Home
/
Nortel
/
BSR222
/
Configuration

Nortel BSR222, Configuration, Page: 166 / 451

Share

Page: 166 / 451

Nortel BSR222 Configuration Download Page 166

166

Chapter 10 Firewalls

NN47922-500

•

Restrict use of certain protocols, such as Telnet, to authorized users on the
LAN.

These custom rules work by evaluating the network traffic’s Source IP address,
Destination IP address, IP protocol type, and comparing these to rules set by the
administrator.

Below is a brief technical description of how these connections are tracked.
Connections can either be defined by the upper protocols (for instance, TCP), or
by the Business Secure Router itself (as with the virtual connections created for
UDP and ICMP).

TCP security

The Business Secure Router uses state information embedded in TCP packets.
The first packet of any new connection has its SYN flag set and its ACK flag
cleared; these are initiation packets. All packets that do not have this flag structure
are called subsequent packets, since they represent data that occurs later in the
TCP stream.

If an initiation packet originates on the WAN, someone is trying to make a
connection from the Internet into the LAN. Except in a few special cases, (see

“Upper layer protocols” on page 167

), these packets are dropped and logged.

If an initiation packet originates on the LAN, someone is trying to make a
connection from the LAN to the Internet. Assuming that this is an acceptable part
of the security policy (as is the case with the default policy), the connection is
allowed. A cache entry is added, which includes connection information such as
IP addresses, TCP ports, and sequence numbers.

Note:

The ability to define firewall rules is a very powerful tool. Using

custom rules, it is possible to disable all firewall protection or block all
access to the Internet. Use extreme caution when creating or deleting
firewall rules. Test changes after creating them to make sure they work
correctly.

«
...
164
165
166
167
168
...
»

Summary of Contents for BSR222

Page 1: ...BSR222 Business Secure Router Document Number NN47922 500 Document Version 1 4 Date May 2007 Nortel Business Secure Router 222 Configuration Basics ...

Page 2: ...o be accurate and reliable but are presented without express or implied warranty The information in this document is proprietary to Nortel Trademarks Nortel Nortel Logo the Globemark and This is the way This is Nortel Design mark are trademarks of Nortel Microsoft MS MS DOS Windows and Windows NT are registered trademarks of Microsoft Corporation All other trademarks and registered trademarks are ...

Page 3: ...xpress Routing Code 32 Getting Help through a Nortel distributor or reseller 32 Chapter 1 Getting to know your Nortel Business Secure Router 222 33 Introducing the Nortel Business Secure Router 222 33 Features 33 Physical features 34 4 Port switch 34 Autonegotiating 10 100 Mb s Ethernet LAN 34 Autosensing 10 100 Mb s Ethernet LAN 34 Autonegotiating 10 100 Mb s Ethernet WAN 34 Auxiliary port 35 Tim...

Page 4: ...rect 39 Port Forwarding 39 DHCP Dynamic Host Configuration Protocol 39 Full network management 40 Road Runner support 40 Logging and tracing 40 Upgrade Business Secure Router Firmware 40 Embedded FTP and TFTP Servers 40 Applications for the Nortel Business Secure Router 222 41 Secure broadband internet access and VPN 41 Hardware Setup 42 Chapter 2 Introducing the WebGUI 43 WebGUI overview 43 Acces...

Page 5: ...AN MAC address 60 Basic Setup Complete 65 Chapter 4 User Notes 67 General Notes 67 General 67 Firewall 68 NAT 68 VPN Client Termination 69 Security 70 Routing 70 Advanced Router Configuration 71 Setting up the router when the system has a server 71 Connecting two sites to establish a virtual private network 71 Adding IP telephony to a multi site network 72 Configuring the router to act as a Nortel...

Page 6: ...iew 77 DNS overview 77 Private DNS server 77 Configuring General Setup 78 Dynamic DNS 81 DYNDNS Wildcard 81 Configuring Dynamic DNS 81 Configuring Password 83 Predefined NTP time server list 85 Configuring Time and Date 86 ALG 90 Configuring ALG 90 Chapter 6 LAN screens 93 LAN overview 93 DHCP setup 93 IP pool setup 93 DNS servers 94 LAN TCP IP 94 Factory LAN defaults 94 RIP setup 94 Multicast 95 ...

Page 7: ...irect 119 Configuring Traffic Redirect 120 Configuring Dial Backup 122 Advanced Modem Setup 127 AT Command Strings 127 DTR Signal 127 Response Strings 127 Configuring Advanced Modem Setup 128 Chapter 8 Network Address Translation NAT Screens 131 NAT overview 131 NAT definitions 131 What NAT does 132 How NAT works 133 Port Restricted Cone NAT 133 NAT application 134 NAT mapping types 135 Using NAT ...

Page 8: ...52 Chapter 10 Firewalls 155 Firewall overview 155 Types of firewalls 155 Packet Filtering firewalls 156 Application level firewalls 156 Stateful Inspection firewalls 156 Introduction to the Business Secure Router firewall 157 Denial of Service 158 Basics 158 Types of DoS attacks 159 Stateful inspection 163 Stateful inspection process 164 Stateful inspection and the Business Secure Router 165 TCP s...

Page 9: ... 174 Destination address 174 Connection direction examples 174 LAN to WAN rules 175 WAN to LAN rules 175 Configuring firewall 176 Configuring firewall rules 180 Configuring source and destination addresses 183 Configuring custom ports 184 Example firewall rule 185 Predefined services 188 Alerts 191 Configuring attack alert 192 Threshold values 192 Half open sessions 192 TCP maximum incomplete and ...

Page 10: ...ture 204 IPSec algorithms 205 AH Authentication Header protocol 206 ESP Encapsulating Security Payload protocol 206 Key management 207 Encapsulation 208 Transport mode 208 Tunnel mode 208 IPSec and NAT 209 Secure Gateway Address 210 Dynamic Secure Gateway Address 211 Summary screen 211 Keep Alive 214 Nailed Up 214 NAT Traversal 215 NAT Traversal configuration 216 Preshared key 216 Configuring Cont...

Page 11: ...Client Termination 248 VPN Client Termination IP pool summary 252 VPN Client Termination IP pool edit 254 VPN Client Termination advanced 255 Chapter 14 Certificates 261 Certificates overview 261 Advantages of certificates 262 Self signed certificates 262 Configuration summary 263 My Certificates 263 Certificate file formats 266 Importing a certificate 267 Creating a certificate 269 My Certificate...

Page 12: ...ent 298 Application and subnet based bandwidth management 299 Reserving bandwidth for nonbandwidth class traffic 299 Configuring summary 300 Configuring class setup 301 Bandwidth Manager Class Configuration 303 Bandwidth management statistics 306 Monitor 308 Chapter 16 IEEE 802 1x 309 IEEE 802 1x overview 309 RADIUS 309 Types of RADIUS messages 309 EAP Authentication overview 310 Configuring 802 1...

Page 13: ... 333 Netscape Navigator warning messages 333 Avoiding the browser warning messages 335 Logon screen 336 SSH overview 341 How SSH works 342 SSH implementation on the Business Secure Router 343 Requirements for using SSH 343 Configuring SSH 343 Secure Telnet using SSH examples 345 Example 1 Microsoft Windows 345 Example 2 Linux 346 Secure FTP using SSH example 347 Telnet 348 Configuring TELNET 349 C...

Page 14: ...lling UPnP in Windows XP 364 Using UPnP in Windows XP example 366 Autodiscover Your UPnP enabled Network Device 366 WebGUI easy access 369 Chapter 20 Logs Screens 371 Configuring View Log 371 Configuring Log settings 373 Configuring Reports 376 Viewing Web site hits 378 Viewing Protocol Port 380 Viewing LAN IP address 381 Reports specifications 383 Chapter 21 Call scheduling screens 385 Call sched...

Page 15: ... 404 Problems with the LAN interface 404 Problems with the WAN interface 405 Problems with Internet Access 405 Problems accessing an internet Web site 406 Problems with the password 406 Problems with the WebGUI 407 Problems with Remote Management 407 Allowing Pop up Windows JavaScript and Java Permissions 408 Internet Explorer Pop up Blockers 408 Allowing Pop ups 408 Enabling Pop up Blockers with ...

Page 16: ...2 500 Appendix B Log Descriptions 423 VPN IPSec Logs 432 VPN Responder IPSec Log 433 Log Commands 442 Configuring what you want the Business Secure Router to log 442 Displaying Logs 443 Log Command Example 444 Index 445 ...

Page 17: ...3 Figure 10 Wizard 2 PPTP Encapsulation 55 Figure 11 Wizard2 PPPoE Encapsulation 57 Figure 12 Wizard 3 62 Figure 13 Private DNS server example 78 Figure 14 System general setup 79 Figure 15 DDNS 82 Figure 16 Password 84 Figure 17 Time and Date 87 Figure 18 ALG 90 Figure 19 LAN IP 96 Figure 20 Static DHCP 100 Figure 21 IP Alias 102 Figure 22 WAN Route 106 Figure 23 Ethernet Encapsulation 107 Figure...

Page 18: ...t IP Static Route 152 Figure 46 Business Secure Router firewall application 158 Figure 47 Three way handshake 160 Figure 48 SYN flood 161 Figure 49 Smurf attack 162 Figure 50 Stateful inspection 164 Figure 51 LAN to WAN traffic 175 Figure 52 WAN to LAN traffic 176 Figure 53 Enabling the firewall 178 Figure 54 Creating and editing a firewall rule 181 Figure 55 Adding or editing source and destinati...

Page 19: ...re 78 VPN Global Setting 247 Figure 79 VPN Client Termination 249 Figure 80 VPN Client Termination IP pool summary 253 Figure 81 VPN Client Termination IP pool edit 254 Figure 82 VPN Client Termination advanced 256 Figure 83 Certificate configuration overview 263 Figure 84 My Certificates 264 Figure 85 My Certificate Import 268 Figure 86 My Certificate create 269 Figure 87 My Certificate details 2...

Page 20: ...igure 18 4 Security Certificate 1 Netscape 334 Figure 115 Security Certificate 2 Netscape 335 Figure 116 Logon screen Internet Explorer 337 Figure 117 Login screen Netscape 338 Figure 118 Replace certificate 339 Figure 119 Device specific certificate 340 Figure 120 Common Business Secure Router certificate 341 Figure 121 SSH Communication Example 342 Figure 122 How SSH Works 342 Figure 123 SSH 344...

Page 21: ...ork connections 370 Figure 149 My Network Places Local network 370 Figure 150 View Log 372 Figure 151 Log settings 374 Figure 152 Reports 377 Figure 153 Web site hits report example 379 Figure 154 Protocol Port report example 380 Figure 155 LAN IP address report example 382 Figure 156 Call schedule summary 386 Figure 157 Call schedule edit 387 Figure 158 Applying Schedule Sets to a remote node 390...

Page 22: ...re 176 Security Settings Java Scripting 413 Figure 177 Security Settings Java 414 Figure 178 Java Sun 415 Figure 179 Allow Popups from this site 416 Figure 180 Netscape Search Toolbar 416 Figure 181 Popup Windows 417 Figure 182 Popup Windows 418 Figure 183 Allowed Sites 419 Figure 184 Advanced 420 Figure 185 Scripts Plug ins 421 Figure 186 Example VPN Initiator IPSec Log 433 Figure 187 Example VPN...

Page 23: ...eral setup 79 Table 9 DDNS 82 Table 10 Password 84 Table 11 Default Time Servers 86 Table 12 Time and Date 88 Table 13 ALG 91 Table 14 LAN IP 97 Table 15 Static DHCP 100 Table 16 IP Alias 102 Table 17 WAN Route 106 Table 18 Ethernet Encapsulation 108 Table 19 PPPoE Encapsulation 110 Table 20 PPTP Encapsulation 111 Table 21 RR Service Type 113 Table 22 WAN IP 116 Table 23 Traffic Redirect 121 Table...

Page 24: ...202 Table 46 VPN Screens Overview 203 Table 47 AH and ESP 207 Table 48 VPN and NAT 210 Table 49 Summary 213 Table 50 VPN Contivity Client rule setup 217 Table 51 VPN Contivity Client advanced rule setup 219 Table 52 Local ID type and content fields 220 Table 54 Matching ID type and content configuration example 221 Table 53 Peer ID type and content fields 221 Table 55 Mismatching ID Type and Conte...

Page 25: ...erver add 295 Table 78 Application and Subnet based Bandwidth Management Example 299 Table 79 Bandwidth Manager Summary 300 Table 80 Bandwidth Manager Class Setup 302 Table 81 Bandwidth Manager Edit class 304 Table 82 Services and port numbers 306 Table 83 Bandwidth management statistics 307 Table 84 Bandwidth manager monitor 308 Table 85 802 1X 312 Table 86 Local User database 316 Table 87 Local ...

Page 26: ...ecure Router 403 Table 116 Troubleshooting the LAN LED 404 Table 117 Troubleshooting the LAN Interface 404 Table 118 Troubleshooting the WAN Interface 405 Table 119 Troubleshooting Internet Access 405 Table 120 Troubleshooting Web Site Internet Access 406 Table 121 Troubleshooting the password 406 Table 122 Troubleshooting the WebGUI 407 Table 123 Troubleshooting Remote Management 407 Table 124 Sy...

Page 27: ... 222 Configuration Basics Table 135 RFC 2408 ISAKMP Payload Types 438 Table 136 PKI Logs 438 Table 137 Certificate Path Verification Failure Reason Codes 440 Table 138 IIEEE 802 1X Logs 441 Table 139 Log categories and available settings 442 ...

Page 28: ...28 Tables NN47922 500 ...

Page 29: ...he following text conventions Note This guide explains how to use the WebGUI to configure your Business Secure Router See Nortel Business Secure Router 222 Configuration Advanced NN47922 501 for how to use the System Management Terminal SMT or the command interpreter interface to configure your Business Secure Router Not all features can be configured through all interfaces Enter means type one or...

Page 30: ...d release notes free directly from the Internet Go to www nortel com documentation Find the product for which you need documentation Then locate the specific category and model or version for your hardware or software product Use Adobe Reader to open the manuals and release notes search for the sections you need and print them on most standard printers Go to the Adobe Systems Web site at www adobe...

Page 31: ...oftware documentation and product bulletins search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues sign up for automatic notification of new software and documentation for Nortel equipment open and manage technical support cases Getting Help over the phone from a Nortel Solutions Center If you don t find the information you require on the Nortel Technic...

Page 32: ...RC to quickly route your call to a specialist in your Nortel product or service To locate the ERC for your product or service go to www nortel com erc Getting Help through a Nortel distributor or reseller If you purchased a service contract for your Nortel product from a distributor or authorized reseller contact the technical support staff for that distributor or reseller ...

Page 33: ...ocal Area Network LAN By integrating Network Address Translation NAT firewall and Virtual Private Network VPN capability the Business Secure Router is a complete security solution that protects your Intranet and efficiently manages data traffic on your network The embedded WebGUI assists in easy setup and management of the Business Secure Router via an Internet browser Features This section lists ...

Page 34: ...o either a crossover or straight through Ethernet cable Autonegotiating 10 100 Mb s Ethernet WAN The 10 100 Mb s Ethernet WAN port attaches to the Internet via broadband modem or router and automatically detects if it is on a 10 or a 100 Mb s Ethernet Number of address mapping rules 10 Maximum number of VPN IP Policies 60 Maximum number of VPN Tunnels Client and or Branch Office 10 Maximum number ...

Page 35: ...is built into the rear panel Use this button to restart the Business Secure Router or restore the factory default password to PlsChgMe IP address to 192 168 1 1 subnet mask to 255 255 255 0 and DHCP server enabled with a pool of 126 IP addresses starting at 192 168 1 2 Nonphysical features IPSec VPN capability Establish Virtual Private Network VPN tunnels to connect home or office computers to you...

Page 36: ...eb sessions Use HTTPS for secure WebGUI access to the Business Secure Router IEEE 802 1x for network security The Business Secure Router supports the IEEE 802 1x standard for user authentication With the local user profile in the Business Secure Router you can configure up 32 user profiles without a network authentication server In addition centralized user and accounting management is possible on...

Page 37: ...b proxies The Business Secure Router can block specific URLs by using the keyword feature The administrator can also define time periods and days during which content filtering is enabled Packet filtering The packet filtering mechanism blocks unwanted traffic from entering or leaving your network Universal Plug and Play UPnP Using the standard TCP IP protocol the Business Secure Router and other U...

Page 38: ...or this service with a Dynamic DNS service provider IP Multicast The Business Secure Router can use IP multicast to deliver IP packets to a specific group of hosts IGMP Internet Group Management Protocol is the protocol used to support multicast groups The Business Secure Router supports versions 1 and 2 IP Alias Using IP Alias you can partition a physical network into logical networks over the sa...

Page 39: ...direct forwards WAN traffic to a backup gateway when the Business Secure Router cannot connect to the Internet thus acting as an auxiliary backup when your regular WAN connection fails Port Forwarding Use this feature to forward incoming service requests to a server on your local network You can enter a single port number or a range of port numbers to be forwarded and the local IP address of the d...

Page 40: ...e port or over a Telnet connection Road Runner support In addition to standard cable modem services the Business Secure Router supports Time Warner s Road Runner Service Logging and tracing The Business Secure Router supports the following logging and tracing functions to help with management Built in message logging and packet tracing Unix syslog facility support Upgrade Business Secure Router Fi...

Page 41: ...222 via Ethernet WAN port for broadband Internet access The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic management VPN is an ideal cost effective way to connect branch offices and business partners over the Internet without the need and expense of leased lines between sites The LAN computers can share the VPN tunnels for secure connec...

Page 42: ...NN47922 301 for hardware connection instructions After installing your Nortel Business Secure Router 222 continue with the rest of this guide for configuration instructions Note To keep the Business Secure Router operating at optimal internal temperature keep the bottom sides and rear clear of obstructions and away from the exhaust of other equipment ...

Page 43: ...olution is 1 024 by 768 pixels In order to use the WebGUI you need to allow Web browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See Allowing Pop up Windows JavaScript and Java Permissions on page 408 if you want to make sure these functions are allowed in Internet Ex...

Page 44: ...lt and the password PlsChgMe is the default and click Login Click Reset to clear any information you have entered in the Username and Password fields Figure 2 Login screen 4 A screen asking you to change your password highly recommended appears and is shown in Figure 3 Type a new password and retype it to confirm and click Apply or click Ignore ...

Page 45: ...cure Router 222 Configuration Basics Figure 3 Change password screen 5 Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router s MAC address that is specific to this device Figure 4 Replace certificate screen ...

Page 46: ...d flow control set to none The password is also reset to PlsChgMe Procedure to use the reset button Press the rear panel RESET button for longer than three seconds to return the Business Secure Router to the factory defaults Uploading a configuration file via console port 1 Download the default configuration file from the Nortel FTP site unzip it and save it in a folder 2 Turn off the Business Sec...

Page 47: ...sing HyperTerminal 6 Click Transfer then Send File to display the screen illustrated in Figure 5 Figure 5 Example Xmodem Upload 7 After the firmware uploads successfully enter atgo to restart the router Navigating the Business Secure Router WebGUI Follow the instructions in the MAIN MENU screen or click the help icon located in the top right corner of most screens to view online help Note The help...

Page 48: ...48 Chapter 2 Introducing the WebGUI NN47922 500 Figure 6 MAIN MENU Screen Click the Contact link to display the customer support contact information Figure 7 is a sample of what displays ...

Page 49: ...Chapter 2 Introducing the WebGUI 49 Nortel Business Secure Router 222 Configuration Basics Figure 7 Contact Support ...

Page 50: ...50 Chapter 2 Introducing the WebGUI NN47922 500 ...

Page 51: ... General Setup contains administrative and system related information System Name is for identification purposes However because some ISPs check this name you must enter your Computer Name In Windows 95 98 click Start Settings Control Panel Network Click the Identification tab note the entry for the Computer Name field and enter it as the System Name In Windows 2000 click Start Settings Control Pa...

Page 52: ...HCP from the ISP is used While you must enter the host name System Name on each individual computer the domain name can be assigned from the Business Secure Router via DHCP Click Next to configure the Business Secure Router for Internet access Figure 8 Wizard 1 Wizard setup Screen 2 The Business Secure Router offers three choices of encapsulation They are Ethernet PPTP or PPPoE ...

Page 53: ...Chapter 3 Wizard setup 53 Nortel Business Secure Router 222 Configuration Basics Ethernet Choose Ethernet when the WAN port is used as a regular Ethernet Figure 9 Wizard 2 Ethernet Encapsulation ...

Page 54: ...pe Choose from Standard RR Telstra Telstra authentication method RR Manager Road Runner Manager authentication method or RR Toshiba Road Runner Toshiba authentication method For ISPs such as Telstra that send UDP heartbeat packets to verify that the customer is still online create a WAN to WAN Business Secure Router firewall rule that allows access for port 1026 UDP The following fields are not ap...

Page 55: ...ters for Internet Access Encapsulation Select PPTP from the drop down list User Name Type the username given to you by your ISP Password Type the password associated with the username above Nailed Up Connection Select Nailed Up Connection if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPTP server...

Page 56: ...dows users One of the benefits of PPPoE is the ability to let end users access one of multiple network services a function known as dynamic service selection This means the service provider can easily create and offer new IP services for specific users Operationally PPPoE saves significant effort for both the subscriber and the ISP or carrier as it requires no specific configuration of the broadba...

Page 57: ...uter does that part of the task Furthermore with NAT all the computers on the LAN have Internet access Figure 11 Wizard2 PPPoE Encapsulation Table 4 describes the fields in Figure 11 Table 4 Wizard2 PPPoE Encapsulation Label Description Encapsulation Select PPP over Ethernet from the drop down list Service Name Type the name of your service provider User Name Type the username given to you by your...

Page 58: ... without problems However the Internet Assigned Numbers Authority IANA has reserved three blocks of IP addresses specifically for private networks Nailed Up Connection Select Nailed Up Connection if you do not want the connection to time out Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server The default time is 100 seconds Next Clic...

Page 59: ...hen the connection is established If this is the case Nortel recommends that you select a network number from 192 168 0 0 to 192 168 255 0 and you must enable the Network Address Translation NAT feature of the Business Secure Router The Internet Assigned Number Authority IANA reserved this block of addresses specifically for private use do not use any other number unless you are told otherwise For...

Page 60: ...g ways The ISP tells you the DNS server addresses usually in the form of an information sheet when you sign up If your ISP gives you DNS server addresses enter them in the DNS Server fields in DHCP Setup If the ISP did not give you DNS server information leave the DNS Server fields in DHCP Setup set to 0 0 0 0 for the ISP to dynamically assign the DNS server IP addresses WAN MAC address Every Ethe...

Page 61: ...f duplex mode Your Business Secure Router supports full duplex mode on the LAN side The third wizard screen varies according to the type of encapsulation that you select in the second wizard screen Table 6 Example of network properties for LAN servers with fixed IP addresses Choose an IP address 192 168 1 2 192 168 1 32 192 168 1 65 192 168 1 254 Subnet mask 255 255 255 0 Gateway or default route ...

Page 62: ...scription WAN IP Address Assignment Get automatically from ISP Select this option If your ISP did not assign you a fixed IP address This is the default selection Use fixed IP address Select this option If the ISP assigned a fixed IP address IP Address Enter your WAN IP address in this field if you select Use Fixed IP Address ...

Page 63: ...nortel com is 47 249 48 20 The DNS server is extremely important because without it you must know the IP address of a machine before you can access it Get automatically from ISP Select this option if your ISP does not give you DNS server addresses This option is selected by default Use fixed IP address DNS Server IP Address Select this option If your ISP provides you a DNS server address System DN...

Page 64: ...ay You must also configure a VPN branch office rule since the Business Secure Router uses a VPN tunnel when it relays DNS queries to the private DNS server One of the rule s IP policies must include the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address A Private DNS entry with the IP address set to 0 0 0 0 changes to None...

Page 65: ... Wizard setup 65 Nortel Business Secure Router 222 Configuration Basics Basic Setup Complete Well done You have successfully set up your Business Secure Router to operate on your network and access the Internet ...

Page 66: ...66 Chapter 3 Wizard setup NN47922 500 ...

Page 67: ...he rules can be deleted 2 Response to Invalid User ID or Password When the wrong user ID or password is entered into the router login screen no error message is displayed Instead the login screen is simply displayed again 3 First DHCP Address Reserved for BCM50 The first address of the DHCP Address Pool is reserved for a BCM50 in the subnet and will not be assigned to any other equipment Once assi...

Page 68: ...ss is higher than the first If this type of address range is entered the range is ignored 2 Automatic Firewall Programming Configurations to various areas of the router such as remote management or adding a SUA Server do not automatically add the appropriate rules to the Firewall to enable the traffic to pass through the router These need to be added separately Note Firewall rules do not apply to ...

Page 69: ...or a VPN Client user cannot contain the single or double quote characters 4 IP Pool Address Overlap When defining multiple VPN Client Termination IP pools the router uses the IP Subnet mask and not the pool size to determine if the pools are overlapping The subnet mask of each pool should be appropriate for the size of the VPN Client Termination IP pool 5 VPN Client Termination Failure In Specific...

Page 70: ...n must be Triple DES with SHA1 integrity or Triple DES with MD5 integrity IKE Encryption must be Triple DES with Diffie Hellman Group 2 Perfect Forward Secrecy PFS must be enabled Security 1 Exporting or Saving Self Signed Certificate To export or save a self signed certificate click details the icon that looks like a paper note then click Export or copy the PEM text into the clipboard and paste i...

Page 71: ...r 2 For both SUA Only and Full Feature NAT configurations do the following a In SUA NAT SUA Server add server private IP address and port number s to the SUA NAT Server table b In FIREWALL add a WAN to LAN rule c If the service is not in the list of available services add it as a Custom Port d Add the rule selecting the service and entering the server IP address as the destination IP address Conne...

Page 72: ...the other site Adding IP telephony to a multi site network Scenario 1 A BCM50 in the primary site acting as the gateway for both sites 1 Ensure that the DHCP Server in the BCM50 is disabled that the BCM50 is connected to the router and both have booted 2 Add the IP phones to the primary site as per BCM50 installation guide 3 Create a tunnel to the remote site as described above 4 In the remote sit...

Page 73: ...0 User Guide Configuring the router to act as a Nortel VPN Server Client Termination 1 Under VPN Client Termination a Enable Client Termination b Select authentication type and the encryption algorithms supported c If the clients are assigned IP addresses from a pool define the pool and enable it 2 Assuming a Local User Database is used for authentication a Add user name and password to the local ...

Page 74: ...te computer IP addresses to the BCM50 IP address for service type HTTPS TCP 443 One rule allowing access from allowed remote computer IP addresses to the BCM50 IP address for custom port TCP 5989 Setting up the router for guest access The recommended approach to provide guest access is by creating an IP Alias and using static addressing for the corporate equipment to make it a member of the define...

Page 75: ...rve sufficient bandwidth based on the number of telephones for Protocol ID 17 UDP Traffic The amount of bandwidth should be based on a reasonable peak number of simultaneous calls and the data rate needed by the IP telephony CODECs Setting Up a Remote Office with a UNIStim IP Telephone For a remote office with a PC and a UNIStim IP telephone behind a Business Secure Router Client Emulation is the ...

Page 76: ...e IP set with the corporate call server address 4 On the PC install Contivity Client Software and configure it with the PC user account information Inter Operability With Third Party Routers VPN Connections With Cisco Routers When establishing a VPN Client tunnel or Branch Office Tunnel between the Business Secure Router and a Cisco router the following configuration rules should be followed 1 Ens...

Page 77: ...domain names for Business Secure Router system features like VPN DDNS and the time server Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN Use the Remote Management DNS screen to configure the Business Secure Router to accept or discard DNS queries Private DNS server In cases where you want to use domain names...

Page 78: ... access computers that use private domain names on the HQ network the Business Secure Router at branch office 1 uses the Intranet DNS server in headquarters Figure 13 Private DNS server example Configuring General Setup Click SYSTEM to open the General screen Note If you do not specify an Intranet DNS server on the remote network then the VPN host must use IP addresses to access the computers on t...

Page 79: ...t here If you leave this field blank the ISP assigns a domain name via DHCP The domain name entered by you is given priority over the ISP assigned domain name Administrator Inactivity Timer Type how many minutes a management session either via the WebGUI or SMT can be left idle before the session times out The default is 5 minutes After it times out you have to log in with your password again Very...

Page 80: ...dress can be public or a private address on your local LAN Enter the DNS server s IP address in the field to the right A User Defined entry with the IP address set to 0 0 0 0 changes to None after you click Apply A duplicate User Defined entry changes to None after you click Apply Select None if you do not want to configure DNS servers If you do not configure a system DNS server you must use IP ad...

Page 81: ...ven if they don t know your IP address First of all you must register a dynamic DNS account with for example www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that still wants a domain name The Dynamic DNS service provider gives you a password or key DYNDNS Wildcard Enabling the wildcard feature for your host causes yourhost dyndns org to be aliased to the same IP a...

Page 82: ...ynamic DNS Service Provider Select the name of your Dynamic DNS service provider DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider Host Names 1 3 Enter the host names in the three fields provided You can specify up to two host names in each field separated by a comma User Enter your username up to 31 characters ...

Page 83: ... line IP Address Update Policy DDNS Server Auto Detect IP Address Select this option only when there are one or more NAT routers between the Business Secure Router and the DDNS server This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address Note The DDNS server not be able to detect the proper IP address if there is an HTTP proxy s...

Page 84: ... can access and configure all of the Business Secure Router s features Old Password Type your existing system administrator password PlsChgMe is the default password New Password Type your new system password up to 31 characters Note that as you type a password the screen displays a for each character you type Retype to Confirm Retype your new system password for confirmation ...

Page 85: ...igure the WAN ISP and IP screens Configure the VPN Contivity Client settings except the Advanced screen s exclusive use mode for client tunnel and MAC address allowed settings View the SA monitor Configure the VPN Global Setting screen View logs View the Maintenance Status screen Use the Maintenance F W Upload and Restart screens User Name Type a username for the client user up to 31 characters Ne...

Page 86: ... or all the predefined NTP time servers have been tried Configuring Time and Date To change your Business Secure Router s time and date click SYSTEM and then Time and Date The screen in Figure 17 appears Use this screen to configure the Business Secure Router s time based on your local time zone Table 11 Default Time Servers a ntp alphazed net ntp1 cs wisc edu ntp1 gbg netnod se ntp2 cs wisc edu t...

Page 87: ...Chapter 5 System screens 87 Nortel Business Secure Router 222 Configuration Basics Figure 17 Time and Date ...

Page 88: ...s the last updated date from the time server or the last date configured manually After you set Time and Date Setup to Manual enter the new date in this field and then click Apply Get from Time Server Select this radio button to have the Business Secure Router get the time and date from the time server that you specified Time Protocol Select the time service protocol that your time server sends wh...

Page 89: ... Daylight Saving Time at the same moment 1 a m GMT or UTC So in the European Union select Last Sunday March The time you type in the o clock field depends on your time zone In Germany for instance type 2 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you select Enable Daylight Saving The o clock field uses the...

Page 90: ...o configure NAT and firewall rules depending upon the type of access you want to allow Configuring ALG To change the ALG settings of your Business Secure Router click SYSTEM and then ALG The screen appears as shown in Figure 18 Figure 18 ALG Note You must enable the FTP H 323 or SIP ALG in order to use bandwidth management on that application ...

Page 91: ...ending of voice signals over the Internet Protocol The H 323 ALG does not support H 323 Gatekeeper Enable SIP ALG Select this check box to allow SIP Session Initiation Protocol applications to go through the Business Secure Router The Session Initiation Protocol SIP is an application layer control signaling protocol that handles the setting up altering and tearing down of voice and multimedia sess...

Page 92: ...92 Chapter 5 System screens NN47922 500 ...

Page 93: ...P Dynamic Host Configuration Protocol RFC 2131 and RFC 2132 individual clients can obtain TCP IP configuration at start up from a server You can configure the Business Secure Router as a DHCP server or disable it When configured as a server the Business Secure Router provides the TCP IP configuration for the clients If DHCP service is disabled you must have another DHCP server on your LAN or else ...

Page 94: ...es you explicit DNS server addresses read the embedded WebGUI help regarding which fields need to be configured RIP setup RIP Routing Information Protocol RFC 1058 and RFC 1389 allows a router to exchange routing information with other routers RIP Direction controls the sending and receiving of RIP packets When set to Both or Out Only the Business Secure Router broadcasts its routing table periodi...

Page 95: ...s an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use If you want to read more detailed information about interoperability between IGMP version 2 and version 1 see sections 4 and 5 of Internet Group Management Protocol RFC 2236 The class D IP address is used to identify host groups and can be in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is not assigned...

Page 96: ...96 Chapter 6 LAN screens NN47922 500 Configuring IP Click LAN to open the IP screen Figure 19 LAN IP ...

Page 97: ... Address field Select None to stop the Business Secure Router from acting as a DHCP server When you select None you must have another DHCP server on your LAN or else the computers must be manually configured IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP address pool The default is 192 168 1 2 Pool Size This field specifies the size or count of the IP...

Page 98: ...he three servers Select None if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it LAN TCP IP IP Address Type the IP address of your Business Secure Router in dotted decimal notation 192 168 1 1 factory default IP Subnet Mask The subnet mask specifies the network number portion of an IP address Your Business...

Page 99: ...Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use If you want to read more detailed information about interoperability between IGMP version 2 and version 1 see sections 4 and 5 of Internet Group Management P...

Page 100: ...igned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 To change your Business Secure Router s Static DHCP settings click LAN then the Static DHCP tab The screen appears as shown in Figure 20 Figure 20 Static DHCP Table 15 describes the fields in Figure 20 Table 15 Static DHCP Label Description This is the index number of the Static IP table entry ro...

Page 101: ...ace with the Business Secure Router itself as the gateway for each LAN network To change the IP Alias settings of your Business Secure Router click LAN then the IP Alias tab The screen appears as shown in Figure 21 IP Address This field specifies the size or count of the IP address pool Apply Click Apply to save your changes to the Business Secure Router Reset Click Reset to begin configuring this...

Page 102: ... configure another LAN network for the Business Secure Router IP Address Enter the IP address of your Business Secure Router in dotted decimal notation IP Subnet Mask Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the Business Secure Router ...

Page 103: ...of the RIP packets that the Business Secure Router sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicas...

Page 104: ...104 Chapter 6 LAN screens NN47922 500 ...

Page 105: ...number greater than 15 means the link is down The smaller the number the lower the cost 1 The metric sets the priority for the routes of the Business Secure Router to the Internet Each route must have a unique metric 2 The priority of the WAN port route must always be higher than the dial backup and traffic redirect route priorities If the WAN port route has a metric of 1 and the traffic redirect ...

Page 106: ...tion is 1 as your broadband connection via the WAN port must always be your preferred method of accessing the WAN The default priority of the routes is WAN Traffic Redirect and then Dial Backup dial backup does not apply to all Business Secure Router models You have two choices for an auxiliary connection in the event that your regular WAN connection goes down If Dial Backup is preferred to Traffi...

Page 107: ...ings click WAN then the WAN ISP tab The screen differs by the encapsulation Ethernet Encapsulation The screen shown in Figure 23 is for Ethernet encapsulation Figure 23 Ethernet Encapsulation Apply Click Apply to save your changes to the Business Secure Router Reset Click Reset to begin configuring this screen afresh Table 17 WAN Route Label Description ...

Page 108: ...PPoE is the ability to let you access one of multiple network services a function known as dynamic service selection This makes it easy for the service provider to create and offer new IP services for individuals Table 18 Ethernet Encapsulation Label Description Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet Service Type Choose from Standard Telst...

Page 109: ...the broadband modem at the customer site By implementing PPPoE directly on the Business Secure Router rather than individual computers the computers on the LAN do not need PPPoE software installed since the Business Secure Router does that part of the task Furthermore with NAT all of the computers on the LAN have access The screen shown in Figure 24 is for PPPoE encapsulation Figure 24 PPPoE Encap...

Page 110: ...connection Operationally PPPoE saves significant effort for both the end user and ISP or carrier as it requires no specific configuration of the broadband modem at the customer site By implementing PPPoE directly on the router rather than individual computers the computers on the LAN do not need PPPoE software installed since the router does that part of the task Further with NAT all of the comput...

Page 111: ...m a remote client to a private server possible by creating a Virtual Private Network VPN using TCP IP based networks PPTP supports on demand multiprotocol and virtual private networking over public networks such as the Internet The Business Secure Router supports only one PPTP server connection at any given time To configure a PPTP client you must configure the User Name and Password fields for a ...

Page 112: ...P Configuration My IP Address Type the static IP address assigned to you by your ISP My IP Subnet Mask Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the Business Secure Router Server IP Address Type the IP address of the PPTP server Connection ID Name Type your iden...

Page 113: ...ager Road Runner Manager authentication method or RR Telstra Choose a Road Runner service type if your ISP is Time Warner s Road Runner otherwise choose Standard User Name Enter the username given to you by your ISP Password Enter the password associated with the username Login Server IP Address The Business Secure Router finds the Road Runner Server IP address if this field is left blank If it do...

Page 114: ...ness Secure Router click WAN then the WAN IP tab This screen varies according to the type of encapsulation you select If your ISP did not assign you a fixed IP address click Get automatically from ISP Default otherwise click Use fixed IP Address and enter the IP address in the field My WAN IP Address ...

Page 115: ...Chapter 7 WAN screens 115 Nortel Business Secure Router 222 Configuration Basics Figure 27 WAN IP ...

Page 116: ...UA Only if you have a single public IP address SUA Single User Account is a subset of NAT that supports two types of mapping Many to One and Server Choose Full Feature if you have multiple public IP addresses Full Feature mapping types include One to One Many to One SUA PAT Many to Many Overload Many One to One and Server After you select Full Feature you must configure at least one address mappin...

Page 117: ...hile RIP 2M uses multicasting Multicasting can reduce the load on nonrouter machines since they generally do not listen to the RIP multicast address and so do not receive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting also By default the RIP Version field is set to RIP 1 Multicast Choose None default IGMP V1 or IGMP V2 IGMP Internet G...

Page 118: ... to block WAN to LAN traffic you must also enable the default WAN to LAN firewall rule that forwards NetBIOS traffic Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN This field does the same as the Allow between LAN and WAN field in the LAN IP screen Enabling one automatically enables the other Allow Trigger Dial Select this option to allo...

Page 119: ...irect forwards WAN traffic to a backup gateway when the Business Secure Router cannot connect to the Internet through its normal gateway Connect the backup gateway on the WAN so that the Business Secure Router still provides firewall protection This feature is not available on all models Figure 29 Traffic Redirect WAN Setup The network topology illustrated in Figure 30 avoids triangle route securi...

Page 120: ...0 Figure 30 Traffic Redirect LAN Setup Configuring Traffic Redirect To change your Business Secure Router s Traffic Redirect settings click WAN then the Traffic Redirect tab The screen appears as shown in Figure 31 Business Secure Router ...

Page 121: ...tation The Business Secure Router automatically forwards traffic to this IP address if the Business Secure Router s Internet connection terminates Metric This field sets this route s priority among the routes the Business Secure Router uses The metric represents the cost of transmission A router determines the best route for transmission by choosing a path with the lowest cost RIP routing uses hop...

Page 122: ...mes Business Secure Router will attempt to connect to the Internet before traffic is forwarded to the backup gateway Period sec Type the number of seconds for the Business Secure Router to wait between checks to see if it can connect to the WAN IP address Check WAN IP Address field or default gateway Allow more time if your destination IP address handles lots of traffic Timeout sec Type the number...

Page 123: ...Chapter 7 WAN screens 123 Nortel Business Secure Router 222 Configuration Basics Figure 32 Dial Backup Setup ...

Page 124: ... before the phone number for local calls Include a symbol at the beginning of the phone numbers as required Dial Backup Port Speed Use the drop down list to select the speed of the connection between the Dial Backup port and the external device Available speeds are 9 600 19 200 38 400 57 600 115 200 or 230 400 b s AT Command Initial String Type the AT command string to initialize the WAN device Co...

Page 125: ...ol address used within one network to a different IP address known within another network SUA Single User Account is a subset of NAT that supports two types of mapping Many to One and Server When you select this option the Business Secure Router uses Address Mapping Set 255 Clear this option to disable NAT Enable RIP Select this check box to turn on RIP Routing Information Protocol which allows a ...

Page 126: ...s On Select this check box to have the dial backup connection on all of the time Configure Budget Select this check box to have the dial backup connection on during the time that you select Allocated Budget Type the amount of time in minutes that the dial backup connection can be used during the time configured in the Period field Set an amount that is less than the time period configured in the P...

Page 127: ...vices default to hanging up the current call when the DTR Data Terminal Ready signal is dropped by the DTE If the Drop DTR When Hang Up check box is selected the Business Secure Router uses this hardware signal to force the WAN device to hang up in addition to issuing the drop command ATH Response Strings The response strings tell the Business Secure Router the tags or labels immediately preceding...

Page 128: ...anced Modem Setup Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown in Figure 33 Figure 33 Advanced Setup Note Consult the manual of your WAN device connected to your dial backup port for specific AT commands Note ...

Page 129: ...t comes from the WAN device CLID is required for CLID authentication NMBR Called ID Type the keyword preceding the dialed number Speed Type the keyword preceding the connection speed CONNECT Call Control Dial Timeout sec Type a number of seconds for the Business Secure Router to try to set up an outgoing call before timing out stopping 60 Retry Count Type a number of times for the Business Secure ...

Page 130: ...apter 7 WAN screens NN47922 500 Apply Click Apply to save your changes to the Business Secure Router Reset Click Reset to begin configuring this screen afresh Table 25 Advanced Setup Label Description Example ...

Page 131: ...o a different IP address known within another network NAT definitions Inside outside denotes where a host is located relative to the Business Secure Router For example the computers of your subscribers are the inside hosts while the Web servers on the Internet are the outside hosts Global local denotes the IP address of a host in a packet as the packet traverses a router For example the local addr...

Page 132: ...is never changed The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP In addition you can designate servers for example a web server and a Telnet server on your local network and make them accessible to the outside world You can make designated servers on the LAN accessible to the outside world If you do not define any servers for Many to One and Man...

Page 133: ...laces the original IP source address and TCP or UDP source port numbers for Many to One and Many to Many Overload NAT mapping in each packet and then forwards it to the Internet The Business Secure Router keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored as illustrated in Figure 34 Figure 34 How NAT works Port Restricted Cone N...

Page 134: ... cannot send packets with source IP address e f g h and port 10101 to A because A has not sent a packet to IP address e f g h and port 10101 Figure 35 Port Restricted Cone NAT NAT application Figure 36 illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the Business Secure Router can communicate with three distinct WAN networks More examples follow at ...

Page 135: ...l IP address This is equivalent to SUA for example PAT port address translation the Single User Account feature the SUA Only option Many to Many Overload In Many to Many Overload mode the Business Secure Router maps the multiple local IP addresses to shared global IP addresses Many One to One In Many One to One mode the Business Secure Router maps each local IP address to a unique global IP addres...

Page 136: ... of clients or servers using mapping types Select either SUA Only or Full Feature in WAN IP Table 27 NAT mapping type Type IP Mapping SMT Abbreviations One to One ILA1Å Æ IGA1 1 1 Many to One SUA PAT ILA1Å Æ IGA1 ILA2Å Æ IGA1 M 1 Many to Many Overload ILA1Å Æ IGA1 ILA2Å Æ IGA2 ILA3Å Æ IGA1 ILA4Å Æ IGA2 M M Ov Many One to One ILA1Å Æ IGA1 ILA2Å Æ IGA2 ILA3Å Æ IGA3 M 1 1 Server Server 1 IPÅ Æ IGA1 S...

Page 137: ...than one service for example both FTP and web service it is better to specify a range of port numbers You can allocate a server IP address that corresponds to a port or a range of ports With many residential broadband ISP accounts you cannot run any server processes such as a Web or FTP server from your location Your ISP periodically checks for servers and can suspend your account if it discovers ...

Page 138: ...mple For example you want to assign ports 22 25 to one server port 80 to another and assign a default server IP address of 192 168 1 35 as shown in Figure 37 Table 28 Services and port numbers Services Port Number ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer Protocol 25 DNS Domain Name System 53 Finger 79 HTTP Hyper Text Transfer protocol or WWW Web 80 POP3 Post Office Protocol 1...

Page 139: ...figuring SUA Server Click SUA NAT to open the SUA Server screen Refer to Chapter 10 Firewalls on page 155 and Chapter 11 Firewall screens on page 171 for port numbers commonly used for particular services Note If you do not assign a Default Server IP Address then all packets received for ports not specified in this screen are discarded Business Secure Router ...

Page 140: ...el Description Default Server In addition to the servers for specified services NAT supports a default server A default server receives packets from ports that are not specified in this screen If you do not assign a default server IP address then all packets received for ports not specified in this screen are discarded Number of an individual SUA server entry ...

Page 141: ...elete rule 4 rules 5 to 7 are pushed up by 1 rule so old rules 5 6 and 7 become new rules 4 5 and 6 To change your Business Secure Router s Address Mapping settings click SUA NAT then the Address Mapping tab The screen appears as shown in Figure 39 Active Select this check box to enable the SUA server entry Clear this check box to disallow forwarding of these ports to an inside server without havi...

Page 142: ...is is the end Inside Local Address ILA If the rule is for all local IP addresses then this field displays 0 0 0 0 and 255 255 255 255 as the Local End IP address This field is N A for One to One and Server mapping types Global Start IP This refers to the Inside Global IP Address IGA 0 0 0 0 is for a dynamic IP address from your ISP with Many to One and Server mapping types Global End IP This is th...

Page 143: ...one global IP address This is equivalent to SUA that is PAT port address translation the Single User Account feature 3 Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses 4 Many One to One mode maps each local IP address to unique global IP addresses 5 Server permits you to specify inside servers of different services behind the NAT to be accessible to the out...

Page 144: ...ny to Many Overload mode maps multiple local IP addresses to shared global IP addresses 4 Many One to One Many One to one mode maps each local IP address to unique global IP addresses 5 Server With this type you can specify inside servers of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting Inside Local IP Address ILA Local IP addresses are...

Page 145: ...e Router records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol a trigger port When the WAN port on the Business Secure Router receives a response with a specific port number and protocol incoming port the Business Secure Router forwards the traffic to the LAN IP address of the computer that sent the request After that c...

Page 146: ...etween 6970 7170 4 The Business Secure Router forwards the traffic to Jane s computer IP address 5 Only Jane can connect to the Real Audio server until the connection is closed or times out The Business Secure Router times out in three minutes with UDP User Datagram Protocol or two hours with TCP IP Transfer Control Protocol Internet Protocol Two points to remember about Trigger Ports Trigger even...

Page 147: ... Configuration Basics Configuring Trigger Port Forwarding To change trigger port settings of your Business Secure Router click SUA NAT and the Trigger Port tab The screen appears as shown in Figure 42 Figure 42 Trigger Port Note Only one LAN computer can use a trigger port range at a time ...

Page 148: ...the client computer on the LAN that requested the service Start Port Type a port number or the starting port number in a range of port numbers End Port Type a port number or the ending port number in a range of port numbers Trigger The trigger port is a port or a range of ports that causes or triggers the Business Secure Router to record the IP address of the LAN computer that sent the traffic to ...

Page 149: ...connected and the Business Secure Router has no knowledge of the networks beyond For instance the Business Secure Router knows about network N2 in Figure 43 through remote node Router 1 However the Business Secure Router is unable to route a packet to network N3 because it does not know that there is a route through the same remote node Router 1 via gateway Router 2 The static routes are for you t...

Page 150: ...43 Example of Static Routing topology Configuring IP Static Route Click STATIC ROUTE to open the Route Entry screen Note The first static route entry is for the default WAN route You cannot modify or delete this static default route Business Secure Router ...

Page 151: ...field shows whether this static route is active Yes or not No Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is the IP address of the gateway The gateway is a router or switch on the same network segment as the Business Secure Router s LAN or WAN port The gateway helps forward packets to their destinations...

Page 152: ...ive This field allows you to activate or deactivate this static route Destination IP Address This parameter specifies the IP network address of the final destination Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter th...

Page 153: ...recise but it must be between 1 and 15 In practice 2 or 3 is usually a good number Private This parameter determines if the Business Secure Router includes this route to a remote node in its RIP broadcasts Select this check box to keep this route private and not included in RIP broadcasts Clear this check box to propagate this route to other hosts through RIP broadcasts Apply Click Apply to save y...

Page 154: ...154 Chapter 9 Static Route screens NN47922 500 ...

Page 155: ...mechanism used to protect a trusted network from an untrusted network Of course firewalls cannot solve every security problem A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy It must never be the only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires in...

Page 156: ...uthenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging Filtering rules at the packet filtering router can be less complex than if the router needed to filter application traffic and direct it to a number of specific systems The router need only allow application traffic destined for the applica...

Page 157: ... Secure Router also has packet filtering capabilities The Business Secure Router is installed between the LAN and a broadband modem connecting to the Internet so that it can allow it to act as a secure gateway for all data passing between the Internet and the LAN The Business Secure Router has one Ethernet WAN port and four Ethernet LAN port which are used to physically separate the network into t...

Page 158: ...to network resources The Business Secure Router is preconfigured to automatically detect and thwart currently known DoS attacks Basics Computers share information over the Internet using a common language called TCP IP TCP IP in turn is a set of application protocols that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP ...

Page 159: ...oofing 1 Ping of Death and Teardrop attacks exploit bugs in the TCP IP implementations of various computer and host systems Ping of Death uses a ping utility to create an IP packet that exceeds the maximum 65 536 bytes of data allowed by the IP specification The oversize packet is then sent to an unsuspecting system and can cause systems to crash hang or reboot Teardrop attack exploits weaknesses ...

Page 160: ... the initiator responds with an ACK acknowledgment After this handshake a connection is established SYN Attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN ACK responses on what is known as a backlog queue SYN ACKs are mov...

Page 161: ...work with useless data A Smurf hacker floods a router with Internet Control Message Protocol ICMP echo request packets pings Since the destination IP address of each packet is the broadcast address of the network the router broadcasts the ICMP echo request packet to all hosts on the network If there are numerous hosts this creates a large amount of ICMP echo request and response traffic If a hacke...

Page 162: ...CMP types trigger an alert Illegal Commands NetBIOS and SMTP The only legal NetBIOS commands are shown in Table 36 all others are illegal Table 35 ICMP commands that trigger alerts 5 REDIRECT 13 TIMESTAMP_REQUEST 14 TIMESTAMP_REPLY 17 ADDRESS_MASK_REQUEST 18 ADDRESS_MASK_REPLY Table 36 Legal NetBIOS commands MESSAGE REQUEST POSITIVE NEGATIVE RETARGET KEEPALIVE ...

Page 163: ...t it appears that the packets originate from a trusted host and is allowed through the router or firewall The Business Secure Router blocks all IP Spoofing attempts Stateful inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For example if you access an outside service the proxy server remembers things about your original request ...

Page 164: ...onses to this request are allowed However other Telnet traffic initiated from the WAN is blocked Stateful inspection process In the following example the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall s WAN interface The TCP packet is the first in a session and the packet s application layer protocol is configured for a firewall rule inspection 1 ...

Page 165: ...d against the inbound access list and is permitted because of the temporary access list entry previously created 7 The packet is inspected by a firewall rule and the connection s state table entry is updated as necessary You can modify the inbound extended access list temporary entries based on the updated state information in order to permit only packets that are valid for the current state of th...

Page 166: ... structure are called subsequent packets since they represent data that occurs later in the TCP stream If an initiation packet originates on the WAN someone is trying to make a connection from the Internet into the LAN Except in a few special cases see Upper layer protocols on page 167 these packets are dropped and logged If an initiation packet originates on the LAN someone is trying to make a co...

Page 167: ...d port pairs are stored For a short period of time UDP packets from the WAN that have matching IP and UDP information are allowed back in through the firewall A similar situation exists for ICMP except that the Business Secure Router is even more restrictive Specifically only outgoing echoes allow incoming echo replies outgoing address mask requests allow incoming address mask replies and outgoing...

Page 168: ...se by case basis You can use the WebGUI s Custom Ports feature to do this Guidelines for enhancing security with your firewall 1 Change the default password via SMT or WebGUI 2 Think about access control before you connect your device to the network in any way Access to the console port can give unauthorized individuals total control of the firewall even with access control configured 3 Limit who ...

Page 169: ... outbound LAN to WAN traffic between the specific inside host or network A and outside host or network B If the filter blocks the traffic from A to B it also blocks the traffic from B to A Filters cannot distinguish traffic originating from an inside host or an outside host by IP address 4 To block or allow IP trace route Firewall The firewall inspects packet contents as well as their source and d...

Page 170: ... be specified within one firewall rule making the firewall a better choice when complex rules are required 3 To selectively block or allow inbound or outbound traffic between inside host or networks and outside host or networks Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address 4 The firewall performs better than filtering if you need ...

Page 171: ...ptions and are only recommended for advanced users refer to Nortel Business Secure Router 222 Configuration Advanced NN47922 501 for firewall CLI commands Firewall policies overview Firewall rules are grouped based on the direction of travel of packets to which they apply By default Business Secure Router s stateful packet inspection allows packets traveling in the following directions LAN to LAN ...

Page 172: ...at from the LAN to the Internet Allow certain types of traffic such as Lotus Notes database synchronization from specific hosts on the Internet to specific hosts on the LAN Allow everyone except your competitors to access a Web server Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by comparing the Source IP address Destination IP address and...

Page 173: ...llow only certain machines on the Internet to access the LAN Security ramifications Once the logic of the rule has been defined it is critical to consider the security ramifications created by the rule 1 Does this rule stop LAN users from accessing critical resources on the Internet For example if IRC is blocked are there users that require this service 2 Is it possible to modify the rule to be mo...

Page 174: ...ce address What is the connection s source address is it on the LAN or WAN Is it a single IP a range of IPs or a subnet Destination address What is the connection s destination address is it on the LAN or WAN Is it a single IP a range of IPs or a subnet Connection direction examples This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN LAN to ...

Page 175: ...ness Secure Router s WAN interface itself By default the Business Secure Router stops WAN computers from using the Business Secure Router as a gateway to communicate with other computers on the WAN You can configure one of these rules to allow a WAN computer to manage the Business Secure Router LAN to WAN rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed unrest...

Page 176: ...rule and stops checking the firewall rules For example you have one general rule that blocks all LAN to WAN IRC Internet Relay Chat And you have another rule that allows IRC traffic from your company president s LAN IP address to go to the WAN In order for the president s IRC traffic to get through the rule for the president s IP address must come before the rule that blocks all LAN to WAN IRC tra...

Page 177: ... the Business Secure Router s LAN IP address return traffic does not go through the Business Secure Router This is called an asymmetrical or triangle route and causes the Business Secure Router to reset the connection as the connection has not been acknowledged Note Allowing asymmetrical routes can let traffic from the WAN go directly to the LAN without passing through the Business Secure Router A...

Page 178: ...3 Table 38 Firewall rules summary First screen Label Description Enable Firewall Select this check box to activate the firewall The Business Secure Router performs access control and protects against Denial of Service DoS attacks when the firewall is activated The firewall allows traffic to go through your VPN tunnels ...

Page 179: ...ure summarized below take priority over the general firewall action settings above This is your firewall rule number The ordering of your rules is important as rules are applied in turn The Move field allows you to reorder your rules Status This field displays whether a firewall is turned on Active or not Inactive Rules that have not been configured display Empty Source Address This drop down list...

Page 180: ...ay the screen where you configure a firewall rule Move Select a rule s Index option button and type a number for where you want to put that rule Click Move to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering Rule to Rule Number Click a rule s option button and type the number for where you want to put that rule Edit ...

Page 181: ...54 Table 39 Creating and editing a firewall rule Label Description Active Check the Active check box to have the Business Secure Router use this rule Leave it unchecked if you do not want the Business Secure Router to use the rule after you apply it Packet Direction Use the drop down list to select the direction of packet travel to which you want to apply this firewall rule ...

Page 182: ...remove a service highlight it in the Selected Services box on the right then click Custom Port Add Click this button to bring up the screen that you use to configure a new custom service that is not in the predefined list of services Edit Select a custom service denoted by an from the Available Services list and click this button to edit the service Delete Select a custom service denoted by an fro...

Page 183: ... Table 40 Adding or editing source and destination addresses Label Description Address Type Select an option from the drop down list that includes Single Address Range Address Subnet Address and Any Address Start IP Address Enter the single IP address or the starting IP address in a range here Use a numerical IP address in dotted decimal notation for example 192 168 1 10 End IP Address Enter the e...

Page 184: ...a custom port Table 41 describes the fields in Figure 56 Table 41 Creating Editing A Custom Port Label Description Service Name Enter a unique name to identify the service a service that is not predefined in the Business Secure Router Service Type Choose the IP port TCP UDP or Both that defines your customized port from the drop down list Port Configuration Type Click Single to specify one port on...

Page 185: ...nk and then the Summary tab 2 In the Summary screen type the index number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 3 Click Insert to display the firewall rule configuration screen Figure 57 Firewall edit rule screen example 4 Select WAN to LAN as the Packet Direction 5 Select Any in the Destin...

Page 186: ...Custom Port screen Configure it as shown in Figure 59 and click Apply Figure 59 Edit custom port example 8 The firewall rule configuration screen displays Use the arrows between Available Services and Selected Services to configure it as shown in Figure 60 Click Apply after you are done Note Custom ports show up with an before their names in the Services list box and the Rule Summary list box Clic...

Page 187: ...the configuration procedure for this Internet firewall rule the Rule Summary screen will look like the on illustrated in Figure 61 Rule 1 Allows a My Service connection from the WAN to IP addresses 10 0 0 10 through 10 0 0 15 on the LAN Remember to click Apply after you finish configuring your rules to save your settings to the Business Secure Router ...

Page 188: ...Rule screen see Figure 54 displays all predefined services that the Business Secure Router already supports Next to the name of the service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP The second field indicates the IP port number that defines the service Note that there can be more than one IP protocol ...

Page 189: ...9 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on FTP TCP 20 21 File Transfer Program is a program to enable fast transfer of files including large files that cannot be sent by e mail H 323 TCP 1720 NetMeeting uses this protocol HTTP TCP 80 Hyper Text Transfer Protocol is a client server protocol for the World Wide Web HTTPS TCP 443 HTTPS is a secur...

Page 190: ... Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the data channel RCMD TCP 512 Remote Command Service REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web REXEC TCP 514 Remote Execution Daemon RLOGIN TCP 513 Remote Logon RTELNET TCP 107 Remote Telnet RTSP TCP UDP 554 The Real Time Streaming media control Protocol RTS...

Page 191: ...n of voice and multimedia sessions over the Internet SIP is used in VoIP Voice over IP the sending of voice signals over the Internet Protocol SSH TCP UDP 22 Secure Shell Remote Logon Program STRM WORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Using syslog you can send system logs to a UNIX server TACACS UDP 49 Login Host Protocol used for Terminal Access Controller Access Control System TELN...

Page 192: ...influencing choices for threshold values are The maximum number of opened sessions The minimum capacity of server backlog in your LAN network The CPU power of servers in your LAN network Network bandwidth Type of traffic for certain servers If your network is slower than average for any of these factors especially if you have servers that are slow or handle many tasks and are often busy then the d...

Page 193: ...ons as necessary until the rate of new connection attempts drops below another threshold one minute low The rate is the number of new attempts detected in the last one minute sample period TCP maximum incomplete and blocking period An unusually high number of half open sessions with the same destination host address indicates that a Denial of Service attack is being launched against the host Whene...

Page 194: ... the fields in Figure 62 Table 43 Attack alert Label Description Generate alert when attack detected A detected attack automatically generates a log entry Check this box to generate an alert as well as a log whenever an attack is detected Denial of Service Thresholds One Minute Low This is the rate of new half open sessions that causes the firewall to stop deleting half open sessions The Business ...

Page 195: ...ns as required to accommodate new connection requests Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number The above values say 80 in the Maximum Incomplete Low field and 100 in this field cause the Business Secure Router to start deleting half open sessions when the number of existing half open sessions rises above 100 and to stop deleting half open sessions ...

Page 196: ...196 Chapter 11 Firewall screens NN47922 500 ...

Page 197: ...s the ability to block certain web features or specific URL keywords and is not to be confused with packet filtering via SMT menu 21 1 To access these functions from the Main Menu click Content Filter to expand the Content Filter menus Restrict web features The Business Secure Router can block web features such as ActiveX controls Java applets and cookies and disable web proxies Days and Times Wit...

Page 198: ...198 Chapter 12 Content filtering NN47922 500 Configure Content Filtering Click Content Filter on the navigation panel to open the screen show in Figure 63 Figure 63 Content filter ...

Page 199: ...his proxy server Enable URL Keyword Blocking The Business Secure Router can block Web sites with URLs that contain certain keywords in the domain name or IP address For example if the keyword bad was enabled all sites containing this keyword in the domain name or IP address will be blocked for example URL http www website com bad html is blocked Select this check box to enable this feature Keyword...

Page 200: ...ict web server data such as ActiveX Java Cookies and Web Proxy are not affected Enter the time period in 24 hour format during which content filtering will be enforced Select the All Day check box to have content filtering always active on the days selected in Day to Block with time of day limitations not enforced Apply Click Apply to save your changes Reset Click Reset to begin configuring this s...

Page 201: ...ces used to transport traffic over the Internet or any insecure network that uses the TCP IP protocol suite for communication Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections IPSec Internet Protocol Security IPSec is a standards based VPN that offers flexible solutions for secure data communications across a public network like the Intern...

Page 202: ... Screens overview Screens Description Summary This screen lists all of your VPN rules Contivity Client Rule Setup Use these screens to configure simple VPN rules that have the Nortel Business Secure Router 222 operate as a VPN client Branch Office Rule Setup Use these screens to manually configure VPN rules that have the Nortel Business Secure Router 222 operate as a VPN router SA Monitor Use this...

Page 203: ... Decryption is the opposite of encryption it is a mathematical operation that transforms ciphertext to plaintext Decryption also requires a key Figure 64 Encryption and decryption Table 46 VPN Screens Overview Screens Description Summary This screen lists all of your VPN rules Contivity Client Rule Setup Use these screens to configure simple VPN rules that have the Nortel Business Secure Router 22...

Page 204: ...works Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites Accessing Network Resources When NAT Is Enabled When NAT is enabled between the WAN and the LAN remote users are not able to access hosts on the LAN unless the host is designated a public LAN server for that specific protoc...

Page 205: ...ty Payload Protocol RFC 2406 and AH Authentication Header protocol RFC 2402 describe the packet formats and the default standards for packet structure including implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard AES Advanced Encryption Standard and Triple DES algorithms ...

Page 206: ...ence integrity replay resistance and nonrepudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the information from dissemination but can be used for verification of the integrity of the ...

Page 207: ...s effectively doubling the strength of DES AES Advanced Encryption Standard is a newer method of data encryption that also uses a secret key This implementation of AES applies a 128 bit key to 128 bit blocks of data during phase 1 You can configure the device to use a 128 bit 192 bit or 256 bit key for phase 2 AES is faster than 3DES Select NULL to set up a phase 2 tunnel without encryption Authen...

Page 208: ...der information and options are not used in the authentication process Therefore the originating IP address cannot be verified for integrity against the data With the use of AH as the security protocol protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process Tunnel mode Tunnel mode encapsulate...

Page 209: ... encrypted A NAT device in between the IPSec endpoints rewrites either the source or destination address with one of its own choosing The VPN device at the receiving end verifies the integrity of the incoming packet by computing its own hash value and complains that the hash value appended to the received packet does not match The VPN device at the receiving end does not know about the NAT in the ...

Page 210: ...pecify this for a VPN rule in the VPN Branch Office Rule Setup screen see Figure 72 on page 223 If the remote VPN switch has a static WAN IP address enter it in the Secure Gateway Address field You can alternatively enter the remote VPN switch s domain name if it has one in the Secure Gateway Address field You can also enter a remote VPN switch s domain name in the Secure Gateway Address field if ...

Page 211: ...tiate SAs This is useful for telecommuters initiating a VPN tunnel to the company network Summary screen Figure 67 helps explain the main fields in the WebGUI Figure 67 IPSec summary fields Click VPN to open the Summary screen This is a read only menu of your IPSec rules tunnels Edit or create an IPSec rule by selecting an index number and then clicking Edit to configure the associated submenus Th...

Page 212: ...212 Chapter 13 VPN NN47922 500 Figure 68 Summary IP Policies ...

Page 213: ...e indicated by the starting and ending IP addresses separated by a dash You configure these IP addresses in the VPN Branch Office IP Policy screen This field is empty if you do not configure the VPN branch office rule to use an IP policy Private IP addresses are IP addresses of computers on your Business Secure Router s local network for which you have configured the IP policy to use NAT for the V...

Page 214: ...Business Secure Router because the Business Secure Router does not drop the tunnels that are already connected unless there is outbound traffic with no inbound traffic Nailed Up The nailed up feature is similar to the keep alive feature When you initiate an IPSec tunnel with nailed up enabled the Business Secure Router automatically renegotiates the tunnel when the IPSec SA lifetime period expires...

Page 215: ...ess Secure Router does not drop the tunnels that are already connected unless there is outbound traffic with no inbound traffic NAT Traversal NAT traversal allows you to set up a VPN connection when there are NAT routers between the Nortel Business Secure Router 222 and the remote VPN switch Figure 69 NAT router between VPN switches Normally you cannot set up a VPN connection with a NAT router bet...

Page 216: ...age 223 to receive an initiating IPSec packet from VPN switch B set the NAT router to forward UDP port 500 to VPN switch A Preshared key A preshared key identifies a communicating party during a phase 1 IKE negotiation see IKE phases on page 238 for more information It is called preshared because you have to share it with another party before you can communicate with them over a secure connection ...

Page 217: ...rate as a VPN client Active Select this check box to turn on this rule Clear this check box if you do not want to use this rule after you apply it If you want to set the Contivity Client rule to active you must set all other VPN rules to inactive To set a Contivity Client rule to active all of the other VPN rules must be disabled Keep Alive Select this check box to turn on the Keep Alive feature f...

Page 218: ... domain name up to 31 case sensitive characters of the remote VPN switch You can use alphanumeric characters the underscore dash period and the symbol in a domain name No spaces are allowed User Name Enter the username exactly as the VPN switch administrator gives it to you Password Enter the password exactly as the VPN switch administrator gives it to you Advanced Click Advanced to configure grou...

Page 219: ...exactly as the VPN switch administrator gives it to you This field only applies when you enable Group Authentication Group Password Enter the group password exactly as the VPN switch administrator gives you This field only applies when you enable Group Authentication On Demand Client Tunnel Select this check box to have any outgoing packets automatically trigger a VPN connection to the remote VPN ...

Page 220: ...ess Secure Router can distinguish up to 12 incoming SAs because you can select between two encryption algorithms DES and 3DES two authentication algorithms MD5 and SHA1 and three key groups DH1 DH2 and DH5 when you configure a VPN rule see Configuring advanced Branch office setup on page 241 The ID type and content act as an extra level of identification for incoming SAs Configure the ID type and ...

Page 221: ...e the Business Secure Router automatically use the address in the Secure Gateway field DNS Type a domain name up to 31 characters by which to identify the remote VPN switch E mail Type an e mail address up to 31 characters by which to identify the remote VPN switch The domain name or e mail address that you use in the Content field is used for identification purposes only and does not need to be a...

Page 222: ... static or dynamic to set up the VPN tunnel If the WAN connection goes down the Business Secure Router uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect See Chapter 7 WAN screens on page 105 for details about dial backup and traffic redirect Configuring Branch Office VPN Rule Setup Select one of the VPN rules in the VPN Summ...

Page 223: ...Chapter 13 VPN 223 Nortel Business Secure Router 222 Configuration Basics Figure 72 VPN Branch Office rule setup ...

Page 224: ...starts NAT Traversal Select this check box to enable NAT traversal With NAT traversal you can set up a VPN connection when there are NAT routers between the two VPN switches The remote VPN switch must also have NAT traversal enabled You can use NAT traversal with ESP protocol using Transport or Tunnel mode but not with AH protocol In order for a VPN switch behind a NAT router to receive an initiat...

Page 225: ...able IP Policy table Private IP Address This field displays the IP address or a range of IP addresses of the computers on your Business Secure Router s local network for which you have configured this VPN rule For a range of addresses the starting and ending IP addresses are displayed separated by a dash This field applies when you configure the IP policy to use a branch tunnel NAT address mapping...

Page 226: ...omputers when the policy s Branch Tunnel NAT Address Mapping Rule Type field is configured to Many One to one in the IP Policy screen This field displays the policy s local IP address or range of addresses when you disable branch tunnel NAT address mapping in the IP Policy screen This field displays a single static IP address when the IP policy s Local Address Type field is configured to Single Ad...

Page 227: ...tton next to an IP policy and then click Edit to edit that IP policy Delete Select the radio button next to an IP policy that you want to remove and then click Delete Authentication Method Select the Pre Shared Key radio button to use a preshared secret key to identify the Business Secure Router Select the Certificate radio button to identify the Business Secure Router by a certificate Preshared K...

Page 228: ...dress or leave the field blank to have the Business Secure Router automatically use its own IP address When you select DNS in the Local ID Type field type a domain name up to 31 characters by which to identify this Business Secure Router When you select E mail in the Local ID Type field type an e mail address up to 31 characters by which to identify this Business Secure Router The IP address domai...

Page 229: ...PN tunnel has to be rebuilt if this IP address changes The following applies if this field is configured as 0 0 0 0 the default The Business Secure Router uses the current Business Secure Router WAN IP address static or dynamic to set up the VPN tunnel If the WAN connection goes down the Business Secure Router uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP ...

Page 230: ... authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput You can select a 128 bit 192 bit or 256 bit key with this implementation of AES AES is faster than 3DES Select NULL to set up a tunnel...

Page 231: ...guration Basics Configuring an IP Policy Select one of the IP policies in the VPN Branch Office screen and click Add or Edit to configure the policy s settings The Branch Office IP Policy setup screen is shown in Figure 73 Figure 73 VPN Branch Office IP Policy ...

Page 232: ...he Business Secure Router starts the IPSec connection idle timeout timer when it sends the ping packet If there is no traffic from the remote VPN switch by the time the timeout period expires the Business Secure Router disconnects the VPN tunnel Control Ping IP Address If you select Enable Control Ping enter the IP address of a computer at the branch office The computer s IP address must be in thi...

Page 233: ...hat are to use the VPN tunnel Private Ending IP Address When the Type field is configured to One to one this field is N A When the Type field is configured to Many to One or Many One to one enter the ending static IP address of the range of computers on your Business Secure Router s LAN that are to use the VPN tunnel Virtual Starting IP Address Virtual addresses must be static and correspond to th...

Page 234: ... the Secure Gateway Address field set to 0 0 0 0 Address Type Use the drop down menu to choose Single Address Range Address or Subnet Address Select Single Address for a single IP address Select Range Address for a specific range of IP addresses Select Subnet Address to specify IP addresses on a network by their subnet mask Starting IP Address When the Address Type field is configured to Single Ad...

Page 235: ...the Protocol field and 21 FTP in the Port field Remote Remote IP addresses must be static and correspond to the remote VPN switch s configured local IP addresses The remote fields do not apply when the Secure Gateway Address field is configured to 0 0 0 0 In this case only the remote VPN switch can initiate the VPN Two active SAs cannot have the local and remote IP addresses both the same You can ...

Page 236: ...e Type select Many to One enter the private and virtual IP addresses and click the Port Forwarding Server button to display the screen shown in Figure 74 Ending IP Address Subnet Mask When the Address Type field is configured to Single Address this field is N A When the Address Type field is configured to Range Address enter the end static IP address in a range of computers on the LAN behind your ...

Page 237: ...er In addition to the servers for specified services NAT supports a default server A default server receives packets from ports that are not specified in this screen If you do not assign a default server IP address all packets received for ports not specified in this screen are discarded Number of an individual port forwarding server entry Active Select this check box to activate the port forwardi...

Page 238: ...the End Port field End Port Type a port number in this field To forward only one port type the port number in the Start Port field above and then type it again in this field To forward a series of ports type the last port number in a series that begins with the port number in the Start Port field above Server IP Address Type your server IP address in this field Apply Click this button to save thes...

Page 239: ... authentication algorithm Choose whether to enable Perfect Forward Secrecy PFS using Diffie Hellman public key cryptography see Perfect Forward Secrecy PFS on page 240 Select None the default to disable PFS Choose Tunnel mode or Transport mode Set the IPSec SA lifetime In this field you can determine how long the IPSec SA will stay up before it times out The Business Secure Router automatically re...

Page 240: ...E negotiation It is called preshared because you have to share it with another party before you can communicate with the party over a secure connection Diffie Hellman DH Key Groups Diffie Hellman DH is a public key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel Diffie Hellman is used within IKE SA setup to establish session keys ...

Page 241: ...oot secret which can have security implications in the long run but allows faster SA setup by bypassing the Diffie Hellman key exchange Configuring advanced Branch office setup Select one of the VPN rules in the VPN Summary screen and click Edit to configure the rule s settings The basic IKE rule setup screen displays In the VPN Branch Office Rule Setup screen click the Advanced button to display ...

Page 242: ...own list When you use one of these encryption algorithms for data communications both the sending device and the receiving device must use the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is mor...

Page 243: ...d for integrity authentication sequence integrity replay resistance and nonrepudiation but not for confidentiality for which the ESP was designed If you select AH here you must select options from the Authentication Algorithm field Encryption Algorithm Select DES 3DES AES or NULL from the drop down list When you use one of these encryption algorithms for data communications both the sending device...

Page 244: ...ust be identical to the remote VPN switch Tunnel is compatible with NAT Transport is not Perfect Forward Secrecy PFS Perfect Forward Secrecy PFS is disabled None by default in phase 2 IPSec SA setup This allows faster IPSec setup but is not as secure Choose from DH1 DH2 or DH5 to enable PFS DH1 refers to Diffie Hellman Group 1 a 768 bit random number DH2 refers to Diffie Hellman Group 2 a 1 024 bi...

Page 245: ...nd does not time out until the SA lifetime period expires See the section Keep Alive on page 214 about keep alive to have the Business Secure Router renegotiate an IPSec SA when the SA lifetime expires even if there is no traffic Table 60 VPN SA Monitor Label Description This is the security association index number Name This field displays the identification name for this VPN policy Connection Ty...

Page 246: ...ssing requirements and communications latency delay Refresh Click Refresh to display the current active VPN connections This button is available when you have active VPN connections Disconnect Select a security association index number that you want to disconnect and then click Disconnect This button is available when you have active VPN connections Next Page if applicable Click Next Page to view ...

Page 247: ...ith a LAN It is sometimes necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa Allow Through IPSec Tunnel Select this check box to send NetBIOS packets through the VPN connection Exclusive Use Mode for Client Tunnel Select this check box to permit only the computer with the MAC address that you speci...

Page 248: ... backup VPN switch when the default remote VPN switch specified in the Destination field is not accessible The VPN fail over feature must also be set up in the remote VPN switch First Gateway Second Gateway Third Gateway These read only fields display the IP addresses of the backup VPN switches The Business Secure Router automatically gets this information from the default remote VPN switch After ...

Page 249: ...Chapter 13 VPN 249 Nortel Business Secure Router 222 Configuration Basics Figure 79 VPN Client Termination ...

Page 250: ...gotiations RADIUS Server Select this option to have the Business Secure Router use an external RADIUS server to identify the Contivity VPN clients during phase 1 IKE negotiations Click Configure RADIUS Server to specify the associated external RADIUS server Group ID The Contivity VPN clients send the group ID and group password to the Business Secure Router for or initial authentication After a su...

Page 251: ...t You can select a 128 bit key implementation of AES AES is faster than 3DES SHA1 Secure Hash Algorithm and MD5 Message Digest 5 are hash algorithms used to authenticate packet data SHA1 algorithm is generally considered stronger than MD5 but is slower IKE Encryption and Diffie Hellman Group Select the combinations of encryption algorithm and Diffie Hellman key group that the Business Secure Route...

Page 252: ...m Enable Perfect Forward Secrecy Perfect Forward Secrecy PFS is disabled by default in phase 2 IPSec SA setup This allows faster IPSec setup but is not so secure Turn on PFS to use the Diffie Hellman exchange to create a new key for each IPSec SA setup Rekey Timeout Set the allowed lifetime for an individual key used for data encryption before negotiating a new key A setting of 00 00 00 disables t...

Page 253: ...ield displays the label that you configure for the IP address pool Active This field displays whether or not the IP address pool is turned on Starting Address This field displays the first IP address in the IP address pool Subnet mask This field displays the subnet mask that you specified to define the IP address pool Pool size This field displays how many IP addresses you set the Business Secure ...

Page 254: ...can configure the entry s settings Use this screen to configure a range of IP addresses to assign to the Contivity VPN clients Figure 81 VPN Client Termination IP pool edit Table 64 describes the fields in Figure 81 Table 64 VPN Client Termination IP pool edit Label Description Active Turn on the IP pool if you want the Business Secure Router to use it in assigning IP addresses to the Contivity VP...

Page 255: ...en Use this screen to configure detailed settings for use with all of the Contivity VPN Client tunnels Pool Size Specify how many IP addresses the Business Secure Router is to give out from the pool created by the starting address and subnet mask 256 is the maximum Apply Click Apply to save your changes to the Business Secure Router Cancel Click Cancel to return to the IP Pool Summary screen witho...

Page 256: ...256 Chapter 13 VPN NN47922 500 Figure 82 VPN Client Termination advanced ...

Page 257: ...this UDP port to the VPN Contivity client behind the NAT router Fail Over The fail over feature allows a Contivity VPN client to establish a VPN connection to a backup VPN switch when the Business Secure Router is not accessible The VPN fail over feature must also be set up in the Contivity VPN clients First Gateway Second Gateway Third Gateway Enter the IP addresses of the backup VPN switches Whe...

Page 258: ...ies what the Business Secure Router does when it detects a noncompliant version of Contivity VPN client software Select None to allow the VPN tunnel without displaying any messages to tell the user where to download the required version of the Contivity VPN client software Select Send Message to allow the VPN tunnel but display a message to tell the user where to download the required version of t...

Page 259: ...s to have both numbers and letters Maximum Password Age Enter the maximum number of days that a Contivity VPN client can use a password before it has to be changed 0 means that a password never expires Minimum Password Length Enter the minimum number of characters that can be used for a Contivity VPN client password Apply Click Apply to save your changes to the Business Secure Router Reset Click R...

Page 260: ...260 Chapter 13 VPN NN47922 500 ...

Page 261: ...on authorities You can use the Business Secure Router to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority In public key encryption and decryption each host has two keys One key is public and can be made openly available the other key is private and must be kept secure Public key encryption in ...

Page 262: ...ies maintain directory servers with databases of valid and revoked certificates A directory of certificates that have been revoked before the scheduled expiration is called a CRL Certificate Revocation List The Business Secure Router can check a peer s certificate against a directory server s list of revoked certificates The framework of servers software procedures and policies that handles keys i...

Page 263: ...re Routers CA signed certificates Use the Trusted CA screens to save CA certificates to the Business Secure Router Use the Trusted Remote Hosts screens to import self signed certificates Use the Directory Servers screen to configure a list of addresses of directory servers that contain lists of valid and revoked certificates My Certificates Click CERTIFICATES My Certificates to open the Business S...

Page 264: ...264 Chapter 14 Certificates NN47922 500 Figure 84 My Certificates ...

Page 265: ...lid certificate Send a certification request to a certification authority which then issues a certificate Use the My Certificate Import screen to import the certificate and replace the request SELF represents a self signed certificate SELF represents the default self signed certificate which the Business Secure Router uses to sign imported trusted remote host certificates CERT represents a certifi...

Page 266: ...o other features such as HTTPS VPN or SSH are configured to use the SELF certificate 2 Click the details icon next to another self signed certificate see the description on the Create button if you need to create a self signed certificate 3 Select the Default self signed certificate which signs the imported remote host certificates check box 4 Click Apply to save the changes and return to the My C...

Page 267: ...convert a binary PKCS 7 certificate into a printable form Importing a certificate Click CERTIFICATES My Certificates and then Import to open the My Certificate Import screen Follow the instructions on the screen shown in Figure 85 to save an existing certificate to the Business Secure Router Note 1 You can only import a certificate that matches a corresponding certification request generated by th...

Page 268: ...e Import Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the certificate to the Business Secure Router Cancel Click Cancel to quit and return to the My Certificates screen ...

Page 269: ...FICATES My Certificates and then Create to open the My Certificate Create screen Use this screen to have the Business Secure Router create a self signed certificate enroll a certificate with a certification authority or generate a certification request For more information see Figure 86 Figure 86 My Certificate create ...

Page 270: ...ganizational Unit Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs You can use any character including spaces but the Business Secure Router drops trailing spaces Organization Type up to 127 characters to identify the company or group to which the certificate owner belongs You can use any character including spaces but the Business ...

Page 271: ...ertification authority requires it Enrollment Protocol Select the certification authority s enrollment protocol from the drop down list Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509 working group o...

Page 272: ...r information in the My Certificate Create screen Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the Business Secure Router to enroll a certificate online My Certificate details Click CERTIFICATES and then My Certificates to open the My Certificates screen see Figure 84 Click the details icon to open the My Certif...

Page 273: ...Chapter 14 Certificates 273 Nortel Business Secure Router 222 Configuration Basics Figure 87 My Certificate details ...

Page 274: ...the issuing certification authority is one that you have imported as a trusted certification authority it can be the only certification authority in the list along with the certificate itself If the certificate is a self signed certificate the certificate itself is the only one in the list The Business Secure Router does not trust the certificate and displays Not trusted in this field if any certi...

Page 275: ...e certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the Business Secure Router uses RSA encryption and the length of the key set in bits 1 024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key ...

Page 276: ...tification request into a certification authority s Web page an e mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later...

Page 277: ...hen the maximum is approached When the bar is red consider deleting expired or unnecessary certificates before adding more certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subject This field displays identifying information about the certificate s owner such as CN Comm...

Page 278: ...ertificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists CRL check box in the certificate s details screen to have the Business Secure Router check the CRL before trusting any certificates issued by the certification authority Otherwise the field displays No Modify Click the details icon to open a screen with an in depth list...

Page 279: ... this screen to save a trusted certification authority s certificate to the Business Secure Router Figure 89 Trusted CA import Table 71 describes the labels in Figure 89 Note You must remove any spaces from the certificate s filename before you can import the certificate Table 71 Trusted CA import Label Description File Path Type in the location of the file you want to upload in this field or clic...

Page 280: ...ion about the certification authority s certificate change the certificate s name and set whether or not you want the Business Secure Router to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Apply Click Apply to save the certificate on the Business Secure Router Cancel Click Cancel to quit and return to the Trusted...

Page 281: ...Chapter 14 Certificates 281 Nortel Business Secure Router 222 Configuration Basics Figure 90 Trusted CA details ...

Page 282: ...hority in the list along with the end entity s own certificate The Business Secure Router does not trust the end entity s certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked Refresh Click Refresh to display the certification path Certificate Information These read only fields display detailed information about the certificate Type This fiel...

Page 283: ...r e mail address EMAIL Key Usage This field displays for what functions the certificate s key can be used For example DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text Basic Constraint This field displays general information about the certificate For example Subject Type CA means that this is a certification auth...

Page 284: ...fication request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characters to convert the binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution via floppy disk for example Export Click this bu...

Page 285: ... green to red when the maximum is approached When the bar is red consider deleting expired or unnecessary certificates before adding more certificates Issuer My Default Self signed Certificate This field displays identifying information about the default self signed certificate on the Business Secure Router that the Business Secure Router uses to sign the trusted remote host certificates This fiel...

Page 286: ...nt O Organization or company or C Country Nortel recommends that each certificate have unique subject information Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and...

Page 287: ...s 3 Double click the certificate s icon to open the Certificate window Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields Figure 93 Certificate details Verify over the phone for example that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields ...

Page 288: ...d then click Import to open the Trusted Remote Host Import screen Follow the instructions in this screen to save a trusted host s certificate to the Business Secure Router see Figure 94 Figure 94 Trusted remote host import Note The trusted remote host certificate must be a self signed certificate and you must remove any spaces from its file name before you can import it ...

Page 289: ... screen You can use this screen to view in depth information about the trusted remote host s certificate and change the certificate s name Table 74 Trusted remote host import Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the certif...

Page 290: ...290 Chapter 14 Certificates NN47922 500 Figure 95 Trusted remote host details ...

Page 291: ...nformation about the certificate Type This field displays general information about the certificate With trusted remote host certificates this field always displays CA signed The Business Secure Router is the Certification Authority that signed the certificate X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public ke...

Page 292: ... is the remote host s actual certificate because the Business Secure Router has signed the certificate thus causing this value to be different from that of the remote host s actual certificate See Verifying a certificate of a trusted remote host on page 286 for how to verify a remote host s certificate SHA1 Fingerprint This is the certificate s message digest that the Business Secure Router calcul...

Page 293: ...nst the issuing certification authority s list of revoked certificates the Business Secure Router first checks the servers listed in the CRL Distribution Points field of the incoming certificate If the certificate does not list a server or the listed server is not available the Business Secure Router checks the servers listed here Figure 96 Directory servers Apply Click Apply to save your changes ...

Page 294: ...s The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to identify this directory server Address This field displays the IP address or domain name of the directory server Port This field displays the port number that the directory server uses Protocol This field displays the protocol that the directory server uses Modify Click...

Page 295: ...to 31 ASCII characters spaces are not permitted to identify this directory server Access Protocol Use the drop down list to select the access protocol used by the directory server LDAP Lightweight Directory Access Protocol is a protocol over TCP that specifies how clients access directories certificates and lists of revoked certificates 1 Server Address Type the IP address in dotted decimal notati...

Page 296: ...self in order to assess the directory server Type the logon name up to 31 ASCII characters from the entity maintaining the directory server usually a certification authority Password Type the password up to 31 ASCII characters from the entity maintaining the directory server usually a certification authority Apply Click Apply to save your changes to the Business Secure Router Cancel Click Cancel t...

Page 297: ...se of real time applications such as Voice over IP VoIP increasing the requirement for bandwidth allocation is also increasing Bandwidth management addresses questions such as Who gets how much access to specific applications Which traffic must have guaranteed delivery How much bandwidth is allotted to guarantee delivery With bandwidth management you can configure the allowed output for an interfa...

Page 298: ...bclass View your configured bandwidth subclasses for a given interface in the Class Setup tab see Configuring class setup on page 301 for details The total of the configured bandwidth budgets cannot exceed the configured bandwidth budget for the interface as specified in Configuring summary on page 300 Proportional bandwidth allocation With bandwidth management you can define how much bandwidth ea...

Page 299: ...d an application Table 78 shows bandwidth allocations for application specific traffic from separate LAN subnets Reserving bandwidth for nonbandwidth class traffic If you want to allow bandwidth for traffic that is not defined in a bandwidth filter leave some of the interface s bandwidth unbudgeted Table 78 Application and Subnet based Bandwidth Management Example Traffic Type From Subnet A From S...

Page 300: ...mmary Label Description WAN LAN These read only labels represent the physical interfaces Select an interface s check box to enable bandwidth management on that interface Bandwidth management applies to all traffic flowing out of the router through the interface regardless of the traffic s source Traffic redirect or IP alias cause LAN to LAN traffic to pass through the Business Secure Router and be...

Page 301: ...r the root class To add or delete child classes on an interface click BW MGMT then the Class Setup tab The screen appears as shown in Figure 100 Speed kbps Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management This appears as the bandwidth budget of the interface s root class see Configuring class setup on page 301 Nortel recommends that you set this...

Page 302: ...asses Bandwidth Management This field displays whether bandwidth management on the interface you selected in the field above is enabled Active or not Inactive Add Subclass Click Add Sub class to add a subclass Edit Click Edit to go to a screen where you can configure the selected subclass You cannot edit the root class Delete Click Delete to remove the selected subclass You cannot delete the root ...

Page 303: ... 0 0 0 0 0 means all Destination Port This field displays the port number of the destination 0 means all ports Source IP Address This field displays the source IP address in dotted decimal notation followed by the subnet mask The IP 0 0 0 0 0 means all Source Port This field displays the port number of the source The 0 means all ports Protocol ID This field displays the protocol ID service type nu...

Page 304: ...se the autogenerated name or enter a descriptive name of up to 20 alphanumeric characters including spaces Bandwidth Budget kbps Specify the maximum bandwidth allowed for the class in kb s The recommendation is a setting between 20 kbps and 20 000 kbps for an individual class The bandwidth you specify cannot cause the total allocated bandwidths of this and all other subclasses to exceed the bandwi...

Page 305: ...ic If you select H 323 make sure you also turn on the H 323 ALG For more information about ALG see ALG on page 90 SIP Session Initiation Protocol is a signaling protocol used in Internet telephony instant messaging events notification and conferencing The Business Secure Router supports SIP traffic pass through Select SIP from the drop down list to configure this bandwidth filter for SIP traffic T...

Page 306: ... See Table 82 for some common services and port numbers Protocol ID Enter the protocol ID service type number for example 1 for ICMP 6 for TCP or 17 for UDP Apply Click Apply to save your changes to the Business Secure Router Cancel Click Cancel to exit this screen without saving Table 82 Services and port numbers Services Port Number ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer ...

Page 307: ...transmitted Dropped Packets This field displays the total number of packets dropped Dropped Bytes This field displays the total number of bytes dropped Bandwidth Statistics for the Past 8 Seconds t 8 to t 1 This field displays the bandwidth statistics in b s for the past one to eight seconds For example t 1 means one second ago Update Period Seconds Enter the time interval in seconds to define how...

Page 308: ... the labels in Figure 103 Table 84 Bandwidth manager monitor Label Description Interface Select an interface from the drop down list to view the bandwidth usage of its bandwidth classes Class This field displays the name of the class Budget kbps This field displays the amount of bandwidth allocated to the class Current Usage kbps This field displays the amount of bandwidth that each class is using...

Page 309: ...IUS RADIUS is based on a client sever model that supports authentication and accounting where users are the clients and the server is the RADIUS server The RADIUS server handles the following tasks among others Authentication Determines the identity of the users Accounting Keeps track of the client s network activity RADIUS is a simple package exchange in which your Business Secure Router acts as ...

Page 310: ...ting Response Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the Business Secure Router and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to the shared key password information exchanged is also encrypted to protect the network from unauthorized acces...

Page 311: ...ow IEEE 802 1x EAP authentication works 1 The user sends a start message to the Business Secure Router 2 The Business Secure Router sends a request identity message to the user for identity information 3 The user replies with identity information including username and password 4 The RADIUS server checks the user information against its user profile database and determines whether or not to authen...

Page 312: ...on Required to allow all users to access your network without authentication Select No Access to deny all users access to your wired network Reauthentication Period Specifies the time interval between the RADIUS server s authentication checks of users connected to the network This field is active only when you select Authentication Required in the Authentication Type field Idle Timeout Seconds The...

Page 313: ...erver for a user s username and password Select Local first then RADIUS to have the Business Secure Router first check the user database on the Business Secure Router for a user s username and password If the user name is not found the Business Secure Router then checks the user database on the specified RADIUS server Select RADIUS first then Local to have the Business Secure Router first check th...

Page 314: ...314 Chapter 16 IEEE 802 1x NN47922 500 ...

Page 315: ...r of users Introduction to Local User database By storing user profiles locally on the Business Secure Router your Business Secure Router is able to authenticate users without interacting with a network RADIUS server However there is a limit on the number of users you can authenticate in this way Local User database To see your Business Secure Router s local user list click AUTH SERVER The Local U...

Page 316: ...ption User ID This field displays the logon name for the user account Active This field displays Yes if the user account is enabled or No if it is disabled User type This field displays whether the user account can be used for a IEEE 802 1X or IPSec logon or both Last Name This field displays the user s last name First Name This field displays the user s first name ...

Page 317: ...s A dash appears for all other accounts Valid displays if an IPSec user can use the account to logon Expired displays if an IPSec user can no longer use the account to logon This happens when you have enabled Password Management in the VPN Client Termination Advanced screen and the account s password has exceeded the time that you configured as the Maximum Password Age Edit Select a user account a...

Page 318: ...318 Chapter 17 Authentication server NN47922 500 Figure 107 Local User database edit ...

Page 319: ... or 802 1X IPSec in the User Type field First Name Enter the user s first name Last Name Enter the user s last name Static IP Address Enter the IP address of the remote user in dotted decimal notation Static Subnet Mask Enter the subnet mask of the remote user Split Tunneling Enable or disable split tunneling or inverse split tunneling Select Disable to force all traffic to be encrypted and go thr...

Page 320: ...his field applies when you select Enabled in the Split Tunneling field Select the network for which you force traffic to be encrypted and go through the VPN tunnel Inverse Split Tunnel Network This field applies when you select Enabled Inverse or Enabled Inverse locally connected in the Split Tunneling field Select the network for which you do not force traffic to be encrypted and go through the V...

Page 321: ... use with split or inverse split VPN tunnels Table 88 Current split networks Label Description Return to Local User Database User Edit Page Click this link to return to the screen where you configure a local user database entry Current Split Networks This is the list of names of split or inverse split networks Add Click Add to open another screen where you can specify split or inverse split networ...

Page 322: ...escribes the labels in Figure 109 Table 89 Current split networks edit Label Description Network Name Enter a name to identify the split network IP Address Enter the IP address for the split network in dotted decimal notation Netmask Enter the netmask for the split network in dotted decimal notation ...

Page 323: ... as shown in Figure 110 Current Subnets for Network This box displays the subnets that belong to this split network Add Click Add to save your split network configuration Delete Select a network subset and click Delete to remove it Clear Click Clear to remove all of the configuration field and subnet settings Apply Click Apply to save your changes to the Business Secure Router Cancel Click Cancel ...

Page 324: ...ption Authentication Server Active Select the check box to enable user authentication through an external authentication server Clear the check box to enable user authentication using the local user profile on the Business Secure Router Server IP Address Enter the IP address of the external authentication server in dotted decimal notation ...

Page 325: ...e check box to enable user accounting through an external authentication server Server IP Address Enter the IP address of the external accounting server in dotted decimal notation Port Number The default port of the RADIUS server for accounting is 1813 You need not change this value unless your network administrator instructs you to do so with additional information Key Enter a password up to 31 a...

Page 326: ...326 Chapter 17 Authentication server NN47922 500 ...

Page 327: ...u can manage your Business Secure Router from a remote location via Internet WAN only LAN only ALL LAN and WAN Neither Disable To disable remote management of a service select Disable in the corresponding Server Access field Remote management limitations Remote management over LAN or WAN does not work if Note When you configure remote management to allow management from the WAN you still need to c...

Page 328: ...ning with a Telnet session A web session is disconnected if you begin a Telnet session nor does it begin if a Telnet session is already running 7 A firewall rule blocks access to device Remote management and NAT When NAT is enabled Use the Business Secure Router s WAN IP address when configuring from the WAN Use the Business Secure Router s LAN IP address when configuring from the LAN System timeo...

Page 329: ...s the Business Secure Router using the WebGUI The SSL protocol specifies that the SSL server the Business Secure Router must always authenticate itself to the SSL client the computer that requests the HTTPS connection with the Business Secure Router whereas the SSL client only authenticates itself when the SSL server requires it to do so select Authenticate Client Certificates in the REMOTE MGMT W...

Page 330: ...TPS implementation Configuring WWW To change your Business Secure Router s Web settings click REMOTE MGMT to open the WWW screen Note If you disable HTTP Server Access Disable in the REMOTE MGMT WWW screen the Business Secure Router blocks all HTTP connection attempts ...

Page 331: ...r and must always authenticate itself to the SSL client the computer that requests the HTTPS connection with the Business Secure Router Authenticate Client Certificates Select Authenticate Client Certificates optional to require the SSL client to authenticate itself to the Business Secure Router by sending the Business Secure Router a certificate To do that the SSL client must have a CA signed cer...

Page 332: ...nt is a trusted computer that is allowed to communicate with the Business Secure Router using this service Select All to allow any computer to access the Business Secure Router using this service Choose Selected to just allow the computer with the IP address that you specify to access the Business Secure Router using this service HTTP Server Port You can change the server port number for a service...

Page 333: ...13 appears in Internet Explorer Select Yes to proceed to the WebGUI logon screen if you select No then WebGUI access is blocked Figure 113 Security Alert dialog box Internet Explorer Netscape Navigator warning messages When you attempt to access the Business Secure Router HTTPS server a Website Certified by an Unknown Authority screen shown in Figure 114 appears asking if you trust the server cert...

Page 334: ...r 18 Remote management screens NN47922 500 Select Accept this certificate permanently to import the Business Secure Router s certificate into the SSL client Figure 114 Figure 18 4 Security Certificate 1 Netscape ...

Page 335: ... factory default certificate is the Business Secure Router itself since the certificate is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate into your operating system as a trusted certificate To have the browser trust the certificates issued by a certificate authority import the certificate authority s certificate into your operating s...

Page 336: ...his procedure if you need to access the WAN port and it uses a dynamically assigned IP address a Create a new certificate for the Business Secure Router that uses the IP address of the Business Secure Router s port that you are trying to access as the certificate s common name For example to use HTTPS to access a LAN port with IP address 192 168 1 1 create a certificate that uses 192 168 1 1 as th...

Page 337: ...Chapter 18 Remote management screens 337 Nortel Business Secure Router 222 Configuration Basics Figure 116 Logon screen Internet Explorer ...

Page 338: ...nagement screens NN47922 500 Figure 117 Login screen Netscape Click Login to proceed The screen shown in Figure 118 appears The factory default certificate is a common default certificate for all Business Secure Router models ...

Page 339: ...ics Figure 118 Replace certificate Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router s MAC address that is specific to this device Click CERTIFICATES to open the My Certificates screen You see information similar to that shown in Figure 119 ...

Page 340: ...ote management screens NN47922 500 Figure 119 Device specific certificate Click Ignore in the Replace Certificate screen to use the common Business Secure Router certificate The My Certificates screen appears Figure 120 ...

Page 341: ...e 120 Common Business Secure Router certificate SSH overview Unlike Telnet or FTP which transmit data in clear text SSH Secure Shell is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network ...

Page 342: ...a secure connection is established between two remote hosts Figure 122 How SSH Works 1 Host Identification The SSH client sends a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and sends the result to the server ...

Page 343: ...then sends its authentication information username and password to the server to log on to the server SSH implementation on the Business Secure Router Your Business Secure Router supports SSH version 1 5 using RSA authentication and three encryption methods DES 3DES and Blowfish The SSH server is implemented on the Business Secure Router for remote SMT management and file transfer on port 22 Only ...

Page 344: ...owever you must use the same port number in order to use that service for remote management Server Access Select the interfaces If any through which a computer can access the Business Secure Router using this service Secure Client IP Address A secure client is a trusted computer that is allowed to communicate with the Business Secure Router using this service Select All to allow any computer to ac...

Page 345: ...e Example 1 Microsoft Windows This section describes how to access the Business Secure Router using the Secure Shell Client program 1 Launch the SSH client and specify the connection information IP address port number or device name for the Business Secure Router 2 Configure the SSH client to accept connection using SSH version 1 3 A window appears prompting you to store the host key in you comput...

Page 346: ...ult IP address of 192 168 1 1 A message displays indicating the SSH protocol version supported by the Business Secure Router Figure 125 SSH Example 2 Test 2 Enter ssh 1 192 168 1 1 This command forces your computer to connect to the Business Secure Router using SSH version 1 If this is the first time you are connecting to the Business Secure Router using SSH a message appears prompting you to save...

Page 347: ...ecure Router for secure file transfer using SSH version 1 If this is the first time you are connecting to the Business Secure Router using SSH a message displays prompting you to save the host information of the Business Secure Router Type yes and press ENTER 2 Enter the password to log on to the Business Secure Router 3 Use the put command to upload a new firmware to the Business Secure Router ss...

Page 348: ...ing to 192 168 1 1 The authenticity of host 192 168 1 1 192 168 1 1 can t be established RSA1 key fingerprint is 21 6c 07 25 7e f4 75 80 ec af bd d4 3d 80 53 d1 Are you sure you want to continue connecting yes no yes Warning Permanently added 192 168 1 1 RSA1 to the list of known hosts Administrator 192 168 1 1 s password sftp put firmware bin ras Uploading firmware bin to ras Read from remote hos...

Page 349: ...t Server Access Select the interfaces If any through which a computer can access the Business Secure Router using this service Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the Business Secure Router using this service Select All to allow any computer to access the Business Secure Router using this service Choose Selected to just allow the com...

Page 350: ...ttings click REMOTE MANAGEMENT and then the FTP tab The screen appears as shown in Figure 130 Figure 130 FTP Table 94 describes the fields in Figure 130 Table 94 FTP Label Description Server Port You can change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Server Access Select the interfaces If any throug...

Page 351: ...rates an SNMP management operation SNMP is only available if TCP IP is configured The default get and set communities are public Secured Client IP Address A secured client is a trusted computer that is allowed to communicate with the Business Secure Router using this service Select All to allow any computer to access the Business Secure Router using this service Choose Selected to just allow the c...

Page 352: ...etwork management functions It executes applications that control and monitor managed devices The managed devices contain object variables and managed objects that define each piece of information to be collected about a device Examples of variables include number of packets received and node port status A Management Information Base MIB is a collection of managed objects SNMP allows a manager and...

Page 353: ... data and monitor status and performance SNMP Traps The Business Secure Router sends traps to the SNMP manager when any one of the following events occurs Table 95 SNMP traps Trap Trap Name Description 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215 A trap ...

Page 354: ...e 132 Figure 132 SNMP Table 96 describes the fields in Figure 132 Table 96 SNMP Label Description SNMP Configuration Get Community Enter the Get Community which is the password for the incoming Get and GetNext requests from the management station The default is PlsChgMe RO Set Community Enter the Set community which is the password for incoming Set requests from the management station The default ...

Page 355: ...er The default is public and allows all requests Destination Type the IP address of the station to send your SNMP traps to SNMP Service Port You change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Access Select the interfaces If any through which a computer can access the Business Secure Router u...

Page 356: ...rver Access Select the interfaces if any through which a computer can send DNS queries to the Business Secure Router Secured Client IP Address A secured client is a trusted computer that is allowed to send DNS queries to the Business Secure Router Select All to allow any computer to send DNS queries to the Business Secure Router Choose Selected to just allow the computer with the IP address that y...

Page 357: ...s in Figure 134 Note In order to allow Ping on the WAN you must also configure a WAN to WAN Business Secure Router rule that allows PING ICMP 0 traffic Table 98 Security Label Description ICMP Internet Control Message Protocol is a message control and error reporting protocol between a host server and a gateway to the Internet ICMP uses Internet Protocol IP datagrams but the messages are processed...

Page 358: ...rt requests for unused ports thus leaving the unused ports and the Business Secure Router unseen If the firewall blocks a packet from the WAN the Business Secure Router sends a TCP reset packet Use the sys firewall tcprst rst off command in the command interpreter if you want to stop the Business Secure Router from sending TCP reset packets Apply Click Apply to save your customized settings and ex...

Page 359: ... in use How do I know if I am using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network appears as a separate icon By selecting the icon of a UPnP device you can access the information and properties of that device NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate t...

Page 360: ... enabled devices can communicate freely with each other without additional configuration If this is not your intention disable UPnP UPnP implementation The device has UPnP certification from the Universal Plug and Play Forum Creates UPnP Implementers Corp UIC This UPnP implementation supports IGD 1 0 Internet Gateway Device At the time of writing the UPnP implementation supports Windows Messenger ...

Page 361: ...ugh UPnP Select this check box to allow UPnP enabled applications to automatically configure the Business Secure Router so that they can communicate through the Business Secure Router For example by using NAT traversal UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device eliminating the need to manually configure port forwarding for...

Page 362: ...siness Secure Router can keep a record when your computer uses UPnP to create a NAT forwarding rule for that service The following read only table displays information about the UPnP created NAT mapping rule entries in the Business Secure Router s NAT routing table This is the index number of the UPnP created NAT mapping rule entry Remote Host This field displays the source IP address on the WAN o...

Page 363: ...apped to the Internal Client Protocol This field displays the protocol of the NAT mapping rule TCP or UDP Internal Port This field displays the port number on the Internal Client to which the Business Secure Router forwards incoming connection requests Internal Client This field displays the DNS host name or IP address of a client on the LAN Multiple NAT clients can use a single port simultaneousl...

Page 364: ...ow select the Universal Plug and Play check box in the Components selection box 4 Click OK to return to the Add Remove Programs Properties window and click Next 5 Restart the computer when prompted Figure 138 Communications Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP ...

Page 365: ...s 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components The Windows Optional Networking Components Wizard window appears Figure 139 Network connections 4 Select Networking Service in the Components selection box and click Details Figure 140 Windows optional networking components wizard ...

Page 366: ... Using UPnP in Windows XP example This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the device Make sure the computer is connected to a LAN port of the device Turn on your computer and the Business Secure Router Autodiscover Your UPnP enabled Network Device 1 Click Start and Control Panel Double click Network C...

Page 367: ...nfiguration Basics 2 Right click the icon and select Properties Figure 142 Internet gateway icon 3 In the Internet Connection Properties window click Settings to see the port mappings that were automatically created Figure 143 Internet connection properties ...

Page 368: ...the port mappings or click Add to manually add port mappings Figure 144 Internet connection properties advanced setup Figure 145 Service settings Note When the UPnP enabled device is disconnected from your computer all port mappings are deleted automatically ...

Page 369: ...nection icon 6 Double click the icon to display your current Internet connection status Figure 147 Internet connection status WebGUI easy access With UPnP you can access the WebGUI without first finding out its IP address This is helpful if you do not know the IP address of your Business Secure Router Follow the steps below to access the WebGUI 1 Click Start and then Control Panel 2 Double click N...

Page 370: ...laces Figure 148 Network connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click the icon for your Business Secure Router and select Invoke The WebGUI logon screen displays Figure 149 My Network Places Local network ...

Page 371: ...tion Click LOGS to open the View Log screen Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen see Configuring Log settings on page 373 Options include logs about system maintenance system errors access control allowed or blocked Web sites blocked Web features such as ActiveX controls Java and cookies attacks such as DoS and IPSec Log entries in...

Page 372: ...ded Refer to Configuring Time and Date on page 86 for information about configuring the Business Secure Router s time and date Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet Destination This field lists the destination IP address and the port number of the incoming packet Note This field displays additional ...

Page 373: ...serious attention including system errors attacks access control and attempted access to blocked Web sites or Web sites with restricted Web features such as cookies Active X and so on Some categories such as System Errors consist of both logs and alerts You can differentiate between logs and alerts by their color in the View Log screen Alerts display in red and logs display in black Refresh Click ...

Page 374: ...374 Chapter 20 Logs Screens NN47922 500 Figure 151 Log settings ...

Page 375: ...to store logs Active Click Active to enable syslog logging Syslog Server IP Address Enter the server name or IP address of the syslog server that logs the selected categories of logs Log Facility Select a location from the drop down list In the log facility you can log the messages to different files in the syslog server Refer to the documentation of your syslog program for more details Send Log L...

Page 376: ... from which the most traffic has been sent Log Select the categories of the logs that you want to record Logs include alerts Send Immediate Alert Select the categories of alerts for which you want the Business Secure Router to instantly e mail alerts to the e mail address specified in the Send Alerts To field Log Consolidation Active Some logs such as the Attacks logs can be so numerous that it be...

Page 377: ...ckets Many Web sites include HTTP GET references to other Web sites and the Business Secure Router can count these as hits thus the Web hit count is not yet 100 accurate Figure 152 Reports Note The Web site hit count not be 100 accurate because sometimes when an individual Web page loads it can contain references to other Web sites that also get counted as hits Note Enabling the Business Secure Ro...

Page 378: ...een Apply Click Apply to save your changes to the Business Secure Router Reset Click Reset to begin configuring this screen afresh Report Type Use the drop down list to select the type of reports to display Web Site Hits displays the Web sites that have been visited the most often from the LAN and how many times they have been visited Protocol Port displays the protocols or service ports that have...

Page 379: ...he domain names of the Web sites visited most often from computers on the LAN The names are ranked by the number of visits to each Web site and listed in descending order with the most visited Web site listed first The Business Secure Router counts each page viewed in a Web site as another hit on the Web site Hits This column lists how many times each Web site has been visited The count starts ove...

Page 380: ...een select Protocol Port from the Report Type drop down list to have the Business Secure Router record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports Figure 154 Protocol Port report example ...

Page 381: ...col or service port listed first Direction This column lists the direction of travel of the traffic belonging to each protocol or service port listed Incoming refers to traffic that is coming into the Business Secure Router s LAN from the WAN Outgoing refers to traffic that is going out from the Business Secure Router s LAN to the WAN Amount This column lists how much traffic has been sent and rec...

Page 382: ... IP addresses are listed in descending order with the LAN IP address to and from which the most traffic was sent listed first Amount This column displays how much traffic has gone to and from the listed LAN IP addresses The measurement unit shown bytes Kilobytes Megabytes or Gigabytes varies with the amount of traffic sent to and from the LAN IP address The count starts over at 0 if the total traf...

Page 383: ...ature Table 107 Report Specifications Label Description Number of Web sites protocols or ports IP addresses listed 20 Hit count limit Up to 232 hits can be counted per Web site The count starts over at 0 if it passes four billion Bytes count limit Up to 264 bytes can be counted per protocol port or LAN IP address The count starts over at 0 if it passes 264 bytes ...

Page 384: ...384 Chapter 20 Logs Screens NN47922 500 ...

Page 385: ...video cassette recorder you can specify a time period for the VCR to record Apply schedule sets in the WAN IP screen or the WAN Dial Backup screen Lower numbered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 are applied in the remote node set 1 takes precedence over set 2 3 and 4 as the Business Secure Router by default applies...

Page 386: ...Description This is the call schedule set number Name This field displays the name of the call schedule set Active This field shows whether the call schedule set is turned on Yes or off No Start Date This is the date in year month day format that the call schedule set takes effect Duration Date This is the date in year month day format that the call schedule set ends ...

Page 387: ...he Action field Action Forced On means that the connection is maintained whether or not there is a demand call on the line and persists for the time period specified in the Duration field Forced Down means that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand call on the line Disable Dial On Demand means tha...

Page 388: ...t will activate in year month day format If you selected Weekly in the How Often field then select the day or days of the week when the set will activate Start Time 24 Hour Format Enter the start time in hour minute format when you want the schedule set to take effect Duration Time 24 Hour Format Enter the maximum length of time in hour minute format that the schedule set is to apply the action co...

Page 389: ... your schedule sets are configured you must then apply them to the remote node You can apply schedule sets when the Business Secure Router is set to use PPPoE or PPTP encapsulation refer to Configuring WAN ISP on page 107 Click WAN WAN IP to display the WAN IP screen as shown in Figure 158 Use the screen to apply up to four schedule sets ...

Page 390: ...390 Chapter 21 Call scheduling screens NN47922 500 Figure 158 Applying Schedule Sets to a remote node ...

Page 391: ...t traffic statistics Maintenance overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your Business Secure Router Status screen Click MAINTENANCE to open the Status screen where you can monitor your Business Secure Router Note that these fields are READ ONLY and only used for diagnostic purposes ...

Page 392: ...ce type The model name is also on a sticker on your device If you are uploading firmware be sure to upload firmware for this exact model name Nortel Firmware Version The release of firmware currently on the Business Secure Router and the date the release was created Routing Protocols This shows the routing protocol IP for which the Business Secure Router is configured WAN Port IP Address This is t...

Page 393: ...k This is the LAN port subnet mask DHCP This is the LAN port DHCP role Server or None Table 111 System Status Show statistics Label Description Port This is the WAN or LAN port Status This displays the port speed and duplex setting if you are using Ethernet encapsulation and down line is down idle line ppp idle dial starting to trigger a call and drop dropping a call if you are using PPPoE encapsu...

Page 394: ... information here relates to your DHCP status The DHCP table shows current DHCP Client information including IP Address Host Name and MAC Address of all network clients using the DHCP server Tx B s This displays the transmission speed in bytes per second on this port Rx B s This displays the reception speed in bytes per second on this port Up Time This is the total amount of time the line has been...

Page 395: ... the IP address relative to the field listed above Host Name This field displays the computer host name MAC Address This field shows the MAC address of the computer with the name in the Host Name field Every Ethernet device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 Reser...

Page 396: ...it two minutes before logging on to the device again Table 113 Firmware Upload Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the bin file you want to upload Remember that you must decompress compressed zip files before you can upload them Upload Click Upload to begin the upload process This proce...

Page 397: ... you can see the icon Shown in Figure 164 on your desktop Figure 164 Network Temporarily Disconnected After two minutes log on again and check your new firmware version in the System Status screen If the upload was not successful the screen shown in Figure 165 appears Uploading the wrong firmware file or a corrupted firmware file can cause this error Click Return to return to the F W Upload screen...

Page 398: ...ry defaults backup configuration and restoring configuration appears as shown in Figure 166 Figure 166 Configuration Back to Factory Defaults Pressing the Reset button in this section clears all user entered configuration information and returns the Business Secure Router to its factory defaults The warning screen appears see Figure 167 ...

Page 399: ...1 1 and the password reverts to PlsChgMe Backup configuration With backup configuration you can back up and save the device s current configuration to a 104 KB file on your computer After your device is configured and functioning properly Nortel recommends that you back up your configuration file before making configuration changes The backup configuration file is useful in case you need to return...

Page 400: ...ging on to the device again Figure 168 Configuration Upload Successful The device automatically restarts in this time causing a temporary network disconnect In some operating systems you see the icon shown in Figure 169 on your desktop Table 114 Restore configuration Label Description File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Clic...

Page 401: ... 192 168 1 1 See your Nortel Business Secure Router 222 Fundamentals NN47922 301 guide for details about how to set up your computer s IP address If the upload was not successful click Return to return to the Configuration screen Restart screen With system restart you can reboot the Business Secure Router without turning the power off Click MAINTENANCE and then Restart Click Restart to have the Bu...

Page 402: ...402 Chapter 22 Maintenance NN47922 500 Figure 170 Restart screen ...

Page 403: ...o an appropriate power source Check that the Business Secure Router and the power source are both turned on Turn the Business Secure Router off and on If the error persists you likely have a hardware problem In this case contact your vendor I cannot access the Business Secure Router via the console port 1 Make sure the Business Secure Router is connected to your computer s serial port 2 Make sure ...

Page 404: ...n I cannot access the Business Secure Router from the LAN Check your Ethernet cable type and connections Refer to the Nortel Business Secure Router 222 Fundamentals NN47922 301 guide for LAN connection instructions Make sure the computer s Ethernet adapter is installed and functioning properly I cannot ping any computer on the LAN Check the 10M 100M LAN LEDs on the front panel If they are all off ...

Page 405: ...equires MAC address authentication clone the MAC address from your computer on the LAN as the Business Secure Router s WAN MAC address Use the WAN screens in the WebGUI Nortel recommends that you clone your computer s MAC address even if your ISP presently does not require MAC address authentication If your ISP requires host name authentication configure your computer s name as the Business Secure...

Page 406: ...et access settings Your username and password can be case sensitive If device connections and Internet access settings are correct contact your ISP Table 121 Troubleshooting the password Problem Corrective Action I cannot access the Business Secure Router The administrator username is nnadmin The default password is PlsChgMe The Password and Username fields are case sensitive Make sure that you en...

Page 407: ...Router s IP addresses must be on the same subnet for LAN access If you changed the Business Secure Router s LAN IP address then enter the new one as the URL Remove any filters in SMT menu 3 1 LAN or menu 11 1 4 WAN that block Web service Table 123 Troubleshooting Remote Management Problem Corrective Action I cannot remotely manage the Business Secure Router from the LAN or the WAN Check your remot...

Page 408: ...necessary Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or enable pop up blocking and create an exception for your device s IP address Allowing Pop ups 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 171 Pop up Blocker You can also check if pop up blocking is disabled in the Pop up Blocker section in the Privacy ...

Page 409: ...ear the Block pop ups check box in the Pop up Blocker section of the screen Figure 172 Internet Options 3 Click Apply to save this setting Enabling Pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab ...

Page 410: ...47922 500 2 Select Settings to open the Pop up Blocker Settings screen Figure 173 Internet options 3 Type the IP address of your device the Web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 ...

Page 411: ... address to the list of Allowed sites Figure 174 Pop up Blocker settings 5 Click Close to return to the Internet Options screen 6 Click Apply to save this setting Internet Explorer JavaScript If pages of the WebGUI do not display properly in Internet Explorer check that JavaScript and Java permissions are enabled ...

Page 412: ...Internet Options and then the Security tab Figure 175 Internet options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default ...

Page 413: ...lose the window Figure 176 Security Settings Java Scripting Internet Explorer Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected ...

Page 414: ...lick OK to close the window Figure 177 Security Settings Java JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window ...

Page 415: ... and open a new browser Figure 178 Java Sun Netscape Pop up Blockers Either disable the blocking of unrequested pop up windows enabled by default in Netscape or allow pop ups from Web sites by creating an exception for your device s IP address Note Netscape 7 2 screens are used here Screens for other Netscape versions vary ...

Page 416: ...s from this site 2 In the Netscape search toolbar you can enable and disable pop up blockers for Web sites Figure 180 Netscape Search Toolbar You can also check if pop up blocking is disabled in the Popup Windows screen in the Privacy Security directory 1 In Netscape click Edit and then Preferences 2 Click the Privacy Security directory and then select Popup Windows ...

Page 417: ...1 Popup Windows 4 Click OK to save this setting Enable Pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device follow these steps 1 In Netscape click Edit and then Preferences 2 In the Privacy Security directory select Popup Windows 3 Make sure the Block unrequested popup windows check box is selected ...

Page 418: ...ubleshooting NN47922 500 4 Click the Allowed Sites button Figure 182 Popup Windows 5 Type the IP address of your device the Web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 ...

Page 419: ... to return to the Popup Windows screen 8 Click OK to save this setting Netscape Java Permissions and JavaScript If pages of the WebGUI do not display properly in Netscape check that JavaScript and Java permissions are enabled 1 In Netscape click Edit and then Preferences 2 Click the Advanced directory 3 In the Advanced screen make sure the Enable Java check box is selected ...

Page 420: ...ubleshooting NN47922 500 4 Click OK to close the window Figure 184 Advanced 5 Click the Advanced directory and then select Scripts Plug ins 6 Make sure the Navigator check box is selected in the enable JavaScript section ...

Page 421: ...Appendix A Troubleshooting 421 Nortel Business Secure Router 222 Configuration Basics 7 Click OK to close the window Figure 185 Scripts Plug ins ...

Page 422: ...422 Appendix A Troubleshooting NN47922 500 ...

Page 423: ... on information from the time server Time calibration failed The router failed to get information from the time server DHCP client gets s A DHCP client got a new IP address from the DHCP server DHCP client IP expired A DHCP client s IP address has expired DHCP server assigns s The DHCP server assigned an IP address to a client SMT Login Successfully Someone has logged on to the router s SMT interf...

Page 424: ...siness Secure Router allows access to this IP address or domain name and forwarded traffic addressed to the IP address or domain name URLBLK IP Domain Name The Business Secure Router blocked access to this IP address or domain name due to a forbidden keyword All Web traffic is disabled except for trusted domains untrusted domains or the cybernot list JAVBLK IP Domain Name The Business Secure Route...

Page 425: ...d code details ip spoofing WAN TCP The firewall detected a TCP IP spoofing attack on the WAN port ip spoofing WAN UDP The firewall detected an UDP IP spoofing attack on the WAN port ip spoofing WAN IGMP The firewall detected an IGMP IP spoofing attack on the WAN port ip spoofing WAN ESP The firewall detected an ESP IP spoofing attack on the WAN port ip spoofing WAN GRE The firewall detected a GRE ...

Page 426: ...g no routing entry GRE The firewall detected a GRE IP spoofing attack while the Business Secure Router did not have a default route ip spoofing no routing entry OSPF The firewall detected an OSPF IP spoofing attack while the Business Secure Router did not have a default route ip spoofing no routing entry ICMP type d code d The firewall detected an ICMP IP spoofing attack while the Business Secure ...

Page 427: ...ecure Router blocked or forwarded it according to the ACL set s configuration Firewall rule match TCP set d rule d TCP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the rule s configuration Firewall rule match UDP set d rule d UDP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to...

Page 428: ...firewall rule and the Business Secure Router logged it Firewall rule NOT match GRE set d rule d GRE ac access did not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match OSPF set d rule d OSPF access did not match the listed firewall rule and the Business Secure Router logged it Firewall rule NOT match set d rule d Access did not match the listed firewal...

Page 429: ...ule d UDP access matched the listed filter rule and the Business Secure Router dropped the packet to block access Filter match DROP set d rule d ICMP access matched the listed filter rule and the Business Secure Router dropped the packet to block access Filter match DROP set d rule d Access matched the listed filter rule and the Business Secure Router dropped the packet to block access Filter matc...

Page 430: ...ent a TCP packets in response Firewall sent TCP reset packets The firewall sent out TCP reset packets Packet without a NAT table entry blocked The router blocked a packet that did not have a corresponding SUA NAT table entry Out of order TCP handshake packet blocked The router blocked a TCP handshake packet that came out of the proper order Drop unsupported out of order ICMP The Business Secure Ro...

Page 431: ...packets traveling from the WAN to the WAN or the Business Secure Router Table 131 ICMP Notes Type Code Description 0 Echo reply 0 Echo reply message 3 Destination unreachable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because the packet was set to Don t Fragment DF 5 Source route failed 4 Source quench 0 A gateway...

Page 432: ... in transit 1 Fragment reassembly time exceeded 12 Parameter problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp reply 0 Timestamp reply message 15 Information request 0 Information request message 16 Information reply 0 Information reply message Table 132 Sys log LOG MESSAGE DESCRIPTION Mon dd hr mm ss hostname src srcIP srcPort dst dstIP dstPort msg msg no...

Page 433: ... Main Mode request to 192 168 100 101 002 01 Jan 08 02 22 Send SA 003 01 Jan 08 02 22 Recv SA 004 01 Jan 08 02 24 Send KE NONCE 005 01 Jan 08 02 24 Recv KE NONCE 006 01 Jan 08 02 26 Send ID HASH 007 01 Jan 08 02 26 Recv ID HASH 008 01 Jan 08 02 26 Phase 1 IKE SA process done 009 01 Jan 08 02 26 Start Phase 2 Quick Mode 010 01 Jan 08 02 26 Send HASH SA NONCE ID ID 011 01 Jan 08 02 26 Recv HASH SA N...

Page 434: ...Jan 08 08 07 Recv SA 003 01 Jan 08 08 08 Send SA 004 01 Jan 08 08 08 Recv KE NONCE 005 01 Jan 08 08 10 Send KE NONCE 006 01 Jan 08 08 10 Recv ID HASH 007 01 Jan 08 08 10 Send ID HASH 008 01 Jan 08 08 10 Phase 1 IKE SA process done 009 01 Jan 08 08 10 Recv HASH SA NONCE ID ID 010 01 Jan 08 08 10 Start Phase 2 Quick Mode 011 01 Jan 08 08 10 Send HASH SA NONCE ID ID 012 01 Jan 08 08 10 Recv HASH Clea...

Page 435: ...e connection but the IKE key exchange has not completed Duplicate requests with the same cookie The Business Secure Router received multiple requests from the same peer but is still processing the first IKE packet from that peer No proposal chosen The parameters configured for Phase 1 or Phase 2 negotiations do not match Check all protocols and settings for these phases For example one party uses ...

Page 436: ...h the local s peer ID type Phase 1 ID content mismatch The ID content of an incoming packet does not match the local s peer ID content No known phase 1 ID type found The ID type of an incoming packet does not match any known ID type Peer ID IP address type IP address The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the loca...

Page 437: ...IP address static or dynamic to set up the VPN tunnel Cannot find IPSec SA The Business Secure Router cannot find a phase 2 SA that corresponds with the SPI of an inbound packet from the peer the packet is dropped Cannot find outbound SA for rule d The packet matches the rule index number d but Phase 1 or Phase 2 negotiation for outbound from the VPN initiator traffic is not finished yet Discard R...

Page 438: ...rtificate enrollment succeeded The Destination field records the certification authority server IP address and port Enrollment failed The SCEP online certificate enrollment failed The Destination field records the certification authority server s IP address and port Failed to resolve SCEP CA server url The SCEP online certificate enrollment failed because the certification authority server s addre...

Page 439: ... the LDAP server whose address and port are recorded in the Source field Failed to decode the received user cert The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field Failed to decode the received CRL The router received a corrupted CRL Certificate Revocation List from the LDAP server whose address and port are recorded in the...

Page 440: ...oding failed 10 Certificate was not found anywhere 11 Certificate chain looped did not find trusted root 12 Certificate contains critical extension that was not handled 13 Certificate issuer was not valid CA specific information missing 14 Not used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added to the cache 20 CR...

Page 441: ...d to use another authentication method and was not authenticated User logout because of session timeout expired The router logged off a user whose session expired User logout because of user deassociation The router logged off a user who ended the session User logout because of no authentication response from user The router logged off a user from which there was no authentication response User lo...

Page 442: ...tegory followed by a log category and a parameter to decide what to record No Server to authenticate user There is no authentication server to authenticate a user Local User Database does not find user s credential A user was not authenticated by the local user database because the user is not listed in the local user database Table 139 Log categories and available settings Log Categories Availabl...

Page 443: ...ommand to show the log settings for all of the log categories Use the sys logs display log category command to show the logs in an individual Business Secure Router log category Use the sys logs clear command to erase all of the Business Secure Router s logs urlforward 0 1 Use 0 to record no logs for a selected category 1 to record only logs a selected category 2 to record only alerts for a select...

Page 444: ... 80 137 172 22 255 255 137 ACCESS BLOCK Firewall default policy UDP set 8 1 11 11 2002 15 10 12 172 21 4 17 138 172 21 255 255 138 ACCESS BLOCK Firewall default policy UDP set 8 2 11 11 2002 15 10 11 172 17 2 1 224 0 1 60 ACCESS BLOCK Firewall default policy IGMP set 8 3 11 11 2002 15 10 11 172 22 3 80 137 172 22 255 255 137 ACCESS BLOCK Firewall default policy UDP set 8 4 11 11 2002 15 10 10 192 ...

Page 445: ...27 Attack Alert 192 194 Attack Types 162 Authentication databases 313 Authentication Header 206 Authentication Type 124 Autonegotiating 10 100 Mb s Ethernet LAN 34 Autosensing 10 100 Mb s Ethernet LAN 34 Auxiliary 35 B Backup 399 Bandwidth Class 298 Bandwidth Filter 298 305 Bandwidth Management 297 Bandwidth Management Statistics 306 Bandwidth Manager Class Configuration 303 Bandwidth Manager Clas...

Page 446: ...es 199 copyright 2 Custom Port 182 Custom Ports Creating Editing 184 D Data Terminal Ready 127 DDNS Type 82 Default 398 Default Policy Log 179 Default Server 140 Default Server IP Address 139 Denial of Service 157 158 192 193 DES 207 Destination Address 174 182 DHCP 52 60 81 93 94 394 DHCP Dynamic Host Configuration Protocol 39 DHCP Server 97 Dial 129 Dial Backup 122 Dial Backup Port Speed 124 Dia...

Page 447: ...mifications 173 Services 188 Types 155 When To Use 170 Firmware Version 392 First DNS Server 80 FTP 81 137 138 327 350 FTP Restrictions 327 FTP Server 40 Full Feature 116 Full Network Management 40 G General Setup 51 78 Global 132 Global End IP 142 145 Global Start IP 142 144 Group Authentication 219 Group ID 219 250 Group Password 219 250 H Half Open Sessions 192 Hardware Setup 42 Host 84 Host Na...

Page 448: ...ement Information Base MIB 352 Many One to One 143 144 Many to Many No Overload 135 Many to Many Overload 135 Many to One 135 Many to Many Ov 144 Many to Many Overload 143 144 Many to On 144 Many to One 143 Maximum Incomplete High 195 Maximum Incomplete Low 195 Max incomplete High 193 Max incomplete Low 193 195 MD5 207 Media Access Control 100 Metric 105 116 121 124 153 Multicast 95 117 126 Multic...

Page 449: ...ion 184 Port Forwarding 39 Port Restricted Cone NAT 133 PPPoE 37 52 56 57 PPPoE Encapsulation 108 PPTP 52 54 138 PPTP Encapsulation 38 110 Predefined NTP Time Server List 85 Preshared Key 216 240 Primary Phone Number 124 Priority 124 Private 116 153 Private IP Address 58 Proportional Bandwidth Allocation 298 Protocol Port 378 380 publications hard copy 30 related 30 Q Quick Start Guide 43 R RADIUS...

Page 450: ...ions 173 Server 88 135 136 143 144 Server Auto Detect 83 Service 174 Service Type 112 179 184 Services 138 setup a schedule 387 SHA1 207 Single User Account 125 144 SMTP 138 Smurf 161 162 SNMP 39 138 351 Get 353 Manager 352 MIBs 353 Trap 353 SNMP Simple Network Management Protocol 39 Source Destination Addresses 183 Source Address 174 182 SSH 36 341 SSH Implementation 343 Start Port 148 Stateful I...

Page 451: ...direct 39 119 120 Trigger Port Forwarding Process 145 U UDP ICMP Security 167 Universal Plug and Play 37 Universal Plug and Play UPnP 359 361 Upgradeable Firmware 40 Uploading a Configuration File Via Console Port 46 UPnP 37 UPnP Examples 363 UPnP Port Mapping 362 Upper Layer Protocols 167 URL Keyword Blocking 199 User Profiles 315 Username 44 V VPN 110 VPN Client Termination 248 W WAN MAC 118 WAN...

Reviews:

No comments