VPN Server select the Try to Connect to the VPN Gateway check box This allows you to test the VPN connection Warning If you try to connect to the VPN site before completing the wizard all existing tunnels to this site will be terminated 4 Click Next If you selected Try to Connect to the VPN Gateway the following things happen The Connecting screen appears The Cont...

Page 379: ...raffic between the IP60 appliance and the VPN site select Keep this site alive 7 Click Next If you selected Keep this site alive and previously you chose Download Configuration the Keep Alive Configuration dialog box appears Do the following 1 Type up to three IP addresses which the IP60 appliance should ping in order to keep the tunnel to the VPN site alive 2 Click Next The VPN Site Created scree...

Page 380: ...y and access your internal network without restriction User defined rules will still apply to the VPN site Table 94 Route Based VPN Fields In this field Do this Tunnel Local IP Type a local IP address for this end of the VPN tunnel Tunnel Remote IP Type the IP address of the remote end of the VPN tunnel OSPF Cost Type the cost of this link for dynamic routing purposes The default value is 10 If OS...

Page 381: ... Secret Type the shared secret to use for secure communications with the VPN site This shared secret is a string used to identify the VPN sites to each other The secret can contain spaces and special characters Table 97 Security Methods Fields In this field Do this Phase 1 Security Methods Select the encryption and integrity algorithm to use for IKE negotiations Automatic The IP60 appliance automa...

Page 382: ...y Specify whether to enable Perfect Forward Secrecy PFS by selecting one of the following Enabled PFS is enabled The Diffie Hellman group field is enabled Disabled PFS is disabled This is the default Enabling PFS will generate a new Diffie Hellman key during IKE Phase 2 and renew the key for each key exchange PFS increases security but lowers performance It is recommended to enable PFS only in sit...

Page 383: ...e You can only connect to VPN sites that are enabled To enable disable a VPN site 1 Click VPN in the main menu and click the VPN Sites tab The VPN Sites page appears with a list of VPN sites 2 To enable a VPN site do the following a Click the icon in the desired VPN site s row A confirmation message appears b Click OK The icon changes to and the VPN site is enabled 3 To disable a VPN site do the f...

Page 384: ...user name and password Note You must use a single user name and password for each VPN destination gateway Logging on through the Nokia IP60 Portal Note You can only log on to sites that are configured for Manual Login To manually log on to a VPN site through the Nokia IP60 Portal 1 Click VPN in the main menu and click the VPN Sites tab The VPN Sites page appears 2 Next to the desired VPN site clic...

Page 385: ...Click Login If the IP60 appliance is configured to automatically download the network configuration the IP60 appliance downloads the network configuration If when adding the VPN site you specified a network configuration the IP60 appliance attempts to create a tunnel to the VPN site The VPN Login Status box appears The Status field tracks the connection s progress Once the IP60 appliance has finis...

Page 386: ...ys in the certificates The certificate also includes a fingerprint a unique text used to identify the certificate You can email your certificate s fingerprint to the remote user Upon connecting to the Nokia IP60 VPN Server for the first time the entity should check that the VPN peer s fingerprint displayed in the SecuRemote SecureClient VPN Client is identical to the fingerprint received The IP60 ...

Page 387: ...rate a self signed certificate 1 Click VPN in the main menu and click the Certificate tab The Certificate page appears 2 Click Install Certificate The Nokia IP60 Certificate Wizard opens with the Certificate Wizard dialog box displayed 3 Click Generate a self signed security certificate for this gateway ...

Page 388: ... appliance generates the certificate This may take a few seconds The Done dialog box appears displaying the certificate s details 6 Click Finish The IP60 appliance installs the certificate If a certificate is already installed it is overwritten The Certificate Wizard closes The Certificates page displays the following information The gateway s certificate The gateway s name The gateway certificate...

Page 389: ...VPNs 389 The CA s certificate The name of the CA that issued the certificate in this case the Nokia IP60 gateway The CA certificate s fingerprint The starting and ending dates between which the gateway s certificate and the CA s certificate are valid ...

Page 390: ...certificate This field is filled in automatically with the gateway s MAC address If desired you can change this to a more descriptive name Valid Until Use the drop down lists to specify the month day and year when this certificate should expire Note You must renew the certificate when it expires Importing a Certificate To install a certificate 1 Click VPN in the main menu and click the Certificate...

Page 391: ...ertificate Passphrase dialog box appears This may take a few moments 6 Type the pass phrase you received from the network security administrator 7 Click Next The Done dialog box appears displaying the certificate s details 8 Click Finish The IP60 appliance installs the certificate If a certificate is already installed it is overwritten The Certificate Wizard closes The Certificates page displays t...

Page 392: ...t to replace a currently installed certificate there is no need to uninstall the certificate first When you install the new certificate the old certificate will be overwritten To uninstall a certificate 1 Click VPN in the main menu and click the Certificate tab The Certificate page appears with the name of the currently installed certificate 2 Click Uninstall A confirmation message appears 3 Click...

Page 393: ... off To view VPN tunnels 1 Click Reports in the main menu and click the Tunnels tab The VPN Tunnels page appears with a table of open VPN tunnels The VPN Tunnels page includes the information described in the following table 2 To refresh the table click Refresh Table 99 VPN Tunnels Page Fields This field Displays Type The currently active security protocol IPSEC Source The IP address or address ra...

Page 394: ...ttings are automatically negotiated between the two sites The encryption and authentication schemes used for the connection are the strongest of those used at the two sites Your IP60 appliance supports AES 3DES and DES encryption schemes and MD5 and SHA authentication schemes Established The time at which the tunnel was established This information is presented in the format hh mm ss where hh hour...

Page 395: ...rts in the main menu and click the Tunnels tab The VPN Tunnels page appears with a table of open tunnels to VPN sites 2 Click Clear IKE Trace All IKE trace data currently stored on the IP60 appliance is cleared To view the IKE trace for a connection 1 Establish a VPN tunnel to the VPN site with which you are experiencing connection problems For information on when and how VPN tunnels are establish...

Page 396: ...ich the IP60 appliance is currently connected To view VPN topology 1 Click Reports in the main menu and click the Tunnels tab The VPN Tunnels page appears with a table of open tunnels to VPN sites 2 Click View Topology The VPN Topology page appears displaying the current topology of the VPN sites to which the appliance is connected ...

Page 397: ...ntials 397 Adding and Editing Users 399 Adding Quick Guest HotSpot Users 402 Viewing and Deleting Users 403 Setting Up Remote VPN Access for Users 404 Using RADIUS Authentication 404 Configuring RADIUS Attributes 408 Changing Your Login Credentials You can change your username and password at any time To change your login credentials 1 Click Users in the main menu and click the Internal Users tab ...

Page 398: ...izard opens displaying the Set User Details dialog box 3 Edit the Username field 4 Edit the Password and Confirm password fields Note Use 5 to 25 characters letters or numbers for the new password 5 Click Next The Set User Permissions dialog box appears 6 Click Finish Your changes are saved ...

Page 399: ... Quick Guest HotSpot Users on page 402 To add or edit a user 1 Click Users in the main menu and click the Internal Users tab The Internal Users page appears 2 Do one of the following To create a new user click New User To edit an existing user click Edit next to the desired user The Account Wizard opens displaying the Set User Details dialog box 3 Complete the fields using the information in Set U...

Page 400: ... 101 Set User Details Fields In this field Do this Username Enter a username for the user Password Enter a password for the user Use five to 25 characters letters or numbers for the new password Confirm Password Re enter the user s password Expires On To specify an expiration time for the user select this option and specify the expiration date and time in the fields provided When the user account ...

Page 401: ...ot modify other system settings For example you could assign this administrator level to clerks who need to manage HotSpot users Read Write The user can log on to the Nokia IP60 Portal and modify system settings The default level is No Access The admin user s Administrator Level Read Write cannot be changed VPN Remote Access Select this option to allow the user to connect to this IP60 appliance us...

Page 402: ...ations where you want to grant temporary network access to guests for example in an Internet café The shortcut also enables printing the guest user s details in one click By default the quick guest user has the following characteristics Username in the format guest number where number is a unique three digit number For example guest123 Randomly generated password Expires in 24 hours Administration...

Page 403: ...ons using the procedure Adding and Editing Users on page 399 Viewing and Deleting Users Note The admin user cannot be deleted To view or delete users 1 Click Users in the main menu and click the Internal Users tab The Internal Users page appears with a list of all users and their permissions The expiration time of expired users appears in red 2 To delete a user do the following a In the desired us...

Page 404: ...r tries to log on to the Nokia IP60 Portal the IP60 appliance sends the entered user name and password to the RADIUS server The server then checks whether the RADIUS database contains a matching user name and password pair If so then the user is logged on By default all RADIUS authenticated users are assigned the set of permissions specified in the Nokia IP60 Portal s RADIUS page However you can c...

Page 405: ...ollowing table 3 Click Apply 4 To restore the default RADIUS settings do the following a Click Default A confirmation message appears b Click OK The RADIUS settings are reset to their defaults For information on the default values refer to the following table 5 If desired configure user permissions and or the HotSpot session timeout on the RADIUS server See Configuring RADIUS Attributes on page 40...

Page 406: ... port number is 1812 Shared Secret Type the shared secret to use for secure communication with the RADIUS server Realm If your organization uses RADIUS realms type the realm to append to RADIUS requests The realm will be appended to the username as follows username realm For example if you set the realm to myrealm and the user JohnS attempts to log on to the Nokia IP60 Portal the IP60 appliance wi...

Page 407: ...odify other system settings For example you could assign this administrator level to clerks who need to manage HotSpot users Read Write The user can log on to the Nokia IP60 Portal and modify system settings The default level is No Access VPN Remote Access Select this option to allow all users authenticated by the RADIUS server to connect to this IP60 appliance using their VPN client For further i...

Page 408: ...ne a timeout for Secure HotSpot sessions Set the Session Timeout Attribute attribute 27 to the number of seconds after which users should be automatically logged off from the hotspot To assign permissions to specific RADIUS authenticated users 1 Create a remote access policy as follows a Assign the policy s VSA attribute 26 the SofaWare vendor code 6983 b For each permission you want to grant conf...

Page 409: ...settings users manager The user can log on to the Nokia IP60 Portal and add edit or delete No Access level users However the user cannot modify other system settings readwrite The user can log on to the Nokia IP60 Portal and modify system settings VPN Indicates whether the user can access the network from a Remote Access VPN Client 2 String true The user can remotely access the network via VPN fal...

Page 410: ...ther the user can override Web Filtering 4 String true The user can override Web Filtering false The user cannot override Web Filtering This permission is only relevant if the Web Filtering service is enabled RemoteDe sktop Indicates whether the user can remotely access computers desktops using the Remote Desktop feature 5 String true The user can log on to the my firewall portal view the Active C...

Page 411: ...u can print and transfer files with ease Remote Desktop sessions use the Microsoft Remote Desktop Protocol RDP on TCP port 3389 This port is opened dynamically between the Remote Desktop client and the Remote Desktop server as needed meaning that the port is not exposed to the Internet and your constant security is ensured Note By default the Microsoft RDP protocol is secured with 128 bit RC4 encr...

Page 412: ...g Users on page 399 4 The authorized users can access remote computers desktops as desired See Accessing a Remote Computer s Desktop on page 417 Configuring Remote Desktop To configure Remote Desktop 1 Click Setup in the main menu and click the Remote Desktop tab The Remote Desktop page appears 2 Do one of the following To enable Remote Desktop select the Allow remote desktop access check box ...

Page 413: ... local hard drives when logged on to the host computer Share local printers Select this option to allow the host computer to access printers on the client computer This enables remote users to access their local printer when logged on to the host computer Share local smartcards Select this option to allow the host computer to access smartcards on the client computer This enables remote users to ac...

Page 414: ...this Advanced Full screen mode Select this option to open Remote Desktop sessions on the whole screen Optimize performance for slow links Select this option to optimize Remote Desktop sessions for slow links Bandwidth consuming options such as wallpaper and menu animations will be disabled ...

Page 415: ...indows XP Tablet PC 2005 To enable users to remotely connect to a computer 1 Log on to the desired computer as an administrator 2 For each remote user who should be allowed to access this computer create a user account with a password For information refer to Microsoft documentation 3 On the desktop right click on My Computer and select Properties in the pop up menu that appears The System Propert...

Page 416: ...ing for each remote user who should be allowed to access this computer a Click Add The Select Users dialog box appears b Type the desired user s username in the text box The Check Names button is enabled c Click Check Names d Click OK The Remote Desktop Users dialog box reappears with the desired user s username 8 Click OK 9 Click OK ...

Page 417: ...ng Internet connection To access a remote computer s desktop 1 Click Reports in the main menu and click the My Computers tab The My Computers page appears 2 Next to the desired computer click Remote Desktop The following things happen If you are prompted to install the Remote Desktop Active X Control then install it The Remote Desktop Connection Security Warning dialog box appears 3 Select the des...

Page 418: ...gured for your user account in Enabling the Remote Desktop Server on page 415 6 Click OK The remote computer s desktop appears onscreen You can use the following keyboard shortcuts during the Remote Desktop session Table 106 Remote Desktop Keyboard Shortcuts This shortcut Does this ALT INSERT Cycles through running programs in the order that they were started ALT HOME Displays the Start menu CTRL ...

Page 419: ... Updating the Firmware 421 Upgrading Your License 423 Configuring Syslog Logging 424 Controlling the Appliance via the Command Line 425 Configuring HTTPS 429 Configuring SSH 431 Configuring SNMP 432 Setting the Time on the Appliance 436 Using Diagnostic Tools 439 Backing Up the Nokia IP60 Appliance Configuration 451 Resetting the Nokia IP60 Appliance to Defaults 453 Running Diagnostics 455 Rebooti...

Page 420: ...and click the Firmware tab The Firmware page appears The Firmware page displays the following information Table 107 Firmware Status Fields This field Displays For example WAN MAC Address The MAC address used for the Internet connection 00 80 11 22 33 44 Firmware Version The current version of the firmware 7 5 Installed Product The licensed software and the number of allowed nodes Nokia IP60 unlimi...

Page 421: ...r reseller for the availability of Software Updates and other services For information on subscribing to services see Connecting to a Service Center on page 325 When connected to SmartCenter you can also update Nokia IP60 firmware using SmartCenter s SmartUpdate component For information refer to the Check Point SmartUpdate documentation If you are not subscribed to the Software Updates service yo...

Page 422: ...ile and click Open The Firmware Update page reappears The path to the firmware update image file appears in the Browse text box 5 Click Upload Your IP60 appliance firmware is updated Updating may take a few minutes Do not power off the appliance At the end of the process the IP60 appliance restarts automatically ...

Page 423: ...can upgrade to Nokia IP6032 without changing your hardware Note You can only upgrade within the same appliance hardware type Note To purchase an upgrade contact your IP60 appliance provider Alternatively you can click Upgrades Services in the Welcome page to view and purchase available upgrades To upgrade your product you must install the new Product Key To install a Product Key 1 Click Setup in t...

Page 424: ...he destination port and the protocol used for the communication attempt for example TCP or UDP This same information is also available in the Event Log page see Viewing the Event Log on page 217 However while the Event Log can display hundreds of logs a Syslog server can store an unlimited number of logs Furthermore Syslog servers can provide useful tools for managing your logs Note Kiwi Syslog Da...

Page 425: ... this Syslog Server Type the IP address of the computer that will run the Syslog service one of your network computers or click This Computer to allow your computer to host the service Clear Click to clear the Syslog Server field Syslog Port Type the port number of the Syslog server Default Click to reset the Syslog Port field to the default port 514 UDP Controlling the Appliance via the Command L...

Page 426: ...nsole connected to the IP60 appliance For information see Using the Serial Console on page 427 Using an SSH client See Configuring SSH on page 431 Using the Nokia IP60 Portal You can control your appliance via the Nokia IP60 Portal s command line interface To control the appliance via the Nokia IP60 Portal 1 Click Setup in the main menu and click the Tools tab The Tools page appears 2 Click Comman...

Page 427: ... use the console to control the appliance via the command line Note Your terminal emulation software and your IP60 appliance s Serial port must be configured for the same speed By default the appliance s Serial port s speed is 57600 bps For information on changing the Serial port s speed refer to the Nokia IP60 CLI Reference Guide To control the appliance via a console 1 Connect the serial console...

Page 428: ...he Assign to drop down list select Console 5 In the Port Speed drop down list select the Serial port s speed in bits per second The Serial port s speed must match that of the attached serial console The default value is 57600 6 Click Apply You can now control the IP60 appliance from the serial console For information on all supported commands refer to the Nokia IP60 CLI Reference Guide ...

Page 429: ... TCP port 443 with the destination This Gateway For information see Using Rules on page 238 To configure HTTPS 1 Click Setup in the main menu and click the Management tab The Management page appears 2 Specify from where HTTPS access to the Nokia IP60 Portal should be granted See Access Options on page 430 for information Warning If remote HTTPS is enabled your IP60 appliance settings can be change...

Page 430: ...ou can now access the Nokia IP60 Portal through the Internet using the procedure Accessing the Nokia IP60 Portal Remotely on page 61 Table 109 Access Options Select this option To allow access from Internal Networks The internal network only This disables remote access capability This is the default Internal Networks VPN The internal network and your VPN Internal Networks IP Range A particular ran...

Page 431: ...contains security vulnerabilities and is not supported Note Configuring SSH is equivalent to creating a simple Allow rule where the destination is This Gateway To create more complex rules for SSH such as allowing SSH connections from multiple IP address ranges define Allow rules for TCP port 22 with the destination This Gateway For information see Using Rules on page 238 To configure SSH 1 Click ...

Page 432: ...access you can now control the IP60 appliance from the Internet using an SSHv2 client For information on all supported commands refer to the Nokia IP60 CLI Reference Guide Configuring SNMP The IP60 appliance users can monitor the IP60 appliance using tools that support SNMP Simple Network Management Protocol You can enable users to do so via the Internet by configuring remote SNMP access The IP60 ...

Page 433: ...gement tab The Management page appears 2 Specify from where SNMP access should be granted See Access Options on page 430 for information If you selected Internal Networks IP Range additional fields appear The Community field and the Advanced link are enabled 3 If you selected Internal Networks IP Range enter the desired IP address range in the fields provided 4 In the Community field type the name...

Page 434: ...e The SNMP Configuration page appears b Complete the fields using the following table If you selected the Send SNMP Traps check box additional fields appear 6 Click Apply The SNMP configuration is saved 7 Configure the SNMP clients with the SNMP community string ...

Page 435: ... SNMP trap is a notification sent from one application to another Send Traps On Startup Shutdown Indicates that SNMP traps will automatically be sent upon startup shutdown events This option is always selected Send Traps On SNMP Authentication Failure Select this option to to send an SNMP trap on each SNMP authentication failure event Send Traps On Link up down Select this option to send an SNMP t...

Page 436: ...l appliance setup If desired you can change the date and time using the procedure below To set the time 1 Click Setup in the main menu and click the Tools tab The Tools page appears 2 Click Set Time The Nokia IP60 Set Time Wizard opens displaying the Set the Nokia IP60 Time dialog box 3 Complete the fields using the information in Set Time Wizard Fields on page 438 4 Click Next ...

Page 437: ...you selected Specify date and time the Specify Date and Time dialog box appears Set the date time and time zone in the fields provided then click Next If you selected Use a Time Server the Time Servers dialog box appears Complete the fields using the information in Time Servers Fields on page 438 then click Next ...

Page 438: ...e right of this option Keep the current setting Do not change the appliance s time The current appliance time is displayed to the right of this option Use a Time Server Synchronize the appliance time with a Network Time Protocol NTP server Specify date and time Set the appliance to a specific date and time Table 112 Time Servers Fields In this field Do this Primary Server Type the IP address of th...

Page 439: ... routers used to connect from the IP60 appliance to a specific IP address or DNS name Using IP Tools on page 439 WHOIS Display the name and contact information of the entity to which a specific IP address or DNS name is registered This information is useful in tracking down hackers Using IP Tools on page 439 Packet Sniffer Capture network traffic This information is useful troubleshooting network ...

Page 440: ...cket to reach the specified host and return round trip in milliseconds If you selected Traceroute the following things happen The IP60 appliance connects to the specified IP address or DNS name The IP Tools window opens and displays a list of routers used to make the connection If you selected WHOIS the following things happen The IP60 appliance queries the Internet WHOIS server A window displays ...

Page 441: ... support Wireshark runs on all popular computing platforms and can be downloaded from http www wireshark com To use Packet Sniffer 1 Click Setup in the main menu and click the Tools tab The Tools page appears 2 Click Sniffer The Packet Sniffer window opens 3 Complete the fields using the information in the following table 4 Click Start The Packet Sniffer window displays the name of the interface t...

Page 442: ...e the filter string to use for filtering the captured packets Only packets that match the filter condition will be saved For a list of basic filter strings elements see Filter String Syntax on page 443 For detailed information on filter syntax go to http www tcpdump org tcpdump_man html Note Do not enclose the filter string in quotation marks If you do not specify a filter string Packet Sniffer wi...

Page 443: ... information on filter syntax refer to http www tcpdump org and PURPOSE The and element is used to concatenate filter string elements The filtered packets must match all concatenated filter string elements SYNTAX element and element and element element element element PARAMETERS element String A filter string element EXAMPLE The following filter string saves packets that both originate from IP add...

Page 444: ...8 10 1 dst 192 168 10 1 dst port PURPOSE The dst port element captures all packets destined for a specific port SYNTAX dst port port Note This element can be prepended by tcp or udp For information see tcp on page 448 and udp on page 450 PARAMETERS port Integer The port to which the packet is sent EXAMPLE The following filter string saves packets that are destined for port 80 dst port 80 ether pro...

Page 445: ...nance 445 PARAMETERS protocol String The protocol type of the packet This can be the following ip ip6 arp rarp atalk aarp dec net sca lat mopdl moprc iso stp ipx or netbeui EXAMPLE The following filter string saves ARP packets ether proto arp ...

Page 446: ...kets that either originated from IP address 192 168 10 1 or are destined for that same IP address host 192 168 10 1 not PURPOSE The not element is used to negate filter string elements SYNTAX not element element PARAMETERS element String A filter string element EXAMPLE The following filter string saves packets that are not destined for port 80 not dst port 80 or PURPOSE The or element is used to a...

Page 447: ... IP address 192 168 10 1 or IP address 192 168 10 10 src 192 168 10 1 or src 192 168 10 10 port PURPOSE The port element captures all packets originating from or destined for a specific port SYNTAX port port Note This element can be prepended by tcp or udp For information see tcp on page 448 and udp on page 450 PARAMETERS port Integer The port from to which the packet is sent ...

Page 448: ...s A host name EXAMPLE The following filter string saves packets that originated from IP address 192 168 10 1 src 192 168 10 1 src port PURPOSE The src port element captures all packets originating from a specific port SYNTAX src port port Note This element can be prepended by tcp or udp For information see tcp on page 448 and udp on page 450 PARAMETERS port Integer The port from which the packet i...

Page 449: ...p element PARAMETERS element String A port related filter string element that should be restricted to saving only TCP packets This can be the following dst port Capture all TCP packets destined for a specific port port Capture all TCP packets originating from or destined for a specific port src port Capture all TCP packets originating from a specific port ...

Page 450: ...an be prepended to port related elements Note When not prepended to other elements the udp element is the equivalent of ip proto udp SYNTAX udp udp element PARAMETERS element String A port related filter string element that should be restricted to saving only UDP packets This can be the following dst port Capture all UDP packets destined for a specific port port Captures all UDP packets originatin...

Page 451: ...LI script If desired you can edit the file For a full explanation of the CLI script format and the supported CLI commands see the Nokia IP60 CLI Reference Guide Exporting the Nokia IP60 Appliance Configuration Exporting the Nokia IP60 Appliance Configuration to Your Computer To export the IP60 appliance configuration to your computer 1 Click Setup in the main menu and click the Tools tab The Tools...

Page 452: ...e IP60 appliance configuration from your computer 1 Click Setup in the main menu and click the Tools tab The Tools page appears 2 Click Import The Import Settings page appears 3 Do one of the following In the Import Settings field type the full path to the configuration file Or Click Browse and browse to the configuration file 4 Click Upload A confirmation message appears 5 Click OK The IP60 appli...

Page 453: ...econfigure your IP60 appliance for Internet connection For information on performing these tasks see Setting Up the Nokia IP60 Appliance on page 55 This operation also resets your appliance to its default Product Key Therefore if you upgraded your license you should save your Product Key before resetting to defaults You can view the installed Product Key by in the Nokia IP60 Licensing Wizard For i...

Page 454: ...the main menu and click the Tools tab The Tools page appears 2 Click Factory Settings A confirmation message appears 3 To revert to the firmware version that shipped with the appliance select the check box 4 Click OK The Please Wait screen appears The IP60 appliance returns to its factory defaults The IP60 appliance is restarted This may take a few minutes The Login page appears ...

Page 455: ...ng might cause permanent damage Running Diagnostics You can view technical information about your IP60 appliance s hardware firmware license network status and Service Center This information is useful for troubleshooting You can export it to an html file and send it to technical support To view diagnostic information 1 Click Setup in the main menu and click the Tools tab The Tools page appears 2 ...

Page 456: ...ot functioning properly rebooting it may solve the problem To reboot the IP60 appliance 1 Click Setup in the main menu and click the Firmware tab The Firmware page appears 2 Click Restart A confirmation message appears 3 Click OK The Please Wait screen appears The IP60 appliance is restarted This may take a few minutes The Login page appears ...

Page 457: ...P60 appliance supports connecting up to four USB based printers to the appliance When using computers with a MAC OS X operating system the IP60 appliance supports connecting one printer The appliance automatically detects printers as they are plugged in and they immediately become available for printing Usually no special configuration is required on the IP60 appliance Note The Nokia IP60 print se...

Page 458: ...e appears 4 Next to USB click Edit The USB Devices page appears If the IP60 appliance detected the printer the printer is listed on the page If the printer is not listed check that you connected the printer correctly then click Refresh to refresh the page 5 Next to the printer click Edit ...

Page 459: ...Click Apply You may want to change the port number if for example the printer you are setting up is intended to replace another printer In this case you should change the replacement printer s port number to the old printer s port number and you can skip the next step 8 Configure each computer from which you want to enable printing to the network printer See Configuring Computers to Use Network Pr...

Page 460: ... 1 If the computer for which you want to enable printing is located on the WAN create an Allow rule for connections from the computer to This Gateway See Adding and Editing Rules on page 241 2 Click Start Control Panel The Control Panel window opens 3 Under Hardware and Sound click Printer The Printers screen appears 4 Click Add a printer ...

Page 461: ...ens displaying the Choose a local or network printer screen 5 Click Add a local printer 6 Click Next The Choose a printer port dialog box appears 7 Click Create a new port 8 In the Type of port drop down list select Standard TCP IP Port 9 Click Next The Type a printer hostname or IP address dialog box appears ...

Page 462: ... 12 In the Port name field type the port name 13 Select the Query the printer and automatically select the driver to use check box 14 Click Next The following things happen If Windows cannot identify your printer the Additional Port Information Required dialog box appears Do the following 1 Click Custom 2 Click Settings The Configure Standard TCP IP Port Monitor dialog box opens 3 In the Protocol ...

Page 463: ...ear in the lists insert the CD that came with your printer in the computer s CD ROM drive and click Have Disk 16 Click Next 17 Complete the remaining dialog boxes in the wizard as desired and click Finish The printer appears in the Printers and Faxes window 18 Right click the printer and click Properties in the popup menu The printer s Properties dialog box opens 19 In the Ports tab in the list bo...

Page 464: ...ctions from the computer to This Gateway See Adding and Editing Rules on page 241 2 Click Start Settings Control Panel The Control Panel window opens 3 Click Printers and Faxes The Printers and Faxes window opens 4 Right click in the window and click Add Printer in the popup menu The Add Printer Wizard opens with the Welcome dialog box displayed 5 Click Next The Local or Network Printer dialog box...

Page 465: ...ppears 8 Click Create a new port 9 In the Type of port drop down list select Standard TCP IP Port 10 Click Next The Add Standard TCP IP Port Wizard opens with the Welcome dialog box displayed 11 Click Next The Add Port dialog box appears 12 In the Printer Name or IP Address field type the IP60 appliance s LAN IP address or my firewall ...

Page 466: ... The Add Standard TCP IP Printer Port Wizard opens with the Additional Port Information Required dialog box displayed 14 Click Custom 15 Click Settings The Configure Standard TCP IP Port Monitor dialog box opens 16 In the Port Number field type the printer s port number as shown in the Printers page 17 In the Protocol area make sure that Raw is selected 18 Click OK The Add Standard TCP IP Printer ...

Page 467: ...ts to select the printer s manufacturer and model If your printer does not appear in the lists insert the CD that came with your printer in the computer s CD ROM drive and click Have Disk 22 Click Next 23 Complete the remaining dialog boxes in the wizard as desired and click Finish The printer appears in the Printers and Faxes window 24 Right click the printer and click Properties in the popup men...

Page 468: ...e This procedure may not apply to earlier MAC OS X versions To configure a computer to use a network printer 1 If the computer for which you want to enable printing is located on the WAN create an Allow rule for connections from the computer to This Gateway See Adding and Editing Rules on page 241 2 Choose Apple System Preferences The System Preferences window appears 3 Click Show All to display a...

Page 469: ...inters The Printer List window appears 6 Click Add New fields appear 7 In the first drop down list select IP Printing 8 In the Printer Type drop down list select Socket HP Jet Direct 9 In the Printer Address field type the IP60 appliance s LAN IP address or my firewall You can find the LAN IP address in the Nokia IP60 Portal under Network My Network ...

Page 470: ...list select the desired model 13 Click Add The new printer appears in the Printer List window 14 In the Printer List window select the newly added printer and click Make Default Viewing Network Printers To view network printers 1 Click Network in the main menu and click the Ports tab The Ports page appears 2 Next to USB click Edit The USB Devices page appears displaying a list of connected printer...

Page 471: ...n Setting Up Network Printers on page 457 However you may sometimes need to change the port number after completing printer setup For example you may want to replace a malfunctioning network printer with another existing network printer without reconfiguring the client computers To do this you must change the replacement printer s port number to the malfunctioning printer s port number as describe...

Page 472: ...g the network printer You may want to do this if the print job has stalled To reset a network printer 1 Click Network in the main menu and click the Ports tab The Ports page appears 2 Next to USB click Edit The USB Devices page appears displaying a list of connected printers 3 Next to the desired printer click Reset Server The network printer s current print job is restarted ...

Page 473: ... connecting it to a different LAN port Using your Web browser go to http my firewall and see whether Connected appears on the Status Bar Make sure that your IP60 appliance network settings are configured as per your ISP directions Check your TCP IP configuration according to Installing and Setting up the Nokia IP60 Appliance on page 39 If Web Filtering or Email Filtering are on try turning them of...

Page 474: ...y firewall or http my vpn Therefore if you are connecting from the wireless LAN try connecting to https my firewall instead Try surfing to 192 168 10 1 instead of to my firewall Note 192 168 10 is the default value and it may vary if you changed it in the My Network page Check your TCP IP configuration according to Installing and Setting up the Nokia IP60 Appliance on page 39 Restart your IP60 app...

Page 475: ...liance What should I do To enable audio video you must configure an IP Telephony H 323 virtual server For instructions see Configuring Servers on page 236 I run a public Web server at home but it cannot be accessed from the Internet What should I do Configure a virtual Web Server For instructions see Configuring Servers on page 236 I cannot connect to the LAN network from the DMZ or primary WLAN n...

Page 476: ...oduct on page 423 Other Problems I have forgotten my password What should I do Reset your IP60 appliance to factory defaults using the Reset button as detailed in Resetting the Nokia IP60 Appliance to Defaults on page 453 Why are the date and time displayed incorrectly You can adjust the time on the Setup page s Tools tab For information see Setting the Time on the Appliance on page 436 I cannot u...

Page 477: ...sign development and supply chain stages Directive of the European Parliament and of the Council of 27 January 2003 on the Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment RoHS 2002 95 EC Directive of the European Parliament and of the Council of 27 January 2003 on Waste Electrical and Electronic Equipment WEEE 2002 96 CE For a copy of the original sign...

Page 478: ... Max Power Consumption 4 5W 6 5W 11 5W including USB devices Environmental Conditions Temperature Storage Transport 5ºC 80ºC 5ºC 80ºC Temperature Operation 0ºC 40ºC 0ºC 40ºC Humidity Storage Operation 10 95 10 90 non condensed 10 95 10 90 non condensed Applicable Standards Safety cULus CB LVD cULus CB LVD Quality ISO9001 ISO 14001 TL9000 ISO9001 ISO 14001 TL9000 EMC CE FCC 15B VCCI CE FCC 15B VCCI...

Page 479: ... TLS EAP TTLS PEAP EAP GTC PEAP EAP MSCHAP V2 CE Declaration of Conformity Nokia IP60 and Nokia IP60 Wireless SofaWare Technologies Ltd 3 Hilazon St Ramat Gan Israel Hereby declares that this equipment is in conformity with the essential requirements specified in Article 3 1 a and 3 1 b of Directive 89 336 EEC EMC Directive Directive 73 23 EEC Low Voltage Directive LVD Directive 99 05 EEC Radio Eq...

Page 480: ... 4 11 ENV50204 EN 61000 4 2 EN 61000 4 3 EN 61000 4 4 EN 61000 4 5 EN 61000 4 6 EN 61000 4 7 EN 61000 4 8 EN 61000 4 9 EN 61000 4 10 EN 61000 4 11 EN 61000 4 12 Safety EN 60950 IEC 60950 EN 60950 IEC 60950 The CE mark is affixed to this product to demonstrate conformance to the R TTE Directive 99 05 EEC Radio Equipment and Telecommunications Terminal Equipment Directive and FCC Part 15 Class B The...

Page 481: ... or modifications to this product not explicitly approved by the manufacturer could void the user s authority to operate the equipment and any assurances of Safety or Performance and could result in violation of Part 15 of the FCC Rules This device complies with Part 15 of the FCC Rules Operation is subject to the following two conditions 1 this device may not cause harmful interference and 2 this...

Page 482: ......

Page 483: ... breaks into someone else s computer system bypasses passwords or licenses in computer programs or in other ways intentionally breaches computer security The end result is that whatever resides on the computer can be viewed and sensitive data can be stolen without anyone knowing about it Sometimes tiny programs are planted on the computer that are designed to watch out for seize and then transmit ...

Page 484: ...P address in the message and sends it to the IP address that is obtained by looking up the domain name in the Uniform Resource Locator you requested or in the e mail address you re sending a note to At the other end the recipient can see the IP address of the Web page requestor or the e mail sender and can respond by sending another message using the IP address it received IP Spoofing A technique ...

Page 485: ...outing Each of these packets is separately numbered and includes the Internet address of the destination The individual packets for a given file may travel different routes through the Internet When they have all arrived they are reassembled into the original file at the receiving end PPPoE PPPoE Point to Point Protocol over Ethernet enables connecting multiple computer users on an Ethernet local ...

Page 486: ...u as a single file TCP IP TCP IP Transmission Control Protocol Internet Protocol is the underlying communication protocol of the Internet U UDP UDP User Datagram Protocol is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol IP UDP is an alternative to the Transmission Control Protocol TCP and...

Page 487: ...ons to 168 adding networks to 165 deleting 172 explained 157 multiple 161 using 157 CA explained 386 483 cable modem connection 74 80 explained 483 certificate explained 386 generating self signed 387 importing 390 installing 386 uninstalling 392 Checksum Verification 289 Cisco IOS DOS 286 command line interface controlling the appliance via 425 DDoS Attack 279 DHCP configuring 113 connection 75 e...

Page 488: ...ies 32 firewall rules adding and editing 241 changing priority 247 deleting 247 enabling disabling 246 types 241 using 238 firmware explained 420 484 updating manually 421 viewing status 420 Flags 294 FTP Bounce 297 gateways backup 173 default 122 144 173 explained 484 ID 330 master 173 Site to Site VPN 343 Header Rejection 301 Hide NAT enabling disabling 112 explained 112 485 high availability co...

Page 489: ...C address 484 Manual Login 384 Max Ping Size 283 MTU explained 89 485 NAT rules about 255 adding and editing 257 types 256 using 255 viewing and deleting 260 NetBIOS explained 485 network changing internal range of 111 configuring 109 configuring a DMZ 122 configuring a virtual access point VAP 209 configuring a VLAN 126 configuring DHCP options 118 configuring high availability 173 configuring th...

Page 490: ...ements 63 initial login 59 logging on 60 remotely accessing 61 using 63 Nokia IP60 product family models 13 Nokia IP60 Wireless front panel 27 network requirements 26 package contents 25 rear panel 26 Nokia IP60 Wireless product family about 13 features 17 models 13 Non TCP Flooding 279 Null Payload 288 OfficeMode about 124 configuring 124 packet 102 144 439 484 485 Packet Sanity 281 Packet Sniffe...

Page 491: ...ssing a remote desktop 417 configuring 412 configuring the host computer 415 using 411 reports active computers 222 active connections 224 event log 217 node limit 222 routing table 229 traffic 219 viewing 217 wireless statistics 226 routers 105 173 439 473 485 RS232 dialup modem setting up 96 rules firewall 238 VStream Antivirus 312 Scan rules explained 313 Secure HotSpot customizing 253 enabling...

Page 492: ...Site to Site VPN gateways 359 explained 343 PPPoE tunnels 359 Small PMTU 291 SMART Management 325 SmartDefense categories 274 configuring 269 using 269 SNMP configuring 432 explained 432 software updates 421 checking for manually 340 explained 340 source routing about 144 Spanning Tree Protocol explained 161 with WDS 190 SSH configuring 431 explained 431 Stateful Inspection 13 34 485 static IP con...

Page 493: ...users adding and editing 399 adding quick guest HotSpot 402 managing 397 setting up remote VPN access for 404 viewing and deleting 403 Vendor Specific Attribute about 404 configuring 312 virtual access points VAPs about 126 189 adding and editing 209 deleting 133 VLAN adding and editing 129 deleting 133 port based 126 130 tag based 126 131 virtual access points 209 VPN explained 343 486 Remote Acc...

Page 494: ... 105 WDS explained 190 links 190 WDS links configuring 212 explained 190 Web Filtering customizing the Access Denied page 266 enabling disabling 333 selecting categories for 334 snoozing 335 temporarily disabling 335 Web rules adding and editing 262 changing priority of 265 customizing the Access Denied page 266 using 261 viewing and deleting 266 Welchia 286 WEP 189 192 WHOIS 439 wireless networks...

Reviews:

No comments

Related manuals for IP60 - Security Appliance

WAGO 852-1417 Operating And Assembly Instructions preview
852-1417
Brand: WAGO Pages: 2
NEC N8141-75F Startup Manual preview
N8141-75F
Brand: NEC Pages: 6
Avid Technology MediaStream ConnectPlus 1000 Installation And Operation Manual preview
MediaStream ConnectPlus 1000
Brand: Avid Technology Pages: 74
NETGEAR RP334 Installation Manual preview
RP334
Brand: NETGEAR Pages: 2
Caimore CM520-86EG User Manual preview
CM520-86EG
Brand: Caimore Pages: 79
RAK RAK3372 Quick Start Manual preview
RAK3372
Brand: RAK Pages: 30
Cypress Semiconductor CY7C1329H Specification Sheet preview
CY7C1329H
Brand: Cypress Semiconductor Pages: 16
3Com 3C589D User Manual preview
3C589D
Brand: 3Com Pages: 50
Maipu MP2900-04-AC Installation Manual preview
MP2900-04-AC
Brand: Maipu Pages: 80
Eaton SONiX Pm10 Technical Manual preview
SONiX Pm10
Brand: Eaton Pages: 14
1&1 Homeserver+ Quick Start Manual preview
Homeserver+
Brand: 1&1 Pages: 32
Sparklan WNFB-265AXI(BT) User Manual preview
WNFB-265AXI(BT)
Brand: Sparklan Pages: 14
XJTAG XJLink2-CFM User Manual preview
XJLink2-CFM
Brand: XJTAG Pages: 9
Xilinx Zynq-7000 Manual preview
Zynq-7000
Brand: Xilinx Pages: 8
Lantech IMR-3003 User Manual preview
IMR-3003
Brand: Lantech Pages: 40
ACTi GNR-310 Quick Installation Manual preview
GNR-310
Brand: ACTi Pages: 12
Delta Electronics LonWorks Communication Module LN-01 Instruction Sheet preview
LonWorks Communication Module LN-01
Brand: Delta Electronics Pages: 1
Razer RZ37-0251 Manual preview
RZ37-0251
Brand: Razer Pages: 17

Brands by name

Popular brands

Load more brands